Security Market Segment LS
Wednesday, 26 August 2015 16:51

Passwords are the keys to the IP kingdom

By

In computer parlance, ‘privilege’ is the nirvana – it allows a hacker to control anything from a single computer to a global network.

According to John Worrall, CMO for CyberArk (NASDAQ: CYBR) gaining privilege access is the focus of the attack cycle.

“It is all about passwords (keys) and what locks (doors) they open. In the hands of a trusted user passwords are fine – in the hands of a hacker it is like locking your door but leaving the keys to the Ferrari on the table inside,” he said.

I interviewed John who had presented earlier at the Gartner Security and Risk Management Summit in Sydney. He started by positioning CyberArk as the only security company focused on eliminating the most advanced cyber threats; those that use insider privileges [passwords] to attack the heart of the enterprise. “We are trusted by the world’s leading companies – including 40 percent of the Fortune 100 and 17 of the world’s top 20 banks – to protect their highest value information assets, infrastructure and applications,” he said.

Advertisement over – now to the interview and for convenience much is paraphrased to avoid ‘he said’ repetition.

Essentially every computing device has a login and password. Every computing device connected to a network – and by inference the internet – has an IP (Internet Protocol) address and can be locally and remotely accessed. In many cases, a single IP address can have several logins – administrator, super user, user, and even back doors for maintenance and update provided by the manufacturer. Complicate this by adding in the Internet of Things (IoT) and Bring your own device (BYOD) and few know the extent of the network, let alone can control access.

CyberArk essentially sets up a highly secure software ‘vault’ that stores all these passwords and via secure VPNs logs the user into any permitted device. It eliminates the need for clear text passwords and the inherent ability to cut and paste them and exposing them to key loggers.

The main solution is in three parts:

First, identify passwords across the entire network and store them in the enterprise password vault. Passwords include both those used by humans and those used by machine-to-machine (scripts) to communicate.

Second, is to track these credentials in motion via a single control point. System logs do not provide the granularity needed. Continuous real time monitoring of every use of passwords and their use it tracked and it can identify if the use is legitimate. If it is not, there are a range of automatic responses (changing the password immediately) or alerts to system administrators who make decisions based on system uptime and consequences.

Third is to build a profile of users and their rights – and apply policies that can be measured against the ‘normal’ behaviour of a user.

Password attacks generally enter a system via spear phishing – malware entering a user workstation and gradually the hacker finds escalation ‘up the asset chain’ to the server, then to the domain controller and it is all theirs to control. Also remember that internal breaches can occur – remember Edward Snowdon and the leaks from the NSA.

We spoke about the high profile hacks recently on Ashley Madison, Sony, and Sands Casino and John felt that in every case it could be attributed to password compromise. Frankly, he was more concerned that these hacks were more about embarrassing and putting the companies out of business – not the normal hack. The recovery time and costs would be enormous.

I asked about what skills staff needed and like my interview with Ron Davidson titled ‘Thank goodness for the white hatters’ he too drew from national security agencies like NSA and Unit 8200. Its CEO Udi Mokady had come from a similar background in a military intelligence unit.

We spoke about the move to biometrics – facial recognition, fingerprints etc. - as a replacement to passwords. His response was blunt – they are all passwords and can suffer from the same issues. We joked about cutting off fingers etc., but his take is that it is easier to invest in planting a rogue insider than other methods.

We spoke about password security and his take was that they should be changed after every use – not every few months as was custom. In order to do that Cyberark had created an SSH Key Manger to securely store, rotate and control access to SSH keys with the highest levels of security, including the encryption of keys at rest and in transit, granular access controls and integrations with strong authentication solutions.

John used the term ‘jump server’ and essentially, it is a special-purpose computer on a network typically used to manage devices in a separate security zone. CyberArk software runs on a jump server on the network. That network can include on premise, hybrid or cloud. Increasingly they were managing logins and passwords for social media as well. Bring your Own Device (BYOD) simply meant more network attach/attack points and made it easier to get inside the perimeter to carry out password escalation.

While CyberArk has Fortune 100 companies it also has small law firms that absolutely need chain of evidence and the Vault provides that.

We spoke about how hackers recreate or discover passwords. It was a kind of ‘I can tell you but I would have to shoot you’ moment but suffice to say it often starts with spear phishing attacks or internal attacks and hackers then escalate until they find the assets they want. “There are numerous graphical interface tools you can buy off the shelf that will expose passwords – even you can use them.”

End of story – I am going to change all my passwords again, and again, and again. Wish I could afford CyberArk.


Subscribe to ITWIRE UPDATE Newsletter here

Active Vs. Passive DWDM Solutions

An active approach to your growing optical transport network & connectivity needs.

Building dark fibre network infrastructure using WDM technology used to be considered a complex challenge that only carriers have the means to implement.

This has led many enterprises to build passive networks, which are inferior in quality and ultimately limit their future growth.

Why are passive solutions considered inferior? And what makes active solutions great?

Read more about these two solutions, and how PacketLight fits into all this.

CLICK HERE!

WEBINAR INVITE 8th & 10th September: 5G Performing At The Edge

Don't miss the only 5G and edge performance-focused event in the industry!

Edge computing will play a critical part within digital transformation initiatives across every industry sector. It promises operational speed and efficiency, improved customer service, and reduced operational costs.

This coupled with the new capabilities 5G brings opens up huge opportunities for both network operators and enterprise organisations.

But these technologies will only reach their full potential with assured delivery and performance – with a trust model in place.

With this in mind, we are pleased to announce a two-part digital event, sponsored by Accedian, on the 8th & 10th of September titled 5G: Performing at the Edge.

REGISTER HERE!

BACK TO HOME PAGE
Ray Shaw

joomla stats

Ray Shaw ray@im.com.au  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News