Wednesday, 26 August 2015 16:51

Passwords are the keys to the IP kingdom

By Ray Shaw

In computer parlance, ‘privilege’ is the nirvana – it allows a hacker to control anything from a single computer to a global network.

According to John Worrall, CMO for CyberArk (NASDAQ: CYBR), gaining privileged access is the focus of the attack cycle.

“It is all about passwords (keys) and what locks (doors) they open. In the hands of a trusted user passwords are fine – in the hands of a hacker it is like locking your door but leaving the keys to the Ferrari on the table inside,” he said.

I interviewed John who had presented earlier at the Gartner Security and Risk Management Summit in Sydney. He started by positioning CyberArk as the only security company focused on eliminating the most advanced cyber threats; those that use insider privileges [passwords] to attack the heart of the enterprise. “We are trusted by the world’s leading companies – including 40 percent of the Fortune 100 and 17 of the world’s top 20 banks – to protect their highest value information assets, infrastructure and applications,” he said.

Advertisement over – now to the interview and for convenience much is paraphrased to avoid ‘he said’ repetition.

Essentially every computing device has a login and password. Every computing device connected to a network – and by inference the internet – has an IP (Internet Protocol) address and can be locally and remotely accessed. In many cases, a single IP address can have several logins – administrator, super user, user, and even back doors for maintenance and update provided by the manufacturer. Complicate this by adding in the Internet of Things (IoT) and Bring your own device (BYOD) and few know the extent of the network, let alone can control access.

CyberArk essentially sets up a highly secure software ‘vault’ that stores all these passwords and, via secure VPNs, logs the user into any permitted device. It eliminates the need for clear text passwords and the inherent ability to cut and paste them, which exposes them to key loggers.

The main solution is in three parts:

First, identify passwords across the entire network and store them in the enterprise password vault. Passwords include both those used by humans and those used by machine-to-machine (scripts) to communicate.

Second is to track these credentials in motion via a single control point. System logs do not provide the granularity needed. Every use of a password is continuously monitored and tracked in real time, so the system can identify whether the use is legitimate. If it is not, there is a range of automatic responses (changing the password immediately) or alerts to system administrators, who make decisions based on system uptime and consequences.

Third is to build a profile of users and their rights – and apply policies that can be measured against the ‘normal’ behaviour of a user.
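As an added illustration (not CyberArk's code or a description of how the Vault is implemented), here is a minimal model of the second and third parts above: each credential checkout from a vault audit log is judged against a constructed per-user profile of normal target hosts and working hours; an out-of-profile checkout produces an alert and marks that host's credential for immediate rotation. All profiles, events and host names are constructed for the example.

```python
from datetime import datetime

# Constructed per-user profile of "normal" behaviour (part three): the target
# hosts a user normally checks out credentials for, and the working hours
# (start inclusive, end exclusive, 24h clock) during which that is expected.
PROFILES = {
    "alice": {"hosts": {"db01", "db02"}, "hours": (8, 19)},
    "bob": {"hosts": {"web01"}, "hours": (9, 18)},
}

def assess(event):
    """Judge one credential checkout against the user's profile.
    Returns a list of reasons; an empty list means the use looks legitimate."""
    user, host = event["user"], event["target"]
    hour = datetime.fromisoformat(event["time"]).hour
    prof = PROFILES.get(user)
    if prof is None:
        return ["unknown user"]
    reasons = []
    if host not in prof["hosts"]:
        reasons.append(f"host {host} outside profile")
    start, end = prof["hours"]
    if not start <= hour < end:
        reasons.append(f"checkout at {hour:02d}:00 outside working hours")
    return reasons

def respond(events):
    """Part two: every checkout is tracked; a non-legitimate one triggers an
    immediate rotation of that host's credential (modelled here as the set of
    hosts whose password must be changed) plus an alert line for operators."""
    rotate, alerts = set(), []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            rotate.add(ev["target"])
            alerts.append(f"ALERT {ev['user']}->{ev['target']}: " + "; ".join(reasons))
    return rotate, alerts

# Constructed sample checkout events, as a vault audit log might record them.
SAMPLE_EVENTS = [
    {"time": "2015-08-26T10:15:00", "user": "alice", "target": "db01"},   # normal
    {"time": "2015-08-26T03:40:00", "user": "alice", "target": "dc01"},   # odd host, odd hour
    {"time": "2015-08-26T11:00:00", "user": "mallory", "target": "web01"},  # no profile
]

if __name__ == "__main__":
    for line in respond(SAMPLE_EVENTS)[1]:
        print(line)
```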

Password attacks generally enter a system via spear phishing – malware enters a user workstation and the hacker gradually finds escalation ‘up the asset chain’ to the server, then to the domain controller, and then it is all theirs to control. Also remember that internal breaches can occur – think of Edward Snowden and the leaks from the NSA.

We spoke about the recent high profile hacks on Ashley Madison, Sony, and Sands Casino, and John felt that in every case it could be attributed to password compromise. Frankly, he was more concerned that these hacks were about embarrassing the companies and putting them out of business – not the normal hack. The recovery time and costs would be enormous.

I asked about what skills staff needed and, like Ron Davidson in my interview titled ‘Thank goodness for the white hatters’, he too drew staff from national security agencies like the NSA and Unit 8200. CyberArk’s CEO Udi Mokady had come from a similar background in a military intelligence unit.

We spoke about the move to biometrics – facial recognition, fingerprints etc. – as a replacement for passwords. His response was blunt – they are all passwords and can suffer from the same issues. We joked about cutting off fingers etc., but his take is that it is easier to invest in planting a rogue insider than other methods.

We spoke about password security and his take was that they should be changed after every use – not every few months as was custom. In order to do that CyberArk had created an SSH Key Manager to securely store, rotate and control access to SSH keys with the highest levels of security, including the encryption of keys at rest and in transit, granular access controls and integrations with strong authentication solutions.

John used the term ‘jump server’ – essentially, a special-purpose computer on a network typically used to manage devices in a separate security zone. CyberArk software runs on a jump server on the network. That network can be on-premises, hybrid or cloud. Increasingly they were managing logins and passwords for social media as well. Bring Your Own Device (BYOD) simply meant more network attach/attack points and made it easier to get inside the perimeter to carry out password escalation.

While CyberArk has Fortune 100 customers, it also has small law firms that absolutely need a chain of evidence, and the Vault provides that.

We spoke about how hackers recreate or discover passwords. It was a kind of ‘I can tell you but I would have to shoot you’ moment but suffice to say it often starts with spear phishing attacks or internal attacks and hackers then escalate until they find the assets they want. “There are numerous graphical interface tools you can buy off the shelf that will expose passwords – even you can use them.”

End of story – I am going to change all my passwords again, and again, and again. Wish I could afford CyberArk.



Ray Shaw ray@im.com.au  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!