According to John Worrall, CMO of CyberArk (NASDAQ: CYBR), gaining privileged access is the focus of the attack cycle.
“It is all about passwords (keys) and what locks (doors) they open. In the hands of a trusted user passwords are fine – in the hands of a hacker it is like locking your door but leaving the keys to the Ferrari on the table inside,” he said.
I interviewed John who had presented earlier at the Gartner Security and Risk Management Summit in Sydney. He started by positioning CyberArk as the only security company focused on eliminating the most advanced cyber threats; those that use insider privileges [passwords] to attack the heart of the enterprise. “We are trusted by the world’s leading companies – including 40 percent of the Fortune 100 and 17 of the world’s top 20 banks – to protect their highest value information assets, infrastructure and applications,” he said.
Advertisement over – now to the interview and for convenience much is paraphrased to avoid ‘he said’ repetition.
Essentially every computing device has a login and password. Every computing device connected to a network, and by inference the internet, has an IP (Internet Protocol) address and can be accessed locally and remotely. In many cases a single IP address has several accounts: administrator, super user, ordinary user, and even back doors for maintenance and updates provided by the manufacturer. Add the Internet of Things (IoT) and Bring Your Own Device (BYOD) to this and few organisations know the full extent of their network, let alone control access to it.
CyberArk essentially sets up a highly secure software 'vault' that stores all these passwords and, via secure VPNs, logs the user into any permitted device. This eliminates the need for clear-text passwords, and with them the ability to cut and paste them or expose them to key loggers.
The main solution is in three parts:
First, identify passwords across the entire network and store them in the enterprise password vault. Passwords include both those used by humans and those embedded in scripts for machine-to-machine communication.
Second, track these credentials in motion through a single control point. System logs do not provide the granularity needed; continuous real-time monitoring of every password use lets the system judge whether a given use is legitimate. If it is not, the responses range from automatic action (changing the password immediately) to alerts to system administrators, who decide what to do based on system uptime and consequences.
Third, build a profile of each user and their rights, and apply policies that can be measured against that user's 'normal' behaviour.
Password attacks generally start with spear phishing: malware lands on a user workstation, and the attacker gradually escalates 'up the asset chain' to a server, then to the domain controller, at which point the whole environment is theirs to control. Remember too that breaches can be internal; think of Edward Snowden and the leaks from the NSA.
We spoke about the recent high-profile hacks of Ashley Madison, Sony and Sands Casino, and John felt that in every case the breach could be attributed to password compromise. Frankly, he was more concerned that these hacks were aimed at embarrassing the companies and putting them out of business, unlike the usual hack. The recovery time and costs would be enormous.
I asked what skills staff needed and, as in my interview with Ron Davidson titled 'Thank goodness for the white hatters', he too drew staff from national security agencies such as the NSA and Unit 8200. CyberArk's CEO Udi Mokady came from a similar background in a military intelligence unit.
We spoke about the move to biometrics, such as facial recognition and fingerprints, as a replacement for passwords. His response was blunt: they are all passwords and can suffer from the same issues. We joked about cutting off fingers and the like, but his take is that it is easier to invest in planting a rogue insider than in other methods.
We spoke about password security, and his take was that passwords should be changed after every use, not every few months as has been the custom. To make that practical, CyberArk had created an SSH Key Manager to securely store, rotate and control access to SSH keys, with encryption of keys at rest and in transit, granular access controls and integrations with strong authentication solutions.
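To make the three-part model concrete (discover and vault the credentials, judge every use at a single control point against the user's normal behaviour, and respond automatically), and John's point that a credential should be changed after every use, here is a small added example. It is not CyberArk's code and does not describe how their product is built; the account profiles, target names and the "rotate on check-in" policy are constructed assumptions for illustration, and it models passwords rather than SSH keys, though the checkout-use-rotate cycle is the same idea.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample baseline (not real data): for each account, the targets it
# normally reaches and the hours (24h clock, start inclusive, end exclusive) it
# is normally active. A real deployment would learn this from observed sessions.
PROFILES = {
    "alice": {"targets": {"db01", "db02"}, "hours": range(8, 19)},
    "svc-backup": {"targets": {"db01"}, "hours": range(1, 4)},  # nightly script
}

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@^_"


def new_secret(length: int = 32) -> str:
    """Generate a fresh random password using the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def policy_violations(user: str, target: str, hour: int) -> List[str]:
    """Compare one credential use against the user's baseline.

    Returns an empty list when the use looks normal, otherwise one reason per
    deviation. An account with no profile is itself a violation.
    """
    profile = PROFILES.get(user)
    if profile is None:
        return [f"no profile for {user!r}"]
    reasons = []
    if target not in profile["targets"]:
        reasons.append(f"{user} never uses {target}")
    if hour not in profile["hours"]:
        reasons.append(f"{user} active at {hour:02d}:00, outside normal hours")
    return reasons


@dataclass
class Vault:
    """Minimal model of a credential vault acting as the single control point.

    Every checkout is judged against the baseline and recorded in the audit
    trail; every check-in rotates the credential, so the clear-text value the
    user (or a key logger on their workstation) just saw is no longer valid.
    """
    secrets_by_target: Dict[str, str]
    audit: list = field(default_factory=list)

    def checkout(self, user: str, target: str, hour: int) -> Optional[str]:
        reasons = policy_violations(user, target, hour)
        if reasons:
            # Automatic response: rotate immediately and record an alert;
            # the requester receives nothing.
            self.secrets_by_target[target] = new_secret()
            self.audit.append(("DENIED+ROTATED", user, target, hour, reasons))
            return None
        self.audit.append(("CHECKOUT", user, target, hour, []))
        return self.secrets_by_target[target]

    def checkin(self, user: str, target: str) -> str:
        """End the session and rotate: the password changes after every use."""
        self.secrets_by_target[target] = new_secret()
        self.audit.append(("CHECKIN+ROTATED", user, target, None, []))
        return self.secrets_by_target[target]


def demo() -> list:
    """Run a constructed sequence of credential uses and return the audit trail."""
    vault = Vault({t: new_secret() for t in ("db01", "db02", "dc01")})
    vault.checkout("alice", "db01", 10)       # normal target and hour: allowed
    vault.checkin("alice", "db01")            # rotated; the value alice saw is dead
    vault.checkout("alice", "dc01", 3)        # wrong target, wrong hour: denied
    vault.checkout("svc-backup", "db01", 2)   # script inside its window: allowed
    return vault.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The denied request to the domain controller at 03:00 is exactly the 'up the asset chain' move described earlier: a stolen or phished account reaching a host its owner never touches, at a time they are never active. Because the vault sees every use, it can refuse and rotate before the attacker gets anything, instead of an administrator reconstructing the event from system logs afterwards.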
John used the term 'jump server': essentially a special-purpose computer on a network, typically used to manage devices in a separate security zone. CyberArk's software runs on a jump server on the network, which can be on premises, hybrid or cloud. Increasingly they were managing logins and passwords for social media accounts as well. Bring Your Own Device (BYOD) simply means more network attach (and attack) points, making it easier to get inside the perimeter and carry out privilege escalation.
While CyberArk counts Fortune 100 companies among its customers, it also has small law firms that absolutely need a chain of evidence, which the Vault provides.
We spoke about how hackers recreate or discover passwords. It was a kind of 'I could tell you, but then I'd have to shoot you' moment, but suffice to say it often starts with spear phishing or internal attacks, and the hackers then escalate until they find the assets they want. "There are numerous graphical interface tools you can buy off the shelf that will expose passwords – even you can use them."
End of story – I am going to change all my passwords again, and again, and again. Wish I could afford CyberArk.