isaca-presentation-aug-18-2016- onion id

Security Implications of Employee Account Compromise -Anirban Banerjee, Ph.D. [email protected]

Upload: banerjeea

Post on 11-Feb-2017


TRANSCRIPT

Page 1: ISACA-presentation-Aug-18-2016- Onion ID

Security Implications of Employee Account Compromise

-Anirban Banerjee, [email protected]

Page 2:

HELLO! I am Anirban Banerjee. Founder and CEO of Onion ID.

https://www.linkedin.com/in/anirbanbanerjeephd

Page 3:

Implication and Compliance

Current Status

What is Privilege

Challenges

Strategies

Page 4:

Implication and Compliance

Page 5:

Implications

• Compliance violations
• Loss of revenue
• Loss of trust
• Employee dissatisfaction

Page 6:

Compliance

Page 7:

Where is PAM relevant? HIPAA Security Rule (45 CFR Part 164)

• (1) Availability of ePHI Data—45 CFR 164.308(a)(7)(ii)

• (2) Integrity of ePHI Data—45 CFR 164.312(c)(1), (2), & (e)(2)(i)

• (3) Authentication to ePHI Data Systems—45 CFR 164.312(d)

• (4) Access Control in ePHI Data Systems—45 CFR 164.312(a)(1), (2), & (3)

• (5) Audit of ePHI Data Systems—45 CFR 164.308(a)(5)(ii)(C) & 164.312(b)

Page 8:

Where is PAM relevant? ISO 27001 (the control numbers below follow the 2005 Annex A numbering; in ISO 27001:2013 the same controls are renumbered)

• 7.1.1 - Inventory of assets
• 7.1.2 - Ownership of assets
• 7.1.3 - Acceptable use of assets
• 10.1.2 - Change management
• 10.1.3 - Segregation of duties
• 10.3.1 - Capacity management
• 10.10.1 - Audit logging
• 10.10.2 - Monitoring system use

• Additionally - 11.1.1, 11.2.4, 11.6.1, 13.1.1, 13.2.3, 15.1.4, 15.1.5, 15.2.1

Page 9:

Where is PAM relevant? CIS Critical Security Controls

• #5 Controlled use of administrative privileges.
• #6 Maintenance, monitoring and analysis of logs.
• #9 Limitation and control of network ports and services.
• #10 Data recovery capability.
• #11 Secure configurations for network devices like firewalls and routers.
• #14 Controlled access based on the need to know.
• #16 Account monitoring and control.
• #19 Incident response and management.

Page 10:

Where is PAM relevant? PCI DSS

• Need multi-factor authentication for all non-console administrative access into the cardholder data environment (PCI DSS v3.2, Requirement 8.3.1).
• Need to demonstrate authorization controls.
• Access audit mechanisms need to be in place.

Page 11:

What can an employee see

What can an employee click

What can an employee fill

What can an employee download

Use Case

Page 12:

Current Status

Page 13:

IT Landscape: The Landscape is Changing

Laptops, in-house servers, mobile devices, cloud servers

Page 14:

Why is the Cloud Popular?

• Shift in capex to opex; cost savings – 25% on avg.

• Employee mobility; easy access – 49% on avg.

• Scaling is easier; more efficient – 55% on avg.

• Time savings; more time to innovate – 31% on avg.

• Choice – no traditional vendor lock-in

Page 15:

SAML & SaaS

• Less than 25% of corporate apps have SSO support

• Less than 1% of all SaaS apps understand SAML

• Passwords are here to stay!

Page 16:

Mapping User Roles

• How to map to 3rd party SaaS apps?
• SAML assertions - weak support.
• No magic bullet

Page 17:

What is Privilege

Page 18:

Privilege Management is not just Access Control

Privilege Management

Page 19:

PAM - 100% Coverage

Web apps, servers and containers

Page 20:

PAM - Layers

Shrek: Ogres are like onions.
Donkey: They stink?
Shrek: Yes. No.
Donkey: Oh... they make you cry.
Shrek: No!
Donkey: Oh, you leave 'em out in the sun, they get all brown, start sproutin' little white hairs.
Shrek: NO. Layers. Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers. [sigh]
Donkey: Oh, you both have layers. Oh.

PAM has layers. Onions have layers. We both have layers. Get it?

Page 21:

PAM - The 7 Layers

2FA on Apps and Servers

SaaS PAM

SSH, RDP Session Control

Secret Storage

Access sharing

Reporting and Audits

Server PAM

Page 22:

Evolution of PAM

PAM 1.0 - Crawl
• Password vaulting
• SSH key rotation
• Video session recording

PAM 2.0 - Walk
• Rights management
• Time-based checkout
• Credential rotation

PAM 3.0 - Run
• SaaS PAM
• Adaptive authentication
• Automated auditing

Page 23:

Challenges

Page 24:

Hard Problems

• Secrets management
• API/machine to API/machine authentication
• API keys in code

Page 25:

User Fatigue: 2FA = Friction

• Entering 8-digit codes
• Carrying hardware
• One-time passwords
• Multiple IDs

Page 26:

Strategies

Page 27:

Command Filtering

SSH Key Management

Session Recording

URL Filtering

Action Filtering

View Filtering

Solution Features

Page 28:

Deployment

Layer on top of existing services

Dynamic Privilege Management

SSO, NAC, CASB

Page 29:

Happy Users

2FA ≠ Friction

Air-Signature

Touch ID

Proximity

Geo Fencing

Page 30:

ACTIVE AUTHENTICATION CAN HELP

▸ Concept of least privilege
▸ Risk score everything
▸ Every command is analyzed
▸ Learn, Match, Act, Update

Page 31:

WHAT TO LOOK FOR AND WHAT TO DO

COMMANDS BEING RUN: a user who usually never runs visudo or touches /etc/shadow and suddenly does so is high risk.

CONNECTION STATISTICS: where are you connecting from, at what time, and how many connections.

EVERY COMMAND IS ANALYZED: risk score every command as White, Grey or Black.

TAKE ACTION: invisible 2FA for Grey, physical 2FA for Black.

TOOLS: Apache Spark, Pykit Sci, SSH proxies.
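The Learn, Match, Act, Update loop from pages 30 and 31 (and the "Command Filtering" feature on page 27), as an added worked example; this is not Onion ID's code. The log format, the high-risk command list and the "two anomalies = Black" threshold are assumptions, and the log lines in HISTORY are constructed. The step-up callback stands in for the real 2FA provider.

```python
"""Risk-scoring loop for SSH command activity: Learn a per-user baseline,
Match each new command against it, Act (allow / invisible 2FA / physical 2FA),
and Update the baseline when the step-up succeeds.

Added illustration of the approach in the slides, not Onion ID's code. Log
format, thresholds and the high-risk list are assumptions; HISTORY is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Commands a normal employee account "usually never" runs: always Black,
# whatever the baseline says. Assumed list; extend for your environment.
HIGH_RISK_RE = re.compile(
    r"\bvisudo\b|/etc/shadow\b|/etc/sudoers\b|\buseradd\b|\busermod\b|\bnc\b.*\s-e\b"
)

WHITE, GREY, BLACK = "white", "grey", "black"
ACTION = {WHITE: "allow", GREY: "invisible-2fa", BLACK: "physical-2fa"}

# Assumed log format: "<ISO timestamp> user=<name> src=<ip> cmd=<command line>"
LOG_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2} "
    r"user=(?P<user>\S+) src=(?P<src>\S+) cmd=(?P<cmd>.*)$"
)


@dataclass
class Event:
    user: str
    src: str
    hour: int
    cmd: str


@dataclass
class Baseline:
    commands: set = field(default_factory=set)  # program names seen
    sources: set = field(default_factory=set)   # source addresses seen
    hours: set = field(default_factory=set)     # hours of day seen


def parse(line):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    return Event(m["user"], m["src"], int(m["hour"]), m["cmd"].strip())


def command_key(cmd):
    """Reduce a command line to its program so 'ls -la /tmp' and 'ls' match;
    keep the target of sudo so 'sudo vi' and 'sudo visudo' stay distinct."""
    tokens = cmd.split()
    if not tokens:
        return ""
    if tokens[0] == "sudo" and len(tokens) > 1:
        return "sudo " + tokens[1]
    return tokens[0]


class RiskEngine:
    def __init__(self):
        self.baselines = defaultdict(Baseline)

    def learn(self, lines):
        """LEARN: seed baselines from historical sessions that were reviewed."""
        for line in lines:
            self.update(parse(line))

    def update(self, ev):
        """UPDATE: fold an accepted event into the user's baseline."""
        b = self.baselines[ev.user]
        b.commands.add(command_key(ev.cmd))
        b.sources.add(ev.src)
        b.hours.add(ev.hour)

    def score(self, ev):
        """MATCH: return (colour, reasons) for one event."""
        if HIGH_RISK_RE.search(ev.cmd):
            return BLACK, ["high-risk command"]
        b = self.baselines[ev.user]
        reasons = []
        if command_key(ev.cmd) not in b.commands:
            reasons.append("command never seen for user")
        if ev.src not in b.sources:
            reasons.append("new source address")
        if ev.hour not in b.hours:
            reasons.append("unusual hour")
        if len(reasons) >= 2:  # assumed threshold: two anomalies together
            return BLACK, reasons
        return (GREY, reasons) if reasons else (WHITE, reasons)

    def act(self, line, stepup_ok):
        """ACT: decide, call the step-up hook when needed, update on success.
        stepup_ok(user, kind) performs the real 2FA and returns True/False."""
        ev = parse(line)
        colour, reasons = self.score(ev)
        action = ACTION[colour]
        allowed = action == "allow" or stepup_ok(ev.user, action)
        # A high-risk command never enters the baseline, even after a
        # successful step-up; anything else the user proved is theirs does.
        if allowed and "high-risk command" not in reasons:
            self.update(ev)
        return {"user": ev.user, "cmd": ev.cmd, "colour": colour,
                "action": action, "allowed": allowed, "reasons": reasons}


# Constructed history for one user: office address, business hours, dev tooling.
HISTORY = [
    "2016-08-01T09:12:01 user=alice src=10.1.2.3 cmd=ls -la /var/www",
    "2016-08-01T09:15:44 user=alice src=10.1.2.3 cmd=tail -f /var/log/nginx/access.log",
    "2016-08-02T10:03:10 user=alice src=10.1.2.3 cmd=git pull",
    "2016-08-02T14:30:00 user=alice src=10.1.2.9 cmd=ls /srv",
]


def demo():
    """Run the loop over a constructed session and return the decisions."""
    engine = RiskEngine()
    engine.learn(HISTORY)
    session = [
        "2016-08-18T09:40:00 user=alice src=10.1.2.3 cmd=ls /srv",         # white
        "2016-08-18T09:41:00 user=alice src=10.1.2.3 cmd=cat /etc/hosts",  # grey: new command
        "2016-08-18T03:00:00 user=alice src=203.0.113.7 cmd=git pull",     # black: new IP + odd hour
        "2016-08-18T09:42:00 user=alice src=10.1.2.3 cmd=sudo visudo",     # black: high-risk
    ]
    # Stand-in for the real step-up: approve invisible 2FA, refuse physical 2FA.
    return [engine.act(l, stepup_ok=lambda u, kind: kind == "invisible-2fa") for l in session]


if __name__ == "__main__":
    for d in demo():
        print(d["colour"].upper().ljust(5), d["action"].ljust(13), d["cmd"], d["reasons"])
```

In a deployment the Learn step would run over SIEM or SSH proxy history rather than an inline list, and `stepup_ok` would call the push, SMS or hardware-token provider; the point the code makes is that the Grey/Black decision and the baseline update are separate from whichever 2FA channel delivers the challenge.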

Page 32:

OSS Tools and Plumbing

▸ Scikit Py, Weka
▸ Apache Kafka
▸ Apache Spark
▸ Twilio
▸ Nodejs
▸ Try SVM, LADTree, Stumps

Page 33:

OSS Tools and Plumbing

Register servers, dynamic DNS, change keys
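An added example of the "change keys" plumbing above, together with the SSH key management and command filtering features on page 27 and the SSH key rotation of PAM 1.0 on page 22; it is not Onion ID's tooling. It rotates a managed key in an OpenSSH authorized_keys file and pins every managed entry with `restrict`, `from=` and a forced `command=`, so a stolen key can only reach the filtering shim from the expected network. The shim path and source range are assumptions, and the key blobs in SAMPLE are constructed placeholders, not real public keys.

```python
"""Rotate a managed SSH key and pin it: every managed authorized_keys entry
carries restrict + from= + command=, so a compromised private key only gets
a filtered session from the allowed range.

Added illustration, not Onion ID's tooling. SHIM and ALLOWED_FROM are
assumptions; the key blobs in SAMPLE are constructed placeholders.
"""
from dataclasses import dataclass

SHIM = "/usr/local/bin/pam-shim"   # assumed forced-command wrapper (the SSH "proxy")
ALLOWED_FROM = "10.0.0.0/8"        # assumed bastion / VPN range

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)


@dataclass
class Entry:
    options: str   # "" when the line has no options field
    keytype: str
    blob: str
    comment: str


def _split_options(line):
    """Options end at the first whitespace outside double quotes, because
    command="..." and from="..." may themselves contain spaces or commas."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_entry(line):
    """Return an Entry, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = "", line
    else:
        options, rest = _split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an authorized_keys entry: %r" % line)
    return Entry(options, parts[0], parts[1], parts[2] if len(parts) == 3 else "")


def format_entry(e):
    return " ".join(x for x in (e.options, e.keytype, e.blob, e.comment) if x)


def hardened_options(tag):
    # restrict (OpenSSH 7.2+) disables pty, port/agent/X11 forwarding and rc;
    # command= forces every session through the shim, which sees the requested
    # command in SSH_ORIGINAL_COMMAND; from= limits the source addresses.
    return f'restrict,from="{ALLOWED_FROM}",command="{SHIM} {tag}"'


def rotate(text, tag, keytype, blob):
    """Replace the entry whose comment is `tag` with the new key (hardened),
    dropping the old key and any duplicates. Returns (new_text, removed_count)."""
    out, removed, placed = [], 0, False
    new = format_entry(Entry(hardened_options(tag), keytype, blob, tag))
    for raw in text.splitlines():
        e = parse_entry(raw)
        if e is None:
            out.append(raw)
        elif e.comment == tag:
            removed += 1
            if not placed:
                out.append(new)
                placed = True
        else:
            out.append(format_entry(e))
    if not placed:
        out.append(new)
    return "\n".join(out) + "\n", removed


def unmanaged(text):
    """Audit: comments of entries that are not pinned to the shim, i.e. the
    keys a PAM rollout still has to bring under control."""
    found = []
    for raw in text.splitlines():
        e = parse_entry(raw)
        if e is not None and f'command="{SHIM} ' not in e.options:
            found.append(e.comment or e.blob[:16])
    return found


# Constructed sample file: one managed key (alice) and one legacy unmanaged key.
SAMPLE = (
    "# managed keys below\n"
    'restrict,from="10.0.0.0/8",command="/usr/local/bin/pam-shim alice" '
    "ssh-ed25519 AAAAC3PLACEHOLDEROLDalice== alice\n"
    "ssh-rsa AAAAB3PLACEHOLDERlegacybob== bob@laptop\n"
)

if __name__ == "__main__":
    new_text, n = rotate(SAMPLE, "alice", "ssh-ed25519", "AAAAC3PLACEHOLDERNEWalice==")
    print(new_text)
    print("replaced:", n, "unmanaged:", unmanaged(new_text))
```

`restrict` also removes the pty, which is what you want when the shim only relays single commands; if the shim brokers interactive (recorded) sessions, add the `pty` option after `restrict`. The `unmanaged` audit is the check to run across every server before claiming the "100% coverage" of page 19.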

Page 34:

Conclusion

2FA on Apps and Servers

SaaS PAM

SSH, RDP Session Control

Secret Storage

Access sharing

Reporting and Audits

Server PAM

PAM is important.

You can build your own system with OSS.

Many compliance workflows will benefit from PAM.

Challenges exist, but, solutions exist too.

Page 35:

THANK YOU! www.onionid.com [email protected] +1-951-231-0557

https://www.linkedin.com/in/anirbanbanerjeephd

Page 36:

HIPAA

▸ (1) Integrity of ePHI Data—45 CFR 164.312(c)(1), (2), & (e)(2)(i). Controls must be put in place to verify legitimate changes to ePHI data until it is safely destroyed.

▸ (2) Availability of ePHI Data—45 CFR 164.308(a)(7)(ii). There need to be documented policies and procedures about making available copies of ePHI data. There must also be a way to recover information after a loss.

▸ (3) Authentication to ePHI Data Systems—45 CFR 164.312(d). There must be a way to verify the identity of a person attempting to gain access to any system containing or handling ePHI data.

▸ (4) Access Control in ePHI Data Systems—45 CFR 164.312(a)(1), (2), & (3). There need to be procedures so that inactive sessions are terminated, every user or device accessing ePHI data has a unique ID, and strict access control requirements are in place.

▸ (5) Audit of ePHI Data Systems—45 CFR 164.308(a)(5)(ii)(C) & 164.312(b). Controls need to be in place not only to monitor and report but also to audit access rights and the actions taken when any device or person accesses ePHI data.

Page 37:

FFIEC

▸ (a) Conduct regular audits to review the access and permission levels to critical systems for employees and contractors. Implement least privileges access policies across the entire enterprise. In particular, do not allow users to have local administrator rights on workstations.

▸ (b) Change default password and settings for system-based credentials.

▸ (c) Prevent un-patched systems, such as home computers and personal mobile devices from connecting to internal-facing systems.

▸ (d) Implement monitoring controls to detect unauthorized devices connected to internal networks.

▸ (e) Use secure connections when remotely accessing systems and services (e.g., virtual private networks).

Page 38:

PCI DSS 3.2

▸ (1) Layer low-friction 2FA techniques like geofencing, geoproximity and fingerprint sensing instead of 6/8-digit code logins. The lower the friction of verifying your identity, the better adoption you will see.

▸ (2) Install command introspection mechanisms to prevent misuse of server-level employee accounts. This ensures that even when an account is compromised it cannot be misused.

▸ (3) Have automated audit mechanisms in place to see who has accessed data. Implement 2FA for authorization, not just authentication: follow a layered approach to security, not an M&M one (hard shell, soft centre).

▸ (4) Discover from your AD or LDAP who the group leaders are and which applications people are accessing. You can also parse SIEM logs or analyze access patterns directly from the servers.

▸ (5) Implement a way of layering 2FA on apps that do not support 2FA. You can look at commercial products that can help, or build hooks into your forward web proxy or CASB solution using their APIs. Tying these APIs to Twilio-type services will make implementation easier.
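The verifier a proxy hook for point (5) needs, and the thing behind the "8-digit codes" of page 25, as an added example that is not Onion ID's or any proxy vendor's code: a TOTP (RFC 6238) check with a one-step skew window, constant-time comparison and replay protection. The in-process `last counter` store and the use of the RFC 6238 test secret are assumptions made so the block runs offline; a real deployment keeps per-user secrets and last-used counters in a shared store.

```python
"""TOTP (RFC 6238) check for a proxy-side step-up hook: a user hitting a
protected route on an app with no native 2FA is sent to a code page, and
the proxy lets the request through only if this verifier says yes.

Added illustration, not Onion ID's or any proxy vendor's code. State is
in-process (assumption); the secret is the RFC 6238 test secret.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


class StepUpVerifier:
    """Accepts a code if it matches the current or an adjacent time step and
    that time step has not already been used for this user (replay protection)."""

    def __init__(self, step=30, digits=6, skew=1):
        self.step, self.digits, self.skew = step, digits, skew
        self._last_counter = {}   # user -> highest counter already consumed

    def verify(self, user, secret, code, at=None):
        at = time.time() if at is None else at
        now = int(at // self.step)
        code = str(code).strip()
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False
        for delta in range(-self.skew, self.skew + 1):
            counter = now + delta
            if counter <= self._last_counter.get(user, -1):
                continue   # that window was already spent: treat as a replay
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self._last_counter[user] = counter
                return True
        return False


# RFC 6238 Appendix B test secret (SHA-1 column). In practice the per-user
# secret comes from enrolment and is stored base32-encoded.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = StepUpVerifier(digits=8)
    code = totp(TEST_SECRET, at=59, digits=8)
    print("code at t=59:", code)                                       # 94287082
    print("first use:", v.verify("alice", TEST_SECRET, code, at=59))   # True
    print("replay:   ", v.verify("alice", TEST_SECRET, code, at=59))   # False
```

The proxy should rate-limit `verify` per user as well: with 6 digits and a three-step window an unthrottled endpoint gives an attacker roughly a 3-in-a-million chance per guess, which is fine only if guesses are scarce. Replay protection matters because a code observed on the wire stays valid for up to 90 seconds otherwise.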

Page 39:

ISO 27001

▸ 7.1.1 - Inventory of assets
▸ 7.1.2 - Ownership of assets
▸ 7.1.3 - Acceptable use of assets
▸ 10.1.2 - Change management
▸ 10.1.3 - Segregation of duties
▸ 10.3.1 - Capacity management
▸ 10.10.1 - Audit logging
▸ 10.10.2 - Monitoring system use

▸ Additionally - 11.1.1, 11.2.4, 11.6.1, 13.1.1, 13.2.3, 15.1.4, 15.1.5, 15.2.1

Page 40:

CIS/CSC

▸ 5. Controlled use of administrative privileges - A PAM solution can tightly control what privileges are present for any account, not only on servers but also on any 3rd party SaaS service.

▸ 6. Maintenance, monitoring and analysis of logs - A PAM solution can feed event information in syslog or JSON format to a SIEM endpoint for analysis.

▸ 9. Limitation and control of network ports and services - A PAM solution can make sure that certain accounts cannot use protocols like SSH over certain IP ranges and ports.

▸ 10. Data recovery capability - A PAM solution allows for delegation of access when an employee is fired, so that removing the former employee's access does not cause data loss.

▸ 11. Secure configurations for network devices like firewalls and routers - A PAM solution can ensure that only certain updates or patches can be applied to critical equipment managing the network. This can be achieved via command introspection.

▸ 14. Controlled access based on the need to know - A PAM solution is purpose-built to solve this pain point. With most PAM solutions you should be able to choose who accesses what and what they can do with that access.

▸ 16. Account monitoring and control - same as above.

▸ 19. Incident response and management - PAM solutions are often tied into the dashboards that IR teams use. It is important for a PAM solution to export data in real time so that the team can use it for IR. This is already available in a few PAM solutions.