Neuroprivilogy: The New Frontier of Cyber Crime

By Shlomi Dinoor, vice president, emerging technologies, Cyber-Ark Software

Is your Neuroprivilogy vulnerable? The answer is most probably yes; you simply have no clue what Neuroprivilogy is (yet)…

The first step of this discussion is defining a fancy term to help educate and describe this new phenomenon:  Neuroprivilogy.  As the name suggests Neuroprivilogy is constructed from the words neural (network) and privileged (access), and can be defined as the science of privileged access points’ networks.  Using the neural network metaphor, an organization’s infrastructure is not flat, but instead, a network of systems (neuron=system).  The connections between systems are access points similar to synapses (for neurons).  Some of these access points are extremely powerful (i.e. privileged) while others are not.  Regardless, access points should be accessed only by authorized sources.

In nearly every IT department, discussions about virtualization and debates about moving to the cloud usually end up in the same uncomfortable place, bookended by concerns about lack of security and loss of control. To help create a realistic risk/reward profile, we must first examine how the definition of privilege, in context of the identity and access management landscape, is evolving.  We are no longer just talking about controlling database administrators with virtually limitless access to sensitive data and systems; we are talking about processes and operations that can be considered privileged based on the data accessed, the database being entered, or the actions being taken as a result of the data.

The concept of “privilege” is defined by the risk of the data being accessed or the system being manipulated.  Virtualized and cloud technologies compound that risk, making traditional perimeter defenses no longer sufficient to protect far-reaching cloud-enabled privileged operations. Whether data is hosted, based in a cloud or virtualized, “privileged accounts and access points” are everywhere.

To gain a better understanding of the vulnerabilities impacting a privileged access points’ network, consider these Seven Neuroprivilogy Vulnerability Fallacies:

1. These access points have limited permissions

Most access points are granted privileged access rights to systems – systems use proxy accounts for inter-system interactions (e.g. application to database). Usually the most permissive access rights required are used as the common (permission) denominator.

2. Given the associated high risk I probably have controls in place

Does anything from the following list sound familiar? Hardcoded passwords, clear-text passwords in scripts, default passwords never changed, “if we touch it, everything will break”… The irony is that personal accounts for real users have very limited access rights, yet stricter controls (even simple ones such as mandating frequent password changes).

3. But I have all those security systems so I must be covered, right?

Existing security controls fail to address this challenge – IAM, SIEM and GRC are all good solutions, however they address the challenge of known identities, accounting for limited access to the organization’s infrastructure, hence lower risk. Accounts associated with privileged access points usually have limitless access, and are often used by non-carbon based entities or anonymous identities. Therefore, more adequate controls are required.

4. Privileged access points vulnerability is strictly for insiders

Picture yourself as the bad guy: which of the following would you target? Personal accounts with limited capabilities protected by some controls, OR privileged access points with limitless access protected by no controls? The notion of an internal access point is long gone, especially with the borderless infrastructure trend (did I say cloud?).

5. This vulnerability is isolated to my traditional systems

Some of the more interesting attacks/breaches from the past year present an interesting yet not an entirely unexpected trend. The target is no longer confined to the traditional server, application or database. Bad guys attacked source code configuration management systems (Aurora attacks), point of sale devices, PLC (Stuxnet), ATMs, Videoconferencing systems (Cisco) and more.

6. Adding new systems (including security) should not impact my security posture

That’s where it gets interesting. Most systems interact with others, whether of an infrastructure nature (such as a database or user store) or services. Whenever you add a system to your environment you immediately add administrative accounts to the service, and interaction points (access points) to other systems. As already mentioned, most of these powerful access points are poorly maintained, causing a local vulnerability (of the new system) as well as a global vulnerability (the new system serves as a hopping point to other network nodes). Regardless, your overall security posture goes down.

7. I have many more accounts for real users than access points for systems

Though this fallacy might sound right, the reality is actually very different. It is not about how many systems you have, but the inter-communication between them. Based on conversations with enterprise customers, the complexity of the network and magnitude of this challenge will surprise many.

When observing these fallacies alongside the characteristics of advanced persistent threat (APT) attacks, you realize Neuroprivilogy vulnerability is the Holy Grail for APT attackers. Cyber criminals understand the potential of these privileged access points’ networks, and by leveraging these vulnerabilities they have transformed the cyber crime frontier, as seen with many of the recent APT attacks, such as Stuxnet. It fits perfectly with APT characteristics – not about quick or easy wins, but about patient, methodical and persistent attacks targeting a well-defined (big) “prize.” Working the privileged access points’ network will eventually grant the bad guy access to his target.

So, what options exist for organizations that must balance protecting against cyber criminals with the proven advantages of virtualization and cloud technology? Let’s get down to some more details about network access points – how to find them and how to eliminate the vulnerability, or at least lessen the impact.

Discover – there is nothing you can do if you don’t know about it… To better secure network access points, including related identities, processes and operations, organizations must be able to automate the detection process of privileged accounts, including service accounts and scheduled tasks, wherever they are used across the data center and remote networks.  This auto-detection capability significantly reduces ongoing administration overhead by proactively adding in new devices and systems as they are commissioned, and it further ensures that any privileged password changes are propagated wherever the account is used.  It also increases stability and eliminates risks of process and application failures from password synchronization mismatches.

Control – don’t be an ostrich, take control! Another benefit of automation, particularly for those who fear loss of control, is that organizations are assured that password refreshes are made at regular intervals and in line with the organization’s IT and security policies. Having an automated system in place allows the company to have a streamlined mechanism for disabling these privileged accounts immediately, thus lessening the impact on business operations.

And yeah, Comply – from a compliance standpoint, regulations such as Sarbanes-Oxley, PCI, and Basel II require organizations to provide accountability about who or what accessed privileged information, what was done, and whether passwords are protected and updated according to policy.  Without the necessary systems in place to automatically track and report that access, compliance becomes a daunting, time-consuming, and often expensive process, especially in terms of employees’ time and potential fines.
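The Discover and Control steps above, together with the hardcoded-password fallacy earlier in the piece, come down to two checks a practitioner can automate: finding literal credentials in scripts and config files, and finding privileged service or scheduled-task accounts whose passwords have not been rotated within policy. The Python script below is an added example, not code from the article or from Cyber-Ark; the file contents, the account inventory, the 90-day policy, the audit date and the default-password list are all constructed assumptions. It goes slightly beyond the text by treating `$VAR` and `$(command)` values as runtime lookups rather than literals, and by keeping the matched secret out of the findings so the report does not become another clear-text copy of the password.

```python
"""Inventory privileged "access points" and flag weak controls.

Added example, not code from the article or from Cyber-Ark. All input data
below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date

# Policy assumptions (hypothetical values): rotate privileged passwords at
# least every 90 days; these strings count as vendor defaults.
MAX_PASSWORD_AGE_DAYS = 90
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "sa"}
AUDIT_DATE = date(2011, 1, 10)  # constructed "today" so the arithmetic is reproducible

# Constructed sample: service and proxy accounts as an inventory tool might
# export them. The personal account is not privileged and is excluded.
SAMPLE_ACCOUNTS = [
    {"name": "svc_app_db", "type": "service", "privileged": True,
     "password_last_changed": date(2009, 3, 1)},
    {"name": "backup_task", "type": "scheduled_task", "privileged": True,
     "password_last_changed": date(2010, 11, 15)},
    {"name": "jsmith", "type": "user", "privileged": False,
     "password_last_changed": date(2010, 12, 20)},
]

# Constructed sample: contents of scripts and config files on one host.
SAMPLE_FILES = {
    "/opt/app/deploy.sh": "mysql -u svc_app_db -pS3cretPass prod_db < schema.sql\n",
    "/etc/app/db.conf": "db_user=svc_app_db\ndb_password=S3cretPass\n",
    "/etc/app/admin.conf": "admin_user=admin\nadmin_password=admin\n",
    "/opt/app/run.sh": 'export DB_PASSWORD="$(vault read secret/app)"\n',
}

# Each pattern captures the candidate secret in the "secret" group. The
# lookbehind keeps "--prefix"-style options from matching the -p flag.
CRED_PATTERNS = [
    ("mysql-style -p flag", re.compile(r"(?<!\S)-p(?P<secret>[^\s-]\S*)")),
    ("password= assignment", re.compile(r"(?i)password\s*=\s*(?P<secret>\S+)")),
]


@dataclass(frozen=True)
class Finding:
    location: str   # file:line or account name
    issue: str      # hardcoded_password | default_password | stale_privileged_password
    detail: str     # never contains the secret itself


def find_hardcoded_credentials(files):
    """Scan file contents for literal credentials (fallacy 2 on the page)."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for label, pattern in CRED_PATTERNS:
                for match in pattern.finditer(line):
                    value = match.group("secret").strip("\"'")
                    # "$VAR" or "$(cmd)" is resolved at run time (e.g. from a
                    # vault), so it is not a hardcoded secret: skip it.
                    if value.startswith("$"):
                        continue
                    issue = ("default_password" if value.lower() in DEFAULT_PASSWORDS
                             else "hardcoded_password")
                    findings.append(Finding(f"{path}:{lineno}", issue, label))
    return findings


def find_stale_privileged_accounts(accounts, today):
    """Flag privileged accounts whose password is older than policy allows."""
    findings = []
    for acct in accounts:
        if not acct["privileged"]:
            continue
        age_days = (today - acct["password_last_changed"]).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append(Finding(acct["name"], "stale_privileged_password",
                                    f"{acct['type']}, password age {age_days} days"))
    return findings


def audit(files, accounts, today):
    """Discover and control check in one pass; the result doubles as the audit record."""
    return find_hardcoded_credentials(files) + find_stale_privileged_accounts(accounts, today)


if __name__ == "__main__":
    for f in audit(SAMPLE_FILES, SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{f.issue:26} {f.location:28} {f.detail}")
```

Run stand-alone it reports three credential findings (one of them a vendor default) and one stale service-account password, while the `vault` lookup in `run.sh` and the user account `jsmith` are correctly left alone. In a real deployment the inventory would come from the directory and task scheduler exports rather than an inline list, and the findings list is what a compliance report would be generated from.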

It is true that no single solution can prevent every breach or cyber threat that could impact a virtualized or cloud environment (multiple layers of defence are important). However, by adopting a Neuroprivilogy state of mind, organizations gain a more holistic view of infrastructure vulnerabilities. The best advice is to “prepare now” by proactively implementing proven processes and technologies to automate adherence to the security policies that are in place across the entire enterprise. In doing so, enterprises can protect sensitive access points against breaches, meet audit requirements and mitigate productivity and business losses.

So, now that you know more, I’ll ask again: is your Neuroprivilogy vulnerable? If you aren’t sure, chances are there is a cyber criminal out there who already knows.  So now the real question becomes: what are you going to do about it?

# # #

About the author:  Shlomi Dinoor has more than 12 years of security and identity management experience in senior engineering management positions.  As the head of Cyber-Ark Labs at Cyber-Ark Software (www.cyber-ark.com), Dinoor is focused on new technologies that help customers prepare for “what’s next” in terms of emerging insider threats, data breach vulnerabilities and audit requirements.  To read more, visit his personal blog, Shlomi’s Parking Spot.

Will the Cloud Cause the Reemergence of Security Silos?

by: Matthew Gardiner

Generally in the world silos relate to things that are beneficial, such as silos for grain or corn. However, in the world of IT security, silos are very bad. In many forensic investigations application silos turn up as a key culprit that enabled data leakage of one sort or another. It is not that any one application silo is inherently a problem – one can repair and manage a single silo much as a farmer would do – it is the existence of many silos, and silos of so many types, that is the core problem. Farmers generally don’t use thousands of grain silos to handle their harvest; they have a handful of large, sophisticated, and centralized ones.

The same approach has proven highly effective in the world of application security, particularly since the emergence of the Web and its explosion of applications and users.  Managing security as a centralized service and applying it across large swaths of an organization’s infrastructure and applications is clearly a best practice.  However with the emergence of the Cloud as the hot application development and deployment platform going forward, organizations are at significant risk of returning to the bad days of security silos.  When speed overruns architecture, say hello to security silos and the weaknesses that they bring.

What do I mean by security silos?  I think of silos as application “architectures” which cause security (as well as IT management in general) to be conducted in “bits-and-pieces”, thus uniquely within the specific platform or system.  Applications are built this way because it feels faster in the short term. After all, the project needs to get done.  But after this approach is executed multiple times the organization is left with many inconsistent, custom, and diverse implementations and related security systems.  These systems are inevitably both complex to operate and expensive to maintain as well as easy to breach on purpose or by accident.

Perhaps this time it is different? Perhaps IT complexity will magically decline with the Cloud? Do you really think that the move to the Cloud is going to make the enterprise IT environment homogeneous and thus inherently easier to manage and secure? Not a chance. In fact, just the opposite is most likely. How many organizations will move all of their applications and data to public clouds? And, for that matter, to a single public cloud provider? Very few. Given this, it is imperative that security architects put in place security systems that are designed to operate in a highly heterogeneous, hybrid (mixed public cloud and on-premise) world. The cloud-connected world is one where applications and data will one day be inside the organization on a traditional platform, the next day hosted within the organization’s private cloud, the next day migrated to live within a public cloud service, and then back again, based on what is best for the organization at that time.

Are security silos inevitable with the move to the Cloud?  In the short term, unfortunately, probably yes.  With every new IT architecture the security approach has to do some catch-up.  It is the security professionals’ job to make this catch-up period as short as possible.

How should we shorten the catch-up period?

  • First, update your knowledge base around the Cloud and security. There are a lot of good sources out there; one in particular that I like is from the Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing.
  • Second, rethink your existing people, processes, and technology (sorry for the classic IT management cliché) in terms of the cloud. You will find the control objectives don’t change, but how you will accomplish them will.
  • Third, start making the necessary investments to prepare your organization for the transition to the cloud that is likely already underway.

While there are many areas covered in the above CSA document, let me focus on one area that in particular highlights some cloud specific security challenges, specifically around Identity and Access Management.

The CSA document says it well, “While an enterprise may be able to leverage several Cloud Computing services without a good identity and access management strategy, in the long run extending an organization’s identity services into the cloud is a necessary precursor towards strategic use of on-demand computing services.”  Issues such as user provisioning, authentication, session management, and authorization are not new issues to security professionals.  However, accomplishing them in the context of the cloud requires that the identity management systems that are on-premise in the enterprise automatically “dance” with the equivalent systems at the various cloud service providers.  This dance is best choreographed through the use of standards, such as SAML, XACML, and others.  In fact the rise of the cloud also raises the possibility of outsourcing even some of your identity management services, such as multi-factor authentication, access management, and other capabilities to specialized cloud security providers.

While in the short term it would seem that the emergence of some security silos is inevitable with organizations’ aggressive move to the cloud, it doesn’t have to be this way forever. We know security silos are bad, we know how to avoid them, and we have much of the necessary technology already available to eliminate them. Our necessary action is to take action.

Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM, cloud security, and other security-related topics. He is a member of the Kantara Initiative Board of Trustees. Matthew has a BSEE from the University of Pennsylvania and an SM in Management from MIT’s Sloan School of Management.  He blogs regularly at: http://community.ca.com/members/Matthew-Gardiner.aspx and also tweets @jmatthewg1234.  More information about CA Technologies can be found at www.ca.com.

Certifiable in the Cloud

Author: Pamela Fusco, VP of Industry Solutions for Solutionary

Cloud computing remains as much a mystery to some as it is a part of others’ daily lexicon. I spend a lot of time working with people who have connections to various offices of the U.S. government, and I find that, regardless of the topic or the background of the person I’m speaking with, one thing that consistently works when discussing something like cloud services with an audience that may not be too familiar with it is to start with an analogy.

Are you ready for my big Cloud computing analogy? Here it is: PIZZA!

Now, you might be wondering what pizza has to do with cloud computing?  Simply put, the passion for pizza is internationally recognized. With the exception of a few minor recipe tweaks here or there, the process for making it is well-known and all of the major “systems” we need to make it (ovens, stoves, etc.) are there for anyone to access.

But the funny thing about making pizza is that, as simple as it seems, not everyone can make good pizza, and unless you’re making four or five pizzas at a time you end up with a lot of wasted food (half a salami, bunches of veggies, etc.). So for those of us who simply don’t have the time or desire to do it ourselves, we order out. And that has fueled this multi-billion dollar pizza industry.

So, taking pizza to the cloud: organizations have already figured out that the ROI for “at home” cloud computing (i.e., pizza making) is not as impressive as the ROI you benefit from when buying from someone who is already in the business of delivering cloud services.

No great mystery here really, right? But let’s get a bit more complicated, because cloud computing is just the beginning. Sure, an organization might initially look at cloud computing as a way to realize cost savings over maintaining data centers, but there’s so much more to it than that, and that’s where you have to be careful.

History is an excellent indication of what our future holds. In fact, many believe that in order to understand our future, we must first understand our past. And that couldn’t be truer when it comes to risk mitigation and compliance in a virtualized cloud environment. If we take a look back at how applications have been delivered in the past, we have to also recognize the issues that have presented themselves with regards to risk mitigation and compliance. And just as unauthorized mainframe access was a problem way back then, the availability of our data when it’s “in the cloud” is a concern for organizations today.

All industries are under substantial oversight and regulation—from the FDA to PCI DSS—and requirements for these industries are ever changing. When operating with constantly changing requirements, basic standards and processes are core to the success of the operation and are usually “baked in” at some level within the data services you’re purchasing. But what happens when you want to try something different; more toppings perhaps, or maybe you’re hosting a get-together and your on-demand needs have doubled? If you’re with an experienced cloud services provider, then you probably won’t hesitate to place your custom order and add more products, because you trust the service and you are confident that what you receive will be “business as usual” and you will get your products as you need them.

This is all possible through experience. Your local pizzeria knows how to produce their products, scale their product to meet demand, and deliver services to support point in time needs and requirements. Heck, they probably even offer a “30 minute” service delivery guarantee (a.k.a. SLA).  Service providers, from infrastructure to software, must know their business and the business requirements of their clients, but they must also invest in R&D and innovation to ensure client retention, increase client base, and maintain compliance with regulatory statutes.  If they ignore any of these aspects, history will repeat itself.