NIST Guidelines for Secure Shell and What They Mean for Your Organization

Size: px
Start display at page:

Download "NIST Guidelines for Secure Shell and What They Mean for Your Organization"

Transcription

1 NIST Guidelines for Secure Shell and What They Mean for Your Organization

2 Table of Contents Introduction 3 SSH: A refresher 3 A secure yet vulnerable control 3 A widespread risk throughout the enterprise 3 Security controls help to reduce risk 4 NIST Control Area: Account Management 4 NIST Control Area: Access Enforcement 5 NIST Control Area: Least Privilege 5 NIST Control Area: Auditing and Monitoring 6 NIST Control Area: Risk Assessment 7 NIST Control Area: Identity and Authentication 7 Bringing a new level of security to the enterprise 8 About CyberArk 9 About NISTIR Cyber-Ark Software Ltd. cyberark.com 2

3 Introduction As part of an ongoing effort to help organizations strengthen security, the National Institute of Standards and Technology (NIST) recently issued an internal report on the use of Secure Shell (SSH) in interactive and automated access management. This report is intended to help organizations better understand SSH, and it offers a series of recommendations regarding SSH key management, access control, session monitoring, auditing and more to help organizations better secure remote access that is established using SSH. SSH: A refresher SSH is a protocol used to enable secure access to remote systems. SSH relies on a pair of cryptographic keys to authenticate users and applications to root, administrative and other system accounts. Thanks to its ease of use and reliability, SSH has become frequently used by system administrators to access privileged accounts on remote machines, and it is commonly used in automated IT processes to secure application-to-application communications, such as file transfers and automated backups. A secure yet vulnerable control While the SSH protocol itself provides a secure communications channel, unmanaged SSH keys can introduce several vulnerabilities into an otherwise secure system. The greatest challenge associated with the SSH protocol is that there is no inherent way to see or manage the keys used for authentication. As a result, SSH keys can easily be created and distributed, but they are difficult to track and control. Worse, due to this inherent lack of control, SSH keys can be intentionally created and used to circumvent privileged account management solutions. To compound this risk, the keys, which are completely out of the view and control of IT, never expire. Consequently, SSH keys can provide backdoor access for authorized and unauthorized users to critical systems, and IT security teams may never know. A widespread risk throughout the enterprise In a typical enterprise environment, there could be hundreds or even thousands of unsecured, unmanaged SSH keys used to authenticate to privileged administrative and root accounts. However, unlike privileged passwords, these keys are not typically part of any IT security plan. There is no way to monitor who has access to what, or even where the keys exist across an organization. As a result, basic security measures, such as the termination of unused accounts or the automatic rotation of account credentials, are not typically applied to SSH keys. Therefore, unhappy employees or malicious attackers can exploit these unsecured privileged credentials to gain widespread access to a multitude of systems and the sensitive data on these systems without ever being detected. According to a recent report by the Ponemon Institute, the majority of organizations today are neither securing nor managing SSH keys. Worse, as a result, fifty-one percent of organizations surveyed in the report have already experienced an SSH key-related compromise. 1 1 Ponemon 2014 SSH Security Vulnerability Report. Ponemon Institute. Cyber-Ark Software Ltd. cyberark.com 3

4 Security controls help to reduce risk As noted in the NIST recommendations for SSH, the effective management of SSH-based access requires proper provisioning, termination and monitoring processes. In its report, NIST has provided very specific guidelines on security controls for SSHbased access management. Some of the key areas that require controls include: Account management Access enforcement Least privilege Risk assessment Identification and authentication Auditing and monitoring Through its recommendations, NIST has begun encouraging organizations to start treating SSH keys like the privileged credentials they truly are. These proposed controls recognize the sensitivity of SSH keys and compel organizations to better secure and manage these keys. By following the NIST recommendations, organizations can get a head start on becoming compliant, mitigate the risk of unauthorized access to critical systems and better secure their sensitive data. The sections below look at each of the above categories and highlight how CyberArk solutions can help organizations implement these security controls. NIST Control Area: Account Management AC-2 CONTROLS #D, #G, #J, #K CyberArk SSH Key Manager CyberArk Discovery and Audit To prevent unauthorized users from accessing sensitive or regulated information, NIST recommends that organizations proactively secure, manage and monitor the use of SSH keys that provide access to privileged accounts. Recommendations related to account management include: Ensure that users only have access to the SSH keys needed for their role. Track the usage of keys to gain an audit trail of who accessed what and when. Rotate shared SSH keys as soon as a user leaves the authorized group. Continuously ensure that SSH keys are compliant with organizational policy. With CyberArk solutions, organizations can set policies to grant users access to SSH keys based on their existing role and access rights. Security teams can then track and audit the usage of the SSH keys to see exactly who accessed what and when. To ensure that these credentials do not remain static, policies can be configured to rotate SSH key pairs according to a master schedule or when needed, on-demand. The CyberArk Discovery and Audit tool, which finds and locates SSH keys across the IT environment, can be run to locate SSH keys and easily pinpoint which keys are compliant with organizational policy and which require attention. Cyber-Ark Software Ltd. cyberark.com 4

5 NIST Control Area: Access Enforcement AC-3, AC-3 CONTROL ENHANCEMENT #3, AC-17 CyberArk SSH Key Manager CyberArk Application Identity Manager A critical security measure is the control of access to enterprise systems, whether they are servers, virtual machines, operating systems, databases or applications. Any compromise at any level could result in serious consequences. As a result, the NIST recommended best practices in this area include: Create and enforce approval policies for SSH key-based access. Prevent users from propagating access rights by installing new private keys. Lock down authorized keys files so that users are unable to install their public keys on unauthorized target systems. CyberArk SSH Key Manager allows security personnel to grant access to SSH keys based on role. Organizations can define which credentials each user or user group is permitted to view or access. Organizations are then able to protect access to these credentials, as well as hide all unauthorized credentials from a user s view. Automated workflows can be configured to allow users to request one-time access to SSH keys with elevated privileges as needed for specific business reasons. Additionally, CyberArk Application Identity Manager enables organizations to remove locally stored SSH keys from applications and application servers and instead store them securely in a digital vault, thus preventing unauthorized users from compromising these keys and using them to propagate access across the environment. When used together, CyberArk SSH Key Manager and CyberArk Application Identity Manager can significantly reduce the risk of unauthorized access to private SSH keys. By securely storing private user and application SSH keys, organizations can control access to these keys, strengthen their security posture and become compliant with NIST recommendations. NIST Control Area: Least Privilege AC-6, AC-6 CONTROL ENHANCEMENTS #2, #3, #4, #5, #7, #10 CyberArk Discovery and Audit CyberArk SSH Key Manager CyberArk On-Demand Privileges Manager Privileged accounts are at the heart of most data breaches, so it s important to control SSH keys based on what type of access each user is granted. Privileges and access rights should be limited to only those required for a user s role or function to provide the highest degree of security. Therefore, in this area, NIST recommends the following: Continuously monitor the SSH key inventory and trust relationships between keys. Restrict what commands may be run with each SSH key. Only grant privileged SSH access if a task cannot be done using a non-privileged account. Prevent unauthorized users from accessing private keys that grant access to privileged accounts. Cyber-Ark Software Ltd. cyberark.com 5

6 Remove private SSH keys from local machines and frequently rotate key pairs. Lockdown the authorized keys files to prevent users from adding their own public keys without approval. CyberArk Discovery and Audit enables organizations to inventory SSH keys, trust relationships and orphan keys; for maximum effectiveness, the tool can be run at regular intervals to monitor the key inventory over time. Once discovered, the keys can be removed from local machines and centrally stored in the digital vault. SSH Key Manager enables organizations to restrict privileges at the key level and granularly control who has access to what keys, thus enforcing least privilege. Automated key rotation and distribution helps organizations streamline security processes, comply with requirements and improve their security postures, all without burdening the IT team. Additionally, CyberArk On-Demand Privileges Manager enables organizations to limit privileges at the individual account level while still allowing users to escalate privileges for specified business purposes in accordance with policy. NIST Control Area: Auditing and Monitoring AU-3 CONTROL ENHANCEMENT #1, CA-7, CM-5, SI-4 CyberArk SSH Key Manager CyberArk Discovery and Audit CyberArk Privileged Session Manager Continuous auditing of privileged account access helps organizations ensure that the processes for provisioning, lifecycle management and key termination are being followed and enforced. Similarly, ongoing monitoring of privileged user activity helps organizations detect unauthorized activities, commands or changes to critical systems. To effectively monitor and audit the use of both SSH keys and SSH session activity, NIST recommends that organizations: Track the use of SSH keys, including who used the private key and what target system was accessed with that key. Regularly analyze SSH-based access and trusts to detect unauthorized keys. Proactively prevent systems administrators from modifying SSH keys and files. Monitor user activity to detect unauthorized changes to SSH keys or SSH configuration files. CyberArk Discovery and Audit enables organizations to locate SSH keys throughout the environment and clearly understand trust relationships between systems. Using this tool, organizations can identify unauthorized SSH keys and trusts and take steps to remediate unauthorized keys. CyberArk SSH Key Manager works with CyberArk Privileged Session Manager to track the use of SSH keys and monitor user activity during SSH sessions. With these tools for monitoring and auditing, organizations can detect unauthorized SSH access, unauthorized changes to SSH key files and other unauthorized configuration changes. Combined, CyberArk technology provides visibility into the SSH key inventory, a complete audit trail of SSH access and searchable session audit logs that can accelerate forensics investigations. Cyber-Ark Software Ltd. cyberark.com 6

7 NIST Control Area: Risk Assessment CA-3, RA-3 CyberArk Discovery and Audit Security and risk assessments help organizations identify vulnerabilities and weaknesses that employees or attackers could exploit. Environments that use SSH keys for authentication often have several linked systems that can all subsequently be compromised if an attacker were to compromise a single private key. To address this vulnerability, organizations should assess their environments, look for unnecessary relationships between systems, and take steps to better segregate their environment and reduce the risk an SSH key compromise. To effectively understand an SSH environment and make a plan to mitigate risks, NIST recommends: Assess the entire IT environment to locate all SSH keys. Understand trust relationships between systems, and map how lateral movement could occur using compromised SSH keys. Determine which users, systems or applications have access to which keys. Make an actionable plan to remove unnecessary keys from users and systems. CyberArk Discovery and Audit enables organizations to locate privileged accounts and SSH keys throughout the IT environment, gain insight into trust relationships between users and systems, and map which systems can be exploited by attackers to move laterally through the organization. Using this information, organizations can fully understand their privileged account vulnerabilities and create a clear plan to remediate risks and remove unnecessary access. NIST Control Area: Identity and Authentication CyberArk SSH Key Manager IA-2, IA-5, IA-5 CONTROL ENHANCEMENT #7, IA-8, PS-4 CyberArk Application Identity Manager CyberArk Enterprise Password Vault To easily identify who is doing what, it s important to ensure that each user has a unique SSH key and that the SSH key cannot be shared with other users. In situations when it is not possible to distribute individual keys, organizations must limit which users have access to shared keys, control access to those keys, and monitor who is accessing the keys. Organizations must also be sure to rotate shared key pairs as soon as a user within an authorized user group leaves. Regardless of whether key pairs are used by individuals or shared within groups, it is important that organizations do not rely on static SSH keys for authentication. Instead, organizations should proactively rotate all key pairs to limit the risk of unauthorized access using SSH keys. Further, to ensure that organizations are cognizant of all the credentials used within their environments, NIST also highlights the importance of finding and removing hard-coded passwords used within applications and scripts, as these credentials can easily be accessed and used to propagate unauthorized access. Cyber-Ark Software Ltd. cyberark.com 7

8 To support the above goals, NIST recommends the following: Assign SSH keys on an individual user or system basis, and enforce policies that prohibit the sharing, copying, or moving of private keys. Ensure that shared SSH key pairs are rotated as soon as a user leaves the group. Proactively rotate all key pairs on a regular basis to eliminate static keys. Prohibit automated access that relies on hard-coded passwords. CyberArk SSH Key Manager can tie both shared and non-shared SSH keys to individual user identities, allowing for the controlled management of private key information within the context of a corporate identity policy. It is designed to securely store, rotate, and control access to SSH keys to prevent unauthorized access to privileged accounts. In addition, it can limit the lifetime of a key by automatically managing key rotation. This solution also integrates with Active Directory and other identity and access management solutions to ensure that keys are appropriately decommissioned in the event of an employee s termination. On the hard-coded credential side, CyberArk Application Identity Manager can remove embedded passwords and locally stored SSH keys that are used to facilitate automated application processes and securely store these privileged credentials in a digital vault. Using CyberArk Enterprise Password Vault or SSH Key Manager, organizations can secure, manage and rotate these credentials from a single platform in accordance with organizational policy. Bringing a new level of security to the enterprise By following the carefully detailed NIST guidelines and using CyberArk solutions, companies can now bring SSH key security and management into their broader enterprise security plans. With these measures in place, no longer will unprotected SSH keys pose an underlying threat to critical systems and data. With CyberArk solutions, companies can discover and identify the thousands of SSH keys within their organizations, and then proactively secure, manage and control access to them. Monitoring and auditing, along with continual assessments, help to identify new vulnerabilities as they develop and ensure ongoing security. Using CyberArk solutions, organizations can build a comprehensive privileged account security strategy that equally secures, manages, and monitors privileged passwords and SSH keys all from a single, unified platform. By using an integrated platform to secure all privileged accounts and credentials, organizations can address compliance requirements and strengthen their security postures while streamlining IT security process. Cyber-Ark Software Ltd. cyberark.com 8

9 About CyberArk CyberArk is the trusted expert in privileged account security because of its track record of innovation and security expertise. CyberArk s Privileged Account Security solutions have been organically developed from the ground up, designed to meet the needs of even the largest, most complex organizations. CyberArk provides a comprehensive, tightly integrated, end-to-end solution that protects all privileged accounts, whether they are on-premises or in the cloud. In addition, the entire CyberArk suite of products is built on a single integrated platform, providing organizations with a high degree of flexibility, scalability, and usability. Companies can deploy a single infrastructure and expand the solution cost effectively as budgeting and funds allow. With CyberArk solutions, organizations can secure, manage, monitor and control access to all their privileged credentials, including both passwords and SSH keys, as well as gain the reporting capabilities necessary to prove compliance with audit requirements. CyberArk solutions enable organizations to strengthen their security postures while confidently addressing NIST guidelines for secure automated access. To learn more about CyberArk, visit About NISTIR 7966 To read the brief and recommendations in full, download NISTIR 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH) directly from the NIST website at Cyber-Ark Software Ltd. cyberark.com 9

10 All rights reserved. This document contains information and ideas, which are proprietary to Cyber-Ark Software Ltd. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior written permission of Cyber-Ark Software Ltd. Copyright by Cyber-Ark Software Ltd. All rights reserved.

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits A Clear View of Challenges, Solutions and Business Benefits Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide

More information

Securing Remote Vendor Access with Privileged Account Security

Securing Remote Vendor Access with Privileged Account Security Securing Remote Vendor Access with Privileged Account Security Table of Contents Introduction to privileged remote third-party access 3 Do you know who your remote vendors are? 3 The risk: unmanaged credentials

More information

Pass-the-Hash. Solution Brief

Pass-the-Hash. Solution Brief Solution Brief What is Pass-the-Hash? The tools and techniques that hackers use to infiltrate an organization are constantly evolving. Credential theft is a consistent concern as compromised credentials

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

IBM Security Privileged Identity Manager helps prevent insider threats

IBM Security Privileged Identity Manager helps prevent insider threats IBM Security Privileged Identity Manager helps prevent insider threats Securely provision, manage, automate and track privileged access to critical enterprise resources Highlights Centrally manage privileged

More information

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account

More information

Complying with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 An Assessment of Cyber-Ark's Solutions

Complying with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 An Assessment of Cyber-Ark's Solutions Complying with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 An Assessment of Cyber-Ark's Solutions z September 2011 Table of Contents EXECUTIVE SUMMARY... 3 CYBER-ARK

More information

The 10 Pains of UNIX Security. Learn How Privileged Account Security Solutions are the Right Painkiller

The 10 Pains of UNIX Security. Learn How Privileged Account Security Solutions are the Right Painkiller Learn How Privileged Account Security Solutions are the Right Painkiller Table of Contents Introduction: Control Access, Empower Team 3 The 10 Pains of UNIX Security 4 Pain No.1: Protecting the Keys to

More information

Leveraging Privileged Identity Governance to Improve Security Posture

Leveraging Privileged Identity Governance to Improve Security Posture Leveraging Privileged Identity Governance to Improve Security Posture Understanding the Privileged Insider Threat It s no secret that attacks on IT systems and information breaches have increased in both

More information

Secure Shell User Keys and Access Control in PCI-DSS Compliance Environments

Secure Shell User Keys and Access Control in PCI-DSS Compliance Environments A Secure Shell Key Management White Paper Secure Shell User Keys and Access Control in PCI-DSS Compliance Environments Emerging trends impacting PCI-DSS compliance requirements in secure shell deployments

More information

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud Contents Overview...3 Management Issues...3 Real-World

More information

Introduction to AWS Security July 2015

Introduction to AWS Security July 2015 Introduction to AWS Security July 2015 Page 1 of 7 Table of Contents Introduction... 3 Security of the AWS Infrastructure... 3 Security Products and Features... 4 Network Security... 4 Inventory and Configuration

More information

CyberArk Privileged Threat Analytics. Solution Brief

CyberArk Privileged Threat Analytics. Solution Brief CyberArk Privileged Threat Analytics Solution Brief Table of Contents The New Security Battleground: Inside Your Network...3 Privileged Account Security...3 CyberArk Privileged Threat Analytics : Detect

More information

Strengthen security with intelligent identity and access management

Strengthen security with intelligent identity and access management Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers

More information

Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP

Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP P a g e 1 Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP December 24, 2015 Coalfire Systems, Inc. www.coalfire.com 206-352- 6028 w w w. c o

More information

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program WhiteHat Security White Paper Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program October 2015 The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information

More information

Next Generation Jump Servers for Industrial Control Systems

Next Generation Jump Servers for Industrial Control Systems Next Generation Jump Servers for Industrial Control Systems Isolation, Control and Monitoring - Learn how Next Generation Jump Servers go beyond network separation to protect your critical infrastructure

More information

Unified Security Management

Unified Security Management Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic

More information

Solving the Security Puzzle

Solving the Security Puzzle Solving the Security Puzzle How Government Agencies Can Mitigate Today s Threats Abstract The federal government is in the midst of a massive IT revolution. The rapid adoption of mobile, cloud and Big

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

Security issues in M2M envinronments when dealing with encrypted communication channels (such as SSH) Raoul Chiesa President, Security Brokers

Security issues in M2M envinronments when dealing with encrypted communication channels (such as SSH) Raoul Chiesa President, Security Brokers Security issues in M2M envinronments when dealing with encrypted communication channels (such as SSH) Raoul Chiesa President, Security Brokers Agenda Introductions The rise of machine-based identities

More information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative

More information

Addressing the United States CIO Office s Cybersecurity Sprint Directives

Addressing the United States CIO Office s Cybersecurity Sprint Directives RFP Response Addressing the United States CIO Office s Cybersecurity Sprint Directives How BeyondTrust Helps Government Agencies Address Privileged Account Management and Improve Security July 2015 Addressing

More information

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015 Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...

More information

Real-Time Security for Active Directory

Real-Time Security for Active Directory Real-Time Security for Active Directory Contents The Need to Monitor and Control Change... 3 Reducing Risk and Standardizing Controls... 3 Integrating Change Monitoring... 4 Policy Compliance... 4 The

More information

How can Content Aware Identity and Access Management give me the control I need to confidently move my business forward?

How can Content Aware Identity and Access Management give me the control I need to confidently move my business forward? SOLUTION BRIEF Content Aware Identity and Access Management May 2010 How can Content Aware Identity and Access Management give me the control I need to confidently move my business forward? we can CA Content

More information

How to Achieve Operational Assurance in Your Private Cloud

How to Achieve Operational Assurance in Your Private Cloud How to Achieve Operational Assurance in Your Private Cloud As enterprises implement private cloud and next-generation data centers to achieve cost efficiencies and support business agility, operational

More information

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience IDENTITY & ACCESS Privileged Identity Management controlling access without compromising convenience Introduction According to a recent Ponemon Institute study, mistakes made by people Privilege abuse

More information

White paper. Implications of digital certificates on trusted e-business.

White paper. Implications of digital certificates on trusted e-business. White paper Implications of digital certificates on trusted e-business. Abstract: To remain ahead of e-business competition, companies must first transform traditional business processes using security

More information

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015 Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...

More information

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance. On Time. On Budget. On Demand. IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

More information

Symantec's Continuous Monitoring Solution

Symantec's Continuous Monitoring Solution Preparing for FISMA 2.0 and Continuous Monitoring Requirements Symantec's Continuous Monitoring Solution White Paper: Preparing for FISMA 2.0 and Continuous Monitoring Requirements Contents Introduction............................................................................................

More information

Is Your Identity Management Program Protecting Your Federal Systems?

Is Your Identity Management Program Protecting Your Federal Systems? Is Your Identity Management Program Protecting Your Federal Systems? With the increase in integrated, cloud and remote technologies, it is more challenging than ever for federal government agencies to

More information

Addressing PCI Compliance

Addressing PCI Compliance WHITE PAPER DECEMBER 2015 Addressing PCI Compliance Through Privileged Access Management 2 WHITE PAPER: ADDRESSING PCI COMPLIANCE Executive Summary Challenge Organizations handling transactions involving

More information

SECURING ENTERPRISE NETWORK 3 LAYER APPROACH FOR BYOD

SECURING ENTERPRISE NETWORK 3 LAYER APPROACH FOR BYOD SECURING ENTERPRISE NETWORK 3 LAYER APPROACH FOR BYOD www.wipro.com Table of Contents Executive Summary 03 Introduction 03 Challanges 04 Solution 05 Three Layered Approach to secure BYOD 06 Conclusion

More information

Privileged Session Management Suite: Solution Overview

Privileged Session Management Suite: Solution Overview Privileged Session Management Suite: Solution Overview June 2012 z Table of Contents 1 The Challenges of Isolating, Controlling and Monitoring Privileged Sessions... 3 2 Cyber-Ark s Privileged Session

More information

The Essential Security Checklist. for Enterprise Endpoint Backup

The Essential Security Checklist. for Enterprise Endpoint Backup The Essential Security Checklist for Enterprise Endpoint Backup IT administrators face considerable challenges protecting and securing valuable corporate data for today s mobile workforce, with users accessing

More information

Best practices guide to application-to-application (A2A) Password management. Privileged password management

Best practices guide to application-to-application (A2A) Password management. Privileged password management Best practices guide to application-to-application (A2A) Password management Privileged password management Overview In datacenters worldwide it is common practice to hard-code passwords and user IDs in

More information

QTS Leverages HyTrust to Build a FedRAMP Compliant Cloud

QTS Leverages HyTrust to Build a FedRAMP Compliant Cloud CASE STUD QTS Leverages HyTrust to Build a FedRAMP Compliant Cloud The technology and expertise provided by HyTrust dramatically simplified the process of preparing for our FedRAMP certification. HyTrust

More information

PowerBroker for Windows

PowerBroker for Windows PowerBroker for Windows Desktop and Server Use Cases February 2014 1 Table of Contents Introduction... 4 Least-Privilege Objectives... 4 Least-Privilege Implementations... 5 Sample Regulatory Requirements...

More information

October 2014. Four Best Practices for Passing Privileged Account Audits

October 2014. Four Best Practices for Passing Privileged Account Audits Four Best Practices for Passing Privileged Account Audits October 2014 1 Table of Contents... 4 1. Discover All Privileged Accounts in Your Environment... 4 2. Remove Privileged Access / Implement Least

More information

The CyberArk Privileged Account Security Solution. A complete solution to protect, monitor, detect, alert and respond to privileged accounts

The CyberArk Privileged Account Security Solution. A complete solution to protect, monitor, detect, alert and respond to privileged accounts The CyberArk Privileged Account Security Solution A complete solution to protect, monitor, detect, alert and respond to privileged accounts Table of Contents The Privileged Account a Real, Pervasive, Threat...3

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

Defending the Database Techniques and best practices

Defending the Database Techniques and best practices ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager mtrinidad@appsecinc.com March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target

More information

Secret Server Qualys Integration Guide

Secret Server Qualys Integration Guide Secret Server Qualys Integration Guide Table of Contents Secret Server and Qualys Cloud Platform... 2 Authenticated vs. Unauthenticated Scanning... 2 What are the Advantages?... 2 Integrating Secret Server

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

PowerBroker for Windows Desktop and Server Use Cases February 2014

PowerBroker for Windows Desktop and Server Use Cases February 2014 Whitepaper PowerBroker for Windows Desktop and Server Use Cases February 2014 1 Table of Contents Introduction... 4 Least-Privilege Objectives... 4 Least-Privilege Implementations... 4 Sample Regulatory

More information

Password Management Evaluation Guide for Businesses

Password Management Evaluation Guide for Businesses Password Management Evaluation Guide for Businesses White Paper 2016 Executive Summary Passwords and the need for effective password management are at the heart of the rise in costly data breaches. Various

More information

SecureGRC TM - Cloud based SaaS

SecureGRC TM - Cloud based SaaS - Cloud based SaaS Single repository for regulations and standards Centralized repository for compliance related organizational data Electronic workflow to speed up communications between various entries

More information

Configuring Hosting Controller with Exchange 2013 & 2016

Configuring Hosting Controller with Exchange 2013 & 2016 Configuring Hosting Controller with Exchange Hosting Controller www.hostingcontroller.com Contents Proprietary Notice... 1 Introduction... 2 Minimum System Requirements for Exchange 2013... 2 Exchange

More information

Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid clouds.

Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid clouds. ENTERPRISE MONITORING & LIFECYCLE MANAGEMENT Unify IT Operations Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid

More information

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief RSA Solution Brief Streamlining Security Operations with Managing RSA the Lifecycle of Data Loss Prevention and Encryption RSA envision Keys with Solutions RSA Key Manager RSA Solution Brief 1 Who is asking

More information

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE

More information

Mitigating Risks and Monitoring Activity for Database Security

Mitigating Risks and Monitoring Activity for Database Security The Essentials Series: Role of Database Activity Monitoring in Database Security Mitigating Risks and Monitoring Activity for Database Security sponsored by by Dan Sullivan Mi tigating Risks and Monitoring

More information

Avoiding the Top 5 Vulnerability Management Mistakes

Avoiding the Top 5 Vulnerability Management Mistakes WHITE PAPER Avoiding the Top 5 Vulnerability Management Mistakes The New Rules of Vulnerability Management Table of Contents Introduction 3 We ve entered an unprecedented era 3 Mistake 1: Disjointed Vulnerability

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Centrify Server Suite Management Tools

Centrify Server Suite Management Tools SERVER SUITE TECHNICAL BRIEF Centrify Server Suite Management Tools Centrify Server Suite includes - at no extra charge - a powerful set of management tools in all editions: Centrify Identity Risk Assessor

More information

WHITE PAPER Malicious Code and Mobile Devices: Best Practices for Securing Mobile Environments

WHITE PAPER Malicious Code and Mobile Devices: Best Practices for Securing Mobile Environments Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com WHITE PAPER Malicious Code and Mobile Devices: Best Practices for Securing Mobile Environments Sponsored

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

Understanding Account Access Management

Understanding Account Access Management The Essentials Series: Managing Access to Privileged Accounts Understanding Account Access Management sponsored by by Ed Tittel Understanding Account Access Management...1 Types of Access...2 User Level...2

More information

CA Vulnerability Manager r8.3

CA Vulnerability Manager r8.3 PRODUCT BRIEF: CA VULNERABILITY MANAGER CA Vulnerability Manager r8.3 CA VULNERABILITY MANAGER PROTECTS ENTERPRISE SYSTEMS AND BUSINESS OPERATIONS BY IDENTIFYING VULNERABILITIES, LINKING THEM TO CRITICAL

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

Looking at the SANS 20 Critical Security Controls

Looking at the SANS 20 Critical Security Controls Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of

More information

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013 SOFTWARE ASSET MANAGEMENT Continuous Monitoring September 16, 2013 Tim McBride National Cybersecurity Center of Excellence timothy.mcbride@nist.gov David Waltermire Information Technology Laboratory david.waltermire@nist.gov

More information

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations rbarnes@appsecinc.com

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations rbarnes@appsecinc.com Database Auditing: Best Practices Rob Barnes, CISA Director of Security, Risk and Compliance Operations rbarnes@appsecinc.com Verizon 2009 Data Breach Investigations Report: 285 million records were compromised

More information

10 Hidden IT Risks That Might Threaten Your Law Firm

10 Hidden IT Risks That Might Threaten Your Law Firm (Plus 1 Fast Way to Find Them) Your law firm depends on intelligence. But can you count on your technology? You may not be in the intelligence technology business, but it s probably impossible to imagine

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services. Security solutions To support your IT objectives Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services. Highlights Balance effective security with

More information

ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector

ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

Security Self-Assessment Tool

Security Self-Assessment Tool Security Self-Assessment Tool State Agencies Receiving FPLS Information, 7/15/2015 Contents Overview... 2 Access Control (AC)... 3 Awareness and Training (AT)... 8 Audit and Accountability (AU)... 10 Security

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

PRIVILEGED ACCOUNTS DISCOVERY FOR WINDOWS

PRIVILEGED ACCOUNTS DISCOVERY FOR WINDOWS PRIVILEGED ACCOUNTS DISCOVERY FOR WINDOWS Executive Summary Prepared for Acme Inc Scan Date 01/08/2016 18:35:38. Scan completed in 50 minutes. Directory Domain Scanned test.acmeinc.com - Ou(s) Scanned:

More information

Three significant risks of FTP use and how to overcome them

Three significant risks of FTP use and how to overcome them Three significant risks of FTP use and how to overcome them Management, security and automation Contents: 1 Make sure your file transfer infrastructure keeps pace with your business strategy 1 The nature

More information

RESEARCH NOTE CYBER-ARK FOR PRIVILEGED ACCOUNT MANAGEMENT

RESEARCH NOTE CYBER-ARK FOR PRIVILEGED ACCOUNT MANAGEMENT Document K23 RESEARCH NOTE CYBER-ARK FOR PRIVILEGED ACCOUNT MANAGEMENT THE BOTTOM LINE Managing privileged accounts requires balancing accessibility and control while ensuring audit capabilities. Cyber-Ark

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

Governance and Control of Privileged Identities to Reduce Risk

Governance and Control of Privileged Identities to Reduce Risk WHITE PAPER SEPTEMBER 2014 Governance and Control of Privileged Identities to Reduce Risk Merritt Maxim CA Security Management 2 WHITE PAPER: PRIVILEGED IDENTITY GOVERNANCE Table of Contents Executive

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Tenable for CyberArk

Tenable for CyberArk HOW-TO GUIDE Tenable for CyberArk Introduction This document describes how to deploy Tenable SecurityCenter and Nessus for integration with CyberArk Enterprise Password Vault. Please email any comments

More information

Choosing Encryption for Microsoft SQL Server

Choosing Encryption for Microsoft SQL Server Choosing Encryption for Microsoft SQL Server www.securityfirstcorp.com 29811 Santa Margarita Pkwy Rancho Santa Margarita, CA 92688 888-884-7152 CONTENTS Database Security Issues 3 Balancing Database Security

More information

Vistara Lifecycle Management

Vistara Lifecycle Management Vistara Lifecycle Management Solution Brief Unify IT Operations Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Assuring Application Security: Deploying Code that Keeps Data Safe

Assuring Application Security: Deploying Code that Keeps Data Safe Assuring Application Security: Deploying Code that Keeps Data Safe Assuring Application Security: Deploying Code that Keeps Data Safe 2 Introduction There s an app for that has become the mantra of users,

More information

Host-based Protection for ATM's

Host-based Protection for ATM's SOLUTION BRIEF:........................................ Host-based Protection for ATM's Who should read this paper ATM manufacturers, system integrators and operators. Content Introduction...........................................................................................................

More information

Symantec Client Management Suite 8.0

Symantec Client Management Suite 8.0 IT Flexibility. User Freedom. Data Sheet: Endpoint Management Overview of Symantec Client Management Suite Symantec Client Management Suite automates time-consuming and redundant tasks for deploying, managing,

More information

Websense Data Security Suite and Cyber-Ark Inter-Business Vault. The Power of Integration

Websense Data Security Suite and Cyber-Ark Inter-Business Vault. The Power of Integration Websense Data Security Suite and Cyber-Ark Inter-Business Vault The Power of Integration Websense Data Security Suite Websense Data Security Suite is a leading solution to prevent information leaks; be

More information

WEB CONTENT MANAGEMENT SYSTEM

WEB CONTENT MANAGEMENT SYSTEM WEB CONTENT MANAGEMENT SYSTEM February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information

Addressing BYOD Challenges with ForeScout and Motorola Solutions

Addressing BYOD Challenges with ForeScout and Motorola Solutions Solution Brief Addressing BYOD Challenges with ForeScout and Motorola Solutions Highlights Automated onboarding Full automation for discovering, profiling, and onboarding devices onto both wired and wireless

More information

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities Identity and Access Management Integration with PowerBroker Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 4 BeyondTrust

More information

Evaluation Report. Office of Inspector General

Evaluation Report. Office of Inspector General Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury

More information

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a

More information

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref: SERVER SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Purpose Instructions Improperly configured systems,

More information

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE

More information

Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know

Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know Whitepaper Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know Phone (0) 161 914 7798 www.distology.com info@distology.com detecting the unknown Integrity

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information