Mitigating the Risks of Privilege-based Attacks in Federal Agencies

Transcription

1 WHITE PAPER Mitigating the Risks of Privilege-based Attacks in Federal Agencies Powerful compliance and risk management solutions for government agencies 1

2 Table of Contents Your networks are under attack from within and without... 4 What does privilege have to do with it?... 4 PowerBroker: Comprehensive privileged account management... 5 The BeyondInsight IT Risk Management Platform... 7 Compliance: How BeyondTrust mitigates risk across the board... 7 FISMA/NIST... 7 NIST SP : Security and Privacy Controls for Federal Information Systems & Organizations... 8 NIST SP : Managing Information Security Risk... 8 NIST SP : Continuous Monitoring... 8 SANS Top 20 Critical Security Controls... 9 Certifications Providing the assurance you need Sample U.S. Federal customers that trust BeyondTrust

3 2014 Beyond Trust. All Rights Reserved. Warranty This document is supplied on an "as is" basis with no warranty and no support. This document contains information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of BeyondTrust. Limitations of Liability In no event shall BeyondTrust be liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages (including lost profit or lost data) whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material. The information contained in this document is subject to change without notice. No trademark, copyright, or patent licenses are expressly or implicitly granted (herein) with this white paper. For the latest updates to this document, please visit: Disclaimer All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust is not associated with any other vendors or products mentioned in this document. 3

4 Your networks are under attack from within and without The compliance landscape for government agencies changes with almost every administration. There are always new requirements and penalties that agencies have to be able to anticipate, implement, and report on. At the same time, government information networks like their counterparts in public and private enterprises are constantly vulnerable to both internal and external threats. Each of these types of threats has their own unique characteristics. Internal threats may be malicious (designed to cause harm) or unintentional (the result of human error), exposing weaknesses in the agency s defenses and policies. Regardless of intent, insiders can do significant damage quickly, as they are already inside perimeter-layer security. External threats are designed to exploit vulnerabilities in networks and endpoints; they often seek to gain a foothold where they can act as an insider. Once an attacker gains administrative access, it is easy to make configuration changes that enable the installation of malicious software, and alter security controls for unfettered access to sensitive information. The collateral damage of such attacks is extensive, ranging from simple non-compliance consequences to national security threats. Intellectual property, defense information, personnel records, and other classified information can easily be stolen, sold, and used against the interests of the U.S. government, its citizens, and its allies. The key is to enforce strict limits on what a given network user is able to do in terms of accessing and utilizing network resources, and to monitor usage to quickly identify improper activity. The most effective approach to take with end users in the current environment involves restricting access privileges through both policy and technology methods allowing the least possible privilege for every user. This is the domain of BeyondTrust s PowerBroker privileged account management (PAM) solutions. What does privilege have to do with it? The least-privilege approach has gained a lot of credibility recently thanks to one notorious name: Edward Snowden. In the aftermath of Snowden leaking classified information he had access privileges to, the NSA announced it would reduce system administrator privileges by 90%. Indeed, Insider and privilege misuse was identified by the 2014 Verizon Data Breach Investigations Report as one of the nine basic patterns of activity in the past decade that have resulted in confirmed data breaches. The fact is many government users have more access than they need to perform their current job functions. With a least-privilege approach, users receive permissions only to the systems, applications, and data they need based on their current role or profile in the agency. These privileges can be user, system, or role-based as well as time-based (e.g., access granted only for certain days or hours, or for a set duration of time). Administrators can increase or restrict access as needed after all, user roles do 4

5 change frequently and special projects often require elevated levels of access but whenever possible, and as quickly as possible, privileges should return to their least level. Still, it is important to understand that restricting privileges is only part of the solution. All user activity while under approved privileges should be monitored and audited to ensure appropriate use, and to quickly identify, flag, and prevent misuse whether malicious or unintentional. By monitoring privileged users with solutions such as BeyondTrust s PowerBroker products, which enable proactive alerts and associated reporting, you can achieve verifiable compliance with stated access policies and gain assurance that your security solution can pass any audit. PowerBroker: Comprehensive privileged account management BeyondTrust s PowerBroker suite of privileged account management (PAM) solutions provides comprehensive visibility and control over account privileges within complex agency environments. Integrated within the BeyondInsight IT Risk Management Platform, which provides centralized management and control, PowerBroker solutions reduce the risk and minimize the impact of internal and external threats by giving IT and security teams powerful discovery and analytics capabilities. BeyondTrust currently offers 15 distinct PowerBroker products within four functional categories that represent essential risk management requirements: Privilege Management Enabling fine-grained control for assigning privileges to users throughout the organization. PowerBroker Servers Enterprise PowerBroker UNIX & Linux PowerBroker for Windows Desktops & Servers PowerBroker for Virtualization & Cloud PowerBroker for Databases Survey Results: Privileges Gone Wild In 2013, BeyondTrust surveyed 265 IT decision makers, comprising security managers and network and systems engineers across a number of sectors, including government, financial services, manufacturing, and others. Their responses are fairly shocking, and speak to the importance of privileged account management. 80% of respondents believe that it s at least somewhat likely that employees access sensitive or confidential data out of curiosity. 76% say the risk to their organization caused by the insecurity of privileged users will increase over the next few years. 65% of organizations have controls to monitor privileged access, yet 54% say they have the ability to circumvent these controls. 44% of employees have unnecessary access rights. 43% of respondents allow sensitive data to be stored on employee workstations/laptops. 28% admitted to having retrieved information not relevant to their job, such as financial reports, salary information, and HR and personnel documents. Active Directory Bridging Ensuring single sign-on using the same Active Directory for all resources, while auditing all users who are logging in. PowerBroker Identity Services AD Bridge 5

6 Privileged Password Management Establishing a virtual safe for shared passwords in the company, ensuring secure storage and retrieval. PowerBroker Password Safe Auditing & Protection Offering reporting and analytics functionality to establish and maintain compliance. PowerBroker Auditor for File System PowerBroker Recovery for AD PowerBroker Auditor for SQL PowerBroker Change Manager for AD PowerBroker Auditor for Exchange PowerBroker Privilege Explorer for AD PowerBroker Auditor for Active Directory (AD) PowerBroker Event Vault for Windows For specific information on each of the PowerBroker applications, please visit 6

7 The BeyondInsight IT Risk Management Platform All PowerBroker PAM solutions are backed by BeyondTrust s Retina family of vulnerability management (VM) solutions. Both the PAM and VM solutions share a common management console framework called BeyondInsight. In addition to serving as a central management, analytics and reporting console for the PAM and VM product families, BeyondInsight offers additional capabilities such as discovery, profiling, role-based access, and smart groups for identifying, organizing, and reporting on assets and accounts. Additionally, the BeyondInsight console enables centralized alerting, reporting, and search functionality, which aggregates all privileged account information into a data warehouse and then provides rich analytics and reporting capabilities for mitigating risk and documenting compliance. The BeyondInsight management console is scanner-agnostic, allowing data feeds from BeyondTrust Retina and vulnerability scanners such as Nessus, Nexpose, and QualysGuard. Compliance: How BeyondTrust mitigates risk across the board PowerBroker and BeyondInsight provide important capabilities that support a wide range of government information security requirements. Here we have broken down some of the most common and pressing federal mandates and regulations, showing the extent to which BeyondTrust s PAM and Retina VM solutions can help agencies achieve and maintain compliance. FISMA/NIST This section requires some familiarity with the following: The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to implement information security solutions to protect the information and information systems that support agency operations and assets. National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce charged with advancing measurement standards. Federal Information Processing Standards (FIPS) are issued by NIST in accordance with FISMA; they are compulsory and binding for federal agencies. Special Publications (SPs) are developed and issued by NIST as recommendations and guidance documents. NIST Risk Management Framework (NIST RMF) is the standard for integrating information security and risk management into government agency information systems. The NIST RMF encompasses a range of activities defined by several different NIST SPs. BeyondTrust supports the requirements of three key SPs relating to the NIST RMF: SP , SP , and SP

8 NIST SP : Security and Privacy Controls for Federal Information Systems & Organizations BeyondTrust s solutions address several individual controls under the following control families: Access Control PowerBroker for UNIX & Linux, PowerBroker for Windows Audit & Accountability PowerBroker for UNIX & Linux, PowerBroker for Windows, PowerBroker Auditor Security Assessment and Authorization PowerBroker for Windows, Retina family of VM solutions Configuration Management PowerBroker for Windows, Retina Configuration Management Module Identification and Authentication PowerBroker Password Safe Risk Assessment PowerBroker for Windows, Retina family of VM solutions System & Services Acquisition PowerBroker for UNIX & Linux, PowerBroker for Windows, Retina CS System and Communications Protection PowerBroker for UNIX & Linux, PowerBroker for Windows System and Information Integrity PowerBroker Endpoint Protection Platform, Retina Patch Management Module, Retina Protection Agent By addressing the above controls, our solutions also enable agencies to prepare for security controls assessments per NIST SP A ( Guide for Assessing the Security Controls in Federal Information Systems and Organizations ). NIST SP : Managing Information Security Risk BeyondTrust s PowerBroker and Retina solutions, in conjunction with the BeyondInsight Risk Management Platform, collectively address all of the tasks defined under the following phases of the Risk Management Process defined in : Risk Framing Discovering and profiling assets and accounts; grouping and filtering according to risk, privacy, and compliance issues Risk Assessment Threat and vulnerability identification, risk determination Risk Response Identifying and evaluating alternative courses of action to responding to risks determined during the assessment phase Monitoring Risk Monitoring information systems and privileged accounts on an ongoing basis to verify compliance, determine effectiveness of response measures, and identify changes NIST SP : Continuous Monitoring BeyondTrust offers several solutions that enable continuous monitoring, defined by as part of the 11 security automation domains that support continuous monitoring; these include: Vulnerability Management Patch Management Malware Detection Asset Management Configuration Management 8

9 SANS Top 20 Critical Security Controls The SANS Top 20 Controls are a set of recommendations coordinated by the SANS Institute, a private U.S. company that specializes in information security and cybersecurity training, and compiled by a consortium of U.S. and international agencies and experts from private industry. BeyondTrust solutions and services deliver coverage across several of the controls, as depicted below: 1: Inventory of Devices 11: Limitation/Control: Ports, Protocols, Services 2: Inventory of Software 12: Controlled Use of Administrative Privileges 3: Secure Configurations: Hardware & Software 13: Boundary Defense ½ 4: Continuous Vuln. Assessment & Remediation 14: Maintenance, Monitoring, & Analysis of Audit Logs 5: Malware Defenses 15: Controlled Access Based on Need to Know 6: Application Software Security ½ 16: Account Monitoring and Control 7: Wireless Device Control ½ 17: Data Loss Prevention ½ 8: Data Recovery Capability 18: Incident Response and Management 9: Security Skills Assessment and Training 19: Secure Network Engineering 10: Secure Configurations: Network Devices ½ 20: Penetration Tests & Red Team Exercises Broad applicability ½ Partial applicability Not applicable National Industrial Security Program Operating Manual (NISPOM) The National Industrial Security Program (NISP) was established to manage the needs of private industry to securely access classified information. The NISP Operating Manual (NISPOM) establishes the specific standard procedures and requirements for all government contractors with regards to their ability to access and use classified information. Collectively, the PowerBroker for UNIX & Linux, PowerBroker for Windows, and PowerBroker Auditor solutions address the following Information System Security procedures defined in Chapter 8 of the NISPOM: 8-303: Identification and Authentication Management 8-311: Configuration Management 8-505: Systems with Group Authenticators 8-606: Access Controls 8-607: Identification and Authentication 8-609: Session Controls 8-614: Security Testing 9

10 Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Targeted for agencies within the U.S. Department of Defense, DITSCAP details the standards and processes that agencies must adhere to in order for their information assurance and security solutions to be certified and accredited. These standards are based largely on NIST SP (see section A above), so the same PowerBroker and Retina solutions that enable compliance for will position agencies for DITSCAP certification as well. Certifications FIPS is a U.S government computer security standard used to accredit cryptographic modules. PowerBroker Password Safe ships on commercially supported FIPS validated components for all encryption over passwords to critical data. PowerBroker for UNIX & Linux integrates with SafeNet Luna for U.S. and Canadian government agencies requiring FIPS Level 2/Level 3 validation. Providing the assurance you need Key Benefits of PowerBroker PAM Solutions Pass audits and comply with government mandates Dynamically discover, profile, and group assets and accounts Mitigate insider threats through granular password and privilege management Implement and enforce least-privilege access controls for agency end users Ensure accountability through session monitoring and recording, keystroke logging, and real-time auditing Fulfill reporting requirements via 260+ reports included out of the box, plus a flexible ad hoc reporting capability Enable informed, actionable decisions from meaningful data gleaned from context-aware security intelligence, including asset, user, and account privilege information Consistently authenticate users across heterogeneous environments In the current environment, considering both the unrelenting cybersecurity threats faced by organizations of all sizes everywhere, and the many global political uncertainties affecting American institutions in particular, U.S. government agencies have to be more vigilant and proactive than ever before. With over 4,000 worldwide customers, including more than 200 U.S. Federal departments and agencies, BeyondTrust delivers a comprehensive suite of PowerBroker PAM solutions that have been proven in a wide range of large and complex IT environments. According to Gartner, BeyondTrust is one of only two vendors able to offer complete PAM capabilities today; as agencies are under pressure to limit the number of discrete vendors, BeyondTrust can handle the bulk of your security requirements and thereby help reduce your vendor portfolio. You get the protection you need and the peace of mind you desire. To see PowerBroker solutions in action, contact BeyondTrust at or federalsales@beyondtrust.com to schedule a demo. For more information, please visit us at 10

11 Sample U.S. Federal customers that trust BeyondTrust Over 200 U.S. Federal departments and agencies trust BeyondTrust solutions for privileged account management and vulnerability management. About BeyondTrust BeyondTrust provides context-aware Privileged Account Management and Vulnerability Management software solutions that deliver the visibility necessary to reduce IT security risks and simplify compliance reporting. We empower organizations to not only mitigate user-based risks arising from misuse of system or device privileges, but also identify and remediate asset vulnerabilities targeted by cyber attacks. As a result, our customers are able to address both internal and external threats, while making every device physical, virtual, mobile and cloud as secure as possible. BeyondTrust solutions are unified under the BeyondInsight IT Risk Management Platform, which provides IT and security teams a single, contextual lens through which to view user and asset risk. This clear, consolidated risk profile enables proactive, joint decision-making while ensuring that daily operations are guided by common goals for risk reduction. The company is privately held, and headquartered in Phoenix, Arizona. For more information, visit beyondtrust.com. 11