
Mitigating the Risks of Privilege-based Attacks in Federal Agencies

Powerful compliance and risk management solutions for government agencies

WHITE PAPER


Table of Contents

Your networks are under attack – from within and without ... 4  

What does “privilege” have to do with it? ... 4  

PowerBroker: Comprehensive privileged account management ... 5  

The BeyondInsight IT Risk Management Platform ... 7  

Compliance: How BeyondTrust mitigates risk across the board ... 7  

FISMA/NIST ... 7  

NIST SP 800-53: Security and Privacy Controls for Federal Information Systems & Organizations ... 8  

NIST SP 800-39: Managing Information Security Risk ... 8  

NIST SP 800-137: Continuous Monitoring ... 8  

SANS Top 20 Critical Security Controls ... 9  

Certifications ... 10  

Providing the assurance you need ... 10  

© 2014 BeyondTrust. All Rights Reserved.

Warranty

This document is supplied on an "as is" basis with no warranty and no support.

This document contains information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of BeyondTrust.

Limitations of Liability

In no event shall BeyondTrust be liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages (including lost profit or lost data) whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material.

The information contained in this document is subject to change without notice.

No trademark, copyright, or patent licenses are expressly or implicitly granted (herein) with this white paper.

For the latest updates to this document, please visit:

http://www.beyondtrust.com

Disclaimer

All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust is not associated with any other vendors or products mentioned in this document.


Your networks are under attack – from within and without

The compliance landscape for government agencies changes with almost every administration. There are always new requirements – and penalties – that agencies have to be able to anticipate, implement, and report on. At the same time, government information networks – like their counterparts in public and private enterprises – are constantly vulnerable to both internal and external threats. Each of these types of threats has their own unique characteristics.

• Internal threats may be malicious (designed to cause harm) or unintentional (the result of human error), exposing weaknesses in the agency’s defenses and policies. Regardless of intent, insiders can do significant damage quickly, as they are already inside perimeter-layer security.

• External threats are designed to exploit vulnerabilities in networks and endpoints; they often seek to gain a foothold where they can act as an insider. Once an attacker gains administrative access, it is easy to make configuration changes that enable the installation of malicious software, and alter security controls for unfettered access to sensitive information.

The collateral damage of such attacks is extensive, ranging from “simple” non-compliance consequences to national security threats. Intellectual property, defense information, personnel records, and other classified information can easily be stolen, sold, and used against the interests of the U.S. government, its citizens, and its allies. The key is to enforce strict limits on what a given network user is able to do in terms of accessing and utilizing network resources, and to monitor usage to quickly identify improper activity.

The most effective approach to take with end users in the current environment involves restricting access privileges through both policy and technology methods – allowing the least possible privilege for every user. This is the domain of BeyondTrust’s PowerBroker privileged account management (PAM) solutions.

What does “privilege” have to do with it?

The least-privilege approach has gained a lot of credibility recently thanks to one notorious name: Edward Snowden. In the aftermath of Snowden leaking classified information he had access privileges to, the NSA announced it would reduce system administrator privileges by 90%. Indeed, “Insider and privilege misuse” was identified by the 2014 Verizon Data Breach Investigations Report as one of the nine basic patterns of activity in the past decade that have resulted in confirmed data breaches. The fact is many government users have more access than they need to perform their current job functions. With a least-privilege approach, users receive permissions only to the systems, applications, and data they need based on their current role or profile in the agency. These privileges can be user, system, or role-based as well as time-based (e.g., access granted only for certain days or hours, or for a set duration of time). Administrators can increase or restrict access as needed – after all, user roles do change frequently and special projects often require elevated levels of access – but whenever possible, and as quickly as possible, privileges should return to their least level.

Still, it is important to understand that restricting privileges is only part of the solution. All user activity while under approved privileges should be monitored and audited to ensure appropriate use, and to quickly identify, flag, and prevent misuse – whether malicious or unintentional. By monitoring privileged users with solutions such as BeyondTrust’s PowerBroker® products, which enable proactive alerts and associated reporting, you can achieve “verifiable compliance” with stated access policies – and gain assurance that your security solution can pass any audit.
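The two ideas above (role-based grants that are time-bounded and expire automatically, and auditing activity against the grants that were in force) as a small worked model. This is an added example, not BeyondTrust or PowerBroker code; the roles, users, resources and access events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed role definitions: role -> set of (resource, action) the role may perform.
ROLE_PERMISSIONS = {
    "hr_analyst": {("hr_db", "read")},
    "sysadmin": {("hr_db", "read"), ("hr_db", "write"), ("payroll_srv", "admin")},
}

@dataclass
class Grant:
    user: str
    role: str
    start: datetime
    end: datetime                            # hard expiry: privilege drops back automatically
    days: frozenset = frozenset(range(7))    # weekday numbers (Mon=0) the grant is valid on
    hours: range = range(0, 24)              # hours of the day the grant is valid in

    def active(self, at):
        return (self.start <= at < self.end
                and at.weekday() in self.days and at.hour in self.hours)

class PrivilegeStore:
    def __init__(self):
        self.grants = []

    def grant(self, user, role, start, duration, days=None, hours=None):
        g = Grant(user, role, start, start + duration,
                  frozenset(days) if days else frozenset(range(7)), hours or range(0, 24))
        self.grants.append(g)
        return g

    def authorized(self, user, resource, action, at):
        """True if some grant active at `at` carries a role that allows (resource, action)."""
        return any(g.active(at) and (resource, action) in ROLE_PERMISSIONS[g.role]
                   for g in self.grants if g.user == user)

    def audit(self, events):
        """Replay recorded access events; return those not covered by an active grant."""
        return [e for e in events
                if not self.authorized(e["user"], e["resource"], e["action"], e["at"])]

TUE = datetime(2014, 6, 10)   # 2014-06-10 was a Tuesday
SAT = datetime(2014, 6, 14)

def build_store():
    store = PrivilegeStore()
    # Standing role-based grant: weekdays, business hours only.
    store.grant("alice", "hr_analyst", TUE, timedelta(days=365), days=range(0, 5), hours=range(8, 18))
    # Temporary elevation for a special project: four hours, then back to least privilege.
    store.grant("bob", "sysadmin", TUE.replace(hour=9), timedelta(hours=4))
    return store

# Constructed access events, as a session-monitoring log might record them.
EVENTS = [
    {"id": 1, "user": "alice", "resource": "hr_db", "action": "read", "at": TUE.replace(hour=10)},
    {"id": 2, "user": "alice", "resource": "hr_db", "action": "write", "at": TUE.replace(hour=10)},
    {"id": 3, "user": "alice", "resource": "hr_db", "action": "read", "at": SAT.replace(hour=10)},
    {"id": 4, "user": "bob", "resource": "payroll_srv", "action": "admin", "at": TUE.replace(hour=11)},
    {"id": 5, "user": "bob", "resource": "payroll_srv", "action": "admin", "at": TUE.replace(hour=14)},
    {"id": 6, "user": "carol", "resource": "hr_db", "action": "read", "at": TUE.replace(hour=10)},
]

def flagged_event_ids(store=None, events=EVENTS):
    """Ids of events that fall outside any active grant (candidates for an alert)."""
    store = store or build_store()
    return [e["id"] for e in store.audit(events)]

if __name__ == "__main__":
    print("out-of-policy events:", flagged_event_ids())  # [2, 3, 5, 6]
```

Event 5 is the case the text stresses: bob's elevation was legitimate at 11:00, but the same action one hour after the four-hour window closed is flagged because the privilege has already returned to its least level.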

PowerBroker: Comprehensive privileged account management

BeyondTrust’s PowerBroker suite of privileged account management (PAM) solutions provides comprehensive visibility and control over account privileges within complex agency environments. Integrated within the BeyondInsight™ IT Risk Management Platform, which provides centralized management and control, PowerBroker solutions reduce the risk and minimize the impact of internal and external threats by giving IT and security teams powerful discovery and analytics capabilities. BeyondTrust currently offers 15 distinct PowerBroker products within four functional categories that represent essential risk management requirements:

Privilege Management – Enabling fine-grained control for assigning privileges to users throughout the organization.

• PowerBroker Servers Enterprise
• PowerBroker UNIX & Linux
• PowerBroker for Windows Desktops & Servers
• PowerBroker for Virtualization & Cloud
• PowerBroker for Databases

Active Directory Bridging – Ensuring single sign-on using the same Active Directory for all resources, while auditing all users who are logging in.

• PowerBroker Identity Services “AD Bridge”

Survey Results: “Privileges Gone Wild”

In 2013, BeyondTrust surveyed 265 IT decision makers, comprising security managers and network and systems engineers across a number of sectors, including government, financial services, manufacturing, and others. Their responses are fairly shocking, and speak to the importance of privileged account management.

• 80% of respondents believe that it’s at least somewhat likely that employees access sensitive or confidential data out of curiosity.
• 76% say the risk to their organization caused by the insecurity of privileged users will increase over the next few years.
• 65% of organizations have controls to monitor privileged access, yet 54% say they have the ability to circumvent these controls.
• 44% of employees have unnecessary access rights.
• 43% of respondents allow sensitive data to be stored on employee workstations/laptops.
• 28% admitted to having retrieved information not relevant to their job, such as financial reports, salary information, and HR and personnel documents.


Privileged Password Management – Establishing a “virtual safe” for shared passwords in the company, ensuring secure storage and retrieval.

• PowerBroker Password Safe®

Auditing & Protection – Offering reporting and analytics functionality to establish and maintain compliance.

• PowerBroker Auditor for File System
• PowerBroker Auditor for SQL
• PowerBroker Auditor for Exchange
• PowerBroker Auditor for Active Directory (AD)
• PowerBroker Recovery for AD
• PowerBroker Change Manager for AD
• PowerBroker Privilege Explorer for AD
• PowerBroker Event Vault for Windows

For specific information on each of the PowerBroker applications, please visit http://www.beyondtrust.com/Home/AllProducts.

The BeyondInsight IT Risk Management Platform

All PowerBroker PAM solutions are backed by BeyondTrust’s Retina family of vulnerability management (VM) solutions. Both the PAM and VM solutions share a common management console framework called BeyondInsight. In addition to serving as a central management, analytics and reporting console for the PAM and VM product families, BeyondInsight offers additional capabilities such as discovery, profiling, role-based access, and smart groups for identifying, organizing, and reporting on assets and accounts.

Additionally, the BeyondInsight console enables centralized alerting, reporting, and search functionality, which aggregates all privileged account information into a data warehouse and then provides rich analytics and reporting capabilities for mitigating risk and documenting compliance. The BeyondInsight management console is scanner-agnostic, allowing data feeds from BeyondTrust Retina and vulnerability scanners such as Nessus®, Nexpose®, and QualysGuard®.

Compliance: How BeyondTrust mitigates risk across the board

PowerBroker and BeyondInsight provide important capabilities that support a wide range of government information security requirements. Here we have broken down some of the most common and pressing federal mandates and regulations, showing the extent to which BeyondTrust’s PAM and Retina VM solutions can help agencies achieve and maintain compliance.

FISMA/NIST

This section requires some familiarity with the following:

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to implement information security solutions to protect the information and information systems that support agency operations and assets.

National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce charged with advancing measurement standards.

Federal Information Processing Standards (FIPS) are issued by NIST in accordance with FISMA; they are compulsory and binding for federal agencies.

Special Publications (SPs) are developed and issued by NIST as recommendations and guidance documents.

NIST Risk Management Framework (NIST RMF) is the standard for integrating information security and risk management into government agency information systems. The NIST RMF encompasses a range of activities defined by several different NIST SPs.

BeyondTrust supports the requirements of three key SPs relating to the NIST RMF: SP 800-53, SP 800-39, and SP 800-137.

NIST SP 800-53: Security and Privacy Controls for Federal Information Systems & Organizations

BeyondTrust’s solutions address several individual controls under the following control families:

• Access Control – PowerBroker for UNIX & Linux, PowerBroker for Windows
• Audit & Accountability – PowerBroker for UNIX & Linux, PowerBroker for Windows, PowerBroker Auditor
• Security Assessment and Authorization – PowerBroker for Windows, Retina family of VM solutions
• Configuration Management – PowerBroker for Windows, Retina Configuration Management Module
• Identification and Authentication – PowerBroker Password Safe
• Risk Assessment – PowerBroker for Windows, Retina family of VM solutions
• System & Services Acquisition – PowerBroker for UNIX & Linux, PowerBroker for Windows, Retina CS
• System and Communications Protection – PowerBroker for UNIX & Linux, PowerBroker for Windows
• System and Information Integrity – PowerBroker Endpoint Protection Platform, Retina Patch Management Module, Retina Protection Agent

By addressing the above controls, our solutions also enable agencies to prepare for security controls assessments per NIST SP 800-53A (“Guide for Assessing the Security Controls in Federal Information Systems and Organizations”).

NIST SP 800-39: Managing Information Security Risk

BeyondTrust’s PowerBroker and Retina solutions, in conjunction with the BeyondInsight Risk Management Platform, collectively address all of the tasks defined under the following phases of the “Risk Management Process” defined in 800-39:

Risk Framing – Discovering and profiling assets and accounts; grouping and filtering according to risk, privacy, and compliance issues

Risk Assessment – Threat and vulnerability identification, risk determination

Risk Response – Identifying and evaluating alternative courses of action for responding to risks determined during the assessment phase

Monitoring Risk – Monitoring information systems and privileged accounts on an ongoing basis to verify compliance, determine effectiveness of response measures, and identify changes

NIST SP 800-137: Continuous Monitoring

BeyondTrust offers several solutions that enable continuous monitoring, defined by 800-39 as part of the 11 security automation domains that support continuous monitoring; these include:

• Vulnerability Management
• Patch Management
• Malware Detection
• Asset Management

SANS Top 20 Critical Security Controls

The SANS Top 20 Controls are a set of recommendations coordinated by the SANS Institute, a private U.S. company that specializes in information security and cybersecurity training, and compiled by a consortium of U.S. and international agencies and experts from private industry. BeyondTrust solutions and services deliver coverage across several of the controls, as depicted below:

1: Inventory of Devices – Broad applicability
2: Inventory of Software – Broad applicability
3: Secure Configurations: Hardware & Software – Broad applicability
4: Continuous Vuln. Assessment & Remediation – Broad applicability
5: Malware Defenses – Broad applicability
6: Application Software Security – Partial applicability
7: Wireless Device Control – Partial applicability
8: Data Recovery Capability – Not applicable
9: Security Skills Assessment and Training – Broad applicability
10: Secure Configurations: Network Devices – Partial applicability
11: Limitation/Control: Ports, Protocols, Services – Broad applicability
12: Controlled Use of Administrative Privileges – Broad applicability
13: Boundary Defense – Partial applicability
14: Maintenance, Monitoring, & Analysis of Audit Logs – Broad applicability
15: Controlled Access Based on Need to Know – Broad applicability
16: Account Monitoring and Control – Broad applicability
17: Data Loss Prevention – Partial applicability
18: Incident Response and Management – Not applicable
19: Secure Network Engineering – Not applicable
20: Penetration Tests & Red Team Exercises – Broad applicability

National Industrial Security Program Operating Manual (NISPOM)

The National Industrial Security Program (NISP) was established to manage the needs of private industry to securely access classified information. The NISP Operating Manual (NISPOM) establishes the specific standard procedures and requirements for all government contractors with regards to their ability to access and use classified information.

Collectively, the PowerBroker for UNIX & Linux, PowerBroker for Windows, and PowerBroker Auditor solutions address the following Information System Security procedures defined in Chapter 8 of the NISPOM:

• 8-303: Identification and Authentication Management
• 8-311: Configuration Management
• 8-505: Systems with Group Authenticators
• 8-606: Access Controls
• 8-607: Identification and Authentication
• 8-609: Session Controls

Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP)

Targeted for agencies within the U.S. Department of Defense, DITSCAP details the standards and processes that agencies must adhere to in order for their information assurance and security solutions to be certified and accredited. These standards are based largely on NIST SP 800-53 (see section A above), so the same PowerBroker and Retina solutions that enable compliance for 800-53 will position agencies for DITSCAP certification as well.

Certifications

FIPS 140-2 is a U.S. government computer security standard used to accredit cryptographic modules.

• PowerBroker Password Safe ships on commercially supported FIPS 140-2 validated components for all encryption over passwords to critical data.
• PowerBroker for UNIX & Linux integrates with SafeNet Luna for U.S. and Canadian government agencies requiring FIPS 140-2 Level 2/Level 3 validation.

Providing the assurance you need

In the current environment, considering both the unrelenting cybersecurity threats faced by organizations of all sizes everywhere, and the many global political uncertainties affecting American institutions in particular, U.S. government agencies have to be more vigilant and proactive than ever before. With over 4,000 worldwide customers, including more than 200 U.S. Federal departments and agencies, BeyondTrust delivers a comprehensive suite of PowerBroker PAM solutions that have been proven in a wide range of large and complex IT environments.

According to Gartner, BeyondTrust is one of only two vendors able to offer complete PAM capabilities today; as agencies are under pressure to limit the number of discrete vendors, BeyondTrust can handle the bulk of your security requirements and thereby help reduce your vendor portfolio. You get the protection you need and the peace of mind you desire.

To see PowerBroker solutions in action, contact BeyondTrust at 1-301-807-3112 or [email protected] to schedule a demo. For more information, please visit us at http://www.beyondtrust.com.

Key Benefits of PowerBroker PAM Solutions

• Pass audits and comply with government mandates
• Dynamically discover, profile, and group assets and accounts
• Mitigate insider threats through granular password and privilege management
• Implement and enforce least-privilege access controls for agency end users
• Ensure accountability through session monitoring and recording, keystroke logging, and real-time auditing
• Fulfill reporting requirements via 260+ reports included out of the box, plus a flexible ad hoc reporting capability
• Enable informed, actionable decisions from meaningful data gleaned from context-aware security intelligence, including asset, user, and account privilege information
• Consistently authenticate users across

Sample U.S. Federal customers that trust BeyondTrust

Over 200 U.S. Federal departments and agencies trust BeyondTrust solutions for privileged account management and vulnerability management.

About BeyondTrust

BeyondTrust provides context-aware Privileged Account Management and Vulnerability Management software solutions that deliver the visibility necessary to reduce IT security risks and simplify compliance reporting.

We empower organizations to not only mitigate user-based risks arising from misuse of system or device privileges, but also identify and remediate asset vulnerabilities targeted by cyber attacks. As a result, our customers are able to address both internal and external threats, while making every device – physical, virtual, mobile and cloud – as secure as possible.

BeyondTrust solutions are unified under the BeyondInsight IT Risk Management Platform, which provides IT and security teams a single, contextual lens through which to view user and asset risk. This clear, consolidated risk profile enables proactive, joint decision-making while ensuring that daily operations are guided by common goals for risk reduction.

The company is privately held, and headquartered in Phoenix, Arizona. For more information, visit beyondtrust.com.
