Who will guard the guards
1. Who will guard the guards?
K. K. Mookhey
Principal Consultant
Network Intelligence India Pvt. Ltd.
2. Speaker Introduction
Founder & Principal Consultant
Network Intelligence
Institute of Information Security
Certified as CISA, CISSP and CISM
Speaker at Black Hat 2004, Interop 2005, IT Underground
2005, OWASP Asia 2008, 2009
Co-author of book on Metasploit Framework (Syngress),
Linux Security & Controls (ISACA)
Author of numerous articles on SecurityFocus, IT Audit, IS
Controls (ISACA)
Over a decade of experience in pen-tests, application security
assessments, forensics, compliance, etc.
3. Agenda
Ground-level Realities
Compliance & Regulations
Case Study of Privileged Identity Challenges
Solutions
Policy
Process
Technology
7. SQL Server to Enterprise 0wned!
Entry Point – 172.16.1.36
Vulnerability -> SQL Server
Default username and password
Username: sa
Password: password
8. Privilege Escalation on the Network
Using the Administrator account to log on to other machines
Login to the domain server was not possible
Check for Impersonating Users
9. The Insider Threat
No. 1 security concern of large companies is…
THE INSIDER THREAT (IDC Analyst Group)
86% of the insiders held technical positions (CERT)
90% of them were granted system administrator or
privileged system access when hired (CERT)
64% used remote access (CERT)
50% of those people were no longer supposed
to have this privileged access
(Source: Carnegie Mellon, DOD)
92% of all the insiders attacked following a negative
work-related event like termination, dispute, etc. (CERT)
11. Compliance and Regulation
Current Audit Questions around Privileged Accounts:
“Can you prove that you are protecting access to key accounts?”
“Who is acting as System Administrator for this activity?”
“Can you prove that Rahul Mehta’s access to the netAdmin ID was properly
approved?”
“Can you show me what Rahul Mehta did within his session as root last week?”
“Are you changing the Exchange Admin password in line with company policy?”
“Have you removed hard-coded passwords from your applications?”
PCI, SOX, Basel II & HIPAA are all
diving deeper into Privileged Accounts
12. Telecom Regulations
DOT circular (31st May 2011) states in 5.6 A (vi) c. that
The Licensee shall keep a record of all the operation and
maintenance command logs for a period of 12 months, which
should include the actual command given, who gave the
command, when was it given and from where. For next 24
months the same information shall be stored/retained in a
non-online mode.
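The four facts the circular requires for every O&M command (the command itself, who gave it, when, and from where) map directly onto a log record, and the 12-month online plus 24-month non-online requirement maps onto a retention tier. The following Python is an added example, not code from the deck or from any regulator or vendor: it writes chained command records so that a deleted or altered record is detectable, and classifies a record's age into the two retention windows. The field names, the HMAC chain, the chain key and the sample records are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime

# Constructed key for the tamper-evidence chain (assumption for this example;
# a real deployment would keep it in an HSM or a vault, never in source).
CHAIN_KEY = b"example-chain-key-not-for-production"
GENESIS = "0" * 64


@dataclass(frozen=True)
class CommandRecord:
    command: str      # the actual command given
    operator: str     # who gave it (a personal ID, never a shared one)
    issued_at: str    # when it was given (ISO 8601 with UTC offset)
    source_addr: str  # from where (originating IP address / terminal)
    prev_mac: str     # MAC of the previous record: removing a record breaks the chain
    mac: str


def _mac(fields: dict) -> str:
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(CHAIN_KEY, body, hashlib.sha256).hexdigest()


def append_record(log: list, command: str, operator: str,
                  issued_at: str, source_addr: str) -> CommandRecord:
    """Append one O&M command record, chained to the previous one."""
    fields = {"command": command, "operator": operator, "issued_at": issued_at,
              "source_addr": source_addr,
              "prev_mac": log[-1].mac if log else GENESIS}
    rec = CommandRecord(**fields, mac=_mac(fields))
    log.append(rec)
    return rec


def verify_chain(log: list) -> bool:
    """True only if every MAC is valid and every record points at its predecessor."""
    prev = GENESIS
    for rec in log:
        fields = asdict(rec)
        claimed = fields.pop("mac")
        if fields["prev_mac"] != prev or not hmac.compare_digest(_mac(fields), claimed):
            return False
        prev = claimed
    return True


ONLINE_MONTHS = 12    # circular: online for 12 months ...
OFFLINE_MONTHS = 24   # ... then retained in non-online mode for the next 24 months


def _months_between(start: datetime, end: datetime) -> int:
    months = (end.year - start.year) * 12 + (end.month - start.month)
    return months - 1 if end.day < start.day else months


def retention_tier(issued_at: str, now: str) -> str:
    """Which store a record of this age belongs in: 'online', 'offline' or 'expired'."""
    months = _months_between(datetime.fromisoformat(issued_at), datetime.fromisoformat(now))
    if months < ONLINE_MONTHS:
        return "online"
    if months < ONLINE_MONTHS + OFFLINE_MONTHS:
        return "offline"
    return "expired"


def sample_log() -> list:
    """Constructed records: operator IDs, addresses and commands are made up."""
    log = []
    append_record(log, "show running-config", "ops.anita", "2011-06-01T10:15:00+00:00", "10.20.0.7")
    append_record(log, "configure terminal", "ops.anita", "2011-06-01T10:16:30+00:00", "10.20.0.7")
    append_record(log, "reload in 5", "ops.vikram", "2011-06-01T22:40:05+00:00", "10.20.0.19")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain valid:", verify_chain(log))
    for rec in log:
        tier = retention_tier(rec.issued_at, "2013-01-01T00:00:00+00:00")
        print(rec.issued_at, rec.operator, rec.source_addr, repr(rec.command), "->", tier)
```

The chain only gives tamper evidence, not prevention: the point is that an administrator who can edit the log cannot do so silently, which is what an auditor asking "who gave the command and when" needs. The operator field must hold a personal ID; if commands are issued through a shared account, the session-recording layer has to supply the real person behind it.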
13. Other Regulations
RBI Guidelines on Technology Risks
IT Act Notifications – April 2011
14. What are Privileged Accounts?
Columns: Acct Type / Scope / Used by / Used for

Elevated Personal Accts (SUPM)
Scope:
• Personal Accounts with elevated permissions
– JSmith_admin
– SUDO
Used by:
• IT staff
Used for:
• Privileged operations
• Access to sensitive information

Shared Privileged Accounts (SAPM)
Highly Powerful – Difficult to Control – Usage is Not ‘Personalized’ – Pose Devastating Risk if Misused
Scope:
• Administrator
• UNIX root
• Cisco Enable
• Oracle SYS
• Local Administrators
• ERP admin
• Legacy Apps
Used by:
• IT staff
• System Admins
• Network Admins
• DBAs
• Help Desk, etc
• Developers
Used for:
• Emergency
• Fire-call
• Disaster recovery
• Privileged operations
• Manage & Monitor
• Access to sensitive information

Application IDs (AIM)
Scope:
• Hard-Coded, and Embedded Application Accounts
• Service Accounts
Used by:
• Applications
• Scripts
• Windows Services
• Scheduled Tasks
• Batch jobs, etc
• Developers
Used for:
• Online database access
• Batch processing
• App-2-App communication
15. The Scope of the Problem...
“Most organizations have more privileged accounts than personal accounts”
(Sally Hudson, IDC)
Typical use case - mid-size company IT profile:
~10,000 employees
8,000+ desktops/laptops
200 Windows servers
10 Windows domains
500 Unix/Linux servers
20 WebSphere/WebLogic/JBoss/Tomcat servers
100 Oracle/DB2/SQL Server databases
50 Cisco/Juniper/Nortel routers and switches
20 firewalls
1,000 application accounts
150 Emergency and break-glass accounts
16. App2App Communication
• App2App interaction requires an authentication process
– Calling application needs to send credentials to target application
• Common use cases
– Applications and Scripts connecting to databases
– 3rd Party Products accessing network resources
– Job Scheduling
– Application Server Connection Pools
– Distributed Computing Centers
– Application Encryption Key Management
– ATM, Kiosks, etc.
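Because the calling application has to present credentials to the target, the credential tends to end up in the calling application's source, connection string or scheduler job, which is exactly what the audit question on slide 11 ("Have you removed hard-coded passwords from your applications?") is probing. The Python below is an added example, not code from the deck or from any product: the first half is a detector that scans source text for credential literals (run here over a constructed sample that also contains the default sa/password pair from the slide 7 case study), the second half is the pattern that replaces them, a runtime lookup keyed by the calling application's identity. The regexes, the default-value list, the sample source and the dictionary-backed store are all assumptions made for the example.

```python
import re

# Constructed sample source: a batch job that must authenticate to a database.
# Lines 3 and 4 carry the credential in the source; lines 5 and 6 obtain it at runtime.
SAMPLE_SOURCE = """\
# constructed sample: nightly batch job connecting to the reporting database
import pyodbc
DB_PASSWORD = "password"
conn = pyodbc.connect("DRIVER={SQL Server};SERVER=db01;UID=sa;PWD=password")
api_key = os.environ["API_KEY"]          # read from the environment at runtime
token = secrets_client.get("svc-batch")  # retrieved from a vault at runtime
"""

# A string literal assigned to a credential-looking name (assumed naming heuristic).
ASSIGN_RE = re.compile(
    r"(?i)(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']([^\"']+)[\"']")
# A password field inside an ODBC/JDBC-style key=value connection string.
CONNSTR_RE = re.compile(r"(?i)(pwd|password)\s*=\s*([^;\"'\s]+)")
# Constructed list of well-known default values worth calling out separately.
WELL_KNOWN_DEFAULTS = {"password", "changeme", "admin", "sa"}


def scan_source(text: str) -> list:
    """Return one finding per source line that embeds a credential literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # ignore trailing comments
        assign = ASSIGN_RE.search(code)
        match = assign or CONNSTR_RE.search(code)
        if match:
            findings.append({
                "line": lineno,
                "kind": "assignment" if assign else "connection_string",
                "name": match.group(1),
                "well_known_default": match.group(2).lower() in WELL_KNOWN_DEFAULTS,
            })
    return findings


class CredentialStore:
    """Stand-in for a vault: the credential is fetched at runtime by the calling
    application's identity and never appears in its source. The dictionary
    backend and the audit list are assumptions made for this example."""

    def __init__(self, grants: dict):
        self._grants = dict(grants)  # (calling_app, target) -> credential
        self.audit = []              # every request, granted or not, for the record

    def fetch(self, calling_app: str, target: str) -> str:
        self.audit.append((calling_app, target))
        try:
            return self._grants[(calling_app, target)]
        except KeyError:
            raise PermissionError(f"{calling_app} is not authorised for {target}") from None


def demo_store() -> CredentialStore:
    # Constructed grant: only the batch job may obtain the reporting DB credential.
    return CredentialStore({("svc-batch", "reporting-db"): "example-vaulted-secret"})


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} of {f['name']!r}"
              + (" (well-known default value)" if f["well_known_default"] else ""))
    store = demo_store()
    print("batch job got credential:", store.fetch("svc-batch", "reporting-db") is not None)
```

The scanner is a code-review aid, not a proof of absence: a credential pulled from an unprotected config file or an environment variable set in a world-readable cron job is just as hard-coded in practice, so the review has to follow where runtime values actually come from. The store half shows the property that matters for App2App: the calling application is identified and its request is recorded, so "who is acting as the database account for this activity?" has an answer.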
17. Summary: Privileged Identity & Session Management
A comprehensive platform for isolating and preemptively
protecting your datacenter – whether on premises or in the
cloud
Discover all privileged accounts across datacenter
Manage and secure every credential
Enforce policies for usage
Record and monitor privileged activities
React and comply
Integrate with IDAM
19. Policies
Privileged ID Management Policy & Procedures
Privileged ID allocation – the approval process for granting
it
Privileged ID periodic review – the procedure for carrying it out
Monitoring of privileged ID activities – mechanisms, and
procedures for logging and monitoring privileged IDs
Revocation of a privileged ID – what happens when an
Administrator leaves the organization?
How are vendor-supplied user IDs managed?
Managing shared/generic privileged IDs
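Each of the policy items above turns into a check that a periodic review can run against the privileged-account inventory: was the allocation approved, has the review fallen due, has the holder left, has a vendor ID outlived its engagement. The Python below is an added example, not the deck's or any product's code: it runs those checks over a constructed inventory covering the account types from slide 14 (elevated personal, shared, vendor, application) against a constructed HR leaver list. The "netAdmin" ID and its holder echo the audit question on slide 11; the review interval, the change-ticket identifiers and the recommended actions are assumptions made for the example. One point the example is built around: when the holder of a shared ID leaves, revoking the person is not enough, because the shared credential itself is known to them and must be rotated.

```python
from datetime import date

REVIEW_INTERVAL_DAYS = 90  # policy parameter assumed for the example

# Constructed inventory export; every value is made up.
ACCOUNTS = [
    {"id": "jsmith_admin", "type": "elevated", "owner": "jsmith",
     "approval": "CHG-1042", "last_review": date(2011, 4, 1)},
    {"id": "root@db01", "type": "shared", "owner": "dba-team",
     "approval": "CHG-0871", "last_review": date(2010, 9, 15)},
    {"id": "netAdmin", "type": "shared", "owner": "rmehta",
     "approval": None, "last_review": date(2011, 5, 1)},
    {"id": "oracle_support", "type": "vendor", "owner": "vendor-oracle",
     "approval": "CHG-0990", "last_review": date(2011, 4, 1),
     "expires": date(2011, 4, 30)},
    {"id": "svc_batch", "type": "application", "owner": "batch-app",
     "approval": "CHG-1100", "last_review": date(2011, 5, 20)},
]
LEAVERS = {"rmehta"}  # constructed HR feed of staff who have left the organization


def review(accounts: list, leavers: set, today_iso: str) -> list:
    """Run the policy checks; returns (account id, finding code, recommended action)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        if not acct.get("approval"):
            findings.append((acct["id"], "NO_APPROVAL",
                             "obtain retrospective approval or revoke"))
        if acct["owner"] in leavers:
            # A shared credential is known to the leaver: rotating it is mandatory.
            action = ("rotate credential and assign a new custodian"
                      if acct["type"] == "shared" else "revoke")
            findings.append((acct["id"], "OWNER_LEFT", action))
        if (today - acct["last_review"]).days > REVIEW_INTERVAL_DAYS:
            findings.append((acct["id"], "REVIEW_OVERDUE", "re-review and re-attest"))
        if acct["type"] == "vendor":
            expires = acct.get("expires")
            if expires is None:
                findings.append((acct["id"], "VENDOR_NO_EXPIRY", "set an expiry date"))
            elif expires < today:
                findings.append((acct["id"], "VENDOR_EXPIRED", "disable"))
    return findings


if __name__ == "__main__":
    for acct_id, code, action in review(ACCOUNTS, LEAVERS, "2011-06-01"):
        print(f"{acct_id:15} {code:16} -> {action}")
```

The same loop is the place to add the checks a specific policy adds (for instance a custodian team for every shared ID, or a maximum session-recording gap), and running it on a schedule, with its output filed, is what turns "periodic review" from a policy statement into evidence an auditor can see.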
20. Thank you!
Questions / Queries
K. K. MOOKHEY
kkmookhey@niiconsulting.com
NETWORK INTELLIGENCE INDIA PVT. LTD.
www.niiconsulting.com