
PW - Privileges in the Real World: Securing Password Management - Andrey Dulkin

BSides Las Vegas | 24:37 | Published 2016-12
About this talk
PW - Privileges in the Real World: Securing Password Management - Andrey Dulkin | Passwords | BSidesLV 2015 - Tuscany Hotel - August 04, 2015
Transcript [en]

Without any further ado... All right, thank you, and good evening everybody. Thank you for coming here. I know it's late, and it's challenging for me because I'm coming from Israel, so it's 4 a.m. in Israel and I'm a bit jetlagged, some of you as well, but we are going to make it through. So we are in Vegas, and I would like to start with a story that is relevant to what's going on here: it is this attack on the Sands organization. Who here has heard about this? Okay, quite a few people. So in general, Sands own a network of casinos around the world; they have two right here, the Venetian and The Palazzo,

they have them in Macau and Singapore and other places. They're owned by Sheldon Adelson, who in December '13 had some comments about the Iranian nuclear program. The Iranians didn't like it for some reason, so they decided to get back; they decided to attack the infrastructure. They couldn't breach the Las Vegas network directly, so they tried to find some office. They found another branch in Bethlehem, Pennsylvania, not the one in Palestine. So basically what they did was they tried to brute force the VPN. They tried once; two weeks later they tried again; they couldn't break in. So two weeks later they found a test web server, they found a vulnerability there, and they went in. Once inside the

network, they were able to detect a credential used by a systems administrator who connected from the main network here in Vegas and basically left his credentials behind (I'm going to touch on that later) on a machine in that branch, and they were able to hijack that credential and get back into the main network. And from there, you know, it's like any other malware worm: they just compiled it inside the network, using those credentials they operated inside, collected information, destroyed information, and they published sensitive information on Sands' own website, and basically what they did was destroy the entire IT infrastructure of the casinos

over here. And one interesting aspect, for those of you who have seen the Ocean's 11 movies, right: they have this whale program, right, the high rollers program. So all data was destroyed regarding this program; basically for a few weeks the casino couldn't identify who the high rollers are, which is very problematic. Now all this happened due to a single password, or basically a single hash, right, a password being compromised. And here we are going to see what... [video clip]

"Good morning, gentlemen, please be seated. I see we're still dressing in the dark, Eugene." "Once again, don't call me Eugene." "Our recent unknown intruder penetrated using a super-user account, giving him access to our whole system, precisely what you paid to prevent. Someone didn't bother reading my carefully prepared memo on commonly used passwords. Now then, as I so meticulously pointed out, the four most used passwords are love, sex, secret and God. So would Your Holiness care to change her password?"

Who recognizes the movie? You're right, I expect everybody here recognizes the movie. It's a 1995 movie called Hackers, one of the first ones with Angelina Jolie, another reason to see it, besides the professional relevance. But basically it's 20 years ago, and it discusses the same problem that we have today, okay: several accounts with high privileges

that, if compromised, enable an attacker to do whatever they want in the network. So before we continue, I'm going to try something new that I haven't done before: we are going to try polling this presentation. So please go to this website and use this poll ID. Come on, take out your phones, everybody's connected nowadays. Let's try to run the first poll, just to see that this thing works. [poll]

Okay, we have a first answer, a second one, a third. Come on, really? Ten, nine, eight, seven... somebody chose Blackhat, I'm really

surprised. Three, two, one. Okay, ah yeah, Sneakers won. Excellent. Okay, so we know this tool works, and we know Sneakers is the best hacking movie. We did it. Okay, let's continue. So the privilege escalation cycle, and this is what we are going to discuss here, basically it works this way: the attackers get in, they compromise some device which has some credentials, they retrieve those credentials, they use them to operate inside the network, usually to gain access to another location with higher-privilege credentials, they steal those, and the cycle repeats itself in a spiral until the attackers get sufficient credentials that will enable them to get to their goal inside the network. It's

important to know that the credentials that we are talking about here can be user credentials, but they can also be application credentials, right: services, application servers. Every application, every VM, virtual machine, every hypervisor has a built-in account with the highest privileges for it, and there are many network-level accounts, including personal administrative accounts. And our research shows that there are usually three to four times as many privileged accounts in an organizational network as there are user accounts. Okay, so, and I'm talking here to people who understand this concept, right, because every hypervisor, as you said, has those accounts. Sometimes people, when I present this, find this surprising, because they're saying, but we don't have that

many administrators. Okay, but you have many more devices. And so when we discuss what the attackers are looking for, they are basically looking for any account that will grant them access, and they don't care about Andrey's account, right. If Andrey's account is the right account, excellent; if it's some other account, whatever. I don't try to specifically impersonate Andrey unless I want to frame him, okay. This almost goes back to the Hackers movie. What we have actually, it's way before, right: we have a machine on which all domain users are defined as power users, okay, so basically any domain account is a privileged account on that machine, which is also a wrong configuration, and we even have an

application account whose password, I'm sorry for you guys behind, is written in the account description. You know, if you ever need the password, it's right there. Actually, the interesting security stuff here is for the security control, see that? Okay. So one of the things that we can do with DNA is detect the presence of credentials on one machine that would enable compromise of another machine on which that account has high privileges. Okay, so what we asked ourselves in this research that I'm about to present is: how many machines endanger the entire network? Okay, and we are in Vegas, so basically the question is, how lucky must an attacker get with their initial

compromise, in order to be able to compromise, from that machine, the entire network? And the way we do it is: we take a machine, we see which machines an attacker would be able to access by compromising the credentials on this machine, and then we go forward and we say, okay, there are more credentials here, what additional machines can be compromised from there, and we count all those machines. Okay, so this machine is able to compromise the entire network; this machine can compromise six more machines. The metric that we define is a highly threatening machine: a highly threatening machine is a machine that would enable the compromise of over 80% of the network.

So which of those machines are highly threatening? This one clearly is, right; we also have this one, which is also highlighted, this one, and this one. This is the basics of what we are doing, and then we split the networks. Okay, we try to assign a score to the entire network: we are asking how many of the machines in the network are highly threatening. Okay, here it's a medium number; over 50% of the machines in this network are at a very high risk level, right? The attacker can land anywhere, flip a coin, over 50% chance that

he will land on a machine from which he will be able to compromise the entire network. So we are going to the next poll. Some of you have networks, so let's try this question: what is the level of exposure of your networks? Okay, is it high risk, medium risk, low risk? Okay, the first answer

[poll] Five, four, three, two, one. Okay, so we have the majority of the people thinking that their network is low risk, then we have a split... last second, the high... Okay, it keeps, it will keep rising, it won't affect the presentation anymore. So here are the results. Those are the results, okay. Basically what we see, and those are the results of a research, I forgot to mention, of over 60 networks that we have scanned in the real world: so only 70% of the networks are low risk, and the majority of the networks are either medium or high risk, with a very significant amount of networks in the high risk category. So basically in those networks the attacker can land

anywhere, right, or not anywhere, but there is a very high chance that from the machine on which the attacker lands they'll be able to compromise the entire network. Why is that? Basically due to service accounts that exist on those machines, or due to user accounts, user accounts meaning administrators connected to this machine and left their credentials behind them, and now the attacker can hijack them and move. Okay, so we can also try to evaluate the effectiveness of mitigations, but before we touch on that, just if we compare servers versus workstations, as expected... I won't go too much into details here, but the purple line is the percentage of the servers that are highly threatening; as expected, on servers there is a higher

chance of finding privileged credentials, right, either application or administrator ones. So if we try to assign mitigations, we can try to mitigate the threat from user accounts. For example, if we are using local accounts to connect to devices, we don't leave behind hashes that could be used by an attacker to compromise other devices, right. If we are using one-time passwords to connect to devices, again we won't leave behind hashes that the attacker can abuse. So we see that the situation improves a bit. We can try to mitigate the threat coming from the service accounts, okay. For example, if we remove the locally stored credentials, if we have some system that provides passwords on demand to applications and services, instead of them

being locally stored next to the application, which is the usual case, then the attacker won't be able to find them. Again, we can use local accounts where possible, and the improvement here is much more significant. So there is a lot of threat that is coming from services, and if we employ all our tools, switch to local accounts and we zone properly, meaning a privileged account is only privileged to a subset of the servers instead of the entire network, then we can improve this situation significantly. There are other best practices that can be employed, and they are even more interesting, I would say. So two-factor authentication, right, it's a known tool and there's a lot of

discussion about how it should properly be employed, but it's a fairly easy case to make that two-factor authentication should first of all be employed for the privileged users in the network. Okay, whoever is the administrator, especially the administrators who have access to our domain controllers, they should deploy two-factor authentication. The second concept is tiering, and the people from Microsoft, and there are other people who are familiar with that, but basically what we are saying is that not all devices in our network are the same, so we would like to use a different administrative account for every sort of device, meaning there would be an administrative account for the workstations, sorry, for the servers, and a

separate administrative account for the domain controllers. And in this situation an attacker who would be able to compromise one of those devices would only be able to move laterally within the tier, and if we are also zoning it, then only within the zone, and not be able to escalate their privileges to the domain. But a more secure approach would be to avoid using passwords from the workstation at all. Okay, if we are able to deploy a solution where the user will connect to some sort of a jump server with their personal credentials, which are not privileged, and this jump server will establish the privileged session for them, then there will be no privileged credential on the

user end. Now we know that human beings are very bad, we've been discussing this throughout this conference, at setting passwords. Human beings set weak passwords, human beings reuse the same passwords over many devices, they will assign passwords and not change them for a long time, sometimes never change them at all, they will use global passwords that are applicable to many devices, okay. And this is... okay, they're all a bit... but this is just wrong, okay. For those who have not yet seen this clip, it's probably one of... [video clip]

"We're talking about cyber security today and how safe people's passwords are. What is one of your online passwords currently?" "It is my dog's name and the year I graduated from high school." "Oh, what kind of dog do you have?" "I have a 12[-year-old] Papillon." "And what's his name?" "Jameson." "Jameson. And where did you go to school?" "I went to school back in Greensburg, Pennsylvania." "What school?" "...field Area Senior High School." "Oh, when did you graduate?" "In 2009." "Oh, great." "It's like my cat's name and then just like a random number." "Okay, have you had this cat for a while?" "Yeah, she's my childhood pet." "And what's her name?" "Her name is Jolie." "Jolie. So a password of yours would be Jolie and then a number, like number one?" "Like my birthday." "Oh, when is your birthday?" "June 12th." "Oh nice, what year were you

born?" "95." "Oh great, so Jolie 61295, got it." "Gemma123." "Spell it." "G-E-M-M-A." "Well, most of them are Italian." "Oh, beautiful, yeah. So like what's a good Italian password?" "My grandma's name." "What's your grandma's name?" "Maria." "Maria. So Maria is your password?" "Oh yeah." "You let me know your password?" "Oh yeah, yeah."

So, yeah, I assume your administrators won't give out passwords to somebody coming up with a mic on the street, but human beings are just bad, very bad, at setting passwords, and we would like to prevent human beings from ever setting or touching the privileged password, which is the most sensitive. And this is where, I would say, the most

significant improvements that can be made in modern enterprises can be made, and it is to set up a system, an automated system, that will manage all the privileged passwords by itself, and then change the passwords according to a policy, and enable access according to an established workflow to use those accounts when needed. This way, the human beings will only be able to manage their own personal password, which is not privileged by itself. So I will end here, and I will open up to questions if you have any. But basically we went through an attack scenario, we described the exposure of networks to such attacks, and provided some best practices. So, questions on any of those? Yeah.

Audience question: Considering system account management, centralized privileged account management is more secure, because, you know, the machine that allows it to access essentially every other system is just one single machine. So according to your metric, right, considering the overall number of machines, it's a very small percentage that actually... right, but it is still a single point of failure, right?

Answer: So when you use the term single point of failure, we're basically describing two aspects. One is the availability of this system, and there are of course disaster recovery, high availability solutions and others, but we are also discussing the security of the solution. So you have one point of failure, and if it is compromised,

then what happens to the entire network? And basically here we have a conceptual issue, right: whether it is easier to protect hundreds of endpoints, each of them using an administrative account, or to have one highly secure solution, okay, on which we can employ all our security understanding and our detection mechanisms to avoid such compromise. So we believe that this approach is much better, and it is possible, okay, we know that it's possible. But I understand your point, okay, it's a decision that an organization needs to make, and it does sound like putting all your eggs in one basket, but this basket is highly protected. I don't know, I'm not sure how this metaphor should

develop; if anyone has a good metaphor for this, for the basket... Yeah?

Audience question: [inaudible question about systems that use public key or SSH key authentication]

Answer: Sure, so either public key or SSH key, it is also possible to use this or a similar system, and it is crucial to manage, for example, SSH keys or public keys. On SSH, you have keys that are left behind after accounts are disabled, you have keys that are never changed, okay, which are also... Just recently there was this Cisco story, right, with an SSH key that just wasn't changed. So employing the same approach to SSH keys and PKI, or any other public key infrastructure solution, is also wise, okay. And it becomes even easier: you can now

employ a different mode of authentication, including two-factor authentication, to legacy systems that didn't support them before, because you are separating the personal authentication from the privileged authentication. You can now employ two-factor authentication on the legacy mainframe that wouldn't support it otherwise. So there are many combinations that are possible, okay. Yeah?

Audience question: [inaudible question about how the solution itself is protected]

Answer: Yeah, so many approaches here, but first of all, take it out of the domain entirely, okay, only have local admin access to this machine. We secure specifically... in our solution, I'm promoting the concept here, I'm not talking [about the product], but we employ a proprietary secure protocol to communicate with it, so any other communication to it is prevented, and local security controls,

including strong encryption on the storage itself, and there are several other controls. I can discuss it with you later. Yeah, we have to stop, you know, time is out, but thank you, and... thank you. I'll be...
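Editor's added worked example, not the speaker's code and not CyberArk's DNA tool: a toy model of the escalation cycle and of the two metrics the talk uses (a "highly threatening machine" is one from which over 80% of the network can be compromised; a network is high risk when over 50% of its machines are highly threatening), followed by the mitigation comparison from the talk (stop leaving user-account hashes behind versus stop storing service-account passwords next to the application). The network, the account names, the "svc_" naming convention and the 20% medium-risk boundary are constructed for illustration and are not from the talk.

```python
"""Toy model of the privilege-escalation cycle described in the talk.

Constructed example (editor's addition), not the speaker's or CyberArk DNA's
code. The network, account names, the "svc_" prefix convention and the 20%
medium-risk boundary are invented; the 80% machine threshold and the 50%
high-risk network boundary are the talk's.
"""

# Constructed network. For each machine: the credentials an attacker can
# harvest after compromising it (cached admin hashes left behind by
# interactive logons, service-account passwords stored next to the
# application) and the accounts that are privileged on that machine.
NETWORK = {
    "ws-01":  {"creds": {"helpdesk_admin"},            "admins": {"helpdesk_admin", "svc_monitor", "domain_admin"}},
    "ws-02":  {"creds": {"svc_monitor"},               "admins": {"helpdesk_admin", "svc_monitor", "domain_admin"}},
    "ws-03":  {"creds": set(),                         "admins": {"helpdesk_admin", "svc_monitor", "domain_admin"}},
    "app-01": {"creds": {"svc_monitor", "svc_backup"}, "admins": {"server_admin", "svc_monitor", "domain_admin"}},
    "app-02": {"creds": {"svc_backup"},                "admins": {"server_admin", "svc_monitor", "domain_admin"}},
    "db-01":  {"creds": {"server_admin"},              "admins": {"svc_backup", "server_admin", "svc_monitor", "domain_admin"}},
    "dc-01":  {"creds": set(),                         "admins": {"domain_admin"}},
}

HIGHLY_THREATENING = 0.8  # talk: "over 80% of the network"


def is_service_account(account):
    # Constructed convention: service accounts carry the "svc_" prefix.
    return account.startswith("svc_")


def reachable(network, start):
    """Machines (other than start) an attacker takes over from start by
    repeatedly harvesting credentials and using them wherever they are
    privileged: the escalation cycle computed as a fixpoint."""
    owned = {start}
    creds = set(network[start]["creds"])
    changed = True
    while changed:
        changed = False
        for host, info in network.items():
            if host not in owned and creds & info["admins"]:
                owned.add(host)
                creds |= info["creds"]   # whatever was left behind on the new host
                changed = True
    return owned - {start}


def threat_share(network, start):
    """Fraction of the other machines that a foothold on start endangers."""
    return len(reachable(network, start)) / (len(network) - 1)


def highly_threatening(network, threshold=HIGHLY_THREATENING):
    return sorted(h for h in network if threat_share(network, h) > threshold)


def network_risk(network):
    """Share of highly threatening machines, i.e. the odds that a random
    initial compromise hands the attacker most of the network, with a label.
    The 50% high boundary is the talk's; the 20% medium boundary is assumed."""
    share = len(highly_threatening(network)) / len(network)
    level = "high" if share > 0.5 else "medium" if share > 0.2 else "low"
    return share, level


def strip_credentials(network, predicate):
    """Mitigation: credentials matching predicate are no longer left on the
    machines (one-time passwords or a jump server for user accounts; passwords
    served on demand instead of stored locally for service accounts).
    Returns a new network; who is privileged where is unchanged."""
    return {
        host: {"creds": {c for c in info["creds"] if not predicate(c)},
               "admins": set(info["admins"])}
        for host, info in network.items()
    }


def compare_mitigations(network):
    """Network risk before and after each mitigation the talk discusses."""
    return {
        "baseline": network_risk(network),
        "user accounts": network_risk(strip_credentials(network, lambda c: not is_service_account(c))),
        "service accounts": network_risk(strip_credentials(network, is_service_account)),
        "both": network_risk(strip_credentials(network, lambda c: True)),
    }


if __name__ == "__main__":
    for host in NETWORK:
        print(f"{host}: {threat_share(NETWORK, host):.0%} -> {sorted(reachable(NETWORK, host))}")
    for name, (share, level) in compare_mitigations(NETWORK).items():
        print(f"{name:17s}: {share:.0%} highly threatening machines, {level} risk")
```

In this constructed network a single global service account (svc_monitor) with local admin rights everywhere does most of the damage, so removing locally stored service credentials drops the network from high to low risk while removing only cached user-account hashes leaves it at medium, mirroring the ordering the talk reports. Note that dc-01 is never reachable because no domain_admin credential is cached anywhere, which is exactly what tiering and the jump-server model are meant to guarantee.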