Tag Archives: Privileged Accounts Management

New York’s Cybersecurity Requirements for Financial Service Companies are a real game changer

1 November 2016

In the post ‘Learn How the NYDFS Cybersecurity Regulations Will Impact Your Company’, Shawn E. Tuma talks about the impact of the New York Department of Financial Services Cybersecurity Regulation on daily business.

Negotiating service contracts and working with third parties will require considerably more effort once the regulation enters into force. But such a regulation has long been overdue, at least since the details of the Target data breach of December 2013 became known.

From a security point of view the Cybersecurity Regulation is a real game-changer. Some concepts are borrowed from the ISO 27001, but in some areas the NYDFS Cybersecurity Regulation goes much further than the ISO requirements.

The scope of the regulation, Nonpublic Information, is clearly and sufficiently broadly defined in section Definitions (500.01). In my opinion, the focus on Nonpublic Information might create blind spots because significant damage can be caused by compromised Public Information as well.

Section 500.02 demands the implementation of a Cybersecurity Program. The program shall be designed to

(3) detect Cybersecurity Events;

(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;

The requirement to ‘mitigate any negative effects’ is new, and will have a major impact on IT security operations.

Section Audit Trail (500.06) requires the implementation of a Privileged Account Management (PAM) solution.

Section Multi-Factor Authentication (500.12) states where Multi-Factor Authentication (MFA) is required. Unfortunately, MFA is not mandatory for access to non-web applications. I would prefer to secure all applications with MFA.

The strict application of the Principle of Least Privilege for access to Nonpublic Information, which is demanded in section Access Privileges (500.07), is a big step forward.

All in all, the Cybersecurity Requirements for Financial Service Companies are a big step forward towards increased cyber security. If implemented well, the likelihood of data breaches will decrease dramatically.

If your company is currently implementing a cyber security program, it definitely makes sense to take a closer look at this regulation. It can easily be adapted to any type of business.

Have a good day.


Cross-Domain Innovation: Using a PAM solution for efficient mitigation of Pass-the-Hash attacks

25 October 2016

During the ‘Move Laterally’ phase of a cyber-attack, the Pass-the-Hash (PtH) method is often used to jump from one system to another in Windows networks. The best way to deal with PtH attacks is to use only locally defined privileged accounts with individual passwords, because the related hashes are then not valid on other systems. For more details please see the NSA IAD guideline ‘Reducing the effectiveness of Pass-the-Hash’.

Using individual passwords on thousands of Windows systems is a really big challenge. In addition, since network login with local users has to be deactivated, the effort for the administrators increases significantly. As a result, the NSA suggestions will be implemented, if at all, in only very few organizations.
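The two conditions described above (per-host unique local admin passwords, and network logon denied for local accounts) can be audited across a fleet. The following is an added example, not code from the original post or from any vendor; the host inventory is constructed, the hash values are placeholders, and the policy excerpts mimic the [Privilege Rights] section of a `secedit /export` dump.

```python
"""Audit of Pass-the-Hash mitigations across a fleet of Windows hosts.

Added example, not code from the original post. Two checks that follow the
NSA IAD advice cited in the post:
  1. local privileged accounts must have per-host unique passwords
     (compared here via NT hashes collected by an inventory tool);
  2. local accounts must be denied network logon, i.e. the well-known
     SID S-1-5-113 (NT AUTHORITY\\Local account) must be listed under
     SeDenyNetworkLogonRight in the host's exported security policy.
All host data below is constructed; hash values are placeholders.
"""
from collections import defaultdict

LOCAL_ACCOUNT_SID = "S-1-5-113"   # well-known SID "Local account"

# Constructed inventory: host -> (NT hash of local admin, policy excerpt).
FLEET = {
    "ws01": ("ntlm_hash_A", "[Privilege Rights]\nSeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114\n"),
    "ws02": ("ntlm_hash_A", "[Privilege Rights]\nSeDenyNetworkLogonRight = *S-1-5-114\n"),
    "ws03": ("ntlm_hash_B", "[Privilege Rights]\nSeDenyNetworkLogonRight = *S-1-5-113\n"),
    "srv01": ("ntlm_hash_C", "[Privilege Rights]\nSeInteractiveLogonRight = *S-1-5-32-544\n"),
}

def denies_local_network_logon(policy_text: str) -> bool:
    """True if SeDenyNetworkLogonRight in the exported policy lists S-1-5-113."""
    for line in policy_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "SeDenyNetworkLogonRight":
            sids = {s.strip().lstrip("*") for s in value.split(",")}
            return LOCAL_ACCOUNT_SID in sids
    return False   # no deny entry at all: local accounts may log on over the network

def shared_hashes(fleet) -> dict:
    """Map each NT hash used on more than one host to the hosts sharing it."""
    by_hash = defaultdict(list)
    for host, (nt_hash, _) in fleet.items():
        by_hash[nt_hash].append(host)
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}

def pth_exposed_hosts(fleet) -> list:
    """Hosts where a reused hash AND missing deny-network-logon leave PtH lateral movement open."""
    reused = {host for hosts in shared_hashes(fleet).values() for host in hosts}
    return sorted(h for h in reused if not denies_local_network_logon(fleet[h][1]))

if __name__ == "__main__":
    print("Shared local admin hashes:", shared_hashes(FLEET))
    print("Hosts exposed to PtH:", pth_exposed_hosts(FLEET))
```

A host that shares a hash but denies network logon for local accounts (ws01 above) is reported as not exposed, which is exactly the fallback the guideline relies on when password uniqueness cannot be guaranteed everywhere.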

Today, I participated in a great presentation of BeyondTrust’s Enterprise Password Management solution. Although primarily designed for privileged account management, the solution provides all the capabilities needed for the efficient management of local privileged accounts, including one-time passwords and automated creation of RDP sessions to the target systems. With this, PtH attacks can be mitigated with almost no extra effort for the administrators.

Have a good day.

Locky deployment methods just changed – Who cares?

30 July 2016

The post ‘Locky Dropper Now Comes Embedded in the Loader’, published July 28, 2016 in the ReaQta Security Blog, clearly shows that the cyber criminals continuously develop and improve their products. In the past, Locky downloaded the encryption program from a command & control server. In the latest version the encryption program is embedded in the email attachment as strings. The moment the victim runs the loader, the encryption program is extracted from the strings into user space and executed from there.

This is not rocket science; it is simply the application of well-known obfuscation methods to the latest Locky variant.

And, with AppGuard installed on top of the security stack, this new Locky variant represents no real danger.

In my opinion, the next generation endpoint protection solutions available on the market will all deal effectively with this sort of zero-day malware. The example of AppGuard shows: it is simply install-and-forget.

With this, we will gain valuable time for the right and important things like the implementation of Two Factor Authentication or privileged accounts management, or the design of effective security procedures or user training. Unfortunately, the paradigm shift from prevention to detection prevents us from implementing and doing the right and important things. It’s time for a paradigm change…

Have a good weekend.