Privileged access: The risks outweigh the rewards?

by: Anand Harikrishnan, CEH on Sunday, November 24, 2013 10:20 AM

This blog post is another small effort to touch on the risks relating to privileged accounts. I am sure all those who work in the information security field agree that privileged accounts pose a serious risk within organizations. With tens of thousands of users working on applications in an organization, the risk that privileged accounts pose is greater than we might think. However, at a time when statistics point out that “more than 50% of threats to an organization are from insiders”, have we seriously assessed the risk relating to these accounts?

Some of the questions we should be asking about privileged accounts are:

  • How many such accounts exist within our organization?
  • Who has access to these accounts in our organization?
  • Which systems hold these accounts?
  • Was the account granted for a specific period?
  • Are these accounts subject to logging, review or audit?
  • Are these accounts left active once the user has left the organization?


Information security policy requires that each process, user or program be able to access only the information or resources required for its legitimate purpose. However, the reality is that applications, administrators and technology experts in organizations cannot complete their day-to-day activities with such tightly controlled privileges. Each of us has come across technicians or administrators who have the right to use the Windows administrator account or who hold root privileges on UNIX enterprise systems. Most of the core applications and routine scripts used within the technology space come with embedded privileged accounts. Even knowing the risk associated with these accounts, we cannot simply remove them. Privileged accounts are required, but the larger question remains: have we assessed the risk related to these privileged accounts?

When a business request takes precedence over technology constraints, a request for privileged accounts is rarely questioned. Accounts are created without proper justification or an approval workflow. In addition, after their intended use, accounts are not disabled. A more difficult situation is when multiple users share such critical accounts. Privileged accounts often have full access to almost everything on the system. Organisations face the challenge of identifying inappropriate privileged account usage, and often cannot guarantee that privileged accounts are used responsibly. Malware such as Stuxnet makes use of this gap in security, which is enough to compromise the overall security of an enterprise. This is why regulations such as SOX and HIPAA stress this essential component of compliance. Careless usage of privileged accounts can result in huge reputational, financial and legal impact to organizations.

It is high time organisations take a strict and continuous look at this gap. Many organizations do not want to invest heavily in identity and access control solutions, but considering the challenge and complexity, they have no option but to bring in a solution to manage these critical accounts. Organisations must empower administrators with tools which can:

  • Determine the count of privileged accounts
  • Identify the users who own these accounts
  • Identify the systems which use these accounts
  • Review the risk associated with those accounts
  • Control the access granted to these accounts
  • Log and audit these accounts
  • Identify unauthorized usage of these accounts
  • Showcase the principle of least privilege

A one-stop solution must be in place that can authenticate, authorize and enforce accountability. A review of the existing controls and processes for privileged accounts, separation of duties, and training and awareness are not enough on their own to manage this risk. In this age, while organizations invest heavily in technology products, focus must be given to reviewing insider threats and to the technology and strategies relating to the management of privileged accounts.



Tips for creating strong password

by: SecureToday.net Admin on Wednesday, December 22, 2010 9:10 AM

This post is from Help Net Security, a great resource for News, Articles and information on Security. Visit Help Net Security and subscribe or follow their tweets. This post is located here.

To ensure consumers stay safe online and enjoy this holiday season, Check Point outlines practical tips for creating a strong password.

  • Choose a password that is at least 8 to 10 characters long. This should be long enough to resist brute force attacks, since a brute force attack consists of trying every possible code, combination, or password until the right one is found.
  • Make sure your password is difficult to guess. Do not use names of any kind, including your login name, family member’s name or a pet’s name. Also avoid using personal information such as a phone number, birthday or place of birth.
  • Avoid words that can be found in the dictionary. With the availability of online dictionaries it is easy for someone to write a program to test all of the words until they find the right one.
  • Stay away from repeated characters or easy to guess sequences. For example: 77777, 12345, or abcde.
  • Choose a password that is a mixture of numbers, letters and special characters. The more complex and random it is, the harder it will be for a malicious person to crack.
  • Use fragments of words that will not be found in a dictionary. Break the word in half and put a special character in the middle.
  • Choose different and unique passwords for all of the important sites.
  • Change your passwords often. Even if someone cracks the system password file, the password they obtain is not likely to last long.
  • Use a reliable password protection solution.

To get more insight on how people create poor passwords, take a look at this analysis of 32 million breached passwords.



How to avoid rogue security software

by: SecureToday.net Admin on Thursday, February 25, 2010 8:23 AM

What can you do to help prevent the spread of rogues and make sure that rogue software vendors stop profiting from their unscrupulous business? Follow these tips below to tell what’s real and what’s not when it comes to security software – and share them with friends and family who may be vulnerable to rogue threats.

1. Do not fall for scare tactics. While browsing sites, be cautious of pop-ups warning you that your system is infected and offering a product to clean it up. Never pay for a program that installed itself to your computer. This is a hallmark of rogue software.

2. Use security software with real-time protection and keep it up-to-date. If you know that you have anti-virus, anti-spyware, and a firewall on your PC, you can safely ignore security alerts you receive that do not come from your chosen security software provider. (Rogue security software will often try to lure computer users by using legitimate-looking pop-up messages that appear to be security alerts.) Also, most anti-malware programs will help keep you protected from rogues because they can detect and remove these programs.

3. Access experts at security forums and ask about the software you are considering before you decide to purchase it.

4. Read the software reviews at reputable sites like Download.com. Do not blindly trust individual sites offering security products.

5. Ask knowledgeable friends and family members about quality software they use. Keep in mind that when you search for trustworthy security software online, rogue products can, and often do, appear in the search results list.

6. Practice online skepticism. Be aware that rogue security software does exist on the Web, and be vigilant about avoiding it. These programs are designed to appear genuine – meaning they may mimic legitimate programs, use false awards and reviews to rope you in, or employ other deceptive tactics. It’s also a good idea to familiarize yourself with common phishing scams, and to be cautious of links in e-mail messages and on social networking sites.

Author: Erin Earley, editor of Lavasoft News.

NOTE: Original article is posted on Help Net Security website: http://www.net-security.org/malware_news.php?id=1245. You can subscribe to their news for up-to-date security news and articles.



MS Patch released: MS10-002 IE 0-day

by: Zarex dela Cruz, CISSP, CISA on Thursday, January 21, 2010 1:13 PM

Just finished attending McAfee’s monthly Hacking Exposed Live Special Edition covering “Operation Aurora”, which I talked about in yesterday’s post. As always, Stuart McClure demonstrated a simple and quick exploit to show how easy it is for this exploit to be executed on a vulnerable system.

In McClure’s demo, he accessed his customized website using IE 6, which is vulnerable to the attack, and showed how the exploit is downloaded to the machine, saved, decoded, and run. Exploits like these are really scary for everyone because they do not even require the end user to do anything, such as clicking or downloading something.

To make things worse, the downloaded file was a jpg (it could also be a gif or png). To some, it could look like a simple image file, but it is actually an executable file. The process is automatic. The jpg file is downloaded, repackaged, and then the binary is executed. The payload could be anything, such as a backdoor Trojan that sits on your computer to steal information, or a nasty virus that wipes out your entire drive.

While I’ve been stressing to everyone to be careful about clicking links from emails or visiting suspicious websites, at the end of the day it sometimes boils down to how your system is configured for protection. What are your protections, walls, or shields from these evildoers? Do you have your system locked down, updated, or patched?

PATCH. The best step is to patch your system so you are not vulnerable. Today, Microsoft released an out-of-band security patch to address this zero-day vulnerability. I highly recommend you install this patch as your first line of defense. Here is the link: http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx. Again, do not install any third-party patches. Trust only the one that comes from the vendor. Currently, I am attending Microsoft’s Out-of-Band Security Release bulletin webcast, in which they covered what is included in this patch.

BROWSER. It has been discovered that other versions of IE, not only IE 6, could be vulnerable to this attack. So it is not a bad idea to use an alternate browser like Firefox, Opera, or Chrome. I should also add that your favorite email clients, such as Outlook, can easily launch the attack too, since email is displayed as HTML. So be aware of all the avenues through which this attack can get in.

DEFENSE. For home users it is highly advised that you have antivirus software with up-to-date virus definitions. Having a host firewall or IPS (Intrusion Prevention System) also adds another layer of protection. In the corporate world, taking advantage of the powerful features of your firewall, proxy, network IPS, host IPS, and antivirus is very crucial.

Inline proxies can block file downloads that are suspicious or deemed infected, thereby protecting corporate users. With good signatures and an inline IDS, you can also block or drop these types of attacks or traffic. Likewise, an updated antivirus can catch this before it can wreak havoc. Multiple lines of defense implemented correctly provide you or your company a better protection mechanism.

So again, download and install the patch now; it is available from the link above. Update your antivirus and protect yourself!



Haiti Earthquake and Scam emails

by: Zarex dela Cruz, CISSP, CISA on Thursday, January 21, 2010 9:28 AM

[Image: Haiti Earthquake Landslide]

The recent earthquake disaster that struck Haiti is sometimes unbearable to watch, with an estimated 80,000 deaths and rising, or 200,000 according to the Haitian government. The damage sums up to billions of dollars. It is indeed a disaster that melts your heart in pity.

More than 5 years ago, a colossal disaster hit Indonesia and other parts of the world when an earthquake in the Indian Ocean caused huge and deadly tsunamis in Indonesia, Sri Lanka, Africa, and other countries. All of these sad stories spread easily across the Internet, including heart-touching pictures.

These stories always touch the hearts of many. And this is exactly what the bad guys take advantage of. In a previous post about phishing, we uncovered how it works. This is what these scammers are going to use again to exploit vulnerable people. So again, BEWARE of scam emails asking for donations to help Haiti earthquake victims. They can appear legitimate, but always ensure that you do not click on any link they provide.

The example below is a capture from McAfee’s blog of what could be a similar scam email designed to lure people into donating money to the scammers. This one is of French origin.

[Image: Haiti scam email]

Last week the United States FBI released an immediate warning and reminder to Internet users to be very diligent and apply a critical eye when responding to emails asking for donations in the aftermath of the Haiti earthquake. I’ve outlined their guidelines below:
