Security Fundamentals for your Privileged Account Security Deployment


Security Fundamentals for your Privileged Account Security Deployment February 2016 Copyright 1999-2016 CyberArk Software Ltd. All rights reserved. CAVSEC-PASSF-0216

Compromising privileged accounts is a central objective for any attacker, and CyberArk's Privileged Account Security Solution is designed to help improve your organization's ability to control and monitor privileged activity. As with any security solution, it is essential to deploy the CyberArk Privileged Account Security Solution in a secure manner and ensure the controls you have implemented are not circumvented by an attacker.

The eight controls described in this document are all key recommendations for protecting your CyberArk deployment, and therefore your privileged accounts. Consolidated by our team, these controls reflect our experience in implementing industry best practices when supporting our customers in installing and operating our products. The recommendations are also based upon analysis of various reports made by companies that experienced a security incident and other research data generally available in the industry. Details are included in the CyberArk Digital Vault Security Standards document and CyberArk product documentation.

It is imperative that you follow as many of these steps as practicable in your environment, recognizing there may be other methods that you may wish to use based on your organization's expertise. Please review your CyberArk deployment on a regular basis to ensure it complies with industry best practices, including those outlined in this document. For questions or assistance with designing and implementing these controls or support in reviewing your deployment, contact your CyberArk or partner representative.

Recommendations for Protecting your CyberArk Deployment

1. Isolate and Harden the Digital Vault Server

Recent attacks have shown that it is common for threat actors to leverage vulnerabilities in the Kerberos protocol to move throughout the environment undetected. It is therefore required that the Digital Vault server run on an isolated and trusted platform. For more information, see the CyberArk Secure Platform document.

- The Digital Vault server is not a member of a Windows Domain
- Third-party software is not installed on the Digital Vault server
- Network traffic to the Digital Vault server is restricted to CyberArk protocols

CyberArk Software Ltd. cyberark.com 2

- Network traffic from the Digital Vault server is restricted to CyberArk protocols and approved integrations such as LDAP for user and group provisioning or SMTP for email alerts
- The Digital Vault server operating system credentials are unique
- Any infrastructure hosting the Digital Vault server has the same controls applied to it as those applied to the Digital Vault server

Due to the increased risk and complexity of assuring controls on the underlying infrastructure, such as VMware ESX and the SAN backing it, it is strongly recommended that Digital Vault servers be physical servers.

2. Use Two-Factor Authentication

Using two-factor authentication to the CyberArk Privileged Account Security Solution for all users and product administrators enables you to mitigate common credential theft techniques, such as basic key loggers or more advanced attack tools that are capable of harvesting plaintext passwords. CyberArk recommends that customers deploy two-factor authentication to the CyberArk Digital Vault, preferably over the RADIUS protocol.

3. Restrict Access to Component Servers

Like the Digital Vault server, CyberArk components, including the Password Vault Web Access, Central Policy Manager and Privileged Session Manager, are sensitive assets. The core principle of this control is to treat CyberArk infrastructure with the highest level of sensitivity.

- Follow Microsoft's best practices for mitigating credential theft [1] and securing Active Directory; CyberArk component servers are of the same security level as domain controllers (tier 0)
- Consider keeping CyberArk component servers out of the domain
- Limit the accounts that can access component servers; ensure that any domain accounts used to access CyberArk servers are unable to access domain controllers and other member servers and workstations

[1] Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, https://www.microsoft.com/en-us/download/details.aspx?id=36036

- Limit the number of domain credentials that are able to access the component servers
- Use host-based firewalls and IPsec to restrict, encrypt and authenticate inbound administrative traffic; use the CyberArk Privileged Session Manager and the local administrator account to access component servers
- Deploy application whitelisting and limit execution to authorized applications

4. Limit Privileges and Points of Administration

Reducing the number of privileged accounts and/or the extent of their privileges reduces the overall privileged account attack surface. This is true both for the enterprise as a whole and for each solution implemented, including CyberArk. The core principle of this control is that there should only be a few CyberArk administrators, and they should only possess limited privileges, unless elevated through a strong approval process.

- Eliminate unnecessary CyberArk administrative accounts
- Reduce privileges of CyberArk administrative accounts
- Restrict personal accounts to business-as-usual permissions justified for their role; CyberArk administrators do not have justification to access all credentials
- Require privilege elevation (with Dual Control or Ticketing Integration) for system configuration changes or to access credentials that the CyberArk administrator otherwise does not have justification to access
- Use the CyberArk Privileged Session Manager to isolate and monitor CyberArk administration
- Require two-factor authentication for all avenues of administrative access

5. Protect Sensitive Accounts and Encryption Keys

Like many applications, the CyberArk Digital Vault has sensitive accounts and encryption keys. These sensitive accounts come in two forms: business-as-usual administrators (addressed in Control #4) and out-of-band administrators (e.g. the Master user), to be used when the normal administration methods are not available. Furthermore, the CyberArk Digital Vault utilizes two encryption keys to secure data: the Operator Key is used for runtime encryption tasks and the Master Key is used for recovery operations.

- Store the built-in Vault Administrator, OS Administrator and iDRAC/iLO root passwords in a physical safe (distribute copies to two or more locations); ensure that access requires more than one individual
- Store the Master Password and Master Key in a physical safe (distribute copies to two or more locations) and ensure that access requires more than one individual
- Do not store the Operator Key on the same media as the data
- Use a Hardware Security Module (HSM) to secure the Operator Key

6. Use Secure Protocols

The use of insecure protocols can easily render other controls void. To reduce the risk of eavesdropping and other network-based attacks, use encrypted and authenticated protocols for all communications. For example, use HTTPS for the Password Vault Web Access, LDAPS for the Digital Vault LDAP integration, RDP/TLS for connections to the CyberArk Privileged Session Manager and SSH (instead of telnet) for password management.

7. Monitor Logs for Irregularities

In order to detect problems early, it is essential to monitor the logs generated by both the CyberArk Privileged Account Security Solution and the infrastructure on which it runs. Early detection is one of the key elements in reducing the impact of any issue, whether security or operational.

- Aggregate CyberArk application and infrastructure logging within your SIEM
- Monitor and alert upon excessive authentication failures, logins to the Digital Vault server operating system, logins as Administrator or Master and important infrastructure events
- Consider implementing CyberArk Privileged Threat Analytics for automated analysis and alerting on anomalies in CyberArk's audit logging
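The two alerting rules named in this control, written out as an added example that is not CyberArk's code or documentation: it runs over constructed audit lines in a simplified pipe-delimited layout (an assumption made here; the real Vault log format forwarded to a SIEM differs), flags a run of authentication failures for one user inside a sliding time window, and flags every successful logon as Administrator or Master.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a simplified "timestamp|user|event|result|source"
# layout (an assumption for this example; real Vault logs forwarded to a SIEM differ).
SAMPLE_LOG = """\
2016-02-01T08:00:01|jsmith|Logon|Failure|10.1.2.3
2016-02-01T08:00:05|jsmith|Logon|Failure|10.1.2.3
2016-02-01T08:00:09|jsmith|Logon|Failure|10.1.2.3
2016-02-01T08:00:13|jsmith|Logon|Failure|10.1.2.3
2016-02-01T08:00:17|jsmith|Logon|Failure|10.1.2.3
2016-02-01T08:10:00|Administrator|Logon|Success|10.1.2.50
2016-02-01T09:30:00|Master|Logon|Success|10.1.2.50
2016-02-01T09:45:00|acme_app|Retrieve password|Success|10.1.3.7
2016-02-01T10:00:00|bjones|Logon|Failure|10.1.2.9
2016-02-01T10:30:00|bjones|Logon|Success|10.1.2.9
"""

# Built-in users whose interactive use should be rare and always reviewed (control 7).
SENSITIVE_USERS = {"Administrator", "Master"}
FAILURE_THRESHOLD = 5           # failures by one user ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window

def parse_event(line):
    """Split one constructed audit line into a dict with a parsed timestamp."""
    ts, user, event, result, source = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "result": result, "source": source}

def analyze(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (rule, user, source) alerts in the order the triggering events occur."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> failure timestamps still inside the window
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        if ev["event"] != "Logon":
            continue  # only authentication events matter for these two rules
        if ev["result"] == "Success" and ev["user"] in SENSITIVE_USERS:
            alerts.append(("sensitive-logon", ev["user"], ev["source"]))
        elif ev["result"] == "Failure":
            window_hits = [t for t in recent_failures[ev["user"]] if ev["ts"] - t <= window]
            window_hits.append(ev["ts"])
            recent_failures[ev["user"]] = window_hits
            if len(window_hits) == threshold:  # fire when the threshold is reached, not on every later failure
                alerts.append(("excessive-failures", ev["user"], ev["source"]))
    return alerts
```

In a SIEM the same two rules would be expressed as a count-over-window correlation and a simple match on the user field; the threshold and window here are illustrative and should be tuned to the environment.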

8. Create and Periodically Test a CyberArk Disaster Recovery Plan

Even with extensive controls and best practices in place, as attackers continuously seek evolved, sophisticated attack methods, things can still go wrong. Having a documented disaster recovery plan that specifically takes into account your organization's CyberArk deployment, and periodically validating it, will ensure that you can quickly recover your data and restore operations. A good disaster recovery plan begins with an assessment of the various risks, the likelihood of occurrence and impact. The disaster recovery plan should provide information about the physical infrastructure, key contacts, processes to access out-of-band credentials and procedures to recover from likely and/or high-impact problems. Furthermore, it is important to ensure that your CyberArk solutions, Privileged Account Security in particular, are included and accounted for as a vital step in recovery as part of your general disaster recovery process, throughout the enterprise.