Is Your Hash Being Passed?

25 02 2014

 

A typical day in IT:

It’s another day-in-the-life of an IT administrator and you have yet another 1,000 problems to solve. Around noon you receive a ticket saying Bob is having trouble with his computer’s performance. Instead of grabbing lunch, you RDP into his computer to figure out the problem. You need admin credentials to see what’s going on, so you use your Domain Administrator account.  Turns out Bob needs to update a driver. It was a simple fix and you disconnect from the user’s computer, happy to have a couple minutes left to grab a sandwich.

Later that day you see logon alerts from your SIEM tool for several machines you don’t typically access, and, alarmingly, they happened while you were picking up your sandwich. Your password is strong, well above the company’s recommended length, and mixes letters, digits and symbols. How was it used?

Turns out, the person who “borrowed” your credentials never had to figure out your password. They had already compromised Bob’s less secure computer and simply waited for an administrator to log in. When you connected over RDP with your Domain Administrator account, Windows cached your credentials in memory on Bob’s machine, and the attacker dumped your password’s NTLM hash from there. Congratulations, your hash was passed.

What is Pass-the-Hash?

A Pass-the-Hash attack is one in which an attacker obtains the NTLM hash of a user’s password and authenticates with it directly, never knowing the plain-text password. NTLM authentication proves possession of the hash, not of the password, so the hash is a password equivalent: whoever holds it can impersonate the account, typically a privileged one, against any system that accepts NTLM. This affects any network of Windows machines. The attacker’s advantage is that the hash never has to be cracked: a brute-force attack against a strong password is slow and may never finish, while a captured hash works immediately.

How is the Hash acquired?

Hashes can be acquired in several ways, two of which are most common. The first is to dump the SAM database of the local machine, which yields the hashes of its local accounts. The second is to dump the credentials Windows keeps in the memory of the LSASS process (lsass.exe), which yields the hash of any account that has logged on to that machine, for example a domain account connected over RDP. Both require administrative rights on the machine being dumped, which is why an attacker who owns one low-value workstation simply waits for something valuable to log on to it. That is how the attacker in the scenario above obtained the Domain Administrator’s hash from Bob’s computer.

How can Secret Server mitigate the threat of Pass-the-Hash?

Pass-the-Hash attacks have been known for about 17 years, yet the threat is bigger than ever because the tools that automate them keep improving. At the time of writing, the strongest built-in defences arrive with Windows 8.1 and Windows Server 2012 R2: LSASS can run as a protected process (opt-in through the RunAsPPL registry value), so ordinary administrator-level tools can no longer read credentials out of its memory; the new Protected Users group and two new well-known SIDs for local accounts (S-1-5-113 and S-1-5-114) make it possible to block privileged and local accounts from NTLM and network logons; and Restricted Admin mode for Remote Desktop authenticates the administrator without sending reusable credentials to the remote machine, so an RDP session no longer leaves a hash to dump. Two caveats: Restricted Admin mode is also opt-in (mstsc /RestrictedAdmin), and because it authenticates with nothing more than the hash it lets an attacker who already holds a hash open an RDP session with it, so it trades one exposure for another.

It is rarely practical to upgrade every computer in an organization quickly, and the network stays exposed until the last machine is done. In the meantime Secret Server offers protective measures of its own. For example, organizations can use Secret Server’s Check Out feature and configure it to change the password automatically when each RDP session’s Check Out ends. Any hash captured during the session is then useless: the NTLM hash is derived from the password alone (it is unsalted), so a new password means a new hash and the old one no longer authenticates. Secret Server can also restrict which computers an account may be used from by restricting the launcher inputs. Together these measures shrink the window in which a captured hash remains valid and reduce the set of computers from which a privileged account can be used, so an attacker has less time and fewer places to pass a hash.
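As an added example (not code from the original post or from Secret Server; hosts, accounts and timestamps are constructed, and the field names follow Windows Security event 4624), here is the kind of rule the SIEM in the opening scenario could have fired on: a privileged account showing up in NTLM network logons from a workstation it is not supposed to be used from, and fanning out to several hosts within a few minutes. In a real deployment the events would come from the SIEM or from Get-WinEvent rather than a literal list.

```python
"""Detecting a passed hash from the logon trail it leaves behind.

Added example, not from the original post. It runs a simple rule over
constructed Windows Security event 4624 records (field names as in the real
event, all values invented): a privileged account appearing in NTLM network
logons from a host it does not normally use, and in a burst of logons to many
hosts, is the pattern the SIEM alerted on in the scenario at the top.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one legitimate RDP session by the admin (LogonType 10,
# Kerberos via Negotiate) followed by NTLM network logons (LogonType 3)
# from Bob's workstation to three servers using the same account.
SAMPLE_EVENTS = [
    {"Time": "2014-02-25T12:05:10", "EventID": 4624, "Computer": "BOB-PC",
     "TargetUserName": "da-admin", "LogonType": 10,
     "AuthenticationPackageName": "Negotiate", "WorkstationName": "ADMIN-WS01"},
    {"Time": "2014-02-25T12:31:02", "EventID": 4624, "Computer": "FILESRV01",
     "TargetUserName": "da-admin", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "BOB-PC"},
    {"Time": "2014-02-25T12:31:40", "EventID": 4624, "Computer": "DC01",
     "TargetUserName": "da-admin", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "BOB-PC"},
    {"Time": "2014-02-25T12:32:15", "EventID": 4624, "Computer": "SQL01",
     "TargetUserName": "da-admin", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "BOB-PC"},
    {"Time": "2014-02-25T12:33:00", "EventID": 4624, "Computer": "BOB-PC",
     "TargetUserName": "bob", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "WorkstationName": "BOB-PC"},
    {"Time": "2014-02-25T12:40:00", "EventID": 4624, "Computer": "FILESRV01",
     "TargetUserName": "da-admin", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "WorkstationName": "ADMIN-WS01"},
]

PRIVILEGED = {"da-admin"}                          # accounts worth watching (constructed)
ALLOWED_SOURCES = {"da-admin": {"ADMIN-WS01"}}     # where each admin may log on from


def detect(events, privileged=PRIVILEGED, allowed=ALLOWED_SOURCES,
           burst_hosts=3, window=timedelta(minutes=10)):
    """Return alerts for privileged-account logons that look like a passed hash."""
    alerts = []
    network_logons = defaultdict(list)            # account -> [(time, target host)]
    for ev in events:
        acct = ev["TargetUserName"].lower()
        if ev["EventID"] != 4624 or acct not in privileged:
            continue
        src = ev["WorkstationName"].upper()
        when = datetime.fromisoformat(ev["Time"])
        if ev["LogonType"] == 3:                  # network logon (SMB, WMI, PsExec ...)
            network_logons[acct].append((when, ev["Computer"]))
            # Rule 1: NTLM from a source this account is not meant to be used from.
            if ev["AuthenticationPackageName"] == "NTLM" and src not in allowed.get(acct, set()):
                alerts.append({"time": ev["Time"], "account": acct, "target": ev["Computer"],
                               "reason": f"NTLM network logon from unexpected source {src}"})
    # Rule 2: one account reaching many distinct hosts inside a short window,
    # the "several machines you don't typically access" from the scenario.
    for acct, logons in network_logons.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {host for when, host in logons[i:] if when - start <= window}
            if len(hosts) >= burst_hosts:
                alerts.append({"time": start.isoformat(), "account": acct,
                               "target": ",".join(sorted(hosts)),
                               "reason": f"{len(hosts)} distinct hosts within {window}"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["time"]} {alert["account"]} -> {alert["target"]}: {alert["reason"]}')
```

Two things a practitioner should keep in mind. Logon type 10 (RemoteInteractive) is the RDP session itself and is expected; it is the type 3 (network) NTLM logons elsewhere, sourced from the machine the administrator RDP’d into, that betray a passed hash. And Kerberos logons from the admin’s own workstation are left alone here, so the allow-list has to be kept current as admin workstations change; the launcher-input restriction described above is the preventive counterpart of this detective rule.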





Sneak Peek: New Secret Server features only at RSA Conference 2014

20 02 2014

2014 marks Thycotic’s 5th year exhibiting at the RSA cybersecurity conference. RSA is one of the largest gatherings of IT security professionals and analysts in North America. This year, the conference takes place February 24-28th 2014 at the Moscone Center.

RSA Conference 2014

Thycotic to unveil new Secret Server features

We’re excited to demonstrate not-yet-published Secret Server features before they’re officially released at booth 415 during RSA expo hours. Our team will also give demos of our other IT products and are available to answer any questions you have on our products or password management best practices. Product Manager Ben Yoder and CEO Jonathan Cogley will be there, as well as many more of our great team. Look for our 20X20 black and green booth, you can’t miss us!

What to expect from RSA

Information sessions cover a variety of security hot topics: hackers and threats, governance, risk and compliance, cryptography, data privacy and more. IT security professionals come eager to discover the latest in security technology, debate fiery issues and mingle with the best in breed vendors and industry experts. Oh, and don’t forget the rocking vendor parties that pack the evenings; complete with food, drinks and entertainment of all kinds amidst the backdrop of a lively San Francisco nightlife.

Awesome keynote lineup

RSA 2014 boasts an impressive speaker lineup worth checking out, including Nawaf Bitar of Juniper Networks, Art Gilliland of HP, James Comey of the FBI and a special closing keynote appearance by Stephen Colbert guaranteed to bring some hilarity to the mix.

Thinking about attending? Register for RSA 2014 here.

See you there!

 





Password Reset Server User Interface REFRESH

18 02 2014

Face it, there will always be end-users that forget their passwords. Giving them the ability to reset their own password is key to saving time, money and unnecessary stress, both for the user and the help desk.

The trick is to make the reset process as simple as possible. We kept this in mind with the latest release of Password Reset Server, our end user self-service password reset tool. We focused on enhancing the user interface to make the process for end-users simple and intuitive. The modern interface provides clear action steps and a newly designed enrollment process tailored to the end-user. Below are screen shots of the new, fresh face of Password Reset Server:

Introducing the new Password Reset Server landing page

Password Reset Server Login

Updated enrollment process: End-users can now select the questions they want to answer

Enrollment Security Questions

Modern end-user interface to manage their answers

PRS Security Questions

And for administrators (Don’t think we would leave you out!) check out our new configuration screen

Administrator Configuration User Interface

Like what you see? Join us this Thursday February 20th at 11:30 AM EST for our Password Reset Server Webinar as we showcase the new user interface and the other features of our last release.

Look out for the next Password Reset Server Release coming in April, which is feature-focused. Want a sneak peek? In THIS release, you got the ability for end-users to choose the security questions they want to answer. In the NEXT release, you’ll be able to flag specific questions from that list as required. And, if you have a Security Policy for different groups in your organization, you can choose different required questions for each group.





4 Steps to HIPAA Compliance with Privileged Identity Management

11 02 2014

HIPAA, or the Health Insurance Portability and Accountability Act, is meant to protect specific health information gathered and used by the healthcare industry. Many people are familiar with how HIPAA affects their privacy as individuals, but not everyone may know how HIPAA shapes an organization’s security practices. A recent breach at St. Joseph Health Center exposed personal information of over 2,000 individuals and reinforces the concern for data security. With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information remains protected.

Let’s review exactly how Secret Server can assist your organization in achieving HIPAA compliance. From a privileged identity management standpoint, here’s what you need to know:

1. Protect your information systems. This one is a given, but not everyone takes the time to do it! Make sure all of your servers (ALL of them – not only those that specifically handle personal health information) have strong, unique passwords that are rotated frequently. Don’t leave any easy targets for intruders to exploit. Require users to change their passwords often and enforce strong password requirements.

Secret Server provides the ability to manage server and systems accounts, not only by storing them in a central repository, but also by changing them on a regular, scheduled basis. Improve password strength by configuring password requirements for Secret Server’s random password generator.

Have too many servers on your network to keep track of? Secret Server can automatically discover the local Windows and service accounts on your network and pull them into Secret Server to be managed.

2. Encrypt data in transit. This applies first of all to personal health information (PHI), but also to everything that secures the systems storing and transporting PHI, such as the credentials used to administer them. Use SSL/TLS to encrypt data being sent over the network.

Secret Server encrypts all sensitive information before it’s stored and as a web-based application supports the use of SSL/TLS encryption for access. What does this mean? Your passwords and any other private information such as credit card numbers, pin codes or even documents are encrypted and stored securely in one central repository.

3. Record access to data. HIPAA requires measures to ensure data isn’t modified or deleted without authorization. Keep an accurate record of who has access to which systems or information and why.

Once your accounts are managed by Secret Server, it will be your central point for sharing and auditing access to privileged credentials. Secret Server keeps an audit of who views and edits credentials, showing you who had access, which system or data they needed access to, and when. You can even require comments to keep a more comprehensive audit trail of why a user accessed the data.

4. Provide documentation. Have reports and audit logs available in case any information is requested for review. Secure access to documentation so you are able to track exactly who has the ability to review it.

Secret Server contains a number of built-in reports that will give you an overview of the status of your passwords, who has access to credentials and data, and more. Use a read-only user role to allow auditors to access reports and documentation without the ability to view or edit sensitive information.

Do you work in the healthcare IT industry? Share your experience meeting HIPAA requirements in the comments below.





SIEM Spotlight: Join us this week for our HP ArcSight Integration webinar

4 02 2014

Yep, you guessed it. We’re going to talk about big data. You’ve probably heard the buzz term a million times this year, but here’s an important question for any IT administrator and management team: What role does big data play in making your organization more secure?

Pairing security information and event management (SIEM) with strong privileged account management and password practices combines the best of both worlds for folks looking to strengthen their internal security posture. Just imagine, you could know when an employee started to view an unusual number of passwords because the SIEM tool immediately alerted your security team, preventing a potential insider threat.

The SIEM market includes several vendors that offer strong, enterprise-class tools for proper SIEM management, and that integrate out of the box with Secret Server.


On Thursday, February 6, join us and HP ArcSight as we take a deeper look into how Secret Server integrates with SIEM tool HP ArcSight and what that means for customers and their security plan. Join the webinar to see:

  • A full demonstration of the integration.
  • Common examples of how SIEM technology pairs with enterprise password management to enhance security.
  • Live question and answer session with both Thycotic and HP ArcSight.

Event details

Integration Spotlight: HP ArcSight and Thycotic.

Thursday February 6, 11:30am EST.

Hosted by: Ben Yoder from Thycotic, and Eric Shou and Morgan DeRodeff from HP.

Interested in learning more? Register for the webinar now.

 

 





Thycotic Receives Perfect Score for Customer Satisfaction in the Latest Forrester PIM Wave

3 02 2014

THANK YOU to all of our customers. We hope you know how much we value you every day, and it’s thanks to you that we received a perfect score from Forrester for customer satisfaction. You have given us your feedback on products, stopped by our booth at trade shows to chat, and shared your IT security challenges with us. Without this feedback, we wouldn’t be where we are today.

Forrester Research also provides us with great insight to help us better understand the enterprise IT security landscape and, ultimately, learn how to satisfy our customers. The latest feedback from Forrester comes in the form of the new Forrester Privileged Identity Management Wave.

For the latest Wave, Forrester evaluated Secret Server 8.2, which was released July 2013 (version 8.4 is the latest at the time of publishing). We answered questions about Secret Server, provided demos and gave information for their scoring criteria. Thycotic enterprise clients spoke to Forrester analysts about their experiences with Thycotic Secret Server and Thycotic. Forrester also helps us spread the word about our great products, and we thank everyone who helped us with this Wave.

Forrester just released the official PIM Wave today Monday February 3rd 2014. To summarize – Thycotic customers are satisfied, and Thycotic continues to add more features and functionality to Secret Server in 2014.

For a more detailed review, please take a look at our Forrester Research PIM Wave Thycotic Analysis







