Is Your Hash Being Passed?

25 02 2014

 

A typical day in IT:

It’s another day-in-the-life of an IT administrator and you have yet another 1,000 problems to solve. Around noon you receive a ticket saying Bob is having trouble with his computer’s performance. Instead of grabbing lunch, you RDP into his computer to figure out the problem. You need admin credentials to see what’s going on, so you use your Domain Administrator account.  Turns out Bob needs to update a driver. It was a simple fix and you disconnect from the user’s computer, happy to have a couple minutes left to grab a sandwich.

Later that day you see login alerts from your SIEM tool for several machines you don’t typically access. Alarmingly, they happened while you were picking up your sandwich. Your password is strong and well above the company’s recommended password length, with alphanumeric characters and symbols. How was it used?

Turns out, the person who “borrowed” your credentials didn’t have to figure out your password. Instead, they infected Bob’s less secure computer and waited for you to log in using your Domain Administrator credentials. When you used RDP to enter Bob’s machine, they captured the hash of your password. Congratulations, your hash was passed.

What is Pass-the-Hash?

A Pass-the-Hash attack is one where an attacker captures the hash of a user’s password and uses it in place of the plain text password. It allows an attacker to impersonate another user, typically a privileged account. This type of attack can affect ANY network using Windows machines. For the attacker, the advantage of getting a hash instead of the password is that it can be done without a brute-force attack, which is not as effective and takes a lot more time.

How is the Hash acquired?

Hashes can be acquired through a variety of methods, of which two are the most common. The first is to retrieve the hashes of the local machine’s users from a SAM dump. The second is to dump the credentials that Windows stores in the LSASS.exe process, allowing the attacker to retrieve the hash of any account that connects to the machine, for example an RDP-connected domain account. This is how the attacker compromised the Domain Administrator’s credentials from Bob’s computer in the scenario above.

How can Secret Server mitigate the threat of Pass-the-Hash?

While Pass-the-Hash attacks have existed for the last 17 years, the threat is now bigger than ever, with tools to exploit this vulnerability continuously improving. Currently the best way to protect yourself from a Pass-the-Hash threat is to upgrade to Windows 8.1 and Server 2012 R2. The new Windows updates have built-in security measures, including making the LSASS.exe a protected process, adding new security identifiers, and changing RDP so it no longer stores the remote login’s credentials on the target machine.

It is typically not practical to upgrade every computer in an organization quickly, and a network would still be vulnerable during the upgrade process. However, there are other protective measures that can be taken by using Secret Server. For example, organizations can use Secret Server’s Check Out feature and configure it to automatically change the password after each RDP session’s Check Out is complete. This would render any hash that was captured during the session useless; when the password is changed, the hash also changes. Secret Server can also restrict which computers can use an account by restricting the launcher inputs. These measures reduce the risk of a Pass-the-Hash attack by greatly reducing the amount of time a hash is valid and decreasing the number of computers from which privileged accounts can be attacked.
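
The SIEM alert from the opening scenario can be expressed as a detection rule. The following is an added example, not code from this post or from Secret Server: it runs over constructed logon records shaped like Windows Security event 4624 (logon type 10 for RDP, type 3 for network logons), and the account name, host names and 8-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP, NETWORK = 10, 3                   # event 4624 logon types
EXPOSURE_WINDOW = timedelta(hours=8)   # assumed: how long a visited host stays suspect
FMT = "%Y-%m-%d %H:%M"

# Constructed sample records: (time, account, logon type, source host, target host)
EVENTS = [
    ("2014-02-18 09:02", "CORP\\da-alice", RDP,     "IT-WS01", "DC01"),
    ("2014-02-18 14:30", "CORP\\da-alice", NETWORK, "IT-WS01", "FILE01"),
    ("2014-02-19 10:15", "CORP\\da-alice", RDP,     "IT-WS01", "DC01"),
    ("2014-02-20 12:01", "CORP\\da-alice", RDP,     "IT-WS01", "BOB-PC"),
    ("2014-02-20 12:20", "CORP\\da-alice", NETWORK, "BOB-PC",  "SQL02"),
    ("2014-02-20 12:22", "CORP\\da-alice", NETWORK, "BOB-PC",  "FILE01"),
    ("2014-02-20 15:00", "CORP\\da-alice", NETWORK, "IT-WS01", "FILE01"),
]


def parse(events):
    """Convert timestamps and return the records in time order."""
    return sorted((datetime.strptime(t, FMT), a, lt, s, d)
                  for t, a, lt, s, d in events)


def build_baseline(rows, cutoff):
    """Hosts each account normally logs on from and to, before the cutoff."""
    sources, targets = defaultdict(set), defaultdict(set)
    for when, acct, _, src, dst in rows:
        if when < cutoff:
            sources[acct].add(src)
            targets[acct].add(dst)
    return sources, targets


def detect(events, cutoff_str):
    """Flag network logons that originate from a host the account recently
    reached over RDP and that is not one of the account's usual sources."""
    cutoff = datetime.strptime(cutoff_str, FMT)
    rows = parse(events)
    sources, targets = build_baseline(rows, cutoff)
    exposed = {}   # (account, host) -> time of latest RDP session onto that host
    alerts = []
    for when, acct, ltype, src, dst in rows:
        if ltype == RDP:
            exposed[(acct, dst)] = when
            continue
        if ltype != NETWORK or when < cutoff:
            continue
        seen = exposed.get((acct, src))
        if seen and when - seen <= EXPOSURE_WINDOW and src not in sources[acct]:
            alerts.append({
                "time": when.strftime(FMT),
                "account": acct,
                "source": src,
                "target": dst,
                "new_target": dst not in targets[acct],
                "minutes_after_rdp": int((when - seen).total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, "2014-02-20 00:00"):
        print(alert)
```

Logons from the administrator's own workstation stay quiet, while both logons that originate from the workstation visited over RDP are flagged, including the one to a server the account uses every day.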





Sneak Peek: New Secret Server features only at RSA Conference 2014

20 02 2014

2014 marks Thycotic’s 5th year exhibiting at the RSA cybersecurity conference. RSA is one of the largest gatherings of IT security professionals and analysts in North America. This year, the conference takes place February 24-28th 2014 at the Moscone Center.


Thycotic to unveil new Secret Server features

We’re excited to demonstrate not-yet-published Secret Server features before they’re officially released at booth 415 during RSA expo hours. Our team will also give demos of our other IT products and are available to answer any questions you have on our products or password management best practices. Product Manager Ben Yoder and CEO Jonathan Cogley will be there, as well as many more of our great team. Look for our 20X20 black and green booth, you can’t miss us!

What to expect from RSA

Information sessions cover a variety of security hot topics: hackers and threats, governance, risk and compliance, cryptography, data privacy and more. IT security professionals come eager to discover the latest in security technology, debate fiery issues and mingle with the best in breed vendors and industry experts. Oh, and don’t forget the rocking vendor parties that pack the evenings; complete with food, drinks and entertainment of all kinds amidst the backdrop of a lively San Francisco nightlife.

Awesome keynote lineup

RSA 2014 boasts an impressive speaker lineup worth checking out, including Nawaf Bitar of Juniper Networks, Art Gilliland of HP, James Comey of the FBI and a special closing keynote appearance by Stephen Colbert guaranteed to bring some hilarity to the mix.

Thinking about attending? Register for RSA 2014 here.

See you there!

 





4 Steps to HIPAA Compliance with Privileged Identity Management

11 02 2014

HIPAA, or the Health Insurance Portability and Accountability Act, is meant to protect specific health information gathered and used by the healthcare industry. Many people are familiar with how HIPAA affects their privacy as individuals, but not everyone may know how HIPAA shapes an organization’s security practices. A recent breach at St. Joseph Health Center exposed personal information of over 2,000 individuals and reinforces the concern for data security. With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information remains protected.

Let’s review exactly how Secret Server can assist your organization in achieving HIPAA compliance. From a privileged identity management standpoint, here’s what you need to know:

1. Protect your information systems. This one is a given, but not everyone takes the time to do it! Make sure all of your servers (ALL of them – not only those that specifically handle personal health information) have strong, unique passwords that are rotated frequently. Don’t leave any easy targets for intruders to exploit. Require users to change their passwords often and enforce strong password requirements.

Secret Server provides the ability to manage server and systems accounts, not only by storing them in a central repository, but also by changing them on a regular, scheduled basis. Improve password strength by configuring password requirements for Secret Server’s random password generator.

Have too many servers on your network to keep track of? Secret Server can automatically discover the local Windows and service accounts on your network and pull them into Secret Server to be managed.

2. Encrypt data in transit. Especially personal health information (PHI), but this applies to all information that secures the systems storing and transporting PHI as well. Use SSL/TLS to encrypt data being sent over the network.

Secret Server encrypts all sensitive information before it’s stored and as a web-based application supports the use of SSL/TLS encryption for access. What does this mean? Your passwords and any other private information such as credit card numbers, pin codes or even documents are encrypted and stored securely in one central repository.

3. Record access to data. HIPAA requires measures to ensure data isn’t modified or deleted without authorization. Keep an accurate record of who has access to which systems or information and why.

Once your accounts are managed by Secret Server, it will be your central point for sharing and auditing access to privileged credentials. Secret Server keeps an audit of who views and edits credentials, showing you who had access, which system or data they needed access to, and when. You can even require comments to keep a more comprehensive audit trail of why a user accessed the data.

4. Provide documentation. Have reports and audit logs available in case any information is requested for review. Secure access to documentation so you are able to track exactly who has the ability to review it.

Secret Server contains a number of built-in reports that will give you an overview of the status of your passwords, who has access to credentials and data, and more. Use a read-only user role to allow auditors to access reports and documentation without the ability to view or edit sensitive information.

Do you work in the healthcare IT industry? Share your experience meeting HIPAA requirements in the comments below.





SIEM Spotlight: Join us this week for our HP ArcSight Integration webinar

4 02 2014

Yep, you guessed it. We’re going to talk about big data. You’ve probably heard the buzz term a million times this year, but here’s an important question for any IT administrator and management team: What role does big data play in making your organization more secure?

Pairing security information and event management (SIEM) with strong privileged account management and password practices combines the best of both worlds for folks looking to strengthen their internal security posture. Just imagine, you could know when an employee started to view an unusual number of passwords because the SIEM tool immediately alerted your security team, preventing a potential insider threat.

The SIEM market includes several vendors that offer strong, enterprise-class tools for proper SIEM management, and that integrate out of the box with Secret Server.


On Thursday, February 6, join us and HP ArcSight as we take a deeper look into how Secret Server integrates with SIEM tool HP ArcSight and what that means for customers and their security plan. Join the webinar to see:

  • A full demonstration of the integration.
  • Common examples of how SIEM technology pairs with enterprise password management to enhance security.
  • Live question and answer session with both Thycotic and HP ArcSight.

Event details

Integration Spotlight: HP ArcSight and Thycotic.

Thursday February 6, 11:30am EST.

Hosted by: Ben Yoder from Thycotic, and Eric Shou and Morgan DeRodeff from HP.

Interested in learning more? Register for the webinar now.

 

 





Thycotic Receives Perfect Score for Customer Satisfaction in the Latest Forrester PIM Wave

3 02 2014

THANK YOU to all of our customers. We hope you know how much we value you every day, and it’s thanks to you that we received a perfect score from Forrester for customer satisfaction. You have given us your feedback on products, stopped by our booth at trade shows to chat, and shared your IT security challenges with us. Without this feedback, we wouldn’t be where we are today.

Forrester Research also provides us with great insight to help us better understand the enterprise IT security landscape and, ultimately, learn how to satisfy our customers. The latest feedback from Forrester comes in the form of the new Forrester Privileged Identity Management Wave.

For the latest Wave, Forrester evaluated Secret Server 8.2, which was released July 2013 (version 8.4 is the latest at the time of publishing). We answered questions about Secret Server, provided demos and gave information for their scoring criteria. Thycotic enterprise clients spoke to Forrester analysts about their experiences with Thycotic Secret Server and Thycotic. Forrester also helps us spread the word about our great products, and we thank everyone who helped us with this Wave.

Forrester just released the official PIM Wave today, Monday, February 3rd, 2014. To summarize – Thycotic customers are satisfied, and Thycotic continues to add more features and functionality to Secret Server in 2014.

For a more detailed review, please take a look at our Forrester Research PIM Wave Thycotic Analysis





Don’t Just Store, Actively Manage Your Passwords! Create Custom Password Changers for All Devices

28 01 2014

 

You just purchased a new network device or server and realized that Secret Server doesn’t contain a specific password changer for it. You figure the best you can do is store the static credentials in Secret Server, but there’s no way Secret Server could actively manage password changing, right? Think again! Secret Server has a variety of ways you can customize password changers, no matter how complex your environment.

SSH

SSH password changers can change passwords for ANY of your SSH-compatible devices. Modify an existing SSH password changer or create your own. Enter the SSH commands in Secret Server, replacing actual credentials in the commands with values that reference the credentials stored in the Secret. The same will work for any device accessible for password changes over Telnet.

HP iLO Account Custom Password Changer Template

A few examples:

  • Configure a Dell DRAC password changer:

http://support.thycotic.com/KB/a166/how-to-manage-drac-passwords-with-secret-server-using-ssh.aspx

  • Use the built-in Cisco password changer (customizable):

http://support.thycotic.com/KB/a251/heartbeat-and-remote-password-changing-for-cisco-accounts.aspx

  • Use the built-in Unix Root account password changer:

http://support.thycotic.com/KB/a369/heartbeat-remote-password-changing-unix-root-accounts.aspx

LDAP

Secret Server comes with several LDAP password changers configured for Active Directory, DSEE and OpenLDAP. You can either customize the existing password changers or use one as a template to create your own custom configurations, for example to change passwords for 389 Directory Server. Customizable settings include enabling SSL, method of authentication, and username authentication format. See the article below for details:

  • Use and configure custom LDAP password changers:

http://support.thycotic.com/KB/a183/ldap-password-changing.aspx

Web Passwords

Secret Server’s web password management includes Remote Password Changing for Amazon Web Services, Google, and Windows Live accounts. Configure these options under the Remote Password Changing tab for any Secret using the Web User Account password changer.

Remote Password Changing for a Windows Live Account

Password Changing for Additional Account Types

Secret Server contains password changers for many other account types as well. While these are not all customizable, they include many commonly used account types such as Oracle, SQL Server, SonicWall NSA and more. A full list of included password changers can be accessed here.

See the Secret Server User Guide for more info on creating and testing custom password changers.

Did you create your own custom password changer? Share it with others on our forum.

Send us your ideas and suggestions any time. Post new feature requests and see what other customers have requested at feedback.thycotic.com.





Fasten Your Seat belts! Advancements to Web Services API Speed Up Remote Password Changing

14 01 2014

If you are familiar with Secret Server’s web services API, you already know that it can be a convenient way to retrieve, create and update Secrets individually and in bulk, especially if you already use scripts to accomplish account-related tasks in your environment. Some of the most common use cases require only simple calls to Secret Server to add and retrieve stored information, such as:

  • Efficiently adding new Secrets as new domain accounts are created.
  • Replacing privileged account credentials with web service calls to retrieve and utilize the account information within the same script.

More fine-grained operations, such as updating Secret security and Remote Password Changing settings, require increased functionality from web service calls. This week, we’ll take a look at the additions to web services that have come with the release of Secret Server version 8.4, providing more control over Remote Password Changing for Secrets.

To start, let’s see how web services would assist Sarah, our handy system administrator, in the following scenario:

Sarah has decided that she wants to use a dedicated privileged account to change passwords for all service accounts in her production domain. A great deal of these accounts are scattered throughout her folder structure in Secret Server. Without using web services, Sarah would have to find every account in the Secret Server GUI and set the privileged account manually. Now, if the Secrets were all located in a single folder, Bulk Operation would make this a breeze. However, with the varying locations of these accounts, searching for each individual Secret to update will be time-consuming. Fortunately, Sarah is familiar with PowerShell and can use web services to update all of her service account Secrets. She uses the script below:

Web Services API PowerShell Script for Remote Password Changing

This script will search Sarah’s Secret Server to find any Secret with a name containing the word ‘Service.’ The script then updates the Secret’s privileged account setting for Remote Password Changing. Sarah can also reuse the script any time privileged accounts need to be updated for a large number of Secrets.

The scripts can also be used to change additional Secret properties, such as Require Approval for Access, Require Comment and Check Out. For more information about these properties, see our Web Service API Guide (Pages 60-62), available from the Secret Server Support page.

On another topic, are you tired of endless calls to the help desk to reset a user’s forgotten AD password? You won’t want to miss this week’s webinar, introducing Password Reset Server, our AD self-service password reset tool. Register now!





Enable, Disable, or Mirror: A Deeper Look into User Administration

7 01 2014

Controlling users is one of the most important facets of Secret Server password management administration. While Secret Server supports local users and groups, the easiest way to administer users is to use Active Directory (AD) integration. Secret Server can automatically pull in existing AD users and groups and create user accounts with the same permissions. After discovering the groups, Secret Server offers several different options for importing the data.


Enabling Users. First, you have the option of automatically creating and enabling all users from the selected groups. This is the best option for small groups with only user accounts that need enabling.

Disabling Users. The next option is to have the users created and marked as disabled. Don’t worry, disabled users do not count towards license seats. This is ideal when importing groups with a mix of service and user accounts. Disabling allows administrators to import the existing groups without worrying about exceeding license limits and adds another layer of security because users added through AD don’t automatically have access to Secret Server. Simply import and select which users you want to enable. This can all be done using the Bulk Operation feature, which lets you administer multiple users at once.

Mirroring User’s Status. Finally, Secret Server can mirror the user’s status in AD. Mirroring the status will not only create the users in Secret Server but also automatically enable and disable users based on their status within the AD group. Unlike the other options, it is the only method that actively affects existing users. This is useful for administrators who want to automate permissions based on groups. Mirroring allows you to administer AD groups and automatically reflect changes within Secret Server. As for security options, Secret Server supports the use of RADIUS if two-factor authentication is a concern, along with our built-in email based two-factor.

Upcoming webinars. Join us next week for our Deep Dive: Service Account Discovery Webinar. Product manager Ben Yoder will show you how to gain control of your network’s service accounts and dependencies through a step-by-step guide in our live webinar.

Also, be sure to check back next week as we will go over recent changes made to our Web Service API with the release of Secret Server 8.4.000000.

We want your feedback for future blog posts! Leave a request below and we will consider it for a later post. Happy 2014 everyone.





2013: A Security Odyssey

31 12 2013

What did 2013 hold for Thycotic Software? New partners, software releases, and other exciting milestones. Join us for our movie themed year-in-review.

This year, in the wake of dozens of newsworthy data breaches, the landscape for IT security broadened with every headline. The importance of securing privileged credentials and managing identity went from a “nice to have” to a “need to have” seemingly overnight. It became more apparent from IT teams across the globe that a spreadsheet was no longer a trusted, secure repository to manage privileged passwords in an organization.

So what did this mean for Thycotic? Keeping a close eye on security trends, we listened to our customers and built the features they requested to solve their most essential use-cases in privileged account management. But that wasn’t all we did.

Here are just a few highlights of what made 2013 a defining year for Thycotic Software.

Let it snow, let it snow? More like, let it grow, let it grow!

Inc. Magazine named us one of the Top 5000 Fastest Growing Companies in the US, and #33 in the top 100 fastest growing companies in DC. We couldn’t be more honored to receive this privilege. Our growth is attributed directly to our fantastic customers and our intelligent, hard-working team.

Lions, Tigers, and Splunk – Oh, My!

This year we announced several great partnerships, ending the year with an official announcement of our partnership with Splunk to release the Secret Server App for Splunk Enterprise. We’re proud of all of our new partnerships, and especially of our rapidly growing technology integration partner program. You can read more about the Splunk integration with Secret Server in our press release.

Come fly with me, let’s fly, let’s fly away.

We broke a personal record at Thycotic by sponsoring over 35 tradeshows across the world in 2013. We’ve presented dozens of keynotes, spotlight sessions and thought leadership interviews, and spoke directly with thousands of IT security and operations professionals in every major vertical about their security needs. Thanks to our dedicated team who worked round-the-clock to make those events a major success.

Release the kraken!

This year we’ve had several exciting releases to our products Secret Server, Password Reset Server and Group Management Server based on direct requests from our customers.

For Secret Server, some notable new features are: SAP support for natively changing passwords on SAP accounts; expanded API to increase automation in scripting; Custom Columns for a more tailored dashboard view; Website Password Changing to automatically change passwords for Windows LIVE, Google and Amazon accounts; SAML Support for increased security and single-sign on convenience; and Improved Discovery for Scheduled Tasks and Application Pools, now discoverable by Secret Server.

Other new product features are Active Directory Attribute Integration to let employees easily update their own AD information with Password Reset Server, and Group Renewal for Group Management Server to remind Active Directory group managers to double check their group membership from time to time.

So what’s next for 2014?

We think that 2014 will trump this year in success stories, growth, partnerships and products. We hope you join us every step of the way. Join us on LinkedIn and Twitter for the latest news in cybersecurity and be sure to stop by our booth at RSA 2014 in San Francisco as we kick off another thrilling year in IT security.  Also Thycotic is hiring, join the Thycotic team – read these great Thycotic reviews and see the latest Thycotic videos.








