Category: News

Zero Trust: Why Your Most Privileged Users Could Be Your Biggest Security Weakness

Your security infrastructure is there to protect your organization from malicious threats. That much is obvious, but what happens when a user’s credentials are compromised and threat actors access your systems? This could expose your company to a data breach and all the reputational damage, operational downtime and financial costs that come with it.

But all access is not created equal. What would happen to your organization if one of your privileged users had their identity compromised? Privileged account management (PAM) helps protect against the most dangerous data breaches because it enables you to closely monitor your most sensitive accounts.

Protecting Your Privileged Users Is Paramount

The majority of security breaches involve the compromise of user and privileged accounts via attack vectors such as phishing, malware, and other means. Once the attacker establishes a foothold in the network, the next step is to find and hijack a privileged account, enabling the actor to move laterally across the network while appearing as a legitimate user.

At this point, the malicious activity can begin. Attackers often search compromised networks for valuable data such as personally identifiable information (PII), intellectual property and financial data. Such sensitive information enables threat actors to commit financial fraud as well as other crimes.

The bottom line is that protecting critical data means protecting your most valuable users. That’s why Gartner recognized privileged account management in its “Top 10 Security Projects for 2019,” along with detection and response, cloud security posture management, business email compromise, and more. The research firm also placed PAM on its 2018 list.

Further demonstrating the criticality of PAM is a Centrify survey that revealed 74 percent of data breaches involve unauthorized access to a privileged account. If privileged access is the most fruitful point of attack for cybercriminals, why are so many companies still not taking even basic steps to prevent this abuse?

For the full article please visit the following link.

Source: Zero Trust: Why Your Most Privileged Users Could Be Your Biggest Security Weakness


SecurIT Europe: Our 2018 in review

2018 was a beautiful year for SecurIT in Europe.

  • We realized an 18% growth within our European resource pool 
  • Our innovation power was proven by completing over thirty certification pathways. 
  • With over 90 successful projects, we substantially extended our customer base. 
  • 2 new partnerships were added to our portfolio with market leader vendors in the Identity and Access Management (IAM) space: Okta and Omada 
  • Last but not least, we went global in 2018 by acquiring U.S.-based Palmetto Security Group in Greenville, South Carolina, almost doubling our staff and our services across the ocean

Hard work pays off, they say: by the end of 2018 SecurIT was ranked 2nd in the category security and 73rd overall in the MT1000, the most extensive survey among business decision makers on the quality and popularity of business service providers in the Netherlands.

All of the above are exciting reasons for us to look back on a successful 2018!!  

Our growth  
18% growth of our resource pool 

Completed over thirty certification pathways 

New partnerships with Okta and Omada 

Project delivery  
Extension of customer base 

Delivered over 90 successful projects 

Going global  
Acquired U.S. based company, Palmetto Security Group

Next level Privileged Account Management: Protect Privileged Accounts from hackers and insider threats

Round table IBM/SecurIT, 25 September 2018, Woerden

Privileged Accounts often provide unrestricted access to systems and data, and that brings risks. According to Forrester, 80% of all breaches can be related to Privileged Accounts. Successful Privileged Account Management (PAM) is therefore quite a challenge.

Administrators need Privileged Accounts, for example to install software updates and reset passwords. Unfortunately, the users of Privileged Accounts are increasingly the target of cyberattacks. The administrators themselves are usually not the problem; it is their sought-after login accounts, which are not always linked to a person, that are a danger. And if accounts are left unmanaged, unauthorized parties can gain full control over computer systems.

Many organizations struggle with the same questions around Privileged Accounts. During the round table in Woerden they could spar and debate with peers and share their knowledge and experience in this area.

Privileged Account Management is developing rapidly. Is it arranged efficiently or is there room for improvement?

To explain the rapid development of Privileged Account Management, SecurIT gives a presentation. Goal: to map the most important problems in this area.

The presentation is very recognizable to the participants; everyone knows about outdated passwords. It is also noted that the security problem exists not only within the server park, but certainly also on the workstations of individual office workers.

Everyone is aware that there is a lot of room for improvement. For some, the step to PAM is simply still too big: “All the processes around it: that is simply too much at the moment.” The response is constructive: “If you know what the first step is, that is already quite something.”

Several participants have already carried out analyses in their own organization to map the problem (and not only at the OS layer): at cloud services, hosted services, in SAP environments. Steps are being taken and proofs of concept set up, but enforcing and complying with policies, also in consultation with external suppliers, remains difficult.

Where is the biggest risk? What problems are there?

Security is always a weighing of risks; that is the consensus. Simply labelling everything as ‘insecure’ is not workable. Overly strict security measures are counterproductive. “You have to identify what can really bring you down. With overly strict measures, ‘security theorists’ ruin their own cause. Sometimes there is only a problem in theory.”

After all, you cannot give every temp worker who has to start up a conveyor belt their own account. In such a case you can, for example, introduce zoning, so that you protect yourself against damage by outsiders. That, however, can in turn cause conflicts with administrators, because they do not want to work via a management zone.

And sometimes, it is argued, you can best arrange things in a way that is ‘not right’ in theory, because for example a production process must not come to a halt. This can even go as far as assigning no password, or sharing the password with colleagues.

Granting access to and collaborating with vendors is another thorny issue, the participants acknowledge. What do you authorize them for? How do you determine when and to what they have access? Some organizations deal with hundreds of external suppliers for whom all of this has to be arranged, for example for carrying out maintenance.

During the discussion several other problems are flagged, such as:

  • How do you deal with requesting rights on software from external suppliers when you really need them? The supplier often requires a domain admin account, otherwise support lapses, while such an account is not always technically necessary.
  • Ownership within the organization is another pain point. Who knows how to change the password? If there is no clear answer to that, a password does not get changed, with all the risks that entails.
  • How do you check what an external person or organization has done on your network? Activity is not always logged and the log files are often not kept for long either.
  • Not all admin accounts are registered and included in the IAM system, for example SAP service accounts.
  • Multi-factor authentication is not a silver bullet, but it does create awareness among employees.
  • Some of those present have trouble getting PAM introduced in their organization. It turns out to depend partly on knowledge. Informing people as well as possible turns out to be a good way to promote PAM. So is being visible and explaining, because: “If you only take something away, it is by definition going to be unpleasant.”

What would be a best practice for Privileged Account Management?

After the coffee break, this open question draws various suggestions, including:

  • Zoning in tiered service models: ‘We did that together with Microsoft and it works very well for us. Everyone gets used to it quickly.’
  • A separate login per system.
  • ‘We started by working back from the endpoints, because we see the biggest risks in employees who have not been trained as IT professionals.’
  • Assume that all external devices are insecure. Simply keep access closed.
  • Keep it small, carry out a POC (proof of concept). And learn from it. If it goes wrong, do it again.
  • For the physical world too, you can create different policies per zone: make choices based on the division open/office/critical and business-critical.
  • Make sure you can show something quickly, for example a POC. That helps in convincing people.

What do you take home?

At the end of the meeting, stock is taken. There are, of course, many different maturity levels. Not rushing seems to be the motto: “Don’t be too ambitious; look at the phase your organization is in and take one small step at a time.” “Make an intermediate step, or put it on the roadmap 20-30.” Still, several participants have also been encouraged to get started with ‘real’ PAM tooling: “A password vault alone is not enough after all.”

Next-level PAM therefore turns out to be very situation-dependent: whether a PAM solution succeeds depends on the organization and existing processes, and also on how strongly the organization commits to implementation. Organizations often give up on the next step quickly for lack of support and vision. “PAM is seen as a threat, but that is rather an excuse for not taking steps.”

15 notable statements:

  • ‘At a company with 2000 office workers we found 7371 Privileged Accounts on 343 servers. There were also 833 PA hashes and 43,787 administrator hashes. That was an eye-opener for the customer.’
  • ‘The password had not been changed for 11 years. Is that bad?’
  • ‘It starts with liquidating the number of domain admins.’
  • ‘It is often not down to the technical means to intervene, but to discipline within the organization.’
  • ‘It took us four years to bring an IAM system into our IT landscape. No more shared accounts. That came with enormous arguments.’
  • ‘We thought it would be safe to have an account that is not managed by PAM.’
  • ‘In the end it always gets physical: you have to go to that server and a plug has to go into the network.’
  • ‘We have killed off bring your own device.’
  • ‘If you want to do harm, you will succeed. Always.’
  • ‘A sensitive account is not by definition a privileged account. Such an account may in turn require very different security measures, much more process-oriented or physical.’
  • ‘If you have a low risk, you are not going to impose something very drastic on your organization.’
  • ‘Does automated management make PAM less threatening?’
  • ‘System administrators are the hardest group to get on board with PAM: they overestimate themselves and are not aware of all the problems.’
  • ‘IAM has long been seen as a business enabler. PAM will become that too, but we are not there yet.’
  • ‘I have never seen integration of IAM and PAM tooling working in practice.’

Okta Named a Leader in the Gartner Magic Quadrant for Access Management

This week, Gartner released its second Magic Quadrant for Access Management, Worldwide, and Okta was once again named a Leader. They placed highest in “ability to execute” in the report, a recognition Okta also held last year.

Gartner’s recognition follows continued momentum for Okta, including its recent customer conference, Oktane18, where the company launched Sign In with Okta, Project Onramp, API Products for One App and ThreatInsight. At Oktane18, Okta also unveiled new partnerships with VMware’s Workspace ONE and Workplace by Facebook. Okta also continues to expand globally, recently announcing that it will be doubling the size of its San Jose office and opening new offices in Washington, D.C., Paris and Stockholm.

According to Gartner, “Access management applies to technologies that use access control engines to provide centralized authentication, single sign-on (SSO), session management and authorization enforcement for target applications in multiple use cases (e.g., B2E, B2B and B2C). Target applications may have traditional web application architectures, native mobile architectures or hybrid architectures. Increasingly, target systems include APIs. Smart or constrained devices with or without human operators may be incorporated as well. Applications may run on the customers’ premises or in the cloud.”

You can read the details and download the full report here.

Gartner Magic Quadrant Access Management 2018


Privileged Account Management is #1 Security Project in 2018 for CISOs says Gartner

At the beginning of this month Gartner had their annual Security & Risk Management Summit. The event is always a valuable opportunity to learn from top CISOs and security and risk management professionals, to explore leading-edge research and to discuss emerging cyber security trends.

Although there were a number of excellent presentations throughout the week, one in particular stood out based on its pragmatic guidance and actionable takeaways. Also, organizations have long term strategic security programs, but they need to demonstrate quick wins along the way.

In his talk, “Top 10 Security Projects for Security and Risk Management Organizations,” Gartner VP and Distinguished Analyst Neil MacDonald outlined the top 10 security projects for 2018, based upon a number of criteria: the emerging technologies that support the project are not yet mainstream; the project helps deliver against the CARTA (continuous adaptive risk and trust assessment) approach; and the project has high risk reduction versus resources required as compared to alternatives.** MacDonald identified privileged account management (PAM) as the #1 focus for organizations.

In our opinion, strategic privileged account management projects should be expanded into a longer term program. Comprehensive privileged account management that extends protections to other users and applications across the enterprise, in the cloud, at the endpoint and throughout the DevOps pipeline, will take an integral project to the next level.

Ready to get started? Start by prioritizing the implementation of controls for protecting privileged credentials to drive tangible results quickly. A CyberArk report, “Rapid Risk Reduction: A 30-Day Sprint to Protect Privileged Credentials,” outlines a proven framework for an intensive sprint of approximately 30 days to help reduce risk and achieve quick wins.

Don’t stop there. After demonstrating the value of protecting privilege across high-risk areas to key stakeholders, it’s time to take a phased approach to expand coverage to new areas, evolving these projects into long-term, business-critical cyber security programs. For guidance, we encourage you to download the CyberArk Privileged Access Security Hygiene whitepaper.

*Gartner, Smarter with Gartner, Gartner Top 10 Security Projects for 2018, June 6, 2018

**Gartner, Gartner Security & Risk Management Summit 2018 agenda, https://www.gartner.com/en/conferences/na/security-risk-management/agenda/track

Source: https://www.cyberark.com/blog/privileged-account-management-1-security-project-2018-cisos-says-gartner/


SecurIT’s participation at Heliview IAM congress 2018

We look back at a successful day at the Heliview IAM congress 2018, a combination of inspiring sessions about what’s hot in the IAM landscape. The day was divided into three different themes: Getting the basics right and get in control; IAM scalability and flexibility in different IAM infrastructures (hybrid, cloud and on-prem); and Future ready IAM. For our presentation we focused on the second theme.

Peter Giervield, Security Architect at SecurIT, was one of the speakers. Our presentation was about “Getting the Cloud under control” and SecurIT’s Best Practices. SecurIT’s best practices (SBP) is a method we use to help our clients with the whole IAM project. It’s basically a basic installation based on all the previous expertise, where 90% is preset and 10% can be customized. It speeds up the process to get to the first actual production deployment. It’s optional; custom projects will always be possible, they just require more time.

He also talked about the cloud, and how “the cloud” doesn’t exist, as in one single cloud. There are many different cloud solutions such as Private, Public or Hybrid clouds, but also IaaS/PaaS/SaaS/FaaS/MSaaS and XaaS with all kinds of different deployment models. Currently we notice that clients mostly look at the following vendors: Amazon (AWS), Google (Google Cloud), Microsoft (Azure), IBM (IBM Cloud), Digital Ocean etc.

On the exhibition floor there were many different IAM solution providers pitching their solutions. We were able to tell people about our company as implementation partner of different IAM solutions, and how we differentiate ourselves from other implementation partners: mainly by having a permanent staff in a business where knowledge sharing is key, and by the 18 years of experience we bring with us.

We hope to see you at our next events. Got any questions? Give us a call.


We look back at a successful Round Table on IAM by SecurIT and IBM

Yesterday on May 3rd we invited some IAM professionals to discuss different IAM issues and current trends in the Identity & Access Management landscape. This gave us the opportunity to learn from each other and share some customer stories as knowledge partner at the table. For this round table we selected Kasteel Woerden as location. We look back at a successful day where everyone received plenty of food for thought. A short summary below on some of the topics that we discussed.

The first topic we discussed was how we currently deal with automated life cycle management. This means the whole onboarding/off-boarding process and giving people the right access from beginning to end. It became clear that for most it’s currently only partly automated and a lot is still done by hand, which means there is a lot of time to win, and this gets more important every day with the lack of good security resources.

Another topic was scalability of the IAM services within an organization and how people thought about moving from on-premise solutions to the cloud. Many pros and cons regarding the cloud came up. The most important concern was trust. How can you be sure the cloud supplier has the same high security requirements as you do, or where is the data stored? One of the ways you can check this is by looking at their certification. Not just everyone can walk into their datacenters. Most agreed that for the time being there will be many hybrid solutions, with part cloud and part on-premise.

We also talked about Identity Management and how you can use context to gain trust and when to force a second authentication when trust is low. For example, if the same person logs on from a new location, a 2-factor authentication might be required. But it goes even further than that, for example how quickly you type in your password. These can all be triggers to ask for the extra verification.

Resources, especially how to use them productively, were touched on during many topics, but very specifically during the cloud discussion. If you move your IAM functions to the cloud, would you still need all these security resources on-premise? How much of the responsibility are you willing to give away? It became clear that you will always need your security resources on-premise to manage these new cloud solutions. Knowledge is power and it can be too risky to depend only on third parties for this.

The last topic we discussed was how to handle privileged accounts and how to make sure they are secured. Many different solutions can help with this, but it became clear most of the professionals prefer to store the credentials in a vault. From there you can secure the way the organization works with the most sensitive credentials. If a change has to be made, this can be requested by sending a change request. This way you will always know who is inside your system and why. You can even shield some of the privileged functions and only give access to the ones that are required and for a limited period.

We are looking forward to the next one. Didn’t get invited or were you unable to attend this one? Let us know and we will keep you updated on when the next one takes place. Got urgent questions? Give us a call.


Less than 30% can prevent ransomware attacks

Less than 30 percent of IT security executives who responded to a recent survey reported that they would be able to prevent large-scale ransomware attacks.

Despite this, SolarWinds MSP’s new report, “The 2017 Cyberattack Storm Aftermath,” found that IT security executives have a high level of knowledge of crypto-malware. More than two-thirds (69 percent) of respondents said they were deeply familiar with ransomware attacks such as WannaCry, which infected hundreds of thousands of endpoints within 48 hours earlier in May 2017, and Petya, which affected systems in dozens of countries in June 2017.

This familiarity led approximately three-quarters of survey participants to rate the risk of both WannaCry and Petya as very high, but it didn’t translate to better protection against this type of incident. While most respondents indicated that they would be able to detect WannaCry (72 percent) and Petya (67 percent), only 28 percent and 29 percent, respectively, said they would be able to prevent these attacks.

For the full article please visit the following link.

Source: Less Than 30 Percent of IT Security Executives Can Prevent Ransomware Attacks, Survey Reveals


CyberArk acquires Vaultive

CyberArk (NASDAQ: CYBR), the global leader in privileged account security, today announced the acquisition of certain assets of privately-held Vaultive, Inc., a cloud security provider. The deal closed today.

The CyberArk Privileged Account Security Solution is the industry’s most comprehensive solution for protecting against privileged account exploitation anywhere – on-premises, in hybrid cloud environments and across DevOps workflows. Building upon the Vaultive technology, CyberArk will deliver greater visibility and control over privileged business users, and Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) administrators. By delivering a cloud-native and mobile experience, Vaultive will extend the CyberArk solution to these highly privileged users, which are frequent targets for cyber attacks.

“The Vaultive team brings innovative technology and advanced cloud industry experience to CyberArk. We look forward to incorporating the technology to add additional depth and proactive protection for enterprises facing an expanding attack surface in the cloud,” said Udi Mokady, chairman and CEO, CyberArk. “Vaultive provides a strong building block to accelerate CyberArk’s cloud security strategy, making CyberArk the only vendor able to extend privileged account security to administrators and privileged business users in cloud environments with this level of granularity and control.”

For the full article please visit the following link.

Source: CyberArk Press release


CyberArk DNA™

CyberArk Discovery & Audit (DNA) is a powerful tool (available at no charge) that scans systems on your network to uncover accounts, credentials and misconfigurations that can create risk. Following a scan, CyberArk DNA generates a detailed report that IT auditors and decision makers can use to evaluate the status of privileged accounts in the organization and identify areas of risk. The tool is an agentless, lightweight executable designed to expose the magnitude of the privileged account security challenge in on-premises and cloud-based environments. CyberArk DNA helps organizations uncover:

  • Windows accounts and account statuses. Identify privileged and non-privileged Windows accounts, including local administrator, domain administrator, standard user and service accounts. View the password strength, password age and last login date.
  • Unix accounts, credentials and permissions. Centrally view the status of root and individual user accounts on Unix systems, identify SSH key pairs and trusts, and uncover misconfigured sudoers files that can increase the risk of unauthorized privilege escalation.
  • Privileged domain accounts. Discover dormant or unprotected privileged domain service accounts that have access to critical assets or services.
  • Pass-the-Hash vulnerabilities. Locate password hashes vulnerable to theft, and gain a visual map of Pass-the-Hash vulnerabilities and potential pathways to sensitive data and critical assets.
  • Hard-coded application credentials. Identify systems that have embedded, hard-coded or exposed credentials in plain-text, which can be captured by malicious attackers inside the network.

Download the CyberArk DNA whitepaper.

Or fill out the form to receive your free assessment.