Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privileged Access Management

Published by옥숙 부 Modified over 4 years ago

Similar presentations

Presentation on theme: "Privileged Access Management"— Presentation transcript:

1 Privileged Access Management
Geoff Gottlieb ISSA Chapter Meeting 6/6/19

2 What is privileged access?
Privileged accounts provide elevated, often unrestricted access to an organization's underlying information systems and technology, making them rich targets for both external and internal malicious actors. Often referred to as the "keys to the kingdom," these accounts have been used in successful attacks to gain access to corporate resources and critical systems (e.g., "crown jewels"), resulting in data breaches. NCCOE Practice Guide on Privileged Account Management ( management)

3 Keys to the Kingdom Domain administrators
Unix/Linux root level administrators Firewall administrators Database administrators Server administrators Virtualization environment administrators

4 But what about…. Business users who run data queries
Developers who have broad access to data Service accounts that have broad access to data and systems Application accounts that run web facing and other applications that have broad access to data and systems

5 How guarded is the kingdom?
Do you allow remote administration from a user’s workstation? Do you allow database queries from a user’s workstation? Do you block anything between your user’s workstation and your infrastructure environment? Do all your servers have the same built-in administrator username/password?

6 Anthem Source: BankInfoSecurity (

7 Anthem Source: BankInfoSecurity (

8 This is actually easier than you think..
Bloodhound (

9 Where do you start? Microsoft has a great white paper on where to start. They have skin in the game, but this guidance can be followed without purchasing anything server/identity/securing-privileged-access/securing-privileged- access CyberArk is one of the leaders in the Privileged Access space. They also have a free discovery tool BeyondTrust & Thycotic – Other software players in the space

10 Where did we start? Multifactor authentication to the data warehouse
Built-in server administrator accounts We used CyberArk EPV Microsoft LAPS is also available for free Domain Administrators – Password Vault Isolated privileged account Frequent rotation (Typically 12 hours after use) Other accounts with broad reach into the environment CyberArk Discovery & Assessment

11 Where are we going? Workstation environment separate from data center
All system administration and distributed development performed via privileged accounts Admin sessions isolated so privileged passwords are not stored on the workstation (Privileged Session Manager) More multifactor authentication for more users Application and service account password rotation Detection for Pass the Hash and Pass the Ticket

12 Questions?

Download ppt "Privileged Access Management"

Similar presentations

So You Think Your Domain Controller Is Secure?

So You Think Your Domain Controller Is Secure?
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Privileged Identity Management Enterprise Password Vault

Privileged Identity Management Enterprise Password Vault
Privileged Account Management Jason Fehrenbach, Product Manager.

Privileged Account Management Jason Fehrenbach, Product Manager.
1 The New Cyber Battleground: Inside Your Network Chad Froomkin Major Account Executive Southeast.

1 The New Cyber Battleground: Inside Your Network Chad Froomkin Major Account Executive Southeast.
ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised 24-48 Hours Domain Admin Compromised Data Exfiltration (Attacker.

ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised Hours Domain Admin Compromised Data Exfiltration (Attacker.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
1 PUNCH PUNCH (Purdue University Network Computing Hubs) is a distributed network-computing infrastructure that allows geographically dispersed users to.

1 PUNCH PUNCH (Purdue University Network Computing Hubs) is a distributed network-computing infrastructure that allows geographically dispersed users to.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Copyright © 2015 Centrify Corporation. All Rights Reserved. 1 Single Identity – Multiple services how do I stay compliant? Wade Tongen NA Commercial SE.

Copyright © 2015 Centrify Corporation. All Rights Reserved. 1 Single Identity – Multiple services how do I stay compliant? Wade Tongen NA Commercial SE.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
Adversaries in Clouds: Protecting Data in Cloud-Based Applications Nick Feamster Georgia Tech.

Adversaries in Clouds: Protecting Data in Cloud-Based Applications Nick Feamster Georgia Tech.
Fraser Technical Solutions, LLC

Fraser Technical Solutions, LLC
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
Chapter 4 Windows NT/2000 Overview. NT Concepts  Domains –A group of one or more NT machines that share an authentication database (SAM) –Single sign-on.

Chapter 4 Windows NT/2000 Overview. NT Concepts  Domains –A group of one or more NT machines that share an authentication database (SAM) –Single sign-on.
©2011 Quest Software, Inc. All rights reserved. Patrick Hunter EMEA IDAM Team Lead 7 th February 2012 Creating simple, effective and lasting IDAM solutions.

©2011 Quest Software, Inc. All rights reserved. Patrick Hunter EMEA IDAM Team Lead 7 th February 2012 Creating simple, effective and lasting IDAM solutions.
GCSC July 2008. FIRE07282008-01 – User downloaded various free and demo media converter programs (as local admin) and was rootkitted. Detected by machine.

GCSC July FIRE – User downloaded various free and demo media converter programs (as local admin) and was rootkitted. Detected by machine.
SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.

SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.
Attacking Applications: SQL Injection & Buffer Overflows.

Attacking Applications: SQL Injection & Buffer Overflows.

Similar presentations

Ads by Google