MANAGING UNIX ACCOUNTS IN TODAY’S COMPLEX WORLD – STOP THE SHADOW IT AND BE MORE EFFICIENT BY CHRIS RAY, CISSP-ISSMP

Upload: beyondtrust

Post on 08-Jan-2017

Category: Software


TABLE OF CONTENTS

• State of the Union
• IAM – What the Industry Requires
• Defense in Depth Model
• IAM Evolution
• Scenario I – User Account Management
• Scenario II – Server Management
• Scenario III – Audit Madness!
• Getting Executive Buy-In
• Summary

STATE OF THE UNION – INTERNET OF THINGS (OR “THINGIFICATION”)

1. 50 to 200 billion connected devices by 2020. “Number of connected devices worldwide will rise from 15 billion today to 50 billion by 2020.” - Cisco
2. $1.7 trillion in spending by 2020. “Global spending on IoT devices & services will rise from $656 billion in 2014 to $1.7 trillion in 2020.” - IDC
3. The $79 billion smart-home industry. “Smart-home industry generated $79.4 billion in revenue in 2014 and is expected to rise substantially as mainstream awareness of smart appliances rises.” - Harbor Research & Postscapes
4. 90% of cars will be connected by 2020. “By 2020, 90% of cars will be online, compared with just 2% in 2012, supporting in-car infotainment, autonomous-driving, and embedded OS markets.” - Telefonica
5. 173.4 million wearable devices by 2019. “Global wearable device shipments will surge from 76.1 million in 2015 to 173.4 million units by 2019.” - IDC

The wearables market will connect to the smart-home and connected-car markets and open the doors to new automation solutions. Cars can be unlocked, started, or even summoned by a smartwatch. Wearables can also be used to open smart-home locks, automatically turn lights on and off, and communicate remotely with smart appliances.

Chart source: http://www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html

STATE OF THE UNION – INFORMATION SECURITY

Headline: “After Verizon breach, 1.5 million customer records put up for sale. Verizon Enterprise's security expertise gets put to the test.” by Jon Brodkin - Mar 24, 2016 3:58pm CDT

IAM – REGULATION REQUIREMENTS FOR UNIX ADMINS

The PR.* and DE.* identifiers below are NIST Cybersecurity Framework subcategories; each is followed by its informative references.

PR.AC-1: Identities and credentials are managed for authorized devices and users
• CCS CSC 16
• COBIT 5 DSS05.04, DSS06.03
• ISA 62443-2-1:2009 4.3.3.5.1
• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
• ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
• NIST SP 800-53 Rev. 4 AC-2, IA Family
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d)

PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
• CCS CSC 12, 15
• ISA 62443-2-1:2009 4.3.3.7.3
• ISA 62443-3-3:2013 SR 2.1
• ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4
• NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii)

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
• COBIT 5 DSS05.04
• ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8
• ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
• NIST SP 800-53 Rev. 4 MA-4
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2)(ii), 164.310(d)(2)(iii), 164.312(a), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.312(b), 164.312(d), 164.312(e), 164.308(a)(1)(ii)(D)

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
• ISA 62443-3-3:2013 SR 6.2
• ISO/IEC 27001:2013 A.12.4.1
• NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)

Payment Card Industry Data Security Standard (PCI DSS)

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.

8.1.3 Immediately revoke access for any terminated users.

10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged.

10.2.5.a Verify use of identification and authentication mechanisms is logged.

10.2.5.b Verify all elevation of privileges is logged.

10.2.5.c Verify all changes, additions, or deletions to any account with root or administrative privileges are logged.


DEFENSE IN DEPTH MODEL – WHERE DOES IAM FIT IN?

• The model applies across all environments, regardless of platform.
• Control challenges to focus on:
  – IAM provisioning / deprovisioning
  – Granular access controls – “least privilege”
  – Policy enforcement – e.g. password complexity
  – Logging / auditing
  – Non-repudiation
• What about enabling the business?

IAM PROCESS

Many kinds of users access these systems, including:
• Employees.
• Contractors.
• Partners.
• Vendors.
• Customers.

Insiders: including employees and contractors.
Outsiders: including customers, partners and vendors.

SCENARIO I – USER ACCOUNT MANAGEMENT

Scenario: When users and administrators need access to a system, a user account has to be created on each host to provide that access. Rights for these user accounts are not granular, so the user ends up with more access than is needed. Privileged account passwords must be changed immediately when a person changes departments or leaves the company.

Challenge:
• New User Accounts (Provisioning) – How do I set up multiple user accounts for administrators and keep them consistent with the main directory (e.g. PeopleSoft, Windows AD)?
• Removing User Accounts (Deprovisioning) – How do I promptly remove a person’s access when they change departments or are no longer with the company?
  – How do I change all of my generic privileged account passwords that the person may have known?
• Authorization – How do I limit what an administrator can access?
• Password Policy – How can I enforce the company’s password policy?

Watch Out!
• Excessive local accounts remain.
• Contractor / 3rd-party support personnel are not closely managed and keep access after leaving the company.
• Password rotation is not practiced.
• Violations of the “least privilege” principle.

SCENARIO I – USER ACCOUNT MANAGEMENT

Unix operating systems have progressed significantly over the years with regard to user account management.
• “chmod 777 TopSecretFile” – not recommended! – except on slot machines…
• Red Hat Identity Management (IdM)
  – IdM even provides native integration with Active Directory.
• Managing user accounts: deploy and configure PAM (Pluggable Authentication Modules) to enforce password policy.
• Solaris 11.3 – specific extended rights can be applied to file objects, port numbers, and user IDs. These extended rights replace the set of rights that are otherwise available, except for the basic set.

Remember: implement “least privilege” not only for admins but also for partners, contractors and end users. Look at solutions that synchronize passwords across environments and provide automated provisioning and deprovisioning of accounts.
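Before an IAM product is in place, the provisioning, deprovisioning and password-policy questions above can be answered on each host with a short reconciliation script. The following is an added example, not part of the presentation and not BeyondTrust code: it compares a constructed /etc/passwd and /etc/shadow against a constructed directory export (one active login per line), reports interactive local accounts the directory no longer knows about, extra UID-0 accounts, and password-aging gaps. The UID floor of 1000 and the export format are assumptions.

```shell
#!/bin/sh
# Added example (not from the presentation): reconcile local Unix accounts
# against a directory export and flag password-policy gaps.
# All input below is constructed sample data; the UID floor (1000, see
# UID_MIN in /etc/login.defs) and the one-login-per-line export format
# are assumptions for illustration.

UID_MIN=1000

# Constructed /etc/passwd-style sample. "toor" is a second UID-0 account,
# "oracle" is a generic service login, "bob" is a contractor who has left.
passwd_sample() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob (contractor):/home/bob:/bin/bash
oracle:x:1003:1003:Oracle service:/opt/oracle:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
carol:x:1004:1004:Carol:/home/carol:/usr/sbin/nologin
EOF
}

# Constructed /etc/shadow-style sample (hashes abbreviated, not real).
shadow_sample() {
cat <<'EOF'
root:$6$salt$hash:17000:0:90:7:::
alice:$6$salt$hash:17800:0:90:7:::
bob:$6$salt$hash:16500:0:99999:7:::
oracle::17000:0:99999:7:::
toor:$6$salt$hash:17000::::::
carol:!:17800:0:90:7:::
EOF
}

# Constructed directory export: logins HR / AD still considers active.
directory_sample() {
cat <<'EOF'
alice
carol
EOF
}

# Interactive local accounts (UID >= UID_MIN, real login shell) that the
# directory export does not list: the "excessive local accounts" to review.
find_orphan_accounts() {   # $1 = passwd file, $2 = directory export
    awk -F: -v min="$UID_MIN" '
        FILENAME == ARGV[1] { active[$1] = 1; next }     # export: build allow-list
        $3 >= min && $7 !~ /(nologin|false)$/ && !($1 in active) { print $1 }
    ' "$2" "$1"
}

# Any account other than root with UID 0 is root under another name.
find_uid0_aliases() {      # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts that can log in but have no password, or whose password never
# expires (empty or 99999 max-age field): these defeat a rotation policy.
find_password_policy_gaps() {   # $1 = shadow file; prints "login<TAB>finding"
    awk -F: '
        $2 ~ /^[!*]/ { next }                                 # locked or no-login
        $2 == ""     { printf "%s\tno password set\n", $1; next }
        $5 == "" || $5 + 0 >= 99999 { printf "%s\tpassword never expires\n", $1 }
    ' "$1"
}

# Stand-alone demo over the constructed samples.
P=$(mktemp); S=$(mktemp); D=$(mktemp)
passwd_sample > "$P"; shadow_sample > "$S"; directory_sample > "$D"
echo "Local interactive accounts unknown to the directory (candidates for usermod -L):"
find_orphan_accounts "$P" "$D"
echo "Accounts with UID 0 other than root:"
find_uid0_aliases "$P"
echo "Password policy gaps:"
find_password_policy_gaps "$S"
rm -f "$P" "$S" "$D"
```

On a real host, point the functions at /etc/passwd and /etc/shadow (the latter needs root) and feed the export from whatever the directory of record is; lock the orphans with usermod -L rather than deleting them until the audit trail has been reviewed.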

SCENARIO II – SERVER MANAGEMENT

Scenario: Unix administrators must constantly connect to their servers to perform daily management tasks. Accounts require “root”-level access to perform duties. Admin-level access is typically “all or none”, and there is no command-line restriction unless one is configured.

Challenge:
• Generic accounts – How do I effectively manage my servers without using generic accounts?
• Remote Access – Given the problem with generic accounts like “root”, how do I manage the servers remotely if I can’t connect as “root”?
• Command line – What commands can I restrict users from running?

Watch Out!
• Shared and generic accounts destroy non-repudiation: an action logged against “root” cannot be tied to a person.
• Don’t forget your service accounts.

SCENARIO II – SERVER MANAGEMENT

Disable remote “root” access.
• Change the root shell: to prevent users from logging in directly as root, set the root account’s shell to /sbin/nologin in /etc/passwd. This also stops “su -” into root, but not “sudo /bin/bash”; make sure single-user or rescue mode is still reachable before doing it.
• To prevent root logins via SSH, edit the SSH daemon’s configuration file /etc/ssh/sshd_config and change the line that reads “#PermitRootLogin yes” to “PermitRootLogin no” (uncommented; sshd honours the first occurrence of a directive in the file), then reload sshd.
• Use PAM, e.g. pam_securetty to limit the terminals from which root may log in.

Enforce use of “sudo”: sudo <command>.
• Easy to use and adds an extra layer of protection: the admin authenticates as themselves, and the elevation is logged under their own name.
• sudo logs each command through syslog (authpriv facility by default), which typically lands in /var/log/secure on Red Hat-family systems or /var/log/auth.log on Debian-family systems rather than /var/log/messages; a dedicated log file can be set with “Defaults logfile” in sudoers.
• The administrator can allow different users access to specific commands based on their needs.

Command line – what commands are allowed?
• Restrict commands within the shell itself (e.g. a restricted shell such as rbash) or via the sudo configuration file, /etc/sudoers (edited with visudo).
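Two of the steps above are easy to get wrong: sshd honours the first PermitRootLogin it reads, so a hardened line added below a permissive one is ignored, and a Match block can quietly re-enable root for some clients; and a sudoers rule of ALL=(ALL) ALL is no better than handing out the root password. The script below is an added example, not from the presentation and not a BeyondTrust product: it reports the effective global PermitRootLogin of a config file, lists Match-block overrides, and stages a command-restricted sudoers fragment, validated with visudo -cf where visudo is installed. The sample configs, the webops group and the nginx commands are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the presentation): audit PermitRootLogin and stage a
# least-privilege sudoers fragment. Config contents, the "webops" group and the
# delegated commands are constructed assumptions for illustration.

# Constructed sshd_config samples: "weak" is a stock file where the directive is
# only present as a comment, "misordered" has the hardened line too late,
# "hardened" sets it correctly but a Match block re-opens it for one network.
sshd_sample() {   # $1 = weak | misordered | hardened
    case "$1" in
        weak)       printf '# stock file\n#PermitRootLogin yes\nPort 22\n' ;;
        misordered) printf 'PermitRootLogin yes\nPermitRootLogin no\n' ;;
        hardened)   printf 'Port 22\nPermitRootLogin = no\nMatch Address 10.0.0.0/8\n    PermitRootLogin yes\n' ;;
    esac
}

# Effective global value: sshd takes the FIRST non-comment occurrence, and the
# global section ends at the first Match line. Prints "unset" when absent
# (OpenSSH >= 7.0 then defaults to prohibit-password, older releases to yes).
permit_root_login_effective() {   # $1 = sshd_config path
    awk '
        /^[ \t]*#/ { next }                 # comment line, not a setting
        { gsub(/=/, " ") }                  # accept the "Keyword = value" form
        NF == 0 { next }
        tolower($1) == "match" { exit }     # global section is over
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Match-block overrides: each Match line that is followed by PermitRootLogin.
permit_root_login_match_overrides() {   # $1 = sshd_config path
    awk '
        /^[ \t]*#/ { next }
        { gsub(/=/, " ") }
        NF == 0 { next }
        tolower($1) == "match" { ctx = $0; next }
        ctx != "" && tolower($1) == "permitrootlogin" { print ctx " => " tolower($2) }
    ' "$1"
}

# Succeeds only when root login is explicitly and globally set to "no".
root_login_is_disabled() {   # $1 = sshd_config path
    [ "$(permit_root_login_effective "$1")" = "no" ]
}

# Constructed sudoers fragment: delegate named commands to a group, with
# NOEXEC to stop shell escapes and keystroke/output logging for evidence.
sudoers_fragment() {
cat <<'EOF'
# Added example fragment for /etc/sudoers.d/webops (install with mode 0440).
Cmnd_Alias WEB_SVC  = /usr/bin/systemctl restart nginx, /usr/bin/systemctl --no-pager status nginx
Cmnd_Alias WEB_LOGS = /usr/bin/tail -n 200 /var/log/nginx/access.log
Defaults   log_input, log_output
Defaults   logfile="/var/log/sudo.log"
%webops ALL = (root) NOEXEC: WEB_SVC, WEB_LOGS
# The "all or none" rule this replaces (do not use):
# %webops ALL = (ALL) NOPASSWD: ALL
EOF
}

# Stand-alone demo.
for kind in weak misordered hardened; do
    f=$(mktemp); sshd_sample "$kind" > "$f"
    printf '%-10s PermitRootLogin=%s' "$kind" "$(permit_root_login_effective "$f")"
    root_login_is_disabled "$f" && printf ' (disabled globally)'
    printf '\n'
    permit_root_login_match_overrides "$f" | sed 's/^/           override: /'
    rm -f "$f"
done
f=$(mktemp); sudoers_fragment > "$f"
if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$f" || echo "sudoers fragment rejected by visudo"
else
    echo "visudo not found; check the fragment with: visudo -cf $f"
fi
rm -f "$f"
```

Run the first three functions against the real /etc/ssh/sshd_config (and any files it includes) as part of a build check; a result of "unset" or any Match override is a finding, not a pass. With log_input/log_output set, sudoreplay can play back a session, which is the evidence an auditor asks for under PCI DSS 10.2.2.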

SCENARIO III – AUDIT MADNESS!

Scenario: Internal Audit, Information Security, customers, and regulatory audits constantly require evidence of controls around Unix systems. Some scripting is available for automation, but most evidence collection is cumbersome and pulls admins away from daily operations.

Challenge:
• Logging – How can I show the details of what happened and by whom?
• Auditing – How am I collecting evidence for the constant audits?

Watch out!
• Physical and mental drain on Unix Operations teams.
• Do not give audit the ability to simply run their own commands to gather evidence.

SCENARIO III – AUDIT MADNESS!

Move logging to a centralized server (e.g. a syslog server), so the evidence survives tampering with, or loss of, the host that produced it.

Script!
• http://www.orafaq.com/wiki/Scripts
• http://www.isaca.org/Journal/archives/2015/Volume-4/Pages/auditing-linux-unix-server-operating-systems.aspx
• http://www.softpanorama.org/Security/perl_sec_scripts.shtml

Be proactive – collect evidence periodically (e.g. quarterly) and save it for audit.
• Feed into a Security Information and Event Management (SIEM) solution when possible.
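Centralized syslog only helps the audit if someone can turn the raw lines into an answer to “who did what as root, and who tried and failed”. The script below is an added example, not part of the presentation: it parses sudo’s standard syslog lines (constructed here, with invented host, user and command names) into a tab-separated evidence table, pulls out denials and failed authentications, and counts elevations per user for a periodic evidence pack. It assumes sudo’s default syslog line format.

```shell
#!/bin/sh
# Added example (not from the presentation): extract audit evidence from sudo's
# syslog output. The log lines below are constructed in sudo's standard syslog
# format with invented host, user and command names.

sudo_log_sample() {
cat <<'EOF'
Mar 24 15:58:01 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 24 15:58:20 db01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar 24 16:02:11 db01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 24 16:03:45 db01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd root
Mar 24 16:10:02 db01 sudo[4410]:   oracle : TTY=unknown ; PWD=/opt/oracle ; USER=root ; COMMAND=/usr/bin/tail -n 200 /var/log/nginx/access.log
Mar 24 16:15:30 db01 sudo:  mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 toor
EOF
}

# Successful privilege elevations, one per line:
# timestamp<TAB>invoking user<TAB>target user<TAB>tty<TAB>command
# Lines carrying a sudo error message (denial, bad password) are excluded.
sudo_elevations() {   # $1 = log file
    awk '
        / sudo(\[[0-9]+\])?: / && / COMMAND=/ {
            ts = $1 " " $2 " " $3
            rest = $0; sub(/.* sudo(\[[0-9]+\])?: +/, "", rest)   # "alice : TTY=... ; COMMAND=..."
            user = rest; sub(/ : .*/, "", user)
            body = rest; sub(/^[^:]* : /, "", body)
            if (body ~ /^(command not allowed|user NOT in sudoers|[0-9]+ incorrect password attempts)/) next
            tty = tgt = cmd = ""
            n = split(body, kv, / ; /)
            for (i = 1; i <= n; i++) {
                if      (kv[i] ~ /^TTY=/)     tty = substr(kv[i], 5)
                else if (kv[i] ~ /^USER=/)    tgt = substr(kv[i], 6)
                else if (kv[i] ~ /^COMMAND=/) cmd = substr(kv[i], 9)
            }
            printf "%s\t%s\t%s\t%s\t%s\n", ts, user, tgt, tty, cmd
        }
    ' "$1"
}

# Denied or failed sudo attempts: the lines an auditor (and a SIEM rule)
# should see first.
sudo_denials() {   # $1 = log file
    awk '/ sudo(\[[0-9]+\])?: / && /(command not allowed|user NOT in sudoers|incorrect password attempts)/' "$1"
}

# Elevation count per invoking user, e.g. for a quarterly evidence pack.
sudo_elevations_per_user() {   # $1 = log file; prints "user<TAB>count"
    sudo_elevations "$1" | awk -F'\t' '{ n[$2]++ } END { for (u in n) print u "\t" n[u] }' | sort
}

# Stand-alone demo.
L=$(mktemp); sudo_log_sample > "$L"
echo "== Elevations =="; sudo_elevations "$L"
echo "== Denials / failures =="; sudo_denials "$L"
echo "== Per user =="; sudo_elevations_per_user "$L"
rm -f "$L"
```

The same functions work on the central copy of the log; with rsyslog, a rule such as “authpriv.* @@siem.example.com:514” (hostname assumed) forwards the authpriv facility over TCP so the SIEM receives the sudo lines as they are written.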

TIPS FOR GETTING EXECUTIVE BUY-IN

Show efficiency
• Time saved and resources reduced by having an automated solution.
• Reduce overhead associated

Audit improvements
• Partner with audit (both internal and external) for evidence collection.
• Reduction in audits around privileged account management.
• Identity Management is always a hot item for corporate board members.

Enabling the business
• Numerous business benefits from a more robust Identity Management program.
• Improve time to market for internal and external customers.
• Greatly reduce the security risk!

SUMMARY

Difficult job for Unix Admins

Know the audit / security requirements

Find ways to automate when possible

Show reduction in work time and risk


PowerBroker for Unix & Linux: Control and Audit Unix and Linux User Activity

Helicopter View – BeyondTrust Solutions

PowerBroker Auditor:

Audit for Active Directory

Audit for File Server

Audit for MS Exchange

PowerBroker Identity Services:

Single Sign On (AD Bridge)

Policy Mgmt for Unix/Linux/Mac via AD

Privilege Management:

PowerBroker for Windows

PowerBroker for Unix / Linux

PowerBroker for Mac

Password Safe:

Password Management

Session Management

SSH Key Management

Application Management

Vulnerability Management:

Vulnerability Management

Patch Mgmt for Adobe, Java, etc

Analytic Reporting

PowerBroker for Unix & Linux:
• Eliminates the sharing of privileged credentials and delegates permissions without exposing credentials
• Tracks, logs and audits activities performed on Unix and Linux systems for compliance
• System-level control provides powerful file and folder controls, not just command-line analysis
• Extends beyond Unix and Linux platforms, helping to reduce risk across the enterprise

How does it work?

Detailed Forensics and Reporting:

• Searchable Index

• Scheduled Reports

• Custom Reporting

• Single Events Window

Product Demonstration

Quick Poll

Q&A

Thank you for attending!