29 June 2020

Some Inconvenient Truths About Credentials and Remote Access

Andy Harris

... and how to mitigate remote working risks

In this lock-down period we have all seen a massive growth in virtual private network (VPN) access to our systems. Many of us have seen big changes in the workforce due to furlough and layoffs. I talked about these issues in a recent Osirium webinar.

In general, VPN access is riskier than office-based access, and there are some uncomfortable truths about humans and credentials:

  • Human-generated passwords are at least three orders of magnitude easier to brute force. Here I'm not talking about you, dear reader, but about all those people in your organisation. They all have a job to do, and you ask them to refresh their passwords at the most inconvenient times, so it's no wonder they naturally pick simplistic passwords. And if a password is easy to remember, you can be sure it is in an attacker's dictionary.
  • Most passwords are not actually brute-forced. They are simply intercepted in the user's desktop environment, mostly by malware based on browser extensions and plug-ins. There are many key-logger toolkits available on the internet, and malware is often customised to individuals. Even if you are using a password vault, the credentials will still go through the malware, so the vault isn't doing much to protect them.
  • Individual vaults are for individuals, not organisations. Never, ever allow your staff to use individual password vaults for corporate accounts. If they leave, the credentials leave with them. You might think it's a pain to reset the passwords on systems and devices, but once someone who had their own set of credentials leaves, you've got a lot of new pain to deal with. For example, consider VMware 6.0 onwards: if you Google "reset the root password", you'll see it's easier to buy new disks and re-install! Even then, you've still got to worry about migrating the old virtual disks to the new installation.
  • VPNs are dangerous because they allow lateral movement. Not everyone connects only to the systems they should; many prod and poke around, and bad actors will search through your networks in subtle ways. Once everyone is on the VPN, your SIEM logs will look very different and will be harder to analyse to find the interesting content in all the noise. The lateral movement may not come from the VPN itself but may use a system within your infrastructure as a launch pad.
  • Your staff, or what you think are your staff, are the bad actors. In general, server-based security is on an upward trend: no bad actor will attempt to subvert a bank's servers, it's just too difficult. It's much easier to infiltrate the user environment. Once malware is in the user's environment, it can track their behaviour: when they work, where they go, what credentials they use. Then the malware emulates the user's behaviour, even in a background copy of their own browser, to launch probes and attacks. This kind of attack is the hardest to detect since it effectively hijacks both the user's credentials and their behaviour.
  • Third parties might not have the same credential hygiene as you. They need to get work done, and they will do it with anyone they can. Third parties use third parties: don't be surprised!

Principles

  • There is too much VPN access; users should be limited to accessing only the systems they need. Application-based proxies achieve this.
  • The user's credentials should only be used to verify identity. Multi-factor authentication should be deployed; extra factors defeat malware that impersonates a user. Machine-generated, long and complex credentials should be used between the proxy and the system, application or device. These credentials should be automatically refreshed and retired when the accounts are no longer needed. There should be ONLY ONE instance of any identity allowed: a user should not be able to log in twice.
  • The privileged credentials that are used on the end systems and applications should not be known to the users; these credentials should not even flow through the user's desktop at any point.

The three principles above amount to a separation of people from credentials, a mapping of people's identities to roles, and the prevention of lateral movement through an IT infrastructure. Simply put, these principles deal with all the risks associated with VPN access.
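A minimal model of the three principles, added here as an illustration and not Osirium's code: the gateway verifies identity with a second factor, allows one live session per identity, maps identity to role and role to reachable systems, and presents a machine-generated credential to the target that never appears in what the user gets back. The user names, systems and the `backend_auth` stand-in are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample mappings: identity -> role, role -> systems it may reach.
ROLE_OF = {"alice": "dba", "bob": "webops"}
SYSTEMS_OF_ROLE = {"dba": {"db01"}, "webops": {"web01", "web02"}}
AUTH_LOG = []  # which credential the gateway presented to which target


def backend_auth(system, cred):
    """Hypothetical stand-in for the proxy's own SSH/RDP/HTTP logon to the target."""
    AUTH_LOG.append((system, cred))
    return True


@dataclass
class PamGateway:
    vault: dict = field(default_factory=dict)   # system -> machine-generated cred
    active: dict = field(default_factory=dict)  # identity -> live session id

    def rotate(self, system):
        """Issue a fresh long random credential for a target; the old one is retired."""
        self.vault[system] = secrets.token_urlsafe(32)
        return self.vault[system]

    def login(self, user, mfa_ok):
        """Verify identity (password plus second factor) and allow ONE live session."""
        if not mfa_ok or user not in ROLE_OF:
            raise PermissionError("identity not verified")
        if user in self.active:
            raise PermissionError("identity already logged in")
        self.active[user] = sid = secrets.token_hex(8)
        return sid

    def connect(self, user, sid, system):
        """Open a session to `system` for the user's role. The gateway injects the
        privileged credential; it is never part of what the user receives."""
        if self.active.get(user) != sid:
            raise PermissionError("no valid session")
        if system not in SYSTEMS_OF_ROLE[ROLE_OF[user]]:
            raise PermissionError(f"{user} may not reach {system}")
        cred = self.vault.get(system) or self.rotate(system)
        backend_auth(system, cred)
        return {"user": user, "role": ROLE_OF[user], "system": system}

    def logout(self, user):
        self.active.pop(user, None)
```

A real deployment would back `vault` with a hardware-protected secret store and hold the target session on the proxy, which this model only sketches.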

Privileged Access Management in action

In these lockdown times, teams haven't got the time or budget for complexity or long deployment times. Once you have your access sorted, you have time to breathe. Here's how to build fundamental security into what you already have, starting with an example "before" diagram, where your users arrive at the VPN and can then get to where they need (and everywhere else):

[Diagram: "before"]

Here's the "after" diagram, with the users getting to the VPN and then using Privileged Access Management (PAM) as a gateway to create an identity-to-role mapping:

[Diagram: "after"]

You'll see there are two secure ways into the corporate network: the VPN and direct web access. In both cases you get the identity-to-role mapping. The web route is particularly suited to third-party access, since this way you won't need to provision them with VPN accounts.

We've presented here a fast route to good security. If you'd like to know more about this or other ways to protect your valuable IT infrastructure, please get in touch.
