In a Nutshell: 2017 marked an all-time high in data breaches, with 1,579 total incidents exposing more than 200 million consumer records. Nearly all of these breaches were caused either by the exploitation of a vulnerable network or by stolen credentials that provided access to restricted areas. PowerBroker privileged access management solutions by BeyondTrust address nearly every vulnerability that cybercriminals look for. The solutions tackle password management, privilege management, Active Directory bridging, and auditing and reporting. The recently unveiled PowerBroker for Networks manages access to sensitive Internet of Things devices as well as routers, networks, ICS, and SCADA.
Financial service providers' dependence on technology to run everything from accounting records to door locks comes with both benefits and risks. Relying on tech to complete tedious tasks can boost production and improve the workplace environment. But each new piece of software or hardware added to the system increases the risk of cyberattacks and data breaches.
A record 1,579 data breaches occurred in 2017, exposing more than 200 million records — 20% of which were credit and debit card numbers — as well as over 158 million Social Security numbers, and the numbers could actually be much higher. More than half of the attacks have incomplete records of the information stolen, making the total impact of the breaches unknown.
Many of the crimes could have been prevented with tighter security standards, like those provided through privileged access management (PAM) solutions — one of the most rapidly growing industries in cybersecurity. While many vendors offer solutions for one or two security issues, BeyondTrust remains one of the few companies providing services for the entire PAM spectrum.
“If you look at any of the recent security breaches, a hacker needed privileges to steal all that information,” said Morey Haber, CTO at BeyondTrust. “To get that, they either know the passwords, guess the passwords, or exploit a vulnerability to raise privileges and navigate through the network in order to exploit another system that privileges can be escalated on.”
Haber pointed to two factors he said are behind every breach — vulnerability and exploitation of a network or a stolen credential.
BeyondTrust’s PowerBroker family of products helps clients in all industries mitigate user risk without a negative impact on productivity by limiting unnecessary access to programs and managing key vulnerability points like passwords and administrative controls.
The company boasts a massive client base, including PayPal, Oracle, NASA, and Prudential, that turns to PowerBroker to assess system vulnerability and manage privileged access to sensitive systems.
“Many companies don’t realize that over 80% of malware can be stopped by a person operating with standard user rights and not admin privileges,” Haber said. “But as a standard user, the applications we all need to work with every day may simply not work.”
PAM Covers the “Four Buckets” of Access Management
BeyondTrust’s solutions are both scalable and flexible, offering a single architecture that can host one solution or all four.
“These programs can be obtained and deployed individually, or they can be integrated together using the platform,” Haber said. “The more data you pump in from all of our features, the richer your analytics coming out of it will be because you have more data sources on user behavior.”
Haber compared the PAM solution to four buckets, each holding an important element of the product. Whether used individually or all together, they provide important services for clients.
“Those four buckets make up the definition of privileged access management,” he said.
Most of the solutions are available for clients running on Mac, Windows, Linux, and Unix operating systems.
1. Password Management
Password management is possibly the single biggest issue companies face in the aftermath of a data breach. Haber noted three components that increase vulnerability that many companies fail to address.
“The biggest flaw is password reuse,” he said. “That’s where the same password exists on multiple devices or it’s being used between corporate or business assets, or social media and personal accounts. Once one system gets compromised, that password is reused everywhere.”
While password reuse is the most common flaw Haber has found, it isn’t the only potentially fatal problem.
“Password sharing happens when a colleague needs a password or multiple people know the domain admin password,” he said. “How many places is that account password known and how many people know it?
“Then there are stale passwords that have never been changed or are set to default. Professional services come in and set the password and you’ve had dozens of people come and go from the company and the passwords still haven’t been changed.”
PAM corrects these issues by regularly changing passwords to a random set of characters. Users who need access can check the password out and use it to complete their task. Once completed, a new password is generated and the old one is discarded.
This process of single-use passwords makes it harder for would-be attackers to infiltrate a system — it also removes a difficult task from employees.
“We’re all just human beings,” Haber said. “We can’t remember hundreds of passwords, so we tend to cluster one password for social media, one for routers and switches, and one for other programs, and then we end up with a problem.”
2. Privilege Management
This solution withholds administrator rights from end users and employs fine-grained policy controls for all privileged access. The program monitors and audits sessions for unauthorized access or changes to files and directories and reports back with analytics on system and user behavior.
The management solution addresses an issue on Windows and Mac systems, where administrator rights are required to log in to certain programs. Because standard users receive elevated permissions without being handed administrator access, employees can complete their jobs without excessive control over other systems.
3. Active Directory Bridging
This solution extends Microsoft Active Directory authentication, single sign-on capabilities, and Group Policy configuration management to Unix, Linux, and Mac systems, to improve efficiency, simplify compliance, and reduce risk.
The system can track users on their standard account across all platforms to maintain the security of the entire network.
4. Auditing and Reporting
This solution allows Finserv companies to remain PCI-compliant by tracking any Active Directory configuration changes in real time.
Users can pinpoint exact changes and find who performed each change and when.
“Financials as a vertical are a very interesting problem because some privileged activity is needed to conduct transactions or potentially steal money,” Haber said. “Outside of an ATM hack, you really need privileges inside of a bank to do something bad. You want to monitor and restrict all that activity and that’s where PAM comes into play.”
PowerBroker for Networks Offers the First Privilege Management Solution for Networks, IoT, ICS, and SCADA
In February 2018, BeyondTrust announced the release of a first-of-its-kind addition to the PowerBroker family — PowerBroker for Networks.
The scalable solution controls which commands users can run, records sessions, sends alerts, and provides a complete audit trail of user activity on network devices via the command line.
With so many automation programs and devices being grouped under the Internet of Things (IoT) umbrella, financial services need to limit access to potentially harmful programs.
“Financial institutions have cameras and door locks and all the automation that’s now classified as IoT,” Haber said. “That door lock has an admin password. There are no granular permissions on it to say who can cause it to reboot, add a user, or unlock, compared to another command.”
PowerBroker for Networks gives clients using IoT devices the ability to differentiate between a root or admin privileged user and a standard user, a distinction that may not natively exist on a device. The solution also manages access to routers, switches, firewalls, ICS, and other SCADA devices by implementing least privilege policies and application control across these devices.
Retina Intelligently Reduces System Vulnerability
Another key product that benefits Finserv organizations is BeyondTrust’s Retina solution, which manages vulnerabilities within a network and delivers real-time reports on issues that may affect security.
“When we run a scan, the system can find vulnerability information, like patches or other updates that a system may be missing, that make the risk for corruption higher based on the vulnerabilities and the people using it,” Haber said.
Haber said the Retina system can be used by any company with a large farm of computer systems (cloud or on-premises) that requires periodic patching and updates. Retina finds when things aren’t right (a computer not getting patches, getting different software downloads, or being logged in to after hours) and helps correct them.
The solution reports back with a full analysis of the problem, highlighting any users who may be blocking or changing the makeup of the system.
A Flexible Solution with Benefits for Every Department
Haber pointed out that there isn’t a target end user for PowerBroker’s solutions. Nearly every client has different goals for the program, which alters who ultimately controls it.
“If you’re talking about PAM on a desktop where admin rights have been removed to protect a user and keep them from installing games or whatnot, that would normally be controlled by IT operations,” he said. “If you’re working on the server side, that would normally go to security. If you’re in power generation or anything with critical infrastructure for water treatment, then it would likely go to the automation team.”
The growing list of clients choosing BeyondTrust for their PAM needs is proving that the solution’s flexibility is key to its effectiveness.
“The end user can be anyone who needs to run commands and process work with those systems, but doesn’t have, and shouldn’t have, root access but still needs to interact with the systems,” Haber said.
Seemingly daily announcements of new data breaches have sent Finserv companies scrambling to find solutions for a problem some didn’t know existed. Improper password management and excessive user access create vulnerabilities within a system that cyberattackers exploit to steal millions of sensitive documents every year.
The problem is one BeyondTrust hopes to put an end to in the coming years.
“When we talk to C-level executives, they know there’s a problem,” Haber said. “The question they have to answer is if they want one vendor and one platform where everything plugs together to see all of the data, or do they want different vendors for different operating systems or programs?”