Discover System Vulnerabilities and Squash Them!
May 19th, 2016
I’m going to base this week’s blog on vulnerabilities. If you’ve read my previous blogs, then you might be wondering why the PowerBroker Password Safe Product Manager is writing about vulnerabilities and not the Retina Vulnerability Management Product Manager. However, these vulnerabilities are not the ones you might be thinking about. I want to talk today about vulnerable systems and accounts.
Let’s start with a virtual show of hands: can anyone tell me how many systems and accounts you have out there? In production and QA? And, how many database instances? Oh, and network devices, too? It’s difficult, isn’t it? Keeping track of assets is a huge challenge for any company. Assets are constantly being spun up and spun down, especially given the ease with which virtualization/cloud environments can be provisioned. With every asset comes at least one privileged account — sometimes many more — if you include application accounts. This is what I am talking about when I say vulnerabilities — each of these accounts is a potential accident waiting to happen.
Discovery and Inventory
I cannot stress enough the importance of scanning your network to baseline what you have. You would be amazed at what a discovery scan often turns up. Test systems connected to the production network, systems with accounts whose passwords have not been changed for months (or often years – if at all), stale privileged accounts that have not been logged onto in forever… the list goes on and on. It’s a jungle out there – you’d be amazed and scared at what you will find.
So now you’ve done the first scan. You’ve scared yourself, your team, your boss, and your boss’ boss. What’s next? Now, you have to make things right by applying your security policies to the accounts you’ve discovered. You could print out a copy of everything the scanning tool finds, then create an inventory manually, but this could be a job that takes forever. And never ends. And just like painting a really long bridge, once you finish you have to start all over again.
Get the Right Tool for the Job
The scan engine picks up user account information such as privilege level, password age, last logon date, expiry status, and group membership. In addition, it picks up a lot of data about the host itself:
- Hardware – network cards, CPU, memory, drives, etc.
- Ports – any ports that were open together with services using them
- Processes – processes that were running at the time of the scan
- Services – all services with dependencies and logon account
- Shares – network shares open
- Software – all installed software together with the versions
You might be wondering what all the host data might be useful for. Simply put, it allows you to group hosts and perform conditional actions on accounts based on conditions such as installed software. Rather than you having to remember to add a database instance to a DBA group, Password Safe can look at the installed software, subnet, services — basically anything you want to build into your condition — then automatically onboard the instance, manage the admin account, add it to the DBA group, and then send you an email to let you know that it’s done.
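To make the two ideas above concrete, here is an added example (not Password Safe or BeyondTrust code) that takes a small, constructed discovery-scan inventory in the shape the post describes and does both jobs: it flags privileged accounts whose password age or logon history violates an assumed policy (the "Discovery and Inventory" point), and it assigns hosts to groups by conditions on installed software, services and subnet (the conditional onboarding point). The record layout, the policy thresholds, the group names and the host data are all assumptions for illustration.

```python
"""
Added example, not vendor code: evaluate a constructed discovery-scan
inventory -- flag stale or never-used privileged accounts, then assign
hosts to groups by conditions on installed software, services and subnet.
Record layout, thresholds and group names are assumptions for illustration.
"""
from datetime import date
from ipaddress import ip_address, ip_network

# "Today" for age calculations: the post's own date.
SCAN_DATE = date(2016, 5, 19)

# Constructed scan results: account details plus host software/services/IP.
HOSTS = [
    {
        "name": "db01",
        "ip": "10.1.20.15",
        "software": ["Microsoft SQL Server 2014", "Windows Server 2012 R2"],
        "services": ["MSSQLSERVER", "RpcSs"],
        "accounts": [
            {"user": "sa", "privileged": True,
             "password_set": date(2013, 2, 1), "last_logon": date(2016, 5, 1)},
            {"user": "svc_backup", "privileged": True,
             "password_set": date(2015, 11, 2), "last_logon": None},
        ],
    },
    {
        "name": "qa-web07",
        "ip": "10.1.20.77",  # a QA box sitting on the production subnet
        "software": ["Apache HTTP Server 2.4"],
        "services": ["httpd"],
        "accounts": [
            {"user": "root", "privileged": True,
             "password_set": date(2016, 4, 20), "last_logon": date(2016, 5, 18)},
        ],
    },
]

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy values
MAX_IDLE_DAYS = 180


def stale_accounts(hosts, today=SCAN_DATE):
    """Return (host, user, reason) tuples for privileged accounts that
    break the password-age or last-logon policy."""
    findings = []
    for h in hosts:
        for a in h["accounts"]:
            if not a["privileged"]:
                continue
            age = (today - a["password_set"]).days
            if age > MAX_PASSWORD_AGE_DAYS:
                findings.append((h["name"], a["user"], f"password {age} days old"))
            if a["last_logon"] is None:
                findings.append((h["name"], a["user"], "never logged on"))
            elif (today - a["last_logon"]).days > MAX_IDLE_DAYS:
                findings.append((h["name"], a["user"], "idle account"))
    return findings


# Grouping rules: each condition is a predicate over one host record.
PROD_NET = ip_network("10.1.20.0/24")
GROUP_RULES = {
    "DBA": lambda h: any(s.startswith("Microsoft SQL Server") for s in h["software"])
                     and "MSSQLSERVER" in h["services"],
    "WebAdmins": lambda h: "httpd" in h["services"],
    "ProdSubnet": lambda h: ip_address(h["ip"]) in PROD_NET,
    # Test systems on the production subnet get a review group, not onboarding.
    "ReviewQAInProd": lambda h: h["name"].startswith("qa-")
                                and ip_address(h["ip"]) in PROD_NET,
}


def assign_groups(hosts):
    """Map host name -> sorted list of groups whose conditions it satisfies."""
    return {h["name"]: sorted(g for g, cond in GROUP_RULES.items() if cond(h))
            for h in hosts}


if __name__ == "__main__":
    for host, user, reason in stale_accounts(HOSTS):
        print(f"[stale] {host}\\{user}: {reason}")
    for host, groups in assign_groups(HOSTS).items():
        print(f"[onboard] {host} -> {', '.join(groups) or '(no group)'}")
```

The rules are plain predicates so that a new condition (a subnet, a service name, a software prefix) is one extra dictionary entry rather than a code change elsewhere; in a real deployment the records would come from the scan engine's export and the thresholds from the organisation's password policy.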
Password Safe not only scans and onboards your accounts automatically, it can also keep the passwords managed according to your security policy, and provide controls that audit and govern their release.
Password Safe also has an integrated session manager (at no extra charge) that can automatically log users onto resources without ever revealing the password, record all video and keystrokes for later playback, and allow real-time session monitoring, with options to remotely manage and disconnect active sessions.
For more information on how our solutions unite privilege and vulnerability intelligence, and how to squash those vulnerabilities, check out this video. Or, try our new, free tool to find privileges that might be hidden. Download PowerBroker Privileged Discovery and Reporting Tool (DART).