Compromised Contractor Credential Leads to Largest Cyberattack into the Systems of the US Government

July 13, 2015
The damage from the US federal government’s Office of Personnel Management (OPM) data breach is only getting worse. First disclosed last month as affecting 4.2 million US federal employees, the breach is now known to involve records on 21.5 million people, including those who underwent a government background check in the past 15 years. Although the investigation is ongoing, it was announced yesterday that the attacker in both cases gained access to OPM computer systems “via a compromised credential of a contractor.” The Home Depot and Target breaches in the private sector already showed how important it is to have strict control and accountability over third parties given access to sensitive systems. How do we overcome this perpetual vulnerability? In this blog I will summarize four steps:
  • Setting up a secured enclave for sensitive systems to isolate their management
  • Requiring third parties to go through a proxy
  • Recording all sessions, with dual-control capabilities to view, terminate, etc.
  • Applying dynamic workflow to further tighten access (for example, not allowing a third party to reach these servers during production periods, or after hours, depending on their management function) and embracing behavior modeling to detect suspect activity
Slipping through the cracks

Third parties can “slip through the cracks.” How? In addition to terminated accounts not being disabled, or third-party users not being removed from specific groups in the enterprise directory (such as Active Directory), directory-based controls often do not extend to the local system, application, database, and other accounts where privileged access may have been granted. This is the benefit of an enterprise password and privilege management solution set. It is also harder to detect when third-party users are given excessive native permissions and reach these resources using the same methods as internal employees. This is why a product that manages, controls, and reports on third-party access from a central location helps: it drives accountability down to the specific user.

Options for limiting third-party access

Many customers choose to extend VPN access to third parties, but the VPN should grant access only to the enterprise password solution, which then proxies all activity. At no time should these third parties have direct access to the managed assets. This pattern is increasingly common in cloud management platforms and for virtual machines running in virtual and cloud environments. See the screenshot below for how we accomplish this.

[Screenshot: third-party access proxied through the password management solution]

Even if a vendor holds a set of credentials for the managed resource, you still need a gateway proxy capability, in the same manner as providing access through a managed account. A common practice is to set up VPN access that terminates at an appliance, which proxies activity to the secured server. The server is completely isolated using firewalls so that it accepts connections only from the appliance. Workflow approvals can be set up to require an employee to verify and approve each session. All current sessions can be viewed by an employee, with options to view, manage, or terminate them. See a screenshot of how we do that below.

[Screenshot: active third-party sessions with view, manage, and terminate options]

Recording and playing back sessions

Forcing third parties through a password appliance where all activity is recorded is standard practice, as is the ability to record sessions and play them back at a later date. Review can be based either on a sample of the recorded sessions or on playback of specific sessions, depending on the activity performed and the criticality of the assets being managed.

Don’t be the next victim

Nothing these breach victims had done up to this point was enough. A change in attitude must accompany a change in leadership. Defaulting to a least privilege model with automated password management and privileged session management is the only path forward. When millions of records, and potential victims, are at stake you have to assume you are under constant attack and behave accordingly. If you are interested in taking the next step in maturing your privileged account management deployment, contact us today.
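The controls above (vendor sessions only via the proxy appliance, no access for terminated accounts, employee approval, and per-function time windows, plus a check that nobody reached a managed server directly) can be expressed as a small gatekeeper policy. The following is an added example written for this page, not BeyondTrust product code. The appliance subnet (10.10.0.0/24), the two management functions and their windows, and the sshd log lines are all constructed assumptions for the example.

```python
"""Gatekeeper policy for third-party (vendor) access to an isolated enclave.

Encodes the controls discussed above: a vendor session must arrive through the
proxy appliance, the vendor account must still be active, an employee must have
approved the session, and the session must fall inside the window allowed for
that vendor's management function. A second helper scans sshd auth log lines
for successful logins that reached a managed server without going through the
appliance, i.e. the "direct access" that the enclave firewall is meant to block.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import re
from typing import Optional

# Assumed for the example: the proxy appliance lives on 10.10.0.0/24.
# Managed servers are firewalled to accept connections only from this range.
APPLIANCE_NET = ipaddress.ip_network("10.10.0.0/24")

# Allowed windows per management function: (weekdays, start_hour, end_hour).
# Patching vendors are kept out of production hours; monitoring vendors are
# limited to staffed weekday hours so an employee can watch the live session.
WINDOWS = {
    "patching": (range(0, 7), 18, 6),    # 18:00-06:00 any day (wraps midnight)
    "monitoring": (range(0, 5), 8, 18),  # 08:00-18:00 Monday-Friday
}


@dataclass
class AccessRequest:
    vendor: str
    account_status: str         # "active" or "terminated"
    source_ip: str              # address the session arrives from
    function: str               # key into WINDOWS
    requested_at: datetime
    approved_by: Optional[str]  # employee who approved the session, or None


def in_window(function: str, when: datetime) -> bool:
    """True if `when` falls inside the window configured for `function`."""
    days, start, end = WINDOWS[function]
    if when.weekday() not in days:
        return False
    if start < end:                       # window within a single day
        return start <= when.hour < end
    return when.hour >= start or when.hour < end   # window wraps past midnight


def evaluate(req: AccessRequest) -> tuple:
    """Return (allowed, reason); every denial names the control that fired."""
    if req.account_status != "active":
        return False, "account not active"
    if ipaddress.ip_address(req.source_ip) not in APPLIANCE_NET:
        return False, "session did not arrive via the proxy appliance"
    if req.function not in WINDOWS:
        return False, "unknown management function"
    if req.approved_by is None:
        return False, "no employee approval"
    if not in_window(req.function, req.requested_at):
        return False, "outside allowed window for " + req.function
    return True, "allowed"


SSH_ACCEPT = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


def find_bypasses(log_lines: list) -> list:
    """(user, ip) for successful sshd logins that did not come from the appliance."""
    hits = []
    for line in log_lines:
        m = SSH_ACCEPT.search(line)
        if m and ipaddress.ip_address(m["ip"]) not in APPLIANCE_NET:
            hits.append((m["user"], m["ip"]))
    return hits


# Constructed sample data: one login via the appliance, one direct from outside.
SAMPLE_LOG = [
    "Jul 13 02:14:07 db01 sshd[4120]: Accepted publickey for svc_vendor from 10.10.0.5 port 51022 ssh2",
    "Jul 13 02:31:55 db01 sshd[4188]: Failed password for root from 198.51.100.7 port 40112 ssh2",
    "Jul 13 02:32:09 db01 sshd[4190]: Accepted password for svc_vendor from 198.51.100.7 port 40118 ssh2",
]

# Constructed scenarios; 2015-07-13 is a Monday, 2015-07-18 a Saturday.
SCENARIOS = {
    "vendor via proxy, approved, in window": AccessRequest(
        "acme-patching", "active", "10.10.0.5", "patching", datetime(2015, 7, 13, 22, 0), "bhibbert"),
    "terminated vendor account": AccessRequest(
        "oldco", "terminated", "10.10.0.5", "patching", datetime(2015, 7, 13, 22, 0), "bhibbert"),
    "direct connection bypassing appliance": AccessRequest(
        "acme-patching", "active", "198.51.100.7", "patching", datetime(2015, 7, 13, 22, 0), "bhibbert"),
    "no approval": AccessRequest(
        "acme-patching", "active", "10.10.0.5", "patching", datetime(2015, 7, 13, 22, 0), None),
    "patching during production hours": AccessRequest(
        "acme-patching", "active", "10.10.0.5", "patching", datetime(2015, 7, 13, 10, 0), "bhibbert"),
    "monitoring on a weekend": AccessRequest(
        "watchco", "active", "10.10.0.9", "monitoring", datetime(2015, 7, 18, 10, 0), "bhibbert"),
}


def run_scenarios() -> dict:
    """Evaluate every constructed scenario; only the first one should be allowed."""
    return {name: evaluate(req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
    print("direct logins bypassing the appliance:", find_bypasses(SAMPLE_LOG))
```

The order of checks matters in practice: account status and source address are evaluated before approval and time window, so a terminated vendor or a connection that bypassed the appliance is denied regardless of what an approver did. The log scan is the compensating detection for the firewall rule; if it ever returns a hit, the enclave isolation has a gap.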

Brad Hibbert

With over 20 years of experience in product strategy and management, Brad leads BeyondTrust’s solution strategy. He joined BeyondTrust via the company’s acquisition of eEye Digital Security, where Brad led strategy and products. Under Brad’s leadership, eEye launched several market firsts, including vulnerability management solutions for cloud, mobile and virtualization technologies. Prior to eEye, Brad served as Vice President of Strategy and Products at NetPro before its acquisition in 2008 by Quest Software. Formerly, at FastLane Technologies, which was sold to Quest Software in 2001, Brad worked extensively with key Microsoft business units on product direction and go-to-market strategies.
