6 super-defenses against super-user attacks

ID management

Privileged Identity Management is based on a common link in the chain of almost every advanced threat: obtaining the credentials of an administrator, super-user or even a program with local admin rights. PIM tools lock down those special credentials. Some PIM systems concentrate on auditing or anomaly detection so that even trusted insiders who have gone turncoat can be caught. Others focus on the password side of identity management, cycling impossibly long randomized passwords. Some concentrate on Linux environments, while others are Windows-based. Almost all PIM tools embrace the concept of least privilege, giving users only the level of access and privilege they need to run a specific command.

BeyondTrust PowerBroker UNIX & Linux

PowerBroker initially installs an agent on every server. All requests by users to run a process, either remotely or on a local machine, are sent to the authorization server, which checks the policy file and then either approves or rejects the request. In either case, the request and the resolution are logged. The log file of every user request is stored at a central server, which is not accessible from any of the client machines on a network. So even insider threats won’t be able to cover their tracks. Any attempts to circumvent the authorization server were met with failure in our testing. In addition, sessions from users can be recorded and played back later. When using the recording feature, even erased keystrokes are captured. A final component is the BeyondInsight tool, which uses analytics to identify anomalous behaviors and first time events.
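The request flow described above, as an added toy model (example code written for this page, not BeyondTrust's): an agent forwards a command request, an authorization server checks it against a constructed policy file, and every request and its resolution lands in a log that the client side can only read a copy of. The policy entries and host names are assumptions.

```python
"""Toy model of the agent -> authorization server -> policy -> audit log flow.
Hypothetical example, not PowerBroker's implementation."""
import fnmatch
from dataclasses import dataclass, field

# Constructed policy file: (user, host pattern, exact command) entries that are allowed.
# Least privilege: each user only gets the specific commands they need.
POLICY = [
    ("alice", "web-*", "systemctl restart nginx"),
    ("bob",   "db-*",  "pg_ctl restart"),
    ("bob",   "db-*",  "pg_ctl status"),
]


@dataclass
class AuthorizationServer:
    policy: list
    # The audit log lives only on the server; clients never hold a reference to it.
    _audit_log: list = field(default_factory=list)

    def authorize(self, user: str, host: str, command: str) -> bool:
        allowed = any(
            user == p_user
            and fnmatch.fnmatchcase(host, p_host)   # case-sensitive glob on host name
            and command == p_cmd                     # exact match, no wildcards in commands
            for p_user, p_host, p_cmd in self.policy
        )
        # Approved or rejected, the request and its resolution are always recorded.
        self._audit_log.append({
            "user": user, "host": host, "command": command,
            "decision": "approve" if allowed else "reject",
        })
        return allowed

    def audit_entries(self) -> list:
        # Return a copy so a caller cannot erase or alter the server-side record.
        return [dict(e) for e in self._audit_log]


def run_request(server: AuthorizationServer, user: str, host: str, command: str) -> bool:
    """Agent side: it only learns the decision; logging happens on the server."""
    return server.authorize(user, host, command)
```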

NetIQ Privileged Account Manager 3.0

Privileged Account Manager from NetIQ defines privileged accounts as any that are able to access files, run programs, and add or change the rights of existing users. NetIQ also concentrates on non-human accounts, which might be held by certain programs or processes. The heart of the product is the Enterprise Credential Vault, which stores all passwords for assets in an encrypted data safe. Users don't need to know the passwords. Instead, they apply for access and, if approved, are given a temporary password. Administrators can also set up rules for what happens after a session is authorized. We tried some sneaky ways to trick a protected machine, and every time we were met with a session-disconnected screen and revoked credentials. On the admin panel, those forced disconnects glowed bright red. Full sessions can also be recorded by Privileged Account Manager.

Lieberman Software Enterprise Random Password Manager

The core of the Lieberman solution is its Enterprise Random Password Manager (ERPM), a tool that can randomize thousands of passwords in just a few minutes, either in response to an alert or on a set schedule, so that even a captured password won't stay valid for very long. Setting up the ERPM on a network should be a fairly seamless process for most organizations. There are no agents, which is unusual among the products in this review. Once password control of systems is handed to the ERPM, an administrator can set up rules to make sure that all generated passwords conform to the restrictions of each machine on the network. Users apply for passwords to gain access to systems managed by the ERPM; requests can be granted automatically based on policy, or everyone can be subject to manual approval.
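The rotation behaviour described above, as an added example (hypothetical code written for this page, not Lieberman's): each managed host carries its own password restrictions, and a rotation run generates a fresh random password per host that conforms to that host's rules. The host names and their policies are constructed.

```python
"""Per-host random password rotation. Hypothetical example, not ERPM's code."""
import secrets
import string
from dataclasses import dataclass

SYMBOLS = "!@#$%^&*()-_=+"


@dataclass(frozen=True)
class HostPolicy:
    length: int
    require_symbol: bool = True
    forbidden: str = ""   # characters this particular system cannot accept


def _classes(policy: HostPolicy) -> list:
    """Character classes the password must draw from, minus forbidden characters."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if policy.require_symbol:
        classes.append(SYMBOLS)
    return ["".join(c for c in cls if c not in policy.forbidden) for cls in classes]


def conforms(pw: str, policy: HostPolicy) -> bool:
    """True if pw has the required length, no forbidden characters, and every class."""
    if len(pw) != policy.length or any(ch in policy.forbidden for ch in pw):
        return False
    return all(any(ch in cls for ch in pw) for cls in _classes(policy))


def generate_password(policy: HostPolicy) -> str:
    classes = _classes(policy)
    if policy.length < len(classes):
        raise ValueError("length too short to contain every required character class")
    alphabet = "".join(classes)
    while True:
        # secrets.choice is a CSPRNG; random.choice would be predictable.
        pw = "".join(secrets.choice(alphabet) for _ in range(policy.length))
        if conforms(pw, policy):
            return pw


def rotate(hosts: dict) -> dict:
    """One rotation run: returns {host: new_password}, one fresh value per host."""
    return {host: generate_password(policy) for host, policy in hosts.items()}


# Constructed inventory: a legacy host that cannot accept '$' and a stricter modern one.
HOSTS = {
    "legacy-app-01": HostPolicy(length=14, forbidden="$"),
    "db-02": HostPolicy(length=32),
}
```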

CyberArk Privileged Account Security Solution

The CyberArk solution is one of the most comprehensive systems we tested. It's made up of five elements, which can be purchased and installed separately: the Enterprise Password Vault, SSH Key Manager, Privileged Session Manager, Application Identity Manager and On-Demand Privileges Manager. The heart of the system is the Enterprise Password Vault, a repository for storing and monitoring the passwords that users must retrieve to gain permission to use system resources. Each password in the vault is stored and encrypted separately. The range of access levels and permissions that can be set up is impressive. The recording of user sessions is very precise: the system records keystrokes and video-like screen captures, and it also makes the collected data fully searchable.

Centrify Server Suite and Privilege Service

With Centrify, users log in and have their privileges elevated as needed without having to check out a password, and without even knowing root or administrator passwords. Server Suite and Privilege Service can make networks even more secure by turning mobile devices into a second authentication factor. Server Suite and Privilege Service work with Windows, Mac and mixed environments and make up one of the most economical products in this review. Instead of a vault, Server Suite administrators can set up various permissions that can be given to users. Unless an end user tries to do something that isn’t authorized, they probably won’t have very much contact with Centrify Server Suite. On the audit side, the main tracking panel clearly shows the user and the commands they used for each session. Administrators can call up recorded sessions by users.

Viewfinity Privilege Management

The Viewfinity Privilege Management suite worked well in locking down the privileges of all users and increasing overall network security. Viewfinity starts with a silent discovery phase that takes place over several weeks. The information collected is then fed into a policy creation engine that gives administrators full control over what is allowed to access the network. Setting up policies is very easy. Monitoring can take many forms, from recording every keystroke and video-recording an entire session to simply notifying someone that an action is being taken. The two main strengths of Viewfinity, besides its ability to protect networks from malicious or compromised privileged users, are its ability to stay mostly out of the way and the wide array of easily customizable access options.