Channel: Secret Server – Thycotic

Using the Privileged Accounts Discovery Tool


Guest blog post by Bryan Krausen, author of IT Diversified. Find the full article here.

Thycotic has released another free tool for admins to help them discover where privileged accounts are used within their infrastructure. A free tool like this is useful in many scenarios, including:

  • Discovery for IT staff unfamiliar with the company’s infrastructure (new staff, consultants, etc.)
  • Auditing where accounts with elevated privileges are used (IT compliance)
  • Account lockout scenarios (finding where a problematic account is still being used)
  • Detecting unauthorized accounts tied to services or scheduled tasks (think virus, spyware, or unauthorized services)
  • Identifying what unfamiliar accounts are used for (think Active Directory cleanup)

A huge benefit of this tool is that it’s agentless and requires no installation on the host performing the scan. Additionally, it’s only 14MB compressed and 37MB extracted, making it extremely portable for IT professionals. For such a small tool, it’s easy to see how powerful it can be for even the largest enterprise. Combine its results with Excel formulas or a diff tool like BeyondCompare and it becomes a fairly powerful auditing tool.

To get started with the tool, download the application from Thycotic using the link above. Extract the contents of the .zip file and run the executable (yup, it’s that easy). Enter the domain you wish to scan and appropriate credentials for the servers and workstations you wish to scan. (Thycotic states that the account must have administrative privileges on the target hosts, so the scanning credential is itself a privileged account: use a dedicated one rather than a personal admin login, and treat the resulting reports as sensitive, since they map out every privileged account in the environment.) Select the appropriate scan, or choose both, and start the scan. Upon completion, the tool asks for a company name to append to the report’s title and saves the results in a variety of formats in the location chosen.

In viewing the results, start with the Executive Summary (the file is named ThycoticWindowsAccountAnalysis – domain date). This great looking report gives you a quick breakdown of items such as which Windows components are using these accounts (services, scheduled tasks, application pools, etc.), whether the account is marked for password expiration, and the age of the existing password tied to that account. Furthermore, the report displays which service accounts it discovered and how many instances of each account were found across the infrastructure.

[Image: ITDiversified_PrivilegedAccountAnalysisGraph]

Last but not least, the results are also available as a CSV, which lists every discovered account, the name of the host it was found on, and where on that host it’s being used. It also provides the Password Last Set Date and the expiration status of each account. An example of these results is shown below (yeah…I’m using an account named bryan in my lab :) )

[Image: ITDiversified_WindowsServices]
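The post suggests feeding the CSV into Excel formulas for auditing; the following is an added example (not part of the original post or the Thycotic tool) that does the same job in Python. It loads a constructed CSV in the shape the post describes (account, host, where it is used, password last set, expiration status), counts instances per account, and flags the things an auditor cares about: stale passwords, passwords set to never expire, accounts absent from a known inventory, and accounts spread over several hosts (rotating those touches every host). The column names are an assumption; the real export’s headers may differ.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample in the shape the post describes. Column names are assumed.
SAMPLE_CSV = """Account,Host,UsedBy,PasswordLastSet,PasswordNeverExpires
LAB\\svc_backup,FS01,Windows Service,2013-02-11,True
LAB\\svc_backup,FS02,Windows Service,2013-02-11,True
LAB\\svc_backup,APP01,Scheduled Task,2013-02-11,True
LAB\\bryan,APP01,Scheduled Task,2015-09-30,False
LAB\\svc_web,WEB01,IIS Application Pool,2015-06-01,True
LAB\\unknownsvc,WEB02,Windows Service,2014-01-15,True
"""


def load_findings(text):
    """Parse the export; one row per (account, host, component) the scan found."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["PasswordLastSet"] = datetime.strptime(row["PasswordLastSet"], "%Y-%m-%d").date()
        row["PasswordNeverExpires"] = row["PasswordNeverExpires"].strip().lower() == "true"
        rows.append(row)
    return rows


def instances_per_account(rows):
    """How many places each account was found, like the Executive Summary count."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["Account"]] += 1
    return dict(counts)


def flag_accounts(rows, today, max_age_days=365, known_accounts=()):
    """Return {account: [reasons]} for accounts that need a closer look.

    known_accounts is the inventory of service accounts you expect to see;
    anything outside it is a candidate for the 'unauthorized account' case.
    """
    hosts = defaultdict(set)
    for r in rows:
        hosts[r["Account"]].add(r["Host"])

    flags = defaultdict(list)
    seen = set()
    for r in rows:
        acct = r["Account"]
        if acct in seen:           # password attributes are per account, not per row
            continue
        seen.add(acct)
        age = (today - r["PasswordLastSet"]).days
        if age > max_age_days:
            flags[acct].append(f"password {age} days old")
        if r["PasswordNeverExpires"]:
            flags[acct].append("password never expires")
        if known_accounts and acct not in known_accounts:
            flags[acct].append("not in the known service-account inventory")
        if len(hosts[acct]) > 1:
            flags[acct].append(f"used on {len(hosts[acct])} hosts; rotating it touches all of them")
    return dict(flags)


if __name__ == "__main__":
    findings = load_findings(SAMPLE_CSV)
    inventory = {"LAB\\svc_backup", "LAB\\svc_web", "LAB\\bryan"}
    for acct, reasons in flag_accounts(findings, date.today(), known_accounts=inventory).items():
        print(acct, "->", "; ".join(reasons))
```

Run it against the real export by replacing SAMPLE_CSV with the file contents and the inventory set with the accounts you actually expect; the "not in inventory" flag is the one that catches the rogue service or scheduled task the post warns about.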


The only change to the tool that I’d love to see is the ability to scan by IP range. This would enable the discovery of hosts sitting in a segregated DMZ, or when a user wants to discover accounts on specific hosts where scanning the entire domain might not be feasible. The great folks at Thycotic have already sent this feedback to the developers, so hopefully we’ll see a version 2.0 with new features :)

So discover away you IT admins, you consultants, and security pros. Take control of your privileged accounts and run a more secure business.

For more help, check out Thycotic’s six page PDF: Privileged Account Discovery for Windows. And while you’re at it, take a look at Thycotic’s UNLOCKED conference.


IT Weapons Customer Spotlight: Reducing Cyber Risk for Global Client Base



For the last 15 years, IT Weapons, a Konica-Minolta Company, has provided award-winning security consulting, private cloud solutions, and technology services for organizations worldwide. They had been using homegrown privileged account management (PAM) solutions, but grew quickly and determined that they needed an enterprise-class PAM solution to improve security and make going through audits easier.

Challenges

IT Weapons not only provides services, but builds and runs secure IT systems for companies of all sizes around the world. In total, they actively manage more than 11,000 devices in their private cloud alone, supporting hundreds of thousands of systems for their clients daily. In order to provide the best solutions and build systems that properly integrate with existing environments, clients must give IT Weapons access to privileged systems and sensitive areas of the network. Due to the nature of their work, IT Weapons deals with security and compliance auditors on a regular basis and needed a way to manage those clients’ privileged account information.

Solutions

Thycotic Secret Server stores privileged credentials, secures them, and audits who has been using them and when. Implementing a policy of least privilege is easy, as permissions can be assigned to or removed from the roles assigned to users as needed. Separation of duties is also easy to apply, with visibility of privileged accounts controlled per user or per group as the administrator chooses. Access can be restricted so that only certain users can reach certain accounts, so that a user has to request access from another user, or so that an account can only be “checked out” to one user at a time. Check-out gives nonrepudiation: because only one person holds the credential at a time and the access is recorded in the audit trail, that user cannot deny their actions on the account. Additionally, a secure password can be generated automatically and changed remotely every time a user checks the account back in, so the password is constantly changing and a user cannot log into the privileged account after returning it to Secret Server.

Conclusion

Today, Secret Server is the primary privileged account management solution used by IT Weapons. Ted Garner, Co-Founder and CEO of IT Weapons says, “Security is going to remain paramount, and is a critical piece to our growth. We know it’s an important part of our future, but it’s partners like Thycotic that will be flexible and grow with us that make it a critical partnership for our ongoing growth.” By practicing stronger privileged account management internally and providing a secure way to vault, manage, and audit credentials for clients, IT Weapons can continue to meet the growing security needs of their global client base.

KuppingerCole Report: Protecting the keys to your kingdom against cyber-attacks and insider threats


In November 2015, KuppingerCole released a white paper titled “Protecting the keys to your kingdom against cyber-attacks and insider threats” outlining the state of security around privileged accounts in organizations. In this blog post, I’d like to highlight a couple of critical points KuppingerCole makes in this report and expand a bit on why Privileged Account Management has become such an important and prevalent topic in the security community at large.

Martin Kuppinger, Founder and Principal Analyst at KuppingerCole, authored this white paper to share his perspective on the state of Privileged Account Management in the organizations he has worked with. Even in the introduction, Martin leads with two very important observations that, in my opinion, nicely sum up what I have also seen in the companies I’ve worked with over the years. He states: “Privilege Account Management is far more than just managing a few administrators within a particular system environment…” and, “Setting up Privilege Account Management nowadays is a #1 requirement for mitigating Information Security risks and improving cyber-attack resiliency.”

Martin does an excellent job in the Highlights section of the report going into detail about why Privileged Account Management is much larger than just watching over a small handful of administrators, and while he covers the technical examples of what falls under the purview of Privileged Account Management, there is a cultural component missing from this equation. While the number of cyber-attacks is growing, and the root causes of these attacks are more and more commonly determined to be abuse of a privileged account, leadership in organizations across the globe still makes security decisions seemingly blind to these events. Commonly, the response is “It’s too hard,” or “There’s no easy solution,” and they move their security programs toward other layers of defense. Over time, this builds an organizational culture of moving to the Next Great Security Solution rather than addressing the base problem which, as time goes on, becomes ever more the most common attack vector for both hackers and malicious insiders.

Following the steps outlined in this excellent white paper to understand the state of your environment and begin addressing the Privileged Account Management Challenge is a critical component of success. But to even begin this process, there must be an organizational culture within your security program that will support this undertaking. This is very important, as handling this problem is a huge undertaking and can be very difficult to solve without the drive and support from leadership to expend the resources necessary to understand where your privileged accounts exist and, subsequently, how best to protect and manage those accounts now and going forward. This may not be a new concept to anyone familiar with launching a new project, but for something as critical to the state of security as properly managing privileged accounts, getting that executive buy-in and supportive culture established in the organization is imperative to successfully tackling the Privileged Account Management Challenge posed in this white paper.

Once you get this effort toward the Privileged Account Management Challenge started, Martin’s second point comes into focus. Over the last few years, we have seen more studies and reports showing an increasing trend of criminals, hackers, malicious insiders and other attackers zeroing in on finding and taking advantage of privileged credentials to carry out whatever activity they’ve set out to do. Whether that’s intellectual property theft (common with educational institutions), data mining for personally identifiable information to sell on black markets (e.g. Target, Home Depot, Anthem, and many more), or impacting the operations of the target’s business or organization (e.g. Sony PlayStation Network outages), it becomes painfully evident that protecting these keys to the kingdom should truly be the #1 priority for any organization trying to establish a security program. If more organizations don’t make additional efforts to protect these critical accounts that have access to so much data, this trend will continue ever upward. If we continue to leave the door open because it’s too difficult to close, intruders will continue to follow this path of least resistance into our domains. The evidence shows the trend is there, and now is the time to finally take action and start making these kinds of attacks and data breaches less common than they are today.

Privileged Passwords. The easiest way into your business?



We’ve had great success in EMEA teaming with the top partners to deliver the industry’s most comprehensive privileged account management solution. Here’s an example of what our distributor in the UK, Alpha Generation, recently posted about how easy it is for attackers to gain privileged access and take over the network.

Attackers don’t break-in when they can log-in

In IT security, the language we use can be misleading. We talk about attacks, breaches, and hacking our defences. These sound like violent acts – where an intelligent attacker outsmarts and out-thinks our security.

But that’s not always the case. In fact, most incidents are a whole lot quieter than that.

Attackers don’t always hack through layers of sophisticated security. Sometimes, they just use the password.

From individual users to service accounts, the privileged passwords you use are the easiest way into your business. They give people widespread access to your most confidential systems – the ones that support your everyday business and store your most private data.

And those passwords are often the least protected element of your IT.

How privileged passwords give attackers access

Privileged passwords are attached to accounts with elevated security permissions. The access they offer goes beyond a simple user desktop. That’s exactly why they make excellent attack vectors.

Common privileged passwords include:

  • Administrative accounts, like the root user on Linux / UNIX or your Windows Administrator account.
  • Service accounts that provide a security context for services. They aren’t tied to a person, which means they’re often used by multiple applications and devices.
  • Application accounts that secure the connection between two applications.

In the right hands, these are the passwords that help systems to work correctly and users to get on with what they need to do. But, in the wrong hands, they provide access to a wide range of functionality and data.

Take leading retailer Target, who had 40 million credit card numbers and personal information for as many as 70 million people stolen in November 2013. Their estimated losses were at $420 million according to Gartner. And the sophisticated, advanced attack methodology that was used? Attackers simply logged in.

They took privileged passwords from one of Target’s HVAC suppliers – a considerably easier target – then used their widespread access to infect Target’s network with a trojan.

Target’s passwords, when turned against them, posed a serious security threat. But, of course, those passwords are an essential part of business. There’s no getting around their existence – we’ll always need to secure our infrastructure using passwords.

So what steps can we take to secure the passwords themselves?

Why your passwords aren’t protected

There’s a lot you can do to protect your privileged passwords.

You can enforce robust policies – like changing passwords on a regular basis, or enforcing a certain level of password strength. You can implement processes that keep the window of opportunity for misuse small. You could even use something like dual control to ensure that no single user knows your privileged passwords, with each part of it defined by a different administrator.

But here’s the truth of it. That stuff is difficult and time-consuming and usually involves huge spreadsheets.

We’re all working with limited resources. We’re trying to secure a huge range of devices, in a world where people bring their own laptop to work or take their operating system away with them on a USB drive. The threats continue to evolve. All of our resources go into keeping up.

And that means protecting your passwords gets left behind.

A practical approach to protecting your passwords

There’s no denying the risk associated with your privileged passwords. According to Verizon’s Data Breach Investigations Report, 88% of IT security breaches in 2014 involved privilege abuse of some kind. But a manual approach to the problem just isn’t sustainable.

That doesn’t mean you should do nothing. That just means you should look to automate the process as much as possible.

Thycotic Secret Server automatically discovers enterprise-wide privileged passwords around your infrastructure, and consolidates them in a secure vault with two-factor authentication and AES 256 encryption. All of your policies are enforced automatically, from password complexity to change frequency.

And, crucially, every interaction with a password is monitored and logged. Regular reports can be generated with a few clicks, which is ideal for the demands of compliance standards like PCI DSS, HIPAA, and SOX.

So you’ll always know who is using a password – and what they are using it for.

SNEAK PEEK–The Greatest Secret Server Launch Yet!


With the release of Thycotic Secret Server 9.0 come some major new features and enhancements. Session launchers gain new options for SSH connections that need root, an OS X launcher client, and privilege management for UNIX systems through Command Menus.

Introducing Mac Session Launchers

The Mac session launcher has been a popular feature request, and the 9.0 release gives all editions of Secret Server the Mac session launcher. If you are using a Mac, just run a session launcher and you’ll be prompted to download the Mac OS X client. Once that’s installed you’ll be able to run RDP, SSH, and custom launchers just like on Windows. The Mac client supports proxying, Session Recording, and Session Termination just like the Windows client.

[Image: Secret Server Mac Launcher]

The Mac session launcher brings native tool support to OS X so IT admins can use the tools they want without compromising privileged account security.

Enhanced Security with UNIX Privilege Management

9.0 also introduces a new additional module for controlling which commands users can run as root. In many cases contractors or lower privileged users need privileged access to UNIX servers to perform specific tasks. Rather than providing full root access, Secret Server administrators can now set up a command menu that restricts certain users and groups to a subset of commands. For example, you could delegate the ability to install updates and reboot servers without granting any additional access, limiting the potential for misuse of a root level credential.

[Image: Secret Server UNIX Privilege Management]

As a part of this, admins can now configure Secrets to connect with a lower privileged account over SSH and then automatically switch to root since root is typically denied direct SSH access.

Announcing Active Geo Replication

Secret Server has supported SQL AlwaysOn and database mirroring for database redundancy for many years. With the 9.0 release there is a new module available that gives administrators the option to use SQL Replication.

SQL Replication is a better fit than SQL AlwaysOn when sites are geographically dispersed, the link between them may go down, and each site needs its own active copy of Secret Server running during the outage. If you’ve got Secret Server users in London and San Francisco, and you want to make sure both sites always have an active Secret Server instance available even if the link goes down, Geo Replication might be a good option for you.

Why Adobe Chose Thycotic Secret Server for their Application Build Environment


Recently, Adobe worked with us here at Thycotic to publish a use case document on how they’ve implemented Secret Server for enterprise password management within their application build environment. While the core message surrounding the ability to automate processes and remove the human error element is critical for Adobe and just about any other organization out there, I wanted to spend a couple of minutes highlighting one of the key success factors they found that helped make the automation process work: flexibility.

I hear from colleagues all over the world about their struggle with security tools and other products that lack the flexibility needed to support their particular environments. In some cases, it’s a problem of scope and scale. Large companies with highly virtualized environments must find ways to configure, patch, modify, and otherwise manage the thousands of systems they deploy globally and, more importantly, do so in accordance with their own policies or system requirements. As we all know, no two companies handle these things the same way, so why would you use software that only allows you to perform its functions in a single way?

In other cases, it may not be about size, but about the peculiarities of a specific company’s needs and business processes. A patch management system that relies on an Active Directory implementation to deliver Windows patches does little good for an energy company running older Unix systems that aren’t bound to a Microsoft directory service. Add the need to isolate these systems (often in a fully air-gapped configuration) from other parts of the network, and a tool that can only deploy patches in that one dedicated way becomes useless to such an organization. The deployment tool must be customizable and flexible enough to support non-standard or uncommon configurations in order to let the business accomplish its mission.

It’s an old dilemma, really. Too often, organizations adjust and compromise their internal processes and methods to accommodate the tools they purchase, when we should be demanding software that accommodates the processes and methods our business requires. Software with the flexibility to extend both its functions and its form is the key piece that can turn a simple layer of defense in your security program into a powerful tool for building efficiency and reducing overall risk to the organization. You also get the added efficiency of not having to rewrite your internal processes, while your admins and other users work with a tool that supports the methods they already know and are trained in. There is a huge overall benefit to be realized by leveraging these kinds of tools.

So, what should we be looking for as part of our review processes for new tools? Well, as Adobe mentioned in the use case, security tools like Thycotic Secret Server, which have extensive APIs, are a great start. APIs allow you to automate most, if not all, of the administrative and rote tasks that are repeated constantly in your technology processes. Not only do you take away the human error problem, but you can accomplish these tasks far more quickly and at a much larger scale by leveraging API programming to automate these tasks. Additionally, look for tools that support the use of scripting to extend the functionality of what they can do. Most IT admins today rely heavily on scripting languages to automate their own day-to-day tasks, so why not leverage what’s already in place today? If a sysadmin has already written a Perl script to properly restart services on a target host after it’s patched, why wouldn’t you want your patch management tool to simply execute that existing script automatically whenever that system is patched? Being able to extend out the use of these security tools without having to re-write or recreate the functions enables you to make the most out of your investment without spending additional time and money to create new customized tools or worse, bringing in expensive consultants to make the tool do what you need.

Adobe has shown how effective and efficient processes can become when automated with the right toolset. Getting there, however, relied on the ability to be flexible enough to support their processes in the way they needed them to be executed. If you’re looking to find the same sort of efficiency benefits for your organization, make flexibility, and extensibility a requirement for any of your reviews of new tools no matter in what area of the organization they’re needed.

Want to learn more about more about our web services API? Watch our How-to: Web Services for Secret Server API video.

HIPAA: Closing the Gap between Being Compliant and Being Secure with Secret Server


With digital medical records, patient online portals, and other electronic methods of healthcare management, maintaining a secure network is critical to meeting the Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements. HIPAA’s security requirements are made up of technical security measures, which require covered entities to maintain reasonable safeguards for protecting electronic protected health information, most commonly known as e-PHI.

The safeguards include standards such as access control, authentication procedures, transmission security, and audit control. All of these were created and are implemented with e-PHI in mind, but not necessarily the local or domain accounts that run dependencies on the machines storing or interacting with the e-PHI. With HIPAA not mandating how entities should manage access to and rotation of these accounts, research by the Department of Health and Human Services (HHS) has shown an increase in malicious targeting of the healthcare system. Targeted attacks such as ransomware take advantage of the 243 days that HHS found it takes most HIPAA compliant environments to detect malicious activity. These security gaps have led to the number of Americans affected rising from 7.4 million in 2014 to 41 million in 2015.

Thycotic’s Secret Server is a solution for closing the gap between meeting compliance mandates and making your technical environment truly secure. Secret Server manages the availability, rotation, and integrity of the privileged accounts that allow access to e-PHI. The tool provides a centralized, encrypted location for password storage, the ability to restrict access by role, full auditing of credential usage, and automatic password changing. Add a custom security policy to Secret Server to automatically change passwords at required times, enforce password length and complexity requirements, and ensure sensitive systems maintain a high level of access control and oversight over privileged accounts. Those are just a few of the Secret Server features that protect access to your e-PHI data while helping your company meet HIPAA Security Rule requirements.

Want to also learn how Secret Server can also protect against ransomware attacks?  Find out how to protect healthcare systems by eliminating ransomware’s ability to install on your network — keeping your healthcare systems running so your healthcare teams can make time-sensitive health decisions for your patients. Download the healthcare ransomware white paper today.

Mac Launcher Deep Dive: What You Need To Know


One of the most requested features on our feature vote tracker of all time has been native support for a Mac OS X session launcher with the same capabilities and functionality as the Windows launchers. You asked and we answered: Secret Server 9.0 includes the first version of the Mac launchers. Here’s everything you need to know about getting started with Mac launchers in your environment.

Mac Session Launchers

The session launchers for Mac are very similar to the Windows session launchers. The architecture consists of a protocol handler client, installed on the OS X workstation, that recognizes when a user clicks a launcher in Secret Server and opens the session.

If you don’t have the protocol handler, Secret Server will detect that the launcher didn’t work and will prompt you to download it.

[Image: Protocol handler failure to launch notification in Secret Server]

Download and run the OS X application, and the wizard will guide you through step by step on installing the protocol handler.

After installation, you should be able to open SSH and Remote Desktop sessions from Secret Server. Just like on the Windows side, no additional software is needed for SSH and RDP sessions. Secret Server opens SSH sessions in Terminal, and the protocol handler packages a version of the FreeRDP utility for remote desktop connections.

[Image: Secret Server SSH session in Terminal]

When connecting to a server or the Secret Server proxy for the first time, you will get prompted to trust the host key as a security measure to prevent connecting to an unrecognized server.

[Image: Trust host key notification in Secret Server]

Once you trust the host key, it is recorded in your known_hosts file (not authorized_keys, which holds the public keys allowed to log in to an account), and you won’t be prompted again for that server. If the same server later presents a different key, SSH will warn you instead of connecting silently; treat that as a possible man-in-the-middle until you have confirmed the key really changed.
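To make the first-connection prompt concrete, here is an added example (not part of the original post or the Secret Server client) of the trust-on-first-use logic that OpenSSH’s known_hosts file implements. On first contact the only available decision is to ask the user; on later contacts a matching key connects without a prompt, and a changed key is refused outright rather than re-prompted. The key blobs are constructed stand-ins, and the fingerprint format mirrors OpenSSH’s SHA256 base64 style.

```python
import base64
import hashlib


class HostKeyMismatch(Exception):
    """The server presented a key that differs from the one trusted earlier."""


def fingerprint(key_bytes):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the key's digest."""
    digest = hashlib.sha256(key_bytes).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """Minimal trust-on-first-use store, the role known_hosts plays for OpenSSH."""

    def __init__(self):
        self._trusted = {}  # (host, port) -> fingerprint accepted by the user

    def is_trusted(self, host, port):
        return (host, port) in self._trusted

    def check(self, host, port, key_bytes, ask_user):
        """Return True if the connection may proceed.

        ask_user(host, fingerprint) is the "trust this host key?" prompt; it is
        only ever called on first contact.
        """
        fp = fingerprint(key_bytes)
        entry = self._trusted.get((host, port))
        if entry is None:
            # First contact: nothing to compare against, so ask, and only
            # remember the key if the user actually said yes.
            if not ask_user(host, fp):
                return False
            self._trusted[(host, port)] = fp
            return True
        if entry != fp:
            # Known host, different key: refuse. Silently re-prompting here is
            # exactly how a man-in-the-middle gets its key accepted.
            raise HostKeyMismatch(f"{host}:{port} expected {entry}, got {fp}")
        return True  # known host, matching key, no prompt


if __name__ == "__main__":
    kh = KnownHosts()
    key = b"ssh-ed25519 constructed-key-for-the-proxy"
    print("first connect:", kh.check("proxy.example", 22, key, lambda h, fp: True))
    print("second connect:", kh.check("proxy.example", 22, key, lambda h, fp: False))
```

The second call passes a prompt that would answer "no", yet still succeeds: once trusted, the key is checked against the store and the user is not asked again, which is the behaviour the launcher describes.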

You can use the Mac session launchers the same way as the Windows launchers, including session proxying, session recording, and session monitoring.

Custom Launchers

One area that requires additional configuration is with custom launchers. On the Windows side these can be configured by either passing in command line arguments or running an application as an identity, such as an MMC snapin or a PowerShell script as a domain user.

With the Mac custom launchers you can pass in parameters, or upload a shell script to run. So, for example, if you wanted to run SecureCRT as your preferred SSH launcher, you would specify the application path and then the process arguments for the application. You can set different ways to launch the app on Windows and Mac, so both environments can use SecureCRT and Secret Server knows how to start it on each platform.

[Image: Mac settings in Secret Server]

Shell scripting is another option for running custom processes on the Mac. Just create a shell script and specify the shebang line, such as #!/bin/sh or #!/usr/bin/python, and the Mac will run the script using the specified interpreter. So you can create a Python script to run a utility, or call out to AppleScript to automate a login to a GUI.

Going forward we will be adding new features and enhancements to the Mac launcher based on user feedback. If there are built in launchers you’d like to see please let us know in the comment section below.

Curious about enhancing security by enforcing least privilege on Unix/Linux root admin accounts? Learn more about our Thycotic Privilege Manager for Unix.


Avoid being the next victim of cyber crime


Every advanced persistent threat uses application vulnerabilities and privileged accounts to gain access so it can reach its target and carry out fraudulent or malicious activity. Mitigating these threats means getting visibility into who has privileged access, and into which systems pose the highest risk because they can download and install applications from the internet without proper security controls, so that you are not the next victim of cyber-crime.

  • Discover and reduce privileged users/accounts
  • Before allowing applications to install or execute, check whether they are safe
  • Continuous protection and detection against cyber threats

Cyber threats are real and everyone is a target. No one is excluded, and you must take action to understand what these risks are and how they impact your business. Cyber security awareness and training should now be mandatory for anyone operating computer resources or technology that is critical to business functions. The biggest threats today are targeted phishing and advanced persistent threats aimed at an organisation’s valuable assets, and they use multiple hacking stages to carry out their work. These stages include:

  • Reconnaissance
  • Gaining access
  • Pivot building
  • Privilege escalation
  • Maintaining access
  • Malicious activity
  • Covering tracks

Reconnaissance is a stage for learning as much about the organisation as possible with information that is already available on the public internet.  Gaining access typically uses targeted phishing attacks or known vulnerabilities in systems and applications that allow an attacker to gain access and get through the perimeter security defenses followed by discovering the network.  The difference between a low severity breach and a high severity breach is the privileged account that has been compromised.  The privilege escalation stage of the attack determines how damaging a cyber breach will impact the organisation; this is the difference between compromising a single device or users credentials and the entire organisation.  Once a privileged account is compromised the attacker can carry out the next phases of the attack to maintain access, carry out fraudulent activities, ransomware, stealing sensitive data or malicious activity.

Thycotic can help organisations protect against and detect these cyber threats by reducing the avenues for gaining access, mitigating system vulnerabilities, discovering and securing privileged accounts, and making it harder for an attacker to maintain access.

Learn more about how Thycotic can help your organisation mitigate against cyber threats by starting a free privileged account management trial today.

How Security Can Make IT More Productive

Recently, IDC posed the question “Can Security Make IT More Productive?”

In their Technology Spotlight, IDC examined the transformation security is undergoing, from a negative to a positive role and from an obstructionist to an enablement role. The paper also highlighted how Thycotic solutions help address the associated challenges.

According to IDC, Privileged Access Management (PAM) is foremost on the minds of enterprises as they defend against credential theft and other account compromise. The focus on shared accounts and partner access continues to drive the need. Furthermore, the architecture lends itself to broader use as user activity monitoring and dynamic authentication become more popular.

Thanks to companies such as Thycotic, the PAM space continues its robust growth.

At Thycotic, we believe that it’s critical to secure privileged accounts in today’s environments. Privileged accounts are used in many devices including servers, operating systems and databases. Attackers target privileged accounts to gain access and escalate their privileges, eventually gaining access to confidential information.

Because these “bad actors” are using the privileged credentials of an authorized user, they can be very difficult to identify once access has been attained.

The situation is exacerbated by:

  • Unknown and unmanaged admin accounts
  • “Privilege creep” that unknowingly causes low-level admins to accumulate dangerously high levels of privilege over the years
  • Default accounts and passwords that were never changed
  • Superuser/root accounts and passwords that are shared among many admins

To address these issues, many organizations still depend on manual systems, which are inefficient and ineffective.

In an effort to make systems easier to use and operate, while being more secure at the same time, we recently unveiled Secret Server 9.0, the latest version of our flagship solution which enables businesses of all sizes to store, distribute, change and audit passwords in a secure environment. Secret Server 9.0 provides organizations with a fundamental security layer to protect against cyber-attacks that target privileged accounts to get at critical information assets within an organization.

Get more information on Secret Server 9.0 and discover why nearly 4,000 companies worldwide, including Fortune 500 enterprises, rely on Thycotic for the best PAM and security available on the market today.

Privileged Passwords and PCI-Compliance

Guest post from Alpha Generation, a Thycotic certified partner that specializes in IT distribution with a focus on proactive security in the UK.

Anyone who handles payment card data is affected, so most of us have heard of the Payment Card Industry Data Security Standard (PCI-DSS). It establishes key expectations for protecting cardholder data, whether you’re handling a transaction or keeping details in storage.

When you think of PCI, you probably think of your go-to defensive measures. You’ll have carefully considered the role of your firewall, your anti-virus, and any intrusion prevention systems and made sure they meet the required standard.

However, with the rise in insider threats, protecting your network at the edge is just one part of effective security. So, as you’d expect, PCI compliance also covers the way you should handle accounts, and privileged passwords – both how they are used and how auditable that is.

How are accounts and privileged passwords used?

Requirement 7.1.2 of PCI DSS states that you must ‘Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities’.

That means equipping users with a login that is appropriate to the task at hand – not an all-encompassing root that gives them more power than they need.

Fundamentally, you’d achieve this by managing a large number of logins, each with their own level of access to a system or the wider network. However, it is important to consider the impact of every account – the additional administrative burden that every login represents.

Meanwhile, your root-level accounts are a cause for concern. The blanket access they offer is just too widespread to be ‘least privilege’ for most roles.

However, it’s possible to enforce least privilege on root admin accounts. SSH command whitelisting limits the commands that are available to an admin, effectively stripping unnecessary privileges away from the login. This is an effective way to make root accounts more granular and tailored to job responsibilities.

Are your privileged accounts really auditable?

Requirement 10.2.2 of PCI DSS states you must ‘Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges’.

In short, you need to know who is using a privileged account at a given moment, and what they are doing with it.

The problem is how we really use our passwords. In an ideal world, every account would only be used by a single admin. In practice, those privileged accounts are routinely shared by several people in a team. That’s the way of working that makes sense. That’s how we really get things done.

In that context, accountability is quite simply impossible. While you can see which login is being used, there’s just no way to verify who is using it.

Thycotic Secret Server gives you a centralised, secure repository where your passwords can be stored. When a user needs access, they retrieve the password from this encrypted vault. As a result, you can generate a full audit trail for your passwords, and effectively link them to individuals.

Meeting your PCI obligations with Thycotic

In essence, PCI compliance depends on your ability to:

  • Give your users the least privileges for the task they need to carry out
  • Maintain full visibility over how accounts are used, even if they are shared between different team members

Thycotic offers an entire suite of tools to help you meet these obligations quickly and easily, including:

The Triple A’s of Privileged Account Protection- A Customer Case Study

Founded in 1993, Community IT Innovators provides a variety of managed IT services to over 150 organizations in the United States. As they grew, they quickly realized that their homegrown privileged account management solution needed to be replaced with a more scalable and secure solution that would also be capable of auditing credential usage and changing passwords remotely. They ultimately chose Thycotic Secret Server because of its feature set and ability to solve their problems directly.

Access Control

Community IT Innovators often found themselves having consultants use privileged accounts to access client systems to perform services. Naturally, this can lead to unintentional circumstances where one such consultant is able to access credentials for an account that has nothing to do with his/her job function. One of the most basic rules of cybersecurity is the policy of least privilege: a user should only have access to those resources absolutely necessary to perform his/her job function. Thycotic Secret Server provides an easy-to-use interface to show who has privileges on a Secret and what those privileges allow him/her to do.

Auditing

In addition to controlling who can access a privileged account, it is important to audit when it was accessed, by whom, and what actions were taken with it. Thycotic Secret Server not only logs these events, but administrators can choose to receive an email notification when a Secret is viewed, its privileges are changed, its fields are edited, or several other events pertaining to it occur. In addition, Thycotic Secret Server supports integration with CEF/syslog systems in the Enterprise Plus Edition, allowing logs to be exported for easier viewing, possibly on a separate server.

Authentication

The separation of privileges provided by Thycotic Secret Server would be useless if a user with malicious intent was able to log into a technician’s Thycotic Secret Server account and use its privileges to access client networks unauthorized, leaving behind an audit trail that would point the security team to the technician – the victim in this situation. Community IT Innovators therefore makes use of Thycotic Secret Server’s two-factor authentication capabilities, requiring users to input one-time passcodes sent to an email or cell phone to access their Secret Server accounts.

Want to learn more about Community IT Innovators’ use case? Download their full use case here and find out how they protect their non-profit clients with Thycotic’s enterprise-level password management software, and watch their full story below!

The more you know about where your privileged accounts are in your Windows environments, the better

I remember watching Saturday morning cartoons when they would air a lot of those public service announcements with the shooting star tagline “The More You Know” (yes, I’m dating myself a bit here).  I still see that pop up every now and then as a meme on Facebook or Twitter somewhere. But, as funny as it can be nowadays when the internet gets a hold of it for one funny GIF or another, there’s a pretty relevant idea buried in this that the Information Security industry can really take to heart, especially in an era where things move as fast as they do, and organizations are constantly bombarded with one-size-fits-all solutions promised by one vendor or another.

Sure, we all want to find a way to improve the security posture of our organizations, and most of us in technology got there because we’re really good at finding the path of least resistance when it comes to accomplishing tasks. But often, decision makers will skip one very key step in the process when selecting a software product and trying to implement it as a security control on their network. That being, they don’t have a good handle on what they have, what’s actually going on within their network, or what the scope of the problem is that they want to solve. As one of my favorite SANS instructors told me (and has been echoed by many): You can’t protect what you don’t know you have.

When I first started here at Thycotic, one of the features of Secret Server that jumped out at me was the various discovery tools in the suite for Windows, Unix, and VMware accounts. I distinctly remember the conversation I had at that time with our company founder when he first showed it to me:

Nathan:     “So, wait. You have a module here that will automatically scan and find all these privileged accounts wherever they are and how they’re being used?”

Founder:   “Yes. Just something we tossed in to make it easier to populate the encrypted store.”

Nathan:     “Wait, wait, wait… this was an almost incidental tool?!? If I had known this back in my days as a sysadmin, this would have solved SO many problems for me!”

Founder:   “Really? That’s cool. Maybe you can let more people know about it.”

Nathan:     “Not just that, but maybe we should make this a tool people can use to scope out their network and see just how many accounts they have running around out there. THAT would be cool!”

Well, I’m pleased to say that somewhere along the way, that conversation must have stuck because we’ve recently released a standalone version of that very module as the Privileged Accounts Discovery for Windows tool. And best of all, it’s free.

Now, you can use a very simple, purpose-built tool that can scan the Windows systems on your network and identify where privileged accounts exist on your systems, how they’re being used (running Windows Services, Scheduled Tasks, etc.), whether or not they’re expired, and much more information about each credential. All of this can be output in a CSV file that you can use to do some additional analysis, or to an Executive Risk Report in PDF format that will represent the findings in charts and graphs along with providing remediation recommendations.
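The same kind of inventory the tool produces (who is in local Administrators, which accounts run services and scheduled tasks, which passwords never expire) can be gathered read-only with built-in PowerShell; the script below is an added example for illustration, not Thycotic's tool or its code. It assumes PowerShell 5.1 or later on the targets, WinRM reachable from the scanning host, the RSAT ActiveDirectory module installed there, and a scanning account that is a local administrator on each target; the output path and OU placeholder are assumptions.

```powershell
# Added example: a read-only PowerShell inventory of where privileged accounts are
# used on domain-joined Windows hosts. Not Thycotic's tool or code.
# Assumptions: PowerShell 5.1+ on targets, WinRM reachable, the RSAT ActiveDirectory
# module on the scanning host, and a scanning account that is a local administrator
# on each target. $OutputCsv and $SearchBase are placeholders.
param(
    [string]$OutputCsv = '.\privileged-account-inventory.csv',
    [string]$SearchBase = ''   # e.g. 'OU=Servers,DC=example,DC=com'; empty = whole domain
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Target list: enabled computer objects from Active Directory.
$adParams = @{ Filter = 'Enabled -eq $true' }
if ($SearchBase) { $adParams.SearchBase = $SearchBase }
$computers = Get-ADComputer @adParams | Select-Object -ExpandProperty DNSHostName

# 2. Collection script run on each host. It only reads configuration; nothing is
#    changed and no credential is tried, so the scan cannot lock an account out.
$collect = {
    $here = $env:COMPUTERNAME
    $rows = New-Object System.Collections.Generic.List[object]
    function Add-Row($usage, $account, $detail) {
        $rows.Add([pscustomobject]@{ Computer = $here; Usage = $usage; Account = $account; Detail = $detail })
    }

    # Members of the local Administrators group (local and domain principals).
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object { Add-Row 'LocalAdministrators' $_.Name $_.ObjectClass }
    } catch { Add-Row 'LocalAdministrators' '<error>' $_.Exception.Message }

    # Services whose logon account is not one of the built-in service identities.
    $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) -and ($_.StartName -notlike 'NT SERVICE\*') } |
        ForEach-Object { Add-Row 'Service' $_.StartName $_.Name }

    # Scheduled tasks that run as a named user rather than a system identity.
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and ($_.Principal.UserId -notmatch '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|S-1-5-(18|19|20))$') } |
        ForEach-Object { Add-Row 'ScheduledTask' $_.Principal.UserId ($_.TaskPath + $_.TaskName) }

    # Enabled local accounts whose password is set to never expire.
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordExpires } |
        ForEach-Object { Add-Row 'LocalUserNeverExpires' $_.Name "PasswordLastSet=$($_.PasswordLastSet)" }

    $rows.ToArray()
}

# 3. Run the collection over WinRM; hosts that cannot be reached are recorded, not fatal.
$results = @(Invoke-Command -ComputerName $computers -ScriptBlock $collect `
                -ErrorAction SilentlyContinue -ErrorVariable reachErrors)
foreach ($e in $reachErrors) {
    $results += [pscustomobject]@{ Computer = $e.TargetObject; Usage = 'Unreachable'; Account = ''; Detail = $e.Exception.Message }
}

# 4. Enrich domain accounts with password facts from AD, then write the CSV.
$netbios = (Get-ADDomain).NetBIOSName
$adCache = @{}
$report = foreach ($r in $results) {
    $neverExpires = ''; $lastSet = ''
    if ($r.Account -like "$netbios\*") {
        $sam = $r.Account.Split('\')[1]
        if (-not $adCache.ContainsKey($sam)) {
            $adCache[$sam] = Get-ADUser -LDAPFilter "(sAMAccountName=$sam)" -Properties PasswordNeverExpires, PasswordLastSet
        }
        if ($adCache[$sam]) { $neverExpires = $adCache[$sam].PasswordNeverExpires; $lastSet = $adCache[$sam].PasswordLastSet }
    }
    [pscustomobject]@{
        Computer = $r.Computer; Usage = $r.Usage; Account = $r.Account; Detail = $r.Detail
        DomainPasswordNeverExpires = $neverExpires; DomainPasswordLastSet = $lastSet
    }
}
$report | Export-Csv -Path $OutputCsv -NoTypeInformation

# 5. Console summary: findings per category, then domain accounts that run services or
#    tasks with a password set to never expire (the highest-priority remediation list).
$report | Group-Object Usage | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.DomainPasswordNeverExpires -eq $true -and $_.Usage -ne 'LocalAdministrators' } |
    Format-Table Computer, Usage, Account, DomainPasswordLastSet -AutoSize
```

The CSV is the raw inventory; the final table is the short list a practitioner would take to the owning teams first, because a never-expiring domain account wired into a service or task is exactly the credential that outlives staff changes and password policy.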

Free Privileged Account Discovery for Windows

If you’re a decision maker looking into purchasing a full-fledged Privileged Account Management solution, this tool is an excellent first step that can give you visibility into the true scope of what you’re going to be dealing with. Know up front how big the problem is so that you can ensure you purchase the right product with the right feature set the first time. Don’t budget for something that turns out isn’t able to get the job done and have to go back to your executives or finance team to request even more budget and go through the whole process again. If you’re an operations team member or a sysadmin, this sort of tool will help you have a better understanding of what the implementation will look like, which stakeholders and other admins may need to get involved and maybe even reveal some of those servers and workstations that have slipped through the cracks of your inventory or asset management system. And for security folks, this kind of visibility is absolutely key to be able to find where the possible attack vectors are in the environment and begin to build the necessary controls to lock them down and protect the assets these privileged credentials are able to access. All of this, from a free tool no less.

There’s so much benefit for all teams involved that skipping that initial step of understanding what you have and the full scope of the problem you’re trying to solve needs to be avoided at all costs. There are plenty of ways to do these assessments quickly and efficiently, with the long-term return being more than worth the investment in taking that beginning step. So, decision makers out there? Consider this your own personal Public Service Announcement to help during your next software purchase. The More You Know, indeed…

Thycotic Launches Free Privileged Accounts Discovery for Windows

WASHINGTON, Feb. 2, 2016 /PRNewswire/ — Thycotic, provider of privileged account management solutions for more than 4,000 organizations world-wide, today announced that Privileged Accounts Discovery for Windows is now being offered for free. Designed with security pros, IT management and C-level executives in mind, the tool provides one collection point for all Windows privileged accounts, generates detailed reports, indicates the status of privileged passwords, and identifies potential security risks they may represent.

Privileged accounts are often overlooked by security and IT teams. Administrators manage user accounts with Active Directory policies, but rarely change or review local Windows and service accounts. Thycotic’s Privileged Accounts Discovery for Windows summarizes the health and risk of these accounts by analyzing passwords to determine if they have been changed and whether or not they have been set to never expire. The solution identifies those passwords that may be targets for external and internal threats and helps identify what the actual risk is.

“We believe there is nothing currently available on the market that is comparable to this solution, even among commercial products,” said Nathan Wenzler, Executive Director of Security at Thycotic. “In order to assist organizations with taking that critical first step to protecting privileged accounts, we are providing this free solution so they can easily discover what’s out there without risk of locking out accounts or changing their IT environments.”

Privileged Accounts Discovery for Windows is simple and secure; simply download it and step through the intuitive interface. This free solution scans an organization’s Windows systems without using agents and with limited impact on network bandwidth. All the solution requires to run is an Active Directory domain credential to scan the network. The remote scan runs quickly and doesn’t need complex configuration. Once completed, a full list of local Windows and privileged accounts and management-ready summary reports are provided.

Privileged Account Discovery for Windows will save organizations hours of effort while making their organization much more secure from hackers targeting privileged account credentials. Key features include:

  • Simplicity – Just run once per Active Directory domain, and the Privileged Accounts Discovery tool does the rest. It generates executive-ready reports and a spreadsheet inventory of the accounts it found. The tool can be copied and run wherever needed, at no charge.
  • Privacy – No privileged passwords are ever reverse engineered or discovered by the tool. The executive summary report aggregates data, and only account names are shown in the inventory. No sensitive information is stored in the tool and no exposure of end user domain usernames is displayed.
  • Valuable data – Data is ready to be used immediately. Reports are produced for the executive team and detailed lists are created for security and IT admins indicating where privileged accounts are used.
  • Actionable reports – At the click of the mouse, management reports are generated into presentation-ready materials for use in risk analysis, security assessment, and cost justifications. Easy-to-understand summary reports are available, along with inventory reports to find and remediate critical privileged accounts.
  • Security – Thycotic Privileged Accounts Discovery for Windows locates passwords that have never been changed or that violate your company’s security or compliance policies. Find vulnerable passwords and backdoor accounts before attackers do.

Follow Thycotic on Twitter at @Thycotic.

Using Secret Server as Proactive Security Defense at Saab

As vice president and CIO at Saab Defense and Security USA LLC, Per Hammarin manages a 10-member IT team in Washington, DC, which is part of a parent organization based in Sweden.  Over more than 30 years and progressive positions within the civil aircraft and defense subsidiary of the company known for its iconic automobiles, Hammarin has worked all over the world in IT management roles.

In 2010, Hammarin helped to select Thycotic Secret Server Enterprise Plus edition as the privileged account management tool for the Saab Defense and Security parent company of 300+ users worldwide.

Hammarin, like many other customers evaluating Thycotic to address their privileged account management needs, chose to deploy Secret Server for the combined benefit of ease-of-use and effectiveness. “You don’t have to read a hundred page manual or hire professional services to figure out how the system works.”

While the possibility of hackers compromising privileged account credentials may seem like an obvious risk to most, Hammarin takes advantage of additional security features to deter potential insider threats. For example, Saab has leveraged Secret Server’s:

  • Easy importing, making it simple for different teams to consolidate individual password files (Excel, documents, and dispersed tools).
  • Event Subscriptions to receive instant e-mail alerts when users access certain secrets.
  • Audit logs to gain visibility over what the IT team is doing regarding their job duties.
  • Heartbeat feature to detect if administrators change passwords outside of Secret Server.

“You have to recognize that sooner or later, an unauthorized person may get into your system; it’s just a matter of time,” Hammarin emphasized. “And if that happens, the odds are they will not be easily detected for months—the average time is now about 180 days before an intrusion with compromised credentials is discovered.” Since they’ve deployed automated password changing, Secret Server will have replaced the majority of credentials with new passwords several times in that timeframe, making a brute force attack less viable.

Learn more about Saab’s experience with Secret Server and Thycotic in the full case study, or watch Hammarin’s interview, ‘How does SAAB feel about its Password Management solution?’.

Integration Spotlight: Enhanced Security with Credentialed Vulnerability Assessments with Tenable

Organizations today are only barely scratching the surface when it comes to vulnerability assessments with unauthenticated scans. Unauthenticated scans still leave many unknowns that leave your organization vulnerable to attack.

Credentialed Vulnerability Assessments Made Easy

We are excited to announce our partnership and integration between Nessus® Cloud and Nessus® Manager and Thycotic Secret Server. The seamless integration provides secure storage of privileged credentials in Secret Server and their automatic retrieval at scan time by Nessus®. This makes it easy to perform credentialed scans while keeping full accountability and control over your organization’s privileged credentials.  The integration also dramatically improves security by reducing pass-the-hash exposure, automates the entire process for all the devices on your network, and ensures all devices are scanned while being audited for later reporting.

Why Thycotic and Tenable

Incorporating a credentialed vulnerability assessment into your security program means your organization will have access to faster and more reliable information around detection and mitigation. No longer do your Security Administrators have to be burdened by the logistics of credentialed network vulnerability assessments.  Matt Alderman, vice president of strategy at Tenable Network Security, said in the alliance release announcement, “Password management for credentialed scans can be challenging, and without authenticated scans, customers can miss local vulnerabilities, misconfigurations, and other security issues that expose hosts to compromise. This integration helps our customers more easily manage credentials to run authenticated scans, giving them the visibility they need to manage security threats across all of their assets.”

Isn’t it time to make managing credentialed scans seamless and secure?

Learn more about the integration between Tenable Nessus® and Thycotic Secret Server during our upcoming ‘Automating Credentialed Vulnerability Assessments’ webinar on Thursday, July 19th. Register now!

Top 5 Reasons for Privileged Account Management in the Cloud

The wait is almost over. We couldn’t be more thrilled to announce Secret Server Cloud and to give you the option to exercise freedom of choice in Privileged Account Management security. Immediately get the privileged account protection your organization needs without the costs of heavy upfront expenses around new hardware and software licenses. Secret Server Cloud brings everything your enterprise needs with complete simplicity and support. If immediate return on investment is not enough, here are 5 other top reasons you need Secret Server Cloud.

  1. Meet compliance immediately. Feeling high pressure from your auditor or security team to meet compliance around privileged accounts? PCI Compliance and HIPAA are becoming increasingly important and expensive. We satisfy their regulation requirements along with your team’s pressures without breaking your budget.
  2. High Availability and Disaster Recovery are built in. Stop worrying about whether or not the front end application is available. Get your life back and let us take care of the stress of protecting your data from disaster events.
  3. No upfront costs. Tired of balancing the need for stronger controls with the high cost of enterprise software? You finally have the chance to easily set up, manage, and maintain a Privileged Account Management (PAM) solution at a low subscription-based cost.
  4. Endless Support. We have an award-winning support team ready to help whenever you have a question or problem. We’ve developed the solutions around our customers’ needs. If you have a feature request or want to offer feedback, you have an extended team ready for you.
  5. Guaranteed the best PAM Cloud offering. Yes, we feel confident enough to toot our own horn. With over 7,500 customers worldwide and over 20 years of experience in privileged account management software, our cloud offering has the power, security, and intelligence of Secret Server on premise, but now in the cloud.

You aren’t just purchasing a product, but investing in a partnership with the leading privileged account management team. With this investment we want to make it easier than ever to protect your business from hackers and cyber criminals. Sign up now to make sure you get a preview of Secret Server Cloud before general availability.

What are you most excited for with Secret Server Cloud? Let us know in the comment section below.

Everything you need to know about Secret Server’s New Add-on Modules

It’s time to boost your Secret Server productivity with our new add-on modules created to give you the customization and features your organization needs. Save time and effort while increasing your security when you enhance your Thycotic Secret Server solution with any of these integrated add-on modules. Choose which edition you currently use or are interested in to learn about our recommended add-ons.

Professional Edition:

1.) Service Account Manager – Discover and manage all of your service accounts, their credentials, and their dependencies to eliminate vulnerabilities and automate password protection.

2.) Secret Workflow – Gain additional automated protection of your privileged accounts with this workflow module that enables:
• Onetime checkout of a password which is automatically changed when checked back in
• Request access, which requires an assigned user to approve access to a Secret
• DoubleLock allows users to self-encrypt individual Secrets for added security

3.) Add-on Sampler Pack – Gives you an easy way to sample several security boosting upgrades including:
• Session Recording lets you record and view proxy connections after their use
• UNIX SUPM lets you whitelist the commands available to super users in UNIX-based sessions
• Application API enables you to retrieve privileged credentials on the fly from Secret Server, and lets developers remove hardcoded passwords in application files while substituting an API to request those credentials.

Enterprise & Premium Editions:

1.) Application Server API – Enables you to retrieve privileged credentials on the fly from Secret Server, and lets developers remove hardcoded passwords in application files while substituting an API to request those credentials.

2.) Advanced Auditing – Integrates your Secret Server events directly with your SIEM solution to enhance your monitoring and analysis data, giving you a more complete picture of your security posture.

3.) HSM Integration – Allows you to store Secret Server’s unique encryption key in your third-party HSM solution.

See how these Secret Server upgrades can boost your privileged account password protection with add-on modules that deliver time-saving functionality. Watch our quick overview video to see which add-on modules are right for you.

Which add-on module are you most excited for?

How to meet FISMA Compliance in 9 Steps

Any organization that maintains a computer network is vulnerable to outside attacks.  Even if it is a single computer in someone’s home, break-in attempts are constant with hackers automatically pinging addresses (including your home router) looking for cracks they can sneak through.  At home, it’s bad enough that the exposure is your personal data including family photos, bank, and financial information and other personal information.  Now, apply that to the federal government, the FBI, IRS, DoD, etc.  The data here obviously needs to be protected.  If something is stolen and leaked there, it could be devastating.

If you work in security for the federal government or have any dealings with computer systems for any government agency, you know there are policies in place to generally protect systems across the board. No matter if they are a PoS (point of sale) system, web server, mail server, or servers housing top secret data.  The high-level compliance driver today for the federal government is something called FISMA, or the Federal Information Security Management Act guidelines.  FISMA is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats.  FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely, and efficient manner.

The National Institute of Standards and Technology (NIST) outlines nine steps toward FISMA compliance:

1. Categorize the information to be protected.
2. Select minimum baseline controls.
3. Refine controls using a risk assessment procedure.
4. Document the controls in the system security plan.
5. Implement security controls in appropriate information systems.
6. Assess the effectiveness of the security controls once they have been implemented.
7. Determine agency-level risk to the mission or business case.
8. Authorize the information system for processing.
9. Monitor the security controls on a continuous basis.
(http://searchsecurity.techtarget.com/definition/Federal-Information-Security-Management-Act)

Here are some common sense approaches you can apply to meet not only some of these requirements, but other standards found across the computer industry.

What do you need to protect?  Most data and other security assets can only be accessed using a privileged account, so it makes sense to start there.  We recommend protecting privileged access across the enterprise and locking down Windows endpoints to prevent a hacker from getting access to privileged accounts.  We note that this does not necessarily prevent hackers from getting in, but it protects valuable computer assets when they do compromise the perimeter – and there is a high probability they will.  It’s not a question of if, it’s a question of when, and how many times.  And we are not just talking about external hackers and threats – we are talking about internal threats as well.

The Thycotic approach

To simplify our approach at Thycotic, here is what we do:

1. Discover accounts on computer assets (workstations, servers, switches, routers, *NIX systems)
2. Identify (on Windows systems) which of those accounts have administrative rights. These are the accounts you need to control access to, because this is what hackers are looking to compromise.
3. Remove administrative rights from day-to-day users. Keep all ‘regular’ users in STANDARD USER CONTEXT.
4. Control access to those administrative accounts that remain.
5. Discover which applications require administrative rights – if you don’t know already.
6. Apply application controls around all processes/programs/executables/installers run by both end users and administrative users.
a. Including the ability to protect systems from the unknown by applying real-time application analysis to protect against zero-day attacks, ransomware and other malicious software.

With this approach, you can keep the bad guys away from your data, and keep them (or anyone else using an email attachment, or a browser session, etc.) from running bad things on your computers – workstations or servers, real or virtual.

If you can do all of this, provide a centralized place to manage all of it, AND provide (in that same centralized location) the ability to create clear audit reports around all of this security management, you are well on your way to meeting compliance – not only with FISMA, but with other standards as well.

Privileged Manager for Windows applies application control policies to both workstations and servers to control what a user or an administrator can run on the endpoint.

Compliance is mostly about common sense. Once you read all of the small print included in the standards you need to follow, it really boils down to this:

• Control access to data and resources
• Provide backup and recovery mechanisms for your data
• Get everyone onboard to use the controls you put in place to protect your data
• Make sure you can prove your controls are working

Here at Thycotic, we can get you well on your way in putting compliance practices in place no matter the standards that govern you and your organization.

The Mission of Secret Server Free


The Threat

Not only do privileged accounts exist on every network, but they exist on nearly every aspect of it. The router has an administrative login, the database has one, and every workstation has either a local or domain administrator account that can be accessed from it. The reality is that these accounts, if compromised, can provide an attacker or malicious insider control of your network and the data stored on it. Data could be lost or stolen, causing potentially catastrophic damages to the business not just financially, but also in terms of the company’s image and brand.

The Proactive Defense

Thycotic Secret Server helps to discover, secure, and monitor activity of these privileged accounts so that they have a much lower risk of being compromised and used to gain control of the network. Secret Server is a web application that places privileged account information in a centralized Microsoft SQL Server database protected by AES-256 encryption to act as a centralized vault. It integrates with Active Directory and provides an individual login to each user to allow administrators to assign granular permissions to privileged accounts at the role, group, and user levels.

The Free Solution

Thycotic is on a global mission: to help IT teams world-wide protect their organizations from hackers by offering Secret Server absolutely free to businesses. Free Edition has been introduced to help small, growing businesses start managing their privileged accounts professionally. Those who sign up will receive 25 users and 250 Secrets, as well as award-winning service and support. By signing up for Secret Server Free, you will be helping Thycotic to reach its goal of protecting 20,000 organizations worldwide against cyber attacks with $100 million worth of Free Privileged Account Security software! Get started today.

