Thursday, August 11, 2016

Privilege Management Reading List

An Introduction to Identity Management - Spencer C. Lee

The underlying problem is the absence of federated directories. Microsoft defines federation as "the technology and business arrangements necessary for the interconnecting of users, applications, and systems. This includes authentication, distributed processing and storage, data sharing, and more."

Federated directories interact with and trust each other, which allows secure information sharing between applications. Companies are currently running isolated, independent directories that neither interact with nor trust each other.

https://www.sans.org/reading-room/whitepapers/authentication/introduction-identity-management-852

NOTE: This was a great paper and ahead of its time, but needs to be updated.
= = =
Improving Application and Privilege Management: Critical Security Controls Update - John Pescatore

The biggest barrier to enabling application control and privilege management has been fear of self-inflicted wounds: causing business disruption or huge increases in help desk calls as legitimate software and business-critical access are blocked. But products and techniques have improved over the past few years, and today you can find many success stories that show what works in enabling application control and privilege management with minimal or no interference to business operations.

This whitepaper describes the recent update to Version 6.0 of the CIS Critical Controls, with a focus on application control and privilege management as high-payback, quick wins when done right.

https://www.sans.org/reading-room/whitepapers/analyst/improving-application-privilege-management-critical-security-controls-update-36912

= = =
Keys to the Kingdom: Monitoring Privileged User Actions for Security and Compliance - David Shackleford

According to CERT, mechanisms to prevent privileged insider abuse should include the following:

•   Enforce separation of duties and least privilege. Separation of duties implies that no one employee can perform all privileged actions for a system or application. Least privilege implies that employees are granted only the bare minimum privileges needed to perform their jobs.

•   Implement strict password and account-management policies and practices. This should be enforced for all users, including administrators and other privileged users.

•   Log, monitor, and audit employee online actions. Organizations need to be vigilant about what actions privileged users are taking, and should use a variety of logging and monitoring techniques.

•   Use extra caution with system administrators and privileged users. Because these users are often granted the "keys to the kingdom" in terms of access and capabilities, additional safeguards often need to be implemented to adequately monitor and manage their behavior.

https://www.sans.org/reading-room/whitepapers/analyst/keys-kingdom-monitoring-privileged-user-actions-security-compliance-34890
= = =
Implementing Least Privilege in an SMB - Tim Ashford

This paper is focused on the problem of managing privilege in the Windows environment.

https://www.sans.org/reading-room/whitepapers/authentication/implementing-privilege-smb-36657

NOTE: This paper is a candidate to be updated as an Analyst paper.
= = =

Implementing Least Privilege at your Enterprise - Jeff Langford

This is an introduction to the Saltzer and Schroeder design principles.

https://www.sans.org/reading-room/whitepapers/bestprac/implementing-privilege-enterprise-1188
= = =
Security Controls in Service Management - K. V. Warren

This paper is a crosswalk between ISO 27000 and the Critical Controls. Where possible, use access control configuration templates that comply with the organization's policies. User and group templates are used to grant the minimum access rights and privileges needed for a user to perform his or her job. Password policy elements include expiry, lifetime, minimum length, complexity, difficulty, lockout after X failed attempts, and so on.

https://www.sans.org/reading-room/whitepapers/iso17799/security-controls-service-management-33558

NOTE: this paper is a bit dated, but could be a topic for a future Analyst program paper.
= = =
Privileged Password Sharing: "root" of All Evil - J. Michael Butler

Privileged accounts are difficult to manage in any enterprise running multiple distributed operating systems and versions of those systems. The more disparate the systems, the larger the problem. Take, for example, an environment that has HP-UX, Red Hat Linux, IBM AIX, mainframes, Active Directory, Windows 2003 Server, Windows 2008 Server, and a few other odds and ends. How can one administrator provision and keep track of every privileged user on every system? For that matter, how can a team of administrators control who is doing what, on which server, and to what end?

https://www.sans.org/reading-room/whitepapers/analyst/privileged-password-sharing-root-evil-35195
= = =

Increasing Security and Reducing Costs by Managing Administrator Rights with Process-based Privilege Management with Viewfinity - A What Works Paper

What caused you to look for a solution like Viewfinity?

In our Windows XP environment, we had a custom-written tool that gave users 24-hour administrative rights to their machines. Going into Windows 7, we knew that tool wasn't compatible with Windows 7. About 1,000 of our 6,000 end users had local administrative rights on their PCs and it had gotten out of hand. We had three different models for the XP environment: regular users who were given complete local admin rights, users with extra accounts without Internet access who had local admin rights, and users utilizing the custom-written tool for temporary access. Going into Windows 7, we had to come up with a solution to handle administrative rights and that's what set us down the path of looking at the different tools and options out there.

NOTE: This paper is a bit dated. Are there any updates on Viewfinity/CyberArk? Any real-world stories of PAM tools helping with the move to Win 10?

https://www.sans.org/media/critical-security-controls/case-studies/WhatWorks-Viewfinity.pdf
= = =