Any computer security policy is founded on the concept of identifying users and establishing their credentials to authorize them to access system networked resources. Managing usernames and passwords might seem like a trivial task but when a network grows to have many resources and correspondingly many users, the potential for security breaches multiplies.
Integration with Windows Active Directory (AD) provides flexibility for network administrators to adopt a wide range of security policies.
In the most extreme form of “least privilege” access, administrators can lock down each user to allow access only to very specific resources, at specific times, and with specified permissions for specific resources such as file systems, individual files, servers, VPNs, medical workstations, medical and industrial equipment, printers and copiers, and phones.
In practice, this ideal level of control is rarely achieved, and compromises are made to make managing the operation more practical. As a result, many organizations face the following user access challenges:
- User accounts often grant more access than the employee needs.
- Sometimes user accounts survive an employee’s termination – for one reason or another they aren’t disabled.
- In some cases, a user can create “local” user accounts with access privileges. This is often allowed in systems managed with Windows Active Directory.
- There can be some systems in the network that do not use the network administrator’s security protocol.
- IoT Devices (both wired and wireless) and various off the shelf software packages with default passwords (for example: “admin/admin”) appear in corporate network. Most of the time, account management with passwords can become tedious when thousands of IoT devices are deployed in the network, because these devices are typically configured by the manufacturer with default credentials.
While these challenges vary, the end result is the same: an un-authorized user gains access, typically via a VPN or SSH session to some system or device, and from there accesses other privileged resources in the system. In this type of security breach, malware need not be involved, although this may turn out to be a vector for malware. Given the numerous ways in which phishing attacks can install malware agents on an employee-owned corporate laptop, jumping to other devices with weak credentials becomes easier for attackers.
Ordr and Active Directory, RADIUS and wireless Integration
Ordr provides very robust tracking of users using AD/RADIUS and wireless integration, enabling security teams to monitor which user is accessing what device at what time. Ordr provides two key perspective:
- User tracking – analysis of all IoT devices accessed by a user.
- Device tracking – analysis of which users were logged into a specific device, at what time, duration and more.
Ordr also monitors all devices that use supervisory protocols like SSH, telnet, ftp, etc., associates them with user names, correlates them with the network they logged in from (corporate or guest), and maintains an accurate access record for each and every device as well as each and every user.
We also track and monitor corporate and guest network users. Corporate resources need to be accessed by corporate users with the right credentials from the corporate network. Ordr can alert or trigger the appropriate incident response workflow when a guest network user crosses over to the corporate network.
Finally, organizations can take advantage of all this rich user authentication during a security incident to provide qualifying details such as which network was the entry point, which device the “user” used to get into the network and what authentication methods they used, in addition to detailed Ordr Flow Genome flows.
Account Misuse Use Cases
Our customers have used the Ordr platform in many cases where one or more misuse of user accounts have occurred.
- Unauthorized user accessing accounts - Based on the network data collected in the Ordr Data LakeTM, we were able to reconstruct extensive and specific activities conducted by a person with an unauthorized-yet-active account, specifically:
- When the user account was logged on and off, and to which system.
- What specific resources were accessed.
- The amount and direction of data transacted (in malware terms, the identification of the data that was exfiltrated.
- Former employee accesses records – In one healthcare environment, we identified that a former nurse used their login credentials at a medical facility to access more than 600 data records. With the information gathered from Ordr, the response and mitigation of the security breach was initiated in a few minutes. Similar incidents have been documented publicly.
- Security cameras with default passwords - Another case involved access to security cameras whose default passwords had not been changed. This can happen not only on new installations but also where a failed unit is replaced by a worker not familiar with the organization’s security requirements. After the initial incident the security team was able to make necessary operational changes to avoid a reoccurrence of this specific problem.
To find out more about how Ordr is helping organizations today, you can view our case studies, webinars and white papers here.