Global Communication Solutions Provider Deploys CyberArk to Mitigate Pass-the-Hash Attacks

• 网络安全和隐私 - 身份认证管理
• 网络安全和隐私 - 网络安全
• 网络安全和隐私 - 安全合规

• Professional Service
• 电信

• 商业运营

• 入侵检测系统

• 网络安全服务
• 系统集成

For this global communications company, Pass-the-Hash attacks posed an immediate and troubling challenge. While the company was able to identify the existence of these types of attacks before a serious breach occurred (evidence of password theft and password cracking was clear and eminent), they struggled with the unique nature of a stolen hash. As a first step, the IT team opted to restrict access to their admin and privileged accounts by issuing Smart Cards. Unfortunately, this did not solve the problem, as vulnerabilities persisted within these Smart Card-enabled accounts. Smart Cards, which are touted to prevent credential theft through multifactor authentication, actually exacerbate the problem. With Smart Cards, the passwords associated with each privileged account, by default, never expire and are never changed again. As a result, once the hash is stolen, the attacker can exploit it in perpetuity. To truly combat Pass-the-Hash attacks against Smart Card-enabled admin accounts, the organization would need to deploy a custom solution that ensures admin and privileged passwords are automatically changed with some frequency to proactively protect against stolen credentials and abuse.

CyberArk’s customer, a publicly-traded provider of communication solutions and services to enterprises and governments, is well established as a proactive, security-aware organization. However, as a global business with access to sensitive customer information, the company is also frequently a target of increasingly sophisticated cyber-attacks. The company has an annual revenue of $8.69 billion USD (2012) and employs 22,000 employees in 65 countries, with sales in 100 countries. The company is headquartered in the USA and is known for its robust security measures and proactive approach to cybersecurity.

Fortunately, the communications company simultaneously initiated a search for a password management solution to proactively manage all of their local, built-in privileged accounts. After reviewing multiple solutions, the company selected the CyberArk Privileged Account Security Solution. The company chose CyberArk due to the robustness of the solution and its ability to restrict and protect privileged domain accounts. Soon after deployment, however, members of the security solutions team were able to identify a more critical use case for the CyberArk solution. Out of the box, the solution also enabled the organization to limit the ability of administrators to inadvertently expose privileged credentials to higher risk computers and Pass-the-Hash cyber attackers. Through role-based access control, the organization can identify and manage Smart Card-enabled privileged accounts, assigning strong and rapidly changing passwords that prevent attackers from stealing credentials and authenticating across the network. Moreover, the organization now controls, manages and logs the use of all privileged user credentials with the CyberArk solution. Looking ahead, the company plans to leverage the CyberArk Privileged Account Security Solution to enforce other highly relevant mitigation steps, including: Unique password changes for every privileged user and service accounts (such as Windows Services, Scheduled Tasks, IIS App Pools and others) – this mitigates the dangers of password reuse. Automation of random and complex passwords. One-time password changes for privileged access – whenever a Windows domain admin uses a privileged credential, it is replaced with a new one. If the privileged credential is changed right after its usage, the window of opportunity for the attacker is very narrow.

• The CyberArk solution was easy to deploy. The process involved little coordination with other departments and, within days, the organization was able to begin creating policies, define them and apply them to protect their privileged accounts.
• Since implementation, the organization has yet to have one single Pass-the-Hash attack or incident involving highly privileged accounts, and there have been no other indicators of future attacks.
• Moreover, the CyberArk solution has eliminated any and all abuses of privileged accounts across the customer’s entire network.

• Annual revenue: $8.69 billion USD (2012)
• Employees: 22,000 employees in 65 countries
• Sales in 100 countries