With Cyber-Ark, hackers have no ‘privileges’
Runaway ‘privileged accounts’ mean big security trouble on a server. Chen Bitan says his firm has the answer
All around us, a storm of cyber-insecurity rages, engulfing everyone and everything in its path. In the second half of 2012, for example, security company Kaspersky Lab detected and blocked more than 200,000 new malicious programs every day — nearly double the amount the company’s software detected in the first half of the year. And the number of malware applications is growing at the same rate this year, company CEO Eugene Kaspersky said on a recent visit to Israel.
Many, if not most, of these malicious files are aimed at enterprise and government servers — the computers that run the companies that keep an economy going, and a society functioning. Banks, infrastructure companies, manufacturers, defense institutions — hackers are targeting them all, and unfortunately have had many successes, breaking into computers and stealing everything from credit card information to state security secrets.
But nearly all those attacks have one thing in common, says Chen Bitan, head of Cyber-Ark’s local office. “According to international research firm Deloitte, 100% of sophisticated attacks used privileged accounts to get into critical systems. We prevent attacks simply by choking off access to these accounts, denying hackers the opportunity to use them to break into systems.”
Large computer systems, especially those that have been around for years, usually contain many accounts that are no longer in use, for employees no longer with the company, as well as for groups of users, administrators, and other accounts not associated with specific users. Often these accounts will have special administrative privileges to access files and folders that ordinary user accounts do not have.
System administrators often set up these accounts for special purpose “missions,” such as trying to override a glitch in software in order to get out an important report, without being bound by system restrictions. But sometimes administrators forget to delete these accounts after putting out the fire — and there they remain, waiting to be exploited by someone who guesses the password (which is often a simple one, thrown together quickly and designed to be easy for the boss to remember). Ditto for superannuated user and group accounts; they often stick around well past their “due date,” and hackers can try cracking their password with no one even noticing their exploits, because those accounts aren’t being watched closely.
“In the past, hackers attempted to breach the perimeter layer — firewalls, anti-virus software, and so on — in order to beat system security,” said Chen. “Now they are much more sophisticated, scanning systems for privileged accounts and running automated cracking malware to break in and wreak havoc on networks.”
A large enterprise system can have hundreds of these privileged accounts, and they pose a great risk — in fact, Chen said citing the Deloitte report, they pose 100% of the risks of direct hack attacks, where hackers use software to crack passwords (as opposed to denial of service attacks, or gaining passwords using social engineering techniques, such as getting a user to click on a link that installs malware on a system). For system administrators, a hacker’s accessing a privileged account is a worse nightmare than accessing ordinary user accounts, because privileged accounts have — as the name implies — privileges to access and affect areas of servers that are usually off limits to non-privileged account holders.
Cyber-Ark chokes off the possibility that privileged accounts will be abused, by identifying and choking off access to the accounts. Cyber-Ark sets up a policy on user accounts, requiring the changing of passwords on a regular basis, as well as a “safe zone” for data to be managed when accessed from an account. The only data a user can manipulate is that which is inside the safe zone, said Chen, and that data is not written to saved server files until it is checked and rechecked for malware.
The software also looks for suspicious activity, alerting administrators on what is going on and allowing them to intervene at any time. “Our system isolates the privileged session from the rest of the network and keeps it away from the system until it is thoroughly analyzed,” said Chen. “Thus, all work sessions using accounts Cyber-Ark monitors remain isolated, and the credentials for an account — its password, etc. — remain isolated as well, so even if a hacker is copying the data using a keylogger or other malware, the only data they can access is that of the session itself, and not anything more on the server.”
Reviews for Cyber-Ark software are extremely positive, although some users report that the system slows down access to files, sometimes significantly, especially during “crunch times,” when many users are trying access server files. Nevertheless, Cyber-Ark has proven itself valuable enough to many of the largest companies in the world, who use the custom-designed versions Cyber-Ark provides (each installation is done under the supervision of a company technician, as the rules and requirements for each server and network are different).
Even though privileged accounts are clearly the preferred method today for hackers to crack their way into a system — with Cyber-Ark there to prevent that from happening — Chen agrees that “no software is foolproof, and no company can claim they can prevent all attacks.” Nevertheless, Cyber-Ark’s reputation in the industry is such that nearly half of the companies on the Fortune 50 list are among Cyber-Ark’s 1,400 or so clients — including 17 of the 20 largest banks worldwide.
Cyber-Ark was founded in 1999 (by some ex-IDF specialists in cyber-security) and has gone through several iterations. Now, it is the world leader in detecting and defending hacker attacks via privileged accounts, with customers from around the world. If Cyber-Ark’s customer list is a who’s who of the business world, so is the list of investors in the venture-capital based firm — including Seed Capital Partners, Cabaret-ArbaOne, Jerusalem Venture Partners (JVP), JP Morgan/Chase Partners, and Vertex Venture Capital. In December 2011, Cyber-Ark received a $40 million investment round led by Goldman Sachs and JVP. According to Chen, sales for Cyber-Ark are robust, and so is income.
The world needs Cyber-Ark, said Chen; the privileged accounts issue is really out of control, and Cyber-Ark provides the most effective way to prevent their exploitation, he added. “In many organizations they have no idea how many privileged accounts are on their servers,” Chen said. “Our tool scans for the existence of these accounts, identifying and isolating them — and we have found that in many organizations, there are four times more privileged accounts than there are employees.” That gives hackers plenty of opportunity to figure out ways to compromise systems, Chen added. “Once they get into a privileged account, that’s it — they are there to stay, and they will remain there until they compromise the system. The only solution is to keep them out of accounts altogether, and we’re happy to say that we do this very well.”