
Why does account management matter so much?

Across the enterprise, users rely on accounts and passwords to access services and administer equipment. The security of these accounts matters, and protecting privileged access matters most. Privileged accounts carry system-administration-level access and let their holders change the configuration of services and devices.

The need for password management, and in particular for a PAM (Privileged Access Management) system, comes from how hard it is to manage all the different accounts and passwords in an organization. Typically an environment holds five or more passwords for every person; passwords that are not managed or rotated properly are exposed to leakage. When IT builds a system, its passwords often cannot be (or are not allowed to be) stored anywhere else, or they are simply never changed. A privileged account that is not properly protected leaves the organization open to real damage.

The rise of remote work and bring-your-own-device puts accounts that live on endpoint devices entirely outside IT's control. The devices themselves also sit outside the protected IT environment, which makes effective controls hard to apply.

Beyond managing the lifecycle of privileged accounts (how they are created, how often passwords are rotated), an organization must keep an audit trail showing which privileged account did what and when, and must add multi-factor authentication to user sessions.

What are privileged accounts, and what risks do they carry?

Privileged accounts fall broadly into seven categories:

  1. Local Administrative Accounts
    These accounts hold administrative rights over important services or functions of the local operating system. They are typically used for IT work such as server maintenance and database administration.
  2. Privileged User Accounts
    These accounts can access sensitive data and transaction records. They are assigned to a limited set of named people within the organization and are also called "superusers".
  3. Domain Administrative Accounts
    These are the accounts dedicated to administering the organization's domain. They can reach every server and workstation in the domain, change other administrative and user accounts, and change server and workstation settings.
  4. Emergency Accounts
    These are fail-safe accounts for emergencies: they grant administrative rights to otherwise non-privileged users so that a system problem can be fixed or an attack contained. They are also called break-glass or fire-call accounts.
  5. Service Accounts
    These are privileged domain and local accounts that applications and services use to run and interact with the operating system. They are operationally complex and almost never expire, which makes them a standing risk. Most organizations have no effective audit of service accounts: an account may exist without anyone knowing, may never have been configured or suspended, may be valid yet never used, and its password may never expire, may be weak, or may be blank. Ransomware, malware and malicious insiders can all exploit such accounts.
  6. Active Directory or Domain Service Accounts
    These accounts organize domain resources into a logical hierarchy and keep the organization's core system functions running.
  7. Application Accounts
    These accounts govern an application's access activity, including running batch jobs and reaching databases. Their passwords are often kept in unencrypted files (.ini, .cfg and the like) or in clear text inside code and scripts (source, shell, batch), where they are easy to find; this is a major risk.

The challenges of privileged account management

An organization is a living thing, and it wants as few obstacles as possible between its staff and the authentication and access they need. With five times as many passwords as people, managing access can look like a thankless task.

Password authentication is notoriously unreliable as a security control. However hard IT teams push password best practice, users pick weak passwords and reuse them across the enterprise. Human memory is limited, so the number of passwords a person can manage is limited, and that ultimately leaves gaps in authentication and access control.

The fundamental difference between privileged and ordinary accounts is that privileged accounts can do more, and more powerful, things than standard accounts, so they need stronger protection.

How to manage accounts and access effectively

Strengthening privileged account management (PAM) requires a disciplined plan and supporting IT infrastructure: security controls, authentication, event auditing and activity monitoring. With or without a dedicated PAM system, the following practices are recommended:

Strengthen the password policy

A strong password policy is a basic network access requirement and a necessary factor in authentication. Privileged account passwords must be rotated regularly, follow the password management policy and never be shared. Password management tools such as LastPass can store passwords securely and report on password strength; where a vault can rotate a privileged password itself, that is preferable to relying on administrators to remember to do it.

Access rights and separation of duties

Ideally, privileged accounts are granted only to the right people, which means assigning privileges and duties separately according to job need, so that only a limited number of named people in the organization and each department hold privileged accounts. It also means separating roles and functions, including the rights to read, write, modify and execute files and data. Separating roles and privileged access stops people from stepping outside their access scope in breach of policy, and keeps the logs needed for incident investigation free from tampering.

System and network segregation

Segregating systems and networks follows the same logic as separating privileges and duties: systems are grouped and isolated according to the work they support and how critical they are, so that a single compromised account or host does not reach everything.

Monitor and audit privileged access activity

One threat to data comes from breaches inside the organization, usually by people with privileged access, so privileged access activity must be monitored. Besides monitoring and recording privileged activity, all of it should be auditable through endpoint system and user activity logs and screen captures.

Further recommendations

On top of the monitoring and audit records already in place, add controls that detect suspicious activity and block unauthorized access. For people who hold privileged accounts, analyse the activity logs for abnormal behaviour; this helps refine the security policy and can stop a potential attack before it happens.

About Version 2

Version 2 Digital is an Asia-based value-added distributor and IT developer. The company distributes and develops IT products across cyber security, cloud, data protection, endpoints, infrastructure, system monitoring, storage, network management, business productivity and communication products. Through an extensive network of channels, points of sale, distributors and partners, Version 2 offers products and services that are highly acclaimed in the market. Its sales network covers Taiwan, Hong Kong, Macau, mainland China, Singapore, Malaysia and other Asia-Pacific markets, and its customers span industries including Global 1000 multinationals, listed companies, utilities, healthcare, finance, education, government, countless successful SMEs and consumers across Asian cities.

About FineArt Technology
FineArt Technology (精品科技) was founded in 1989 by a group of like-minded alumni from a National Chiao Tung University laboratory and is a professional software development company. Starting with Taiwan's first Chinese desktop publishing system and moving on to handwriting recognition, it won partnerships and recognition from many international vendors on the strength of the smallest footprint, fastest speed and most accurate recognition. Over two decades, the products FineArt has released have been consistently well received by customers.

What is Application-to-Application Password Management (AAPM)?

Application-to-Application Password Management (AAPM) eliminates the need to store credentials in application source codes, scripts, and configuration files.

In this way, passwords are managed by the AAPM solution and become unknown to developers and support staff.

Also, an AAPM solution allows applications and scripts to securely obtain access credentials to other applications, eliminating the need for third-party applications and scripts to store access credentials.

The credentials stored in the solution are always encrypted, and access to them is controlled and configurable, which makes it possible to change credentials at any time.

Keep reading this article and learn more about other benefits and best practices of an AAPM solution.

What is Application-to-Application Password Management (AAPM)?

The authentication process is not just for administrator users to log on interactively to computers, network equipment, and applications. Software-based applications and services must also prove their identity to other services before being granted access.

Storing credentials and passwords in plain text within the code carries significant risk. The practice is known as hard-coding, and the danger is that a malicious actor can quickly discover these credentials, increasing the chance of privilege abuse across the systems they unlock.

Application-to-Application Password Management (AAPM) removes the need to keep credentials as unencrypted text inside the application.

Instead, developers add API calls to their code that retrieve the credential programmatically and perform password operations. The password is held in the application's memory and never written to disk.

When the application exits, that memory is released, and with short-lived credentials the value is already expired or due for rotation, so there is little for an attacker to recover afterwards. While the application is running the secret is still present in process memory, so memory dumps, swap and core files remain things to control. Used this way, AAPM protects credentials and controls access to them.
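The before/after pattern described above, as an added example that is not code from the article or from any AAPM product. `AapmVault`, `Lease` and `AppWithAapm` are hypothetical stand-ins for the solution's connection API and the calling application; the target database, account names and secrets are constructed for the demo.

```python
"""Application-to-Application Password Management: before and after.

Added example for this article; it is not code from the page or from any AAPM
vendor. AapmVault stands in for the AAPM solution and its connection API (a
hypothetical interface assumed for the demo), FakeDatabase stands in for the
target system, and every account name and secret here is constructed.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


class AuthenticationError(Exception):
    """Raised by the target system when a login fails."""


# ---------- BEFORE: the hard-coding the article warns about ----------
# The password lives in source control, in every checkout and every backup,
# and changing it means a code change and a redeploy, so in practice it never changes.
DB_PASSWORD = "Winter2020!"                     # hard-coded credential (deliberately bad)


def connect_before(db: "FakeDatabase") -> bool:
    return db.login("appsvc", DB_PASSWORD)


# ---------- AFTER: the credential is fetched at run time and held only in memory ----------
@dataclass
class Lease:
    password: str
    expires_at: float                           # time.monotonic() deadline after which the app must re-ask


class FakeDatabase:
    """Stand-in target system that authenticates an account by password."""

    def __init__(self) -> None:
        self._creds: dict[str, str] = {}
        self.logins = 0

    def set_password(self, account: str, password: str) -> None:
        self._creds[account] = password

    def login(self, account: str, password: str) -> bool:
        self.logins += 1
        if self._creds.get(account) != password:
            raise AuthenticationError(f"login failed for {account}")
        return True


class AapmVault:
    """Stand-in AAPM server: owns the secret, rotates it, and hands out short leases."""

    def __init__(self, ttl_seconds: float) -> None:
        self.ttl = ttl_seconds
        self._secrets: dict[str, str] = {}
        self._allowed: dict[str, set[str]] = {}       # account -> application ids allowed to read it
        self.audit: list[tuple[str, str, str]] = []   # (event, account, application id)

    def onboard(self, account: str, allowed_apps: set[str], target: FakeDatabase) -> None:
        """Take over an account: set a fresh random password on the target and record who may use it."""
        self._allowed[account] = set(allowed_apps)
        self.rotate(account, target)

    def rotate(self, account: str, target: FakeDatabase) -> None:
        """Change the password on the target system and in the vault in one step."""
        new_password = secrets.token_urlsafe(24)
        target.set_password(account, new_password)
        self._secrets[account] = new_password
        self.audit.append(("rotate", account, "-"))

    def get_lease(self, app_id: str, account: str) -> Lease:
        """Access control plus audit trail: which application asked for which account."""
        if app_id not in self._allowed.get(account, set()):
            self.audit.append(("deny", account, app_id))
            raise PermissionError(f"{app_id} is not allowed to read {account}")
        self.audit.append(("read", account, app_id))
        return Lease(self._secrets[account], time.monotonic() + self.ttl)


class AppWithAapm:
    """The application side: asks the vault, caches the credential in memory for the lease only."""

    def __init__(self, app_id: str, vault: AapmVault, account: str) -> None:
        self.app_id, self.vault, self.account = app_id, vault, account
        self._lease: Optional[Lease] = None

    def _password(self) -> str:
        if self._lease is None or time.monotonic() >= self._lease.expires_at:
            self._lease = self.vault.get_lease(self.app_id, self.account)
        return self._lease.password

    def connect(self, db: FakeDatabase) -> bool:
        try:
            return db.login(self.account, self._password())
        except AuthenticationError:
            # The vault may have rotated the password since the lease was taken:
            # drop the cached lease, fetch once more, and only then give up.
            self._lease = None
            return db.login(self.account, self._password())


def demo() -> dict:
    """Walk through the lifecycle and return what happened, for inspection or testing."""
    vault = AapmVault(ttl_seconds=300)
    db = FakeDatabase()
    vault.onboard("appsvc", {"billing-app"}, db)
    app = AppWithAapm("billing-app", vault, "appsvc")

    first = app.connect(db)            # lease fetched from the vault, login succeeds
    second = app.connect(db)           # still inside the lease: no second round trip to the vault
    vault.rotate("appsvc", db)         # password changed on the target and in the vault
    after_rotate = app.connect(db)     # stale lease fails once, is refreshed, login succeeds

    rogue_denied = False
    try:                               # an application that was never authorized for this account
        AppWithAapm("rogue-script", vault, "appsvc").connect(db)
    except PermissionError:
        rogue_denied = True

    return {
        "first": first, "second": second, "after_rotate": after_rotate,
        "rogue_denied": rogue_denied,
        "vault_reads": sum(1 for event, _, _ in vault.audit if event == "read"),
        "db_logins": db.logins,
    }


if __name__ == "__main__":
    print(demo())
```

After the change the secret exists only in the vault and, for the length of a lease, in the application's memory; nobody reads it off a disk or out of a repository, and the vault's audit list records every read and every refusal. That memory is still readable by anyone who can dump the process, its swap or a core file, which is why the lease is short and the vault rotates the password: whatever leaks is stale soon after.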

Benefits of Application-to-Application Password Management (AAPM)

Application-to-Application Password Management (AAPM) offers the following advantages:

  • It stores encrypted credentials in a tamper-resistant location. Credentials are not stored in plain text.
  • It prevents unauthorized users from gaining access to credentials.
  • Based on the configured password policies, AAPM dynamically changes the credentials of a target account. These changes are sent to the requesting servers to keep the local cache up to date.
  • Reliable authentication of all password requests made by applications.
  • Use of the solution’s connection API to manage application credentials.
  • Granular access control, providing remote access to a specific service or application without displaying the password to the requesting user.

The solution uses its own template to change the password of the application credential and stores the new password, encrypted, in its database. The credential can then be retrieved through the solution's connection API or injected directly into the application server's connection pool.

Best Practices for Application-to-Application Password Management (AAPM)

For the holistic management of privileged credentials between applications, the following practices are recommended.

  • Discover all privileged credentials: shared administrator accounts, user accounts, service and application accounts, SSH keys, database accounts, and cloud and social media accounts, including those used by third parties and suppliers, both on premises and in the cloud.
  • Discovery should cover every platform (Windows, Unix, Linux, cloud, local and others) as well as directories, hardware devices, applications, services, firewalls and routers.
  • Discovery should make clear where and how privileged passwords are being used, and reveal the blind spots of security and neglect, such as:
    ○ Long-forgotten orphan accounts that could give an attacker a back door into your infrastructure.
    ○ Passwords with no expiration date.
    ○ Inappropriate use of privileged passwords, such as the same administrator account running several services.
    ○ SSH keys reused on multiple servers.
  • New systems and applications are developed all the time, so run discovery periodically to make sure every privileged credential is protected, centralized and under management.
  • Manage application passwords. Protecting hard-coded passwords means separating the password from the code so that, when not in use, it sits in a centralized password vault instead of being permanently exposed in plain text.
  • Replacing hard-coded credentials with API calls brings scripts, files, code and embedded keys under control. Once that is done, password changes can be automated as often as policy requires.
  • Bring SSH keys under management. An SSH key is effectively another password, but one that comes as a key pair that must be managed as well. Rotate private keys and passwords regularly and make sure every system has its own unique key pair.
  • Threat analysis. Continuously analyze password, user and privileged account behavior to detect anomalies and potential threats. The more integrated and centralized password management is, the more easily you can report on the accounts, keys and systems exposed to risk. More automation shortens the time to awareness and lets you orchestrate a response, such as immediately blocking an account or session or changing a password.
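The discovery checks in the list above, as an added example that is not taken from the article or from any vendor. The inventory records (`Account`, `ServiceDefinition`, `SshAuthorizedKey`), the 90-day idle threshold and the sample data are assumptions made for the demo.

```python
"""Privileged-credential discovery checks over an account inventory.

Added example for this article, not code from the page or from any vendor.
It runs the blind-spot checks the list above names over a constructed
inventory: orphaned accounts, passwords that never expire, one administrator
account used by several services, and one SSH key installed on several
servers. The record layouts, names and thresholds are assumptions for the
demo; a real run would fill them from directory queries and from each host's
authorized_keys files.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                           # "user", "service", "local-admin", "domain-admin"
    password_never_expires: bool
    last_logon: Optional[date]          # None: the account has never been used
    created: date
    enabled: bool = True


@dataclass(frozen=True)
class ServiceDefinition:
    host: str
    service: str
    run_as: str                         # account the service runs under


@dataclass(frozen=True)
class SshAuthorizedKey:
    host: str
    user: str
    fingerprint: str                    # as printed by `ssh-keygen -lf` on the public key


TODAY = date(2021, 3, 1)                # fixed reference date so the demo is reproducible
ORPHAN_AFTER = timedelta(days=90)


def find_orphans(accounts, today=TODAY, after=ORPHAN_AFTER) -> list[str]:
    """Enabled accounts that were never used, or have been idle longer than `after`."""
    orphans = []
    for a in accounts:
        if not a.enabled:
            continue
        idle_since = a.last_logon or a.created
        if today - idle_since > after:
            orphans.append(a.name)
    return orphans


def find_non_expiring(accounts) -> list[str]:
    """Enabled accounts whose password is flagged never to expire."""
    return [a.name for a in accounts if a.enabled and a.password_never_expires]


def find_shared_admin(services, accounts) -> dict[str, list[tuple[str, str]]]:
    """Privileged accounts used as the run-as identity of more than one service."""
    privileged = {a.name for a in accounts if a.kind in ("local-admin", "domain-admin")}
    uses = defaultdict(set)
    for s in services:
        uses[s.run_as].add((s.host, s.service))
    return {acct: sorted(u) for acct, u in uses.items() if acct in privileged and len(u) > 1}


def find_reused_ssh_keys(keys) -> dict[str, list[str]]:
    """Key fingerprints that appear in authorized_keys on more than one host."""
    hosts_by_fp = defaultdict(set)
    for k in keys:
        hosts_by_fp[k.fingerprint].add(k.host)
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


def run_discovery(accounts, services, keys) -> dict:
    return {
        "orphans": find_orphans(accounts),
        "never_expires": find_non_expiring(accounts),
        "shared_admin": find_shared_admin(services, accounts),
        "reused_ssh_keys": find_reused_ssh_keys(keys),
    }


# Constructed inventory (no real systems or people).
ACCOUNTS = [
    Account("j.chen", "user", False, date(2021, 2, 26), date(2018, 5, 1)),
    Account("svc-backup", "service", True, date(2021, 2, 28), date(2016, 9, 12)),
    Account("svc-legacy-etl", "service", True, None, date(2017, 1, 3)),            # never used
    Account("contractor-tmp", "user", False, date(2020, 6, 15), date(2020, 3, 2)),  # idle since mid-2020
    Account("srvadmin", "domain-admin", True, date(2021, 3, 1), date(2015, 2, 20)),
    Account("old-admin", "local-admin", True, date(2019, 11, 30), date(2014, 7, 7), enabled=False),
]
SERVICES = [
    ServiceDefinition("app01", "BillingScheduler", "srvadmin"),
    ServiceDefinition("app02", "ReportExport", "srvadmin"),      # same domain admin, second service
    ServiceDefinition("db01", "BackupAgent", "svc-backup"),
]
SSH_KEYS = [
    SshAuthorizedKey("web01", "deploy", "SHA256:DEMOKEY1"),
    SshAuthorizedKey("web02", "deploy", "SHA256:DEMOKEY1"),     # same key pair on two hosts
    SshAuthorizedKey("db01", "dba", "SHA256:DEMOKEY2"),
]

if __name__ == "__main__":
    for check, result in run_discovery(ACCOUNTS, SERVICES, SSH_KEYS).items():
        print(f"{check}: {result}")
```

Fed from a directory export and from `ssh-keygen -lf` over each host's authorized_keys, the four results become a work queue: disable or vault the orphans, put the non-expiring passwords under rotation, give each service its own account, and issue each host its own key pair.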

Many government and industry regulations (PCI DSS, for example) require that confidential information not be hard-coded. Eliminating hard-coded passwords and making sure application credentials are reset periodically help organizations meet auditing and compliance requirements.

Do you want more information on how to optimize communication between applications? Contact our experts.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Segura®
Segura® strives to ensure that companies keep sovereignty over privileged actions and information. To this end, we work against data theft by making administrator actions traceable across networks, servers, databases and a multitude of devices. We also pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

ESET receives Top Product awards for best Windows antivirus software from AV-TEST

BRATISLAVA –  ESET, a global leader in cybersecurity, has again been recognized with Top Product awards in the latest AV-TEST Product Review and Certification reports for both its business and home consumer products. ESET’s business offering for Windows, ESET Endpoint Security 7.3, and its Windows consumer product, ESET Internet Security 14.0, achieved perfect scores in the Protection, Usability and Performance categories, leading both to be commended with Top Product awards in the November and December 2020 tests. This follows ESET’s success in AV-TEST’s August and October reports, in which ESET Endpoint Security 7.3 and ESET Internet Security 13.2 also received Top Product awards.

 
AV-TEST, a leading independent testing organization, uses one of the largest collections of malware samples in the world to create a real-world environment for highly accurate in-house testing and realistic test scenarios.  
 
The tests evaluated the best Windows antivirus software for home and business users, with all vendors being assessed across three main categories: Protection, Performance and Usability. Across consumer and business evaluations, ESET’s solutions scored a perfect 6 in the Protection category, which measures the protection against and detection of malware, including web and email threats. The solutions also achieved a perfect score in the Usability category, which measures the impact on usability with indicators such as false alarms, false detections and unnecessary blocking of websites. Finally, in the Performance category – determining the average influence on computer speed – both consumer and business products once again scored 6 out of 6, an improvement from the 5.5 that ESET solutions scored in the August/October tests.  
 
Roman Kováč, Chief Research Officer at ESET, commented, “We are thrilled to continue to receive commendations for our home and business security solutions, and our additional success in achieving perfect scores in all three categories makes me extremely proud. At ESET, we are dedicated to our work in making technology safer for consumers and businesses, and the recognition of our solutions as Top Products is evidence of such efforts. Commendations from AV-TEST reaffirm that our solutions are proven to work in real-world scenarios. With the events of the past year moving more of the world online than ever before, and cyber-threats constantly evolving, this affirmation has never been more important. Home users and businesses alike can be confident that they are in safe hands with ESET.”
 
Learn more about ESET’s home and business solutions for Windows here.


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Portnox Aids Credit Unions in Meeting New NCUA ACET Compliance Standards for Cybersecurity

As the NCUA's cybersecurity standards tighten, Portnox's network access control solutions are enabling credit unions to remain compliant and operational

NEW YORK, NY – March 3, 2021 – Portnox, a leading provider of network access control (NAC) and network security solutions, today announced that it has begun working with a number of U.S.-based credit unions to enhance their cybersecurity programs and meet stricter controls standards laid out within the National Credit Union Administration’s (NCUA) new Automated Cybersecurity Examination Tool (ACET) framework.

According to the NCUA, the ACET mirrors the FFIEC's Cybersecurity Assessment Tool, developed for voluntary use by banks and credit unions. Like the FFIEC tool, the ACET consists of two parts: the Inherent Risk Profile and the Cybersecurity Maturity assessment. The Cybersecurity Maturity portion measures a credit union's level of cybersecurity controls, on a scale from "baseline" to "innovative", with the 123 baseline statements representing the minimum regulatory expectations.

“In light of recent network hacks, and as the NCUA audits continue to expand, many credit unions struggle with finding an effective solution to meet Domain 3 controls within the ACET framework,” said Ofer Amitai, CEO at Portnox. “Fortunately, Portnox can provide the network access control, endpoint awareness, risk and real-time remediation capabilities that either directly meet or highly contribute to many of the most difficult ACET Domain 3 audit areas and requirements.”

Portnox CLEAR, the first and only cloud-delivered network access control solution on the market, is a natural fit for credit unions. With no on-site networking hardware required to operate, no patching or on-going maintenance, and low overall total cost of ownership, Portnox CLEAR caters to financial institutions with minimal in-house IT resources needing to meet regulatory and compliance standards.

“We spent years looking for a NAC solution for our clients that was affordable, and more importantly, something that wasn’t extremely difficult to install. We found that with Portnox CLEAR, and now our clients are benefiting from enhanced security and compliance by using CLEAR,” said Lee Bird, President at Btech, a managed security services provider and Portnox partner based in Pasadena, California that specializes in cybersecurity for credit unions.


About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.
