Index

A

Application attacks, 130

Application compatibility toolkit (ACT) limitations, 63

AppLocker limitations, 63

B, C

Compliance Carl, 42, 59

Application Security Incorporated, 52

black and white nature, 51

blogosphere, 53, 54

common pitfalls, 52

germane regulations, 43

“Holmes/Judy” version, 51

keyboard and chair, 55, 56

mobile workers, 54, 55

need for, 51

rank and privilege, 53

Compliance process, 141

administrator privilege, 142

alphabet soup, 147, 148

audit failure, wild side, 155

auditing challenge, 156

authorized user access, 157

David Nester's view, 156, 157

extensive auditing and logging features, 157

IT infrastructure security, 156

MD Anderson Cancer Center, 156

off-site logging capability, 157

UNIX network security, 156

Carl's view, 161

cloud environment

access control, 146

ISO 27001 standard, 147

policy compliance, 146

virtual machine, 146

corporate governance, 142

auditing and management, 143

IT acquisition assets, 143

PIM solution, 143

data security, 145

database access monitoring, 146

DBAs, 145, 146

demand of compliance vs. open source, 154, 155

GRC, 142

HIPAA (see Health Insurance Portability and Accountability Act)

least privilege, 153

least privilege Lucy, 160, 161

PCI DSS (see Payment Card Industry Data Security Standard (PCI DSS))

privilege resource security

access, 152

control, 152

identity management, 151

monitoring process, 152

remediation process, 152

risk, 144

credential management, 144, 145

levels of insider threat mitigation solution, 144

management, 144

privilege management, 145

session management, 145

rules and regulations, 141

satisfaction, 141

secure Sam, 160

security and productivity

access control, 158

good IT health, 158

tradeoffs analysis, 159, 160

SOX, 150, 151

Computer Security Institute (CSI), 54

Control Objectives for Information and related Technology (COBIT), 119

Cost of apathy

admin privilege elevation, 164

breaches and least privilege, 163

breaches identity, 169

Care New England, manages operations

end-user support manager, 170

help-desk calls, 170

least privilege solution, 170

policy, 170

cloud vendors

business and IT security, 171

cloud-hosted data, 171

mission-critical virtual server, 172

cyber crime

black market buyers data, 165

CSO struggle, 166

market option, 165

stolen information sales, 165

hard vs. soft, 168, 169

Jérôme Kerviel, fraudulent transaction, 164

least privilege

compliance, 173

heterogeneous coverage, 174

insider breaches, 167

malcontents, 168

malicious code and software download, 167

PIM systems, 168

reduced complexity, 173

secure sam, 174

security, 173

least privilege

ROI calculation, 173

weighing in, 174

Matt Miszewski

over-privileged, 167

staff information retention, 166

steal/manipulate sensitive information, 175

theme, 164

D

Data awareness, 130

Data encryption, 119

Data leak prevention (DLP), 132

Database encryption, 120

Database-based applications, 127

compliance audit failure, 132, 133

compliance Carl, 140

DAM

change management, 137

compliance reporting, 138

control of privilege, 136

control systems, 137

custom-developed solutions, 136

data auditing, 137

effective credential management, 137

products, 137

data security, 133, 139

DBA, 129

desktop

DLP, 132

enterprise Windows environment, 131

IT administrator status, 131

IT support impact, 131

personal computing, 131

Gawker, 135

Gnosis Group, 135, 136

information storage servers, 128

least privilege

architecture, 138

best practices, 138

data sensitivity, 140

vulnerability, 139

legacy applications, 130

privilege management policy, 134

security risk, 129, 130

tongue-in-cheek approach, 134, 135

Defense Advanced Research Projects Agency (DARPA), 100

Desktops, 16

E, F, G

Georgia Tech Information Security Center (GTISC), 29

Governance, risk, and compliance (GRC), 142

H

Health information exchanges (HIEs), 91

Health Insurance Portability and Accountability Act (HIPAA)

administrator rights, 149

ePHI Data Systems, 148

final rule, 148

least privilege, 149

personal data protection, 149

Hypervisor, 98, 99

I

Information Systems Audit and Control Association (ISACA), 119

IT constant change, 1

adapting process, 10

best practices, 19

best-of-breed security software, 1

boundaries vs. walls, 10, 11

compliance, Carl, 20, 21

Corporate Governance, 18

federal mandates

BGC Partners, 13

critical infrastructure, 13

intrusion detection, 13

risk compliance, 12

system/application policy, 14

villains, 16

final observations, 19

government regulations, 18

hard costs, 18

heroes, 16

internal vs. external threats

information security, 2

IT security spending, 2, 3

IT infrastructure requirement, 16, 17

least privilege, Lucy, 20

pervasive and problematic information, 9

PIM (see Privileged identity management)

security, Sam, 20

soft costs, 18

top-ten–list approach, 11, 12

villains, 15

Yin–Yang security concept, 14, 15

IT privilege, 23

Accident Prone Annie, 27

data loss, 28

desktop and server misuse, 27

fortified network vulnerability, 27

insider breaches, 28, 29

internal operator error, 27

multi-tiered approach, 28

security breach research project, 28

accidental harm, 24

data breach

authorization, 34

data security, 33, 34

sensitivity, risk security, 32, 33

social security, 35

third-party organization, 34

Disgruntled Dave

access information, 27

Aleynikov, Sergey, 26

Cyber Security, 25

cybercrime threat, 25

Goldman's source code, 26

illegal network access, 26

insider attack, definition, 24

HR and IT department

cloud computing, 36

collaborative process, 37

fine-grained entitlement, 36

insiders challenge management, 36

interface, 36

rank and privilege concept, 36

identity management, 38

indirect harm, 24

intentional harm, 24

rights management, 39

thief Irene identification, 29

accountability, 30

Adobe, 30, 31

Android mobile operating system, 31

Barracuda employee, 30

Google's Android Market, 31

GTISC, annual summit, 29

hackers, vulnerability, 31

Heron, George examination, 29

security configuration, 31

startling statistic, 29

tongue-in-cheek approach, 37, 38

tried-and-true security methods, 39

user experience, 32

J, K, L

Least privilege

balanced security and productivity, 183

balance conscientious, 184

productivity conscientious, 184

security conscientious, 183

implementation, 186

communication, 187

delineate cross-organization, 188

ensure managers understand security, 187

provide or enlist in training, 187

security a corporate goal, 187

insider threats

cloud, 180

physical, 179

virtual, 180

intent vs. action

accidental misuse of privilege, 178

analysis, 179

indirect misuse of privilege, 178

insider threats, 178

intentional misuse of privilege, 178

IT security

bad habits, 182

kicking bad behaviors, 182

Lucy, 42, 47, 59

cloud migration, 43

common pitfalls, 48

Disgruntled Dave, 48, 49

need for, 47

sharing, 50, 51

team motto, 57, 58

worst nightmare, 49

password authentication

enforce strong passwords, 186

password rotation, 186

secure reason, 186

user password, 185

security storm prevention

CEO question/answer, 181, 182

company, 180

management solution, 181

solution implementation, 185

user privileges management, 185

weighing in, 188

M

Misconfiguration error, 129

Multi-tenancy security

administrative tools, 117

CloudLog, 124

COBIT, 119

cross division/department privacy, 115

data encryption, 119

database encryption, 120

hybrid cloud, 115

IDC Enterprise Panel survey, 116

information assets, 114

ISACA, 119

IT organization, flexibility and scalability, 116

least privilege policies, 124, 125

outsourced storage and computing capacity, 114

PCI DSS, 119

Ponemon Institute report, 118

private cloud, 115

ad-hoc drill-down validation, 124

compliance reporting requirements, 123

ESX hypervisors, 123

guest operating systems, 123

information assets, deployment and management, 123

network computing, 123

VMware, 123

privilege misuse types, 117, 118

privileged account credentials protection, 119

privileged identity management, 117

privileged user access, 119

public clouds, 114

admin controls, 121

assessing and managing risk, 120

data protection, 122

NIST, 120

security and privacy, accountability, 120

security technologies, 122

service-level agreements, 122

uncertainty principle, 121

vendor priorities, 122

trusted digital identities, 121

weighing in, 125, 126

N

National Institute of Standards and Technology (NIST), 106, 120

O

Out-of-cycle patching, 129

P

Payment Card Industry Data Security Standards (PCI DSS), 119, 149, 150

Policy life cycle, 4

Privileged identity management (PIM), 85, 98, 117

access control

IT assets, 6

SUPM and SAPM, 6

application account, 5

asset information, 3

authentication process, 7

authorization, 5, 8

breaches in news, 8, 9

emergency account, 5

generic/shared administrative accounts, 5

legal/illegal information, 4

personal account, 5

policy life cycle, 4

solution, 143

specific costs, 4

superuser, 5

system, 168

traditional solution, 3

Privileged user, 130

Q, R

Registry and file system virtualization vulnerability, 62

Role-based access control (RBAC)

access control lists, 107

advanced access control, 106

cost and complexity, 106

financial application, 107

medical application, 107

multi-user and multi-application online systems, 106

NIST, 106

RunAs administrator vulnerability, 63

S

Sarbanes-Oxley (SOX), 150, 151

Secure Sam, 42, 58

administrator access rights, 43

business partner, weakest link, 45

common pitfalls, 44

face value projects, 43

mobile malware threats, 46

need for, 44

personal tablets and mobile computing devices, 46

smartphone security, 46, 47

WikiLeaks, 45

Server privilege, 79

architecture, 82, 83

black market, 81, 82

breaches, 80

carte-blanche access, 79

CETREL's security operations, 92

compliance Carl, 96

HIEs, 91

least privilege Lucy, 95

patching, 93, 94

privilege identity management system, 94

secure Sam, 95

storage, 80

Sudo

compliance implications, 88

Con Sudo, 87

licensed code vs. freeware, 86, 88

Pro Sudo, 87

Unix/Linux administrator, 86

vulnerabilities, 89

UNIX and Linux servers, least privilege implementation, 90

vulnerability scanning, 92

WikiLeaks (see WikiLeaks)

Servers, 17

Shared account password management (SAPM), 6

Super user privileged access management (SUPM), 6

Swiss Cheese Model, 56, 57

T

Tongue-in-cheek approach, 66, 67

Transaction monitoring, 130

U

User access control (UAC) security vulnerability, 62

V

Virtual environment, 17

Virtual environment protection

change-management process, 108

desktop registry and file system virtualization, 102, 103

desktop virtualization, 100, 101

“keys to the kingdom,” 108

least privilege solution, 108, 109

PIM, 98

privilege misuse types, 105, 106

RBAC (see Role-based access control)

security costs, 98

virtual shell game, 103

virtual sprawl, 103, 104

virtual theft

DARPA, 100

hypervisor, 98, 99

virtual guest vulnerability, 100

virtual-machine migration tool, 108

weighing-in, 109, 110, 111

Virtual shell game, 103

Virtualization (Med-V & App-V) vulnerability, 63

W, X, Y, Z

WikiLeaks

automated privilege access lifecycle management, 84

leveraging access, 84

multi-industry survey, 84

“needs must” basis, 85

White House attempt, 83

WikiWar

IT management, 86

metaphor, 85

open source solutions, 86

PIM, 85, 86

Windows desktops, group policy, 61

Active Directory, 73

compliance Carl, 76

“Do-Nothing” approach, 67, 68

Help Desk impact, 68, 69

individual's role, 62

least privilege

architecture, 73

implementation, 66, 67

Lucy, 76

Microsoft published vulnerabilities, 69, 70

MS AppLocker

administrator privileges, 65, 66

desktop security, 66

local administrator, 65

Safe Mode boot and AppID Service disable, 65

whitelist creation, 65

whitelist management, 65

MS UAC

administrative privilege, 64

administrator password, 64

computer protection, 63

corporate legal text/customized warnings, 63

security vulnerability, 63

standard users, 63

MS Windows 7, 62, 63

personal productivity, 75

Quintiles Transnational company, 74

secure Sam, 75

survey results

185 IT administrators survey, 71

application types, 72

configuration setting requirements, 72

fine-grained privilege access, 73

Legacy Applications and Least Privilege Access Management, 71

Sage and QuickBooks, 72

University of Winchester, 74, 75

Wild West, 70
