CyberArk DNA now detects pass-the-hash vulnerabilities
By Digital News Asia February 28, 2014
- Pass-the-hash attacks frequently used as attack vector in advanced threats
- Used to harvest hashes to steal access to privileged systems and machines
ENTERPRISE security company CyberArk has unveiled the latest version of its Discovery & Audit (DNA) tool, which it said identifies and maps exposed privileged password hashes and all related vulnerable machines on a network.
CyberArk DNA is a patent-pending, lightweight, standalone tool that exposes the magnitude of privileged account security risks by enabling organisations to easily identify and analyse all privileged accounts across their network, the company said in a statement.
Pass-the-hash attacks represent a significant risk to organisations because they are frequently used as an attack vector in advanced threats, CyberArk said.
These attacks capture account logon credentials on one computer and then use those credentials to gain access to other computers on the same network.
Attackers use this technique to gain a foothold and harvest hashes to steal access to privileged systems and machines, travelling across the network until reaching their ultimate target – a company’s intellectual property or data.
“Pass-the-hash attacks have been an attack vector in some of the most spectacular breaches, and they continue to be a major threat to businesses,” said Roy Adar, vice president of product management at CyberArk.
“Understanding the extent of the vulnerability is the critical first step in mitigating the risk of pass-the-hash.
CyberArk DNA is the only tool on the market designed to identify and visualise an organisation’s privileged account risk exposure – being able to simultaneously scan for pass-the-hash vulnerabilities is a natural extension of the security and audit tool,” he added.
Password hashes serve as an authenticator across a network, making them a priority target for attackers. Hashes on endpoints often include the privileged credentials of a network administrator, or services that perform privileged actions on the endpoint, CyberArk said.
Attackers who penetrate these endpoints can steal the hashes to escalate their network privileges to help carry out their attack. Because of this, tight control and security of privileged credentials can dramatically reduce a company’s exposure to pass-the-hash attacks.
The first step in addressing pass-the-hash vulnerabilities is to understand the risk landscape in the enterprise. CyberArk DNA v4 is the first tool to identify password hashes, locating all vulnerable machines on a network to provide the most accurate and reliable data about an organisation’s exposure, the company claimed.
Best practices for protecting against pass-the-hash attacks include:
- Securing administrative access to machines with password masking and aging credentials. This reduces the risk of attackers gaining access to the hashes;
- Frequently changing privileged account passwords (CyberArk recommends automating password changes and restricting them to one-time use to ensure tight security standards); and
- Implementing and enforcing least privileges for all administrators.
CyberArk DNA v4 is available immediately. For a free trial of CyberArk DNA or for more information, click here. For more information on how CyberArk protects against pass-the-hash attacks, click here.
The end of passwords, and other IT predictions
CyberArk unveils Master Policy, new approach to privileged account security