Today we are announcing the release of our latest whitepaper that includes the results of a research project performed for CA Technologies earlier this year. The focus of the research was to determine the effectiveness of the security controls provided by the CA Privileged Identity Manager (CA PIM) solution against attacks that target privileged identities. Privilege Identity Management is an approach for reducing risk and securing super user accounts. These accounts are required in every IT organization for performing system administrator tasks and the CA PIM solution aims to provide access and account management through a variety of security controls.
The CA PIM components that were considered in scope for the research project were the following:
Fine-Grained Access Controls – Layers access controls on top of the native operating system for protecting privileged accounts. In the event a privileged account is compromised, access to the compromised system is restricted.
Granular Audit Logging – Provides audit logging or tracking identity and actions of privileged accounts even in shared account scenarios. Combined with enforced fine-grained access controls, this is intended to help with early detection of privileged account compromise.
Application Jailing – Provides the ability to enforce fine-grained access controls on applications and processes. By limiting the system resources that can be accessed by an application, those resources are inaccessible to an attacker in the event a vulnerability is exploited, including previously unknown 0-day vulnerabilities.
The research performed included the following major activities:
Learning PIM and Initial Setup - The GDS Labs research team started with zero knowledge of the platform and learned about its features and capabilities through setting up common deployment scenarios, reviewing administrator guides, and receiving guidance from CA PIM product support. Additionally, profiling of the relevant agent processes was performed to identify system resources accessed, network communications, etc.
Threat and Countermeasure Enumeration - Research activities investigated how CA PIM can be deployed to mitigate common security threat vectors and attacks that target privileged users. The threats and attacks were narrowed to those relevant to the in-scope CA PIM components. Various CA PIM access control policies and configuration settings were identified as potential countermeasures.
Solution Mitigation Verification - Selected validation testing was performed to determine the resiliency of configured CA PIM policies against common bypass techniques and exploits relevant to fine-grained access controls. Additionally, CA PIM’s intercepting kernel agent architecture as well as sudo, shell wrapper, and proxy control architectures were compared and evaluated to determine their resiliency to the threats and attacks.
A penetration testing assessment of the product was not performed as part of this phase of the research project. Recommendations for improving the security posture of the product were provided to CA where relevant.
The whitepaper containing the results from our research can be downloaded from our Github page: