EPAS analyses the objective strength of passwords in selected target systems. Weak passwords are vulnerable to malicious cyber attacks. EPAS is able to assess unsalted, statically salted, as well as dynamically salted passwords. It is customized for system specific encryption and evaluates personal, as well as technical and system accounts.
EPAS PQENF is an optional, separately licensed password quality enforcement feature. EPAS PQENF integrates as an LSA module into the domain controller of a Windows Active Directory environment and ensures that passwords meet the necessary security requirements when they are set or changed, in line with a centralized policy mandated by the risk category of the information they protect. The new password is tested against the EPAS evaluation criteria and is accepted, or rejected if it fails to meet the defined security requirement. This means that formerly permitted passwords like “Password123” or “Secret!” are no longer accepted by EPAS.
EPAS generates audit reports for each audit job. An executive summary provides full text and graphical data to visualize and explain the passwords’ overall quality. Included are recovery reasons, structure, compliance status and various other statistical data. Passwords are never displayed in clear text.
EPAS was developed based on more than 15 years of IT-security auditing. Extensive experience from manual penetration tests consistently shows that, without resilient passwords, all other security measures are bound to fail. EPAS is unique and the only solution to offer a legally compliant view of your enterprise password landscape.
EPAS has been designed to meet the needs of modern enterprises. More than 30 different systems and databases, ranging from IBM, SAP and Oracle to Microsoft, are supported. Legally compliant reporting offers all security-relevant password data whilst respecting the protection of personal data and satisfying works councils' requirements.
EPAS audits the recovered passwords against two criteria: a customized password policy and an objective, entropy-based set of rules. EPAS can simulate various attack methods used by cyber criminals, such as dictionary or brute force attacks. Dictionaries are customizable with regard to language and customer-specific vocabulary or terms.
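The two evaluation criteria described above (a configurable policy plus an entropy-based, dictionary-aware estimate) and the accept/reject decision that EPAS PQENF applies to "Password123" and "Secret!" can be illustrated with a small evaluator. This is an added example, not EPAS code; the policy thresholds, the five-word dictionary and the per-class pool sizes are constructed assumptions.

```python
import math
import re

# Constructed stand-in for a customer-specific dictionary (assumption, not the product's list).
DICTIONARY = {"password", "secret", "welcome", "summer", "detack"}

# Hypothetical policy for one risk category (assumption); real policies are customer-defined.
POLICY = {"min_length": 12, "min_entropy_bits": 50, "min_classes": 3}

# Character classes and the alphabet size each adds to a brute-force search space.
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]


def pool_size(s: str) -> int:
    # Alphabet an exhaustive attack would have to cover for the classes present in s.
    return sum(n for pattern, n in CLASSES if re.search(pattern, s))


def brute_force_bits(s: str) -> float:
    # log2(pool ** length): bits of search space for a pure brute-force attack on s.
    return len(s) * math.log2(pool_size(s)) if s else 0.0


def entropy_bits(pw: str) -> float:
    # Dictionary rule: a listed word with a digit/symbol prefix or suffix is one token
    # (log2 of the dictionary size) plus one bit for capitalisation plus brute force on the rest.
    m = re.fullmatch(r"([^A-Za-z]*)([A-Za-z]+)([^A-Za-z]*)", pw)
    if m and m.group(2).lower() in DICTIONARY:
        prefix, word, suffix = m.groups()
        word_bits = math.log2(len(DICTIONARY)) + (1 if word != word.lower() else 0)
        return word_bits + brute_force_bits(prefix) + brute_force_bits(suffix)
    return brute_force_bits(pw)


def evaluate(pw: str) -> dict:
    # Accept/reject decision with every failed rule; the password itself is never echoed.
    reasons = []
    if len(pw) < POLICY["min_length"]:
        reasons.append("length below %d" % POLICY["min_length"])
    classes = sum(1 for pattern, _ in CLASSES if re.search(pattern, pw))
    if classes < POLICY["min_classes"]:
        reasons.append("fewer than %d character classes" % POLICY["min_classes"])
    bits = entropy_bits(pw)
    if bits < POLICY["min_entropy_bits"]:
        reasons.append("estimated %.1f bits below %d" % (bits, POLICY["min_entropy_bits"]))
    return {"accepted": not reasons, "entropy_bits": round(bits, 1), "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("Password123", "Secret!", "Xk7#pLq9!wRz2"):
        print(evaluate(candidate))
```

Both of the page's examples are rejected on length and on the dictionary-adjusted entropy (about 13 and 8 bits), while the random 13-character string passes at roughly 85 bits.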
Recovered passwords are checked for multiple use. A password can either be used several times by the same user on different systems, or one password can be used by several users. Both situations pose a high security risk and call for immediate risk mitigation measures.
In addition to personal (“heartbeat”) user accounts, all technical and system accounts are assessed and evaluated by EPAS. These accounts often authenticate using very simple passwords, default vendor passwords, or no password at all. Yet they usually have the highest privileges and are sometimes even exempt from a password policy. The authentication of technical and system accounts to other systems is one of the largest IT security risks.
Automatic notification is used to prompt users to change their passwords if these are too weak or otherwise do not comply with the defined audit parameters. The same feature automatically notifies the service administrator when a password audit job has completed and a report is available.
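The multiple-use check described above (one user reusing a password across systems, and one password shared by several users) can be run over recovered audit records while keeping the report free of clear-text passwords, as the page requires. This is an added example, not EPAS code; the records, the system names and the per-job fingerprint key are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed audit records: (account, system, recovered password). Sample data only.
RECOVERED = [
    ("alice", "ActiveDirectory", "Summer2016!"),
    ("alice", "SAP-ABAP", "Summer2016!"),
    ("alice", "Oracle", "Xk7#pLq9!wRz2"),
    ("bob", "ActiveDirectory", "Summer2016!"),
    ("carol", "MySQL", "Welcome1"),
    ("dave", "Linux", "Welcome1"),
    ("erin", "Domino", "Tq4!vZ8mRb2#"),
]

# Per-audit secret for fingerprints (assumption: constructed here, generated per job in practice).
AUDIT_KEY = b"constructed-audit-key"


def fingerprint(password: str) -> str:
    # Keyed, truncated hash: lets the report correlate reuse without ever showing clear text.
    return hashlib.sha256(AUDIT_KEY + password.encode()).hexdigest()[:12]


def find_reuse(records):
    by_user = defaultdict(lambda: defaultdict(set))  # user -> fingerprint -> systems
    by_pw = defaultdict(set)                          # fingerprint -> users
    for user, system, pw in records:
        fp = fingerprint(pw)
        by_user[user][fp].add(system)
        by_pw[fp].add(user)
    # Case 1: the same user with one password on more than one system.
    cross_system = {}
    for user, fps in by_user.items():
        hits = {fp: sorted(systems) for fp, systems in fps.items() if len(systems) > 1}
        if hits:
            cross_system[user] = hits
    # Case 2: one password (by fingerprint) in use by more than one user.
    shared = {fp: sorted(users) for fp, users in by_pw.items() if len(users) > 1}
    return {"same_user_cross_system": cross_system, "shared_between_users": shared}


if __name__ == "__main__":
    print(find_reuse(RECOVERED))
```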
An intelligent job and queuing system permits programmable, regular password auditing with no job collisions. EPAS is highly scalable. It can process simultaneous parallel tasks and can audit millions of accounts on different systems over a single weekend.
All data EPAS processes is permanently encrypted. Trusted Computing is used to seal the platform, and an additional TPM chip secures software and data integrity by cryptographic means. EPAS applies various hardware and software monitoring elements to detect physical or software intrusion attempts. Security failsafe mechanisms log such events and shut the system down in case of an intrusion attempt.
EPAS can audit several types of systems, ranging from Microsoft products to IBM products (iSeries, zSeries, Domino) and other systems such as UNIX based systems, LDAP directories and the main database backends. The following system types are supported for account profile and password hash extraction:
Microsoft Active Directory Accounts
Microsoft Windows Local Accounts
IBM System z – zSeries – S/390 RACF (z/OS, z/VM)
IBM System i – iSeries – AS/400
IBM System p – pSeries – RS/6000 AIX
IBM Lotus Domino Application Server
BSD Operating System
Linux Operating System
Sun Solaris – SunOS
Apache Basic – htpasswd
SAP NetWeaver – ABAP AS
LDAP Authentication Server
MSSQL System Accounts
MySQL System Accounts
Oracle System Accounts
PostgreSQL System Accounts
Sybase ASE System Accounts
DB2 Database Custom Application
Informix Database Custom Application
MaxDB Database Custom Application
MSSQL Custom Database Application
MySQL Database Custom Application
Oracle Database Custom Application
PostgreSQL Custom Database Application
Sybase ASA Database Custom Application
Sybase ASE Database Custom Application
Besides standard target systems, EPAS also supports application specific password encryption with data stored in several database types.
EPAS employs only legitimate, vendor-approved methods for retrieving the password data from audited systems. With such methods there is no risk of crashing the target, and no activity is falsely detected or reported as malicious by antivirus or malware detection tools.
Detack will be participating at the Munich Tech Days 2016 (13.07. + 14.07.). Come and join our workshop "The Password Zone – an Attackers View on Passwords and how to Measure Password Attack Resilience".
Ludwigsburg, June 9th. Detack GmbH and its partner Praetors AG are proud to announce that the United States Patent and Trademark Office (USPTO) has granted U.S. patent no. 9,292,681 B2 for technology employed by its Enterprise Password Assessment Solution EPAS.
Ludwigsburg/Germany, February 25 - Detack GmbH will be part of this year's RSA Conference to introduce its unique Enterprise Password Assessment Solution EPAS to the North American market. As an independent supplier of high-quality IT security audits and in-house developed IT security products, Detack will be present in San Francisco from February 29 – March 3 as part of the German pavilion, North Expo Booth N4020/03.
Celebrating its 25th anniversary this year, RSA Conference continues to drive the information security agenda worldwide. Detack will be exhibiting at booth 4020/3 at the German TeleTrust pavilion, February 29th – March 4th 2016.