EPAS is a patented (USPTO 9,292,681 B2, EP2767922) solution developed by Detack GmbH and its Swiss partner Praetors AG. It is an on-premises SaaS solution for enterprise-wide, automatic and regular password quality assessment and enforcement for a wide range of systems. EPAS addresses the overwhelming issue of maintaining secure passwords in large, heterogeneous environments containing Microsoft A/D, Linux/UNIX, IBM System z, SAP and more.
EPAS uses a self-developed, patented technology in order to extract all relevant password data from a target system and to use this information as well as bundled intelligence data and analytics algorithms to assess the resilience of passwords against attacks.
The password quality assessment determines the resilience of existing passwords against attacks: if they are sufficiently complex to resist brute force and dictionary attacks, if they are shared by multiple accounts, or if they are present in leaked credentials databases – with databases kept up to date, ensuring that the on-premises data contains all the credentials leaked over the past 20+ years. This covers all the password-related compliance requirements of major standards, such as NIST recommendations.
EPAS employs only legitimate cipher text extraction methods and therefore does not cause any system availability risk for the target, i.e., there is no "hacking" involved.
EPAS has been designed to meet the needs of modern enterprises. More than 30 different systems and databases, ranging from IBM, SAP, Linux/UNIX, Oracle to Microsoft, are supported. Legally compliant reporting offers all security relevant password data whilst respecting the protection of personal data and satisfying the strictest privacy requirements and legislation. EPAS is an on-premises SaaS solution delivered through appliances which are integrated into the client's data center.
The EPAS Enforcer prevents the use of weak, reused, or shared passwords whenever the password is changed. It also prevents users from setting passwords which have already been leaked, by checking them against all the credentials leaked over the past 20+ years. EPAS Enforcer integrates with Windows Active Directory domain controllers, Windows servers, Linux systems, etc., and ensures that passwords meet defined security requirements when set or changed, in line with a centralized policy mandated by the risk category of the information they protect. The new password is tested against the EPAS evaluation criteria and is accepted or rejected, depending on the defined security requirements.
If the password change attempt is unsuccessful, on supported systems, EPAS Enforcer displays the failure reasons (e.g., “Password must not be present in leaked credentials databases.”) to the end user. The security requirements for a password result from the security classification of the data to be protected, based on customer specific measurements.
EPAS generates audit reports for each audit job. An executive summary provides full text and graphical data to visualize and explain the passwords’ overall quality. Included are recovery reasons, structure, compliance status and various other statistical data. Passwords are never displayed in clear text.
EPAS was developed based on more than 20 years of IT-security auditing. The extensive experience of manual penetration tests consistently shows that, without resilient passwords, all security measures are bound to fail. EPAS is unique and the only solution to offer a legally compliant view of your enterprise password landscape.
EPAS audits the recovered passwords against two criteria: a customized password policy and an objective, entropy-based set of rules. EPAS simulates various attack methods used by cyber criminals, such as dictionary probing, brute force attacks, password spraying based on leaked credentials, or combinations of such methods. The latest generation of hardware-based acceleration is used for all cryptographic operations. Dictionaries are customizable regarding language and customer specific vocabulary or terms.
Recovered passwords are checked for multiple use. A password can either be used several times by the same user on different systems, or one password can be used by several users. Both situations pose a high security risk and are subject to immediate risk mitigation measures.
Up-to-date databases containing all the credentials leaked over the past 20+ years are stored within the EPAS appliance and used to detect whether any of the existing passwords have already been exposed. This data is used both by EPAS Audit, to detect such passwords, and by EPAS Enforcer, to prevent their use. This feature effectively blocks attacks using leaked credentials and satisfies compliance requirements.
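The three audit checks described above (one password used by several users, one user reusing a password across systems, and presence in a leaked-credentials database), plus an Enforcer-style rejection with failure reasons as in the earlier section, as an added Python example; this is not EPAS code, and the sample records, the leaked list, the per-job report key and the 12-character minimum are all constructed assumptions. Findings reference a keyed fingerprint rather than the password, so the report never contains cleartext.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed audit output: (system, account, recovered password). In a real
# audit these come from the hash-extraction and recovery phase; every value
# here is made up for the example.
RECOVERED = [
    ("ad.example", "alice", "Summer2023!"),
    ("linux-db01", "alice", "Summer2023!"),  # alice: same password on two systems
    ("ad.example", "bob", "Welcome1"),
    ("sap-prd", "carol", "Welcome1"),        # bob and carol share one password
    ("ad.example", "dave", "x9#Lq!v2Rt$eW"),
    ("linux-db01", "erin", "password"),
]

# Constructed stand-in for a leaked-credentials database, stored as SHA-1
# digests (a common distribution format) rather than cleartext.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("password", "Welcome1")}

# Assumption: a random key per audit job. Findings reference an HMAC
# fingerprint, so the report never contains a cleartext password.
REPORT_KEY = b"constructed-per-job-key"


def fingerprint(password: str) -> str:
    return hmac.new(REPORT_KEY, password.encode(), "sha256").hexdigest()[:16]


def is_leaked(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest() in LEAKED_SHA1


def audit(records):
    """Detect shared, cross-system reused and leaked passwords."""
    holders = defaultdict(list)  # fingerprint -> [(system, account)]
    for system, account, password in records:
        holders[fingerprint(password)].append((system, account))
    shared, reused, leaked = {}, {}, {}
    for fp, accounts in holders.items():
        users = sorted({acct for _, acct in accounts})
        if len(users) > 1:  # one password used by several users
            shared[fp] = users
        for user in users:  # one user, same password on several systems
            systems = sorted(s for s, acct in accounts if acct == user)
            if len(systems) > 1:
                reused.setdefault(fp, {})[user] = systems
    for system, account, password in records:
        if is_leaked(password):
            leaked.setdefault(fingerprint(password), []).append((system, account))
    return {"shared": shared, "reused": reused, "leaked": leaked}


def enforce(candidate: str, account: str, records, min_length: int = 12):
    """Enforcer-style check at password change; returns the rejection reasons."""
    reasons = []
    if len(candidate) < min_length:  # assumed policy: 12-character minimum
        reasons.append(f"Password must be at least {min_length} characters long.")
    if is_leaked(candidate):
        reasons.append("Password must not be present in leaked credentials databases.")
    fp = fingerprint(candidate)
    if any(fingerprint(pw) == fp and acct != account for _, acct, pw in records):
        reasons.append("Password is already in use by another account.")
    return reasons
```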
EPAS integrates out of the box with several enterprise security applications, such as CyberArk solutions. Without any customization, EPAS already provides extensive automation in job management and notifications. Additionally, a standardized (REST) API allows flexible integration with any enterprise system with minimal effort.
An intelligent job and queuing system permits programmable, regular password auditing with no job collisions. EPAS is highly scalable. A central installation with satellite units can process simultaneous parallel tasks and can audit millions of accounts on different systems, from multiple datacentres, over a single weekend, with no human intervention.
All data EPAS processes is permanently encrypted. Trusted Computing, backed by a hardware TPM, is used to seal the platform and to ensure data integrity. EPAS employs both hardware and software monitoring elements to detect physical or software intrusion attempts. Security failsafe mechanisms log events and shut down in case of intrusion attempts.
EPAS can audit several types of systems, ranging from Microsoft products to IBM products (iSeries, zSeries, Domino) and other systems such as UNIX based systems, LDAP directories and the main database backends. The following system types are supported for account profile and password hash extraction:
Microsoft Active Directory Accounts
Microsoft Windows Local Accounts
IBM System z – zSeries – S/390 RACF (z/OS, z/VM)
IBM System i – iSeries – AS/400
IBM System p – pSeries – RS/6000 – AIX
IBM Lotus Domino Application Server
BSD Operating System
Linux Operating System
Sun Solaris – SunOS
Apache Basic – htpasswd
SAP NetWeaver – ABAP AS
LDAP Authentication Server
Apple macOS – Mac OS X
Cisco ISE – ASA – IOS – NX-OS
MongoDB System Accounts
MSSQL System Accounts
MySQL System Accounts
Oracle System Accounts
PostgreSQL System Accounts
Sybase ASE System Accounts
DB2 Database Custom Application
Informix Database Custom Application
MaxDB Database Custom Application
MSSQL Custom Database Application
MySQL Database Custom Application
Oracle Database Custom Application
PostgreSQL Custom Database Application
Sybase ASA Database Custom Application
Sybase ASE Database Custom Application
Besides standard target systems, EPAS also supports application specific password encryption with data stored in several database types. EPAS employs only legitimate, vendor approved methods for retrieving the password data from audited systems. By using such methods, there is no risk to crash the target and there are no potentially malicious activities falsely detected or reported by antivirus or malware detection tools.
Microsoft Active Directory
Linux Accounts / PAM
Microsoft Windows Accounts
Microsoft Azure AD / Hybrid
Microsoft SQL Server
Micro Focus NetIQ SSPR
Web-Based Password Management
The National Institute of Standards and Technology (NIST) is one of the authorities which sets the best practices on how to secure identities and authentication of users. The updated version of NIST Special Publication 800-63 “Digital Identity Guidelines” was released in 2019. Various companies and organizations use NIST guidelines to establish their security practices, while US federal agencies are required to comply with NIST 800-63.
These guidelines follow the Digital Identity Guidelines defined in the NIST Special Publication 800-63B. The following requirements notation and conventions are part of the aforementioned document. Whenever EPAS provides a feature that helps implement the given NIST recommendation, the feature is mentioned, together with the recommendation it covers, as well as a short explanation. A table summarizing the NIST recommendations covered is provided at the end. This document is intended as guidance for companies and organizations aiming to achieve compliance with NIST recommendations with the help of EPAS.
ISO 27001 (officially known as ISO/IEC 27001:2013) is an international information security standard. This standard is used in an organization to implement, maintain, and to improve an information security management system (ISMS). Policies and procedures, including the legal, technical and physical controls involved in a company’s IT risk management processes, are part of the ISMS.
Implementing ISO 27001 supports organizations in blocking security risks, protecting sensitive data, and identifying the scope and bounds of their security programs. EPAS strongly assists organizations in managing specific requirements. In the following, EPAS is mapped to the related ISO/IEC 27001:2013 control objectives and controls taken from Annex A.
The Payment Card Industry (PCI) initiated the first Data Security Standard (DSS) in 2004. Various revisions and updates have been done to the requirements since then. The PCI DSS contains twelve requirements for compliance, clustered by six logically connected controlled objectives.
PCI DSS provides the bare minimum requirements for protection against breaches which have occurred in the past. Therefore, it is of significant importance to the payment card ecosystem. EPAS assists organizations in preventing breaches based on several PCI DSS requirements, and especially one of the essential security rules of the standard concerning vendor default passwords and weak or shared passwords. In the following, EPAS features are mapped to the related PCI DSS requirements.
A strategic priority for the United Arab Emirates is managing cyber threats and assuring the implementation of a secure national communications and information infrastructure. Therefore, the Telecommunications Regulatory Authority (TRA) implemented the UAE Information Assurance Regulation v1.1 (IAR, March 2020) as a crucial component of the National Information Assurance Framework (NIAF) to specify prerequisites for enhancing the level of IA across all implementing organizations in the UAE. The UAE IA Standards provide technical and management data security controls to provide, develop, manage, and regularly update information assurance.
TRA IA Regulation provides in-depth requirements for protection against cyber attacks, as well as indications of how to secure and maintain an IT infrastructure. The TRA IAR draws security relevant controls from existing standards (ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO/IEC 27010, ISO/IEC 27032, NIST 800-53 R4, ADSICv1, ADSICv2, etc.) while enhancing subcontrols and providing in-depth information about example implementations.
EPAS assists organizations in preventing breaches based on several TRA IAR recommendations, as detailed in the following pages. In the following, the integrated relationships and interactions among the individual sector entities implementing the TRA IAR are presented.
Detack participates in a strategic meeting with Queensland's Treasurer, Hon. Cameron Dick, Minister for Trade and Investment, and his team in Frankfurt to discuss establishing a subsidiary company and regional hub in Queensland.
Detack is honoured to be the gold sponsor of Team Oceania, who impressively achieved 2nd place at the IC3 Games in San Diego.
Detack supports the renowned cybersecurity expert Troy Hunt. Known for creating "Have I Been Pwned", Hunt aligns with Detack's mission to provide top-tier IT security.
Detack is delighted to announce a new collaboration with the University of Queensland Cyber. This partnership aims to advance knowledge and promote innovation in the field of cybersecurity.
Detack sponsors PasswordsCon 2023 in Bergen, Norway, as an industry partner. Passwords and other authentication solutions will be the primary focus of this conference, which will bring together experts in password security from all over the world.
Detack meets Prof. Ryan Ko, Chair and Director of UQ Cyber, visits the UQ Cyber Security Hub and sponsors the participation of Team Oceania at the International Cybersecurity Championship 2023 in San Diego.
Detack sponsors the activities of Troy Hunt, the creator of @haveibeenpwned.
Discover how security is compromised today by exploiting password authentication weaknesses, with and without Multi-factor Authentication. We will explore how Detack's clients prevent security incidents and achieve compliance for user authentication on mainframes with EPAS.
Detack participates in the 2021 edition of the European Cybersecurity Certification Conference. The conference focuses on the future EU cybersecurity certification schemes.
Detack participates in the European Innovation Council Summit 2021. The EIC was launched in March 2021 and the summit offers a cooperation platform for European start-ups, SMEs, innovators and investors.
Experts from Detack participate actively in the TeleTrusT working group "State-of-the-art" and support the ongoing development and adaptation of the TeleTrusT Manual for "State-of-the-art", which was first published in 2016.
Detack participates in the first part of the German-Australian Growth Summit. The summit aims to bring together the key business leaders from Australia and Germany in order to raise the level of business and technological cooperation between the two countries.
Detack participates virtually in the GovWare Conference Singapore 2021. The conference takes place during Singapore Cyber Week 2021 and presents the latest trends in global cybersecurity, with a focus on technology, organizational implementation and user perspectives.
Detack participates in the High-Level Conference on AI. The event presents the harmonised rules on Artificial Intelligence (AI) and the updated Coordinated Plan on AI, published by the European Commission in April 2021 in order to establish better AI cooperation in the EU.
Detack participates in a 5-day virtual innovation tour to Singapore. The aim of the project is to support an exchange on innovative solutions and technologies in the field of smart cities and on the development of modern business models in the same context.
Detack participates in the "Gulf Information Security Expo and Conference" (GISEC) 2021 in Dubai. GISEC is the largest and most impactful cybersecurity exhibition in the UAE.
Praetors AG represents Detack at the virtual Swiss Cyber Security Days (SCSD) 2021. The SCSD presents innovative cybersecurity solutions to protect critical infrastructure and brings together the Swiss cybersecurity stakeholders in order to achieve effective cooperation.
Costin Enache, managing director at Detack, leads the panel discussion entitled "Mainframe passwords revisited: impact of the new security mechanisms" at the GSE UK Security Working Group conference.
Detack participates in the virtual Cybersecurity Standardization Conference. The conference aims to foster the exchange among the various European cybersecurity stakeholders in order to further accelerate the implementation of the European Cybersecurity Act.
Detack takes part in a virtual business delegation and industry conference focused on the mining industry in Australia; the delegation is supported by the German Federal Ministry for Economic Affairs and Energy. The slide deck is available.
Detack participates in the ECSO Cyber Solidarity Campaign.
You can meet Detack and its regional partners at the "Cybersecurity – You Cannot Live Without It" workshop, presented by SGInnovate & Tegasus International, on February 3rd, 2020 in Singapore.
For the second time, Detack is present at the CTI-EU Conference in Brussels. ENISA organizes this event with the aim of supporting the exchange of ideas and experiences between CTI experts across Europe.
In 2019, Detack is participating again in the RSA Conference in San Francisco, USA (March 4th – 8th, 2019). You can find us at the TeleTrusT German Pavilion (Booth No. 5671-4). The RSAC is the world's leading IT security event with international participation. Find out more about RSAC: https://www.rsaconference.com/events/us19
John Waters, director of sales at Detack, was invited to give a presentation on the paradigm shift in password security for the webinar series "Bitkom Security Insights". A recording of the webinar is available.
Detack took part in the High-Level Roundtable on Europe's Cyber Future organised by the European Cyber Security Organisation (ECSO). The aim of the roundtable was to bring together key decision-makers from the European Union (EU) institutions, Member States and the private sector and to engage them in a dialogue on how the European cyber security environment can be further developed.
Detack is present at the "2020 Cyber Riskers Talk Show" event in Sydney. This is one of the regular meetings of Australian experts in the fields of cyber security and risk management in the Sydney area.
Detack's representative is elected as one of the chairs of SWG 5.3: Awareness. The SWG promotes topics such as awareness-raising and basic hygiene skills in the European Union.
At this year’s PITS (Public-IT-Security) event, Detack will participate as an exhibitor as well as with a presentation in the expert round "Secure Access Rights". Visit us on site!
Detack GmbH will give a presentation on the topic of password security at the IHK (Chamber of Industry and Commerce) event "IT Security in SMEs #6" between 7.30 pm and 8.30 pm on May 9th, 2018 in Stuttgart.
As in the past two years, Detack will again be participating as part of the TeleTrusT German Pavilion at the RSA Conference in San Francisco (April 16th – 20th, 2018). The RSAC is the world's leading IT security event with international participation.
TeleTrusT and Detack GmbH (TeleTrusT Regional Office Stuttgart) are organizing an information and discussion meeting on the topic "state of the art according to the EU General Data Protection Regulation" in the "Residenzschloss" (residential castle) in Ludwigsburg on March 21st. The press release can be downloaded below.
it-sa 2017 (taking place October 10th – 12th, 2017) is the only IT security exhibition in the German-speaking region. Detack will be exhibiting at booth 9-210 at the joint stand of BITKOM. Do not hesitate to contact us regarding an appointment, or just come by!
For the first time, Detack will be present, together with its Malaysian partner SecureMetric, at the Future of Finance Summit from June 8th – 9th, 2017 in Singapore: an exciting, all-inclusive annual gathering that brings together a wide range of players (banks, fintech players, insurance companies, asset managers, investors and customers) who are shaping the future of finance. The Future of Finance will be a dialogue between the institutions and the customer, so that they can experience and communicate their expectations of the industry.
Detack, in cooperation with its partner RHT, is organizing a breakfast and a presentation on June 7th, 2017 in Singapore on how modern technology can be employed to avoid becoming the victim of an IT security attack. We will discuss password-related IT security risks and meeting regulatory requirements without switching from passwords to alternative technologies, and we will show you how the solution proposed by RHT and Detack, EPAS, has helped enterprises in over 30 countries.
On January 23rd 2017 the event MEET SWISS INFOSEC! will again take place in Zurich, Switzerland. It is the leading event for IT Security in Switzerland, attracting both national and international IT Security experts and interested parties. Detack will again be talking about the topic of authentication with the presentation “Authentication 4.0 – Who am I?”