EPAS analyses the objective strength of passwords in selected target systems. Weak passwords are vulnerable to malicious cyber attacks. EPAS is able to assess unsalted, statically salted, as well as dynamically salted passwords. It is customized for system-specific encryption and evaluates personal as well as technical and system accounts.
EPAS Enforcer is a password quality enforcement component, provided as a licensed feature of EPAS. EPAS Enforcer for A/D integrates as an LSA filter on the Windows Active Directory domain controllers and ensures that passwords meet defined security requirements when set or changed, in line with a centralized policy mandated by the risk category of the information they protect. The new password is tested against the EPAS evaluation criteria and is accepted or rejected, depending on the defined security requirements. This means that formerly permitted passwords like “Password123” or “Secret!” are not accepted any longer by the computer.
EPAS generates audit reports for each audit job. An executive summary provides full text and graphical data to visualize and explain the passwords’ overall quality. Included are recovery reasons, structure, compliance status and various other statistical data. Passwords are never displayed in clear text.
EPAS was developed based on more than 15 years of IT-security auditing. The extensive experience of manual penetration tests consistently shows that, without resilient passwords, all other security measures are bound to fail. EPAS is unique and the only solution to offer a legally compliant view of your enterprise password landscape.
EPAS has been designed to meet the needs of modern enterprises. More than 30 different systems and databases, ranging from IBM, SAP and Oracle to Microsoft, are supported. Legally compliant reporting offers all security-relevant password data whilst respecting the protection of personal data and satisfying works councils' requirements.
EPAS audits the recovered passwords against two criteria: a customized password policy and an objective, entropy-based set of rules. EPAS can simulate various attack methods used by cyber criminals, such as dictionary or brute force attacks. Dictionaries are customizable regarding language and customer-specific vocabulary or terms.
Recovered passwords are checked for multiple use. A password can either be used several times by the same user on different systems, or one password can be used by several users. Both situations pose a high security risk and are subject to immediate risk mitigation measures.
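The two checks described above, a policy plus entropy-based rule set and the multiple-use check across accounts and systems, as an added illustration that is not EPAS code: the dictionary, the thresholds, the leetspeak mapping and the audit records are constructed for the example, and the entropy estimate is a simplified search-space model rather than the product's own rule set.

```python
import hashlib
import math
import re
from collections import defaultdict

# Constructed dictionary; a real audit loads language- and customer-specific word lists.
DICTIONARY = {"password", "secret", "welcome", "admin", "detack"}
MIN_LENGTH = 10                         # hypothetical policy values
MIN_ENTROPY_BITS = 40.0
LEET = str.maketrans("@$013", "aseol")  # minimal leetspeak normalisation (assumption)

def entropy_bits(pw: str) -> float:
    """Search-space estimate: a leading dictionary word costs only log2(|DICTIONARY|) bits."""
    charset = sum(n for pat, n in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10),
                                   (r"[^A-Za-z\d]", 33)) if re.search(pat, pw)) or 1
    norm = pw.lower().translate(LEET)
    base = max((w for w in DICTIONARY if norm.startswith(w)), key=len, default="")
    rest = len(pw) - len(base)          # characters not explained by the dictionary word
    return (math.log2(len(DICTIONARY)) if base else 0.0) + rest * math.log2(charset)

def evaluate(pw: str) -> list:
    """Policy plus entropy check; an empty list means the password would be accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if entropy_bits(pw) < MIN_ENTROPY_BITS:
        reasons.append("below entropy threshold")
    if pw.lower().rstrip("0123456789!?.").translate(LEET) in DICTIONARY:
        reasons.append("dictionary word plus trivial suffix")
    return reasons

def report_key(pw: str) -> str:
    """Opaque report identifier so that findings never carry the clear-text password."""
    return hashlib.sha256(pw.encode()).hexdigest()[:12]

def find_reuse(records):
    """records: (account, system, recovered password). Returns shared and cross-system reuse."""
    by_pw, by_account_pw = defaultdict(set), defaultdict(set)
    for account, system, pw in records:
        by_pw[pw].add(account)                      # one password, several accounts
        by_account_pw[(account, pw)].add(system)    # one account, same password, several systems
    shared = {report_key(pw): sorted(a) for pw, a in by_pw.items() if len(a) > 1}
    cross = {(acct, report_key(pw)): sorted(s)
             for (acct, pw), s in by_account_pw.items() if len(s) > 1}
    return shared, cross

RECORDS = [  # constructed sample audit records
    ("alice", "AD", "Password123"), ("bob", "AD", "Password123"),
    ("carol", "AD", "xK9#mQ2vL7!p"), ("carol", "Oracle", "xK9#mQ2vL7!p"),
    ("svc_backup", "MSSQL", "Secret!"),
]
```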
In addition to “heartbeat” users, all technical and system accounts are assessed and evaluated by EPAS. These accounts authenticate by using either very simple passwords, default vendor passwords, or no password at all. Yet these accounts usually have the highest privileges and are sometimes even exempt from a password policy. The authentication of technical and system accounts to other systems is one of the largest IT security risks.
Automatic notification is used to prompt users to change their passwords if they are too weak or otherwise do not comply with the defined audit parameters. The same feature automatically notifies the service administrator of a completed password audit job and the availability of a report.
An intelligent job and queuing system permits programmable, regular password auditing with no job collisions. EPAS is highly scalable. It can process simultaneous parallel tasks and can audit millions of accounts on different systems over a single weekend.
All data EPAS processes is permanently encrypted. Trusted Computing is used to seal the platform, and an additional TPM chip secures software and data integrity by employing cryptographic methods. EPAS applies various hardware and software monitoring elements to detect physical or software intrusion attempts. Security failsafe mechanisms log events and shut the system down in case of intrusion attempts.
EPAS can audit several types of systems, ranging from Microsoft products to IBM products (iSeries, zSeries, Domino) and other systems such as UNIX based systems, LDAP directories and the main database backends. The following system types are supported for account profile and password hash extraction:
Microsoft Active Directory Accounts
Microsoft Windows Local Accounts
IBM System z – zSeries – S/390 RACF (z/OS, z/VM)
IBM System i – iSeries – AS/400
IBM System p – pSeries – RS/6000 AIX
IBM Lotus Domino Application Server
BSD Operating System
Linux Operating System
Sun Solaris – SunOS
Apache Basic – htpasswd
SAP NetWeaver – ABAP AS
LDAP Authentication Server
MSSQL System Accounts
MySQL System Accounts
Oracle System Accounts
PostgreSQL System Accounts
Sybase ASE System Accounts
DB2 Database Custom Application
Informix Database Custom Application
MaxDB Database Custom Application
MSSQL Custom Database Application
MySQL Database Custom Application
Oracle Database Custom Application
PostgreSQL Custom Database Application
Sybase ASA Database Custom Application
Sybase ASE Database Custom Application
Besides standard target systems, EPAS also supports application specific password encryption with data stored in several database types.
EPAS employs only legitimate, vendor-approved methods for retrieving the password data from audited systems. By using such methods, there is no risk of crashing the target, and no potentially malicious activities are falsely detected or reported by antivirus or malware detection tools.
A short webinar recording introduces the concept of password quality assurance based upon audits, analytics and enforcement.
The term "state of the art" is everywhere - companies are urged to adapt their IT security to it. However, the expression is not further defined or explained. For this reason, the Bundesverband IT-Sicherheit e.V. (Federal Association for IT Security) (TeleTrusT) has set up a special working group to draw up guidelines on the state of the art. As a member of this task force, Detack GmbH was actively involved in creating these guidelines. The English version of them will be published in cooperation with the European Union Agency for Network and Information Security (ENISA).
In 2019, Detack is again participating at the RSA Conference in San Francisco, USA (March 4th – 8th, 2019). You can find us at the TeleTrusT German Pavilion (Booth No. 5671-4). The RSAC is the world's leading IT Security event with international participation.
From 9 to 11 October 2018, it-sa, Europe's largest IT security trade fair and one of the most important platforms for cloud, mobile and cyber security as well as data and network security in the world, is taking place. This year Detack is represented at the Cyber-Security-Community booth (Hall 10 | 405). Make an appointment or just drop by - we look forward to seeing you!
As in the past two years, Detack will again be participating as part of the TeleTrusT German Pavilion at the RSA Conference in San Francisco (April 16th – 20th, 2018). The RSAC is the world's leading IT Security event with international participation.
Detack GmbH and its partner Praetors AG are proud to announce that the European Patent Office (EPO) will be granting EU patent no. EP13155372.9 for technology employed by its Enterprise Password Assessment Solution EPAS.
Ludwigsburg, June 9th, 2016. Detack GmbH and its partner Praetors AG are proud to announce that the United States Patent and Trademark Office (USPTO) has granted the U.S. patent no. 9,292,681 B2 for technology employed by its Enterprise Password Assessment Solution EPAS.
Ludwigsburg/Germany, February 25. Detack GmbH will be part of this year's RSA conference to introduce its unique Enterprise Password Assessment Solution EPAS to the North American market. As an independent supplier of high-quality IT security audits and in-house developed IT security products, Detack will be present in San Francisco from February 29 – March 3 as part of the German pavilion, North Expo Booth N4020/03.