A friend of mine at Microsoft recently said, “There are two types of IT administrators – those who know that their systems have been attacked and owned, and those who haven’t figured it out yet.” It may sound extreme, but that is truly today’s reality in the world of IT security.
With a wealth of automated hacking tools at the disposal of nation-state attackers and other professional hackers, most networks are under a constant barrage of attacks. And when you factor in the poor legacy security decisions made by many organizations, the odds of being owned by a cyber attacker are very high.
However, even once you accept the fact that the bad guys will get into your network, you can significantly mitigate the damage done. Here are some tips to bolster your organization’s IT security posture.
7 Quick Tips to Improve IT Security
Segment the Network. Having one big, flat network is a really good way to help hackers execute the classic “land and expand” cyber attack. To combat this type of attack you must insert firewalls and SSH tunnels, or other types of tunnels, between segments.
Change Domain Architecture. Instead of having one domain, break it up into multiple domains in which there are different trust models between domains.
Re-authenticate Between Networks. As employees cross over networks, require them to log off and then log back on with different credentials. Why is this important? Think about the way an attack works. If the hacker obtains a credential that is usable on multiple machines, he will exploit that credential to get as far and as wide as he can on the network, looking for anything of value. Don’t make it any easier for a hacker to move around your environment.
Implement Multiple SIEMs. What we see among our most security-conscious customers is the use of multiple SIEMs with different trigger points. Outside the perimeter, the SIEM collects all security data. An event might or might not be of interest, but the SIEM gathers it regardless. Inside the perimeter, the SIEM is set for hair-trigger transactional alerting.
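The two trigger points described above, as an added illustration rather than anything from the original post or from a particular SIEM product: the perimeter tier stores every event and only raises an alert when a source crosses a failure threshold, while the internal tier raises an alert on every watched event it sees. The log format, zone names, hosts, users and addresses are all constructed for the example.

```python
"""Two-tier event handling: a perimeter tier that mostly collects, and an
internal tier that alerts on every watched event (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample log lines (not real data): key=value pairs after a timestamp.
SAMPLE_LOGS = [
    "2024-01-10T08:00:01 zone=dmz host=web01 event=auth_failure user=bob src=203.0.113.5",
    "2024-01-10T08:00:02 zone=dmz host=web01 event=auth_failure user=bob src=203.0.113.5",
    "2024-01-10T08:00:03 zone=dmz host=web01 event=auth_failure user=bob src=203.0.113.5",
    "2024-01-10T08:00:05 zone=dmz host=web01 event=auth_success user=bob src=203.0.113.5",
    "2024-01-10T08:01:10 zone=internal host=fs01 event=auth_failure user=svc_backup src=10.0.2.14",
    "2024-01-10T08:01:12 zone=internal host=fs01 event=local_admin_added user=svc_backup src=10.0.2.14",
    "2024-01-10T08:01:13 zone=internal host=fs01 event=auth_success user=svc_backup src=10.0.2.14",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict of fields; reject lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


@dataclass
class Tier:
    """Common state: everything ingested, plus the alerts this tier raised."""
    name: str
    collected: List[Dict[str, str]] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)


class OuterTier(Tier):
    """Perimeter tier: collects all events, alerts only when a threshold is hit."""
    FAILURE_THRESHOLD = 3  # assumed threshold for the example

    def ingest(self, ev: Dict[str, str]) -> None:
        self.collected.append(ev)
        if ev["event"] == "auth_failure":
            failures = sum(
                1 for e in self.collected
                if e["event"] == "auth_failure" and e["src"] == ev["src"]
            )
            if failures == self.FAILURE_THRESHOLD:
                self.alerts.append(f"{ev['src']} reached {failures} auth failures")


class InnerTier(Tier):
    """Internal tier: hair-trigger, every watched event becomes an alert."""
    WATCH = {"auth_failure", "local_admin_added", "privilege_escalation"}

    def ingest(self, ev: Dict[str, str]) -> None:
        self.collected.append(ev)
        if ev["event"] in self.WATCH:
            self.alerts.append(
                f"{ev['host']}: {ev['event']} by {ev['user']} from {ev['src']}"
            )


def route(lines: List[str]):
    """Send each event to the tier for its zone and return both tiers."""
    outer, inner = OuterTier("perimeter"), InnerTier("internal")
    for line in lines:
        ev = parse_line(line)
        (outer if ev["zone"] == "dmz" else inner).ingest(ev)
    return outer, inner


if __name__ == "__main__":
    outer, inner = route(SAMPLE_LOGS)
    for tier in (outer, inner):
        print(f"[{tier.name}] collected={len(tier.collected)} alerts={len(tier.alerts)}")
        for a in tier.alerts:
            print("   ", a)
```

The point of keeping the two tiers as separate objects is that their trigger logic can be tuned independently: the perimeter tier tolerates noise, while a single local_admin_added event inside the perimeter is alerted on immediately.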
Remove Local Admin. Remove administrator accounts from your local machines; don’t allow users to be the local admin. Here’s why: part of the process during a cyber attack involves privilege escalation. A hacker obtains hashes for a pass-the-hash attack by being the local administrator on the box. So if you don’t allow a user to be a local admin, and their system is attacked by malware, the attacker still needs to escalate to administrator in order to extract credentials.
Limit Credential Lifetimes. Credential lifetimes should be measured in hours, not days, weeks or months. Once a credential has been used for privileged access, it should be destroyed. Why? That credential leaves persistent information on the machine, and that information can be reused. If an attacker can escalate to domain admin, he can work his way through the other boxes on the network. But if you invalidate the credential, there is no persistent value to be exploited, even if a hacker does acquire the credential.
Eliminate Persistent Access. Why should a domain admin be a domain admin every hour of the day? Why not make them a regular user and require them to check out a domain admin account for a specific purpose? Even better, escalate them to local admin only on the box where they need to work, and have that escalation expire. In this way, all that is exposed is one regular user account on one machine.
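The three preceding tips (re-authenticate per network, short credential lifetimes, and check-out rather than standing access) describe one mechanism: a privilege broker that issues a credential scoped to a single host, valid for a few hours at most, and invalidated the moment it is checked back in or expires. The sketch below is an added example and not the post’s own or any Lieberman Software product; the class and method names, the two-hour default lifetime and the injectable clock are all assumptions made for the illustration.

```python
"""Just-in-time privilege broker: a credential is checked out for one host,
lives for hours at most, and is invalidated on check-in or expiry (added example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

DEFAULT_TTL_SECONDS = 2 * 3600  # assumed default: lifetime measured in hours, not days


@dataclass
class Grant:
    user: str
    host: str            # the one machine this credential is good for
    token_hash: str      # only a hash of the issued secret is stored
    issued_at: float
    expires_at: float
    revoked: bool = False


class PrivilegeBroker:
    """Issues, validates and revokes short-lived, host-scoped admin credentials."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                    # injectable so expiry can be tested
        self._grants: Dict[str, Grant] = {}    # keyed by token hash

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def checkout(self, user: str, host: str, ttl: int = DEFAULT_TTL_SECONDS) -> str:
        """Issue a fresh credential for exactly one host; the secret is returned once."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        digest = self._hash(token)
        self._grants[digest] = Grant(user, host, digest, now, now + ttl)
        return token

    def authorize(self, token: str, host: str) -> Optional[Grant]:
        """Return the grant only if the token is live and presented on its own host."""
        g = self._grants.get(self._hash(token))
        if g is None or g.revoked or g.host != host or self._clock() >= g.expires_at:
            return None
        return g

    def checkin(self, token: str) -> bool:
        """Destroy the credential as soon as the privileged task is done."""
        g = self._grants.get(self._hash(token))
        if g is None or g.revoked:
            return False
        g.revoked = True
        return True

    def expire_stale(self) -> int:
        """Sweep: revoke every grant whose lifetime has run out; returns the count."""
        now = self._clock()
        swept = 0
        for g in self._grants.values():
            if not g.revoked and now >= g.expires_at:
                g.revoked = True
                swept += 1
        return swept


class FakeClock:
    """Constructed clock so the example can show expiry without waiting hours."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    broker = PrivilegeBroker(clock=clock)
    token = broker.checkout("alice", "fs01", ttl=3600)
    print("valid on fs01:", broker.authorize(token, "fs01") is not None)   # True
    print("valid on fs02:", broker.authorize(token, "fs02") is not None)   # False: wrong host
    clock.advance(3601)
    print("valid after expiry:", broker.authorize(token, "fs01") is not None)  # False
    print("stale grants swept:", broker.expire_stale())
```

Two design choices carry the security weight: the broker stores only a hash of the secret, so a copy of its state yields nothing reusable, and authorize() refuses a token on any host other than the one it was issued for, which is the per-network re-authentication from the earlier tip enforced in code rather than by policy.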
Just remember, the more difficult you make it for a cyber attack to succeed in your environment, the less damage you’re going to sustain.
By Philip Lieberman, President and CEO, Lieberman Software
Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in the cyber security market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions for this burgeoning security field.