It’s been said that there are two types of organizations - those who know their systems have been hacked and those who haven’t figured it out yet. It may sound extreme, but that’s the reality in the world of IT security.
With a wealth of automated hacking tools at the disposal of nation-state attackers and other professional hackers, many networks are under a constant barrage of attacks. And when you factor in the poor legacy security decisions made by many organizations, the odds of being owned by a cyberattack are very high indeed.
Once you accept the fact that the bad guys are eventually going to get into your network, you can significantly mitigate the damage done and stay out of the data breach headlines. Here are some tips to bolster your organization’s cybersecurity posture.
Segment the Network. Having one big, flat network is a really good way to assist hackers in executing the classic “land and expand” cyberattack. To combat this type of attack, you must insert firewalls and SSH tunnels, or other types of tunnels, between segments.
Change Domain Architecture. Instead of having one domain, break it up into multiple domains in which there are different trust models between different domains.
Re-authenticate Between Networks. As employees cross over networks, require them to log off and then log back on with a different set of credentials. Why is this important? Think about the way an attack works. If the hacker obtains a broad credential that is usable on multiple machines, he will exploit that credential to get as far as he can on the network, looking for anything of value. Don’t make it any easier for a hacker to move around your environment. Secure the access pathways to your systems.
Remove Local Admin Rights. Here is one of my strongest recommendations - remove administrator accounts from your local machines. Do not allow users to be the local admin. Here’s why: The first part of the process during a cyberattack is escalation. A hacker gets hashes for a pass-the-hash attack by being the local administrator on the box. If you don’t allow a user to be a local admin, and their system is attacked by malware, the attacker now needs to escalate to administrator to extract credentials.
Limit Credential Lifetimes. Credential lifetimes should be measured in hours or days, not weeks or months. After you use a credential for privileged access, it should be randomized. Why? That credential will leave persistent information on the machine, and that information can be reused. If an attacker can escalate to domain admin, he can work his way through all the other boxes on the network. But if you invalidate the credential, there is no persistent value to be exploited, even if a hacker does manage to obtain the credential.
Eliminate Persistent Access. Why should someone be a domain admin every single hour of the day? Why not make them a regular user and require them to check out a domain admin account for a specific purpose? Even better, have them escalate to local admin on the box where they need to do the work. Then have that escalation expire. In this way, all you have is one regular user account, on one machine.
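Two of the tips above, removing local admin rights and limiting credential lifetimes, can be checked on a schedule. The script below is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember) and the RSAT ActiveDirectory module, and the allow-list, group names and 24-hour threshold are hypothetical values to replace with your own policy.

```powershell
# Added example: audit local Administrators membership and privileged
# credential age. The allow-list and threshold below are constructed values.
$ApprovedLocalAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, managed separately
    'CONTOSO\Workstation-Admins'         # hypothetical approved admin group
)
$MaxPrivilegedCredentialAge = New-TimeSpan -Hours 24   # "hours or days, not weeks or months"

function Get-UnapprovedLocalAdmins {
    # Returns every member of the local Administrators group that is not
    # on the allow-list; ordinary users showing up here are the finding.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ApprovedLocalAdmins -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-StalePrivilegedCredentials {
    param([string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins'))
    # Returns enabled users in privileged groups whose password is older
    # than the allowed lifetime. A null PasswordLastSet (never set, or
    # must-change-at-next-logon) is reported too, so it gets a human look.
    $cutoff = (Get-Date) - $MaxPrivilegedCredentialAge
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties PasswordLastSet, Enabled |
            Where-Object {
                $_.Enabled -and
                ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff)
            } |
            Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, PasswordLastSet
    }
}

Write-Host "Local admins not on the allow-list:"
Get-UnapprovedLocalAdmins | Format-Table -AutoSize
Write-Host "Privileged accounts whose credential exceeds $($MaxPrivilegedCredentialAge.TotalHours) hours:"
Get-StalePrivilegedCredentials | Format-Table -AutoSize
```

Running the two functions from a scheduled task on a management host gives a daily list of accounts to remove from Administrators and privileged credentials to rotate.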
As with any advice, you can choose to ignore these cybersecurity practices. Just be prepared to deal with the consequences. After all, it’s a simple concept. The more difficult you make it for a cyberattack to succeed in your environment, the less damage you’re going to sustain.
Want to learn more about how a cyberattack works and the steps you can take to block an attack in progress? Watch our webinar:
