BeyondTrust

6 Tips to Bolster Your Enterprise Cybersecurity Posture

November 29, 2018

It’s been said that there are two types of organizations: those that know their systems have been hacked and those that haven’t figured it out yet. It may sound extreme, but that’s the reality in the world of IT security.

With a wealth of automated hacking tools at the disposal of nation-state attackers and other professional hackers, many networks are under a constant barrage of attacks. And when you factor in the poor legacy security decisions made by many organizations, the odds of being owned by a cyberattack are very high indeed.

Once you accept the fact that the bad guys are eventually going to get into your network, you can significantly mitigate the damage done and stay out of the data breach headlines. Here are some tips to bolster your organization’s cybersecurity posture.

Segment the Network. Having one big, flat network is a really good way to assist hackers in executing the classic “land and expand” cyberattack. To combat this type of attack, you must insert firewalls and SSH tunnels, or other types of tunnels, between segments.

Change Domain Architecture. Instead of having one domain, break it up into multiple domains in which there are different trust models between different domains.

Re-authenticate Between Networks. As employees cross over networks, require them to log off and then log back on with a different set of credentials. Why is this important? Think about the way an attack works. If the hacker obtains a broad credential that is usable on multiple machines, he will exploit that credential to get as far as he can on the network, looking for anything of value. Don’t make it any easier for a hacker to move around your environment. Secure the access pathways to your systems.

Remove Local Admin Rights. Here is one of my strongest recommendations: remove administrator accounts from your local machines. Do not allow users to be the local admin. Here’s why: The first part of the process during a cyberattack is escalation. A hacker gets hashes for a pass-the-hash attack by being the local administrator on the box. If you don’t allow a user to be a local admin, and their system is attacked by malware, the attacker now needs to escalate to administrator to extract credentials.

Limited Credential Lifetimes. Credential lifetimes should be measured in hours or days, not weeks or months. After you use a credential for privileged access, it should be randomized. Why? That credential will leave persistent information on the machine, and that information can be reused. If an attacker can escalate to domain admin, he can work his way through all the other boxes on the network. But if you invalidate the credential, there is no persistent value to be exploited, even if a hacker does manage to obtain the credential.

Eliminate Persistent Access. Why should someone be a domain admin every single hour of the day? Why not make them a regular user and require them to check out a domain admin account for a specific purpose? Even better, have them escalate to local admin on the box where they need to do the work. Then have that escalation expire. In this way, all you have is one regular user account, on one machine.
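
The check-out, randomize, and expire model from the last two tips, as an added example (not BeyondTrust code or a product API): a toy in-memory broker showing that a captured password stops working after check-in or once the lease expires. The class, the account name, and the one-hour TTL are assumptions made for illustration.

```python
import hmac
import secrets

class CheckoutBroker:
    """Hypothetical in-memory stand-in for a privileged-credential vault."""
    def __init__(self, ttl_seconds, clock):
        self.ttl, self.clock = ttl_seconds, clock  # injectable clock for testing
        self._current = {}   # account -> password valid right now
        self._expiry = {}    # account -> lease expiry (absent = not checked out)

    def rotate(self, account):
        # Randomize the credential; a real vault would also set it on the target.
        self._current[account] = secrets.token_urlsafe(24)

    def checkout(self, account):
        self._expire(account)
        if account in self._expiry:
            raise PermissionError(f"{account} is already checked out")
        self._expiry[account] = self.clock() + self.ttl
        return self._current[account]

    def checkin(self, account):
        # Ending a lease always rotates, so anything left on a host is useless.
        if self._expiry.pop(account, None) is not None:
            self.rotate(account)

    def _expire(self, account):
        if account in self._expiry and self.clock() >= self._expiry[account]:
            self.checkin(account)

    def authenticate(self, account, password):
        # Valid only while a lease is active: no standing privilege.
        self._expire(account)
        return account in self._expiry and hmac.compare_digest(
            password.encode(), self._current[account].encode())

def demo():
    now = [0.0]                              # constructed fake clock, in seconds
    broker = CheckoutBroker(3600, lambda: now[0])
    acct = "CORP\\da-ops"                    # constructed account name
    broker.rotate(acct)
    first = broker.checkout(acct)
    during = broker.authenticate(acct, first)
    broker.checkin(acct)
    after_checkin = broker.authenticate(acct, first)
    second = broker.checkout(acct)
    now[0] += 3601                           # lease outlives its one-hour TTL
    after_ttl = broker.authenticate(acct, second)
    return during, after_checkin, after_ttl
```

`demo()` returns the authentication result during the lease, after check-in, and after TTL expiry, in that order.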

As with any advice, you can choose to ignore these cybersecurity practices. Just be prepared to deal with the consequences. After all, it’s a simple concept. The more difficult you make it for a cyberattack to succeed in your environment, the less damage you’re going to sustain.

Want to learn more about how a cyberattack works and the steps you can take to block an attack in progress? Watch our webinar:

The 7 Steps to a Successful Cyberattack: How to Defend Against Them

Chris Stoneff, VP Security Solutions, Development
