It’s time to get back to business. Here in the U.S., summer vacations are wrapping up and businesses are looking forward to closing out 2014. Over the past year, we’ve seen several incidents that warrant changes in the ways consumers make purchases and businesses conduct transactions. Consider last week’s theft of a whopping 1.2 billion usernames and passwords by the Russian underground. When it comes to IT security, it’s impossible to see the upcoming holiday season as business as usual. Proper security due diligence requires your organization to evolve or be the next victim. The question that plagues everyone is where to start. Here’s a quick primer:
Rotate Shared Passwords to Keep Attackers Guessing
If you aren’t changing administrative passwords for users and service accounts on a regular basis, you’re holding a ticking time bomb. Consider how many people know shared passwords, where they are documented, and if any systems have been infected by malware in contact with those accounts. All of these scenarios, and many others, could lead to password leaks and allow unauthorized privileged access to sensitive systems and data. The best solution: reset passwords frequently with a privileged password management solution.
Remove Administrative Rights to Limit Malicious Access
How many users have administrative access to desktops, servers, or other systems? Why do they have this access?
Common malware techniques like Pass-the-Hash on Windows can easily steal administrative passwords and use them to navigate a network virtually undetected. A server administrator can leverage excessive privileges to add backdoor accounts or dump databases with sensitive data. So why risk it?
The best practice is for all users to operate only as standard users and be granted administrative privileges only when needed. Adopting a least-privilege model is like wearing a seat belt. It restricts your movement in case of an accident (intentional or purely accidental) but allows you to operate the vehicle normally without restrictions. Obviously with a seat belt on you can’t reach into the backseat, but that’s the whole point of least privilege; you shouldn’t. If you need to reach the backseat, the seat belt (i.e., your privileges) can be loosened via rules that dictate when this access is merited. Automated least-privilege solutions are available for both UNIX/Linux and Windows.
Intelligently Manage Vulnerabilities to Lock Criminals Out
If you’re not patching assets on a regular basis, you’re clearly leaving doors and windows unlocked for criminals (yes, another analogy). Consider that a clean install of Windows 7 has over 230 cumulative vulnerabilities, and many organizations still limit vulnerability assessment to servers – often without accounting for credentialed access. What does that say about the host of unlocked and unprotected doors and windows out there?
Malicious activity can come from a wide variety of attack vectors and can start on a workstation, an HVAC system (e.g., Target), or even a mobile device. The solution starts with getting a zero-gap vulnerability assessment of the entire environment. It should be authenticated and cover all the devices (or a statistical sample if other imaging and change control parameters exist and can be proven).
Of course, the output of vulnerability assessments should not be “phone books” with thousands of pages of faults. Reports should graduate results in logical sequences; present the largest risks first; indicate what to remediate first; and reveal the impact of remediation activities. Having a clear, repeatable assessment process can prove that assets are being remediated and that vulnerabilities are being eliminated.
Patching vulnerabilities is not always possible, but it’s the primary method for fixing these flaws. Configuration changes and other techniques can mitigate the risks when patching is not an option, equating to iron bars placed in front of that unlocked window. Performing vulnerability assessment and patch management are best practices and not just required by regulatory compliance initiatives.
Get Smart with Centralized Management
Each one of these disciplines can be implemented as a technology silo, deployed in phases, or managed under a single platform. Business as usual should not mean cobbling together multiple vendors, tools and procedures to harmonize security across all teams in an organization.
An IT risk management platform can take the guesswork out of security decisions by centralizing privileged password management, least privilege, and vulnerability assessment. A platform can make it easy to leverage best practices in managing security threats, streamlining operations, and improving communication – all through a single pane of glass.
Adapting to the threats around us is a never-ending battle. Just look at the raft of business security changes that are now commonplace: Security tags on merchandise to prevent shoplifting, mirrors and finger guards on ATMs to prevent pin number theft, and two-factor authentication to combat identity theft. Similar widespread adoption of the above best practices will help you mitigate today’s most pressing IT security threats – and keep your business out of the breach headlines.
Morey J. Haber, Chief Security Officer at BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.