It’s the basics that let you down.
Most of the big breaches you hear about today are not due to the hacking wizardry you see in the movies. Most are due to companies not taking care of the basics: patching, passwords, filtering, and the like. Some companies spend millions on advanced security hardware and software but ignore the very basics, and those advanced systems will never pick up an attack that abuses them. Let’s explore just one of the basics as an example, to give practical advice that any company can apply for nothing more than the labor expense. Let’s focus on credential security. If a credential (leaked, guessed, default, etc.) can be used to gain access to a system, then all the advanced and expensive software in the world won’t help you; it’s legitimate traffic!
Set Passwords On All Systems
It is critical to set complex passwords on all systems. Too many times we see a database or a web server left with default credentials. This gives an attacker a foothold on the network, and it is all over from there. To keep up with all the places where you need to set passwords, it is essential to have an asset inventory database. This should list all hardware, software, versions and login locations.
It is also critical to segment the use of admin accounts from certain areas of the network. If you log in to a workstation with a Domain Admin account, the credential may be cached on that system. If an attacker gains access to the system, they’ll be able to steal that credential and take over your domain. I recommend using powerful accounts only on systems that require them, such as a Domain Controller, where you need that much power.
Because of the above, I recommend not caching credentials. Cached credentials are a sure-fire way of letting an attacker who already has a foothold on your network gain access to more powerful credentials.
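The two checks above (is this workstation caching domain logons, and has a privileged account been signing in here interactively?) can be scripted. The following PowerShell is an added example, not code from the original post. The registry key and value name are the real ones behind the Group Policy setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"; the account names in $PrivilegedAccounts are constructed placeholders to replace with your own Domain Admins members. It runs in an elevated session on the workstation being checked.

```powershell
# Added example (not from the original post): report the cached-logon setting on
# this workstation and list recent interactive sign-ins by privileged accounts,
# since those are the logons that leave cached verifiers behind.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonCount {
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }   # Windows default when the value is absent
    return [int]$item.CachedLogonsCount
}

function Set-CachedLogonCount {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 50)][int]$Count = 0)
    # The value is REG_SZ, so it is written as a string. A GPO that sets the same
    # policy overwrites this on the next refresh, so prefer to set it there.
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set CachedLogonsCount to $Count")) {
        Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value ([string]$Count) -Type String
    }
}

function Find-PrivilegedInteractiveLogon {
    param([string[]]$PrivilegedAccounts, [int]$Days = 30)
    # Logon types 2 (console), 10 (RDP) and 11 (cached) leave cacheable credentials;
    # type 3 (network) does not, so it is ignored.
    $cacheable = @('2', '10', '11')
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Event 4624 carries its fields as <Data Name="..."> elements in the XML body
        $fields = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if ($fields['LogonType'] -notin $cacheable) { continue }
        if ($PrivilegedAccounts -notcontains $fields['TargetUserName']) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($fields['TargetDomainName'])\$($fields['TargetUserName'])"
            LogonType = $fields['LogonType']
            Source    = $fields['IpAddress']
        }
    }
}

$PrivilegedAccounts = @('da-jsmith', 'da-backup')   # constructed sample names, not real accounts

$count = Get-CachedLogonCount
if ($count -gt 0) {
    Write-Warning "This host caches up to $count domain logon(s)."
    # Set-CachedLogonCount -Count 0 -WhatIf   # drop -WhatIf to enforce; laptops that must log on off-network need a non-zero value
} else {
    Write-Output 'Cached domain logons are disabled on this host.'
}
Find-PrivilegedInteractiveLogon -PrivilegedAccounts $PrivilegedAccounts | Format-Table -AutoSize
```

Any row the last command prints is a Domain Admin who signed in to a workstation interactively; if the cached-logon count is non-zero at the same time, that workstation now holds a verifier for a domain-wide credential.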
Running Software With Least Privileges
If you run a software program with a powerful credential and that software is exploited, the attacker will have the same privileges as that credential. As an example, if one ran Tomcat with an account that is in the Domain Admins group, when the hacker gains access to the Tomcat Management Console they can deploy an application that will run with those privileges. This means they can create accounts and add them to the Domain Admins group!
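A Tomcat service is one instance of the general problem: any Windows service whose logon account is a privileged domain account hands that privilege to whoever compromises the service. The following PowerShell is an added example, not code from the original post, that lists such services. It assumes the ActiveDirectory module from RSAT is installed and the caller can read group membership; the group names are the standard built-in ones.

```powershell
# Added example (not from the original post): find services running under an
# account that is a direct or nested member of a privileged AD group.

Import-Module ActiveDirectory

function Get-PrivilegedAccountSet {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($g in $Groups) {
        # -Recursive flattens nested groups so indirect members are caught too
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { [void]$set.Add($_.SamAccountName) }
    }
    return $set
}

function Find-ServiceRunningAsPrivileged {
    param(
        [System.Collections.Generic.HashSet[string]]$Privileged,
        [string]$ComputerName
    )
    $cimArgs = @{ ClassName = 'Win32_Service' }
    if ($ComputerName) { $cimArgs['ComputerName'] = $ComputerName }   # remote query over WinRM

    foreach ($svc in Get-CimInstance @cimArgs) {
        $logon = $svc.StartName
        if ([string]::IsNullOrEmpty($logon)) { continue }
        # Built-in service identities are not domain accounts
        if ($logon -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') { continue }
        # Normalise DOMAIN\user and user@domain forms to the bare SAM account name
        $parts = $logon -split '[\\@]'
        $sam = if ($logon -like '*\*') { $parts[1] } else { $parts[0] }
        if ($Privileged.Contains($sam)) {
            [pscustomobject]@{
                Computer   = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
                Service    = $svc.Name
                Account    = $logon
                State      = $svc.State
                BinaryPath = $svc.PathName
            }
        }
    }
}

$priv = Get-PrivilegedAccountSet
Find-ServiceRunningAsPrivileged -Privileged $priv | Format-Table -AutoSize
# For a fleet, loop over Get-ADComputer output and pass each name as -ComputerName.
```

Each service reported should be moved to a dedicated low-privilege account (a group Managed Service Account where the software supports it) that holds only the rights the service actually needs.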
If systems share the same local administrator account password and an attacker gains access to one system, they gain access to every system that uses that account. I highly recommend removing all local administrator accounts.
If users are given privileges to install software on their workstations, it opens up the risk that they will install malicious software, including ransomware. I recommend giving employees very basic rights on their workstations. Even system administrators should only log in to their systems using a basic user account and use a separate account for admin tasks.
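The two recommendations above (no shared local administrator accounts, no ordinary users with admin rights) both come down to what is in the local Administrators group of each workstation. The following PowerShell is an added example, not code from the original post, that audits that group and optionally remediates it. The built-in Administrator account (RID 500) cannot be deleted, so it is disabled; other local accounts in the group are removed; domain members other than your workstation-management group are reported. 'CONTOSO\Workstation Admins' is a constructed placeholder. It needs the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later) and an elevated session.

```powershell
# Added example (not from the original post): audit and remediate the local
# Administrators group on a workstation.

function Get-LocalAdminAudit {
    param([string[]]$ExpectedDomainMembers = @('CONTOSO\Workstation Admins'))   # placeholder group

    # The built-in Administrator always has RID 500 in the machine's SID
    $builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($m.PrincipalSource -eq 'Local' -and $m.SID -eq $builtIn.SID) {
            $action = if ($builtIn.Enabled) { 'Disable' } else { 'None (already disabled)' }
            [pscustomobject]@{ Member = $m.Name; Finding = 'Built-in Administrator'; Action = $action }
        } elseif ($m.PrincipalSource -eq 'Local') {
            [pscustomobject]@{ Member = $m.Name; Finding = 'Extra local administrator'; Action = 'Remove from group' }
        } elseif ($ExpectedDomainMembers -notcontains $m.Name) {
            # Domain users (or groups containing them) should not be local admins;
            # admins should use a separate account for admin tasks, not their daily one
            [pscustomobject]@{ Member = $m.Name; Finding = "Unexpected domain $($m.ObjectClass.ToLower())"; Action = 'Review' }
        }
    }
}

function Invoke-LocalAdminRemediation {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ExpectedDomainMembers = @('CONTOSO\Workstation Admins'))

    foreach ($f in Get-LocalAdminAudit -ExpectedDomainMembers $ExpectedDomainMembers) {
        switch ($f.Action) {
            'Disable' {
                if ($PSCmdlet.ShouldProcess($f.Member, 'Disable built-in Administrator')) {
                    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Disable-LocalUser
                }
            }
            'Remove from group' {
                if ($PSCmdlet.ShouldProcess($f.Member, 'Remove from Administrators')) {
                    Remove-LocalGroupMember -Group 'Administrators' -Member $f.Member
                }
            }
            default { Write-Warning "$($f.Member): $($f.Finding) - review manually" }
        }
    }
}

Get-LocalAdminAudit | Format-Table -AutoSize
# Invoke-LocalAdminRemediation -WhatIf   # drop -WhatIf to apply the changes
```

Before disabling the last local administrator on a fleet, decide how the help desk gets break-glass access: the usual answer is to keep the built-in account but give every machine its own randomised, escrowed password with LAPS, which removes the shared-password problem the text describes without removing the account.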
Many credentials get leaked from third-party breaches (Adobe, Dropbox, etc.) and bot logs. These can be used to gain access to data sitting in the third-party system or to company resources. One company that is spending millions on buying up these breached credentials from the Darknet/Darkweb is Breachview.com. They have (by far) the largest database of breached credentials and are well known for keeping it up to date with even the most obscure datasets. I highly recommend that companies purchase a feed into this database to understand which credentials are currently breached and to track future breaches.
Multi-Factor Authentication (MFA) should be employed on all externally facing systems and all sensitive internal systems. MFA can seriously reduce the risk of a breach: if a password is stolen, the hacker won’t be able to gain access to the system without the second form of authentication. Note to administrators: DON’T TURN THIS OFF ON YOUR ACCOUNTS! I find with too many companies that admins turn off MFA on their own accounts to save time logging in.
Much more can be written on this, and in much greater depth. It’s a simple area, but one that will make the difference. I recommend focusing on all the security basics before moving on to anything more complex. Give it a go and get in touch should you have any questions.
Written By: James Windsor