While an organisation usually faces more attacks from outside, IT teams need to be just as concerned about insider threats.
Malicious insiders have been responsible for some notable breaches and hostage scenarios in recent history. Consider Terry Childs, the San Francisco network administrator who withheld the passwords to the city's network for almost two weeks, even while sitting in a jail cell, or the infamous Edward Snowden, who leaked NSA documents while working there as a contractor.
IT must continue to protect the perimeter, but should also isolate internal network segments from one another, air gapping the most sensitive ones, and in some cases separate business units.
After all, there is no good reason for developers to sit on the same network as human resources, or for accountants to be able to reach the web servers.
Organisations should also change privileged credentials frequently, using a unique, complex value for each one. Continuously rotating privileged credentials shrinks the window in which a stolen credential can be used for the lateral movement that attackers seek.
To minimise the risks posed by both external attacks and insider threats, organisations should also review role changes and turnover in the IT department, and check their websites for credentials embedded in clear text.
Companies should also ensure that staff are not sharing or reusing passwords and that administrator and root passwords are changed regularly. Finally, confirm through regular penetration testing that critical systems are not exposed to newly discovered or long-known threats.
Less well known than its cousin pass-the-hash, the newer pass-the-ticket attack is just as dangerous. Using toolkits such as Mimikatz and Windows Credentials Editor (WCE), attackers copy Kerberos tickets from compromised end-user machines, or from a server trusted for delegation, which holds forwarded tickets for every user who has connected to it, and replay them elsewhere on the network.
The attacker uses the stolen ticket to move laterally, seeking out additional permissions and stealing sensitive data along the way.
The eventual goal of pass-the-ticket could be to steal the password hash of the krbtgt account from a domain controller. This is the account whose key Kerberos uses to encrypt and sign ticket granting tickets (TGTs).
Once in possession of this hash, an attacker can forge unlimited TGTs, granting any level of access, with virtually unlimited lifetimes. This is the so-called “Golden Ticket”, which according to security researcher Roger Grimes “isn’t merely a forged Kerberos ticket — it’s a forged Kerberos key distribution centre.”
In general, pass-the-ticket cannot be blocked with standard defences, because a local or domain password change does not invalidate tickets that have already been issued: a stolen TGT stays usable until it expires (10 hours by default, renewable for up to 7 days), and a Golden Ticket stays usable until the krbtgt password has been reset twice, since the domain controller still accepts tickets signed with the previous key. And while multi-factor authentication is a sound verification practice, it is applied when the user first logs on; pass-the-ticket replays a ticket issued after that step, so it bypasses MFA altogether.
Protecting against pass-the-ticket requires a different approach from IT. Start by stabilising the environment through frequent, automated credential updates and by restricting privilege escalation, so that lateral movement is harder.
Further reduce the attack surface by minimising the number of highly privileged logins that an attacker could use to take control of the network.
Finally, establish, in advance, a process to remove attackers’ access to compromised systems.
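Removing an attacker's access first requires noticing the replayed or forged ticket. As an added example (not code from the article or from Lieberman Software), the Python script below applies two heuristics that work from the domain controller's Security log: a service-ticket request (event 4769) from a client address that never requested a TGT (event 4768) for that account within the TGT lifetime, and a service ticket encrypted with RC4-HMAC (type 0x17), which is what a ticket forged from the krbtgt NTLM hash produces. The event records, field names and the ten-hour window are constructed assumptions, and the script assumes the domain has AES enabled so that RC4 service tickets are unexpected. A server trusted for unconstrained delegation will trigger the first rule legitimately, because it holds forwarded TGTs it never requested itself; TGT renewals (a 4769 whose service is krbtgt) are handled so they do not trigger it.

```python
"""Heuristics for pass-the-ticket and Golden Ticket activity in domain
controller Security-log events. Added example, not the article's or any
vendor's code; the event shapes and values below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the domain uses the default maximum TGT lifetime of 10 hours.
# A TGT renewal is logged as a 4769 whose service name is krbtgt, so renewals
# are also counted as proof that the client legitimately holds a TGT.
TGT_LIFETIME = timedelta(hours=10)
RC4_HMAC = "0x17"  # ticket encryption type produced when forging from an NTLM hash

# Constructed sample events in the shape of the DC's 4768/4769 records.
SAMPLE_EVENTS = [
    # bob: TGT at 21:00, renewed 9.5 h later, then used 2 h after that (legitimate)
    {"id": 4768, "time": "2017-02-28T21:00:00", "account": "bob", "client": "10.0.1.20", "service": "krbtgt", "etype": "0x12"},
    {"id": 4769, "time": "2017-03-01T06:30:00", "account": "bob", "client": "10.0.1.20", "service": "krbtgt/CORP.LOCAL", "etype": "0x12"},
    {"id": 4769, "time": "2017-03-01T08:30:00", "account": "bob", "client": "10.0.1.20", "service": "cifs/files01", "etype": "0x12"},
    # alice: normal logon from her own workstation
    {"id": 4768, "time": "2017-03-01T08:00:00", "account": "alice", "client": "10.0.1.10", "service": "krbtgt", "etype": "0x12"},
    {"id": 4769, "time": "2017-03-01T08:05:00", "account": "alice", "client": "10.0.1.10", "service": "cifs/files01", "etype": "0x12"},
    # pass-the-ticket: alice's TGT replayed from 10.0.9.44, which never requested one for her
    {"id": 4769, "time": "2017-03-01T09:10:00", "account": "alice", "client": "10.0.9.44", "service": "cifs/files01", "etype": "0x12"},
    # Golden Ticket: forged TGT for administrator, RC4-encrypted, with no 4768 anywhere
    {"id": 4769, "time": "2017-03-01T09:12:00", "account": "administrator", "client": "10.0.9.44", "service": "ldap/dc01", "etype": "0x17"},
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def find_ticket_anomalies(events, window=TGT_LIFETIME):
    """Return (reason, account, client, time) tuples for suspicious 4769 events.

    Events are replayed in time order; for each (account, client) pair the
    times at which that client obtained or renewed a TGT are tracked."""
    tgt_seen = defaultdict(list)  # (account, client) -> times a TGT was issued/renewed
    findings = []
    for ev in sorted(events, key=_when):
        key = (ev["account"].lower(), ev["client"])
        now = _when(ev)
        if ev["id"] == 4768:
            tgt_seen[key].append(now)
            continue
        if ev["id"] != 4769:
            continue
        # Rule 1: service ticket used by a client that holds no TGT it asked for itself.
        if not any(now - window <= t <= now for t in tgt_seen[key]):
            findings.append(("tgs_without_tgt", ev["account"], ev["client"], ev["time"]))
        if ev["service"].lower().startswith("krbtgt"):
            tgt_seen[key].append(now)  # a renewal extends the window from here on
        # Rule 2: RC4 service ticket in a domain where AES is the norm.
        if ev["etype"].lower() == RC4_HMAC:
            findings.append(("rc4_service_ticket", ev["account"], ev["client"], ev["time"]))
    return findings


if __name__ == "__main__":
    for finding in find_ticket_anomalies(SAMPLE_EVENTS):
        print(*finding)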
Identity management and orphaned user accounts
One of the most common mistakes that IT groups continue to make is not properly managing user accounts when employees leave the organisation.
Orphaned user accounts are exploited to gain unauthorised access to sensitive company resources. Finding and disabling inactive, orphaned user accounts seals potential security holes in the network.
Depending on the organisation, untangling a departing employee's identity from the network can be anything from a simple five-second change to a seemingly never-ending process.
The core of the problem is how well an IT group understands provisioning, and how quickly it can stop employees embedding their identities in places that fall outside the corporate provisioning process.
Here is another difficult-to-manage element of de-provisioning user accounts: shared resources (in effect, backdoors) created by departed employees.
These resources (i.e. shared folders, permission changes, etc.) often exist well after an employee leaves. But they are no longer documented or under the control of the company.
Many IT departments loathe killing off these resources for fear of disrupting critical business operations.
A third issue involves provisioning systems themselves. In many cases, these systems require extensive manual work to complete the provisioning/de-provisioning process.
In other cases, the systems are so complex and so tightly dependent on a bewildering set of technologies, that the process devolves into an inconsistent, unreliable and undocumented mess.
This results in occasional silent failures, and orphaned accounts remaining undetected in critical systems.
Generally, auditors are responsible for finding orphan accounts. But the real challenge comes down to the frequency and depth of the audits and the ability of the organisation to mitigate the findings.
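As an added example (not code from the article or from Lieberman Software), the Python script below shows the reconciliation an audit of orphaned accounts boils down to: every enabled account in a directory export is matched against the HR roster and its last logon, and each share permission is then checked against the result, so that the undocumented grants left behind by departed employees surface too. The directory export, HR roster, share ACLs, 90-day inactivity threshold and review date are all constructed; a real run would feed it the output of the directory and HR systems.

```python
"""Reconciling directory accounts with the HR roster and reviewing share
permissions for orphaned grants. Added example, not the article's or any
vendor's code; all data below is constructed."""
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=90)  # assumption: policy threshold for "inactive"
AS_OF = "2017-03-01"                   # assumption: the date the review is run

# Constructed directory export (the shape an AD export with LastLogonDate gives).
DIRECTORY = [
    {"sam": "alice",      "enabled": True,  "last_logon": "2017-02-20", "employee_id": "E100"},
    {"sam": "bob",        "enabled": True,  "last_logon": "2016-10-01", "employee_id": "E101"},
    {"sam": "svc_backup", "enabled": True,  "last_logon": "2017-02-25", "employee_id": None},
    {"sam": "carol",      "enabled": False, "last_logon": "2016-08-01", "employee_id": "E102"},
    {"sam": "dave",       "enabled": True,  "last_logon": None,         "employee_id": "E103"},
]
# Constructed HR roster: employee IDs of current staff. E101 (bob) has left.
HR_ACTIVE = {"E100", "E103"}
# Constructed share ACL dump: (share, trustee, rights). A bare SID is what an
# ACL shows once the account it referred to has been deleted.
SHARE_ACLS = [
    (r"\\files01\finance", r"CORP\alice", "Read"),
    (r"\\files01\finance", r"CORP\bob", "FullControl"),
    (r"\\files01\finance", "S-1-5-21-1004336348-1177238915-682003330-1107", "FullControl"),
    (r"\\files01\payroll", r"CORP\svc_backup", "Read"),
]


def orphaned_accounts(directory, hr_active, as_of=AS_OF, limit=INACTIVITY_LIMIT):
    """Map sAMAccountName -> reasons for every enabled account that needs review."""
    today = datetime.fromisoformat(as_of)
    findings = {}
    for acct in directory:
        if not acct["enabled"]:
            continue  # already de-provisioned; nothing to do
        reasons = []
        if acct["employee_id"] is None:
            reasons.append("no_owner")        # nobody in HR answers for this account
        elif acct["employee_id"] not in hr_active:
            reasons.append("owner_left")      # HR says the person has gone
        if acct["last_logon"] is None:
            reasons.append("never_logged_on")
        elif today - datetime.fromisoformat(acct["last_logon"]) > limit:
            reasons.append("inactive")
        if reasons:
            findings[acct["sam"]] = reasons
    return findings


def orphaned_aces(acls, directory, findings):
    """Return (share, trustee, rights, reason) for grants to principals that are
    deleted, unknown, disabled or flagged by orphaned_accounts()."""
    known = {a["sam"].lower(): a for a in directory}
    flagged = {sam.lower() for sam in findings}
    out = []
    for share, trustee, rights in acls:
        name = trustee.split("\\")[-1].lower()
        if trustee.startswith("S-1-5-"):
            out.append((share, trustee, rights, "deleted_principal"))
        elif name not in known:
            out.append((share, trustee, rights, "unknown_principal"))
        elif not known[name]["enabled"] or name in flagged:
            out.append((share, trustee, rights, "flagged_principal"))
    return out


if __name__ == "__main__":
    flagged = orphaned_accounts(DIRECTORY, HR_ACTIVE)
    for sam, reasons in flagged.items():
        print(f"{sam}: {', '.join(reasons)}")
    for share, trustee, rights, reason in orphaned_aces(SHARE_ACLS, DIRECTORY, flagged):
        print(f"{share} grants {rights} to {trustee}: {reason}")
```

The point of joining the two checks is that the ACL review is what catches the "backdoor" shares described above: bob's FullControl grant and the grant to a deleted account's SID would otherwise survive his departure indefinitely, and the service account with no HR owner is exactly the kind of identity that escapes the provisioning process.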
Panama Papers leak shows inherent weaknesses of law firm cyber security
The 11.5 million documents leaked last year from Panamanian law firm Mossack Fonseca placed some of the world's rich and famous under scrutiny over how they hide their wealth.
The implications of law firm data breaches are mind-boggling, because parties to a lawsuit disclose which law firms they use as a matter of public record.
It is then a simple step for a criminal to attack that law firm and harvest its files. For a criminal this could mean the ability to manipulate stocks, access the personal records of principals within the companies, and blackmail people using information that is not publicly known.
The lesson from the Panama Papers leak is that it is up to the client to inspect the cyber security capabilities of their law firm. Clients should not be comfortable with assurances that everything is fine or that the law firm has passed its audits.
Audits do not test whether a law firm can sustain its security while actually under attack.
Clients should ask their firms whether they are regularly penetration tested by different firms, have segregated networks, use multiple layers of cryptography, have air gapped networks, and use an automated privileged identity management system to rotate all sensitive credentials on every system, every 2-24 hours, worldwide.
Privileged access management in the cloud
Cloud service providers face significant security challenges when managing privileged identities at massive scale in large, elastic environments.
In multi-tenant environments the number of systems under management can run into the hundreds of thousands. A secure environment requires discovering and managing all identities on all of those systems.
Securing cloud identities therefore requires a solution that can discover, audit and control access to privileged accounts entirely by machine, in an automated and programmatic manner rather than through direct human intervention.
Only by deploying automated security solutions can these organisations locate and remediate weaknesses faster than nation-state attackers and criminal hackers can exploit them.
Next-generation security solutions exist that meet requirements for managing privileged identities in large cloud environments.
This removes a significant operational roadblock that once prevented large cloud providers from complying with regulatory requirements and IT security best practices.
With luck, in 2017 these issues can finally be remedied with the help of automation, and further issues prevented from arising. You never know what is around the corner, but by following this advice and managing privileged identities effectively, organisations can hopefully be spared the worst.
Sourced by Jonathan Sander, VP of product strategy at Lieberman Software