IT security has never been more critical, the threat so great and IT defenses so inadequate with false assurance of security by throwing money at the wrong resources. It is our operational security, architecture and design that has allowed these threats to flourish. Consider these scenarios violating one or more of the Ten Immutable Laws Of Security
- Every Virtual Machine (VM) administrator who manages a Domain Controller (DC) virtual machine is effectively a domain admin.
- Every SAN administrator managing the virtual drives of a DC is effectively domain admin.
- An agent or service from a management tool (i.e. antivirus) running on a DC is often used to compromise domain admin
- A compromised SAN or database admin’s PC accessing the crown jewels (Intellectual Property, HBI or PII) can be THE most valuable target
- Multi-factor authentication can still be compromised after authentication if a system is owned via man-in-the-middle attacks.
- Password Credential Vaults joined to a compromised domain are not your password vault anymore.
- PKI w/ Smart Cards and multi-factor OTP/token solutions cannot stop, cookie/session hijacking, credential thefts or pass-the-hash
- Is your critical infrastructure SCADA or Industrial Control System (ICS) controlling chlorine for public water supply on a network connected to Internet terrorists? Why?
- If you have EVER surfed the Web with a high-power credentialed account, your network is at risk for system credential theft/pass-the-hash compromise.
- If you deploy machines using images with common local admins or network accounts in administrators group, your entire network may be AT RISK for pass-the-hash attacks.
- If ANY 3rd party plugin or Software on ANY PC is not patched ANYWHERE in your network and you are not whitelisting apps (i.e. AppLocker), then you are at great RISK.
We are not at risk because we have bad security software. Its never been better, but technology is still not a panacea. The bad guys have adapted to the way we build and operate. Systems administrators, developers and engineers protecting our critical infrastructure have allowed themselves become uneducated and passive on securing against the current threats often times solely dependent on firewalls, security appliances and intrusion detection systems (IDS) to protect their networks, computers and data systems from malicious intrusions or theft. Wouldn’t you know the bad guys noticed our laziness, and even nation states capitalized on it, got organized, educated and tooled up becoming strategic in their efforts to get the lead conducting offensive hacking with coordinated targeted attacks. Wake-up CISOs, admins, and developers - Firewalls, IDS/IPS, and Antivirus won’t cut it any more against state sponsored cyber attacks!
The bad guys are attacking all layers from printer firmware to compromising conference room phones eavesdropping on real-time conversations; targeting employee’s’ mobile phone apps; attacking unpatched O/S and browser plugin vulnerabilities; exploiting poor credential protection in the cloud; and secretly dropping never seen zero days for sale to highest nation state government bidders. How many phone admins have trained on Defense in Depth or Incident Response? How many PKI administrators understand the risks of BYOD scenarios and how to adequately plan for securing communications with MDM providers? How many critical SCADA and Industrial Control Systems are directly connected to the Internet for convenience via management PCs that are managed no differently than any other machine on the network?
Intrusion detection is imperfect!. Spam filters catch a lot, but are inadequate to trap targeted spear phishing which like most social engineering attacks almost always work and are nigh impossible to stop. Once a low-level beachhead PC is owned and foothold established, often from a browser based drive by exploit, zero-day or clicked link using custom compiled code specific to your organization tested specifically to be undetectable by your security software. Because of historical scenarios, often imaged-bases approach are used to deploy computers with common management accounts or local admin passwords coupled with domain administrators surfing the Web using privileged accounts (double whammy) allowing the foreign invaders to then traverse the network laterally, elevate privileges, and take control of the DCs, password storage databases and virtual machine or SAN management software to effectively own the network and harvest data conducting unrestricted espionage for years undetected with potential for complete data destruction at the command of a button outside your borders. Its in the news everyday and affects business, education and government alike.
So, do we throw in the towel and give up? No, we may lose a few low hanging sheep to the wolves, but we don’t have to lose the shepherds too! The Domain Admins, VM admins, SAN Admins, DB Admins, SCADA systems need to be protected from the Internet and compromised PCs in the network differently using a secure architecture and design and well defined and enforceable operational security practices that are effectively monitored. Assume for a second that every workstation and server on your network with direct internet access or using common credentials shared admin accounts with a machine that has Internet access (regardless of whether its Windows, Unix, Linux, Mac, Appliance etc…) has an undetectable rootkit with a keystroke logger and a credential editor/Pass-the-Hash tool installed and you begin to understand the reality of the threat and how you must deal with it. Think like the enemy before you are the next headline news article. Sun Tzu said in the Art of War, “If you know neither the enemy nor yourself, you will succumb in every battle”
Be proactive and hunt for the hidden threats that may lurk unnoticed on your network; if you are targeted specifically you likely won’t ever detect it internally using COTS tools. Perhaps it may be discovered only after a law enforcement agency brings it to your attention or after a proactive incident response investigation. Educate IT staff on the real current threats and analyze the techniques used by attackers and the operational security needed to properly deal with those threats. Defend at all layers and coordinate suspicious activity between platform security admins. Never assume your AV or IDS signatures and heuristics will automatically catch the threat. Understand and monitor event logs and patch those plugins and 3rd party browsers. Use security policies to configure systems and manage drift. Identify your valuables assets using a risk management model. Follow the recommended guidance for securing AD and mitigating PtH threats.
Firewalls are necessary, but so is a security development lifecycle (SDL) for applications to prevent and respond to application threats. Antivirus is important, but so is adding security controls such as ASLR, DEP and Certificate verification (such as available with the EMET 4.0). Patching the O/S is important, but so is application whitelisting and 3rd party application inventory and patch management.
Secure builds are important, but as critical are secure monitoring and IPsec restrictions to protect valuable assets on the wire and to prevent malicious inbound traffic. Limiting the number of domain admins is crucial, but even one privileged account of any kind with access to the manage the storage systems or virtual machines and is Internet or email connected compromises the security for the entire network.
We are at risk primarily because admins don’t always understand the threats. We are failing because we are using antiquated architectures and designs that have not been modified to keep up with the ever-changing threat landscape. We lose data and become the story of the day because we use poor design and operational security and most of the time don’t know whether or not they have been compromised because we rely solely on security software notifications as the authority of the state of our network.