Security in Context: The BeyondTrust Blog

New IT Security Best Practices for Maintaining “Business as Usual” Despite Evolving Threats

Posted August 13, 2014    Morey Haber

It’s time to get back to business. Here in the U.S., summer vacations are wrapping up and businesses are looking forward to closing out 2014. Over the past year, we’ve seen several incidents that warrant changes in the ways consumers make purchases and businesses conduct transactions. Consider last week’s theft of a whopping 1.2 billion usernames and passwords by the Russian underground. When it comes to IT security, it’s impossible to see the upcoming holiday season as business as usual. Proper security due diligence requires your organization to evolve or be the next victim. The question that plagues everyone is where to start. Here’s a quick primer:

Rotate Shared Passwords to Keep Attackers Guessing

If you aren’t changing administrative passwords for users and service accounts on a regular basis, you’re holding a ticking time bomb. Consider how many people know each shared password, where those passwords are documented, and whether any system that uses those accounts has been infected by malware. All of these scenarios, and many others, could lead to password leaks and allow unauthorized privileged access to sensitive systems and data. The best solution: reset passwords frequently with a privileged password management solution.
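The three questions in the paragraph above (who knows the password, where it is used, and has any of those systems been compromised) can be turned into a rotation policy. The following is an added example written for this post, not BeyondTrust code or any product's API: a small planner over a constructed inventory of shared accounts that decides which passwords must be rotated now and in what order, putting compromise-driven rotations ahead of age-driven ones. Account names, hosts, people and the 30-day / three-holder limits are all assumed values.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import date


@dataclass
class PrivilegedAccount:
    """One shared or service credential and where it is exposed (constructed data)."""
    name: str
    last_rotated: date
    used_on_hosts: list   # hosts where this credential is stored or used
    known_by: list        # people who have been told the current password


def generate_password(length: int = 24) -> str:
    """Return a random replacement password using the OS CSPRNG (secrets module)."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotation_reason(account, today, max_age_days, compromised_hosts, max_holders):
    """Return why an account must be rotated now, or None if it may wait.

    Checks are ordered by urgency: a credential that touched a compromised
    host is treated as leaked regardless of its age.
    """
    if set(account.used_on_hosts) & set(compromised_hosts):
        return "used on compromised host"
    if len(account.known_by) > max_holders:
        return "password shared too widely"
    if (today - account.last_rotated).days > max_age_days:
        return "exceeds maximum age"
    return None


def rotation_plan(inventory, today, max_age_days=30, compromised_hosts=(), max_holders=3):
    """Return [(account_name, reason)] for accounts needing rotation, most urgent first."""
    priority = {
        "used on compromised host": 0,
        "password shared too widely": 1,
        "exceeds maximum age": 2,
    }
    plan = []
    for acct in inventory:
        reason = rotation_reason(acct, today, max_age_days, compromised_hosts, max_holders)
        if reason:
            plan.append((acct.name, reason))
    plan.sort(key=lambda item: priority[item[1]])  # stable sort keeps inventory order within a tier
    return plan


# Constructed sample inventory; none of these hosts, accounts or people are real.
TODAY = date(2014, 8, 13)
INVENTORY = [
    PrivilegedAccount("svc-backup", date(2014, 7, 1), ["db01", "db02"], ["alice"]),
    PrivilegedAccount("local-admin", date(2014, 8, 1), ["ws-017", "ws-042"], ["alice", "bob", "carol", "dave"]),
    PrivilegedAccount("svc-monitor", date(2014, 8, 10), ["mon01"], ["bob"]),
    PrivilegedAccount("root-shared", date(2014, 8, 5), ["web01"], ["alice", "bob"]),
]
COMPROMISED_HOSTS = ["ws-042"]  # assume ws-042 was found infected today


if __name__ == "__main__":
    for name, reason in rotation_plan(INVENTORY, TODAY, compromised_hosts=COMPROMISED_HOSTS):
        print(f"rotate {name:<12} ({reason}) -> new value of length {len(generate_password())}")
```

The planner only decides and orders; applying the new password to every host in `used_on_hosts` and distributing it through a vault rather than e-mail is the part a privileged password management tool automates. Note that `svc-monitor` and `root-shared` are left alone: rotating everything every day is not the goal, rotating the right credentials before they are abused is.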

Remove Administrative Rights to Limit Malicious Access

How many users have administrative access to desktops, servers, or other systems? Why do they have this access?

Common malware techniques like Pass-the-Hash on Windows can easily steal administrative credentials and use them to move through a network virtually undetected. A server administrator can leverage excessive privileges to add backdoor accounts or dump databases with sensitive data. So why risk it?

The best practice is for all users to operate only as standard users and be granted administrative privileges only when needed. Adopting a least-privilege model is like wearing a seat belt. It restricts your movement in case of an accident (intentional or purely accidental) but allows you to operate the vehicle normally without restrictions. Obviously with a seat belt on you can’t reach into the backseat, but that’s the whole point of least privilege; you shouldn’t. If you need to reach the backseat, the seat belt (i.e., your privileges) can be loosened via rules that dictate when this access is merited. Automated least-privilege solutions are available for both UNIX/Linux and Windows.
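The "rules that dictate when this access is merited" above are what a least-privilege solution evaluates on every elevation request. Here is an added example, written for this post rather than taken from any BeyondTrust product: a default-deny rule engine that elevates a standard user only when a rule matches their group, the application they are running, the time window and, where required, a change ticket. The rule names, groups, executables and hours are assumed values.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class ElevationRule:
    name: str
    groups: set           # user must belong to at least one of these
    applications: set     # executables the rule may elevate ("*" = any)
    window: tuple         # (start, end) local times during which the rule applies
    require_ticket: bool  # a change/ticket reference must accompany the request


@dataclass
class ElevationRequest:
    user: str
    groups: set
    application: str
    when: datetime
    ticket: str = ""


def rule_matches(rule: ElevationRule, req: ElevationRequest) -> bool:
    """Every condition of the rule must hold; any mismatch means the rule does not apply."""
    if not (rule.groups & req.groups):
        return False
    if "*" not in rule.applications and req.application not in rule.applications:
        return False
    start, end = rule.window
    if not (start <= req.when.time() <= end):
        return False
    if rule.require_ticket and not req.ticket:
        return False
    return True


def evaluate(req: ElevationRequest, rules: list) -> dict:
    """Default deny: the user stays a standard user unless a rule explicitly allows elevation.

    The returned dict doubles as the audit record for the decision.
    """
    for rule in rules:
        if rule_matches(rule, req):
            return {"decision": "elevate", "rule": rule.name,
                    "user": req.user, "application": req.application}
    return {"decision": "deny", "rule": None,
            "user": req.user, "application": req.application}


# Constructed rule set (assumed values, not a real policy).
RULES = [
    ElevationRule("helpdesk-printer-tools", {"helpdesk"}, {"printui.exe"},
                  (time(8, 0), time(18, 0)), require_ticket=False),
    ElevationRule("dba-service-restart", {"dba"}, {"services.msc", "sc.exe"},
                  (time(0, 0), time(23, 59, 59)), require_ticket=True),
]


def sample_decisions() -> list:
    """Run a few constructed requests through the rules and return the decisions."""
    requests = [
        ElevationRequest("alice", {"helpdesk"}, "printui.exe", datetime(2014, 8, 13, 10, 0)),
        ElevationRequest("alice", {"helpdesk"}, "cmd.exe", datetime(2014, 8, 13, 10, 0)),
        ElevationRequest("alice", {"helpdesk"}, "printui.exe", datetime(2014, 8, 13, 22, 0)),
        ElevationRequest("bob", {"dba"}, "sc.exe", datetime(2014, 8, 13, 2, 0)),
        ElevationRequest("bob", {"dba"}, "sc.exe", datetime(2014, 8, 13, 2, 0), ticket="CHG-1234"),
    ]
    return [evaluate(r, RULES) for r in requests]


if __name__ == "__main__":
    for record in sample_decisions():
        print(record)
</```

Matching on the executable name alone, as this toy does, is the weakest part of such a rule; a production solution should also verify the binary's publisher signature or hash so that renaming `cmd.exe` to `printui.exe` does not satisfy the rule. The seat-belt analogy maps directly onto `evaluate`: loosening happens only through a rule, and every loosening leaves a record.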

Intelligently Manage Vulnerabilities to Lock Criminals Out

If you’re not patching assets on a regular basis, you’re clearly leaving doors and windows unlocked for criminals (yes, another analogy). Consider that a clean install of Windows 7 has over 230 cumulative vulnerabilities, and many organizations still limit vulnerability assessment to servers – often without credentialed (authenticated) scanning. What does that say about the host of unlocked and unprotected doors and windows out there?

Malicious activity can come from a wide variety of attack vectors and can start on a workstation, an HVAC system (e.g., Target), or even a mobile device. The solution starts with getting a zero-gap vulnerability assessment of the entire environment. It should be authenticated and cover all the devices (or a statistical sample if other imaging and change control parameters exist and can be proven).

Of course, the output of vulnerability assessments should not be “phone books” with thousands of pages of faults. Reports should rank results in a logical sequence: present the largest risks first, indicate what to remediate first, and reveal the impact of remediation activities. Having a clear, repeatable assessment process can prove that assets are being remediated and that vulnerabilities are being eliminated.

Patching vulnerabilities is not always possible, but it’s the primary method for fixing these flaws. Configuration changes and other techniques can mitigate the risks when patching is not an option, equating to iron bars placed in front of that unlocked window. Performing vulnerability assessment and patch management are best practices and not just required by regulatory compliance initiatives.
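The two paragraphs above describe what a useful assessment report does: rank by risk, say what to fix first, show the impact of each fix, and account for mitigations where a patch cannot be applied. The following added example (written for this post; not BeyondTrust code, and the findings, hosts, scores and patch identifiers are constructed placeholders) implements that prioritization over a small set of scan findings. Risk is taken as CVSS base score times an assumed asset-criticality weight, halved when a compensating configuration change is in place, and findings are rolled up by remediation action so the report shows how much risk each patch removes.

```python
from collections import defaultdict

# Constructed findings: placeholder vulnerability and patch identifiers, not real advisories.
FINDINGS = [
    {"host": "db01",        "vuln": "VULN-A", "cvss": 9.8, "fix": "PATCH-A", "credentialed": True,  "mitigated": False},
    {"host": "ws-017",      "vuln": "VULN-A", "cvss": 9.8, "fix": "PATCH-A", "credentialed": True,  "mitigated": False},
    {"host": "hvac-ctl-01", "vuln": "VULN-B", "cvss": 7.5, "fix": "PATCH-B", "credentialed": False, "mitigated": False},
    {"host": "db01",        "vuln": "VULN-C", "cvss": 5.3, "fix": "PATCH-C", "credentialed": True,  "mitigated": True},
    {"host": "ws-042",      "vuln": "VULN-D", "cvss": 4.3, "fix": "PATCH-D", "credentialed": True,  "mitigated": False},
]

# Assumed business criticality per asset (1 = disposable workstation, 5 = crown jewels).
ASSET_CRITICALITY = {"db01": 5, "ws-017": 1, "ws-042": 1, "hvac-ctl-01": 3}

MITIGATION_FACTOR = 0.5  # assumed credit for the "iron bars" when patching is not an option


def finding_risk(finding: dict, criticality: dict) -> float:
    """Risk = CVSS x asset criticality, reduced when a compensating control is in place."""
    risk = finding["cvss"] * criticality.get(finding["host"], 1)
    if finding["mitigated"]:
        risk *= MITIGATION_FACTOR
    return round(risk, 2)


def ranked_findings(findings: list, criticality: dict) -> list:
    """Largest risks first: the order a report should present findings in."""
    scored = [dict(f, risk=finding_risk(f, criticality)) for f in findings]
    return sorted(scored, key=lambda f: f["risk"], reverse=True)


def remediation_plan(findings: list, criticality: dict) -> list:
    """Roll findings up by fix: [(fix, total risk removed, hosts affected)], biggest impact first."""
    removed = defaultdict(float)
    hosts = defaultdict(set)
    for f in findings:
        removed[f["fix"]] += finding_risk(f, criticality)
        hosts[f["fix"]].add(f["host"])
    plan = [(fix, round(total, 2), len(hosts[fix])) for fix, total in removed.items()]
    return sorted(plan, key=lambda item: item[1], reverse=True)


def coverage_gaps(findings: list) -> list:
    """Hosts assessed without credentials: their findings are a lower bound, not a full picture."""
    return sorted({f["host"] for f in findings if not f["credentialed"]})


if __name__ == "__main__":
    print("Findings by risk:")
    for f in ranked_findings(FINDINGS, ASSET_CRITICALITY):
        print(f"  {f['risk']:>6}  {f['host']:<12} {f['vuln']}  via {f['fix']}")
    print("Remediate first:")
    for fix, total, n in remediation_plan(FINDINGS, ASSET_CRITICALITY):
        print(f"  {fix}: removes {total} risk across {n} host(s)")
    print("Unauthenticated scans (re-scan with credentials):", coverage_gaps(FINDINGS))
```

Two points worth noticing in the output. The mitigated finding on `db01` still appears, at half weight, so the report does not pretend the flaw is gone; and `hvac-ctl-01` is listed as a coverage gap because an unauthenticated scan of a building-control system tells you what is visible from the network, not what is installed on it. The criticality weights and the 0.5 mitigation factor are policy inputs an organization chooses, not constants the method dictates.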

Get Smart with Centralized Management

Each one of these disciplines can be implemented as a technology silo, deployed in phases, or managed under a single platform. Business as usual should not mean cobbling together multiple vendors, tools and procedures to harmonize security across all teams in an organization.

An IT risk management platform can take the guesswork out of security decisions by centralizing privileged password management, least privilege, and vulnerability assessment. A platform can make it easy to leverage best practices in managing security threats, streamlining operations, and improving communication – all through a single pane of glass.

Adapting to the threats around us is a never-ending battle. Just look at the raft of business security changes that are now commonplace: security tags on merchandise to prevent shoplifting, mirrors and finger guards on ATMs to prevent PIN theft, and two-factor authentication to combat identity theft. Similar widespread adoption of the above best practices will help you mitigate today’s most pressing IT security threats – and keep your business out of the breach headlines.
