Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

New IT Security Best Practices for Maintaining “Business as Usual” Despite Evolving Threats

Posted August 13, 2014    Morey Haber

normal-blog-imgIt’s time to get back to business. Here in the U.S., summer vacations are wrapping up and businesses are looking forward to closing out 2014. Over the past year, we’ve seen several incidents that warrant changes in the ways consumers make purchases and businesses conduct transactions. Consider last week’s theft of a whopping 1.2 billion usernames and passwords by the Russian underground. When it comes to IT security, it’s impossible to see the upcoming holiday season as business as usual. Proper security due diligence requires your organization to evolve or be the next victim. The question that plagues everyone is where to start. Here’s a quick primer:

Rotate Shared Passwords to Keep Attackers Guessing

If you aren’t changing administrative passwords for users and service accounts on a regular basis, you’re holding a ticking time bomb. Consider how many people know shared passwords, where they are documented, and if any systems have been infected by malware in contact with those accounts. All of these scenarios, and many others, could lead to password leaks and allow unauthorized privileged access to sensitive systems and data. The best solution: reset passwords frequently with a privileged password management solution.

Remove Administrative Rights to Limit Malicious Access

How many users have administrative access to desktops, servers, or other systems? Why do they have this access?

Common malware techniques like Pass-the-Hash on Windows can easily steal administrative passwords and use them to navigate a network virtually undetected. A server administrator can leverage excessive privileges to add backdoor accounts or dump databases with sensitive data. So why risk it?

The best practice is for all users to operate only as standard users and be granted administrative privileges only when needed. Adopting a least-privilege model is like wearing a seat belt. It restricts your movement in case of an accident (intentional or purely accidental) but allows you to operate the vehicle normally without restrictions. Obviously with a seat belt on you can’t reach into the backseat, but that’s the whole point of least privilege; you shouldn’t. If you need to reach the backseat, the seat belt (i.e., your privileges) can be loosened via rules that dictate when this access is merited. Automated least-privilege solutions are available for both UNIX/Linux and Windows.

Intelligently Manage Vulnerabilities to Lock Criminals Out

If you’re not patching assets on a regular basis, you’re clearly leaving doors and windows unlocked for criminals (yes, another analogy). Consider that a clean install of Windows 7 has over 230 cumulative vulnerabilities, and many organizations still limit vulnerability assessment to servers – often without accounting for credentialed access. What does that say about the host of unlocked and unprotected doors and windows out there?

Malicious activity can come from a wide variety of attack vectors and can start on a workstation, an HVAC system (e.g., Target), or even a mobile device. The solution starts with getting a zero-gap vulnerability assessment of the entire environment. It should be authenticated and cover all the devices (or a statistical sample if other imaging and change control parameters exist and can be proven).

Of course, the output of vulnerability assessments should not be “phone books” with thousands of pages of faults. Reports should graduate results in logical sequences; present the largest risks first; indicate what to remediate first; and reveal the impact of remediation activities. Having a clear, repeatable assessment process can prove that assets are being remediated and that vulnerabilities are being eliminated.

Patching vulnerabilities is not always possible, but it’s the primary method for fixing these flaws. Configuration changes and other techniques can mitigate the risks when patching is not an option, equating to iron bars placed in front of that unlocked window. Performing vulnerability assessment and patch management are best practices and not just required by regulatory compliance initiatives.

Get Smart with Centralized Management

Each one of these disciplines can be implemented as a technology silo, deployed in phases, or managed under a single platform. Business as usual should not mean cobbling together multiple vendors, tools and procedures to harmonize security across all teams in an organization.

An IT risk management platform can take the guesswork out of security decisions by centralizing privileged password management, least privilege, and vulnerability assessment. A platform can make it easy to leverage best practices in managing security threats, streamlining operations, and improving communication – all through a single pane of glass.

Adapting to the threats around us is a never-ending battle. Just look at the raft of business security changes that are now commonplace: Security tags on merchandise to prevent shoplifting, mirrors and finger guards on ATMs to prevent pin number theft, and two-factor authentication to combat identity theft. Similar widespread adoption of the above best practices will help you mitigate today’s most pressing IT security threats – and keep your business out of the breach headlines.

, , ,

Leave a Reply

Additional articles

Dark Reading

2014: The Year of Privilege Vulnerabilities

Posted December 18, 2014    Chris Burd

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.

, , , , ,

Looking back on information security in 2014

Posted December 16, 2014    Dave Shackleford

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar. 2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced…

, ,

December 2014 Patch Tuesday

Posted December 9, 2014    BeyondTrust Research Team

This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some…