Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

New IT Security Best Practices for Maintaining “Business as Usual” Despite Evolving Threats

Posted August 13, 2014    Morey Haber

normal-blog-imgIt’s time to get back to business. Here in the U.S., summer vacations are wrapping up and businesses are looking forward to closing out 2014. Over the past year, we’ve seen several incidents that warrant changes in the ways consumers make purchases and businesses conduct transactions. Consider last week’s theft of a whopping 1.2 billion usernames and passwords by the Russian underground. When it comes to IT security, it’s impossible to see the upcoming holiday season as business as usual. Proper security due diligence requires your organization to evolve or be the next victim. The question that plagues everyone is where to start. Here’s a quick primer:

Rotate Shared Passwords to Keep Attackers Guessing

If you aren’t changing administrative passwords for users and service accounts on a regular basis, you’re holding a ticking time bomb. Consider how many people know shared passwords, where they are documented, and if any systems have been infected by malware in contact with those accounts. All of these scenarios, and many others, could lead to password leaks and allow unauthorized privileged access to sensitive systems and data. The best solution: reset passwords frequently with a privileged password management solution.

Remove Administrative Rights to Limit Malicious Access

How many users have administrative access to desktops, servers, or other systems? Why do they have this access?

Common malware techniques like Pass-the-Hash on Windows can easily steal administrative passwords and use them to navigate a network virtually undetected. A server administrator can leverage excessive privileges to add backdoor accounts or dump databases with sensitive data. So why risk it?

The best practice is for all users to operate only as standard users and be granted administrative privileges only when needed. Adopting a least-privilege model is like wearing a seat belt. It restricts your movement in case of an accident (intentional or purely accidental) but allows you to operate the vehicle normally without restrictions. Obviously with a seat belt on you can’t reach into the backseat, but that’s the whole point of least privilege; you shouldn’t. If you need to reach the backseat, the seat belt (i.e., your privileges) can be loosened via rules that dictate when this access is merited. Automated least-privilege solutions are available for both UNIX/Linux and Windows.

Intelligently Manage Vulnerabilities to Lock Criminals Out

If you’re not patching assets on a regular basis, you’re clearly leaving doors and windows unlocked for criminals (yes, another analogy). Consider that a clean install of Windows 7 has over 230 cumulative vulnerabilities, and many organizations still limit vulnerability assessment to servers – often without accounting for credentialed access. What does that say about the host of unlocked and unprotected doors and windows out there?

Malicious activity can come from a wide variety of attack vectors and can start on a workstation, an HVAC system (e.g., Target), or even a mobile device. The solution starts with getting a zero-gap vulnerability assessment of the entire environment. It should be authenticated and cover all the devices (or a statistical sample if other imaging and change control parameters exist and can be proven).

Of course, the output of vulnerability assessments should not be “phone books” with thousands of pages of faults. Reports should graduate results in logical sequences; present the largest risks first; indicate what to remediate first; and reveal the impact of remediation activities. Having a clear, repeatable assessment process can prove that assets are being remediated and that vulnerabilities are being eliminated.

Patching vulnerabilities is not always possible, but it’s the primary method for fixing these flaws. Configuration changes and other techniques can mitigate the risks when patching is not an option, equating to iron bars placed in front of that unlocked window. Performing vulnerability assessment and patch management are best practices and not just required by regulatory compliance initiatives.

Get Smart with Centralized Management

Each one of these disciplines can be implemented as a technology silo, deployed in phases, or managed under a single platform. Business as usual should not mean cobbling together multiple vendors, tools and procedures to harmonize security across all teams in an organization.

An IT risk management platform can take the guesswork out of security decisions by centralizing privileged password management, least privilege, and vulnerability assessment. A platform can make it easy to leverage best practices in managing security threats, streamlining operations, and improving communication – all through a single pane of glass.

Adapting to the threats around us is a never-ending battle. Just look at the raft of business security changes that are now commonplace: Security tags on merchandise to prevent shoplifting, mirrors and finger guards on ATMs to prevent pin number theft, and two-factor authentication to combat identity theft. Similar widespread adoption of the above best practices will help you mitigate today’s most pressing IT security threats – and keep your business out of the breach headlines.

, , ,

Leave a Reply

Additional articles

Cavalancia-Headshot - Medium

Making Windows Endpoints the Least of your Worries

Posted September 2, 2015    Nick Cavalancia

We’re all concerned that someday an external hacker will try to gain access to your company’s critical data and systems. The problem? Your endpoints – both your workstations and servers – bypass (and often leave) the safety and security of your environment daily.

, ,

Why Customers Choose PowerBroker: Low Total Cost of Ownership

Posted September 2, 2015    Scott Lang

In a survey of more than 100 customers, those customers indicated that BeyondTrust’s low powerbroker-difference-2total cost of ownership was a competitive differentiator versus other options in the privileged account management market.

, , ,

Passwords: A Hacker’s Best Friend

Posted September 1, 2015    Larry Brock

After all the years of talk about biometrics and multi-factor authentication, we still have passwords and will likely have them for a long time. Because many “high risk” systems require complex passwords (zk7&@1c6), most people that use them believe their passwords are secure. But they aren’t.

, ,