Online security has been a priority for many years, and as the technology available to us advances, cybersecurity keeps evolving with it. The internet is an invaluable resource for modern life, but it can also be a dangerous place. In this article we look at how 2020 is set to change cybersecurity, for better and for worse.
5 Ways Cyber Security Is Changing In 2020
1. Artificial Intelligence
Artificial intelligence, or AI as it is more commonly known, has been around for a while now. In 2020, however, it is expected to be used more frequently both by attackers looking for targets online and by the defenders trying to stop them. The technology can detect patterns in online behaviour and respond to them automatically, reducing the need for human intervention, although it does not remove it entirely.
2. 5G
There are a lot of theories surrounding the roll-out of 5G, but until it is widely used, no one can really predict its impact. One thing that is certain is that we will be exposed to it this year, and according to reports its security is not yet mature enough to withstand the volume of threats online. Those responsible for the technology will therefore need to keep a close eye on cybersecurity as 5G is adopted.
3. Cyber Security Technology Platforms
This might sound like a complex term, and it is. In short, these platforms bundle several major security components into one integrated product, and they look set to be preferred over the single-purpose tools of previous years.
4. Hackers Are Going To The Source
In years gone by, hackers and cybercriminals would target individuals or companies, but with the advances we are seeing in technology, they are now able to target service providers directly. Compromising one provider means access to thousands of its customers and their information. It sounds scary, and it is. On the flip side, these service providers also have access to equally innovative technology with which to fight back.
5. Risk Management
Attempting to handle individual cybercrimes one at a time is a fight that nobody is ever going to win. In 2020, the focus looks set to shift towards managing risk, so that attacks are stopped before the perpetrators have a chance to carry them out. Businesses operating online now have access to a wide range of tools that help them prevent attacks at the source.
It is astonishing how fast technology is moving forward, and that speed is bound to translate into ever-changing online trends; cybersecurity is no exception. If you are concerned about cybersecurity, there are many tools and programs that you can use. Funding them couldn't be easier with websites such as NowLoan, which lets you compare loans to pay for your cybersecurity efforts.
So how can we account for the dip in reported data breaches? It's simple: many organisations have been shuttered, or have been operating in a more limited way, during the pandemic, and either aren't performing actions that could jeopardise their security or haven't detected an incident yet.
Among organisations that have remained open, the threat is more severe than ever. You can take a look at every reported incident that accounts for April’s 216,141,421 breached records here.
As always, incidents affecting UK organisations are listed in bold. Meanwhile, you can stay up to date with the latest news by subscribing to our Weekly Round-up or visiting our blog.
If you’re among the millions of people working from home while also trying to entertain and educate your kids during the coronavirus pandemic, we imagine things have been pretty chaotic.
Were it not for the option of sitting your kids in front of a laptop for a few hours to do their schoolwork or play games, things might be even worse.
But while the technology gives you a break, do you have complete peace of mind about your children’s safety online? The Internet can be a dangerous place, which is why we talk so often about the importance of secure browsing.
We’re not only talking about parental controls, which, although they help you limit the kinds of activities that kids do online, don’t address a whole range of other threats. Let’s take a look at some of those risks and the things that children should do to stay safe online.
1. Install antivirus software
The first step anyone should take to protect themselves from cyber security threats is to install antivirus software.
These programs are designed to prevent anything nasty from getting onto your device and to alert you when something suspicious appears.
Most computers come with built-in antivirus software (Windows uses a program called Defender, for example), which should be sophisticated enough to tackle everyday cyber security threats.
However, there are also plenty of programs you can pay for if you’re looking for something more resilient.
Whatever system you use, antivirus software tends to be relatively unobtrusive, running in the background and only popping up when it detects something fishy going on.
The one limitation is that antivirus software can only block the malware it recognises. It can't stop you from doing something risky yourself, such as typing a password into a bogus website, and in many cases it simply alerts you to the threat and recommends that you take action.
It’s therefore up to parents to teach children about the importance of these warnings. To the untrained eye, they might be confused with annoying spammy pop-ups that you simply click away from.
Of course, the opposite is true – and it’s only by paying attention to what an antivirus program is telling you that you can prevent a whole lot of trouble down the line.
2. Make sure updates are applied
You’re probably familiar with alerts telling you that software needs to be updated and your computer restarted.
We often think they’re inconvenient, because we want to get on with whatever we were doing. But these updates are important and must be done sooner rather than later, because they improve the software and often patch vulnerabilities that could lead to cyber attacks.
It’s therefore essential that any device your child uses is updated regularly, with patches applied as soon as possible.
3. Watch out for phishing emails
Plenty of people on the Internet claim to be someone they’re not. For example, one of the biggest threats Internet users currently face is phishing.
These are malicious messages that appear to be from a trusted source, but attempt to trick users into handing over sensitive information or downloading malware.
There are two kinds of phishing that children should be concerned about, the first of which are email scams. Although the majority of these end up in spam folders, the more convincing ones can fool these detection tools and land in your kids’ inboxes.
Typical examples of phishing emails include messages supposedly from online services that claim that the recipients’ login information needs to be updated. When you click the link, you’re sent to a bogus version of that site and asked to provide your credentials.
If you do as the site asks, you're simply handing your details to the attackers, who can use them to access your account and perhaps even try the same credentials on your other accounts.
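The two tricks described above, a link whose real destination differs from the site it claims to be and a hostname that name-drops a trusted brand while actually belonging to someone else, can be checked mechanically. The following is an added example, not code from the original post: it parses the links in an HTML email body and reports why each one looks like a lure. The brand list, the sample message and the function names are assumptions made for this illustration, and the registrable-domain helper is deliberately simple (real code would consult the Public Suffix List).

```python
"""Added example (not from the original post): flag phishing-style links in an
HTML email body. The brand list, the sample message and the helper names are
assumptions made for this illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: brands the user holds accounts with, keyed by the registrable domain
# that legitimately owns the login page.
TRUSTED_DOMAINS = {"paypal.com": "paypal", "microsoft.com": "microsoft"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Good enough for .com-style domains;
    production code should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, text):
    """Return the reasons a link looks like a phishing lure (empty list = fine)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if not host:
        return reasons
    reg = registrable_domain(host)

    # 1. The visible text is itself a URL, but its host is not where the link goes.
    text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    if "." in text_host and " " not in text_host and registrable_domain(text_host) != reg:
        reasons.append(f"text says {text_host} but link goes to {host}")

    # 2. The hostname mentions a trusted brand but the registrable domain is not
    #    that brand's (e.g. paypal.com.verify-login.example).
    for trusted, brand in TRUSTED_DOMAINS.items():
        if brand in host and reg != trusted:
            reasons.append(f"{host} imitates {trusted}")

    # 3. A page asking for credentials should never be served over plain http.
    if parsed.scheme == "http":
        reasons.append("link is not https")
    return reasons


def scan_email(html):
    """Return {href: reasons} for every suspicious link in an HTML body."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = classify_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message (not a real email): two lures and one genuine link.
SAMPLE = """
<p>Your account has been limited. Please
<a href="http://paypal.com.verify-login.example/x">update your details</a>.</p>
<p>Visit <a href="https://secure-update.example/m">https://www.microsoft.com/account</a>
to keep access.</p>
<p>Read our <a href="https://www.paypal.com/help">help centre</a>.</p>
"""

if __name__ == "__main__":
    for link, why in scan_email(SAMPLE).items():
        print(link, "->", "; ".join(why))
```

The third check (plain http) is a weak signal on its own, since many legitimate pages still use it, but on a link that asks for a login it is worth reporting alongside the other two. The same logic applies to the social media version of the scam in the next point: the destination hostname, not the account name that sent it, is what tells you who you are dealing with.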
The other type of phishing scam children should be aware of involves social media, which we take a look at in our next point.
4. Monitor social media activity
Platforms such as Twitter and Reddit have changed the way we think about staying safe online. A generation ago, we were constantly warned about the risks of speaking to strangers over the Internet, but now many websites are designed specifically for that purpose.
Although the majority of those people are harmless, there are still people who take advantage of this. One way they do so is through social media phishing scams.
One such scheme works like this: your child sends a tweet to McDonald’s about a promotional offer. A cyber criminal who owns a Twitter account with a name like “McD’s Customer Support” jumps onto the reply and directs your kid to a website that asks them to sign up to receive the latest news, but is actually designed to siphon off their personal details.
You can help your children avoid these risks by teaching them to be careful of any communication that directs them to a website asking them to provide personal details.
When it comes to sites such as Facebook and Instagram, where you're likely to reveal a lot of information about yourself, it may well be wise to make your account private. That means only people you're friends with, or who follow you, can see your profile.
5. Think before handing out personal data
Pretty much every website you visit collects some sort of data about you. This might be relatively harmless information, like tracking cookies that help the website see what links you click and how long you stay on a page, but other practices aren’t as benign.
For example, you might be asked to create an account, in which case you’ll need to submit an email address and password, and maybe even your name, date of birth and other details.
Whenever you provide this information, there is the risk that it will be misused – either intentionally or accidentally.
Say, for instance, the organisation suffered a data breach and the information it collected was leaked online. A cyber criminal could send targeted scams to your child.
Although adults generally understand these risks, children aren’t as aware. It’s therefore up to you to teach them that this type of information is valuable and shouldn’t be shared with just anyone.
In the UK, organisations that use consent to collect the personal data of someone under the age of 13 need to seek the approval of someone with “parental responsibility” and take reasonable steps to ensure that the person providing this approval is who they say they are.
This means that if your child is under 13, you’ll always know which organisations are requesting their personal data.
The only exception to the GDPR’s rule is when the information is collected for preventive or counselling services offered directly to the child. The parental figure is often the reason the child is seeking these services, so it makes sense for the organisation to bypass their approval.
Staying secure during the coronavirus pandemic
The pandemic has blurred the lines between your work and home life, and the last thing you need is your kids creating problems that could affect your job.
This will be a significant problem if you don’t have your own work-issued laptop or phone, or if cyber criminals are able to attack your Wi-Fi router.
You should be particularly cautious about letting your children play games or do other potentially dangerous things on devices that you use for work.
This is just one of the reasons why coronavirus presents an unprecedented challenge for organisations. It affects all parts of your business and there is no end in sight.
However, what is certain is that it’s more important than ever to remain vigilant and aware of the threats your organisation faces.
One virus is enough to contend with. Make sure you’re prepared to tackle whatever else comes your way with our packaged solutions, which include tools and services to help you address remote working best practices, network vulnerabilities and a host of other issues.
As we enter the fourth week of the lockdown, you’ve hopefully begun to find a routine in your new work arrangement.
Perhaps you’re able to get out of bed and shower before logging on instead of lying in bed until 8:55 am and crawling to your desk. Maybe you feel less guilty about having a mid-morning video chat with a colleague in lieu of your normal coffee break.
And fingers crossed you’re accustomed by now to saving up your one daily trip outdoors so that you have something to look forward to.
Despite the absurdity of all this, the one thing that makes it almost bearable is knowing that we’re all in it together. That’s why each week we’re sharing our experiences, advice and guidance on how to manage through the pandemic.
Researchers believe the credentials were compromised elsewhere, and that the attackers then used credential stuffing, replaying those leaked username and password pairs against Zoom's login page, to confirm which people had reused their passwords on Zoom.
In other words, if you created a Zoom account using the same username and password that you’ve used elsewhere, attackers may have been able to access your account.
It's worth emphasising, then, that for all of Zoom's security faults, the root cause of this incident lies with password reuse rather than with the platform.
To put it bluntly: beyond slowing the attack down with rate limiting and multi-factor authentication, there is little Zoom could have done to prevent it. It's up to each of us to exercise good password practices whatever service we use, and part of that involves using a unique password for each account that we create.
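Because credential stuffing tries one leaked password per account rather than many passwords per account, it has a recognisable shape in authentication logs: one source hitting many distinct usernames with a high failure rate, and the occasional success marking an account whose password was reused. The following is an added example, not Zoom's code or anything from the original post: it aggregates a constructed log and lists the sources and compromised accounts. The log format, the thresholds and the sample lines are assumptions made for this illustration.

```python
"""Added example (not from the original post): spot a credential-stuffing run in
authentication logs. The log format, thresholds and sample lines are assumptions
made for this illustration, not any vendor's real telemetry."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines: "<timestamp> <source_ip> <username> <result>".
# 203.0.113.7 walks through many accounts with one password each (stuffing);
# 198.51.100.20 is one user who mistypes once and then logs in.
SAMPLE_LOG = """\
2020-04-13T09:00:01Z 203.0.113.7 alice@example.com FAIL
2020-04-13T09:00:02Z 203.0.113.7 bob@example.com FAIL
2020-04-13T09:00:02Z 203.0.113.7 carol@example.com OK
2020-04-13T09:00:03Z 203.0.113.7 dave@example.com FAIL
2020-04-13T09:00:03Z 203.0.113.7 erin@example.com FAIL
2020-04-13T09:00:04Z 203.0.113.7 frank@example.com OK
2020-04-13T09:00:04Z 203.0.113.7 grace@example.com FAIL
2020-04-13T09:00:05Z 203.0.113.7 heidi@example.com FAIL
2020-04-13T09:01:10Z 198.51.100.20 ivan@example.com FAIL
2020-04-13T09:01:15Z 198.51.100.20 ivan@example.com OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: set = field(default_factory=set)


def parse_log(text):
    """Aggregate login attempts per source IP."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if result == "OK":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def find_stuffing_sources(stats, min_users=5, min_failure_ratio=0.6):
    """A stuffing run looks like many *distinct* usernames from one source with
    mostly failures. A brute force against one account, or one person
    mistyping, does not match. Returns {ip: accounts it logged into}."""
    hits = {}
    for ip, s in stats.items():
        many_accounts = len(s.usernames) >= min_users
        mostly_failing = s.failures / s.attempts >= min_failure_ratio
        if many_accounts and mostly_failing:
            hits[ip] = sorted(s.successes)
    return hits


def compromised_accounts(text):
    """Accounts whose reused password was confirmed by a stuffing run. These
    are the ones to force-reset and notify; the source IPs get rate limited."""
    hits = find_stuffing_sources(parse_log(text))
    return sorted({user for users in hits.values() for user in users})


if __name__ == "__main__":
    for ip, users in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: stuffing run, succeeded against {users}")
```

The successes are the important output: a "mostly failures" pattern is what the attacker expects, and each success is an account whose owner reused a password from another breach. Real attackers spread a run across many IPs, so in practice the same aggregation is done per user agent, per ASN or per time window as well as per source address.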
The criminals’ ploys include creating bogus websites supposedly selling facemasks, and text messages imitating the government that claim that the recipient is being fined for breaking social distancing guidelines.
Video conferencing has become one of the main ways that employees communicate with each other during the coronavirus pandemic, but it’s not just software vulnerabilities that you need to be concerned about. You also need to be careful about mistakes you make when using the software.
In addition to poor password practices, as we discussed above, employees might forget that they have their camera or microphone on, which could result in them sharing information with unauthorised personnel or otherwise finding themselves in embarrassing and unprofessional situations.
Likewise, employees should be careful about what’s visible on their screen. This is most likely to be a problem if you have a whiteboard in your office on which work or personal details (such as your Wi-Fi password) are written.
Some video conferencing platforms include features that allow you to blur or mask your background, which is helpful if you want to avoid these risks.
Meanwhile, it’s always worth considering what information you might be sharing via these services. Just because you are working from home, it doesn’t mean you should neglect office protocols regarding protecting sensitive data.
IT Governance employee tips for working from home
Even though the lockdown is starting to feel a little more normal, new problems are never far away. For example, when we caught up with our Head of Marketing James Warren, we learned that he’d noticed a problem arising from his new work set-up.
"Anyone that wears contact lenses will be very aware that they sometimes make your eyes feel tired and dry, and that could lead to eye strain and headaches," he said.
"I've noticed in the last week that I'm spending more time looking at my screen than usual, due to [having so many] online meetings […] and therefore have been suffering more than usual."
James also found that switching to glasses as early into the evening as possible helped prevent further eye strain.
Free brochure: Managing remote workers’ mental health
Our mental wellbeing has been almost as big a concern during the lockdown as our physical health. Being shut inside, either alone or cooped up with family or housemates (and it's debatable which is worse), is bound to take its toll, and could show up in the workplace as fractious relationships with colleagues or slips in productivity.
It advises managers on the steps they can take to help an isolated workforce stay connected and how to spot signs that something might not be right with an employee. Perhaps there’s something about a way they’re acting in a video call or the tone of their emails or IMs that suggests they’re struggling.
With this guide, you can navigate these problems before they turn into something serious. After all, the coronavirus pandemic is tough enough without internal quarrels to worry about.
Coronavirus: your biggest challenge yet
Between a stumbling economy, coronavirus-related scams and concerns over employees’ mental health, organisations have a lot on their plates at the moment.
When you factor in the additional risks – such as an increased reliance on technology to share information and a weakened cyber security set-up with employees working from home – the pandemic poses serious problems that can’t be ignored.
That’s why we’ve put together a series of packaged solutions to help you tackle whatever comes your way. We have tools and services to help you address business continuity management, for example, as well as remote working best practices and network vulnerabilities.
Meanwhile, we’re offering 25% off our certified online training courses throughout May – which are available in several remote learning options.
As we enter the third week of the UK’s lockdown (yes, it has only been that long), things are starting to take their toll.
Organisations are shrinking, with staff off sick or furloughed, their defences are feeling the strain of a dispersed workforce, and cyber criminals are pouncing on increasingly stressed employees.
Perhaps the only thing keeping us going is the knowledge that we’re all in this together. As a reminder of that, we’re back with more of our experiences and advice on how to manage through the pandemic.
We also have a selection of free tools to help you address some of the challenges you’ll face, and summarise the latest coronavirus-related security threats.
Everyone has had to make compromises during the coronavirus pandemic and for a few days it seemed that cyber criminals were no exception – with two notorious gangs vowing not to attack hospitals.
Unfortunately, according to research from Interpol, many of their peers haven’t been as compassionate. Interpol’s cyber crime threat response team said it has detected a “significant increase” in ransomware attacks since the COVID-19 outbreak.
For these crooks, the outbreak means that overburdened hospitals are more likely to go against best practice and pay up. We can only hope that as the virus continues to spread, criminals will realise that their attacks are putting people’s lives at risk.
Interpol has alerted all 194 of its member countries about the increasing threat of ransomware, and is working with the cyber security industry to learn more about the attacks and how national police forces can combat them.
General Secretary Jan Shortt explained that many of the NPC’s members have received bogus claims from people selling masks and protective equipment.
“They just take the money and nothing shows up. Over a million reports have been made now.
“There’s a lot of scams out there so people need to help their neighbours.”
These kinds of attacks have skyrocketed since the coronavirus pandemic began, and although the elderly might be an attractive target for cyber criminals, they’re not the only ones who need to be concerned.
Superintendent Sanjay Andersen, head of the National Fraud Intelligence Bureau, said: “We’re advising people not to panic and to think about the purchase they are making. When you’re online shopping it’s important to do your research and look at reviews of the site you are buying from.”
This advice is consistent with online shopping in general, but it’s worth emphasising given the panic that some people might feel when preparing for the pandemic.
Before the lockdown, the security of our home Internet routers would probably have been, at best, a minor cause for concern, because it’s one of the less practical or effective ways for criminals to attack us.
That’s no longer quite as true, as cyber criminals know that many of us are working at home and are accessing vast amounts of sensitive information.
If you want to take an extra step to secure your Internet connection, IT Governance Security Testing Manager James Pickard recommends that you establish a second wireless network – also known as an SSID (Service Set Identifier) – for home working.
“The creation of a new network allows the separation of corporate and personal devices, increasing the security posture,” he writes.
"As an example: if you or a family member falls victim to a phishing attack or downloads malware, having a separate network will limit the criminals' access or the spread of the infection across both personal and corporate devices.
"It also allows you to increase the security of your new corporate Wi-Fi without affecting the configuration of your existing home network.
"Bandwidth limits can often be set on these networks to ensure that connectivity is reliable when other family members are streaming/gaming/downloading, ensuring good connectivity for your corporate devices."
IT Governance employee tips on working from home
As you’ll have seen first-hand, one of the biggest challenges of working from home is how to remain productive.
With so many distractions, it’s all too easy to wander off and start doing other things. Indeed, it’s amazing how seemingly boring tasks suddenly become appealing when the alternative is cracking on with work.
By contrast, some people are so self-conscious about not letting their work drop while working from home that they’ll plough on through the day, starting early, barely taking a lunch break and finishing late.
The latter might sound like a far more reliable employee, but their attitude can be just as dangerous. You need regular breaks if you’re to stay healthy and avoid careless mistakes, and even if you consider yourself a dedicated worker in the office, you probably don’t realise how often you get respites.
Consider the number of casual conversations you have with colleagues when you’re in the office, or how regularly you leave the office at lunchtime, or the number of meetings you normally attend. These are all once-ordinary parts of our day – and without them, we risk getting overworked and careless.
So, don’t feel bad if you stop work for ten minutes to make a coffee and speak to people, whether that’s other people in your home or a quick call with a co-worker.
Hosted by Sarah Cook – who has 20 years’ consulting experience, specialising in leadership and management development – this webinar outlines the benefits and challenges of remote working.
Tips and techniques for making remote working a success;
Practical advice for managers; and
Information on building personal and team resilience when working in isolation.
You can find more guidance on managing these requirements with our Remote Working Policy Template. It includes guidance on storing devices securely, creating and maintaining strong passwords, and an acceptable use policy for visiting websites that aren’t work-related.
Meanwhile, another way to ensure that your transition to remote working is successful is by implementing a BCP (business continuity plan).
This is a series of documents that explains how an organisation will respond in the event of disruption – including, where necessary, instructions on how employees can work from home safely.
We’ve created a free BCP template for those who want guidance on how to navigate the challenges the COVID-19 pandemic has brought.
It contains guidance on all the key aspects that should be included in a BCP, giving you the framework you need to roll out an effective plan quickly.
Coronavirus: your biggest challenge yet
Organisations have a hard enough time at the moment without the threat of cyber crime and compliance issues. Unfortunately, the chaos that the coronavirus pandemic has caused means there are a variety of new security issues that you must address.
The cyber security industry is booming. Organisations are increasingly using technological solutions to perform core functions, and they need a way to make sure these processes aren’t vulnerable to cyber attackers.
This influx in opportunities is outpacing the number of qualified personnel, meaning now is an ideal time to get into an industry that promises generous salaries and opportunities for career progression.
Let’s take a look at four ways you can get started in the cyber security industry.
1) Identify your transferable skills
Unlike many professions, you don’t need cyber security experience to get into the field, although many people entering the field will come from jobs that have similar skillsets, such as systems administration or information analysis.
If you can demonstrate the relevance of your existing experience – what recruiters call ‘transferable skills’ – there’s no reason why you can’t get a foothold on the cyber security career ladder.
There are also plenty of entry-level positions available. Account executives and junior penetration testers, for example, tend to have little work experience, and can learn while on the job.
Of course, any prior experience is a massive advantage, so it’s worth taking an internship or volunteer position if you can. Alternatively, you could offer to help your employer or academic institution’s IT department in your spare time.
2) There are lots of free ways you can learn about the industry
It’s always a good idea to read as much as you can about a subject to find out what you’re getting yourself into. There are plenty of blogs dedicated to the practicalities of the cyber security industry; two good ones to start with are Troy Hunt’s and Brian Krebs’.
And, of course, there’s our own blog, which helps you stay up to date with the latest cyber security news and advice.
You should also consider following industry professionals on Twitter, as many of them provide useful tips, engage in debates and answer questions.
Meeting people and making connections is a great way to get your foot in the door. Networking websites such as LinkedIn can be helpful, but you should definitely take any opportunity to get face-to-face meetings.
Conferences are an excellent starting point. There are tons of events across the UK each year, where you can listen to keynote presentations, take part in roundtables and workshops, and network.
You should also get to know the cyber security professionals in your organisation. We’re not suggesting that you accost them during their lunch break, but a few well-timed questions could lead to essential advice.
More to the point, simply getting to know them on a personal level could give you an advantage when a job opens up in the department.
4) Gain a qualification
The best way to gain an advantage over other prospective cyber security professionals is to become qualified.
The qualifications you need will depend on your career path. If you don’t have this mapped out yet, or you simply want a strong overall understanding of how to navigate security risks, you should seek out a course that covers general topics, such as our Certified Cyber Security Foundation Training Course.
This one-day course explains the fundamentals of cyber security and shows you how to protect your organisation from a range of threats.
With group discussions and practical exercises led by real-world experts, you’ll gain a true insight into the skills needed to deal with cyber threats.
A version of this blog was originally published on 8 December 2017.
As the 2019 novel coronavirus sweeps across the globe, organisations are turning to their BCPs (business continuity plans) for solutions to the disruption that the pandemic is causing.
These plans should include guidance on how to cope if employees are unable to work from the office, whether that's because of a pandemic or something more prosaic, like a gas leak or other safety hazard.
If you don’t already have a plan in place, it’s not too late to start. Let’s take a look at everything you need to know.
What is a business continuity plan?
A BCP consists of the processes and procedures an organisation needs in order to continue operating during a disaster and recover as quickly as possible. All of this information is put into a document, which is regularly tested, developed and improved on to make sure the organisation is prepared. The BCP is often considered the heart of a BCMS (business continuity management system).
Who should have a business continuity plan?
All organisations, no matter their size, should create a BCP.
Details of the plan should be provided and any exclusions must be explained.
Persons with authority during and after an incident must be assigned roles.
Details of how and when the BCP will be invoked.
Developing the BCP
Information in the plan must be understood by and accessible to everyone in the organisation.
How, and under which circumstances, the organisation will communicate with employees and their relatives, key interested parties and emergency contacts.
Provide information relating to essential stakeholders, including their contact details.
Document owner, approver and change history record
The business continuity manager is the owner of the BCP and is responsible for ensuring that the procedure is reviewed and tested regularly.
The document must be published in a place that is available to all members of staff, especially those directly involved in the BCP, and in all appropriate formats (digital, hard copy, etc.).
Benefits of a business continuity plan
Creating a BCP will make it easier for your organisation to cope in a crisis and minimise the disruption for you and your customers. It also demonstrates to customers and investors that your business is prepared for anything, thereby gaining their confidence and giving you a competitive edge.
A BCP can also reduce or even avoid the risk of losing revenue if you are hit with a disruption. Returning to business as usual as quickly as possible minimises the time that your organisation is unable to operate and therefore unable to generate revenue.
Organisations that aren’t prepared often appear incompetent. This can damage their reputation and brand image, putting many people off associating with them, which could lead to a loss of customers.
Technological defences and staff training are two of the most frequently touted measures for preventing data breaches, but their effectiveness is dependent on the way organisations implement them.
This is a lesson organisations must learn quickly amid the COVID-19 pandemic, with a series of new information security risks surrounding their new, temporary work set-ups. Many employees are being asked to work from home, including some who are using their personal devices.
Meanwhile, some organisations are already seeing depleted workforces due to illness or furloughs, meaning the remaining staff have to pick up more of the slack – and with IT teams having less oversight over the now-dispersed organisational infrastructure, there is less they can do to prevent the mounting threat of cyber attacks.
So how can you stay on top of these requirements during this turbulent time? The answer is to create or update a cyber security policy.
What is a cyber security policy?
A cyber security policy outlines an organisation’s cyber security defence strategy. Specifically, it explains the assets that must be protected, the threats to those assets and the controls that have been implemented to tackle them.
It’s only by documenting these that you can be sure that your organisation is approaching cyber security comprehensively and efficiently.
What a cyber security policy should include
All cyber security policies should include information on:
Which controls the organisation has implemented and the threats they address. For example, endpoints should be protected with antivirus software and firewalls
How updates and patches will be applied to limit the attack surface and plug application vulnerabilities. For example, organisations should regularly update browser, operating system and other Internet-facing applications
How data will be backed up. For example, organisations might choose to automatically back up their data to an encrypted Cloud server with multi-factor authentication
Cyber security policies should also identify who issued the policy, who is responsible for maintaining and enforcing it, who will respond to and resolve security incidents and which users have admin rights.
Employees and your cyber security policy
No matter how resilient your cyber security strategy is, you must always account for employees’ susceptibility to mistakes.
This might be the result of carelessness – such as misplacing files – or the result of targeted attacks from crooks. Phishing is one of the most common tactics in cyber crime because it circumvents many of the measures that organisations adopt to protect their organisation, instead going directly at employees.
A cyber security policy will mitigate these risks, explaining to employees how they can protect sensitive information in various scenarios.
It should also address what happens when an employee doesn’t follow protocol. The specific actions will depend on the circumstances, but in most cases you’ll discipline, or possibly even fire, someone for deliberately flouting the rules.
Making a user who has been compromised feel like the ‘bad guy’ will only exacerbate an already bad situation.
It can lead to an environment in which people try to fix issues themselves or, worse, simply hide or ignore them and, most importantly, fail to communicate the incident quickly.
Organisations should also take some accountability when an employee makes a mistake, as it suggests that staff awareness training is lacking – whether that’s because the course content isn’t adequate or that sessions aren’t being performed regularly enough.
Part of your response to a security incident should be to review all of your defence measures, which includes your cyber security policy, training programmes and technologies.
Creating a cyber security policy
The content of your policy will depend on specific issues that you’ve identified when performing a risk assessment. That said, there are some universal issues that every organisation should account for, such as:
Software providers regularly release patches to fix identified vulnerabilities. Once the update is announced, the vulnerability is made public – which means cyber criminals can look to exploit it.
That’s why organisations must have a patch policy in place to ensure updates are applied as soon as they are released.
Acceptable Internet use
Employees should be given a degree of leeway when it comes to accessing non-work-related content on company devices; after all, everyone is entitled to breaks.
However, organisations should be careful about just how much freedom they’re afforded. Untrustworthy sites, especially those that encourage users to download content, can be used to infect the device with malware.
Remote working has become a standard part of modern business, thanks to the growing popularity of working from home and on the road.
Unfortunately, public Wi-Fi and employees’ home connections are less secure than your internal network, because they’re not subject to the rigorous defences you’ve implemented, such as firewalls.
Likewise, unlike your internal network, there’s no guarantee that only your employees have access.
As such, you should establish controls that prevent remote workers from accessing sensitive company information. This reduces the damage in the event that an employee’s account is compromised.
Creating strong passwords
Weak passwords are one of the biggest security problems that organisations face. Even though most employees are aware of the importance of strong login credentials, too many of them don’t think beyond obvious phrases such as ‘123456’ and ‘qwerty’.
Your cyber security policy should urge staff to create stronger passwords by outlining rules.
There are several schools of thought on what makes a strong password, the most common of which is that credentials should contain a combination of at least eight upper- and lowercase letters, numbers and special characters.
The problem with this method is that the result can be hard to remember. “Did I replace the ‘o’ with a ‘0’ or the ‘l’ with a ‘1’?”, for example.
One way around this is to make your password a code; a popular technique is to use the first letter from a sentence that uses each of those characters. For instance, “My first son was born in July ’01” becomes “MfswbiJ’01”.
You can also use the length of your password to your advantage; every additional character you add is one that a cyber criminal has to guess.
As such, three random words – with no special characters or numbers – is often more secure than a complex cipher such as the example above.
Your policy doesn’t need to specify one approach over another; some employees will be more comfortable with one approach and others with an alternative. The important thing is that staff break out of the habit of simple passwords that can be cracked instantly.
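As an added illustration (not from the original article), the Python below estimates the brute-force search space of the approaches contrasted above, from ‘123456’ through the sentence-derived “MfswbiJ’01” to three random words, and implements a policy check that accepts either the complexity route or the length route while rejecting the instantly cracked passwords named above. The word list, banned list and guessing rate are constructed assumptions for the example.

```python
import math
import re
import secrets
import string

# Constructed for this example: a tiny word list standing in for a real
# diceware-style list; entropy is computed against the assumed real list size.
WORDLIST_SIZE = 7776
SAMPLE_WORDS = ["harbour", "copper", "violin", "meadow", "glacier", "lantern"]

# Passwords the article says are cracked instantly. A real policy would load a
# large breached-password list; this small set is constructed for the example.
BANNED = {"123456", "qwerty", "password", "letmein"}

# Assumed offline guessing rate, used only to make the bit counts tangible.
GUESSES_PER_SECOND = 1e10

MIN_COMPLEX_LENGTH = 8      # the "eight mixed characters" school of thought
MIN_PASSPHRASE_LENGTH = 16  # the "use length to your advantage" route


def character_classes(pw: str) -> dict:
    """Which of the four classes the article lists appear in pw."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }


def charset_size(pw: str) -> int:
    """Alphabet size an attacker must assume if they only know which classes are used."""
    present = character_classes(pw)
    size = 26 * present["lower"] + 26 * present["upper"] + 10 * present["digit"]
    size += len(string.punctuation) * present["special"]  # 32 ASCII symbols
    size += 1 if any(c.isspace() for c in pw) else 0
    return size


def brute_force_bits(pw: str) -> float:
    """Search-space size in bits: every extra character multiplies the work."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def wordlist_bits(n_words: int, list_size: int = WORDLIST_SIZE) -> float:
    """Search space if the attacker knows the password is n_words random list words."""
    return n_words * math.log2(list_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Rough time to try the whole space at the assumed guessing rate."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def check_policy(pw: str) -> tuple:
    """Return (accepted, reason); either route the article describes is acceptable."""
    if pw.lower() in BANNED:
        return False, "on the banned list; would be cracked instantly"
    classes = sum(character_classes(pw).values())
    if len(pw) >= MIN_COMPLEX_LENGTH and classes == 4:
        return True, "complexity route: 8+ chars with all four character classes"
    words = [w for w in re.split(r"[\s\-_]+", pw) if w]
    if len(pw) >= MIN_PASSPHRASE_LENGTH and len(words) >= 3:
        return True, "length route: three or more words"
    if len(pw) >= MIN_PASSPHRASE_LENGTH:
        return True, "length route: 16+ characters"
    return False, "too short for the character classes used"


def generate_three_words(words=SAMPLE_WORDS) -> str:
    """Three random words from the list, chosen with a CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(3))


if __name__ == "__main__":
    for candidate in ["123456", "MfswbiJ'01", generate_three_words()]:
        bits = brute_force_bits(candidate)
        print(f"{candidate!r}: {bits:.1f} bits, ~{years_to_exhaust(bits):.2g} years, "
              f"policy={check_policy(candidate)}")
    print(f"three random words if the scheme is known: {wordlist_bits(3):.1f} bits")
```

Three random words score about 39 bits if the attacker knows the scheme and the word list, but close to 100 bits against character-level brute force; that gap is the nuance behind the length advice above.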
Does your policy account for your new work environment?
The most significant change in the way organisations are operating during the COVID-19 pandemic is the number of employees working from home.
Remote workers face a wide variety of challenges – particularly when there aren’t people still in the office who can pick up tasks that would require the security benefits that come with working on the premises.
On Monday, the RSA Conference 2020 will begin, where almost a thousand cyber security companies will showcase their greatest cyber security solutions to thousands of attendees, and where supposedly "The World Talks Security!"
If that's the case, let's talk security - I'd like to ask the entire RSA Conference just 1 simple cyber security question -
Question: Do the companies whose CISOs and cyber security personnel are attending the RSA Conference '20 have any idea exactly who has what privileged access in their foundational Active Directory deployments today?
If they don't, then perhaps instead of making the time to attend cyber security conferences, they should first focus on making this paramount determination, because without it, not ONE thing, let alone their entire organization, can be adequately secured.
If this one simple question posed above isn't clear, here are 5 simple specific cyber security 101 questions to help gain clarity:
Does our organization know exactly -
Q 1. Who can run Mimikatz DCSync against our Active Directory to instantly compromise everyone's credentials?
Q 2. Who can change the Domain Admins group's membership to instantly gain privileged access company wide?
Q 3. Who can reset passwords of / disable use of Smartcards on all Domain Admin equivalent privileged accounts?
Q 4. Who can link a malicious GPO to an(y) OU in Active Directory to instantly unleash ransomware system-wide?
Q 5. Who can change or control who has what privileged access in our Active Directory?
If an organization does not have exact answers to these 5 simple questions today, it has absolutely no idea as to exactly who has what privileged access in its foundational Active Directory, and thus, it has absolutely no control over cyber security.
This is Paramount
If you don't think that having exact answers to these questions is paramount, then you don't know a thing about cyber security.
Just ask the world famous and globally trusted $10 Billion cyber security company CrowdStrike, and here's a quote from them - "A secure Active Directory environment can mitigate most attacks."
Zero out of 1000
There are almost 1000 cyber security companies exhibiting at the RSA Conference 2020, but guess how many of those 1000 companies could help you accurately determine the answers to the 5 simple questions asked above? The answer is 0.
Not Microsoft, not EMC, not CrowdStrike, not FireEye, not Cisco, not IBM, not Symantec, not McAfee, not Palantir, not Tanium, not CyberArk, not Centrify, not Quest, not ZScaler, not BeyondTrust, not Thycotic, not Varonis, not Netwrix, not even HP, in fact no company exhibiting at RSA Conference 2020 has any solution that could help accurately answer these simple questions.
That's right - not a single cyber security company in the world (barring one), let alone the entirety of all cyber security companies exhibiting at or sponsoring the RSA Conference 2020 can help organizations accurately answer these simple questions.
The key to being able to answer the leading question above, as well as the five simple cyber security questions posed above lies in having just 1 simple, fundamental cyber security capability - Active Directory Effective Permissions.
There's only 1 company on planet Earth that possesses this key, and it's not going to be at the RSA Conference 2020 - this one.
Today, yet again, I'd like to share with you a simple Trillion $ question, one that I had originally asked more than 10 years ago, and recently asked again just about two years ago. Today it continues to be exponentially more relevant to the whole world.
In fact, it is more relevant today than ever given the paramount role that cyber security plays in business and national security.
So without further ado, here it is - Who needs WMDs (Weapons of Mass Destruction) Today?
Ans: Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.
Why would an entity bother trying to acquire or use a WMD (or for that matter even a conventional weapon) when (if you're smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which governments, militaries and thousands of business organizations of the world operate?
Today, all you need is two WDs in the same (pl)ACE and it's Game Over.
Puzzled? Allow me to give you a HINT:
Here’s a simple question: What does the following non-default string represent and why should it be a great cause of concern?
Today, this one little question and the technicality I have shared above directly impacts the cyber security of the entire world.
If you read my words very carefully, as you always should, then you'll find that it shouldn't take an astute cyber security professional more than a minute to figure it out, given that I’ve actually already provided the answer above.
Today, the CISO of every organization in the world, whether it be a government, a military or a billion dollar company (of which there are dime a dozen, and in fact thousands worldwide) or a trillion dollar company MUST know the answer to this question.
They must know the answer because it directly impacts and threatens the foundational cyber security of their organizations.
If they don't, (in my opinion) they likely shouldn't be the organization's CISO because what I have shared above could possibly be the single biggest threat to 85% of organizations worldwide, and it could be used to completely compromise them within minutes (and any organization that would like a demo in their real-world environment may feel free to request one.)
Some of you will have figured it out. For the others, I'll finally shed light on the answer soon.
PS: If you need to know right away, perhaps you should give your Microsoft contact a call and ask them. If they too need some help (they likely will ;-)), tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root in seconds.)
PS2: If this intrigues you, and you wish to learn more, you may want to read this - Hello World :-)
Today is January 06, 2020, and as promised, here I am getting back to sharing perspectives on cyber security.
Cyber Security 101
Perhaps a good topic to kick off the year is by seeking to ask and answer a simple yet vital question - What is Active Directory?
You see, while this question may seem simple to some (and it is), it's one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.
The simple reason for this is that if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure, and while it's true that at its simplest, it is a directory of all organizational accounts and computers, it is this shallow view that leads organizations to greatly diminish the real value of Active Directory to the point of sheer irresponsible cyber negligence because "Who really cares about just a phone book?"
In fact, for two decades now, this has been the predominant view held by most CISOs and IT personnel worldwide, and sadly it is the negligence resulting from such a simplistic view of Active Directory that is likely the reason that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.
Again, after all, who cares about a phone book?!
Active Directory - The Very Foundation of Organizational Cyber Security Worldwide
If, as they say, "A Picture is Worth a Thousand Words", perhaps I should paint you a very simple Trillion $ picture -
An organization's Active Directory deployment is its single most valuable IT and corporate asset, worthy of the highest protection at all times, because it is the very foundation of an organization's cyber security.
The entirety of an organization's very building blocks of cyber security i.e. all the organizational user accounts and passwords used to authenticate their people, all the security groups used to aggregate and authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computers, including all laptops, desktops and servers are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory, and all actions on them audited in it.
In other words, should an organization's foundational Active Directory, or a single Active Directory privileged user account, be compromised, the entirety of the organization could be exposed to the risk of complete, swift and colossal compromise.
Active Directory Security Must Be Organizational Cyber Security Priority #1
Today, ensuring the highest protection of an organization's foundational Active Directory deployment must undoubtedly be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.
For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security.)
In essence, today every organization in the world is only as secure as is its foundational Active Directory deployment, and from the CEO to the CISO to an organization's shareholders, employees and customers, everyone should know this cardinal fact.
I trust this finds you all doing well. It has been a few months since I last blogged - pardon the absence. I had to focus my energies on helping the world get some perspective, getting 007G ready for launch, and dealing with a certain nuisance.
Having successfully accomplished all three objectives, it is TIME to help defend organizations worldwide from the SPECTRE of potentially colossal compromise, which is a real cyber security risk that looms over 85% of organizations worldwide.
When you know as much as I do, care as much as I do, and possess as much capability as I do, you not only shoulder a great responsibility, you almost have an obligation to educate the whole world about cyber security risks that threaten their security.
So, even though I barely have any time to do this, in the interest of foundational cyber security worldwide, I'm going to start sharing a few valuable perspectives again, and do so on this blog, that blog and the official PD blog (see below).
Stay tuned for some valuable cyber security insights right here from January 06, 2020 and let me take your leave with a befitting (and one of my favorite) song(s) -
Best wishes, Sanjay.
PS: Just a month ago, the $ Billion Czech cyber security company Avast was substantially compromised, and guess what the perpetrators used to compromise them? They used the EXACT means I had clearly warned about TWO years ago, right here.
Everything we do on a daily basis has some form of “trust” baked into it. Where you live, what kind of car you drive, where you send your children to school, who you consider good friends, what businesses you purchase from, etc. Trust instills a level of confidence that your risk is minimized and acceptable to you. Why should this philosophy be any different when the entity you need to trust is on the other end of an Internet address? In fact, because you are connecting to an entity that you cannot see or validate, a higher level of scrutiny is required before they earn your trust. What Uniform Resource Locator (URL) are you really connecting to? Is it really your banking website or new online shopping website that you are trying for the first time? How can you tell?
It’s a jungle out there. So we’ve put together five ways you can stay safe while you shop online:
Shop at sites you trust. Are you looking at a nationally or globally recognized brand? Do you have detailed insight into what the site looks like? Have you established an account on this site, and is there a history that you can track for when you visit and what you buy? Have you linked the valid URL for the site in your browser? Mistyping a URL in your browser for any site you routinely visit can lead you to a rogue website.
Use secure networks to connect. Just as important as paying attention to what you connect to is to be wary of where you connect from. Your home Wi-Fi network that you trust—okay. An open Wi-Fi at an airport, cyber café, or public kiosk—not okay. If you can’t trust the network, do not enter identifying information or your payment card information. Just ask our cybersecurity services experts to demonstrate how easy it is to compromise an open Wi-Fi network, and you’ll see why we recommend against public Wi-Fi for sensitive transactions.
Perform basic checks in your browser. Today’s modern browsers are much better at encrypted and secure connections than they were a few years ago. They use encrypted communication by leveraging a specific Internet protocol, hypertext transfer protocol secure (HTTPS). This means that there is a certificate associated with this site in your browser that is verified before you are allowed to connect and establish the encrypted channel. (Just so you know, yes, these certificates can be spoofed, but that is a problem for another day). How do you check for this certificate? Look up in your browser title bar.
Create strong passwords for your shopping sites. This issue is covered in another blog post, but use longer passwords, 10–12 characters, and keep them in a safe place that cannot be compromised by an unauthorized person. If a second factor is offered, use it. Many sites will send you a code to your smartphone to type into a login screen to verify you are who you say you are.
Don’t give out information about yourself that seems unreasonable. If you are being asked for your social security number, think long and hard, and then longer and harder, about why that information should be required. And then don’t do it until you ask a trusted source about why that would be necessary. Be wary of anything you see when you are on a website that does not look familiar or normal.
We all use the Internet to shop. It is super convenient, and the return on investment is awesome. Having that new cool thing purchased in 10 minutes and delivered directly to your door—wow! Can you ever really be 100% sure that the Internet site you are visiting is legitimate, and that you are not going to inadvertently give away sensitive and/or financial information that is actually going directly into a hacker’s data collection file? Unfortunately, no. A lot of today’s scammers are very sophisticated. But as we discussed up front, this is a trust- and risk-based decision, and if you are aware that you could be compromised at any time on the Internet and are keeping your eyes open for things that just don’t look right or familiar, you have a higher probability of a safe online shopping experience.
Visit and use sites you know and trust.
Keep the correct URLs in your bookmarks (don’t risk mistyping a URL).
Check the certificate to ensure your connection to the site is secured by a legitimate and active certificate.
Look for anything that is not familiar to your known experience with the site.
If you can, do not save credit card or payment card information on the site. (If you do, you need to be aware that if that site is breached, your payment data is compromised.)
Use strong passwords for your shopping site accounts. And use a different password for every site. (No one ring to rule them all!)
If a site offers a second factor to authenticate you, use it.
Check all your payment card statements regularly to look for rogue purchases.
Subscribe to an identity theft protection service if you can. These services will alert you if your identity has been compromised.
Let’s start this conversation out with the definition of device. The list of what constitutes one is growing. For now, let’s say that you have a home computer (desktop, laptop, or both), work computer (desktop, laptop, or both), home tablet, work tablet, personal smartphone, and work smartphone. This is a pretty extensive list of devices that an adversary could use to attack you professionally and personally. But what about your Amazon Alexa or gadgets, smart toys, and smart clocks? What about Google Assistant or Microsoft Cortana? Do you also have a SmartTV? What about NEST, Wink, WeMo, SensorPush, Neurio, ecobee4, Philips Hue, Smart Lock, GarageMate? Hoo boy! The list of connected devices goes on and on.
Are all of these devices safe to use? Well, the simple answer is no—unless you specifically paid attention to their security. Also, for your smart devices that work via voice control, do you know who might be listening on the other end? To make things worse, many of these devices are also used in the corporate world, because they are easy to deploy and are very affordable.
What about applications? Did the developer that created the application you are using ensure they used good secure coding techniques? Or is there a likelihood they introduced a flaw in their code? Are the servers for the application you are running in the cloud secure? Is the data you are storing on these cloud systems protected from unauthorized access?
These are really good questions we rarely ask ourselves—at least before we use the latest and coolest applications available. We all make risk-based decisions every day, but do we ever ensure we have all the data before we make that risk-based
What Can You Do?
Start by doing whatever homework and research you can. Make sure you understand the social engineering methods that the malicious actors are currently using. Unsolicited phone calls from a government agency (like the IRS), a public utility, or even Microsoft or Apple are not legitimate. No, you don’t owe back taxes; no, your computer has not been hacked; no, you don’t need to give out sensitive personal information to your power company over the phone.
How Can You Choose Safe Applications?
Ask, “Is this <name of application> secure?” Never install an application that you don’t feel you can trust. Using an application is all about risk management. Make sure you understand the potential risk to device and data compromise prior to choosing to use it.
How Can You Better Secure Your Home Network?
After installation of any device, immediately change the login and password. These are often stored in the configuration files that come with the product, and therefore are easy to look up.
Change the login and password on your home Wi-Fi router frequently.
Make sure the software for anything that connects is up to date.
Make sure you have a clear sense of where your sensitive data is stored—and how it is protected. Is it adequately protected—or, better yet, encrypted?
When in doubt, don’t connect an IoT device to the Internet.
Lastly, look at some solutions that can be added to your home Wi-Fi network, that provide additional layers of protection and detection against IoT and other advanced attacks. F-Secure Sense Gadget is one such solution, as is Luma smart Wi-Fi router, Dojo, and CUJO. Dojo, for example, monitors all incoming and outgoing traffic and performs analysis looking for malicious traffic. With known weaknesses in IoT and home networks in general, solutions like the above are a good investment.
Don’t Give Hackers Easy Access
Not long ago, a casino in the Northeast had a fish tank in their lobby. To make management of the fish tank easier, they installed an IoT-enabled thermostatic control to set and monitor water temperature in the tank. The thermostatic control was connected to their internal network, as well as IoT-enabled to allow easy access from anywhere on the Internet. The device was breached from the Internet by malicious actors, and the internal network was penetrated, allowing the hackers to steal information from a high-roller database before devices monitoring the network were able to identify the unauthorized data leaving the network and shut it down. A classic case of what can happen without the right due diligence.
Try and follow this motto. Just because you can, does not mean you should. The latest shiny IT gadget that will make you seem cool, or potentially make some portion of your life easier to manage, should be evaluated thoroughly for security weaknesses, before you turn it on and open it up to the world. Make that good risk-based decision. Not many of us would consider doing this: “Hey Alexa, open up my desktop computer so that all my sensitive data is opened for all the world to see.” Or would we?
As I reflect upon my almost 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security—those we think have common understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning, and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”
There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.
Let’s talk about Connection’s artistic methodology. We start with a canvas that has the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation around how people, process, and technology all work together to provide a comprehensive risk strategy is achieved.
People: Users understand threat and risk, and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone surf in behind you through a badge check entry. And don’t think about trying to shut off your end-point anti-virus or firewall.
Process: Policies are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.
Technology: Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced threat detection.
The average mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days.
People: Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.” Detection is a proactive process.
Process: What happens when an alert occurs? Who sees it? What is the documented process for taking action?
Technology: What is in place to ensure you are detecting malicious activity? Is it configured to ignore noise and only alert you of a real event? Will it help you bring that 197-day mean time to detection way down?
People: What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you War Game to ensure you are prepared WHEN an incident occurs?
Process: What is the documented process to reduce the Kill Chain—the mean time to detect and contain—from 69 days to 69 minutes? Do you have a Business Continuity and Disaster Recovery Plan to ensure the ability to react to a natural disaster, significant cyber breach such as ransomware, DDoS, or—dare I say it—a pandemic?
Technology: What cyber security consoles have been deployed that allow quick access to patch a system, change a firewall rule, switch ACL, or policy setting at an end point, or track a security incident through the triage process?
All of these things are important to create a comprehensive InfoSec Program. The science is the technology that will help you build a layered, in-depth defense approach. The art is how to assess the threat, define and document the risk, and create a strategy that allows you to manage your cyber risk as it applies to your environment, users, systems, applications, data, customers, supply chain, third party support partners, and business
More Art – Are You a Risk Avoider or Risk Transference Expert?
A better way to state that is, “Do you avoid all risk responsibility or do you give your risk responsibility to someone else?” Hint: I don’t believe in risk avoidance or risk transference.
Yes, there is an art to risk management. There is also science if you use, for example, the Carnegie Mellon risk tools. But a good risk owner and manager documents risk, prioritizes it by risk criticality, turns it into a risk register or roadmap plan, remediates what is necessary, and accepts what is reasonable from a business and cyber security perspective. Oh, by the way, those same five cyber security professionals we talked about earlier? They have 17 definitions of risk.
As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game and recognizing that the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards (NIST) artist, an International Organization for Standardization (ISO) artist, or have you developed your own framework like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely coupled on the NIST 800-53 and ISO 27001 standards.
When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF) pictured below. This framework is comprehensive, and provides a scoring model that allows risk owners to measure and target what risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. Both of these frameworks can result in a Certificate of Attestation demonstrating adherence to the standard. Many commercial corporations do an annual ISO 27001 assessment for that very reason. More and more are leaning towards the NIST CSF, especially commercial corporations doing work with the government.
The art in cyber security is in the interpretation of the rules, standards, and requirements that are primarily based on a foundation in science in some form. The more experience one has in the cyber security industry, the more effective the art becomes. As a last thought, keep in mind that Connection’s Technology Solutions Group Security Practice has over 150 years of cyber security expertise on tap to apply to that art.
This week, the famous RSA Conference 2019 is underway, where supposedly "The World Talks Security" -
If that's the case, let's talk - I'd like to respectfully ask the entire RSA Conference just 1 simple cyber security question -
Question: What lies at the very foundation of cyber security and privileged access of not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?
For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 here.
For those who may know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -
Q 1. Should your organization's foundational Active Directory be compromised, what could be its impact?
Q 2. Would you agree that the (unintentional, intentional or coerced) compromise of a single Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?
Q 3. If so, then do you know that there is only one correct way to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?
Q 4. If you don't, then how could you possibly know exactly how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know so, ...OMG... ?!
You see, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the Keys to their Kingdom(s)?!
Today Active Directory is at the very heart of Cyber Security and Privileged Access at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations accurately identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.
Those who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without first being able to accurately identify privileged users in Active Directory.
Today's post is for all executives worldwide who comprise the C-Suite at thousands of organizations worldwide.
I pen today's post with profound respect for all executives worldwide, because I understand first-hand just how important the nature of their responsibilities is, how valuable their time is, and how far-reaching the consequences of their decisions are.
A quick footnote for all C*Os : In case you're wondering who I am to be penning this, I'm former Microsoft Program Manager for Active Directory Security. Relevance? Microsoft's Active Directory is the foundation of your entire organization's cyber security. Finally, like you, I also happen to be the CEO of a $ Billion+ company.
Today's post is in the form of a simple letter, that follows (below.)
Subject - Cyber Security 101 for the C-Suite
To: Chairmen, CEOs and CFOs Worldwide
Hi, I'm Sanjay, former Microsoft Program Manager for Active Directory Security, but more importantly a sincere well-wisher who cares deeply about cyber security, and who just happens to know a thing or two about the very technology that lies at the very foundation of cyber security of your ($ Billion to $ Trillion) organization, and those of 85% of all organizations worldwide.
I write to you to bring to your attention a matter of paramount importance to your organization's foundational security.
Context - Foundational Security
Today we all engage in business in what is essentially a global digital village, wherein just about every aspect of business, whether it be production, marketing, sales, customer-service, collaboration, finance etc. etc. substantially relies on technology.
Within our respective organizations, it is our IT infrastructure that enables and empowers our workforce to engage in business.
For instance, we all (including us C*Os) log on to a computer every day, send and receive email, and create, share and access digital assets (e.g. documents, applications, services etc.) all of which are securely stored on our organizational computers.
It is only logical then that ensuring the security of the very IT infrastructure that enables and empowers our entire workforce to engage in business digitally, and the security of our digital assets is vital. In other words, cyber security is very important.
Now, if I told you that at the very foundation of your entire IT infrastructure, and consequently at the very foundation of the security of all your digital assets lay a single high-value asset, then I think you'd agree that its security would be paramount.
At the very foundation of your organization's IT infrastructure and that of its cyber security, and by corollary the cyber security of the entirety of all your digital assets (e.g. thousands of computers, thousands of employee user accounts and passwords, every single organizational email sent and received every minute of every day, all your applications, services, Intranet portals, Internet facing applications etc.) as well as the entirety of your organization's data, lies a single technology - Microsoft Active Directory.
Most simply put, Active Directory is the database that contains, stores and protects the entirety of your organization's building blocks of cyber security - each one of thousands of user accounts and their passwords, each one of thousands of computer accounts (for all laptops, desktops, servers etc.), each one of thousands of security groups that protect all your data etc. etc.
If your organization's Active Directory were compromised, everything would immediately be exposed to the risk of compromise.
Thus as you'll hopefully agree, ensuring the security of your organization's foundational Active Directory is well, paramount.
A Provable Concern - Inadequate Protection
Now, you might most likely be thinking - Well, if that's the case, I'm sure that our CIO, our CISO and their world-class IT and Cyber Security teams know all this, and have it adequately taken care of, so why should I be concerned ?
Here's why you should be concerned - In all likelihood, not only may your world-class IT and Cyber Security teams not have this adequately covered, they may have yet to realize just how very important, and in fact paramount Active Directory security is.
Further, they likely may not know what it actually takes to adequately secure your organization's foundational Active Directory.
Now, as incredulous as that may sound, you have to trust me on this, not because I'm asking you to do so as a concerned well-wisher, but because I'm asking you to do so as arguably the world's #1 subject matter expert on Active Directory Security.
You see, prior to doing what I currently do, I was Microsoft's subject matter expert for Active Directory Security on Microsoft's Windows Server Development team. In case you're curious as to what I currently do with all this knowledge, well, it's this.
As the world's leading subject matter expert on Active Directory Security, I would highly encourage you to ask your IT and Cyber Security leadership, specifically your CIO and your CISO, just how secure they think your organization's Active Directory is.
Simple Proof - You Just Have to Ask
When you ask them about it, please do request specific answers, and here are 7 simple questions you can ask them, the answers to which will give you an indication of just how secure your organization's Active Directory actually is today -
Is the security of our foundational Active Directory deployment a top cyber security priority today?
I could suggest 50 such elemental cyber security questions, but for now these 7 simple, precise questions will suffice as there are only 2 possibilities here - either your IT and cyber security leadership have exact answers to these questions, or they don't.
If they can't give you exact answers to these questions, your organization's Active Directory is not secure - it's as simple as that.
They might tell you that this is complicated or that they have a good approximation, or that this is very difficult to do, or that they have many other latest buzzword measures like Active Directory Auditing, Privileged Access Management, ATA, Just-in-Time Administration etc. in place, but none of that matters, because the truth is simple - they either have exact answers, or they don't.
(These questions are paramount to cyber security, and today there exists technology that can enable every organization in the world to answer them precisely, but because Microsoft likely forgot to adequately educate its customers, your IT personnel may likely not even know the importance of these paramount questions, let alone knowing what it takes to correctly answer them.)
If a $Billion+ organization doesn't even know exactly who has what privileged access in their Active Directory, as well as exactly who can manage each one of their privileged accounts and groups, how could their Active Directory possibly be secure?
If an organization's foundational Active Directory is not secure, how can the entirety of the organization's digital (IT) assets be secure, and if that's not the case, how could an organization possibly be considered secure from a cyber security perspective?
As a member of the C-Suite, you not only have the privilege of being able to impact vital change in your organization, you also have the responsibility and the authority to demand and ensure the cyber security of the very foundation of your organization.
As a C*O, one of the most important responsibilities you shoulder is ensuring that your organization is secure, and ensuring that the very foundation of your organization's IT infrastructure and cyber security are always adequately protected, is paramount.
The Likely Reason (Optional Reading)
Here's the likely reason for why such a common-sense yet paramount matter may not be on your CIO's and CISO's radar yet.
You see, your CIO and CISO shoulder great responsibility. Unfortunately, amongst many other things, they're likely also being guided by inputs from a 1000 cyber security companies, who unfortunately may not be the best source of objective guidance.
For instance, consider CyberArk, a highly respected $ Billion+ cyber security company, that claims that over 50% of the Fortune 100's CISOs rely on them. As a subject matter expert, I can tell you that CyberArk itself may not know how to correctly assess privileged access in an Active Directory, so you see, unfortunately your CIO and CISO may not be getting the best guidance.
CyberArk is absolutely correct that "Privilege is Everywhere." However, those who know Windows Security will tell you that in a Windows network powered by Active Directory, the majority of all privileged access (delegated & unrestricted) lies inside Active Directory, but CyberArk doesn't seem to have the capability to correctly audit privileged access inside Active Directory.
The majority of all Privileged Access, including the "Keys to the Kingdom", resides inside Active Directory
CyberArk isn't alone. As unbelievable as it may sound, today even Microsoft doesn't seem to know what it takes to do so, let alone possessing the capability to help its customers correctly do so. In fact, most of the world's top IT Consulting, Audit, Cloud and Cyber Security companies also operate on Active Directory, and they too likely have neither a clue nor the capability to accurately determine exactly who has what privileged access in their own foundational Active Directory deployments.
You may find this hard to believe, but of the 1000+ cyber security companies exhibiting or presenting at the upcoming RSA Conference 2019, not a single one of them can help your organization's IT personnel fulfill such a fundamental yet paramount cyber security need - finding out exactly who has what privileged access in your organization's foundational Active Directory.
In their defense, I'll say this - if it were easy, they would've all done it by now. Unfortunately, as paramount as it is, it's not easy. Thus, I know what your CIO and CISO may perhaps not yet know, or understand the paramount importance of, which is that of all the things that need to be secured, none could possibly be more important than securing your organization's foundational Active Directory, so I thought I'd share this with you, because as a member of the C-Suite, you could provide them strategic guidance and the executive support that their teams need to accomplish this paramount objective for your organization.
I only wrote this letter because we're all in this together, and I care deeply about foundational cyber security, as hopefully do you, and I felt that I could perhaps help bridge the gap between those tasked with the great responsibility of securing Active Directory (i.e. your IT personnel) and those whose executive support they need to be able to do so (i.e. you, the C-Suite.)
If any of what I shared above made sense, I would encourage you to embrace my suggestions earnestly, and act upon them, and if needed, I can prove and demonstrate every thing I've shared above, and you should feel free to take me up on this.
As for myself, all I can say is that today my work and knowledge silently help secure and defend so many of the world's most important organizations across six continents worldwide.
In days to come, I'm going to answer both, the most important, and the second most important question in all of Cyber Security
Today though, I just wanted to ask a simple (rhetorical) cyber security question, so that CEOs, CIOs, CISOs and IT Directors at organizations worldwide realize just what lies at the very foundation of the cyber security of their multi-billion $ organizations.
Consequently, it logically follows that all organizations that operate on Microsoft Active Directory are only as secure as are their foundational Active Directory deployments. After all, no matter how tall, every skyscraper is only as strong as its foundation.
In days to come, I'll share with you just how secure foundational Active Directory deployments are worldwide today - right here.
Today, to give a hint for the answer to this 1 question, I asked possibly the most important cyber security question in the world, one that directly impacts the foundational security of 1000s of organizations worldwide, and thus one that impacts the financial security of billions of people worldwide -
What's the World's Most Important Active Directory Security Capability?
Given what it is I do, I don't squander a minute of precious time, unless something is very important, and this is very important.
Let me explain why this is so alarming, concerning and so important to cyber security, and why at many organizations (e.g. U.S. Govt., Paramount Defenses etc.), this could've either possibly resulted in, or in itself, be considered a cyber security breach.
Disclaimer: I'm not making any value judgment about Lenovo; I'm merely basing this on what's already been said.
As you know, Microsoft's been brazenly leaving billions of people and thousands of organizations worldwide with no real choice but to upgrade to their latest operating system, Windows 10, which albeit is far from perfect, is much better than Windows Vista, Windows 8 etc., even though Windows 10's default settings could be considered an egregious affront to Privacy.
Consequently, at Paramount Defenses, we too felt that perhaps it was time to consider moving on to Windows 10, so we too figured we'd refresh our workforce's PCs. Now, of the major choices available from amongst several reputable PC vendors out there, Microsoft's Surface was one of the top trustworthy contenders, considering that the entirety of the hardware and software was from the same vendor (and one that was decently trustworthy, considering that most of the world is running their operating system), and that there seemed to be no* pre-installed drivers or software that may have been written in China, Russia etc.
Side-note: Based on information available in the public domain, in all likelihood, software written in / maintained from within Russia, may still likely be running as System on Domain Controllers within the U.S. Government.
So we decided to consider evaluating Microsoft Surface devices and thus purchased a couple of brand-new Microsoft Surface devices from our local Microsoft Store for an initial PoC, and I decided to personally test-drive one of them -
The very first thing we did after unsealing them, walking through the initial setup and locking down Windows 10's unacceptable default privacy settings, was to connect it to the Internet over a secure channel, and perform a Windows Update.
I should mention that there was no other device attached to this Microsoft Surface, except for a Microsoft Signature Type Cover, and in particular there were no mice of any kind, attached to this new Microsoft surface device, whether via USB or Bluetooth.
Now, you're not going to believe what happened within minutes of having clicked the Check for Updates button!
Windows Update Downloaded and Installed an Untrusted Self-Signed Lenovo Device Driver on Microsoft Surface! -
Within minutes, Windows Update automatically downloaded and had installed, amongst other packages (notably Surface Firmware,) an untrusted self-signed Kernel-mode device-driver, purportedly Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID), on this brand-new Microsoft Surface device, i.e. one signed with an untrusted WDK Test Certificate!
Here's a snapshot of Windows Update indicating that it had successfully downloaded and installed a Lenovo driver on this Surface device, and it specifically states "Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)" -
We couldn't quite believe this. How could this be possible? i.e. how could a Lenovo driver have been installed on a Microsoft Surface device?
So we checked the Windows Update Log, and sure enough, as seen in the snapshot below, the Windows Update Log too confirmed that Windows Update had just downloaded and installed a Lenovo driver -
We wondered if there might have been any Lenovo hardware components installed on the Surface so we checked the Device Manager, and we could not find a single device that seemed to indicate the presence of any Lenovo hardware. (Later, we even took it back to the Microsoft Store, and their skilled tech personnel confirmed the same finding i.e. no Lenovo hardware on it.)
Specifically, as you can see below, we again checked the Device Manager, this time to see if it might indicate the presence of any Lenovo HID, such as a Lenovo Optical Mouse, and as you can see in the snapshot below, the only two Mice and other pointing devices installed on the system were from Microsoft - i.e. no Lenovo mouse presence indicated by Device Manager -
Next, we performed a keyword search of the Registry, and came across a suspicious Driver Package, as seen below -
It seemed suspicious to us because as can be seen in the snapshot above, all of the other legitimate driver package keys in the Registry had (as they should) three child sub-keys i.e. Configurations, Descriptors and Strings, but this specific one only had one subkey titled Properties, and when we tried to open it, we received an Access Denied message!
As you can see above, it seemed to indicate that the provider was Lenovo and that the INF file name was phidmou.inf, and the OEM path was "C:\Windows\SoftwareDistribution\Download\Install", so we looked at the file system but this path didn't seem to exist on the file-system. So we performed a simple file-system search "dir /s phidmou.*" and as seen in the snapshot below, we found one instance of such a file, located in C:\Windows\System32\DriverStore\FileRepository\.
Here's that exact location on the file-system, and as evidenced by the Created date and time for that folder, one can see that this folder (and thus all of its contents), were created on April 01, 2018 at around 1:50 am, which is just around the time the Windows Update log too confirmed that it had installed the Lenovo Driver -
When we opened that location, we found thirteen items, including six drivers -
Next, we checked the Digital Signature on one of the drivers, PELMOUSE.SYS, and we found that it was signed using a self-signed test Windows Driver certificate, i.e. the .sys files were SELF-SIGNED by a WDKTestCert and their digital signatures were NOT OK, in that they terminated in a root certificate that is not trusted by the trust provider -
Finally, when we clicked on the View Certificate button, as can be seen below, we could see that this driver was in fact merely signed by a test certificate, which is only supposed to be used for testing purposes during the creation and development of Kernel-mode drivers. Quoting from Microsoft's documentation on Driver Testing "However, eventually it will become necessary to test-sign your driver during its development, and ultimately release-sign your driver before publishing it to users." -
Clearly, the certificate seen above is NOT one that is intended to be used for release signing, yet, here we have a Kernel-mode driver downloaded by Windows Update and installed on a brand new Microsoft Surface, and all it's signed by is a test certificate, and who knows who wrote this driver!
Again, per Microsoft's guidelines on driver signing, which can also be found here, "After completing test signing and verifying that the driver is ready for release, the driver package has to be release signed", and AFAIK, release signing not only requires the signer to obtain and use a code-signing certificate from a code-signing CA, it also requires a cross cert issued by Microsoft.
If that is indeed the case, then a Kernel-mode driver that is not signed with a valid code-signing certificate, and one whose digital signature does not contain Microsoft's cross cert, should not even be accepted into the Windows Update catalog.
It is thus hard to believe that a Windows Kernel-Mode Driver that is merely self-signed using a test certificate would even make it into the Windows Update catalog, and further it seems that in this case, not only did it make it in, it was downloaded, and in fact successfully installed onto a system, which clearly seems highly suspicious, and is in fact alarming and deeply concerning!
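The checks described above (a registry and file-system hunt for the driver package, then a signature check on the .sys files) can be turned into a repeatable audit. The following is an added example, not code from the original post or from Paramount Defenses: it walks the DriverStore and reports every kernel driver whose Authenticode signature does not verify (a WDK test certificate terminates in a root the machine does not trust, so it shows up here), and it reads the Windows Update history for recent entries in the Drivers category so the two can be correlated by time. It assumes an elevated Windows PowerShell 5.1 session on Windows 10, the standard DriverStore path, and the standard Microsoft.Update.Session COM object; the function names are mine.

```powershell
# Added example (not from the original post). Assumes elevated Windows PowerShell 5.1
# on Windows 10, the standard DriverStore path, and the Microsoft.Update.Session COM API.

# One object per .sys file under the DriverStore whose signature is anything other
# than Valid (NotSigned, UnknownError for a chain ending in an untrusted root,
# HashMismatch, NotTrusted). Each row also records the root the chain terminates in.
function Get-UntrustedDriverStoreSignatures {
    param(
        [string]$DriverStore = "$env:SystemRoot\System32\DriverStore\FileRepository"
    )
    $DriverStore = [System.IO.Path]::GetFullPath($DriverStore)
    Get-ChildItem -Path $DriverStore -Recurse -Filter '*.sys' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            $root = $null
            if ($cert) {
                # Build the chain ourselves so the report names the root the signature
                # terminates in, not just the leaf subject shown in the file properties.
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $null  = $chain.Build($cert)          # returns $false for an untrusted root
                $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            }
            # The first path element under FileRepository is the package folder,
            # e.g. <inf name>_<arch>_<hash>, which is what Device Manager and pnputil show.
            $package = $_.FullName.Substring($DriverStore.Length).TrimStart('\').Split('\')[0]
            [pscustomobject]@{
                Package = $package
                Path    = $_.FullName
                Status  = $sig.Status
                Message = $sig.StatusMessage
                Signer  = if ($cert) { $cert.Subject } else { $null }
                Root    = $root
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Windows Update history entries from the last $Days days in the "Drivers" category,
# which is the category a driver package such as the one above is delivered in.
function Get-RecentDriverUpdates {
    param([int]$Days = 30)
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return @() }
    $since = (Get-Date).AddDays(-$Days)
    $searcher.QueryHistory(0, $total) |
        Where-Object {
            $_.Date -ge $since -and
            (@($_.Categories | ForEach-Object { $_.Name }) -contains 'Drivers')
        } |
        ForEach-Object {
            [pscustomobject]@{
                Date       = $_.Date
                Title      = $_.Title
                ResultCode = $_.ResultCode   # 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
            }
        }
}

# Usage: review the two reports side by side. A package whose signature does not
# chain to a trusted root, created at the same time as a Drivers-category update
# you did not expect, is exactly the condition the investigation above describes.
Get-RecentDriverUpdates -Days 30 | Format-Table Date, ResultCode, Title -AutoSize
Get-UntrustedDriverStoreSignatures | Format-Table Package, Status, Signer, Root -AutoSize
```

Two caveats on reading the output. Many inbox drivers are catalog-signed rather than carrying an embedded signature, so a NotSigned row for a package that ships with Windows is usually a catalog case and should be confirmed with `signtool verify /kp` or `pnputil /enum-drivers` (which prints a Signer Name per package) before it is treated as a finding; a chain that ends in a WDKTestCert-style root, as in the case above, needs no such confirmation. And the Windows Update history only records what Windows Update installed, so a package dropped by any other installer will appear in the first report but not the second.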
How could this be? How could Windows Update (a trusted system process of the operating system), which we all (have no choice but to) trust (and have to do so blindly and completely) have itself installed an untrusted self-signed Lenovo driver (i.e. code running in Kernel-Mode) on a Microsoft Surface device?
Frankly, since this piece of software was signed using a self-signed test cert, who's to say this was even a real Lenovo driver? It could very well be some malicious code purporting to be a Lenovo driver. Or, there is also the remote possibility that it could be a legitimate Lenovo driver, that is self-signed, but if that is the case, its installation should not have been allowed to succeed.
To us, this is unacceptable, alarming and deeply concerning, and here's why.
We just had, on a device we consider trustworthy (and could possibly have engaged in business on), procured from a vendor we consider trustworthy (considering that the entire world's cyber security ultimately depends on them), an unknown, unsigned piece of software of Chinese origin that is now running in Kernel-mode, installed on the device, by this device's vendor's (i.e. Microsoft's) own product (Windows operating system's) update program!
We have not had an opportunity to analyze this code, but if it is indeed malicious in any way, in effect, it would've, unbeknownst to us and for no fault of ours, granted System-level control over a trusted device within our perimeter, to some entity in China.
How much damage could that have caused? Well, suffice it to say that, for they who know Windows Security well, if this was indeed malicious, it would've been sufficient to potentially compromise any organization within which this potentially suspect and malicious package may have been auto-installed by Windows update. (I've elaborated a bit on this below.)
In the simplest scenario, if a company's Domain Admins had been using this device, it would've been Game Over right there!
This leads me to the next question - we can't help but wonder how many such identical Surface devices exist out there today, perhaps at 1000s of organizations, on which this suspicious unsigned Lenovo driver may have been downloaded and installed?
This also leads me to another very important question - Just how much trust can we, the world, impose in Windows Update?
In our case, it just so happened that we were in front of this device during this Windows update process, and that's how we noticed this, and by the way, after it was done, it gave the familiar Your device is up to date message.
Speaking of which, here's another equally important question - For all organizations that are using Windows Surface, and may be using it for mission-critical or sensitive purposes (e.g. AD administration), what is the guarantee that this won't happen again?
I ask because if you understand cyber security, then you know, that it ONLY takes ONE instance of ONE malicious piece of software to be installed on a system, to compromise the security of that system, and if that system was a highly-trusted internal system (e.g. that machine's domain computer account had the "Trusted for Unconstrained Delegation" bit set), then this could very likely also aid perpetrators in ultimately gaining complete command and control of the entire IT infrastructure. As I have already alluded to above, if by chance the target/compromised computer was one that was being used by an Active Directory Privileged User, then, it would be tantamount to Game Over right then and there!
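The two conditions named in the paragraph above, a computer account with the "Trusted for Unconstrained Delegation" bit set and a device used by an Active Directory privileged user, are both things a defender can inventory before an incident. The following is an added example, not code from the original post or from Paramount Defenses, using the RSAT ActiveDirectory module: it lists non-domain-controller computers with unconstrained delegation and builds a first-pass inventory of accounts that land in the built-in privileged groups, directly or through nesting, plus accounts still marked adminCount=1. It is the membership inventory a defender pulls first, not the effective-permissions analysis the author refers to elsewhere, which also has to account for who can modify those accounts and groups. It assumes the module is installed and the session runs as an account that can read the domain; the function names are mine.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and a session able to read the domain. Inventory only; it does not
# compute effective permissions on the objects it lists.
Import-Module ActiveDirectory

# Computers whose account has the "Trusted for Unconstrained Delegation" bit set.
# Domain controllers carry it by design (primary group 516, "Domain Controllers"),
# so they are excluded; any other host in this list can be used to impersonate
# every account that authenticates to it, which is why it is a high-value target.
function Get-UnconstrainedDelegationHosts {
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516' `
                   -Properties TrustedForDelegation, PrimaryGroupID, OperatingSystem, LastLogonDate |
        Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate
}

# Accounts that are members, directly or through nested groups, of the built-in
# highly privileged groups. adminCount=1 objects are reported too: AdminSDHolder
# stamps that attribute on protected accounts and it stays set after removal from
# the group, so such accounts may still carry the hardened ACL without being
# current members and deserve a look.
function Get-PrivilegedAccountInventory {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators', 'Backup Operators',
                              'Server Operators', 'Print Operators')
    )
    $members = foreach ($g in $Groups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        $group = Get-ADGroup -Filter { Name -eq $g } -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object {
                [pscustomobject]@{
                    Source      = $g
                    Member      = $_.SamAccountName
                    ObjectClass = $_.objectClass
                    DN          = $_.distinguishedName
                }
            }
    }
    $adminCount = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' `
                               -Properties sAMAccountName |
        ForEach-Object {
            [pscustomobject]@{
                Source      = 'adminCount=1'
                Member      = $_.sAMAccountName
                ObjectClass = $_.ObjectClass
                DN          = $_.DistinguishedName
            }
        }
    @($members) + @($adminCount)
}

# Usage: the first list should be short (ideally empty); every entry in the second
# list is an account whose workstation, if it were to receive an untrusted kernel
# driver as described above, would put the whole directory at risk.
Get-UnconstrainedDelegationHosts | Format-Table -AutoSize
Get-PrivilegedAccountInventory | Sort-Object Member, Source | Format-Table Source, Member, ObjectClass -AutoSize
```

Read the second report as a lower bound: rights granted through ACLs on organizational units, on the privileged groups themselves, or on AdminSDHolder do not show up as group membership, and constrained and resource-based delegation are not covered by the first function. Both are deliberately left out here so the example stays a reliable starting inventory rather than a claim of completeness.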
Think about it - this could have happened at any organization, from say the U.S. Government to the British Government, or from say a Goldman Sachs to a Palantir, or say from a stock-exchange to an airline, or say at a clandestine national security agency to say at a nuclear reactor, or even Microsoft itself. In short, for absolutely no fault of theirs, an organization could potentially have been breached by a likely malicious piece of software that the operating system's own update utility had downloaded and installed on the System, and in 99% of situations, because hardly anyone checks what gets installed by Windows Update (now that we have to download and install a whopping 600MB patch every Tuesday), this would likely have gone unnoticed!
Again, to be perfectly clear, I'm not saying that a provably malicious piece of software was in fact downloaded and installed on a Microsoft Surface device by Windows Update. What I'm saying is that a highly suspicious piece of software, one that was built and intended to run in Kernel-mode and yet was merely signed with a test certificate, somehow was automatically downloaded and installed on a Microsoft Surface device, and that to us is deeply concerning, because in essence, if this could happen, then even at organizations that may be spending millions on cyber security, a single such piece of software quietly making its way in through such a trusted channel, could possibly instantly render their entire multi-million dollar cyber security apparatus useless, and jeopardize the security of the entire organization, and this could happen at thousands of organizations worldwide.
With full respect to Microsoft and Mr. Nadella, this is deeply concerning and unacceptable, and I'd like some assurance, as I'm sure would 1000s of other CEOs and CISOs, that this will never happen again, on any Surface device, in any organization.
In our case, this was very important, because had we put that brand new Surface device that we procured from none other than the Microsoft Store, into operation (even if we had re-imaged it with an ultra-secure locked-down internal image), from minute one, post the initial Windows update, we would likely have had a potentially compromised device running within our internal network, and it could perhaps have led to us being breached.
If I Were Microsoft, I'd Send a Plane
Dear Microsoft, we immediately quarantined that Microsoft Surface device, and we have it in our possession.
If I were you, I'd send a plane to get it picked up ASAP, so you can thoroughly investigate every little aspect of this to figure out how this possibly happened, and get to the bottom of it! (Petty process note: The Microsoft Store let us keep the device for a bit longer, but will not let us return the device past June 24, and the only reason we've kept it, is in case you'd want to analyze it.) Here's why. At the very least, if I were still at Microsoft, and in charge of Cyber Security -
I'd want to know how an untrusted Kernel-mode device driver made it into the Windows Catalog
I'd want to know why a Microsoft Surface device downloaded a purportedly Lenovo driver
I'd want to know how Windows 10 permitted and in fact itself installed an untrusted driver
I'd want to know exactly which SKUs of Microsoft Surface this may have happened on
I'd want to know exactly how many such Microsoft Surface devices out there may have downloaded this package
Further, and as such, considering that Microsoft Corp itself may easily have thousands of Surface devices being used within Microsoft itself, if I were still with Microsoft CorpSec, I'd certainly want to know how many of their own Surface devices may have automatically downloaded and installed this highly suspicious piece of untrusted self-signed software.
In short, Microsoft, if you care as deeply about cyber security as you say you do, and by that I'm referring to what Mr. Nadella, the CEO of Microsoft, recently said (see video below: 0:40 - 0:44) and I quote "we spend over a billion dollars of R&D each year, in building security into our mainstream products", then you'll want to get to the bottom of this, because other than the Cloud, what else could be a more mainstream product for Microsoft today than Microsoft Windows and Microsoft Surface ?! -
Folks, the only reason I decided to publicly share this is because I care deeply about cyber security, and I believe that this could potentially have impacted the foundational cyber security of any, and potentially, of thousands of organizations worldwide.
Hopefully, as you'll agree, a trusted component (i.e. Windows Update) of an operating system that virtually the whole world will soon be running on (i.e. Windows 10), should not be downloading and installing a piece of software that runs in Kernel-mode, when that piece of software isn't even digitally signed by a valid digital certificate, because if that piece of software happened to be malicious, then in doing so, it could likely, automatically, and for no fault of its users, instantly compromise the cyber security of possibly thousands of organizations worldwide. This is really as simple, as fundamental and as concerning, as that.
All in all, the Microsoft Surface is an incredible device, and because, like Apple's computers, the entire hardware and software is under the control of a single vendor, Microsoft has a huge opportunity to deliver a trustworthy computing device to the world, and we'd love to embrace it. Thus, it is vital for Microsoft to ensure that its other components (e.g. Update) do not let the security of its mainstream products down, because per the Principle of the Weakest Link, "a system is only as secure as its weakest link."
For those who may not know what Active Directory Security is (i.e. most CEOs, a few CISOs, and most employees and citizens), suffice it to say that global security may depend on Active Directory Security, and thus may be a matter of paramount defenses.
Most respectfully, Sanjay
PS: Full Disclosure: I had also immediately brought this matter to the attention of the Microsoft Store. They escalated it to Tier-3 support (based out of New Delhi, India), who then asked me to use the Windows Feedback utility to share the relevant evidence with Microsoft, which I immediately and dutifully did, but I never heard back from anyone at Microsoft in this regard again.
PS2: Another small request to Microsoft - Dear Microsoft, while at it, could you please also educate your global customer base about the paramount importance of Active Directory Effective Permissions, which is the ONE capability without which not a single object in any Active Directory deployment can be adequately secured! Considering that Active Directory is the foundation of cyber security of over 85% of all organizations worldwide, this is important. Over the last few years, we've had almost 10,000 organizations from 150+ countries knock at our doors, and virtually none of them seem to know this most basic and cardinal fact of Windows Security. I couldn't begin to tell you how shocking it is for us to learn that most Domain Admins and many CISOs out there don't have a clue. Can you imagine just how insecure and vulnerable an organization whose Domain Admins don't even know what Active Directory Effective Permissions are, let alone possessing this paramount capability, could be today?
As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.
This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!
I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.
Active Directory Security Goes Mainstream Cyber Security
Here are the 10 notable events in Active Directory Security that helped it get mainstream cyber security attention this year -
Since the beginning of the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.
On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?" From that point on, BloodHound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.
On June 08, 2017, CyberArk, a billion-plus-dollar cyber security company and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, and also released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.
On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!
On July 11, 2017, Preempt, a cyber security company, announced that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access.
On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.
Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to setup command and control servers within organizations worldwide. This too made waves.
On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.
On December 12, 2017, Preempt, a cyber security company, announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.
Helping Defend Microsoft's Global Customer Base (i.e. 85% of Organizations Worldwide)
Folks, since January 01, 2017, both as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1-9 above.
I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.
Here are the answers to the Top-5 questions I am frequently asked -
You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?
Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my background) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.
In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (here) and Cyber Security (here) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.
As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.
Speaking of which, how big is Paramount Defenses?
At Paramount Defenses, we believe that less is more, so our entire global team is fewer than 100 people. For security reasons, 100% of our staff are U.S. Citizens, and to date, the entirety of our R&D team are former Microsoft employees.
If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of prominent organizations across six continents worldwide.
Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?
The simple answer to this question - For Security Reasons.
At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.
As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.
Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest community of Active Directory Security Professionals on LinkedIn.
You see, the Crown Jewels of cyber security reside in Active Directory, and if they're compromised, it's Game Over. By Crown Jewels, I'm referring to privileged access, or as commonly known, Domain Admin equivalent accounts.
It is a fact that 100% of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.
Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the Tip of the Iceberg, and we have found that most of them do not even seem to know that in fact there are far more accounts with varying levels of elevated admin/privileged access in Active Directory than they are aware of.
This isn't a secret; it's something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. Here's why.
In fact, Active Directory privileged access accounts have been getting a lot of attention lately, because so many cyber security experts and companies are starting to realize that there exists a treasure-trove of privileged access in Active Directory. Thus, recently many such cyber security experts and companies have started shedding light on them (for example, one, two, three etc.), and some have even started developing amateur tools to identify such accounts.
What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "Who has what Permissions in Active Directory" WHEREAS the ONLY way to correctly identify privileged user accounts in Active Directory is by accurately finding out "Who has what Effective Permissions in Active Directory?"
On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.
To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "Find out who has what privileged access in Active Directory," and since so many IT personnel don't seem to know better, they get misled.
Thus, there's an imperative need to help organizations learn how to correctly audit privileged users in Active Directory.
Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining effective permissions / effective access in Active Directory. There is only ONE correct way to accomplish this objective.
Why have you been a little hard on Microsoft lately?
Let me begin by saying that I deeply love and care for Microsoft. It may appear that I may have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.
In that regard, if you truly understand cyber security in Windows environments, you know that Active Directory Effective Permissions and Active Directory Effective Access play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) no one seems to have a clue.
You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this is a highly concerning fact, because it means that most organizations worldwide are operating in the proverbial dark today.
It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer base about Active Directory Effective Permissions at all - Proof.
Thus, it is in the best interest of organizations worldwide that we felt a need to substantially raise awareness.
As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they must've gotten so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they completely seem to have missed this one paramount aspect of Windows security.
Fortunately for them and the world, we've had our eye on this problem for a decade now and we've been laser-focused. Besides, actions speak louder than words, so once you understand what it is we do at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.
Those who understand what we've built, know that we may be Microsoft's most strategic ally in the cyber security space.
Finally, the most important reason as to why I do, what I do is because I care deeply and passionately about cyber security.
There's so much more to share, and I will continue to do so.
A Paramount Global Cyber Security Need
Today, I wanted to take a moment to touch upon one (not so) little aspect of cyber security that today profoundly impacts the foundational security of 85% of all business and government organizations worldwide, including most cyber security companies.
Folks, I am talking about empowering organizations worldwide to identify exactly who holds the proverbial "Keys to the Kingdom", i.e. helping them accurately identify exactly who actually possesses what privileged access in Active Directory deployments.
The reason this is so important is because 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and misuse of guess what - just ONE Active Directory Privileged User Account.
Since we've been silently working on this since 2006, we have a head start of about a decade. Over the last few months, we've seen several prominent vendors finally realize the importance of doing so, and we've seen them share guidance on this subject.
Unfortunately, just about every piece of advice out there, whether it be from prominent cyber security experts or billion dollar cyber security companies, on how to actually correctly audit privileged access in Active Directory, is dangerously inaccurate.
There's an old saying - "Actions Speak Louder Than Words." While there's no dearth of talk by so many big names out there on how to improve cyber security, identify privileged users etc., the key to actually (demonstrably and provably) enhancing cyber security lies in actually helping organizations do so, and we've been silently at work for a decade to help organizations do so.
So, in days to come, right here on this blog, I'm going to (hopefully for one last time), share exactly how organizations worldwide can today accurately and efficiently identify privileged access in their foundational Active Directory deployments worldwide.
In doing so, we will yet again demonstrate Thought Leadership in the Cyber Security space. By the way, this is neither about us, nor about pride. I've already said I'm just a nobody (whose work possibly impacts everybody). This is about a desire to help.
So, that post should be out right here on this blog next week, possibly as early as Monday morning.
The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.
It’s important to identify current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask themselves, is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.
Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!
With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.
Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.
The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.
It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. So, it’s critical that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.
Connection is committed to promoting cyber security and online safety. Cyber security is a viable and rewarding profession and we encourage people from all backgrounds to see information security as an essential career path.
The world has been rocked once again with a serious flaw in a basic security mechanism that we all take for granted to keep us safe and secure. According to Dark Reading, researchers at Belgium’s University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure Wi-Fi networks. This is a protocol that—as we have all learned over the last several years—must be configured to keep us safe.
The key reinstallation attack—or KRACK—impacts all modern wireless networks using the WPA2 protocol. The flaw gives attackers the ability to decrypt data packets, so that private (encrypted) communication is no longer private. Although the flaw requires the attacker to be in close proximity to the network to execute it, this is especially bad news for those with far-reaching wireless signals—such as hotel and hospital lobbies—where an attacker can just sit down and work their trade.
The Vulnerability Notes Database provides a summary and detailed description of the vulnerabilities. It includes a list of vendors who may be affected by the vulnerability, and a status field indicating whether the vendor has any products that are affected.
What can you do?
Vendors are currently identifying their affected products and working on patches to address this attack. In the meantime, here are a few things you can do to keep your information safe:
Apply patches as they are released
Pay careful attention to your wireless environment
Watch for people and technology that look out of place
Utilize a trusted VPN solution
When possible, transfer data over an encrypted channel—such as HTTPS
Restrict sensitive information that would normally pass over a wireless network
And, as always, it’s a good practice to monitor access logs and wireless traffic to look for anomalies in standard business communication
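The last item in the list above, monitoring access logs and wireless traffic for anomalies, is the one that can be put into code. The following is an added example (not part of the original post, and not a Connection tool) that runs two simple checks over access-point association logs: an access point advertising one of your SSIDs from a BSSID that is not in your inventory (technology that looks out of place), and a client whose WPA2 handshake is retried far more often than normal. The log format, the inventory of authorized BSSIDs and the log lines themselves are all constructed for this example and are not taken from any real controller or sensor.

```python
"""Anomaly checks over wireless association logs (added example, constructed data).

Assumed log line format (constructed for this example, not any vendor's):
    <timestamp> <event> client=<mac> ssid=<name> bssid=<mac>
where <event> is one of: assoc, handshake-ok, handshake-retry.
"""
import re
from collections import Counter

# Constructed inventory: the BSSIDs that legitimately advertise each SSID.
AUTHORIZED_BSSIDS = {
    "corp-wifi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "corp-guest": {"00:11:22:33:44:03"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) client=(?P<client>\S+) "
    r"ssid=(?P<ssid>\S+) bssid=(?P<bssid>\S+)$"
)

# Constructed sample log: one unknown BSSID advertising corp-wifi, one client
# with a burst of handshake retries, and one malformed line to be skipped.
SAMPLE_LOG = """\
2017-10-16T09:00:01 assoc client=aa:bb:cc:00:00:01 ssid=corp-wifi bssid=00:11:22:33:44:01
2017-10-16T09:00:02 handshake-ok client=aa:bb:cc:00:00:01 ssid=corp-wifi bssid=00:11:22:33:44:01
2017-10-16T09:01:10 assoc client=aa:bb:cc:00:00:02 ssid=corp-wifi bssid=00:11:22:33:44:09
2017-10-16T09:01:11 handshake-retry client=aa:bb:cc:00:00:02 ssid=corp-wifi bssid=00:11:22:33:44:09
2017-10-16T09:01:12 handshake-retry client=aa:bb:cc:00:00:02 ssid=corp-wifi bssid=00:11:22:33:44:09
2017-10-16T09:01:13 handshake-retry client=aa:bb:cc:00:00:02 ssid=corp-wifi bssid=00:11:22:33:44:09
2017-10-16T09:01:14 handshake-retry client=aa:bb:cc:00:00:02 ssid=corp-wifi bssid=00:11:22:33:44:09
2017-10-16T09:02:00 assoc client=aa:bb:cc:00:00:03 ssid=corp-guest bssid=00:11:22:33:44:03
this line is deliberately malformed and must be skipped
2017-10-16T09:02:30 handshake-retry client=aa:bb:cc:00:00:03 ssid=corp-guest bssid=00:11:22:33:44:03
"""


def parse_log(text):
    """Return (records, skipped): parsed dicts plus the count of unparseable lines."""
    records, skipped = [], 0
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
        elif line.strip():
            skipped += 1
    return records, skipped


def find_rogue_bssids(records, inventory):
    """(ssid, bssid) pairs seen on the air that are not in the authorized inventory."""
    seen = {(r["ssid"], r["bssid"]) for r in records}
    return sorted(pair for pair in seen if pair[1] not in inventory.get(pair[0], set()))


def find_handshake_retry_spikes(records, threshold=3):
    """Clients whose handshake-retry count reaches the threshold: {client: count}."""
    counts = Counter(r["client"] for r in records if r["event"] == "handshake-retry")
    return {client: n for client, n in counts.items() if n >= threshold}


def analyze(text, inventory=AUTHORIZED_BSSIDS, threshold=3):
    """Run both checks and return a summary dict a SIEM rule could act on."""
    records, skipped = parse_log(text)
    return {
        "parsed": len(records),
        "skipped": skipped,
        "rogue_bssids": find_rogue_bssids(records, inventory),
        "retry_spikes": find_handshake_retry_spikes(records, threshold),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The retry threshold is a tuning knob: pick it from a baseline of your own environment rather than from this example, and treat a hit as something to investigate on site (the attacker described above has to be physically nearby), not as proof of an attack.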
How has this WiFi vulnerability affected your organization? Leave a comment below to share your experience and any additional advice you have for staying protected.
(A Must-Read for all CEOs, CFOs, CIOs, CISOs, Board Members & Shareholders Today)
Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."
With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?
The C-Suite Meeting
Today was a HUGE day for this multi-billion dollar company, for today after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding as to which Cloud Computing provider to go with.
This meeting is being chaired by the Chairman of the Board and attended by the following organizational employees -
Chief Executive Officer (CEO)
Chief Financial Officer (CFO)
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.
After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.
The C-Suite then took a break for lunch.
The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...
... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.
Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?" He said "Yes."
Houston, We Have a Problem
The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!
He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.
He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."
He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"
The CEO asked the CIO - "What's wrong? What happened?"
The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"
The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"
The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"
The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"
The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"
The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"
The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."
The CEO asked - "What is Active Directory?"
The CISO replied - "Sir, simply put, it is the very foundation of our cyber security"
The CEO then asked - "Wait. Can just anyone request and extract credentials from Active Directory?"
The CISO replied - "Sir, not everyone can. Only those individuals who have sufficient access to do so, and by that I mean specifically only those who have Get-Replication-Changes-All effective permissions on the domain root object, can do so."
The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!"
The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has this effective permission on our domain root!"

The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"
The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."
The CEO was furious! - "You're kidding, right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around?!"
The CISO replied - "Seventeen years."
The CEO then said in disbelief - "Did you just say 17 years, as in S-E-V-E-N-T-E-E-N years?! Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"
This is for Real
Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to exactly who has sufficient effective permissions to be able to replicate secrets out of their Active Directory. None whatsoever!
We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organization that wishes to see it.
This Could've Been (and Can Be) Easily Prevented
This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine effective permissions in their foundational Active Directory deployments.
Unfortunately, Mimikatz DCSync is just the Tip of the Iceberg. Today most organizations are likely operating in the dark and have no idea about the actual attack surface, and thus about exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs etc. even though every insider and intruder could try and figure this out and misuse this insight to compromise their security.
Technically speaking, with even just minimal education and the right tooling, here is how easy it is for organizations to figure this out and lock this down today, i.e. to lock this down before an intruder can exploit it to inflict colossal damage - RIGHT HERE.
Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft Azure.
Wait, weren't these C*Os discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!
Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.
All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.
The moral of the story is that while it's fine to fall for the latest fad, i.e. to consider moving to the "Cloud" and all, as and while you consider and plan to do so, you just cannot let your on-prem cyber defenses down even for a moment, because if you do, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.
I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.
PS: If this sounds too simple and high-level i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here, etc.
Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lock down any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.
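To make the question "who can effectively replicate secrets out of this domain" concrete, here is an added illustration in Python. It is not code from this blog, from Gold Finger or from Mimikatz; it is a deliberately small model of the Windows access check that computes which principals effectively hold both replication rights on the domain naming context, covering the three things a simple ACE listing misses: nested group membership, explicit deny ACEs, and an ACE that grants all extended rights without naming a GUID. The two extended-right GUIDs are the real schema values; every principal, group and ACE in the sample data is constructed (they are not Active Directory defaults), and inheritance subtleties, AdminSDHolder and the rest of the real access check are left out by assumption.

```python
"""Who effectively holds the DCSync replication rights? A toy access check.

Added illustration, not code from this blog, from Gold Finger or from Mimikatz.
It models the parts of the Windows access check that matter for this audit:
transitive group membership, canonical ACE ordering (explicit deny first) and
extended rights addressed either by GUID or by an ACE that grants ALL extended
rights. Inheritance flags, AdminSDHolder and the other real-world details are
out of scope (assumption), and every name and ACE below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Real schema GUIDs of the two control-access rights that replicating secrets
# (a DCSync-style request) requires on the domain naming context.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
# An ACE with the control-access bit set and no object type grants every
# extended right at once; a search for the two GUIDs never finds it.
ALL_EXTENDED_RIGHTS: Optional[str] = None


@dataclass(frozen=True)
class Ace:
    allow: bool                  # True: access-allowed, False: access-denied
    trustee: str                 # user, group or well-known identity
    right: Optional[str]         # extended-right GUID or ALL_EXTENDED_RIGHTS
    inherited: bool = False      # explicit ACEs are evaluated before inherited

    def covers(self, right: str) -> bool:
        return self.right is ALL_EXTENDED_RIGHTS or self.right == right


def build_token(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The principal plus every group it belongs to, directly or through nesting.
    Every principal is also 'Authenticated Users' (well-known identity)."""
    token = {principal, "Authenticated Users"}
    changed = True
    while changed:                      # fixed point over nested groups
        changed = False
        for group, members in groups.items():
            if group not in token and members & token:
                token.add(group)
                changed = True
    return token


def canonical(acl: List[Ace]) -> List[Ace]:
    """Canonical order: explicit deny, explicit allow, inherited deny,
    inherited allow. For a single requested right the first match decides."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def has_effective_right(principal: str, right: str,
                        acl: List[Ace], groups: Dict[str, Set[str]]) -> bool:
    token = build_token(principal, groups)
    for ace in canonical(acl):
        if ace.trustee in token and ace.covers(right):
            return ace.allow
    return False                        # no matching ACE: implicit deny


def who_can_replicate_secrets(principals: List[str], acl: List[Ace],
                              groups: Dict[str, Set[str]]) -> List[str]:
    """Principals that effectively hold BOTH replication rights."""
    return sorted(
        p for p in principals
        if has_effective_right(p, DS_REPLICATION_GET_CHANGES, acl, groups)
        and has_effective_right(p, DS_REPLICATION_GET_CHANGES_ALL, acl, groups)
    )


# --- constructed sample: group nesting and a domain-root ACL (not AD defaults)
GROUPS: Dict[str, Set[str]] = {
    "Administrators": {"Domain Admins"},   # builtin group containing Domain Admins
    "Domain Admins": {"alice"},
    "Tier1-Ops": {"Help Desk", "carol"},   # forgotten nested grant from years ago
    "Help Desk": {"bob"},
    "Contractors": {"carol"},
    "Legacy-SyncSvc": {"erin"},
}
DOMAIN_ROOT_ACL: List[Ace] = [
    Ace(True, "Authenticated Users", DS_REPLICATION_GET_CHANGES),  # one right alone is not enough
    Ace(True, "Administrators", DS_REPLICATION_GET_CHANGES),
    Ace(True, "Administrators", DS_REPLICATION_GET_CHANGES_ALL),
    Ace(True, "Tier1-Ops", DS_REPLICATION_GET_CHANGES_ALL),        # the excessive permission
    Ace(False, "Contractors", DS_REPLICATION_GET_CHANGES_ALL),     # explicit deny wins for carol
    Ace(True, "Legacy-SyncSvc", ALL_EXTENDED_RIGHTS),              # invisible to a GUID search
]
PRINCIPALS = ["alice", "bob", "carol", "dave", "erin"]

if __name__ == "__main__":
    for p in PRINCIPALS:
        gc = has_effective_right(p, DS_REPLICATION_GET_CHANGES, DOMAIN_ROOT_ACL, GROUPS)
        gca = has_effective_right(p, DS_REPLICATION_GET_CHANGES_ALL, DOMAIN_ROOT_ACL, GROUPS)
        print(f"{p:6} Get-Changes={gc!s:5} Get-Changes-All={gca!s:5}")
    print("Can replicate secrets:",
          who_can_replicate_secrets(PRINCIPALS, DOMAIN_ROOT_ACL, GROUPS))
```

Running it reports alice (through Domain Admins nested in Administrators), bob (through Help Desk nested in Tier1-Ops) and erin (through an all-extended-rights ACE) as able to replicate secrets, while carol is stopped by the explicit deny and dave holds only one of the two rights. The lesson is the one the post makes: the audit has to be an effective-permissions computation over group nesting and ACE ordering, not a search of ACEs for two GUIDs.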
PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)
You'll want to read this short blog post very carefully because it not only impacts Microsoft, it likely impacts you, as well as the foundational security of 85% of all business and government organizations worldwide, and it does so in a positive way.
A Quick and Short Background
From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.
Active Directory is the Foundation of Cyber Security Worldwide
The entirety of an organization's building blocks of cyber security, including the user accounts used by the entirety of its workforce, as well as the user accounts of all its privileged users, the computer accounts of the entirety of its computers, and the security groups used to provision access to the entirety of its IT resources, are stored, managed and protected in Active Directory.
During the past few years, credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins) have resulted in a substantial number of reported and unreported breaches at numerous organizations worldwide. In response, to help organizations combat the menace of these credential-theft attacks, Microsoft has had to make substantial enhancements to its Windows Operating Systems as well as acquire and introduce a technology called Microsoft ATA.
These enhancements have made it harder for perpetrators to find success with traditional credential-theft attacks, so they've started focusing their efforts on trying to find ways to attack the Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.
Make no mistake about it. There's no dearth of opportunity to find ways to exploit weaknesses in Active Directory deployments because there exists an ocean of access within Active Directory, and sadly due to an almost total lack of awareness, education, understanding and tooling, organizations have no idea as to exactly what lies within their Active Directory, particularly in regards to privileged access entitlements, and thus today there likely are 1000s of privilege escalation paths in most Active Directory deployments, waiting to be identified and exploited. All that perpetrators seem to lack today is the know-how and the tooling.
Unfortunately, since the cat's out of the bag, perpetrators seem to be learning fast and building rapidly, so unless organizations act swiftly and decisively to adequately lock down the vast amount of access that currently exists in their foundational Active Directory deployments, sadly the next big wave of cyber breaches could involve the compromise of Active Directory deployments.
Clearly, Microsoft Has No Answers
It gives me absolutely no pleasure to share with you that unfortunately, and sadly as always, Microsoft yet again seems to be playing catch-up, and in fact, it has no clue or any real answers, ideas or solutions to help organizations in this vital regard.
Here's Proof - Last week, on September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team posted this -
If and when you read it, it will likely be unequivocally clear to you as to just how little Microsoft understands about not just the sheer depth and breadth of this monumental challenge, but about the sheer impact it could have on organizations worldwide!
You see, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security!
That said, in that post, the best Microsoft could do is concede that this could be a problem, wonder why organizations might ever need to change AdminSDHolder, falsely assume that it may not impact privileged users, praise a massively inaccurate tool for shedding light on this attack vector, and end by saying - "if you find a path with no obstacles, it probably leads somewhere."
Oh, and the very last thing they tell you is that their nascent ATA technology can detect multiple AD recon methods.
In contrast, here's what they should have said - "We care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to our customers. Rest assured that Microsoft Active Directory is a highly robust and securable technology, and here's exactly how organizations can adequately and reliably identify and lock down privileged access in their Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."
The reason I say that should've been the response is because if you know enough about this problem, then you also know that it can actually be completely and sufficiently addressed, and that you don't need to rely on detection as a security measure.
BTW, to appreciate how little Microsoft seems to understand about this huge cyber security challenge, you'll want a yardstick to compare Microsoft's response with, so here it is (you'll want to read the posts) - Active Directory Security School for Microsoft.
Er, I'm really sorry but you are Microsoft, a US$ 550 Billion corporation, not a kid in college. If the best you can do concerning such a profoundly important cyber security challenge is show how little you seem to know about and understand this problem, and only have detection to offer as a solution, frankly, that's not just disappointing, that's deeply concerning, to say the least.
Further, if this is how little you seem to understand about such a profoundly important cyber security challenge concerning your own technology, I cannot help but wonder how well your customers might actually be protected in your recent Cloud offering.
Fortunately There's Help and Good News For Microsoft
I may appear to be critical of Microsoft, and I do still believe that they ought to at least have educated their customers about this and this huge cyber security challenge, but I also love Microsoft, because I've been (at) Microsoft, so I'm going to help them.
To my former colleagues at Microsoft I say - "Each one of us at Microsoft is passionate, cares deeply and always strives to do and be the best we can, and even though I may no longer be at Microsoft, (and I still can't believe how you missed this one), luckily and fortunately for you, we've got this covered, and we're going to help you out."
So, over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.
What Constitutes a Privileged User in Active Directory
How to Correctly Audit Privileged Users/Access in Active Directory
How to Render Mimikatz DCSync Useless in an Active Directory Environment
How to Easily Identify and Thwart Sneaky Persistence in Active Directory
How to Easily Solve The Difficult Problem of Active Directory Botnets
The World's Top Active Directory Permissions Analysis Tools (and Why They're Mostly Useless)
The Paramount Need to Lockdown Access Privileges in Active Directory
How to Attain and Maintain Least Privileged Access (LPA) in Active Directory
How to Securely Delegate and Correctly Audit Administrative Access in Active Directory
How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment
You see, each one of these Active Directory security focused objectives can be easily accomplished, and in order to do so, what is required is the capability to accurately audit effective access in Active Directory. Sadly, let alone possessing this paramount cyber security capability, Microsoft doesn't even seem to have a clue about it.
Each one of these posts is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual, company etc.) on the planet that can help the world address each one of these today, do let me know.
Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.