Security from within

IT security keeps getting more attention, and rightly so. The media report more and more on hacking attempts and DDoS attacks, and the government also pushes us to take security seriously: think, for example, of the data-breach notification law. Nobody wants to end up in a breach register, let alone face a fine of up to 10% of annual turnover. And that is before we even mention industrial espionage.

This article was first published on

What I often see in practice is that the attention to security focuses on preventing digital break-ins: firewalls are configured and antivirus protection is tightened. Nobody wants an attacker to get in. At the same time we all know that 100% security, digital or otherwise, does not exist. However high we build the virtual fence, there will always be ways to climb over it. Whether through human error or through bugs in the security measures themselves, a break-in can never be prevented completely. The goal is of course to make and keep the chance of an intrusion as small as possible, in a trade-off between risks and resources. Everyone understands that the proverbial corner bakery needs fewer measures to protect its bookkeeping and recipes than a multinational does. What I want to focus on here is what to do when someone does get in.

So, what then? And how do I know that someone has got in? In my view, detecting a break-in is just as important as preventing one. I know several stories of companies that only found out weeks or even months later that they had been hacked. In the meantime all kinds of information may have leaked, and then you still have to work out exactly which information. There are more and more ways to detect intrusions: think of an IDS (Intrusion Detection System) or SIEM (Security Information and Event Management) tooling. Microsoft ATA is also a good detection system. There is much more to say about these systems, but we will park that for another time.

Besides detection there is another aspect that matters once someone has broken in: an intruder should not immediately have access to all data and systems. "Surely my staff don't have that?" I hear you think. It is almost taken for granted that everyone only has access to the systems they need for their work. Yet this is exactly where things often go wrong, because the IT department usually needs rights on many systems to do its job. As long as you arrange this properly, that is fine. One example is the use of a 'normal' staff account alongside a separate 'admin' account: administrative tasks are performed with a different account than the one used for ordinary office work. That is a good start.


Without diving too deep into the technology: administrators are not always aware of how so-called Pass-the-Hash and Pass-the-Ticket attacks work. When a Windows account logs on to a computer or server, its logon data, also called credentials, is kept on that machine. So if an administrator logs on to an end user's computer with his admin account to solve a problem, his credentials stay behind on that computer. If that same computer is hacked moments later, the attacker can find the administrator's credentials there and use them to obtain more rights within the company's IT environment. Of course you would rather not leave your credentials behind on a computer you visit as an administrator, but this happens automatically, because that is simply how Windows works. Fortunately, there are things you can do about it!

Remote takeover

To control a computer remotely, a Remote Desktop Connection, also called an RDP session, is often used. It is possible to start such a session in Restricted Admin mode, which leaves no credentials behind on the computer you connect to. More information can be found through this link.
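As an added example (not from the original article), the PowerShell snippet below checks whether a server allows Restricted Admin RDP and then opens the connection in that mode; the server name is a parameter you supply, and the script assumes you are a local administrator on that server with PowerShell Remoting enabled.

```powershell
# Added example: check for and use Restricted Admin RDP.
# Assumes: admin rights on $Server and PowerShell Remoting enabled there.
param(
    [Parameter(Mandatory)] [string] $Server
)

$lsaPath = 'HKLM:\System\CurrentControlSet\Control\Lsa'

# On the target, DisableRestrictedAdmin = 0 means Restricted Admin RDP is allowed.
# On current builds the value must be present and 0; absent means not enabled.
$state = Invoke-Command -ComputerName $Server -ScriptBlock {
    (Get-ItemProperty -Path $using:lsaPath -Name 'DisableRestrictedAdmin' `
        -ErrorAction SilentlyContinue).DisableRestrictedAdmin
}

if ($null -eq $state) {
    Write-Warning "Restricted Admin RDP is not enabled on $Server (value not set)."
    return
} elseif ($state -ne 0) {
    Write-Warning "Restricted Admin RDP is disabled on $Server (DisableRestrictedAdmin=$state)."
    return
}
Write-Host "Restricted Admin RDP is enabled on $Server."

# Connect in Restricted Admin mode: your credentials are not forwarded to the
# remote host, so no reusable copy of them is left behind after the session.
Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:$Server", '/restrictedAdmin'
```

The "Restrict delegation of credentials to remote servers" Group Policy setting can enforce Restricted Admin (or Remote Credential Guard) for all RDP clients, so administrators cannot forget to add the switch.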

Just-in-time access

With Windows Server 2016 it is possible to grant temporary rights in Active Directory: a group membership can be given a Time To Live (TTL). An administrator can, for example, be granted rights on a given system for two hours; after those two hours the rights are withdrawn automatically. If a hacker makes off with the credentials of the admin account after those two hours, he cannot simply go anywhere with them. TTL on group memberships is just one of the possibilities offered by the PAM (Privileged Access Management) tooling for Active Directory. More technical information can be found on this page from Microsoft.
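As an added example (not from the original article), this PowerShell snippet grants the two-hour membership described above using the Windows Server 2016 PAM feature; the group and account names are placeholders, and it assumes a 2016 forest functional level, the RSAT ActiveDirectory module, and Domain Admin rights.

```powershell
# Added example: just-in-time group membership with a TTL (Windows Server 2016 PAM).
# Placeholders: Server42-Admins (group), jdoe.adm (admin account).
Import-Module ActiveDirectory

$forest  = (Get-ADForest).Name
$feature = 'Privileged Access Management Feature'

# 1. The PAM optional feature must be enabled once per forest (this cannot be undone).
$enabledScopes = (Get-ADOptionalFeature -Identity $feature).EnabledScopes
if (-not $enabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest -Confirm:$false
}

# 2. Add the admin account to the server-specific admin group for two hours only.
$group = 'Server42-Admins'
$admin = 'jdoe.adm'
Add-ADGroupMember -Identity $group -Members $admin -MemberTimeToLive (New-TimeSpan -Hours 2)

# 3. Verify: expiring memberships are listed as <TTL=<seconds left>,CN=...>.
Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Because the Kerberos TGT lifetime is capped at the lowest remaining TTL of the account's memberships, the access really does stop after two hours rather than lingering in an already-issued ticket.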


Tiering

Dividing the infrastructure into different layers is called tiering, and it is another way to take a step up in security. If you use a separate username/password combination for each tier and only use it on the management systems and servers of that same tier, you prevent, or at least make it much harder for, an attacker who has compromised one tier to move into another. More information on this Privileged Access Reference Model can be found here.

Besides these three options there are many other ways to raise your internal security to a higher level. Think, for example, of a second authentication factor for both employee and admin accounts, a regular reset of the krbtgt account, disabling the SAM-R protocol, using the Protected Users group, and so on.

IT security does not stop at the front door. Once a hacker is inside, you want to be able to detect that. You also want to prevent the hacker from getting any further than the system through which he entered. Numerous technical and organizational measures are available, but unfortunately they are often insufficiently known to IT management departments. The argument that extra layers of security by definition reduce usability is weak: there are plenty of measures the user does not notice at all.
