Active Directory Security - 10 most common issues


For the last 15 years, I have been working on Active Directory security and operations. I have done Active Directory security and operations assessments for many organizations. In the beginning, I figured out many security issues but not all. That was a good initiative though. Later, through my experience and through sharing knowledge with like-minded security and system administration professionals, I realized that there are many common issues related to Active Directory security. I have tried to compile them as the 10 most common Active Directory security issues. I totally agree there are more issues to talk about, but let us focus on the top 10 according to me.



1. Too many Domain Admins

By default, members of the Domain Admins group have full administrative rights on all workstations, servers, Domain Controllers, Active Directory, Group Policy, etc. This is too much power for any one account in an organization. Only Active Directory administrators require Domain Admins privileges. Whoever is not actively managing Active Directory should not be in the Domain Admins group. Delegation must be used when someone needs to work on a specific part of Active Directory. Service accounts should not be in this group either.




2. Delegated access is not tracked

Default groups in Active Directory provide too many privileges. For example, help desk staff in the Account Operators group will have more rights than they actually need. It is better to use delegation instead and to monitor it. Delegation can be leveraged to ensure that each admin group has exactly the rights it needs.




3. Service accounts with short passwords and excessive permissions

I have seen many times that a vendor simply asks for Domain Admins rights for its service account, which may actually not be needed at all. Hackers are fond of privileged accounts and especially love service accounts because they get less attention. Additional privileges on service accounts can be used maliciously to escalate privileges on the network.

The key is to ensure that service accounts get only the rights they actually need to do their job. Service account credentials are held in the protected memory of the LSASS process; an attacker who compromises that system can extract the password, which may lead to compromise of the network.

Another mitigation against offline Kerberos brute-force attacks is to use passwords longer than 15 characters. This can be achieved by configuring a fine-grained password policy for service accounts.
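The fine-grained password policy described above, as an added example (not code from the original post): it creates a PSO enforcing more than 15 characters, binds it to a group, and reports which SPN-bearing accounts are actually covered. The ActiveDirectory module, the PSO name and the 'ServiceAccounts' group name are assumptions.

```powershell
# Added example (not from the original post): enforce the >15 character rule on service
# accounts with a fine-grained password policy (PSO) and verify which policy each
# SPN-bearing account really gets. Assumes the ActiveDirectory module, domain functional
# level 2008 or later, and a group named 'ServiceAccounts' (assumed name).
Import-Module ActiveDirectory

$PsoName     = 'PSO-ServiceAccounts'   # assumed name
$TargetGroup = 'ServiceAccounts'       # assumed group holding the service accounts
$MinLength   = 25                      # post says longer than 15; 25 leaves a margin

# 1. Create the PSO once. Lower precedence wins when several PSOs apply to one account.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength $MinLength -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -MaxPasswordAge (New-TimeSpan -Days 365) `
        -MinPasswordAge (New-TimeSpan -Days 1) -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $TargetGroup
}

function Get-ServiceAccountPolicyReport {
    # Every user with a servicePrincipalName is a Kerberos service account and therefore
    # exposed to offline ticket cracking; report the password policy that applies to it.
    $domainMin = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
    Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties PasswordLastSet |
        ForEach-Object {
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_   # $null = default domain policy
            [pscustomobject]@{
                Account         = $_.SamAccountName
                Policy          = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
                MinLength       = if ($pso) { $pso.MinPasswordLength } else { $domainMin }
                PasswordLastSet = $_.PasswordLastSet
                Covered         = [bool]($pso -and $pso.MinPasswordLength -gt 15)
            }
        }
}

$report = @(Get-ServiceAccountPolicyReport)
$report | Format-Table -AutoSize
# Accounts still on the default domain policy need to be added to the group, and their
# password reset afterwards: a PSO is enforced on the next password change, it does not
# lengthen an existing password by itself.
$report | Where-Object { -not $_.Covered } |
    ForEach-Object { Write-Warning "Not covered by $PsoName : $($_.Account) (policy: $($_.Policy))" }
```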



4. Using credentials in GPP

Windows Server 2008 came out with Group Policy Preferences, which provide additional functionality to system administrators. They can manage local accounts and credentials, local groups, scheduled tasks, etc. This created a big issue because the encrypted credentials are stored in XML files located in the SYSVOL share, which can be accessed from any domain-joined system. If credentials are already configured in GPP, remove them immediately and delete the XML files from SYSVOL. Microsoft also released the patch MS14-068 to address this vulnerability, which removes the functionality to manage credentials.
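A check for the SYSVOL problem just described, as an added example (not code from the original post): it lists the GPP XML files that still carry a stored password so they can be cleaned up. It only reads SYSVOL and decrypts nothing; the ActiveDirectory module and the standard SYSVOL UNC path are assumptions.

```powershell
# Added example (not from the original post): list Group Policy Preference XML files in
# SYSVOL that still carry a non-empty 'cpassword' attribute, so the items can be removed
# and the affected accounts' passwords changed. Read-only; nothing is decrypted.
# Assumes the ActiveDirectory module and SYSVOL reachable at the standard UNC path.
Import-Module ActiveDirectory

$Domain     = (Get-ADDomain).DNSRoot
$SysvolPath = "\\$Domain\SYSVOL\$Domain\Policies"
# GPP item types whose XML can embed a credential.
$GppFiles   = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

function Find-GppCredential {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include $GppFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { [xml]$xml = Get-Content -Path $file.FullName -Raw }
            catch { Write-Warning "Unparseable XML: $($file.FullName)"; return }
            # The GPO GUID is the folder directly under Policies.
            $gpoGuid = $file.FullName.Substring($Root.Length).TrimStart('\').Split('\')[0]
            $gpoName = $gpoGuid
            if (Get-Command Get-GPO -ErrorAction SilentlyContinue) {   # GroupPolicy module optional
                $gpo = Get-GPO -Guid $gpoGuid.Trim('{}') -ErrorAction SilentlyContinue
                if ($gpo) { $gpoName = $gpo.DisplayName }
            }
            # Every <Properties> element with a non-empty cpassword attribute is a finding.
            $xml.SelectNodes('//*[@cpassword!=""]') | ForEach-Object {
                $props = $_
                # The account attribute is userName, accountName or runAs depending on item type.
                $acct = ($props.Attributes | Where-Object { $_.Name -in 'userName', 'accountName', 'runAs' } |
                         Select-Object -First 1).Value
                [pscustomobject]@{
                    GPO      = $gpoName
                    ItemType = $props.ParentNode.LocalName    # User, NTService, Task, Drive, ...
                    Account  = if ($acct) { $acct } else { '(n/a)' }
                    Changed  = $props.ParentNode.GetAttribute('changed')
                    File     = $file.FullName
                }
            }
        }
}

$findings = @(Find-GppCredential -Root $SysvolPath)
if ($findings.Count -eq 0) {
    Write-Host "No GPP items with a stored password found under $SysvolPath"
} else {
    $findings | Format-Table GPO, ItemType, Account, Changed, File -AutoSize
    # Remediation as the post describes: remove the preference item (or the whole XML file
    # if it holds nothing else) and then reset the password of every account listed, since
    # anyone who could read SYSVOL may already have recovered it.
}
```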

5. Unpatched servers and workstations

Regular patching of servers has been an issue in many organizations. According to the Verizon Data Breach report published in 2015, 99% of the vulnerabilities exploited in breaches had had a patch available for more than a year. Patching is the most critical activity for maintaining the security of systems. It is not realistic to have a system unpatched for months after the vendor has released a patch. Unpatched systems give attackers the ability to gain privileged access to those systems.



6. Unmanaged admin group membership

When a snowball starts rolling, it gets bigger and bigger. The same thing happens with groups in Active Directory. Most of the time group membership keeps increasing slowly but hardly ever goes down. Admin groups in Active Directory especially need to be monitored and scrutinized. Group automation is the best choice to make sure that the appropriate users are in the appropriate groups at all times. These admin groups need to be reviewed on a regular basis: Domain Admins, Administrators, Account Operators, and any other user-created group which provides privileged access to systems.
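A membership review for items 1 and 6 above, as an added example (not code from the original post): it snapshots the recursive membership of the privileged groups, diffs it against the previous snapshot, and flags service accounts found inside. The ActiveDirectory module, the group list and the baseline file path are assumptions.

```powershell
# Added example (not from the original post): snapshot the recursive membership of the
# privileged groups this post names and diff it against the previous snapshot, so that
# silent growth of admin groups is reported instead of going unnoticed.
# Assumes the ActiveDirectory module (RSAT); group list and baseline path are assumed.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins',
    'Administrators',
    'Account Operators',
    'Enterprise Admins',
    'Schema Admins'            # add any user-created admin groups here
)
$BaselinePath = 'C:\AdminAudit\privileged-groups-baseline.json'   # assumed location

function Get-PrivilegedMembership {
    # One record per (group, member); -Recursive expands nested groups to leaf objects.
    foreach ($group in $PrivilegedGroups) {
        try {
            Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop | ForEach-Object {
                [pscustomobject]@{ Group = $group; Member = $_.SamAccountName; Class = $_.objectClass }
            }
        } catch {
            Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        }
    }
}

function Get-MembershipKey { param($Record) "$($Record.Group)\$($Record.Member)" }

function Compare-PrivilegedMembership {
    param([object[]]$Baseline, [object[]]$Current)
    # Anything added or removed since the baseline should have a change ticket behind it.
    $old = @{}; foreach ($r in $Baseline) { $old[(Get-MembershipKey $r)] = $r }
    $new = @{}; foreach ($r in $Current)  { $new[(Get-MembershipKey $r)] = $r }
    [pscustomobject]@{
        Added   = @($new.Keys | Where-Object { -not $old.ContainsKey($_) })
        Removed = @($old.Keys | Where-Object { -not $new.ContainsKey($_) })
    }
}

$current = @(Get-PrivilegedMembership)

if (Test-Path $BaselinePath) {
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $diff = Compare-PrivilegedMembership -Baseline $baseline -Current $current
    if ($diff.Added.Count -eq 0 -and $diff.Removed.Count -eq 0) {
        Write-Host 'No privileged group membership changes since the last snapshot.'
    } else {
        $diff.Added   | ForEach-Object { Write-Host "ADDED:   $_" }
        $diff.Removed | ForEach-Object { Write-Host "REMOVED: $_" }
    }
} else {
    Write-Host "No baseline found; writing the first snapshot to $BaselinePath"
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
}

# Service accounts (users carrying a servicePrincipalName) never belong in these groups.
$current | Where-Object { $_.Class -eq 'user' } | Select-Object -ExpandProperty Member -Unique |
    ForEach-Object { Get-ADUser -Identity $_ -Properties ServicePrincipalName } |
    Where-Object { $_.ServicePrincipalName.Count -gt 0 } |
    ForEach-Object { Write-Warning "Service account in a privileged group: $($_.SamAccountName)" }

# Persist today's membership as the baseline for the next run.
ConvertTo-Json -InputObject $current | Set-Content -Path $BaselinePath
```

Run it from a scheduled task and route the ADDED/REMOVED lines to the ticketing or SIEM system; an addition with no matching change request is the review finding.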



7. Local administrator account password is the same across the network

The local administrator account is used to log on to a system when Active Directory is not available. Most of the time, system administrators build servers with the same password for the local administrator account, so all systems end up with the same local administrator password. If that account is compromised, it provides access to all systems, making life easy for hackers. Therefore, each system must have a unique password for its local administrator account. There is plenty of software available that will not only manage unique passwords but also rotate them on a regular basis.



8. Unmanaged inactive user and computer accounts

Enabled stale accounts in Active Directory always attract attackers because they can be leveraged to get access to resources without being noticed. There are a few different ways to take control of such an account, and since it is inactive, its usage will most probably not be noticed.

We should have a plan to deal with inactive user and computer accounts.
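One such plan in script form, as an added example (not code from the original post): it reports enabled users and computers inactive for 90 days, then disables them and moves them to a quarantine OU in -WhatIf mode until the report has been reviewed. The ActiveDirectory module, the quarantine OU path, the thresholds and the report path are assumptions.

```powershell
# Added example (not from the original post): report users and computers that have not
# authenticated for 90 days, disable them and move them to a quarantine OU so the account
# can still be recovered; objects that sit there for 180 days can be deleted in a later pass.
# Assumes the ActiveDirectory module; OU path, thresholds and report path are assumed.
Import-Module ActiveDirectory

$InactiveDays = 90
$QuarantineOU = 'OU=Quarantine,DC=example,DC=com'    # assumed OU
$Exclusions   = @('krbtgt', 'Guest')                 # never touch built-ins
$ReportPath   = "C:\AdminAudit\inactive-$(Get-Date -Format yyyyMMdd).csv"   # assumed path

function Get-StaleAccount {
    param([int]$Days)
    # Search-ADAccount relies on lastLogonTimestamp, which replicates but is only refreshed
    # about every 14 days, so the threshold is approximate. Only enabled accounts matter:
    # a disabled stale account is already harmless.
    $span = New-TimeSpan -Days $Days
    $users = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
        Where-Object { $_.Enabled -and $Exclusions -notcontains $_.SamAccountName }
    $computers = Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly |
        Where-Object { $_.Enabled }
    foreach ($acct in @($users) + @($computers)) {
        $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties lastLogonTimestamp, whenCreated
        $lastLogon = if ($obj.lastLogonTimestamp) { [datetime]::FromFileTime($obj.lastLogonTimestamp) } else { $null }
        # Brand-new accounts have no lastLogonTimestamp yet; skip those younger than the threshold.
        if (-not $lastLogon -and $obj.whenCreated -gt (Get-Date).AddDays(-$Days)) { continue }
        [pscustomobject]@{
            Name      = $acct.SamAccountName
            Type      = $acct.ObjectClass
            LastLogon = $lastLogon
            Created   = $obj.whenCreated
            DN        = $acct.DistinguishedName
        }
    }
}

$stale = @(Get-StaleAccount -Days $InactiveDays)
$stale | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($stale.Count) stale enabled accounts written to $ReportPath"

foreach ($s in $stale) {
    # Record why and when the account was disabled so a later reviewer knows.
    Set-ADObject -Identity $s.DN -Replace @{ description = "Disabled as inactive on $(Get-Date -Format s)" } -WhatIf
    Disable-ADAccount -Identity $s.DN -WhatIf
    Move-ADObject -Identity $s.DN -TargetPath $QuarantineOU -WhatIf
}
# Remove -WhatIf above once the report has been reviewed. Objects already in the
# quarantine OU for 180 days can then be removed with Remove-ADObject.
```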



9. No isolation for highly privileged accounts and systems

The Pass-the-Hash attack is the perfect example for this type of environment, where the same privileged account is used to log on to servers, domain controllers and workstations. We have been talking about this attack for many years, but organizations are still lagging behind. Imagine that malware gets onto computers inside the network. Attackers using this malware will search for credentials to steal and re-use. If privileged accounts log on to various computers, their credentials on those systems can be stolen. It is important that all highly privileged accounts are isolated. Domain Admins accounts must not be used to log on to workstations and member servers. Regular accounts must not be given administrative privileges on any system; rather, separate accounts must be created for admin-level work.



10. Using legacy authentication on the network

When we talk about legacy authentication, we simply mean LM/NTLMv1 authentication. These legacy authentication protocols are insecure, therefore it is very important to completely remove them. Windows Server 2008 R2 includes a feature to help identify NTLM authentication use on the network. The minimum protocols for authentication should be NTLMv2 and Kerberos.
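A way to find who still uses LM/NTLMv1, as an added example (not code from the original post): it reads logon events 4624 and keeps those whose "Package Name (NTLM only)" field reports NTLM V1 or LM. It assumes success logon auditing is enabled and is run against a domain controller (the -ComputerName default is an assumption); a host only logs the logons made to itself, so run it against each server of interest.

```powershell
# Added example (not from the original post): find which accounts and hosts still use
# LM or NTLMv1 by reading logon events (4624) from a Security log. The LmPackageName
# field ("Package Name (NTLM only)") is NTLM V1, NTLM V2 or LM for NTLM logons.
# Assumes audit of successful logons is on; defaults to the local machine (assumed a DC).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

function Get-LegacyNtlmLogon {
    param([string]$Computer, [int]$LookbackHours)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named fields from the event XML instead of relying on positional
            # Properties indexes, which differ between Windows versions.
            [xml]$x = $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.AuthenticationPackageName -eq 'NTLM' -and $d.LmPackageName -in @('NTLM V1', 'LM')) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Package     = $d.LmPackageName
                    LogonType   = $d.LogonType
                    Workstation = $d.WorkstationName
                    SourceIP    = $d.IpAddress
                }
            }
        }
}

$legacy = @(Get-LegacyNtlmLogon -Computer $ComputerName -LookbackHours $Hours)
if ($legacy.Count -eq 0) {
    Write-Host "No LM/NTLMv1 logons in the last $Hours hours on $ComputerName."
} else {
    # Summarise per source so each offending host can be fixed (raise LmCompatibilityLevel
    # to 5, 'Send NTLMv2 response only. Refuse LM & NTLM') or decommissioned.
    $legacy | Group-Object Workstation, Account, Package |
        Select-Object Count, @{ n = 'Source'; e = { $_.Name } } |
        Sort-Object Count -Descending | Format-Table -AutoSize
}
```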

Cybersecurity: Create a culture of security and trust among people


Watch out for cyber threats in 2015-2016. Many research companies have published a lot of information on cyber threats, cyber attacks and cybercrime. The top cyber threats that have dominated the news for the past couple of years are identity theft, retail data hacks, healthcare data hacks, phishing and social engineering attacks, mobile and smartphone security threats, and attacks on financial institutions.

US and UK research shows that the behavior of employees presents one of the biggest risks to organizations. BYOD solutions, the growth of social media, remote working and the mind-set of younger employees who do not value traditional controls all together create new threats to an organization’s cyber defense.

Recently the US House identified insiders as the number one threat. Insider means all employees, short-term and long-term contractors, and vendors who have access to some of the resources. A number of government and private case studies have shown that insiders who knowingly participate in cyberattacks have motivations such as revenge, desire for power and recognition, financial gain, loyalty to others in the organization, and political beliefs. Collaboration between organized crime or activist groups and insiders has become common.

Consider the attack on the South Carolina Department of Revenue, where almost 4 million unencrypted bank accounts and tax returns were stolen by a Russian gang. Forensics established a link with an employee who facilitated the attack by opening a link in an email, enabling the hackers to steal the employee’s credentials and access the state’s data.

We understand that technical defenses are very important to protect an organization’s perimeter. But these defenses will have limited effect if they are undermined by employees who do not follow security policies, either because the policies are inconvenient or because they do not understand why they are necessary.

“People”, hence, become the essential component of a strong and effective cyber defense. Cyber security strategies must focus on the human aspects, developing a positive security culture based on trust and not surveillance.

  • Cyber security is a shared responsibility of each and every employee of the organization. The organization should stress the responsibility of the individual as well as the whole team for protecting critical data, and make no exception for leaders, who must act as role models by adopting a positive way of working: in response to a security breach, acknowledge openly what happened and treat it as an opportunity to learn rather than firing people or imposing fear on employees.
  • Encourage employees to view security as something that enables the organization to deliver its promise to customers and achieve its vision.
  • Social media and home-based work are normal behavior. Make it easy for employees to do the right thing. Investing resources and effort in employees and culture can significantly improve security and reduce the potential for a successful cyberattack.

Organizations can reduce their exposure to employee risk by adopting the ‘human aspects of organization’, building a security culture that focuses on building and maintaining trust. There are ways to build trust within the organization:

  • Create an open, ethical and proportionate approach to cyber security
    Employees first must accept that there is a credible threat and have a clear understanding of why these measures are essential. It also means putting proportionate checks and balances in place, focusing where it matters most, and being prepared to challenge controls that are unnecessary and/or redundant.
  • Tag the culture with shared values and beliefs
    A culture built on values, focused around integrity, security and trust, develops commitment and challenges a ‘culture of blame’. People need social reinforcement from the norms of behavior around them rather than just a poster in the hallway or lobby.
  • Power of the majority
    People look to follow social norms; they want to like and trust each other. These traits can be used as a strong lever to help reinforce the right behavior. An organization gaining a deeper understanding of failures, how they were detected and their implications, acts as a strong deterrent. Increasing controls is not necessarily the right thing to do; getting behaviors right is also effective.

Top data security breaches in 2015-2016



  • Anthem: In February 2015, health care provider Anthem acknowledged that it was hacked by then-unknown attackers, who accessed the records of 80 million people
  • Ashley Madison: A group called Impact Team stole the site’s user database in July; the hackers released everything, including personal information such as email and physical addresses for 37 million users
  • An unknown group infiltrated hundreds of banks in multiple countries, stealing somewhere around $1 billion
  • Nearly 15 million T-Mobile customers had their information stolen after credit-checking company Experian was hacked
  • The US government agency Office of Personnel Management was breached, exposing about 22 million records
  • There are many more to be noted, like Target (70 million), Home Depot (56 million), MySpace (16 million) and LinkedIn (117 million)

Identity Theft: Common ways of theft and prevention


Identity theft begins when someone takes your personally identifiable information (PII), such as your name, Social Security number (SSN), date of birth or home address, without your knowledge or permission, for their personal financial gain.

Identity theft has become a nightmare for all of us. Organizations and institutions are investing a lot in identity management and in the prevention of breaches and theft. As individuals, we need to understand the different techniques used by criminals for identity theft so that we can not only raise our awareness but also prevent it from happening. I will go into detail on the most common ways of theft and shed light on prevention steps.

There are so many techniques used by hackers or criminals that we should categorize them into offline (non-technical) and online (technical) identity theft attacks. Let us find out how these attacks are carried out and how we can prevent them.

Offline or non-technical attacks



Mail theft: This is when a thief targets your mailbox and searches through your documents for paperwork that may carry sensitive personal identification information. Government documents or pre-filled credit card applications are just a few of the items that may be targeted. Identity thieves have, at times, been known to redirect your mail by submitting a change of address to the post office.

Prevention: Monitor your mail regularly. If you suspect that someone has been taking mail out of your mailbox, contact the post office immediately. Do not leave mail in the mailbox for extended periods. Use a locking mailbox if possible, or rent a box at the post office. If possible, receive your bills and make payments online.

Dumpster diving: Criminals go through your trash looking for utility bills, credit card bills, medical insurance documents, bank statements and other personally identifiable information. This crime is surprisingly common.

Prevention: Shred everything with a cross-cut paper shredder before disposing of it. Another method is to go paperless by receiving statements and making your payments online. Keep track of your credit report and report any discrepancies to your credit card company and the credit bureaus.

Social engineering: Social engineering is the practice by which highly skilled criminals or actors, either in person, over the telephone or by computer, deceive someone into divulging sensitive information. Usually, social engineers know some information that leads the victim to believe they are legitimate and to give the information asked for. Pretexting is also part of social engineering.

Prevention: The best approach is to stay diligent. Do not give out any personal information to anyone you do not know. If in doubt, do not be afraid to ask for the person’s contact number and let him/her know that you will call back. Verify the person’s identity. Also verify with others, or with the company the person claims to represent, that such information is really needed.

Shoulder surfing: The criminal attempts to get close enough to you that when you enter password information, such as a PIN at an ATM, the thief records it. Although this typically occurs in a public setting, where the victim and their credentials are in plain sight, it may also occur through a video camera set up by the criminal.

Prevention: Be aware of your surroundings when accessing any account that requires you to enter a password or PIN in public. If someone stands too close to you, do not be afraid to ask the person to move back. If he/she is not willing to do so, let the person go first. Remember, it is better to be safe than sorry. If you do not feel safe, leave the place immediately.

Old-fashioned stealing: Criminals target wallets and purses, mail, bank and credit card statements, pre-approved credit offers, new checks, tax information and personnel records, or bribe employees who have access.

Prevention: Limit the amount of personal information you carry with you. Do not carry your Social Security card, blank checks, old deposit slips, or any information that may contain your login and password details. Women are advised to keep their purses closed and secure at all times. Carry your purse close to your body, with the bag in front so that you can keep it within sight.

Online or technical attacks



Social networking: Criminals regularly search social networking sites to steal personal information, like name, date of birth, address and other details, which they can use to commit fraud.



Prevention: Be careful when posting on social networking sites such as Facebook and Twitter. Avoid listing your personal information on these sites. Always use the privacy settings of the social networking site.

Skimming: Criminals steal credit/debit card numbers by using a special storage device attached to ATMs. The device reads the magnetic strip on your card, which thieves then use to commit fraud.

Prevention: Make it a habit to periodically check your credit reports. This helps you discover whether anyone has made unauthorized purchases or has stolen your identity to access your bank accounts or open other lines of credit in your name. Try to minimize credit transactions and use cash instead.

Pretexting: Criminals use false pretenses to obtain your personal information from financial institutions, telephone companies and other sources. This is when a thief dupes the victim into giving up personal information by playing a “con game.” Whether by phone, in person or over the internet, they will use a piece of information they already have about you to make themselves seem legitimate. Criminals will call you on the telephone and make you believe they are a business that requires this information.

Prevention: Verify who you are speaking to. Ask for a call-back number, and question why they need this information. Look up the telephone number of the company the individual says he/she works for and call the company. See also Social engineering.

Man-in-the-middle: Criminals intercept communication between two parties and record the information without the knowledge of either party. Criminals use this information to steal personally identifiable information.

A common scenario is searching for the URL of a company, say http://mybank.com. Once found, you click on the link to access the website. However, when the website appears on screen, you do not notice that the URL has changed to something like http://badguys.com/http://myvictim.com. This is a website that redirected you to the criminal’s site, and any information you enter here is now recorded by the criminals.

Prevention: Be more diligent when accessing a website from web search results. Always check that the website address is legitimate by verifying the URL in the address bar. Do not create or enter information such as login details if the website is not “https”.

Phishing schemes: Increasingly popular now that almost all business is conducted via the internet, this crime is committed when hackers access files on your computer that could contain the keys to your identity. By pretending to be financial institutions or companies, criminals send spam or pop-up messages to get you to reveal your personal information. These attacks occur in a number of ways: cell phone texting, social networks, emails with or without attachments, SMS, and standard mail in your mailbox.

  • Malware based: Criminals attach harmful computer programs to emails, websites and other electronic documents on the internet, such as PDF, DOC, XLS, PNG or JPEG files. Criminals make you feel that these emails are from a legitimate person, company or organization that you know.
  • SMShing: Criminals also send spam text messages pretending to be financial institutions or other legitimate organizations. These text messages carry a sense of urgency that may lead you to disclose your personal information by clicking on the link in the message.
  • Vishing: This is also known as “voice phishing”. Criminals contact you over the telephone, pretending that the call is from a legitimate organization or government agency. You may have received calls or voice messages pretending to be from the IRS regarding a serious audit issue that could lead to arrest by the FBI.
  • Spam based: In this type of attack, criminals known as spammers send repeated spam emails to you. These emails offer you scholarships, free products, business partnerships, etc. Spammers also pretend to be a financial institution or organization you might belong to.
  • Spear phishing: This attack is similar to email spamming but targets businesses. Criminals or spammers send emails to almost every employee of the organization, written to look as if sent by a division within the organization.

Prevention: Protect yourself by contacting the security administrator or help desk in your organization. Do not reply to the email. Do not open any attachment. Do not click any link provided in the email. If you accidentally open the attachment or click the link, immediately notify the security team for further investigation. Be cautious when downloading or installing programs from the web. Do not fall into the trap of free games, movies or software on the internet.

Check out the websites www.antiphishing.org or www.spamhaus.org, which contain active lists of phishing schemes or allow you to check whether a website is suspected of phishing.

For network or system administrators: if you are a fan of free tools to do your job, always check whether the downloaded file is legitimate. Check it at www.virustotal.com.

Employment scams: These scams advertise a bogus job with a high salary and benefits compared to other companies for the same job. The criminal’s website will ask you to enter personal information such as your SSN in addition to other personal details.

Prevention: Do not fall into the trap; always verify that the posting company is legitimate. Research the company before submitting any information or downloading attachments. If you are not sure, just avoid it. Never give out personal identification information without knowing whom you are dealing with.

A resource for finding out whether a website is legitimate is www.scambusters.org. This website contains reviews of websites along with a message board.


Protect online privacy for families and kids


Most kids are skilled navigators when it comes to the internet or web browsing. They are very comfortable using computers, cell phones, tablets or iPods. While kids get tremendous opportunities to learn and explore new ideas, current information, learning materials and knowledge, the internet can be dangerous and harmful to kids in some respects. Websites and mobile apps collect huge amounts of data, including personal information, from kids. This information can be used for multiple purposes that we are mostly not aware of. I will try to focus on some of the online privacy related issues and on how we can prevent them and protect our kids and families.

Malicious and inappropriate content

The internet is another world of fun and learning for kids. It is like another universe with many black holes. On one hand the internet provides very helpful information and knowledge to people; on the other hand, it also has sexual, violent and inappropriate content. One accidental click can lead to thousands of similar websites opening.

Parents are advised to establish rules for computer and internet use. Parents can use the internet browser’s built-in content filtering feature, or configure the home router (if its firewall is enabled) to block access to sexual, gaming and other inappropriate sites. Parents must make sure that their computer has the latest, up-to-date anti-malware software with firewall features. Most security software offers parental control and monitoring features.

Kids should be advised not to download or install any app or software on computers or cell phones without checking with their parents or guardians.

Spies and Identity theft

Identity theft has become a major concern for everyone. Kids and home users are the best targets for this type of attack due to their limited or no knowledge of internet security. There are many ways to steal or collect the personal information of a person who always updates their current status with accurate information. For example, if a kid posts a status update like “I am home alone today”, this information can attract strangers or criminals, as the house is more vulnerable now.

Kids, and parents too, are advised never to share personal information like cell phone number, home address, SSN, credit card number, date of birth or any other sensitive information. Oversharing posts poses a risk of exposing sensitive information not only to social network groups but also to cybercriminals who could use it to steal your identity.

It is advisable to always use the privacy settings on sites like Facebook or Instagram. Kids should never share their password with anyone except their parents.

Exploitative and abusive people

Privacy and internet safety are not only about what you share on the internet but also about who is in your social network. Parents are advised to monitor their kids’ social network groups and whom they are adding. Parents should confirm that their kids personally know everyone in their social networking contact lists.

Kids are advised to tell their parents or guardian immediately if they feel uncomfortable online. Kids should also be advised not to post bullying or inappropriate messages or text online. Kids must check with their parents before posting their pictures on social media. Do not share inappropriate pictures of anyone. Keep social network group conversations as healthy as possible.

Kids are advised not to meet anyone in person whom they “met” on the internet. If someone asks to meet, kids should immediately tell their parents or guardians. Some people may not be who they claim to be.

Parents should refrain from giving their kids administrative access to the computer. Parents are also advised not to use an admin account when surfing the internet.