Every firm takes measures to protect against being hacked. And yet, it happens every day and is a global menace. Equifax is the latest corporate brand to become synonymous with a huge data breach. As of the writing of this post, over 145 million US consumers have been exposed to the potential risk of identity theft by the Equifax data breach: a clear failure of many layers of executive and IT management to protect their systems from an intrusion. Below are my top 10 simple steps that every enterprise IT shop should have mastered to prevent intrusions and data breaches.
10 simple steps to prevent Enterprise Intrusions and data breaches
Step 1: Establish Account Validation Process
The #1 method bad actors use to gain a foothold in your network or on a server is to compromise a valid account and then start installing malware. If they can compromise an administrator account, they can create new accounts, including new admin accounts. A very well publicized intrusion at a household brand name in the entertainment industry all started with an email administrator clicking on a phishing link in an email, which allowed malware to be installed on their workstation. With malware installed, they have access to your network. Bad actors remotely load their exploits at will and then send instructions to activate them at a time of their choosing, as well as creating new accounts for their own use. When an intruder can create an account, they own you; game over.
By using valid accounts, bad actors work for months with minimal risk of being detected, installing malware and remote programs at will on any device attached to your network.
The #1 way to prevent unauthorized accounts is to detect and disable those accounts immediately. Doing this is simple, but it takes effort to establish the process.
Here is how:
Nightly, create and export a text file from your HR system of all people who should have access, such as employees, consultants, contractors, etc. From your network directory (e.g. Active Directory), export all accounts that do have access into a text file. Establish a batch job to compare those two files, looking for differences. There are directory sync products that will do this.
In most cases you will find terminated employees on the list, which is a good thing to detect and disable by itself. But if there is an account in your network directory that is not in your HR system, that is a potential bad actor. Disable those accounts immediately and flag them for immediate review. Keep those accounts disabled while you investigate.
Daily, run a report showing all new administrative accounts created within the last 24 hours. Have a person review all new accounts created with elevated privileges and double-check them for proper authorization, especially domain administrator accounts. Producing and reviewing this report is the most important thing you can do after back-ups.
Monthly, report all accounts with elevated privileges and reconcile each one to a person. While this sounds like an extra step, keep in mind that administrative privileges are what is used to install and run ransomware and kill programs in your environment.
Following these steps will dramatically reduce the #1 way your network can be compromised. Typically, organizations that are compromised learn afterwards that these bad accounts went undetected in their systems for months and months.
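As an added example (not code from the original post), here is the nightly HR-to-directory comparison and the daily new-admin report from Step 1 in Python. The two exports are constructed sample data, and the column names (username, status, enabled, admin, created) are assumptions; map them to whatever your HR and directory exports actually produce.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports (not real data). In practice these are the nightly
# HR export and the directory export (e.g. from Active Directory) described above.
HR_EXPORT = """\
username,status
alice,active
bob,active
carol,terminated
"""
DIR_EXPORT = """\
username,enabled,admin,created
alice,true,false,2017-09-01T08:00:00+00:00
bob,true,true,2017-09-02T09:30:00+00:00
carol,true,false,2016-01-15T10:00:00+00:00
svc-backup7,true,true,2017-09-10T02:13:00+00:00
"""

def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(hr_text, dir_text, now_iso):
    """Compare the two exports and return the findings the process looks for:
    directory accounts unknown to HR (disable now), leavers still enabled, and
    privileged accounts created in the last 24 hours (review for authorization)."""
    hr_status = {r["username"]: r["status"] for r in parse_csv(hr_text)}
    now = datetime.fromisoformat(now_iso)
    unknown, stale, new_admins = [], [], []
    for acct in parse_csv(dir_text):
        name = acct["username"]
        enabled = acct["enabled"] == "true"
        if name not in hr_status:
            unknown.append(name)            # not in HR at all: potential bad actor
        elif hr_status[name] == "terminated" and enabled:
            stale.append(name)              # terminated employee still has access
        if acct["admin"] == "true":
            created = datetime.fromisoformat(acct["created"])
            if timedelta(0) <= now - created <= timedelta(hours=24):
                new_admins.append(name)     # new elevated account: needs a human check
    return {"unknown": unknown, "terminated_enabled": stale, "new_admins": new_admins}

if __name__ == "__main__":
    for finding, names in reconcile(HR_EXPORT, DIR_EXPORT, "2017-09-10T08:00:00+00:00").items():
        print(f"{finding}: {names}")
```

Accounts in the "unknown" list are the ones to disable before anyone investigates; the "new_admins" list is the daily report a person signs off on.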
Step 2: Server Patching
Patching sounds basic, and it is. Most vulnerabilities still sneak in on servers and desktops because they are not running critical security patches. There are many examples of ransomware exploits being successful even when patches to prevent them had been available for months. For the patches to work, they need to be installed, so most shops have a monthly patching program; I bet yours does too. But do you have a method to discover, audit and report patch levels for all server operating systems in your enterprise?
Does your shop check that all (I mean all: even those outside of the data center or not centrally managed) servers are included in the program and actually running the critical patches? Audit the servers appearing on the list against the CMDB so you know you have them all. Oh, you don't have a complete list of ALL servers? All it takes is one unpatched server to allow access to your entire network. Run a monthly report on all servers and their patch levels. Applying missing critical patches is an easy fix that plugs a big hole.
Step 3: Use an Enterprise class anti-spam filter and block links that don’t have a good reputation.
Many excellent solutions to block spam are already in place. For best results, take it one step further for the phishing messages that get through: block any outbound connection to a destination that is not whitelisted or that has no reputation or a bad reputation.
End users (or system administrators, for that matter) clicking on links is a high-percentage method by which bad actors introduce malware into your environment. Organizations also use end-user security training that instructs people not to click on unknown links. Periodically sending "pretend" phishing emails from an external source to test and reinforce the right end-user behavior is a best practice.
Unfortunately, people are in a hurry, clicking is a reflex action, and some links are just too tempting, so block the outbound connection. If it blocks a valid business link, a quick call to the service desk can remedy that. It truly is better to be overly cautious than infected.
Step 4: Desktop Anti-Virus
Most shops insist that every network-attached desktop and laptop run an up-to-date AV. Do your AV and its client support reporting status back to a central console in real time? A console can validate that the client machine is up to date and will alert when a virus or attack is occurring, and it can automatically disable network access and open a ticket.
A best practice is to block network access if a client machine is not running the AV with a current signature file. Protecting the network from infected or rogue machines by blocking their network access outweighs the inconvenience to a single end user.
Step 5: Edge Security
This is another obvious step that many have in place, but it is also another opportunity to make sure best practices are being followed. All entry points into the network infrastructure must be secured with firewalls and IPS. There are many good products and strategies for this. Have your team present the current situation and talk about any missing pieces or outdated products. Ask the team what their process is for updating products, including firmware. They should be able to produce a list of all installed product versions, including firmware, compared against the vendor's most current. Make sure products run on the most current firmware and that there is a process for updating it. Lastly, don't let products get too far behind on versions. New features and capabilities in current versions are designed to keep up with threats.
Step 6: Event Correlation
Logs from infrastructure (network, server, SAN, etc.) should be sent through an event correlation solution. This allows what look like small events to be correlated into an alert because, in actuality, they are part of a larger event. This can be a cloud-based service, or you can develop an in-house Security Operations Center. If starting from scratch, consider using a trusted vendor or consultant to support you on this. Doing this right has strategic benefits. Doing this wrong means spending a lot, being flooded with meaningless data, and not being able to act.
Step 7: Take 2 Factor Authentication to the next level
Roll out 2-factor authentication enterprise-wide for remote access to resources that would normally only be accessible if you were at a corporate location on the local area network, for example VPN and VDI. Most organizations have this. Do you use it for webmail? You should.
For an extra layer of protection, strongly consider 2-factor authentication for end users' network login to their local workstation, even on the LAN, when they have access to accounts with equity assets and cash: for example, any end user who can move money, such as setting up and executing fund or wire transfers. Alternatively, have the fund transfer application require a second authorization, so that a bad actor (internal or external) cannot gain access and transfer funds to themselves (yes, that happens).
Step 8: Social Engineering
Selling consumer data is big, big, big business. Bad actors are highly organized, and they are targeting your system administrators. Keep system admins from being a target for social engineering and email phishing attacks. Ask every person in IT with elevated account privileges to help protect themselves and the organization by using generic job descriptions on all their social media accounts, especially LinkedIn, because sys admins are targeted. All it takes is one click for malware to be installed on an administrator's workstation. So, on social media web sites, instead of titles like Server Administrator, System Administrator, Back-Up Administrator or Systems Engineer with your company logo next to them, ask your people in those roles if they would please consider using nonspecific labels like Office of Technology Associate, Enterprise Services Technician, etc. In the end it will help reduce the attack surface.
Step 9: Be very serious about least privilege.
End-user and service accounts should not be running with administrator privileges. The only accounts with administrator privileges should be those of trained, professional system administrators (period). Protect the organization from end users (unknowingly) installing malware on their machines by granting standard user access.
With Windows 7 and 10 it is very straightforward to remove administrator-level rights from the local user account. For some shops this may require a desktop OS architect to look at how your applications run on the desktop without running as an administrator.
Service accounts running with administrative rights pose a danger as well. Most shops with a large installed base of homegrown applications use hundreds of service accounts. If your shop does not have a secure coding practice and a naming convention for service account management, pull a team together to address this situation.
Step 10: Have Full and complete Back-ups that can be restored
An intrusion presents many problems in addition to a data breach. Intruders on your network can encrypt your data and offer the key for a large sum of bitcoins (otherwise known as ransomware), or erase everything from your servers and put your operations back to paper and pens; those are two very real problems.
You need to make sure that if all else fails, you can get your data back. What would be the impact on your company if data were compromised or encrypted, or applications erased? So, here is the question CIOs need to ask: how do you know the back-ups are in place and will work when you need them?
Perform a one-time audit of all PROD applications, files, directories and folders to ensure they are actually being backed up. You may be shocked at the number of files that are never backed up or whose back-ups fail on a regular basis. Have the team use the audit to get all files into a back-up job. You may also find that the back-up infrastructure is not sized big enough to handle all of the files, and that will spin off another project to address your back-up strategy.
Have the team present a monthly report showing back-up failures and completions. The team needs to test the recovery of random files every quarter, and show that on a report that you look at.
As the next step after PROD, consider a bi-weekly or weekly back-up of key non-prod data such as all development libraries, files and builds.
Make sure IT Ops has back-up files accessible for quick recovery for urgent business needs; but also make sure system back-ups are stored off-site. I recommend using tools and storage platforms that enable a real-time automated synchronization to an off-site location or cloud service.
Finally, consider putting your back-ups on a separate network to reduce traffic and impacts to network performance, and to protect back-up files/images from being stolen or erased by an intruder.
If you are faced with a large price tag for additional back-up infrastructure, consider the cost and disruption of recent ransomware exploits, or just an issue with equipment failures, flood, etc. If IT has a current, viable back-up, you can get back up and running no matter what happens. This is one of the most basic functions within IT, but it is often overlooked because it is assumed to be working.
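As an added example (not code from the original post), here is the Step 10 audit in Python: checking a PROD inventory against what the back-up jobs actually cover, and turning job logs into the monthly fails-and-completes report. The inventory, job definitions and log lines are constructed sample data, and the log format (job=... status=...) is an assumption; adapt the regular expression to your back-up product's output.

```python
import re
from collections import Counter

# Constructed sample inputs (not real data): the PROD inventory the one-time audit
# starts from, the paths each back-up job covers, and a few days of job log lines.
PROD_PATHS = [
    "/srv/erp/db",
    "/srv/erp/attachments",
    "/srv/payroll/data",
    "/srv/web/uploads",
]
BACKUP_JOBS = {
    "erp-nightly": ["/srv/erp/db", "/srv/erp/attachments"],
    "payroll-nightly": ["/srv/payroll/data"],
}
JOB_LOG = """\
2017-09-01 02:10:44 job=erp-nightly status=COMPLETED bytes=83114122
2017-09-01 02:15:02 job=payroll-nightly status=FAILED error=media-full
2017-09-02 02:11:13 job=erp-nightly status=COMPLETED bytes=83201019
2017-09-02 02:15:07 job=payroll-nightly status=FAILED error=media-full
2017-09-03 02:10:58 job=erp-nightly status=COMPLETED bytes=83290811
2017-09-03 02:16:40 job=payroll-nightly status=COMPLETED bytes=1204411
"""
LOG_RE = re.compile(r"job=(?P<job>\S+) status=(?P<status>\S+)")  # assumed log format

def uncovered_paths(prod_paths, jobs):
    """Paths in the PROD inventory that no back-up job includes (the audit finding)."""
    covered = {p for paths in jobs.values() for p in paths}
    return [p for p in prod_paths if p not in covered]

def job_report(log_text):
    """Count COMPLETED and FAILED runs per job: the monthly fails-and-completes view."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                      # ignore lines that are not job outcomes
        counts.setdefault(m["job"], Counter())[m["status"]] += 1
    return counts

def jobs_needing_attention(log_text):
    """Jobs whose failures outnumber their successes in the period."""
    return sorted(j for j, c in job_report(log_text).items()
                  if c["FAILED"] > c["COMPLETED"])

if __name__ == "__main__":
    print("not in any back-up job:", uncovered_paths(PROD_PATHS, BACKUP_JOBS))
    print("job outcomes:", {j: dict(c) for j, c in job_report(JOB_LOG).items()})
    print("needs attention:", jobs_needing_attention(JOB_LOG))
```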
Help Stop Data Breaches. Please Share your experience in the comments section.