Roman Sebránek

How to secure company against cyber attacks

There are many professional articles and advices how to protect your company against hacker’s attacks, but what is the right one? You can read lot of headers like Do you invest enough funds to protect your company data? Does IT security really about money? Partly! Good news is that lot of things can be done for free.

Globally, successful defense is based on main three pillars: people, processes and technologies. Their mutual ties are crucial in terms of defense effectiveness. But as many say, it’s good to divide problem into smaller ones. Let's look at it per partes.
There is general consensus that people are the least reliable link in this triangle schema.

Process, Technology and Peolpe

This belief steams from the fact there is small number of real IT security experts on the market defining right rules and patterns or educating members in company. This claim brings questions how to improve knowledge of basic IT security habits? The answer is quite simple, we have to immediately start systematically to educate users in our company network what are the main threats and how to fight against by everyday habits with new way of thinking about security. It flows from publicly available resources that most successful vector of attack is led through inadequately secure standard user account which opens the door to obtain credentials of account with higher rights (service accounts, admin accounts, ...) - standardly called privileged account.

Another way how to protect company data except security education of employees is set a set of rules and processes which can help improve protection. Typically define level of password complexity, password duration or multi-factor authentication for VPN connection.

VPN

Defining own security patterns is really difficult discipline because it should be taken into account many points which can adversely affect user experience – ideally, find a balance between safety and good user experience (which is easy to say but harder to do). But one thing is for sure that whatever we propose/implement for purpose of security increase it will be condemn to the users.

The key to success is being prepared

To design security process is one thing, but implement it is another thing. Basically, implementation is directly connected with last pillar of data protection triangle - technologies. Nowadays, there is large scale of security solutions on the market, what is the right one for my type of company? It is clear that other solutions will be chosen for a small business and another multinational corporation. First of all we should realize the relationship between risks and effectiveness, which means what losses we are willing to accept to reduce our initiation costs for security level. Core investments in technology for data protection can be divided into three main points:

1. Communication security
Typically secure E2E communication by encryption. It is good to mention that globally vectors of attacks they are not lead directly on encrypted communication, but on endpoint devices. Reason is very simple, on the endpoints there is communication typically decrypted, what’s more on some endpoints (typically servers) there is not only decrypted communication, but there is usually stored communication key. That’s why server security is one of most important (See more about servers securing by GreyCorbel Solutions). It is empirically proven that an attacker does not want to waste time wiretapping encrypted communication, which must then be decrypted. It is significantly simpler to lead attack directly where is communication already encrypted.

2. Access management security
Today is very popular that organizations around the world opens their backend resources to the users through their own API’s (in Europe for some organizations it is mandatory ordinance regulated by the European Directive – commonly known as PSD2), which, of course, brings new threats. Mitigation of these threats is handled through authentication protocols like oAuth2, open ID connect, … (this topic will be subject of our following article).

3. Behavioral analysis
Idea of behavioral analysis is based on premise that we should be able to define what is the typical user behavior. It means we know reasons why customer use our digital services, we know his habits and we know his main goal. Based on these facts we can evaluate suspicious user. This discipline is about machine learning, advanced algorithms and statistics models. To implement solutions or services focused on behavioral analysis in house is really financially demanding, so i t is therefore worthwhile to use one of the many services offered, either as an on-premise solution or as a cloud service.

Combining all three of the above security approaches is a way to reduce the risk of losing business data which are one of the most important assets of your company. This claim proving following statistic issued by CSO company declaring that more than 65% of businesses should be terminated in case of data lost in one month. This statement was further elaborated by Better Business Bureau company with following result, deadline of termination for rest of business is maximally 3 months.

What to watch out for and what mistakes are most common?

Following paragraph is describing four most common mistakes in companies according Microsoft.

Login and password of service/admin account in SYSVOL directory
(to learn more about SYSVOL see: Microsoft technet). In SYSVOL share directory are usually stored important configuration files which are used through whole domain. Usually you can find there files like: service.xml, groups.xml, scheduledTasks.xml etc. and in many cases in this files are credentials of privileged account shown in plain text. It brings very simple way for attacker how to abuse this privileged account.
Recommendation: For this threat there is recommendation to crypt credentials in this files by AES-256 (at least).

Insufficiently strong passwords of privileged accounts.
In general, it is good to hold password for these accounts in terms of 10-12 characters (at least). Problem occurs when the password validity is not set, because in this case you offer to the attackers as much time as they need for their brute force attacks.
Recommendation: in privileged account password policy have to be taken into account not only password complexity, but password validity, too.

Getting ntds.dit file
(read more about ntds.dit at: Microsoft docs). This file stored all domain objects: accounts, rights, passwords, etc. This file is store in domain controller, so it means that this file can access everybody how can log in to the DC.
Recommendation: Access to the DC should be granted only to the very narrow group of users and restrict full control rights for AD accounts/groups specially for service accounts.

The same login and password of local admin account for couple or all machines in domain.
Just break the password (for example key logger) of local admin account dedicated for attacked machine and attacker can control all machines in domain.
Recommendation: see following article and get more information: how to protect.

All posts