It is often said that there are two types of companies: those who know that their systems have been hacked and those who do not know it yet. It may sound extreme, but it’s the reality in the world of IT security.
Given the wealth of tools available to state-sponsored actors and other professional hackers, many networks are constantly under attack. And since companies often make poor security decisions because their threat detection is weak, the likelihood of falling victim to a cyber-attack is very high.
Once you accept that there is a good chance malicious actors will break into the network, you can significantly reduce the damage they do and the amount of data they compromise. Here are some tips for strengthening a company’s cyber security posture.
- The first thing to do is to segment the network. Having a single network is the best way to help cybercriminals carry out the classic “land and expand” cyber-attack. To combat this type of attack, it is necessary to insert firewalls and SSH tunnels or other types of tunnels between the segments.
- The domain architecture must be changed. Instead of having a single domain, it is better to break it down into several domains with distinct trust relationships between them.
- Reauthentication must be required between networks. When employees move from one network to another, they must be forced to log off and log back on with different credentials. Why is this important? Think about how an attack proceeds. If the hacker obtains a broad credential that works on several machines, they will use it to push as far into the network as possible in search of something valuable to steal. Securing access between systems reduces the risk of cybercriminals roaming the corporate environment.
- Another step is the removal of local admin rights. This is one of my strongest recommendations: remove administrator rights on local machines. Users do not need to be local administrators. Here is why: the first phase of a cyber-attack is credential harvesting. To carry out a pass-the-hash attack, a hacker extracts the credential hashes from the system, which requires local administrator rights. If a user is not allowed to be a local admin and the system is compromised by malware, the attacker must first escalate to administrator rights before the credentials can be retrieved.
- We must opt for a limited credential lifetime. Credential lifetimes should be measured in hours or days, not in weeks or months. Once a credential has been used for privileged access, it should be randomized. Why? That credential leaves persistent traces on the machine, and those traces will be reused. If an attacker can work their way up to domain admin rights, they gain access to every other station in the network. But if the credential has been invalidated, there is no persistent value to exploit, even if a hacker manages to obtain it.
- My last tip is to eliminate permanent access. Why does anyone need to be a domain administrator permanently? Why not make them a regular user and have them connect with the domain admin account only for a specific purpose? Better still, we can limit them to local admin rights on the specific workstation they need to work on, with the elevation set to expire after a fixed time. That way, there is only one regular user account on a machine.
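A way to put the local-admin tip into practice is to audit who actually holds local administrator rights and flag anything outside policy. The script below is an added example, not part of the original article; it assumes Windows 10 / Server 2016 or later (the built-in `Microsoft.PowerShell.LocalAccounts` module), and the `EXAMPLE\Domain Admins` allow-list entry is a placeholder to replace with your own domain group.

```powershell
# Added example (not from the original article): audit the local Administrators
# group and report every member that is not an expected administrator.
# Assumes Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts).
# The allow-list is a placeholder; replace it with the principals your policy permits.
$AllowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (keep disabled or password-managed)
    "EXAMPLE\Domain Admins"              # placeholder domain group; adjust to your domain
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $AllowedAdmins)
    # Name is returned as "HOST\account" or "DOMAIN\account", so compare the full name.
    Get-LocalGroupMember -Group "Administrators" |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$Unexpected = Get-UnexpectedLocalAdmins
if ($Unexpected) {
    Write-Warning "Principals holding local admin rights outside policy on $($env:COMPUTERNAME):"
    $Unexpected | Format-Table -AutoSize
    # Review the list first; -WhatIf only previews the removal. Drop it once confident.
    $Unexpected | ForEach-Object {
        Remove-LocalGroupMember -Group "Administrators" -Member $_.Name -WhatIf
    }
} else {
    Write-Output "Only allow-listed principals hold local admin rights on $($env:COMPUTERNAME)."
}
```

Run it under a management account on each workstation (or push it through your configuration-management tooling) and feed the warnings into your monitoring so that newly added local admins are spotted rather than discovered after an incident.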
We can of course choose to ignore these cyber security practices. But in that case, we have to be ready to bear the consequences. After all, the principle is simple: the harder it is to carry out an attack in the environment, the less damage there will be.