Proper Network Segmentation & Configuration Control Keys to Resisting Ransomware

In the news this week was an article about a successful ransomware attack. It detailed how network access was achieved using email phishing and then went on to explain how the attackers leveraged this low-level network access to compromise the entire network. It was done by breaking password hashes in an attempt to gain access to local admin accounts, then trying these passwords on other hosts and domain administrator accounts. Compromise of a domain admin account then allowed the attackers to take control of the domain, which led to game over. This kind of attack scenario has been around for years and continues to work for a variety of reasons, two of which are inadequate network segmentation and configuration control.

Many of the networks we see are “flat.” In other words, there is no appreciable network segmentation in place. This woeful state of affairs allows any user on the network to see the entire setup, including “server space.” It also provides cyber criminals with many attack surfaces and helps them maneuver around the network. Such network implementations make it very difficult indeed to meet two of the hallmark principles of information security: need to know and least privilege.

By properly segmenting the network, you are allowing users access to only those network assets and information they need to perform their jobs. You are also giving yourself interfaces to implement access controls and monitoring. By employing internal firewalls between network segments, you can strictly control what enters and leaves each segment. This allows you to design appropriate security controls for each network segment, which can reduce cost and administration time. Another benefit of network segmentation can be reduced congestion and improved performance.
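To make the control points concrete, here is an added example (not code from the original post) that models a segmented network as a small inter-segment policy and runs it over a handful of constructed flow records. The address ranges, segment names, allowed ports and log lines are all hypothetical; the point is that once segments exist, "what may cross from A to B" becomes an explicit, reviewable rule set that both the internal firewall and the monitoring team can be measured against.

```python
from ipaddress import ip_address, ip_network

# Hypothetical segments (constructed addressing for this example).
SEGMENTS = {
    "workstations": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "mgmt": ip_network("10.99.0.0/24"),
}

# Inter-segment policy: (src_segment, dst_segment) -> allowed TCP destination ports.
# Anything not listed is denied.  Traffic inside one segment is not policed here,
# which is exactly the gap a host firewall would have to cover.
POLICY = {
    ("workstations", "servers"): {443, 445},   # web apps and file shares only
    ("mgmt", "servers"): {22, 3389, 5985},     # admin protocols only from mgmt hosts
    ("mgmt", "workstations"): {3389, 5985},    # helpdesk / admin into workstations
}


def segment_of(ip):
    """Return the segment name an address belongs to, or None if unknown."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, dst_port):
    """Decide whether a flow is permitted by the inter-segment policy."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False          # unknown address space: default deny
    if src == dst:
        return True           # intra-segment: outside the internal firewall's scope
    return dst_port in POLICY.get((src, dst), set())


def find_violations(flow_log):
    """Parse 'src dst dport' lines and return the flows the policy would not permit.

    Run against real flow logs, each hit is either a firewall misconfiguration
    or an attempt to cross a segment boundary that deserves a look.
    """
    violations = []
    for line in flow_log.strip().splitlines():
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port)):
            violations.append((src, dst, int(port)))
    return violations


# Constructed sample flows: one workstation talking to a server, a peer, and a
# management host.
SAMPLE_FLOWS = """\
10.10.4.21 10.20.1.5 445
10.10.4.21 10.20.1.5 3389
10.10.4.21 10.10.7.9 445
10.99.0.10 10.20.1.5 22
10.10.4.21 10.99.0.10 22
"""

if __name__ == "__main__":
    for flow in find_violations(SAMPLE_FLOWS):
        print("policy violation:", flow)
```

Two of the five sample flows are flagged: a workstation opening RDP to a server and a workstation opening SSH into the management segment. The workstation-to-workstation SMB flow passes because the model only governs traffic between segments, which is why host-based firewalls on endpoints are the usual complement to internal segmentation.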

Another key to reducing the ability of attackers to compromise networks and the private information they contain is proper system configuration. One of the configuration problems we see very often has to do with the way network administrators onboard and administer network systems. We see administrators using the same admin passwords for whole groups of systems across the network. When an attacker compromises a user system and breaks the local admin password hash, they can then use that same password to access other systems and move laterally across the network. That is why it is best practice to use a unique admin password for each system. This can seem daunting to network administrators, who are often overworked and understaffed to begin with. However, unique passwords for each network entity are another hallmark security control that should be applied universally to meet best practice recommendations.

This situation is often exacerbated by network administrators who use the same password for administrator access and ordinary network access. If an attacker compromises the administrator's everyday network account, they can then sign in as a domain admin and, once again, it is game over. That is why we advocate strict control of privileged accounts on the network. Ideally, privileged accounts should require very strong access controls such as multi-factor authentication and should be monitored and alarmed.
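The two configuration findings above (a shared local admin password across many hosts, and an administrator's privileged account protected by the same password as their everyday account) are both things an audit can catch before an attacker does. The following added example, which is not code from the original post, runs those checks over a constructed account inventory. The hosts, account names and `nt_hash` values are made up; the only assumption is that the exported credential fingerprint is deterministic for a given password (as an unsalted NT hash is), so two accounts with the same fingerprint share a password.

```python
from collections import defaultdict

# Constructed inventory, one row per account.  'nt_hash' values are placeholder
# hex strings standing in for whatever fingerprint the audit tooling exports.
INVENTORY = [
    {"host": "WS-001",  "account": "Administrator", "nt_hash": "aaaa1111", "privileged": True,  "mfa": False},
    {"host": "WS-002",  "account": "Administrator", "nt_hash": "aaaa1111", "privileged": True,  "mfa": False},
    {"host": "WS-003",  "account": "Administrator", "nt_hash": "bbbb2222", "privileged": True,  "mfa": False},
    {"host": "DOMAIN",  "account": "jdoe",          "nt_hash": "cccc3333", "privileged": False, "mfa": False},
    {"host": "DOMAIN",  "account": "jdoe-adm",      "nt_hash": "cccc3333", "privileged": True,  "mfa": False},
    {"host": "DOMAIN",  "account": "asmith-adm",    "nt_hash": "dddd4444", "privileged": True,  "mfa": True},
]


def shared_local_admin_hashes(inventory):
    """Map each reused local Administrator fingerprint to the hosts sharing it.

    Any entry here is the 'same admin password on a whole group of systems'
    problem: one cracked hash unlocks every listed host.
    """
    by_hash = defaultdict(list)
    for row in inventory:
        if row["account"] == "Administrator" and row["host"] != "DOMAIN":
            by_hash[row["nt_hash"]].append(row["host"])
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}


def privileged_sharing_with_standard(inventory):
    """Privileged accounts whose password matches a non-privileged account's.

    Returns (privileged_account, standard_account) pairs; each pair means a
    phished everyday login is effectively a domain-admin login.
    """
    standard = {r["nt_hash"]: r["account"] for r in inventory if not r["privileged"]}
    return sorted(
        (r["account"], standard[r["nt_hash"]])
        for r in inventory
        if r["privileged"] and r["nt_hash"] in standard
    )


def privileged_without_mfa(inventory):
    """Domain-level privileged accounts that can still sign in with a password alone."""
    return sorted(
        r["account"]
        for r in inventory
        if r["privileged"] and r["host"] == "DOMAIN" and not r["mfa"]
    )


if __name__ == "__main__":
    print("shared local admin passwords:", shared_local_admin_hashes(INVENTORY))
    print("admin/standard password reuse:", privileged_sharing_with_standard(INVENTORY))
    print("privileged accounts without MFA:", privileged_without_mfa(INVENTORY))
```

On the sample data the first check reports that WS-001 and WS-002 share a local Administrator password, the second reports that `jdoe-adm` uses the same password as `jdoe`, and the third lists `jdoe-adm` as a privileged account still relying on a password alone. Each of these is a finding to remediate, not a condition to live with.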

Implementing proper network segmentation and configuration control makes your organization a hard target for attackers who are out to compromise your private information and systems. These controls are definitely worth the extra money and worker time to implement.