Bulletproof admin boxes beat the toughest hackers

Persistent hackers have a common means of taking over company networks: They compromise one or more enterprise users using social engineering.

Either they’ve already compromised a website the user visits or they send a phishing email, which asks for enterprise credentials. If the user visits a compromised website, usually a malicious script will probe the user’s computer for common unpatched software (such as Java) or induce the user to run a Trojan executable.

Either way, the bad guy gets a backdoor into one or more user systems, gains local admin access, then uses that access to look for elevated network credentials. It usually doesn’t take long. Usually, there are dozens of active users with elevated group memberships all over any network. The average hacker needs less than an hour to move from a single pwned computer to total environment takeover.

The two best defensive strategies are to implement “perfect patching” and to teach your users how to spot social engineering scenarios. It’s also a huge help to not have multiple users running around your network using superelevated credentials all the time.

Locking down admin boxes

Today, most companies have reduced elevated group membership to a bare minimum or require that every potential admin check out, on a limited time-basis, any elevated credential they need to use. But even more can be done.

Back in 2013, I wrote about using secure jump boxes to improve your overall enterprise security. They go by many names, including secure admin workstations (SAWs). The concept: You lock down a workstation — and tell all administrators to use only that secure workstation whenever they do anything requiring elevated credentials. This makes elevated credentials far more difficult to steal.

SAWs can be real computers or virtual machines. I recommend the following characteristics for any SAW:

Highly tightened security settings

Multifactor access control

No access to or from the Internet

Strict firewall rules

Application control whitelisting so that only pre-approved programs can run

Perfect patching

Hypervigilant auditing

SAWs are fairly common in most of today’s enterprises. My strongest experience is in Microsoft Windows systems, but I also love Linux and BSD for creating SAWs. At home and for some of my clients, I use OpenBSD. It’s hard to beat the base security given by OpenBSD’s default settings and security choices.
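As an added example, not from the article or its author, here is how the “no access to or from the Internet”, “strict firewall rules” and “hypervigilant auditing” items from the list above can be expressed in /etc/pf.conf on an OpenBSD SAW. The interface name, addresses, management network and admin ports are constructed assumptions; adjust them to your own environment.

```pf
# /etc/pf.conf for a secure admin workstation (SAW) on OpenBSD.
# Added example; all addresses and ports below are constructed assumptions.
mgmt_net    = "10.10.0.0/16"               # assumed management network the SAW may administer
int_dns     = "10.10.1.53"                 # assumed internal resolver (no public DNS)
int_ntp     = "10.10.1.123"                # assumed internal time source
admin_ports = "{ 22, 3389, 5985, 5986 }"   # SSH, RDP, WinRM: the only admin protocols allowed

set block-policy drop        # silently drop instead of sending RST/ICMP back to probers
set skip on lo               # loopback is not filtered

antispoof for egress         # drop packets claiming a source address that belongs to us

# Default deny in BOTH directions, logged, so every rejected packet shows up in pflog
# for auditing. Nothing below opens any path to Internet addresses.
block log all

# The SAW may initiate admin sessions only towards the management network.
# OpenBSD's pf keeps state on "pass" rules by default, so replies come back
# without any inbound rule being needed.
pass out log on egress proto tcp from (egress) to $mgmt_net port $admin_ports

# Internal DNS and NTP only; resolution and time never leave the management network.
pass out on egress proto { tcp udp } from (egress) to $int_dns port 53
pass out on egress proto udp from (egress) to $int_ntp port 123

# No inbound "pass" rules at all: the SAW accepts no connections from anywhere.
# Placing the SAW on a management VLAN without a default route to the Internet
# enforces the same policy a second time, at the network layer.
```

Load with `pfctl -f /etc/pf.conf` and verify the active rule set with `pfctl -sr`; rejected traffic can be watched live with `tcpdump -n -e -ttt -i pflog0`.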

Source: Bulletproof admin boxes beat the toughest hackers | InfoWorld
