Persistent hackers have a common means of taking over company networks: They compromise one or more enterprise users using social engineering.
Either they’ve already compromised a website the user visits or they send a phishing email, which asks for enterprise credentials. If the user visits a compromised website, usually a malicious script will probe the user’s computer for common unpatched software (such as Java) or induce the user to run a Trojan executable.
Either way, the bad guy gets a backdoor into one or more user systems, gains local admin access, then uses that access to look for elevated network credentials. It usually doesn’t take long. Usually, there are dozens of active users with elevated group memberships all over any network. The average hacker needs less than an hour to move from a single pwned computer to total environment takeover.
The two best defensive strategies are to implement “perfect patching” and to teach your users how to spot social engineering scenarios. It’s also a huge help to not have multiple users running around your network using superelevated credentials all the time.
Locking down admin boxes
Today, most companies have reduced elevated group membership to a bare minimum or require that every potential admin check out, on a limited-time basis, any elevated credential they need to use. But even more can be done.
Back in 2013, I wrote about using secure jump boxes to improve your overall enterprise security. They go by many names, including secure admin workstations (SAWs). The concept: You lock down a workstation — and tell all administrators to use only that secure workstation whenever they do anything requiring elevated credentials. This makes elevated credentials far more difficult to steal.
SAWs can be real computers or virtual machines. I recommend the following characteristics for any SAW:
Highly tightened security settings
Multifactor access control
No access to or from the Internet
Strict firewall rules
Application control whitelisting so that only pre-approved programs can run
SAWs are fairly common in most of today’s enterprises. My strongest experience is in Microsoft Windows systems, but I also love Linux and BSD for creating SAWs. At home and for some of my clients, I use OpenBSD. It’s hard to beat the baseline security provided by OpenBSD’s default settings and security choices.
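As an added illustration of the "no access to or from the Internet" and "strict firewall rules" items above, here is a constructed OpenBSD pf ruleset for a SAW; it is not from the original article, and the interface name, subnets and host addresses are placeholders you would replace with your own management network.

```pf
# /etc/pf.conf for a secure admin workstation (constructed example)
saw_if        = "em0"                       # placeholder: SAW's only network interface
mgmt_net      = "10.10.0.0/24"              # placeholder: internal management subnet
admin_targets = "{ 10.10.0.10, 10.10.0.11 }" # placeholder: hosts admins may reach
dns_srv       = "10.10.0.2"                 # placeholder: internal DNS/NTP server

set skip on lo
set block-policy drop        # silently drop, do not send RSTs/ICMP back

# Default deny in both directions, logged to pflog so anything unexpected is visible
block log all

# Drop packets with spoofed source addresses on the SAW interface
antispoof log quick for $saw_if

# Hard stop: nothing leaves the SAW for any address outside the management subnet.
# Because this rule is "quick", a later, carelessly added pass rule cannot reach the Internet.
block out log quick on $saw_if from any to ! $mgmt_net

# Only administrative protocols, only to pre-approved hosts (SSH, RDP, WinRM)
pass out quick on $saw_if inet proto tcp from ($saw_if) \
    to $admin_targets port { 22, 3389, 5985, 5986 } modulate state

# Name resolution and time sync against internal servers only
pass out quick on $saw_if inet proto { tcp, udp } from ($saw_if) to $dns_srv port 53 keep state
pass out quick on $saw_if inet proto udp from ($saw_if) to $dns_srv port 123 keep state

# No inbound pass rules: nothing may connect to the SAW, from the Internet or the LAN
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` for a while to confirm that only the expected administrative traffic is passing.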