With the start of the new year, many of us make resolutions to establish healthy habits or set new goals. Some might finally purchase a gym membership, aim to stop ordering takeout on weeknights, or plan to spend more time with family – all to improve quality of life. Resolutions can help us rip off the bandage and take action on achieving goals and forming habits that can increase our overall well-being. But New Year’s resolutions don’t revolve only around self-improvement or increasing quality of life. They also apply to optimizing an organization’s cybersecurity.
Organizations often put off taking critical measures and attacking pesky back-burner projects. But by adopting three cybersecurity concepts as New Year’s resolutions, organizations can take steps to strengthen the maturity and security of their enterprises. Organizing and securing networks, establishing annual reviews, and securing shared accounts can help establish a stronger cybersecurity posture – a worthwhile New Year’s resolution for any organization.
Organize and secure the network
Many organizations still operate with flat networks that use a single local area network (LAN) for all devices to communicate on with minimal segmentation or segregation. Taking the time to segment and add layers to networks through separation of traffic into virtual local area networks (VLANs) can isolate traffic traversing through networks and can yield several benefits, including:
Organizing information. Limiting traffic types such as wireless, Voice over Internet Protocol (VoIP), devices with sensitive data, and IT or management devices to their own individual VLANs allows for increased organization and performance of the network. Using VLANs allows IT personnel to reduce address space through subnetting VLANs, easily isolate and organize specific traffic (like VoIP), and reduce overall network latency through prioritization of VLANs.
Securing isolated traffic. While simply splitting the flattened network into VLANs to organize traffic can benefit IT personnel from an organizational standpoint, VLANs’ value does not end there. VLANs can be used in conjunction with access control lists (ACLs) to greatly increase security by limiting traffic within a defined VLAN to only that VLAN and the devices that require access. For example, ACLs should be configured to prevent a user connected on a VoIP device from accessing the IT or management VLAN or a VLAN with sensitive devices, such as banking applications or medical devices. Similarly, organizations should avoid permitting their guest wireless networks to share traffic with their internal networks, which would give unvetted strangers access to sensitive information.
Proper segmentation of networks helps organizations operate on the principle of least privilege, ultimately reducing the attack surface. With these controls in place, an adversary’s ability to pivot between types of systems is greatly diminished, especially when compared to a flat network. In short, attackers can’t hack what they can’t touch.
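The following is an added example, not code from the original post: a small Python model of a router-style inter-VLAN ACL (first match wins, implicit deny at the end) together with a check that the ACL really enforces the segmentation policy described above. The VLAN names, subnets, rules and the "must be blocked" pairs are all constructed for the example; the same `check_segmentation` call run with no rules and a default of permit shows what a flat network looks like by comparison.

```python
"""Verify that an inter-VLAN ACL enforces the intended segmentation policy.

Evaluation is router-style: rules are checked in order, the first match
wins, and unmatched traffic falls through to the default (deny). All
addressing and rules below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical VLAN plan: name -> subnet (constructed addressing).
VLANS = {
    "users":      ipaddress.ip_network("10.10.0.0/24"),
    "voip":       ipaddress.ip_network("10.20.0.0/24"),
    "sensitive":  ipaddress.ip_network("10.50.0.0/24"),
    "management": ipaddress.ip_network("10.90.0.0/24"),
    "guest":      ipaddress.ip_network("192.168.100.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def evaluate(acl, src_ip, dst_ip, default="deny"):
    """Return the verdict for a flow: first matching rule, else the default."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return default


# Constructed ACL applied at the layer-3 boundary between VLANs.
SEGMENTED_ACL = [
    Rule("permit", VLANS["management"], ANY),            # admins reach everything
    Rule("deny",   VLANS["voip"], VLANS["management"]),  # phones never reach management
    Rule("deny",   VLANS["voip"], VLANS["sensitive"]),   # ... or sensitive devices
    Rule("permit", VLANS["voip"], VLANS["voip"]),        # phone-to-phone / PBX traffic
    Rule("permit", VLANS["users"], VLANS["sensitive"]),  # staff use the banking app
    Rule("permit", VLANS["users"], VLANS["users"]),
    Rule("deny",   VLANS["guest"], ANY),                 # guest wifi stays isolated
    # everything else: implicit deny
]

# Segmentation policy: (source VLAN, destination VLAN) pairs that must be blocked.
MUST_BE_BLOCKED = [
    ("voip", "management"),
    ("voip", "sensitive"),
    ("guest", "users"),
    ("guest", "sensitive"),
    ("guest", "management"),
    ("users", "management"),
]


def representative_host(vlan):
    """First usable host in the VLAN, used as the probe source/destination."""
    return next(VLANS[vlan].hosts())


def check_segmentation(acl, default="deny"):
    """Return the policy pairs that the ACL fails to block (empty means compliant)."""
    violations = []
    for src_vlan, dst_vlan in MUST_BE_BLOCKED:
        verdict = evaluate(acl, representative_host(src_vlan),
                           representative_host(dst_vlan), default)
        if verdict == "permit":
            violations.append((src_vlan, dst_vlan))
    return violations


if __name__ == "__main__":
    # A flat network has no boundary ACL, so every pair is reachable.
    print("flat network, unblocked pairs:", check_segmentation([], default="permit"))
    # The segmented design blocks every pair in the policy.
    print("segmented network, unblocked pairs:", check_segmentation(SEGMENTED_ACL))
```

Running the module prints all six policy pairs as reachable for the flat network and an empty list for the segmented one. The useful habit this encodes is keeping the "must be blocked" list as a standing policy and re-running the check whenever a rule is added, since a single misplaced permit above a deny silently reopens a path.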
Establish an annual account review
Setting up an annual review of their Microsoft Windows™ domain(s) can help organizations identify dormant accounts and excessive permissions, and it can help reduce and remove unnecessary privileged accounts.
Identify dormant accounts. Management should identify a threshold at which user accounts are considered dormant. Generally, after 90 days without activity on an account, most accounts can be considered dormant. Identifying these accounts and either locking them or moving them to a disabled-users organizational unit within the Windows domain can prevent unauthorized access should the user have moved on from the organization.
Perform access reviews. It is important to review permissions of each account to prevent excessive access or privilege creep, such as when users change roles but keep their old permissions in addition to new ones. An effective way to perform a review is to use role-based access controls when provisioning permissions to user accounts. Organizing users by job title or department, applying permissions to the user group, and avoiding copying and cloning users within the domain can speed up the process of identifying what minimum level of access is required to complete job functions. Reviewing these permissions and teams at least annually can prevent any level of excessive access to the domain.
Limit use of domain administrators. Identifying and documenting which users have domain admin (or equivalent) rights can help identify and eliminate excessive permissions. These users have the most privilege within the organization and can potentially make drastic changes to the infrastructure. IT personnel should review privileged accounts to evaluate whether the accounts are needed or if the privilege level can be removed or reduced via the delegation of specific privileges. Having fewer accounts with elevated access in the domain makes it easier to monitor and lock down the network.
In determining criteria for what will be reviewed annually in a Windows domain review, management should make sure the process is repeatable and document policies and procedures around annual execution. Doing so can help establish a general benchmarking of the domain, and it can help yield metrics on the reduction of dormant accounts, excessive permissions, and privileged account tracking to show improvement or reveal performance gaps.
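As an added example (not from the original post), the Python below runs the three review steps above over a constructed account export and produces the benchmark metrics the last paragraph calls for. The rows are shaped like what an export of `Get-ADUser -Filter * -Properties LastLogonDate,MemberOf,Department` would yield, but the users, groups, departments and role templates are all hypothetical. Role templates deliberately never include privileged groups, so every Domain Admins membership surfaces for review rather than being accepted as part of a job role.

```python
"""Annual domain account review over a constructed export.

Steps: flag dormant accounts (90-day threshold), flag group memberships
outside the role template for the user's department (privilege creep),
list accounts in privileged groups, and summarise counts for year-on-year
benchmarking. All users, groups and dates are hypothetical.
"""
from datetime import date, timedelta

# Constructed review date for the example.
REVIEW_DATE = date(2024, 1, 2)

# Constructed rows, shaped like a Get-ADUser export (hypothetical domain).
ACCOUNTS = [
    {"sam": "jdoe", "enabled": True, "department": "Finance",
     "last_logon": date(2023, 12, 20), "groups": {"Finance-Users", "Banking-App"}},
    {"sam": "asmith", "enabled": True, "department": "Finance",
     "last_logon": date(2023, 8, 2), "groups": {"Finance-Users", "Banking-App"}},
    {"sam": "bwong", "enabled": True, "department": "IT",
     "last_logon": date(2023, 12, 28), "groups": {"IT-Staff", "Domain Admins"}},
    # Moved from IT to Finance but kept the old IT group: privilege creep.
    {"sam": "clee", "enabled": True, "department": "Finance",
     "last_logon": date(2023, 12, 27), "groups": {"Finance-Users", "IT-Staff"}},
    {"sam": "svc-backup", "enabled": True, "department": "IT",
     "last_logon": date(2023, 12, 31), "groups": {"Domain Admins"}},
    {"sam": "oldtemp", "enabled": False, "department": "HR",
     "last_logon": date(2022, 3, 1), "groups": {"HR-Users"}},
]

# Role-based templates: the groups a department's users are expected to hold.
# Privileged groups are intentionally absent so they are always reviewed.
ROLE_TEMPLATES = {
    "Finance": {"Finance-Users", "Banking-App"},
    "IT": {"IT-Staff"},
    "HR": {"HR-Users"},
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators"}


def dormant_accounts(accounts, as_of=REVIEW_DATE, threshold_days=90):
    """Enabled accounts with no logon in the last threshold_days."""
    cutoff = as_of - timedelta(days=threshold_days)
    return sorted(a["sam"] for a in accounts
                  if a["enabled"] and a["last_logon"] < cutoff)


def privilege_creep(accounts):
    """Map user -> groups held beyond the role template for their department."""
    findings = {}
    for a in accounts:
        extra = a["groups"] - ROLE_TEMPLATES.get(a["department"], set())
        if extra:
            findings[a["sam"]] = sorted(extra)
    return findings


def privileged_accounts(accounts):
    """Enabled accounts that are members of any privileged group."""
    return sorted(a["sam"] for a in accounts
                  if a["enabled"] and a["groups"] & PRIVILEGED_GROUPS)


def review_metrics(accounts, as_of=REVIEW_DATE):
    """Counts to record each year so the review shows improvement or gaps."""
    return {
        "enabled": sum(1 for a in accounts if a["enabled"]),
        "dormant": len(dormant_accounts(accounts, as_of)),
        "privilege_creep": len(privilege_creep(accounts)),
        "privileged": len(privileged_accounts(accounts)),
    }


if __name__ == "__main__":
    print("dormant:", dormant_accounts(ACCOUNTS))
    print("privilege creep:", privilege_creep(ACCOUNTS))
    print("privileged:", privileged_accounts(ACCOUNTS))
    print("metrics:", review_metrics(ACCOUNTS))
```

Against the sample data the review flags `asmith` as dormant, `clee` for the IT group retained after a role change, and both `bwong` and the `svc-backup` service account as Domain Admins to be justified or reduced. Keeping the metrics dictionary from each year is what makes the review repeatable and comparable, as the paragraph above recommends.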
Secure shared accounts
Shared and service accounts throughout the organization often pose challenges in auditing, password rotation, and access review. At least annually, a review of user accounts should be performed to identify service accounts and remediate weak or shared passwords. The use of a privileged access management (PAM) solution throughout the organization allows for strong controls around the use of privileged accounts and addresses several challenges, including:
Increased auditing. With a PAM solution, auditing can be performed on which user retrieved a password or account and when the account was used, and some solutions even allow users to write notes to describe why the account was accessed. Logs can be sent to a centralized security information and event management (SIEM) system to generate alerts on privileged account usage, so that anomalous activity can be quickly identified and investigated, or to perform routine audits.
Routine password rotation. A PAM solution can help organizations automate the cycling of strong (like, 127-character strong), randomly generated passwords. Settings can be configured to rotate passwords for privileged accounts on a routine basis or whenever an account has been checked out and returned. When passwords are randomly generated and stored, IT personnel do not need to remember the passwords. They only need to copy passwords out of the PAM solution when using them.
Secure sharing. When users access privileged accounts through a PAM solution’s interface, passwords are always shared in a secure manner. This feature also allows for quick rotation or permission changes should a user leave the organization or transition to a new role. Users can be quickly imported to the solution and allowed specific access to accounts depending on their role. To read more about the problems solved by PAM solutions, check out previous posts on insider threats and password security.
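To make the three PAM behaviours concrete, here is an added example in Python (not the code of any PAM product, and not from the original post): a minimal vault that grants accounts by role, records an audit event for every checkout, denial and return, rotates the password to a fresh 127-character random value whenever an account is checked back in, and rotates everything a leaver's role could reach when they are offboarded. The users, roles and account names are hypothetical.

```python
"""Minimal PAM-style vault: role-based checkout, audit trail, rotation on return.

Hypothetical users, roles and accounts; the audit_log list stands in for
the events a real solution would forward to a SIEM.
"""
import secrets
import string
from datetime import datetime, timezone

# Character set for generated passwords: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=127):
    """Random password of the given length from the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class Vault:
    def __init__(self, users, role_grants, accounts):
        self._users = dict(users)              # user -> role
        self._role_grants = role_grants        # role -> set of account names
        self._passwords = {a: generate_password() for a in accounts}
        self._checked_out = {}                 # account -> user currently holding it
        self.audit_log = []                    # events, one dict per action

    def _log(self, event, user, account, reason=""):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "user": user, "account": account, "reason": reason,
        })

    def _allowed(self, user, account):
        role = self._users.get(user)
        return account in self._role_grants.get(role, set())

    def checkout(self, user, account, reason):
        """Hand out the current password if the user's role is granted the account."""
        if not self._allowed(user, account):
            self._log("denied", user, account, reason)   # denials are audited too
            raise PermissionError(f"{user} may not check out {account}")
        if account in self._checked_out:
            raise RuntimeError(f"{account} already held by {self._checked_out[account]}")
        self._checked_out[account] = user
        self._log("checkout", user, account, reason)
        return self._passwords[account]

    def checkin(self, user, account):
        """Return the account; rotate so the copied password stops working."""
        if self._checked_out.get(account) != user:
            raise RuntimeError(f"{account} is not checked out by {user}")
        del self._checked_out[account]
        self._passwords[account] = generate_password()
        self._log("checkin+rotate", user, account)

    def offboard(self, user):
        """Leaver: remove the user and rotate every account their role could reach."""
        role = self._users.pop(user)
        for account in self._role_grants.get(role, set()):
            self._checked_out.pop(account, None)   # force-release anything they held
            self._passwords[account] = generate_password()
            self._log("rotate-offboard", user, account)

    def events(self, event):
        """Audit entries of one type, e.g. every 'denied' for an alert rule."""
        return [e for e in self.audit_log if e["event"] == event]


if __name__ == "__main__":
    vault = Vault(users={"alice": "dba", "bob": "helpdesk"},
                  role_grants={"dba": {"sql-sa"}, "helpdesk": {"helpdesk-admin"}},
                  accounts=["sql-sa", "helpdesk-admin"])
    first = vault.checkout("alice", "sql-sa", "patch night")
    vault.checkin("alice", "sql-sa")
    second = vault.checkout("alice", "sql-sa", "verify patch")
    print("rotated on return:", first != second)
    try:
        vault.checkout("bob", "sql-sa", "curious")
    except PermissionError as exc:
        print("denied:", exc)
    for e in vault.audit_log:
        print(e["ts"], e["event"], e["user"], e["account"], e["reason"])
```

The audit trail is the part worth forwarding: a burst of `denied` events for one user, or a checkout with no matching return, is exactly the kind of signal a SIEM rule on privileged account usage should raise.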
The new year offers a fresh chance to change habits and set new goals. By adopting strong security controls and best practices, organizations can strengthen their environments and bring their cybersecurity maturity into the future.