Jeramy Kopacko, security consultant and solutions architect at Sophos, weighs in on proactive cyber security strategies that businesses can leverage in 2021 to combat evolving threats.
It’s only March and we’re already seeing major cyber security breaches and vulnerabilities greet us in 2021. SolarWinds has led the headlines with a breach that has now impacted almost 100 private sectors and 9 federal agencies, according to Deputy National Security Advisor Anne Neuberger in a recent White House Press Brief.
In the most recent joint hearing, SolarWinds shifted to scapegoating an intern for leaving the password ‘solarwinds123’ on a file server that had been exposed to the internet, something an independent security researcher had previously warned the company about.
This is not to dump on SolarWinds, but rather to use the event to explain how you can improve your own operations. Let’s use “firefighting” as a metaphor for cybersecurity.
When a home catches fire, you dial 911 and call on your local fire department to extinguish the flames. In the same way, when you encounter a breach, you dial your MSP to respond to the event. But why wait until something happens?
Around the interior of a home, smoke detectors alert you of potential danger—where there’s smoke, there’s fire. So how do we find “smoke” in your environment?
Principle of Least Privilege
Start by auditing domain admin and local admin accounts and reviewing which permissions they actually need to do their job. Limiting the power of these accounts can go a long way toward minimizing the impact of a breach. Common accounts to review include:
- Public Facing Email Accounts
- Identity Sync Services
- Backup Services
- Line of Business Service Accounts
Microsoft employee Steve Syfuhs wrote a blog post on how to use managed service accounts in place of traditional service accounts that run with admin rights.
This applies to IT professionals as well. Your everyday email account should not carry super admin credentials. Plan as if your account will be compromised. MFA is a tool, not a silver bullet.
It’s no secret that the IT space is a highly competitive field. In fact, the average tenure of an employee is around three years. How do you handle this turnover? Do they just “blame the intern?”
Reports from major vendors like Verizon and LastPass show that passwords are consistently reused and recycled. Start by using tools, both free and paid, to audit the passwords in use across your systems. Such tools can:
- Expose any reused passwords
- Provide metrics on how easily they can be cracked
- Check active passwords against leaked databases
If you are using out-of-the-box domain policies in your environment, you are not taking advantage of logs that are invaluable to your organization. A quick search for “Auditing User Accounts in Active Directory” will turn up countless tutorials.
If you have a SIEM or (shameless plug) are using Sophos Intercept-X with EDR, you can quickly audit your systems with a few clicks for the following event IDs:
- Event ID 4720: a new account created
- Event ID 4722: a user account was enabled
- Event ID 4740: a user account was locked
- Event ID 4725: a user account was disabled
- Event ID 4726: a user account was deleted
- Event ID 4738: a user account was changed
- Event ID 4781: a user account name was changed
- Event ID 4625: an account failed to log on (there are several failed logon types)
Monitoring and routinely reviewing these events can give you an early indication that a hack is being attempted or has already succeeded.
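As an added example (not the author’s or Sophos’s code), here is the review logic behind that list, run in Python over a handful of constructed Security-log records: it flags a burst of 4625 failures against one account, any 4740 lockout, and an account that was created (4720) and deleted (4726) within a day. The field names `time`, `id` and `target` are assumptions standing in for whatever your SIEM or EDR export actually uses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records standing in for exported Security-log events (field names are assumptions).
SAMPLE_EVENTS = [
    {"time": datetime(2021, 3, 1, 8, 0, 5), "id": 4625, "target": "jdoe"},
    {"time": datetime(2021, 3, 1, 8, 0, 9), "id": 4625, "target": "jdoe"},
    {"time": datetime(2021, 3, 1, 8, 0, 14), "id": 4625, "target": "jdoe"},
    {"time": datetime(2021, 3, 1, 8, 0, 20), "id": 4625, "target": "jdoe"},
    {"time": datetime(2021, 3, 1, 8, 0, 27), "id": 4625, "target": "jdoe"},
    {"time": datetime(2021, 3, 1, 8, 0, 31), "id": 4740, "target": "jdoe"},
    {"time": datetime(2021, 3, 1, 8, 10, 0), "id": 4625, "target": "svc_backup"},
    {"time": datetime(2021, 3, 1, 22, 5, 0), "id": 4720, "target": "tmpadmin"},
    {"time": datetime(2021, 3, 1, 22, 41, 0), "id": 4726, "target": "tmpadmin"},
]

def by_time(events):
    return sorted(events, key=lambda e: e["time"])  # exports are not always chronological

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` 4625 events inside any sliding `window`."""
    times = defaultdict(list)
    for e in by_time(events):
        if e["id"] == 4625:
            times[e["target"]].append(e["time"])
    alerts = []
    for account, ts in times.items():
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((account, ts[start], ts[end]))
                break  # one alert per account is enough to trigger a review
    return alerts

def short_lived_accounts(events, window=timedelta(hours=24)):
    """Accounts created (4720) then deleted (4726) within `window`: a classic clean-up pattern."""
    created, alerts = {}, []
    for e in by_time(events):
        if e["id"] == 4720:
            created[e["target"]] = e["time"]
        elif e["id"] == 4726 and e["target"] in created and e["time"] - created[e["target"]] <= window:
            alerts.append((e["target"], created[e["target"]], e["time"]))
    return alerts

def review(events):
    return {"failed_logon_bursts": failed_logon_bursts(events),
            "short_lived_accounts": short_lived_accounts(events),
            "lockouts": [e["target"] for e in by_time(events) if e["id"] == 4740]}
```

Tune the thresholds and windows to your environment; a service account that legitimately retries every few seconds will otherwise page you daily.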
Apply these tactics to your existing processes and increase the chance of catching the smoke before it turns to flame. Simple security strategies can save you countless hours and dollars.