Persistent hackers have a common means of taking over company networks: They compromise one or more enterprise users using social engineering.
Either they've already compromised a website the user visits or they send a phishing email, which asks for enterprise credentials. If the user visits a compromised website, usually a malicious script will probe the user's computer for common unpatched software (such as Java) or induce the user to run a Trojan executable.
Either way, the bad guy gets a backdoor into one or more user systems, gains local admin access, then uses that access to look for elevated network credentials. It usually doesn't take long: On almost any network there are dozens of active users with elevated group memberships. The average hacker needs less than an hour to move from a single pwned computer to total environment takeover.
The two best defensive strategies are to implement "perfect patching" and to teach your users how to spot social engineering scenarios. It's also a huge help to not have multiple users running around your network using superelevated credentials all the time.
Locking down admin boxes
Today, most companies have reduced elevated group membership to a bare minimum or require that every potential admin check out, on a limited-time basis, any elevated credential they need to use. But even more can be done.
Back in 2013, I wrote about using secure jump boxes to improve your overall enterprise security. They go by many names, including secure admin workstations (SAWs). The concept: You lock down a workstation -- and tell all administrators to use only that secure workstation whenever they do anything requiring elevated credentials. This makes elevated credentials far more difficult to steal.
SAWs can be real computers or virtual machines. I recommend the following characteristics for any SAW:
- Highly tightened security settings
- Multifactor access control
- No access to or from the Internet
- Strict firewall rules
- Application control whitelisting so that only pre-approved programs can run
- Perfect patching
- Hypervigilant auditing
SAWs are fairly common in most of today's enterprises. My strongest experience is in Microsoft Windows systems, but I also love Linux and BSD for creating SAWs. At home and for some of my clients, I use OpenBSD. It's hard to beat the base security given by OpenBSD's default settings and security choices.
Skyport kicks it up a notch
I recently ran across the talented people at Skyport Systems. They've created what looks to be a great Linux-based SAW, which is only part of their SkySecure solution. Their solution is essentially a bunch of SAWs, each dedicated to one or more applications, managed from a very secure platform.
They start with a tamper-resistant chassis running a hardware-based hypervisor chip, a Trusted Platform Module (TPM) chip, and Intel's Trusted Execution Technology. This combination of hardware and software ensures that the critical hardware remains unadulterated and that the integrity of the BIOS/UEFI, the hardware boot process, and the operating system boot process is verified. This last part is relatively common on many of today's computers, Windows and otherwise, but without it as a base, you can't trust the system.
Skyport starts with this trusted base and adds Security Enhanced Linux (SELinux), which is a hardened implementation (or module, depending on the implementation) of Linux. SELinux implements Linux with least-privileged, mandatory access controls, along with a slew of heightened security options that have been reviewed, approved, and recommended by security experts around the world for almost two decades.
Native multifactor authentication is used (including from LDAP, geo-fencing, and 2FA-Mobile repositories). Synthetic credentials are used for shared resources so that no admin ever has global device-level credentials or passwords. SSH is monitored and filtered for X11 and SCP traffic. Anomalous traffic generates proactive alerting.
Bare minimum applications are installed. Whitelisting is done with an implicit deny on all applications along with traffic not previously approved and defined. Whitelisting policies are implemented in hardware with the Cavium processor located on the network interface card/IO controller. Hardware-based packet capturing and mirroring is used to detect any flows violating whitelisting policies.
SELinux runs as a secured proxy/firewall for each application. The SkySecure solution allows an admin to SSL into a particular address/port and authenticate using multifactor authentication -- and it binds the admin into a specific device and application. Everything is monitored and recorded. If an admin tries to allow access to the Internet, an audit exception is made and flagged.
Good luck, hackers, stealing those sessions and credentials.
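To make the SAW characteristics above concrete (no Internet access, application whitelisting with implicit deny, hypervigilant auditing that flags any Internet attempt), here is an added example of the audit check a defender would run over a SAW's event log. It is my own illustration, not Skyport's code or anything from SkySecure; the whitelist, the management subnet, and the JSON log format are constructed assumptions.

```python
import ipaddress
import json

# Constructed SAW policy (hypothetical values): the only binaries an admin may
# launch and the only network the box may talk to; everything else is denied.
ALLOWED_BINARIES = {"/usr/bin/ssh", "/usr/bin/sudo", "/usr/sbin/pfctl"}
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.10.0/24")]  # management subnet

# Constructed audit records, one JSON object per line, as a SAW might emit them.
SAMPLE_LOG = """\
{"ts": "2016-04-01T10:00:01Z", "user": "alice", "event": "exec", "path": "/usr/bin/ssh"}
{"ts": "2016-04-01T10:00:05Z", "user": "alice", "event": "connect", "dst": "10.0.10.15", "port": 22}
{"ts": "2016-04-01T10:02:11Z", "user": "bob", "event": "exec", "path": "/tmp/update.bin"}
{"ts": "2016-04-01T10:02:30Z", "user": "bob", "event": "connect", "dst": "93.184.216.34", "port": 443}
{"ts": "2016-04-01T10:03:00Z", "user": "alice", "event": "connect", "dst": "10.0.20.7", "port": 3389}
"""


def destination_violation(addr):
    """Return why a connection to addr breaks policy, or None if it is allowed.

    A public address is an Internet access attempt (the audit exception the
    article describes); a private address outside the management subnet is a
    plain firewall-policy violation. Both are reported, with different reasons.
    """
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in ALLOWED_NETWORKS):
        return None
    if ip.is_global:
        return "Internet access attempt"
    return "destination not in approved network"


def audit_exceptions(log_text):
    """Return one exception record per log line that violates the SAW policy."""
    exceptions = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec["event"] == "exec" and rec["path"] not in ALLOWED_BINARIES:
            exceptions.append({**rec, "reason": "binary not whitelisted"})
        elif rec["event"] == "connect":
            reason = destination_violation(rec["dst"])
            if reason:
                exceptions.append({**rec, "reason": reason})
    return exceptions


if __name__ == "__main__":
    for exc in audit_exceptions(SAMPLE_LOG):
        print(f'{exc["ts"]} {exc["user"]}: {exc["reason"]} ({exc.get("path") or exc["dst"]})')
```

Running it flags bob's unapproved binary, bob's outbound connection to a public address, and alice's RDP attempt to a subnet the SAW is not permitted to reach, while alice's SSH session to the management subnet passes cleanly.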
I'm new to Skyport and its SkySecure solution, but I'm impressed with what I read and saw. After a few email exchanges with company officers and technologists, I can tell this company gets it.
I must get a dozen computer security pitches a day. Most of them are boring and repetitive, and they rarely offer anything new. Skyport is different. If you have high-value assets or critical applications to protect, check out Skyport's SkySecure solution.