Restricting Access

Valid login credentials in the hands of criminals, in addition to technical vulnerabilities, are a major problem for the security of your computers and services. On the Darknet, hackers can obtain extensive collections of identity data and login information. Because users tend to use the same passwords for different services, you might also be at risk if other services fall victim to hacking. In fact, more than two-thirds of users continue to use previously leaked login data for more than a year. The US National Institute of Standards and Technology (NIST) and the German Federal Office for Information Security (BSI) IT basic protection compendium (IT-Grundschutz-Kompendium) point out the dangers and recommend regular checking of user accounts and passwords.

Different service providers offer identity leak checkers. The free American service Have I Been Pwned (HIBP) [4] is probably the best known provider of leak information. By entering an email address, you will receive information about whether it was part of a data leak. Even if it is your company email address, the use of HIBP is questionable for data protection reasons in some countries and should be discussed with the corporate legal department. Moreover, HIBP does not give you direct access to the affected password to this account, so you cannot check it directly against your systems. However, specialized service providers on the market also implement General Data Protection Regulation (GDPR)-compliant checks of login data.

When assigning user rights, you need to consider the possibility of stolen login data and give employees only the access rights they absolutely need for their normal workday, especially when accessing servers and shared files. For example, if you grant users read-only rights for existing files on a server, the users need to upload a new file for each change, but the user cannot delete or encrypt the files.

The principle of least privileges means, above all, that you need to establish processes that regularly check the existing privileges, especially when employees change departments or collaborate across departments on projects. The phenomenon is common, for example, among interns who pass through different departments in the course of their internship. Once granted, privileges are often not revoked, but new ones are regularly added. At the end of an internship, the intern then has access to a user account with many security-related access options.

Preventing the Spread

If attackers do gain access to computers in your corporate network, despite all protective measures, this does not necessarily mean that they will ultimately be successful with their attack. Try to mitigate the damage in these cases. To prevent the spread, it makes sense to isolate different departments and different teams in the same department from each other in terms of network technology and locate them on their own subnets. Between these subnets, you need to have a firewall that regulates interdisciplinary network traffic, limited only to what is necessary.

The faster you react, the greater your chance of averting a major loss. Comprehensive monitoring of your resources identify and isolate affected systems quickly. You might want to isolate an entire team or department together. In this way, you can uphold the ability to work and protect the other organizational units in the meantime. Of course, you also need to go through this process regularly. Often, only a few firewall rules are required. Depending on your infrastructure setup, you can also automatically isolate affected computers in a separate virtual local area network (VLAN). An attacker then still has access to a system but cannot infect any other computers from there. If you log internal network connections on the routers between your departments, you can even determine afterward whether propagation – also known as lateral movement – has taken place.

Although attackers might have penetrated your corporate network through a vulnerability, it doesn't mean they will find the same vulnerability on other systems. Attackers therefore use different tools, including the remote desktop protocol (RDP) supplied by Microsoft. Especially in these times of home office and VPN connections from home to the corporate network, remote desktop connections are enjoying great popularity. In most cases, access is quickly granted by Active Directory. Again, you need to monitor connections established with the directory service at central locations and automate your response to undesirable connection attempts to the extent possible.

Protecting Backups

Creating backups is one of the administrator's standard tasks. However, you should not only handle and monitor how backups are created, but also how existing backups are protected and accessed. At best, you have no access to the backup system. Instead, the backup system needs access to the individual services it is supposed to back up. If the users of your systems cannot access the backup themselves, it cannot be encrypted by ransomware launched from a normal user account.

To support easy recovery of files for normal use, you will want to establish different backup systems: one that your users can manage themselves, and one that can only be accessed in extreme emergencies and only by a few administrators. Although this action does not protect you against an attacker demanding a ransom to protect your sniffed trade secrets, you can quickly resume operations after a ransomware incident.