Application Security

2/1/2018
05:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Poor Visibility, Weak Passwords Compromise Active Directory

Security experts highlight the biggest problems they see putting Microsoft Active Directory at risk.

Every company has different security challenges. One common hurdle is securing Active Directory, which remains a critical issue because it's used to store increasing amounts of data. Businesses face a major risk in granting access to too many people without knowing who is safe.

"Active Directory was put in decades ago, and many companies, especially large ones, have had it a long time," says Skyport Systems CEO Art Gilliland. "Most companies don't have a handle on what Active Directory looks like or how many people in the organization can administer it."

One of the biggest problems is a lack of visibility into the amount of people and systems with administrative rights, he continues. Admins, and sometimes systems, have access to keys and codes, and the ability to disable or enable controls as they wish.

Skyport researchers learned last year that many businesses overly expose AD admin credentials and consequently expose themselves to security breaches. More than 90% of organizations use AD to control policies for users and services, and they need to better secure their infrastructure. More than half let admins use the same account to configure AD and multiple other services.

Older programs make it tough to control security. "Bad guys use legacy programs to gain access and elevate privileges, and that's when the real damage and breaches begin," Gilliland says. Attackers rarely target Active Directory first; they look for other ways to get in, then access the AD system.

"It's usually a vulnerability in some application," he adds. "It typically starts simply, with a vulnerability that's probably known and the company just hasn't patched it."

Cracking Down on Attackers
"Once you've elevated privileges, it's impossible to see bad stuff is happening," Gilliland says of visibility. "You can't tell someone has the keys to the kingdom and is running amok."

There are two types of attackers, he explains. Some spread mass phishing attacks to see what level of access they get, then figure out if there's anything of value. Others use more targeted attacks attempting to gain access to specific information — for example, healthcare data.

If you've been breached in any way, most breach response companies will lock down and assess Active Directory because, as Gilliland puts it, "the attacker has almost always done something in AD." The next step is to turn off attackers' access, but finding them is tough, especially if your business has a big AD deployment.

Sometimes the only way to handle an Active Directory breach is to rebuild AD from scratch. If you have evidence that outside attackers have found their way in and created 10,000 accounts in a 50,000-person company, it will be almost impossible to get rid of them without starting over.

"The marketplace makes it very difficult to know who's attacking you until after they've stolen something and after the damage is done," he says. It doesn't help that adversaries are becoming smarter and using more-sophisticated tools than they were five years ago. Attackers are a profit center; IT departments have a strict budget that limits their actions.

The Vulnerability of Passwords
"The Active Directory password is probably the most valuable one," says Amit Rahav, VP of marketing and business development at Secret Double Octopus. "We've been told to create long and complicated passwords, we've been told to change them frequently, and we end up using more and more passwords to get our jobs done."

Passwords are the most common authentication factor but also the most frequently abused, and they're a prime target for attackers seeking Active Directory access. With so much sensitive data in one place, AD authentication is a "single point of failure." The most common way for attackers to obtain passwords is through social engineering or phishing attacks.

But sometimes those aren't even necessary. Rahav points out that some passwords are encrypted, but often they're weak; for example, a birth date or dog's name. Open source tools are available to break those types of passwords, he explains. Sometimes employees store passwords in iPhone notes, Android notes, or Google+ pages, where they're easily found.

Rahav emphasizes the need for stronger protection. "It's time to move into stronger and user-friendly authentication factors … move from passwords into phones, biometrics, and things of that nature." Microsoft offers Windows Hello, which authenticates using facial recognition but requires new hardware.

Rahav anticipates biometrics will continue to grow for Active Directory authentication and within the enterprise, especially as more people use it for personal devices. "A few years ago, nobody knew what biometrics was; now before breakfast we use it two or three times."

How to Be Proactive about AD Security  
Once malicious actors are inside, it's hard to detect them, whether they're external attackers or rogue employees. Often Active Directory is threatened by internal users who have been granted privileges they shouldn't have. You need to know who has access and how to restrict it.

A straightforward step for businesses to take is securing the access workstation, says Gilliland. "The first thing you should do is make sure you can only access Active Directory from a system that's specifically designed to administer Active Directory and nothing else," he says. "That will eliminate a lot of pain."

From there, you should monitor the actual domain controllers. It's complicated, says Gilliland, but provides visibility into what's happening and helps avoid malicious activity. Businesses should also modernize the way that they delegate access to who has permission to change rules.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
2/3/2018 | 3:08:56 PM
AD's inherent limitations
Active Directory is powerful; and something like it is necessary with enterprise networks.  However, I think Microsoft locked themselves into the wrong data topology (and the wrong mindset).  AD was (and I assume still is), hierarchical, rather than relational. 

While performance advantages are important, you lose the built-in safeguards of a Relational Model compliant schema. 

Perhaps more importantly is that application domain modeling methodologies used to generate RM schemas, provide better correspondence between the facts (objects and relationships - business rules), in the domain and the data structure.  The result is that the models are more comprehensible, in the terms used within those domains.  Because the business rules are integrated into the transactional processes of a RDBMS (rather than applied and processed externally), rule changes are reflected in an updated schema, and enforced by mechanisms of the transactions. 

Security and data integrity are inherently better with a transaction based system.  When domain specific (your enterprise network assets and rules, in this case), RM compliant schemas are generated by means of a fact-based methodology, the conceptual level model is created using the terms and rules actually used by your domain-experts/knowledge-workers -- rather than imposing someone's idea of how things should work, or shoehorning the specifics of your enterprise to fit a template.

Object Role Modeling (a fact-based methodology), results in a perspective of roles and rules, rather than types and labels.  This leads to thinking in terms of workflows and individuals, rather than job titles and groups, when it comes to permissions and restrictions.  Consider how that would impact network security concerns. 

I don't know if a solely RDBMS solution could meet the speed and scale performance levels of AD; probably not.  Still, a hybrid system could offer the benefits of each; and result in a better overall solution to enterprise network/asset management, efficiency and security.   
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6970
PUBLISHED: 2018-08-13
VMware Horizon 6 (6.x.x before 6.2.7), Horizon 7 (7.x.x before 7.5.1), and Horizon Client (4.x.x and prior before 4.8.1) contain an out-of-bounds read vulnerability in the Message Framework library. Successfully exploiting this issue may allow a less-privileged user to leak information from a privil...
CVE-2018-14781
PUBLISHED: 2018-08-13
Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G The models identified above, when paired with a remote controller and having the "easy bolus" and "remote bolu...
CVE-2018-15123
PUBLISHED: 2018-08-13
Insecure configuration storage in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows remote attacker perform new attack vectors and take under control device and smart home.
CVE-2018-15124
PUBLISHED: 2018-08-13
Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device.
CVE-2018-15125
PUBLISHED: 2018-08-13
Sensitive Information Disclosure in Zipato Zipabox Smart Home Controller allows remote attacker get sensitive information that expands attack surface.