The Truth Behind Cybersecurity’s Biggest Lie
Date: 5 December 2019
The world of modern cybersecurity has unfortunately been made more complicated than it really needs to be. Every day, we hear about new solutions that are based on the most modern and unpronounceable technologies that promise to protect organisations like nothing else can.
Cut the FUD and just focus on your business’s Active Directory
They are sold and turned into overnight successes purely on the basis of fear mongering. Fear, uncertainty and doubt, or FUD, as this phenomenon is popularly known, has almost become a marketing tool, which shows just how sad the state of affairs really is. Business CEOs and CFOs are not idiots and it’s time to cut the BS and offer solutions with real value.
This Webinar, hosted by Amar Singh, CEO of Cyber Management Alliance along with Chris Eves, Cybersecurity Specialist at ALSID, seeks to separate the wheat from the chaff. The two cyber crisis management experts aim to shed light on the stuff that truly matters and that must be made the focus area immediately by those businesses who are really interested in beefing up their security posture.
The webinar focusses on these simple and straightforward pieces of advice:
- C-suite executives are not idiots and they’re tired of being sold fear!
- Cybersecurity vendors need to stop trying to outwit them
- Instead, raise awareness and provide factual guidance.
- Discussions must be organisation-specific and based on hard facts
- Scaring CEOs and C-levels with the 4% fines that GDPR imposes is an old-fashioned, outdated and preposterous methodology that needs to be shown the door already!
- Beating the drum on GDPR related fines is old-fashioned and outdated. The executives are already aware of the proposed fines to BA and Marriott.
The duo move on quickly to highlight the aspects of cyber protection that really do matter, and the foremost of these is the Active Directory, which Amar likes to refer to as the heart of the organisation. People lose sight of the Active Directory while being swayed by other sophisticated-sounding tools and technologies, and this is the very vulnerability that hackers exploit. Chris and Amar reiterate one simple but oft-forgotten fact throughout this educational webinar – with a strong Active Directory, most cyber-attacks that have happened in the recent past would not have gone through successfully!
The SingHealth Attack
Next, they take a deeper look at some recent examples of cyber crisis and delve into how these attacks really happened. They start with a discussion of SingHealth, Singapore’s largest cluster of healthcare institutions. The data breach compromised:
- the personal details of nearly 1.5 million people, and
- the prescriptions of about 160,000 patients.
The Webinar further brings up some alarming facts about the SingHealth attack:
- AD audits happened at the organisation once a year, but none of the remediation exercises was followed through.
- The Citrix servers, critical for remote access, were not covered by the central AD policy.
- Many local admin accounts were left unmanaged, ignoring the machines and tools that could have been used to manage them.
- There were plenty of dormant privileged service accounts – exactly the kind of carelessness that attackers go after.
The Ukraine Electricity Grid Cyber-Attack
The next case that Chris and Amar discuss is one of the worst cyber-attacks ever, which successfully compromised Ukraine’s power grid. National infrastructure was literally attacked through an email and a very clever piece of malware. The cyber-criminals in this case, too, managed to gain privileges and attack the heart of the organisation, i.e., its Active Directory. So great was the impact of this attack that the hardware was left inoperable and unrecoverable. This was one of the few cases where a cyber-attack successfully impacted the physical realm and physical assets, leaving Ukraine without power.
Examples such as this are discussed during the Webinar to illustrate compellingly just how damaging an Active Directory compromise can be! Chris and Amar, however, are quick to underline that Active Directory is the core piece but the rest of the security posture also has to be strong in order to protect the organisation successfully and ensure that an attack doesn’t go through.
The sad part here is that several organisations have still not learnt from the mistakes of others. It’s still very easy for hackers to compromise businesses across the globe, move laterally and finally get hold of admin credentials and then do exactly as they want.
The message, therefore, is loud and clear – “If you want to deny longevity to cyber-criminals, you have to protect your Active Directory.”
ALSID and how it protects your AD for you
Once the severity of a compromised AD was made clear, Amar questioned Chris on what ALSID does and how it can support organisations with protecting and securing AD.
According to Chris, many organisations do little bits in organisational protection like multi-factor authentication, privileged account management and identity solution management but they fail to look at the gaps and vulnerabilities within AD. Further, some may have AD monitoring in place, but they don’t actually monitor the logs or follow through on them proactively.
ALSID, Chris claims, looks at gaps/holes/vulnerabilities in AD and gives deep visibility and real-time detection of attack attempts which can help the client quickly plug loopholes and actually stop an attack from going through.
What Amar liked, and in his opinion what makes ALSID very attractive, is the fact that there is no need for any on-device agent installation. Furthermore, the product doesn’t need admin rights.
The Time to Deploy
Chris claimed that ALSID is relatively straightforward, easy to configure and integrates with the wider security stack such as SIEM and SOAR solutions.
The final takeaways from this Webinar are:
- Protect your Active Directory at all costs.
- Audit your Active Directory and all users.
- Be bold: disable accounts if they are not being used.
- Monitor Active Directory activity.
- Baseline what is considered good in Active Directory – malicious activity in AD is often the first indicator of a compromise.
- Prepare for a rebuild – take regular complete off-line back-ups of your AD schema and configuration.
- Get rid of bad practice when it comes to AD.
- Privileged accounts should not run Kerberos services.
- Always ask yourself for AD: who has access to what, and who can do what?
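As an added example (not part of the webinar, and not ALSID’s product), the PowerShell report below puts several of these takeaways and the SingHealth findings above into practice: it lists enabled accounts that have gone dormant, resolves privileged group membership recursively to find dormant privileged accounts and privileged accounts that carry a Kerberos service principal name, and pulls recent privileged group membership changes from the Security log so the result can be kept as a baseline. It assumes the RSAT ActiveDirectory module, a read-only domain account, a 90-day inactivity threshold and the listed set of privileged groups; all of these are assumptions to adjust for your environment. Nothing in it changes AD unless the final line is un-commented.

```powershell
# Added example: Active Directory hygiene report (read-only by default).
# Assumes the RSAT ActiveDirectory module; the 90-day threshold and the
# privileged group list are assumptions, not values from the webinar.
Import-Module ActiveDirectory

$InactiveDays     = 90
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# 1. Audit all users: enabled accounts with no logon in $InactiveDays days.
#    LastLogonDate is derived from the replicated lastLogonTimestamp, so
#    querying a single domain controller is sufficient for this purpose.
$dormant = Get-ADUser -Filter { Enabled -eq $true } `
                      -Properties LastLogonDate, PasswordLastSet, ServicePrincipalName |
           Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }

# 2. Who can do what: resolve privileged group membership recursively,
#    de-duplicate users that sit in several groups, then re-read attributes.
$members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
}
$privileged = $members |
    Sort-Object -Property distinguishedName -Unique |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName `
                   -Properties LastLogonDate, PasswordLastSet, ServicePrincipalName
    }

# 3. Dormant privileged accounts (the SingHealth finding) and privileged
#    accounts that run a Kerberos service, i.e. carry a servicePrincipalName.
$dormantPrivileged = $privileged |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }
$privilegedWithSpn = $privileged |
    Where-Object { $_.ServicePrincipalName.Count -gt 0 }

# 4. Monitor AD activity: membership changes to security-enabled groups in
#    the last 7 days (event IDs 4728 global, 4732 local, 4756 universal).
#    Assumes the script runs on a domain controller with rights to read the
#    Security log; elsewhere this section simply returns nothing.
$groupChanges = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# 5. Report. Pipe each table to Export-Csv to keep a baseline for the next run.
"== Dormant enabled accounts (> $InactiveDays days): $(@($dormant).Count)"
$dormant | Select-Object SamAccountName, LastLogonDate, PasswordLastSet | Format-Table -AutoSize

"== Dormant privileged accounts: $(@($dormantPrivileged).Count)"
$dormantPrivileged | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

"== Privileged accounts with a servicePrincipalName: $(@($privilegedWithSpn).Count)"
$privilegedWithSpn |
    Select-Object SamAccountName, @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join '; ' } } |
    Format-Table -AutoSize -Wrap

"== Privileged group membership changes (last 7 days): $(@($groupChanges).Count)"
$groupChanges | Format-Table -AutoSize -Wrap

# 6. "Be bold": disable dormant accounts. Left commented so the report stays
#    read-only; remove -WhatIf only after reviewing the list above.
# $dormant | Disable-ADAccount -WhatIf
```

Run it with an ordinary domain account first; only the Security log section and the commented disable step need elevated rights. Saving the three tables with Export-Csv after each run gives the "baseline of what is good" that the webinar asks for, so the next run can be diffed against it rather than read from scratch.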
Founded in 2015 and headquartered in London, UK, Cyber Management Alliance Ltd. is a recognised independent world leader in Cyber Incident & Crisis Management consultancy and training. The organisation is renowned globally as the creator of the flagship Cyber Incident Planning and Response course certified by the UK Government’s National Cyber Security Centre.
Cyber Management Alliance has serviced over 300 enterprise clients in multiple verticals including government, banking, finance, IT, consultancies, healthcare, oil & gas and retail across 38 countries. It has carved a niche by assessing, building and improving its clients’ Cyber Incident & Crisis Management capabilities through training, tabletop exercises, health checks and audits. Today, Cyber Management Alliance has a global and diverse network of over 80,000 cyber executives and practitioners worldwide.