
A Healthy Active Directory Makes for a Healthy Environment

Do What You Can to Bolster Your Security Posture

October is National Cybersecurity Awareness Month! In honor of the occasion, our Loop1 Technical Account Manager, Katie Boldizar, gives insight about the importance of maintaining Active Directory (AD) and how a healthy AD can significantly improve your cybersecurity protocols!

Keeping your AD secure is fundamental to maintaining services for Microsoft-based servers and networks. Proper upkeep of your Active Directory is crucial to cybersecurity because Active Directory holds the keys to the proverbial kingdom, so to speak. With the ability to assign and enforce security and encryption protocols, control the storage and flow of data, and manage access rights, certificates, and security roles, AD is truly the core of the entire IT infrastructure.

Because Active Directory is such an integral piece of our technical environments, there are numerous housekeeping tasks that need to be addressed to maintain optimal domain health. But, due to the chaotic nature of the modern SysAdmin role, many of these tasks are often neglected, overlooked, or take a backseat to more mission-critical work. We’ve all heard the saying that the squeakiest wheel gets the grease – well, that sentiment rings true for IT professionals the world over.

Fortunately, you are not alone in your journey to maintaining a healthy AD. SolarWinds has a deep bench of security-related tools that will help increase the security posture in your environment with minimal time and effort on your part. Let’s look at some of the most commonly overlooked tasks and how SolarWinds Access Rights Manager (ARM) can simplify them.

To start, let’s talk about finding and fixing broken permission inheritance.

I won’t make you air your dirty laundry in a public forum, but I am willing to bet that someone reading this is thinking to themselves, “When was the last time I checked for broken inheritance permissions in my environment?” – Last week? Last month? Maybe even last year??!

Regardless of where you fall on this spectrum, establishing a regular maintenance schedule can help you avoid broken inheritance permissions and will further secure your environment from external attack. For practitioners utilizing SolarWinds ARM, I encourage you to incorporate the out-of-the-box features into your maintenance schedule. A handy, built-in report will identify all your corrupted inheritance issues with no manual processes or messy scripts to maintain, saving you time and effort in the long run.

It’s possible that you are using some kind of complex scripting to automate this process in order to avoid setting up reminders to check for errors or anomalies. While it may be more convenient to automate most of the time, in this instance automation can pose a security risk to your AD.

Creating automatic workflows to check permissions instead of establishing a schedule could lead to a situation where incorrect permissions are applied to the wrong object. This could be anything from granting the wrong permission to a file, resulting in a breach of confidential data, to security permissions being incorrectly applied to an Organizational Unit (OU), resulting in a catastrophic failure. Ultimately, inaccurate inheritance permissions can cause errors or an inability to edit objects for administrative accounts or groups trying to modify the Active Directory – a headache we all want to avoid.
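The check behind the “broken inheritance” report described above is simple to reproduce by hand. The following PowerShell is an added example, not code from the original post or from SolarWinds: it lists objects whose ACL has inheritance disabled (a “protected” DACL that no longer receives the permissions set on its parent). `Get-Acl` exposes that state as `AreAccessRulesProtected` for both NTFS folders and AD objects; the `AD:` drive used for the latter comes from the ActiveDirectory module in RSAT. The `D:\Shares` and `OU=Staff,DC=corp,DC=example` paths in the comments are placeholders, and the demo tree built under `$env:TEMP` is constructed so the scan can be tried without a domain.

```powershell
# Added example (not from the original post): report objects whose ACL has
# inheritance disabled, i.e. a "protected" DACL. Works for NTFS folders and,
# with -ActiveDirectory, for objects under an OU via the AD: drive (RSAT).

function Find-BrokenInheritance {
    param(
        [Parameter(Mandatory)][string]$Root,   # e.g. 'D:\Shares' or 'AD:\OU=Staff,DC=corp,DC=example' (placeholders)
        [switch]$ActiveDirectory                # set when $Root is an AD: path
    )
    $items = if ($ActiveDirectory) {
        Get-ChildItem -Path $Root -Recurse              # every object below the OU
    } else {
        Get-ChildItem -Path $Root -Recurse -Directory   # folders only, where share permissions are normally managed
    }
    foreach ($item in @($items)) {
        $target = if ($ActiveDirectory) { "AD:\$($item.DistinguishedName)" } else { $item.FullName }
        $acl = Get-Acl -Path $target -ErrorAction SilentlyContinue
        if (-not $acl -or -not $acl.AreAccessRulesProtected) { continue }
        # Inheritance is off here: report the explicit ACEs that now govern the object
        [pscustomobject]@{
            Path         = $target
            Owner        = $acl.Owner
            ExplicitAces = ($acl.Access | Where-Object { -not $_.IsInherited } |
                            ForEach-Object { "$($_.AccessControlType) $($_.IdentityReference)" }) -join '; '
        }
    }
}

# Constructed demo that needs no domain: build a small folder tree, break
# inheritance on one subfolder, then scan the tree.
$demo = Join-Path $env:TEMP 'inheritance-demo'
New-Item -ItemType Directory -Path "$demo\Finance\Payroll", "$demo\HR" -Force | Out-Null
$acl = Get-Acl -Path "$demo\Finance\Payroll"
$acl.SetAccessRuleProtection($true, $true)   # stop inheriting; keep the current ACEs as explicit copies
Set-Acl -Path "$demo\Finance\Payroll" -AclObject $acl

Find-BrokenInheritance -Root $demo | Format-Table -AutoSize
```

Run against a share root or an OU, the output is the list of places where someone deliberately (or accidentally) cut the object off from its parent’s permissions; each row’s explicit ACEs tell you what is now governing access there, which is what you need when deciding whether to re-enable inheritance or keep the exception.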

Next, we need to talk about circular nested groups.

For those of you new to the conversation, circular nested groups occur when groups are created that include overlapping user access by means of nested group access, creating an infinite loop in the full membership path. Active Directory allows “children” to also be “parents” in the same instance of their family tree, so to speak, which can lead to circular nested groups. If you have a nested group structure that loops in a circular manner, every user who is a member of any of the other recursive groups will be granted access rights for all of the groups. Needless to say, this structure makes group membership assignments ineffective and poses rather obvious security risks.

You are more likely to have circular nested groups as more and more layers are added to your nested group structure. There are a number of ways to identify circular nested groups in your environment, from manual processes to PowerShell scripts, but for those that can, we recommend using SolarWinds ARM, which can automatically identify any recursion that exists in your environment.
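For readers who want to see what the PowerShell route looks like, the script below is an added example, not code from the original post or from SolarWinds. It treats group nesting as a directed graph and walks it depth-first, reporting every chain that leads back to a group already on the current path. `Find-CircularGroups` works on a plain hashtable (group name to the names of groups nested directly inside it) so the logic can be exercised on constructed data; `Get-GroupNesting` is an added helper that builds that hashtable from the domain with the ActiveDirectory module from RSAT. The group names in the sample are constructed.

```powershell
# Added example (not from the original post): detect circular group nesting.

function Get-GroupNesting {
    # Build @{ GroupName = @(names of groups nested directly in it) } from AD.
    $map = @{}
    foreach ($g in Get-ADGroup -Filter * -Properties Members) {
        $children = foreach ($dn in $g.Members) {
            $obj = Get-ADObject -Identity $dn -Properties objectClass
            if ($obj.ObjectClass -eq 'group') { $obj.Name }
        }
        $map[$g.Name] = @($children)
    }
    return $map
}

function Find-CircularGroups {
    param([Parameter(Mandatory)][hashtable]$Nesting)
    $cycles = New-Object System.Collections.Generic.List[string]
    $done   = @{}   # groups whose entire nesting subtree has already been explored

    function Walk([string]$group, [string[]]$path) {
        if ($path -contains $group) {
            # $group is already on the current chain: everything from its first
            # appearance to here is one loop
            $start = [array]::IndexOf($path, $group)
            $loop  = $path[$start..($path.Count - 1)] + $group
            $cycles.Add(($loop -join ' -> '))
            return
        }
        if ($done.ContainsKey($group)) { return }   # fully explored earlier, no new loops below
        if ($Nesting.ContainsKey($group)) {
            foreach ($child in $Nesting[$group]) { Walk $child ($path + $group) }
        }
        $done[$group] = $true
    }

    foreach ($g in @($Nesting.Keys)) { Walk $g @() }
    return $cycles
}

# Constructed sample: Finance-Team is nested in FileShare-RW, Finance-Managers in
# Finance-Team, and FileShare-RW is nested back into Finance-Managers.
$sample = @{
    'FileShare-RW'     = @('Finance-Team')
    'Finance-Team'     = @('Finance-Managers')
    'Finance-Managers' = @('FileShare-RW', 'HelpDesk')
    'HelpDesk'         = @()
}
Find-CircularGroups -Nesting $sample

# Against a real domain (RSAT installed, rights to read group membership):
# Find-CircularGroups -Nesting (Get-GroupNesting)
```

Because a group is marked done only after its whole subtree has been walked, each loop is reported once rather than once per group it passes through, and the `$path -contains` test is what turns the “infinite loop in the membership path” into a finite, printable chain.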

The last major task we need to discuss is monitoring assigned permissions using DirectAccess.

Because DirectAccess gives us the ability to determine how permissions are assigned to any user and identify users with directly granted permissions, we are able to swiftly eliminate any inappropriate access, thus reducing overall risk and strengthening security posture. SolarWinds ARM can pinpoint all of the direct access rights on your file server(s), allowing you to use the built-in drag and drop functionality to effortlessly direct access rights into a particular group. As always, security best practices should be top of mind when using DirectAccess to set permissions in Active Directory.

Using DirectAccess to assign permissions through group membership ensures that we are eliminating security risk where possible. This approach allows us to apply the rule of least privilege – an AD best practice that emphasizes the importance of assigning users the permissions they need to do their job and nothing more. Keep in mind that the rule of least privilege is used to prevent the spread of potential threats to your entire environment and has nothing to do with the trustworthiness of your employees or team members.
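Finding the directly granted rights that the post recommends moving into groups can also be scripted. The following is an added example, not code from the original post or from SolarWinds: it walks a file-server tree, looks only at ACEs set explicitly on each folder (inherited ones are reported where they originate), and keeps those whose principal resolves to a user object rather than a group. Classifying principals needs the ActiveDirectory module from RSAT; the `\\FILESERVER01\Shares` path is a placeholder.

```powershell
# Added example (not from the original post): list explicit NTFS ACEs that grant
# rights to individual user accounts instead of groups.

function Find-DirectUserAces {
    param([Parameter(Mandatory)][string]$Root)
    $classCache = @{}   # identity name -> objectClass, so each principal is resolved once

    function Get-PrincipalClass([string]$name) {
        if ($classCache.ContainsKey($name)) { return $classCache[$name] }
        $class = 'unknown'
        try {
            # Translate DOMAIN\name to a SID, then ask AD what kind of object owns it
            $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
            $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
            if ($obj) { $class = $obj.ObjectClass }
        } catch { }   # local or well-known principals (e.g. NT AUTHORITY\SYSTEM) stay 'unknown'
        $classCache[$name] = $class
        return $class
    }

    Get-ChildItem -Path $Root -Recurse -Directory | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }          # report the grant only where it was made
            $name = $ace.IdentityReference.Value
            if ((Get-PrincipalClass $name) -eq 'user') {
                [pscustomobject]@{
                    Folder = $_.FullName
                    User   = $name
                    Rights = $ace.FileSystemRights
                    Type   = $ace.AccessControlType
                }
            }
        }
    }
}

Find-DirectUserAces -Root '\\FILESERVER01\Shares' | Format-Table -AutoSize   # placeholder UNC path
```

Each row is a candidate for the “move this into a group” workflow the post describes: create or pick a group that represents the business need, add the user to it, grant the group the same rights, and then remove the direct ACE.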

All in all, Active Directory is an extremely useful tool utilized by nearly 90% of businesses to support sysadmins, accidental DBAs, and IT professionals of all sorts in their attempt to keep our IT environments safe and secure. If you are looking to bolster your security protocols, your first step is to ensure that your environment is set up properly. Once that is established, maintaining regularly scheduled checkups in your Active Directory will help you sustain a secure environment. Beyond that, utilizing DirectAccess, checking for broken inheritance permissions, and keeping a clean environment are the best ways to keep your organization safe from a security threat. Good luck and Godspeed in your security journey. For further support, or any questions you may have about Active Directory, contact a member of the Loop1 team today!

By: Katie Boldizar
Loop1 Technical Account Manager
Network+, Security+, SCP
https://katieboldizar.com

Q&A with our Loop1 Engineer on keeping your servers secure

Servers are integral to network functionality and are also one of the most common targets of a cyber attack. According to Verizon’s 2018 Data Breach Investigations Report, the second most common type of security breach in the world is a Denial of Service (DoS) attack on servers. Physical servers, cloud servers, and even hybrid servers can all receive a DoS attack. As such, servers of all types have inherent security vulnerabilities that need monitoring.


Katie Boldizar, our Loop1 Technical Account Manager, shares her observations about current server security practices and discusses the future of server monitoring and server security as IT environments become more complex.

Katie has over 10 years experience working in IT infrastructure, installation, configuration, and security. Prior to her career in IT, she served as a Multiple Launch Rocket System repairer (94P) in the U.S. Army.


Q: What measures for maintaining server security often get overlooked?

A: In order to keep any server secure, you need to patch the server on a regular basis. Another key component to consistent server security would be “hardening” the server:

  • Vetting what software is and isn’t allowed on a server
  • Limiting the server’s open ports (connections to the outside world)
  • Controlling the internet access to the server (who can access the server and what types of devices can access the server)
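The second hardening item, limiting open ports, is easiest to keep honest with a recurring check. The PowerShell below is an added example (not from the interview or from Loop1): it lists every TCP port a Windows server is listening on, maps each to its owning process, and flags anything not on an approved list. The `$Approved` default is a constructed placeholder; replace it with the ports the server is actually meant to serve.

```powershell
# Added example (not from the interview): audit listening TCP ports against an
# allowlist so unexpected services stand out.

function Get-ListeningPortReport {
    param([int[]]$Approved = @(135, 445, 3389, 5985))   # constructed example allowlist
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port     = $_.LocalPort
                Address  = $_.LocalAddress
                Process  = if ($proc) { $proc.ProcessName } else { 'unknown' }
                Approved = ($Approved -contains $_.LocalPort)
            }
        }
}

# Unexpected listeners are the ones to investigate, remove, or block at the firewall
Get-ListeningPortReport | Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

Scheduling this as a task and diffing the output against the previous run turns the “limit open ports” item from a one-time hardening step into something you will notice drifting.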

Q: What good practices do you recommend to others to ensure uninterrupted server security?

A: Making sure the server is properly hardened is my first recommendation. Monitoring who logs into a server and controlling user permissions to which part of a server can be accessed by what user would be other good practices to put into place.

Lastly, I recommend implementing policies that focus on user accountability, such as regularly changing passwords and setting server usage standards.


Q: What are the most common SolarWinds tools you’ve seen used for server security?

A: I’ve seen many environments utilizing SEM (Security Event Manager) with file integrity monitor software, which can not only track any files and folders within a server, but also provide details about any changes made to all files and folders within a server.

ARM (Access Rights Manager) is another common tool. ARM is used for automating server access and setting user permissions, which is helpful in preventing data loss and security breaches.


Q: What are your thoughts on maintaining physical server security versus cloud server security?

A: For me, there is not too much of a difference. I feel that most now view cloud-hosted servers as just as secure as on-premises servers. Though, there is an ongoing debate.


Q: What are your predictions for the use of cloud-based and cloud hosted servers over physical servers?

A: Serverless architecture adoption and microservices have grown in popularity as more clients are moving away from container-based services. Additionally, I’ve seen an increase in the use of cloud security automation, which allows you to launch security protocols as a response to cloud events such as a DoS attack.

Though, many large organizations that invest a lot in security and choose to keep their data centers onsite may favor housing their data on physical servers.


Q: Lastly, what are your recommendations to keep a company’s data secure in cloud servers?

A: My top recommendations for cloud security:

  • Educate employees about cloud security awareness and best practices
  • Create a data backup plan
  • Be aware of who has access to the data
  • Always use encryption and have a strong password policy

As cyber attacks and DoS attacks on servers continue, maintaining and monitoring server security remains an ongoing process in safeguarding who has access to the data on a server.

Creating a regular patch and update schedule, educating all employees about security awareness, and monitoring who and what device(s) have access to a server are just a few preventative steps to making sure your servers are ready for a cyber attack.

By: Katie Boldizar
Loop1 Technical Account Manager
Network+, Security+, SCP
https://katieboldizar.com

Happy #SysAdminDay – A Sit Down with Our In-House SysAdmin

I have a really great joke about UDP, but you probably wouldn’t get it. . .

Comedic gold that good can only mean one thing: IT’S SYSADMIN DAY! To celebrate, we sat down with our very own Loop1 SysAdmin, @Ben Penney, to learn a little more about him and his integral role in our company.

Q: What exactly is a SysAdmin? In general, what are the responsibilities of a SysAdmin?

BP: The best way to think of a SysAdmin would be a person or team that maintains a company’s day-to-day functionality.

Depending on the company, the role could be taking care of servers specifically or certain functions of a network. Usually, there is a team of SysAdmins that take care of different functions: servers, network (switches and routers), help desk, and hardware.

Examples of hardware devices SysAdmins maintain:

Servers, VM, switches, routers, firewalls, laptops, desktops, printers, wireless devices, WI-FI networks, conferencing equipment, smart TVs, and much more.

Q: If you could be any animal in the world, what animal would you be and why?

BP: Bald eagle – They can see things up to two miles away and they look badass

Q: What are the day-to-day functions that SysAdmins perform?

BP: In terms of the day-to-day functions, the role of a SysAdmin is to make sure that each person has what they need to do their job. For our Loop1 team, it’s making sure that everyone has a laptop, the correct applications running on the machine, and that each person has the right permissions to perform their job (access to particular file servers, specific email calendars, use of certain applications, etc.).

For Loop1, I take care of the server infrastructure. I make sure that we have the right servers to perform the company’s needs, as well as maintain the servers by keeping them healthy and patched on a regular basis. More importantly, my job as a SysAdmin is to make sure that all servers and systems are up and running so that the company can function. I am responsible for making sure that all company hardware is patched, secure, and ensure that redundancies are in place in case something does fail—and it’s all documented.

Q: Are you more of a hunter or a gatherer?

BP: Hunter – no reason I just feel that’s me

Q: Are SysAdmin responsibilities generally the same from company to company, or are there differences?

BP: More so in a large-scale network, having everything well documented is important. So, if something were to happen to a SysAdmin, another person could easily step in and know how the network functions without having to waste time figuring out how and where everything in the network is connected.

Another function of a SysAdmin is keeping a record of every machine in the environment. Knowing how old each machine is and when it was patched are key to maintaining the upkeep of the company network, which is most important because it’s the network that employees work in and do their job.

Q: What’s your favorite ’90s jam?

BP: Sublime – Santeria

Q: What part of managing the network are SysAdmins involved with?

BP: In regards to networking, in our instance, we have an internet connection, a firewall that brings the connection in, and switches that distribute that internet connection to multiple systems.

Q: Do SysAdmins have a role in network security?

BP: Security is another function that a SysAdmin role could include. Typically for larger companies, there is a security team making sure that machines and hardware devices are regularly patched. For Loop1, I hold that responsibility as well as implementing programs that enforce security policies that help reduce security risks that would be detrimental to the company network.

Some of the programs SysAdmins use to enforce security policies could be security training for employees, fake phishing campaigns, social engineering tests, or just leaving a USB outside the office and seeing who picks it up and uses it. But, these are just high-level examples of what can be done. There is a lot more that can be done by SysAdmins to help keep a company network secure.

Q: You’re a new addition to the crayon box. What color would you be and why?

BP: Blue streak – because I like the color blue and the movie

Q: Favorite Super Hero?

BP: Chuck Norris

Q: Is there anything you would want others to understand about the roles and responsibilities of a SysAdmin beyond just, oh, the SysAdmin is the IT person who fixes the printer and the computers when they break?

BP: My advice for employees at any company would be to learn more about the environment they are working in. No matter what position your job is, you will have a computer to use.

Employees having some basic knowledge about the computer they use on a day-to-day basis can save a lot of time. When a member of the IT team comes by to fix your machine, take a moment to learn about what caused the issue and perform your work in a more efficient manner.

So there you have it, folks – a glimpse into the life of the man that keeps our systems and networks running so the rest of us can do the things that we do best! Thank you for being our IT Bald Eagle! Cheers to you, Ben Penney, and Happy SysAdmin Day!

Keeping your network secure–a Q&A with our Loop1 Engineer

With the ever-present threat of a cyber attack, it’s important to maintain proper cybersecurity. Company networks are a common point of cyber attacks.

Network security breaches primarily come from attacks from outside the network attempting to get in: hacking, phishing attacks, etc. But, according to the “2018 Data Breach Investigations Report” by Verizon, network vulnerabilities can also come from within the network: human error, unregulated access to data, rogue employees, etc.

Our Loop1 Engineer Katie Boldizar discusses the importance of establishing network security protocols to ensure consistent security throughout all aspects of a network.

Katie has over 10 years experience working in IT infrastructure, installation, configuration, and security. Prior to her career in IT, she served as a Multiple Launch Rocket System repairer (94P) in the U.S. Army.


Q: What are the three most common issues you see in keeping a network secure?


A: Unknown assets on the network will always be one of the biggest issues. Without a complete inventory of what devices are using the network, you will never know the full extent of what needs to be secured.

Out-of-date systems are another issue. Having a firm patching plan and maintenance schedule in place are paramount to maintaining network security.

Proper security awareness training. With all of the security risks that exist, we can’t assume that all users on a network know what to watch out for: phishing attacks, ransomware, spam, etc. You can have every possible network security measure in place, but it won’t be helpful if your end users are not trained on common security awareness principles.


Q: What are the most common threats to network security?

A: Phishing Attacks – attacker pretends to be a part of an organization in order to trick people into sending login information and other private information

Viruses – a piece of code that replicates within a computer system and corrupts and/or destroys data

Ransomware – attacker seizes control of a computer system and denies access until a ransom is paid.


Q: Where do you feel networks are most vulnerable, why?

A: One area that can be overlooked is attacks from inside a network—even accidental attacks. For example, not having a policy about the use of USB flash drives.

USB flash drives are one of the most common ways a network can get infected. If your network policies allow the use of personal USB flash drives, you are also opening your network to the risks of what files are on them.

I’ve seen many network security policies that now disable the use of personal USB flash drives.


Q: What extra precautions could people take in order to maintain network security?

A: There are countless security measures to protect a network, but the most important thing being implemented now is a proper Security Information and Event Management (SIEM) solution. SIEM systems provide a real-time analysis of security alerts.


Q: What are the most common SolarWinds software you’ve seen implemented to keep a network secure?


A: There are several SolarWinds tools, but I would say the most common are NCM (Network Configuration Manager) and SEM (Security Event Manager).

NCM offers the capability to create compliance reports and policies to help you maintain network devices.

SEM is a SIEM tool for monitoring real-time network security and helps to detect suspicious activity, enhance security, and demonstrate compliance with audit-proven reporting for HIPAA, PCI DSS, SOX, DISA STIG, and more.


Q: How have IoT devices (smartphones, smart TVs, Wi-Fi enabled devices) impacted network security?

A: Everything from smartphones to smartwatches is assigned an IP address, which allows IoT devices to exchange data and communicate with other devices. This also means that IoT devices can in turn be hacked or intercepted.

As the number of IoT devices increases, the attack surface also gets bigger and creates more opportunities for exploits by cyber criminals.

The more technology we use in our lives, the more vulnerable we make ourselves.

Attempts to access a network can come from outside the network but also from within. Keeping data safe and secure on a network is growing more complex as more and more devices, and a larger variety of devices, have internet connectivity.

Network security is no easy task but implementing regularly scheduled updates and training employees on security awareness/best practices are a good foundation to building and maintaining a secure network.


By: Katie Boldizar
Loop1 Technical Account Manager
Network+, Security+, SCP
https://katieboldizar.com/


Cyber Security

The Cost of a Cyber Attack

Around the world, more and more IT professionals are focusing on cybersecurity as safeguarding data is becoming increasingly more important to an organization’s internal success strategy. According to a study published by the Ponemon Institute in July of 2018, the average number of cybersecurity breaches increased by 6.4% in 2017 costing enterprise organizations an average of $3.86 million and 69 days from discovery to resolution of all breach-related issues. To get even more granular, organizations experienced an average per-record cost of $148 for every lost or stolen record. While US-based companies are the most vulnerable, both in the probability of an attack occurring and attack-related expenses, every domain across the globe is potentially at risk.

The good news? The IT industry as a whole is getting smarter and more well-prepared to guard against major attacks. Organizations are investing more in cybersecurity prevention with action items like:

  • Purchasing software to ensure the safety and security of IT environments
  • Employee Training
  • Extensive use of encryption
  • Creating reaction plans
  • Assembling response teams to remediate issues as quickly as possible

``APPROXIMATELY $6 TRILLION IS EXPECTED TO BE SPENT ON CYBER SECURITY GLOBALLY BY THE YEAR 2021``

What are the most common types of breaches to occur?

It is an unfortunate reality that criminal activity exists in all facets of our society, including the IT industry. For many enterprise organizations, software solutions such as the SolarWinds security products are an important part of their security plan to keep their environments safe and protected from potential threats.

The three major contributors to cybersecurity breaches are criminal or malicious attacks, system malfunctions, and human error, respectively.

Security breaches can come in all sizes and with all different agendas. The most common type of breach usually involves hacking client data; however, there are many different motivators.

The “2018 Data Breach Investigations Report” by Verizon cited more than 20 different types of security breaches or incidents as potential threats.

While hacking is the most common type of breach, the size for all breach types is getting bigger in terms of attack scope and the number of records affected.

The Identity Theft Resource Center (ITRC) reported a total of 1,632 data breaches and 197 million consumer records exposed in 2017, averaging 121,000 records per breach. In 2018, the ITRC reported a total of 1,244 breaches impacting over 446 million records.

An average of 358,000 records per breach in the US means there was an increase of nearly 66% of records impacted per incident in 2018.

The number of people exposed is even greater when you factor in other countries. According to Symantec’s “Norton Cyber Security Insights Report Global Results,” 978 million people in 20 countries were affected by cybercrime in 2017.

A major contributor to the significant cost difference among countries is the amount of money required to notify customers once a breach has occurred. Notification costs range widely throughout the world, due in large part to differences in regulation, with the United States being the highest at $740,000 as of 2018. In the United States, notification costs include:

  • Creation of contact databases
  • Determination of all regulatory requirements
  • Engagement of outside experts
  • Postal expenditures
  • Email bounce-backs
  • Inbound communication setups

The Real Cost of a Data Breach

As per IBM’s study, companies saved an average of $1 million when a security breach was discovered within 100 days of its intrusion and could save another $1 million if a breach was contained within 30 days. However, IBM’s study discovered it took approximately 197 days for a company to identify a breach and 69 days to contain the breach.

One of the largest security breaches in 2018, affecting approximately 383 million people globally, was the data breach at Marriott International. According to the ITRC, Marriott International’s network security was initially compromised in 2014, and the unauthorized access remained undiscovered and undisclosed until 2018.

These attacks can be detrimental to an organization’s bottom line, a lesson not lost on the global ride-share company Uber. They learned of a database breach that impacted more than 600,000 customers worldwide in 2016 but waited to send breach notifications until almost a year later in 2017. US courts responded to these missteps by fining the organization over $148 million (OAG-DC).

Other major breaches over the years, such as Yahoo in 2013 affecting nearly all 3 billion Yahoo customers, and the infamous Equifax breach in 2017 impacting more than 146 million customers worldwide, have led to major changes in legislation. By 2018, all 50 states had enacted some variation of data privacy laws, while Europe went as far as passing the General Data Protection Regulation (GDPR).

Tools like SolarWinds NetFlow Traffic Analyzer (NTA) and Server & Application Monitor (SAM) provide organizations of all sizes the ability to effectively monitor environments and detect possible threats earlier, saving time and money.

``GLOBAL AVERAGE COST PER PERSON OF A BREACH: $148``

Due to the global nature of our society, all industries face challenges in maintaining a secure network. That being said, some industries face greater challenges in keeping data secure. Here are the top 5 industries most likely to encounter a breach along with the average cost per record:

  • Healthcare = $408
  • Financial Services = $206
  • Technology = $170
  • Industrial Manufacturing = $152
  • Public Sector (Government) = $75

Networks for large, global businesses are not the only networks that get attacked; networks for small, local businesses are just as vulnerable. A report by Consumer Reports found that small businesses often have the same level of sensitive information but lack the knowledge or resources to maintain a secure network. “Cyber attacks are often automated, hitting many servers at once, and so hundreds of small businesses may get caught up for every 1 major company that’s affected.”

Regardless of the size of your organization, SolarWinds has solutions that can protect your IT environment from these types of attacks. Tools like Network Configuration Manager (NCM), Patch Manager, and Access Rights Manager can be used to satisfy controls and manage access rights, while Log & Event Manager (LEM) and Network Performance Monitor (NPM) can be used to ensure that security controls are working properly.

Where do network security vulnerabilities come from?

More often than not, security breaches are the result of outside entities wanting access to information on a network. But, threats to a network can also start from inside the network.

Unsurprisingly, there are many points of entry for malicious attackers to target your IT environment. According to the study published by Verizon, these are the top 5:

  • Web Applications
  • Miscellaneous Errors
  • Point of Sale
  • Internet of Things (IoT) Devices
  • Privilege Misuse

In their study, Verizon found that web applications on a network were attacked more than any other point of entry. “This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms. [The use] of stolen credentials is still the top variety of hacking in breaches involving web applications, followed by SQLi.”

The Internet of Things: A Growing Threat

Additionally, Internet of Things (IoT) devices and other wireless devices are a growing area of concern. The OECD notes that the current consumer market (current employees using a network or the public accessing a network) regularly utilizes a wide variety of IoT devices such as wearables (smart watches, phones), smart home applications (Nest thermostats, TVs), and motor vehicles.

The increased number of IoT devices connecting to a network poses a number of threats to an organization’s IT environment. In the Federal Trade Commission’s (FTC) report “Internet of Things: Privacy & Security in a Connected World”, the FTC’s panel cautioned that many companies manufacturing IoT devices may not come from a background with network security in mind or are unfamiliar with security compliance.

Moreover, some low-end devices may not be able to update device software or, “may lack economic incentives to provide ongoing support or software security updates at all, leaving consumers with unsupported or vulnerable devices shortly after purchase.” According to the FTC, IoT devices could potentially:

  • Allow unauthorized access to, and misuse of, personal information
  • Be used to facilitate attacks on other systems
  • Create safety risks that could be exploited to harm consumers

With the rising number of devices, it’s important to know who is on the network. SolarWinds’ Network Configuration Manager (NCM) can show what devices are connected, when devices approach end-of-service and end-of-life, make configuration changes, and even lock down devices with unauthorized access.

NCM’s network automation features were designed to manage changes across a network and maintain standards and service to all devices connected to the network, all while reducing downtime and ensuring that your network is compliant and secure.

``GROWING USE OF IoT DEVICES INCREASED THE AVERAGE COST PER PERSON PER BREACH BY $5``

While our ability to protect against attack continues to improve, IT trends confirm that the bad actors are just as adaptable. With every new software patch, there are numerous hackers ready and waiting to find new ways to exploit it.

The recent vulnerability discovered in Microsoft’s Remote Desktop Client serves as a good example of an organization taking a proactive approach to protecting customers once a threat was discovered. Microsoft went as far as offering a patch for XP clients, a product that had reached End of Service years before the vulnerability was discovered. While most individual users have moved on to newer versions of the product, Microsoft knew that many of their enterprise clients were running XP and did not want to risk exposing their systems to the threat of attack.

This shift towards security preparedness should come as no surprise given the nearly $4 million price tag associated with identifying, containing, and remediating a data breach. Combine that with the potential of Federal prosecution and it would be downright reckless of organizations to exclude cybersecurity measures from their strategic plan. The growing number and size of attacks over the past decade confirm the importance of cybersecurity for all domains worldwide. As IT professionals it is our duty to remain diligent in our fight against attacks and continue to produce effective and innovative tools to protect the masses from the effects of a detrimental breach.

###

Do You Need Help Addressing Security Concerns? Finding the right security strategy can be overwhelming. ``What are my most vulnerable areas? What products are best for my environment? Where do I even begin?`` We get it. . .we have been there, and we want to help! Provide your contact details and a little bit of information about your environment and one of our team members will reach out to start the conversation.