It’s Time to Be Proactive with IT Security Administration
Is your organization upholding password policy best practices? Here are three you can implement right away to keep your organization and users safe.
All too often, it can be easy for organizations to build a set of identity-based security processes and procedures only to then walk away once the work is done. Sure, you’ll be monitoring things and making adjustments here and there, but the effort is primarily reactionary. There are no forward-thinking or proactive steps taken to ensure those processes and procedures are followed consistently and evaluated on an ongoing basis.
One reason is the misperception that cybersecurity measures offer little ROI. According to cybersecurity expert Troy Hunt, the potential fines for cybersecurity failures — such as those under GDPR — should be more than enough to justify the investment. Despite this, companies are sticking with old (even decades-old) security systems — putting their businesses, employees, and customers at significant and prolonged risk of a breach.
However, strong IT security administration doesn’t have to come with a heavy price tag. There are a number of steps and best practices you can follow with your existing systems to ensure your employees’ and customers’ data remains safe. Much of it rests with a role that your IT and information security teams already have as well: your administrators.
1. Administer Your Administrators
Take a careful look at your Active Directory (AD) setup. Here, your organization’s users have been assigned appropriate roles with permissions according to what they need access to and what their position does. This critical area of your IT security administration must be reviewed and updated frequently, particularly for midsize to larger organizations where there’s a greater rate of employee turnover and overall role changing (i.e., promotions, transfers, etc.).
This is especially important with administrator accounts. A periodic account and rights cleanup in AD ensures that users have access to what they need — and no longer have access to what they don’t. If you haven’t already, consider coordinating responsibilities and permissions with your HR department to understand what a person should and should not have access to. As roles change, people leave, and new employees are hired, your IT security administration team will have an understanding of what access a person will need and can take action immediately.
For example, a great starting point is a breakdown into three types of accounts: 1) standard, 2) administrator, and 3) domain administrator. The standard account speaks for itself. However, the distinction between an admin and a domain admin is critical. Administrators don’t necessarily need full access to your organization’s domain to perform their everyday functions, and giving them that level of access widens the blast radius of any mistake or compromised account. By reserving domain-wide control for domain administrators only, that risk is reduced.
2. Audit Your Administrators
Just as with the three overall types of AD accounts mentioned above, there are also a number of different administrator and operator account types. These range from domain and enterprise admins to schema and Exchange admins. Operator account types include server operators, backup operators, DHCP administrators, and remote desktop users. Clearly, there are many account types with varying degrees of access and authority, which is why it’s critical to conduct periodic audits of who holds which account type.
Consider following what’s called a least-privilege administrative account model, where your administrators and other AD account holders are given only the minimum permissions needed to do their work. Periodically reviewing these accounts will help you understand who has been added, who has been removed, who has access to what, and — most importantly — why. Often, certain users are given permissions because the admin was taking the path of least resistance. Perhaps it was a one-time situation where an employee needed access to a certain group, but the administrator forgot to revoke the access 24 hours later.
In its best practices for securing AD, Microsoft notes that during many AD assessments, the organization being audited had an excessive number of users holding privileges and permissions that they don’t need, or that far fewer people should need. The privileges and permissions themselves aren’t the issue; the sheer number of accounts holding them is what’s problematic. This is particularly true for large organizations, where more and more users accumulate permissions for their roles for unnecessary reasons. The more users holding permissions they don’t need, the greater the chance of something going wrong.
And as we all know, one time can be all it takes to bring an organization to its knees.
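The periodic audit described above can be scripted. The following is an added example, not from the original article: it snapshots the membership of the privileged AD groups named in this section and reports what was added or removed since the last run. It assumes the ActiveDirectory RSAT module, default English group names, and a baseline file path of our choosing.

```powershell
# Added example: snapshot privileged AD group membership and diff it against the
# previous snapshot. Group names assume a default English-language domain and the
# baseline path is an assumption; adjust both for your environment.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'DHCP Administrators', 'Remote Desktop Users'
)
$BaselinePath = 'C:\Audit\privileged-groups-baseline.xml'   # assumed location

# -Recursive flattens nested groups, so an account that reaches Domain Admins
# through an intermediate group is reported just like a direct member.
function Get-PrivilegedMembership {
    foreach ($group in $PrivilegedGroups) {
        try {
            Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Group  = $group
                        Member = $_.SamAccountName
                        Type   = $_.objectClass
                    }
                }
        } catch {
            Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        }
    }
}

$current = @(Get-PrivilegedMembership)

# Headcount per group: the "sheer number" problem is visible at a glance.
$current | Group-Object Group | Sort-Object Count -Descending |
    ForEach-Object { Write-Output ("{0,4}  {1}" -f $_.Count, $_.Name) }

if (Test-Path $BaselinePath) {
    $baseline = @(Import-Clixml $BaselinePath)
    # Compare on Group+Member so a user added to a second group shows as a change.
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                           -Property Group, Member, Type
    foreach ($d in $diff) {
        $status = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        Write-Output ("{0} {1,-22} {2} ({3})" -f $status, $d.Group, $d.Member, $d.Type)
    }
    if (-not $diff) { Write-Output 'No privileged membership changes since the last audit.' }
} else {
    Write-Output 'No baseline found; recording current membership as the baseline.'
}

# Persist this snapshot so the next scheduled run diffs against it.
$current | Export-Clixml $BaselinePath
```

Each ADDED line is a membership someone should be able to justify; anything that can’t be tied to a current role is a candidate for the cleanup described in this section.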
3. Rotate Administrator Access
Simply auditing your administrator types isn’t going to be enough. Even though these individuals have been entrusted with greater permissions and responsibility, they’re still human and can make mistakes. Consider rotating passwords on different administrator accounts to keep credentials fresh, which provides a double measure of protection in that the administrator’s password is changed frequently (even without his or her knowledge) and cybercriminals wouldn’t be able to use the account if the credentials were leaked.
The use of password vaults makes this process easier and more efficient because the password for a specific administrator account can change without his or her knowledge. This allows the administrator to continue on with their daily tasks while the credential is rotated behind the scenes, so no single credential remains stagnant for too long.
Groups also make this approach even more secure and dynamic. For example, setting up an administrator group for your password vault 1) ensures that only specific administrators are able to access it, 2) allows passwords to become more private, 3) allows those passwords to be rotated securely amongst a smaller group, 4) creates more accountability between the members of the group, and 5) ensures the password vault is more secure across the board. The same approach should be considered for Server Admin Access and Workstation Admin Access.
4. MFA Everything
We’ve said it before, and we’ll say it again: multi-factor authentication (MFA) is an absolute necessity for ensuring effective IT security administration across the board. Once you’ve implemented the recommendations above, MFA only adds even more assurance that your AD accounts remain secure by requiring admins — even those with the most permissions and the most power — to verify their identity prior to accessing AD and other secure areas of your organization’s environment.
Need Help With IT Security Administration? You’re Not Alone
Inversion6 helps organizations take a more strategic approach with their information security. From working with leaders to develop stronger security programs to communicating and managing the performance of those programs throughout the organization, our chief information security officers will partner with you to ensure that the highest levels of security are observed and put to use at all times.