Locking down Active Directory security

You’ve undoubtedly put a variety of defenses in place to limit the ability of attackers to enter your network — but attackers are notoriously clever and persistent little devils. On the one hand, they barrage your network with brute-force attacks, rush to take advantage of newly discovered software vulnerabilities before you have a chance to deploy critical patches, and try to slip past your firewalls with credentials purchased all too easily on the dark web. Meanwhile, they’re also relentlessly pummeling your users with phishing attacks, blindsiding them with drive-by downloads, and enticing them with free software and USB drives laced with malware. With all these attack vectors constantly in play, some bad guys are bound to get into your network, jeopardizing both security and compliance.

Of course, those are just the attackers coming from outside — others are already inside your network, in the form of malicious insiders. There’s that employee who didn’t get the raise and promotion they felt they deserved, looking to get even by damaging or stealing critical data. And what about that former employee, the one whose credentials were never disabled but who could really score some points at their new company by supplying some choice bits of your IP or your customer contact database? Or the contractor with lots of access rights — and their own agenda?

It’s no wonder that more and more organizations, from the U.S. National Security Agency (NSA) to Microsoft, are adopting an “assume breach” mindset — they accept that attackers are already inside their network and focus on developing strategies to mitigate the threat they pose. The key is understanding how attacks unfold and having proper Active Directory governance processes in place. Attackers typically move stealthily from machine to machine, collecting whatever credentials they can to elevate their privileges so they can get to the systems and data they’re after. In most networks, this lateral movement is far too easy: if attackers move carefully and avoid appearing in a security report, they can achieve their goal, and your organization may find itself in the headlines as the latest massive breach.

Fortunately, there are proven best practices and Active Directory solutions that can help you secure your cloud storage and protect your other critical systems and data by limiting the ability of attackers to move laterally and escalate their privileges:

  • Don’t rely on preventive control technologies alone.
  • Keep a close eye on built-in admin groups.
  • Look out for delegated permissions.
  • Identify who can expand privileged authority.
  • Control rights at the server or workstation level.
  • Identify and reset admin accounts that might be compromised.
  • Control which endpoints privileged users can log on to.
  • Implement the least privilege principle across the IT environment.
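As a concrete starting point for “Keep a close eye on built-in admin groups” and “Identify and reset admin accounts that might be compromised”, the following PowerShell script is an added example, not code from the white paper or its vendor. It enumerates the members of the built-in privileged groups (including nested membership) and flags accounts that are disabled yet still privileged, or that have not logged on within a review window. It assumes the ActiveDirectory RSAT module is installed and the caller has read access to the domain; the group list and the 90-day staleness threshold are assumptions you should adjust to your environment.

```powershell
# Added example (not from the white paper): audit the built-in AD admin groups
# and flag members that are disabled or stale.
# Assumes the ActiveDirectory RSAT module and domain read access.
Import-Module ActiveDirectory

# Assumed set of privileged groups to review; extend for your environment.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')
$StaleDays = 90   # assumption: accounts idle this long deserve a review

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so indirectly privileged users are caught too
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $User = Get-ADUser -Identity $_.distinguishedName `
                               -Properties Enabled, LastLogonDate, PasswordLastSet
            [PSCustomObject]@{
                Group           = $Group
                SamAccountName  = $User.SamAccountName
                Enabled         = $User.Enabled
                LastLogonDate   = $User.LastLogonDate
                PasswordLastSet = $User.PasswordLastSet
                # Never logged on, or no logon within the window, counts as stale
                Stale           = (-not $User.LastLogonDate) -or
                                  ($User.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays))
            }
        }
}

# Report members that warrant follow-up: disabled accounts that still hold
# privileged membership (e.g. a departed employee) and accounts that have
# not logged on recently. Each line is a candidate for removal or reset.
$Findings |
    Where-Object { -not $_.Enabled -or $_.Stale } |
    Sort-Object Group, SamAccountName |
    Format-Table -AutoSize
```

Run it from a management workstation on a schedule and diff the output against the previous run: a new name in a privileged group, or a disabled account that keeps its membership, is exactly the kind of change the list above says to watch for. Note that LastLogonDate is replicated only approximately, so treat the staleness flag as a prompt for review rather than proof of inactivity.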

