The Value of Layers: A Current Admin Rights Attack

At CGP we tend to preach security in layers, and a current attack is a great example why.

This attack is so bad that the federal government is shutting down any unpatched (i.e. not yet updated and protected) servers tonight at midnight. A current major attack requires only a minor foothold into your network to pull off, something like an email with a malicious attachment that a user opens. The attack gives full admin control of your servers, at which point the attackers can do anything from sifting through your information to ransoming it. The vulnerability lies in the normal methods people and computers use to connect, so it is not something that can easily be blocked with a firewall or security software.


How layers come into play

So how do you protect yourself in this case? First off, we are fortunate that Microsoft has already issued an update to protect against this attack (back in August) - the first layer. But how do you know if you were already attacked? This is one great example of why we recommend regularly auditing the active accounts on your network - yet another important layer. If this vulnerability is exploited, you will notice suspicious accounts holding administrator rights, and you will be able to shut them down.
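The account audit described above is easy to turn into a repeatable check. The script below is an added example, not CGP's own tooling: it pulls the membership of the privileged Active Directory groups, compares it against a reviewer-maintained list of approved administrators, and flags anything that is not on the list, was created recently, or has never logged on. The ActiveDirectory module (RSAT) and the baseline names are assumptions; the baseline shown is a constructed sample and would be replaced with your own approved accounts.

```powershell
# Added example: audit privileged AD group membership against a known-good baseline.
# Assumes the RSAT ActiveDirectory module is installed on the machine running the audit.
Import-Module ActiveDirectory

# Groups whose membership should be reviewed on every audit cycle.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Constructed sample baseline of approved SamAccountNames per group (hypothetical names).
# In practice this list is maintained by the reviewer and kept outside the script.
$Baseline = @{
    'Domain Admins'     = @('da-jsmith', 'da-mlee')
    'Enterprise Admins' = @('ea-break-glass')
    'Schema Admins'     = @()
    'Administrators'    = @('da-jsmith', 'da-mlee', 'ea-break-glass')
}

# Anything created inside this window is worth a second look, even if it is on the baseline.
$RecentDays = 30

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so accounts hidden one level down are still seen.
    $Members = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName -Properties whenCreated, LastLogonDate, Enabled
        }

    $Approved = @($Baseline[$Group])

    foreach ($M in $Members) {
        $Reasons = @()
        if ($Approved -notcontains $M.SamAccountName) { $Reasons += 'not in baseline' }
        if ($M.whenCreated -gt (Get-Date).AddDays(-$RecentDays)) { $Reasons += "created in last $RecentDays days" }
        if ($M.Enabled -and $null -eq $M.LastLogonDate) { $Reasons += 'enabled but never logged on' }

        if ($Reasons.Count -gt 0) {
            [pscustomobject]@{
                Group          = $Group
                SamAccountName = $M.SamAccountName
                Enabled        = $M.Enabled
                Created        = $M.whenCreated
                LastLogon      = $M.LastLogonDate
                Reason         = ($Reasons -join '; ')
            }
        }
    }
}

if ($Findings) {
    $Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
    # Keep a dated record of each audit so reviews can be compared over time (hypothetical path).
    $ReportPath = "C:\Audit\privileged-findings-$(Get-Date -Format yyyyMMdd).csv"
    $Findings | Export-Csv -Path $ReportPath -NoTypeInformation
} else {
    Write-Output 'No deviations from the privileged-group baseline.'
}
```

Run it from a workstation with the AD tools installed, on a schedule, and have a person read the output: a name that is not on the baseline is the signal the post describes, and the next step is to confirm who created it and disable it if nobody can account for it.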

Process is key

[Figure: CGP cybersecurity framework diagram]

Our cyber security framework shows the five operational areas of security along the top (i.e. actions to take) and the tools and processes we use under that. Ignore both of those for now; the bottom is where we want to focus. IT is guilty of pushing technology as the solution to everything, but note how much people and process come into play, especially as you move toward reacting. A regular review of active user accounts falls under the Detect phase. This is typically the phase where most IT teams and processes are lacking. But the process of detection is actually the most important, because that is where the most advanced threats live, and if they are detected and neutralized, they die before they cause harm.

Dustin Bolander