Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including the World's Top Cyber Security Risk, Advanced Persistent Threats (APT), Cyber Warfare, Corporate Espionage, Insider Threats and other topics.



Thursday, June 23, 2016

The Need for a Trustworthy Free Active Directory Audit Tool

Folks,

Starting July 04, 2016, we're going to start addressing certain matters of cyber security that today have a global impact on the security of a majority of business and government organizations worldwide.


Until then, over the next few days, I just wanted to very briefly cover a few technical aspects.


Today, I wanted to briefly provide some clarity on the need for a trustworthy free Active Directory Audit Tool.

Now you might be wondering why a free Active Directory Audit Tool deserves any mention on a blog on cyber security.

There's a very good reason for that, as elucidated below.



Cyber Security 101

"Law #1 of the 10 Immutable Laws of Security states that if a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

A corollary of this law is that if you yourself download and run a program possibly written by a bad guy on your computer, it may not be your computer anymore; and if you're a privileged user, your network may no longer be your network either.

To make a long story short, if a privileged user, such as an Active Directory Domain Admin were to download and run software from the Internet that happened to be malicious in nature, since that software would be running in Domain Admin context in that organization, it could cause substantial damage and result in a major cyber security breach.

In fact, depending on the expertise of the author of that malicious software, its execution could not only enable the perpetrator to exfiltrate large amounts of data, it could also possibly cause massive automated destruction of organizational IT assets.



A Worrisome Situation

For months now, our cyber intelligence has indicated that to this day thousands of IT personnel from thousands of organizations worldwide continue to search for a free Active Directory Audit Tool.


It's worth pausing for a moment to think about that!

A majority of these IT personnel are administrative personnel at prominent business and government organizations worldwide. They often serve in capacities such as System Admins, Domain Admins etc. and by virtue of their responsibilities typically possess vast and usually unrestricted privileged access in their foundational Active Directory deployments.




One. (Just One.)

Imagine an individual in such a capacity searching for and downloading a free tool from the Wild Wild Web, and then running it, even if once, to fulfill a need. In all likelihood, that tool will run in a privileged security context, typically Domain Admin or the like, because in essence, that individual will be logged in using their administrative account when running such a tool.

Now imagine a scenario wherein the tool that this individual downloaded and ran (even if only once) happened to be malicious in nature, written and uploaded by a malicious entity such as a professional hacker or an Advanced Persistent Threat (APT).

You don't need a PhD in Cyber Security to conclude that in such a scenario, even if that administrative individual were to run such a tool ONCE, it could result in a security compromise, and possibly grant the perpetrator a door into, and vast if not full control over, the organization's IT infrastructure.

In short, just one IT admin need download and execute just one malicious piece of software in their corporate environment just one time, and it's effectively GAME OVER.



They Know

In addition to various nefarious entities (e.g. professional hackers, organized crime syndicates, etc.) in the Western world, many others, including the Russians and Chinese, not only possess deep Windows and Active Directory technical expertise, they also know that many IT personnel actively seek and download a variety of free tooling, so it would not be unreasonable to assume that they could exploit this knowledge to their malicious gain.

I'll let you infer where I'm going with this; the astute mind should have no problem connecting the dots.



A Trustworthy Alternative

In light of the above, the fact that our cyber intelligence indicates that to this day thousands of IT personnel from thousands of organizations worldwide continue to search for a free Active Directory Audit Tool was quite unsettling and concerning.

Ideally, today no organization should allow the use of free tooling of any kind in their environments.


Ideally, the CISOs of all organizations should immediately establish and enforce a cyber security policy prohibiting the use of free tooling of any kind in their IT environments by all IT personnel, whether employees or contractors.

Unfortunately, our cyber intelligence indicates that even this basic cyber security 101 measure today largely remains just an ideal, and in most organizations worldwide, IT personnel still seek and rely on free tooling to fulfill various needs.

In other words, the reality on the ground is FAR from ideal.

In light of this reality, we felt that it was imperative to provide organizations worldwide a trustworthy alternative when it comes to free Active Directory audit tooling.


Thus, about two months ago we released a limited free version of our flagship Gold Finger Active Directory Audit Tool.

This limited free version shares the same code-base as does our flagship Gold Finger Active Directory Audit Tool, which today is not only the Gold Standard for Active Directory Audit Tooling, but also the world's most trustworthy Active Directory Audit Tool, trusted by the world's most powerful business and government organizations and deployed in 6 continents worldwide.

It is my privilege to share with you that in less than 50 days of its release, our novel free Active Directory Audit Tool has been downloaded in 50+ countries worldwide and is being used by many of the world's top business and government organizations.



In Summary

If organizations must rely on free Active Directory Audit Tooling, it is our hope that at the very least they exercise sound judgment when choosing such tooling, because a poor choice could mean the difference between security and compromise.

As idealists, we hope that the day is not far when no organization allows the use of free tooling of any kind in their environments. As you'll hopefully agree, in today's world, there is simply no reason to rely on free tooling of any sort.

Unfortunately, based on the reality on the ground, that day seems far away, so until such a day arrives, the least we can do is to raise awareness about the inherent dangers in using untrustworthy free tooling, and provide organizations with a trustworthy free option.

The details on our free tool are over at - http://www.active-directory-security.com/2016/06/free-active-directory-audit-tool.html


Alright, my time's up. Thanks, and stay tuned.

Best wishes,
Sanjay

Tuesday, June 21, 2016

LDP.exe

Folks,

Starting July 04, 2016, we're going to start addressing certain matters of cyber security that today have a global impact on the security of a majority of business and government organizations worldwide.


Until then, over the next few days, I just wanted to very briefly cover a few technical aspects.


Today, I wanted to briefly cover a relatively little-known free Microsoft Active Directory analysis tool known as LDP.exe.

LDP.exe is a free Microsoft utility that can help instantly obtain vast amounts of technical Active Directory configuration data.

Specifically, if you know what to look for and where to look for it, then LDP can help you find it within seconds. Of course, it also has substantial limitations, and that's where advanced tooling comes to the rescue, but there's still a lot of basic reconnaissance that a trusted insider or intruder could perform without detection using LDP.

So, why does a simple utility like LDP.exe deserve any real-estate on this blog?

Our online cyber security intelligence indicates that IT personnel from most organizations to whose Executive Leadership (Chief Executive Officers) we had sent The Paramount Brief a few weeks ago, are today starting to search for LDP.exe.


Is this a coincidence? Most likely, not.

In all likelihood, the right questions are finally being asked at the right levels, and as a consequence, the IT departments of these organizations are (finally) just starting to take a closer and deeper look at their foundational Active Directory deployments. (And it's high time they did so.)

So, again, what does all this have to do with LDP.exe being covered on a blog focused on Cyber Security?

We anticipate that in the months to come, thousands of IT professionals and Cyber Security professionals from thousands of organizations worldwide are going to be searching for LDP.exe, perhaps because that's possibly the (novice) advice they're likely getting from Microsoft, so they can start digging deeper into the current security state of their foundational Active Directory deployments.


We wanted to help them hit the ground running with LDP.exe. If you know as much as we do about Active Directory security, then you'll know that these organizations undeniably need to know the basic stuff, and more importantly a lot more, not just yesterday but in fact ten years ago. So we put together a quick primer on LDP for them, a link to which can be found below.

We also wanted to advise them NOT to download LDP.exe from any source except from Microsoft's official download point on Microsoft's website, to minimize the possibility of downloading a potentially malicious version of LDP.exe that may have been built and put up by an Advanced Persistent Threat (APT) for reasons you can infer. (To the astute mind: YES, sadly Microsoft has not digitally signed LDP, thus necessitating this advice.)

So here's everything you need to know to download and get started with LDP - LDP.exe for Active Directory - Official Download Source, Usage, Tutorial and Examples.

Stay tuned.

Best wishes,
Sanjay

Tuesday, May 31, 2016

Paramount Defenses to Donate Up To $50 Million in Microsoft Active Directory Audit Software

Folks,

Last month we announced our intention to donate up to $50 Million of our Microsoft Active Directory Audit Tool Software to non-profit and other organizations such as K-12, public universities, hospitals & government agencies in 100+ countries worldwide.

Today, I just wanted to take a few moments to share some relevant details concerning this announcement.


ACTIVE DIRECTORY ON-PREMISES

It is a well-known fact that Microsoft Active Directory On-Premises is the bedrock of organizational cyber security worldwide.


Specifically, over 85% of all business and government organizations worldwide operate on Microsoft Active Directory today.



ACTIVE DIRECTORY IN THE CLOUD

In addition, Microsoft’s recent foray into Cloud Computing and its introduction of Microsoft Azure Active Directory, its multi-tenant cloud based directory and identity management service, as well as Amazon now offering organizations the ability to run Active Directory as a managed service via Amazon Web Services (AWS) Cloud, will further increase the use of Active Directory.


As the world’s use of and reliance on Microsoft Active Directory increases, so does the need to obtain both basic as well as advanced cyber security insight (e.g. the ability to precisely audit privileged users in Active Directory) into Active Directory.




THE NEED FOR TRUSTWORTHY BASIC ACTIVE DIRECTORY CYBER SECURITY INSIGHT

All organizations that operate on Microsoft Active Directory, at a minimum, need to be able to perform basic Active Directory security audits, such as to be able to assess the state of all domain user accounts and security groups in Active Directory.
 
 
Over the years we have found that a large number of organizations have yet to fulfill even these basic needs, and in their attempts to fulfill these basic needs, every day IT personnel from across the world, including from many of the world’s most prominent business and government organizations, continue to seek free tooling in their attempts to fulfill these needs.
 
Unfortunately the concern with most free tooling out there is that there is little to no assurance of it being trustworthy or reliable, and thus, any reliance on it, and especially its use by privileged IT users could seriously jeopardize organizational security.
 
For instance, one such example of a free but highly inaccurate Active Directory Audit Tool can be found here.
 
Similarly, a malicious entity such as a hacking group or an APT could make available a seemingly useful yet covertly malicious tool for free online, which, when downloaded and run by an unsuspecting user, could instantly grant them unauthorized privileged access in the organization's IT network.
 
 
Unfortunately, even though the use of potentially untrustworthy free tooling could substantially endanger organizational security, thousands of IT personnel continue to seek, download and use potentially untrustworthy free Active Directory audit software, thus exposing their organizations to risk. 
 
To help all organizations worldwide trustworthily fulfill their basic Active Directory security audit needs, we have decided to donate $50 Million worth of our entry-level Active Directory Security Audit Software to non-profit organizations, as well as make available a limited version of our trustworthy entry-level Gold Finger Active Directory Security Audit Tool, completely free.

Of course, we primarily help organizations fulfill their advanced Active Directory Audit needs, such as privileged access audit, attack surface reduction, insider threat protection and regulatory audit and compliance, so this is the least we can do for them.





DONATING UP TO $50 MILLION IN ACTIVE DIRECTORY AUDIT TOOLING

To help non-profit and other needy organizations worldwide, we have decided to donate up to $50 Million of our trustworthy Microsoft Active Directory Security Audit Tool Software, measured at fair market value, to non-profit and other organizations such as K-12 schools, public universities, hospitals and government agencies across over 100 countries worldwide.
 
 
The average donation should be in the vicinity of $10,000 per organization, and we intend to donate our software to approximately 5,000 organizations across 100+ countries. In effect, each such organization will receive an unlimited annual user license of our commercially licensable Active Directory Security Audit Tool, thus empowering all their IT personnel to be able to easily and trustworthily perform basic Active Directory Audits.





OUR FREE ACTIVE DIRECTORY AUDIT TOOL 

In addition to the donation of our entry-level Active Directory Security Audit software, we also made available a free version of the tool, so that all organizations worldwide can trustworthily fulfill their basic Active Directory security audit needs.
 
 
Our free Active Directory Audit Tool is a limited version of our licensable Active Directory Security Audit Tool. It lets IT personnel worldwide audit the basic security state of any Active Directory deployment in the world trustworthily and at a button's touch.
 
 
 
Our $50M donation represents a small fraction of the annual potential for our globally deployed Gold Finger product. As the world's top cyber security company, and possibly the world's most security conscious company, this is the least we can do.
 
Best wishes,
Sanjay

Wednesday, May 25, 2016

It's Time to Provide Thought Leadership to the Cyber Security Space

Folks,

Ten years ago, after doing my bit, I had moved on from Microsoft Corporation to help organizations worldwide adequately secure and defend the very foundation of their cyber security and their very lifeline, their foundational Active Directory.


Given my years at MSFT, I had a lot to share with the world back then as well, but as someone once said, mere talk is cheap.



So I silently went to work for an entire decade (2006 - 2016) to address arguably the world's biggest cyber security challenge.


Ten years later, not only have we uniquely addressed it for the entire world, we've made it as easy as touching one button.



Today, my work speaks for itself, and it uniquely helps secure and defend the world's most powerful organizations worldwide.


Today, what we do at Paramount Defenses is imperative for and mission-critical to the cyber security of Microsoft's ecosystem.



We have much to say, and now that it's no longer mere talk, we're going to talk a little.


Starting July 04, 2016, it's time to provide thought leadership to the Cyber Security space.


Best wishes,
Sanjay


PS: Between now and July 04, 2016, I'll also cover a few low-key items on this blog because they need to be addressed.

Tuesday, March 1, 2016

The Paramount Brief - Declassified and Substantiated


Folks,

Earlier today, at Paramount Defenses we declassified The Paramount Brief.



All along, the password to the brief has been: AreWeReallySecure? (A question organizations need to ask themselves.)

To some the brief may appear to be a fairly simple document. Its simplicity is intentional, because it was primarily written for a non-technical audience i.e. C-Level Executives worldwide who lead the world's top business and government organizations.

It was written for C-Level executives because we found that in most organizations, not only is there a substantial lack of understanding regarding the importance of protecting their foundational Active Directory, but also there is no accountability chain, and almost no one at the top realizes the consequences that an Active Directory Security breach could have on business.

The risk described in the brief is in our opinion the world's #1 cyber security risk because it provides possibly the easiest avenue for professional perpetrators to start at a single, easily compromisable, domain-joined machine or account and gain all-powerful privileged access (the "Keys to the Kingdom") in minutes, by enacting just a few simple tasks.

It is also imperative to understand that neither of 1) multi-factor authentication, 2) auditing, or 3) user-activity/network logging/profiling can prevent a proficient perpetrator from being successful. (Details available upon request.)

Today, I'll share just a few high-level technical details involved. The low-level technical details can be boring, so I'll save them for another day, or you can have your best IT folks try and explain them to you.




Active Directory - The Core of Privileged Access

Unless you live on another planet, you know that Active Directory is the core of privileged access in Microsoft Windows Server based IT infrastructures (and that's over 85% of the world) because all privileged power resides in Active Directory.


In fact, Active Directory is not just the core of privileged access, it is the very foundation of cyber security worldwide, because the IT infrastructures of most business and government organizations are powered by Microsoft Active Directory, and in these IT infrastructures, the entirety of the organization's user accounts, computer accounts and security groups are stored, protected and managed in the organization's Active Directory.

By the way, Active Directory is not only foundational to Microsoft's native authentication protocol in Windows, Kerberos (without which no one can logon to engage in any secure network activity in a Microsoft Windows Server based network), it is also foundational to Microsoft's entire cloud computing platform, Microsoft Azure.





An Ocean of Active Directory Permissions

Within Active Directory, each of these foundational building blocks of cyber security, i.e. domain user and computer accounts, security groups, etc., are all stored as Active Directory objects, and are each protected by an access control list (ACL) that specifies security permissions (e.g. Create Child, Reset Password etc.) granted (allowed/denied) to a security principal (user, group, well-known SID etc.) on the object.

 
In most Active Directory deployments, there exist thousands of objects (accounts, groups, OUs etc.), each one of which needs to be securely managed. Since it is not feasible for a small number of individuals to manage such a large number of accounts and groups, Active Directory provides a valuable capability called delegation of administration, which enables organizations to delegate various aspects of identity and access management amongst their IT teams based on the principle of least privilege.

This administrative delegation capability leverages Active Directory's security model, and in essence, for each administrative delegation made in Active Directory, corresponding security permissions are specified in the ACLs of all objects that fall in the scope of the administrative delegation, for the security principals (users, groups etc.) to whom the tasks are being delegated.

In addition, IT personnel also often specify access directly/manually in the ACLs of Active Directory objects to directly delegate administrative tasks or provision access to fulfill specific business requirements.


Consequently, today, in thousands of organizations worldwide, it is these very Active Directory security permissions that protect all privileged user accounts and group memberships, and in fact all Active Directory content, and that ultimately control/govern who has what privileged access across the network.

In fact, in most Active Directory deployments, since IT personnel have been delegating administration and provisioning access in the Active Directory for years now, there exist hundreds of thousands, if not millions of Active Directory security permissions that are collectively protecting the organization's foundational building blocks of cyber security.


In essence, underlying the foundational cyber security of most organizations worldwide, is an ocean of Active Directory security permissions collectively protecting the very building blocks of cyber security in their Active Directory.





How Secure are our Building Blocks of Security in Active Directory?

If these foundational building blocks of cyber security are what enable an organization to facilitate secure access to the entirety of its IT assets, it is worth asking how secure these very building blocks themselves are within Active Directory.



For instance, since all of the most powerful administrative security groups in a Microsoft Windows Server IT infrastructure (e.g. Enterprise Admins, Domain Admins, Builtin Admins, etc.) are stored in Active Directory, it's worth asking the question - Exactly how many individuals today have sufficient access to be able to change/control/manage the membership of these groups?

After all, if an unauthorized individual could control the membership of any one of these powerful privileged access groups, he could instantly elevate himself or anyone of his choice to be an all-powerful admin and obtain the "Keys to the Kingdom".

Similarly, for each privileged access user that is a member of these powerful privileged groups, it's worth asking the question - Exactly how many individuals can reset the password of the domain user account of these privileged access users?

After all, if a single unauthorized individual could reset the password of even one of these privileged accounts, he/she could instantly become a privileged user and obtain the "Keys to the Kingdom". Similarly, if Smart Cards are in use, it's absolutely worth knowing, at all times, exactly how many individuals can disable the use of Smart Cards on Active Directory accounts.

In fact, the same questions must be asked for all Executive accounts, such as that of the CEO, CIO, CISO, CFO etc. Actually they hold true for all accounts, such as that of a Software Engineer that might have access to the source-code of an operating system at a major software company, or a financial analyst who might have access to confidential financial data, so ideally organizations must know exactly who can reset the password of / disable the Smart Card of every employee in the organization.

By the same token, isn't it worth asking the question as to exactly how many people can change the membership of any domain security group that is being used to control access to a small or large set of IT resources across the network? After all, the easiest way to gain access to a large number of IT resources across the network is simply to add your account to a security group that already has access to these IT resources. That way, you don't even have to try to compromise a server; you'll automatically be granted access to all IT assets across the network to which that group is granted access!

In summary, organizations have a mission-critical need to know, at all times, exactly who can control the very foundational building blocks of their cyber security, because without this knowledge, they are operating in the (dangerous) proverbial dark.




100%

In case you're wondering how relevant this might be to cyber security today, allow me to share a simple fact with you - 100% of all major recent cyber security breaches (Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and misuse of a single Active Directory privileged access user account.


As evidenced by these breaches, today Active Directory privileged user accounts are the #1 target for malicious perpetrators.

Thus far, perpetrators have been using difficult ways to compromise Active Directory accounts. I'm referring to passing hashes, reusing tickets, etc. Unfortunately, there are far easier ways to compromise Active Directory privileged user accounts today.

For instance, all you need to do is to find out who can reset a privileged user's password, iterate that process a few times, and find a single vulnerable starting point, which once compromised, will allow you to escalate your privilege to that privileged user within seconds, without having to go through such archaic and painful ways (i.e. pass-the-hash etc.)

For that matter, simply determine who controls the membership of a privileged user group, then find out who can reset their password, and iterate the process a couple of times, and you'll likely find that some local IT admin whose account or computer is insufficiently protected is in that chain. That's your starting point. Once you've got his account, the rest takes a few seconds.

The astute mind will get the drift.





But we use Smart Cards!

Organizations that have Smart Cards or other multi-factor authentication measures in place may be operating under a false sense of security by assuming that since they have multi-factor authentication in place, they're immune from password reset based attack vectors. (Besides there's much more to this than mere password resets.)

For such organizations, it might help to know that the weakest link in the use of smart cards (or other multi-factor authentication measures) is that anyone who has administrative control over the smart-card protected account can with a single mouse-click uncheck the Smart card is required for interactive logon setting on the account.



As soon as that happens, authentication on the account will fall back to being password based, and one can set any password of choice on the account and log in with it. So at the very least, it's worth knowing at all times - Exactly how many individuals have Modify Permissions or Write Property on the relevant attribute of smart-card enabled accounts?

The astute mind will note that in addition to the above, you'll also want to know exactly who has Modify Permissions on a Smart Card enabled account, because anyone who has that permission can grant him/herself any permission on the account, including the permission required to uncheck the Smart card is required for interactive logon setting.




Cyber Security 101

Folks, this is Cyber Security 101. After all, if cyber security is fundamentally about ensuring that all access to an organization's digital assets is authenticated and authorized based on the principle of least privilege, how can an organization accomplish that without knowing exactly who effectively has what access on the very foundational building blocks of cyber security that enable it to provision and maintain least-privileged access across its IT infrastructure?


Today, at the very least, all organizations must have answers to the following basic questions -
  1. How many individuals possess unrestricted privileged access in Active Directory?
  2. How many individuals possess restricted (delegated) privileged access in Active Directory?
  3. Exactly who can manage the accounts of these unrestricted and restricted privileged access users?
  4. Exactly who can reset the passwords of these unrestricted and restricted privileged access users?
  5. Exactly who can change the membership of our privileged security groups in Active Directory?
  6. Exactly who can control security permissions on privileged accounts, groups and OUs in Active Directory?
(The astute mind will observe that one should at the very least also know exactly who can modify the Trusted for Unconstrained Delegation bit on domain computer accounts, because if you can do that, then ...   (... I'll let you complete the sentence.))

After all, if we don't even know who possesses and controls privileged access in our foundational Active Directory environments, i.e. who possesses and controls the Keys to the Kingdom, what's the point of deploying a plethora of cyber security measures.

Ideally, at a minimum, the same questions should be answered for all executive accounts (CEO, CFO, CIO, CISO, Board Members, VPs etc.) and groups, as well as all high-value accounts, groups and IT assets stored in the Active Directory.

Speaking of which, shouldn't organizations know exactly who can create user accounts and security groups in their Active Directory, or for that matter, join machines to the domain, and of course who can delete domain user and computer accounts, security groups and OUs?

(The astute mind will observe that in fact there is a lot more that all organizations must know about at all times, such as, for instance, something as simple as who can change the logon hours of domain user accounts, because if just ONE perpetrator (e.g. a disgruntled insider) who had sufficient effective access to be able to do so were to write a simple script to change the logon hours of all domain user accounts, you could easily have a situation wherein come Monday morning at 9:00 am no one would be able to log on, and of course if no one can log on, business comes to a proverbial halt!)




So, how do we answer these fundamental yet important cyber-security questions?

As mentioned above, today, in most organizations worldwide, the entirety of an organization's foundational cyber security building blocks are being collectively protected by hundreds of thousands (and in most cases, millions) of Active Directory security permissions specified in Active Directory ACLs.


How is an organization to determine exactly who has what level of privileged access across these hundreds of thousands (or millions) of security permissions spanning thousands of their Active Directory objects?

Those who know very little about Active Directory Security will tell you that's easy. They'll suggest doing a simple ACL dump and then looking at what permissions are granted to which users/groups. In fact, I wouldn't be surprised if most IT personnel at most organizations will suggest this route. (One could of course follow that suggestion, but then one would end up with substantially inaccurate data, reliance upon which could be very dangerous, to say the least.)

You see, unfortunately, it's not that easy. In fact, it's difficult, very difficult.

Here's why...




Active Directory Effective Permissions/Access

For the sake of simplicity, consider the security permissions specified in the ACL of a single Active Directory object.


Each of these Active Directory security permissions allows or denies some user or group some access. However, they do not individually determine access, because, as you may know, permissions can be allowed or denied, and be explicit or inherited, so in fact it is the complete set of all security permissions specified in the ACL of an Active Directory object, considered as a whole, in light of the governing precedence orders (e.g. explicitly specified permissions override inherited permissions, but not always; denies override allows, but not always; etc.) that ultimately determines the true, i.e. effective, permissions/access granted on the object.

In other words, it is the effective permissions on an Active Directory object that matter and that govern who really has what access on an Active Directory object. This one fundamental fact of Active Directory security potentially impacts global security today, yet very few folks understand it.



Any individual or organization that relies on a simple enumeration/analysis of who has what permissions, as opposed to who has what effective permissions, is doing it completely wrong, and operating on dangerously inaccurate data.


In fact, Effective Permissions are so important that Microsoft's native tooling has an entire tab dedicated to them -


Unfortunately, Microsoft's Effective Permissions Tab has three major deficiencies which almost render it practically useless.

The first is that it may not always take all factors involved in the accurate determination of effective permissions into account.

(I'm not about to publicly mention the inaccuracies of the native Effective Permissions calculator in Active Directory, because the last time I mentioned one publicly, Microsoft picked up on it, and fixed it. (That one had to do with determining and displaying who can modify back-links in Active Directory. Strictly speaking, no one can modify back-links, because they are constructed / read-only. However, prior to my having mentioned that publicly, the Effective Permissions Tab/calculator would happily (and errantly) display a list of individuals who could modify back-links.))

The second and major one is that (as seen in the picture above) it can at best compute an approximation of the effective permissions for a specific user that you have to specify. The astute mind will note that this very quickly renders it almost unusable, because if you had 10,000 domain user accounts in your Active Directory, you would have to enter the identity of each one of these 10,000 users, ONE by ONE, and then make a note of their effective permissions to ultimately and hopefully arrive at the list of all individuals that may have a specific effective permission granted on a given Active Directory object.


I don't know about you, but if my manager asked me to sit in front of a computer, and enter 10,000 names one after the other, then make a note of all the effective permissions granted to each user, (you know, a process that could take weeks), I would probably find more suitable employment elsewhere.


The third one and the biggest one is that Microsoft's native Effective Permissions Tab can at best determine effective permissions for a single user on a single object. In other words, if an organization had thousands of objects in its Active Directory, organizational IT personnel would have to use the tab one object at a time, specifying one user at a time, and that process could take years, not to mention that since the state of access in Active Directory is constantly changing, in all likelihood any such attempt to make such determinations would be futile to begin with.

For instance, consider this - let's say you wanted to answer the simple, fundamental question - Who can create user accounts in our Active Directory?

That seems like a question most organizations should want to know the answer to, because if someone could create a user account, they could engage in malicious activities that could not be linked to them.

It turns out that to answer this one single question, the organization would have to determine effective permissions on every object in Active Directory under which someone could create a user account, e.g. Organizational Units, Containers, etc.

We recently had a very prominent government organization come to us with this exact need. For reasons known best to them, they had 20,000 organizational units in their Active Directory domain, so to answer that one simple fundamental question, they would have to determine effective permissions on at least 20,000 OUs in their Active Directory!
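Here is an added example, written for this page and not code from the original post or from any Paramount Defenses product, that puts the two points above into a small model: how the canonical ACE precedence (explicit deny, explicit allow, inherited deny, inherited allow) combined with nested group membership turns one ACL into effective permissions, and why answering "Who can create user accounts?" means resolving that on every OU rather than reading one ACL dump. All names (alice, bob, Tier1, OU=Corp and so on), the ACLs and the group memberships are constructed sample data, and the model is deliberately simplified, as the comments label: every ACE is assumed to flow to child OUs, object-specific ACEs are keyed by class name instead of schema GUID, and owner rights, extended rights, property sets and AdminSDHolder are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Added example, not code from the original post or from any vendor product.
# Models how an Active Directory access check turns a DACL into *effective*
# permissions, and why a plain ACL dump answers a different question.
# All principals, groups, OUs and ACEs below are constructed sample data.
# Simplifications (assumptions): every ACE flows unchanged to child OUs,
# object-specific ACEs are keyed by class name rather than schema GUID, and
# owner rights, extended rights, property sets and AdminSDHolder are ignored.


@dataclass(frozen=True)
class Ace:
    trustee: str                        # user or group the ACE names
    kind: str                           # "allow" or "deny"
    rights: FrozenSet[str]              # e.g. {"CreateChild", "WriteDacl"}
    inherited: bool = False             # explicit (False) or inherited (True)
    object_type: Optional[str] = None   # child class for object-specific ACEs; None = any


# Canonical DACL order an access check walks: explicit deny, explicit allow,
# inherited deny, inherited allow. The first ACE in that order matching both the
# caller's token and the requested right decides the outcome.
_RANK = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}


def canonical_order(acl: List[Ace]) -> List[Ace]:
    return sorted(acl, key=lambda a: _RANK[(a.inherited, a.kind)])   # stable sort


def token_for(principal: str, memberships: Dict[str, Set[str]]) -> Set[str]:
    """What the access check sees: the principal plus every group it is in, nesting included."""
    token = {principal}
    grew = True
    while grew:
        grew = False
        for group, members in memberships.items():
            if group not in token and token & members:
                token.add(group)
                grew = True
    return token


def has_effective_right(principal: str, right: str, acl: List[Ace],
                        memberships: Dict[str, Set[str]], object_type: Optional[str] = None) -> bool:
    token = token_for(principal, memberships)
    for ace in canonical_order(acl):
        if ace.trustee not in token or right not in ace.rights:
            continue
        if ace.object_type is not None and ace.object_type != object_type:
            continue
        return ace.kind == "allow"
    return False                         # nothing matched: denied by default


def who_can(right: str, acl: List[Ace], principals: List[str],
            memberships: Dict[str, Set[str]], object_type: Optional[str] = None) -> List[str]:
    """Effective answer: every principal that actually holds `right` on this object."""
    return sorted(p for p in principals
                  if has_effective_right(p, right, acl, memberships, object_type))


def naive_dump(right: str, acl: List[Ace]) -> List[str]:
    """What a plain ACL dump shows: trustees on allow ACEs, denies and nesting ignored."""
    return sorted({a.trustee for a in acl if a.kind == "allow" and right in a.rights})


def inherit(parent_acl: List[Ace]) -> List[Ace]:
    """Assumption: every parent ACE reaches the child OU as an inherited ACE."""
    return [Ace(a.trustee, a.kind, a.rights, True, a.object_type) for a in parent_acl]


# Constructed sample directory.
PRINCIPALS = ["alice", "bob", "carol", "dave"]
MEMBERSHIPS = {"HelpDesk": {"alice", "bob"},
               "Tier1": {"HelpDesk", "carol"},          # HelpDesk is nested inside Tier1
               "Domain Admins": {"dave"}}
CC = frozenset({"CreateChild"})

CORP = [Ace("bob", "deny", CC, object_type="user"),                   # explicit deny
        Ace("Tier1", "allow", CC, object_type="user"),                # explicit allow via group
        Ace("Domain Admins", "allow", CC | {"WriteDacl"}, inherited=True)]
SALES = [Ace("bob", "allow", CC, object_type="user")] + inherit(CORP)  # explicit allow beats inherited deny
CONTRACTORS = [Ace("Tier1", "deny", CC)] + inherit(CORP)               # explicit deny, any child class
OUS = {"OU=Corp": CORP, "OU=Sales,OU=Corp": SALES, "OU=Contractors,OU=Corp": CONTRACTORS}


def audit_create_user(ous=OUS, principals=PRINCIPALS, memberships=MEMBERSHIPS) -> Dict[str, List[str]]:
    """'Who can create user accounts?' resolved on every container, as the post says it must be."""
    return {dn: who_can("CreateChild", acl, principals, memberships, object_type="user")
            for dn, acl in ous.items()}


if __name__ == "__main__":
    print("ACL dump of OU=Corp names:", naive_dump("CreateChild", CORP))
    for dn, names in audit_create_user().items():
        print(f"{dn}: can create users -> {names}")
```

Running it prints the ACL dump of OU=Corp (only the two trustee names that sit on allow ACEs) next to the resolved answer per OU, which shows alice and carol gaining the right through nested groups, bob denied at OU=Corp yet able to create users in OU=Sales because of an explicit allow there, and the whole Tier1 chain locked out of OU=Contractors by one explicit deny. The same who_can call answers the other questions the post raises (who can modify DACLs, reset passwords, change group membership) by changing the right and object type. The simplifications listed in the comments are exactly where a real audit does its hard work: inheritance flags, schema GUIDs, owner and extended rights, and the fact that the directory keeps changing while you compute.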


There are very few people in the world who know how to accurately determine effective permissions in Active Directory. Even if they could, and it took them 30 minutes to do so per object, it would take them 600,000 minutes to determine effective permissions across 20,000 objects, and that's assuming no one changed a single permission during that time.

I think you'll get the drift.

(Incidentally, with our innovative cyber security tooling that embodies our unique, patented and globally recognized effective access assessment technology, this organization was able to make this determination within minutes, at a button's touch.)


You see, in order to answer these elemental and fundamental cyber security questions concerning who has what privileged access in Active Directory, organizations require the ability to accurately and efficiently determine effective access across an entire tree of Active Directory objects. (Simply put, the ability to efficiently perform an accurate effective privileged access audit.)


You know, something like this.

Unfortunately, Active Directory completely lacks this elemental and fundamental capability, and as a result, organizations have no way of knowing exactly who effectively has what privileged access on their foundational building blocks of cyber security. (They never have!)

In fact, because they have never had this capability, considering that most Active Directory deployments have been around for years, and that a substantial amount of access provisioning and delegation has been done over the years, we have a situation wherein an excessive and unknown number of users have all kinds of effective privileged access in the Active Directory, yet no one knows exactly who has what effective privileged access.





Beware of Inaccurate Tooling

I'll digress for a minute to share something important with you. As the old saying goes, the only thing more dangerous than no knowledge is inaccurate knowledge. In all of the ten years that we've been around, not a single organization has attempted to address the problem, perhaps because they're mature enough to understand just how difficult it is to solve this problem.


However, recently, one company had a brilliant(ly dumb) marketing idea for their auditing solution, so amidst some fanfare, it released freeware tooling that claims to make some of this easy. Having written the book on the subject, we tested this tooling, and were shocked to find that it is not only woefully inadequate, it is so substantially inaccurate that it's almost dangerous.

Interestingly, this company seems to have no clue as to just how substantially inaccurate their tooling is. Sadly, neither do most IT pros, who may happily proceed to rely on it, in effect endangering the very foundational security for their organizations.

To metaphorically give you an idea of just how inaccurate it is, if it were being used as a metal/weapon detector at an airport, let alone boarding the flight, we would not just run out of the terminal, we would get out of the airport as fast as we could!

In our opinion, the only folks who could possibly benefit from such substantially inaccurate freeware tooling are malicious perpetrators, because even if it's only 20% accurate, that's sufficient for them to identify a few privilege escalation paths.





Organizations Worldwide are likely at High Risk

In the foundational Active Directory deployments of most organizations today, there likely exist thousands of arcane privilege escalation paths, leading from regular domain user/computer accounts to highly privileged user accounts and security groups, that are hard to identify with the naked eye.



However, with sufficient tooling, in the wrong hands, they could be very quickly identified and potentially exploited by malicious perpetrators to inflict substantial damage within minutes.


Sadly, a malicious perpetrator need only compromise a single domain user/computer account to deploy and use such tooling to identify these privilege escalation paths. The entire discovery process would be read-only and given the sheer amount of read access that takes place in Active Directory deployments, it would in all likelihood not show up on any radar.

Once the perpetrator has identified a kill-chain, he/she could make a move at an opportune time (e.g. Saturday morning 3:00 am) and in less than 5 minutes, simply by using basic Active Directory management tools provided by Microsoft, escalate his/her privilege to that of an all-powerful privileged access user.

Once that's done, it's game over.


[Fortunately, with similar tooling, designed for and only made available to the good guys (i.e. organizational IT personnel), organizations could quickly and accurately determine effective privileged access in their Active Directory, as well as their source, and eliminate all excessive access before it can be exploited by malicious perpetrators.]





The Attack Surface

The attack surface is unfortunately vast - it is the entire Active Directory.


The attack surface is vast because virtually every domain user account, computer account, security group and other vital content stored in Active Directory is a potential target of compromise.

Attack surface details are over at - http://www.paramountdefenses.com/cyber-security/attack-surface.html





Active Directory Effective Privileged Access Audit

As a mature and professional cyber security company, we do not shed light on cyber security risks that cannot be mitigated, because we understand that doing so can potentially endanger organizations.

Folks, this profoundly elemental, high-impact cyber security risk is actually virtually 100% mitigatable, and in fact any organization that wishes to mitigate it can do so in a very short amount of time.

To mitigate this risk, what organizations worldwide require is the ability to accurately and efficiently determine effective privileged access across entire Active Directory trees (OUs, domains, etc.) so that they can quickly and reliably identify all individuals who currently possess, but are not entitled/authorized to possess, effective privileged access in their foundational Active Directory, as well as identify the source of all such identified excessive access, so that they can then quickly revoke all such excessive access before malicious perpetrators are able to identify and potentially exploit it.


Today, organizations also have several options to do so, as outlined at - http://www.paramountdefenses.com/effective-privileged-access-audit.html

Subsequently, having attained least-privileged access state in their Active Directory, they can and must continue to maintain this least-privileged access state in their foundational Active Directory at all times, because it only takes the compromise of one privileged access user account to cause substantial damage.

My 10 minutes are almost up, so I will conclude this by adding that although this is a high-impact esoteric cyber security risk that potentially threatens the foundational cyber security of most organizations worldwide today, it is virtually 100% mitigatable, and all it really takes for an organization to mitigate this risk is to have the will to mitigate it.


Finally, as you will hopefully agree, there can be no security without accountability, and accountability must start at the very top, because should there be a cyber security incident, ultimately it is the organization's leadership that will be held accountable by its stakeholders, which is why the Paramount Brief was written for executives.

Over the last decade, IT administrators and IT professionals from 8,000+ organizations across 150+ countries worldwide have knocked at our door (completely unsolicited), and we found that most of these organizations had one thing in common - the troops in the trenches know about the problem, but middle and senior management seem clueless, as a result of which, the troops are powerless, and afraid to escalate the problem, and as a result, we have a dangerous situation wherein most organizations worldwide are still defenseless and in the proverbial dark.

It is high time the Generals (CEOs) and their Colonels (CIOs, CISOs, IT Directors, etc.) understood that their troops need their help, and that should an adversary be successful in taking them down, entire Kingdoms could be lost very, very quickly.

(Any organization in the world that would like to see a demo of just how easy this is to do may feel free to request one.)

The CEOs of the world's Top-200 business organizations have also been directly informed about this cyber security risk.

Best wishes,
Sanjay


PS1: Note to the folks at Microsoft - If you need help understanding this stuff, let me know.

PS2: If you found this interesting, you may like - OPM Data Breach Cyber Security Hack: Trillion $ Privileged Access Insight

Monday, December 7, 2015

The Paramount Brief

Folks,

In the security interest of thousands of organizations that operate on Microsoft Active Directory worldwide, as well as that of their stakeholders (shareholders, customers, employees, partners, etc.), on February 29, 2016* (originally announced for January 04, 2016) we will declassify The Paramount Brief.

January 04, 2016 Update - Paramount Defenses Postpones Declassification of The Paramount Brief by Four Weeks, Appoints Former FBI Cyber Division Unit Chief Liaison to DHS to its Advisory Board.

February 01, 2016 Update - Paramount Defenses Postpones Declassification of The Paramount Brief One Final Time.


The Paramount Brief

The Paramount Brief documents a serious and potentially imminent cyber security risk to most organizations worldwide, one that could potentially be exploited by any insider, and within minutes, potentially result in a massive cyber security breach.


I will elaborate just a bit -
  • It is very serious because it could potentially grant the perpetrator complete, unrestricted, system-wide access within minutes, irrespective of whether or not security controls like 2-factor authentication, auditing, etc. are in place.
  • It is potentially IMMINENT because i) the attack surface is vast, ii) literally anyone in the organization could enact the threat, and iii) the tooling required to identify the weaknesses and easily enact the threat is freely available today.
  • Literally any insider, i.e. anyone who has an Active Directory domain user account, or is in possession of a domain-joined computer, already has sufficient access to be able to identify the weaknesses and potentially exploit them.

 

Professional Courtesy

As a professional courtesy, last week, we shared a copy of the Paramount Brief with the top executives of some of the world's top business organizations across 6 continents worldwide. As cyber security professionals, we also asked them not to take our word for it, but to have the brief substantiated within their own IT environments and arrive at their own conclusions.

 
Most of these organizations have taken it seriously (and rightly so) and are in the midst of having this substantiated within their own environments. Many of them have their best people working on it, and have also requested a dialogue to gain more clarity.

(I've received Thank you notes from the CEOs of many of the world's top companies, including that of Fortune 10 companies.)




Substantiation

Organizations that have received an advanced copy of the Paramount Brief should have it internally substantiated and arrive at their own conclusions as to its applicability to them. Please do not take our word for it, but do get it objectively substantiated.

In most organizations, the substantiation part will be passed down from the CEO's office to the CIO's office to the CISO's office, and possibly down to a Director's level, who may eventually end up asking an Active Directory Admin to substantiate its validity.



5 Helpful Pointers -

Since so many Active Directory admins today do not understand the subtle yet profound difference between "Who has what permissions" and "Who has what Effective Permissions", here are a few pointers to help them objectively substantiate the risk -
  1. The Basics - The Risk, Attack Surface and Attack Vectors at Privileged Access Insight
  2. The difference between Permissions and Effective Permissions
  3. What is an Effective Privileged Access Audit?
  4. Why auditing is insufficient (read #12, "The $ Billion Difference between Audit and Auditing" section here)
  5. Why 2-factor authentication is insufficient (read #10, the "A Caveat when using Two-Factor Authentication for Active Directory Accounts" section of this blog post on the OPM Breach.)


5 Simple Questions -

To make it really easy for them, they may want to consider whether the answer to even 1 of the 5 questions below is NO -
  1. Do we know exactly how many privileged (unrestricted and delegated) user accounts there exist in our Active Directory?
  2. Do we know exactly how many individuals can reset the passwords of all of our accounts?
  3. Do we know exactly how many individuals can change the membership of all of our security groups?
  4. Do we know exactly how many individuals can set the "Trusted for Unconstrained Delegation" bit on computer accounts?
  5. Do we know exactly how many individuals can create, delete and manage user accounts, security groups, Organizational Units (OUs) and computer accounts in our Active Directory, as well as modify critical Active Directory configuration settings (e.g. make a Schema change, make a Replication change, transfer a FSMO role, promote a DC, etc.)?
(By the way, here's the associated impact of compromise.)

If the answer to even 1 of these questions is NO, you will have substantiated the applicability of the brief to your organization.

Since 100% of all major recent cyber security breaches involved the compromise of just 1 Active Directory privileged user account, exactness is paramount and approximations could likely mean the difference between security and compromise.





Sole Objective

Please know that our sole objective in having shared this brief with some organizations, and in declassifying it weeks from now, is to educate organizations worldwide about an esoteric attack vector that today provides perpetrators a vast attack surface and an extremely easy route to potentially very quickly and easily gain unrestricted administrative access within their environments.


I must reiterate that it is imperative that it be unequivocally understood that we are not declassifying this with the intention of furthering business.

(If we have so many customers today, it is only because over the last 7 years, over 7000 organizations from over 150 countries have knocked at our doors, completely unsolicited, to seek our help in addressing a very important cyber security challenge.)

In fact, for any organization that wishes to determine exactly how many individuals have what level of privileged access in their foundational Active Directory deployments today, we will be glad to make our solutions available for them at no cost to them.




Also A Matter of Corporate Governance

This is also almost equally a matter of Corporate Governance today, as it is a matter of IT and cyber security risk management.


If we reached out to the executive leadership of certain organizations, it is only because when the potential of damage from even a single cyber security breach associated with this attack vector is so high that it could impact the entire organization (and in all likelihood, many of its stakeholders), it is imperative that the organization's leadership have first-hand knowledge about it.

Our cyber security intelligence indicates that in most organizations worldwide, this esoteric yet important matter is not even on the radar of their IT and cyber security leadership, let alone on the radar of their executive leadership.

Today, in the event of a cyber security breach, it is the executive leadership that will be held accountable by the organization's stakeholders (shareholders, customers, employees etc.) and thus we felt that this must be brought to their direct attention.

Today, there must be a clear chain of accountability from the very top to the very bottom (e.g.: CEO > CIO > CISO > Director, Directory Services /Identity and Access Management > Enterprise Admins) because without it, security is almost impossible.

This is thus almost equally a matter of Corporate Governance today, as it is a matter of IT and cyber security risk management.





Microsoft was Informed

Please know that as early as 2008, the Paramount Brief was delivered to several senior/important individuals at Microsoft.


It appears that, for whatever reason, Microsoft chose not to act upon it.

Since thousands of organizations continue to be at risk, and continue to be oblivious to this highly potent attack vector, in light of the fact that 100% of all major recent cyber security breaches (Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise of a single Active Directory privileged user account, we felt that we had no choice but to publicly declassify this.


By the way, this is not even rocket science; it is common sense. But I suppose, as they say, common sense is not so common.

Onward to February 29, 2016 (previously January 04 and then February 01, 2016) - http://www.theparamountbrief.com/

Best wishes,
Sanjay

PS: You're welcome to contact us, but before you do, please familiarize yourself with this.

December 11, 2015 Update - Paramount Defenses to declassify the Paramount Brief.

January 04, 2016 Update - Paramount Defenses Postpones Declassification of The Paramount Brief by Four Weeks, Appoints Former FBI Cyber Division Unit Chief Liaison to DHS to its Advisory Board.

February 01, 2016 Update - Paramount Defenses Postpones Declassification of The Paramount Brief One Final Time.


February 29, 2016 -  The Paramount Brief Declassified

All content is copyrighted and all photos are licensed. Microsoft Building picture courtesy: @ iStock.com/JasonDoiy