Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.


December 31, 2010

The End of the Dark Ages...

For over a decade now, organizations have been operating in the proverbial dark when it comes to knowing who can really do what in their IT infrastructures, and in particular, when it comes to knowing who can really enact which IT administrative tasks in their IT infrastructures.


For instance, while numerous IT personnel may have the ability to reset the password of the user account of the organization's CEO, in all likelihood, in most organizations, no one really knows exactly who can reset the CEO's account's password.

Organizations that do not know exactly who effectively has what administrative entitlements for identity, security and access management in their IT infrastructure have a (very serious) problem, because a single such unauthorized administrative access grant is usually sufficient to cause substantial damage to organizational security.

Tomorrow, Paramount Defenses Inc, will put an end to this problem...

                                 ... tomorrow, after a decade of darkness, there will be light.

... 04.05.2011  1100 PDT

Best,
Sanjay

PS: Oh, and just one more thing ... but that will have to wait until tomorrow.

December 14, 2010

The WikiLeaks Security Incident – A Warning and a Wake-Up Call to Organizations Worldwide

Folks,

We’ve all heard of the infamous WikiLeaks incident by now.



There is THE incident, and then there are opinions dime-a-dozen on the incident. There is also the frequent use of the word “cyber-war” by journalists in reference to childish DDoS attacks.

It is not my intention to offer just another opinion, like perhaps Mr. Bruce Schneier, who in his own words "doesn't really have much to say about it", but (I think) nonetheless felt the need to chime in.

As some of you may know, virtually the entire U.S. government, from the Department of Defense (DOD) to the U.S. Congress, runs on Microsoft's Windows Server platform, powered by Active Directory, which is at the very foundation of their security.


As former Microsoft Program Manager for Active Directory Security, I do actually have much to say about it, but in the interest of time, shall keep it brief, and share it with you in the form of an information security practitioner’s perspective on the incident.

So, if I may, here's my 2c on this incident -

It is public knowledge that at the heart of the WikiLeaks incident is the leak of United States Diplomatic Cables, wherein the whistle-blower website WikiLeaks started to publish classified documents of detailed correspondence between the U.S. State Department and its diplomatic missions around the world.

The leak has since been characterized as being a threat to national security of many a nation and even condemned as an attack on not just the U.S. but all governments. (Also, as mentioned previously, since then, this has been the topic of substantial media coverage and there have been numerous articles written by as many journalists on the subject, each entitled to their opinion.)

However, if one were to objectively view the incident from an IT security perspective, I believe that there are two distinctly separate incidents involved here –

  1. Unauthorized Disclosure of Information by an Insider – At the core of the incident is the act, by an insider, of obtaining access to, and subsequently disclosing, to an outsider, over 250,000 U.S. government documents (which constitute the property of the United States government) including over 130,000 unclassified documents, about 100,000 documents classified as "confidential" and about 15,000 documents classified as “secret”.
     
  2. Information Dissemination by an Outsider – Then there is the act, by a party external to the U.S. government i.e. WikiLeaks, involving the dissemination of this information, i.e. making these documents indiscriminately and globally accessible to all on the Internet. Whether this was done with or without regard to the impact that doing so could have on impacted entities (i.e. the United States government, and the individuals, embassies and governments of whom there is a mention in these documents) is really immaterial.

As to the former, i.e. unauthorized disclosure by an insider, at its essence this was the most elemental form of a security incident, in which a trusted insider who had access to a confidential organizational IT asset (or in this case, a vast set thereof) willfully violated organizational security policy by disclosing this (set of) organizational IT asset(s) to one or more parties external to the organization. The only thing that made this security incident so serious was the fact that the value of the IT assets whose confidentiality was compromised was so high that it could potentially have had a real impact on national security and international relations.

As to the latter i.e. information dissemination by an outsider, that was an incident in which an entity chose to disseminate potentially sensitive information (in this case, these documents) delivered to them, indiscriminately by publishing them online. As to the legality of this action by this outsider, while White House Press Secretary Robert Gibbs recently said that "…the stealing of classified information and its dissemination is a crime,” I for one am not going to opine on the legality of the dissemination of such information, as that is something for a court of law to decide.

From a security perspective, IMHO the damage was done the moment these IT assets (i.e. these documents) crossed the proverbial organizational boundary (i.e. were disclosed to an external party), because from that point on, these documents were out in the open, and could easily have been silently sold to the highest bidder, or delivered to a long list of entities who could substantially gain or profit from them, whether they be international terrorists, rogue regimes, crime syndicates and so on.

In fact, one has to wonder whether it could possibly have been far more damaging if these documents had been stolen and sold to, say, an international terrorist organization, and the fact that they were stolen and now in the hands of a terrorist organization had never come to light.

At the end of the day, this unfortunately was a serious failure to adequately protect the confidentiality of what the U.S. government largely considered classified information, and it does raise many valid security questions.

For instance, if the U.S. government does have a least-privilege access (LPA) security model in place, how come three million individuals had access to these sensitive documents? Or for that matter, did three million individuals really have a business need to have access to these sensitive documents? If so, one has to further wonder as to how this access was ultimately enforced? In fact, many questions come to mind, and I’m certain many such questions will undoubtedly be raised during their own internal investigations.

If I may digress for a moment...
It is worth mentioning that when it comes to access enforcement, there is unfortunately almost always a disconnect between the intended security policy and the implemented security policy, primarily because implementation involves specification of access control intent in computer systems, and that can get very complicated and difficult to manage, and rather quickly so.

For instance, numerous aspects, such as the lack of a single point of administrative control, arcane nesting of security groups, administrative churn over time, and the specification of access controls at various levels (e.g. file, folder, server, trust etc.) all have a direct impact on the effective resultant access on an IT asset, and consequently on the ability of an organization to effectively maintain and control access to their IT assets.

Consider for instance the set of access controls involved in protecting a set of documents residing on a file server joined to Active Directory. As you may know, there are multiple access control points at which security must be specified. For instance, there is the access control list (ACL) on each individual document. Then there are ACLs on the folder(s) containing these documents, and ACLs on the share itself. In addition, there is the list of individuals who are authorized network access to this domain-joined computer, and then there are the domain security groups that are used to provision access at each of these access control points.

On a related note, one critical yet often overlooked aspect of security today is the need to (accurately) assess and review the identities of all individuals who can influence (modify) the memberships of the very security groups used to control access to organizational IT assets.

For instance, while it is important to review the membership of a security group being used to control access to a specific IT asset, it is equally important to determine and review exactly who all can modify the membership of that security group as well, because, ultimately, whoever has this ability could instantly change the membership of the group, and consequently obtain or facilitate access to every document/IT asset being protected by that group. (This is one such critical area where our innovative Gold Finger access assessment solution for Active Directory helps organizations instantly and automatically make these determinations.)
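The two determinations discussed above (who is in a group once nesting is unwound, and who can change that group's membership) can be approximated from an Active Directory domain with the RSAT ActiveDirectory module. The script below is an added example written for this page; it is not code from the original post, nor from the Gold Finger product it mentions. It assumes a domain-joined host, an account with read access to the group object, and a placeholder group name; it lists the access control entries (ACEs) on the group object rather than computing resultant access.

```powershell
# Added example (not from the original post): walk the nested membership of an
# Active Directory security group, then list every ACE on the group object that
# lets a principal change that membership. Assumes the RSAT ActiveDirectory
# module, a domain-joined host and read access to the group object; the group
# name used at the bottom is a placeholder.
Import-Module ActiveDirectory

# Schema GUID of the 'member' attribute. A WriteProperty ACE scoped to this
# GUID is what the ADUC permission editor shows as "Write Members".
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$WriteProperty       = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
# WriteDacl / WriteOwner do not change the member list directly, but whoever
# holds them can grant themselves "Write Members" in one step.
$ControlRights       = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                       [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

function Get-NestedGroupMembers {
    # Breadth-first expansion that records the nesting path for each member,
    # so 'who is in this group, and via which chain of groups' is answered in
    # one listing. (Get-ADGroupMember -Recursive flattens the chain away.)
    param([Parameter(Mandatory)][string]$GroupName)
    $seen  = @{}
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue(@{ Group = $GroupName; Path = $GroupName })
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        foreach ($m in Get-ADGroupMember -Identity $item.Group) {
            # Skip members already reached via another path (and nesting cycles).
            if ($seen.ContainsKey($m.DistinguishedName)) { continue }
            $seen[$m.DistinguishedName] = $true
            [pscustomobject]@{
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
                Via         = $item.Path
            }
            if ($m.objectClass -eq 'group') {
                $queue.Enqueue(@{ Group = $m.DistinguishedName
                                  Path  = "$($item.Path) -> $($m.SamAccountName)" })
            }
        }
    }
}

function Get-GroupMembershipModifiers {
    # Lists ACEs on the group object itself (not on its members) that grant
    # Write Members, or the WriteDacl/WriteOwner rights that lead to it.
    param([Parameter(Mandatory)][string]$GroupName)
    $dn  = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        $rights = $ace.ActiveDirectoryRights
        # ObjectType Empty means the ACE applies to all properties (this is how
        # GenericAll / GenericWrite show up); otherwise it must name 'member'.
        $writesMembers = ([int]($rights -band $WriteProperty) -ne 0) -and
                         ($ace.ObjectType -eq $MemberAttributeGuid -or $ace.ObjectType -eq [Guid]::Empty)
        $takesControl  = ([int]($rights -band $ControlRights) -ne 0)
        if (-not ($writesMembers -or $takesControl)) { continue }
        $how = if ($writesMembers) { 'Write Members' } else { 'WriteDacl/WriteOwner' }
        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType   # a Deny here takes precedence over an Allow
            Grants    = $how
            Rights    = $rights
            Inherited = $ace.IsInherited
        }
    }
}

# Usage (placeholder group name):
# Get-NestedGroupMembers -GroupName 'Finance-Docs-Readers' | Format-Table -AutoSize
# Get-GroupMembershipModifiers -GroupName 'Finance-Docs-Readers' | Format-Table -AutoSize
```

Two caveats that are the post's own point in miniature. First, a list of ACEs is not resultant access: to know who can actually change the membership you still have to apply Deny precedence, inheritance from parent containers, object ownership, property-set ACEs (not resolved above), and the nested memberships of every trustee the script prints, which is why it is worth running Get-NestedGroupMembers on each trustee group as well. Second, Get-ADGroupMember refuses groups above its configured member limit and fails on some foreign security principals, so an empty or aborted listing is not evidence of an empty group.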

The bottom line is that the specification and enforcement of authorization intent is neither easy nor straight-forward, and many a time, this one simple root of complexity can make it difficult to attain or maintain least-privileged access, particularly in large IT infrastructures. As a result, quite often, one or more IT resources could easily end up being inadequately protected and vulnerable to compromise.

But I digress.

All said and done, the WikiLeaks incident is a warning and wake-up call to organizations worldwide – IT security today is mission-critical to business, and it must be a top business priority, because, as we have clearly seen in this case, it only takes ONE such security incident to have a substantial impact on business.

After all, if you think about it, this was very much akin to an employee at a Fortune 100 business organization taking a set of confidential business documents, such as a set of confidential product blueprints, and disclosing them to an outsider. The only thing that makes the release of these cables more sensational is the nature of the information they contained, the unauthorized disclosure of which substantially impacted a much broader set of issues and entities.

Today IT security has become paramount to organizational security and business continuity, and at Paramount Defenses Inc, we know this first-hand; today our solutions and services help secure and defend the very foundation of IT security at over 4000 organizations in over 70 countries around the world.

In days and weeks to follow, I intend to shed light on numerous specific and highly pertinent IT security issues and challenges that directly impact organizational security worldwide.

Thanks,
Sanjay

PS: It would also be nice to see the media stop referring to these kiddish DDoS attacks as cyber-war. These DDoS attacks are so primitive in nature that any half-serious IT security enthusiast should be able to code one up in a few hours. I doubt these journalists have any idea of just how much damage a real DDoS attack on a mission-critical component, such as Active Directory, could actually do. For that matter, I doubt they even know what Active Directory is, let alone why it is so important.

December 1, 2010

It's Time

Folks,

For five years, we have exercised great restraint in regards to shedding light on matters of paramount importance to the IT security posture of organizations worldwide.


However, in light of certain recent global events, it might very well be in the best interest of the security of these organizations for us to shed light on these vital matters, as it could make a meaningful difference in their security posture.

Starting Monday, December 13, 2010, I shall start sharing valuable insights via this blog.

Stay tuned...

Best wishes,
Sanjay

PS: Our work at Paramount Defenses, which impacts 1000s of organizations worldwide, imposes substantial time constraints, leaving little time for activities such as blogging; hence the delay in getting to this sooner.

PS2: In the interest of convenience, you may find it helpful to Subscribe to the blog.

November 5, 2010

Gold Finger 3.0 Now Deployed in 3000+ Organizations in 65+ Countries Worldwide

Folks,

One week ago, we introduced Gold Finger 3.0, the latest release of our innovative IT security and resultant access reporting solution for Microsoft Active Directory.



The powerful Gold Finger 3.0 delivers substantial enhancements for our global customers, including custom ready-to-furnish report generation capabilities, novel reporting features, advanced reports, an enhanced UI, versatile licensing options, a new edition, and an online store.

Most importantly, it is also the most provably trustworthy reporting solution for Microsoft's Active Directory.

Perhaps the fact that Gold Finger is the world's only IT solution that can accurately determine resultant access in Active Directory and instantly deliver mission-critical security insight, which organizations absolutely need but just do not have today, is also worthy of mention.

I am pleased to inform you that earlier today, Gold Finger 3.0 crossed the 3000th organization deployment mark, and is now deployed in more than 65 countries worldwide.

You can expect Paramount Defenses to continue to deliver innovation and value to Microsoft's global ecosystem, because at its foundation lies Active Directory, and its security is of paramount importance.


For more information, please feel free to visit - http://www.paramountdefenses.com/goldfinger

Thank you, and best wishes,
- Sanjay

June 10, 2010

The U.S. Department of Homeland Security runs on Active Directory Too (and it seems to have been found to be inadequately protected)

Folks,

As former Microsoft Program Manager for Active Directory Security, I cannot over-emphasize the need for adequately protecting your organization's foundational Active Directory deployment.

This is a vital IT security issue, and we ordinarily do not shed light on it in the public domain, but rather choose to inform our global customer base privately. However, if the U.S. government is willing to shed light on it in the public domain (which I don't think it should), I suppose it would be okay if I too shared a thought.

The Inspector General of Homeland Security recently published the findings of a security audit that covered the implementation of Active Directory at the U.S. Department of Homeland Security, and I highly recommend reading it.


Here's a snippet from the Executive Summary -
    The Department of Homeland Security uses Microsoft Windows Active Directory services to manage users, groups of users, computer systems, and services on its headquarters network. We reviewed the security of the Active Directory collection of resources and services used by components across the department through trusted connections. These resources and services provide department-wide access to data that supports department missions but require measures to ensure their confidentiality, integrity, and availability. The servers that host these resources must maintain the level of security mandated by department policy. Systems within the headquarters’ enterprise Active Directory domain are not fully compliant with the department’s security guidelines, and no mechanism is in place to ensure their level of security. These systems were added to the headquarters domain, from trusted components, before their security configurations were validated. Allowing systems with existing security vulnerabilities into the headquarters domain puts department data at risk of unauthorized access, removal, or destruction.
    ...
(The link to the entire report is at the end of this post.)

The fact of the matter is that virtually the entire U.S. government actually runs on Active Directory, and I would not be surprised if the foundational Active Directory deployments of other departments in the U.S. government may also be inadequately protected (though I seriously hope that is not the case).

Comprehensive protection of an organization's foundational Active Directory deployment requires a first-hand understanding of the attack surface, of the various components involved, and of the risks associated with each of these components, along with the knowledge of which risks to mitigate, which ones to manage, and how.

It does NOT involve the mere deployment of fancy security applications, but in fact requires the deployment of a well thought out and well integrated set of security controls involving security policies, practices and tools/applications, which together provide trustworthy protection.

Formally speaking, it requires that an organization first perform a formal risk assessment of its Active Directory and then based on its findings, assess and deploy an adequate set of risk mitigation measures.

While at Microsoft, I had the privilege of having performed an Active Directory Security Risk Assessment of Microsoft's global Active Directory infrastructure, so this is second nature to some of what we do now at Paramount Defenses Inc. (While I will not divulge any details, suffice it to say that it took a 90 page report to document cursory findings, which was delivered to the highest offices at Microsoft.)

If your organization is running on Active Directory, I encourage you to please take a serious look at its security, and if needed, please enact appropriate risk mitigation measures to ensure its adequate protection.

As I sign off, I'll leave you with a simple mantra - Your Microsoft Windows Server based IT infrastructure is only as secure as is its foundational Active Directory. (Please) Protect it.

Thanks,
Sanjay

PS: Link to the official report - Stronger Controls Needed on Active Directory Systems.

June 2, 2010

It's Time To Shed Light On Matters of Global IT Security

Folks,

On July 01, 2010, it will have been 5 years since I moved on from Microsoft Corporation.

Starting July 01, TIME PERMITTING, I will start sharing (via this blog) insightful perspectives on vital matters of global IT security that have a direct bearing on the security of organizations and citizens around the world.

Thanks,
Sanjay 

May 24, 2010

1500 Organizations in 60 Countries, and Counting

Folks,

Earlier today, Gold Finger crossed the 1500th deployment mark, and added Israel, Ukraine and Pakistan (amongst others) to the list of countries it is currently deployed in, totaling 61.




With over 20,000 organizations worldwide running on Active Directory, these continue to be incredibly busy times for all of us at PD, and we're committed to helping our customers secure their mission-critical Active Directory deployments.

To all of you who have sent across your best wishes, thank you for your wishes and for your continued patience. The delay in shedding light on matters of global IT security is intentional and momentary.

Best wishes,
Sanjay

April 6, 2010

Introducing Gold Finger version 2.5, our $50M gift to the Microsoft Ecosystem

Folks,

Earlier this month Paramount Defenses officially released v2.5 of our Gold Finger IT security audit, compliance and reporting solution for Microsoft Windows Server based IT infrastructures powered by Active Directory.


Gold Finger v2.5 features over 400 security reports, including TRUE last logon reports, enhanced searching, instant CSV exporting and seamless support for Windows 7 clients.

With Gold Finger v2.5, organizations can instantly fulfill their security audit and regulatory compliance reporting needs for identity and access management, and do so in a reliable and trustworthy fashion.

With well over 200,000 Microsoft Certified Systems Administrators in the world today, and the Free Edition representing a modest US $500/admin in value, just the Free Edition of Gold Finger v2.5 in itself represents a $50M gift to the Microsoft ecosystem.


At Paramount Defenses Inc, we're committed to ensuring that the Microsoft ecosystem can fulfill its security audit and regulatory compliance reporting needs in an efficient, cost-effective and most importantly, in a trustworthy fashion.

Best wishes,
Sanjay

March 4, 2010

Apologies for the Delay : 1000 and Counting.

Hi Folks,

I apologize for the delay in sharing my perspectives via this blog.

We've been very busy helping organizations worldwide fulfill their essential Active Directory focused IT security and access reporting, audit and compliance needs.

Earlier this week, Gold Finger crossed the 1000th deployment mark, and added Fiji and Malta to the list of countries it is currently deployed in, totaling 52.



With over 20,000 organizations worldwide running on Active Directory, these continue to be very busy times for us, but I'm committed to taking out time to share my perspectives with you.

Thank you for your continued patience.

Best wishes,
Sanjay

January 25, 2010

Hello, World

Hi Folks,

I'm Sanjay, CEO of Paramount Defenses, and formerly Microsoft Program Manager for Active Directory Security.


If you use Microsoft's Windows to log on at work, whether it be at a business or a government organization, or if you're invested in the stock market, chances are that my work impacts your life today.

You see, underlying the information security of 8 out of every 10 IT infrastructures in the world lies Microsoft's Active Directory, and for 4 years (2001 - 2005) I was responsible for its security for Microsoft.

Today I run Paramount Defenses, a valued Microsoft security partner, where we develop innovative high-value security solutions that solve byzantine problems and fulfill global, paramount security needs.

You'll hopefully agree that today IT security is paramount to corporate and national security, and perhaps because I know what lies beneath, I worry about the state of organizational IT security defenses globally.

I've decided to share some perspectives on certain IT security issues that impact the security of organizations worldwide today, with the hope of improving their security posture, so it can have a positive impact your personal, professional and financial security as well.

Stay tuned...

Best wishes,
Sanjay