Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.


February 21, 2020

The ONE Question NO ONE knows the Answer to at RSA Conference 2020

Hello,

On Monday, the RSA Conference 2020 will begin, where almost a thousand cyber security companies will showcase their greatest cyber security solutions to thousands of attendees, and where supposedly "The World Talks Security!"

If that's the case, let's talk security -  I'd like to ask the entire RSA Conference just 1 simple cyber security question -

Question: Do the companies whose CISOs and cyber security personnel are attending the RSA Conference '20 have any idea exactly who has what privileged access in their foundational Active Directory deployments today?


If they don't, then perhaps instead of making the time to attend cyber security conferences, they should first focus on making this paramount determination, because without it, not ONE thing, let alone their entire organization, can be adequately secured.



Unequivocal Clarity

If this one simple question posed above isn't clear, here are 5 simple specific cyber security 101 questions to help gain clarity:

    Does our organization know exactly -
  • Q 1.  Who can run Mimikatz DCSync against our Active Directory to instantly compromise everyone's credentials?
  • Q 2.  Who can change the Domain Admins group's membership to instantly gain privileged access company wide?
  • Q 3.  Who can reset passwords of /disable use of Smartcards on all Domain Admin equivalent privileged accounts?
  • Q 4.  Who can link a malicious GPO to an(y) OU in Active Directory to instantly unleash ransomware system-wide?
  • Q 5.  Who can change or control who has what privileged access in our Active Directory?

If an organization does not have exact answers to these 5 simple questions today, it has absolutely no idea as to exactly who has what privileged access in its foundational Active Directory, and thus, it has absolutely no control over cyber security.




This is Paramount

If you don't think that having exact answers to these questions is paramount, then you don't know a thing about cyber security.


Just ask the world famous and globally trusted $10 Billion cyber security company CrowdStrike, and here's a quote from them - "A secure Active Directory environment can mitigate most attacks."




Zero out of 1000

There are almost 1000 cyber security companies exhibiting at the RSA Conference 2020, but guess how many of those 1000 companies could help you accurately determine the answers to 5 simple questions asked above? The answer is 0.


Not Microsoft, not EMC, not CrowdStrike, not FireEye, not Cisco, not IBM, not Symantec, not McAfee, not Palantir, not Tanium, not CyberArk, not Centrify, not Quest, not ZScaler, not BeyondTrust, not Thycotic, not Varonis, not Netwrix, not even HP, in fact no company exhibiting at RSA Conference 2020 has any solution that could help accurately answer these simple questions.

That's right - not a single cyber security company in the world (barring one), let alone the entirety of all cyber security companies exhibiting at or sponsoring the RSA Conference 2020 can help organizations accurately answer these simple questions.




The Key

The key to being able to answer the leading question above, as well as the five simple cyber security questions posed above lies in having just 1 simple, fundamental cyber security capability - Active Directory Effective Permissions.


There's only 1 company on planet Earth that possesses this key, and its not going to be at the RSA Conference 2020 - this one.



Thanks,
Sanjay.

January 7, 2020

Who Needs WMDs (Weapons of Mass Destruction) Today ?

Folks,

Today, yet again, I'd like to share with you a simple Trillion $ question, one that I had originally asked more that 10 years ago, and recently asked again just about two years ago. Today it continues to be exponentially more relevant to the whole world.

In fact, it is more relevant today than ever given the paramount role that cyber security plays in business and national security.


So without further adieu, here it is - Who needs WMDs (Weapons of Mass Destruction) Today?


Ans: Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.


Why would an entity bother trying to acquire or use a WMD (or for that matter even a conventional weapon) when (if you're smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which governments, militaries and thousands of business organizations of the world operate?

Today, all you need is two WDs in the same (pl)ACE and its Game Over.


Puzzled? Allow me to give you a HINT:.

Here’s a simple question: What does the following non-default string represent and why should it be a great cause of concern?
(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

Today, this one little question and the technicality I have shared above directly impacts the cyber security of the entire world.


If you read my words very carefully, as you always should, then you'll find that it shouldn't take an astute cyber security professional more than a minute to figure it out, given that I’ve actually already provided the answer above.


Today, the CISO of every organization in the world, whether it be a government, a military or a billion dollar company (of which there are dime a dozen, and in fact thousands worldwide) or a trillion dollar company MUST know the answer to this question.


They must know the answer because it directly impacts and threatens the foundational cyber security of their organizations.

If they don't, (in my opinion) they likely shouldn't be the organization's CISO because what I have shared above could possibly be the single biggest threat to 85% of organizations worldwide, and it could be used to completely compromise them within minutes (and any organization that would like a demo in their real-world environment may feel free to request one.)

Some of you will have figured it out. For the others, I'll finally shed light on the answer soon.

Best wishes,
Sanjay


PS: If you need to know right away, perhaps you should give your Microsoft contact a call and ask them. If they too need some help (they likely will ;-)), tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root in seconds.)

PS2: If this intrigues you, and you wish to learn more, you may want to read this - Hello World :-)

January 6, 2020

What is Active Directory? (Cyber Security 101 for the Entire World)

Folks,

Today is January 06, 2020, and as promised, here I am getting back to sharing perspectives on cyber security.


Cyber Security 101

Perhaps a good topic to kick off the year is by seeking to ask and answer a simple yet vital question - What is Active Directory?

You see, while this question may seem simple to some (and it is,) its one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.

The simple reason for this is that if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure, and while its true that at its simplest, it is a directory of all organizational accounts and computers, it is this shallow view that leads organizations to greatly diminish the real value of Active Directory to the point of sheer irresponsible cyber negligence because  "Who really cares about just a phone book?"

In fact, for two decades now, this has been the predominant view held by most CISOs and IT personnel worldwide, and sadly it is the negligence resulting from such a simplistic view of Active Directory that are likely the reason that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.

Again, after all, who cares about a phone book?!




Active Directory - The Very Foundation of Organizational Cyber Security Worldwide

If as they say, a "A Picture is Worth a Thousand Words", perhaps I should paint you a very simple Trillion $ picture -


An organization's Active Directory deployment is its single most valuable IT and corporate asset, worthy of the highest protection at all times, because it is the very foundation of an organization's cyber security.

The entirety of an organization's very building blocks of cyber security i.e. all the organizational user accounts and passwords used to authenticate their people, all the security groups used to aggregate and authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computers, including all laptops, desktops and servers are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory, and all actions on them audited in it.

In other words, should an organization's foundational Active Directory, or a single Active Directory privileged user account, be compromised, the entirety of the organization could be exposed to the  risk of complete, swift and colossal compromise.



Active Directory Security Must Be Organizational Cyber Security Priority #1

Today, ensuring the highest protection of an organization's foundational Active Directory deployment must undoubtedly be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.


Here's why - A deeper, detailed look into What is Active Directory ?


For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security.)



In essence, today every organization in the world is only as secure as is its foundational Active Directory deployment, and from the CEO to the CISO to an organization's shareholders, employees and customers, everyone should know this cardinal fact.

Best wishes,
Sanjay.