<b>Cyber Security Blog</b> - Perspectives on Cyber Security by the CEO of Paramount Defenses (Sanjay)<br />
<hr />
<b>New Coordinates</b> (posted 2021-05-25)<br />
<p>Folks,</p><p>I hope this finds you all doing well. As some of you may know, over the years, I have shared numerous perspectives on <span style="color: #cc0000;">foundational cyber security</span> and on <span style="color: #cc0000;">Active Directory security</span>, both here (i.e. on this blog) and at my <a href="https://www.active-directory-security.com" target="_blank">second</a> blog.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBNqeCAmC9IgG81aGO1G9Trv9RQ3wN-1u5sLl43rZ8M3brU4Xu9PU172qZN8A7wKWJZ1DVQBdyROas9Gv3zhOc0CQ-w3Tvv0L4xXEBiPkwd2EJur_R-CTDvIQ4v77upvgh-VhcEKqM098j/s900/Vantage+Point.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="900" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBNqeCAmC9IgG81aGO1G9Trv9RQ3wN-1u5sLl43rZ8M3brU4Xu9PU172qZN8A7wKWJZ1DVQBdyROas9Gv3zhOc0CQ-w3Tvv0L4xXEBiPkwd2EJur_R-CTDvIQ4v77upvgh-VhcEKqM098j/w640-h426/Vantage+Point.jpg" width="640" /></a></div><p>Unfortunately, given my <a href="https://www.paramountdefenses.com" target="_blank">immense responsibilities</a> today, and the sheer paucity of time, I will no longer be able to share my perspectives on multiple blogs, so from now on, I will mostly be sharing my perspectives at the <a href="https://blog.paramountdefenses.com" target="_blank">Paramount Defenses Blog</a>.</p><p>I
recently penned two relevant posts, including <a href="https://blog.paramountdefenses.com/2021/05/whats-common-between-colonial-pipeline-hack-and-solarwinds-breach.html" target="_blank">What's common between the Colonial Pipeline Hack and the SolarWinds Breach</a> and one on what actually was <a href="https://blog.paramountdefenses.com/2021/05/at-the-heart-of-the-solarwinds-breach.html">At the Heart of the SolarWinds Breach</a> i.e. none other than <a href="https://blog.paramountdefenses.com/2021/05/at-the-heart-of-the-solarwinds-breach.html" target="_blank">Privileged Access in Active Directory</a>.</p><p>The URL for my new coordinates is - <a href="https://blog.paramountdefenses.com">https://blog.paramountdefenses.com</a></p><p>Thanks,<br />Sanjay</p>
<hr />
<b>Coming Soon - "Active Directory Security for Attackers and Defenders"</b> (posted 2020-04-28)<br />
<br />
Folks,<br />
<br />
From the U.S. Department of Defense to the Trillion $ Microsoft Corporation, and from the White House to the Fortune 100, today over 85% of organizations worldwide operate on Microsoft Active Directory.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-naffG4cMB-RQ5A7QvZSBi5tIDESgWp0lyyEu3EfObrIB22wvN0h7nEOZnoV-Zq5pg83WscdjfABZjWoiHpIJ0w2Kp3Abb-QT75sylCOQ2_y_MGVAoSR7suuYHAYq503VQziT8A_sEGWH/s1600/Active-Directory-Security.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-naffG4cMB-RQ5A7QvZSBi5tIDESgWp0lyyEu3EfObrIB22wvN0h7nEOZnoV-Zq5pg83WscdjfABZjWoiHpIJ0w2Kp3Abb-QT75sylCOQ2_y_MGVAoSR7suuYHAYq503VQziT8A_sEGWH/s640/Active-Directory-Security.jpg" width="640" /></a></div>
<br />
The cyber security of these <a href="https://www.paramountdefenses.com/insights/active-directory.html" target="_blank">foundational</a> Active Directory deployments worldwide is thus paramount to cyber security worldwide, and yet, unfortunately, the Active Directory deployments of most organizations remain <a href="https://www.paramountdefenses.com/insights/the-paramount-brief.html" target="_blank">alarmingly</a> vulnerable to compromise.<br />
<br />
To help thousands of organizations adequately bolster their existing Active Directory security defenses, and to help millions of cyber security and IT personnel worldwide enhance their proficiency in this paramount subject, starting May 05, 2020, I will personally be sharing Active Directory security insights for everyone's benefit, at the <a href="https://blog.paramountdefenses.com/" target="_blank">Paramount Defenses Blog</a>.<br />
<br />
Save the date - <span style="color: #cc0000;">May 05, 2020.</span><br />
<br />
Best wishes,<br />
Sanjay.<br />
<hr />
<b>The ONE Question NO ONE knows the Answer to at RSA Conference 2020</b> (posted 2020-02-21)<br />
<br />
Hello,<br />
<br />
On Monday, the <b><span style="font-size: large;">RSA Conference 2020</span> </b>will begin, where almost a thousand cyber security companies will showcase their greatest cyber security solutions to thousands of attendees, and where supposedly <i><span style="color: #cc0000; font-size: large;">"The World Talks Security!"</span></i><br />
<br />
<span style="color: #cc0000;"><span style="font-size: large;">If</span> that's the case, let's talk security -</span> I'd like to ask the <b>entire</b> RSA Conference just <span style="color: #cc0000; font-size: x-large;">1</span> simple cyber security question -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB2a_s3zlQQ8ufzN88NqlHEkxPNudYADh81UqZW6VPdQSpomIiIEMiQkltShwuc42Q96Iq7PwoAZ3CVYB5VEIoRHWYaOJ_5tR-D7EIreD14Dw4nUqO3aTLVRVgb7oyLIM-HuZOgYZVhQIW/s1600/Chair.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1067" data-original-width="1600" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB2a_s3zlQQ8ufzN88NqlHEkxPNudYADh81UqZW6VPdQSpomIiIEMiQkltShwuc42Q96Iq7PwoAZ3CVYB5VEIoRHWYaOJ_5tR-D7EIreD14Dw4nUqO3aTLVRVgb7oyLIM-HuZOgYZVhQIW/s640/Chair.jpg" width="640" /></a></div>
<blockquote class="tr_bq">
<span style="font-size: x-large;">Q</span>uestion: <span style="color: #cc0000;">Do the companies whose CISOs and cyber security personnel are attending the RSA Conference '20 have any idea <b>exactly</b> who has what privileged access in their foundational Active Directory deployments today?</span></blockquote>
<br />
<br />
If they <b>don't</b>, then perhaps instead of making the time to attend cyber security conferences, they should first focus on making this paramount determination, because without it, not ONE thing, let alone their entire organization, can be adequately secured.<br />
<br />
<br />
<br />
<b>Unequivocal <span style="color: #cc0000;">Clarity</span></b><br />
<br />
If this one simple question posed above isn't clear, here are <span style="color: #cc0000; font-size: large;">5</span> simple specific cyber security 101 questions to help gain clarity:<br />
<br />
<span style="font-size: large;">Does our organization know <span style="color: #cc0000;">exactly -</span></span><br />
<ul>
<li><span style="color: #cc0000;"><span style="font-size: large;">Q</span> 1.</span> Who can <span style="color: #cc0000;">run Mimikatz DCSync</span> against our Active Directory to instantly compromise everyone's credentials?</li>
<li><span style="color: #cc0000;"><span style="font-size: large;">Q</span> 2.</span> Who can <span style="color: #cc0000;">change the Domain Admins group's membership </span>to instantly gain privileged access company wide?</li>
<li><span style="color: #cc0000;"><span style="font-size: large;">Q</span> 3.</span> Who can <span style="color: #cc0000;">reset the passwords of, or disable the smart-card requirement on,</span> all Domain Admin equivalent privileged accounts?</li>
<li><span style="color: #cc0000;"><span style="font-size: large;">Q</span> 4.</span> Who can <span style="color: #cc0000;">link a malicious GPO to an(y) OU </span>in Active Directory to instantly unleash ransomware system-wide?</li>
<li><span style="color: #cc0000;"><span style="font-size: large;">Q</span> 5.</span> Who can <span style="color: #cc0000;">change or control who has what privileged access</span> in our Active Directory?</li>
</ul>
<br />
If an organization does not have <span style="color: #cc0000;">exact</span> answers to these <span style="color: #cc0000; font-size: large;">5</span> simple questions today, it has absolutely no idea as to exactly who has what privileged access in its foundational Active Directory, and thus, it has <span style="color: #cc0000;">absolutely no control</span> over cyber security.<br />
<br />
<br />
<b>This is <span style="color: #cc0000;">Paramount</span></b><br />
<br />
If you <span style="color: #cc0000;">don't </span>think that having exact answers to these questions is paramount, then you <span style="color: #cc0000;">don't</span> know a thing about cyber security.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNRp_IhGYZ6YIqYWJh00YduKM9UOsifU1h8gdTSnG35pVYBXd-Ntmi9Fb-Of08n7Cu3lNBemAXwAv3PmaJjSYBvYnSmSM11O4PjmUWFAayeT3BJQHQHyBAk0kEnXkGIYWoDu-5b43vy3rA/s1600/Paramount.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="250" data-original-width="900" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNRp_IhGYZ6YIqYWJh00YduKM9UOsifU1h8gdTSnG35pVYBXd-Ntmi9Fb-Of08n7Cu3lNBemAXwAv3PmaJjSYBvYnSmSM11O4PjmUWFAayeT3BJQHQHyBAk0kEnXkGIYWoDu-5b43vy3rA/s640/Paramount.png" width="640" /></a></div>
<br />
Just ask the world famous and globally trusted $10 Billion cyber security company <b>CrowdStrike</b>, and here's a <a href="https://www.crowdstrike.com/wp-content/brochures/datasheets/Datasheet_Active_Directory_Security_Assessment_v.03.09.18.pdf" rel="nofollow" target="_blank">quote</a> from them - "<i>A secure Active Directory environment can mitigate most attacks.</i>"<br />
<br />
<b><span style="color: #cc0000;">Zero</span> out of 1000</b><br />
<br />
There are almost 1000 cyber security companies exhibiting at the RSA Conference 2020, but guess how many of those 1000 companies could help you accurately determine the answers to the 5 simple questions asked above? The answer is <span style="color: #cc0000; font-size: large;">0</span>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHkdthr8WIMQDvdQUQRKyc0qlEZGDV_S0cYzsustZctYG4t1lHxPJ60KQV-Q-VTvrJ4y_d97_PxYR0b5BFHmdtY2SZosNiN7ePofxREIzIQEgDc-EiZ1n7Uky4QVg6AHF3FfXhFxhmzv6t/s1600/Zero.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="250" data-original-width="900" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHkdthr8WIMQDvdQUQRKyc0qlEZGDV_S0cYzsustZctYG4t1lHxPJ60KQV-Q-VTvrJ4y_d97_PxYR0b5BFHmdtY2SZosNiN7ePofxREIzIQEgDc-EiZ1n7Uky4QVg6AHF3FfXhFxhmzv6t/s640/Zero.png" width="640" /></a></div>
<br />
Not Microsoft, not EMC, not CrowdStrike, not FireEye, not Cisco, not IBM, not Symantec, not McAfee, not Palantir, not Tanium, not CyberArk, not Centrify, not Quest, not Zscaler, not BeyondTrust, not Thycotic, not Varonis, not Netwrix, not even HP, in fact no company exhibiting at RSA Conference 2020 has any solution that could help accurately answer these simple questions.<br />
<br />
That's right - not a single cyber security company in the world (barring one), let alone the entirety of all cyber security companies exhibiting at or sponsoring the RSA Conference 2020 can help organizations accurately answer these simple questions.<br />
<br />
<br />
<br />
<b><span style="color: #cc0000;">The </span>Key</b><br />
<br />
The key to being able to answer the leading question above, as well as the five simple cyber security questions posed above lies in having just <span style="color: #cc0000; font-size: large;">1</span> simple, fundamental cyber security capability - <a href="https://www.paramountdefenses.com/insights/active-directory-effective-permissions.html" target="_blank">Active Directory Effective Permissions</a>. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAHj20Kz5oLRLSx6cPnNClEhftZknj0HUJbKMlbWIDvMZ5z45HUs_kR-diCwemUVJkR2Ra9KyPZ8hvvzWLZ79NlMi_fEi91_TVgHiYzgWg8FG5BM38KzHlRBjt-AB6l8QMn6hgHCHcH4IY/s1600/The-Key.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="482" data-original-width="1600" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAHj20Kz5oLRLSx6cPnNClEhftZknj0HUJbKMlbWIDvMZ5z45HUs_kR-diCwemUVJkR2Ra9KyPZ8hvvzWLZ79NlMi_fEi91_TVgHiYzgWg8FG5BM38KzHlRBjt-AB6l8QMn6hgHCHcH4IY/s640/The-Key.jpg" width="640" /></a></div>
<br />
There's only <span style="color: #cc0000; font-size: large;">1</span> company on planet Earth that possesses this key, and it's not going to be at the RSA Conference 2020 - <a href="https://www.paramountdefenses.com/" target="_blank">this</a> one.<br />
<br />
<br />
<br />
Thanks,<br />
Sanjay.<br />
<hr />
<b>Who Needs WMDs (Weapons of Mass Destruction) Today?</b> (posted 2020-01-07)<br />
<br />
Folks,<br />
<br />
Today, <b>yet again</b>, I'd like to share with you a simple Trillion $ question, one that I had <a href="http://www.sanjaysblog.com/2006/09/who-needs-wmds-today.html" rel="nofollow" target="_blank">originally asked</a> more than 10 years ago, and recently <a href="https://www.cyber-security-blog.com/2017/01/who-needs-wmds-today.html" target="_blank">asked again</a> just about two years ago. Today it continues to be exponentially more relevant to the whole world.<br />
<br />
In fact, it is more relevant today than ever given the <a href="https://www.paramountdefenses.com/" target="_blank">paramount</a> role that cyber security plays in business and national security.<br />
<br />
<br />
So without further ado, here it is - <span style="color: #cc0000; font-size: large;">Who needs WMDs (Weapons of Mass Destruction) Today?</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNzRQ_Ac2b1g2oBrQl4Xn2R2YjTe2g00awpmk2mxLyfCCsFMyhb-LBLXQLwn9ecJgmzyrp_XAmjpFZhPzgxXkwZSBx45_zsfFw3aawrxNjkz4BlDmBXvU7Ab_hkSF3FOYNHLhkfPhBVomt/s1600/WMD.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1067" data-original-width="1600" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNzRQ_Ac2b1g2oBrQl4Xn2R2YjTe2g00awpmk2mxLyfCCsFMyhb-LBLXQLwn9ecJgmzyrp_XAmjpFZhPzgxXkwZSBx45_zsfFw3aawrxNjkz4BlDmBXvU7Ab_hkSF3FOYNHLhkfPhBVomt/s640/WMD.jpg" width="640" /></a></div>
<br />
<span style="color: #cc0000;">Ans:</span> Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.<br />
<br />
<br />
Why would an entity bother trying to acquire or use a WMD (or for that matter even a conventional weapon) when (if you're smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which governments, militaries and thousands of business organizations of the world operate?<br />
<br />
Today, all you need is two WDs in the same (pl)ACE and it's <b>Game Over</b>. <br />
<br />
<span style="color: #cc0000;">Puzzled?</span> Allow me to give you a HINT: <br />
<br />
Here’s a simple question: What does the following non-default string represent and why should it be a <span style="color: #cc0000;">great</span> cause of concern? <br />
<blockquote class="tr_bq">
(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)</blockquote>
<br />
Today, this one little question and the technicality I have shared above directly impacts the cyber security of <a href="https://www.paramountdefenses.com/insights/the-entire-world.html" target="_blank">the entire world</a>.<br />
<br />
<br />
If you read my words very carefully, <span style="color: #cc0000;">as you always should</span>, then you'll find that it shouldn't take an astute cyber security professional more than a minute to figure it out, given that I’ve actually already provided the answer above.<br />
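<br />
The hint above, like the five questions posed in the RSA Conference 2020 post earlier on this page (who can DCSync, who can rewrite the Domain Admins membership, who controls who has what access), turns on reading the ACEs in a DACL. What follows is an added example, written for this page and not code from the original posts or from Paramount Defenses: a small decoder for the SDDL form of an Active Directory DACL that reports (a) which trustees hold both replication extended rights a DCSync needs, explicitly per rightsGuid or implicitly through an unrestricted ControlAccess or GenericAll grant, (b) which trustees can rewrite the DACL or take ownership, and (c) any write or control right handed to a broad principal such as Everyone (SDDL <code>WD</code>). The principal abbreviations and two-letter rights codes are the standard SDDL ones and the two replication GUIDs are the documented rightsGuid values of DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; the <code>PAGE_DACL</code> constant is the string quoted above, copied verbatim including its stray spaces. It reads one DACL ACE by ACE, so deny ordering, group nesting, and ACEs inherited from parent objects are out of scope: that remaining gap is the effective-permissions problem.<br />

```python
"""SDDL DACL decoder that flags privileged Active Directory grants.
Added example for this post; not the post author's or Paramount Defenses' code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# SDDL abbreviations for well-known principals (the subset used on this page).
TRUSTEES: Dict[str, str] = {
    "WD": "Everyone", "AU": "Authenticated Users", "BU": "Builtin\\Users",
    "DU": "Domain Users", "BA": "Builtin\\Administrators", "DA": "Domain Admins",
    "EA": "Enterprise Admins", "SY": "SYSTEM", "ED": "Enterprise Domain Controllers",
    "RU": "Pre-Windows 2000 Compatible Access",
}
BROAD: Set[str] = {"WD", "AU", "BU", "DU"}  # anyone holding a domain account
ALLOW: Set[str] = {"A", "OA"}               # ACE types that grant (D / OD deny)

# SDDL rights code -> (name, ADS_RIGHTS_ENUM bit); the bit decodes hex masks.
RIGHTS: Dict[str, Tuple[str, int]] = {
    "CC": ("CreateChild", 0x1), "DC": ("DeleteChild", 0x2), "LC": ("ListChildren", 0x4),
    "SW": ("Self", 0x8), "RP": ("ReadProperty", 0x10), "WP": ("WriteProperty", 0x20),
    "DT": ("DeleteTree", 0x40), "LO": ("ListObject", 0x80), "CR": ("ControlAccess", 0x100),
    "SD": ("Delete", 0x10000), "RC": ("ReadControl", 0x20000), "WD": ("WriteDacl", 0x40000),
    "WO": ("WriteOwner", 0x80000), "GA": ("GenericAll", 0x10000000),
    "GX": ("GenericExecute", 0x20000000), "GW": ("GenericWrite", 0x40000000),
    "GR": ("GenericRead", 0x80000000),
}
WRITE_OR_CONTROL = {"WD", "WO", "GA", "GW", "WP", "CR", "CC", "DC", "SD", "DT"}
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All

@dataclass
class Ace:
    ace_type: str      # A / D (allow / deny), OA / OD (object-specific allow / deny)
    flags: Set[str]    # inheritance flags, e.g. {"CI", "IO"}
    rights: Set[str]   # two-letter rights codes, e.g. {"RP", "WD"}
    object_guid: str   # extended right / attribute / property-set GUID; "" = all
    inherit_guid: str  # object class that inherits the ACE; "" = all classes
    trustee: str       # SDDL abbreviation or literal SID

def _pairs(s: str) -> Set[str]: return {s[i:i + 2] for i in range(0, len(s), 2)}

def parse_sddl_dacl(sddl: str) -> List[Ace]:
    """Split a DACL into ACEs. A leading 'D:' and DACL control flags are skipped,
    stray whitespace (present in the page's string) is tolerated, a bad tuple raises."""
    aces: List[Ace] = []
    for m in re.finditer(r"\(([^()]*)\)", sddl):
        parts = [p.strip() for p in m.group(1).split(";")]
        if len(parts) != 6:
            raise ValueError("malformed ACE: (%s)" % m.group(1))
        ace_type, flags, rights, obj, inh, trustee = parts
        if rights.lower().startswith("0x"):  # numeric access-mask form
            codes = {c for c, (_, bit) in RIGHTS.items() if int(rights, 16) & bit}
        else:
            codes = _pairs(rights.upper())
        aces.append(Ace(ace_type.upper(), _pairs(flags.upper()), codes,
                        obj.lower(), inh.lower(), trustee.upper()))
    return aces

def who_controls_acl(aces: List[Ace]) -> Set[str]:
    """Q5: who can rewrite the DACL or take ownership, and so grant themselves anything."""
    return {a.trustee for a in aces if a.ace_type in ALLOW and a.rights & {"WD", "WO", "GA"}}

def who_can_dcsync(aces: List[Ace]) -> Set[str]:
    """Q1: who holds both replication rights, per rightsGuid or via unrestricted CR / GA."""
    result: Set[str] = set()
    per_guid: Dict[str, Set[str]] = {}
    for a in aces:
        if a.ace_type not in ALLOW or not a.rights & {"CR", "GA"}:
            continue
        if "GA" in a.rights or a.object_guid == "":  # no GUID = every extended right
            result.add(a.trustee)
        elif a.object_guid in (REPL_GET_CHANGES, REPL_GET_CHANGES_ALL):
            per_guid.setdefault(a.trustee, set()).add(a.object_guid)
    return result | {t for t, g in per_guid.items() if g == {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL}}

def broad_principal_findings(aces: List[Ace]) -> List[dict]:
    """Write or control rights handed to Everyone / Authenticated Users / Users / Domain Users."""
    out = []
    for a in aces:
        bad = a.rights & WRITE_OR_CONTROL if a.ace_type in ALLOW and a.trustee in BROAD else set()
        if bad:
            out.append({"trustee": TRUSTEES.get(a.trustee, a.trustee),
                        "rights": sorted(RIGHTS.get(r, (r, 0))[0] for r in bad),
                        "inherits": "CI" in a.flags})
    return out

# The DACL quoted in the post above, copied verbatim (stray spaces included).
PAGE_DACL = (
    "(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)"
    "(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)"
    "(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)"
    "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) "
    "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
)
```

Calling <code>parse_sddl_dacl(PAGE_DACL)</code> yields 22 ACEs. <code>who_can_dcsync</code> reports DA, BA, SY and EA (each holds ControlAccess with no rightsGuid, i.e. every extended right); ED is not reported because its three object-specific grants are Get-Changes, Synchronize and Manage-Topology, not Get-Changes-All. <code>who_controls_acl</code> reports those four plus WD, and <code>broad_principal_findings</code> returns exactly one entry: Everyone, WriteDacl, container-inherit. The parser also accepts the hex access-mask form SDDL falls back to and keeps deny ACEs out of the grant sets, which is the point of the <code>ALLOW</code> check. To run this against a live domain rather than a pasted string, export the DACL of the domain head (for example with <code>(Get-Acl "AD:\DC=corp,DC=example").Sddl</code> in PowerShell, where the DN is assumed) and feed it in; the caveat in the lead-in about inheritance, group nesting and deny ordering still applies.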
<br />
<br />
Today, the <span style="color: #cc0000;">CISO</span> of every organization in the world, whether it be a government, a military or a billion dollar company (of which there are dime a dozen, and in fact thousands worldwide) or a trillion dollar company <span style="color: #cc0000;">MUST</span> know the answer to this question.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiouaqGJP03qG3scOwXc6y88FvCBUQFMoSOVFzUfMclqBWH41xgkuCIRGDmkl32cM_pf7ccgnuqRUefsW6l6zswzTdMyhRq4dsKhSva-oHFaJ6t9dTXXMtHvd3r2Qbnw6yEtFOMuJ8Qi6cC/s1600/Cyber-Security-Insights.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="482" data-original-width="1600" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiouaqGJP03qG3scOwXc6y88FvCBUQFMoSOVFzUfMclqBWH41xgkuCIRGDmkl32cM_pf7ccgnuqRUefsW6l6zswzTdMyhRq4dsKhSva-oHFaJ6t9dTXXMtHvd3r2Qbnw6yEtFOMuJ8Qi6cC/s640/Cyber-Security-Insights.jpg" width="640" /></a></div>
<br />
They must know the answer because it directly <span style="color: #cc0000;">impacts</span> and <span style="color: #cc0000;">threatens</span> the foundational cyber security of their organizations.<br />
<br />
If they don't, (in my opinion) they likely shouldn't be the organization's CISO because what I have shared above could possibly be the single biggest threat to 85% of organizations worldwide, and it could be used to completely compromise them within minutes (and any organization that would like a demo in their real-world environment may feel free to request one.)<br />
<br />
Some of you will have figured it out. For the others, I'll finally shed light on the answer soon.<br />
<br />
Best wishes,<br />
<a href="http://www.sanjaytandon.com/" target="_blank">Sanjay</a><br />
<br />
<br />
PS: If you need to know right away, perhaps you should give your <a href="http://www.cyber-security-blog.com/2016/07/a-simple-100b-active-directory-security-question-for-alex-simons-at-microsoft.html" target="_blank">Microsoft contact</a> a call and ask them. If they too need some help (they likely will ;-)), tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root in seconds.)<br />
<br />
PS2: If this intrigues you, and you wish to learn more, you may want to read this - <a href="https://blog.paramountdefenses.com/2019/12/hello-world-we-are-paramount-defenses.html" target="_blank">Hello World</a> :-)<br />
<hr />
<b>What is Active Directory? (Cyber Security 101 for the Entire World)</b> (posted 2020-01-06)<br />
<br />
Folks,<br />
<br />
Today is January 06, 2020, and as <a href="https://www.cyber-security-blog.com/2019/12/its-time-to-help-defend-organizations-worldwide.html" target="_blank">promised</a>, here I am getting back to sharing perspectives on cyber security.<br />
<br />
<br />
<b>Cyber Security <span style="color: #cc0000;">101</span></b><br />
<br />
Perhaps a good topic to kick off the year is by seeking to ask and answer a simple yet vital question - <span style="color: #cc0000;"><b>What</b> is Active Directory?</span><br />
<br />
You see, while this question may seem simple to some (and it is), it's one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies <span style="color: #cc0000;">the key</span> to organizational cyber security worldwide.<br />
<br />
The simple reason for this is that if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure, and while it's true that at its <b>simplest</b>, it is a directory of all organizational accounts and computers, it is <b>this</b> shallow view that leads organizations to greatly diminish the real value of Active Directory to the point of sheer irresponsible cyber negligence because "<b>Who really cares about just a phone book?</b>"<br />
<br />
In fact, for two decades now, this has been the predominant view held by most CISOs and IT personnel worldwide, and sadly it is the negligence resulting from such a simplistic view of Active Directory that is likely the reason that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.<br />
<br />
Again, after all, <b>who</b> cares about a phone book?!<br />
<br />
<br />
<br />
<b>Active Directory - The Very <span style="color: #cc0000;">Foundation</span> </b><b>of </b><b>Organizational Cyber Security Worldwide</b><br />
<br />
If, as they say, "<i>A Picture is Worth a Thousand Words</i>", perhaps I should paint you a very simple Trillion $ picture -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7EGRSXN7KUyZhA67hADZpgDhyYa1_vaXcOdcntKcXjka6OBtBwg1aCBPlJhvuYV8EOMB-PJQziCk_l0ycGsy9gKUSXMqAIDp2fmMTpr84_m2HYdDbEGHGemkkKRy8gkWkgOoOopVcXiR_/s1600/microsoft-active-directory.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="615" data-original-width="634" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7EGRSXN7KUyZhA67hADZpgDhyYa1_vaXcOdcntKcXjka6OBtBwg1aCBPlJhvuYV8EOMB-PJQziCk_l0ycGsy9gKUSXMqAIDp2fmMTpr84_m2HYdDbEGHGemkkKRy8gkWkgOoOopVcXiR_/s1600/microsoft-active-directory.png" /></a></div>
<br />
An organization's Active Directory deployment is its single most valuable IT and corporate asset, worthy of the highest protection at all times, because <span style="color: #cc0000;">it is the very <b>foundation</b></span> of an organization's cyber security.<br />
<br />
<span style="color: #cc0000;">The entirety</span> of an organization's very building blocks of cyber security i.e. <span style="color: #cc0000;">all</span> the organizational user accounts and passwords used to <span style="color: #cc0000;">authenticate</span> their people, <span style="color: #cc0000;">all</span> the security groups used to aggregate and <span style="color: #cc0000;">authorize</span> access to all their IT resources, <span style="color: #cc0000;">all</span> their privileged user accounts, <span style="color: #cc0000;">all</span> the accounts of all their computers, including all laptops, desktops and servers are <span style="color: #cc0000;">all</span> stored, managed and secured <span style="color: #cc0000;"><b>in</b></span> (i.e. inside) the organization's foundational Active Directory, and all actions on them <span style="color: #cc0000;">audited</span> in it.<br />
<br />
In other words, should an organization's foundational Active Directory, or a single Active Directory privileged user account, be compromised, the entirety of the organization could be exposed to the risk of complete, swift and colossal compromise.<br />
<br />
<br />
<b>Active Directory Security Must Be </b><b><span style="color: #cc0000;">Organizational Cyber Security</span> <span style="color: #cc0000;">Priority #1</span></b><br />
<br />
Today, ensuring the highest protection of an organization's foundational Active Directory deployment <span style="color: #cc0000;">must</span> undoubtedly be the <span style="color: #cc0000;"><b>#1</b></span> priority of every organization that cares about cyber security, protecting shareholder value and business continuity.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDkSCewfDDttqD4IYjwAF4pYmP3z98M6VLonwjBd0HYmVjRuRjiSCXenhH33Rq7TZC3UYaMCkEEE0smCbeYMHfKjhzJnIjhAYGBOQva20wWeBjKsdOC4JNvlaI5E_gfBiM4Y2AOc_q3iED/s1600/active-directory-security-is-paramount.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="599" data-original-width="1600" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDkSCewfDDttqD4IYjwAF4pYmP3z98M6VLonwjBd0HYmVjRuRjiSCXenhH33Rq7TZC3UYaMCkEEE0smCbeYMHfKjhzJnIjhAYGBOQva20wWeBjKsdOC4JNvlaI5E_gfBiM4Y2AOc_q3iED/s640/active-directory-security-is-paramount.jpg" width="640" /></a></div>
<br />
<div style="text-align: center;">
Here's why - A deeper, detailed look into <a href="https://blog.paramountdefenses.com/2020/01/what-is-active-directory.html"><span style="font-size: x-large;">What is Active Directory</span></a> <span style="font-size: x-large;">?</span></div>
<br />
<br />
For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security.)<br />
<br />
<br />
<br />
In essence, today every organization in the world is <span style="color: #cc0000;">only as secure</span> as is its foundational Active Directory deployment, and from the <a href="https://www.paramountdefenses.com/insights/for-ceos.html" target="">CEO</a> to the <a href="https://www.paramountdefenses.com/insights/for-cisos.html" target="">CISO</a> to an organization's <a href="https://www.paramountdefenses.com/insights/for-investors-and-shareholders.html" target="">shareholders</a>, <a href="https://www.paramountdefenses.com/insights/for-citizens.html" target="">employees</a> and <a href="https://www.paramountdefenses.com/insights/for-citizens.html">customers</a>, everyone should know this cardinal fact.<br />
<br />
Best wishes,<br />
Sanjay.<br />
<hr />
<b>It's Time to Help Defend Organizations Worldwide</b> (posted 2019-12-06)<br />
<br />
Folks,<br />
<br />
I trust this finds you all doing well. It has been a few months since I last blogged - pardon the absence. I had to focus my energies on helping the world get some <a href="https://www.paramountdefenses.com/" target="_blank">perspective</a>, getting <a href="https://www.paramountdefenses.com/products/goldfinger-007g.html" target="_blank">007G</a> ready for launch, and dealing with a certain nuisance.<br />
<br />
Having successfully accomplished all three objectives, it is TIME to help defend organizations worldwide from the SPECTRE of potentially colossal compromise, which is a real cyber security risk that looms over 85% of organizations worldwide.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTmzsRNRP5lE2z6cy5aozBMhtC-X_engSv4-PRl9wTG_gzNPNTY7u1Yv-9ikO-yjo4-M6KbX4M1ABFu95wk_qY7xy8qyu1jXe_Sts6yQP1uY2eZ5Pnbqn6mc-3_scNBzdjNMndG8-08bUX/s1600/London.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="297" data-original-width="1600" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTmzsRNRP5lE2z6cy5aozBMhtC-X_engSv4-PRl9wTG_gzNPNTY7u1Yv-9ikO-yjo4-M6KbX4M1ABFu95wk_qY7xy8qyu1jXe_Sts6yQP1uY2eZ5Pnbqn6mc-3_scNBzdjNMndG8-08bUX/s640/London.jpg" width="640" /></a></div>
<br />
When you <a href="https://www.paramountdefenses.com/insights.html" target="_blank">know</a> as much as I do, care as much as I do, and possess as much <a href="https://www.paramountdefenses.com/solutions.html" target="_blank">capability</a> as I do, you not only shoulder a great responsibility, you almost have an obligation to educate the whole world about cyber security risks that threaten their security.<br />
<br />
So, even though I barely have any time to do this, in the interest of foundational cyber security worldwide, I'm going to start sharing a few valuable perspectives again, and do so, on this blog, <a href="https://www.active-directory-security.com/" target="_blank">that</a> blog and the official PD blog (see below).<br />
<br />
<br />
Speaking of which, earlier this week, I had the PRIVILEGE to launch the official PD blog - <a href="https://blog.paramountdefenses.com/">https://blog.paramountdefenses.com</a><br />
<br />
<br />
Stay tuned for some valuable cyber security insights right here from January 06, 2020,<br />
and let me take my leave with a befitting song (and one of my favorites) -<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/mNgdH1OVs4Q/0.jpg" frameborder="0" height="337" src="https://www.youtube-nocookie.com/embed/mNgdH1OVs4Q?feature=player_embedded" width="600"></iframe></div>
<br />
Best wishes,<br />
Sanjay.<br />
<br />
<br />
PS: Just a month ago, the $ Billion Czech cyber security company Avast was substantially compromised, and guess what the perpetrators used to compromise them? They used the EXACT means I had clearly warned about TWO years ago, right <a href="https://www.cyber-security-blog.com/2017/10/a-massive-cyber-breach-whilst-considering-the-cloud.html" target="_blank">here</a>.<br />
<br />
<br />
<h2>A Simple Trillion$ Cyber Security Question for the Entire RSA Conference</h2>
<span style="color: #999999;">Published 2019-03-07, updated 2019-12-02</span><br />
<br />
Folks,<br />
<br />
This week, the famous <b><span style="font-size: large;">RSA Conference 2019</span> </b>is underway, where supposedly <i><span style="color: #cc0000; font-size: large;">"The World Talks Security" -</span></i><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYmUIaywF-BAo_I0L2WJfQkUeo0JeQ3A7xVRHmJdPYxSmrr_EIG39R1OodUgnGGcPM6rfghpVCHJSzuLw43puPTmg9XKk9UVCCRzyjy2NPZ1CCyMKxLx9FuZkO_QkfOOy0l4sIMZz9RSS1/s1600/corporate-corridor.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="264" data-original-width="700" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYmUIaywF-BAo_I0L2WJfQkUeo0JeQ3A7xVRHmJdPYxSmrr_EIG39R1OodUgnGGcPM6rfghpVCHJSzuLw43puPTmg9XKk9UVCCRzyjy2NPZ1CCyMKxLx9FuZkO_QkfOOy0l4sIMZz9RSS1/s640/corporate-corridor.png" width="640" /></a></div>
<br />
<span style="color: #cc0000;"><span style="font-size: large;">If</span> that's the case, let's talk - </span>I'd like to respectfully ask the entire RSA Conference just <span style="color: #cc0000; font-size: x-large;">1</span> simple cyber security question -<br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-large;">Q</span>uestion: <span style="color: #cc0000;">What lies at the very foundation of cyber security and privileged access of</span> not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?</blockquote>
<br />
<blockquote class="tr_bq">
For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 <a href="http://www.paramountdefenses.com/" target="_blank">here</a>.</blockquote>
<br />
<br />
<br />
<span style="color: #38761d;"><span style="font-size: large;">F</span>or those who may </span>know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaU_rgU7S3HN3vtF6tWKsiJdRXvIaYB4aD3pSBmM1mCO8YYSQaCVm5UI2-MkfkGfW9wLcbNiEeuu6mwfkUeHDvFrgvO3eGtRIJh9715bvFxOlL2-MJey_3vVO8MdnfUauoWUO6HshkXi2T/s1600/Active-Directory-Security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="125" data-original-width="640" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaU_rgU7S3HN3vtF6tWKsiJdRXvIaYB4aD3pSBmM1mCO8YYSQaCVm5UI2-MkfkGfW9wLcbNiEeuu6mwfkUeHDvFrgvO3eGtRIJh9715bvFxOlL2-MJey_3vVO8MdnfUauoWUO6HshkXi2T/s640/Active-Directory-Security.png" width="640" /></a></div>
<br />
<ul>
<li><span style="color: #cc0000;"><span style="font-size: large;">Q</span> 1.</span> Should your organization's foundational Active Directory be compromised, what could be its impact?</li>
<li><span style="color: #cc0000;"><span style="font-size: large;">Q</span> 2.</span> Would you agree that the (unintentional, intentional or coerced) compromise of a <span style="color: #cc0000;">single</span> Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?</li>
<li><span style="color: #cc0000;"><span style="font-size: large;">Q</span> 3.</span> If so, then do you know that there is <a href="https://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">only one correct way</a> to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?</li>
<li><span style="color: #cc0000;"><span style="font-size: large;">Q</span> 4.</span> <span style="color: #cc0000;">If you don't</span>, then how could you possibly know <span style="color: #cc0000;">exactly</span> how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know, ...OMG... ?!</li>
</ul>
<br />
<span style="color: #cc0000;"><span style="font-size: large;">Y</span>ou see</span>, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the <i><span style="color: #cc0000;">Keys to their Kingdom(s)</span> </i>?!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTf6TOtSn05V7gDUCSigf9e8kQuGe9Lrirk4pW_WjBy2N5ME0IyisYsBWt-Z24xONKIS8wniYvQViIS6HNpyNrcBWN2qLWlxQ4rmWlAyKKMtkEArxAlxNvdGZE1dFP2xEPTp__xhDGtUwF/s1600/Cyber-Security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="320" data-original-width="1100" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTf6TOtSn05V7gDUCSigf9e8kQuGe9Lrirk4pW_WjBy2N5ME0IyisYsBWt-Z24xONKIS8wniYvQViIS6HNpyNrcBWN2qLWlxQ4rmWlAyKKMtkEArxAlxNvdGZE1dFP2xEPTp__xhDGtUwF/s640/Cyber-Security.png" width="640" /></a></div>
<br />
<span style="color: #cc0000; font-size: large;">T</span><span style="color: #cc0000;">oday</span> Active Directory is at the very <b><span style="color: #cc0000;"><a href="https://www.paramountdefenses.com/active-directory.html" target="_blank">heart</a></span></b> <span style="color: #cc0000;">of Cyber Security and Privileged Access</span> at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations <span style="color: #cc0000;">accurately</span> identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.<br />
<br />
<span style="font-size: large;">T</span>hose who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without <i><span style="color: #cc0000;">first</span></i> being able to accurately identify privileged users in Active Directory.<br />
<br />
Best wishes,<br />
<a href="http://www.paramountdefenses.com/leadership.html" target="_blank">Sanjay</a><br />
<br />
<br />
PS: <a href="https://www.active-directory-security.com/2019/02/pardon-the-delay-and-goldfinger-6.5.html" target="_blank">Pardon the delay</a>. I've been busy and haven't had much time to blog since my last post on <a href="https://www.cyber-security-blog.com/2018/11/cyber-security-101-for-the-c-suite.html" target="_blank">Cyber Security 101 for the C-Suite</a>.<br />
<br />
PS2: Microsoft, when were you planning to start <a href="https://www.active-directory-security.com/2017/01/advanced-active-directory-security-school-for-microsoft.html" target="_blank">educating</a> the world about what's actually <a href="https://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">paramount</a> to their cyber security?<br />
<br />
<h2>Cyber Security 101 for the C-Suite - Active Directory Security is Paramount</h2>
<span style="color: #999999;">Published 2018-11-05</span><br />
<br />
Folks,<br />
<br />
Today's post is for all the executives who comprise the C-Suite at thousands of organizations worldwide.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg84lB1gMN-s0pnagI9I1Nf5kmyrISp12ixpMYBNfP-hYCdFmLpG8CgBWoZHiFyKH98r7D5nT-sBzLMLJaADiQfDkU4Sox7rZImv2pHo9T9gzcMR8sSWvL4RO3uF8Uvend_LDh63RUGATPs/s1600/Corporate-Boardroom.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="399" data-original-width="600" height="424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg84lB1gMN-s0pnagI9I1Nf5kmyrISp12ixpMYBNfP-hYCdFmLpG8CgBWoZHiFyKH98r7D5nT-sBzLMLJaADiQfDkU4Sox7rZImv2pHo9T9gzcMR8sSWvL4RO3uF8Uvend_LDh63RUGATPs/s640/Corporate-Boardroom.jpg" width="640" /></a></div>
<br />
I pen today's post with profound respect for all executives worldwide, because I understand first-hand just how important the nature of their responsibilities is, how valuable their time is, and how far-reaching the consequences of their decisions are.<br />
<br />
<blockquote class="tr_bq">
<u><span style="color: #cc0000;">A quick footnote</span></u> for all C*Os: In case you're wondering who I am to be penning this, I'm a former Microsoft Program Manager for Active Directory Security. Relevance? Microsoft's Active Directory is the foundation of your entire organization's cyber security. Finally, like you, I also happen to be the CEO of a $ Billion+ company.</blockquote>
<br />
Today's post is in the form of a simple letter, which follows below.<br />
<br />
Thanks,<br />
Sanjay<br />
<br />
<br />
<span style="color: #999999;"><Begin Letter></span><br />
<br />
<h2 style="text-align: center;">
<b>Subject - <span style="color: #cc0000;">Cyber Security 101 for the C-Suite</span></b></h2>
<b>To</b>: <span style="color: #38761d;">Chairmen, CEOs and CFOs Worldwide</span><br />
<br />
<br />
<br />
Dear C*O,<br />
<br />
Hi, I'm Sanjay, a former Microsoft Program Manager for Active Directory Security, but more importantly a sincere well-wisher who cares deeply about cyber security, and who just happens to know a thing or two about the technology that lies at the very foundation of cyber security of your ($ Billion to $ Trillion) organization, and those of 85% of all organizations worldwide.<br />
<br />
I write to you to bring to your attention a matter of paramount importance to your organization's foundational security.<br />
<br />
<br />
<br />
<b><span style="color: #38761d;">Context </span><span style="color: #999999;">- Foundational Security</span></b><br />
<br />
Today we all engage in business in what is essentially a global digital village, wherein just about every aspect of business, whether it be production, marketing, sales, customer-service, collaboration, finance etc. etc. substantially relies on technology.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDDsG_lI9rH4I-e4CsxLROkF9WuQsJBLpjLNFnWPamP9toer3IR8uULXZEBWNB72KSD1LhHZIS0CpNqjDqaBkuF0NDG3t3ZiBcZvuvijR0fhOsIwmoWXtto3iPGSpOGqG_ugw6L5m7iIzu/s1600/Digital-Business.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDDsG_lI9rH4I-e4CsxLROkF9WuQsJBLpjLNFnWPamP9toer3IR8uULXZEBWNB72KSD1LhHZIS0CpNqjDqaBkuF0NDG3t3ZiBcZvuvijR0fhOsIwmoWXtto3iPGSpOGqG_ugw6L5m7iIzu/s640/Digital-Business.jpg" width="640" /></a></div>
<br />
Within our respective organizations, it is our IT infrastructure that enables and empowers our workforce to engage in business.<br />
<br />
For instance, we all (including us C*Os) log on to a computer every day, send and receive email, and create, share and access digital assets (e.g. documents, applications, services etc.) all of which are securely stored on our organizational computers.<br />
<br />
<span style="color: #38761d;">It is only logical then that </span>ensuring the security of the very IT infrastructure that enables and empowers our entire workforce to engage in business digitally, and the security of our digital assets is vital. In other words, <span style="color: #38761d;">cyber security is very important.</span><br />
<br />
Now, if I told you that at the very foundation of your entire IT infrastructure, and consequently at the very foundation of the security of all your digital assets lay a single high-value asset, then I think you'd agree that <i>its </i>security would be paramount.<br />
<br />
<span style="color: #cc0000;">At the very foundation </span>of your organization's IT infrastructure and that of its cyber security, and by corollary the cyber security of the entirety of all your digital assets (e.g. thousands of computers, thousands of employee user accounts and passwords, every single organizational email sent and received every minute of every day, all your applications, services, Intranet portals, Internet facing applications etc.) as well as the entirety of your organization's data, <span style="color: #cc0000;">lies a single technology - Microsoft Active Directory.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBq98IuLKFwqjUs64xtP0CAJUpTVgVMWLP8IgjXp15ZhplGveht5SP3ajT6kx62rW0BBps0_-GA9fIfCcOM14OXk85Y_hJfmnb0REZ8_UFKm6iaX2_OsvW96yB-HmguGgJ2nShwdk9cZCi/s1600/Active-Directory-Security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="125" data-original-width="640" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBq98IuLKFwqjUs64xtP0CAJUpTVgVMWLP8IgjXp15ZhplGveht5SP3ajT6kx62rW0BBps0_-GA9fIfCcOM14OXk85Y_hJfmnb0REZ8_UFKm6iaX2_OsvW96yB-HmguGgJ2nShwdk9cZCi/s640/Active-Directory-Security.png" width="640" /></a></div>
<br />
Most simply put, Active Directory is the database that contains, stores and protects the entirety of your organization's building blocks of cyber security - each one of thousands of user accounts and their passwords, each one of thousands of computer accounts (for all laptops, desktops, servers etc.), each one of thousands of security groups that protect all your data etc. etc.<br />
<br />
If your organization's Active Directory were compromised, <span style="color: #cc0000;">everything</span> would immediately be exposed to the risk of compromise.<br />
<br />
Thus, as you'll hopefully agree, ensuring the security of your organization's foundational Active Directory is, well, <span style="color: #cc0000;">paramount</span>.<br />
<br />
<br />
<b><span style="color: #cc0000;">A Provable Concern </span><span style="color: #999999;">- Inadequate Protection</span></b><br />
<br />
Now, you're most likely thinking - <i>Well, if that's the case, I'm sure that our CIO, our CISO and their world-class IT and Cyber Security teams know all this, and have it adequately taken care of, so why should I be concerned?</i><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2Du-hfQkS3xScaFWaJeHHCj5ednDs4K5HouDyblCzimJfwehp5F4KJA79HDcWdywRAjoklNzBJQlpVk8OyAc9Zwj4HD92gNpswAl1WNgZ6iuXK7-9Rc_PnKhdq8Zc_mxrQBNcsBO6geEz/s1600/A-Concerned-CEO.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="595" data-original-width="1487" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2Du-hfQkS3xScaFWaJeHHCj5ednDs4K5HouDyblCzimJfwehp5F4KJA79HDcWdywRAjoklNzBJQlpVk8OyAc9Zwj4HD92gNpswAl1WNgZ6iuXK7-9Rc_PnKhdq8Zc_mxrQBNcsBO6geEz/s640/A-Concerned-CEO.png" width="640" /></a></div>
<br />
<span style="color: #cc0000;">Here's why you should be concerned</span> - In all likelihood, not only may your world-class IT and Cyber Security teams not have this adequately covered, they may have yet to realize just how very important, and in fact paramount Active Directory security is.<br />
<br />
Further, they likely may not know <a href="https://www.paramountdefenses.com/defending-active-directory-against-cyberattacks.html" target="_blank">what it actually takes</a> to adequately secure your organization's foundational Active Directory.<br />
<br />
Now, as incredible as that may sound, you have to trust me on this, not because I'm asking you to do so as a concerned well-wisher, but because I'm asking you to do so as arguably the world's #1 subject matter expert on Active Directory Security.<br />
<br />
You see, prior to doing what I currently do, I was Microsoft's subject matter expert for Active Directory Security on Microsoft's Windows Server Development team. In case you're curious as to what I currently do with all this knowledge, well, it's <a href="https://www.paramountdefenses.com/company/develop-innovative-mission-critical-cyber-security-solutions.html" target="_blank">this</a>.<br />
<br />
As the world's leading subject matter expert on Active Directory Security, I would highly encourage you to ask your IT and Cyber Security leadership, specifically your CIO and your CISO, just how secure they think your organization's Active Directory is.<br />
<br />
<br />
<br />
<b><span style="color: #cc0000;">Simple Proof </span><span style="color: #999999;">- You Just Have to Ask</span></b><br />
<br />
When you ask them about it, please do request specific answers, and here are 7 simple questions you can ask them, the answers to which will give you an indication of just how secure your organization's Active Directory <i>actually</i> is today -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgteWi0A1NU4_eHUSJbEkB7_9LVZEu9xbYERZXAetfIRhw-gHtgPd-5PgudYPQhhqjycNBgOb_3KCV1BbDDHQ05bGNFGJmgErgh_VgU0Gb92WpJuP0s9ByYRX74wXPCyubRWZW4PbjpqX5/s1600/Privileged-Access.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgteWi0A1NU4_eHUSJbEkB7_9LVZEu9xbYERZXAetfIRhw-gHtgPd-5PgudYPQhhqjycNBgOb_3KCV1BbDDHQ05bGNFGJmgErgh_VgU0Gb92WpJuP0s9ByYRX74wXPCyubRWZW4PbjpqX5/s640/Privileged-Access.jpg" width="640" /></a></div>
<br />
<ol>
<li>Is the security of our foundational Active Directory deployment a top cyber security priority today?</li>
<li>Do we know exactly what the <a href="https://www.active-directory-security.com/2017/06/the-top-5-cyber-security-risks-to-active-directory.html" target="_blank">Top-5 security risks</a> to our foundational Active Directory are?</li>
<li>Do our Active Directory Admins know what <a href="https://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Active Directory Effective Permissions</a> are?</li>
<li>Do we know exactly who possesses what level of <a href="https://www.paramountdefenses.com/cyber-security/privileged-access.html" target="_blank">privileged access</a> in our Active Directory?</li>
<li>Do we know exactly who can control/manage each one of our Active Directory privileged accounts and groups?</li>
<li>Do we know exactly who can run <a href="https://www.cyber-security-blog.com/2017/10/a-massive-cyber-breach-whilst-considering-the-cloud.html" target="_blank">Mimikatz DCSync</a> against our Active Directory today?</li>
<li>Can you tell me exactly <a href="https://www.paramountdefenses.com/goldfinger-mini.html" target="_blank">who can reset my domain user account's password</a> to then be able to log in as me?</li>
</ol>
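Questions 3 to 7 above, like Q3 of the RSA Conference post earlier on this page, turn on the gap between who an ACL <i>names</i> and who <i>effectively</i> holds a right once nested group membership, explicit versus inherited ACEs and deny ACEs are evaluated in the canonical order Windows uses. The Python model below is an added illustration, not the author's or Paramount Defenses' code: the groups, users and DACL are constructed sample data, and rights are referred to by schema name where real ACEs carry the right's GUID.<br />

```python
"""Effective versus nominal permissions in an Active Directory DACL (toy model).

Added example with constructed data. Rights are named by their schema display
name here; real ACEs carry the right's GUID, and real tokens hold SIDs, not names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    kind: str                 # "allow" or "deny"
    trustee: str              # the user or group the ACE applies to
    right: str                # an extended right, or "GenericAll" (full control)
    inherited: bool = False   # inherited from a parent OU/domain vs. set explicitly


# Constructed sample directory: group -> direct members (users or nested groups).
GROUPS = {
    "Domain Admins": {"alice"},
    "Helpdesk": {"Helpdesk-Tier1", "carol"},
    "Helpdesk-Tier1": {"bob"},
    "Contractors": {"dave"},
}


def token(principal):
    """Identities an access token for `principal` carries: the principal itself
    plus every group that contains it directly or through nesting."""
    ids = {principal}
    changed = True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in ids and members & ids:
                ids.add(group)
                changed = True
    return ids


def canonical(dacl):
    """Windows evaluates a DACL in canonical order: explicit deny, explicit allow,
    inherited deny, inherited allow. Sorting on (inherited, is_allow) reproduces it."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind == "allow"))


def has_effective_right(principal, dacl, right):
    """Walk the ACEs in canonical order; the first ACE whose trustee is in the
    token and whose right covers `right` decides. No match means implicit deny."""
    ids = token(principal)
    for ace in canonical(dacl):
        if ace.trustee not in ids:
            continue
        if ace.right != right and ace.right != "GenericAll":
            continue
        return ace.kind == "allow"
    return False


def nominal_holders(dacl, right):
    """The naive read: trustees named in allow ACEs for exactly this right."""
    return {a.trustee for a in dacl if a.kind == "allow" and a.right == right}


def effective_holders(dacl, right, principals):
    """The audit answer the questions above ask for: who ends up with the right."""
    return {p for p in principals if has_effective_right(p, dacl, right)}


# Constructed DACL on one executive's user object.
RESET_PW = "User-Force-Change-Password"          # the "reset password" extended right
CEO_DACL = [
    Ace("allow", "Domain Admins", "GenericAll", inherited=True),
    Ace("allow", "Helpdesk", RESET_PW),          # explicit allow to a nested group
    Ace("deny", "carol", RESET_PW),              # explicit deny for one Helpdesk member
    Ace("deny", "Contractors", RESET_PW, inherited=True),
    Ace("allow", "dave", RESET_PW),              # explicit allow outranks the inherited deny
]
USERS = ["alice", "bob", "carol", "dave", "erin"]

if __name__ == "__main__":
    print("nominal  :", sorted(nominal_holders(CEO_DACL, RESET_PW)))
    print("effective:", sorted(effective_holders(CEO_DACL, RESET_PW, USERS)))
```

Reading the allow ACEs alone names Helpdesk and dave; the effective answer is alice, bob and dave, with carol excluded by her explicit deny. A real access check additionally weighs the object owner's implicit rights and per-property and inheritance flags, which this model omits.<br />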
<br />
I could suggest 50 such elemental cyber security questions, but for now these 7 simple, precise questions will suffice as there are only 2 possibilities here - either your IT and cyber security leadership have exact answers to these questions, or they don't.<br />
<br />
<span style="color: #cc0000;">If they can't give you exact answers</span> to these questions, your organization's Active Directory is not secure - <span style="color: #cc0000;">it's as simple as that</span>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrmyvFAjjeEgiIDodpTPKkhFzaLTtG-K9VWiNjq0zXtJ7lVABJBEL9HcXkyGc0-1hRJ_-93QZIqXYjsse1Zu1LHWKFIb4vi7OXJbAQxJYMknw8ZO4NJUCJsXKRYiUYdzXVpTgS6k8kpMl9/s1600/The-Truth.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="736" data-original-width="1235" height="380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrmyvFAjjeEgiIDodpTPKkhFzaLTtG-K9VWiNjq0zXtJ7lVABJBEL9HcXkyGc0-1hRJ_-93QZIqXYjsse1Zu1LHWKFIb4vi7OXJbAQxJYMknw8ZO4NJUCJsXKRYiUYdzXVpTgS6k8kpMl9/s640/The-Truth.png" width="640" /></a></div>
<br />
They might tell you that this is complicated or that they have a good approximation, or that this is very difficult to do, or that they have many other latest buzzword measures like Active Directory Auditing, Privileged Access Management, ATA, Just-in-Time Administration etc. in place, but none of that matters, because the truth is simple - <span style="color: #cc0000;">they either have <u>exact</u> answers, or they don't</span>.<br />
<br />
(These questions are paramount to cyber security, and today there <a href="https://www.paramountdefenses.com/solutions/privileged-access-audit.html" target="_blank">exists</a> technology that can enable every organization in the world to answer them precisely, but because Microsoft <a href="https://www.active-directory-security.com/2017/01/advanced-active-directory-security-school-for-microsoft.html" target="_blank">likely forgot</a> to adequately educate its customers, your IT personnel may likely not even know the importance of these paramount questions, let alone knowing <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">what it takes</a> to correctly answer them.)<br />
<br />
If a $Billion+ organization doesn't even know <span style="color: #cc0000;">exactly</span> who has what privileged access in their Active Directory, as well as <span style="color: #cc0000;">exactly</span> who can manage each one of their privileged accounts and groups, how could their Active Directory possibly be secure?<br />
<br />
If an organization's foundational Active Directory is not secure, how can the entirety of the organization's digital (IT) assets be secure, and if that's not the case, how could an organization possibly be considered secure from a cyber security perspective?<br />
<br />
<br />
<b><span style="color: #38761d;">Driving Change</span></b><br />
<br />
As a member of the C-Suite, you not only have the privilege of being able to impact vital change in your organization, you also have the responsibility and the authority to demand and ensure the cyber security of the very foundation of your organization.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw3ACouGjONKK0yzzNrn2axep1QJhuGRYMP4Tpfhx9tGDcUSoH-ciY0cnJor01oQmWhZKP7hV-WnOGAqvQxq-OSVrzsJh1P5wVk7Q1SqOTdnL3nMQuvVZ5dPBjDgxqCK12dBR2WiWq0tqF/s1600/CEO.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="914" data-original-width="1600" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw3ACouGjONKK0yzzNrn2axep1QJhuGRYMP4Tpfhx9tGDcUSoH-ciY0cnJor01oQmWhZKP7hV-WnOGAqvQxq-OSVrzsJh1P5wVk7Q1SqOTdnL3nMQuvVZ5dPBjDgxqCK12dBR2WiWq0tqF/s640/CEO.png" width="640" /></a></div>
<br />
As a C*O, one of the most important responsibilities you shoulder is ensuring that your organization is secure, and ensuring that the very foundation of your organization's IT infrastructure and cyber security is always adequately protected is paramount.<br />
<br />
<b><span style="color: #38761d;">The Likely Reason </span><span style="color: #38761d;"><span style="color: #999999;">(Optional Reading)</span></span></b><br />
<br />
Here's the likely reason for why such a common-sense yet paramount matter may not be on your CIO's and CISO's radar yet.<br />
<br />
You see, your CIO and CISO shoulder great responsibility. Unfortunately, amongst many other things, they're likely also being guided by inputs from a thousand cyber security companies, who unfortunately may not be the best source of objective guidance.<br />
<br />
For instance, consider CyberArk, a highly respected $ Billion+ cyber security company, that claims that <i>over 50% of the Fortune 100's CISOs rely on them</i>. As a subject matter expert, I can tell you that <a href="https://www.cyber-security-blog.com/2017/12/privileged-account-security-guidance-for-cyberark.html" target="_blank">CyberArk itself may not know</a> how to correctly assess privileged access in an Active Directory, so you see, unfortunately your CIO and CISO may not be getting the best guidance.<br />
<br />
CyberArk is absolutely correct that "<i>Privilege is Everywhere.</i>" However, those who know Windows Security will tell you that in a Windows network powered by Active Directory, the majority of all privileged access (delegated & unrestricted) lies <b>inside</b> Active Directory, but CyberArk doesn't seem to have the capability to correctly audit privileged access inside Active Directory.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwYoujIHTQx-BvMcORm_zmbORT0JNKrTtcybIQemWvdcbaVtFQAU-W7fO14FEchsGNhbS7xkyHRS1JI7MDGT_0O07Dl2rrKPGIJwHwgIIjWz2AazNLgqEe_JodUALqKKmDvY0Sfts4KDVo/s1600/Active-Directory-Privileged-Access.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="155" data-original-width="801" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwYoujIHTQx-BvMcORm_zmbORT0JNKrTtcybIQemWvdcbaVtFQAU-W7fO14FEchsGNhbS7xkyHRS1JI7MDGT_0O07Dl2rrKPGIJwHwgIIjWz2AazNLgqEe_JodUALqKKmDvY0Sfts4KDVo/s640/Active-Directory-Privileged-Access.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The majority of all Privileged Access, including the "<span style="color: #cc0000;">Keys to the Kingdom</span>", resides inside Active Directory</td></tr>
</tbody></table>
<br />
CyberArk isn't alone. As unbelievable as it may sound, today <a href="https://www.active-directory-security.com/2017/09/active-directory-access-control-lists-attack-and-defense.html" target="_blank">even Microsoft doesn't seem to know</a> what it takes to do so, let alone possessing the capability to help its customers correctly do so. In fact, most of the world's top IT Consulting, Audit, Cloud and Cyber Security companies also operate on Active Directory, and they too likely have neither a clue nor the capability to accurately determine exactly who has what privileged access in their own foundational Active Directory deployments.<br />
<br />
You may find this hard to believe, but of the <a href="https://www.rsaconference.com/events/us19/expo-sponsors/exhibitor-list" target="_blank">1000+ cyber security companies</a> exhibiting or presenting at the upcoming <i>RSA Conference 2019</i>, not a single one of them can help your organization's IT personnel fulfill such a fundamental yet paramount cyber security need - finding out exactly who has what privileged access in your organization's foundational Active Directory.<br />
<br />
In their defense, I'll say this - if it were easy, they would've all done it by now. Unfortunately, as <a href="https://www.paramountdefenses.com/company/cyber-security-innovation.html" target="_blank">paramount</a> as it is, it's <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">not</a> easy.<br />
<br />
<span style="color: #cc0000;">Thus, I know what your CIO and CISO may perhaps not yet know, or understand the paramount importance of, which is that </span>of all the things that need to be secured, none could possibly be more important than securing your organization's foundational Active Directory, so I thought I'd share this with you, because as a member of the C-Suite, you could provide them strategic guidance and the executive support that their teams need to accomplish this paramount objective for your organization.<br />
<br />
<br />
<br />
<b><span style="color: #38761d;">In Conclusion</span></b><br />
<br />
I only wrote this letter because we're all in this together, and I care deeply about foundational cyber security, as hopefully do you, and I felt that I could perhaps help bridge the gap between those tasked with the great responsibility of securing Active Directory (i.e. your IT personnel) and those whose executive support they need to be able to do so (i.e. you, the C-Suite.)<br />
<br />
<div>
If any of what I shared above made sense, I would encourage you to <span style="color: #38761d;">embrace</span> my <span style="color: #cc0000;">suggestions</span> earnestly, and act upon them, and if needed, I can prove and demonstrate everything I've shared above, and you should feel free to take me up on this.</div>
<br />
As for myself, all I can say is that today my work and knowledge silently help secure and defend <a href="https://www.paramountdefenses.com/company/customers.html" target="_blank">so</a> many of the world's most important organizations across six continents worldwide.<br />
<br />
<span style="color: #38761d;">Thank you for your time.</span><br />
<br />
Respectfully,<br />
Sanjay Tandon.<br />
<br />
Chairman and CEO,<br />
<a href="https://www.paramountdefenses.com/" target="_blank">Paramount Defenses</a><br />
<br />
<br />
<br />
PS: Please know that I am also doing my bit to help <a href="https://www.active-directory-security.com/2018/11/time-to-help-microsoft-and-the-world.html" target="_blank">Microsoft and the World better Understand Active Directory Security</a><br />
<br />
<br />
<span style="color: #999999;"><br /></span>
<span style="color: #999999;"><End Letter></span><br />
<br />
<br />
<b>Happy Birthday, Bill Gates!</b> <span style="color: #999999;">(2018-10-28)</span><br />
<br />
Dear Bill,<br />
<br />
Here's wishing you Sir, likely the most successful and influential person of not just our time, but of all time, a very Happy B'day!<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrOQAgPXY58BAvx5j8DnItm3jz_COkOKdcSzAIsicMrloWVpA6aubmpZWZXgVcS9e_NRP8wNDsZSgyLxceeoinF8lbOnu4yheQ4FZhlFGA8srkRBSwVJ_0ZVCZIw2LNeuZvi66Tu6U9lrW/s1600/Bill-Gates.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="399" data-original-width="399" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrOQAgPXY58BAvx5j8DnItm3jz_COkOKdcSzAIsicMrloWVpA6aubmpZWZXgVcS9e_NRP8wNDsZSgyLxceeoinF8lbOnu4yheQ4FZhlFGA8srkRBSwVJ_0ZVCZIw2LNeuZvi66Tu6U9lrW/s320/Bill-Gates.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #cccccc;">Photo source and attribution: https://mobile.twitter.com/BillGates/photo</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
Most of the world knows you as the Founder of Microsoft, a great philanthropist, and the world's wealthiest* person.<br />
<br />
<br />
Based on my personal experience, I however know you to be someone who truly exemplifies the very <a href="https://www.cyber-security-blog.com/2018/10/be-humble-and-kind.html" target="_blank">words I strive to live by</a>, and ideally, that we should all strive to live by, because in the grand scheme of things, we are all here for relatively little time.<br />
<br />
<b><br /></b>
<b>Deep </b><span style="color: #38761d; font-weight: bold;">Gratitude </span><span style="color: #999999; font-weight: bold;">for Mr. Gates</span><br />
<br />
If I may, I'd like to share from my personal experience a very small example of Mr. Gates' thoughtfulness, humility and kindness.<br />
<br />
One day back in 2004, when I was a Microsoft employee, I got a call from the Reception of Building 33, the Executive Building at Microsoft, and I was asked to come and pick something up - when I reached there, the kind lady at the reception gave me a package and said that "<i>Bill left this for you, as he's unfortunately out of town today</i>," and in it was a note written by Bill himself - "<i>To Sanjay, Happy Birthday, Bill Gates</i>" ( <a href="http://www.sanjaytandon.com/impact.html" target="_blank">here</a>.) (BTW, this is not customary at all at Microsoft; in fact, it was an absolute rarity.)<br />
<br />
I couldn't believe it. Bill Gates, our CEO, and the world's most successful and wealthiest person, made and took the time to wish me <i>Happy B'day</i>, and since he was going to be out of town, he was thoughtful enough to have it be given to me on my b'day!<br />
<br />
Since that day, for the last fourteen years I've been working tirelessly to be able to express my profound respect and gratitude to Mr. Gates, and it is for the first time, that I feel I've done my bit to be able to thank him, not just in words, <a href="https://www.paramountdefenses.com/" target="_blank">but in global IMPACT</a>.<br />
<div style="text-align: center;">
<br /></div>
<br />
<span style="color: #38761d;">Mr. Gates, it is <b>your</b> greatness, kindness and humility that inspired me</span> to conquer proverbial mountains as I persevered against all odds to ultimately build and deliver a paramount capability needed to secure and defend the very foundation of cyber security of and across Microsoft's global organizational customer base <span style="color: #38761d;">i.e. <b>your </b></span><b>one little act</b> of kindness, led to and inspired <a href="https://www.paramountdefenses.com/" target="_blank">THIS</a>.<br />
<br />
<br />
<b><br /></b>
<b>Birthday <span style="color: #cc0000;">Wishes</span></b><br />
<br />
Mr. Gates, today, you're wished profound joy and excellent health, but above all, you're wished that which is a rarity today, and that which sometimes even all the money in the world can't buy - <span style="color: #38761d;">True Peace of Mind</span> and <span style="color: #38761d;">Happiness in the Simplest of Things!</span><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNYWsIWrvPUl6dJTaCwJAeHCb8Iqv0cHSsgJKDtzo91CBUSVjc8ITDmTu0Ig_DeL2piIeLPp8nUb6Idljr4aTTCk4RR2eSzvJbGwcm-ZoZr33O6lavmghXx3zr1DVHLHDduUj810MJzDFe/s1600/Happiness.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="362" data-original-width="719" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNYWsIWrvPUl6dJTaCwJAeHCb8Iqv0cHSsgJKDtzo91CBUSVjc8ITDmTu0Ig_DeL2piIeLPp8nUb6Idljr4aTTCk4RR2eSzvJbGwcm-ZoZr33O6lavmghXx3zr1DVHLHDduUj810MJzDFe/s640/Happiness.jpg" width="640" /></a></div>
<br />
<b><i>BillG</i></b>, I thank you for the incredible human being you are, and wish you a truly wonderful year ahead.<br />
<br />
Namaste,<br />
<a href="http://www.sanjaytandon.com/" target="_blank">Sanjay</a>.<br />
<br />
<br />
<span style="color: #999999;">PS: I occasionally come across monetarily wealthy people, you know, little multi-millionaires and billionaires, and some of them exude such arrogance, that I feel like telling them that there are people out there (e.g. you) who could buy all their wealth out a hundred times over, so how about a little humility?! :-) In stark contrast, I visited the Gates Foundation website today, and it was so incredibly refreshing to see it unequivocally communicate that <b>All Lives Have Equal Value</b>! You Sir, command my respect.</span><br />
<br />
<br />
<b>Words I Live By</b> <span style="color: #999999;">(2018-10-27)</span><br />
<br />
Folks,<br />
<br />
Today, I just wanted to take a moment to share with you the words I live by -<br />
<br />
<div style="text-align: center;">
<iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="360" src="https://www.youtube.com/embed/awzNHuGqoMc" width="640"></iframe>
</div>
<br />
No matter who we are, we should always strive to be ...<br />
<br />
Sincerely,<br />
<a href="https://twitter.com/BeHumbleNKind" target="_blank">Sanjay</a>.<br />
<br />
<br />
<b>What Lies at the Foundation of Organizational Cyber Security Worldwide?</b> <span style="color: #999999;">(2018-10-26)</span><br />
<br />
Folks,<br />
<br />
In days to come, I'm going to answer both the most important and the <a href="https://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">second most important</a> question in all of Cyber Security.<br />
<br />
Today though, I just wanted to ask a simple (rhetorical) cyber security question, so that CEOs, CIOs, CISOs and IT Directors at organizations worldwide realize just what lies at the very foundation of the cyber security of their multi-billion $ organizations.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi69IEBVN8HWKJsrkKTiEp988Wljb41eWarqjWH87J_ePlLVFuGa8rVdiTK9X-KtTRhBVguXUmOZmZKFuS8UUthECK0KLdrKGNu6UfvApt7U_qzHxu0_wYCZLBqHtaqCGTU1OQpwtXG_aw/s1600/Active-Directory.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="354" data-original-width="636" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi69IEBVN8HWKJsrkKTiEp988Wljb41eWarqjWH87J_ePlLVFuGa8rVdiTK9X-KtTRhBVguXUmOZmZKFuS8UUthECK0KLdrKGNu6UfvApt7U_qzHxu0_wYCZLBqHtaqCGTU1OQpwtXG_aw/s640/Active-Directory.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Microsoft Active Directory</b></td></tr>
</tbody></table>
<br />
Today, at the <span style="color: #cc0000;">very foundation</span> of organizational cyber security worldwide, lie their <a href="https://www.paramountdefenses.com/" target="_blank">foundational Active Directory deployments</a>.<br />
<br />
Consequently, it logically follows that all organizations that operate on Microsoft Active Directory are only as secure as are their foundational Active Directory deployments. After all, no matter how tall, every skyscraper is only as strong as its <a href="https://www.paramountdefenses.com/active-directory.html" target="_blank">foundation</a>.<br />
<br />
In days to come, I'll share with you just how secure foundational Active Directory deployments are worldwide today - right <a href="https://www.cyber-security-blog.com/" target="">here</a>.<br />
<br />
Best wishes,<br />
<a href="https://www.sanjaytandon.com/" target="_blank">Sanjay</a><br />
<br />
<br />
<b>A Very Simple Trillion $ Cyber Security Multiple-Choice Question</b> <span style="color: #999999;">(2018-10-13)</span><br />
<br />
Folks,<br />
<br />
In days to come, I'll be helping organizations worldwide understand what constitutes a privileged user in Active Directory, how to correctly audit privileged access in Active Directory, and <a href="http://www.active-directory-security.com/2018/10/did-anyone-at-microsoft-ignite-2018-know-the-answer.html" target="_blank">what</a> the world's most important Active Directory security capability is.<br />
<br />
Today though, I just wanted to ask a very simple and elemental cyber security multiple-choice question, so here it is -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9NHredNpHZDk77wVDVMfJiX_cx4GBSeE_5o8RW_66hw5OIMHoG0IdKiq1jzrteTwZLqaoxXjTntC_i2kZIDE6RgZT6ruHqACcKlDbLS1fHA6BeorCzWg0a8dTIThCLmKr5cW-gboVswTV/s1600/Mimikatz-DCSync.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="275" data-original-width="640" height="274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9NHredNpHZDk77wVDVMfJiX_cx4GBSeE_5o8RW_66hw5OIMHoG0IdKiq1jzrteTwZLqaoxXjTntC_i2kZIDE6RgZT6ruHqACcKlDbLS1fHA6BeorCzWg0a8dTIThCLmKr5cW-gboVswTV/s640/Mimikatz-DCSync.png" width="640" /></a></div>
<br />
<b><span style="color: #cc0000;"><span style="font-size: large;">Q</span>.</span> </b><span style="color: #cc0000;">What are the minimum Active Directory Security Permissions that a perpetrator needs to be able to successfully run <b>Mimikatz DCSync</b> against an organization's foundational Active Directory deployment?</span><br />
<span style="color: #cc0000;"></span><br />
Is it -<br />
<blockquote class="tr_bq">
<span style="color: #38761d;"><b>A.</b></span> The "<i>Get Replication Changes</i>" Extended Right </blockquote>
<blockquote class="tr_bq">
<span style="color: #38761d;"><b>B.</b></span> The "<i>Get Replication Changes All</i>" Extended Right </blockquote>
<blockquote class="tr_bq">
<b><span style="color: #38761d;">C.</span> </b>Both A and B above </blockquote>
<blockquote class="tr_bq">
<span style="color: #38761d;"><b>D.</b></span> Something else
</blockquote>
<br />
I already know the answer to this simple question. I'm only asking because I believe that today every Domain Admin and every CISO at every organization that operates on Active Directory MUST know the answer to this question, and <a href="https://www.cyber-security-blog.com/2017/10/a-massive-cyber-breach-whilst-considering-the-cloud.html" target="_blank">here</a>'s why.<br />
<br />
You may be surprised if I were to share with you just how many Domain Admins and CISOs (at so many of the world's most prominent organizations) don't even seem to know what <a href="http://www.active-directory-security.com/2017/06/the-top-5-cyber-security-risks-to-active-directory.html" target="_blank">Mimikatz DCSync</a> is, let alone the answer!<br />
<br />
If you know the answer to this question, and care to share, please <span style="color: #38761d;">feel free to share it by leaving a comment</span> below.<br />
<br />
Best wishes,<br />
<a href="http://www.sanjaytandon.com/" target="_blank">Sanjay</a>.<br />
<br />
<br />
<b>Time to Ignite An Intellectual Spark at Microsoft Ignite 2018!</b> <span style="color: #999999;">(2018-09-26)</span><br />
<br />
Folks,<br />
<br />
This week, thousands of IT professionals, managers, CISOs and CIOs are in Orlando, attending, well, <a href="https://www.microsoft.com/en-us/ignite" target="_blank">Microsoft Ignite 2018</a>!<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjROm_J7XGr54DPVtskThUzLjLzRwrjrVjGY1Vniy04VX1lwuPb44pMjz7EM9nhQREKstF35GSIE_qwT8xxEht0ubE_nkxV6nKsjsSc5BSpDgz84OV_sHAvWTAkDmsh_OJOn7NC5nuQdRY/s1600/Microsoft-Ignite.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="582" data-original-width="1600" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjROm_J7XGr54DPVtskThUzLjLzRwrjrVjGY1Vniy04VX1lwuPb44pMjz7EM9nhQREKstF35GSIE_qwT8xxEht0ubE_nkxV6nKsjsSc5BSpDgz84OV_sHAvWTAkDmsh_OJOn7NC5nuQdRY/s640/Microsoft-Ignite.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #cccccc;">Image Courtesy Microsoft. Source: https://www.microsoft.com/en-us/ignite</span></td></tr>
</tbody></table>
<br />
Now, according to Microsoft's website, Microsoft Ignite has <span style="color: #cc0000;">SOLD OUT</span>! <span style="color: #38761d;">Great!</span> There are 900+ sessions, 100+ instructor-led technology workshops, 60+ Microsoft Immersion workshops, and 50+ hands-on labs with access to <b>expert proctors</b>!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
Did I mention that of course, Microsoft's very own experts are also going to be there, and collectively, they covered numerous vital areas such as <i>Securing the Enterprise</i>, <i>Simplified IT Management</i>, <i>Identity‚ Access & Compliance</i>, <i>Enterprise Security</i> etc.<br />
<br />
<br />
<span style="color: #cc0000;"><span style="font-size: x-large;">So</span>, with over 1000 sessions, 1000s of attendees, access to "expert proctors", and 100s of Microsoft's very own IT experts,</span><span style="color: #38761d;"> </span>THERE MUST BE AT LEAST ONE PERSON AT MICROSOFT IGNITE who could answer A very SIMPLE QUESTION -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9qpbT7_wCLtAIPAujhMWgDIVJ1wqBOOIOlwMZBpKSY1MoTBMcE1lSpGLz2mE3CecSzPjP8gtuN_-z-HmjwEOYu1RqcAiYCLkHReDhyphenhypheniPQrkp0IZXX4ZzHfIMU2OneBcN9ZzikK1Wyi58/s1600/Question.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="226" data-original-width="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9qpbT7_wCLtAIPAujhMWgDIVJ1wqBOOIOlwMZBpKSY1MoTBMcE1lSpGLz2mE3CecSzPjP8gtuN_-z-HmjwEOYu1RqcAiYCLkHReDhyphenhypheniPQrkp0IZXX4ZzHfIMU2OneBcN9ZzikK1Wyi58/s1600/Question.png" /></a></div>
<br />
<span style="color: #cc0000; font-size: large;">Question</span><span style="font-size: large;"> - What's The World's <a href="http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">Most Important</a> Active Directory Security Capability?</span><br />
<br />
<div style="text-align: center;">
<span style="font-size: x-small;">( URL: <a href="http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html</a> )</span></div>
<br />
<span style="color: #b45f06;"><span style="font-size: large;"><br /></span></span>
<span style="color: #cc0000;"><span style="font-size: large;">N</span>ow, in case you're wondering</span> why anyone and in fact everyone attending Microsoft Ignite should care about this question, it's because in a Microsoft Windows Server based IT Infrastructure, NOT A SINGLE ONE of the numerous vital areas listed above i.e. <i>Securing the Enterprise</i>, <i>Simplified IT Management</i>, <i>Identity‚ Access & Compliance</i>, <i>Enterprise Security</i> etc. etc. can be adequately addressed without FIRST ENSURING THE SECURITY of their foundational Active Directory deployments!<br />
<br />
<br />
<span style="color: #38761d;"><span style="font-size: x-large;">G</span>uess what?!</span> I'm willing to bet that 99% of experts (let alone attendees) at Microsoft Ignite don't have a clue as to the answer!<br />
<br />
<br />
<span style="color: #cc0000;"><span style="font-size: large;">U</span></span><span style="color: #cc0000;"><span style="font-size: medium;">n</span>believable, haan?!</span> So much for a US $ 800 Billion company's "<b>Sold Out</b>" IT Conference, where 100s of world renowned IT experts, including Microsoft's finest, were presenting, and where 1000s of IT professionals (including Domain Admins of most Fortune 100 companies) were attending, yet no one likely knows the answer to this most basic of Windows Security questions!<br />
<br />
<br />
Er, what's that millennial lingo again? Ah yes, OMG LOL ROFL !<br />
<br />
Doesn't anyone <a href="https://www.paramountdefenses.com/active-directory-security/guides.html" target="_blank">RTM</a> today? (They don't, and <a href="http://www.active-directory-security.com/2017/01/advanced-active-directory-security-school-for-microsoft.html" target="_blank">here's</a> likely why.)<br />
<br />
<br />
<span style="font-size: large;">O</span>n a serious note, <span style="color: #cc0000;">if <b>anyone</b> attending Microsoft Ignite 2018 </span>(including Microsoft's own experts) knows the answer to this <b>1</b> question, be my guest and answer the question by leaving a comment at the end of <a href="http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">that blog post</a>, and you'll earn <a href="https://www.paramountdefenses.com/leadership.html" target="_blank">my</a> respect.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ5-hS5KHAedDhGzG3lB7H1onB9d5-eBbFJ_wVYH5AWIjTDIPhWA5rTah4D6UzvDkWbW966zBxGQEszGTysiFRyKiF48DpzXVN8UmhCkeK4xgeDqPdvK9KbE-uNrBcXMdfT1A-tsejCZg/s1600/CISO.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="426" data-original-width="640" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ5-hS5KHAedDhGzG3lB7H1onB9d5-eBbFJ_wVYH5AWIjTDIPhWA5rTah4D6UzvDkWbW966zBxGQEszGTysiFRyKiF48DpzXVN8UmhCkeK4xgeDqPdvK9KbE-uNrBcXMdfT1A-tsejCZg/s640/CISO.jpg" width="640" /></a></div>
<br />
If you don't know the answer, I highly recommend reading, <a href="http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">one</a>, <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">two</a> and <a href="https://www.paramountdefenses.com/resources/presentations/Active-Directory-Security.pdf" target="_blank">three</a>, because <span style="color: #cc0000;">without knowing the answer</span> to this <b><span style="color: #cc0000; font-size: large;">1</span></b> <a href="http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">question</a> (and without possessing this capability,) <span style="color: #cc0000;">you cannot secure anything</span> in an Active Directory based Windows network.<br />
<br />
<br />
Best wishes,<br />
Sanjay<br />
<br />
<br />
<b>Pardon the Absence, and Get Ready!</b> <span style="color: #999999;">(2018-09-24)</span><br />
<br />
Folks,<br />
<br />
Hello again. I trust this finds you all doing well. It has been a few weeks since I last blogged. I hope you'll pardon my absence.<br />
<br />
Yes, I was supposed to answer a rather important question, in fact, possibly <a href="http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">the world's most important cyber security question</a>, for the whole world, back in July, but I had to postpone doing so, for a few good reasons, which I may reveal in days to come.<br />
<br />
Let's just say that amongst other things (e.g. a rather interesting trip across the Atlantic), I was working on finalising a project that directly impacts cyber security worldwide today, <span style="color: #cc0000;">you know, the kind of stuff that even James Bond doesn't have yet!</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz4TJuvZipwxUmvXD6K3Co-0IJNuMGg_WjG67EuU-WGxQg_bZoMmeqyMvuXEy5jB3XwImrdX1g6zxp4LF62Vht9-r454DnMHeBIErMLVGYRaI4ouwkHRVpddlXxN3qGQzhIbon-MvnzAI/s1600/The-Worlds-Most-Powerful-Weapon.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz4TJuvZipwxUmvXD6K3Co-0IJNuMGg_WjG67EuU-WGxQg_bZoMmeqyMvuXEy5jB3XwImrdX1g6zxp4LF62Vht9-r454DnMHeBIErMLVGYRaI4ouwkHRVpddlXxN3qGQzhIbon-MvnzAI/s640/The-Worlds-Most-Powerful-Weapon.jpg" width="640" /></a></div>
<br />
<br />
By the way, speaking of Mr. Bond, as you probably know, I'm a huge fan, so thought I'd share a catchy tune with you - <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/mNgdH1OVs4Q/0.jpg" frameborder="0" height="337" src="https://www.youtube-nocookie.com/embed/mNgdH1OVs4Q?feature=player_embedded" width="600"></iframe></div>
<br />
<br />
Oh, that project I was working on is almost over (i.e. RC1), so it's time for me to get back to blogging, and... well, <span style="color: #cc0000;">get ready</span>!<br />
<br />
Best wishes,<br />
Sanjay<br />
<br />
<br />
<b>A Trillion $ Cyber Security Question for Microsoft and CISOs Worldwide</b> <span style="color: #999999;">(2018-07-09)</span><br />
<br />
Folks,<br />
<br />
Today, to give a hint for the answer to <a href="https://www.cyber-security-blog.com/2018/06/active-directory-security-101-for-organizations-worldwide.html" target="_blank">this</a> <b>1</b> question, I asked possibly <span style="color: #cc0000;">the most important cyber security question in the world</span>, one that directly <span style="color: #cc0000;">impacts</span> the foundational security of 1000s of organizations worldwide, and thus one that impacts the financial security of <span style="color: #cc0000;">billions</span> of people worldwide -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg24atmogiw5-mZtUVIG5YK20uzqB8fqnXNSJ3kcneduhFVfx5vucf2cs0Xl6kCtjj4Gwa1qXHi4JVNxVBkgIH7ps-ly54jSP0mSog2J_wYAXY-eDsmqhHcI4GfLBL-j3cDeOEAWtntEWI/s1600/Foundational-Cyber-Security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="139" data-original-width="557" height="159" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg24atmogiw5-mZtUVIG5YK20uzqB8fqnXNSJ3kcneduhFVfx5vucf2cs0Xl6kCtjj4Gwa1qXHi4JVNxVBkgIH7ps-ly54jSP0mSog2J_wYAXY-eDsmqhHcI4GfLBL-j3cDeOEAWtntEWI/s640/Foundational-Cyber-Security.png" width="640" /></a></div>
<br />
<div style="text-align: center;">
<span style="font-size: large;">What's the World's <span style="color: #cc0000;">Most Important</span> Active Directory Security Capability?</span></div>
<br />
<div style="text-align: center;">
Here it is - <a href="http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html">www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html</a>.</div>
<br />
<br />
<div>
Those who <span style="color: #cc0000;">don't know</span> why this is the world's most important cyber security question may want to connect <a href="http://www.active-directory-security.com/2017/06/active-directory-security-is-paramount.html" target="_blank">one</a>, <a href="http://www.active-directory-security.com/2017/06/the-impact-of-an-active-directory-security-breach.html" target="_blank">two</a> and <a href="http://www.paramountdefenses.com/active-directory.html" target="_blank">three</a>. </div>
<br />
I <span style="color: #cc0000;">sincerely hope</span> that someone (anyone) at Microsoft, or that some CISO (any ONE) out there, will <span style="color: #38761d;">answer</span> this <span style="color: #cc0000;">ONE</span> question.<br />
<b><br /></b>
Best wishes,<br />
<a href="http://www.sanjaytandon.com/impact.html" target="_blank">Sanjay</a>.<br />
<br />
<br />
<b>Happy 4th of July!</b> <span style="color: #999999;">(2018-07-04)</span><br />
<br />
Folks,<br />
<br />
Here's wishing you all a very Happy <span style="color: #0b5394;">Fourth</span> of <span style="color: #cc0000;">July</span>! Hope you have a great one!<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig_BnBoRy91I4IegpUatSzU555vvukHvjV95a823DovAZIDKlwdmFiNneFTAq0dtFEgehDvMCrmIRT6UZT4QB8C0RGG9QVNnifKYGXvFEa8nB3Pr-JPCreMdxcjAStQGlArHWucXcEVcc/s1600/USA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="632" data-original-width="1200" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig_BnBoRy91I4IegpUatSzU555vvukHvjV95a823DovAZIDKlwdmFiNneFTAq0dtFEgehDvMCrmIRT6UZT4QB8C0RGG9QVNnifKYGXvFEa8nB3Pr-JPCreMdxcjAStQGlArHWucXcEVcc/s640/USA.png" width="640" /></a></div>
<br />
I was supposed to answer a certain <a href="https://www.cyber-security-blog.com/2018/06/active-directory-security-101-for-organizations-worldwide.html" target="_blank">question</a> today, but I decided to take the day off, so I'll answer it in days to come.<br />
<br />
Best wishes,<br />
Sanjay.<br />
<br />
<br />
<b>Mimikatz DCSync Mitigation</b> <span style="color: #999999;">(2018-07-03)</span><br />
<br />
Folks,<br />
<br />
A few days ago I asked a (seemingly) very simple question; no, I'm not referring to <a href="http://www.cyber-security-blog.com/2018/06/active-directory-security-101-for-organizations-worldwide.html" target="_blank">this</a> one, I'm referring to this one <a href="http://www.active-directory-security.com/2018/06/can-anyone-help-with-mimikatz-dcsync-mitigation.html" target="_blank">here</a> -<br />
<br />
<div>
<blockquote class="tr_bq">
<span style="font-size: large;"><span style="color: #cc0000;">Can Anyone (i.e. any Cyber Security Company or Expert) Help Thousands of Microsoft's Customers MITIGATE the Risk Posed by Mimikatz DCSync?</span></span></blockquote>
</div>
<br />
<span style="color: #cc0000;">Here's why I did so</span> - While there's a lot of info out there on the WWW about how to use Mimikatz DCSync, and/or how to detect its use, there isn't one other* single correct piece of guidance out there on how to mitigate the risk posed by Mimikatz DCSync.<br />
<br />
<span style="color: #38761d;">So, as promised</span>, today I am (literally) going to show you exactly how thousands of organizations worldwide can now easily and demonstrably actually mitigate the very serious cyber security risk posed to their foundational security by Mimikatz DCSync.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhshEbkZKU1HghPaF2wLmSgMXHjXsMgfqlohW1QlCGmBPiNejoK3rq8nGzM4uZwbsZlw4Qr7PYTeQpU9v-zzVHelU-msPCjJNDj57LiSGLl_x4nCFIwGkQTs4hczk5hyveEJAHIimWlSpk/s1600/Mimikatz-DCSync-Mitigation.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="434" data-original-width="1022" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhshEbkZKU1HghPaF2wLmSgMXHjXsMgfqlohW1QlCGmBPiNejoK3rq8nGzM4uZwbsZlw4Qr7PYTeQpU9v-zzVHelU-msPCjJNDj57LiSGLl_x4nCFIwGkQTs4hczk5hyveEJAHIimWlSpk/s640/Mimikatz-DCSync-Mitigation.jpg" width="640" /></a></div>
<br />
In light of what I've shared below, organizations worldwide can now easily mitigate the serious risk posed by Mimikatz DCSync.<br />
<br />
<b><br /></b><b><span style="color: #cc0000;"><br /></span></b><br />
<b><span style="color: #cc0000;">First, A Quick Overview</span></b><br />
For those who may not know, and there are millions who don't, there are three quick things to know about Mimikatz DCSync.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYAPh0i2VCl6kaX5faPITRMGdPINgRnLvf5DsW_5zaKfTW_UCk6ufVt6XoFnvWG5iGPkvKZmoI_9oR3RiTwJgQzXxqP_o2SSQDrZwvB1JrgmFiUnaXR5nKfvvE_6JuYqai_eYINAnjRTI/s1600/Mimikatz-DCSync.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="275" data-original-width="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYAPh0i2VCl6kaX5faPITRMGdPINgRnLvf5DsW_5zaKfTW_UCk6ufVt6XoFnvWG5iGPkvKZmoI_9oR3RiTwJgQzXxqP_o2SSQDrZwvB1JrgmFiUnaXR5nKfvvE_6JuYqai_eYINAnjRTI/s1600/Mimikatz-DCSync.png" /></a></div>
<br />
Mimikatz DCSync, a Windows security tool, is the creation of the brilliant <i>technical</i> expertise of Mr. Benjamin Delpy, whose work over the years has very likely caused Microsoft a lot of pain ;-) and, in doing so, helped substantially enhance Windows security.<br />
<br />
Mimikatz DCSync targets an organization's foundational Active Directory domains, and instantly gives any attacker who has sufficient privileges to replicate sensitive content from Active Directory access to literally everyone's credentials!<br />
<br />
Thus far, the only guidance out there is on how to DETECT its use, but this is one of those situations wherein if you're having to rely on <b>detection</b> as a security measure, then it's unfortunately already TOO late, because the damage has already been done.
<br />
<br />
<b><br /></b>
<b><span style="color: #cc0000;"><br /></span></b>
<b><span style="color: #cc0000;">Detection Is Hardly Sufficient</span></b><br />
They say a picture's worth a thousand words, so perhaps I'll paint a picture for you. Relying on detection as a security measure against Mimikatz DCSync is akin to this -<br />
<br />
<div style="text-align: center;">
<a href="https://commons.wikimedia.org/wiki/File:Castle_romeo2.jpg" title="By United States Department of Energy [Public domain], via Wikimedia Commons"><img alt="Castle romeo2" src="https://upload.wikimedia.org/wikipedia/commons/0/0b/Castle_romeo2.jpg" width="512" /></a>
</div>
<br />
Let's say a nuclear weapon just detonated in a city, and the moment it did, detection sensors alerted the city officials about the detonation. Well, within the few seconds in which they received the alert, the whole city would've already been obliterated; i.e. by the time you get the alert, literally everyone's credentials (including those of all privileged users) would've already been compromised!<br />
<br />
<span style="color: #cc0000;">Make no mistake about it - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory domain is tantamount to a complete forest-wide compromise, and should be considered a massive organizational cyber security breach, the only way to recover from which is to completely rebuild the entire Active Directory forest from the ground up!</span><br />
This is why detection is grossly insufficient as a security measure; what organizations need is the ability to prevent the use of Mimikatz DCSync against their foundational Active Directory domains, and thus the ability to mitigate this risk is paramount.<br />
<br />
<br />
<b><span style="color: #cc0000;"><br /></span></b>
<b><span style="color: #cc0000;">How to Mitigate Mimikatz DCSync</span></b><br />
The key to mitigating this risk lies in identifying what it technically takes to be able to successfully use Mimikatz DCSync.<br />
<br />
Specifically, if you know exactly what privileges an attacker needs to be able to successfully use Mimikatz DCSync against your Active Directory domain, then by ensuring that only highly-trustworthy, authorized individuals (and not a single other individual) currently possess those required privileges in your IT infrastructure, you can easily mitigate this risk.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2lkjfAg2nVr5qn66tbYM531PhmIyV_jHGyWdg4VFsAhwvAmOJdfm6_TOfYgaRV3-z30jfVE7Uy-M_MI2vOFkCz4b9LVPGcZHei64MfH6bmo2V8RMLldG33MH9pUMgAZCrxhp8wE-PmuA/s1600/Active-Directory-Access-Control.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="69" data-original-width="686" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2lkjfAg2nVr5qn66tbYM531PhmIyV_jHGyWdg4VFsAhwvAmOJdfm6_TOfYgaRV3-z30jfVE7Uy-M_MI2vOFkCz4b9LVPGcZHei64MfH6bmo2V8RMLldG33MH9pUMgAZCrxhp8wE-PmuA/s1600/Active-Directory-Access-Control.png" /></a></div>
<br />
Technically speaking, all that an attacker needs to successfully use Mimikatz DCSync is sufficient <i>Get Replication Changes All</i> effective permissions on the domain root object of an Active Directory domain, so all that organizations need to do is accurately identify exactly who has these effective permissions on the domain root object of each of their Active Directory domains.<br />
<br />
While by default only the default administrative Active Directory security groups are granted this permission, most Active Directory deployments have been around for years and have likely gone through a substantial amount of access provisioning. Consequently, in most Active Directory deployments, many more individuals than merely the members of the default AD admin groups may have this highly sensitive effective permission granted to them, either directly or via group membership, some of which may be direct, whilst others may be via nested group memberships, resulting in a potentially large and unknown attack surface today.<br />
<br />
<span style="color: #cc0000;">Now, it is paramount to understand ONE subtle but profound difference here </span>- it is NOT <i>who has what permissions</i> on the domain root that matters, but <i>who has what effective permissions</i> on the domain root that matters, and this difference could be the difference between a $100 B organization being completely compromised or being completely protected from compromise.<br />
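To make the above concrete, here is an added PowerShell audit script; it is not code from this post or from Paramount Defenses. It lists the ACEs on the domain root that grant the replication extended rights DCSync depends on, expands nested group membership down to individual accounts, and flags any trustee outside an expected list. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the GUIDs are the schema rightsGuid values of the extended rights, the $Expected list is a constructed starting point that each organization must adjust, and the script walks ACEs and group nesting only, which is not the same as a full effective-permissions computation.

```powershell
<#
  Added example, not code from the original post or from Paramount Defenses.
  Enumerates ACEs on the domain root that grant the replication extended
  rights, expands nested groups to individual accounts, and flags trustees
  outside an expected list.
  Assumes: RSAT ActiveDirectory module, domain-joined context, read access
  to the domain root's security descriptor.
  Caveat: this walks ACEs and group nesting only; it is not a full
  effective-permissions computation (ownership, deny precedence across
  groups and well-known SIDs are not fully modelled).
#>
Import-Module ActiveDirectory

# Schema rightsGuid values of the replication extended rights (not page-specific).
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domain = Get-ADDomain
$nb     = $domain.NetBIOSName

# Constructed list of principals normally expected to hold these rights;
# adjust for your forest (e.g. Enterprise Admins lives in the root domain).
$Expected = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\ENTERPRISE READ-ONLY DOMAIN CONTROLLERS',
    "$nb\Domain Controllers",
    "$nb\Enterprise Admins",
    "$nb\Domain Admins"
)

function Get-ReplicationAces {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $acl.Access | Where-Object {
        $r = $_.ActiveDirectoryRights
        # GenericAll, or ExtendedRight with no object type (= every extended
        # right), or ExtendedRight scoped to one of the replication rights.
        $r.HasFlag($all) -or
        ($r.HasFlag($ext) -and (
            $_.ObjectType -eq [guid]::Empty -or
            $ReplRights.ContainsKey($_.ObjectType.ToString())))
    }
}

function Expand-Principal {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Returns the individual accounts behind an ACE trustee, walking nested groups.
    try {
        $sid   = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $group = Get-ADGroup -Identity $sid -ErrorAction Stop
        # -Recursive returns leaf members (users, computers) through all nesting.
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            ForEach-Object { $_.SamAccountName }
    } catch {
        # Not a resolvable AD group (a user, computer, well-known or foreign SID).
        $Identity.Value
    }
}

$report = foreach ($ace in Get-ReplicationAces -DistinguishedName $domain.DistinguishedName) {
    $right = if ($ace.ObjectType -eq [guid]::Empty) { 'ALL extended rights / GenericAll' }
             else { $ReplRights[$ace.ObjectType.ToString()] }
    [pscustomobject]@{
        Trustee  = $ace.IdentityReference.Value
        Type     = $ace.AccessControlType            # Allow or Deny
        Right    = $right
        Expected = ($Expected -contains $ace.IdentityReference.Value)
        Accounts = (Expand-Principal -Identity $ace.IdentityReference) -join ', '
    }
}

# Unexpected trustees (Expected = False) sort first for review.
$report | Sort-Object Expected | Format-Table -AutoSize -Wrap
```

Run it once per domain in the forest; every Allow ACE whose Expected column is False, and every account it expands to, is a candidate for removal or justification.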
<br />
<br />
<b><span style="color: #cc0000;"><br /></span></b><b>The Key - Active Directory Effective Permissions</b><br />
If you've followed what I've shared above, then you'll agree and understand that the key to being able to successfully mitigate the serious risk posed by Mimikatz DCSync lies in being able to accurately determine effective permissions in Active Directory.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8rSpnjCcj62iyWLuSlhlwUmwAHpn4k3TzlPV6qx8M_OVKTww9ctBokLWI3bwV3-1jr4cc3FwLZPJEpF6mTHYecNST7IuarM4ZaBhPpyt5MPm00YsQZNIBK6g9vopivR1__VWjMZtd478/s1600/Active-Directory-Effective-Permissions.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="267" data-original-width="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8rSpnjCcj62iyWLuSlhlwUmwAHpn4k3TzlPV6qx8M_OVKTww9ctBokLWI3bwV3-1jr4cc3FwLZPJEpF6mTHYecNST7IuarM4ZaBhPpyt5MPm00YsQZNIBK6g9vopivR1__VWjMZtd478/s1600/Active-Directory-Effective-Permissions.png" /></a></div>
<br />
<br />
In fact <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Effective Permissions</a> are so important, essential and fundamental to Windows and Active Directory Security, that of the four tabs in all of Microsoft's Active Directory Management Tooling, one entire tab is dedicated to <i>Effective Permissions</i>.<br />
<br />
Unfortunately, it turns out that not only is Microsoft's native Effective Permissions tab not always accurate, it is substantially inadequate. While I could elaborate on that, I'd rather let you come to the same conclusion yourself: this ONE glaring inadequacy will be self-evident the moment you attempt to use it to find out exactly who, amongst the thousands of domain user account holders in your Active Directory domain(s), actually has the required effective permissions. In fact, the same is true of all tools/scripts that involve the use of Microsoft's APIs to do so, such as <a href="http://www.netwrix.com/netwrix_effective_permissions_reporting_tool.html" rel="nofollow" target="_blank">this</a> dangerously inaccurate free tool.<br />
<br />
Fortunately, in a world whose population is 7,000,000,000+ today, thanks to one (1) inconsequential individual, there's hope...<br />
<br />
<br />
<b><br /></b>
<b>Finally, <span style="color: #38761d;">How to Easily and Reliably Mitigate the Risk Posed by Mimikatz DCSync</span></b>
<br />
<br />
Here's a very short (and perhaps boring but insightful) video on how organizations worldwide can reliably mitigate this risk - <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/K6rHKDw86-w/0.jpg" frameborder="0" height="337" src="https://www.youtube-nocookie.com/embed/K6rHKDw86-w?feature=player_embedded" width="600"></iframe></div>
<blockquote class="tr_bq">
<span style="font-size: x-small;">Note: This is NOT intended to demonstrate our unique tooling. It is solely intended to show what it takes to mitigate this serious risk. We have no particular interest in licensing our unique tooling to anyone. As such, over the years, we have NEVER, not once pitched our tooling to anyone; we've had almost 10,000 organizations worldwide knock at our doors completely unsolicited, so I hope that makes this point unequivocally.</span></blockquote>
Thus, as seen in the short video above, with the right guidance (knowledge) and capability (tooling), organizations worldwide can now easily and reliably mitigate the serious cyber security risk posed by Mimikatz DCSync to their foundational security.<br />
<br />
Complete, illustrated, step-by-step details on how to easily and correctly mitigate Mimikatz DCSync can now be found <a href="http://www.active-directory-security.com/2016/08/active-directory-credential-theft-mimikatz-dcsync-mitigation.html" target="_blank">here</a>.<br />
<br />
<span style="color: #cc0000;"><br /></span>
<span style="color: #cc0000;">I'll say this one last time</span> - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory is tantamount to a forest-wide compromise and constitutes a massive cyber security breach, which is why <span style="color: #cc0000;">mitigation</span> is <a href="http://www.paramountdefenses.com/" target="_blank">paramount</a>.<br />
<br />
Best wishes,<br />
Sanjay<br />
<br />
<br />
PS: *Here are 4 posts I've previously penned on Mimikatz DCSync - a <a href="http://www.cyber-security-blog.com/2016/08/how-to-lockdown-active-Directory-to-thwart-use-of-mimikatz-dcsync.html" target="_blank">summary</a>, <a href="http://www.active-directory-security.com/2016/08/active-directory-credential-theft-mimikatz-dcsync-mitigation.html" target="_blank">technical details</a>, <a href="http://www.cyber-security-blog.com/2017/10/a-massive-cyber-breach-whilst-considering-the-cloud.html" target="_blank">a scenario</a> and <a href="http://www.active-directory-security.com/2018/06/can-anyone-help-with-mimikatz-dcsync-mitigation.html" target="_blank">the question</a>.<br />
<br />
PS2: In days to come, I'll answer <a href="http://www.cyber-security-blog.com/2018/06/active-directory-security-101-for-organizations-worldwide.html" target="_blank">this</a> question too.
Sanjay http://www.blogger.com/profile/12709732449993946585 noreply@blogger.com
tag:blogger.com,1999:blog-5493427189188014728.post-4443937235841641969 2018-06-29T15:00:00.000-07:00 2018-06-29T15:00:05.818-07:00
WHAT is the ONE Essential Cyber Security Capability WITHOUT which NOT a single Active Directory object or domain can be adequately secured?<br />
Folks,<br />
<br />
Hello again. Today onwards, as I had <a href="https://twitter.com/BeHumbleNKind/status/1012413321117499392" target="_blank">promised</a>, it is finally TIME for us to help SAFEGUARD Microsoft's Global Ecosystem.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIahcrKxnA80eHVLBhGvNGb_fUeyXZHm6kdfqzCr0HviGgPiqSSBEqBeeWJgw4KymI-geOxPNbJz3Hdj4XQMtx9HZFw4k2ZIqHj2HkBj3Q7l7NFna13VFHO2XAL4N9WzyCwljr-nnrdpQ/s1600/Active-Directory.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="354" data-original-width="636" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIahcrKxnA80eHVLBhGvNGb_fUeyXZHm6kdfqzCr0HviGgPiqSSBEqBeeWJgw4KymI-geOxPNbJz3Hdj4XQMtx9HZFw4k2ZIqHj2HkBj3Q7l7NFna13VFHO2XAL4N9WzyCwljr-nnrdpQ/s640/Active-Directory.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><br /></td></tr>
</tbody></table>
Before I share how <a href="http://www.paramountdefenses.com/" target="_blank">we</a> uniquely do so, or answer <a href="http://www.active-directory-security.com/2018/06/can-anyone-help-with-mimikatz-dcsync-mitigation.html" target="_blank">this</a> paramount question, or ask more such ones, I thought I'd ask likely the <span style="color: #cc0000;">most important</span> question that today DIRECTLY impacts the <span style="color: #cc0000;">foundational </span>cyber security of 1000s of organizations worldwide.<br />
<br />
<b><br /></b>
<b><br /></b><b><span style="color: #cc0000;">Here</span></b> <b>It Is </b>-<br />
<blockquote class="tr_bq">
<span style="font-size: large;">What Is the <span style="color: #cc0000; font-size: x-large;">1</span> Essential Cyber Security Capability Without Which <span style="color: #cc0000;">NOT</span> a <span style="color: #cc0000;">single</span> Active Directory object, domain, forest or deployment can be <span style="color: #38761d;">adequately</span> secured?</span></blockquote>
<br />
<b><br /></b>
<b><br /></b>
<b>A Hint</b><br />
I'll give you a hint. It controls exactly who is <span style="color: #cc0000;">denied</span> and who is <span style="color: #38761d;">granted</span> access to literally everything within Active Directory.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPLWvVf3-OoR1b-F1ksResFbYzHN47h1zZRss3fMAGlNsrrRdXF6Gmmz9kN0-wDYTco136cJ_Gfk1rBOwM447ShELl3VOfCzD5RHNhdCWwhBNaAIyHpVjhA7uuAY4UWJlsGo2YU-UdJ1U/s1600/Active-Directory-Access-Control.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="69" data-original-width="686" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPLWvVf3-OoR1b-F1ksResFbYzHN47h1zZRss3fMAGlNsrrRdXF6Gmmz9kN0-wDYTco136cJ_Gfk1rBOwM447ShELl3VOfCzD5RHNhdCWwhBNaAIyHpVjhA7uuAY4UWJlsGo2YU-UdJ1U/s1600/Active-Directory-Access-Control.png" /></a></div>
<br />
In fact, it comes into play every time anyone accesses anything in any Active Directory domain in any organization worldwide.<br />
<br />
<b><br /></b><b><br /></b><br />
<b>Make <span style="color: #cc0000;">No</span> Mistake</b><br />
Make no mistake about it - one simply CANNOT adequately protect anything in any Active Directory WITHOUT possessing this ONE capability, and thus one simply cannot protect the very foundation of an organization's cyber security without possessing this ONE paramount cyber security capability. It unequivocally is as remarkably simple, elemental and fundamental as this.<br />
<br />
<b><br /></b>
<b><br /></b>
<b>Only <span style="color: #cc0000;">2 Kinds</span> of Organizations</b><br />
<b><br /></b>
Thus, today there are only two kinds of organizations worldwide - those that possess this paramount cyber security capability, <span style="color: #cc0000;">and those that don't</span>. Those that don't possess this essential capability do not have the means to, and thus cannot adequately protect, their foundational Active Directory deployments, and thus by logic are <span style="color: #cc0000;">provably</span> and <span style="color: #cc0000;">demonstrably </span><span style="color: #cc0000;"><a href="http://www.paramountdefenses.com/operating-in-the-dark.html" target="_blank">insecure</a>.</span><br />
<br />
If you know the answer, feel free to leave a comment below.<br />
I'll answer this question right here, likely on <span style="color: navy;">July</span> <span style="color: #cc0000;">04</span>, 2018.<br />
<br />
Best,<br />
<a href="http://www.sanjaytandon.com/impact.html" target="_blank">Sanjay</a>
Sanjay http://www.blogger.com/profile/12709732449993946585 noreply@blogger.com
tag:blogger.com,1999:blog-5493427189188014728.post-5770593163131715151 2018-06-18T09:00:00.000-07:00 2018-06-25T20:13:08.598-07:00
Alarming! : Windows Update Automatically Downloaded and Installed an Untrusted Self-Signed Kernel-mode Lenovo Driver on New Surface Device
Folks,<br />
<br />
Given what it is I do, I don't squander a minute of precious time, unless something is very important, and <span style="color: #cc0000;">this is very important</span>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWY9uGNpWBg81iEGrkPuqiJlu2Ik2H053YWcrdvX7MN4eRbLh5_G6KwxLiu5Vut0EzjzVuR2Uzd9AnSkPv-vZ4eowXycgiNKQwiGUET6Ujhg3PZPCfS4b3w9Zdas1-abZmxJe3hzgtkZc/s1600/Breach.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="300" data-original-width="800" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWY9uGNpWBg81iEGrkPuqiJlu2Ik2H053YWcrdvX7MN4eRbLh5_G6KwxLiu5Vut0EzjzVuR2Uzd9AnSkPv-vZ4eowXycgiNKQwiGUET6Ujhg3PZPCfS4b3w9Zdas1-abZmxJe3hzgtkZc/s640/Breach.jpg" width="640" /></a></div>
<br />
Let me explain why this is so alarming, concerning and so important to cyber security, and why at many organizations (e.g. U.S. Govt., Paramount Defenses etc.), this could either have resulted in, or in itself be considered, a cyber security breach.<br />
<br />
<blockquote class="tr_bq">
<span style="color: #cc0000;">Disclaimer</span>: I'm not making any value judgment about Lenovo; I'm merely basing this on what's <a href="https://www.fedmanager.com/featured/9-general-news/2608-dod-issues-cybersecurity-warning-against-lenovo-computers-handheld-devices" rel="nofollow" target="_blank">already</a> been <a href="https://www.theverge.com/2013/7/30/4570780/lenovo-reportedly-banned-by-mi6-cia-over-chinese-hacking-fears" rel="nofollow" target="_blank">said</a>.</blockquote>
<br />
<br />
As you know, Microsoft's been <a href="https://www.pcmag.com/news/350584/microsoft-admits-it-was-too-aggressive-about-windows-10" rel="nofollow" target="_blank">brazenly</a> leaving billions of people and thousands of organizations worldwide with no real choice but to upgrade to their latest operating system, Windows 10, which albeit is far from perfect, is much better than Windows Vista, Windows 8 etc., even though Windows 10's default settings could be considered an egregious <a href="https://www.techrepublic.com/article/windows-10-violates-your-privacy-by-default-heres-how-you-can-protect-yourself/" rel="nofollow" target="_blank">affront</a> to Privacy.<br />
<br />
Consequently, at Paramount Defenses, we too felt that perhaps it was time to consider moving on to Windows 10, so we too figured we'd refresh our workforce's PCs. Now, of the major choices available from amongst several reputable PC vendors out there, Microsoft's Surface was one of the top <a href="https://www.microsoft.com/en-us/surface/business/government" rel="nofollow" target="_blank">trustworthy</a> contenders, considering that the entirety of the hardware and software was from the same vendor (and one that was decently trustworthy, considering that most of the world is running their operating system), and that there seemed to be no* pre-installed drivers or software that may have been written in China, Russia etc.<br />
<br />
<blockquote class="tr_bq">
<span style="color: #cc0000;">Side-note</span>: Based on information available in the public domain, in all likelihood, software written in / maintained from within Russia, may still likely be running as <i>System</i> on Domain Controllers within the U.S. Government.</blockquote>
In particular, regardless of its respected heritage, for us, Lenovo wasn't an option, since it is <a href="https://en.wikipedia.org/wiki/Lenovo#Ownership" rel="nofollow" target="_blank">partly owned by the Chinese Govt</a>.<br />
<br />
So we decided to consider evaluating Microsoft Surface devices and thus purchased a couple of brand-new Microsoft Surface devices from our local Microsoft Store for an initial PoC, and I decided to personally test-drive one of them -<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdCkLRIa72pP_rgmC1zKxpDMVF_MwuG_TbvmyH0ERcin-b4lsNoi9LWLVlHYs34EAVloEmZhYNqQxhNrLDyD29P5vQY-j7KLeUHvf0LKBr0A13DJAKxmpNLhuXYx2eQP7jH5LGPJAD3w0/s1600/Microsoft-Surface.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="438" data-original-width="600" height="466" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdCkLRIa72pP_rgmC1zKxpDMVF_MwuG_TbvmyH0ERcin-b4lsNoi9LWLVlHYs34EAVloEmZhYNqQxhNrLDyD29P5vQY-j7KLeUHvf0LKBr0A13DJAKxmpNLhuXYx2eQP7jH5LGPJAD3w0/s640/Microsoft-Surface.JPG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Microsoft Surface</td></tr>
</tbody></table>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhdl6Ti78XuejXG5TTGioQw0SVFbrdQ21xoeCJ9kDud39elp6B-7iilRLU0ejJ1ffYQ2G1HoPVprhBuLW8DEXqitYRd3uuJoC91fnbVw7HxjzsGEHneyAQXN-nQ5OqSN16NSCf8E9iBQI/s1600/Microsoft+Surface.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1075" data-original-width="1421" height="484" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhdl6Ti78XuejXG5TTGioQw0SVFbrdQ21xoeCJ9kDud39elp6B-7iilRLU0ejJ1ffYQ2G1HoPVprhBuLW8DEXqitYRd3uuJoC91fnbVw7HxjzsGEHneyAQXN-nQ5OqSN16NSCf8E9iBQI/s640/Microsoft+Surface.png" width="640" /></a></div>
<br />
The very first thing we did after unsealing them, walking through the initial setup and locking down Windows 10's unacceptable default privacy settings, was to connect it to the Internet over a secure channel, <span style="color: #cc0000;">and perform a Windows Update</span>.<br />
<br />
I should mention that there was no other device attached to this Microsoft Surface, except for a Microsoft Signature Type Cover, and in particular there were no mice of any kind attached to this new Microsoft Surface device, whether via USB or Bluetooth.<br />
<br />
<br />
Now, you're not going to believe what happened within minutes of having clicked the <b><span style="color: #073763;">Check for Updates</span> </b>button!<br />
<br />
<br />
<b><br />
<span style="color: black;">Windows Update</span></b><span style="color: #cc0000;"><b> Downloaded and Installed an</b></span><span style="color: #cc0000;"> </span><b><span style="color: #cc0000;">Untrusted</span></b><br />
<b><span style="color: #cc0000;">Self-Signed Lenovo Device Driver </span><span style="color: black;">on Microsoft Surface! -</span></b><br />
Within minutes, Windows Update automatically downloaded and had installed, amongst other packages (notably Surface Firmware,) an untrusted self-signed Kernel-mode device-driver, purportedly <b>Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)</b>, on this brand-new Microsoft Surface device, i.e. one signed with an untrusted WDK Test Certificate!<br />
<br />
Here's a snapshot of <b>Windows Update</b> indicating that it had successfully downloaded and installed a Lenovo driver on this Surface device, and it specifically states "<b><span style="color: #cc0000;">Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)</span></b>" -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgomDa_iwcMGBb8sJBg0nXvURUWLDa9tALXQqjJIZGzZ_giCJLr_g-LQ_gjFb_XmzGjGgKF3hVZgGmZIuG5ZCB6hYJTwuCQR-F3xl_yZHT9-KiAYPA9mK5hPlv6fkxZJuLrU0KRrqtEc80/s1600/2.+Lenovo+Driver+Installed.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="921" data-original-width="1530" height="385" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgomDa_iwcMGBb8sJBg0nXvURUWLDa9tALXQqjJIZGzZ_giCJLr_g-LQ_gjFb_XmzGjGgKF3hVZgGmZIuG5ZCB6hYJTwuCQR-F3xl_yZHT9-KiAYPA9mK5hPlv6fkxZJuLrU0KRrqtEc80/s640/2.+Lenovo+Driver+Installed.png" width="640" /></a></div>
<br />
We couldn't quite believe this.<br />
<span style="color: #cc0000;"><br /></span>
<span style="color: #cc0000;">How could this be possible?</span> i.e. how could a Lenovo driver have been installed on a Microsoft Surface device?<br />
<br />
So we checked the <b>Windows Update Log</b>, and sure enough, as seen in the snapshot below, the <b>Windows Update Log </b>too confirmed that Windows Update had just downloaded and installed a Lenovo driver -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDhL_l4rqPGSpSExRA7Xnjrt4kNsLM71NYTYLwgXAFOnyVaT0YSBJ054a2M84PVvKZqBDgl2IRFjIk-DO2LBUUQKs6-I1ZK4vYXBSZOwuigIXIlQFIq1GS3Q22enQaulNGIoJ4XDwinW0/s1600/3.+Windows+Update+Log+Confirms+Lenovo+Driver+Installation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="923" data-original-width="1242" height="474" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDhL_l4rqPGSpSExRA7Xnjrt4kNsLM71NYTYLwgXAFOnyVaT0YSBJ054a2M84PVvKZqBDgl2IRFjIk-DO2LBUUQKs6-I1ZK4vYXBSZOwuigIXIlQFIq1GS3Q22enQaulNGIoJ4XDwinW0/s640/3.+Windows+Update+Log+Confirms+Lenovo+Driver+Installation.png" width="640" /></a></div>
<br />
We wondered if there might have been any Lenovo hardware components installed on the Surface so we checked the <b>Device Manager</b>, and we could not find a single device that seemed to indicate the presence of any Lenovo hardware. (Later, we even took it back to the Microsoft Store, and their skilled tech personnel confirmed the same finding i.e. no Lenovo hardware on it.) <br />
<br />
Specifically, as you can see below, we again checked the <b>Device Manager, </b>this time to see if it might indicate the presence of any Lenovo HID, such as a Lenovo Optical Mouse, and as you can see in the snapshot below, the only two <i>Mice and other pointing devices </i>installed on the system were from Microsoft - i.e. no Lenovo mouse presence indicated by Device Manager -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizCFxej6d5vvO-8HwhY4GK-jaManDvZ206eeVbUj0oUErSpk-8D7Y602KbHEJ5NmujSiysZCsTGR_L1sY36W-mvWPNEuOJqMwtgMDDwDNMNnSA_kXt9YHyyRr8FbpxJ5VZrK2YK70-S2I/s1600/4.+Device+Manager+Indicates+No+Lenovo+Device.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="800" data-original-width="1600" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizCFxej6d5vvO-8HwhY4GK-jaManDvZ206eeVbUj0oUErSpk-8D7Y602KbHEJ5NmujSiysZCsTGR_L1sY36W-mvWPNEuOJqMwtgMDDwDNMNnSA_kXt9YHyyRr8FbpxJ5VZrK2YK70-S2I/s640/4.+Device+Manager+Indicates+No+Lenovo+Device.png" width="640" /></a></div>
<br />
<br />
Next, we performed a keyword search of the <b>Registry</b>, and came across a suspicious <b>Driver Package</b>, as seen below -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIlKOZuL77xk6ueiU26gQlLv3DJbRsY0gQTJM9uf_z87G9Xbg8nC5ay9x_RFdAlAz_V5BAzO1v9Y1d_oF4NU2E7dqlJFptMFTj3vqpZfbWXi03I4sq4d165DHsDhVGn7D98m5U4vCNWzY/s1600/5.+Registry+links+Lenovo+to+phidmou.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="917" data-original-width="1328" height="440" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIlKOZuL77xk6ueiU26gQlLv3DJbRsY0gQTJM9uf_z87G9Xbg8nC5ay9x_RFdAlAz_V5BAzO1v9Y1d_oF4NU2E7dqlJFptMFTj3vqpZfbWXi03I4sq4d165DHsDhVGn7D98m5U4vCNWzY/s640/5.+Registry+links+Lenovo+to+phidmou.png" width="640" /></a></div>
<br />
It seemed suspicious to us because as can be seen in the snapshot above, all of the other legitimate driver package keys in the Registry had (as they should) three child sub-keys i.e. <b>Configurations</b>, <b>Descriptors</b> and <b>Strings</b>, but this specific one only had one subkey titled <b>Properties</b>, and when we tried to open it, we received an <span style="color: #cc0000;"><i>Access Denied</i></span> message!<br />
<br />
As you can see above, it seemed to indicate that the provider was <b>Lenovo</b>, that the INF file name was <b>phidmou.inf</b>, and that the OEM path was "<i>C:\Windows\SoftwareDistribution\Download\Install</i>", but this path did not exist on the file system. So we performed a simple file-system search "<b>dir /s phidmou.*</b>" and, as seen in the snapshot below, we found one instance of such a file, located in <b>C:\Windows\System32\DriverStore\FileRepository\</b>.<br />
<br />
Here's that exact location on the file-system, and as evidenced by the <b>Created </b>date and time for that folder, one can see that this folder (and thus all of its contents), were created on April 01, 2018 at around 1:50 am, which is just around the time the Windows Update log too confirmed that it had installed the Lenovo Driver -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK_D8YjsxO546qhQR30Seq1hJjSzK-WY54hX_Y3pIqAWfNBvZk1a0or1uLRijsW3UoSntQFDPq4pbHqdL-ot-SNQsYmRAorRIvzLtVmXs0-mpHpNxqoErSFJMS_k2s7v0-lu1kXCnQ9sU/s1600/Created+on+April+01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="737" data-original-width="1016" height="464" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK_D8YjsxO546qhQR30Seq1hJjSzK-WY54hX_Y3pIqAWfNBvZk1a0or1uLRijsW3UoSntQFDPq4pbHqdL-ot-SNQsYmRAorRIvzLtVmXs0-mpHpNxqoErSFJMS_k2s7v0-lu1kXCnQ9sU/s640/Created+on+April+01.png" width="640" /></a></div>
<br />
<br />
When we opened that location, we found thirteen items, including six drivers -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKssjKx7jAEUh98UGOj94-HpPGOqvW_dfevPK5i4k3QGDSHgadRh65a_g50SWOlG1mpvpy-l5bCm2xtNIIEoCW0jPL27C3QqnIoxyYiOt2xV56mPLcYIv0WU4MZh8Y4XGVHA2jMjqkg0s/s1600/6.+phidmou.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="844" data-original-width="1541" height="350" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKssjKx7jAEUh98UGOj94-HpPGOqvW_dfevPK5i4k3QGDSHgadRh65a_g50SWOlG1mpvpy-l5bCm2xtNIIEoCW0jPL27C3QqnIoxyYiOt2xV56mPLcYIv0WU4MZh8Y4XGVHA2jMjqkg0s/s640/6.+phidmou.png" width="640" /></a></div>
<br />
Next, we checked the <b><i>Digital Signature </i></b>on one of the drivers, PELMOUSE.SYS, and we found that it was signed using a self-signed test Windows Driver certificate, i.e. the .sys files were SELF-SIGNED by a <b>WDKTestCert</b> and their digital signatures were NOT OK, in that they terminated in a root certificate that is not trusted by the trust provider -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUs7IgWtUJN1JR17pzW2ZPXqTLQtY5ZzniiWT0xdYL2qsQ_XM-BsOhiW6pnkjOXTH6p2iJbUsJpIn0dBC3_sZDc_xWn6v0kCz0OnG7_aprE_vhPQ7aFcIgnzahDPSg9SLSEhCHL5Gej6k/s1600/7.+Driver+signed+by+Self-Signed+Cert.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="919" data-original-width="1249" height="470" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUs7IgWtUJN1JR17pzW2ZPXqTLQtY5ZzniiWT0xdYL2qsQ_XM-BsOhiW6pnkjOXTH6p2iJbUsJpIn0dBC3_sZDc_xWn6v0kCz0OnG7_aprE_vhPQ7aFcIgnzahDPSg9SLSEhCHL5Gej6k/s640/7.+Driver+signed+by+Self-Signed+Cert.png" width="640" /></a></div>
<br />
Finally, when we clicked on the View Certificate button, as can be seen below, we could see that this driver was in fact merely signed by a test certificate, which is only supposed to be used for testing purposes during the creation and development of Kernel-mode drivers. Quoting from Microsoft's <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/install/test-signing" rel="nofollow" target="_blank">documentation</a> on Driver Testing "<i>However, eventually it will become necessary to test-sign your driver during its development, <span style="color: #cc0000;">and ultimately release-sign your driver before publishing it to users.</span></i>" -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0GHlEntnhwsDCVK9GuCihN_u_XDkgx_CR2XNogYjeTzwePRGmGhLzbL1zTWWONCtAOSeB6T7YAfm1nW3eM6MTwWxRa-Ey80jCYJb5kBPMARtE4Xh_GeV7-FFGCEUhAB6zhHp9Egm41sA/s1600/Untrusted+Cert.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="838" data-original-width="618" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0GHlEntnhwsDCVK9GuCihN_u_XDkgx_CR2XNogYjeTzwePRGmGhLzbL1zTWWONCtAOSeB6T7YAfm1nW3eM6MTwWxRa-Ey80jCYJb5kBPMARtE4Xh_GeV7-FFGCEUhAB6zhHp9Egm41sA/s400/Untrusted+Cert.png" width="294" /></a></div>
<br />
<span style="color: #cc0000;">Clearly</span>, the certificate seen above is NOT one that is intended to be used for release signing, yet here we have a Kernel-mode driver downloaded by Windows Update and installed on a brand new Microsoft Surface, and all it is signed with is a test certificate, and who knows who wrote this driver!<br />
<br />
Again, per Microsoft's guidelines on driver signing, which can also be found <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/install/release-signing" rel="nofollow" target="_blank">here</a>, "<i>After completing test signing and verifying that the driver is ready for release, the driver package has to be release signed</i>", and AFAIK, release signing not only requires the signer to obtain and use a code-signing certificate from a code-signing CA, it also requires a <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing" target="_blank">cross cert issued by Microsoft</a>.<br />
<br />
<span style="color: #cc0000;">If that is indeed the case</span><span style="color: #cc0000;">, then a Kernel-mode driver that is not signed with a valid code-signing certificate, and one whose digital signature does not contain Microsoft's cross cert, should not even be accepted into the Windows Update catalog.</span><br />
<span style="color: #cc0000;"></span><br />
It is thus hard to believe that a Windows Kernel-Mode Driver that is merely self-signed using a test certificate would even make it into the Windows Update catalog, and yet it seems that in this case, not only did it make it in, it was downloaded and in fact successfully installed onto a system, which clearly seems highly suspicious, and is in fact alarming and deeply concerning!<br />
<br />
How could this be? How could Windows Update (a trusted system process of the operating system), which we all (have no choice but to) trust (and have to do so blindly and completely) have itself installed an untrusted self-signed Lenovo driver (i.e. code running in Kernel-Mode) on a Microsoft Surface device?<br />
<br />
Frankly, since this piece of software was signed using a self-signed test cert, who's to say this was even a real Lenovo driver? It could very well be some malicious code purporting to be a Lenovo driver. Or, there is also the remote possibility that it could be a legitimate Lenovo driver, that is self-signed, but if that is the case, its installation should not have been allowed to succeed.<br />
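As an added example (not code from the original post), here is a PowerShell check a defender could run to surface exactly the situation described above: it walks the DriverStore FileRepository, checks the Authenticode signature of every .sys file, and flags files whose chain does not end in a trusted root or whose signer is a self-issued WDKTestCert. The repository path is the Windows default, and the script assumes an elevated Windows PowerShell 5.1 session (on older PowerShell, catalog-signed inbox drivers can report as NotSigned, so treat that state as "needs a second look" rather than proof).<br />

```powershell
# Added example, not from the original post: audit the DriverStore for kernel
# drivers that are test-signed or whose signature chain is not trusted.
# Assumes an elevated Windows PowerShell 5.1 session; the default repository
# path below can be overridden with -RepositoryRoot.
param(
    [string]$RepositoryRoot = "$env:SystemRoot\System32\DriverStore\FileRepository"
)

# Signature states that should never appear on a production kernel-mode driver.
# NotTrusted = chain terminates in a root the trust provider does not trust,
# which is what the Digital Signature tab showed for PELMOUSE.SYS.
$suspectStates = @('NotSigned', 'NotTrusted', 'HashMismatch', 'UnknownError')

$findings = Get-ChildItem -Path $RepositoryRoot -Recurse -Filter '*.sys' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '' }

        # A WDK test certificate is self-issued (Subject equals Issuer) and, by
        # default, carries "WDKTestCert" in its subject name.
        $isTestCert = ($subject -match 'WDKTestCert') -or
                      ($subject -ne '' -and $subject -eq $issuer)

        if (($sig.Status.ToString() -in $suspectStates) -or $isTestCert) {
            [pscustomobject]@{
                Package  = $_.Directory.Name          # e.g. phidmou.inf_amd64_<hash>
                Driver   = $_.Name
                Status   = $sig.Status
                Subject  = $subject
                Issuer   = $issuer
                Created  = $_.Directory.CreationTime  # the "Created" time the post correlated with the update log
                TestCert = $isTestCert
            }
        }
    }

if ($findings) {
    # Newest packages first, so a driver that arrived with the latest update is at the top.
    $findings | Sort-Object Created -Descending | Format-Table -AutoSize
} else {
    Write-Output "No test-signed or untrusted .sys files found under $RepositoryRoot"
}
```

A package whose only hit is a `TestCert` flag with a Valid status would mean the test root was imported into the machine's trust store, which is its own finding.<br />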
<br />
<br />
<br />
<b><span style="color: #cc0000;">Unacceptable</span> </b>and<b> <span style="color: #cc0000;">Deeply Concerning</span></b><br />
<b></b><b></b><span style="color: #cc0000;"></span><br />
<span style="color: #cc0000;">To us, this is unacceptable</span>, alarming and deeply concerning, <span style="color: #cc0000;">and here's why</span>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuakeMzXhvdGTpQPf1vdJfQcOvR7dVWQcOc6fhx0jzaHKE-vcwKiba9Nj-y1XEPUOL7tnb-XLHkV9aURtND2axUEdYCorBNOkr7WxZ3b5OBFE_DeRS3oDbDzwlOL4GTpf0m3NfW3zCHqw/s1600/CISO.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="426" data-original-width="640" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuakeMzXhvdGTpQPf1vdJfQcOvR7dVWQcOc6fhx0jzaHKE-vcwKiba9Nj-y1XEPUOL7tnb-XLHkV9aURtND2axUEdYCorBNOkr7WxZ3b5OBFE_DeRS3oDbDzwlOL4GTpf0m3NfW3zCHqw/s640/CISO.jpg" width="640" /></a></div>
<br />
We just had, on a device we consider trustworthy (and could possibly have engaged in business on), procured from a vendor we consider trustworthy (considering that the entire world's cyber security ultimately depends on them), an unknown, unsigned piece of software of Chinese origin that is now running in Kernel-mode, installed on the device by this device's vendor's (i.e. Microsoft's) own product's (the Windows operating system's) update program!<br />
<br />
We have not had an opportunity to analyze this code, but if it is indeed malicious in any way, in effect, it would've, unbeknownst to us and for no fault of ours, granted System-level control over a trusted device within our perimeter, to some entity in China.<br />
<br />
<span style="color: #cc0000;">How much damage could that have caused?</span> Well, suffice it to say that, for those who know Windows Security well, if this was indeed malicious, it would've been sufficient to potentially compromise any organization within which this potentially suspect and malicious package may have been auto-installed by Windows Update. (I've elaborated a bit on this below.)<br />
<br />
In the simplest scenario, if a company's Domain Admins had been using this device, it would've been <i>Game Over</i> right there!<br />
<br />
<span style="color: #cc0000;">This leads me to the next question</span> - we can't help but wonder how many such identical Surface devices exist out there today, perhaps at 1000s of organizations, on which this suspicious unsigned Lenovo driver may have been downloaded and installed?<br />
<br />
<span style="color: #cc0000;">This also leads me to another very important question</span> - Just how much <b>trust</b> can we, the world, impose in <b>Windows Update</b>?<br />
<br />
In our case, it just so happened that we were in front of this device during this Windows Update process, and that's how we noticed this; by the way, after it was done, it gave the familiar <b>Your device is up to date</b> message.<br />
<br />
<span style="color: #cc0000;">Speaking of which, here's another equally important question</span> - For all organizations that are using Windows Surface, and may be using it for mission-critical or sensitive purposes (e.g. AD administration), <span style="color: #cc0000;">what is the guarantee that this won't happen again</span>?<br />
<br />
I ask because if you understand cyber security, then you know, that it ONLY takes ONE instance of ONE malicious piece of software to be installed on a system, to compromise the security of that system, and if that system was a highly-trusted internal system (e.g. that machine's domain computer account had the "<i>Trusted for Unconstrained Delegation</i>" bit set), then this could very likely also aid perpetrators in ultimately gaining complete command and control of the entire IT infrastructure. As I have already alluded to above, if by chance the target/compromised computer was one that was being used by an <a href="http://www.paramountdefenses.com/cyber-security/privileged-access.html" target="_blank">Active Directory Privileged User</a>, then, it would be tantamount to <b>Game Over </b>right then and there!<br />
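The "<i>Trusted for Unconstrained Delegation</i>" bit mentioned above is worth auditing on its own, because those are the machines on which a single bad driver would have the widest blast radius. As an added example (not from the original post), this PowerShell query lists the non-domain-controller computer accounts that carry it; it assumes the RSAT ActiveDirectory module and a domain-joined session.<br />

```powershell
# Added example, not from the original post: find computer accounts trusted for
# unconstrained delegation, excluding domain controllers (for which it is expected).
# Assumes the RSAT ActiveDirectory module is installed and the session is domain-joined.
Import-Module ActiveDirectory

# userAccountControl flag behind the "Trusted for delegation" checkbox (TRUSTED_FOR_DELEGATION).
$TRUSTED_FOR_DELEGATION = 0x80000

# Primary group RIDs for writable (516) and read-only (521) domain controllers.
$dcGroupRids = @(516, 521)

function Get-UnconstrainedDelegationHosts {
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
        -Properties userAccountControl, PrimaryGroupID, OperatingSystem, LastLogonDate |
        Where-Object { $_.PrimaryGroupID -notin $dcGroupRids } |
        Select-Object Name, OperatingSystem, LastLogonDate,
            @{ Name = 'UAC_Hex';       Expression = { '0x{0:X}' -f $_.userAccountControl } },
            # Cross-check the extended property against the raw flag bit.
            @{ Name = 'Unconstrained'; Expression = { ($_.userAccountControl -band $TRUSTED_FOR_DELEGATION) -ne 0 } } |
        Sort-Object Name
}

$hosts = Get-UnconstrainedDelegationHosts
if ($hosts) {
    $hosts | Format-Table -AutoSize
} else {
    Write-Output 'No non-DC computer accounts are trusted for unconstrained delegation.'
}
```

Any workstation or member server in this list deserves the same scrutiny as a domain controller when reviewing what Windows Update has installed on it.<br />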
<br />
<span style="color: #cc0000;">Think about it</span> - this could have happened at any organization, from say the U.S. Government to the British Government, from a Goldman Sachs to a Palantir, from a stock exchange to an airline, from a clandestine national security agency to a nuclear reactor, or even at Microsoft itself. In short, for absolutely no fault of theirs, an organization could potentially have been breached by a likely malicious piece of software that the operating system's own update utility had downloaded and installed on the system, <span style="color: #cc0000;">and in 99% of situations</span>, because hardly anyone checks what gets installed by Windows Update (now that we have to download and install a whopping 600MB patch every Tuesday), this would likely have gone unnoticed!<br />
<br />
<span style="color: #cc0000;">Again, to be perfectly clear</span>, I'm not saying that a provably malicious piece of software was in fact downloaded and installed on a Microsoft Surface device by Windows Update. What I'm saying is that a highly suspicious piece of software, one that was built and intended to run in Kernel-mode and yet was merely signed with a test certificate, somehow was automatically downloaded and installed on a Microsoft Surface device, and that to us is deeply concerning, because in essence, if this could happen, then even at organizations that may be spending millions on cyber security, a single such piece of software quietly making its way in through such a trusted channel, could possibly instantly render their entire multi-million dollar cyber security apparatus useless, and jeopardize the security of the entire organization, and this could happen at thousands of organizations worldwide.
<br />
<br />
<span style="color: #cc0000;">With full respect to Microsoft and Mr. Nadella, this is deeply concerning and unacceptable, and I'd like some assurance, as I'm sure would 1000s of other CEOs and CISOs, that this will never happen again, on any Surface device, in any organization.</span><br />
<span style="color: #cc0000;"></span><br />
<span style="color: #cc0000;">In our case, this was very important</span>, because had we put that brand new Surface device that we procured from none other than the Microsoft Store into operation (even if we had re-imaged it with an ultra-secure locked-down internal image), from minute one, post the initial Windows update, we would likely have had a potentially compromised device running within our internal network, and it could perhaps have led to us being breached.<br />
<br />
<b><span style="color: #cc0000;"><br /></span></b>
<b><span style="color: #cc0000;"><br /></span></b>
<b><span style="color: #cc0000;">If I Were Microsoft, I'd Send a Plane</span></b><br />
<b><span style="color: #cc0000;"><br /></span></b>Dear Microsoft, we immediately <b>quarantined</b> that Microsoft Surface device, and we have it in our possession.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGYcToBRTsHdC-PzjPrfar_6p-WkMM8bi_poX45FQymdimN4KKUy-VP4IySqRPrhRtyrUIS773oe8aXlPYeK1QhQubJ0I5ZJYE4E_KcdjRf3l6R70hly4PwnjQJechWXkYwd6mJiPNe_s/s1600/Plane.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="500" data-original-width="1000" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGYcToBRTsHdC-PzjPrfar_6p-WkMM8bi_poX45FQymdimN4KKUy-VP4IySqRPrhRtyrUIS773oe8aXlPYeK1QhQubJ0I5ZJYE4E_KcdjRf3l6R70hly4PwnjQJechWXkYwd6mJiPNe_s/s640/Plane.png" width="640" /></a></div>
<br />
If I were you, I'd send a plane to get it picked up ASAP, so you can thoroughly investigate every little aspect of this to figure out how this possibly happened, and get to the bottom of it! <span style="color: #999999;">(Petty process note: The Microsoft Store let us keep the device for a bit longer, but will not let us return the device past June 24, and the only reason we've kept it, is in case you'd want to analyze it.)</span><br />
<span style="color: #999999;"><br /></span>
Here's why. At the very least, if I were still at Microsoft, and in charge of Cyber Security -<br />
<ol>
<li>I'd want to know how an untrusted Kernel-mode device driver made it into the Windows Catalog</li>
<li>I'd want to know why a Microsoft Surface device downloaded a purportedly Lenovo driver</li>
<li>I'd want to know how Windows 10 permitted and in fact itself installed an untrusted driver</li>
<li>I'd want to know exactly which SKUs of Microsoft Surface this may have happened on</li>
<li>I'd want to know exactly how many such Microsoft Surface devices out there may have downloaded this package </li>
</ol>
<br />
Further, considering that Microsoft Corp itself may easily have thousands of Surface devices in use internally, if I were still with Microsoft CorpSec, I'd certainly want to know how many of its own Surface devices may have automatically downloaded and installed this highly suspicious piece of untrusted self-signed software.<br />
<br />
<br />
In short, Microsoft, if you care as deeply about cyber security as you say you do, and by that I'm referring to what Mr. Nadella, the CEO of Microsoft, recently said (see video below: 0:40 - 0:44), and I quote, "<i><span style="color: #cc0000;">we spend over a billion dollars of R&amp;D each year, in building security into our mainstream products</span></i>", then you'll want to get to the bottom of this, because other than the Cloud, what could be a more mainstream product for Microsoft today than Microsoft <b>Windows</b> and Microsoft <b>Surface</b>?! -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/QSz1j22TEfI/0.jpg" frameborder="0" height="320" src="https://www.youtube.com/embed/QSz1j22TEfI?feature=player_embedded" width="640"></iframe></div>
<br />
<br />
Also, speaking of Microsoft's ecosystem, it indeed is <a href="http://www.paramountdefenses.com/blog/its-time-to-help-safeguard-organizatonal-cyber-security-worldwide-i-e-protect-microsofts-global-ecosystem/" target="_blank">time to help safeguard Microsoft's global ecosystem</a>. (But I digress.)<br />
<br />
<br />
<br />
<b>In Conclusion</b><br />
<b></b><br />
Folks, the only reason I decided to publicly share this is because I care deeply about cyber security, and I believe that this could potentially have impacted the foundational cyber security of any, and potentially, of thousands of organizations worldwide.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimxU4FFWLn1IaleJ1v9qGtmHx1m9JvDvYLrtSJYucgWpDn1WNlIq4UeCGS4PjKmjf3tQ0fD4EajYjuxAm0gHTkTFgQIUocE8kH_y4LisVe0P5mQordEnRmLbcQkvnMc5fJS6ZJkHwCk0k/s1600/The-Entire-World.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="374" data-original-width="1100" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimxU4FFWLn1IaleJ1v9qGtmHx1m9JvDvYLrtSJYucgWpDn1WNlIq4UeCGS4PjKmjf3tQ0fD4EajYjuxAm0gHTkTFgQIUocE8kH_y4LisVe0P5mQordEnRmLbcQkvnMc5fJS6ZJkHwCk0k/s640/The-Entire-World.jpg" width="640" /></a></div>
<br />
<span style="color: #38761d;">Hopefully, as you'll agree</span>, a trusted component (i.e. Windows Update) of an operating system that virtually the whole world will soon be running on (i.e. Windows 10), should not be downloading and installing a piece of software that runs in Kernel-mode, when that piece of software isn't even digitally signed by a valid digital certificate, because if that piece of software happened to be malicious, then in doing so, it could likely, automatically, and for no fault of its users, instantly compromise the cyber security of possibly thousands of organizations worldwide. <span style="color: #38761d;">This is really as simple, as fundamental and as concerning, as that. </span><br />
<span style="color: #38761d;"></span><br />
All in all, the Microsoft Surface is an incredible device, and because, as with Apple's computers, the entire hardware and software stack is under the control of a single vendor, Microsoft has a huge opportunity to deliver a trustworthy computing device to the world, and we'd love to embrace it. Thus, it is vital for Microsoft to ensure that its other components (e.g. <b>Update</b>) do not let the security of its mainstream products down, because per the Principle of the Weakest Link, "<i>a system is only as secure as its weakest link.</i>"<br />
<br />
<br />
By the way, I happen to be a <a href="http://www.sanjaytandon.com/impact.html" target="_blank">former</a> Microsoft Program Manager for <a href="http://www.paramountdefenses.com/defending-active-directory-against-cyberattacks.html" target="_blank">Active Directory Security</a>, and I care <a href="http://www.active-directory-security.com/2017/05/a-trillion-dollar-letter-to-microsoft-concerning-cyber-security-worldwide.html" target="_blank">deeply</a> for Microsoft.<br />
<br />
For those who may not know what Active Directory Security is (i.e. most CEOs, a few CISOs, and most employees and citizens), suffice it to say that <a href="http://www.active-directory-security.com/2017/06/active-directory-security-is-paramount.html" target="_blank">global security</a> may depend on Active Directory Security, and thus it may be a matter of <a href="http://www.paramountdefenses.com/" target="_blank">paramount defenses</a>.<br />
<br />
Most respectfully,<br />
Sanjay<br />
<br />
<br />
PS: Full Disclosure: I had also immediately brought this matter to the attention of the Microsoft Store. They escalated it to Tier-3 support (based out of New Delhi, India), who then asked me to use the Windows Feedback utility to share the relevant evidence with Microsoft, which I immediately and dutifully did, but I never heard back from anyone at Microsoft in this regard again.<br />
<br />
PS2: <span style="color: #cc0000;">Another small request to Microsoft</span> - Dear Microsoft, while at it, could you please also educate your global customer base about the paramount importance of <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Active Directory Effective Permissions</a>, <span style="color: #cc0000;">which is the ONE capability without which not a single object in any Active Directory deployment can be adequately secured!</span> Considering that Active Directory is the foundation of cyber security of over 85% of all organizations worldwide, this is important. Over the last few years, we've had almost 10,000 organizations from 150+ countries knock at our doors, and virtually none of them seem to know this most basic and cardinal fact of Windows Security. I couldn't begin to tell you how shocking it is for us to learn that most Domain Admins and many CISOs out there don't have a clue. <span style="color: #cc0000;">Can you imagine just how insecure and vulnerable</span> an organization whose Domain Admins don't even know what Active Directory Effective Permissions are, let alone possessing this <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">paramount capability</a>, could be today?<br />
<br />
Sanjay<br />
<br />
<br />
<b>Hello World, We Are Paramount Defenses</b> (published 2018-06-14)<br />
<br />
Folks,<br />
<br />
Hello again. I know it's been 6 months since I blogged, and considering that I <a href="http://www.cyber-security-blog.com/2017/12/2017-the-year-the-world-realized-the-value-of-active-directory-security.html" target="_blank">penned 60+ posts</a> last year, it feels like an eternity.<br />
<br />
Perhaps I should introduce ourselves again ;-) <br />
<br />
<b>Hello World, We are …</b><br />
<b></b><i></i><br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/PF2KOjWiM6k/0.jpg" frameborder="0" height="337" src="https://www.youtube.com/embed/PF2KOjWiM6k?feature=player_embedded" width="600"></iframe></div>
<br />
<br />
I've been <a href="https://www.active-directory-security.com/2018/06/hello-again.html" target="_blank">busy</a>, but it's finally <span style="color: #cc0000;">time to help safeguard Microsoft's global ecosystem</span>, so we'll start on June 18, 2018.<br />
<br />
Best wishes,<br />
Sanjay<br />
<br />
<br />
<b>2017 - The Year The World Realized the Value of Active Directory Security</b> (published 2017-12-31)<br />
<br />
Folks,<br />
<br />
As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.<br />
<br />
This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi69IEBVN8HWKJsrkKTiEp988Wljb41eWarqjWH87J_ePlLVFuGa8rVdiTK9X-KtTRhBVguXUmOZmZKFuS8UUthECK0KLdrKGNu6UfvApt7U_qzHxu0_wYCZLBqHtaqCGTU1OQpwtXG_aw/s1600/Active-Directory.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="354" data-original-width="636" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi69IEBVN8HWKJsrkKTiEp988Wljb41eWarqjWH87J_ePlLVFuGa8rVdiTK9X-KtTRhBVguXUmOZmZKFuS8UUthECK0KLdrKGNu6UfvApt7U_qzHxu0_wYCZLBqHtaqCGTU1OQpwtXG_aw/s640/Active-Directory.jpg" width="640" /></a></div>
<br />
I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - <i><span style="color: #cc0000;">Privileged User</span>, Privileged Access, <span style="color: #cc0000;">Domain Admins</span>, Enterprise Admins, <span style="color: #cc0000;">Mimikatz DCSync</span>, AdminSDHolder, <span style="color: #cc0000;">Active Directory ACLs</span>, Active Directory Privilege Escalation, <span style="color: #cc0000;">Sneaky Persistence in Active Directory</span>, Stealthy Admins in Active Directory, <span style="color: #cc0000;">Shadow Admins in Active Directory</span>, Domain Controllers, <span style="color: #cc0000;">Active Directory Botnets</span></i>, etc. etc.<br />
<br />
<br />
<b><span style="color: #cc0000; font-size: large;"><br /></span></b><b><span style="color: #cc0000;">Active Directory Security</span> Goes Mainstream <span style="color: #cc0000;">Cyber Security</span></b><br />
<b></b><span style="color: #cc0000;"></span><br />
Here are the 10 notable events in Active Directory Security that helped it get mainstream cyber security attention this year -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwpmgISQWzdAQkvmr07OuzfnxgaSJJavi-LGCxw3yygrmUaVtrkcm-mRAuHYy01iXfHdHQMSFar38Z0ZyrVUGxTEFqeEThJzJ9INAylUIdQ9tX4cwnGzppS3GuXfGcIpNZhnJ3tMaPDcs/s1600/Cyber-Security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="320" data-original-width="1100" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwpmgISQWzdAQkvmr07OuzfnxgaSJJavi-LGCxw3yygrmUaVtrkcm-mRAuHYy01iXfHdHQMSFar38Z0ZyrVUGxTEFqeEThJzJ9INAylUIdQ9tX4cwnGzppS3GuXfGcIpNZhnJ3tMaPDcs/s640/Cyber-Security.png" width="640" /></a></div>
<br />
<ol>
<li>Since the beginning of the year, i.e. January 01, 2017, <a href="http://www.cyber-security-blog.com/2017/10/a-massive-cyber-breach-whilst-considering-the-cloud.html" target="_blank">Mimikatz DCSync</a>, an incredibly and dangerously powerful tool built by <a href="http://www.cyber-security-blog.com/2016/07/a-letter-to-benjamin-delpy-re-mimikatz-and-active-directory-security.html" target="_blank">Benjamin Delpy</a>, that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.<br />
</li>
<br />
<li>On May 15, 2017, the developers of <a href="https://wald0.com/?p=112" rel="nofollow" target="_blank">BloodHound</a> introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?" From that point on, Bloodhound, <span style="color: #cc0000;">which is massively inaccurate</span>, seems to have started becoming very popular in the hacking community.</li>
<br />
<li>On June 08, 2017, CyberArk, a billion-dollar-plus cyber-security company and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, and also released a (<span style="color: #cc0000;">massively inaccurate</span>) tool called <a href="https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/" rel="nofollow" target="_blank">ACLight</a> to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.</li>
<br />
<li>On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast <a href="https://adsecurity.org/?p=3658" rel="nofollow" target="_blank">penned</a> an entry-level post "<i>Scanning for Active Directory Privileges and Privileged Accounts</i>" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!</li>
<br />
<li>On July 11, 2017, Preempt, a cyber security company, <a href="https://blog.preempt.com/new-ldap-rdp-relay-vulnerabilities-in-ntlm" rel="nofollow" target="_blank">announced</a> that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access.</li>
<br />
<li>On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled <a href="https://www.blackhat.com/us-17/briefings/schedule/#an-ace-up-the-sleeve-designing-active-directory-dacl-backdoors-6223" rel="nofollow" target="_blank">An ACE Up the Sleeve - Designing Active Directory DACL Backdoors</a> at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.</li>
<br />
<li>Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled <a href="https://www.blackhat.com/us-17/briefings/schedule/#the-active-directory-botnet-7423" rel="nofollow" target="_blank">The Active Directory Botnet</a> introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to setup command and control servers within organizations worldwide. This too made waves.</li>
<br />
<li>On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled <a href="https://blogs.technet.microsoft.com/enterprisemobility/2017/09/18/active-directory-access-control-list-attacks-and-defense/" rel="nofollow" target="_blank">Active Directory Access Control List - Attacks and Defense</a>, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up <a href="http://www.active-directory-security.com/2017/09/active-directory-access-control-lists-attack-and-defense.html" target="_blank">revealing</a> just how little its ATA team seems to know about the subject.</li>
<br />
<li>On December 12, 2017, Preempt, a cyber security company, <a href="https://blog.preempt.com/advisory-flaw-in-azure-ad-connect" rel="nofollow" target="_blank">announced</a> that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also <a href="https://blog.preempt.com/advisory-flaw-in-azure-ad-connect" rel="nofollow" target="_blank">suggested</a> that organizations worldwide use their (<span style="color: #cc0000;">massively inaccurate</span>) tooling to find these Stealthy Admins in Active Directory.</li>
<br />
<li>From January 26, 2017 through December 27, 2017, Paramount Defenses' CEO conducted <a href="http://www.cyber-security-blog.com/2017/08/teaching-microsoft-about-active-directory-security.html" target="_blank">Active Directory Security School</a> for Microsoft, so that in turn Microsoft could help not just every entity mentioned in points 1 - 9 above, but the whole world realize that in fact the key and the only correct way to mitigate each one of the security risks and challenges identified in points 1 - 9 above lies in <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Active Directory Effective Permissions</a> and <a href="http://www.paramountdefenses.com/company/cyber-security-innovation.html" target="_blank">Active Directory Effective Access</a>.</li>
</ol>
<br />
<br />
<span style="color: #cccccc;"></span><br />
<b><span style="color: #38761d;"><br /></span></b>
<b><span style="color: #38761d;"><br /></span></b><b>Helping <span style="color: #cc0000;">Defend</span> Microsoft's Global </b><b>Customer Base</b><br />
<b><span style="color: #cccccc;">( i.e. <span style="color: #cccccc; font-size: large;">85%</span> of Organizations Worldwide )</span></b><br />
<span style="color: #cccccc;"></span><br />
Folks, since January 01, 2017, both as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj80IbL75pjzJ32Sen6-ZkcYlG1pPcL9Ei3q11hwPp5rQ3Ic0zzavRMNx7qdcjDygbveiS9jxUlwbjS-DZmzNTwIlnLiK1hJZe1XvYxQwfXxVyPPWt8KjLqDutiy2Tt38yklBvgp2PwgMc/s1600/Paramount-Defenses.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj80IbL75pjzJ32Sen6-ZkcYlG1pPcL9Ei3q11hwPp5rQ3Ic0zzavRMNx7qdcjDygbveiS9jxUlwbjS-DZmzNTwIlnLiK1hJZe1XvYxQwfXxVyPPWt8KjLqDutiy2Tt38yklBvgp2PwgMc/s640/Paramount-Defenses.png" width="640" /></a></div>
<b><br /></b>
...not just the paramount <a href="http://www.active-directory-security.com/2017/06/active-directory-security-is-paramount.html" target="_blank">importance</a> of Active Directory Security to their <a href="http://www.paramountdefenses.com/active-directory.html" target="_blank">foundational</a> security, but also about how to <span style="color: #38761d;">correctly</span> <span style="color: #cc0000;">secure and defend</span> their foundational Active Directory from every cyber security risk/challenge covered in points 1- 9 above.<br />
<br />
This year, <span style="color: #38761d; font-family: "verdana" , sans-serif; font-size: x-large;">I</span> ( / <a href="http://www.paramountdefenses.com/" target="_blank">we</a>) ...<br />
<br />
<ol>
<li>conducted 30-days of advanced <a href="http://www.paramountdefenses.com/blog/30-days-of-advanced-active-directory-security-school-for-microsoft/" target="_blank">Active Directory Security School</a> for the $ 650+ Billion Microsoft Corporation</li>
<br />
<li>showed thousands of organizations worldwide <a href="http://www.active-directory-security.com/2016/08/active-directory-credential-theft-mimikatz-dcsync-mitigation.html" target="_blank">How to Render Mimikatz DCSync Useless</a> in their Active Directory</li>
<br />
<li>helped millions of pros (like Mr. Metcalf) worldwide learn <a href="http://www.paramountdefenses.com/cyber-security/privileged-access.html" target="_blank">How to Correctly Identify Privileged Users in Active Directory</a></li>
<br />
<li>helped the developers of BloodHound understand <a href="http://www.active-directory-security.com/2017/10/how-to-thwart-sneaky-persistence-in-active-directory.html" target="_blank">How to Easily Identify Sneaky Persistence in Active Directory</a></li>
<br />
<li>helped Microsoft's ATA Team learn advanced stuff <a href="http://www.active-directory-security.com/2017/09/active-directory-access-control-lists-attack-and-defense.html" target="_blank">About Active Directory ACLs - Actual Attack and Defense</a></li>
<br />
<li>showed <a href="http://www.cyber-security-blog.com/2017/12/privileged-account-security-guidance-for-cyberark.html" target="_blank">CyberArk</a>, trusted by 50% of Fortune 100 CISOs, <a href="http://www.active-directory-security.com/2017/12/how-to-correctly-discover-shadow-admins.html" target="_blank">How to Correctly Identify Shadow Admins in Active Directory</a></li>
<br />
<li>helped cyber security startup Preempt's experts learn <a href="http://www.active-directory-security.com/2017/12/how-to-discover-stealthy-admins-in-active-directory.html" target="_blank">How to Correctly Identify Stealthy Admins in Active Directory</a></li>
<br />
<li>helped the presenters of The Active Directory Botnet learn <a href="http://www.active-directory-security.com/2017/12/how-to-easily-solve-the-active-directory-botnet-problem.html" target="_blank">How to Easily Solve the Problem of Active Directory Botnets</a></li>
<br />
<li>helped millions of cyber security folks worldwide understand and illustrate <a href="http://www.active-directory-security.com/2017/06/a-simple-trillion-dollar-active-directory-privilege-escalation-example.html" target="_blank">Active Directory Privilege Escalation</a></li>
<br />
<li>Most importantly, I helped thousands of organizations worldwide, including Microsoft, understand the paramount importance of <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">Active Directory Effective Permissions</a> and <a href="http://www.paramountdefenses.com/company/cyber-security-innovation.html" target="_blank">Active Directory Effective Access</a> to Active Directory Security</li>
</ol>
<div>
<br />
<br />
In fact, we're not just providing <a href="http://www.paramountdefenses.com/defending-active-directory-against-cyberattacks.html" target="_blank">guidance</a>, we're uniquely <a href="http://www.paramountdefenses.com/company/provide-mission-critical-cyber-security-insight-worldwide.html" target="_blank">empowering</a> organizations <a href="http://www.paramountdefenses.com/company/customers.html" target="_blank">worldwide</a> to easily <a href="http://www.paramountdefenses.com/solutions.html" target="_blank">solve</a> these challenges.<br />
<br />
<br />
<br />
<br />
<b><span style="color: #cc0000;"><span style="font-size: large;"><br /></span></span></b>
<b><span style="color: #cc0000;"><span style="font-size: large;">S</span>ummary</span></b><br />
<b></b><span style="color: #38761d;"></span><span style="color: #cc0000;"></span><br />
All in all, it's been quite an eventful year for Active Directory Security <span style="color: #cccccc;">(and one that I saw coming over ten years ago).</span><br />
<br />
In 2017, the mainstream cyber security community finally seems to have realized the importance of Active Directory Security.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEa7jI7EBjI37y7kfs3AwFowzSRSjtYBqFqFlXtTnFhWIwYowXbELD_TMfBsyjiNYpflLPlNbNq8w-c5W2EyH5tTCujPTuNTAWY1236QDCN5dHavbU02qDWc03DzsMlfNiKfvdsYEewbk/s1600/Active-Directory-Privileged-User-Access-Audit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="500" data-original-width="1100" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEa7jI7EBjI37y7kfs3AwFowzSRSjtYBqFqFlXtTnFhWIwYowXbELD_TMfBsyjiNYpflLPlNbNq8w-c5W2EyH5tTCujPTuNTAWY1236QDCN5dHavbU02qDWc03DzsMlfNiKfvdsYEewbk/s640/Active-Directory-Privileged-User-Access-Audit.png" width="640" /></a></div>
<br />
Perhaps, in 2018, they'll realize that the <a href="http://www.paramountdefenses.com/resources/presentations/Active-Directory-Security.pdf" target="_blank">key</a> to Active Directory Security lies in being able to accurately determine <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">this</a>.<br />
<br /></div>
Best wishes,<br />
Sanjay.<br />
<br />
PS: <a href="http://www.cyber-security-blog.com/2017/12/why-i-do-what-i-do.html" target="_blank">Why I do, What I Do</a>.<br />
<br />
<b>Why I Do, What I Do</b> (posted December 29, 2017)<br />
<br />
Folks,<br />
<br />
I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtDRLz8nz82SWGJC4r91WpxHMYnYbFwLAvvjWZ8XzNx3BXfNJkcgumwQJEl5vMOjEb2v1AGOy3oiVlnDBGiRtNLtCIs9bXp9B6bLHdPduWLTEU1ipzObbyBUSsPTBkRf0glPLNA6V6TJQ/s1600/Thought-Leadership.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="309" data-original-width="800" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtDRLz8nz82SWGJC4r91WpxHMYnYbFwLAvvjWZ8XzNx3BXfNJkcgumwQJEl5vMOjEb2v1AGOy3oiVlnDBGiRtNLtCIs9bXp9B6bLHdPduWLTEU1ipzObbyBUSsPTBkRf0glPLNA6V6TJQ/s640/Thought-Leadership.png" width="640" /></a></div>
<br />
Here are the answers to the <b><span style="color: #cc0000; font-size: large;">Top-5</span></b> questions I am frequently asked -<br />
<br />
<ol>
<li><span style="color: #cc0000;">You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?</span>
<br /><br />Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my <a href="http://www.paramountdefenses.com/leadership.html" target="_blank">background</a>) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.<br /><br />
In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (<a href="http://www.active-directory-security.com/" target="_blank">here</a>) and Cyber Security (<a href="http://www.cyber-security-blog.com/" target="_blank">here</a>) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.<br /><br />
As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.<br />
</li>
<br /><br /><br /><br />
<li><span style="color: #cc0000;">Speaking of which, how big is Paramount Defenses?</span>
<br /><br />At Paramount Defenses, we believe that less is more, so our entire global team is fewer than 100 people. For security reasons, 100% of our staff are U.S. citizens, and to date, the entirety of our R&D team are former Microsoft employees.<br />
<br />If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of <a href="http://www.paramountdefenses.com/company/customers.html" target="_blank">prominent</a> organizations across six continents worldwide.<br />
</li>
<br /><br /><br /><br />
<li><span style="color: #cc0000;">Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?</span>
<br /><br />The simple answer to this question - <i><span style="color: #cc0000;">For Security Reasons</span></i>.<br />
<br />At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.<br />
<br />As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.<br />
<br />Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest <a href="http://www.paramountdefenses.com/leadership/global-community.html" target="_blank">community</a> of Active Directory Security Professionals on LinkedIn.<br />
</li>
<br /><br /><br /><br />
<li><span style="color: #cc0000;">What do you intend to accomplish by blogging?</span><br /><br />The intention is to help organizations worldwide understand just how <a href="http://www.active-directory-security.com/2017/06/active-directory-security-is-paramount.html" target="_blank">profoundly</a> important <a href="http://www.paramountdefenses.com/defending-active-directory-against-cyberattacks.html" target="_blank">Active Directory Security</a> is to organizational cyber security, and how paramount <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">Active Directory Effective Permissions</a> are to Active Directory Security.<br />
<br />
That's because this impacts <a href="http://www.paramountdefenses.com/company/the-entire-world-runs-on-active-directory.html" target="_blank">global security</a> today, and here's why -
<br />
<br /><br /><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKBdY-fK1313JvECPtY1KTGulUdo7i7z0ZT8wfx5PJdthng3VqZriCaW4TI4j-Qnr6WTZ1uPOCFDaCEc-joHG8VJYaJQ1IqWK6F4HYFinuydcgE8S2wenJHWmUqMn1JA5OsGw7lCEsL14/s1600/Active-Directory-Privileged-Access.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="234" data-original-width="676" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKBdY-fK1313JvECPtY1KTGulUdo7i7z0ZT8wfx5PJdthng3VqZriCaW4TI4j-Qnr6WTZ1uPOCFDaCEc-joHG8VJYaJQ1IqWK6F4HYFinuydcgE8S2wenJHWmUqMn1JA5OsGw7lCEsL14/s320/Active-Directory-Privileged-Access.jpg" width="320" /></a></div>
<br />
<br />
You see, the <b><span style="font-size: large;">Crown Jewels</span></b> of cyber security reside in Active Directory, and if they're compromised, it's Game Over. By <i>Crown Jewels</i>, I'm referring to <a href="http://www.paramountdefenses.com/cyber-security/privileged-access.html" target="_blank">privileged access</a>, or as commonly known, <i>Domain Admin</i> equivalent accounts.<br />
<br />It is a fact that <a href="http://www.paramountdefenses.com/privileged-access.html" target="_blank">100%</a> of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.<br />
<br />
Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the <a href="http://www.active-directory-security.com/2015/07/how-to-search-identify-and-minimize-privileged-users-accounts-in-active-directory.html" target="_blank">Tip of the Iceberg</a>, and we have found that most of them do not even seem to know that there are in fact far more accounts with varying levels of elevated admin/privileged access in Active Directory than they are aware of.<br />
<br />This isn't a secret; it's something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. <a href="http://www.paramountdefenses.com/company/insight.html" target="_blank">Here</a>'s why.<br />
<br />In fact, <span style="color: #cc0000;">Active Directory privileged access accounts have been getting a lot of attention lately</span>, because so many cyber security experts and companies are starting to realize that there exists a treasure-trove of privileged access in Active Directory. Thus, recently many such cyber security experts and companies have started shedding light on them (for example, <a href="https://wald0.com/?p=112" rel="nofollow" target="_blank">one</a>, <a href="https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/" rel="nofollow" target="_blank">two</a>, <a href="https://blog.preempt.com/advisory-flaw-in-azure-ad-connect" rel="nofollow" target="_blank">three</a> etc.), and some have even started developing amateur tools to identify such accounts.<br />
<br />What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "<i>Who has what Permissions in Active Directory</i>" <span style="color: #cc0000;">WHEREAS</span> the <span style="color: #38761d;">ONLY</span> way to correctly identify privileged user accounts in Active Directory is by accurately finding out "<i>Who has what <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Effective Permissions</a> in Active Directory</i>?"<br />
<br />On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.<br />
<br />To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "<i>Find out who has what privileged access in Active Directory,</i>" and since so many IT personnel don't seem to know better, they get misled.<br />
<br /><span style="color: #cc0000;">
Thus, there's an imperative need</span> to help organizations learn how to correctly audit privileged users in Active Directory.<br />
<br />Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining <a href="http://www.paramountdefenses.com/active-directory-effective-permissions-tool.html" target="_blank">effective permissions </a>/ <a href="http://www.paramountdefenses.com/active-directory-effective-permissions-tool.html" target="_blank">effective access</a> in Active Directory. There is only ONE correct way to accomplish this objective.</li>
<br /><br /><br /><br />
<li><span style="color: #cc0000;">Why have you been a little hard on Microsoft lately?</span>
<br /><br />Let me begin by saying that I deeply love and care for Microsoft. It may appear that I may have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.
<br /><br />In that regard, if you truly understand cyber security in Windows environments, you know that <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Active Directory Effective Permissions</a> and <a href="http://www.paramountdefenses.com/company/cyber-security-innovation.html" target="_blank">Active Directory Effective Access</a> play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) <span style="color: #cc0000;">no one seems to have a clue.</span><br />
<br />You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this is a highly concerning fact, because it means that most organizations worldwide are operating in the <a href="http://www.paramountdefenses.com/operating-in-the-dark.html" target="_blank">proverbial dark</a> today.<br />
<br />It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer base about Active Directory Effective Permissions at all - <a href="http://www.active-directory-security.com/2017/01/advanced-active-directory-security-school-for-microsoft.html" target="_blank">Proof</a>.<br />
<br />Thus, in the best interest of organizations worldwide, we felt a need to substantially raise <a href="http://www.businesswire.com/news/home/20160226006223/en/Paramount-Defenses-World's-Top-Cyber-Security-Companies" target="_blank">awareness</a>.<br /><div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they must've gotten so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they seem to have completely missed this one paramount aspect of Windows security.<br />
<br />Fortunately for them and the world, we've had our eye on this problem for a decade now and we've been <a href="http://www.paramountdefenses.com/company/timeline.html" target="_blank">laser-focused</a>. Besides, actions speak louder than words, so once you understand what it is <a href="http://www.paramountdefenses.com/company/provide-mission-critical-cyber-security-insight-worldwide.html" target="_blank">we do</a> at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.<br />
<br />Those who understand what we've <a href="http://www.paramountdefenses.com/company/develop-innovative-mission-critical-cyber-security-solutions.html" target="_blank">built</a>, know that we may be Microsoft's most strategic <a href="http://www.paramountdefenses.com/company.html" target="_blank">ally</a> in the cyber security space.</li>
<br />
</ol>
<div>
<br /></div>
<div>
Finally, the most important reason as to why I do, what I do is because I care deeply and passionately about cyber security.<br />
<br />
Best wishes,</div>
<div>
<a href="http://www.sanjaytandon.com/" target="_blank">Sanjay</a></div>
<br />
<b>Paramount Privileged Account Security Guidance (101) for CyberArk</b> (posted December 12, 2017)<h2>
Shadow Admins - The Stealthy Accounts That You Should Fear The Most, <span style="color: #38761d;">but Needn't Anymore</span></h2>
<div>
<span style="color: #666666;"></span><span style="color: #cc0000;"></span><br /></div>
Folks,<br />
<br />
Today's post concerns <a href="https://www.cyberark.com/" rel="nofollow" target="_blank">CyberArk</a>'s guidance on <span style="color: #cc0000;">Privileged Account Security</span>, a subject that is <a href="http://www.paramountdefenses.com/" target="_blank">paramount</a> to cyber security today, and it likely <span style="color: #cc0000;">impacts Trillions of $</span>, as it impacts the foundational cyber security of <a href="http://www.paramountdefenses.com/company/the-entire-world-runs-on-active-directory.html" target="_blank">85%</a> of all organizations worldwide. I pen this as former Microsoft Program Manager for Active Directory Security, and thus as the world's top expert in privileged access.<br />
<br />
<br />
<b><span style="color: #cc0000;"><br /></span></b>
<b>An Intro to <span style="color: #cc0000; font-size: large;">CyberArk</span></b><br />
<br />
I shouldn't have to provide an intro to CyberArk (CYBR), a $ Billion+ cyber security company, because according to its website, CyberArk is the (self-proclaimed) leader in <span style="color: #cc0000;">Privileged Account Security</span>, with more than 3450 global companies, including more than 50% of the Fortune 100 companies, relying on its solutions to protect their most critical and high-value assets.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfsPITjEk-5FZ8fM-SJN9M_lqurCRD23gLlCDbTttM9IgBufo7qTx7vVgxRg5oVEew7NPVoF3-DX6bS4BJgd3MK4vU1wTyyiAMG5qFBHlxDi59Y4hFHoobhxcuNIQ6MZTa9qnjAr4GvzGj/s1600/CyberArk.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="336" data-original-width="700" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfsPITjEk-5FZ8fM-SJN9M_lqurCRD23gLlCDbTttM9IgBufo7qTx7vVgxRg5oVEew7NPVoF3-DX6bS4BJgd3MK4vU1wTyyiAMG5qFBHlxDi59Y4hFHoobhxcuNIQ6MZTa9qnjAr4GvzGj/s640/CyberArk.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div style="text-align: right;">
<span style="color: #cccccc;">Image Attribution: CyberArk's Website</span></div>
</td></tr>
</tbody></table>
<span style="color: #cccccc;"></span>According to CyberArk's <a href="http://www.cyberark.com/" target="_blank">website</a> - <span style="color: #cc0000;">HALF OF FORTUNE 100 CISOs RELY ON CYBERARK</span>.
<br />
<br />
If that is the case, then recent guidance provided by CyberArk's experts on a very important topic is <span style="color: #cc0000;">a bit concerning</span>. <br />
<br />
Specifically, on June 08, 2017 CyberArk's researchers penned a blog post on their <b>Threat Research Blog</b>, which is presumably read by thousands, titled <span style="color: #cc0000;"><a href="https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/" rel="nofollow" target="_blank">Shadow Admins - The Stealthy Accounts that You Should Fear The Most</a><i>.</i></span> In it, they've shed light on a category of privileged accounts they called Shadow Admin accounts, and introduced and recommended tooling that they have developed, and that according to them, could help organizations discover these Shadow Accounts in their networks.<br />
<br />
<span style="color: #cc0000;">It is concerning because </span>as a subject matter expert, i.e. as former Microsoft Program Manager for Active Directory Security, it is my professional opinion that though its premise is accurate, the guidance and tooling provided in that post are <span style="color: #cc0000;">inaccurate</span>, and consequently any reliance upon it by organizations could result in a false sense of security, and leave them vulnerable.<br />
<br />
<blockquote class="tr_bq">
<u>Note</u>: The specific details of the various inaccuracies are provided below in the section titled <b><span style="color: #cc0000;"><i>The Inaccuracy</i></span></b> and a link to two demos that illustrate these inaccuracies is also provided in the section titled <b><i><span style="color: #38761d;">Accurate Guidance</span></i></b>.</blockquote>
<br />
<span style="color: #38761d;">The remainder of this well-intentioned blog post is meant to help CyberArk and organizations worldwide understand this esoteric yet paramount aspect of organizational cyber security i.e. the so-called "<b>Shadow Admins</b>" and how to correctly discover them.</span><br />
<br />
<span style="color: #38761d;"></span><br />
<br />
<br />
<b><span style="font-size: large;"><br /></span></b>
<b><span style="font-size: large;">Privileged Account </span><span style="color: #cc0000; font-size: large;">Security</span></b><br />
<span style="color: #cc0000;"></span><br />
Before I share why CyberArk's guidance may be inaccurate, it's important to say a few words on <span style="color: #cc0000;">Privileged Account Security</span>.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhpnxYzU59__U2O7-cd0YHCQjwFpwWuAtyhekoqqwjhuRDSJozJy3F4jMFAP1car7yzftefnFvfgXB5ON7NI2KMH95JTnbcRvCpbCTzPo7h0AH3fizRbN09EZkiMWlJHottEOkDGpjUFZ-/s1600/Impact-of-Privileged-Admin-Account-Compromise.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="559" data-original-width="1000" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhpnxYzU59__U2O7-cd0YHCQjwFpwWuAtyhekoqqwjhuRDSJozJy3F4jMFAP1car7yzftefnFvfgXB5ON7NI2KMH95JTnbcRvCpbCTzPo7h0AH3fizRbN09EZkiMWlJHottEOkDGpjUFZ-/s640/Impact-of-Privileged-Admin-Account-Compromise.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
The importance and value of Privileged Accounts is perhaps best summarized in line #1 of CyberArk's <a href="http://lp.cyberark.com/rs/316-CZP-275/images/ds-CyberArk-Privileged-Account-Security-11-2017.pdf" rel="nofollow" target="_blank">data-sheet</a> -<br />
<blockquote class="tr_bq">
"<i><span style="color: #cc0000;">Privileged accounts represent the largest security vulnerability an organization faces today.</span> These powerful accounts are used in nearly every cyber-attack, and they allow anyone who gains possession of them to control organization(al) resources, disable security systems, and access vast amounts of sensitive data.</i>"
</blockquote>
CyberArk is 100% right. The compromise of even just <span style="color: #cc0000; font-size: x-large;">1</span> (i.e. ONE) such privileged account could easily grant perpetrators complete command and control over the entire IT infrastructure and empower them to swiftly enact a devastating cyber attack.<br />
<br />
In fact, 100% of all major recent high-impact cyber security breaches (E.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and subsequent misuse of a single, i.e. just ONE Active Directory Privileged User Account.<br />
<br />
In that regard, CyberArk's focus on helping organizations adequately protect privileged accounts is spot-on and appreciated.<br />
<br />
<br />
That said, and as you'll hopefully agree, "<span style="color: #cc0000;">one can't protect what one can't identify</span>" which is why the <span style="color: #38761d;">accurate discovery </span>of all privileged accounts in an organization's network, especially of all <a href="http://www.paramountdefenses.com/cyber-security/privileged-access.html" target="_blank">Active Directory Privileged Access Accounts</a>, is paramount.<br />
<br />
<span style="color: #cc0000;">In fact</span>, it is exactly these privileged access accounts in Active Directory that CyberArk's well-intentioned blog sought to shed light on. Further, they likely felt this was very important (and they're right), which is why they even proceeded to develop tooling to help organizations identify <u>all</u> such accounts. It's just that perhaps CyberArk's experts too may not yet understand the intricate details of Active Directory Security well enough, and thus their well-intentioned guidance may have turned out to be inaccurate.<br />
<br />
Speaking of which, this makes for a perfect segue, so please allow me to shed light on where CyberArk's well-intentioned guidance is inaccurate, and how organizations can correctly discover all such "Shadow Accounts" in Active Directory.<br />
<br />
<br />
<br />
<br />
The so-called <b><span style="color: #cc0000; font-size: large;">Shadow Admin Accounts</span></b><br />
<span style="color: #cc0000; font-size: large;"><br /></span>CyberArk's famous post on Shadow Admins, titled <i><span style="color: #cc0000;">Shadow Admins - The Stealthy Accounts that You Should Fear The Most </span></i>begins by describing what these so-called "Shadow Admin Accounts" are, and I quote -<br />
<blockquote class="tr_bq">
"<i>Shadow Admin accounts are accounts in your network that have sensitive privileges and are typically overlooked because they are not members of a privileged Active Directory (AD) group. Instead, Shadow Admin accounts were granted their privileges through the direct assignment of permissions (<span style="color: #cc0000;">using ACLs on AD Objects</span>)</i>"</blockquote>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP_uftnDv7UrWx9BhwHJGqQQft8pL3lCZdYkYO42IFwWoRAKQEjROxVXGcBGJK-TcRzNStETWrPEKHshYYilySxthTtSvPL9IiZha6lJPlmwAag3v4p7b_x4cXp__cIb-ONBmwDaiHPKVl/s1600/Shadow-Admins.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="466" data-original-width="700" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP_uftnDv7UrWx9BhwHJGqQQft8pL3lCZdYkYO42IFwWoRAKQEjROxVXGcBGJK-TcRzNStETWrPEKHshYYilySxthTtSvPL9IiZha6lJPlmwAag3v4p7b_x4cXp__cIb-ONBmwDaiHPKVl/s640/Shadow-Admins.jpg" width="640" /></a></div>
<br />
I've been working on Active Directory Security for almost two decades now and may have personally clocked over 30,000 hours on the subject, and yet the first time I came across the term "<i>Shadow Admins</i>" was when I read CyberArk's blog post.<br />
<br />
If you Google/Bing "<i>Shadow Admins</i>" you're likely not going to find many references to it, other than to CyberArk's post on their blog, and then all the places wherein numerous people who may have read their blog have shared this across the Web.<br />
<br />
<span style="color: #cc0000;">Ah!</span> What CyberArk's researchers are referring to as "<i>Shadow Admin</i>" accounts are actually Active Directory user accounts that may not belong to any privileged Active Directory groups, yet may have been directly granted various security permissions at various locations (i.e. on various Active Directory objects) within Active Directory, SUCH THAT the permissions they've been granted effectively provide them with access that is tantamount to possessing privileged access in Active Directory.<br />
<br />
The rest of us, who have been doing Active Directory Security for years, and by that I also mean and include thousands of Active Directory admins at organizations worldwide, typically refer to such accounts as "<i>Delegated Admins</i>" in Active Directory.<br />
<br />
By the way, I only know this because while at Microsoft, I wrote the Bible on Privileged Account Security in Windows - i.e. back in 2004, I authored Microsoft's official 400-page whitepaper titled "<i>Best Practices for Delegating Active Directory Administration.</i>"<br />
<b></b><br />
<span style="color: #cc0000;">For instance</span>, here are 3 quick examples -
<br />
<ol>
<li>James has Write-Property Member permissions specified in the ACL of the Domain Admins group.</li>
<li>Emily has <i>Reset Password</i> permissions specified in the ACL of a Domain Admin's user account.</li>
<li>John has <i>Get-Replication Changes All</i> permissions granted in the ACL of the domain root.</li>
</ol>
In each case above, even though Emily, James and John may not be members of any of the many default Active Directory admin groups, their access is<span style="color: #cc0000;">*</span> tantamount to Domain Admin-equivalent access; this discovery might be startling for novices.<br />
<br />
Like other accomplished cyber security folks who may have recently taken a keen interest in Active Directory Security (e.g. <a href="https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf" rel="nofollow" target="_blank">one</a>, <a href="https://cloudblogs.microsoft.com/microsoftsecure/2017/10/11/what-am-i-missing-how-to-see-the-users-youre-denied-from-seeing/" rel="nofollow" target="_blank">two</a>, <a href="http://adsecurity.org/" target="_blank">three</a>, etc.), CyberArk's experts too may be new to Active Directory Security, and may have come to realize that there likely exist hundreds of such "<i>Delegated Admin</i>" accounts in Active Directory, many of which may have what is tantamount to unrestricted privileged access in Active Directory, yet neither these account holders nor the organization's privileged users may know about them, BECAUSE it is very difficult to accurately identify/discover/audit these accounts.<br />
<br />
Speaking of which, therein lies the inaccuracy in CyberArk's guidance and tooling, as explained below.<br />
<br />
<br />
<br />
<br />
The <b><span style="color: #cc0000; font-size: large;">Inaccuracy</span></b><br />
<br />
Let me first acknowledge that CyberArk's general recommendation on Privileged Account Security are correct, and I <a href="https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/" rel="nofollow" target="_blank">quote</a> -<br />
<blockquote class="tr_bq">
"<i>To maintain a strong security posture, CyberArk Labs highly recommends that organizations get to know all of the privileged accounts in the network, <span style="color: #cc0000;">including those Shadow Admins.</span></i>" </blockquote>
That said, if you read their entire blog post, which I highly recommend every IT and Cyber Security professional and CISO to do, you'll find that CyberArk's experts seem to be making the same classic mistake that so many others have been making for years.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWSzVfbnTwA3G5FD6ZL1jv0TLv_r6Ijv_kgkf_uVj7nOk0zul0J_GBL1sB2i6vW5BebHuIfa9vO9RNEyGjGwJUdUWKwD46OQX-qDjc4yQtY_b6D2gXtDat7BDZKKnkApP0sOvRjqjgclE2/s1600/CISO.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="574" data-original-width="836" height="438" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWSzVfbnTwA3G5FD6ZL1jv0TLv_r6Ijv_kgkf_uVj7nOk0zul0J_GBL1sB2i6vW5BebHuIfa9vO9RNEyGjGwJUdUWKwD46OQX-qDjc4yQtY_b6D2gXtDat7BDZKKnkApP0sOvRjqjgclE2/s640/CISO.jpg" width="640" /></a></div>
<br />
Specifically, here's that classic mistake, and again I <a href="https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/" rel="nofollow" target="_blank">quote</a> from their post -<br />
<blockquote class="tr_bq">
"<i><span style="color: #cc0000;">Searching and analyzing the ACL permissions granted to each account is a more comprehensive method.</span></i>"</blockquote>
You see, searching and analyzing the permissions granted to each account in Active Directory ACLs is <span style="color: #cc0000;">NOT</span> the right way to find out exactly what level of access that account holder may actually (i.e. effectively) have in Active Directory.<br />
<br />
Here's why - the ONLY CORRECT WAY to find out exactly who actually has what access in Active Directory, including of course any/all privileged access, is by determining "<a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">Active Directory Effective Permissions</a> / <a href="http://www.paramountdefenses.com/company/cyber-security-innovation.html" target="_blank">Active Directory Effective Access</a>."<br />
<br />
This cardinal technical fact may be confirmed by contacting Microsoft.<br />
<br />
Not only is there a HUGE difference between merely "<i>searching and analyzing the ACL permissions granted to each account</i>" and "<i>determining effective permissions in Active Directory</i>," more importantly the latter is a thousand times more difficult.<br />
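To make that difference concrete, here is an added example (my own toy model, not CyberArk's ACLight and not Paramount Defenses' tooling) that evaluates the three cases listed above over a constructed directory: a naive search for ACEs that name each account flags the wrong set of accounts, while a simplified effective-permissions evaluation, which expands nested group membership, applies inherited ACEs and honours deny ACEs in canonical order, flags the right one. The object names, groups and ACEs are constructed sample data, and the evaluation is a deliberately simplified model of Windows DACL semantics rather than a full implementation.

```python
"""Naive ACL search vs. simplified effective-permission evaluation (toy model).
Simplified Windows DACL semantics: canonical ACE order, first matching ACE
decides each right, inheritance from ancestor containers; owner rights,
object-type-specific ACEs and inheritance blocking are ignored."""
from dataclasses import dataclass, field
from typing import List, Optional

DOMAIN = "DC=corp,DC=example"
ADMINS_OU = f"OU=Admins,{DOMAIN}"
DA_GROUP = f"CN=Domain Admins,{ADMINS_OU}"
ALICE = f"CN=Alice,{ADMINS_OU}"  # Alice is a Domain Admins member

# Constructed group membership; groups may contain groups.
MEMBERS = {"Domain Admins": {"Alice"}, "Helpdesk": {"Tier1"},
           "Tier1": {"Emily"}, "Tier2": {"John"}}
ALL_RIGHTS = frozenset({"WriteMember", "ResetPassword", "ReplGetChangesAll"})

@dataclass
class ACE:
    kind: str                # "allow" or "deny"
    trustee: str             # user or group name
    rights: frozenset        # subset of ALL_RIGHTS, or {"GenericAll"}
    inherit: bool = False    # propagates to child objects
    inherited: bool = False  # set on copies that came from an ancestor

@dataclass
class ADObject:
    dn: str
    parent: Optional[str]
    aces: List[ACE] = field(default_factory=list)  # explicit ACEs only

# Constructed directory tree with explicit ACEs.
DIRECTORY = {o.dn: o for o in [
    ADObject(DOMAIN, None, [
        ACE("deny", "Tier2", frozenset({"ReplGetChangesAll"})),  # deny via group
        ACE("allow", "John", frozenset({"ReplGetChangesAll"})),  # direct allow
    ]),
    ADObject(ADMINS_OU, DOMAIN, [
        ACE("allow", "Helpdesk", frozenset({"ResetPassword"}), inherit=True),
    ]),
    ADObject(DA_GROUP, ADMINS_OU, [ACE("allow", "James", frozenset({"WriteMember"}))]),
    ADObject(ALICE, ADMINS_OU, []),
]}

# The post's three examples: holding the right on the object is DA-equivalent.
PRIVILEGED_RULES = [
    (DA_GROUP, "WriteMember"),      # can add oneself to Domain Admins
    (ALICE, "ResetPassword"),       # can reset a Domain Admin's password
    (DOMAIN, "ReplGetChangesAll"),  # can replicate directory secrets
]

def security_tokens(principal):
    """Transitive closure of the groups a principal belongs to, plus itself."""
    tokens, frontier = {principal}, [principal]
    while frontier:
        cur = frontier.pop()
        for group, members in MEMBERS.items():
            if cur in members and group not in tokens:
                tokens.add(group)
                frontier.append(group)
    return tokens

def full_dacl(dn):
    """Explicit ACEs plus inheritable ACEs from every ancestor container."""
    dacl, parent = list(DIRECTORY[dn].aces), DIRECTORY[dn].parent
    while parent is not None:
        for ace in DIRECTORY[parent].aces:
            if ace.inherit:
                dacl.append(ACE(ace.kind, ace.trustee, ace.rights, True, True))
        parent = DIRECTORY[parent].parent
    return dacl

def effective_rights(principal, dn):
    """Rights the principal effectively holds on dn under canonical ACE order."""
    tokens = security_tokens(principal)
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    ordered = sorted(full_dacl(dn), key=lambda a: (a.inherited, a.kind == "allow"))
    decided = {}
    for ace in ordered:
        if ace.trustee not in tokens:
            continue
        rights = ALL_RIGHTS if "GenericAll" in ace.rights else ace.rights
        for right in rights:
            decided.setdefault(right, ace.kind == "allow")  # first match wins
    return {r for r, allowed in decided.items() if allowed}

def naive_scan(accounts):
    """The criticised approach: only ACEs that name the account itself count."""
    return {acct for acct in accounts
            for dn, right in PRIVILEGED_RULES
            for ace in DIRECTORY[dn].aces
            if ace.trustee == acct and ace.kind == "allow" and right in ace.rights}

def effective_scan(accounts):
    """Flag accounts whose effective rights satisfy any privileged rule."""
    return {a for a in accounts
            if any(right in effective_rights(a, dn) for dn, right in PRIVILEGED_RULES)}

if __name__ == "__main__":
    users = ["James", "Emily", "John"]
    print("naive:    ", sorted(naive_scan(users)))      # ['James', 'John']
    print("effective:", sorted(effective_scan(users)))  # ['Emily', 'James']
```

In this constructed data the naive scan misses Emily (her Reset Password right on Alice arrives through a nested group and an inherited ACE) and wrongly flags John (his direct allow on the domain root is overridden by an explicit deny on a group he belongs to).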
<br />
Incidentally, for reasons best known to Microsoft, for an entire decade, Microsoft <a href="http://www.active-directory-security.com/2017/01/advanced-active-directory-security-school-for-microsoft.html" target="_blank">apparently forgot</a> to educate the world about the paramount importance of effective permissions/access in (and to the security of) Active Directory, which is also likely why even the authors of <a href="http://www.active-directory-security.com/2017/07/an-ace-up-the-sleeve-designing-active-directory-acl-backdoors.html" target="_blank">An ACE Up the Sleeve - Designing Active Directory ACL Backdoors</a>, which likely was what prompted CyberArk's experts to look into and pen this post, also seem to have made the same mistake in their approach and tooling.<br />
<br />
I find it amazing that based on this limited (and inaccurate) knowledge, CyberArk's experts even proceeded to develop tooling, and I say so because unlike the developers of (the inaccurate) Bloodhound, CyberArk is a respected billion-dollar company -<br />
<blockquote class="tr_bq">
"<i>...we have developed a special tool that scans and discovers privileged accounts based on account permissions. The tool, ACLight, is available for free on GitHub and can be used to discover these Shadow Admin accounts on your network today...</i>"</blockquote>
<br />
We <a href="http://www.active-directory-security.com/2017/12/how-to-correctly-discover-shadow-admins.html" target="_blank">tested</a> their <i>ACLight</i> tooling and unfortunately it failed even the most basic of tests that one could put such a tool through.<br />
<div>
<br /></div>
<span style="color: #cc0000;">Consequently</span>, it is in light of the above (i.e. their guidance seems to be based on incorrect technical facts and relies upon the use of tooling which too may be based on the same incorrect technical facts, and thus may likely be vastly inaccurate) that my professional opinion leads me to believe that the following guidance from CyberArk's experts is most likely inaccurate -<br />
<blockquote class="tr_bq">
"<i>...We encourage you to use our Shadow Admins scanning tool, ACLight, to start uncovering these accounts.</i>"</blockquote>
<br />
To help everyone clearly understand this, I've illustrated this in 2 DEMOS which can be accessed <a href="http://www.active-directory-security.com/2017/12/how-to-correctly-discover-shadow-admins.html" target="_blank">here</a>.<br />
<br />
<br />
<br />
<br />
<b><span style="color: #38761d; font-size: large;">Accurate</span> <span style="font-size: large;">Guidance</span></b><br />
<br />
To help CyberArk's experts and the entire world better understand why the naïve approach of "<i>searching and analyzing the ACL permissions granted to each account</i>" is fundamentally flawed, and why it is effective permissions that matter, as well as how to CORRECTLY identify all such Shadow Admins in Active Directory, I've penned a separate blog post on my technical blog, and here's the URL -<br />
<div style="text-align: center;">
<a href="http://www.active-directory-security.com/2017/12/how-to-correctly-discover-shadow-admins.html" target="_blank">HOW TO CORRECTLY DISCOVER SHADOW ADMIN ACCOUNTS IN ACTIVE DIRECTORY</a></div>
<span style="color: #cc0000;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiH3jgz1jjfHNgHbLqHmfbAFhclw_ZEjZ3oqXXBtlfe2voQRl7-MlLrcJ191eI0Qo7CQ0Blwg6BrGbcXZTp3wVUn_2PP_paJ2BK8mCkC_h8wGM7KIBLjJaW7Sj8aZPdspNYOWMPKcVQY89D/s1600/Shadow-Admin-Account-Discovery.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="267" data-original-width="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiH3jgz1jjfHNgHbLqHmfbAFhclw_ZEjZ3oqXXBtlfe2voQRl7-MlLrcJ191eI0Qo7CQ0Blwg6BrGbcXZTp3wVUn_2PP_paJ2BK8mCkC_h8wGM7KIBLjJaW7Sj8aZPdspNYOWMPKcVQY89D/s1600/Shadow-Admin-Account-Discovery.png" /></a></div>
<span style="color: #cc0000;"><br /></span>
<span style="color: #cc0000;">I highly recommend </span>that every IT and Cyber Security professional and every CISO, including the CISOs of half of the Fortune 100 that rely on CyberArk today as well as the half that don't rely on CyberArk yet, READ that insightful technical blog post.<br />
<br />
<br />
<br />
<span style="font-size: large;"><span style="color: #cc0000;"><b><br /></b></span></span>
<span style="font-size: large;"><span style="color: #cc0000;"><b>Fear,</b></span><span style="color: #38761d;"> <b>No More</b></span></span><br />
<span style="font-size: small;"><b></b><br /></span>
Those who truly understand Active Directory Security, and thus those who truly understand Privileged Account Security in Windows networks know that the <span style="color: #38761d;">ONLY CORRECT WAY</span> to accurately identify all such Delegated Admins (or as CyberArk calls them, "Shadow Admins") in Active Directory is by determining <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">effective permissions</a> / <a href="http://www.paramountdefenses.com/company/cyber-security-innovation.html" target="_blank">effective access</a> in Active Directory.<br />
<br />
As former Microsoft Program Manager for Active Directory Security, let me be the first to tell you that accurately determining effective permissions in Active Directory, on even a single Active Directory object, is very difficult. To then be able to do so on thousands of objects in an Active Directory is almost a herculean task on par with scaling Mount Everest.<br />
<br />
That said, if you can click a button, you needn't fear "<i>Shadow Accounts</i>" anymore because <a href="http://www.paramountdefenses.com/active-directory-administrative-access-and-delegation-audit-tool.html" target="_blank">this</a> tool can uniquely, instantly and accurately identify all such "<i>Delegated Admins</i>" (or if you prefer to call them "<i>Shadow Admins</i>") accounts in Active Directory -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidMOzSDAVv9hDlysu4cYK0Cbj9KILgIhSIlMbT4FHda1x-ff7PBFLFz4C8g6kPVkIYS3JtV7Wo4_IVA-eXKSHMvAtHPP_vt-acjO1Vbv5-6ytQX6qNkDBbvLsUZQjgxh0HWr3VU1AUGMTu/s1600/Active-Directory-Administrative-Access-and-Delegation-Audit-Tool.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="738" data-original-width="1023" height="460" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidMOzSDAVv9hDlysu4cYK0Cbj9KILgIhSIlMbT4FHda1x-ff7PBFLFz4C8g6kPVkIYS3JtV7Wo4_IVA-eXKSHMvAtHPP_vt-acjO1Vbv5-6ytQX6qNkDBbvLsUZQjgxh0HWr3VU1AUGMTu/s640/Active-Directory-Administrative-Access-and-Delegation-Audit-Tool.png" width="640" /></a></div>
<br />
It is the only tool in the world that can accomplish the herculean feat of being able to accurately identify all such "<i>Delegated Admin</i>" / "<i>Shadow Admin</i>" accounts in Active Directory, and it took over half a decade to build, thoroughly test and deliver.<br />
<br />
Today, the world's <a href="http://www.paramountdefenses.com/company/customers.html" target="_blank">most</a> powerful government and business organizations across 6 continents worldwide rely on it.<br />
<br />
We care deeply about all organizations, including all cyber security companies so I'll also be the first to tell you that it does <span style="color: #cc0000;">NOT</span> obviate the need for various privileged account security solutions that respectable companies like CyberArk and others provide.<br />
<br />
It ONLY helps accurately discover/identify/audit all such accounts, but as CyberArk too has emphasized in their blog, that in itself is <span style="color: #cc0000;">PARAMOUNT</span> because "<i>you cannot protect what you cannot identify</i>" and <span style="color: #cc0000;">just ONE such privileged account</span> (of which at most organizations, there likely are hundreds today) is all that perpetrators need to discover and compromise to then be able to easily 0wn the Kingdom.<br />
<br />
<br />
<br />
<b><span style="font-size: large;">Summary</span></b><br />
<br />
Ladies and Gentlemen, in closing, Privileged Account Security is paramount to organizational cyber security, and please don't just take my word for it, for <a href="http://lp.cyberark.com/rs/316-CZP-275/images/ds-CyberArk-Privileged-Account-Security-11-2017.pdf" target="_blank">here</a>'s CyberArk communicating in effect the same fact -<br />
<blockquote class="tr_bq">
"<i><span style="color: #cc0000;">Privileged accounts represent the largest security vulnerability an organization faces today.</span> These powerful accounts are used in nearly every cyber-attack, and they allow anyone who gains possession of them to control organization(al) resources, disable security systems, and access vast amounts of sensitive data.</i>"
</blockquote>
As I've said above, CyberArk is 100% right. The compromise of even just <span style="color: #cc0000; font-size: x-large;">1</span> (i.e. ONE) such privileged account could easily grant perpetrators complete command and control over your entire network and empower them to swiftly take over everything.<br />
<br />
In fact, <a href="http://www.paramountdefenses.com/privileged-access.html" target="_blank">100%</a> of all major recent high-impact cyber security breaches (E.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and subsequent misuse of a single, i.e. just ONE Active Directory Privileged User Account.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCoSui-3m29GlVj8bvBm6YzCdrXvO8pHKRshgdB1W-7MnqzGs4p1LnOd9pL6T5AXsihoLuOuZVXtN2WHe-VvwngAB0oAwPCpZP2bZb6_baVbAvL9M60SsNdpozq4rO59m49s1WOKsYU9N7/s1600/iStock_000037411490_Medium.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1067" data-original-width="1600" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCoSui-3m29GlVj8bvBm6YzCdrXvO8pHKRshgdB1W-7MnqzGs4p1LnOd9pL6T5AXsihoLuOuZVXtN2WHe-VvwngAB0oAwPCpZP2bZb6_baVbAvL9M60SsNdpozq4rO59m49s1WOKsYU9N7/s640/iStock_000037411490_Medium.jpg" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="color: #cc0000;">CyberArk is also 100% right</span> that in most Active Directory deployments worldwide, today there likely exist a <a href="http://www.paramountdefenses.com/privileged-access-insight.html" target="_blank">dangerously</a> and excessively large number of such "Shadow Admin" accounts, which for all practical purposes possess the same level of privileged access as do members of the default Active Directory administrative / privileged access groups, yet because they are not members of those default privileged access groups, these accounts are in fact very difficult to accurately identify.<br />
<br />
Consequently, their presence may pose <a href="http://www.paramountdefenses.com/minutes-to-compromise.html" target="_blank">a FAR greater risk</a> to organizational cyber security, which is why it is so very important for organizations to be able to accurately discover/identify all such accounts, i.e. <i>each and every single one of them</i>.<br />
<br />
We also appreciate CyberArk's well-intentioned efforts to offer guidance that could help organizations identify all such accounts. Unfortunately, because this is a rather esoteric subject, and Microsoft has apparently not provided any guidance on how to correctly identify such accounts, CyberArk's experts may not have known how to correctly identify all such accounts.<br />
<br />
Thus, we were happy to have shed light on this paramount subject to help them and organizations worldwide better understand how to accurately identify all such "Shadow Admin" accounts. Towards the same, I also shared a <a href="http://www.active-directory-security.com/2017/12/how-to-correctly-discover-shadow-admins.html" target="_blank">pointer</a> to a technical blog post wherein we've illustrated the inaccuracy and classic mistake that most organizations make, as well as the correct approach.<br />
<br />
Finally, for all such organizations that wish to be able to efficiently and accurately identify all such "<i>Shadow Admin</i>" accounts, I've also shared with you above how the world's most powerful government and business organizations easily do so today.<br />
<br />
I hope you've found this to be helpful, and I wish you all, including CyberArk, all the very best. <br />
<br />
We're <a href="http://www.paramountdefenses.com/company/the-entire-world-runs-on-active-directory.html" target="_blank">all</a> in this together.<br />
<br />
Best wishes,<br />
<a href="http://www.cyber-security-blog.com/2017/12/demonstrating-cyber-security-thought-leadership.html" target="_blank">Sanjay</a><br />
<br />
<br />
PS: (Highly) Recommended Reading -<br />
<ol>
<li><a href="http://www.paramountdefenses.com/company/the-entire-world-runs-on-active-directory.html" target="_blank">The Entire World runs on Active Directory</a></li>
<li><a href="http://www.paramountdefenses.com/resources/presentations/Active-Directory-Security.pdf" target="_blank">Defending Active Directory Against CyberAttacks</a> (Slide 88 alludes to CyberArk)</li>
<li><a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">Active Directory Effective Permissions</a></li>
<li><a href="http://www.active-directory-security.com/2017/06/a-simple-trillion-dollar-active-directory-privilege-escalation-example.html" target="_blank">Active Directory Privilege Escalation</a> - A Trillion Dollar Example</li>
<li><a href="http://www.active-directory-security.com/2017/10/how-to-thwart-sneaky-persistence-in-active-directory.html" target="_blank">How to Thwart Sneaky Persistence in Active Directory</a></li>
<li><a href="http://www.active-directory-security.com/2017/12/how-to-discover-stealthy-admins-in-active-directory.html" target="_blank">How to Discover Stealthy Admins in Active Directory</a></li>
<li>A <a href="http://www.cyber-security-blog.com/2016/07/a-letter-to-benjamin-delpy-re-mimikatz-and-active-directory-security.html" target="_blank">Letter to Benjamin Delpy</a>, a <a href="http://www.active-directory-security.com/2017/05/a-trillion-dollar-letter-to-microsoft-concerning-cyber-security-worldwide.html" target="_blank">Letter to Microsoft</a>, and a <a href="http://www.cyber-security-blog.com/2017/01/cyber-security-insight-for-president-trump.html" target="_blank">Letter to President Donald Trump</a></li>
</ol>
<br />
<b>Time to DEMONSTRATE Thought Leadership in the Cyber Security Space</b> (Sanjay, published 2017-12-08, updated 2017-12-08)<br />
<br />
Folks,<br />
<br />
Hope you're all well. Last year I had said that it was time for us to <a href="http://www.cyber-security-blog.com/2016/05/cyber-security-thought-leadership.html" target="_blank">provide</a> Thought Leadership to the Cyber Security space.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF_-fjgSi5H4sFd9jfhFn1mejjDswQV-RZmaRwTOhYpVTARKl2pLM8r1KCMTFHHrbPWZrmtqmUziDppggi4AqjoeHDyRNMeQW3AKwMUdWshdHTaO7fCdB-Kbu0eVfSqYjMkdzskziHzQAp/s1600/Cyber-Security-Thought-Leadership.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="330" data-original-width="650" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF_-fjgSi5H4sFd9jfhFn1mejjDswQV-RZmaRwTOhYpVTARKl2pLM8r1KCMTFHHrbPWZrmtqmUziDppggi4AqjoeHDyRNMeQW3AKwMUdWshdHTaO7fCdB-Kbu0eVfSqYjMkdzskziHzQAp/s1600/Cyber-Security-Thought-Leadership.png" /></a></div>
<br />
Since then, I've <a href="http://www.paramountdefenses.com/blog/30-days-of-advanced-active-directory-security-school-for-microsoft/" target="_blank">penned</a> over 50 blog posts, on numerous important topics,<br />
and helped 1000s of organizations worldwide better understand -<br />
<br />
<table>
<tbody>
<tr>
<td valign="top" width="50%"><ol>
<li>The <a href="http://www.active-directory-security.com/2017/06/active-directory-security-is-paramount.html" target="_blank">Importance of Active Directory Security</a></li>
<br />
<li>Insight into <a href="http://www.active-directory-security.com/2017/09/active-directory-access-control-lists-attack-and-defense.html" target="_blank">Active Directory ACLs - Attack and Defense</a></li>
<br />
<li>How to <a href="http://www.paramountdefenses.com/defending-active-directory-against-cyberattacks.html" target="_blank">Defend Active Directory Against Cyber Attacks</a></li>
<br />
<li>How to <a href="http://www.active-directory-security.com/2016/08/active-directory-credential-theft-mimikatz-dcsync-mitigation.html" target="_blank">Mitigate the Risk Posed by Mimikatz DCSync</a></li>
<br />
<li>How to Thwart <a href="http://www.active-directory-security.com/2017/10/how-to-thwart-sneaky-persistence-in-active-directory.html" target="_blank">Sneaky Persistence in Active Directory</a></li>
<br />
</ol>
</td>
<td valign="top" width="50%"><ol>
<li value="6">How to Identify <a href="http://www.active-directory-security.com/2017/12/how-to-discover-stealthy-admins-in-active-directory.html" target="_blank">Stealthy Admins in Active Directory</a></li>
<br />
<li>Understand <a href="http://www.active-directory-security.com/2017/07/preempt-windows-elevation-of-privilege-vulnerability-CVE-2017-8563.html" target="_blank">Windows Elevation of Privilege Vulnerability</a></li>
<br />
<li>Illustrate <a href="http://www.active-directory-security.com/2017/06/a-simple-trillion-dollar-active-directory-privilege-escalation-example.html" target="_blank">Active Directory Privilege Escalation</a></li>
<br />
<li>Correctly <a href="http://www.paramountdefenses.com/effective-privileged-access-audit.html" target="_blank">Identify Privileged Users in Active Directory</a></li>
<br />
<li>Importance of <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Active Directory Effective Permissions</a></li>
</ol>
</td>
</tr>
</tbody></table>
There's so <a href="http://www.active-directory-security.com/2017/10/some-love-for-microsoft-and-time-to-help-microsoft.html" target="_blank">much more</a> to share, and I will continue to do so. <br />
<br />
<br />
<b><br /></b>
<b></b><br />
<b><br /></b>
<b>A <span style="color: #cc0000;">Paramount</span> Global Cyber Security Need</b><br />
<br />
Today, I wanted to take a moment to touch upon one (not so) little aspect of cyber security that today profoundly impacts the foundational security of 85% of <a href="http://www.paramountdefenses.com/company/the-entire-world-runs-on-active-directory.html" target="_blank">all</a> business and government organizations worldwide, including most cyber security companies.<br />
<br />
Folks, I am talking about empowering organizations worldwide to identify exactly who holds the proverbial "<i><span style="color: #cc0000;">Keys to the Kingdom</span></i>", i.e. helping them accurately identify exactly who actually possesses what privileged access in their Active Directory deployments.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuSf1Ah_pefCIgIuqOnm8uoTAJPtnKYopUSQSbOv_TrF67m6nSmD1IoknlHBoawpLug7wL-gjoe6fZe92nrbAq4KRv0_p99E46S-CgA-BgkM9M1eb3i59LVVWEXxO5o_GToZiS_v9VRqkf/s1600/Active-Directory.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="354" data-original-width="636" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuSf1Ah_pefCIgIuqOnm8uoTAJPtnKYopUSQSbOv_TrF67m6nSmD1IoknlHBoawpLug7wL-gjoe6fZe92nrbAq4KRv0_p99E46S-CgA-BgkM9M1eb3i59LVVWEXxO5o_GToZiS_v9VRqkf/s640/Active-Directory.jpg" width="640" /></a></div>
<br />
The reason this is so important is because 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and misuse of guess what - just <a href="http://www.paramountdefenses.com/privileged-access.html" target="_blank">ONE</a> Active Directory Privileged User Account.<br />
<br />
Since <a href="http://www.paramountdefenses.com/" target="_blank">we</a>'ve been silently working on this since 2006, we have a head start of about a decade. Over the last few months, we've seen several prominent vendors finally realize the importance of doing so, and we've seen them share guidance on this subject. <br />
<br />
<span style="color: #cc0000;">Unfortunately</span>, just about every piece of advice out there, whether it be from prominent cyber security experts or billion dollar cyber security companies, on how to actually correctly audit privileged access in Active Directory, is dangerously inaccurate. <br />
<br />
<br />
<b><br /></b>
<br />
<b><span style="color: #38761d;"><br /></span></b>
<b><span style="color: #38761d;">Thought</span> Leadership</b><br />
<div>
<b><br /></b></div>
<div>
There's an old saying - "<i>Actions Speak Louder Than Words</i>." While there's no dearth of talk by so many big names out there on how to improve cyber security, identify privileged users etc., <span style="color: #cc0000;">the key</span> to actually (demonstrably and provably) enhancing cyber security lies in actually helping organizations do so, and we've been silently at work for a decade to help organizations do so.</div>
<br />
So, in days to come, right here on this blog, I'm going to (hopefully for one last time), share exactly how organizations worldwide can today accurately and efficiently identify privileged access in their <a href="http://www.paramountdefenses.com/company/the-entire-world-runs-on-active-directory.html" target="_blank">foundational</a> Active Directory deployments worldwide.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSsUy2YDr_a_c4xd4wJbqI5Vkils15AHxXP4p4luGGR-wKggnhtS0aHWCSNRkroxtRPEsVLlVzL7_zTD3ZvkIDGVcqe4eQSj6OCvvzXzItoA7KiANedH_BytwEjKSjbCJfGVQsHPU5sFdh/s1600/Thought-Leadership.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="409" data-original-width="650" height="402" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSsUy2YDr_a_c4xd4wJbqI5Vkils15AHxXP4p4luGGR-wKggnhtS0aHWCSNRkroxtRPEsVLlVzL7_zTD3ZvkIDGVcqe4eQSj6OCvvzXzItoA7KiANedH_BytwEjKSjbCJfGVQsHPU5sFdh/s640/Thought-Leadership.jpg" width="640" /></a></div>
<br />
In doing so, we will yet again demonstrate Thought Leadership in the Cyber Security space. By the way, this is neither about us, nor about pride. I've already <a href="https://www.linkedin.com/in/sanjaytandon" target="_blank">said</a> I'm just a nobody (whose work possibly impacts everybody). <span style="color: #38761d;">This is about a desire to help.</span><br />
<br />
So, that post should be out right here on this blog next week, possibly as early as Monday morning.<br />
<br />
Best wishes,<br />
<a href="http://www.sanjaytandon.com/" target="_blank">Sanjay</a><br />
<br />
<b>A Massive Cyber Breach at a Company Whilst it was Considering the 'Cloud'</b> (Sanjay, published 2017-10-13, updated 2017-10-24)<br />
<span style="font-size: large;">(A Must-Read for all CEOs, CFOs, CIOs, CISOs, Board Members & Shareholders Today)</span><br />
<br />
<br />
Folks,<br />
<br />
Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."<br />
<br />
With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?<br />
<br />
<br />
<b><br /></b>
<b>The <span style="color: #cc0000;">C-Suite </span>Meeting</b><br />
<br />
Today was a HUGE day for this multi-billion dollar company, for today, after several months of researching and evaluating their choices and options, the company's leadership would finally decide which Cloud Computing provider to go with.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidvksoUnTtuKtybW5QjoSM2sxJ0cuv3bKXPbLGtgN6DmruVnatcq0ZJz4eXEopF35BzW7tcwmsagLLeLat3bn4fhii7kDAHTJRzUqzOGCKvXjp15ucv0HiZbLplDdOTTDx0jrQVC5bfZc/s1600/Board-of-Directors.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1066" data-original-width="1600" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidvksoUnTtuKtybW5QjoSM2sxJ0cuv3bKXPbLGtgN6DmruVnatcq0ZJz4eXEopF35BzW7tcwmsagLLeLat3bn4fhii7kDAHTJRzUqzOGCKvXjp15ucv0HiZbLplDdOTTDx0jrQVC5bfZc/s640/Board-of-Directors.jpg" width="640" /></a></div>
<br />
This meeting is being chaired by the <span style="color: #cc0000;">Chairman of the Board </span>and attended by the following organizational employees -<br />
<br />
<table>
<tbody>
<tr>
<td valign="top" width="10%"></td>
<td valign="top" width="45%"><ol>
<li>Chief Executive Officer (CEO)</li>
<br />
<li>Chief Financial Officer (CFO)</li>
</ol>
</td>
<td valign="top" width="45%"><ol>
<li value="3">Chief Information Officer (CIO)</li>
<br />
<li>Chief Information Security Officer (CISO)</li>
</ol>
</td>
</tr>
</tbody></table>
<div>
<br />
Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.</div>
<br />
<br />
<br />
<b><br /></b>
<b>Meeting <span style="color: #cc0000;">In-Progress</span></b><br />
<br />
After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.<br />
<br />
The C-Suite then took a break for lunch.<br />
<br />
The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden <span style="color: #cc0000;">this happened...</span><br />
<br />
<div style="text-align: left;">
... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.</div>
<br />
Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "<i>Are you 100% sure?</i>" He said "<i>Yes</i>."<br />
<br />
<br />
<br />
<br />
<b><br /></b>
<b>Houston, <span style="color: #cc0000;">We Have a Problem</span></b><br />
<br />
The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzC_DX0FBphPQRr1Suhz62AR6gMOCRSuyNeNFbH88LCXqW54NdwaeEULcDfMb2YRJ9RmGU46MuXLptdxOm2g2KDuUufo_cpZsNW-PqchTXVi9rcDreFyDoUJ5CN-kuBXHGqjwyptsU-04/s1600/Concerned-Executive.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1095" data-original-width="1600" height="438" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzC_DX0FBphPQRr1Suhz62AR6gMOCRSuyNeNFbH88LCXqW54NdwaeEULcDfMb2YRJ9RmGU46MuXLptdxOm2g2KDuUufo_cpZsNW-PqchTXVi9rcDreFyDoUJ5CN-kuBXHGqjwyptsU-04/s640/Concerned-Executive.jpg" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.<br />
<br />
He told the Vice President of this Cloud Computing company - "<i>Hopefully, we'll get back to you in a few weeks.</i>"<br />
<br />
He then looked at the CEO and the Chairman of the Board, and he said - "<span style="color: #cc0000;"><i>Sir, we have a problem</i></span><span style="color: #cc0000;"><i>!</i></span>"<br />
<br />
<br />
<br />
<br />
<b>It's <span style="color: #cc0000;">Over</span></b><br />
<br />
The CEO asked the CIO - "<i>What's wrong? What happened</i>?"<br />
<br />
The CIO replied - "<i>Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!</i>"<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh13h6uBsd-dfv_B-SHIi5_hdewApDRy3g-zdSTv345RHUILIZis09k64FcAWBcMZodQgOnm98rsznJsHVYIBMa2Se9Umz8YSvoIZmUuR_d0tzGXXrwlQOljpZY8DTgJVMfqa8CynVGbVJZ/s1600/Chairman-of-the-Board.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1068" data-original-width="1600" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh13h6uBsd-dfv_B-SHIi5_hdewApDRy3g-zdSTv345RHUILIZis09k64FcAWBcMZodQgOnm98rsznJsHVYIBMa2Se9Umz8YSvoIZmUuR_d0tzGXXrwlQOljpZY8DTgJVMfqa8CynVGbVJZ/s640/Chairman-of-the-Board.jpg" width="640" /></a></div>
<br />
The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "<i><span style="color: #cc0000;">Everyone</span></i>'s <i>credentials</i>?!"<br />
<br />
The CIO replied - "<i>I'm afraid yes, Sir: yours, mine, literally everyone's, including those of all our privileged users!</i>"<br />
<br />
The CEO could sense that there was more bad news, so he asked - "<i>Is there something else I should know?</i>"<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
The CIO replied - "<i>Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!</i>"
<br />
<br />
The CEO was shocked! They'd just been breached, and what a massive breach it was - "<i>How could this have happened</i>?"<br />
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b><br /></b></div>
<div>
<b>Mimikatz <span style="color: #cc0000;">DCSync</span></b> </div>
<br />
The CIO turned to the CISO, who stepped in, and answered the question - "<i>Sir, an intruder used a tool called <a href="http://www.cyber-security-blog.com/2016/07/a-letter-to-benjamin-delpy-re-mimikatz-and-active-directory-security.html" target="_blank">Mimikatz DCSync</a> to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment.</i>"<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ_F8PtddUEnLGlAF5h3SB6xfVi4QhT5Fh9Yn7PvpAz8JEm8TcMXOAQsgAMILQG2tasXgFsSBarpDFq1kZaVrZFSLu0iXcQCo41lCehZVtLBPltfmdbjCzXNsjw-0p1GzPahGrQ3vrp1LX/s1600/Mimikatz-DCSync.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="300" data-original-width="699" height="274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ_F8PtddUEnLGlAF5h3SB6xfVi4QhT5Fh9Yn7PvpAz8JEm8TcMXOAQsgAMILQG2tasXgFsSBarpDFq1kZaVrZFSLu0iXcQCo41lCehZVtLBPltfmdbjCzXNsjw-0p1GzPahGrQ3vrp1LX/s640/Mimikatz-DCSync.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<div>
The CEO asked - "<i>What is </i><i>Active Directory?</i>"</div>
<div>
<br /></div>
<div>
The CISO replied - "<i>Sir, simply put, it is the very <a href="http://www.paramountdefenses.com/active-directory.html" target="_blank">foundation</a> of our cyber security"</i></div>
<div>
<i><br /></i></div>
</div>
<div>
The CEO then asked - "<i>Wait.</i> <i>Can just anyone request and extract credentials from Active Directory?</i>"</div>
<div>
<br /></div>
<div>
The CISO replied - "<i>Sir, not everyone can. Only those individuals who have sufficient access to do so, and by that I mean specifically only those who have <span style="color: #cc0000;">Get-Replication-Changes-All </span><a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">effective permissions</a> on the domain root object, can do so.</i>"</div>
<br />
The CEO then said - "<i>This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!</i>"<br />
<br />
The CISO replied - "<i>Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has these effective permissions on our domain root.</i>"<br />
<i><br /></i>
The CEO figured it out - "<i>So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?</i>"<br />
<br />
The CISO replied - "<i>That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory.</i>"<i> </i><br />
<b></b><i><br /></i>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0Z0flSiV0ywQBld0JSKugwehQ8bMjDTaEGOhBHzpL2PNXYWnef5hti-PauwXzD_FoSkt_GZvKjqs7_n4tXcfVwgjHiJD0wwpcvyJMHkocE85d_TzEz2vNFIT-vA3l4Up05O9PRAQWhiik/s1600/Microsoft.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="276" data-original-width="640" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0Z0flSiV0ywQBld0JSKugwehQ8bMjDTaEGOhBHzpL2PNXYWnef5hti-PauwXzD_FoSkt_GZvKjqs7_n4tXcfVwgjHiJD0wwpcvyJMHkocE85d_TzEz2vNFIT-vA3l4Up05O9PRAQWhiik/s640/Microsoft.jpg" width="640" /></a></div>
<br />
The CEO was furious! - "<i>You're kidding, right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around?!</i>"<br />
<br />
The CISO replied - "<i>Seventeen years.</i>"<br />
<br />
The CEO then said in disbelief - "<i>Did you just say 17 years, as in S-E-V-E-N-T-E-E-N years?! <span style="color: white;">Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!</span></i><span style="color: white;">"</span><br />
<div>
<i><br /></i></div>
<div>
<i><br /></i></div>
<div>
<i><br /></i></div>
<div>
<div>
<b><br /></b></div>
<div>
<b>This is <span style="color: #cc0000;">for Real</span></b></div>
<div>
<b></b><br /></div>
<div>
Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to <span style="color: #cc0000;">exactly</span> who has sufficient <span style="color: #cc0000;">effective permissions</span> to be able to replicate secrets out of their Active Directory. <span style="color: #cc0000;">None</span> whatsoever!</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCoSui-3m29GlVj8bvBm6YzCdrXvO8pHKRshgdB1W-7MnqzGs4p1LnOd9pL6T5AXsihoLuOuZVXtN2WHe-VvwngAB0oAwPCpZP2bZb6_baVbAvL9M60SsNdpozq4rO59m49s1WOKsYU9N7/s1600/iStock_000037411490_Medium.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1067" data-original-width="1600" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCoSui-3m29GlVj8bvBm6YzCdrXvO8pHKRshgdB1W-7MnqzGs4p1LnOd9pL6T5AXsihoLuOuZVXtN2WHe-VvwngAB0oAwPCpZP2bZb6_baVbAvL9M60SsNdpozq4rO59m49s1WOKsYU9N7/s640/iStock_000037411490_Medium.jpg" width="640" /></a></div>
<div>
<br /></div>
<div>
We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organization that wishes to see it.</div>
</div>
<br />
<div>
<br /></div>
<br />
<br />
<div>
<i><br /></i></div>
<div>
<b>This Could've Been (and Can Be) <span style="color: #38761d;">Easily Prevented</span> </b></div>
<div>
<div>
<b></b><br /></div>
<div>
This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">effective permissions</a> in their foundational Active Directory deployments.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKc_i3vwAqDOV0L1pBKaX7TbjEaTWmnG4SkJlMQe_FNwsMobJ2mhO1WBom67QKjMhLctVbE23ktSjioV7NbMM3oUAqZa7lXS2tFZ6kDDFj1fRKQPgencpYSa89Aqo5FWMfKfHU6FGmaw7F/s1600/Authorized-Access-Only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="381" data-original-width="800" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKc_i3vwAqDOV0L1pBKaX7TbjEaTWmnG4SkJlMQe_FNwsMobJ2mhO1WBom67QKjMhLctVbE23ktSjioV7NbMM3oUAqZa7lXS2tFZ6kDDFj1fRKQPgencpYSa89Aqo5FWMfKfHU6FGmaw7F/s640/Authorized-Access-Only.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Sadly, since Microsoft apparently <a href="http://www.active-directory-security.com/2017/01/advanced-active-directory-security-school-for-microsoft.html" target="_blank">never educated</a> its customers about the importance of <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Active Directory effective permissions</a>, most of them have no idea as to exactly who can do what across their Active Directory deployments! </div>
<div>
<br /></div>
<div>
Unfortunately, <a href="http://www.cyber-security-blog.com/2016/07/a-letter-to-benjamin-delpy-re-mimikatz-and-active-directory-security.html" target="_blank">Mimikatz DCSync</a> is just the <a href="http://www.active-directory-security.com/2017/06/the-top-5-cyber-security-risks-to-active-directory.html" target="_blank">Tip</a> of the <a href="http://www.active-directory-security.com/2017/07/an-ocean-of-access-privileges-in-active-directory.html" target="_blank">Iceberg</a>. Today most organizations are likely <a href="http://www.paramountdefenses.com/operating-in-the-dark.html" target="_blank">operating in the dark</a> and have no idea of <a href="http://www.active-directory-security.com/2017/09/active-directory-access-control-lists-attack-and-defense.html" target="_blank">the actual attack surface</a>, i.e. of exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs etc., even though any insider or intruder could try to figure this out and misuse that insight to compromise their security.</div>
<div>
<br /></div>
<div>
Technically speaking, with even just minimal education and the right tooling, <span style="color: #38761d;">here is how easy it is </span>for organizations to figure this out and lock it down today, i.e. before an intruder can exploit it to inflict colossal damage - <a href="http://www.active-directory-security.com/2016/08/active-directory-credential-theft-mimikatz-dcsync-mitigation.html" target="_blank">RIGHT HERE</a>.</div>
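<div>
<br /></div>
<div>
The following script is an added example, not code from the original post and not Paramount Defenses' own tooling. It is the first thing a practitioner would run to see who can satisfy the check the CISO describes above: it reads the domain root DACL through the RSAT ActiveDirectory module's AD: drive, keeps only the ACEs that grant the three replication control-access rights (the schema names are DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set; their GUIDs below are the well-known schema values), expands the groups that hold them, flags anything outside an allow-list, and can strip the non-inherited replication ACEs of one principal. The <code>$Authorized</code> list is an assumption to be tuned per domain, not a Microsoft default list, and the principal name <code>CORP\contractor-svc</code> in the usage note is hypothetical.</div>
<div>
<br /></div>

```powershell
# Added example, not code from the original post or from Paramount Defenses.
# Lists every ACE on the domain root that can satisfy DCSync (the replication extended
# rights), expands the groups that hold them, flags entries outside an allow-list, and
# can remove the non-inherited replication ACEs of one principal. Needs the RSAT
# ActiveDirectory module and an account that can read (and, for -Apply, write) the DACL.
param(
    # ASSUMPTION: a starting allow-list to tune per domain; it is not a Microsoft default list.
    [string[]]$Authorized = @('Administrators', 'Domain Controllers', 'Enterprise Domain Controllers',
                              'Enterprise Read-only Domain Controllers', 'Domain Admins', 'Enterprise Admins'),
    [string]$RemoveFor,   # hypothetical, e.g. 'CORP\contractor-svc': strip that principal's replication ACEs
    [switch]$Apply        # without -Apply the removal is only reported, never written
)

Import-Module ActiveDirectory -ErrorAction Stop

# Schema GUIDs of the three replication control-access rights (controlAccessRight objects).
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

# An ACE grants replication if it carries ExtendedRight (GenericAll includes that bit) and its
# ObjectType is one of the replication GUIDs or the empty GUID, which means every extended right.
$replAces = @($acl.Access | Where-Object {
    ($_.ActiveDirectoryRights -band $extRight) -and
    ($_.ObjectType -eq [guid]::Empty -or $ReplRights.ContainsKey($_.ObjectType.ToString()))
})

function Expand-Principal {
    # Turn an IdentityReference into the accounts behind it; groups are expanded recursively.
    param([System.Security.Principal.IdentityReference]$Ref)
    try {
        $sid     = $Ref.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $members = @(Get-ADGroupMember -Identity $sid -Recursive -ErrorAction Stop)
        if ($members.Count -eq 0) { return @("group(empty):$($Ref.Value)") }
        return $members | ForEach-Object { "$($_.objectClass):$($_.SamAccountName)" }
    } catch {
        # Not a resolvable AD group: a user, a computer, or a well-known SID such as NT AUTHORITY\SYSTEM.
        return @("principal:$($Ref.Value)")
    }
}

$report = foreach ($ace in $replAces) {
    $right = if ($ace.ObjectType -eq [guid]::Empty) { 'ALL extended rights' }
             else { $ReplRights[$ace.ObjectType.ToString()] }
    $short = ($ace.IdentityReference.Value -split '\\')[-1]
    [pscustomobject]@{
        Identity   = $ace.IdentityReference.Value
        Type       = $ace.AccessControlType   # a Deny here overrides an Allow for the same principal
        Right      = $right
        Inherited  = $ace.IsInherited
        Authorized = [bool]($Authorized -contains $short)
        Members    = (Expand-Principal $ace.IdentityReference) -join ', '
    }
}
$report | Sort-Object Authorized, Identity | Format-Table -AutoSize -Wrap
"Domain root owner (can rewrite this DACL at will): $($acl.Owner)"

if ($RemoveFor) {
    $targets = @($replAces | Where-Object { $_.IdentityReference.Value -eq $RemoveFor -and -not $_.IsInherited })
    foreach ($ace in $targets) { [void]$acl.RemoveAccessRule($ace) }
    if ($Apply) { Set-Acl -Path "AD:\$domainDN" -AclObject $acl; "Removed $($targets.Count) ACE(s) for $RemoveFor." }
    else        { "Would remove $($targets.Count) ACE(s) for $RemoveFor; re-run with -Apply to write the change." }
}
```

<div>
<br /></div>
<div>
Run it from a domain-joined admin workstation as <code>.\Audit-ReplicationRights.ps1</code> to get the report, then <code>.\Audit-ReplicationRights.ps1 -RemoveFor 'CORP\contractor-svc' -Apply</code> (hypothetical name) once a flagged entry has been confirmed as unauthorized. Note what this does and does not tell you: it reads the direct DACL and expands group membership, which is the quick check most shops never run, but it is not an effective-permissions computation. It does not rank a Deny ACE against an Allow for the same account, does not follow membership via SID history or foreign security principals, and does not list the principals who hold WriteDacl or WriteOwner on the domain root (or who own it), even though each of them can grant themselves the replication rights at will. That remaining gap is precisely the difficulty the post is about.</div>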
<div>
<br /></div>
<div>
<br /></div>
<div>
Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft <span style="color: #0b5394;">Azure</span>. </div>
<div>
<br /></div>
<div>
Wait, weren't these C*Os discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b><br /></b></div>
<div>
<b><i><br /></i></b></div>
<div>
<b><i>Fast-Forward</i> <span style="color: #cc0000;">Six Months</span></b></div>
<div>
<br /></div>
<div>
Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR-PvYzRT9Bx_WH4iiC0Of4La_eHdRazrBqcL14l9p-a4GvBSYVK3WDt_cWhsS1fJH-T7TiPezBo0qjoqIFlGcUf4SBlptMgstQxuWQoo3HjDtVnpb8DaHERfnlgzLBpLfeE2zSO5n2hQ1/s1600/Cyber-Attack.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="400" data-original-width="800" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR-PvYzRT9Bx_WH4iiC0Of4La_eHdRazrBqcL14l9p-a4GvBSYVK3WDt_cWhsS1fJH-T7TiPezBo0qjoqIFlGcUf4SBlptMgstQxuWQoo3HjDtVnpb8DaHERfnlgzLBpLfeE2zSO5n2hQ1/s640/Cyber-Attack.png" width="640" /></a></div>
<br />
All of this could've been prevented, if they only <a href="http://www.active-directory-security.com/2017/01/advanced-active-directory-security-school-for-microsoft.html" target="_blank">knew</a> about something as elemental as <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">this</a>, and had the ability to determine <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">this</a>.</div>
<div>
<br />
<br />
<br />
<b><br /></b>
<b><br /></b>
<b><span style="color: #cc0000;">Summary</span></b><br />
<br />
<span style="color: #cc0000;">The moral of the story</span> is that while it's fine to fall for the latest fad, i.e. to consider moving to the "Cloud" and all, as AND while you consider and plan to do so, you just cannot let your <span style="color: #cc0000;">on-prem </span>cyber defenses down even for a moment, because if you do, you may not have a company left to move to the Cloud. A <a href="http://www.cyber-security-blog.com/2016/08/how-to-lockdown-active-Directory-to-thwart-use-of-mimikatz-dcsync.html" target="_blank">single</a> excessive <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">effective permission</a> in Active Directory is <a href="http://www.paramountdefenses.com/company/insight.html" target="_blank">all</a> it takes.</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmgDSdR3nft8WfreFqsCCQz-SBhno1R5uKK0zBzUbBR2fE7zCbJ-zGA0HDKQ6mDjm1Ez6qBrhDHZp2S1iz8JZdICZFqLyNHBoSq8cBK7oHCxcepJllEkhq6BesGFo0-RCs_FGDH7lUmJeW/s1600/Cyber-Security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="320" data-original-width="1100" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmgDSdR3nft8WfreFqsCCQz-SBhno1R5uKK0zBzUbBR2fE7zCbJ-zGA0HDKQ6mDjm1Ez6qBrhDHZp2S1iz8JZdICZFqLyNHBoSq8cBK7oHCxcepJllEkhq6BesGFo0-RCs_FGDH7lUmJeW/s640/Cyber-Security.png" width="640" /></a></div>
<br />
<span style="color: #cc0000;">I'll say this one more time and one last time</span> - what I've shared above could easily happen at almost <a href="http://www.paramountdefenses.com/company/the-entire-world-runs-on-active-directory.html" target="_blank">any</a> organization today.</div>
<div>
<br /></div>
<div>
Best wishes,</div>
<div>
<a href="http://www.sanjaytandon.com/" target="_blank">Sanjay</a></div>
<div>
<br />
CEO, Paramount Defenses<br />
<br />
<br /></div>
<div>
<br />
PS: <span style="color: #38761d;"><b>If this sounds too simple </b>and high-level</span> i.e. hardly technical, <span style="color: #38761d;">that is by intent</span>, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found <a href="http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=8429708.PN.&OS=PN/8429708&RS=PN/8429708" target="_blank">here</a>, <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">here</a>, <a href="http://www.active-directory-security.com/2017/08/how-to-correctly-audit-who-can-delete-an-organizational-unit-in-active-directory.html" target="_blank">here</a>, <a href="http://www.active-directory-security.com/2014/05/An-Automated-Kerberos-Token-Size-Calculation-Tool.html" target="_blank">here</a>, <a href="http://www.active-directory-security.com/2017/09/active-directory-access-control-lists-attack-and-defense.html" target="_blank">here</a> <a href="http://www.paramountdefenses.com/privileged-access-insight.html" target="_blank">etc.</a> <a href="http://www.paramountdefenses.com/resources/presentations/Active-Directory-Security.pdf" target="_blank">etc</a>.<br />
<br />
<br />
<br />
PS2: Note for Microsoft - This may be the simplest example of "<i><a href="http://www.active-directory-security.com/2017/09/active-directory-access-control-lists-attack-and-defense.html" target="_blank">Active Directory Access Control Lists - Attack and Defense</a>.</i>" <br />
<br />
Here's why - <a href="http://www.active-directory-security.com/2016/08/active-directory-credential-theft-mimikatz-dcsync-mitigation.html" target="_blank">Mimikatz DCSync</a>, which embodies the technical brilliance of a certain Mr. <a href="http://www.cyber-security-blog.com/2016/07/a-letter-to-benjamin-delpy-re-mimikatz-and-active-directory-security.html" target="_blank">Benjamin Delpy</a>, may be the simplest example of how someone could <span style="color: #cc0000;">attack</span> Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, <a href="http://www.paramountdefenses.com/goldfinger.html" target="_blank">Gold Finger</a>, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could <span style="color: #38761d;">defend</span> Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lock down any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.<br />
<br />
<br />
<br />
PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read <a href="http://www.cyber-security-blog.com/2017/08/teaching-microsoft-about-active-directory-security.html" target="_blank">this</a> & <a href="http://www.cyber-security-blog.com/2017/09/helping-microsoft-with-active-directory-security.html" target="_blank">this</a>.)<br />
<br />
PS4: If you liked this, you may also like - <a href="http://www.active-directory-security.com/2017/10/how-to-thwart-sneaky-persistence-in-active-directory.html" target="_blank">How To Easily Identify &amp; Thwart Sneaky Persistence in Active Directory</a></div>
</div>
Sanjayhttp://www.blogger.com/profile/12709732449993946585noreply@blogger.com