Most organizations are very bad at computer security.
They don’t patch well, and they have short, simple passwords that don’t expire. They have dozens to hundreds of people in elevated groups. They don’t have a clue who has which permissions in their environment. Their networks are flat and often wide open to hundreds of contractors, business partners, and vendors. Defenses aren’t appropriately prioritized, and they try and fail to accomplish dozens of projects at the same time. My average security audit findings report is well over 100 pages long and often contains dozens and dozens of critical findings.
It’s no wonder companies get hacked successfully all the time.
Yet there are jewels in the rough. I know of a handful of companies that, despite the usual security challenges, seldom get hacked successfully. They implement a few defenses that are so successful at repelling badness that they outweigh other stuff that might have been missed.
I’ve discussed a few of these companies in the past, and in the intervening years, they have continued to offer a showcase for success. Unfortunately, I can’t get any of them to let me brag about them by name — probably a smart decision.
Each of these successful companies takes many measures to remain secure, but they also have traits in common. These are the shared traits of companies that are highly successful at staying secure:
1. Few to no permanent members in admin groups
Want to frustrate a hacker? Create a “zero admin” environment. That is, have as few permanent members as possible in any elevated group. Some companies are able to get the number down to zero; others have maybe one or two. The idea is that no person in your environment, including a super administrator, needs to do all the tasks that membership in a super group allows, and certainly not all of them at all times.
For example, if you are a member of the Domain Admins group in Active Directory, you can do nearly anything to Active Directory and to any user or computer in it. You can create new trusts to join other domains, modify any user or computer attribute (there are hundreds), create or modify group policies or organizational units, and, because Domain Admins are local administrators on every domain-joined machine by default, read or change any file on any of those machines. Even if you actually need all those permissions, you don’t need them all the time.
When attackers break into your environment, the first thing they want to do is move from the security context of the user or computer they just broke into to some sort of super admin account. If you don’t have any of those in your environment, it significantly frustrates them. I’ve seen APT attackers simply give up and go looking for other, more vulnerable, companies.
How do these model companies deal with permissions? They use one or more of three approaches. Delegation: users are given individual sets of permissions over smaller groups of objects instead of blanket membership in a super group. Password vaulting: super admin credentials must be checked out of a vault on the fly, and even then only for short periods of time. Privilege management: elevation is granted for a particular task and expires with it, so super admin rights are attached to the task, not to the user.
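An added worked example, not code from the article, showing how the “zero admin” idea is checked and enforced in Active Directory with PowerShell. It assumes the RSAT ActiveDirectory module on a domain-joined host, read rights on the directory, a forest at Windows Server 2016 functional level or later for the time-bound membership part, and uses hypothetical names (contoso.com, the jdoe account, the Helpdesk group and the OU=Staff container) purely as placeholders.

```powershell
# Added example (not from the article). Three steps of a "zero admin" program:
#   1. audit who is a permanent member of the built-in privileged groups,
#   2. replace permanent membership with time-bound (just-in-time) membership,
#   3. delegate a narrow right so the helpdesk never needs a super group at all.
# Assumes: RSAT ActiveDirectory module, domain-joined host, directory read rights.
Import-Module ActiveDirectory

# --- 1. Audit permanent members of privileged groups ------------------------
# These groups can all be used to take over the domain, not just Domain Admins.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)

function Get-PermanentPrivilegedMembers {
    param([string[]]$Groups = $privilegedGroups)

    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so an account hidden two groups deep
        # is still reported. Only user objects are counted; nested groups are not.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        [pscustomobject]@{
            Group           = $g
            PermanentUsers  = @($members).Count
            Members         = (@($members) | ForEach-Object SamAccountName) -join ', '
        }
    }
}

# Report: the target is zero (or one or two break-glass accounts) in every row.
Get-PermanentPrivilegedMembers | Sort-Object PermanentUsers -Descending | Format-Table -AutoSize

# --- 2. Time-bound membership instead of permanent membership ---------------
# Requires the Privileged Access Management optional feature, which cannot be
# turned off once enabled. Run once per forest (hypothetical forest name):
#   Enable-ADOptionalFeature 'Privileged Access Management Feature' `
#       -Scope ForestOrConfigurationSet -Target 'contoso.com'

# Grant 'jdoe' (hypothetical account) Domain Admins for two hours. The directory
# removes the membership itself when the TTL expires; no cleanup job is needed.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jdoe' `
    -MemberTimeToLive (New-TimeSpan -Hours 2)

# Verify: with -ShowMemberTimeToLive, time-bound entries are prefixed <TTL=seconds,...>
# while permanent members have no TTL prefix, which makes the stragglers obvious.
(Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive).member

# --- 3. Delegate a narrow right instead of handing out a super group --------
# The helpdesk only needs to reset passwords for staff accounts. Grant exactly
# that control-access right on one OU (inherited to user objects under it),
# so nobody on the helpdesk needs Account Operators or Domain Admins.
# Hypothetical OU and group names; dsacls ships with the RSAT AD DS tools.
dsacls 'OU=Staff,DC=contoso,DC=com' /I:S /G 'CONTOSO\Helpdesk:CA;Reset Password;user'
```

Run step 1 on a schedule and alert on any row whose PermanentUsers count rises, since an attacker who has achieved domain compromise will usually add an account to one of these groups. Step 2 is the built-in alternative to a commercial vault for time-limited elevation; a vault or privilege-management product adds approval workflow, session recording and credential rotation on top of the same idea. Step 3 is the delegation case from the text: the right lives on the objects, and the helpdesk account that holds it is far less valuable to an attacker than a Domain Admins member.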