Roger Grimes, Columnist

5 lessons from companies that get computer security right

Analysis | Jun 03, 2014 | 7 mins
Topics: Authentication, Data and Information Security, Intrusion Detection Software

Computer security is in tatters -- but not everywhere. Learn from the companies that know what they're doing

Most organizations are very bad at computer security.

They don’t patch well, and they have short, simple passwords that don’t expire. They have dozens to hundreds of people in elevated groups. They don’t have a clue who has which permissions in their environment. Their networks are flat and often wide open to hundreds of contractors, business partners, and vendors. Defenses aren’t appropriately prioritized, and they try and fail to accomplish dozens of projects at the same time. My average security audit findings report is well over 100 pages long and often contains dozens and dozens of critical findings.


It’s no wonder companies get hacked successfully all the time.

Yet there are jewels in the rough. I know of a handful of companies that, despite the usual security challenges, seldom get hacked successfully. They implement a few defenses that are so successful at repelling badness that they outweigh other stuff that might have been missed.

I’ve discussed a few of these companies in the past, and in the intervening years, they have continued to offer a showcase for success. Unfortunately, I can’t get any of them to let me brag about them by name — probably a smart decision.

Each of these successful companies takes many measures to remain secure, but they also have commonalities. These are the traits that highly secure companies share:

1. Little to no permanent members in admin groups

Want to frustrate a hacker? Create a “zero admin” environment. That is, have as few permanent members as possible in any elevated group. Some companies are able to get the number down to zero; others have maybe one or two. The idea is that no person in your environment, including a super administrator, needs to do all the tasks that being a member of a super group allows.

For example, if you are a member of the Domain Admins group in Active Directory, you can do nearly anything to Active Directory and any user or computer in it. You can create new trusts to join new domains, modify any user or computer attribute (there are hundreds), create or modify group policies or organizational units, and manipulate any file in any folder. Even if you actually need all those permissions, you don’t need them all the time.

When attackers break into your environment, the first thing they want to do is move from the security context of the user or computer they just broke into to some sort of super admin account. If you don’t have any of those in your environment, it significantly frustrates them. I’ve seen APT attackers simply give up and go looking for other, more vulnerable, companies.

How do these model companies deal with permissions? Either they apply delegation, where users are given individual sets of permissions to smaller groups of objects, or they use some sort of password vaulting software, where super admin credentials must be checked out on the fly, and even then, only for short periods of time. Or they use privilege management software, where only particular tasks end up with super admin functions and the designation stays with the task and not the user.

2. Removed or forcibly patched Java

I hate to flat-out recommend removing any particular piece of software, even Java. If you keep Java patched and up to date, the risk of running it will be significantly lessened. Unfortunately, for reasons I’ve offered before, Java has one of the worst patching records at most customer sites. If you can’t keep it patched all the time, get rid of it.

Companies that are good at computer security don’t install Java on every desktop and server. When it is installed, it’s patched on a monthly basis. In most companies, application compatibility prevents Java from being patched in a timely manner. In highly secure companies, application compatibility is second, at least when it comes to Java. Java users know this and accept that frequent updates might break a program. Either that or they run unpatched Java on computers not hooked to the network.

3. Admin passwords that are not shared

Not sharing passwords is the single best measure enterprises can take to slow down attackers once they gain a foothold on the network. Most companies use the same password across every local Administrator or root account on every managed computer. Attackers love this because once they have compromised one computer, they can dump the local passwords (or hashes) and begin using them to move easily throughout the environment.

Successful companies know this and enforce a separate, unique password for every local admin account. They either accomplish this manually (pure grunt effort) or use an automated password management tool made for just that purpose. If you have a shared admin password across all your computers, change it now.
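The audit that catches the shared-password problem is simple enough to show end to end. The following is an added example, not code from the article or from any product: a minimal model of the kind of automated per-host password tool the column recommends, with an audit that reports hosts still sharing one password, passwords that are too short, and passwords that have not been rotated recently. The host names, the legacy password, the length and age thresholds, and the in-memory vault are all constructed for the demonstration; a real tool would also set the password on the host and protect the vault with access control.

```python
"""Per-host unique local administrator passwords (added example, not the
article's or any vendor's code). Models rotation into a vault and an audit
that finds shared, short, or stale local admin passwords."""
import hashlib
import secrets
import string
from datetime import datetime, timedelta

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
MIN_LENGTH = 20      # assumed policy values for the demonstration
MAX_AGE_DAYS = 30
NOW = datetime(2014, 6, 3)   # fixed "current time" so the demo is repeatable


def generate_password(length=MIN_LENGTH):
    """Random password from the OS CSPRNG, retried until it contains one
    character of each class so common complexity policies accept it."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def rotate(vault, host, now):
    """Give `host` a fresh password that no other host in the vault has."""
    existing = {entry["password"] for entry in vault.values()}
    pw = generate_password()
    while pw in existing:          # collisions are astronomically unlikely, but cheap to exclude
        pw = generate_password()
    vault[host] = {"password": pw, "rotated": now}
    return pw


def audit(vault, now):
    """Return findings as (kind, subject) tuples: 'short' and 'stale' per host,
    and 'shared' with the sorted tuple of hosts that use one password.
    Passwords are grouped by an unsalted SHA-256 fingerprint purely so the
    report never carries the secret itself; this is not a storage hash."""
    findings = []
    hosts_by_fingerprint = {}
    for host, entry in vault.items():
        fp = hashlib.sha256(entry["password"].encode()).hexdigest()[:16]
        hosts_by_fingerprint.setdefault(fp, []).append(host)
        if len(entry["password"]) < MIN_LENGTH:
            findings.append(("short", host))
        if now - entry["rotated"] > timedelta(days=MAX_AGE_DAYS):
            findings.append(("stale", host))
    for hosts in hosts_by_fingerprint.values():
        if len(hosts) > 1:
            findings.append(("shared", tuple(sorted(hosts))))
    return findings


def demo():
    """Constructed 'before' state (one password everywhere, set months ago),
    then rotate every host and audit again. Returns (before, after)."""
    vault = {h: {"password": "Summer2014!", "rotated": datetime(2014, 1, 1)}
             for h in ("ws01", "ws02", "srv01")}
    before = audit(vault, NOW)
    for host in list(vault):
        rotate(vault, host, NOW)
    after = audit(vault, NOW)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before rotation:", before)
    print("after rotation:", after)
```

The audit deliberately reports on fingerprints rather than plaintext, so its output can go to a ticketing system without leaking a credential; the rotation step is the part that, in a real deployment, would be replaced by the tool actually setting the password on each machine.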

4. Outstanding monitoring and alerting

As Verizon’s Data Breach Investigations Report reveals each year, the vast majority of attacks were recorded in log files, but the companies did not bother to look. Secure companies take event logging and monitoring seriously. They create plans, buy the right tools, and alert upon suspicious activity. Every alert is immediately picked up by someone from the incident response team and investigated until it is proved to be either a false positive or a security incident.

This “investigate everything” approach can be particularly powerful when combined with having very few — or zero — permanent members in admin groups. If someone’s account gets added without appropriate justification, it’s probably a good event to investigate.

Good event log monitoring is an art. Find someone who can create useful alerts and decisions from all the noise that’s filling those logs every minute of every day. These people are worth their weight in gold. Pay them appropriately.
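Lessons 1 and 4 reinforce each other: when privileged groups are supposed to be empty, every addition to one is a high-signal event, and a checked-out credential that is never checked back in is just as interesting. The script below is an added example, not code from the article, showing the triage logic over exported Windows Security events. The records are constructed in the shape of the fields a SIEM extracts from events 4728/4732/4756 (member added to a security-enabled global/local/universal group) and 4729/4733/4757 (member removed); the change-ticket list, account names and group names are invented for the demonstration.

```python
"""Triage privileged-group membership changes (added example, not the
article's code). Flags additions no approved change request covers, and
approved just-in-time additions that were never removed once their window
closed. Event IDs are the real Windows Security IDs; all data is constructed."""
from datetime import datetime

GROUP_ADD_EVENTS = {4728, 4732, 4756}      # member added to global/local/universal group
GROUP_REMOVE_EVENTS = {4729, 4733, 4757}   # member removed from the same group kinds

# Groups that, in a "zero admin" environment, should be empty or nearly so.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def parse_event(record):
    """Normalise one exported record into the fields triage needs."""
    return {
        "time": datetime.fromisoformat(record["TimeCreated"]),
        "event_id": int(record["EventID"]),
        "group": record["TargetUserName"],    # the group whose membership changed
        "member": record["MemberName"],       # the account added or removed
        "actor": record["SubjectUserName"],   # the account that made the change
    }


def _covering_ticket(ev, tickets):
    """Return the approved ticket that covers this addition, or None."""
    for t in tickets:
        if (t["group"] == ev["group"] and t["member"] == ev["member"]
                and t["start"] <= ev["time"] <= t["end"]):
            return t
    return None


def triage_group_changes(records, tickets, now):
    """Return alerts: 'unjustified_add' when no ticket covers an addition,
    'overstayed' when a ticketed addition has no removal event and its window
    has ended. `now` may be a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    events = sorted((parse_event(r) for r in records), key=lambda e: e["time"])
    alerts = []
    open_jit = {}   # (group, member) -> ticket, for approved adds awaiting removal
    for ev in events:
        if ev["group"] not in PRIVILEGED_GROUPS:
            continue
        key = (ev["group"], ev["member"])
        if ev["event_id"] in GROUP_ADD_EVENTS:
            ticket = _covering_ticket(ev, tickets)
            if ticket is None:
                alerts.append({"kind": "unjustified_add", "group": ev["group"],
                               "member": ev["member"], "actor": ev["actor"], "time": ev["time"]})
            else:
                open_jit[key] = ticket
        elif ev["event_id"] in GROUP_REMOVE_EVENTS:
            open_jit.pop(key, None)
    for (group, member), ticket in open_jit.items():
        if now > ticket["end"]:
            alerts.append({"kind": "overstayed", "group": group, "member": member,
                           "ticket": ticket["id"], "time": ticket["end"]})
    return alerts


# Constructed sample records and tickets for the demonstration.
SAMPLE_RECORDS = [
    # Approved JIT add, removed inside the window: no alert.
    {"TimeCreated": "2014-06-03T09:02:00", "EventID": "4728", "TargetUserName": "Domain Admins",
     "MemberName": "CN=alice,OU=Users,DC=corp,DC=example", "SubjectUserName": "vault-svc"},
    {"TimeCreated": "2014-06-03T10:30:00", "EventID": "4729", "TargetUserName": "Domain Admins",
     "MemberName": "CN=alice,OU=Users,DC=corp,DC=example", "SubjectUserName": "vault-svc"},
    # Addition with no ticket at all: investigate.
    {"TimeCreated": "2014-06-03T11:15:00", "EventID": "4732", "TargetUserName": "Administrators",
     "MemberName": "CORP\\svc-backup", "SubjectUserName": "bob"},
    # Approved add never followed by a removal: overstayed once the window ends.
    {"TimeCreated": "2014-06-03T13:00:00", "EventID": "4728", "TargetUserName": "Domain Admins",
     "MemberName": "CN=carol,OU=Users,DC=corp,DC=example", "SubjectUserName": "vault-svc"},
    # Change to a non-privileged group: ignored by this rule.
    {"TimeCreated": "2014-06-03T14:00:00", "EventID": "4728", "TargetUserName": "Helpdesk",
     "MemberName": "CN=dave,OU=Users,DC=corp,DC=example", "SubjectUserName": "bob"},
]
SAMPLE_TICKETS = [
    {"id": "CHG-1001", "group": "Domain Admins", "member": "CN=alice,OU=Users,DC=corp,DC=example",
     "start": datetime(2014, 6, 3, 9, 0), "end": datetime(2014, 6, 3, 11, 0)},
    {"id": "CHG-1002", "group": "Domain Admins", "member": "CN=carol,OU=Users,DC=corp,DC=example",
     "start": datetime(2014, 6, 3, 12, 0), "end": datetime(2014, 6, 3, 14, 0)},
]

if __name__ == "__main__":
    for alert in triage_group_changes(SAMPLE_RECORDS, SAMPLE_TICKETS, "2014-06-03T18:00:00"):
        print(alert)
```

Run at 18:00 on the sample data it produces two alerts, the unticketed addition of svc-backup to Administrators and carol's membership in Domain Admins outliving ticket CHG-1002; run at 13:30, only the first. The "overstayed" check is what turns a vaulting or JIT process into something verifiable from the logs rather than something taken on trust.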

5. Segmentation of weaknesses

Almost every company I audit has tons of insecurable legacy systems that should have been removed from the network a decade ago. That’s life. Sometimes operations require that we support very old things. Successful companies segment their old and insecure systems.

Segmentation can be done in myriad ways, including:

  • Separate Active Directory forest
  • Make all computers standalone (not networked)
  • Firewalls, routers, VLANs

The idea is to prevent easy movement of attackers (and configuration badness) between your weakest and strongest environments. Tell management you’ll keep those systems around, but as a trade-off, you must be able to keep them separate from your normal assets. If that becomes too difficult, maybe they will get rid of them or upgrade them, as they should have years ago.
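Whichever mechanism does the segmenting, the property worth checking is the same: nothing in the weak segment can reach the strong one except the few flows you have knowingly allowed. The following is an added example, not code from the article, that lints a firewall rule set for exactly that property, with a flat "before" policy beside a segmented "after" policy. The segment addresses, the rule line format (`action src dst proto port`), and the allowlisted log-forwarding flow are all constructed for the demonstration.

```python
"""Segmentation check (added example, not the article's code): report allow
rules that let traffic from the legacy segment into the production segment
unless the flow is on an explicit allowlist. Addresses and rules are constructed."""
import ipaddress

LEGACY = ipaddress.ip_network("10.90.0.0/16")       # unpatchable old systems
PRODUCTION = ipaddress.ip_network("10.10.0.0/16")   # normal assets

# The only legacy -> production flow knowingly permitted: syslog to the collector.
ALLOWLIST = {("10.90.0.0/16", "10.10.5.20/32", "udp", 514)}


def parse_rule(line):
    """Constructed rule format: `action src dst proto port`, with `any` allowed
    for proto and port."""
    action, src, dst, proto, port = line.split()
    return {"action": action, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "proto": proto,
            "port": None if port == "any" else int(port)}


def find_segmentation_gaps(rule_lines):
    """Return the allow rules that permit any legacy -> production traffic not
    on the allowlist. Deliberately ignores first-match ordering, so an allow
    shadowed by an earlier deny is still reported: the check errs on the side
    of making you look at every broad allow."""
    gaps = []
    for line in rule_lines:
        rule = parse_rule(line)
        if rule["action"] != "allow":
            continue
        if not (rule["src"].overlaps(LEGACY) and rule["dst"].overlaps(PRODUCTION)):
            continue
        key = (str(rule["src"]), str(rule["dst"]), rule["proto"], rule["port"])
        if key in ALLOWLIST:
            continue
        gaps.append(line)
    return gaps


# Constructed "before": a flat network where everything talks to everything.
WEAK_RULES = [
    "allow 0.0.0.0/0 0.0.0.0/0 any any",
    "allow 10.90.0.0/16 10.10.0.0/16 tcp 445",
]

# Constructed "after": legacy may only send syslog into production; admins
# reach legacy from a jump subnet; everything else to or from legacy is denied.
HARDENED_RULES = [
    "allow 10.90.0.0/16 10.10.5.20/32 udp 514",
    "allow 10.10.8.0/24 10.90.0.0/16 tcp 3389",
    "deny 10.90.0.0/16 0.0.0.0/0 any any",
    "deny 0.0.0.0/0 10.90.0.0/16 any any",
]

if __name__ == "__main__":
    print("weak policy gaps:", find_segmentation_gaps(WEAK_RULES))
    print("hardened policy gaps:", find_segmentation_gaps(HARDENED_RULES))
```

The same check works for VLAN ACLs or router filters once their rules are rendered into the same five-field form; the point is that "we segmented it" becomes a statement you can re-verify after every firewall change rather than an assumption from the day the legacy box was walled off.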

When I share these “secrets,” I’m often told that the company will refuse to accept it. All such critics see is inconvenience and limited freedom. I’m here to tell you that the employees of companies who have implemented these common-sense measures are happier than most employees I see in other companies. The restrictions result in less compromise, less downtime, less rebuilding, and less blame.

If your organization is getting tired of being hacked all the time, consider the lessons you can learn from companies that have done it right.

This story, “5 lessons from companies that get computer security right,” was originally published at InfoWorld.com.

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
