Focus on active directories to stay safe
Companies are now investing record sums in cybersecurity provisions, software and services that are supposed to protect their data and technology stacks.
In 2021 alone, global spending on security and risk management reached an all-time high of $150.4 billion, after growing 12.4% in just one year. But it would be a mistake for businesses to think that just because they’re spending more money protecting their businesses from cyberattacks, they can rest easy.
The reality is that companies simply aren't getting what they pay for – and in fact, they keep suffering from the same old breaches.
Common vulnerabilities often boil down to unresolved issues with Active Directory (AD), the database and set of services that administrators use to manage permissions and access to network resources. When looking to strengthen cyber defenses and eliminate vulnerabilities, organizations should start with their Active Directory – because cybercriminals are sure to start there too!
Groundhog Day for Business
As many penetration testers (or pen testers for short) will tell you, companies repeatedly introduce the same vulnerabilities, no matter how advanced a company’s technology stack is.
Microsoft’s Active Directory is a popular choice for organizations to perform critical business functions, but unfortunately also a popular target for hackers looking to gain a foothold in corporate networks, primarily because the attack surface it opens up is so vast. Think of the sheer number of devices and networks a typical business uses, and all the data that could be at risk from a single exploit in their Active Directory, when spotted by a single attacker.
Relying on older hardware can effectively negate much of the expense of security and risk management services, because the older the hardware or system, the more attractive and vulnerable it may seem to hackers. These malicious actors are familiar with the types of exploits offered by older systems and have had plenty of time to perfect how to break in, allowing them to use simple “point and shoot” tactics. This tactic, when executed, can grant them near-instantaneous access to system-level privileges on targeted systems.
It’s every security team’s worst nightmare come true, but another problem with outdated systems is that they often rely on legacy protocols, which are not compatible with modern authentication techniques and encryption capabilities. This means that even if a company has a newly patched domain controller (DC) – the server that responds to authentication requests and verifies users on computer networks – it will still have to rely on outdated, less secure protocols to operate if there are other legacy systems present in the network.
No progress? Here is why
In short, most companies simply aren’t getting the most out of their cybersecurity investments, and the problem is largely rooted in outdated operating systems.
In 2020, Deloitte released a report following a survey, which suggested that companies were spending 10.9% of their IT budget on cybersecurity alone. However, by leaving their technology stacks and operating systems untouched for many years, companies are unwittingly giving hackers a playground to roam.
Pen testers like me are also concerned about the wider implications of the lack of progress in fixing these violations, as we find ourselves running the same tests, using familiar hacking techniques from yesterday. As ethical hackers, we need to think like a cybercriminal; so naturally, when AD vulnerabilities present themselves during a penetration test, they become the primary attack vector we investigate and report on.
Yet companies often fail to learn lessons and the same vulnerabilities recur, resulting in no progress. In the meantime, less time and fewer resources can be allocated to experimentation with penetration testing in order to scratch below the surface and identify new ways for companies to strengthen their cyber defenses.
As a result, the industry is suffocated, focusing on attack methods as seen in the rear-view mirror, which distracts pen testers from spending enough time exploring the attack methods of today and tomorrow, against which companies must also protect themselves.
Unleash the ROI of cybersecurity investments
Reviewing Active Directory and updating hardware and systems doesn’t just reduce the likelihood of a damaging hacking attack in the near future; it also lays the groundwork for a more proactive cybersecurity strategy. But AD is just the tip of the iceberg when it comes to ensuring companies get the most out of the investment they make in security and risk management.
In addition to keeping technology stacks in shape, companies need to ensure that their people and control processes are resilient enough to withstand a breach. In other words, they must ensure that employees are aware of the risks and trained to spot and avoid malicious emails; implement and enforce robust security processes to ensure that all attacks are contained; and learn to understand their network vulnerabilities, fixing them as soon as possible. By focusing on the three pillars of effective cyber defense – people, process and technology – they can ensure that no penny spent on security is wasted.
About the Author
Paul Cragg is an ethical hacker at Norm Cyber. Established in 2015, Norm Cyber is a company whose mission is to rid the world of the complexity of cybersecurity. We know that for most midsize businesses, managing cyber risk is a stressful, costly and time-consuming exercise that keeps them from doing what they do best. That’s why we’ve designed a service that’s easy to deploy, simple to manage, and significantly less expensive than an in-house function. All the assurance of complete visibility and control over your cyber risk, without having to manage it yourself.