Three Steps to Reduce Your Attack Surface
As more and more malicious actors roam the wild trying to gain access to any system they can, it is important that banks review and reduce their “attack surface.” An attack surface is simply the number of possible ways a malicious actor can get into a device or network and extract data. This is especially important for small to medium-sized businesses.
The Group Policy and Active Directory configuration of an environment can be essential in reducing the attack surface of a system and providing defense in depth. They should not only be monitored for unauthorized changes, but also reviewed often to ensure they are appropriate and line up with security best practices. This can be done in a three-step process.
1. Clean Up
The first step involves performing a clean-up. The important items to address during this step are:
- Remove any outdated Group Policy Objects (GPOs), users, and user groups that have been migrated from older systems.
- Remove any GPOs or users that may be tied to old software that is no longer in use.
- Ensure there are no conflicting GPOs.
- Review where each GPO is being applied. Best practice is to link the GPO as close to the intended systems as possible. For example, if a GPO is meant for workstations, link it to a group that contains only workstations instead of domain-wide; this reduces your attack surface by not applying settings to servers that shouldn’t be there.
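The inventory below is an added example, not a script from the original article or from IDS. It lists the clean-up candidates the four bullets describe: GPOs with no links, GPOs nobody has touched in a long time, GPOs linked at the domain root (and therefore hitting servers and workstations alike), inactive or disabled user accounts, and empty security groups. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined admin workstation; the day thresholds are assumptions to adjust for your environment.

```powershell
# Added example (not from the original article): list clean-up candidates in AD and GPO.
# Requires the RSAT GroupPolicy and ActiveDirectory PowerShell modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$staleGpoDays     = 365   # assumed: a GPO untouched this long deserves a review
$inactiveAcctDays = 90    # assumed: no logon in this window marks an account as stale
$domainDN         = (Get-ADDomain).DistinguishedName

Write-Host "== GPOs with no links anywhere (leftovers from migrations or retired software) =="
$allGpos  = Get-GPO -All
$unlinked = foreach ($gpo in $allGpos) {
    # The XML report lists every site, domain and OU the GPO is linked to under LinksTo;
    # no LinksTo element means the GPO exists but is applied nowhere.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if (-not $report.GPO.LinksTo) { $gpo }
}
$unlinked | Select-Object DisplayName, ModificationTime | Format-Table -AutoSize

Write-Host "== GPOs not modified in $staleGpoDays days =="
$allGpos | Where-Object { $_.ModificationTime -lt (Get-Date).AddDays(-$staleGpoDays) } |
    Select-Object DisplayName, ModificationTime | Format-Table -AutoSize

Write-Host "== GPOs linked at the domain root (applied to every computer, servers included) =="
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order | Format-Table -AutoSize

Write-Host "== User accounts with no logon in $inactiveAcctDays days =="
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($inactiveAcctDays)) -UsersOnly |
    Select-Object SamAccountName, LastLogonDate, Enabled | Format-Table -AutoSize

Write-Host "== User accounts already disabled (candidates for removal) =="
Search-ADAccount -AccountDisabled -UsersOnly |
    Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

Write-Host "== Security groups with no members (often left behind by old applications) =="
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Members, WhenCreated |
    Where-Object { $_.Members.Count -eq 0 } |
    Select-Object Name, GroupScope, WhenCreated | Format-Table -AutoSize
```

Conflicting GPOs are not caught by an inventory like this one; two GPOs linked to the same OU can set the same value differently, and the one that wins is decided by link order and enforcement. For that, generate a resultant set of policy for a representative workstation and a representative server (Get-GPResultantSetOfPolicy, or gpresult /h on the machine) and compare the "Winning GPO" column against what you expect.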
2. Harden Access
The second step is to use Active Directory and GPOs to harden access and control to sensitive systems.
- Ensure all GPOs follow security best practices. If a GPO is needed that does not fall in line with best practices, ensure that you are aware of the risk and, when possible, find another way to mitigate. Hardening traffic on the firewall is a great way to do this.
- Limit the use of shared accounts or have a way to audit who is accessing the account and when they are using it.
- Limit the use of Domain Admin accounts. If a Domain Admin account is needed in order to perform a function, have a separate non-Domain Admin account that can be used when Domain Admin rights are not needed.
- Ensure all Active Directory accounts only have access to what they need to in order to perform their job function.
- Ensure that all passwords follow best practices. Eight-character passwords with complexity are no longer considered secure. Our Insite Data Services (IDS) security team recommends a passphrase with a minimum of 15 characters. These are easier for users to remember and force Windows to store the password more securely than a shorter password.
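The audit below is an added example, not a script from the original article or from IDS. It covers the Domain Admin and password bullets above: it lists every user holding privileged rights (nested membership included), flags privileged accounts that look like someone's everyday account, checks whether each dedicated admin account has a matching non-admin account, and compares the domain password policy against the 15-character minimum. It assumes the ActiveDirectory module, an "adm-" naming convention for admin accounts, and a $applyPolicy switch that is off by default; the PSO name and precedence are assumptions.

```powershell
# Added example (not from the original article): audit privileged access and password policy.
Import-Module ActiveDirectory

$minLength        = 15   # the article's recommended passphrase minimum
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$applyPolicy      = $false   # assumption: flip to $true only after reviewing the output

# 1. Every user with privileged rights, nested group membership included.
$holders = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires
            [pscustomobject]@{
                Group                = $group
                Account              = $u.SamAccountName
                Enabled              = $u.Enabled
                LastLogonDate        = $u.LastLogonDate
                PasswordLastSet      = $u.PasswordLastSet
                PasswordNeverExpires = $u.PasswordNeverExpires
                # Assumption: dedicated admin accounts carry an "adm-" prefix. A privileged
                # account without it is probably also used for email and web browsing.
                DailyUseSuspected    = ($u.SamAccountName -notmatch '^adm-')
            }
        }
}
$holders | Sort-Object Group, Account | Format-Table -AutoSize

# 2. Does each dedicated admin account have a separate everyday account behind it?
foreach ($h in ($holders | Where-Object { -not $_.DailyUseSuspected })) {
    $plain = $h.Account -replace '^adm-', ''
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$plain'")) {
        Write-Warning "$($h.Account) has no matching everyday account '$plain'; admin rights may be used for routine work."
    }
}

# 3. Password policy: the default domain policy plus any fine-grained policies (PSOs)
#    that override it for specific users or global groups.
$default = Get-ADDefaultDomainPasswordPolicy
if ($default.MinPasswordLength -lt $minLength) {
    Write-Warning "Default domain policy allows $($default.MinPasswordLength)-character passwords (recommended minimum: $minLength)."
}
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo | Format-Table -AutoSize

# 4. Enforce the minimum for the privileged groups first, with a PSO, instead of
#    changing the whole domain at once. PSOs apply to users and global security groups
#    only, so the built-in (domain local) Administrators group is left out.
if ($applyPolicy) {
    $pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
        -MinPasswordLength $minLength -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' -PassThru
    $subjects = $privilegedGroups | Where-Object { $_ -ne 'Administrators' }
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $subjects
}
```

Run it read-only first; the membership table is the record to compare against your change tickets, and any account in it with PasswordNeverExpires set, or with no logon in months, is a standing privilege nobody is using and a good candidate for the clean-up step.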
3. Monitor Changes
The final step is to monitor changes to Group Policies and Active Directory privileged groups. If you are an IDS customer, this is done automatically by the IDS security team for the hosted environment. If you are not, it is important to ensure you are aware of changes made to Group Policies and Active Directory. If changes occur that circumvent the controls you have implemented in the above steps, they should be investigated fully to understand why each change was made, and who or what made the change.
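The collector below is an added example, not a script from the original article or from IDS, showing what the monitoring step looks like when done by hand: it pulls the last 24 hours of privileged-group membership changes and Group Policy object changes from every domain controller's Security log and reports who made each change. It assumes the ActiveDirectory and GroupPolicy modules, remote event-log access to each DC, and that the advanced audit subcategories "Security Group Management" and "Directory Service Changes" are enabled (with a SACL on the Policies container for the GPO events); without them these event IDs are never written. The 24-hour window and the privileged group list are assumptions.

```powershell
# Added example (not from the original article): report privileged-group and GPO changes
# from the Security log of every domain controller.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$since            = (Get-Date).AddHours(-24)   # assumption: one day per run
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
# Each DC logs only the changes it processed itself, so every DC must be queried.
$dcs = (Get-ADDomainController -Filter *).HostName

# Flatten the EventData section of an event into a name -> value hashtable.
function Get-EventFields([System.Diagnostics.Eventing.Reader.EventRecord] $Event) {
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($n in $xml.Event.EventData.Data) { $fields[$n.Name] = $n.'#text' }
    $fields
}

$added   = 4728, 4732, 4756   # member added to a global / local / universal security group
$removed = 4729, 4733, 4757   # member removed from one
$gpoIds  = 5136, 5137, 5141   # directory object modified / created / deleted

$findings = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = ($added + $removed + $gpoIds); StartTime = $since
    }
    foreach ($e in $events) {
        $f = Get-EventFields $e
        if ($e.Id -in ($added + $removed)) {
            # Group-management events carry the group name in TargetUserName.
            if ($privilegedGroups -contains $f.TargetUserName) {
                $action = if ($e.Id -in $added) { 'Added' } else { 'Removed' }
                [pscustomobject]@{
                    Time = $e.TimeCreated; DC = $dc; Type = 'PrivilegedGroup'; Action = $action
                    Object = $f.TargetUserName; Detail = $f.MemberName; ChangedBy = $f.SubjectUserName
                }
            }
        }
        elseif ($f.ObjectClass -eq 'groupPolicyContainer') {
            # The object DN carries the GPO GUID; translate it to the display name where it
            # still exists (a deleted GPO is reported by GUID only).
            $guid = [regex]::Match($f.ObjectDN, '\{[0-9A-Fa-f-]+\}').Value
            $gpo  = $null
            if ($guid) { $gpo = Get-GPO -Guid $guid -ErrorAction SilentlyContinue }
            $action = switch ($e.Id) { 5137 { 'Created' } 5141 { 'Deleted' } default { 'Modified' } }
            $name   = if ($gpo) { $gpo.DisplayName } else { $guid }
            [pscustomobject]@{
                Time = $e.TimeCreated; DC = $dc; Type = 'GroupPolicy'; Action = $action
                Object = $name; Detail = $f.AttributeLDAPDisplayName; ChangedBy = $f.SubjectUserName
            }
        }
    }
}
$findings | Sort-Object Time | Format-Table -AutoSize
```

Check the audit prerequisites on a DC with auditpol /get /subcategory:"Security Group Management" and auditpol /get /subcategory:"Directory Service Changes" before trusting an empty report. In practice you would schedule this (or the equivalent SIEM rule) and compare every row against an approved change; a row with no matching ticket, or a ChangedBy that is not one of the dedicated admin accounts from the hardening step, is the "unusual activity at a window" the analogy below describes.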
Think of your virtual environment as your house. Cleaning up the GPOs and Active Directory is like ensuring all the locks on your house still work. You want to make sure that all the windows have locks on them and none of them are left wide open for a burglar to come through. This is akin to the Hardening step. If unusual activity happens at a window or a door, you want to ensure that information is getting to your security team so they can take appropriate action. This is the monitoring step. Altogether, these steps make it harder to get into your house and, if someone does, set off an alert so it can be fully investigated.
About Insite Data Services
IDS data application hosting services combine secure and cost-effective core banking applications, enterprise-class servers and storage, and proven virtualization technology. IDS hosts all of the bank’s servers in secure data centers that use state-of-the-art security systems including identity verification and biometric scanning. Insite Data Services also offers IDS On-Time, a full-service solution dedicated to back-office bank processing. These operations experts allow partnered banks to focus on their most important asset, their customers. For more information visit www.insitedataservices.com.