"A chain is only as strong as its weakest link."
- Thomas Reid, "Essays on the Intellectual Powers of Man", 1786
The SolarWinds Orion hack has been in the news for months now. It is now alleged that an "intern" put a very weak, easily crackable password on a critical system and then copied that password to their private share for easy access. The full implications of this may never be truly known. While it is pure conjecture on my part, I wonder whether the worldwide Exchange meltdown (250,000 organizations, as reported by the Wall Street Journal) is part two of that attack, since Microsoft was hacked and Exchange source code was exposed.
I have spoken of the issue of zombie servers and workstations for many years: out-of-date, unpatched, unsupported workstations and servers that suddenly reappear on your network because of improper retirement, "I just need to check one thing", or "one machine won't matter". We get busy, they get left on, and they provide an ideal attack platform against your network.
But dead logon IDs do as well. Twenty-five years ago, a high school in Westchester had some inappropriate activity going on. We were diligently trying to find the source and kill it. One afternoon I was there looking, and I tracked it down to a single user ID that was signed on at that very moment. I asked the school to look in their SIS system and figure out where this kid was right now. I was told that the student had left the district six months earlier and permanently moved to Hong Kong! A zombie ID being used by others to hide their activities.
Twenty-five years later, the song remains the same. Here is what you need to do:
Review your critical on-line systems for who has access, what they have access to, and whether they still need that access. Add a multi-factor authentication requirement to all IDs.
Review your Microsoft Office 365, Google Apps, and Microsoft Active Directory IDs for the exact same items. Add MFA to all authority IDs at a minimum, and to all on-line IDs at a minimum. Eliminate all dead/dormant user IDs. Eliminate all dead computer IDs. Audit your group memberships, especially the groups that grant rights, starting with the "Administrator-type" groups, and make sure no one unexpected has shown up in those lists.
Have an "off-boarding" process for when techs and users with authorized access to resources leave the district, and follow that process every time.
Put at least a quarterly review of these items on your calendar so it becomes a routine process.
Implement an auditing system to help track and bring greater clarity to the events going on in your network.
Implement a password-protected screen saver so that even if people forget and leave workstations signed on with IDs that can alter systems, the system will automatically lock the workstation. (My ex-NSA friends keep telling me that this one simple step has proven to shut down so many "drive-by" hacks: the bad guys did get through the defenses, but "it was too much like work" to hack the screen saver lockout, so the hacker drops off in search of other targets. Sadly, it was reported that during the January 6th Capitol breach the Congressional computers did not have password-protected screen saver timeouts, and confidential data access was available to the rioters.)
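The screen saver lock in the last item is a registry setting that Group Policy can enforce, and it is worth checking as well as setting, because a user's own setting is overridden by the policy key. The PowerShell below is an added example, not a script from this post or from CSI; it assumes the standard Windows registry locations for these policies, an elevated session on the workstation being checked, and a 10-minute (600-second) maximum timeout, which is my assumption and should be replaced by your district's standard.

```powershell
# Added example (not from the post or CSI): check, and optionally set, a
# password-protected screen saver lock on a Windows workstation.
# Assumptions: elevated PowerShell on the workstation; 600 s maximum timeout.
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'   # Group Policy values win
$UserKey    = 'HKCU:\Control Panel\Desktop'                                      # the user's own settings
$MachineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'  # machine inactivity limit

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of throwing when the key or value is absent
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-EffectiveDesktopValue([string]$Name) {
    # The policy key overrides the user key, so read policy first and fall back
    $value = Get-RegValue $PolicyKey $Name
    if ($null -eq $value) { $value = Get-RegValue $UserKey $Name }
    return $value
}

function Test-ScreenLockPolicy {
    param([int]$MaxTimeoutSeconds = 600)   # assumption: your policy maximum

    $active   = Get-EffectiveDesktopValue 'ScreenSaveActive'      # REG_SZ "1" when enabled
    $secure   = Get-EffectiveDesktopValue 'ScreenSaverIsSecure'   # REG_SZ "1" = password required on resume
    $timeout  = Get-EffectiveDesktopValue 'ScreenSaveTimeOut'     # REG_SZ seconds
    $inactive = Get-RegValue $MachineKey 'InactivityTimeoutSecs'  # DWORD; "Interactive logon: Machine inactivity limit"

    $timeoutOk  = ($timeout -as [int]) -gt 0 -and ($timeout -as [int]) -le $MaxTimeoutSeconds
    $saverLocks = ($active -eq '1') -and ($secure -eq '1') -and $timeoutOk
    # The machine inactivity limit locks the session regardless of screen saver settings,
    # so either mechanism satisfies the requirement
    $machineLocks = ($inactive -as [int]) -gt 0 -and ($inactive -as [int]) -le $MaxTimeoutSeconds

    [pscustomobject]@{
        ScreenSaveActive      = $active
        ScreenSaverIsSecure   = $secure
        ScreenSaveTimeOut     = $timeout
        InactivityTimeoutSecs = $inactive
        Compliant             = [bool]($saverLocks -or $machineLocks)
    }
}

function Set-ScreenLockPolicy {
    param([int]$TimeoutSeconds = 600)   # assumption: your district's timeout
    # Writes the same values the GPO "Enable screen saver", "Password protect the
    # screen saver", "Screen saver timeout" and "Force specific screen saver" set.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds" -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr" -Type String
    Test-ScreenLockPolicy -MaxTimeoutSeconds $TimeoutSeconds
}

# Usage: Test-ScreenLockPolicy | Format-List
#        Set-ScreenLockPolicy -TimeoutSeconds 600
```

Running Test-ScreenLockPolicy across a sample of workstations is a quick way to find the machines the GPO never reached; setting the values locally is fine for a one-off fix, but in a district the enforcement belongs in the domain policy so a user cannot switch it back off.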
Microsoft and the FBI say that up to 99% of compromises can be shut down just by MFA.
There are also some excellent tools in the Microsoft world to bring focus to the dead and dormant user and computer accounts.
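The Active Directory parts of the checklist above (dormant user IDs, dead computer IDs, and the audit of administrator-type groups) and the Microsoft tools just mentioned can be combined into one quarterly review script. The PowerShell below is an added example, not a CSI script and not Microsoft's own tooling; it uses the RSAT ActiveDirectory module cmdlets and assumes a 90-day inactivity threshold, a baseline CSV path of my choosing, and a list of privileged groups that you should extend with your own delegated groups.

```powershell
# Added example (not a CSI script): quarterly dormant-account and privileged-group
# review for Active Directory. Assumptions: RSAT ActiveDirectory module installed,
# 90-day inactivity threshold, and a baseline CSV path you choose.
Import-Module ActiveDirectory

function Invoke-DormantAccountReview {
    param(
        [int]$InactiveDays = 90,                                                # assumption
        [string]$BaselinePath = 'C:\SecurityReviews\privileged-baseline.csv',  # assumption
        [switch]$DisableDormantUsers                                            # report only unless set
    )
    # lastLogonTimestamp replicates lazily (up to 14 days behind), so a threshold
    # close to 14 days would flag people who logged on last week.
    if ($InactiveDays -lt 30) { throw 'Use an inactivity threshold of at least 30 days.' }
    $span = New-TimeSpan -Days $InactiveDays

    # 1. Dormant user IDs that are still enabled (never-used accounts show a blank LastLogonDate)
    $dormantUsers = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName

    # 2. Dead computer IDs that are still enabled
    $dormantComputers = Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly |
        Where-Object { $_.Enabled } |
        Select-Object Name, LastLogonDate, DistinguishedName

    # 3. Everyone, nested members included, in the administrator-type groups
    $privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                        'Administrators', 'Account Operators', 'Backup Operators'
    $privilegedMembers = @(foreach ($group in $privilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Group = $group; Member = $_.SamAccountName; Class = $_.objectClass } }
    })

    # 4. "Make sure no one has shown up": diff against the previous quarter's saved list
    $baseline = if (Test-Path $BaselinePath) { @(Import-Csv $BaselinePath) } else { @() }
    $newlyPrivileged = @()
    if ($baseline.Count -gt 0 -and $privilegedMembers.Count -gt 0) {
        $newlyPrivileged = Compare-Object -ReferenceObject $baseline -DifferenceObject $privilegedMembers -Property Group, Member |
            Where-Object { $_.SideIndicator -eq '=>' } |
            Select-Object Group, Member
    }
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $privilegedMembers | Export-Csv -Path $BaselinePath -NoTypeInformation   # next quarter's baseline

    # 5. Cleanup: disable rather than delete, and confirm each one, so a mistake is reversible
    if ($DisableDormantUsers) {
        $dormantUsers | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -Confirm }
    }

    [pscustomobject]@{
        DormantUsers      = $dormantUsers
        DormantComputers  = $dormantComputers
        PrivilegedMembers = $privilegedMembers
        NewlyPrivileged   = $newlyPrivileged
    }
}

# Usage: $review = Invoke-DormantAccountReview
#        $review.NewlyPrivileged | Format-Table
#        $review.DormantUsers    | Export-Csv C:\SecurityReviews\dormant-users.csv -NoTypeInformation
```

Run it report-only the first time and keep the exported baseline with your quarterly review notes; the NewlyPrivileged list is the one to read first, since an account that appeared in Domain Admins since last quarter is exactly the kind of zombie ID described above. Office 365 and Google Apps need the same review through their own admin tools, and the dormant accounts found there should be disabled before they are deleted for the same reason.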
There is a lot to digest and implement in what I have written today. CSI is available to assist you. If you need help sorting this out, give us a call.