roger_grimes
Columnist

The one company that wasn’t hacked

Analysis
May 29, 2012
Data and Information Security, Hacking, IT Leadership

How did this solitary firm do it? Not with fancy technology -- but with commonsense controls anyone can enforce

I’ve said it before: Every Fortune 500 company is compromised by APTs (advanced persistent threats). In fact, you’d be hard-pressed to find a single computer security expert who would argue differently.

But the experts, including me, could well be wrong. I recently encountered one company that’s a classic exception to the rule.


How did this organization do it? It has no admins in the conventional sense — nada. Zero. Null set.

By this, I mean the company has no default members in any elevated group: no enterprise admins, domain admins, schema admins, power users, or administrators. All “administrators” are delegated specific rights and permissions to the Active Directory objects they need to access and only for what they need to do. It’s least privilege in action!

In the rare instance someone needs to belong to an elevated group, that person must fill out a change control form days ahead of time and get approval — at which point he or she is added for a specific period in order to perform a specific task. All relevant IT employees are notified.

I’ve talked about reducing admins to the bare minimum many times in the past, but what impressed me even more is, in this company’s case, all the delegation is accomplished using built-in Active Directory tools. Most other companies I know doing heavy delegation use third-party vendor tools, like Quest ActiveRoles Server. But the company in question has been using built-in Windows delegation tools exclusively.

They create groups for each task — from changing passwords to managing servers — according to region or organizational unit (for example, GGrp_PrintAdmins_Austin or UGrp_PasswordChanges_EMEA). Then they assign the correct users to each group/task to allow them to perform their jobs. But no one is added as a permanent member to any elevated group. The groups are empty most of the time.

How do these constraints — strong delegation, with no one in an elevated group — lead me to believe that this big company probably isn’t infected by an APT?

For one thing, there’s no sign of APT. The company is an active honeypot deployer, and none of those honeypots have turned up anything unusual. Second, network and event log managers are in place and used aggressively. Most companies do a very poor job in this area, but this one takes the task seriously. These active monitors haven’t flagged unauthorized activity that might indicate outside attackers have penetrated the network or transmitted data externally. When employees do something they shouldn’t, a call from security often comes promptly.

The lack of evidence of APT infection makes sense. In every case I’ve seen, APT compromises someone’s computer, uses that acquired access to escalate itself to an administrator of some type, adds its account to the Domain Admins group of the Active Directory forest, then dumps the domain controller’s password hashes. It happens every time. No matter how else hackers get in, they always grab the password hashes. In this case, the company monitors the empty Domain Admins group, so if anyone adds himself or herself to it, nearly a dozen people get an immediate notification email, which is then investigated.

I’ve seen this setup before, but to test the company, I added myself to the Domain Admins group. Sure enough, cellphones and pagers all around me started ringing. I asked if each alert is explored; immediately all employees around me said yes. They didn’t hesitate, disagree, or laugh. That means something.
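As an added illustration of the two controls described above (the empty elevated groups and the alert when someone is added to one), here is a PowerShell check that is not the company’s tooling or anything from the column. It assumes the RSAT ActiveDirectory module, an account delegated read access to the domain controllers’ Security logs, and placeholder mail addresses; it audits the built-in elevated groups for standing members, then scans for member-added security events against those groups.

```powershell
# Added example (not from the column): audit the built-in elevated groups for
# stray members and alert on "member added" security events against them.
# Assumes the ActiveDirectory RSAT module, read access to each DC's Security log,
# and placeholder mail addresses (example.com) to be replaced locally.
Import-Module ActiveDirectory

$ElevatedGroups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators'
$Recipients     = 'secops-oncall@example.com'        # placeholder recipient
$DCs            = (Get-ADDomainController -Filter *).HostName

# 1. Standing-membership audit: every elevated group should be empty.
$Violations = foreach ($g in $ElevatedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName } }
}

# 2. Change detection: 4728/4756 = member added to a global/universal group,
#    4732 = member added to a domain-local group (covers 'Administrators').
#    Group changes are logged on whichever DC processed them, so query all DCs.
$Since  = (Get-Date).AddMinutes(-15)
$Events = foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since
    } -ErrorAction SilentlyContinue
}

$Alerts = foreach ($e in $Events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $grp  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
    if ($grp -in $ElevatedGroups) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            DC     = $e.MachineName
            Group  = $grp
            Member = ($data | Where-Object Name -eq 'MemberName').'#text'
            Actor  = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
    }
}

# Anything found is a deviation from "elevated groups stay empty": notify and investigate.
if ($Violations -or $Alerts) {
    $body = ($Violations | Format-Table | Out-String) + ($Alerts | Format-Table | Out-String)
    Send-MailMessage -To $Recipients -From 'ad-watch@example.com' `
        -Subject 'Elevated group membership activity' -Body $body -SmtpServer 'smtp.example.com'
}
```

Scheduled every few minutes, the script reproduces the column’s behaviour: a standing member in any elevated group, or an addition to one, produces a notification that someone has to close out.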

Now I can say I know at least one Fortune 500 company that has probably gone unexploited. I wish I could share the name, but that would make it an extra-special target for hackers. But now that I’ve highlighted its successful zero-admin approach, you can join the secret club.

This story, “The one company that wasn’t hacked,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
