Awareness is the first and most essential ingredient in any successful risk mitigation strategy. StealthAUDIT v8.1 has been enhanced to extend your awareness into high risk conditions that can easily sneak up on you in three key ways:
- SQL Database Security – Discover, assess access, and monitor activity within SQL databases, scouring each for sensitive data that attackers are likely to target
- Weak Password Identification – Identify Active Directory user accounts leveraging passwords contained in publically available dictionaries and organizationally-defined unapproved password lists
- Expanded Threat Reporting for Active Directory and Windows – Identify conditions and vulnerabilities across Windows desktops and Servers, as well as Active Directory objects and permissions, that attackers exploit to compromise systems and credentials, achieve persistence, and circumvent security controls
SQL Database Security
Data privacy and security is quickly evolving to be on equal footing with traditional security measures focused on the network, hardware, or software the data is contained within. Organizations aligning to concepts like Data-Centric Audit and Protection (DCAP) as defined by Gartner, or the requirements of strict compliance regulations like EU GDPR, are looking to implement processes that help them understand where sensitive data is stored, who has access to the data, and what are users doing with their access privileges across unstructured and structured data sources.
As part of STEALTHbits’ comprehensive Data Access Governance suite for unstructured (and now structured) data, the introduction of SQL support enables organizations to automate the process of understanding where SQL databases exist, who has access to them, how they obtained access, who or what is leveraging their access privileges, where sensitive information resides, and how each database has been configured.
Why Is This Important?
With visibility into every corner of Microsoft SQL Server and the Windows Operating System it relies upon, organizations can proactively highlight and prioritize risks to sensitive data. Additionally, organizations can automate manual, time-consuming, and expensive processes associated with compliance, security, and operations to easily adhere to best practices that keep SQL Server safe and operational.
Weak Password Identification
Password strength is an important component of any organization’s overall information security strategy. Weak and default passwords make it exponentially easier for attackers to compromise accounts of all types, however, there are only a limited set of controls provided within Active Directory to prevent users from creating and leveraging weak passwords, even if they do meet strong complexity requirements.
StealthAUDIT for Active Directory’s new AD Weak Passwords audit utilizes a provided dictionary of known vulnerable or weak passwords (modifiable by the user) to check for weak passwords being used by AD user accounts. The contents of the dictionary is hashed and compared to the password hashes stored in Active Directory for user accounts. If a match is found, the user account with a weak password will be returned, however, no information around the matched password is stored.
Preconfigured reporting provides user counts of:
- Weak Passwords
- Default Computer Passwords
- Empty Passwords
- Weak Historical Passwords
- Shared Passwords
Why Is This Important?
With the ability to identify users leveraging passwords contained in publically available password dictionaries and organizationally-defined unapproved password lists, security personnel can proactively identify users most susceptible to successful brute force or password guessing attacks. Leveraging strong passwords across all accounts effectively mitigates the risk of security breach for the organization as a whole.
Expanded Threat Reporting for Active Directory and Windows
Microsoft and others have documented hundreds of ways in which attackers can exploit various conditions, misconfigurations, and the nature by which certain functions operate within Active Directory and Windows to compromise credentials, obtain unauthorized access to network resources, and achieve persistence within the environment. However, many organizations are unaware of these exploits and whether or not they exist in their environments, exposing them to unnecessary risks that could otherwise be a non-factor or even be a significant boon in their overall security stature.
StealthAUDIT v8.1 provides six (6) additional threat reports aligning to Windows and Active Directory exploits:
- Local Account Authentication Policies
- The information provided helps to create a listing of systems vulnerable to Pass-the-Hash attacks using Local Accounts.
- Act as Part of Operating System
- The information provided helps to create a listing of systems that may be compromised because a user or users have been assigned the right to “Act as Part of Operating System”.
- Fine-Grained Password Policies
- The information provided helps to determine if an attacker or other bad actor is leveraging fine-grained password policies to compromise account credentials.
- Domain-level Replication Permissions
- The information provided helps to determine if an attacker or other bad actor is exploiting a vulnerability that allows them to steal passwords, compromise accounts, and achieve persistence within Active Directory.
- SID History Filtering
- The information provided helps to determine if there are any risks to be concerned about with regards to SID History tampering.
- AdminSDHolder Permissions
- The information provided helps to determine if Active Directory has been compromised and persistence achieved through the use of the AdminSDHolder container.
Why Is This Important?
StealthAUDIT’s catalog of threat reports provide organizations with a method to easily highlight the scenarios and situations they need to prioritize to safeguard their systems and accounts from compromise. As it’s difficult for any organization to keep themselves abreast of and protected from all the different vectors of attack bad actors are leveraging, STEALTHbits’ preconfigured solution eliminates the time needed to research these common threats, along with how to mitigate them via homegrown or 3rd party solutions.
These capabilities are only a few of the many enhancements included in StealthAUDIT v8.1. For more information, click here.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Adam Laub is the Senior Vice President of Product Management at STEALTHbits Technologies. He is responsible for setting product strategy, defining future roadmap, driving strategic sales engagements, supporting demand generation activities, enabling the sales organization and all aspects of product evangelism.
Since joining STEALTHbits in 2005, Adam has held multiple positions within the organization, including Sales, Marketing, and Operational Management roles.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.