I’m trying to wrap my head around how this happens. How does an employee clicking on an email affect the entire company’s networked storage? They should not have the privileges necessary for that to happen. Is this a matter of outdated IT infrastructure? Can this be prevented entirely? Say I have an SFTP connection open. Is there any way a company can prevent files I have rw permissions on from being affected, other than regular backups?
An IT department should just take in money and not be heard from. Because as long as you throw money at minor problems and keep pace with the most recent developments, stuff is good.
I just said that very thing to a client maybe an hour ago. If all goes well, then you won’t even know anything happened.
You may not be able to prevent some intern in marketing from getting phished and bricking their system, but if there’s any way that can lead to an entire department or the whole company getting locked out, then whoever was maintaining things there is going to have some explaining to do.
I’m glad more techs didn’t go rogue, use their internal knowledge, and install malware to take over more oil tankers’ networks / network stores.
Even if they did, blame it on hackers who try to hack the Gibson and spy for China.
I’ve been reading through articles like this for an ethics in IT class and I can’t help but think that, when this happens, the company’s IT dept. was not doing something that could have prevented it. However, I don’t know enough to say with any confidence what that would be. It isn’t clear to me how much is due to lack of funding or not keeping pace with the best practices at the time.
What if an employee with admin access is attacked? Backups will prevent lasting damage, but there will still be an interruption of service. Without getting too far into the technical details, is there a way to prevent such a case? I’ve been reading about MDM and MAM. I like the idea of MAM. If I’m understanding correctly, you could isolate access to a company resource to an application running inside a container.
A single limited-privilege user account on a single machine gets compromised, and this goes unnoticed.
Time passes; during this time the hackers will use every known method to try and gain elevated privileges: local admin is good, a domain account with local admin privileges to other machines is great, domain admin is amazing!
If they are able to get something like mimikatz onto the machine, and force an event that gets a help desk tech with local admin permissions to several machines to log on, they are in business.
This may well take months, and might only go somewhere if patching is behind or a mistake on the part of the help desk team or a sysadmin is made.
Finally, and this is key, if user desktops are in the same subnet as servers, and the ports on the servers are open to domain authenticated desktops a small problem becomes a big problem…
Sometimes the problem isn’t with the desktops or users at all, and the way in is via SQL injection and then exploitation of the database or database server. The number of DBAs who like the convenience of xp_cmdshell, and keep it enabled, never ceases to amaze me.
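One defensive check that the escalation chain above suggests, written here as an added example (not code from anyone in this thread): flag privileged help-desk accounts that log on interactively to many workstations in a short window, since each such logon leaves reusable credentials on that host for tooling of the kind mentioned above to harvest. The logon records, account names, hostnames and the privileged-account list are all constructed or assumed.

```python
"""Flag privileged accounts whose interactive logons fan out across many hosts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows 4624 logon events:
# (timestamp, account, target host, logon type). Not real data.
SAMPLE_LOGONS = [
    ("2017-06-27T08:01:00", "helpdesk-admin", "WS-0412", 10),
    ("2017-06-27T08:15:00", "helpdesk-admin", "WS-0418", 10),
    ("2017-06-27T09:02:00", "helpdesk-admin", "WS-0433", 2),
    ("2017-06-27T09:40:00", "helpdesk-admin", "WS-0450", 10),
    ("2017-06-27T10:05:00", "jsmith", "WS-0412", 2),
    ("2017-06-27T10:10:00", "jsmith", "WS-0412", 2),
    ("2017-06-27T11:00:00", "svc-backup", "SRV-FILE01", 3),  # network logon
    ("2017-06-27T11:30:00", "svc-backup", "SRV-FILE02", 3),  # leaves no cached creds
]

# Assumed list of accounts holding local admin on many machines.
PRIVILEGED = {"helpdesk-admin", "svc-backup"}
# Logon types 2 (Interactive) and 10 (RemoteInteractive) cache credentials
# in LSASS on the target host; type 3 (Network) does not.
CREDENTIAL_EXPOSING_TYPES = {2, 10}


def flag_admin_logon_spread(logons, window=timedelta(hours=24), max_hosts=2):
    """Return {account: sorted hosts} for privileged accounts that made
    credential-exposing logons to more than max_hosts distinct hosts
    within any sliding window of the given length."""
    per_account = defaultdict(list)
    for ts, account, host, logon_type in logons:
        if account in PRIVILEGED and logon_type in CREDENTIAL_EXPOSING_TYPES:
            per_account[account].append((datetime.fromisoformat(ts), host))
    flagged = {}
    for account, events in per_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for account, hosts in flag_admin_logon_spread(SAMPLE_LOGONS).items():
        print(f"{account}: interactive logons to {len(hosts)} hosts: {hosts}")
```

Tuning max_hosts to the number of desktops a help-desk role legitimately touches per day keeps the alert meaningful; the same check also surfaces a domain admin account being used for routine desktop work.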
That’s just how computer viruses (or “worms”) work… One person gives it a foothold (via an e-mail). It propagates itself to everything (network share, e-mail contact, or similar) they have access to. Everybody else they share data with gets infected. Some of those people will have more (or at least different) access so the virus can now spread itself to even more locations, infecting even more systems. And on and on it goes, unnoticed, until it does something overt like cutting off access to files.
It’s impossible to completely prevent this kind of viral spread, and even reducing the risk or impact requires a LOT of time and effort from a well-funded and properly staffed IT Department. Companies very often see their IT Departments as a big expense with minimal value, until something big like this goes horribly wrong.
There are some ways such malicious activity can be identified sooner, some ways to minimize everyone’s access, but it’s all a lot of thankless, endless Sisyphean tasks for your IT Department. “Offline” copies of regular backups of every system are a very good fallback option to have.
Over the years I’ve been involved in the recovery of databases at firms hit by malware a few times. The biggest one was when NotPetya hit Maersk in 2017:
…and a blog written by an ex-employee I worked with:
The last one is probably of most interest to the OP. As to saying this could have been prevented entirely - I doubt it, but at Maersk the blast radius really should have been the Ukrainian offices and not the whole global network.
This could have been achieved via better network segmentation and access/permission controls and management. Ultimately it was mostly stuff that had been proposed prior to 2017 but never done, or not completed due to costs and other projects being granted higher priority.
One point to note - at Maersk only the desktop and Windows Server systems were affected, anything running on Unix, GNU/Linux or Azure PaaS stayed up. Unfortunately the identity management was all Microsoft, so even though several key systems were online no one had a desktop left able to get to them, or an AD server to authenticate against. Make of that what you will…