Category: Advisory

Is the local administrator’s password reused in your environment?

The Windows operating system by default includes a built-in administrator account for management purposes, and in many environments its password is the same on multiple systems.

Why password reuse is common

The password for the local administrator account is regularly reused and is therefore the same on multiple systems within the organization. This may be because, for example, one image is used for all servers and one image is used for all workstations. In this image the local administrator account is set and the password is then never changed. Or the organization uses a script to set a default password on each system.

If an attacker has administrator rights on one of these machines and manages to recover the password or its hash, he can reuse it to gain access to multiple, or sometimes all, systems within the domain.

Test environment overview

In our test domain playground.local, the same local administrator password was used on all systems within the domain. The hashed form of the password (the NTLM hash) can be retrieved by reading the local SAM database on one of these systems.
A hash is the output of a hash function that converts a string into a fixed-length string of letters and numbers. This lets an application verify that the user entered the correct password without storing the plaintext password. The NTLM hash is not salted, so the same password produces the same hash on every system that uses it.

It is possible to use this hash for a pass the hash attack, in which the attacker authenticates with the NTLM hash instead of the plaintext password. To demonstrate this attack we set up a lab environment consisting of one Windows client and two Windows servers: a web server and a domain controller. The lab looks like the following:

Executing the attack

We demonstrate this attack within our lab using an account that has local administrator privileges on a workstation. With these privileges an attacker can dump the password hashes of (local) users using Invoke-Mimikatz with the following command: Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "lsadump::sam"'

The hash (48e723f6efb3eff9ae669e239c42fff3) of the local administrator account can be used by the attacker to perform a pass the hash attack attempting to authenticate as the local administrator on any machine within the domain. An attacker can do this, for example, using the NetExec tool.

The orange letters in the image above indicate that we have local administrator rights on two systems. This means that we have full control of all systems except the domain controllers. By default, it is not possible to authenticate as the local administrator on the domain controller, unless AD restore mode is enabled. 
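As an added example (not part of the original advisory), the following PowerShell function shows the trace this kind of logon leaves on the target host: a Security event 4624 with logon type 3 (network), NTLM authentication and a target SID ending in -500 whose domain field is a computer name rather than the AD domain. The event below is constructed; the hostnames, SID and addresses are made up.

```powershell
# Added example for this advisory (not the authors' code): flag NTLM network logons that use a
# host's built-in local Administrator account, the pattern a pass the hash with a reused image
# password produces in the Security log.
function Test-LocalAdminNtlmLogon {
    param(
        [Parameter(Mandatory)][string]$EventXml,      # output of EventLogRecord.ToXml()
        [Parameter(Mandatory)][string]$DomainNetbios  # e.g. PLAYGROUND for playground.local
    )
    $x = [xml]$EventXml
    $id = $x.Event.System.EventID
    if ($id.'#text') { $id = $id.'#text' }   # EventID may carry a Qualifiers attribute
    if ([int]$id -ne 4624) { return $null }
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    # A local account logs on with the computer name, not the domain, in TargetDomainName.
    $isLocalAccount = $d['TargetDomainName'] -ne $DomainNetbios
    $isBuiltinAdmin = $d['TargetUserSid'] -like 'S-1-5-21-*-500'   # RID 500 = Administrator
    if ($d['LogonType'] -eq '3' -and $d['AuthenticationPackageName'] -eq 'NTLM' -and
        $isLocalAccount -and $isBuiltinAdmin) {
        [pscustomobject]@{
            Target      = $x.Event.System.Computer
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Source      = $d['IpAddress']
            Workstation = $d['WorkstationName']
        }
    }
}

# Constructed 4624 event (made-up hostnames, SID and addresses) in the shape ToXml() returns.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>srv-web01.playground.local</Computer></System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">SRV-WEB01</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">WS01</Data>
    <Data Name="IpAddress">10.0.0.50</Data>
  </EventData>
</Event>
'@
Test-LocalAdminNtlmLogon -EventXml $sample -DomainNetbios 'PLAYGROUND'

# On a live host or a log collector, feed real events instead:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
#     ForEach-Object { Test-LocalAdminNtlmLogon -EventXml $_.ToXml() -DomainNetbios 'PLAYGROUND' }
```

The same source address producing such hits on many hosts in a short window is the signal that the local administrator password is being reused across the estate.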

Local Administrator Password Solution

Local Administrator Password Solution (LAPS) is a tool used to manage local administrator passwords. LAPS generates a unique password for each local administrator. This password is then by default rotated every thirty days. Next, the password is stored in the Ms-Mcs-AdmPwd attribute. 

Access to the password is granted through the Control access right on the attribute. Control access is an Extended Right in Active Directory, meaning that a user who holds the All Extended Rights permission on that attribute, or on an object above it, can read the password. An example is shown below:

Storing the password unencrypted is acceptable because the attribute that holds it can only be read with special permissions. An attacker who holds an account with access to the domain controller, or a user account with those permissions, already has far more rights than a local administrator account.

Retrieving LAPS passwords

When the password is requested over the network, the LAPS GUI and the PowerShell cmdlet send it encrypted. The LAPS GUI looks as follows when an authorized user requests the password:

It is also possible to retrieve the password using PowerShell with the following command:

Get-AdmPwdPassword -ComputerName 'computernaam'
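The two checks a defender wants after reading the LAPS section are whether every host in an OU actually has a LAPS-managed password and who is allowed to read those passwords. The script below is an added example, not from the advisory or the LAPS project; it assumes the RSAT ActiveDirectory module and the legacy LAPS AdmPwd.PS module are installed, and the OU path is a placeholder in the playground.local test domain.

```powershell
# Added example (not the advisory's or the LAPS project's code): audit legacy LAPS coverage in an
# OU and list the principals that can read the passwords stored in ms-Mcs-AdmPwd.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$SearchBase = 'OU=Workstations,DC=playground,DC=local'   # placeholder OU

# 1. Hosts without a LAPS-managed password (or with an expired one) still carry whatever local
#    Administrator password the image or deployment script set, i.e. the reused one.
$now = (Get-Date).ToUniversalTime()
$coverage = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'     # FILETIME stored as a 64-bit integer
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
        [pscustomobject]@{
            Computer    = $_.Name
            LapsManaged = [bool]$raw
            Expires     = $expires
            Expired     = ($null -ne $expires -and $expires -lt $now)
        }
    }
$coverage | Where-Object { -not $_.LapsManaged -or $_.Expired } | Format-Table -AutoSize

# 2. Principals holding extended rights on the OU, and so on ms-Mcs-AdmPwd beneath it: this is the
#    All Extended Rights path to the plaintext password described above, so the list should
#    contain only the intended administrators.
Find-AdmPwdExtendedRights -Identity $SearchBase |
    Select-Object ObjectDN, @{ n = 'Holders'; e = { $_.ExtendedRightHolders -join ', ' } } |
    Format-List
```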

Securance & Kiwa: Cybersecurity Solutions

Securance and Kiwa join forces on Cybersecurity and Risk Management solutions

Securance, a leader in integrated risk management and cybersecurity solutions in Europe, is excited to announce a new partnership with Kiwa, an esteemed provider of certification and compliance services. This collaboration will focus on ISO certifications and Assurance services, enhancing our offerings while maintaining our distinct expertise in our respective fields.

At Securance, our approach combines comprehensive assurance and advisory services with advanced cybersecurity measures to protect and empower businesses. By aligning with Kiwa, we aim to leverage our joint capabilities to provide more robust, industry-leading solutions tailored to the specific needs of our clients. This partnership will enable us to enhance our service delivery, particularly in areas demanding rigorous standards compliance and operational excellence.

Together, Securance and Kiwa are committed to setting new benchmarks in security, compliance, and risk management. Our collaboration will deliver scalable solutions that ensure business continuity and resilience, fostering growth and innovation in an ever-evolving digital world.

Koen van der Aa, COO of Securance, said, “We are very pleased to announce our partnership with Kiwa. This collaboration marks an important step forward for both companies as we join forces to enhance our services in risk management and cybersecurity. Together, we are committed to delivering substantial value to our clients, leveraging our combined expertise to meet the evolving needs of the market. I look forward to the opportunities and successes that lie ahead for both Kiwa and Securance.”

Marjolein Veenstra, team leader cybersecurity at Kiwa, expressed her enthusiasm for the strategic partnership, saying, “With this step, we can better serve our clients with complex certification and assurance issues. We relieve our clients in the process, allowing for a greater focus on substantive assessment. We are keen to explore opportunities to strengthen both our market position and that of our clients.”

DORA: Making the Financial Sector Stronger

As financial institutions increasingly rely on digital systems, the need for robust operational resilience has never been more critical. The Digital Operational Resilience Act (DORA) is a pioneering regulation aimed at fortifying the financial sector against digital disruptions. This blog explores how DORA enhances the sector’s resilience.

Understanding DORA's role

DORA is a regulatory framework introduced by the European Union to ensure the financial sector can withstand, respond to, and recover from IT-related disruptions and threats. Recognising the interconnectivity and interdependencies within the financial system, DORA aims to standardise and strengthen the sector’s digital resilience across the EU.

DORA’s importance lies in its comprehensive approach. It mandates financial entities to implement robust IT risk management processes, conduct regular threat-led penetration testing, and ensure continuous monitoring and reporting of their IT systems. By establishing a unified regulatory environment, DORA helps mitigate the fragmented approach to cybersecurity previously seen across different EU member states.

Boosting Operational Strength with DORA

Operational resilience is the ability of an organisation to deliver critical operations through disruption. DORA significantly enhances operational resilience by enforcing comprehensive IT risk management frameworks. Financial institutions must identify, assess, and mitigate IT risks, ensuring they can continue operations even under adverse conditions. Additionally, DORA mandates timely incident reporting, facilitating rapid response and coordination at both national and EU levels.

Business continuity and disaster recovery plans are central to DORA’s requirements. These plans must be regularly tested to ensure their effectiveness in real-world scenarios. Moreover, DORA sets stringent requirements for managing third-party risks, ensuring that dependencies on external service providers do not compromise operational resilience. By enforcing these practices, DORA ensures financial institutions are prepared to handle IT-related disruptions while maintaining essential services.

Better Data Handling under DORA

Data governance is a critical aspect of DORA’s framework, emphasising the need for effective strategies to manage data securely and efficiently. DORA aligns with existing data protection regulations like GDPR, ensuring that financial institutions handle customer data with utmost care and confidentiality. This involves implementing strong encryption and data masking techniques to protect sensitive information.

Ensuring data integrity and availability is paramount under DORA. Financial institutions are required to adopt robust data backup and recovery solutions, with regular testing to guarantee quick and accurate data restoration in case of disruptions. Additionally, DORA advocates for comprehensive data governance frameworks, outlining policies, procedures, and responsibilities for data management. These frameworks help maintain data quality, ensure compliance, and support informed decision-making.

Effective data handling under DORA also involves a clear incident response and reporting mechanism. Financial institutions must have protocols in place to quickly identify, contain, and report data breaches, minimising potential damage.

DORA and other Financial Laws

DORA is designed to work in harmony with other financial regulations, creating a cohesive regulatory environment. It complements the General Data Protection Regulation (GDPR) by ensuring robust cybersecurity measures are in place, safeguarding data against breaches and cyber-attacks. DORA also enhances the Revised Payment Services Directive (PSD2) by reinforcing the security of ICT systems involved in payment services, ensuring uninterrupted and secure payment processing.

Furthermore, DORA supports the Markets in Financial Instruments Directive II (MiFID II) by ensuring the ICT infrastructure underpinning financial markets remains resilient and secure. It also builds on the Network and Information Systems Directive (NIS Directive) by focusing specifically on the financial sector, ensuring tailored and stringent measures for financial institutions. By aligning with these regulations, DORA ensures a comprehensive approach to cybersecurity and operational resilience, covering various aspects of financial operations and data management.

Planning for the future with DORA

DORA is not just about compliance; it is a strategic tool that offers long-term benefits. Financial institutions adhering to DORA’s stringent requirements can demonstrate their commitment to operational resilience and cybersecurity, building trust with customers and stakeholders. This enhances the institution’s reputation as a secure and reliable entity, attracting more customers and business partners.

Implementing DORA’s frameworks can also lead to improved operational efficiency. Streamlined processes, regular testing, and continuous monitoring help in identifying and addressing issues proactively, reducing downtime and operational costs. Moreover, DORA’s emphasis on continuous improvement and adaptation ensures that financial institutions are prepared for future challenges. By staying ahead of emerging threats and regulatory changes, institutions can maintain their resilience and relevance in a rapidly evolving landscape.

Conclusion: DORA represents a significant step forward

In conclusion, DORA represents a significant step forward in strengthening the financial sector’s operational resilience. By integrating comprehensive IT risk management, data governance, and alignment with other regulations, DORA provides a robust framework for financial institutions to thrive amidst digital challenges. Leveraging DORA’s strategic advantages can position financial institutions for sustained success and resilience in the future.

Get started with Securance's Advisory Services

Are you ready to enhance your organisation’s resilience under DORA? Securance offers comprehensive advisory services to help you navigate this regulatory landscape. We can conduct a thorough gap analysis to identify your current standing concerning DORA and assist you in implementing necessary measures. Contact us today to secure your future.

Operational Risk Management: Avoiding Pitfalls

Operational Risk Management: Avoiding common pitfalls and building resilience

Operational Risk Management involves the myriad uncertainties and inefficiencies inherent in the day-to-day activities of a company. These can stem from various sources—system failures, process inefficiencies, human error, or external events. Addressing these risks is pivotal, not merely for compliance or protecting assets, but as an essential strategy for organisational resilience and competitive advantage.

The common pitfalls

The journey of operational risk management is fraught with potential missteps that can undermine an organisation’s objectives. Here are some nuanced issues often overlooked in traditional risk management approaches:

Compartmentalised risk functions: When risk management is confined to specific departments rather than integrated throughout the organisation, critical insights can be missed.

Dependency on outdated systems: Continued reliance on legacy systems without embracing digital advancements can slow response times and hinder risk detection.

Static risk models: Many organisations stick to risk models that don’t account for the dynamic nature of business, missing out on identifying evolving threats.

A deeper understanding of these challenges is the first step towards crafting a more effective Risk Management strategy.

Best practices from our Advisory experts

Transforming an organisation’s approach to operational risk management involves strategic adjustments and not just tactical fixes. Here are some advanced practices that can fortify your risk management framework:

Cultivate a dialogue-driven culture: Foster an environment where discussing risks is encouraged at all levels, enhancing transparency and collective understanding.

Regularly update risk frameworks: It’s vital to ensure that your risk management frameworks keep pace with changes both within and outside the organisation. This involves regular reviews and updates of your risk policies and procedures to reflect new developments in your industry, changes in the regulatory landscape, or shifts in your operational environment.

Streamline reporting mechanisms: Implementing streamlined and efficient reporting mechanisms is crucial. These should be designed to provide clear, concise, and timely information to decision-makers. Effective reporting systems help in identifying potential risks early and provide actionable insights to mitigate them before they escalate.

Advancing Operational Risk Management through tooling

In the realm of operational risk management, technology is not just a tool but a strategic ally. At Securance, our partnerships with leading technology providers equip us with sophisticated Risk Management tools that deliver:

Proactive risk detection: We utilize advanced predictive analytics to anticipate and mitigate potential disruptions before they impact our business operations. This proactive approach helps maintain continuity and integrity throughout our processes, ensuring that risks are managed efficiently.

Integrated risk solutions: Our Risk Management tooling partners provide comprehensive platforms that offer a holistic view of risks across the organisation. This integration allows for better-informed decision-making, as risk data from various departments is centralised, ensuring that all potential risks are visible and managed effectively.

Advanced Cybersecurity protocols: Through these partnerships, we implement the latest in Cybersecurity measures to protect against emerging digital threats. These protocols are continuously updated, responding to new cyber risks as they develop, and safeguarding our sensitive data and systems against breaches.

Conclusion: Embracing continuous evolution

Effective risk management is about perpetual evolution and adaptation. It requires a forward-thinking approach that not only addresses current risks but also anticipates future challenges. Organizations committed to continuously refining their risk management practices are better positioned to thrive in an unpredictable business environment.

By understanding the common pitfalls and integrating cutting-edge technology through Risk management tooling, companies can secure a robust operational framework that drives sustained success.