“There are two types of companies: those that have been hacked and those that will be hacked,” said FBI Director Robert Mueller, speaking at the 2012 RSA Conference. While Mueller went on to discuss the likelihood of multiple attacks, some experts feel his statement may be in need of an update.
And at Microsoft’s U.S. Public Sector CIO Summit on March 28, 2013, in-house cybersecurity pro Mark Russinovich suggested in his speech a more fitting summary of the current cybersecurity landscape might be this: “There are two types of companies: those that have been hacked and those that don’t know they’ve been hacked.”
Pointing out that hacking is just as likely to occur in the public sector, Russinovich described a new threat making its way into the cybersecurity vernacular, one that takes advantage of people’s preference for single sign-on. He learned of the technique, called “Pass the Hash,” or PtH, from the U.S. General Services Administration, which had observed the tactic being used against government.
Pass the Hash targets users with no administrative network privileges with an innocent-sounding email attachment. The malware, once opened, causes the user’s machine to behave in a manner that prompts a call to the organization’s help desk. When the IT troubleshooter, who has administrative privileges, logs into the user’s machine with their own credentials, the malware captures their password “hash.”
The term hash refers to a type of credential used by Windows to enable single sign-on – not a password per se, but a password “hash” that enables users to access network resources from other machines without re-entering log-in information.
“If your users didn’t care for the convenience of being able to log onto a box, and then go access resources across the network without having to type in their password every time they wanted to access one, then we wouldn’t be having this discussion,” Russinovich explained.
By gaining local administrative access to one machine, the attacker can use hashes they find on that system to infiltrate other computers on the network. “At that point, they can use that hash to go own the heart of the network or every machine on the network.”
Microsoft convened a working group of experts across the company to help customers minimize the risks associated with PtH, though Russinovich admits that there’s no easy fix, as some recommendations come at a high price to the organization.
“Implementing some of these mitigations … means potentially breaking your apps, and we know customers have a lot of problems when your business apps break, so a lot of these can't be swallowed very easily,” he said. “But there are three [the first three in the list below] that are relatively straightforward that you just can't compromise on if you want to mitigate Pass the Hash.”
1. Don’t let high-value administrators use their credentials to log into low-value servers and systems. Instead, they should troubleshoot other machines using an isolated account that has no other network access.
2. Minimize the kinds of local accounts with administrative privilege. There's no reason to grant administrative privilege to the help desk receptionist, for example.
3. Use firewall rules to block incoming traffic from systems that shouldn't have access to servers. Ports should be restricted so that only internal, front-end machines can access back-end databases.
4. Segregate the network. As a more advanced yet highly effective strategy, Russinovich recommends using jump servers to isolate high-value resources from lower-value networks – a scenario in which administrators on one side are not administrators on the other side. Two-factor authentication should be required to access the other side of the network.
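The first mitigation above is also something a defender can audit: a logon of a high-value account onto a low-value machine is exactly the event that leaves a reusable hash behind. The following is an added example, not code from the article or from Microsoft, that flags such logons in constructed records shaped like the fields of Windows Security event 4624; the account names, host tiers and logon-type list are assumptions for the illustration.

```python
from dataclasses import dataclass

# Assumed tiering for this example: the privileged accounts an organization
# would classify as high-value, and the only hosts they are allowed to log on to.
PRIVILEGED_ACCOUNTS = {"corp\\da-admin", "corp\\helpdesk-admin"}
ADMIN_HOSTS = {"DC01", "JUMP01"}

# Logon types that leave credential material on the target host: interactive (2),
# batch (4), service (5), RemoteInteractive/RDP (10), cached interactive (11).
# A plain network logon (3) does not cache the hash on the target.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}


@dataclass(frozen=True)
class LogonEvent:
    event_id: int      # 4624 = successful logon
    target_user: str   # account that logged on
    logon_type: int    # Windows logon type code
    computer: str      # host on which the logon occurred


def flag_privileged_logons(events):
    """Return (user, computer, logon_type) for every successful logon that
    places a high-value credential on a host outside the admin tier."""
    hits = []
    for e in events:
        if e.event_id != 4624:
            continue  # only successful logons matter here
        if e.target_user.lower() not in PRIVILEGED_ACCOUNTS:
            continue  # ordinary user: nothing valuable to steal
        if e.logon_type not in CREDENTIAL_CACHING_LOGON_TYPES:
            continue  # network logon leaves no reusable hash
        if e.computer.upper() in ADMIN_HOSTS:
            continue  # logon stayed inside the admin tier
        hits.append((e.target_user, e.computer, e.logon_type))
    return hits


# Constructed sample events for the illustration (not real log data).
SAMPLE_EVENTS = [
    LogonEvent(4624, "corp\\da-admin", 10, "WS-0042"),       # admin RDPs to a workstation
    LogonEvent(4624, "corp\\jdoe", 2, "WS-0042"),            # normal user at console
    LogonEvent(4624, "corp\\da-admin", 3, "FILESRV01"),      # network logon only
    LogonEvent(4624, "corp\\helpdesk-admin", 2, "WS-0117"),  # help desk logs on locally
    LogonEvent(4624, "corp\\da-admin", 2, "DC01"),           # allowed admin host
    LogonEvent(4625, "corp\\da-admin", 10, "WS-0099"),       # failed logon, ignored
]

if __name__ == "__main__":
    for user, host, ltype in flag_privileged_logons(SAMPLE_EVENTS):
        print(f"ALERT: {user} logon type {ltype} on low-value host {host}")
```

In practice the same rule runs over exported 4624 events from a SIEM; the two flagged rows are the cases where the help desk or domain admin credential would be exposed to malware on the workstation.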
Government Technology editor Noelle Knell has more than 15 years of writing and editing experience, covering public projects, transportation, business and technology. A California native, she has worked in both state and local government, and is a graduate of the University of California, Davis, with majors in political science and American history. She can be reached via email and on Twitter.