The best way for hackers to pwn a company is to steal elevated credentials, but Skyport's SkySecure solution sells nearly impenetrable admin boxes

Persistent hackers have a common means of taking over company networks: they compromise one or more enterprise users using social engineering. Either they've already compromised a website the user visits, or they send a phishing email that asks for enterprise credentials. If the user visits a compromised website, a malicious script usually probes the user's computer for common unpatched software (such as Java) or induces the user to run a Trojan executable.

Either way, the bad guy gets a backdoor into one or more user systems, gains local admin access, then uses that access to look for elevated network credentials. It usually doesn't take long: on almost any network there are dozens of active users with elevated group memberships. The average hacker needs less than an hour to move from a single pwned computer to total environment takeover.

The two best defensive strategies are to implement "perfect patching" and to teach your users how to spot social engineering scenarios. It's also a huge help not to have multiple users running around your network using superelevated credentials all the time.

Locking down admin boxes

Today, most companies have reduced elevated group membership to a bare minimum or require that every potential admin check out, on a limited-time basis, any elevated credential they need to use. But even more can be done.

Back in 2013, I wrote about using secure jump boxes to improve your overall enterprise security. They go by many names, including secure admin workstations (SAWs). The concept: you lock down a workstation and tell all administrators to use only that secure workstation whenever they do anything requiring elevated credentials. This makes elevated credentials far more difficult to steal. SAWs can be real computers or virtual machines.
I recommend the following characteristics for any SAW:

- Highly tightened security settings
- Multifactor access control
- No access to or from the Internet
- Strict firewall rules
- Application control whitelisting, so that only pre-approved programs can run
- Perfect patching
- Hypervigilant auditing

SAWs are fairly common in most of today's enterprises. My strongest experience is in Microsoft Windows systems, but I also love Linux and BSD for creating SAWs. At home and for some of my clients, I use OpenBSD. It's hard to beat the base security given by OpenBSD's default settings and security choices.

Skyport kicks it up a notch

I recently ran across the talented people at Skyport Systems. They've created what looks to be a great Linux-based SAW, which is only part of their SkySecure solution. Their solution is essentially a bunch of SAWs, each dedicated to one or more applications, managed from a very secure platform.

They start with a tamper-resistant chassis running a hardware-based hypervisor chip, a Trusted Platform Module (TPM) chip, and Intel's Trusted Execution Technology. This combination of hardware and software ensures that the critical hardware remains unadulterated and that the integrity of the BIOS/UEFI, the hardware boot process, and the operating system boot process is verified. This last part is relatively common on many of today's computers, Windows and otherwise, but without it as a base you can't trust the system.

Skyport starts with this trusted base and adds Security Enhanced Linux (SELinux), a hardened implementation (or kernel module, depending on the implementation) of Linux. SELinux enforces least-privilege, mandatory access controls, along with a slew of heightened security options that have been reviewed, approved, and recommended by security experts around the world for almost two decades.

Native multifactor authentication is used (including from LDAP, geo-fencing, and 2FA-Mobile repositories).
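To make the "hypervigilant auditing" and "no access to or from the Internet" items concrete, here is an added example (not code from the original article, from Skyport, or from any product) that checks constructed logon and network-flow records against two SAW rules: elevated credentials are used only from an approved SAW, and a SAW never exchanges traffic with the Internet. The SAW addresses, group names, and internal ranges are assumed values.

```python
"""Audit check for secure admin workstation (SAW) policy.

Two of the SAW rules listed above, checked over constructed sample events:
  * elevated credentials may only be used from an approved SAW;
  * a SAW must have no traffic to or from the Internet.
"""
from ipaddress import ip_address, ip_network

SAW_HOSTS = {"10.0.9.10", "10.0.9.11"}            # assumed SAW addresses
ADMIN_GROUPS = {"Domain Admins", "wheel"}          # assumed elevated groups
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample records (not real logs): privileged logons and flows.
SAMPLE_EVENTS = [
    {"type": "logon", "user": "alice", "groups": ["Domain Admins"],
     "src": "10.0.9.10", "dst": "10.0.1.5"},          # admin from SAW: fine
    {"type": "logon", "user": "bob", "groups": ["Domain Admins"],
     "src": "10.0.42.77", "dst": "10.0.1.5"},         # admin from a user PC
    {"type": "logon", "user": "carol", "groups": ["Users"],
     "src": "10.0.42.78", "dst": "10.0.1.9"},         # unprivileged: fine
    {"type": "flow", "src": "10.0.9.11", "dst": "203.0.113.8", "dport": 443},
    {"type": "flow", "src": "10.0.9.11", "dst": "10.0.1.5", "dport": 22},
    {"type": "flow", "src": "10.0.42.77", "dst": "203.0.113.8", "dport": 443},
]

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def check_event(ev):
    """Return a finding string if the event violates SAW policy, else None."""
    if ev["type"] == "logon":
        elevated = ADMIN_GROUPS.intersection(ev["groups"])
        if elevated and ev["src"] not in SAW_HOSTS:
            return (f"ELEVATED LOGON OFF-SAW: {ev['user']} "
                    f"({', '.join(sorted(elevated))}) from {ev['src']} to {ev['dst']}")
    elif ev["type"] == "flow":
        touches_saw = ev["src"] in SAW_HOSTS or ev["dst"] in SAW_HOSTS
        if touches_saw and not (is_internal(ev["src"]) and is_internal(ev["dst"])):
            return f"SAW INTERNET TRAFFIC: {ev['src']} -> {ev['dst']}:{ev['dport']}"
    return None

def audit(events):
    """Run every event through the policy and collect the findings."""
    return [f for f in (check_event(e) for e in events) if f]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

Fed real authentication and flow logs, the same two checks are the audit exceptions a SAW program should page on: a privileged logon that did not come from a SAW, and any SAW flow that leaves the internal ranges.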
Synthetic credentials are used for shared resources so that no admin ever has global device-level credentials or passwords. SSH is monitored and filtered for X11 and SCP traffic. Anomalous traffic generates proactive alerting. A bare minimum of applications is installed. Whitelisting is done with an implicit deny on all applications and on any traffic not previously approved and defined. Whitelisting policies are implemented in hardware with the Cavium processor located on the network interface card/IO controller. Hardware-based packet capturing and mirroring is used to detect any flows violating whitelisting policies.

SELinux runs as a secured proxy/firewall for each application. The SkySecure solution allows an admin to SSL into a particular address/port and authenticate using multifactor authentication, and it binds the admin to a specific device and application. Everything is monitored and recorded. If an admin tries to allow access to the Internet, an audit exception is made and flagged.

Good luck, hackers, stealing those sessions and credentials.

I'm new to Skyport and its SkySecure solution, but I'm impressed with what I read and saw. After a few email exchanges with company officers and technologists, I can tell this company gets it. I must get a dozen computer security pitches a day. Most of them are boring and repetitive, and they rarely offer anything new. Skyport is different. If you have high-value assets or critical applications to protect, check out Skyport's SkySecure solution.