Page 94 - Cyber Warnings August 2017
And on the community groups, when asked what’s the worst that could happen as a result of poor user
security, another member said: “Social engineering, gathering data, installing software, running
ransomware on shared resources” — no doubt a terrifying prospect for any IT administrator.
Most of these scenarios stem from the fact that AD can’t defend against the use of stolen logon
credentials. It can’t stop careless user behaviour such as password sharing or concurrent logins. It
doesn’t let you apply temporary logon controls. It doesn’t ensure access is identifiable and attributable to
an individual user. It can’t monitor systems in real time to give a clear picture of who is on the network,
and when and from where, at any one time. And there’s no auditing with centralised, network-wide
reporting, which means it can’t detect possible or suspicious access events.
The restrictions of AD are leaving organisations at a loss as to what to do, and many organisations are not
going about fixing the issue of AD in a logical way. Some are completely overhauling their security
systems. Brad Voris says: “My organization is implementing a massive new security program and
overhaul to change not just the physical/logical aspects of security but also the culture.”
Some companies have ruled out real-time monitoring on the mistaken assumption that it is too
time-consuming and difficult. Guurhart says: “Keeping up with who's doing what in real time seems like a
pointless exercise that will drain your IT and infosec staff rapidly.”
Most shockingly, many are sticking their head in the sand and doing nothing due to a lack of budget to
fund access security. Roguetroll says on Reddit: “We use Windows Active Directory. But since there's no
budget for security (I don't even know if we're running AV on all machines right now) let's just say we're
deploying the ‘told you so’ method when shit hits the fan.”
So, what can organisations do to improve user access security beyond using AD? Brad Voris argues
that because “there’s no real native support for MFA/2FA, third-party tools should be used” and Guurhart
argues that it’s “very important to get an alert when certain access events occur. When detected or
alerted, you need playbooks for handling these situations. If you don't have playbooks and someone
trained in using those, you will respond inconsistently and randomly.”
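The logon controls this page discusses (restricting a user to particular workstations and times of day, limiting concurrent sessions) and the alerting Guurhart calls for come down to evaluating each logon event against a per-user policy. The following is an added example, not code from the magazine, UserLock or any vendor: a small policy evaluator in Python run over a handful of constructed logon events. The user names, workstation names, timestamps and policy values are all invented for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample events (not real logs): (ISO timestamp, user, workstation, action).
SAMPLE_EVENTS = [
    ("2017-08-14T08:55:00", "alice", "WS-FIN-01", "logon"),
    ("2017-08-14T09:10:00", "alice", "WS-FIN-02", "logon"),   # second workstation while first session open
    ("2017-08-14T12:00:00", "alice", "WS-FIN-01", "logoff"),
    ("2017-08-14T23:30:00", "bob",   "WS-HR-01",  "logon"),   # outside bob's permitted hours
    ("2017-08-15T09:00:00", "bob",   "WS-FIN-01", "logon"),   # workstation not on bob's list
    ("2017-08-15T09:05:00", "carol", "WS-OPS-01", "logon"),   # fully compliant
]


@dataclass(frozen=True)
class LogonPolicy:
    workstations: FrozenSet[str]      # workstations the user may log on from
    hours: Tuple[int, int]            # permitted local hours, start inclusive, end exclusive
    max_sessions: int = 1             # how many distinct workstations may hold a session at once


# Hypothetical per-user policy, the kind of "workstation, time of day" restriction the page describes.
POLICY: Dict[str, LogonPolicy] = {
    "alice": LogonPolicy(frozenset({"WS-FIN-01", "WS-FIN-02"}), (8, 18), 1),
    "bob":   LogonPolicy(frozenset({"WS-HR-01"}), (8, 18), 1),
    "carol": LogonPolicy(frozenset({"WS-OPS-01"}), (0, 24), 2),
}


@dataclass
class Decision:
    timestamp: str
    user: str
    workstation: str
    allowed: bool
    reasons: List[str] = field(default_factory=list)   # empty when allowed


def evaluate(events, policy) -> List[Decision]:
    """Replay logon/logoff events in time order, decide each logon against the policy.

    A denied logon does not open a session, so a later logon from the same user
    is judged against the sessions that were actually granted.
    """
    active: Dict[str, set] = {}          # user -> workstations with an open session
    decisions: List[Decision] = []
    for ts, user, ws, action in sorted(events):
        sessions = active.setdefault(user, set())
        if action == "logoff":
            sessions.discard(ws)
            continue

        reasons = []
        pol = policy.get(user)
        if pol is None:
            reasons.append("no policy defined for user")
        else:
            when = datetime.fromisoformat(ts)
            if ws not in pol.workstations:
                reasons.append("workstation not permitted")
            start, end = pol.hours
            if not (start <= when.hour < end):
                reasons.append("logon outside permitted hours")
            if ws not in sessions and len(sessions) >= pol.max_sessions:
                reasons.append("concurrent session limit exceeded")

        allowed = not reasons
        decisions.append(Decision(ts, user, ws, allowed, reasons))
        if allowed:
            sessions.add(ws)
    return decisions


def denied(decisions: List[Decision]) -> List[Decision]:
    """The subset an administrator would want an alert (and a playbook) for."""
    return [d for d in decisions if not d.allowed]


if __name__ == "__main__":
    for d in denied(evaluate(SAMPLE_EVENTS, POLICY)):
        print(f"{d.timestamp} DENY {d.user}@{d.workstation}: {', '.join(d.reasons)}")
```

Each denied decision is the "access event" worth alerting on; wiring `denied()` to a ticketing or SIEM integration is where the playbooks Guurhart mentions would pick up. Logoffs are replayed so that the concurrent-session check only counts sessions still open, which is what stops a normal "log off at one desk, log on at another" sequence from being flagged.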
Technology such as UserLock now exists that runs alongside Windows AD to plug the growing number of
security holes with regard to user access. These tools can restrict logons to a combination of particular
workstations, geographies, mobile devices, times of day and more — whatever the IT department deems
fit — to close the window of opportunity for would-be attackers. Should an employee’s login credentials
fall into the hands of an attacker, that attacker would likely attempt to log in outside of the restrictions set
up by the IT department. This kind of security minimises the damage of a number of attack vectors like
Copyright © Cyber Defense Magazine, All rights reserved worldwide.