Tag Archives: DHS

The Eternal Battle over Active Directory between OT and IT

29 October 2020

On October 13th I moderated the anapur Virtual Dialog “Network Monitoring and Anomaly Detection”. During the breaks, some participants from industry talked about a really concerning issue: IT, IT-Security and GRC groups in their companies urge them to integrate their so far isolated production Active Directories into the corporate directory.

I have been involved in these discussions for 10 years and I never changed my answer:

Don’t do it!

This integration is dangerous. Active Directory simplifies lateral movement once an attacker has established a foothold in your network, and it simplifies the distribution of malware through login scripts. Remember the Norsk Hydro attack of March 2019: divisions with a high degree of vertical integration were more affected by LockerGoga than the alumina production.

In their paper “Seven Steps to Effectively Defend Industrial Control Systems” from December 2015, DHS ICS-CERT, FBI and NSA give a very clear Active Directory strategy:

Never share Active Directory, RSA ACE servers, or other trust stores between corporate and control networks.

For details see step 5, “Manage Authentication”.
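The following PowerShell script is an added example, not part of the original post and not from the DHS/FBI/NSA paper. It turns the “never share a trust store” rule into a check you can run from a management host joined to the production (OT) domain: it reports whether that domain is merely a child of a larger (corporate) forest and enumerates every trust it holds, pointing out the properties that matter for lateral movement. It assumes the RSAT ActiveDirectory module is installed; all domain names come from the environment it runs in.

```powershell
# Added example (not the post's or the paper's own code): audit the OT domain
# this host belongs to for links into another directory.
# Assumption: RSAT ActiveDirectory module present, run as a user that can read
# the domain's trust objects (any domain user can).
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$forest   = Get-ADForest
$findings = @()

# 1. Is the OT domain a child domain of a larger forest? A child domain shares
#    the schema, the Configuration partition and the forest's Enterprise Admins
#    with every other domain in that forest, so it is not isolated even if no
#    explicit trust has been created.
if ($domain.DNSRoot -ne $forest.RootDomain) {
    $findings += "Domain $($domain.DNSRoot) is a child of forest $($forest.RootDomain); it shares the forest with the corporate side."
}

# 2. Enumerate every trust the OT domain holds. Inbound and bidirectional trusts
#    let principals from the other side authenticate here, which is exactly the
#    path a compromised corporate account takes to reach production systems.
$trusts = Get-ADTrust -Filter * -Properties Direction, TrustType, ForestTransitive, SelectiveAuthentication, SIDFilteringQuarantined
foreach ($t in $trusts) {
    $line = "Trust to $($t.Target): direction=$($t.Direction), type=$($t.TrustType), forest-transitive=$($t.ForestTransitive)"
    if ($t.Direction -in 'Inbound', 'BiDirectional') {
        $line += " | accounts from $($t.Target) can log on to OT resources"
    }
    if ($t.ForestTransitive) {
        $line += " | every domain of that forest is reachable through this trust"
    }
    if (-not $t.SelectiveAuthentication) {
        $line += " | selective authentication OFF: all trusted users are 'Authenticated Users' here"
    }
    if (-not $t.SIDFilteringQuarantined) {
        $line += " | SID filtering OFF: SID history from the other side is honoured"
    }
    $findings += $line
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $($domain.DNSRoot) is its own forest root and holds no trusts."
} else {
    Write-Output "WARNING: $($domain.DNSRoot) is linked to other directories:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The script only sees what Active Directory itself records: forest membership and trust objects. It will not notice other ways the two worlds get coupled, such as the same admin accounts or passwords being reused on both sides, or a RADIUS/RSA server that both networks authenticate against, so treat a clean result as necessary, not sufficient.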

Hope this helps in discussions with IT, IT-Security and GRC.


In his poem Ulysses, Alfred Tennyson puts it succinctly:

Tho' much is taken, much abides;
and though we are not now that strength
which in old days moved earth and heaven;
that which we are, we are;
one equal temper of heroic hearts,
made weak by time and fate,
but strong in will to strive, to seek, to find.
And not to yield.

CNAP – a comprehensive approach to cyber security

15 February 2016

I really appreciate the comprehensive approach of the Cybersecurity National Action Plan (CNAP), because the news of the cyber-attack on the Department of Homeland Security made one thing crystal clear:

It’s definitely not enough to focus on the upgrade of the U.S. IT security infrastructure. Security protocols must be reviewed and adjusted where necessary. And employees must be trained in their correct application.

Moreover, employees must be empowered to say “No, I’m sorry, this is not allowed!” whenever a caller cannot be unambiguously identified.

Take care!

U.S. Department of Homeland Security hacked

9 February 2016

I was really shocked when I read the LIFARS post ‘Hacker Allegedly Dumps Data of 9,000 DHS Employees’ at 5:30 this morning.

It is very remarkable how easy it was for the attacker to get access to the DHS network:

“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told the outlet. “They asked if I had a token code, I said no, they said that’s fine—just use our one.”

From this it is apparent that the help desk had not been adequately trained in the procedure for verifying a caller’s identity. In addition, passing on a token code is a massive violation of the security procedures.

Take care! And train the help desk staff…