How do these model companies deal with permissions? Either they apply delegation, where users are given individual sets of permissions to smaller groups of objects, or they use some sort of password vaulting software, where super admin credentials must be checked out on the fly, and even then, only for short periods of time. Or they use privilege management software, where only particular tasks end up with super admin functions and the designation stays with the task and not the user.
2. Removed or forcibly patched Java
I hate to flat-out recommend removing any particular piece of software, even Java. If you keep Java patched and up to date, the risk of running it will be significantly lessened. Unfortunately, for reasons I've offered before, Java has one of the worst patching records at most customer sites. If you can't keep it patched all the time, get rid of it.
Companies that are good at computer security don't install Java on every desktop and server. When it is installed, it's patched on a monthly basis. In most companies, application compatibility prevents Java from being patched in a timely manner. In highly secure companies, application compatibility is second, at least when it comes to Java. Java users know this and accept that frequent updates might break a program. Either that or they run unpatched Java on computers not hooked to the network.
3. Admin passwords that are not shared
Not sharing passwords is the single best measure enterprises can take to slow down attackers once they gain a foothold on the network. Most companies use the same password across every local Administrator or root account on every managed computer. Attackers love this because once they have compromised one computer, they can dump the local passwords (or hashes) and begin using them to move easily throughout the environment.
Successful companies know this and enforce a separate, unique password for every local admin account. They either accomplish this manually (pure grunt effort) or use an automated password management tool made for just that. If you have a shared admin password across all your computers, change it now.
4. Outstanding monitoring and alerting
As Verizon's Data Breach Investigations Report reveals each year, the vast majority of attacks left evidence in log files, but the companies did not bother to look. Secure companies take event logging and monitoring seriously. They create plans, buy the right tools, and alert upon suspicious activity. Every alert is immediately picked up by someone from the incident response team and investigated until it is proved to be either a false positive or a security incident.
This "investigate everything" approach can be particularly powerful when combined with having very few — or zero — permanent members in admin groups. If someone's account gets added without appropriate justification, it's probably a good event to investigate.
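As an added example (not from the article), here is a small Python check that applies the "investigate everything" rule to admin-group additions: it reads constructed audit records in the shape a SIEM might export, keeps only additions to privileged groups, and flags any that lack an approved change ticket or that were performed by the account being elevated. The event IDs 4728 and 4732 are the real Windows Security IDs for member-added-to-group events; the record layout, group names, hosts and ticket list are assumptions made for the example.

```python
"""Flag additions to admin groups that lack an approved change ticket."""
import json

# Real Windows Security event IDs: 4728 = member added to a global group,
# 4732 = member added to a local group. Everything else here is constructed.
GROUP_ADD_EVENTS = {4728, 4732}
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample log: one JSON object per line, as a SIEM might export them.
SAMPLE_LOG = """
{"EventID": 4732, "TargetGroup": "Administrators", "Member": "jdoe", "Actor": "svc-pam", "Host": "WS-0417", "Ticket": "CHG-1042"}
{"EventID": 4728, "TargetGroup": "Domain Admins", "Member": "tmiller", "Actor": "tmiller", "Host": "DC-01", "Ticket": null}
{"EventID": 4732, "TargetGroup": "Remote Desktop Users", "Member": "asmith", "Actor": "helpdesk", "Host": "WS-0211", "Ticket": null}
{"EventID": 4728, "TargetGroup": "Domain Admins", "Member": "svc-backup", "Actor": "ops1", "Host": "DC-01", "Ticket": "CHG-9999"}
"""

# Constructed list of change tickets that change management has approved.
APPROVED_TICKETS = {"CHG-1042"}


def parse_events(text):
    """Parse newline-delimited JSON records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def flag_admin_additions(events, approved):
    """Return (host, member, group, reason) for every admin-group addition
    that needs a human to look at it."""
    findings = []
    for ev in events:
        if ev["EventID"] not in GROUP_ADD_EVENTS or ev["TargetGroup"] not in ADMIN_GROUPS:
            continue  # not an addition to a privileged group
        reasons = []
        if not ev.get("Ticket"):
            reasons.append("no change ticket")
        elif ev["Ticket"] not in approved:
            reasons.append(f"ticket {ev['Ticket']} not approved")
        if ev["Actor"] == ev["Member"]:
            reasons.append("self-elevation")
        if reasons:
            findings.append((ev["Host"], ev["Member"], ev["TargetGroup"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in flag_admin_additions(parse_events(SAMPLE_LOG), APPROVED_TICKETS):
        print("INVESTIGATE:", finding)
```

The approved addition (ticket CHG-1042) and the non-privileged Remote Desktop Users change pass silently; the two Domain Admins additions are returned for investigation.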