In one of my discussions with Lester Godsey, CISO for the City of Mesa, about the role of the CISO, he said “Start by eating your vegetables”. Like many other fields in life, there is nothing better than the words of the wise and experienced. Enterprise security, like a healthy body, needs to rest on solid foundations. Although we were discussing the use of Artificial Intelligence and other advanced technologies that can help us face the risks cyber threats are posing to our way of life, the reality is that too many organizations are really behind on the basic security tasks that can improve their cyber resistance. In this post, I will cover 11 of the most common security gaps that can affect your enterprise.
1. Reused Passwords
When your users register for other services on the web, too many of them will reuse their corporate passwords. In other words, when attackers are able to harvest passwords from weak websites external to your enterprise network, they gain your users’ passwords and can use these to breach your network. A LogMeIn survey shows that 59% of people use the same password everywhere.
Recommended Action: Insist on 2FA and MFA authentication, educate about security hygiene and encourage the use of unique passwords created by password management software.
2. Weak Passwords
One of the most popular password policies in corporate use requires that a password start with a number and include a shifted (symbol) character. This encourages many users, who are averse to learning a whole new passphrase every 90 days, to change only the last character: 2q2w3e4r% becomes 2q2w3e4r^, which then becomes 2q2w3e4r&, and so on every three months. Attackers know to look for these patterns and can easily gain access to your network with them. According to the recent Verizon Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords.
Recommended Action: Invest in employee education and safe password practices. Mandate strong passwords and reconsider whether your password policy is really helping or harming your security efforts.
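As an added illustration (not code from the original post), here is a password-change check a defender could place in front of the password-history rule. It rejects the quarterly last-character rotation described above and goes one step further by also catching a new password that merely appends digits or symbols to the old core. The policy constants and sample passwords are assumed values for this example.

```python
import string

# Policy knobs: assumed values for this example, not taken from the post.
MIN_LENGTH = 12
MIN_EDITS = 3  # a new password must differ from any old one by at least this many edits


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; passwords are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(pw: str) -> str:
    """Strip the trailing run of digits/symbols that users rotate each quarter."""
    return pw.rstrip(string.digits + string.punctuation).lower()


def check_new_password(new: str, history: list[str]) -> list[str]:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    problems: list[str] = []

    def add(msg: str) -> None:
        if msg not in problems:
            problems.append(msg)

    if len(new) < MIN_LENGTH:
        add(f"shorter than {MIN_LENGTH} characters")
    for old in history:
        if new.lower() == old.lower():
            add("matches a previous password")
        elif edit_distance(new, old) < MIN_EDITS:
            # Catches 2q2w3e4r% -> 2q2w3e4r^ -> 2q2w3e4r& style rotations.
            add(f"differs from a previous password by fewer than {MIN_EDITS} edits")
        elif stem(new) and stem(new) == stem(old):
            # Catches 2q2w3e4r% -> 2q2w3e4r%2019, where only the tail grows.
            add("same core as a previous password with only the digit/symbol tail changed")
    return problems


if __name__ == "__main__":
    # Constructed sample: a user trying to rotate the post's example password.
    print(check_new_password("2q2w3e4r^", ["2q2w3e4r%"]))
```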
3. Social Networking
The amount of data your users are sharing with the world on social media allows attackers to learn a lot about your business and to profile your users for targeted phishing. Whether it’s Facebook allowing others to harvest user data, or just your staff posting detailed resumes on LinkedIn, it’s all data that attackers can use to craft targeted emails that can lead to a network compromise.
Recommended Action: Use simulated phishing campaigns on your workforce and make sure your security solution can recognize malicious code execution even from trusted processes.
4. Delayed Patching
Every month we hear about more vulnerabilities being discovered and patched, both at the OS level and at the application layer. Once a patch becomes available, it is quickly reverse engineered by cybercriminals to develop exploits that work well on any unpatched device. Threat actors work fast, while users are typically slow to update and upgrade. The effort of patching often and patching early is not going away, and it requires constant attention from IT and SecOps.
Recommended Action: Patching is just one of many protection layers, not a silver bullet that can completely protect your devices. Deploy an advanced EDR solution as a last line of defense against undiscovered vulnerabilities and new attack vectors, and use software that can help automate patching to ensure all your endpoints are up to date.
5. Internet of Things (IoT)
Connecting more and more devices to your enterprise network, without considering the security factor, is a major risk. Many of these devices have old firmware that is easy to exploit, and they then become the weakest link in your armour and open up a route to your assets. Some IoT devices even include operational backdoors, like hardcoded admin credentials intended for maintenance but easily repurposed by threat actors. If you don’t know what devices are connected to your network, how can you defend against them when they turn malicious?
Recommended Action: Visibility across your entire network is vital, so look for and deploy a security solution that can meet that minimum requirement.
6. Linux
Many organisations are packed with Linux-based servers and services that are designed to provide maximum productivity, but if they are not managed properly, those boons can come at the expense of security. With unpatched distros vulnerable to attacks from maliciously crafted TCP packets, or long-standing but little-known privilege escalations, attackers will quickly find their way into unmanaged Linux devices.
Recommended Action: Deploy security software that is multi-platform and which can mitigate vulnerabilities in operating system software.
7. Legacy AV
It’s no secret that traditional antivirus, a technology built to stop file-based viruses, does not save you from a threat that has since evolved into an endless stream of nation-state-level malware, including in-memory attacks and lateral movement. It’s true that over time, legacy vendors like Trend Micro, Symantec and McAfee have evolved to provide affordable IT solutions, but we see day in and day out how dearly enterprises (and city halls) pay for relying on weak security solutions.
Recommended Action: Active EDR solutions are the best way to protect your endpoints against ransomware and other attacks.
8. Unnecessary Rights
When attackers penetrate your network, they will look immediately for admin accounts as they will allow an easy way to move laterally to find their targets. Too many organizations fail to follow the maxim of “least privilege”. In other words, all users – right up to the CEO – should only have the rights to do what they need to do. A bank doesn’t give the Marketing Director the keys to the vault, and you shouldn’t be giving her – or anyone else – the keys to access critical parts of your network if that’s not in their job description.
Recommended Action: Removing unnecessary privileges whenever possible will reduce your attack surface dramatically.
9. Supply Chain Attacks
We select cloud vendors, manage our business intelligence through external services, run our HR with external vendors and generally outsource more often than ever before. In a supply chain attack, a legitimate software vendor pushes out what looks like a trustworthy software update to its users, but it is really a destructive instrument of cyber threats, delivered at scale.
Recommended Action: Plug the holes that whitelisting and digital certificates create with a security solution that autonomously detects malicious code execution, whatever its source.
10. Temp Employees, Contractors & Others
The reality for the enterprise today is that it is always understaffed. While we outsource more often than ever before, we sometimes don’t have the means to enforce the right security controls and keep access to its absolute minimum. The result is that we give unauthorized users access to our assets, opening the door to internal threats and making ourselves an easy target for hackers to exploit.
Recommended Action: Take the burden off your over-worked teams by deploying software to manage access control.
11. Plugins
Chrome, Drive, Firefox and others all support plugins, and we allow our users to install them without knowing who is behind them, granting access to mailboxes, shared documents and other personally identifiable information (PII) in the business. These can offer an easy way for threat actors to compromise your business at scale, harvest your data and steal your intellectual property.
Recommended Action: Plugins are no different from any other executable software and should be monitored by a good EDR security solution.
Conclusion
The headlines always focus on zero-day vulnerabilities and advanced attacks on the enterprise, but it is too easy to compromise many of our networks when the basics aren’t even in place. Who needs advanced attacks when an enterprise hasn’t secured its devices against routine vectors that have been known for years? The above list represents easy-to-implement methods to improve your cybersecurity resistance. Manage your endpoints, manage your users and protect your business from the ground up. As Lester Godsey wisely said, “Start by eating your vegetables!”