Our pen testers have seen quite a few security environments and can identify typical vulnerabilities in organizations of all sizes and industries. Below is a list of the security issues and potential exploits that companies face today; these are areas in which to focus. This list includes 8 of the most common cybersecurity weaknesses our team looks for and tests on a regular basis. While it is impossible to completely secure any network by eliminating all degrees of risk, addressing the vulnerabilities below is a great first step towards implementing a strategy that demonstrates due care. In the end, that is all a reasonable person can be expected to do.
All organizations should adhere to the Principle of Least Privilege (PoLP). PoLP is about allotting user accounts only the essential access rights, computing processes and resources they need in order to perform the functions of their job. Forrester Research estimates that 80 percent of security breaches involve privileged credentials. These include the IT professionals who administer the systems, databases, and networks of an organization. Admin rights are the keys to the kingdom because they provide unrestricted access to resources and assets. A study in 2016 found that up to 94 percent of Microsoft vulnerabilities can be mitigated by removing admin rights for standard users.
With nearly every aspect of the enterprise being vulnerable to some degree, companies must begin embracing the concept of a zero-trust network. This concept starts at the desktop. A survey conducted last year showed that 57 percent of organizations on average assign local admin rights to some portion of their normal users. Surprisingly, this percentage increases along with the size of the organization as 69% of enterprises with over 5,000 users admitted to this practice. This is when malware is downloaded and installed (note we didn’t say if) via the privileged rights of that local admin. Now compound the potential consequences when a user with greater network privileges or domain admin rights checks their email using their privileged account.
But admin roles go far beyond the realm of the desktop. Today’s hybrid networks incorporate both on-premises and multiple cloud services into a single ecosystem that uses admin roles to manage a broad coalition of resources. Some of these include cloud service providers (AWS, Azure), MDM services, federated services, SaaS applications, DNS, AD domain services and DHCP, just to name a few.
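The survey figure above (57 percent of organizations granting local admin rights to some of their users) is the kind of thing that is easy to measure on your own estate. The following script is an added example, not code from the original post or from the authors’ firm: it pulls the local Administrators group from a list of workstations over PowerShell remoting and reports every member that is not on an allow-list. It assumes WinRM is enabled, the caller has admin rights on the targets, `Get-LocalGroupMember` is available on them (Windows 10 / Server 2016 and later), and the host names, the `Workstation Admins` group and the allow-list patterns are placeholders for your own.

```powershell
# Added example (not from the original post): audit local Administrators group
# membership across workstations and flag members outside an allow-list.
# Assumptions: WinRM is enabled, the caller is an admin on the targets, and the
# host names and allow-list patterns below are placeholders for your own.

$Computers = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')   # constructed names

# Principals allowed to hold local admin. Get-LocalGroupMember reports names as
# 'HOST\account' or 'DOMAIN\group', so the patterns match on the trailing part.
$AllowedPatterns = @(
    '*\Administrator',        # built-in local admin (ideally LAPS-managed)
    '*\Domain Admins',        # default membership pushed by the domain
    '*\Workstation Admins'    # assumed tier-2 support group; placeholder name
)

function Get-LocalAdminFindings {
    param(
        [string[]]$ComputerName,
        [string[]]$Allowed
    )

    # Collect group membership remotely; unreachable hosts are captured in $errs
    # rather than aborting the whole run.
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    } -ErrorAction SilentlyContinue -ErrorVariable errs

    foreach ($m in $members) {
        $isAllowed = $false
        foreach ($pattern in $Allowed) {
            if ($m.Name -like $pattern) { $isAllowed = $true; break }
        }
        if (-not $isAllowed) {
            [pscustomobject]@{
                Computer = $m.PSComputerName   # added by Invoke-Command
                Member   = $m.Name
                Type     = $m.ObjectClass      # User or Group
                Source   = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD
            }
        }
    }

    # Report hosts we could not reach so they are not silently treated as clean.
    foreach ($e in $errs) {
        [pscustomobject]@{
            Computer = $e.TargetObject
            Member   = "UNREACHABLE: $($e.Exception.Message)"
            Type     = $null
            Source   = $null
        }
    }
}

Get-LocalAdminFindings -ComputerName $Computers -Allowed $AllowedPatterns |
    Format-Table -AutoSize
```

Anything the report lists is a candidate for removal, or for a documented exception; an unreachable host is a gap in visibility, not a pass. Run it on a schedule and diff the output so newly granted rights show up the day they appear.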
As early as 2004, Bill Gates, the founder and Chairman of Microsoft, predicted the demise of the password while speaking at the RSA Security Conference that year. In his words, “The traditional password cannot meet the challenge of keeping critical information secure.” How right he would be. Some of the problems with passwords today are as follows:
- Too many users still utilize weak passwords. The most popular password in 2018 was “123456”.
- Too many users use the same password for all of their accounts. A 2018 survey showed that 59 percent of people follow this vulnerable practice. 62 percent use the same password for both personal and work accounts.
- Passwords today are stored, traded and sold on the dark web like trading cards. In December of 2017, 1.4 billion clear text credentials were discovered in one holding spot on the dark web. 2019 began with the discovery of a collection of 773 million email addresses.
While nearly all companies report having a password policy, less than half require a basic password complexity policy. Password policies should take into consideration that not all accounts are equal. While a minimum password length of 8 characters may be suitable for regular staff personnel, privileged accounts in IT, HR, Finance, Legal, and C-Level Management require a more stringent policy. While this was not possible years ago for Windows networks, the ability to create granular password policies for designated users is easily done using Active Directory Administrative Center. Fourteen-character passwords are recommended today.
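The granular policies mentioned above are Active Directory fine-grained password policies (password settings objects, or PSOs). Active Directory Administrative Center creates them through a GUI; the following is an added example, not from the original post, that does the same thing from the ActiveDirectory PowerShell module so the settings are reviewable and repeatable. It assumes the module is installed, the caller is a Domain Admin, the domain functional level is Windows Server 2008 or higher (a PSO requirement), and that the group name `Privileged-Users`, the policy name and the account `jdoe` used for verification are placeholders.

```powershell
# Added example (not from the original post): apply a 14-character minimum and
# stricter lockout settings to privileged accounts via a fine-grained password
# policy, leaving the default domain policy in place for everyone else.
# Assumptions: ActiveDirectory module present, caller is a Domain Admin, domain
# functional level >= 2008; 'Privileged-Users' and 'jdoe' are placeholders.

Import-Module ActiveDirectory

$PolicyName = 'Privileged-14Char'
# PSOs can only be applied to users and global security groups, not OUs.
$Subjects   = @('Privileged-Users')

# Settings for the policy. Precedence: when several PSOs apply to one user,
# the lowest number wins, so keep the strictest policy at the lowest value.
$pso = @{
    Name                        = $PolicyName
    Precedence                  = 10
    MinPasswordLength           = 14
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MaxPasswordAge              = New-TimeSpan -Days 90
    MinPasswordAge              = New-TimeSpan -Days 1
    LockoutThreshold            = 5
    LockoutDuration             = New-TimeSpan -Minutes 30
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
    ReversibleEncryptionEnabled = $false   # never store reversible passwords
}

# Idempotent: create the PSO only if it does not already exist.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy @pso
}

# Bind the policy to the privileged group(s).
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $Subjects

# Verify what a member of the group actually gets after precedence is resolved.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

The verification step matters: a user in two groups with different PSOs receives only the one with the lowest precedence, so check the resultant policy for a sample account from each privileged group rather than trusting the group binding alone.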
Passwords by themselves are not enough. This is why so many companies are implementing multifactor authentication (MFA) solutions. MFA should be implemented for all remote logon attempts at the very least. Alternative factor authentication methods can include SMS 2FA, authenticator apps and push-based 2FA. Be wary of simply relying on security questions as many hackers now troll social media looking for those answers. Those seemingly innocent quizzes on Facebook that ask you the make and model of your first car or what your first attended concert was are sometimes actually created and circulated by hackers. Hackers can then use big data and AI techniques to correlate users with their answers.
Remember the giant Equifax data breach back in 2017 that compromised the personal data of 145 million people? If only that one patch that would have protected against it had been applied. That same year, Nationwide Mutual Insurance settled a case involving a data breach back in 2012. If only they had patched the known application vulnerability that was exploited by the attacker. They could have saved themselves $5.5 million. Then of course there was the NotPetya attack that summer which brought down companies such as Nuance Communications for weeks. The company lost nearly $100 million and trading of its stock was temporarily suspended, all because of, yes, you guessed it, patching. At least in their case they patched some of their equipment, just not all of it.
If only… That is a phrase that too many companies find themselves repeating. At the time of this writing, stories abound about a new cryptojacking strain that uses the EternalBlue exploit. EternalBlue is the same exploit used by the NotPetya and WannaCry attacks back in 2017, the same exploit that Microsoft had released the MS17-010 patch to address six months prior. Yet the EternalBlue exploit continues to plague enterprises across the world that fail to address it.
One could argue that patching is the single most important task that your IT personnel perform on a regular basis. But it isn’t just desktops and servers. It’s everything in your enterprise. Routers are highly targeted by cybercriminals as a way to divert DNS and web traffic. Just last May, the FBI released a warning that hundreds of thousands of routers have been compromised by Russian computer hackers. Even medical equipment today needs to be patched and updated to protect patient data. Whether it’s a network appliance, a server or a desktop application, a neglected patch is a vulnerability. A patch management strategy is essential for any enterprise today.
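A patch management strategy needs a way to see which machines have fallen behind. The following is an added example, not code from the original post: it asks each host for its most recently installed Windows update and reports how many days ago it landed, so stale machines stand out. It assumes RPC/DCOM access to the targets (`Get-HotFix` queries WMI), the host names are placeholders, and the 30-day threshold is a value chosen for the example rather than a standard.

```powershell
# Added example (not from the original post): report the age of the newest
# installed Windows update on each host and flag machines past a threshold.
# Assumptions: RPC/DCOM access to targets; host names are placeholders; the
# 30-day cut-off is an example value, not a standard.

$Computers  = @('SRV-PLACEHOLDER-01', 'WS-PLACEHOLDER-07')   # constructed names
$MaxAgeDays = 30

function Get-PatchStaleness {
    param(
        [string[]]$ComputerName,
        [int]$MaxAgeDays
    )

    foreach ($c in $ComputerName) {
        try {
            # InstalledOn is $null for some entries; drop those before sorting.
            $latest = Get-HotFix -ComputerName $c -ErrorAction Stop |
                Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1

            $age = $null
            if ($latest) {
                $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
            }

            $status = 'NO DATA'
            if ($null -ne $age) {
                $status = if ($age -gt $MaxAgeDays) { 'STALE' } else { 'OK' }
            }

            [pscustomobject]@{
                Computer    = $c
                LastHotFix  = $latest.HotFixID
                InstalledOn = $latest.InstalledOn
                AgeDays     = $age
                Status      = $status
            }
        }
        catch {
            # An unreachable host is reported, not skipped: it is an unknown,
            # not a pass.
            [pscustomobject]@{
                Computer    = $c
                LastHotFix  = $null
                InstalledOn = $null
                AgeDays     = $null
                Status      = "UNREACHABLE: $($_.Exception.Message)"
            }
        }
    }
}

Get-PatchStaleness -ComputerName $Computers -MaxAgeDays $MaxAgeDays |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize
```

One caveat that echoes the point above about routers and medical equipment: `Get-HotFix` reads the Win32_QuickFixEngineering class, so it only sees Windows updates. Third-party applications, firmware and network appliances need their own inventory source, and a host that shows OK here can still be running an unpatched application.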
According to the Verizon 2018 Data Breach Investigations Report, 4 percent of your users will click on just about anything in an email, whether legitimate or not. That is a problem. The bigger your organization, the larger the scale of that 4 percent vulnerability. Consider the fact that the U.S. Defense Department contends with 36 million phishing emails a day. That’s 13 billion a year. Only one in seven emails sent to its users is legitimate. But it’s not just the Pentagon. According to Symantec’s 2018 Internet Security Threat Report, 54.6 percent of all email is spam, and that figure has grown in each of the last three years.
The rudimentary Nigerian phishing attempts of twenty years ago may have been a joke back then, but no one is laughing today. Phishing attacks are no longer characterized by bad grammar, spelling errors and cheap graphics. Cybercriminals today create phishing emails in a systematic fashion, carefully crafting campaigns that focus on fear and urgency and incorporate current events and social trends. Hackers today subscribe to the same email cloud services your company does in order to test their latest creations and find new techniques to bypass defenses. They also know that phishing emails are far more effective if the email comes from a sender the recipient knows or, even better, trusts. A study released in August of 2018 showed an 80 percent increase in phishing attacks that impersonated someone familiar to the targeted individual. The truth is, for most companies, the weakest link is the human behind the keyboard.
Email is the gateway into your organization that allows attackers to simply skirt around your walled perimeter. According to the Verizon Data Breach Investigations Report, 66 percent of all malware was installed through malicious email attachments and 43 percent of all data breaches were the result of some type of phishing email. In the case of BEC attacks, email can also be an alternative route to your company’s financial accounts. In 2016, the Mattel Corporation fell victim to an elaborate BEC attack that cost them $3 million. According to the FBI, cybercriminals have managed to steal over $12 billion over the last five years by targeting U.S. companies with BEC attacks. Email is a highly coveted and targeted vulnerability that every organization must focus on and secure.
IMPROPERLY CONFIGURED NETWORK EQUIPMENT
Thanks to explorers and scientists, we no longer view the world as being flat. Thanks to the growing sophistication of malware attacks today such as ransomware and banking trojans, companies can no longer view their networks as being flat either. Infiltrating your network is only the first step of the mission for an attacker. Once a beachhead is established, the attack then moves laterally throughout your network seeking out assets and privileged accounts. Network architecture should follow the same principles as modern day ship design. The hulls of today’s large ships are subdivided into multiple watertight compartments so that in the event of a leak, flooding is contained within a single compartment. Enterprise networks today must follow the same philosophy in order to prevent attacks from running unabated. Some examples of proper network segmentation include:
- Segmenting wireless traffic from wired
- Isolating guest or BYOD wireless traffic
- Separating your servers from your LAN
- Creating separate traffic zones for HR and Finance
Of course there are many ways to partition a network. Possible ways include creating multiple zones through your firewall appliances, configuring VLANs in your switch infrastructure or utilizing access control lists in your routers. Unfortunately, companies still fail to implement network segmentation using these options, or else lack the expertise to configure them according to best practice.
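Whichever mechanism does the partitioning (firewall zones, VLANs or router ACLs), the configuration should be checked against what you intended, from inside the zones themselves. The following is an added example, not from the original post: a small table of expectations (this target and port must, or must not, be reachable from the zone the script is run in) and a function that tests each row with a TCP connect and reports PASS or FAIL. It assumes it is run from a host in the guest wireless zone, that `Test-NetConnection` is available (Windows 8 / Server 2012 and later), and that all addresses, zone names and ports are constructed placeholders.

```powershell
# Added example (not from the original post): verify segmentation rules by
# testing TCP reachability from the zone this script runs in against targets
# that should or should not be reachable. Addresses, zone names and ports are
# constructed placeholders; run it from a host inside $SourceZone.

$SourceZone = 'Guest-WiFi'

# One row per expectation. Allowed=$false means the segmentation design says
# this target:port must NOT be reachable from $SourceZone.
$Expectations = @(
    [pscustomobject]@{ Target = '192.0.2.10';   Port = 445;  Zone = 'Servers';  Allowed = $false }  # file server SMB
    [pscustomobject]@{ Target = '192.0.2.10';   Port = 3389; Zone = 'Servers';  Allowed = $false }  # RDP to servers
    [pscustomobject]@{ Target = '192.0.2.20';   Port = 443;  Zone = 'Finance';  Allowed = $false }  # finance app
    [pscustomobject]@{ Target = '198.51.100.5'; Port = 80;   Zone = 'Internet'; Allowed = $true  }  # web egress
)

function Test-Segmentation {
    param(
        [string]$SourceZone,
        [object[]]$Expectations
    )

    foreach ($e in $Expectations) {
        # -InformationLevel Quiet returns a plain $true/$false for the TCP connect;
        # the warning it prints on a failed connect is noise here, so suppress it.
        $reachable = Test-NetConnection -ComputerName $e.Target -Port $e.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue

        [pscustomobject]@{
            From     = $SourceZone
            ToZone   = $e.Zone
            Target   = "$($e.Target):$($e.Port)"
            Expected = if ($e.Allowed)  { 'open' } else { 'blocked' }
            Observed = if ($reachable)  { 'open' } else { 'blocked' }
            Result   = if ($reachable -eq $e.Allowed) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-Segmentation -SourceZone $SourceZone -Expectations $Expectations |
    Format-Table -AutoSize
```

Read the results with two caveats. A FAIL on an `Allowed=$false` row means the boundary is not enforced for that path, which is exactly the lateral-movement risk described above. A PASS on such a row only proves that this host, at this moment, could not connect: a closed port on the target or a host firewall rule produces the same result as a network block, so confirm the rule in the firewall, switch or router configuration as well.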
KEEPING UP WITH RECOMMENDED SETTINGS
The dynamic world of cybersecurity is continually evolving in order to adapt to new attack methodologies and newly discovered exploits. As current protocols and security tools are compromised, new ones must be created as part of the evolutionary process. What was considered to be “Best Practice” a decade ago is outdated today. A deprecated setting doesn’t necessarily equate to an exploit; it just means that you are operating from a state of weakness against a foe that often uses the latest techniques, tools and strategies. There are a number of deprecated standards that companies continue to utilize today, including TLS 1.0, DES, 3DES, RC4, SMB 1.0 and NetBIOS name accessibility, to name a few. Other examples include the use of unrecognized certificates to protect servers and network appliances and DNS servers (BIND, for example) that allow open zone transfers. Unused settings should be disabled and inactive server roles and functions should be uninstalled. All of these steps collectively help to shore up your devices.
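Several of the deprecated settings named above can be checked and corrected on a Windows server from PowerShell. The following is an added example, not code from the original post: an audit function that reports the SMB 1.0 server protocol, the TLS 1.0 server-side Schannel setting, any RC4 or 3DES cipher suites still enabled, and NetBIOS over TCP/IP on each active adapter, plus a remediation function for the same four items. It assumes an elevated session on Windows Server 2016 / Windows 10 or later (where `Get-SmbServerConfiguration` and `Get-TlsCipherSuite` exist); the Schannel registry path and values are the standard ones Windows reads, and the `Invoke-DeprecatedSettingRemediation` function name is my own.

```powershell
# Added example (not from the original post): audit and remediate four of the
# deprecated settings discussed above on a Windows server.
# Assumptions: elevated session, Windows Server 2016 / Windows 10 or later.

$TlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'

function Get-DeprecatedSettingFindings {
    # SMB 1.0: server-side protocol support.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # TLS 1.0: Schannel honours Enabled=0 under the protocol's Server key. If the
    # value is absent the OS default applies, which on older builds is enabled,
    # so "not configured" is treated as a finding.
    $tls10 = (Get-ItemProperty -Path $TlsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    # Cipher suites still offered that use RC4 or 3DES.
    $weakSuites = Get-TlsCipherSuite |
        Where-Object { $_.Name -match 'RC4|3DES' } |
        Select-Object -ExpandProperty Name

    # NetBIOS over TCP/IP per adapter. TcpipNetbiosOptions: 0 = use DHCP setting
    # (default, usually enabled), 1 = enabled, 2 = disabled.
    $nbAdapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 }

    [pscustomobject]@{ Check = 'SMB1 server protocol';    Value = $smb1;                       Status = if ($smb1) { 'FINDING' } else { 'OK' } }
    [pscustomobject]@{ Check = 'TLS 1.0 server';          Value = if ($null -eq $tls10) { 'not configured' } else { $tls10 }; Status = if ($tls10 -eq 0) { 'OK' } else { 'FINDING' } }
    [pscustomobject]@{ Check = 'RC4/3DES cipher suites';  Value = ($weakSuites -join ', ');    Status = if ($weakSuites) { 'FINDING' } else { 'OK' } }
    [pscustomobject]@{ Check = 'NetBIOS over TCP/IP';     Value = ($nbAdapters.Description -join ', '); Status = if ($nbAdapters) { 'FINDING' } else { 'OK' } }
}

function Invoke-DeprecatedSettingRemediation {
    # Disable the SMB 1.0 server protocol (clients still using it will fail to
    # connect, which is the point; inventory them first).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Disable TLS 1.0 server-side; Schannel picks this up after a reboot.
    New-Item -Path $TlsKey -Force | Out-Null
    New-ItemProperty -Path $TlsKey -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $TlsKey -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null

    # Remove RC4 and 3DES suites from the enabled list.
    Get-TlsCipherSuite |
        Where-Object { $_.Name -match 'RC4|3DES' } |
        ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }

    # Turn off NetBIOS over TCP/IP on every IP-enabled adapter.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
}

# Audit first; run Invoke-DeprecatedSettingRemediation only after reviewing.
Get-DeprecatedSettingFindings | Format-Table -AutoSize
```

Run the audit on its own first and review the findings against what still depends on each setting (a legacy scanner that only speaks SMB 1.0, an appliance that only negotiates TLS 1.0), then remediate and reboot, since the Schannel changes do not take effect until then. The audit covers the Windows side only; certificate validity and DNS zone-transfer restrictions, also mentioned above, live on the appliances and DNS servers and need their own checks.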
BYOD (Bring Your Own Device) and IoT (Internet of Things)
The attack surface of your network expands in sync with the number of devices that reside on your network. That is an inconvenient truth today. Security demands visibility. This means you have to know who and what are connected to your network, as well as where, when and how these connections are being made. This was easy in a hardware-centric desktop world in which computers were lugged on site and set up, never to be moved again until the next refresh cycle. Thanks to the consumerization of IT, users regularly bring in multiple personal devices on a daily basis. In addition, IoT sensory devices are sprouting across enterprises like weeds on a warm spring day. According to a study published in September of 2018, only 10 percent of IT managers reported being fully confident that they knew all of the IoT devices on their networks. Now consider another recent survey by the Ponemon Institute in which 94 percent of risk management professionals believe that a security incident resulting from unsecured IoT devices “could be catastrophic.” Another study by Ponemon showed that only 66 percent of respondents say their organizations secure their IoT devices and apps.
When it comes to BYOD, it isn’t just the devices you have to worry about. It’s what else they are bringing as well (malware, spyware, insecure applications). Establishing a minimum security baseline standard that specifies endpoint protection, current patch levels, etc., is essential to securing BYOD environments. BYOD devices also leave the office every day, which means that the risk of data leakage increases as well. The introduction of BYOD and IoT into your enterprise calls for a new security approach, one that includes access controls rather than sole reliance on edge-based control systems.
A few lines of insecure code can cause a lot of havoc. Just last year, a vulnerability within Facebook’s own code exposed the accounts of 50 million people. According to the Verizon 2017 Data Breach Report, there were 571 web application attacks with confirmed data disclosure. While it is essential to eliminate the most common security risks inherent in insecure software, as outlined in the OWASP Top 10 Web Application Security Risks, realizing that goal is challenging at best. Unlike a Windows 10 notification informing you that your device is in need of updating, there is no prompt for insecure code, so how does one go about looking for those vulnerabilities? This is where reliance on experienced professionals is important: those who have the proper tools to test, validate and remediate source code.
PEN TESTING RESOURCES: Learn more about how to address these issues