It’s the most wonderful time of the year! No, we’re not breaking into song and dragging out the holiday lights … it’s National Cybersecurity Awareness Month, my favorite month-long holiday where I don’t have to buy gifts.
I hear from customers every day who are concerned about all of the ways attackers might get into their networks and onto their assets. Effectively protecting your organization certainly can feel like a moving target, and yet, when I consider the threat landscape from the past 20 years, some of the same weaknesses are still just as prevalent today as they were in 1998.
So what should keep security leaders and practitioners up at night today?
In assembling this list, my team and I considered the last few years of notable breaches. What are the bad guys grabbing from their toolbox when they start planning an attack? What’s most reliable for them? What can they count on finding when they evaluate a target’s environment?
I hope you’re ready for some acronyms and buzzwords as you read our thoughts on this set of questions:
We’ve grown a lot as an industry – and so when a modern enterprise operating system rolls out today, it’s had more effort put into ensuring a minimal attack surface than ever before. But your network probably still has legacy operating systems, network devices, and applications. And they’re often less hardened – running older protocols like SMBv1, allowing authentication using older suites like NTLMv1 or even LANMAN, or using services that send credentials, files, and session data in cleartext like SNMP or telnet.
I’ve seen customers embark on a ‘network modernization’ project to resolve some of these issues. They retire older applications and services; update their operational processes; and go through a hardening exercise using benchmarks from the platform vendor or from the Center for Internet Security.
In a rush to migrate applications and workloads to hosted infrastructure, we find many developers and architects overlooking basic access controls that restrict the public internet from downloading sensitive data. As a result, we’ve seen millions of records of PII exposed in the last few years.
Often, the culprit isn’t even the organization itself. Many times, a third-party marketing, analytics, or development group was given the data and left it out in the open. This oversight is most certainly what regulatory standards like GDPR are meant to address.
So, check the restrictions on your cloud storage – as well as the practices of the partners to whom you’re giving your data!
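One way to do the cloud-storage half of that check, as an added example that is not from the original post or from CBTS: a small Python audit that reads an S3 bucket policy and ACL and reports every grant to the public (anonymous `*`) or to the AllUsers/AuthenticatedUsers groups. The bucket name, VPC endpoint ID and grantee IDs below are constructed sample data.

```python
import json

# S3 ACL grantee groups that mean "anyone" (AuthenticatedUsers = any AWS account at all).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def is_public_principal(principal):
    """True when a policy Principal is everyone: "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Allow statements whose Principal is everyone; 'conditional' flags ones a Condition may narrow."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written as an object, not a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                         "actions": [actions] if isinstance(actions, str) else actions,
                         "conditional": "Condition" in stmt})
    return findings

def public_acl_grants(grants):
    """(grantee URI, permission) for every ACL grant made to a public group."""
    return [(g["Grantee"].get("URI"), g["Permission"]) for g in grants
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]

# Constructed sample inputs for a hypothetical bucket; the VPC endpoint ID is a placeholder.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
]})
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
```

Run it against the policy and ACL you pull from each bucket; an unconditional finding is the "left out in the open" case, while a conditional one still needs a human to confirm the condition actually limits who can reach the data.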
Strong vulnerability management is still a challenge, and with more organizations allowing employees to use personal devices to handle company data, ensuring that all assets stay patched is a constant battle.
Patching effectively doesn’t happen by accident – it will take a concerted effort by security and operations staff to make sure patches are identified, tested, and distributed within 30 days of release, and that stragglers are identified and corrected through vulnerability assessments. Missing just one server can make all the difference!
Key to this effort: Know the assets that store and process sensitive data, and that run business-critical applications, and start your rigorous patching cycles there. Then expand to the entire environment in a phased approach. Or, have us do it for you.
Yes, we’re still talking about passwords, despite tech media calling for their death for at least a decade. Face it, we’re stuck with passwords for the time being, and that’s why we still see attackers stealing them, guessing them, and cracking them.
If you’re a security practitioner, you should worry that your employees’ AD passwords are the same as the one that they set on their LinkedIn account that was stolen years ago. Or, that your network admins remembered to change the default password on the Cisco switch in the closet, or the Liebert power unit controlling the power in the datacenter.
Password reuse, easily guessable passwords, and unchanged vendor-default passwords are still juicy opportunities for attackers. Good vulnerability management means auditing enterprise passwords, setting a strong password policy, and for goodness’ sake, using multi-factor authentication for critical applications, privileged accounts, and remote access.
You have to try really hard to work in a modern office environment and not know that phishing is a problem. So why do users keep falling for the scams? Because it’s still trivial for the bad guys to recon their targets, cook up an extremely convincing pretext, and slip it past your defenses.
You’ve probably heard of at least one successful phishing attack that led to someone installing ransomware in their environment in the last year. Or, one successful e-mail scheme that had a hapless junior financial staffer wire-transferring emergency funds to someone they thought was the CFO.
A series of controls is required to effectively protect against these kinds of attacks. People must be trained regularly, and you should use a variety of methods to teach them how to spot an attack. Processes and policies must enforce good behavior and hygiene to ensure employees know the consequences of a breach. And technology must protect the business, its data, and customers from ourselves – restricting access to malicious websites and email, stopping malware, and detecting attacker movements inside the network.
Thanks for reading, and enjoy this lovely month of October!
To learn more about CBTS security strategies, read our Ebook on Why your backup solution is crucial to defending your organization from ransomware.