6 Cybersecurity Precautions Companies Fail to Take
Guest Author: Shawn Stugart, Technical Instructor
The September 2017 Equifax breach is shaping up not only to be one of the largest in history (143 million private records exposed, or about 44 percent of US adults) but also the most potentially damaging since the data includes names, birth dates, Social Security numbers, and, in some cases, driver’s license and credit card numbers. In combination, this personally identifiable information could be used by identity thieves to open new lines of credit, apply for loans, file fraudulent tax returns, and more.
Even more disheartening is how companies like Equifax fail to learn from previous incidents. Case in point: In May of 2016, criminals were able to abscond with W-2 and salary information from an Equifax web site because the decision makers used a lousy PIN-based authentication system to protect the sign-on process.
These sorts of targeted attacks focusing on specific companies and assets are shockingly common nowadays, but so are the incidents of companies falling prey to emerging opportunistic threats—banking trojans that steal financial information, ransomware that holds critical data hostage, exploit kits that attack vulnerable web servers (which in turn recruit vulnerable web clients into botnet armies, etc.). Ponemon Institute’s 2017 Cost of a Data Breach report puts the average consolidated cost of a data breach at $3.62 million, or about $141 per lost record. At that rate, Equifax would theoretically stand to pay upwards of US $20 billion (although economies of scale have shown that they’ll pay nothing near that potential).
Whether you’re defending against a casual malware attack or a dedicated intruder, the following list is my top 6 cybersecurity precautions companies should be taking.
1. Manage Your Admins
One of the most effective information security precautions anyone can take is to control administrator/root/privileged access. According to Avecto, a whopping 94 percent of Windows-based critical code execution vulnerabilities patched in 2016 could be mitigated by removing admin rights. In other words, when people don’t log on as admin, the potential for attack decreases drastically. A comprehensive privileged access policy should take into account the following:
- Enforce Least Privilege. The principle of “least privilege” is an old security tenet that sysadmins in the *nix ecosystem have long held sacred but has had difficulty gaining traction in the Windows world. Don’t give users more privilege than they need, and revoke privileges when they’re no longer necessary.
- Require multi-factor authentication. When privileged accounts need to be used, those credentials should require multiple authentication factors (for example, a logon with an SMS text code, or a smart card with a PIN). Weak PINs without a second authentication factor were what led to Equifax’s 2016 breach.
- Separation of duties. Sensitive operations should require a system of checks and balances, where one all-powerful subject can’t perform each step of the operation alone. For example, in financial transactions, the common wisdom recommends three separate individuals work together to A) approve a transaction, B) record the transaction, and C) review the transaction. The same approach should be taken to separate systems administration from log review and management and other sensitive activities.
- Audit all administrative activities. A record should be kept of all actions taken by a privileged account. The subject should not be able to review or alter the record (separation of duties!).
- Review privileges regularly. “Privilege creep” is the phenomenon whereby a person tends to accumulate system and network privileges over time, even when the old privileges no longer apply to that user. Regular audits should be done to identify privileges and reconcile them with your actual business needs.
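The last three items (separation of duties, auditing and regular privilege review) are easy to state and easy to let slip. The script below is an added example, not code from the article or from any product it names; it reconciles a constructed snapshot of privileged group membership against a constructed approved-access register with expiry dates, flags memberships with no current approval (privilege creep), and flags any account that holds two roles the policy says must be separated. The group names, user names, dates and the conflicting-role pair are all assumptions for illustration.

```python
"""Privilege review: reconcile privileged group membership with an approval register.

Added example (not from the original article). The memberships, approvals and
conflicting-role pairs below are constructed sample data; in practice they
would come from a directory export and an access-request system.
"""
from datetime import date

# Constructed snapshot of who currently holds privileged group membership.
PRIVILEGED_GROUPS = {
    "Domain Admins": {"alice", "bob", "svc-backup"},
    "Log Reviewers": {"carol", "bob"},
    "DBA": {"dave", "alice"},
}

# Constructed register of approved privileges: (user, group) -> approval expiry.
APPROVED = {
    ("alice", "Domain Admins"): date(2025, 12, 31),
    ("bob", "Domain Admins"): date(2024, 6, 30),    # expired: the project ended
    ("carol", "Log Reviewers"): date(2025, 12, 31),
    ("bob", "Log Reviewers"): date(2025, 12, 31),
    ("dave", "DBA"): date(2025, 12, 31),
}

# Roles one person must not hold at the same time (separation of duties):
# whoever administers the systems must not also be the one reviewing the logs.
CONFLICTING_ROLES = [("Domain Admins", "Log Reviewers")]


def find_privilege_creep(groups, approved, today):
    """Return (user, group, reason) for every membership without a current approval."""
    findings = []
    for group, members in groups.items():
        for user in sorted(members):
            expiry = approved.get((user, group))
            if expiry is None:
                findings.append((user, group, "no approval on record"))
            elif expiry < today:
                findings.append((user, group, f"approval expired {expiry.isoformat()}"))
    return findings


def find_sod_conflicts(groups, conflicting_roles):
    """Return (user, role_a, role_b) for every user holding both roles of a conflicting pair."""
    conflicts = []
    for role_a, role_b in conflicting_roles:
        both = groups.get(role_a, set()) & groups.get(role_b, set())
        conflicts.extend((user, role_a, role_b) for user in sorted(both))
    return conflicts


def review(groups=PRIVILEGED_GROUPS, approved=APPROVED, today=date(2025, 1, 15)):
    """Run both checks and return the lists a reviewer would act on."""
    return {
        "revoke": find_privilege_creep(groups, approved, today),
        "sod_conflicts": find_sod_conflicts(groups, CONFLICTING_ROLES),
    }


if __name__ == "__main__":
    result = review()
    for user, group, reason in result["revoke"]:
        print(f"REVOKE  {user:<12} {group:<15} ({reason})")
    for user, role_a, role_b in result["sod_conflicts"]:
        print(f"SOD     {user:<12} holds both {role_a!r} and {role_b!r}")
```

With the sample data the review produces three revocations (one expired approval, two memberships nobody ever approved, including a service account that was dropped into Domain Admins) and one separation-of-duties conflict. Running something like this on a schedule, and having someone other than the administrators read the output, is the "regular audit" the item above calls for.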
2. Patch Quickly and Comprehensively
Patching’s a pain, but it’s necessary. Dedicated attackers are looking for a single flaw in your defenses, and they’re often willing to wait months to find one. Don’t have a “zero-day” exploit? Just wait until the next flaw is discovered in Adobe Flash or Java or IE. If the flaw remains unpatched, the intruder now has a viable attack vector. And because the attacker has likely already profiled your network and systems, a brief exposure window may be all that’s necessary for the attack to succeed.
The attackers in the Equifax breach, for example, exploited a vulnerability in the Apache Struts framework, a popular platform for developing Java applications. The vulnerability was disclosed in March of 2017, but Equifax’s security team was ineffective in patching the hole, ultimately resulting in a series of compromises two months after the weakness had been identified. To sum up: patch your OSes, your apps, your firmware, your infrastructure equipment, your IoT devices, your phones and your tablets. All unpatched vulnerabilities are essentially zero-days waiting to happen.
3. Partition Your Network
The infamous Target breach of 2013 succeeded largely because of a lack of network partitioning: when a Target HVAC vendor was hacked, the attacker was able to use a vendor portal to infiltrate Target’s internal network and move freely about (see ZDNet’s report on the story).
Of course, we’d like to stop intruders from accessing our networks in the first place, but when they get in (and they will get in), we want to make it as difficult as possible for the intruder to “pivot.” To navigate your networks, attackers are going to use reverse shells, DNS tunneling, port forwarding, proxying, DHCP spoofing, route manipulation, VPNs and more. Make the trespasser’s job as hard as possible by establishing physical and logical network boundaries. VLANs, PVLANs, firewalls, router ACLs, and Software Defined Networking technologies can be effective partitioning mechanisms. And partitioning also makes it more difficult for legitimate employees to digitally wander into areas of our networks where we don’t want them to go.
4. Filter Outbound Traffic Aggressively
The Target breach exposed 11 gigabytes of information, including the credit/debit card info and Personally Identifiable Information (PII) of 110 million customers. The information was exfiltrated via FTP. Sony lost terabytes of data in 2014, and in 2015 the Office of Personnel Management reported the theft of the private information of tens of millions of Federal employees and contractors.
Egress Filtering helps mitigate such attacks. Many infiltrations depend upon outbound connections established from the victim system to the attacker directly or to a “command and control” server. Then, if the attack is successful, a common goal is to exfiltrate data using FTP, DNS, ICMP, HTTP, HTTPS or other common protocols. For both the breach and the theft, the attacker is using your network to attack your network.
If you take the time to define your legitimate outbound traffic flows and enforce aggressive outbound filtering, you can make the intruder’s job much more difficult.
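"Define your legitimate outbound flows, then deny everything else" is the whole of egress filtering, and the hard part is the defining. The script below is an added example, not code from the article or any firewall vendor: it expresses a constructed allow-list (workstations may only reach the web through a proxy, only the internal resolver may send DNS outside, only the proxy may reach the Internet on 80/443), parses a constructed flow log, and reports every outbound connection the policy would have blocked. The address ranges, proxy and resolver addresses, and log format are all assumptions; the outside addresses are from the documentation ranges.

```python
"""Egress policy audit: check outbound flows against a default-deny allow-list.

Added example, not code from the original article. The address ranges,
allow-list and flow records below are all constructed sample data; in
production the same rules live on the perimeter firewall and the records
come from its flow or connection logs.
"""
import ipaddress
import re

# Constructed allow-list of legitimate outbound flows. Any flow that matches
# no rule is denied (default deny), which is what "aggressive" filtering means.
ALLOW_RULES = [
    # Workstations (10.1.0.0/16) reach the web only through the proxy at 10.0.0.5.
    {"src": "10.1.0.0/16", "dst": "10.0.0.5/32", "proto": "tcp", "port": 3128},
    # Only the internal resolver at 10.0.0.53 may send DNS to the outside.
    {"src": "10.0.0.53/32", "dst": "any", "proto": "udp", "port": 53},
    {"src": "10.0.0.53/32", "dst": "any", "proto": "tcp", "port": 53},
    # The proxy itself may reach the Internet on HTTP and HTTPS.
    {"src": "10.0.0.5/32", "dst": "any", "proto": "tcp", "port": 80},
    {"src": "10.0.0.5/32", "dst": "any", "proto": "tcp", "port": 443},
]

# Constructed flow records: timestamp, source, destination, protocol/port.
SAMPLE_FLOW_LOG = """\
2017-09-07T10:01:02 10.1.4.22 -> 10.0.0.5 tcp/3128
2017-09-07T10:01:05 10.0.0.5 -> 203.0.113.9 tcp/443
2017-09-07T10:01:09 10.0.0.53 -> 198.51.100.7 udp/53
2017-09-07T10:02:14 10.1.4.22 -> 198.51.100.7 udp/53
2017-09-07T10:03:40 10.1.4.22 -> 203.0.113.9 tcp/21
2017-09-07T10:04:01 10.2.0.9 -> 203.0.113.9 tcp/443
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+(?P<proto>tcp|udp|icmp)/(?P<port>\d+)$"
)


def parse_flow(line):
    """Parse one flow record into a dict; raise on lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def _matches(addr, net):
    """True if addr falls inside net, or net is the wildcard 'any'."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def evaluate(flow, rules=ALLOW_RULES):
    """Return 'allow' if some rule matches the flow, otherwise 'deny' (default deny)."""
    for rule in rules:
        if (_matches(flow["src"], rule["src"]) and _matches(flow["dst"], rule["dst"])
                and flow["proto"] == rule["proto"] and flow["port"] == rule["port"]):
            return "allow"
    return "deny"


def audit(log_text, rules=ALLOW_RULES):
    """Return [(record, verdict)] for every non-empty line of the flow log."""
    records = (parse_flow(line) for line in log_text.splitlines() if line.strip())
    return [(rec, evaluate(rec, rules)) for rec in records]


def denied_flows(log_text, rules=ALLOW_RULES):
    """Return only the records the policy would block; these are the ones to investigate."""
    return [rec for rec, verdict in audit(log_text, rules) if verdict == "deny"]


if __name__ == "__main__":
    for rec, verdict in audit(SAMPLE_FLOW_LOG):
        print(f"{verdict:<5} {rec['src']:>12} -> {rec['dst']:<14} {rec['proto']}/{rec['port']}")
```

On the sample log three flows are denied: a workstation sending DNS straight to an outside host instead of to the resolver (the shape DNS tunneling takes), a workstation opening FTP to the Internet (the channel used in the Target exfiltration), and a server that has no defined business reason to reach the Internet doing so on 443. Running the audit against real logs in monitor-only mode first tells you which legitimate flows your allow-list forgot, before you switch the firewall to enforce it.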
5. Monitor Your Logs
It sounds simple—enable logging across your networks and systems so that you’re able to audit authorized and unauthorized activities. Log monitoring can provide accountability and an early-warning system for policy violations and other suspicious activity. The US Federal government now agrees and provides guidance for Information Security Continuous Monitoring through NIST SP 800-137.
But according to Verizon, whose security teams investigate hundreds of company breaches each year and process tens of millions of security events every day, “continual and pro-active log review happens basically never.” Without pro-active monitoring, your logs really only provide “post mortem” evidence. And according to Mandiant, the investigative arm of security company FireEye, the median time before a company discovers a breach is 205 days. That’s nearly 7 months the attacker(s) have inside your networks before being noticed. Continuous, pro-active vulnerability assessment and log review helps detect threats before they become successful attacks. And for attacks that succeed anyway, log monitoring helps your security team minimize the amount of time the intrusion goes unnoticed and unmitigated.
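Logs only become an early-warning system when something reads them continuously and raises a flag while the activity is still in progress. The script below is an added example, not code from the article or from any SIEM product: it parses a constructed authentication log, keeps a sliding window of failed logons per source address and user, raises an alert when the failures in the window reach a threshold, and raises a second, higher-priority alert if a successful logon for that same source and user follows the burst, which is the moment a guessing attack stopped being noise. The log format, the five-failures-in-60-seconds threshold, and the hosts, users and addresses are all assumptions.

```python
"""Proactive log review: flag logon-failure bursts and a success that follows one.

Added example, not from the original article. The log format, the
five-in-60-seconds threshold and the hosts/users/addresses are constructed
assumptions; adapt the parser to your own event source (Windows Security
log, syslog, an application's audit trail) and tune the threshold to it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simple key=value format.
SAMPLE_AUTH_LOG = """\
2017-09-07T02:14:01 host=web01 event=logon_failed user=admin src=203.0.113.9
2017-09-07T02:14:03 host=web01 event=logon_failed user=admin src=203.0.113.9
2017-09-07T02:14:04 host=web01 event=logon_failed user=admin src=203.0.113.9
2017-09-07T02:14:06 host=web01 event=logon_failed user=admin src=203.0.113.9
2017-09-07T02:14:07 host=web01 event=logon_failed user=admin src=203.0.113.9
2017-09-07T02:14:09 host=web01 event=logon_success user=admin src=203.0.113.9
2017-09-07T08:30:00 host=web01 event=logon_failed user=carol src=10.1.4.22
2017-09-07T08:31:10 host=web01 event=logon_success user=carol src=10.1.4.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict with a datetime timestamp; raise on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alert tuples (kind, src, user, host, failure_count).

    'brute_force'         : at least `threshold` failures from one (src, user) inside `window`
    'success_after_burst' : a successful logon for that (src, user) while the burst is active
    """
    recent = defaultdict(deque)  # (src, user) -> timestamps of failures inside the window
    bursting = set()             # keys that have already raised a brute_force alert
    alerts = []
    for rec in (parse_line(line) for line in log_text.splitlines() if line.strip()):
        key = (rec["src"], rec["user"])
        q = recent[key]
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if rec["event"] == "logon_failed":
            q.append(rec["ts"])
            if len(q) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append(("brute_force", rec["src"], rec["user"], rec["host"], len(q)))
        elif rec["event"] == "logon_success":
            if key in bursting:
                alerts.append(("success_after_burst", rec["src"], rec["user"], rec["host"], len(q)))
            q.clear()                 # a success ends the sequence either way
            bursting.discard(key)
    return alerts


if __name__ == "__main__":
    for kind, src, user, host, count in detect(SAMPLE_AUTH_LOG):
        print(f"{kind:<20} src={src} user={user} host={host} failures={count}")
```

On the sample log the admin account produces both alerts within eight seconds of the first failure, while carol's single typo followed by a successful logon produces none. The point of the second alert kind is triage: a burst of failures is common background noise on any Internet-facing host, but a burst followed by a success against the same account is something your team should be looking at the same hour, not 205 days later.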
6. Understand Your Technology
A discouraging trend this summer has been the onslaught of damaging incidents that could have been mitigated or prevented entirely with a better understanding of the technologies the company uses. Here are some examples:
- FedEx Corporation’s TNT Express subsidiary experiences worldwide disruptions as a result of a Petya ransomware infection
- The shipping company A.P. Moller-Maersk suffers a similar attack at the hands of NotPetya, the aftermath of which will cost the company an estimated $200-$300 million
- Tens of thousands of MongoDB databases are “stolen” and ransomed as a result of insecure default configurations in the software
- Several companies, including Verizon, TigerSwan (a military security firm), and Time Warner, unintentionally expose sensitive confidential information through misconfigured cloud services.
What do these incidents have in common? At their heart, they demonstrate a lack of understanding of the risks inherent in the technologies being used. Whether it’s the use of outdated, unpatched technologies, or lack of awareness training for common phishing scams (both of which are exploited by ransomware), or misunderstanding newer technologies like cloud storage services, understanding the tech allows us to understand the risk.
Blunders like these can be attributed to a lack of executive oversight, something Equifax’s record of infosec negligence demonstrates pretty clearly. We need to be diligent in exploring the weaknesses in our existing and emerging technologies and processes, and we need to invest in the training necessary to get our people up to speed while leveraging the expertise of those who already are.
That’s it, my top 6 recommendations for companies to cover their assets: security precautions that are all-too-often overlooked or under-utilized. Much of this advice and more can be found in standards and control frameworks like ISO 27001, NIST 800-53, and the CIS 20 Critical Security Controls. These controls aren’t a silver bullet; a truly dedicated attacker with enough time, money and skill may find a way into your network anyway. But Robert Joyce, NSA’s Chief of Tailored Access Operations, puts it this way: “Well-run networks really do make our job hard.” And he should know. His job is to hack the networks and systems of nation states.
Do yourself a favor, and make the jobs of nation-state hackers, cyber criminals and script kiddies as miserable as you can.
Author: Shawn Stugart, Technical Instructor
CISSP, CEH, MCT, MCSE, MCITP, CompTIA
Shawn has 22 years of experience as a teacher and trainer. He specializes in Information Security, Windows systems administration and networking, and automation. When he's not in the classroom he enjoys reading, tinkering, watching hockey, hiking and GeoCaching with his wife and three daughters in the great outdoors of Colorado.