Identifying data security vulnerabilities
Data security hygiene does not just mean protecting your network from highly sophisticated attacks. It means making sure all the basics are covered. Could your network pass a Data Security 101 test? Stephen Lawton reports.
This editorial product was produced by the SC editorial team and underwritten by Informatica.
It is part two of a four-part series.
Network vulnerabilities are the bane of every CISO. It is not necessarily a question of which new appliance to throw at the network, or of how to protect a network against highly skilled, state-sponsored attackers determined to reach your data. Often it is more a question of whether the company is performing regular maintenance on its network to ensure that all the basics are covered.
Jeff Horne, vice president of enterprise information management and chief architect at the consulting firm Optiv (formerly Accuvant), says that many networks today are still vulnerable to commoditized versions of the Zeus virus and other older malware attacks. This happens, in part, because older systems are not patched properly or simply do not have the requisite updated anti-virus and anti-malware software running on a regular basis.
As a result, some legacy systems continue to be vulnerable to legacy attacks for which patches and updates were created years ago.
Brian Honan, CEO of Dublin-based BH Consulting, adds that many organizations do not conduct a comprehensive threat assessment of their company to determine what the potential threats facing them are or how potential attackers would try and breach their corporate network.
“Without knowing what threat actors you are facing, it is very difficult to ensure you have the right protections in place,” he says. “Threat assessments are something that should be done regularly and not just once-off exercises.”
Here's a question that network managers should be able to answer but often cannot: How many Windows XP systems do you have on your network and where are they?
We are now roughly 18 months out since Microsoft ended support for Windows XP and three months past the end of support for Microsoft Security Essentials on Windows XP. What are you doing to protect these systems on your network?
The challenge IT and network managers often face is that they do not necessarily know about all the systems that access the corporate network. Bring-your-own-device policies and employees who access the corporate network from home computers could introduce vulnerabilities unless the IT department has policies and procedures in place to limit risk.
Keeping software patched on all company-owned systems seems like a given, but some companies might not be aware of connected systems that are seldom used – or that simply run unattended applications. Also, patching takes time and effort, as patches need to be tested for software compatibility before they are installed on production systems. With the vast array of software most companies use, it is easy for patches to be overlooked, or simply ignored.
Even if you have a legacy Windows XP system running Service Pack 3 and all of the Microsoft security packs that were released before support was ended for that operating system, you are not necessarily safe from malware. While Microsoft has not released any new anti-malware security updates for XP since July, published reports still put the number of XP users – including corporate users – in the millions.
Just recently, AppRiver uncovered the Upatre trojan phishing campaign that specifically targets Windows XP systems. Further, an official-looking email with the subject line “Attorney-client agreement” is currently making the rounds. Early this year, another variant of this trojan was used to attack students' systems at the University of Florida.
In a recent Osterman Research survey that focused on phishing and malware, the firm said that one of the key takeaways was: “Decision-makers should conduct a thorough analysis of the entire organization to understand where data is stored and who has access to it, as well as the tools that employees are using to access corporate data and network resources.”
While this certainly is essential from the standpoint of defending against social-engineered attacks, it also is simply a best practice for defending against an array of network attacks. The survey recommends that companies audit their systems to determine the full breadth of tools that are being used on the network. While many of those tools have legitimate business purposes, it is likely that some tools that do not comply with the company's security and risk profile might also be present.
Among the tools on networks the survey found were personal webmail accounts, consumer-focused file sync-and-share tools, file-transfer programs, social media tools that allow content to enter the network using shortened URLs, and an array of mobile- and cloud-based tools that bypass the corporate IT department.
But not all malware attacks are targeted at users. One of the more sophisticated approaches is for an attacker's system to go after a corporate system without using compromised user credentials. In these breaches, the administrative user account is attacked.
Steve Santorelli, a Team Cymru Fellow and manager of the security firm's analysis and outreach teams, says there is fertile ground in machine-to-machine breaches. He says that everything from network devices still using default passwords to attacks on router firmware continues to be a popular attack vector.
“Combine that with automated tools that have fresh modules that can be deployed with new vulnerabilities and virtually zero end-user expertise, and it all leads to a very noisy attack surface,” he says. It's getting harder to spot the hyper-sophisticated attacker – even if they are effectively a machine – if they know how to blend in, he warns.
Security experts agree that one of the best defenses a company can provide for itself is to do the basics and do them well. Here are five steps CISOs can take immediately that will help them identify security vulnerabilities:
1. Do an asset assessment of your organization. This assessment will include identifying each network-connected system, its operating system and its current security status. You cannot protect your network if you do not know what is connected to it.
2. Make sure every system connected to the network has the basics: anti-virus and anti-malware software that are configured to update automatically with new database signatures. Make sure the operating system and software updates are installed, along with security patches.
3. Do a risk assessment of the network. Identify where confidential and other important data resides and determine if the data is sufficiently protected.
4. Make sure every network-attached device has had its login and password changed from the default setting.
5. Repeat this course of action periodically. Security is a process, not a destination.
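The five steps above amount to an inventory-driven hygiene check: know every connected system, know its OS and protection status, know where the sensitive data sits, and confirm that default credentials are gone. The script below is an added illustration of that check and is not code from the article or from any of the firms quoted in it. It runs over a constructed inventory of hypothetical hosts (the hostnames, dates and patch counts are made up; the Windows XP end-of-support date is the real April 2014 one), flags each of the problems the steps describe, answers the "how many XP systems and where" question from the article, and lists systems holding confidential data first so they are remediated first.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Operating systems whose vendor support has ended, with the end date.
# Windows XP support ended in April 2014; other entries would be added as needed.
UNSUPPORTED_OS = {"Windows XP": date(2014, 4, 8)}

# Constructed "assessment date" for the sample run (assumption, not from the article).
TODAY = date(2015, 10, 15)


@dataclass
class Asset:
    """One record of the asset assessment (step 1): what the inventory must capture."""
    hostname: str
    os: str
    av_applicable: bool            # False for devices that cannot run AV (printers, switches)
    av_installed: bool
    av_signatures_date: Optional[date]
    missing_security_patches: int
    default_credentials: bool      # step 4: still on the vendor default login?
    holds_confidential_data: bool  # step 3: does important data reside here?


# Constructed sample inventory; every value here is hypothetical.
SAMPLE_INVENTORY = [
    Asset("fileserver-01", "Windows Server 2012 R2", True, True, date(2015, 10, 14), 0, False, True),
    Asset("lab-xp-07", "Windows XP", True, True, date(2015, 6, 30), 3, False, False),
    Asset("hr-desk-12", "Windows 7", True, False, None, 1, False, True),
    Asset("printer-3f", "Printer firmware 4.2", False, False, None, 0, True, False),
]


def assess(asset: Asset, today: date, max_signature_age_days: int = 7) -> List[str]:
    """Return the hygiene findings for one asset, in the order of the article's steps."""
    findings = []
    if asset.os in UNSUPPORTED_OS:
        findings.append(
            f"unsupported OS ({asset.os}, vendor support ended {UNSUPPORTED_OS[asset.os]})"
        )
    if asset.av_applicable:
        if not asset.av_installed:
            findings.append("no anti-virus/anti-malware installed")
        elif (asset.av_signatures_date is None
              or (today - asset.av_signatures_date).days > max_signature_age_days):
            # Signatures older than the threshold mean automatic updates are not working.
            findings.append("anti-malware signatures stale (automatic update not working)")
    if asset.missing_security_patches > 0:
        findings.append(f"{asset.missing_security_patches} security patch(es) missing")
    if asset.default_credentials:
        findings.append("default login/password still in use")
    return findings


def hosts_by_os(assets: List[Asset]) -> Dict[str, List[str]]:
    """Answer 'how many systems of each OS, and where': OS name -> sorted hostnames."""
    table: Dict[str, List[str]] = {}
    for a in assets:
        table.setdefault(a.os, []).append(a.hostname)
    return {os_name: sorted(hosts) for os_name, hosts in table.items()}


def prioritize(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Hostname -> findings for every asset with at least one finding.

    Assets holding confidential data come first so the risk assessment (step 3)
    drives the remediation order; ties are broken by hostname for stable output.
    """
    ordered = sorted(assets, key=lambda a: (not a.holds_confidential_data, a.hostname))
    report: Dict[str, List[str]] = {}
    for a in ordered:
        findings = assess(a, today)
        if findings:
            report[a.hostname] = findings
    return report


if __name__ == "__main__":
    xp_hosts = hosts_by_os(SAMPLE_INVENTORY).get("Windows XP", [])
    print(f"Windows XP systems: {len(xp_hosts)} -> {xp_hosts}")
    for host, findings in prioritize(SAMPLE_INVENTORY, TODAY).items():
        print(host)
        for f in findings:
            print(f"  - {f}")
```

Feeding this a real inventory (a CMDB export, a vulnerability-scanner asset list, or a DHCP lease table joined with patch-management data) is the practical version of step 1; the point of the script is that each of steps 2 through 4 becomes a mechanical check once that inventory exists, and rerunning it on a schedule is step 5.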