Raspberry beret
When it comes to securing an organization’s network, there is no shortage of basic blocking and tackling to be done. Companies’ IT infrastructures have become so complex and interconnected that many security departments aren’t entirely aware of all the systems and people that might have network access, much less maintain the ability to monitor and act upon every alert or anomaly. As a result, and as we’ve learned through the many highly publicized breaches and security incidents, cybercriminals need not be terribly wily or sophisticated to successfully hack into targets’ networks and steal, modify, corrupt, or otherwise abscond with the information they’re after; the typical enterprise offers plenty of low-hanging fruit for free.
Organizations don’t have to work extra hard at rolling out the proverbial red carpet for attackers. Thousands of vulnerabilities are disclosed every year, and the average time to patch is somewhere between 100-120 days. Though securing everything which needs securing—hardware, software, applications, data, people—is by no means a light lift, the security team’s ability to focus on eliminating low-hanging fruit will raise the “cost” of an attack for cybercriminals. In many cases, this means your adversary will turn his attention elsewhere. If your company is a high-value, singled-out target, erecting better barriers means the attacker has to elevate his game, and you’ll have a better chance of identifying an attack earlier in the cycle…so long as you don’t “set and forget.”
I was working part time in a five-and-dime
First things first. To understand what your low-hanging fruit is, you must identify everything you have: hardware, software, devices, applications, partners/partner networks, authorized individuals and connections, data, etc., basically everything mentioned above as a challenge. Once you have a grasp on all of the assets that require security’s attention, the next step is prioritization. Which data and systems contain the most valuable assets—the “crown jewels,” if you will—that would devastate the company if compromised? With this information in hand, you can now go about building a strategy to eliminate some of the most commonly exploited vulnerabilities.
At the heart of it, says Information Security Analyst Tim Krabec, keeping the bad guys away from your low-hanging network fruit boils down to the three most foundational goals of information security: Confidentiality, integrity, availability. With everything on the security team’s plate, even with all assets accounted for, the enormity of the situation can become overwhelming if it’s scrutinized piecemeal. Fitting action items into these three big categories provides a roadmap for the security program, simplification, and a way to make sure each action has a purpose, i.e., you’re not misstepping and distracting attention away from the desired end state. For instance, Krabec says, “Least privilege, zero trust models, and encryption give us confidentiality; patching and monitoring help ensure integrity; and backups provide availability in case of a disaster or incident.”
Least privilege is, of course, one of the basic principles the security industry talks about a lot, yet system administrators continue to get away with not only unrestricted network and file access, but also compounding the problem by using default and replicated passwords. “This is so easy to fix,[i]” exclaims Paul Asadoorian, CEO of Security Weekly and Offensive Countermeasures. And if you consider that, according to the Verizon Data Breach Investigations Report (DBIR), “81% of hacking-related breaches leveraged either stolen and/or weak passwords,” keeping access and authentication in check should be one of every security organization’s top priorities.
My boss was Mr. McGee
Getting back to those pesky vulnerabilities, Asadoorian advises organizations to revisit patching programs. As we saw with WannaCry, patching can cure many ills, but “just patch” isn’t always the answer. Organizations can run up against production and availability issues if patching isn’t rolled out or tested correctly. Therefore, it’s best practice to understand your organization’s current architecture, highest risks, and backup and redundancy capabilities, along with a realistic understanding of the criticality of the patch and the potential ramifications should you choose not to patch when one becomes available.
Patching, though, isn’t the only way to mitigate vulnerabilities and pick off low-hanging fruit. A February 2017 study by the Australian government indicates that 85% of known vulnerabilities can be stopped by deploying the Top 5 CIS Controls. Not so coincidentally, the first two recommended critical controls tackle assets:
- Inventory of authorized and unauthorized devices
- Inventory of authorized and unauthorized software
The next two address technology implementations and maintenance:
- Secure configurations for hardware and software
- Continuous vulnerability assessment and remediation
The last control goes back, once again, to locking down the admin environment:
- Controlled use of administrative privileges
It’s funny how everything circles around, isn’t it? Or perhaps it’s ironic? Or unsettling, because we keep returning to the same remedies…?
He told me several times that he didn’t like my kind
Network segmentation is another “must,” says Asadoorian. Flat networks are easy for threat actors to traverse and have been an impetus in many infamous breaches, like Target and Sony. Allowing the organization’s HVAC network to talk to its Point-of-Sale network, for instance, is negligent, but companies can look to get even more granular. Create various sub-networks of data that are protected via firewalls and/or a VLAN to erect “high walls” that help deter malicious actors (and perhaps curious insiders). Does your sales department data need to be on the same network as HR data? Absolutely not, and doing so only creates greater potential for unauthorized access. Further, assigning access per job title or department may not be advisable; let the data and sensitivity thereof determine which individuals need access rather than “anyone assigned to the finance group.”
Organizations dealing with HIPAA or PCI-DSS should be especially attentive to regulations requirements. Those regulating bodies offer guidance on how to properly segment specified data, but any organization handling sensitive data—and every single one is—should develop its company-specific network segmentation plan that includes zoning off certain data, a list of which controls are used to do so, plus a way to monitor log traffic and escalate alerts when needed (again, think: Target).
‘Cause I was a bit too leisurely
Asset inventory, assigning least privilege, patching, implementing critical controls, and segmenting the network are not the only low-hanging fruit to shore up when securing your organization, but these five processes (not projects! Projects are point-in-time whereas processes are ongoing) are some of the most likely to eliminate the most egregious vulnerabilities.
- Know what you need to protect;
- Limit the individuals who can access what data, systems, applications, software, etc.;
- Keep systems up-to-date whenever possible (and know accompanying risks when you can’t);
- Focus on the fundamentals; and
- Keep your sensitive data compartmentalized
We never said finding and fixing your low-hanging fruit problem was going to be quick and easy, but neglected systems provide a clear path for attackers—who are continually scanning for the most obvious opportunities. It’s perhaps an old and overused analogy, but the five steps, above, are the high walls and wide moats likely to deter the enemy.
