One of the more interesting things about the online security industry is that there is nothing seasonal about it. Thanks to technology and unfortunately now the opportunity for significant monetization, along with just creating major havoc, the bad guys don’t respect location, the calendar or the clock.
Given the tidal wave of headlines about malware, data breaches, ransomware, etc., it seemed like a good time to check in with a pro for a view on why so many companies seem susceptible to attack. I was curious whether, given the headlines, it was possible to discern the top mistakes organizations of all sizes are making in mitigating the risks of cybersecurity threats.
I turned to somebody with deep experience in online problems, Asher De Metz, Lead Senior Consultant (Information Security) at Sungard Availability Services (Sungard AS). With over 15 years of IT penetration testing experience, he is a recognized White Hat hacker. He is a good guy (double meaning intended).
It is Asher and his team who test how vulnerable you are to a cyberattack. That makes them people you might wish to speak to before bad things happen, rather than as forensic experts (which they happen to be superb at) looking at what to improve after your company has been compromised.
As such, Asher has some very timely views, adding to those from a recent blog. He explained up front that organizations of all sizes need to do assessments as to where, when, why and how they need to address security issues. He also noted that, given the availability of resources, having advanced threat mitigation capabilities is obviously a great way to put up a “stay away” sign for the Black Hats. However, security is about making reasoned choices about risks and then deciding when, where, why, how and by whom risks can be mitigated, in the context of business imperatives.
Where he started, as the sub-headline below shows, was quite interesting, and you will see why.
The basics, the basics, the basics
In real estate it is location, location, location. In security, as De Metz highlighted, it is “Focus on the basics, the basics, the basics.” He elaborated, saying, “People get in trouble when they focus on the icing on the cake and then put it on a collapsed cake. What our testing consistently reveals is the surprising number of companies that don’t take care of the simple blocking and tackling that could save them a massive amount of problems. This means such things as patching software with fixes that are, and in some cases have been, available for some time, in certain cases several years, for known security issues. It means changing passwords frequently, providing user education, establishing metrics, and enforcing policies and rules.”
Indeed, this echoes what many in the security industry have discovered and reported in sounding the alarm over Microsoft ending support of Windows XP, the OS running almost all of the world’s ATMs: with few exceptions in the financial services, government, defense contractor and healthcare sectors, the extent to which companies neglect these basics is cause for concern.
De Metz pointed out three big areas where taking care of business could enable IT to do a better job of taking care of business.
While there are lots of “mistakes” IT is making, he noted that the reason to pay particular attention to these is that they are simple and inexpensive to fix. Plus, they pay big dividends in terms of the hard costs of cleaning up the mess once compromised, as well as the softer and possibly larger costs associated with the damage to an organization’s reputation.
Below are three mistakes whose fixes you literally could bank on for increasing peace of mind.
Companies should focus more on egress filtering: De Metz notes that most organizations spend their IT security time and resources focusing on ingress (inbound) traffic filtering in order to keep the bad guys out. However, such a focus usually means neglect of egress (outbound) filtering. In a world where authentication and identity are now the perimeter, not paying appropriate attention to egress filtering is an invitation to disaster.
Egress filtering is how to stop data loss, whether caused by rogue employees sending critical info out or by bots and malicious software making a connection out to their control servers. It is this connection out that Black Hat hackers seek to exploit. As De Metz told me, “Strong outbound filtering with testing of various scenarios that the bad guys could employ is actually the way ultimately to keep the internal network safe from being compromised.”
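As an added illustration (not code from the article or from Sungard AS) of what a default-deny egress policy looks like when tested against the scenarios described above, the script below evaluates constructed outbound-flow records against an allowlist; the proxy, resolver and relay addresses are hypothetical.

```python
# Added example: default-deny egress policy checked against constructed flows.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # internal source host
    dst: str      # destination IP
    dport: int    # destination port
    proto: str    # "tcp" or "udp"


# Hypothetical internal infrastructure the allowlist is built around.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
WEB_PROXY = "10.0.0.10"        # all outbound HTTP/HTTPS must leave via the proxy
DNS_RESOLVERS = {"10.0.0.53"}  # only the internal resolvers may query upstream DNS
MAIL_RELAY = "10.0.0.25"       # only the relay may speak SMTP to the Internet


def is_allowed(flow: Flow) -> bool:
    """Default-deny egress: True only for an explicitly allowed outbound flow."""
    if ipaddress.ip_address(flow.dst) in INTERNAL_NET:
        return True  # not egress; internal segmentation is a separate control
    if flow.src == WEB_PROXY and flow.proto == "tcp" and flow.dport in (80, 443):
        return True
    if flow.src in DNS_RESOLVERS and flow.dport == 53:
        return True
    if flow.src == MAIL_RELAY and flow.proto == "tcp" and flow.dport == 25:
        return True
    return False  # everything else is dropped, including direct 443 from a workstation


def audit(flows):
    """Return the flows the default-deny policy would drop (candidates for alerting)."""
    return [f for f in flows if not is_allowed(f)]


# Constructed sample flows, not real traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.10", "203.0.113.7", 443, "tcp"),     # proxy to the web: allowed
    Flow("10.0.1.42", "203.0.113.7", 443, "tcp"),     # workstation bypassing the proxy
    Flow("10.0.1.42", "8.8.8.8", 53, "udp"),          # workstation using an external resolver
    Flow("10.0.0.53", "198.51.100.1", 53, "udp"),     # resolver to upstream DNS: allowed
    Flow("10.0.1.42", "198.51.100.99", 4444, "tcp"),  # beaconing on a non-standard port
    Flow("10.0.1.42", "10.0.2.5", 445, "tcp"),        # internal, out of scope here
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"DROP {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

The two workstation flows that would be dropped are exactly the paths a bot or a rogue user would rely on if the policy allowed "anything outbound".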
Companies forget about the Local Administrator password: Sungard AS also found that while clients believe they do not reuse passwords, and may think they have a well-developed password policy program, they generally miss the critical area of local administrator passwords. As De Metz explained, he cannot count the times he and his team have seen that the local administrator password on a PC is the same as the local administrator password on servers and even domain controllers. In short, the local administrator password represents the keys to the kingdom. Measures need to be taken to make it as hard as possible to get access to critical information. This means not just testing to see whether passwords, particularly the vital local admin one, are currently duplicated, but also ensuring that duplication cannot occur going forward, and then specifically running tests to confirm that it cannot.
Companies leave unpatched systems around: It is almost hard to fathom that this item is even on the De Metz list. After all, most organizations have a patch management program, and their end users get alerts from the vendors of popular apps and software. De Metz, however, explained that he and his colleagues still see instances where systems have been unpatched for years. The real issue here is that even one system that has not been updated can serve as the gateway to your organization being compromised. And, remember, those with malicious intent are always looking for the weakest link.
De Metz concluded by saying, “If most organizations did nothing more than tend to the basics, their security awareness, levels of protection and ability to respond would be greatly enhanced.” He added a caveat, one that I have heard from virtually every security vendor and CIO: security needs to become part of the organization’s culture, there must be executive buy-in, and everyone is responsible for security and needs to cooperate with the IT department, which is not only responsible but also accountable.