In my last blog, I talked about the need to first address the simple elements of cyber security instead of getting bogged down by the complexity of well-marketed ‘silver bullet’ solutions that vendors often push.
Now, I’ll dive deeper into the topic and outline five areas that, when addressed, will increase your organization’s security posture by leaps and bounds. While these may sound simple and obvious enough, in my experience they are unfortunately often overlooked and therefore need to be explicitly addressed.
Your Users Have Too Many Rights!
The time when people could afford to have local admin rights has long passed. We cannot let the user decide what is a good or bad application, and there should be a business reason to operate any piece of software, since in the end any executable could potentially introduce vulnerabilities.
Investing in technology that allows IT to avoid giving users local system privileges is high value when it comes to cyber security robustness. Special focus should also be given to privileged sessions which are required for the general administration of IT infrastructure. But again, if you can manage to limit the admin rights of end users, you will have taken an important first step.
Patch Your Systems
The importance of operating an environment which is up to date and has all critical software patches applied cannot be overstated. The issue with running outdated software is that you open yourself up to attacks which are difficult to mitigate in other security systems, or which require those systems to have specific intelligence to handle the attack. If you cannot practically patch your systems quickly enough, then considering technology which prevents buffer overflows and other common zero-day exploitation techniques is an important step.
Investing into systems that can assist you in automating vulnerability assessments and even deployment of patches is what I call a high value security investment.
Understand how you get Infected
Today, malware is mostly an e-mail based issue. This means that somehow a malware-infected document or link attached to a mail passed through a mail filter, an internal user was unlucky enough to click it and execute it on the machine, and the machine was thereby infected with crypto malware.
At Help AG, over the last 12 months, we have assisted several customers in dealing specifically with crypto malware and in ALL cases the infection vector was e-mail. If we go one layer down, ALL infections were due to an office document with malware embedded.
Based on this simple understanding, organizations should start to ask themselves whether e-mailing office documents should even be possible. Well, of course blocking them is not practical, so maybe we should instead start removing the potentially malicious aspects, such as macros and other dynamic functions, in which malware can hide.
Today there are systems available that can integrate with your mail-flow to remove the areas in a file where malware might be hiding. This means you remove the vehicle that malware is tagging along in, instead of relying on the ability to identify the malware itself. Again, this is a high value security investment that significantly increases your cyber robustness.
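As an added illustration of the "remove the vehicle" approach described above (example code written for this page, not Help AG's product or anything from the original post), the script below classifies an e-mail attachment as legacy binary Office, macro-bearing OOXML, macro-free, or other, and rebuilds macro-bearing packages without the VBA part. The sample packages and placeholder VBA bytes are constructed; the `vbaProject.bin` part name and the OLE2 magic bytes are real format details, and the deliver/sanitize/quarantine policy is an assumption.

```python
import io
import zipfile

# Constructed samples, not real malware. OLE2 compound-file magic identifies
# the legacy .doc/.xls/.ppt formats, treated here as 'cannot rule out macros'.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def build_ooxml(with_macro: bool) -> bytes:
    """Tiny docx/docm-like package for the demo; real files have more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:  # a real VBA project is an OLE stream; placeholder here
            z.writestr("word/vbaProject.bin", b"VBA-PLACEHOLDER")
    return buf.getvalue()

def classify_attachment(data: bytes) -> str:
    """Return 'legacy-binary', 'macro', 'clean' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "other"  # PDF, image, etc.: outside the scope of this check
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = [n.lower() for n in z.namelist()]
    return "macro" if any(p.endswith("vbaproject.bin") for p in parts) else "clean"

def strip_macros(data: bytes) -> bytes:
    """Rebuild an OOXML package without its VBA project part(s).
    A production sanitizer also drops the matching [Content_Types].xml and
    .rels entries and re-saves as the macro-free extension; omitted here."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if not item.filename.lower().endswith("vbaproject.bin"):
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()

def filter_attachment(data: bytes):
    """Mail-flow decision (assumed policy): deliver as-is, sanitize, or quarantine."""
    kind = classify_attachment(data)
    if kind == "macro":
        return "sanitized", strip_macros(data)
    if kind == "legacy-binary":
        return "quarantined", None
    return "delivered", data
```

Hooking `filter_attachment` into a real mail gateway would also require logging each decision so the security team can see which senders and document types keep triggering sanitization.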
When we talk about crypto-malware and e-mails, during our incident response exercises on crypto malware we have actually identified that the most common infection vector is not the corporate mail, but someone checking their private mail on the corporate laptop. Maybe the time when users can open their private web-mail is over? It is in any case a huge risk when it comes to data loss.
I am in no way saying that e-mail is the only infection vector we need to focus on, but right now the vast majority of infections arrive over e-mail, and therefore that is where we should make our investments.
Understand Where Your Risks are, & Invest Accordingly
Is it your clients or your servers? Naturally everyone will say that the servers are the most important to protect, as that is where the crown jewels are. However, what you need to ask yourself is where the attacks are happening, which in most cases is the client!
With that in mind, you should ensure that your clients are well protected at all times. Organizations invest hundreds of thousands of dollars in securing their corporate environment, but when the end users take their laptops home, they are free to do what they want. Making sure the PC or laptop is always within the corporate environment, even when at home, through an always-on VPN tunnel is really a solid investment, which will give you high value in terms of security robustness.
It may be unappealing from a bandwidth, latency and other perspectives, but today bandwidth is cheaper than ever and there are technical solutions that accelerate traffic between clients and servers.
Perform a Good Penetration Test
Penetration tests are unfortunately often delivered by consultants who just run a scanner and rely solely on the output of the tool they chose to use. We think differently about pentests: our focus is not on telling you that you are missing patch A or B, but on using the vulnerability to elevate our access into your systems. Please also understand that a vulnerability is not only a coding issue; it can also be how a specific configuration is applied in your infrastructure or on your clients.
In fact, small configuration changes can eliminate a lot of issues. In many ways, you can say that a penetration test should be a challenge of the systems you run, how you maintain them and how you have configured them.
I am still puzzled by how some organizations accept the plain output of vulnerability scanners as a pentest. These vulnerability scanners should already be a basic aspect of operating your architecture, and are not really the topic of a penetration test.
Once you are done with these 5 basics of cyber security there are of course a million other things we can talk about, some of them simple, some of them highly sophisticated. Cyber security is an ever-changing environment, and that is why I love working with it so much.
Nicolai Solling, CTO at Help AG