The gravest risk to your data is taking an ad hoc approach to security instead of implementing a carefully thought-out security program. Creating a security policy requires assessing risk and making decisions on how to mitigate it. Selecting security controls requires going through a process to find tools and techniques to execute and enforce your security policies. There’s no real security without deliberate action. That’s why ad hoc security won’t work.
If you are relying on ad hoc security, here are five common vulnerabilities you probably aren’t addressing.
#1 UNPATCHED SYSTEMS AND APPLICATIONS
Unpatched systems and applications are like open doorways into your network for bad actors. Most system patches exist to fill in a known and documented security gap. Hence, an unpatched system or application is the easiest vulnerability for hackers to exploit yet one of the simplest to eliminate.
A review of security metrics found "13.4% of all critical risks discovered in 2020 related to unpatched, unsupported or out-of-date systems." The research also found that hackers are attacking companies through common vulnerabilities and exposures (CVEs) that are years old and for which patches have long been available.
To cut your company's risk of CVE exploitation, automate your patch management. Patch management software can continually scan your system to identify unpatched vulnerabilities and can often automatically install the available patch or alert you so you can make the decision. It can also identify and report patches that require your manual installation. Finally, make sure you rank those systems and applications which should get the highest priority for patches and updates.
#2 NOT HAVING A COMPLETE SYSTEM AND DEVICE INVENTORY
Having a system or device on your network that you aren't actively managing is dangerous. Unmanaged infrastructure isn’t monitored for suspicious activity and thus rarely receives patches or upgrades unless someone happens to think about it. If you don't know a device or system is connected to or running on your network, you can't manage, monitor, or patch it.
Unfortunately, it’s pretty easy to understand why you’d have an unknown device or application—or many of them—on your network. Perhaps it's underutilized or obsolete, or maybe it was never approved in the first place. As newer infrastructure gets installed, earlier systems and computers are forgotten. Out of sight, out of mind.
The use of unapproved devices or applications—often referred to as "shadow IT"— presents a clear security threat when connected to the company's network. Bring-your-own-device (BYOD) programs were already growing pre-pandemic, but work-from-home (WFH) has expanded the number of non-corporate devices connecting to your network daily. The risk is more than just devices, though, it is software. Thanks to the growth in cloud-based SaaS solutions and mobile apps—often with low monthly subscription costs that don't trigger approval requirements—it is easy for employees to select applications outside of approved channels.
Companies need an array of security policies and controls to stay on top of underutilized, obsolete, or unapproved systems and software. To start, you should regularly run a network scan tool that inventories all the devices and applications on your network.
#3 WEAK PASSWORDS
You might find it hard to believe, but the most common password in 2021 is "123456." You can find a list of the most common passwords here, but you can bet hackers already know them. There's simply no excuse for weak passwords. Unfortunately, we can't begin to tell you how many hacks happen due to weak credentials.
Hackers exploit weak passwords through brute force attacks or password spraying. In a brute force attack, the hacker uses a program that keeps trying common passwords to get into an account. Password spraying is an expanded brute force attack that targets many accounts at once. Hackers also guess weak passwords using personal information publicly available, stolen, or gathered through phishing.
Hackers then exploit weak passwords to collect more credentials. They can look for stored credentials in the system and steal that data. One hacker forum hosts a file with an estimated 8.2 billion stolen credentials. Hackers also use a compromised account to send out credential phishing emails to others.
Whenever possible, your company should use multi-factor authentication (MFA), which blocks access even if the hacker breaks the password. In addition, you should train users on solid password generation and management techniques. Using a password management system makes it easier for users who only need to remember one passphrase. Finally, train users to identify a phishing or social engineering communication so they don’t inadvertently divulge their access credentials.
#4 POOR AUTHORIZATION MANAGEMENT
In almost every deep analysis we do, we find system users performing actions they shouldn't be able to do or accessing data they shouldn't be able to access. It's the difference between authentication and authorization. Too many companies have insufficient authorization schemes because they conflate it with authentication.
Authentication is when a user proves to the system that they are who they say they are, often via usernames and passwords or biometrics like facial or fingerprint recognition. On the other hand, authorization defines the scope and type of access that a user has in a specific system. For example, an unauthorized user could be someone who was inadvertently given:
- Write access where they should be read-only
- Administrator’s rights
- Access to folders, files, or databases that should be privileged
Without setting a security policy on how system authorizations are determined and managed, you increase the risk that a user will have technical authorization to systems and data they shouldn't.
To limit this risk, adopt a security policy to take a "least privilege" approach to authorization. A user should get no more access or authority within a system than needed to fulfill their role. A simple example is denying everyone other than the accounting team from accessing payroll systems and then only the minimum access they need to do their jobs.
Weak authorization schemes also increase the risk of a privilege escalation attack. During a privilege escalation attack, the hacker uses access to one account or system to grant themselves even greater access. The hacker can try to use it to access another system or take administrative control of the system they've already compromised. Privilege escalation also occurs by hacking a known bug or vulnerability to gain initial access—another reason to stay on top of patching and software updates.
#5 NO BACKUP OR RESTORATION PLAN
Given the danger from ransomware attacks, every company should be concerned about their critical data and systems. Ransomware attacks grew by 150% in 2020, and there’s no sign it will let up soon.
It can be perilous to rely on negotiating or paying a ransom to regain access to your data or systems. A recent analysis of ransomware attacks shows that more companies are paying ransoms—one significant reason attacks keep rising—but only 8% of them got back all their data.
Start with a security policy that sets guidelines for defining tiers for categorizing data and systems by priority. Then, you can determine additional security policies and controls for each tier. All your data should be backed up and stored on media offsite and unconnected to your network. You may decide to use disk mirroring for systems relying on your most critical data, so all that data is written in multiple places as it is created or updated.
In some cases, the attack locks you out of the system rather than encrypting your data. In this case, a business continuity plan is vital for bringing your systems back online if your primary environment is compromised.
BONUS #6: NOT IDENTIFYING RISKS OR TRACKING METRICS THAT INDICATE ABUSE
The foundation of a comprehensive security program is conducting a risk analysis to identify your company’s particular vulnerabilities. Taking steps like inventorying all devices, systems, and user authorizations is part of a risk analysis. You also want to ask questions like:
- Where are the most vulnerable points of your network, and what are possible ways hackers might access them?
- What are your operating system and software vulnerabilities?
- What are the attack risks for your industry?
- What are your high probability/high impact risks?
Conducting a risk analysis is more detailed than this, but it’s necessary to implement a security program that addresses your company’s specific risks. Once you have identified and categorized high risks and fraud paths, then you can identify the metrics that you can use to detect anomalies before an attack.
FIVE OR SIX BEST PRACTICES ARE A BEGINNING, BUT ONLY A BEGINNING.
Addressing these six vulnerabilities is a good start, but any list like this is necessarily a bit reductionist. There are so many security issues to be considered and addressed that the process of conducting a risk analysis and making security policy decisions is ongoing and evolving. Companies need to move away from ad hoc security and start building a security program that can mature over time. Without a security program in place, they aren’t just putting their network and digital assets at risk, but they’re throwing up red flags to potential partners.