Lessons from a Decade of Security Assessments

Cybercriminals target every organization and network connected to the internet. While many organizations feel that their small size might enable them to slip under the radar of attackers or that they simply don’t have any information of value to steal, the reality is that every organization possesses computing resources that are attractive targets for ransomware, cryptocurrency mining and similar threats. Security assessments play a crucial role in helping organizations determine the status of their security posture and build a strong layered defense against modern threats.

Over the past 15 years, I’ve performed thousands of security assessments for CDW’s customers. I’ve looked at systems and networks belonging to state and local governments, hospitals, school districts, large industrial manufacturers and small retail stores. No matter where we turn our attention, the one common truth I’ve discovered is that the more things change, the more they stay the same. We’re discovering the same critical security issues today that we saw a decade ago.

Let’s look at five things that continue to surface as we perform security assessments and discuss the controls that organizations can put in place to defend against each.

We’ve known for years that passwords aren’t sufficient to protect sensitive resources, and that multifactor authentication plays a crucial role in securing systems against attack. That said, in almost every assessment we conduct, we find systems that not only aren’t protected with MFA but also use weak, formulaic passwords, such as “Winter2021!,” that are easily attacked. It’s time to inventory every external-facing system and ensure that it is protected with MFA.

As we analyze the configuration of servers and other devices, we routinely find settings that go against long-standing security recommendations. Organizations must develop baseline security configurations for all operating systems they use and consistently apply them using a configuration management tool.

Most organizations lack appropriate network segmentation. I’ve logged on to systems at a corporate office in San Francisco and then seamlessly connected directly to systems in a Chicago branch office. Organizations should adopt a zero-trust approach to network security that implements proper segmentation to limit the reach of a successful attack.

Many organizations have a security information and event management (SIEM) system in place, but it’s rare to find an organization that consistently sends log entries from every application and device to those systems. In other cases, logs are sent to the SIEM system, but nobody is actively monitoring the it to identify security incidents. SIEM tools play an essential role in a modern security program, but they must also be backed by a security operations center (SOC) that is prepared to react to threats identified by the SIEM system.

Organizations know patch management is important, and most are actively deploying and monitoring operating system patches. However, some third-party applications may manage to slip through the cracks. We consistently discover unpatched applications and viable remnants of previously updated applications that can present an attacker with initial access or elevation of privileges within a network. Technology teams should update their patch management programs to include all software, systems and devices used by the organization.

Before conducting a formal security assessment, organizations should first check how well their security programs control against these five common risks. Fixing the most apparent problems before performing an assessment will increase its value by allowing the assessment team to focus on more nuanced issues and deliver more value to the organization.

Story by Brenden Morgenthaler, a principal consulting engineer for the information security practice at CDW. He has been in the IT field since 1996 and in the security field since joining CDW in 2007. His experience with systems administration allows him to understand and appreciate the crucial balance between security and usability. Brenden’s primary focus is on blue teaming and SEIM deployments, and he also serves as the team’s subject matter expert on security assessments.