Lessons Learned from 4,000 Security Assessments
Years of testing have revealed key areas where organizations should focus their attention to address common vulnerabilities.
by | Melissa Delaney
Melissa Delaney is a freelance journalist who specializes in business technology. She is a frequent contributor to the CDW family of technology magazines.
Sadik Al-Abdulla has performed security assessments — penetration tests in which he assessed an organization’s security posture by attempting to break into its network for numerous clients. Each time, he gained full control of their networks. “I’d like to think that I’m good,” says Al-Abdulla, director of security solutions at CDW, “but I am not the world’s best.”
The industry average for a good “red team” of penetration testers is 95 percent, he explains. “So if talented hackers go after a company, they will get access.”
CDW’s security team has conducted more than 4,000 assessments for organizations of every size across all industries, and the team’s members have learned valuable lessons from their experiences — primarily, that most breaches are caused by user behavior. Employees click phishing links, create weak passwords and use the same credentials for multiple accounts, while IT personnel don’t always have a disciplined program for patching and updating hardware and software.
Shift to Adaptive Security
Hackers exploit user vulnerabilities in two ways: First, to gain access and then to expand it so they can reach their final objectives, whether that’s stealing money, sensitive data, account credentials or intellectual property.
The success rate of hackers necessitates a fundamental shift in how organizations think about security, says Al-Abdulla. Rather than focusing solely on avoiding breaches altogether – an approach that leaves an organization completely vulnerable when an attacker is successful at breaking through perimeter defenses – IT teams should build networks that can adapt to security incidents.
“It’s not only about preventing access, because sooner or later, attackers will get in,” he says. “What happens next is what’s important. Are they detected and contained, or are they able to then go transfer millions of dollars out of your electronic account?”
Karen Scarfone, principal of Scarfone Cybersecurity, agrees. Keeping intruders out is important, but organizations should also have plans in place to minimize damage in case of a breach. “I’ve spoken to some people who are almost giving up on prevention, and that’s a dangerous approach,” she says. “You need a balance.”
Key Threats in 2017
Hackers are most successful when they have the element of surprise on their side, so becoming familiar with emerging threats can help organizations stave off disaster.
One of the most popular exploits employed by cyberattackers is ransomware, which deploys malware to encrypt enterprise data and demands that users pay money to get it back. “There’s more ransomware today than there was six months ago, because it still works,” says Sadik Al-Abdulla, director of security solutions at CDW. “It’s a profit center.”
Unfortunately, victims keep paying ransoms, which enables attackers to enhance their arsenals. “It’s going to get more insidious,” says Craig Williams, senior technical leader and manager of outreach at Cisco Systems’ Talos Security Intelligence and Research Group.
The best defense against ransomware is to conduct regular backups — and practice restoring data from those backups to ensure that they work as anticipated, Williams advises. Not opening unexpected attachments can also help, as can disabling unused browser plug-ins, a main source of malware. Williams suggests users review their plug-ins once a month and uninstall any they don’t use.
Mobile technologies and Internet of Things projects represent another growing vulnerability. Networks host so many devices that IT departments struggle to manage them all. One of the best ways for organizations to minimize the damage from security incidents is to detect breaches quickly, so it may make sense to outsource monitoring to a vendor that can provide 24/7 coverage, says Karen Scarfone, principal of Scarfone Cybersecurity.
Protect Through Behavior Modification
1. Establish Update and Patch Discipline: Many organizations update their computers’ operating systems, but they’re not as good about patching other devices such as security cameras, multifunction printers, badge readers and manufacturing equipment, says Al-Abdulla. The proliferation of mobile devices and the Internet of Things exacerbate this problem.
Even if organizations use mobile device management software, users don’t always keep their personal devices up to date, says Scarfone. Creating a disciplined program for patching and updating all devices on a network — not only computers — can mitigate such vulnerabilities.
A good starting point is to enable automatic patches and updates, suggests Craig Williams, senior technical leader and manager of outreach at Cisco Systems’ Talos Security Intelligence and Research Group. Better yet, he adds, organizations should encourage users to get rid of software they no longer use. “If you don’t need it, remove it,” he says.
2. Manage Passwords Effectively: When CDW’s security team attempts to crack passwords during an assessment, they’re successful in five minutes or less in 85 percent of the cases. That’s because users choose passwords that are significant to them, such as their favorite sports teams, which can be easy to guess.
The number of data breaches stemming from weak passwords is staggering, according to Williams. “It seems like we have one about every other week, if not every week,” he says.
If organizations adopt more robust password policies, they can minimize that vulnerability, says Al-Abdulla.
3. Navigate Arbitrary Trust: Not all systems need the same level of protection. A user on a gardening forum might not worry about security. However, if that person uses the same login credentials at work, a hacker could breach the less-secure gardening forum and steal his unencrypted password to access his work account. That’s why it’s important to use unique passwords for different accounts, says Al-Abdulla.
4. Use Experiential Learning to Educate Users: Phishing attacks used to be laughably bad, but they’ve grown more sophisticated, says Scarfone. Many target individual users. For instance, a spear phishing scam disguised as an email from a CEO might instruct an employee to wire money. Policies such as requiring two people to approve a wire transfer can combat such attacks, she says.
When organizations hire CDW to attempt to phish their employees, they face a grim reality — an 80 percent click rate. But organizations can flip that equation by training employees to be skeptical of links. Security personnel can conduct audits to provide training for users who click phishing links. This training can take the form of videos that show strategies to avoid phishing scams. “If you do it every quarter for a year, over time, that click rate drops down into the single digits,” says Al-Abdulla.
The number of data breaches stemming from weak passwords is staggering. It seems like we have one about every other week, if not every week.
Craig Williams , Senior Technical Leader and Manager of Outreach, Cisco Systems
What’s the Password?
Security experts have talked for years about replacing passwords with new forms of authentication. But that change has yet to take place, says Sadik Al-Abdulla, director of security solutions at CDW. “We still live in a password-driven world, and for the foreseeable future, we are going to have to live with that,” he adds.
Al-Abdulla suggests some ways to make passwords more secure:
• Use passphrases: “Maryhadalittlelamb,” or better yet, “Maryhadalamblittle” is far more secure than an eight-character word.
• Be creative with the placement of digits, special characters and capitals: Instead of using initial caps, capitalize every third letter. Put punctuation in the middle of a string of words instead of at the end.
• Use a password manager: This tool automatically generates and keeps track of unique passwords for different accounts. “I personally do not use one, but I think that it’s a perfectly valid approach, and it’s one that I recommend to a lot of customers,” says Al-Abdulla.
• Employ security zones — one password for financials, one for medical information, one for social networks and so on: Security zones don’t eliminate risk, but they reduce it. If a hacker gets into a user’s Facebook account, he can also get into his Twitter account, but not his bank account. “Whatever you do,” says Al-Abdulla, “don't just use the same password everywhere.”
Limit Impact: Detect, Respond, Recover
Organizations invest a great deal of time and energy into building walls around their networks to keep out intruders. “But once that first crack occurs, in most cases for most companies, hackers have almost free rein,” says Al-Abdulla. “Starting to prioritize differently and to think about building more resiliency into the inside of the network is critical to containing and limiting the damage.”
One strategy is for security programs to focus on users just as they do on technology and processes. Training users to create stronger passwords and to recognize phishing scams is just as critical as firewalls and intrusion prevention systems. This training should be followed by audits to assess how well users have learned their lessons. “Don’t just teach them,” says Al-Abdulla. “Follow up and see if they’re using what you taught them.”
Organizations should also pay attention to what happens before, during and after a breach, he adds. They can take steps to prevent attacks, but if hackers get in, organizations should have plans to detect and contain them during the attack and remediate afterward.
For instance, organizations can segment their networks to make it harder for intruders to escalate their privileges. They can establish backup plans that enable them to restore data in case of a ransomware attack. Organizations can also conduct drills to practice containing a breach and resuming operations quickly.
“Those kinds of things are tremendously valuable, because sooner or later someone is going to click that one link,” says Al-Abdulla. “If you put the work in now, the impact to the business when it happens will be much less.”
Call us at 800.800.4239 to set up a consultation with a security expert.