By Scott Russ
A few centuries ago, a small safe in the local post office was sufficient to protect the town valuables. As time passed and criminals got more creative, the townspeople switched to dedicated guards watching over room-sized vaults to protect the treasures. Once again the valuables were safe, but it wasn’t long before the outlaws acquired better firearms and simply overwhelmed the guard into coughing up the combination.
Fast forward to present day where the “valuables” are digital ones and zeros, “bandits” are unknown perpetrators halfway across the globe, and “vaults” come in the form of complex machine learning algorithms.
Technology will continue to evolve and the cat and mouse game will keep going until the end of time. It’s easy to get caught up in the glamour of the latest security technology and forget to address the basics, but the most fundamental aspects of cybersecurity are the most effective at preventing a breach. While it is important to keep track of advancements in security technology, it’s more important to maintain a strong foundation. Think back to our 1800s bank vault scenario. The bigger, stronger vault kept intruders at bay for a while, but if the guard had left it unlocked the new technology would have been worthless.
Dig into the details of most data breaches, including high profile ones like Capital One and Alteryx, and you will find evidence of lapses in security hygiene. These large organizations certainly have access to the latest tech, financial funds and the smartest security people. They also have robust programs to address the basics, but the larger an organization is, the more difficult it is to maintain good security hygiene. In the past two years alone, bad security hygiene has resulted in breaches of battlefield imagery, voter records, financial information, security clearances and encryption keys, to name a few. In all of these events, the attack vector relied on misconfiguration, known vulnerabilities, or other similar lapses in basic maintenance.
The Mechanics of Security Hygiene
So how do we practice better security hygiene in this world of competing priorities and limited resources? After all, wouldn’t adding “hygiene” to your roadmap send a message that you’re ignoring the basics? No, in reality it would show that the organization is acutely aware of the danger of bad practices and is proactively managing them. Let’s break it down into the ever-popular people, process, and technology buckets to show how better hygiene can be obtained at each layer.
First and foremost, security needs to be embraced and advertised at the executive level. It’s not enough to have security policies in place that employees gloss over once a year to check off the annual training compliance box. At the end of the day security is only successful if it’s part of the culture of an organization. Security professionals cannot be expected to magically find and fix all of the gaps when everyone else in the organization is allowed to work around the controls. Conversely, employees cannot be expected to take security seriously if their leadership isn’t consistently advocating its importance. The leadership team needs to communicate the importance of security often and live by the principles they are advocating to set an example for the rest of the organization to follow.
The end-user is without a doubt the easiest link in the security chain to exploit. End-users don’t typically put security at the top of their priority list, and for good reason. They are concerned with good accounting practices, effective marketing campaigns, talent retention and a multitude of other disciplines that are essential to keeping the business running. It is imperative that end-users receive effective security training. Phishing simulations and interactive video training need to be memorable and not just a “check the box” activity.
Balance of needs and wants
Policy is often enforced from a pure security lens without regard for functionality or user experience. Even the most security-conscious employees will start to bypass policy when it begins to impact efficiency and user experience too much. The trick is to find balance, and the only way security professionals can do that is through open conversations with the users their policy will directly impact. They should be willing to make low-risk sacrifices where it makes sense to enhance the user experience. End-users will be more likely to follow process if there is minimal impact to their daily jobs.
Some of the most effective security enhancements can be made with little to no additional capital expenditure. It is a common practice for organizations to purchase a cutting-edge technology, implement it, then immediately start the process of building the next great thing and forget to maintain what was just implemented. Several months pass and that beautiful (and very expensive) security solution is neglected and not as effective as it once was.
One of the most basic concepts in security, but also one of the most difficult to accomplish, is asset management. You can’t protect something if you don’t know it exists. Keeping endpoints current (patched and up to date) is crucial to reduce the potential attack surface of the organization, and the technology responsible for performing this function needs to know about new assets in order to be effective. Asset management programs usually fall short because they rely heavily on the human element. System administrators are often expected to enter details about new assets into a spreadsheet or database of some kind, but this manual process doesn’t provide a realistic mechanism for validation. Systems get spun up and shut down without a corresponding asset database update, and before long the source of record is rendered useless. A combination of network discovery tools and automation can help to identify asset outliers and offset the weaknesses in manual asset management processes.
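The reconciliation described above, reduced to a runnable script as an added example (not code from the article): it compares what a discovery sweep actually saw on the network with what the manually maintained inventory claims, and reports hosts that nobody recorded, records whose host was not seen, and records nobody has touched in a long time. The inventory rows, the discovery results and the 180-day staleness threshold are all constructed assumptions; in practice the `DISCOVERED` list would come from an ARP/ping sweep or a network access control export.

```python
"""Reconcile a network discovery sweep against a manual asset inventory.

Added example, not from the article. All records below are constructed
sample data; the staleness window (180 days) is an assumed policy value.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class InventoryRecord:
    hostname: str
    ip: str
    owner: str
    last_updated: date  # last time an admin touched the record


@dataclass(frozen=True)
class DiscoveredHost:
    ip: str
    mac: str
    hostname: Optional[str]  # None when the host answers no name lookup


# Constructed sample: the spreadsheet/CMDB as the administrators left it.
INVENTORY: List[InventoryRecord] = [
    InventoryRecord("web01", "10.0.1.10", "web-team", date(2019, 7, 1)),
    InventoryRecord("db01", "10.0.1.20", "dba", date(2019, 5, 14)),
    # Decommissioned months ago but never removed from the record.
    InventoryRecord("build03", "10.0.2.30", "eng", date(2018, 11, 2)),
]

# Constructed sample: what today's discovery sweep actually observed.
DISCOVERED: List[DiscoveredHost] = [
    DiscoveredHost("10.0.1.10", "00:11:22:33:44:01", "web01"),
    DiscoveredHost("10.0.1.20", "00:11:22:33:44:02", "db01"),
    # A box somebody spun up without telling anyone.
    DiscoveredHost("10.0.1.77", "00:11:22:33:44:77", None),
]


def reconcile(
    inventory: List[InventoryRecord],
    discovered: List[DiscoveredHost],
    today: date,
    stale_after: timedelta = timedelta(days=180),
) -> Tuple[List[DiscoveredHost], List[InventoryRecord], List[InventoryRecord]]:
    """Return (unknown, missing, stale).

    unknown: hosts seen on the network with no inventory entry (blind spots
             for patching and scanning).
    missing: inventory entries not seen on the network (likely decommissioned
             without a record update).
    stale:   inventory entries nobody has updated within `stale_after`.
    """
    by_ip = {rec.ip: rec for rec in inventory}
    seen_ips = {host.ip for host in discovered}
    unknown = [host for host in discovered if host.ip not in by_ip]
    missing = [rec for rec in inventory if rec.ip not in seen_ips]
    stale = [rec for rec in inventory if today - rec.last_updated > stale_after]
    return unknown, missing, stale


if __name__ == "__main__":
    unknown, missing, stale = reconcile(INVENTORY, DISCOVERED, date(2019, 8, 26))
    for host in unknown:
        print(f"UNKNOWN on network, not in inventory: {host.ip} ({host.mac})")
    for rec in missing:
        print(f"MISSING from network, still in inventory: {rec.hostname} {rec.ip}")
    for rec in stale:
        print(f"STALE record, last updated {rec.last_updated}: {rec.hostname}")
```

Each of the three lists is a work queue for a different owner: unknown hosts go to whoever runs the network, missing hosts go to the record owner to confirm decommissioning, and stale records are the ones most worth a periodic attestation. Running the comparison on a schedule is what turns a spreadsheet back into a source of record.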
Let’s walk through a very common yet still overlooked example. John is a new employee starting next week in the engineering department. Human resources sends an email to IT requesting a new account for John with the same permissions as Sally because Sally is also in the engineering department. Just because John and Sally are in the same department does not mean they need the same access. On the surface this seems trivial. Sally and John will have similar roles so what do we gain by splitting hairs? Privilege abuse, in the form of both rogue employees and stolen credentials, is one of the most widely used tactics in data breaches. Following the principles of least privilege can significantly reduce the probability of unauthorized access.
The individual with the most knowledge of John’s new role is his direct manager. Moving the access decision from human resources to the direct manager increases the accuracy. It also allows organizations to perform access attestation. Sometimes there is due diligence up front when the account is created, but as time passes and the employee gets involved with different projects the access just keeps expanding. Access is rarely removed when the employee is no longer associated with a specific project unless there is a periodic attestation process in place. Direct managers have a sense of liability since they are closer to the action and are more likely to remove access for employees that no longer need it.
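The attestation process the two paragraphs above describe, as an added example that is not part of the article: each access grant records which project justified it and when a manager last confirmed it, and a periodic job flags grants whose user is no longer on that project (or never was, as with John's copied permissions) and grants whose attestation is overdue. The users, resources, project rosters and the 90-day review cycle are constructed assumptions.

```python
"""Flag access grants that need manager attestation.

Added example, not from the article. Grants, rosters and dates are
constructed; the 90-day review cycle is an assumed policy value.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    project: str                  # the project that justified the grant
    approved_by: str              # who approved it (ideally the direct manager)
    granted_on: date
    last_attested: Optional[date]  # None if never re-confirmed since creation


# Constructed sample: current project membership, the source of truth for
# whether a grant is still justified.
ROSTER: Dict[str, Set[str]] = {
    "billing-migration": {"sally"},
    "telemetry-pipeline": {"sally", "john"},
    # "datacenter-move" finished; it no longer has a roster entry.
}

# Constructed sample grants.
GRANTS: List[Grant] = [
    Grant("sally", "billing-db-rw", "billing-migration", "mgr-eng",
          date(2019, 1, 10), date(2019, 6, 1)),
    Grant("sally", "telemetry-s3", "telemetry-pipeline", "mgr-eng",
          date(2019, 8, 1), None),
    Grant("john", "telemetry-s3", "telemetry-pipeline", "mgr-eng",
          date(2019, 8, 20), None),
    # Copied from Sally at HR's request; John is not on that project.
    Grant("john", "billing-db-rw", "billing-migration", "hr-request",
          date(2019, 8, 20), None),
    # Left over from a project that ended months ago.
    Grant("sally", "legacy-ftp", "datacenter-move", "mgr-eng",
          date(2018, 9, 3), date(2019, 2, 1)),
]


def grants_needing_review(
    grants: List[Grant],
    roster: Dict[str, Set[str]],
    today: date,
    cycle: timedelta = timedelta(days=90),
) -> List[Tuple[Grant, List[str]]]:
    """Return each grant that needs a manager decision, with the reasons."""
    flagged = []
    for g in grants:
        reasons = []
        if g.user not in roster.get(g.project, set()):
            reasons.append("user is not on the justifying project")
        # A never-attested grant is measured from the day it was granted.
        last_confirmed = g.last_attested or g.granted_on
        if today - last_confirmed > cycle:
            reasons.append("attestation overdue")
        if reasons:
            flagged.append((g, reasons))
    return flagged


if __name__ == "__main__":
    for grant, reasons in grants_needing_review(GRANTS, ROSTER, date(2019, 8, 26)):
        print(f"{grant.user:6} {grant.resource:14} approved by {grant.approved_by}: "
              + "; ".join(reasons))
```

The output is the list a direct manager should see each cycle: John's billing access was approved by a request, not by someone who knows his role, and Sally's FTP access outlived its project. Tying every grant to a project and a reviewer is what makes "does this person still need this?" an answerable question rather than a guess.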
Every breach you’ve ever heard of has one thing in common: in each case, some type of vulnerability was exploited. Proper vulnerability management is an enormous undertaking that demands cooperation between security (for identification), IT (for remediation), and business units (for scheduling down time on revenue generating systems). Comprehensive vulnerability management is not easy, but there are a few concepts that can make it more effective.
Organizations should accept the fact that they will never patch every vulnerability and therefore should stop making that the target. Instead of trying to boil the ocean, security teams should strive to identify the vulnerabilities most likely to cause impact to the business and its customers. The best way to do this is to use a combination approach. Identify the criticality of the vulnerabilities in your environment using industry standard scoring systems, but don’t stop there. Apply your knowledge of asset criticality to the scoring data to get a better understanding of what the real impact of exploitation would be. A highly critical vulnerability on a developer system in an isolated closet doesn’t pose nearly the business risk of a medium criticality vulnerability on a revenue generating system. This combination approach produces a much clearer patching priority than industry scoring alone, but it requires a partnership between IT and business units to fully understand financial impact.
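The combination approach above, worked through as an added example that is not from the article: each finding carries its industry base score (CVSS-style, 0 to 10) and is multiplied by two locally owned factors, the business criticality of the asset and its network exposure. The weight tables, asset classes and findings are constructed assumptions, and the vulnerability identifiers are placeholders; the point is that a medium finding on an internet-facing revenue system outranks a critical finding on an isolated developer box, which base scores alone would never show.

```python
"""Rank vulnerability findings by business risk, not base score alone.

Added example, not from the article. Weight tables, asset classes and the
findings are constructed; vulnerability IDs are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed business criticality weights, agreed with the business units.
ASSET_WEIGHT: Dict[str, float] = {
    "revenue": 3.0,           # customer-facing, directly generates revenue
    "business-support": 1.5,  # internal systems the business depends on
    "dev-isolated": 0.5,      # developer gear on an isolated segment
}

# Assumed exposure weights, agreed with the network team.
EXPOSURE_WEIGHT: Dict[str, float] = {
    "internet": 2.0,  # reachable from the internet
    "internal": 1.0,  # reachable from the corporate network
    "isolated": 0.5,  # reachable only from its own segment
}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str      # placeholder identifier, not a real advisory
    base_score: float  # industry base score, 0.0 to 10.0
    asset_class: str
    exposure: str


# Constructed sample findings from a scanner export.
FINDINGS: List[Finding] = [
    Finding("dev-box-07", "PLACEHOLDER-VULN-1", 9.8, "dev-isolated", "isolated"),
    Finding("storefront-web", "PLACEHOLDER-VULN-2", 5.5, "revenue", "internet"),
    Finding("payroll-app", "PLACEHOLDER-VULN-3", 7.2, "business-support", "internal"),
    Finding("dev-box-07", "PLACEHOLDER-VULN-4", 6.1, "dev-isolated", "isolated"),
]


def risk_score(f: Finding) -> float:
    """Base score scaled by asset criticality and exposure.

    Unknown classes raise KeyError on purpose: a finding on an asset nobody
    has classified is an asset-management gap, not something to silently
    score as average.
    """
    return f.base_score * ASSET_WEIGHT[f.asset_class] * EXPOSURE_WEIGHT[f.exposure]


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest business risk first; base score breaks ties."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.base_score))


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk_score(f):6.2f}  base {f.base_score:4.1f}  {f.asset:15} {f.vuln_id}")
```

The two weight tables are where the partnership with IT and the business units shows up: security owns the base scores, but only the people running the systems can say which ones generate revenue and which sit in a closet. Keeping those tables in version control next to the scoring code makes the prioritization auditable when someone asks why a "critical" finding sat at the bottom of the queue.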
Content and Cadence
Some organizations rely on periodic release cycles from software vendors to determine what to patch and when. This approach doesn’t produce a real-time view of system vulnerabilities. Additionally, it puts security professionals in the position of having to stay on top of email notifications from software vendors when critical out-of-cycle patches are released. Continuous vulnerability scanning of the environment gives a near-real-time view of the vulnerability landscape and will identify any out-of-cycle critical patches that may be needed. It also gives those responsible for patching a prioritized list to work from. Leveraging scanning technology on an ongoing basis has another advantage. Almost every major vulnerability scanning technology also has the ability to identify configuration issues. Configuration scanning is just as important as vulnerability scanning in detecting easy exploitation targets for adversaries.
An extension of vulnerability management is the method by which new systems are introduced into the environment. Once an organization has a handle on vulnerabilities it would be a shame to reintroduce them by using outdated system images to roll out new assets. Booting from flash drives may be a convenient way for IT resources to build new systems for their local end users, but it introduces image sprawl. Centralized image management is a good way to prevent the reintroduction of vulnerabilities that were previously patched.
Putting it all together
There’s no doubt that comprehensive security hygiene in the enterprise is a complex undertaking, but implementing good practices has a direct impact in reducing overall business risk. It’s worth the effort, and it’s more important than chasing the next big breakthrough in technology that was pitched at the local security conference. The next time you’re contemplating that big technology purchase, remember to check your hygiene first.
If you are looking for guidance on fitting good security hygiene practices into your environment, or perhaps just want to chat about the complexities of security in a rapidly changing technology world, contact us.
Published on 08.26.19