blog-banner-image.jpg

Systems Engineering Blog

A Hacker's Low Hanging 'Security' Fruit

March 30, 2018 | Posted in:

IT Security, Cloud

Posted by John Sterling

EMS

I spent a lot of time early in my career solving complicated problems related to security. In the late 1990's, I consulted as a civilian for the NSA to help automate the 'need-to-know' access of their internal web infrastructure and documentation. I followed that with some time as a Reserve Information Operations Officer for the U.S. Army, and then working for financial services companies including VISA during the birth of the PCI standards. Needless to say, the security field is one with overwhelming depth and it can be challenging for companies to make an iterative, incremental plan to become more secure.

I have seen companies spending a lot of money on complicated systems trying to protect themselves while, in the end, remaining very vulnerable to the basic problems and attacks. Systems Engineering has a Security Network Assessment tool that covers great depth in security assessments - and that is always our recommended course of action - but, here, I want to focus on the three largest attack vectors and propose some simple steps to improve your posture against them.

Multi-Factor Authentication and Single Sign-On

The most common entry point for malicious parties is via compromised credentials (aka user IDs and passwords) so, let's start there. It is not a matter of if your users' passwords get compromised, it is a matter of when. To manage this, you must have Multi-Factor Authentication (MFA) for all of your critical applications. MFA is not a silver bullet, but it is a basic protection that we implement for customers every day - and MFA can provide an excellent first barrier.

The challenge with MFA for some organizations is that it adds to the existing issue of having multiple ways of logging into business apps. To make it seamless, we always pair MFA with a Single Sign-On (SSO) rollout so there is a simple, unified user experience. This is especially simple if you are on the road to Microsoft O365. Note: if your business applications don't allow you to integrate these security measures with your network, then you need to start investigating alternatives. If your software vendors don't support basic security on their products, you should be concerned about their general security posture.

Patching Desktops and Servers

The second most common entry point for cyber hackers is via unpatched computers. Once a criminal has access to some of your desktops and/or systems, the first thing they will try to do is take advantage of past vulnerabilities to make their job easier. Keeping everything up to snuff with regards to patching can be ponderous, but it is critical to keep up with the pace of change. I see organizations leaving unpatched machines online because they are part of a segmented network behind a firewall, but security professionals will tell you it is critical to not daisy-chain security mechanisms. The bottom line is that having patched systems helps protect against and control the amount of damage done by a breach.

Layered Approach to Network Security

Finally, in almost every large attack I have seen the attackers had access to the systems for many months before actually causing any damage. A great example of this was the DoD Office of Personnel Management. This was the hack that leaked, among other things, the most personal information imaginable about military personnel who had gone through the security clearance process.

Here is a rough timeline:

  1. Hackers first breached the systems in November.
  2. Malicious reconnaissance continued undetected until December when they were able to escalate privileges.
  3. They operated totally undetected until March and stole some high level documents and manuals.
  4. At this point, the DoD noticed the activity, conducted a review, and declared the systems secure.
  5. Meanwhile, the hackers continued to progress deeper into their infrastructure for another year undetected.

This is a common scenario. Once hackers have minimal access, they do quiet reconnaissance looking to find vulnerabilities or opportunities for privilege escalation. The longer they are able to access the system, the bigger the impact will be. In this case, if they had been detected quickly, there would have been no meaningful loss of data.

Bottom line, once you have the basics in place, equip all of your network devices and endpoints with patching, set up automated alerts based on common attack fingerprints, and include a manual review of medium-level threats. This way, even if someone makes it through the outer barriers, you have a chance at nipping it in the bud before they have time to launch a more sophisticated internal attack.

Where to Begin

If you are concerned about your organization's network security, begin with the basics:

  1. Equip every application your teams use with Multi-Factor-Authentication and Single-Sign-On.
  2. Remediate legacy patching problems, then institute a pro-active patching procedure.
  3. Monitor, alert, and spot check all network traffic.

Once you have earned an 'A' in those areas, you can continue to progress further in the security infrastructure maturity model - opportunities for maintaining and enhancing your security posture will be limitless, so it becomes a process of continuous improvement.

Are you looking to better secure your organization's network? Fill out the form below and click on 'secure my data.'

 


 JSterlingJohn Sterling is the Director of Engineering at Systems Engineering, bringing 20+ years of IT experience in a variety of leadership roles. Most recently, John was Senior Director, Software Engineering at CashStar, Inc. Prior to that, he was Lead Architect at LabNetwork Inc.; Vice President of Global Product Development at WEX Inc.; and Director of Application Development at VISA USA.