November 24 2020
In part 1 of our 4-part series, we discussed how to evaluate your organisation’s security risks and the steps to creating a risk management strategy, including building a security policy. In part 2 we are looking at how to take that policy and implement technical security protection to help mitigate those risks.
Implementing Secure Configuration
New devices and software often come with default configurations, such as predefined passwords. Whilst this is convenient for set-up, leaving devices in that state is not secure. A badly configured system could allow attackers to gain access to confidential information, tamper with critical data, or simply block your access to it (much as ransomware does).
You can actively maintain your secure configurations by:
- Creating and maintaining an asset register, covering both hardware and software
- Changing default passwords and restricting the use of weak passwords
- Removing and disabling unnecessary user accounts and user privileges
- Removing and disabling unnecessary software
- Conducting regular vulnerability scans
- Using multifactor authentication before granting users Internet-based access to sensitive data
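Most of the list above can be turned into automated checks against a known-good baseline. As an added example (not code from the original post), the Python below audits an OpenSSH server configuration for a handful of settings that are commonly left at their defaults. The sample sshd_config and the BASELINE values are constructed for this example; the SSHD_DEFAULTS are OpenSSH's own defaults for those directives. Two details catch people out and are handled here: a commented-out line in the shipped file documents a default but does not set anything, and when a directive appears twice sshd uses the first value, not the last.

```python
"""Check an sshd_config against a small hardening baseline.

Added example, not from the original post. SSHD_DEFAULTS are OpenSSH's own
defaults for these directives (OpenSSH 7.0 and later); BASELINE is an
illustrative policy for this example, not a recommendation from the page.
"""
import re

# Values sshd applies when a directive is absent. The commented-out lines in a
# distribution-shipped sshd_config document these defaults but do not set them.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

# Directive -> set of acceptable values under this example's baseline.
BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}

# Constructed sample: the kind of file left behind after a hurried change.
SAMPLE_CONFIG = """\
# sshd_config - defaults shown commented out
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication yes
X11Forwarding no
Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return the effective global directive -> value map (keys lower-cased).

    Two sshd_config rules matter for auditing: lines beginning with '#' are
    comments, not settings, and for a repeated directive the FIRST value wins.
    Everything after a Match line is conditional rather than global, so it is
    skipped here.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Directives are "Key value" or "Key=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def check_baseline(text):
    """Return [(directive, effective_value, source, allowed_values)] for every
    directive failing the baseline, whether set explicitly or by default."""
    effective = parse_sshd_config(text)
    findings = []
    for key, allowed in BASELINE.items():
        if key in effective:
            value, source = effective[key].lower(), "explicit"
        else:
            value, source = SSHD_DEFAULTS[key], "default"
        if key == "permitrootlogin" and value == "without-password":
            value = "prohibit-password"  # deprecated spelling of the same setting
        if value not in allowed:
            findings.append((key, value, source, sorted(allowed)))
    return findings


if __name__ == "__main__":
    for key, value, source, allowed in check_baseline(SAMPLE_CONFIG):
        print(f"FAIL {key}={value} ({source}); expected one of {allowed}")
```

On the sample file this reports root login as explicitly enabled (the later `PermitRootLogin no` is ignored by sshd) and password authentication as enabled by default, because the only line disabling it sits inside a Match block. The same approach works for any text-based configuration: encode the vendor defaults, encode your baseline, and test the effective value rather than what the file appears to say.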
Some of these things might sound like just more work, but reducing your attack surface is critical. Take removing unnecessary software: several major computer vendors have shipped vulnerable default-bundled software (often called “bloatware”). Dell released a patch in June 2019 for a vulnerability in its bundled “SupportAssist” tool, and Lenovo was hit by lawsuits after bundling the “Superfish” adware, which installed its own root certificate and intercepted HTTPS traffic on affected laptops.
With vulnerabilities being discovered daily and software updates released constantly, unpatched software remains one of the greatest causes of security incidents. Whilst fixing these issues and applying upgrades may cause temporary disruption to your business, continuously monitoring and managing them is essential to minimise the risk of downtime caused by a breach, which would be far more damaging. Remember Equifax in 2017, where a critical patch for a known Apache Struts vulnerability was missed!
By following a repeatable process, identifying vulnerabilities through regular scanning, classifying their risk, working out the remedy and applying it, you can significantly reduce the chance of your organisation being exploited through software vulnerabilities.
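The “classify their risk” step is where most programmes go wrong: the scanner's severity score is treated as the priority, when exposure and known exploitation matter at least as much. As an added example (not from the original post), the Python below takes a constructed set of scan findings, raises the priority of anything internet-facing or known to be exploited, attaches an SLA deadline and reports what is overdue. The findings, SLA table, known-exploited list and audit date are constructed; the only real identifier used is CVE-2017-5638, the Apache Struts flaw behind the Equifax breach.

```python
"""Classify vulnerability-scan findings into a prioritised remediation queue.

Added example, not from the original post. FINDINGS, SLA_DAYS, KNOWN_EXPLOITED
and TODAY are constructed for illustration; CVE-2017-5638 is the real Apache
Struts vulnerability exploited in the Equifax breach.
"""
from datetime import date, timedelta

# Remediation deadline in days per priority tier (illustrative policy values).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}

# Constructed audit date, fixed so the example is repeatable.
TODAY = date(2020, 11, 24)

# Constructed scanner output, one entry per asset and issue.
FINDINGS = [
    {"asset": "web-01", "title": "Apache Struts RCE", "cve": "CVE-2017-5638",
     "cvss": 10.0, "internet_facing": True, "first_seen": date(2020, 10, 1)},
    {"asset": "fileserver", "title": "Missing OS patches", "cve": None,
     "cvss": 7.5, "internet_facing": False, "first_seen": date(2020, 11, 1)},
    {"asset": "web-02", "title": "Weak TLS cipher suites", "cve": None,
     "cvss": 5.3, "internet_facing": True, "first_seen": date(2020, 9, 1)},
    {"asset": "intranet", "title": "Server version disclosed in banner", "cve": None,
     "cvss": 3.1, "internet_facing": False, "first_seen": date(2020, 11, 20)},
]

# Constructed: CVEs with exploitation observed in the wild.
KNOWN_EXPLOITED = {"CVE-2017-5638"}


def severity(cvss):
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def priority(finding, known_exploited):
    """Raise the base rating by one tier for an internet-facing asset and by
    one more if an exploit is known to be in use (floor at P1).

    The score alone is not the risk: a medium on an exposed host can need
    fixing sooner than a high on an isolated one.
    """
    tier = {"critical": 1, "high": 2, "medium": 3, "low": 4}[severity(finding["cvss"])]
    if finding["internet_facing"]:
        tier -= 1
    if finding.get("cve") in known_exploited:
        tier -= 1
    return f"P{max(tier, 1)}"


def triage(findings, known_exploited, today):
    """Attach priority, SLA due date and overdue flag; most urgent first."""
    queue = []
    for f in findings:
        p = priority(f, known_exploited)
        due = f["first_seen"] + timedelta(days=SLA_DAYS[p])
        queue.append({**f, "priority": p, "due": due, "overdue": today > due})
    queue.sort(key=lambda item: (item["priority"], item["due"]))
    return queue


def overdue(findings, known_exploited, today):
    """Items past their SLA: the list to escalate, or to fail a pipeline on."""
    return [item for item in triage(findings, known_exploited, today) if item["overdue"]]


if __name__ == "__main__":
    for item in triage(FINDINGS, KNOWN_EXPLOITED, TODAY):
        flag = "OVERDUE" if item["overdue"] else "ok"
        print(f'{item["priority"]} {item["asset"]:<10} {item["title"]:<36} due {item["due"]} {flag}')
```

Note how the medium-rated TLS finding on the exposed host lands in P2 alongside the high-rated patching gap on the internal file server, and is the one that is overdue. The `overdue()` list is also a natural gate for a build or deployment pipeline: a non-empty result means the SLA has already been breached.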
Carrying out Security Testing
Many organisations fall foul of a security policy that sounds impressive in the boardroom but does not work in the real world. For example, it is common to hear companies mandate “penetration testing annually, or after a significant system change”. However, with the modern, agile approach to software development, where changes are little and often, how many small system changes does it take before one counts as a “significant system change”? Companies should consider performing security testing in a similarly agile manner, so that issues are found and fixed continuously, which ultimately saves time and money.
Carrying out regular vulnerability scans alongside annual penetration tests will help you stay on top of security issues; integrating automated security testing into your CI/CD pipeline is better still.
Implementing Network Segmentation
Despite NotPetya in 2017 being one of the most well-known and destructive malware outbreaks in history, network segmentation is still one of the most neglected areas of security. Splitting your organisation's network into segments and strictly filtering traffic between them not only can improve network performance, it helps contain threats and stops malware spreading through your entire estate.
It is important to remember, though, that even if you separate devices using technologies such as VLANs, segmentation bypasses may still exist. For example, a corporate device that (automatically or manually) connects to a guest Wi-Fi network whilst also being physically connected to the corporate network is bridging the two. This is a common weakness: a staff member's device could be compromised through the guest wireless network, allowing an attacker to pivot into the corporate network without having to deal with the firewall restrictions directly.
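Bridging hosts of this kind can be found from data you probably already collect: the interface addresses reported by an endpoint agent, NAC/802.1X logs or DHCP leases. As an added example (not from the original post), the Python below takes a constructed interface inventory, maps each address to a segment and reports any device with a foot in two segments that should never meet. The segment ranges, the forbidden pairings and the inventory are all constructed for this example.

```python
"""Find devices that straddle two network segments (dual-homed hosts).

Added example, not from the original post. SEGMENTS, FORBIDDEN and INVENTORY
are constructed; in practice the interface inventory would come from an
endpoint agent, 802.1X/NAC logs or DHCP leases.
"""
import ipaddress
from itertools import combinations

# Segment name -> address range (constructed).
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
}

# Segment pairs that must never meet on one device: a host with a foot in each
# lets an attacker on the weaker side pivot around the inter-segment firewall.
FORBIDDEN = {
    frozenset({"corporate", "guest_wifi"}),
    frozenset({"servers", "guest_wifi"}),
}

# Constructed inventory: hostname -> [(interface, address), ...]
INVENTORY = {
    "LAPTOP-01": [("eth0", "10.10.4.23"), ("wlan0", "192.168.50.17"), ("lo", "127.0.0.1")],
    "LAPTOP-02": [("eth0", "10.10.4.24"), ("wlan0", "192.168.1.5")],   # home Wi-Fi, unknown range
    "SRV-DB-01": [("ens3", "10.20.0.10")],
    "LAPTOP-03": [("wlan0", "192.168.50.40"), ("tun0", "10.20.0.77")],  # guest Wi-Fi plus a VPN into servers
}


def segment_of(address):
    """Name of the segment containing address, or None for loopback, link-local
    and any range not in SEGMENTS (e.g. a home network or a 4G hotspot)."""
    addr = ipaddress.ip_address(address)
    for name, network in SEGMENTS.items():
        if addr in network:
            return name
    return None


def bridging_hosts(inventory):
    """Return (host, segment_a, segment_b, interfaces) for every forbidden pairing."""
    findings = []
    for host, interfaces in inventory.items():
        by_segment = {}
        for iface, address in interfaces:
            seg = segment_of(address)
            if seg is not None:
                by_segment.setdefault(seg, []).append(f"{iface}={address}")
        # Every pair of segments this host touches, checked against the policy.
        for a, b in combinations(sorted(by_segment), 2):
            if frozenset({a, b}) in FORBIDDEN:
                findings.append((host, a, b, by_segment[a] + by_segment[b]))
    return findings


if __name__ == "__main__":
    for host, a, b, ifaces in bridging_hosts(INVENTORY):
        print(f"{host}: bridges {a} and {b} via {', '.join(ifaces)}")
```

LAPTOP-01 is the wired-plus-guest-Wi-Fi case described above; LAPTOP-03 shows the same problem reached through a VPN tunnel, which is why the check works on addresses rather than on interface names. Addresses outside any known segment (LAPTOP-02's home network) are deliberately ignored here; whether a corporate device on an unknown network is itself a finding depends on your remote-working policy.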
Protecting your Data
All companies hold data, from employee and client information to intellectual property. How you acquire, store, protect and process this information is vital to ensuring that it is secure and that you are adhering to the General Data Protection Regulation (GDPR).
Before GDPR came into force on May 25th 2018, the maximum fine the ICO could impose for misuse of personal data under the Data Protection Act 1998 was £500,000. In July 2019 the ICO demonstrated the importance of data compliance by announcing its intention to fine British Airways £183.39 million (approximately 1.5% of its worldwide turnover) for its 2018 data breach; the penalty finally issued in October 2020 was reduced to £20 million, still by far the largest the regulator had imposed. Data misuse may not only see you hit with large fines, it leaves you exposed to hackers stealing sensitive information and to huge reputational damage.
By mapping out the following you can identify your areas of weakness, make improvements and implement a process that ensures your data continues to be managed correctly:
- Identify what data you hold, where it is stored, and how long for
- Clarify who owns it and what your responsibilities are
- Evaluate how the data is currently secured and make improvements if necessary
- Consider how you are going to process the information and whether that adheres to GDPR
Managing User Accounts and Access
Throughout their time with an organisation, employees are granted permissions to a range of systems to help them do their job. Over time these permissions accumulate as roles develop or people change position, yet permissions that are no longer necessary or relevant are rarely revoked. Managing user accounts and access according to the principle of least privilege (PoLP) helps minimise the attack surface exposed to insider threats or compromised credentials.
Cloud computing adds a complication here. Many providers offer incredibly granular permissions, but some permissions grant far more access than their names initially suggest. This is often referred to as the problem of “shadow admins”: a specific combination of seemingly modest permissions allows an account to trivially escalate its privileges in a way that is not immediately obvious. In AWS IAM, for example, the right to attach a policy to your own user, or to pass a privileged role to a compute service you are allowed to create, is effectively administrative access, even though no administrator policy is attached.
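Spotting shadow admins requires looking at what the combination of permissions makes possible rather than at the policy names. As an added example (not from the original post), the Python below walks a constructed, simplified set of AWS-IAM-style policy statements, expands the action wildcards and checks each identity against a short list of well-documented IAM escalation combinations. USERS, the path descriptions and ADMIN_MARKERS are constructed for this example; the list of paths is illustrative rather than exhaustive, and the code ignores resource scoping, conditions and Deny statements, so its output is a set of candidates for review rather than a verdict.

```python
"""Flag 'shadow admin' identities: accounts whose permissions allow privilege
escalation even though no obviously administrative policy is attached.

Added example, not from the original post. USERS is a constructed, simplified
set of AWS-IAM-style policy statements. ESCALATION_PATHS lists well-documented
IAM escalation combinations but is illustrative, not exhaustive, and the
checks ignore resource scoping, conditions and Deny statements, so the output
is a list of candidates to review rather than a verdict.
"""
import fnmatch

# Action sets that, held together, let the holder grant themselves more access.
ESCALATION_PATHS = {
    "attach a managed policy to a user": {"iam:AttachUserPolicy"},
    "write an inline policy on a user": {"iam:PutUserPolicy"},
    "create a new default version of an attached policy": {"iam:CreatePolicyVersion"},
    "switch an attached policy to a more permissive version": {"iam:SetDefaultPolicyVersion"},
    "create access keys for another user": {"iam:CreateAccessKey"},
    "set a console password for another user": {"iam:CreateLoginProfile"},
    "launch an EC2 instance with a privileged role": {"iam:PassRole", "ec2:RunInstances"},
    "create and invoke a Lambda with a privileged role": {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "edit a role's trust policy, then assume it": {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
}

# Patterns that already say 'admin' out loud; those accounts are not *shadow* admins.
ADMIN_MARKERS = {"*", "iam:*"}

# Constructed identities with the policy statements attached to each.
USERS = {
    "alice": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "bob": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}],
    "carol": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "iam:CreatePolicyVersion"], "Resource": "*"}],
    "dave": [{"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"}],
    "erin": [{"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"}],
}


def allowed_action_patterns(statements):
    """Collect the action patterns from Allow statements, lower-cased.

    IAM action names are case-insensitive and may use '*' wildcards.
    NotAction statements and Deny statements are skipped in this example.
    """
    patterns = set()
    for statement in statements:
        actions = statement.get("Action")
        if statement.get("Effect") != "Allow" or actions is None:
            continue
        if isinstance(actions, str):
            actions = [actions]
        patterns.update(a.lower() for a in actions)
    return patterns


def grants(patterns, action):
    """True if any pattern (e.g. 'iam:*', 'iam:create*') matches the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def shadow_admin_paths(statements):
    """Escalation paths open to an identity that is not already an obvious admin."""
    patterns = allowed_action_patterns(statements)
    if patterns & ADMIN_MARKERS:
        return []
    return [name for name, needed in ESCALATION_PATHS.items()
            if all(grants(patterns, action) for action in needed)]


def audit(users):
    """Map each flagged identity to the escalation paths it holds."""
    flagged = {}
    for user, statements in users.items():
        paths = shadow_admin_paths(statements)
        if paths:
            flagged[user] = paths
    return flagged


if __name__ == "__main__":
    for user, paths in audit(USERS).items():
        print(f"{user}: can escalate via " + "; ".join(paths))
```

Carol looks read-only (Get and List) but the single extra action lets her publish a new version of any policy attached to her; Dave's developer grant is harmless until `iam:PassRole` is added, at which point he can run code as any role he can pass. Erin, with `ec2:RunInstances` but no `iam:PassRole`, is correctly not flagged. An access review that reads policy names alone would miss both Carol and Dave.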
Reviewing your Security Protections
At Secarma, we believe that all companies can benefit from the guidance and direction of a trusted cybersecurity advisor. We aim to assist companies in understanding the risks they face to improve their own cybersecurity maturity.
With this in mind we have developed a Cybersecurity Maturity Assessment (CSMA), a simplified version of the NCSC Cyber Assessment Framework, which covers all the areas discussed in this blog and in the other three blogs that make up this 4-part series.
Download our CSMA information pack to find out more about how we can help you assess and improve your current security program.