8 Vulnerabilities Penetration Testers Recommend You Address in 2019
With enterprises continuing to grow in complexity with the infusion of hybrid IT architectures that incorporate both on premise and multi-cloud environments, there is no doubt that securing your applications, data and workloads is growing more challenging. Yet, a focus on the basic elementary principles of cybersecurity can go a long way in protecting your company from most attacks. Penetration testers are the frontline witnesses on cyber threats. They continue to see the same weaknesses and vulnerabilities within the enterprises they examine. Below, is a list of recommendations for you to be aware of in the year ahead.
- Privilege Separation
Admin and privilege accounts are the keys to the kingdom for any hacker. When malware is downloaded and installed via the privileged rights of a domain admin or network account, the malicious code can spread laterally throughout the network uninhibited. A survey conducted last year showed that 57 percent of organizations on average assign local admin rights to some portion of their normal users. Surprisingly, this percentage increases along with the size of the organization; 69 percent of enterprises with more than 5,000 users admitted to this practice. In addition, unprivileged accounts often have access to privileged information such as intellectual property, financial information or personal data. Best security practices call for the enforcement of least privilege, so that standard users are allocated only the privileges, rights and data access permissions essential for them to perform their intended job functions. It also means privileged accounts only perform their intended job functions using these sought after profiles. User-based tasks such as checking email and accessing the internet should be done using a separate standard user account.
- Weak Passwords
The annual “Most Popular Passwords” list was released for 2018 and once again, the results are alarming. The most popular password was “123456” followed by, you guessed it, “password.” Users also tend to recycle the same passwords repeatedly. In January of 2019, the largest collection of compromised credentials was discovered that included 773 million email addresses and over 21 million passwords. According to a 2017 security study, 81 percent of confirmed data breaches are due to passwords.
Don’t just blame users however. The widespread use of default vendor passwords when it comes to network and IoT devices continues throughout enterprises everywhere. With the advances in credential stuffing attack methodologies and software applications, vulnerable passwords are easy to discover.
- Poor Patching Practices
In May of 2017, a series of global ransomware attacks utilizing the EternalBlue exploit made their way across the world, bringing down some of the worlds largest companies for weeks at a time. Despite Microsoft’s release of the MS17-010 patch to address the exploited vulnerability, EternalBlue continues to be used by hackers. It’s very simple. Inadequate patch management can leave loopholes in your IT infrastructure, and loopholes lead to cyberattacks. Patching is the most important process your IT staff can perform in order to harden and secure your devices.
- Keeping Up with Recommended Settings
The dynamic world of cybersecurity is continually evolving as current protocols and security tools are compromised and new ones created. The use of deprecated encryption standards such as TLS 1.0, DES and 3DES is not recommended today as these protocols are less secure than newer alternatives. Other common examples include the continued use of outdated wireless protocols, NetBIOS and SMB 1.0.
According to the Verizon 2018 Data Breach Investigations Report, 78 percent of users within an organization did not click a single phishing link the entire year of 2017. That’s the good news. The bad news is that four percent will click on just about anything and the remainder are susceptible to well-thought-out attacks. Phishing continues to be the primary delivery mechanism for malware and according to the FBI, cybercriminals made off with $676 million using business email compromise (BEC) schemes last year. In many ways, email today is a battlefield that requires your attention every day because it only takes a single click by one user on an embedded link or attachment to cause havoc on your enterprise.
- Improperly Configured Network Equipment
The era of the flat network in which broadcasts and other types of network traffic can simply run unabated are no more. The protection of east-west traffic is just as essential as north-south throughout your enterprise. Today’s networks must be designed under the premise that threats will penetrate the network perimeter which means that your network must be segmented into multiple sectors in order to limit the scope of a successful attack. This is done through proper configuration of your firewall, routers and switches. Many enterprises fail to maximize the equipment they have due to improper configuration of their infrastructure devices.
- BYOD and IoT
The attack surface of your network expands in sync with the number of devices that reside on your network. The Pandora’s Box predicament of BYOD is a conundrum that organizations continue to struggle against. Every device in your network is a point of vulnerability. This applies to IoT devices as well. The old adage that you can’t protect what you can’t see is especially true today with the proliferation of both BYOD and IoT devices within today’s enterprises. Full visibility is essential today in order to know what devices reside within your network as well as the state of their security status of each device.
- Insecure Coding Practices
It is an app driven world today. This means you have to protect your apps as well as your devices because hackers are probing them, seeking system flaws and application weaknesses that can be exploited and compromised. Eliminating the most common security risks inherent in insecure software as outline in the OWASP Top 10 Web Application Security Risks is essential to secure your application infrastructure.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.