Cyber security must be a top priority for businesses in all industries today. While companies often focus on updating their protocols and keeping staff up to date on best practices, their IT systems can remain vulnerable to cyber or ransomware attacks. That is usually due to misconfigured systems, poor digital security, and insecure software.
Recently, CISA, the FBI, and the National Security Agency (NSA), along with cybersecurity authorities from Canada, New Zealand, the Netherlands, and the United Kingdom, released a to-do list of best practices for companies in the joint advisory Weak Security Controls and Practices Routinely Exploited for Initial Access.
“Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system,” the joint advisory said.
With this in mind, we will explore these recommendations and how companies can apply them to their organizations.
Poor Security Practices Often Exploited by Cyber Criminals
Many companies are still employing hybrid workforces due to the recent pandemic. With employees using technology at home, often with insecure personal internet connections, cybercriminals have even more opportunities to launch sophisticated and potentially damaging attacks. Even if employees work on-site, many common missteps when setting up and maintaining an organization’s software and systems can still leave them vulnerable.
Here are some things to be aware of to prevent these kinds of attacks.
Multifactor authentication (MFA) not enforced: MFA secures data and applications by requiring users to present two or more credentials to verify their login. Even if one credential is compromised, an unauthorized user will not be able to meet the second requirement to gain access, which makes this a robust security measure for all users. Enforcing MFA, including with a thumbprint or a physical hardware key, will increase confidence within an organization that it is secure.
Using software or hardware with default security settings: New network software and devices often arrive packaged with pre-set passwords. These passwords, usually printed on the packaging, are designed to be easy to remember and activate. However, this simplicity makes it even easier for outside agents to access them. These default passwords are often readily available on the internet, including on the manufacturer’s website, and must be changed before using any new device or software for the first time.
Vulnerable remote services: Threat actors have recently been targeting remote services such as virtual private networks (VPNs). These VPNs often lack sufficient controls to prevent unauthorized access. As a result, additional control mechanisms, including firewalls, MFA, and detection systems that can identify unexpected activity, are essential.
Weak passwords: Often, employees use weak or easy-to-remember passwords, such as “12345” or even “Password.” Cyber actors can deploy various methods to exploit these weaknesses and gain unauthorized access. That’s why it’s essential to advise employees not only to use strong passwords, but also to update their passwords periodically, in case an organization’s system gets hacked and user passwords get shared on the “dark web.”
Misconfigured cloud services: Cloud services are often prime targets for cyber actors. This is primarily due to poor configurations and open ports exposed to the internet. Hackers often use scanning tools to detect open ports and find vulnerable services, including RDP, Server Message Block (SMB), Telnet, and NetBIOS.
Blocking Phishing Attempts: Cyber actors still find much success in sending emails with malicious links that can infect computer systems. It’s imperative that all users not open suspicious emails from unknown people and notify their IT or security departments about these messages when they receive them.
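The misconfigured-cloud-services point above can be turned into a routine check. This added example (not from the advisory or from J5 Consulting) audits a constructed set of firewall or security-group rules in a simplified tuple format of our own, and flags any rule that exposes RDP, SMB, Telnet or NetBIOS to source addresses outside the internal networks we assume are trusted:

```python
"""Flag firewall / security-group rules that expose remote-management and
file-sharing ports to the internet. Rule format is a simplified one for this
example, not any cloud vendor's: (name, protocol, from_port, to_port, source_cidr)."""
import ipaddress

# Services the advisory names as commonly found exposed by scanning: RDP, SMB, Telnet, NetBIOS.
RISKY_PORTS = {
    3389: "RDP",
    445: "SMB",
    23: "Telnet",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    139: "NetBIOS session",
}

# Assumed trusted address space (RFC 1918 plus loopback); anything outside counts as public.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def source_is_public(cidr):
    """True when the rule's source is not wholly inside an internal network (e.g. 0.0.0.0/0)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == internal.version and net.subnet_of(internal)
                   for internal in INTERNAL_NETS)

def find_exposed_services(rules):
    """Return (rule_name, port, service) for every risky port a rule opens to public sources."""
    findings = []
    for name, proto, from_port, to_port, cidr in rules:
        if proto not in ("tcp", "udp", "all") or not source_is_public(cidr):
            continue
        for port, service in RISKY_PORTS.items():
            if from_port <= port <= to_port:   # port ranges catch "allow everything" rules too
                findings.append((name, port, service))
    return findings

# Constructed sample rules, not taken from any real environment.
SAMPLE_RULES = [
    ("web-public",   "tcp", 443,  443,   "0.0.0.0/0"),       # fine: HTTPS is meant to be public
    ("rdp-anywhere", "tcp", 3389, 3389,  "0.0.0.0/0"),       # RDP open to the internet
    ("rdp-office",   "tcp", 3389, 3389,  "10.20.0.0/16"),    # RDP from internal range only
    ("legacy-all",   "all", 0,    65535, "0.0.0.0/0"),       # everything open: six findings
    ("smb-vpn",      "tcp", 445,  445,   "192.168.50.0/24"), # SMB from internal range only
]

if __name__ == "__main__":
    for rule, port, service in find_exposed_services(SAMPLE_RULES):
        print(f"EXPOSED rule={rule} port={port} service={service}")
```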
Recommended Mitigation Steps
With the variety of weaknesses and poor security practices listed above, companies need to take active steps to mitigate any potential cyber attack. Here are the recommendations from the NSA and CISA guidance.
Adopt a Zero-Trust Security Model: Zero-trust security ensures that all users, whether inside or outside a specific network, are authenticated, authorized, and consistently validated to have the necessary access. This strategy also includes the least-privilege model that ensures users only have access to the specific data and resources they need. Doing both will help prevent any potential cyber attack from reaching an entire database or network and facilitate easier containment.
Establish Centralized Log Management: Keeping track of log files is vital for organizations to have enough information to investigate incidents and prevent future attacks. For maximum effectiveness, determine which log files are needed, including system logs, network logs, application logs, and cloud logs. Set up alerts that record suspicious activity, including timestamps. Keep logs off local systems and move them to a centralized, secure location or repository. Finally, determine how long logs need to be retained and decide on any record-keeping or archives for future research.
Employ Antivirus Programs and Detection Tools: Antivirus tools and programs still offer an effective way to monitor for potential attacks or malicious code embedded in software or hardware. Regularly update these programs to remain current with new threats. In addition, employ endpoint detection tools that continuously monitor for threats; endpoints include employee workstations and laptops, servers, cloud systems, and mobile applications. Ensure all potential hazards are recorded in a central database for further analysis and reporting.
Maintain Rigorous Configuration Management Programs: Misconfigurations of a system’s default settings can lead to many problems, including poor performance and potential vulnerability to a security breach. Pre-set passwords or pre-installed applications can be easily exploited, allowing a hacker access to unauthorized data. Specialized configuration management gives IT teams a better sense of what’s happening in their key assets and can better alert them to potential security issues. The basic tools will classify and manage systems, enable new settings, automate patch updates, and identify problematic and non-compliant configurations.
Effective Patch Management: Having an effective patch management process in place ensures that organizational software stays up to date and remains secure against potential threats. A sound patch process includes testing patch updates before releasing them system-wide, performing frequent vulnerability scanning to discover potential gaps in security, and retiring unsupported or end-of-life software or firmware on a timely basis. Finally, prioritize patches that counter known exploited vulnerabilities, including those listed in CISA’s Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
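The centralized logging recommendation above only pays off when alerts are actually raised from the collected logs. This added example (not from the advisory or from J5 Consulting) shows one such alert over constructed VPN authentication log lines in a format of our own: it counts failed logins per source address inside a sliding time window, which is the trace left by the password guessing against remote services and weak passwords described earlier, and emits a timestamped alert the first time a source crosses the threshold.

```python
"""Alert on repeated failed logins seen in centrally collected auth logs.
Constructed log format (not any vendor's): <ISO ts> <host> <service> <OK|FAIL> user=<u> src=<ip>
Lines are assumed to arrive in timestamp order, as a collector would sort them."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures from one source address ...
WINDOW = timedelta(minutes=10)  # ... inside this window raise an alert

def parse_line(line):
    ts, host, service, result, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "service": service,
            "result": result, "user": user[len("user="):], "src": src[len("src="):]}

def detect_password_guessing(lines):
    """Return one timestamped alert per source the first time it crosses the threshold."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > WINDOW:   # expire failures older than the window
            q.popleft()
        if len(q) >= FAIL_THRESHOLD and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"ts": ev["ts"].isoformat(), "src": ev["src"], "host": ev["host"],
                           "service": ev["service"], "failures": len(q)})
    return alerts

# Constructed sample lines from two VPN gateways; 203.0.113.9 tries five accounts in a minute.
SAMPLE_LOGS = [
    "2024-05-01T07:00:00 vpn-gw2 vpn FAIL user=mlee src=198.51.100.4",
    "2024-05-01T08:00:01 vpn-gw1 vpn FAIL user=jsmith src=203.0.113.9",
    "2024-05-01T08:00:07 vpn-gw1 vpn FAIL user=admin src=203.0.113.9",
    "2024-05-01T08:00:12 vpn-gw2 vpn OK user=mlee src=198.51.100.4",
    "2024-05-01T08:00:15 vpn-gw1 vpn FAIL user=root src=203.0.113.9",
    "2024-05-01T08:00:21 vpn-gw1 vpn FAIL user=guest src=203.0.113.9",
    "2024-05-01T08:00:30 vpn-gw2 vpn FAIL user=mlee src=198.51.100.4",  # 07:00 failure has expired
    "2024-05-01T08:00:44 vpn-gw1 vpn FAIL user=jsmith src=203.0.113.9",  # fifth failure: alert
    "2024-05-01T08:00:59 vpn-gw1 vpn FAIL user=jsmith src=203.0.113.9",  # already alerted
]

if __name__ == "__main__":
    for a in detect_password_guessing(SAMPLE_LOGS):
        print(f"ALERT {a['ts']} {a['failures']} failed logins from {a['src']} on {a['host']}/{a['service']}")
```

A real deployment would key the same logic on target account as well as source address, since guessing spread across many addresses will not trip a per-source count.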
Any commitment to improving overall cyber security requires a combined team effort from everyone within an organization. Implementing active mitigation measures and taking steps to address common security issues will go a long way toward keeping any organization cyber secure.
Does your agency or organization need guidance or additional support to fully implement zero trust compliance? Reach out to J5 Consulting and connect with our team of IT experts.