The vast majority of information security incidents aren't caused by highly-sophisticated, unprecedented technological exploitation. In fact, the bulk of security incidents is caused by just ten known security vulnerabilities or humans who fall prey to phishing attacks. Significantly reducing your company's risk of data breach requires organizations to mitigate the most commonly overlooked risks.
The breadth of the security field may be responsible for an organization's overlooked vulnerabilities. While one company may be an expert at applying necessary patches, the security policy may be well out-of-date. A competitor may have strong technological safeguards, but sloppy mobile protection. Best practices and regulatory compliance require organizations to take a comprehensive approach to risk management. In this blog, we'll define 10 of the most commonly overlooked security risks and discuss best practices for mitigation.
1. Mobile Devices
Mobile devices are a critical tool for worker productivity. A CIOInsight study indicates workers may gain as many as nine hours per week of additional productivity when given access to a smartphone, tablet, or another device. However, these devices can introduce a wide array of risks and vulnerabilities to the enterprise.
Some of the most common mobile-related risks can include:
- Device theft
- Communication interception
- Mobile malware
- User risks (sharing devices)
How to Mitigate Mobile Device Risk:
- Mobile device management (MDM) technology can improve oversight and the ability to maintain consistent, on-time security updates to mobile devices.
- Ensure your Acceptable Use Policies include clear guidelines for company and employee-owned mobile devices.
- Agent-based file integrity monitoring software can enable negative change detection on devices, even if they aren't connected to your company network.
- Carefully weigh the risks and benefits of a Bring-Your-Own-Device (BYOD) policy and whether it's worth implementation at your organization.
2. Portable Storage Devices
Portable storage devices like USB drives have the potential to both leak and introduce data to your network. While many organizations have chosen to introduce policies that prohibit the use of USB flash drives and other portable storage devices to mitigate risks, some are still reliant upon these business tools. If your organization is still using portable storage devices, it's wise to consider better controls around these items or an alternative like cloud-based file sharing.
How to Mitigate Portable Storage Device Risk
- Consider turning off ports in your desktops to completely prevent use. This can be accomplished with Windows Active Directory.
- Provide employees with alternatives to portable storage devices for data-sharing needs such as cloud-based file sharing options.
- Address portable storage devices in your security policy; include clear guidelines for use or the complete prohibition of use.
3. Poor Password Management
A shocking number of passwords are still set as "admin" or "default" due to poor password governance and control. These vulnerabilities can occur when IT professionals vow to change passwords "later" and fail to follow up. Other forms of poor organizational control, such as minimal password standards or infrequent password changes, can result in network security risks.
How to Mitigate Poor Password Management Risk:
- Implement technical safeguards to enforce appropriate passwords and changes.
- Address policies and penalties for employee password sharing in your security policy.
- Fully encrypt all stored passwords in compliance with PCI-DSS standards.
4. Poor Authentication Requirements
Single-factor authentication can allow unauthorized access to go undetected for long periods of time. While most security managers are familiar with the basics of access authentication—knowledge of credentials and possession of a known device—additional factors may be necessary for adequate security.
The 2016 Verizon Data Breach Investigation Report (DBIR) indicates a shocking number of data breaches occur after criminals gain access with credentials either stolen through phishing or hacked with brute force. Think of authentication as a critical sidekick to better password management which can help detect unauthorized access to an authorized account.
How to Mitigate Poor Authentication Requirements:
- Implement, at a minimum, two-factor authentication for users to gain successful access.
- Consider adding time and location of access as additional authentication factors.
5. Default Software Installations
Vulnerabilities in systems and applications can occur in both vendor-produced and home-grown IT solutions. Failing to update software can maximize risks. The ten most common technical vulnerabilities accounted for over 85% of data breaches in the past year. It's crucial to shift towards an active model of identifying and remediating threats based on known vulnerabilities in your software configurations.
How to Mitigate Application Risk:
- Deploy all updates from vendors to your software immediately.
- Actively identify and remediate risks in both vendor-supplied and homegrown applications.
- Follow appropriate change control procedures every time configurations are changed or updated.
6. Missing Patches
A single missing patch can weaken your entire network, leaving you vulnerable to attack. If your company's data ecosystem is complex, it can be easy to lose control of patch updates and let patches on utility servers go well out-of-date. However, this can introduce a significant vulnerability that organizations simply can't afford.
How to Mitigate the Risk of Missing Patches:
- Apply patch updates regularly in accordance with PCI requirements.
- Continue monitoring your critical files for negative changes during scheduled patch updates, instead of turning off file integrity monitoring software during update periods.
7. Insider Threats
In a recent TechRepublic poll, 76% of pros noted that "insider threats" are their biggest network security concern. In most cases, insider risks originate from poor knowledge or carelessness which can lead to human error or ignored policies and procedures.
More rarely, insiders with malicious intent can wreak havoc due to first-hand knowledge of system vulnerabilities and technical workarounds. Examples of organizational factors that may put you at risk of realized insider threats can include:
- Minimal training,
- Poor new hire screening,
- Excessive user access, and
- Unchecked administrative "super" users.
How to Mitigate Insider Threats:
- Implement behaviorally-driven training and metrics to measure the results of your awareness programs.
- Create comprehensive access governance policies to ensure users have the minimum degree of necessary access.
- Systemize daily review of your audit lots and log review and ensure your logs cannot be edited by super users.
8. Poor Configuration Choices
In many cases, default configurations can introduce a great deal of risk into network security. An expert review of your firewall rule bases could reveal a number of vulnerabilities because they aren't a good match for your organization's security needs.
How to Mitigate Poor Configuration:
- Ensure your security policy is comprehensive
- Use policy to guide firewall configuration rule bases.
9. Insufficient Policy
Without a comprehensive security policy, it is difficult to control and enforce positive behaviors in an enterprise. Your policy should be a guiding force behind your IT and employee-led efforts to mitigate risks. Per PCI, "All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it."
If your policy leaves any room for questions, it's probably long overdue for an update. The following risk mitigation recommendations are influenced by PCI compliance standards, which represent best practices even for organizations that are not required to comply.
How to Mitigate Policy Risk:
- Review and revise your policy at least once per calendar year.
- Develop daily, weekly, and monthly security procedures, and assign each of these responsibilities clearly to capable personnel.
- Address acceptable usage of computers, mobile, and other devices.
- Define the organization-wide responsibility to protect information for all employees, and ensure every employee is aware of this responsibility.
10. Infrequent File Integrity Monitoring
PCI requirements 10.5.5. and 11.5 require file integrity monitoring at least once per week. However, failing to monitor more frequently and certain forms of file integrity monitoring can fail to mitigate your network vulnerabilities. Agentless file integrity monitoring may only observe changes in throughput, which can neglect the detection of negative changes on certain network devices.
Going a full week or longer between scans can allow unauthorized access to your network to go undetected for days or more. As the DBIR reminds us, 82% of data breaches are complete in a minute or less. Without real-time file integrity monitoring software, your organization could fail to notice you're under attack until it's far too late to stop anything.
How to Mitigate Integrity-Based Risks:
- Implement real-time, agent-based file integrity monitoring software.
- Consider a solution that allows full, real-time remediation of negative changes.
Get the Fundamentals Right
Many of the most commonly-overlooked network vulnerabilities are relatively simple. Out-of-date patches and default passwords can place companies at risk of a successful information security attack. By using compliance, policy, and best-of-class security technologies to guide your security program, you can approach vulnerabilities with the systemic ability to search and destroy risks.
Cimcor offers real-time file integrity, which offers the benefit of network-wide vulnerability detection, advanced change insight, ease of use, and the ability to completely remediate changes in real-time. CimTrak allows organizations to be in full compliance with PCI-DSS standards and provides a best-of-class ability to mitigate and detect risks 24/7. To learn more about CimTrak and PCI compliance, click here.
May 24, 2016