This post first appeared on LinkedIn, published by Daniel Weis, Lead Penetration Tester, Kiandra IT
My average day usually consists of copious amounts of caffeine, a workout and penetrating into some of the hardest (and easiest) networks in Australia, and around the world.
This year we have a substantial number of security engagements under our belt, and already we’re seeing common patterns across all of these engagements in 2017, which is a worry. Some of the issues I commonly find are not direct security issues; they are basic housekeeping issues. CIOs and IT teams, if you want an easy way to reduce your risk profile, please keep your house clean!
Most of the clients that come to us have either never had any sort of security engagement performed, or they have had a basic “intrusion scan”, “security audit” or similar done (usually by a big audit house). In the case of the latter, it is usually because the company has been engaged to provide a service to the government, a bank or another security conscious organisation, and this has been dictated as a security requirement to do business. Unfortunately, these audits usually give the client something like this:
A spat-out version of a vulnerability scan with no substance and no real attack vectors utilised. It doesn’t look at the basics like leveraging default credentials or incorporating perimeter services. This gives companies a degree of comfort (ignorance is bliss), but an organisation definitely shouldn’t think of itself as secure because it has had this done.
Vulnerability assessments are important, but they only provide the “may be vulnerable to” issues. Unless the company/tester has actively validated the vulnerabilities using an exploit, or tried to leverage these vulnerabilities to gain further access, they don’t provide a lot of value.
Which leads me back to housekeeping. The audits above generally won’t involve checks around bad practices which can lead to a breach, for example bad passwords or policies, or old firewall rules.
It’s easy to let basic activities fall to the bottom of the list when you have support tickets to deal with, as well as maintenance and strategic IT projects, but ignoring or postponing IT basics can leave gaping holes in your environment.
Ask yourself: what are you doing to ensure you are not breached?
As a starting point, look at your organisation and check these points off:
- Are your password policies adequate? Are you enforcing a minimum of 10-12 characters, requiring complexity, and disallowing the company name, job functions or generic dictionary words?
- When was the last time you did a review and clean up of Active Directory (AD) accounts? There is no need to keep accounts from three years ago.
- When was the last time you reviewed and cleaned up all domain, enterprise and schema admins?
- Do you separate admin access accounts from standard accounts?
- Have you performed an audit of all accounts set to password never expires?
- When did you last change the service account passwords? Can you use Group Managed Service Accounts?
- When was the last time you reviewed and cleaned up your firewall rules? And, while you’re at it, when was the last time you did an upgrade to the firmware or software?
- Do you use multi-factor authentication (MFA) on your perimeter systems? If not, it’s time to adopt it.
- Are your lockout policies in line with best practice? Do locked accounts stay locked rather than auto-unlocking, and is your lockout threshold too high?
- Have you set up a Have I Been Pwned notification for when accounts are compromised?
- Do you reset user passwords to an easily guessed password, e.g. Welcome1, Monday1 etc.? If so, it’s time to stop.
- Do you have web filtering, email filtering and outbound firewall rule limiting in place?
- Would you know if someone was password spraying an account? If not, you should implement alerting. It can be as simple as a PowerShell script, or you can go more advanced with a HIDS, a service like Sumo Logic, or a SIEM/USM like AlienVault.
- Is AV/endpoint protection on every machine? When was the last time you tested it to ensure it is sufficient? Can users or admins disable or create exclusions in the product locally?
- Do you utilise application whitelisting and trusted locations?
- Are you blocking Office macro documents?
- Are all your perimeter facing services fully patched, everything from operating system, through to applications, services and filtering?
- While we’re at it, how is the patching internally?
- Are your wireless keys changed regularly (for pre-shared key networks), and are you using TLS/certificates for WPA2-Enterprise (RADIUS)?
- Do you periodically review the network for sensitive data and clean-up?
- How do you store passwords? In a spreadsheet, in a text file, in a password manager? How is it protected?
- How do your users store passwords? Have you checked if they are storing credentials on the file shares in TXT documents?
- Do you still use legacy operating systems or apps? If so, decommission or upgrade.
- Make sure you allocate the time and investment required to ensure your team can complete the above
- Are you undertaking Penetration Testing annually (at a minimum)? If not, why not?
- Do you have an incident response process in place for cyber events?
- Have you made allocations in your budgets for security expenditure and testing?
- Do you have Cyber Insurance in place and is the amount suitable for the cover you need?
- Have you planned for decommissioning end-of-life operating systems and applications, and planned for upgrades to the latest versions of software and operating systems?
- Have you started moving to the cloud?
- Do you have an intrusion prevention system (IPS) and sufficient detection and monitoring systems? If not, it’s time to implement them.
- Do you have an awareness training program in place? If not, why not?
- Are you ensuring that your third parties are secure, especially the ones who have access to your systems? Are they undertaking penetration testing on their networks?
- Do you run your website on a dedicated host, shared hosting or locally? Are you ensuring sufficient protection is applied such as a web application firewall?
- Do you utilise a mobile device management (MDM) solution for mobile devices?
- Security policies – do you have them and when were they last reviewed?
- Do you enforce blocking/limiting of USB?
- Do you have a risk management framework in place?
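The password-spray alerting item above is worth a concrete illustration. A spray tries one or two passwords against many accounts from one source, so each account stays under the lockout threshold and per-account lockouts never fire; the detector has to look across accounts per source instead. The following is an added example of that logic, not the author's script: it runs over constructed records shaped like the fields you would pull from Windows Security event 4625 (time, target account, source address), and the window and threshold values are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs) shaped like the fields a
# collector would pull from Windows Security event 4625 (failed logon):
# timestamp, target account, source IP address.
SAMPLE_EVENTS = [
    # one source failing against many accounts once each in under a minute: a spray
    ("2017-06-01T09:00:05", "alice", "203.0.113.7"),
    ("2017-06-01T09:00:09", "bob",   "203.0.113.7"),
    ("2017-06-01T09:00:14", "carol", "203.0.113.7"),
    ("2017-06-01T09:00:20", "dave",  "203.0.113.7"),
    ("2017-06-01T09:00:25", "erin",  "203.0.113.7"),
    ("2017-06-01T09:00:31", "frank", "203.0.113.7"),
    # one user mistyping their own password a few times: not a spray
    ("2017-06-01T09:02:00", "grace", "10.0.0.12"),
    ("2017-06-01T09:02:30", "grace", "10.0.0.12"),
    ("2017-06-01T09:03:00", "grace", "10.0.0.12"),
    # a few unrelated failures from one source spread over hours: not a spray
    ("2017-06-01T08:00:00", "heidi", "10.0.0.40"),
    ("2017-06-01T11:00:00", "ivan",  "10.0.0.40"),
    ("2017-06-01T14:00:00", "judy",  "10.0.0.40"),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag any source that fails logons against at least `min_accounts`
    distinct accounts inside some `window`. Returns {source: [accounts]}.
    Thresholds are assumed starting points, not recommendations from the post."""
    by_source = defaultdict(list)
    for ts, account, source in events:
        by_source[source].append((datetime.fromisoformat(ts), account))

    alerts = {}
    for source, attempts in by_source.items():
        attempts.sort()  # oldest first, so each attempt can open a window
        for i, (start, _) in enumerate(attempts):
            in_window = {acct for t, acct in attempts[i:] if t - start <= window}
            if len(in_window) >= min_accounts:
                alerts[source] = sorted(in_window)
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for source, accounts in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"ALERT: possible password spray from {source} against {', '.join(accounts)}")
```

A real deployment would feed this from Get-WinEvent or a log forwarder rather than a list literal, and alert on the source rather than locking the targeted accounts, which is exactly what a spray is designed to avoid triggering.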
For more ways to help ensure your organisation is secure, please see my annual Security Bulletin here. Most importantly, ensure you are getting a penetration test completed annually. This will test for all of the above and much, much more. I hope this post has given you some food for thought around your systems. If you would like more information on how we can help your organisation stay secure, check out our security solutions.