5 Ways to Find the Low-Hanging Fruit on Your Network
By Katherine Teitler

When it comes to securing an organization’s network, there is no shortage of basic blocking and tackling to be done. Companies’ IT infrastructures have become so complex and interconnected that many security departments aren’t entirely aware of all the systems and people that might have network access, much less maintain the ability to monitor and act upon every alert or anomaly. As a result, and as we’ve learned through the many highly publicized breaches and security incidents, cybercriminals need not be terribly wily or sophisticated to successfully hack into targets’ networks and steal, modify, corrupt, or otherwise abscond with the information they’re after; the typical enterprise offers plenty of low-hanging fruit for free.
Organizations don’t have to work extra hard at rolling out the proverbial red carpet for attackers. Thousands of vulnerabilities are disclosed every year, and the average time to patch is somewhere between 100-120 days. Though securing everything which needs securing—hardware, software, applications, data, people—is by no means a light lift, the security team’s ability to focus on eliminating low-hanging fruit will raise the “cost” of an attack for cybercriminals. In many cases, this means your adversary will turn his attention elsewhere. If your company is a high-value, singled-out target, erecting better barriers means the attacker has to elevate his game, and you’ll have a better chance of identifying an attack earlier in the cycle…so long as you don’t “set and forget.”
I was working part time in a five-and-dime
First things first. To understand what your low-hanging fruit is, you must identify everything you have: hardware, software, devices, applications, partners/partner networks, authorized individuals and connections, data, etc., basically everything mentioned above as a challenge. Once you have a grasp on all of the assets that require security’s attention, the next step is prioritization. Which data and systems contain the most valuable assets—the “crown jewels,” if you will—that would devastate the company if compromised? With this information in hand, you can now go about building a strategy to eliminate some of the most commonly exploited vulnerabilities.
At the heart of it, says Information Security Analyst Tim Krabec, keeping the bad guys away from your low-hanging network fruit boils down to the three most foundational goals of information security: Confidentiality, integrity, availability. With everything on the security team’s plate, even with all assets accounted for, the enormity of the situation can become overwhelming if it’s scrutinized piecemeal. Fitting action items into these three big categories provides a roadmap for the security program, simplification, and a way to make sure each action has a purpose, i.e., you’re not misstepping and distracting attention away from the desired end state. For instance, Krabec says, “Least privilege, zero trust models, and encryption give us confidentiality; patching and monitoring help ensure integrity; and backups provide availability in case of a disaster or incident.”
Least privilege is, of course, one of the basic principles the security industry talks about a lot, yet system administrators continue to get away with not only unrestricted network and file access, but also compounding the problem by using default and replicated passwords. “This is so easy to fix,” exclaims Paul Asadoorian, CEO of Security Weekly and Offensive Countermeasures. And if you consider that, according to the Verizon Data Breach Investigations Report (DBIR), “81% of hacking-related breaches leveraged either stolen and/or weak passwords,” keeping access and authentication in check should be one of every security organization’s top priorities.
My boss was Mr. McGee
Getting back to those pesky vulnerabilities, Asadoorian advises organizations to revisit patching programs. As we saw with WannaCry, patching can cure many ills, but “just patch” isn’t always the answer. Organizations can run up against production and availability issues if patching isn’t rolled out or tested correctly. Therefore, it’s best practice to understand your organization’s current architecture, highest risks, and backup and redundancy capabilities, along with a realistic understanding of the criticality of the patch and the potential ramifications should you choose not to patch when one becomes available.
Patching, though, isn’t the only way to mitigate vulnerabilities and pick off low-hanging fruit. A February 2017 study by the Australian government indicates that 85% of known vulnerabilities can be stopped by deploying the Top 5 CIS Controls. Not so coincidentally, the first two recommended critical controls tackle assets:
Inventory of authorized and unauthorized devices
Inventory of authorized and unauthorized software
The next two address technology implementations and maintenance:
Secure configurations for hardware and software
Continuous vulnerability assessment and remediation
The last control goes back, once again, to locking down the admin environment:
Controlled use of administrative privileges
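The first and last of those five controls share one mechanism: compare what you have authorized against what is actually present, and act on the difference. The script below is an added illustration, not code from the article or from CIS; the asset register, DHCP lease lines and admin-group dump are all constructed sample data, and the "ip mac hostname" lease format is an assumption.

```python
import re
from typing import Dict, Set, Tuple

# Constructed asset register (not the article's data): MAC -> hostname allowed on the LAN.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "fileserver01",
    "00:11:22:33:44:02": "hr-laptop-07",
    "00:11:22:33:44:03": "printer-2f",
}
# Constructed DHCP lease dump, one "<ip> <mac> <hostname>" per line.
DHCP_LEASES = """\
10.0.5.20 00:11:22:33:44:01 fileserver01
10.0.5.41 00:11:22:33:44:02 hr-laptop-07
10.0.5.88 aa:bb:cc:dd:ee:ff android-9f3c2
"""
# Constructed: accounts approved to hold local Administrators membership.
APPROVED_ADMINS = {"svc-backup", "jsmith-adm"}
# Constructed group-membership dump, one account per line.
ADMIN_GROUP_DUMP = "svc-backup\njsmith-adm\nhelpdesk-shared\n"

LEASE_RE = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\S+)$", re.I)

def parse_leases(text: str) -> Dict[str, str]:
    """Map MAC -> hostname for every well-formed lease line; malformed lines are skipped."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            seen[m.group(2).lower()] = m.group(3)
    return seen

def reconcile(authorized: Set[str], observed: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (unauthorized, missing): seen but not allowed, and allowed but not seen."""
    return observed - authorized, authorized - observed

def device_findings(leases: str = DHCP_LEASES) -> Tuple[Set[str], Set[str]]:
    """CIS Control 1: rogue MACs on the wire, and registered devices that never showed up."""
    return reconcile(set(AUTHORIZED_DEVICES), set(parse_leases(leases)))

def admin_findings(dump: str = ADMIN_GROUP_DUMP) -> Tuple[Set[str], Set[str]]:
    """CIS Control 5: accounts holding admin rights without approval (and approved ones absent)."""
    members = {l.strip() for l in dump.splitlines() if l.strip()}
    return reconcile(APPROVED_ADMINS, members)

if __name__ == "__main__":
    rogue, absent = device_findings()
    print("unauthorized devices:", sorted(rogue), "| registered but not seen:", sorted(absent))
    extra, _ = admin_findings()
    print("unapproved admins:", sorted(extra))
```

The "missing" side of the comparison matters as much as the "unauthorized" side: a registered device that stops appearing may have been retired without updating the inventory, which is exactly how stale entries creep in.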
It’s funny how everything circles around, isn’t it? Or perhaps it’s ironic? Or unsettling, because we keep returning to the same remedies…?
He told me several times that he didn’t like my kind