By: Tyler Hardison, CISSP, PCI Qualified Security Assessor
Daily news headlines scream high-profile information security failures and consequences—Hacked! Attacked! Ransomware!—reinforcing that the severity of risk posed to sensitive information is unprecedented. Security threats can put your organization and your customers’ sensitive information at risk, costing you in customer loss, diminished trust in your brand and regulatory fines. Where are our data? What are our security holes? What are our risk scenarios?
Over numerous client engagements, our findings indicate that a basic networking error or an older version of software that is rarely used could, in fact, be the vehicle a hacker needs to break in, exposing customer data and sensitive information.
Data are everywhere and so are data breaches—and breaches are occurring with increasing frequency and volume. In today’s complex cyberworld, cybersecurity risk and incidents are part of doing business. Chances are, your organization’s data will be—or already have been—breached.
In our day-to-day work with organizations to discover and address security vulnerabilities, we are finding that the top 4 security vulnerabilities that organizations overlook are:
1. Networked printers. From a network security perspective, printers frequently run outdated firmware and are susceptible to multiple attacks. Aside from potential data loss and espionage, more than one proof of concept exists in which a printer is used as a springboard to launch further attacks on the network. To resolve this:
- Make sure printers’ firmware is updated regularly and included in your already established patch cycle.
- Logically isolate printers on restricted network segments, allowing access only to a dedicated print server.
2. Internet of Things (IoT). More companies are connecting traditionally isolated devices (e.g., heating, ventilation and air conditioning [HVAC] controllers, IP cameras) to their networks. These devices run firmware that requires regular updates. Proofs of concept exist in the wild, including data theft, vandalism and remote compromise. To resolve this:
- Implement firmware updates and patching cycles.
- Isolate these devices on their own network segment, with administrative access passing through a jump box where possible.
3. Aging infrastructure. Over time, manufacturers such as Cisco end-of-life their products. This means that your network switch’s firmware is often out of date and susceptible to attack and compromise. Purchasing gray-market and/or used devices from auctions increases this risk exponentially; more than one gray-market network device has been discovered running unsigned (compromised) firmware. To resolve this:
- Track your device purchases and know their end-of-support dates. End of sale is usually a precursor to end of support. While tempting, never use hardware or software more than a year beyond the vendor’s stated end-of-support date. A best practice is to budget for replacing your devices before your last support period ends.
- Know what firmware versions are on your devices.
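An added example, not part of the article, of the inventory check the two points above call for: a Python script that flags firmware below the vendor's recommended release and devices approaching, past, or more than a year past their end-of-support date. The inventory entries, version strings and assessment date are constructed sample data, and the dotted-numeric version format is an assumption.

```python
from datetime import date, timedelta

# Constructed sample inventory (not from the article): running firmware, the
# vendor's current recommended release, end-of-sale and end-of-support dates.
INVENTORY = [
    {"device": "core-sw-01", "firmware": "15.2.4", "baseline": "15.2.7",
     "end_of_sale": date(2019, 6, 1), "end_of_support": date(2024, 6, 1)},
    {"device": "edge-rtr-02", "firmware": "16.9.8", "baseline": "16.9.8",
     "end_of_sale": date(2018, 3, 1), "end_of_support": date(2023, 3, 1)},
    {"device": "lab-sw-03", "firmware": "12.2.55", "baseline": "12.2.58",
     "end_of_sale": date(2015, 1, 1), "end_of_support": date(2020, 1, 1)},
    {"device": "dist-sw-04", "firmware": "17.3.5", "baseline": "17.3.5",
     "end_of_sale": date(2023, 11, 1), "end_of_support": None},
    {"device": "new-sw-05", "firmware": "17.6.4", "baseline": "17.6.4",
     "end_of_sale": None, "end_of_support": date(2030, 1, 1)},
]
ASSESSMENT_DATE = date(2024, 1, 15)  # constructed "today" so results are reproducible
GRACE = timedelta(days=365)          # the article's one-year limit beyond end-of-support


def parse_version(version):
    """Dotted numeric release string -> comparable tuple, e.g. '15.2.4' -> (15, 2, 4)."""
    return tuple(int(part) for part in version.split("."))


def assess_device(dev, today=ASSESSMENT_DATE, grace=GRACE):
    """Return the findings for one device as a list of short codes."""
    findings = []
    if parse_version(dev["firmware"]) < parse_version(dev["baseline"]):
        findings.append("FIRMWARE_BELOW_BASELINE")
    eos = dev["end_of_support"]
    if eos is None:
        # End of sale usually precedes end of support: a device already past end
        # of sale with no known end-of-support date is a gap in the inventory itself.
        if dev["end_of_sale"] and dev["end_of_sale"] <= today:
            findings.append("PAST_END_OF_SALE_EOS_UNKNOWN")
    elif today > eos + grace:
        findings.append("PAST_EOS_GRACE_EXCEEDED")   # more than a year past support: replace
    elif today > eos:
        findings.append("PAST_EOS")                  # inside the one-year window
    elif today >= eos - grace:
        findings.append("EOS_WITHIN_YEAR")           # budget the replacement now
    return findings


def assess_inventory(inventory, today=ASSESSMENT_DATE):
    return {dev["device"]: assess_device(dev, today) for dev in inventory}


if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY).items():
        print(f"{name:12} {', '.join(findings) or 'OK'}")
```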
4. People. People remain the biggest threat to the organization. People take the easiest path, which is usually not the most secure, constantly creating vulnerabilities in organizations. The latest data [1] reveal that 70 percent of US employees lack security and privacy awareness. With an employee clicking on malware every 81 seconds in the US, [2] it is no surprise that cyberincidents that expose sensitive data are spreading, increasing an organization’s risk. Employees should be trained annually, at a minimum, and this training should cover both social awareness and security awareness. To resolve this:
- Begin practicing information and IT security from the moment employees start using network devices. It is the best way to build a habit.
- There are several ways to make security part of your organization’s culture. IT security can perform social engineering tests [3] and discuss the results. They can make security training fun and enjoyable, yet realistic and easy to implement. Consistent training programs that are interactive make employees feel like they are learning instead of having their hands slapped. Team-building activities such as brown-bag cybersecurity lunches [4] or reminder cards for employees can help to keep cybersecurity awareness top of mind. Openly integrating security into conversations and meetings—for example, discussing the latest data breaches in the news and how they occurred—is a good way to highlight spear phishing, malware, and the social leaking of information, [5] and should be accompanied by discussion of how to minimize these threats. Creating a holistic and positive company culture can also help to mitigate the risk from disgruntled employees who may be tempted to cause breaches.
Security has grown up and needs regular maintenance and monitoring. It is no longer simply a matter of installing antivirus software and hiding the network behind a firewall. A strong security foundation is critical for your organization’s reputation and longevity. Does your organization need testing of all its computer systems and infrastructure to discover its vulnerabilities, risk, and likely targets? Maybe it’s time.
TYLER HARDISON, CISSP, PCI QUALIFIED SECURITY ASSESSOR, is responsible for working with the Solutions Architect team to develop solutions for clients. He is also responsible for leading innovation and developing new service solutions. Hardison is also responsible for leading the development team on the CyberSecurity Portal. He is a 12-year veteran of technology management in the financial services industry. Rising from the help desk to become chief information officer of a US $3 billion credit union, he has been at the forefront of regulatory changes and the development of the tools necessary to keep up with them.
[1] Kawamoto, D., “70% of US Employees Lack Security and Privacy Awareness,” InformationWeek DarkReading, 3 October 2017
[2] Check Point, 2016 Check Point Security Report, USA, 2016
[3] Geer, D., “Meet Six of the Most Effective Social Engineering Techniques,” Mitnick Security, 9 April 2017
[4] Heathfield, S., “Use a Brown Bag Lunch for Internal Training,” The Balance, 12 October 2017
[5] Hueya, Inc., Cyber Abuse and the Human Factor, USA, 2017