CDW’s security engineers have conducted Threat Check security assessments for more than 500 organizations since launching the third version of this service one year ago. During a Threat Check, security monitoring tools are deployed on an organization’s network to spot vulnerabilities and signs of a breach. In analyzing the results of those assessments, CDW has identified recurring issues on customers’ networks that every organization can learn from.
Here are the five most common findings:
1. Active Cryptomining
The most common discovery is the presence of cryptocurrency mining activity on customer networks. In some cases, this is the result of malware infections. But cryptomining also occurs as the result of insider misuse of IT resources, with employees leveraging corporate computing assets to generate personal profit.
[Figure: IDG survey of how business leaders rank security threats. Source: IDG and CDW]
A recent survey conducted by IDG found that cryptomining, the issue most commonly identified in CDW’s assessments, is viewed by the surveyed business leaders as the least significant threat. This suggests that leaders either aren’t aware of the threat or don’t fully understand the business risks it poses: a miner consumes computing capacity and electricity the organization is paying for, and a miner installed by malware is proof that an attacker already has code execution on that host, so the next payload could be anything.
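Miners talk to pools over the Stratum protocol, a JSON-RPC dialect whose method names are stable across miner implementations and independent of the destination port, which makes them a better network indicator than pool IP lists or port numbers. The following added example (not CDW’s Threat Check tooling) scans a constructed connection log that records the first client payload of each flow and groups mining indicators by internal host; the log format, the sample lines and the pool-port list are assumptions for illustration.

```python
"""Flag hosts that speak the Stratum mining protocol.

Stratum is the JSON-RPC dialect most miners and mining pools use. Its
method names are the same across implementations and do not depend on
the destination port, so they are a more reliable indicator than port
numbers or pool IP lists, both of which change constantly.
"""
import json
from collections import defaultdict

# JSON-RPC methods used by Stratum v1 miners (e.g. cgminer, bfgminer).
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty", "mining.extranonce.subscribe",
}
# Ports commonly used by public pools (assumed list). A weak signal on its
# own: miners are routinely configured to use 443 to blend in.
COMMON_POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444, 45700}

# Constructed sample of a connection log that records the first client
# payload of each new flow: "<ts> <src> <dst>:<port> <payload>".
SAMPLE_LOG = [
    '2024-03-01T09:12:01Z 10.20.5.17 203.0.113.10:3333 {"id":1,"method":"mining.subscribe","params":["cgminer/4.11"]}',
    '2024-03-01T09:12:02Z 10.20.5.17 203.0.113.10:3333 {"id":2,"method":"mining.authorize","params":["wallet.worker1","x"]}',
    '2024-03-01T09:12:05Z 10.20.7.44 198.51.100.7:443 {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ABC...","pass":"x","agent":"XMRig/6.21.0"}}',
    '2024-03-01T09:13:00Z 10.20.9.3 192.0.2.20:443 {"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}',
    '2024-03-01T09:13:10Z 10.20.9.3 192.0.2.21:80 GET /index.html HTTP/1.1',
    '2024-03-01T09:14:00Z 10.20.5.17 203.0.113.10:3333 {"id":3,"method":"mining.submit","params":["wallet.worker1","job1","0000","5f1a","deadbeef"]}',
]


def classify_payload(payload):
    """Return an indicator string if the payload looks like a miner's
    JSON-RPC message, otherwise None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in STRATUM_METHODS:
        return "stratum:" + method
    params = msg.get("params")
    # XMRig-style (Monero) pools use a "login" method whose params carry
    # the miner's agent string instead of the mining.* namespace.
    if method == "login" and isinstance(params, dict) and "agent" in params:
        return "xmrig-login:" + str(params["agent"])
    return None


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, payload)."""
    ts, src, dst_port, payload = line.split(" ", 3)
    dst, port = dst_port.rsplit(":", 1)
    return ts, src, dst, int(port), payload


def find_miners(lines):
    """Group mining indicators by internal source host."""
    hits = defaultdict(list)
    for line in lines:
        ts, src, dst, port, payload = parse_line(line)
        reason = classify_payload(payload)
        if reason is None:
            continue
        hits[src].append({
            "time": ts, "dst": dst, "port": port, "reason": reason,
            "common_pool_port": port in COMMON_POOL_PORTS,
        })
    return dict(hits)


if __name__ == "__main__":
    for host, indicators in sorted(find_miners(SAMPLE_LOG).items()):
        print(host)
        for ind in indicators:
            print("  ", ind["time"], ind["dst"], ind["port"], ind["reason"])
```

The Ethereum JSON-RPC line (`eth_blockNumber`) is deliberately not flagged: wallet and node traffic shares the JSON-RPC framing but not the Stratum method namespace, and matching on `"method"` rather than on `"jsonrpc"` keeps that distinction. Miners that wrap Stratum in TLS will not show up in a payload log like this one; for those, a TLS-inspecting proxy or the pool-port heuristic is what remains.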
2. Cleartext Credentials
Despite years of advice that organizations eliminate insecure cleartext protocols for managing sensitive systems and applications, CDW’s assessments continue to turn up user credentials being passed across networks in plain text. Typically these authentication methods rely on static credentials, such as usernames and passwords, with no multifactor authentication, so anyone positioned to eavesdrop on the network traffic (a compromised host on the same segment, a rogue access point, a tapped switch port) can capture the credentials and replay them.
These poor authentication practices are sometimes found on email systems that do not enforce encryption, for example mail clients authenticating to POP3, IMAP or SMTP servers without TLS. More alarming, we have discovered the insecure telnet protocol being used to manage sensitive network devices and servers. Exposure of these administrative credentials could compromise an entire network or server infrastructure.
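To make concrete what an eavesdropper recovers, here is an added example (not part of the original post or CDW’s tooling) that pulls credentials out of reassembled cleartext protocol streams: SMTP `AUTH PLAIN` and `AUTH LOGIN` (base64, not encryption), POP3-style `USER`/`PASS`, and a telnet `login:`/`Password:` prompt exchange. The streams are constructed samples and the usernames and passwords in them are made up; the function assumes the capture has already been reassembled into per-direction lines, which is what tools like tcpflow or Wireshark’s Follow TCP Stream produce.

```python
"""Pull credentials out of reassembled cleartext protocol streams.

Anyone who can sniff the wire sees exactly what this code sees, which is
the point: none of these protocols hides the secret, they only encode it.
"""
import base64
import binascii


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def _b64decode(text):
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


# Constructed samples: reassembled application-layer lines per TCP stream,
# tagged "C" (client -> server) or "S" (server -> client).
SAMPLE_STREAMS = {
    "smtp-plain": [
        ("C", "EHLO laptop"), ("S", "250-mail.example.com"),
        ("C", "AUTH PLAIN " + _b64("\0alice@example.com\0Sp00ky!")),
        ("S", "235 2.7.0 Authentication successful"),
    ],
    "smtp-login": [
        ("C", "AUTH LOGIN"), ("S", "334 VXNlcm5hbWU6"),        # "Username:"
        ("C", _b64("bob@example.com")), ("S", "334 UGFzc3dvcmQ6"),  # "Password:"
        ("C", _b64("hunter2")), ("S", "235 2.7.0 OK"),
    ],
    "pop3": [
        ("S", "+OK POP3 ready"), ("C", "USER carol"), ("S", "+OK"),
        ("C", "PASS letmein"), ("S", "+OK Logged in."),
    ],
    "telnet": [
        ("S", "core-sw01 login: "), ("C", "admin"),
        ("S", "Password: "), ("C", "R0uterPw!"), ("S", "core-sw01#"),
    ],
    # A TLS ClientHello: nothing recoverable, as it should be.
    "tls": [("C", "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03")],
}


def extract_credentials(stream):
    """Return [(protocol, username, password), ...] found in one stream."""
    found = []
    user = None
    expect = None   # "user" or "pass": what the next client line carries
    b64 = False     # whether that line is base64 (SMTP AUTH LOGIN challenge)
    for direction, text in stream:
        line = text.strip()
        if direction == "S":
            low = line.lower()
            if line.startswith("334 "):
                # SMTP AUTH LOGIN challenge; prompt text is base64-encoded.
                prompt = (_b64decode(line[4:]) or "").lower()
                expect = ("user" if prompt.startswith("username")
                          else "pass" if prompt.startswith("password") else None)
                b64 = True
            elif low.endswith("login:") or low.endswith("username:"):
                expect, b64 = "user", False
            elif low.endswith("password:"):
                expect, b64 = "pass", False
            continue
        upper = line.upper()
        if upper.startswith("AUTH PLAIN "):
            # RFC 4616: base64("authzid\0authcid\0password")
            decoded = _b64decode(line[11:])
            if decoded and decoded.count("\0") == 2:
                _, u, p = decoded.split("\0")
                found.append(("smtp-auth-plain", u, p))
            continue
        if upper.startswith("USER "):          # POP3 / FTP
            user = line[5:]
            continue
        if upper.startswith("PASS ") and user is not None:
            found.append(("user-pass", user, line[5:]))
            user = None
            continue
        if expect == "user":
            user = _b64decode(line) if b64 else line
            expect = None
        elif expect == "pass":
            password = _b64decode(line) if b64 else line
            if user is not None:
                found.append(("smtp-auth-login" if b64 else "prompt-login", user, password))
            user, expect = None, None
    return found


def scan_streams(streams):
    return {name: extract_credentials(lines) for name, lines in streams.items()}


if __name__ == "__main__":
    for name, creds in scan_streams(SAMPLE_STREAMS).items():
        for proto, u, p in creds:
            print(f"{name}: {proto} user={u} password={'*' * len(p)}")
```

Real telnet sessions often arrive one keystroke per packet and with option-negotiation bytes (0xFF ...) mixed in, so the reassembly step matters more than the matching; the state machine above is the easy part. The fix on the network side is the same in every case: require TLS (or SSH in place of telnet) and add a second factor so a replayed password is not enough.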
3. Anonymous Browsing VPNs
Threat Check assessments consistently turned up evidence of unauthorized use of virtual private networks. This differs from the use of a typical corporate-sponsored VPN in that the sole purpose of an unauthorized VPN is to bypass corporate content monitoring and filtering. In some cases, this use may be relatively benign; for instance, employees who connect to an unauthorized VPN to access non-work-related websites outside of the watchful eyes of their managers. On the malicious side, malware often uses VPN connections to exfiltrate large quantities of sensitive information while escaping the scrutiny of data loss prevention technology. This is of particular concern if the assessment uncovers large quantities of data being transmitted over a VPN to countries where the customer has no business operations.
4. Use of Unsanctioned Cloud Storage
CDW assessments often discovered employees using unauthorized cloud storage solutions. This may be a matter of personal convenience, as employees seek to make data easy to access so they can work from home or on the road. However, this practice exposes the organization to risk, as cybersecurity teams lose visibility of corporate data and are unable to apply security controls to sensitive files.
Unauthorized use of cloud storage providers may also be malicious. CDW has documented cases in which disgruntled employees connect to third-party storage solutions to build up stores of sensitive information before leaving the company, intending to use that information to exact revenge against their former employers.
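Both of the preceding findings, covert VPN tunnels carrying bulk data to countries where the customer has no operations and uploads to unsanctioned cloud storage, can be triaged from the same egress flow data. The example below is added here and is not CDW’s Threat Check tooling; it works over constructed flow records of the kind a firewall, NetFlow collector or TLS-terminating proxy produces, using only fields available without decrypting traffic (destination, port, TLS server name, bytes sent). The country set, the sanctioned and consumer storage domain lists, the VPN port list, the volume threshold and the GeoIP table are all assumptions standing in for the customer’s own policy data.

```python
"""Triage egress flows for covert tunnels and unsanctioned cloud storage."""
from collections import defaultdict

# Assumed policy data; a real deployment loads these from the customer's
# asset and policy inventory.
ALLOWED_COUNTRIES = {"US", "CA"}                       # where the business operates
SANCTIONED_STORAGE = {"files.corp.example", "corp-tenant.sharepoint.com"}
CONSUMER_STORAGE = ("dropbox.com", "drive.google.com", "mega.nz",
                    "wetransfer.com", "box.com")
TUNNEL_PORTS = {1194, 1723, 500, 4500, 51820}          # OpenVPN, PPTP, IPsec, WireGuard
HIGH_VOLUME_BYTES = 500 * 1024 * 1024                   # per src/dst pair in the window

# Constructed stand-in for a GeoIP database lookup.
GEOIP = {"203.0.113.45": "RO", "203.0.113.9": "BR", "198.51.100.22": "US",
         "192.0.2.77": "US", "192.0.2.78": "US"}

# Constructed flow records; bytes_out is volume sent by the internal host.
FLOWS = [
    {"src": "10.20.5.17", "dst": "203.0.113.45", "dport": 1194, "sni": "", "bytes_out": 2_400_000_000},
    {"src": "10.20.5.17", "dst": "198.51.100.22", "dport": 443, "sni": "mail.example.com", "bytes_out": 12_000_000},
    {"src": "10.20.8.9", "dst": "192.0.2.77", "dport": 443, "sni": "www.dropbox.com", "bytes_out": 900_000_000},
    {"src": "10.20.8.9", "dst": "192.0.2.78", "dport": 443, "sni": "corp-tenant.sharepoint.com", "bytes_out": 3_000_000_000},
    {"src": "10.20.3.2", "dst": "203.0.113.9", "dport": 443, "sni": "", "bytes_out": 40_000_000},
]


def storage_class(sni):
    """'sanctioned', 'unsanctioned' or None for a TLS server name."""
    host = sni.lower()
    if not host:
        return None
    if host in SANCTIONED_STORAGE:
        return "sanctioned"
    if any(host == d or host.endswith("." + d) for d in CONSUMER_STORAGE):
        return "unsanctioned"
    return None


def looks_like_tunnel(flow):
    """Tunnel candidates: a known VPN port, or TLS with no server name,
    which is how most 'stealth' VPN clients and custom exfil tools look."""
    return flow["dport"] in TUNNEL_PORTS or (flow["dport"] == 443 and not flow["sni"])


def analyze(flows, geoip):
    storage = defaultdict(lambda: defaultdict(int))
    tunnel_bytes = defaultdict(int)
    tunnel_ports = {}
    for f in flows:
        if storage_class(f["sni"]) == "unsanctioned":
            storage[f["src"]][f["sni"].lower()] += f["bytes_out"]
        if looks_like_tunnel(f):
            key = (f["src"], f["dst"])
            tunnel_bytes[key] += f["bytes_out"]
            tunnel_ports[key] = f["dport"]
    suspects = []
    for (src, dst), nbytes in tunnel_bytes.items():
        country = geoip.get(dst, "??")
        reasons = []
        if tunnel_ports[(src, dst)] in TUNNEL_PORTS:
            reasons.append("vpn-port")
        if country not in ALLOWED_COUNTRIES:
            reasons.append("outside-business-countries")
        if nbytes >= HIGH_VOLUME_BYTES:
            reasons.append("high-volume")
        # A tunnel to an expected country with modest volume is probably the
        # corporate VPN; report only when something else is off.
        if "outside-business-countries" in reasons or "high-volume" in reasons:
            suspects.append({"src": src, "dst": dst, "country": country,
                             "bytes_out": nbytes, "reasons": reasons})
    return {"unsanctioned_storage": {s: dict(h) for s, h in storage.items()},
            "suspect_tunnels": suspects}


if __name__ == "__main__":
    report = analyze(FLOWS, GEOIP)
    for src, hosts in report["unsanctioned_storage"].items():
        for host, nbytes in hosts.items():
            print(f"storage  {src} -> {host}: {nbytes / 1e6:.0f} MB uploaded")
    for t in report["suspect_tunnels"]:
        print(f"tunnel   {t['src']} -> {t['dst']} ({t['country']}): "
              f"{t['bytes_out'] / 1e6:.0f} MB, {', '.join(t['reasons'])}")
```

The sharepoint upload is large but sanctioned, so it is not reported; the point of the allowlist is to keep the analyst looking at the unexpected rather than the busy. The "TLS with no SNI" heuristic has known false positives (some IoT agents, QUIC, Encrypted Client Hello), so it is paired with the country and volume checks rather than used alone.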
5. Active Known Malware
Business leaders surveyed by IDG said they expect security assessments to find active malware on their networks. CDW assessments revealed that this fear is well founded. The presence of malware on a network indicates that something is amiss with the organization’s security controls. If the organization uses standard anti-virus detection, it should be able to identify known malware signatures and alert administrators to the issue. If that isn’t happening, either the software signatures are not properly updated or the alerts are not being correctly managed. In either event, CDW recommends that organizations install and optimize their use of next-generation endpoint security measures that can detect known malicious behaviors of malware for which a signature may not yet have been recorded.