I’ve performed dozens of these assessments, which provides me with a unique vantage point on the state of cybersecurity across different industries and organizations of various sizes. With that perspective, I’ve seen four common threats that continue to pose significant risk to cybersecurity programs.
Continued Reuse of Weak Passwords
Password spray attacks (in which an attacker circumvents common countermeasures such as account lockout by trying the same password across many accounts, rather than many passwords against one account) continue to be incredibly effective. Attackers compromise a third-party website, harvest credentials and then use those credentials to access corporate systems. It’s a simple attack that continues to work because it exploits the human tendency to take the easiest path around security controls, in this case reusing one password everywhere. Organizations should promote the use of password managers as a simple and effective way to encourage users to maintain unique passwords for each site they visit.
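Because a spray touches many accounts a few times each, it hides from per-account lockout counters but stands out when failures are grouped by source. The following detector is an added example (not from the article or any product it mentions) that runs over a constructed authentication log and flags a source that fails against many distinct accounts within a window while staying under an assumed per-account lockout threshold; the log format, thresholds and IP addresses are all illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not taken from the article):
# timestamp, source IP, account, outcome. 203.0.113.7 tries five accounts once
# each and lands one success; 198.51.100.2 is a user mistyping their own password.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 203.0.113.7 alice FAIL
2024-03-01T09:00:03Z 203.0.113.7 bob FAIL
2024-03-01T09:00:05Z 203.0.113.7 carol FAIL
2024-03-01T09:00:07Z 203.0.113.7 dave FAIL
2024-03-01T09:00:09Z 203.0.113.7 erin FAIL
2024-03-01T09:00:11Z 203.0.113.7 frank SUCCESS
2024-03-01T09:05:00Z 198.51.100.2 alice FAIL
2024-03-01T09:05:20Z 198.51.100.2 alice FAIL
2024-03-01T09:05:40Z 198.51.100.2 alice SUCCESS
"""


def parse_line(line):
    """Split one space-separated log line into (timestamp, source, account, outcome)."""
    ts, src, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, outcome


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_accounts=5, per_account_max=3):
    """Return {source: details} for sources whose failures within `window` span
    at least `min_accounts` distinct accounts with no single account failing
    more than `per_account_max` times (i.e. the lockout-evading spray shape).
    Thresholds are assumed values for illustration; tune them to your lockout policy."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        by_src[src].append((ts, user, outcome))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, user) for ts, user, o in evs if o == "FAIL"]
        # Slide a window starting at each failure and look at the accounts it covers.
        for i, (start_ts, _) in enumerate(fails):
            window_fails = [(ts, u) for ts, u in fails[i:] if ts - start_ts <= window]
            per_user = defaultdict(int)
            for _, u in window_fails:
                per_user[u] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= per_account_max:
                # A success from the same source after the spray is the account to triage first.
                successes = sorted({u for _, u, o in evs if o == "SUCCESS"})
                alerts[src] = {"accounts_targeted": len(per_user),
                               "successful_logins": successes}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: "
              f"{info['accounts_targeted']} accounts, "
              f"successful logins: {info['successful_logins']}")
```

The source address is only a convenient key for this sample; real sprays are often distributed across many addresses, so the same grouping is worth repeating on other shared attributes such as user agent or the timing of the attempts.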
Lack of Incident Response Capabilities
Most organizations that I visit do not have any organized incident response program. Leaders don’t know what to do when an incident occurs, so they make it up as they go along, squandering valuable time at the point when speed matters most. Quick reactions to security incidents can contain damage and limit the effects of a breach. Organizations should consider the use of incident response retainer services and tabletop exercises to ensure that they’re ready the next time they experience a cybersecurity incident.
Misconfigured Multifactor Authentication
Almost all of us have gotten the message that multifactor authentication is crucial to preventing phishing and other credential theft attacks. However, we commonly find that organizations haven’t effectively deployed these solutions and suffer from misconfigurations that threaten to undermine their usefulness as a security control.
For example, I recently visited a firm where MFA requests were routinely delayed by minutes, leading users to simply click “accept” without knowing whether the request was legitimate. In our penetration testing, we’re frequently able to bypass MFA requirements completely due to misconfigurations. Every organization using MFA should conduct a penetration test that focuses on this technology to ensure that it is working properly.
Failure to Meaningfully Implement Separation of Privileges
Our penetration tests also demonstrate that once we gain access to any user account, we are almost always able to use that account to gain administrative privileges. Tricking a receptionist into falling for a phishing attack almost always allows us to gain full access to back-end systems. Organizations must implement extremely strict access control policies that enforce a need-to-know requirement and lock down access tightly.
Notably, none of these threats is exotic, and the solutions to mitigate them don’t require the use of emerging technologies. Instead, they’re all essential components of a strong cybersecurity program and are practices that we’ve been preaching for years. Even organizations that think they are doing well at these foundational practices are often surprised when we conduct an assessment and discover significant gaps.