Last week, I had the pleasure of joining almost 200 security leaders from around the world for CDW’s Managing Risk SummIT. One thing was clear from the many great conversations we shared: The world has changed. The security practices that helped us keep intruders out for the past two decades will not hold up against today’s sophisticated attackers. We must rethink our philosophy and build a layered approach to security that is designed not only to keep attackers out, but also to contain them once they manage to breach our controls.
I’ve been a part of CDW’s security practice since we began in the early days of the internet, in response to a customer request in 1997. We worked with one of the first e-commerce companies to build security into its processes for taking orders and handling customer credit card information. Since that time, CDW has conducted more than 4,000 security assessments, and we’re still seeing some common themes in our findings. Let’s take a look at those key issues and our recommendations to improve security, based on those lessons learned.
Missing Patches Offer Attackers a Gateway
The security community is fully aware of the risk posed by unpatched systems, and, for the most part, we’ve risen to this challenge. It’s hard to find a modern enterprise that doesn’t use automated configuration management to quickly apply patches to all of its managed Windows systems.
Attackers understand this, and they’ve shifted their focus to all of the unmanaged devices on our networks. Internet of Things devices pose a particular challenge. Badge readers, security cameras, thermostats and other devices with IP addresses on our networks also run operating systems that need patching. Unfortunately, they usually don’t have automated updating systems, and patches can be difficult to apply, if they’re available at all.
The lesson here for security teams is to use network segmentation to isolate unmanaged devices from other systems on the network. Strictly limit access to those devices and prevent them from reaching other devices on the internal network. Assume that an attacker may be able to compromise one of them, and work to contain the potential damage they may cause.
Bad Passwords Jeopardize Security
I recently visited a Chicago-based company to talk to users and offer them some practical security advice. I began the talk by singling out an individual in the audience and asking him to explain the organization’s password policy. He didn’t really want to answer, so I said, “Let me guess: eight characters with an uppercase character, a lowercase character and a symbol, right?” When he nodded yes, I asked the audience: “OK, so which one of you has GoBears! for a password?” and then watched as several people avoided eye contact.
If you know a little bit about an organization and its region, it’s fairly easy to come up with a list of formulaic passwords that use the company name and names of local sports teams (particularly at the high school and college level) to develop a potential password list.
The lesson here for those playing defense is to get serious about the use of passphrases. Then supplement that serious attitude with password audits that check for permutations of common passwords. You’ll be surprised what you learn.