
February 28, 2018


Cybersecurity Tales from the Trenches

Deploying security solutions is only part of the battle. IT teams need to think like an attacker to identify potential gaps in their defenses.


Last week, I had the pleasure of joining almost 200 security leaders from around the world for CDW’s Managing Risk SummIT. One thing was clear from the many great conversations we shared: The world has changed. The security practices that helped us keep intruders out for the past two decades will not hold up against today’s sophisticated attackers. We must rethink our philosophy and build a layered approach to security that is designed not only to keep attackers out, but also to contain them once they manage to breach our controls.

I’ve been a part of CDW’s security practice since we began in the early days of the internet, in response to a customer request in 1997. We worked with one of the first e-commerce companies to build security into its processes for taking orders and handling customer credit card information. Since that time, CDW has conducted more than 4,000 security assessments, and we’re still seeing some common themes in our findings. Let’s take a look at those key issues and our recommendations to improve security, based on those lessons learned.

Missing Patches Offer Attackers a Gateway

The security community is fully aware of the risk posed by unpatched systems, and, for the most part, we’ve risen to this challenge. It’s hard to find a modern enterprise that doesn’t use automated configuration management to quickly apply patches to all of its managed Windows systems.

Attackers understand this, and they’ve shifted their focus to all of the unmanaged devices on our networks. Internet of Things devices pose a particular challenge. Badge readers, security cameras, thermostats and other devices with IP addresses on our networks also run operating systems that need patching. Unfortunately, they usually don’t have automated updating systems, and patches can be difficult to apply, if they’re available at all.

The lesson here for security teams is to use network segmentation to isolate unmanaged devices from other systems on the network. Strictly limit access to those devices and prevent them from reaching other devices on the internal network. Assume that an attacker may be able to compromise one of them, and work to contain the potential damage they may cause.

Bad Passwords Jeopardize Security

I recently visited a Chicago-based company to talk to users and offer them some practical security advice. I began the talk by singling out an individual in the audience and asking him to explain the organization’s password policy. He didn’t really want to answer, so I said, “Let me guess: eight characters with an uppercase character, a lowercase character and a symbol, right?” When he nodded yes, I asked the audience: “OK, so which one of you has GoBears! for a password?” and then watched as several people avoided eye contact.

If you know a little bit about an organization and its region, it's fairly easy to build a list of formulaic candidate passwords from the company name and the names of local sports teams (particularly at the high school and college level).

The lesson here for those playing defense is to get serious about the use of passphrases. Then supplement that serious attitude with password audits that check for permutations of common passwords. You’ll be surprised what you learn.
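As an added example (not code from the article or from CDW), the check below shows one way a password audit can flag the formulaic passwords described above: it strips the usual trailing year or symbol, undoes common character substitutions, and tests whether what remains is built around an organization-specific term. The term list and the 16-character passphrase threshold are constructed assumptions.

```python
import re

# Constructed example context: hypothetical organization-specific terms
# (company name, city, local teams). Not values from the article.
ORG_TERMS = ["Acme", "Chicago", "Bears", "Cubs", "Wildcats"]

# Character substitutions that keep a password "complex" on paper only.
# "1" is mapped to "i"; real-world leet is ambiguous, so this is a simplification.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_PASSPHRASE_LEN = 16  # assumed policy threshold, not from the article


def normalize(candidate: str) -> str:
    """Strip leading/trailing digits and symbols, undo leet spelling, lowercase.

    'GoBears!' -> 'gobears', 'B3ars2018!' -> 'bears'
    """
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", candidate)
    return stripped.translate(LEET).lower()


def formulaic_term(candidate: str, org_terms=ORG_TERMS):
    """Return the organization term the candidate is built around, or None.

    A password counts as formulaic when, after normalization, removing the
    term leaves at most three letters (for example 'go' + 'bears').
    """
    core = normalize(candidate)
    for term in org_terms:
        t = term.lower()
        if t in core and len(core.replace(t, "", 1)) <= 3:
            return term
    return None


def audit_password(candidate: str, org_terms=ORG_TERMS):
    """Return a list of audit findings; an empty list means the candidate passed."""
    findings = []
    if len(candidate) < MIN_PASSPHRASE_LEN:
        findings.append(f"shorter than {MIN_PASSPHRASE_LEN} characters; use a passphrase")
    term = formulaic_term(candidate, org_terms)
    if term:
        findings.append(f"built from organization term '{term}'")
    return findings


if __name__ == "__main__":
    for pw in ["GoBears!", "B3ars2018!", "Ch1cago2018", "correct horse battery staple"]:
        print(pw, "->", audit_password(pw) or "ok")
```

The same check can run offline over a recovered plaintext list from an authorized audit, or at password-change time as a rejection rule.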

Social Engineering Bypasses Technical Controls

Social engineering is a tried-and-true practice for attackers, and it can often bypass many layers of technical controls. One of my clients recently experienced a security breach that several forensic investigators were unable to trace. Finally, a third investigator found the source of the breach and realized that the only time the attacker logged into the target system, he or she used a valid username and password. There was no other trace of the attack. No reconnaissance. No probes. No back doors or malware left behind.

How did this happen? We finally figured out that the user’s account was phished through an elaborate scheme involving a popular Vietnamese restaurant next door. The company’s employees often ate at the restaurant and loved the noodle soup. One day, a stack of flyers appeared on the receptionist’s desk advertising the restaurant’s delivery service, which later launched an online ordering option.

It turns out that the restaurant never had a delivery service. Social engineers created a delivery service (and even filled orders!) just waiting for the right employee to create an account. Once they had a juicy target, they guessed that the employee would use the same password for the financial systems as he used to order noodle soup and, bingo, they were right!

The lessons in all three of these stories are similar. Building a strong set of security controls is necessary, but not sufficient. Security teams should constantly assess the organization’s weaknesses and think like an attacker to identify potential gaps in their security. If you can dream it, so can your adversary.

Get an in-depth look at how organizations view the modern security landscape in the CDW Orchestration Guide.
