First, some good news: Sure, hacks that exploit the Internet of Things and mobile devices generate plenty of headlines and angst. But decades-old best practices still can mitigate the vast majority of threats — even ones that target emerging technologies like IoT.
Surprised? You’re not alone. As a CDW security consultant, I often hear enterprise clients worry that it’s impossible to keep up with attackers. That mindset brings us to the bad news: Many attacks succeed not because cybercriminals are geniuses, but because fundamental security measures are not rigorously applied.
For example, a Hewlett Packard Enterprise study found that the 10 most common exploits in 2015 were more than 1 year old, and 68 percent were at least 3 years old. They succeed because patches and updates aren’t applied quickly, broadly or both. For instance, even when enterprises implement Windows updates as soon as they’re available, they often don’t do the same for the browsers and other applications running on those machines.
One common cause of imperfect patching is that organizations often don’t have a comprehensive, continuously updated inventory of their servers, PCs and other hardware, as well as what software is running on those systems. That’s why an asset management solution is an effective first step toward fending off ransomware and other common attacks. This approach also can be extended to IoT devices and other emerging technologies.
Also, don’t overlook devices owned by third parties, such as contractors and managed service providers. Many major, headline-grabbing hacks over the past few years have used third parties as a back door into the target organization. Make sure contracts require third-party providers to implement patches and upgrades in a timely manner, and give you the right to audit those policies to see that they’re being followed.
Another best practice is to crack down on credential sharing across boundaries, a vulnerability that few organizations are aware of, much less test for. One common example is an administrator password for one system that also works on other, unrelated systems.
Sometimes intentionally and sometimes by sheer luck, attackers get credentials from a lower-level system, or one with weaker security, and then use them to access an organization’s crown jewels. This can leverage other well-known vulnerabilities and tactics, such as “pass the hash.” That’s why CDW security assessments spend so much time ferreting out shared credentials.
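One way to look for this kind of reuse, shown as an added example rather than CDW's assessment tooling: group credential records by fingerprint and flag any credential that appears on systems in more than one security zone. The record layout, zone labels, host names and fingerprint values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: (system, zone, account, credential fingerprint).
# A fingerprint stands in for whatever a credential audit export provides,
# for example a keyed digest of the stored password hash; all values are made up.
SAMPLE = [
    ("kiosk-01", "low", "Administrator", "fp-a1"),
    ("print-srv", "low", "Administrator", "fp-a1"),
    ("hr-db", "high", "Administrator", "fp-a1"),
    ("web-01", "dmz", "svc_backup", "fp-b2"),
    ("web-02", "dmz", "svc_backup", "fp-b2"),
    ("fin-app", "high", "Administrator", "fp-c3"),
]


def find_shared_credentials(records):
    """Return one finding per credential that is present on more than one system."""
    by_fp = defaultdict(list)
    for system, zone, account, fp in records:
        by_fp[fp].append((system, zone, account))

    findings = []
    for fp, uses in by_fp.items():
        systems = sorted({s for s, _, _ in uses})
        if len(systems) < 2:
            continue  # credential is unique to one system, nothing is shared
        zones = sorted({z for _, z, _ in uses})
        findings.append({
            "fingerprint": fp,
            "systems": systems,
            "zones": zones,
            # Reuse across zones is what lets a weaker system's credential
            # open a higher-value one.
            "crosses_boundary": len(zones) > 1,
        })
    # Cross-boundary reuse first, then by number of affected systems.
    findings.sort(key=lambda f: (not f["crosses_boundary"], -len(f["systems"])))
    return findings


if __name__ == "__main__":
    for f in find_shared_credentials(SAMPLE):
        label = "CROSS-BOUNDARY" if f["crosses_boundary"] else "same-zone"
        print(label, f["fingerprint"], f["systems"], f["zones"])
```

Working from fingerprints keeps raw passwords and hashes out of the report itself.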
Sometimes cybercriminals get credentials from employees whose roles appear to have little impact on security; for example, by hacking the email account of an intern and finding a welcome message that both explains how to access company IT assets and provides credentials for doing so. Such messages should be deleted after being read — or, better yet, never sent in the first place, at least not with credentials included.
Attacks targeting credentials are an important reason why educating all employees — not just IT staff — about security do’s and don’ts is as important as installing firewalls and other infrastructure safeguards. My colleagues have offered similar advice for combating hacks such as phishing: User education remains a key part of any comprehensive security strategy.
IT departments have so much on their plate that there’s often no time or staff left to manage user education programs, apply patches or search for shared credentials. This chronic shortage means plenty of low-hanging fruit for hackers. But here’s more good news: The CDW security team is standing by to help. Contact your account manager to find out how we can help address your security challenges.