Frequent Findings in Cybersecurity Assessments
Cybersecurity assessments can take many different forms. Penetration tests, vulnerability assessments, or even just a review of policies and procedures can all reveal weaknesses in an organization’s infrastructure. Regardless of the type of assessment, however, similar trends tend to appear. Three of the more common vulnerability trends relate to outdated components, security misconfigurations, and user credentials.
One of the most common security vulnerabilities that is present in assessments is organizations using outdated components within their infrastructure. A prevalent example of this is the operating system or systems in use by the organization. The two most common operating systems we encounter, Windows and Linux, release regular security updates that fix vulnerabilities and strengthen the system’s overall security. Depending on the size of the organization and the setup of their IT infrastructure, updating all of the servers and workstations can be a long and complex process. Not only that, but updating the operating system on business critical machines can often introduce compatibility issues with older or customized software that is required for the continued functioning of the business. Regardless of the reason, servers and workstations are often left without the latest security updates.
Beyond the issue of keeping software up to date with the latest security patches, organizations also run into problems when a piece of software is designated as “end-of-life” (EOL). This often happens when a particular version of software is superseded by a newer version. One of the most apparent examples of this is when Microsoft releases a new version of their Windows operating system. Although Microsoft still supports the more recent versions of Windows (8.1, 10, and 11), they no longer release updates for their older versions (2000, XP, Vista). This means that any vulnerabilities found in those older operating systems, or in any other end-of-life software, likely won’t be patched, and the systems running them will remain exposed to attackers.
Another common method of unauthorized access that attackers look for is a security misconfiguration. This type of exposure can take several different forms. For example, user access rights are a common place to find a misconfiguration. Many organizations will allow all of their employees to have local administrator access on their machines. Sometimes an employee will move to a different department, but will retain access to sensitive documents related to their old role. Occasionally access rights are defined, but they are implemented inconsistently or are so complicated that it is hard to tell who has access to what. All of these are potential security risks that an attacker could make use of. To help mitigate these risks, user access rights should be clear, consistent, and well documented.
Another example of a security misconfiguration is when a piece of software has unnecessary components enabled. Some of the more frequent offenders of this are websites built with WordPress. WordPress allows users to add functionality to their websites by installing a wide array of plugins. Although this can be helpful, users should be careful when enabling new plugins to ensure they aren’t inadvertently enabling unwanted functionality. Internal servers can be exposed through this type of security misconfiguration as well. Server-focused operating systems can often come with several services enabled by default. When the server is put into production, it is important to review the enabled services present and disable the ones that are not necessary. If a server is to be used solely for file sharing, it likely does not require web server components to be enabled, for instance.
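The service review described above can be scripted rather than done by eye. The following Python example is added here and is not part of the original article or of any Vestige tooling: it parses the output of `ss -tlnp` (a constructed sample from a hypothetical file server is embedded so it runs offline) and compares each listening port and owning process against an allowlist for the server’s role. The role names, the allowlists, and the sample process names are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output from a hypothetical file server.
# A real audit would feed in the live output of: ss -tlnp
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1023,fd=35))
LISTEN  0       50      0.0.0.0:139          0.0.0.0:*          users:(("smbd",pid=1023,fd=36))
LISTEN  0       511     *:80                 *:*                users:(("apache2",pid=1301,fd=4))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mariadbd",pid=1455,fd=21))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Assumed role profiles: port -> process that is expected to own it.
# Anything not listed for the role is a candidate for being disabled.
ROLE_ALLOWLIST = {
    "file-server": {22: "sshd", 139: "smbd", 445: "smbd"},
    "web-server": {22: "sshd", 80: "apache2", 443: "apache2"},
}

LOOPBACK = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


# State, Recv-Q, Send-Q, then "addr:port"; the process name sits inside users:(("name",...
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_ss(output):
    """Turn `ss -tlnp` text into Listener records, skipping the header."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def audit(listeners, role):
    """Return (port, process, exposure, reason) for every listener the role does not need."""
    allowed = ROLE_ALLOWLIST[role]
    findings = []
    for l in listeners:
        exposure = "local-only" if l.address in LOOPBACK else "network"
        expected = allowed.get(l.port)
        if expected is None:
            findings.append((l.port, l.process, exposure, f"not required for role {role}"))
        elif expected != l.process:
            # Allowed port, but an unexpected process owns it; worth a look as well.
            findings.append((l.port, l.process, exposure, f"expected {expected}"))
    return sorted(findings)


if __name__ == "__main__":
    for port, proc, exposure, reason in audit(parse_ss(SAMPLE_SS_OUTPUT), "file-server"):
        print(f"port {port:5d}  {proc:10s}  {exposure:10s}  {reason}")
```

On the sample data the file-server profile flags the web server on port 80 and the database on port 3306; the database is marked local-only because it binds to loopback, which is lower exposure but still worth disabling if the role does not need it.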
Usernames and passwords are one of the foundations of information security. Everything from Netflix accounts to bank accounts requires a password to access. Unfortunately, this has led many people to adopt insecure habits regarding their passwords. Some of the more unsafe habits include using passwords that are easily guessed, never changing passwords, and reusing the same password for different accounts.
Finding a password that is not easily guessed can be a difficult task. The password needs to be something that can be easily remembered, but can’t be figured out by even close friends or relatives. This means that it shouldn’t include any pieces of personal information, like a birthday or the name of a pet. As a general rule of thumb, if the information can be found on a social media account (like the “About” section on a Facebook profile) it shouldn’t be used as part of a password.
Passwords should also be unique for each account. Following this guideline helps mitigate the fallout of a data breach, even if it is another organization that was compromised. When an organization is compromised, attackers will often exfiltrate and compile databases of usernames and passwords that were being stored. Those databases are then used to help attack other organizations. If a user has the same password for all of their accounts, and one of those accounts is compromised, an attacker may have access to every other one of that user’s accounts.
To maintain strong security, it is recommended that passwords be changed occasionally. This can be easily forgotten, but is an important step in maintaining account security. Regularly changing passwords can help mitigate the effectiveness of a long-term brute-force attack. Additionally, updating passwords at regular intervals helps protect against unauthorized access in the event of a reused password being compromised via a data breach of another organization.
Remembering multiple unique passwords that are not easily guessed and are updated regularly is difficult. However, password managers can be used to help with this issue. They allow a user to remember a single strong password that they can use to access all of their other passwords. Using this, passwords can be randomly generated for each new account a user needs and then saved in the password manager. This allows each account to have a unique, secure password without requiring a user to remember each one of them.
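The password guidance in the preceding paragraphs (no personal information, nothing already exposed in a breach, and randomly generated values from a password manager) can be enforced at the point where a password is set. The following Python example is added here and is not from the original article or any Vestige product: it rejects passwords that contain tokens lifted from a constructed “About”-style profile, checks the SHA-1 digest against a constructed stand-in for a breach corpus (such lists are commonly distributed as hashes), and generates a random password the way a password manager would. The profile tokens, the breached passwords, and the 14-character minimum are assumptions.

```python
import hashlib
import secrets
import string

# Constructed profile data: the kind of detail found on a public social media profile.
PROFILE_TOKENS = ["Danny", "Springfield", "Rex", "1987", "Wildcats"]

# Constructed stand-in for a breach corpus, held as SHA-1 digests rather than plaintext.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ["password", "Summer2023!", "letmein", "Wildcats1987"]
}


def _normalize(text):
    """Fold case and drop separators so 'Rex-1987' still matches the tokens 'Rex' and '1987'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def check_password(pw, profile_tokens=PROFILE_TOKENS, breached=BREACHED_SHA1, min_len=14):
    """Return a list of reasons the password should be rejected (empty list means acceptable)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    norm = _normalize(pw)
    for tok in profile_tokens:
        t = _normalize(tok)
        # Very short tokens would match almost anything, so only check 3+ characters.
        if len(t) >= 3 and t in norm:
            problems.append(f"contains personal information ({tok!r})")
    if hashlib.sha1(pw.encode()).hexdigest() in breached:
        problems.append("appears in a known breach corpus")
    return problems


def generate_password(length=20, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Random password from the OS CSPRNG, as a password manager would produce for a new account."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["Rex-1987!", "Wildcats1987", "correct-horse-battery-staple-42"]:
        print(candidate, "->", check_password(candidate) or "ok")
    print("generated:", generate_password())
```

A production deployment would hash the candidate and query a breach service (ideally one supporting hash-prefix lookups so the full hash never leaves the host) instead of the embedded set, and would pull the personal-information tokens from the directory record of the user setting the password.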
Assessments & Remediations
The security issues listed here are just three of countless different vulnerability and exploit types. Ensuring that your organization has a secure environment both internally and externally is one of the most important steps you can take to protect sensitive business data as well as confidential client information. Whether you require a penetration test, vulnerability assessment, or a review of your policies and procedures, Vestige has the expertise to identify the weak areas of your environment and help you strengthen your overall security posture.
If your organization is in need of a cybersecurity assessment, pen test, assistance with cyber compliance and/or remediation CONTACT US today.
By Danny Stemple, BS, CCO, CCPA, ACE
Cybersecurity & Digital Forensic Analyst
Vestige Digital Investigations