Perimeter

10/2/2017
10:30 AM
Darren McCue
Darren McCue
Commentary
100%
0%

5 IT Practices That Put Enterprises at Risk

No one solution will keep you 100% protected, but if you avoid these common missteps, you can shore up your security posture.

A billion data records are compromised in the US in more than 90 million different cyber-related incidents each year, with each event costing a company an average of $15 million in damages. Certainly, cybersecurity threats continue to increase in size and complexity, but the real problem is that too many IT organizations are leaving their enterprises vulnerable to attacks because they overlook a number of simple tasks. Although no single solution or approach will keep organizations completely protected, there are some things to avoid so that IT teams can shore up their security posture and ensure continual improvement to match the advancing threat.

1. Using Old Printers
Surprisingly, office printers present three threat vectors. First, printers store images of documents. Don't forget to destroy the remains of sensitive corporate data or personally identifiable information that may be left on an internal hard drive of an office printer.

In addition, IT staffers often miss updates or news of exploitable office vulnerabilities. Tracking firmware updates for printers is something for which no one really has the time or patience. Most updates will require at least some physical access to the device (especially if something doesn't go as expected). Doing routine update checks is a great idea, and if you can't keep up with multiple vendor patches, make sure that you at least isolate printers on a separate VLAN with access limited to core protocols for printing. 

Finally, third-party vendor access can cause issues. Managed providers often have VPN credentials for enterprises to allow them access to perform maintenance and inventory. This is another gateway into your environment and is a third-party exposure that must be monitored. Limit their access as much as possible and require that access be handled via least privileged means.

2. Disregarding Alerts
The average enterprise generates nearly 2.7 billion actions from its security tools per month, according to a recent study from the Cloud Security Alliance (CSA). A tiny fraction of these are actual threats — less than 1 in a 100. What's more, over 31% of respondents to the CSA study admitted they ignore alerts altogether because they think so many of the alerts are false positives. Too many incoming alerts are creating a general sense of overload for anyone in IT. Cybersecurity practitioners must implement a better means of filtering, prioritizing, and correlating incidents. Executives should have a single platform for collecting data, identifying cyber attacks and tracking the resolution. This is the concept of active response — not only identifying threats, but being able to immediately respond to them as well.

3. Giving Away Admin Rights
Administrative rights arm malware and other unwanted applications with the authority needed to inflict damage to an enterprise. The access granted to manipulate system-level services and core file systems is greater than a power user needs on a regular basis. Forcing users to provide administrator credentials to deploy new applications tremendously cuts down threat exposure. This also creates an audit trail that lets security analysts rapidly identify issues, especially those that present signs of intrusion.

Any form of administrator rights must come with a degree of risk analysis on behalf of the IT department. IT executives should consider what damage is possible if a user account is compromised, and what ripple effect would administrative rights have on secondary systems. Administrator access should be the exception, not the norm. If applied properly, organizations can proactively identify issues rather than spend all weekend cleaning up compromised systems.

4. Ignoring Employee Apps
Do you really know what cloud services are being actively used in your network? Many organizations look the other direction when employees use social media and cloud services on their own. But the potential for an IT crisis can be quietly brewing as internal business users create their own IT infrastructure without any adherence to corporate policy. Monitoring cloud application connections can create increased visibility into unapproved software-as-a-service use, and limit the potential for a loss of intellectual property or sensitive information. Cloud access security broker solutions proxy outbound traffic to cloud applications and offer a detailed view into user behaviors.

5. Being Unprepared for Device Loss
Road warriors often fall victim to theft or accidentally leave a laptop or smartphone in a taxi, never to be seen again. This can be a non-event if the device is remotely managed and encrypted, but a major threat if the device contains unsecured sensitive data. IT administrators need to understand what data is being stored where. If it is anything sensitive, they should ensure that devices are properly encrypted and that remote access tools such as VPNs are in use and disabled in the event of a loss. Documenting that devices are encrypted and properly locked down will go a long way in the event of a data leak as well.

As cyberthreats have evolved, so has incident management. What hasn't changed, unfortunately, is the need to address the simple and often tedious IT practices that, when ignored, can threaten enterprise security. From forgetting to revoke administrative privileges to providing third-party access to printers, the common cybersecurity challenges that enterprises face can be fixed, putting enterprises in the best position to address the current and evolving cyberthreat.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Darren McCue is President of Dunbar Security Solutions, where he has led the integration of Dunbar's Cybersecurity, Security Systems, and Protective Services businesses and is responsible for strategically growing the company. For more than 22 years, he has spearheaded growth ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/10/2017 | 4:42:50 PM
Re: VERY INTEREEESTING!!!
@REISEN: It's been a while, but I seem to remember that if you del'd or deltree'd a file or directory, it was still in memory until you turned off the computer or rebooted -- and could be undeleted as such. Is my memory mistaken?

(Or perhaps that was only in a later version?)
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/5/2017 | 10:42:41 AM
Re: VERY INTEREEESTING!!!
Server - not really on subject. Anybody who remembers NOVELL and DOS.  Avon in Suffern NY was a client of Microage of Mahwah and one day the CNE admin left his desk for coffee - terminal on, admin rights and a user wlaked by, thought he could use DELTREE to clean off some folders on his assigned F drive ... which he did, sitting at the admin console on the ROOT DRIVE OF THE NOVELL SERVER.

DELLTREE did what it was told to do and wiped the server off the face of the earth in 5 seconds.,

They were glad for backups.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/3/2017 | 5:36:47 PM
Re: VERY INTEREEESTING!!!
> Local Admin right should NEVER be granted

Reminds me of a colleague telling me about an organization he went into where -- because they were out of workstations -- they let the temp use the main server for his computer!

That was quickly changed once AIM and ICQ and a bunch of games were found downloaded on the server.
PVDB
50%
50%
PVDB,
User Rank: Apprentice
10/3/2017 | 11:59:10 AM
Chapeau bas!
Great, really great article - respect to the form and substance.

I really appreciate your effort - big thanks.

 

pb
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/2/2017 | 10:51:37 AM
VERY INTEREEESTING!!!
To quote old Arte Joohnson on LAUGH IN.  Actually good stuff.  There was a horrendous hack open on HP Officejet printers that involved a long google search string and would display internal web page of ANY officejet printer around the world!!   IP address displayed too - open door for a hacker.  Local Admin right should NEVER be granted - closes down local app installatoin.    Updates and PATCHES are also mandatory. 
6 Ways Greed Has a Negative Effect on Cybersecurity
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  6/11/2018
Weaponizing IPv6 to Bypass IPv4 Security
John Anderson, Principal Security Consultant, Trustwave Spiderlabs,  6/12/2018
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12026
PUBLISHED: 2018-06-17
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in tur...
CVE-2018-12027
PUBLISHED: 2018-06-17
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said ...
CVE-2018-12028
PUBLISHED: 2018-06-17
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an e...
CVE-2018-12029
PUBLISHED: 2018-06-17
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but befor...
CVE-2018-12071
PUBLISHED: 2018-06-17
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.