Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Lee Waskevich
Lee Waskevich
Connect Directly
E-Mail vvv

'Back to Basics' Might Be Your Best Security Weapon

A company's ability to successfully reduce risk starts with building a solid security foundation.

Despite an influx of best-in-breed security technologies, organizations around the world are seeing a continued rise in cyber attacks. There are big implications. Financial consequences include immediate costs of investigating the breach and extend longer-term to include lawsuits and regulatory fines. Loss of customer trust can translate into declines in business. Perhaps most damaging is the impact of shutting down entire systems, which can grind operations to a halt. This is especially dangerous when the target is a critical healthcare, government, or utility provider.

From the high-profile Equifax breach to payment compromises at hotel chains and retailers, security teams are increasingly under pressure to not only determine why this is happening but what can be done to fix or prevent these problems. For many companies, getting "back to basics" could be one of the most effective weapons in the war on cyberattacks.

It's About the Fundamentals
Spending more time on maturing and measuring fundamental security controls might have helped prevent many of the breaches we've seen recently. For instance, Equifax was compromised by a Web application vulnerability that had an available patch, which the company failed to employ. Too often companies underestimate basic security measures, instead prioritizing time and budget on the latest and greatest technology solutions.

Here are ways to stick to the basics of managing cyber-risk to better protect your company.

Achieve Visibility
This is one of the most challenging aspects of security, especially with dispersed assets. You can achieve greater visibility by leveraging these functionalities:

  • Passive technologies that either live at the gateway or process log data are very effective at detecting when new devices come online and then triggering an active scan in order to provide more user information and context.
  • Active scanning technologies that constantly poll your network will discover when new devices come online and report these assets back to a system of record where more information can be obtained from the user directories. An informed decision can then be made about whether or not the devices need to be passed along to the vulnerability management team.

Prioritize Vulnerability Management
Continuous assessments around known inventory can help lower the risk of exploitation. Many of the recent breaches resulting from the leaked Shadow Brokers' tool sets could have been avoided, but too many organizations have weak vulnerability management platforms that leave critical systems exposed. The crippling of the UK's National Health Service by the WannaCry ransomware attack, which targeted basic security weaknesses, was particularly egregious because of the direct impact on patient care.

A robust vulnerability management program can identify these issues so they can be patched, preventing them from being exploited. Some best practices include:

  • Before even attempting a program, understand who is responsible for the functional areas of IT so the proper groups can be alerted when a vulnerability is identified.
  • Obtain the correct buy-in from system owners that are going to be affected, which typically include those managing endpoints, servers and non-user devices such as printers and video cameras.
  • Have clearly defined next steps once vulnerability is identified. Too often, companies recognize their vulnerabilities but have no action plan to move forward with patching, virtual patching, or another means of control.
  • Patching servers and applications can inadvertently have a negative impact on business-critical applications resulting in system downtime. Yet, comprehensive patch management can be time-consuming. Putting a strong development team in place can accelerate the patch process. Alternatively, virtual patching can identify an active exploit and stop it at another layer, whether in the OS itself or at a network function or gateway.

Layer on Next-Gen Technology
With these baseline controls in place, next-generation threat prevention solutions such as anti-malware software, firewalls, and Web/email protections can be more successfully integrated into a company's architecture and associated operational structure.

This is also critical as security solutions become even more sophisticated, sometimes combining different technologies into one more powerful platform. For instance, next-gen endpoints are more advanced than traditional endpoints, with machine learning, artificial intelligence, integration, and open APIs. But leveraging these features into an orchestrated operational model can add a certain level of complexity for analysts and operators, and care should be taken to ensure manual concepts and abilities are understood before employing these enhanced features.

Master Manual Processes Before You Automate
Automating certain security controls can be extremely beneficial, helping analysts more efficiently investigate and triage events by allowing multiple sources of records to be examined and providing context to determine the traffic, user, intellectual property on the device, and what it was doing before and after the event. But automation can also greatly increase risk if done too quickly. While it provides the heavy lifting, it will not make you an instant expert. You still need brains and smarts to accompany orchestration and automation. This means it's much more effective and reliable to first create well-defined and tested manual processes before writing the appropriate automation scripts and playbooks.

While there's no guaranteed security solution, a company's ability to successfully reduce risk starts with building a solid security foundation. These baseline concepts are essential, and understanding the capabilities of technologies currently in place will help make operations more secure in the long term.

Related Content:


Lee Waskevich, Vice President, Security Solutions at ePlus Technology, is responsible for overall strategy for the ePlus Security practice. Lee and his team design and deliver tailored cybersecurity programs aimed at mitigating business risk, fortifying digital ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/18/2018 | 10:09:40 AM
Re: Basics do not sound really sexy, do they?
Agreed - "Security is about processes and humans first. Technology is only assisting your teams and help streamline your processes. "

Technology is knowledge - the knowhow to produce some product, or accomplish some task - not the product, task, materials or the tools used. That goes double for IT: Information Technology
Dimitri Chichlo
Dimitri Chichlo,
User Rank: Apprentice
1/15/2018 | 3:35:06 AM
Basics do not sound really sexy, do they?
Security is about processes and humans first. Technology is only assisting your teams and help streamline your processes. 

I was recently discussing this with a Director from a large, international consultancy, and the guy asked: "From your point of view, what are the trends in information security?". My answer was: "The basics. Companies are so far behind industry standards that almost any of the projects re. basics can be sold, like framework, policies and reporting, identify the assets you are protecting, user access and privileged identity management, vulnerability and configuration management, user education, encryption, endpoint security."

I know he did not like it. Basics are probably not as sexy to sell to a Board as a pen test, a SOC with AI or IoT threat. And make you look old fashioned. And oblige your IT teams working differently. 
User Rank: Apprentice
1/12/2018 | 3:02:18 PM
Re: Basics indeed
CIS CSC20 in priority order. The top 5 solve the highest risk threats.  Gaps in fundamentals are what have tripped up most organizations who have had major breaches in the last 5 years.
User Rank: Ninja
1/11/2018 | 9:45:35 AM
Re: Basics indeed
Thanks - and this is nothing NEW.  In 2000 I remember an actuary at Aon receiving the Anna Kournikovia virus - the famous tennis star picture.  I visited his office and he started to MOVE THE MOUSE to the picture!!!  Why?  He was CURIOUS to see what IT DID!!!  (Killed the cat too).  i told him YOU OPEN THAT UP AND I AM TERMINATING IT SUPPORT FOR YOU FOREVER.  
User Rank: Apprentice
1/11/2018 | 9:23:00 AM
Re: Basics indeed
Couldnt agree more. Culture and user awareness are paramount to complimenting solid technology. Technology can be configured but users can only be advised and educated. All users consumer, commercial, or other have a responsibility to help safeguard their digital lives. 
User Rank: Ninja
1/11/2018 | 9:00:24 AM
Basics indeed
Nothing exotic sometimes - one (1) user opening an infected PDF attachment brought the State of North Carolina down through ransomware.  Just one user.    USER EDUCATION is a good place to start too., 
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation.
PUBLISHED: 2021-04-14
Appspace 6.2.4 is vulnerable to stored cross-site scripting (XSS) in multiple parameters within /medianet/sgcontentset.aspx.
PUBLISHED: 2021-04-14
A Insecure Temporary File vulnerability in s390-tools of SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-SP2 allows local attackers to prevent VM live migrations This issue affects: SUSE Linux Enterprise Server 12-SP5 s390-tools versions prior to 2.1.0-18.29.1. SUSE Linux Enterp...
PUBLISHED: 2021-04-14
A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code. QNAP have already fixed this vulnerability in the following versions: Surveillance Station (an...
PUBLISHED: 2021-04-14
In the standard library in Rust before 1.50.3, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.