1/10/2018 10:30 AM
Lee Waskevich
Commentary

'Back to Basics' Might Be Your Best Security Weapon

A company's ability to successfully reduce risk starts with building a solid security foundation.

Despite an influx of best-in-breed security technologies, organizations around the world are seeing a continued rise in cyber attacks. There are big implications. Financial consequences include immediate costs of investigating the breach and extend longer-term to include lawsuits and regulatory fines. Loss of customer trust can translate into declines in business. Perhaps most damaging is the impact of shutting down entire systems, which can grind operations to a halt. This is especially dangerous when the target is a critical healthcare, government, or utility provider.

From the high-profile Equifax breach to payment compromises at hotel chains and retailers, security teams are increasingly under pressure to not only determine why this is happening but what can be done to fix or prevent these problems. For many companies, getting "back to basics" could be one of the most effective weapons in the war on cyberattacks.

It's About the Fundamentals
Spending more time on maturing and measuring fundamental security controls might have helped prevent many of the breaches we've seen recently. For instance, Equifax was compromised through a Web application vulnerability for which a patch was already available, but which the company failed to apply. Too often companies underestimate basic security measures, instead prioritizing time and budget on the latest and greatest technology solutions.

Here are ways to stick to the basics of managing cyber-risk to better protect your company.

Achieve Visibility
This is one of the most challenging aspects of security, especially with dispersed assets. You can achieve greater visibility by combining these two kinds of capability:

  • Passive technologies that either live at the gateway or process log data are very effective at detecting when new devices come online and then triggering an active scan in order to provide more user information and context.
  • Active scanning technologies that constantly poll your network will discover when new devices come online and report these assets back to a system of record where more information can be obtained from the user directories. An informed decision can then be made about whether or not the devices need to be passed along to the vulnerability management team.
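As an added illustration of the passive-then-active loop described above (example code, not from the article or its author), the following Python sketch treats DHCP server log lines as the passive source, keeps one first-seen event per device, checks each against a system of record, and sorts devices into an active-scan queue or a hand-off to the vulnerability management team. The log lines, the inventory, and its "owner" field are all constructed assumptions.

```python
import re

# Constructed DHCP server syslog lines standing in for the passive data source; not real traffic.
DHCP_LOG = """\
Jan 10 09:01:12 gw dhcpd: DHCPACK on 10.0.5.21 to 3c:52:82:aa:bb:01 (lab-printer-3) via eth1
Jan 10 09:02:40 gw dhcpd: DHCPACK on 10.0.5.77 to 00:1a:2b:cc:dd:02 via eth1
Jan 10 09:03:05 gw dhcpd: DHCPACK on 10.0.5.21 to 3c:52:82:aa:bb:01 (lab-printer-3) via eth1
Jan 10 09:05:18 gw dhcpd: DHCPACK on 10.0.6.10 to 54:bf:64:ee:ff:03 (cam-lobby) via eth2
"""

# Constructed system of record keyed by MAC; the "owner" field is an assumed schema.
INVENTORY = {
    "3c:52:82:aa:bb:01": {"hostname": "lab-printer-3", "owner": "facilities-it"},
}

ACK_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]+) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \(([^)]+)\))?"
)


def parse_passive_events(log_text):
    """Return one first-seen event per MAC from DHCPACK lines (the passive detection step)."""
    seen = {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        ts, ip, mac, host = m.groups()
        # Lease renewals for a MAC already seen are not "new device" events; keep the earliest.
        seen.setdefault(mac, {"first_seen": ts, "ip": ip, "mac": mac, "hostname": host})
    return list(seen.values())


def triage_devices(events, inventory):
    """Known assets go to vulnerability management with their owner; unknown ones are queued for an active scan."""
    scan_queue, to_vuln_mgmt = [], []
    for ev in events:
        record = inventory.get(ev["mac"])
        if record is None:
            # Not in the system of record: an active scan is the next step to gather context.
            scan_queue.append(dict(ev, action="active-scan"))
        else:
            to_vuln_mgmt.append(dict(ev, owner=record["owner"], action="vuln-mgmt"))
    return {"scan_queue": scan_queue, "to_vuln_mgmt": to_vuln_mgmt}


def run_pipeline(log_text=DHCP_LOG, inventory=INVENTORY):
    """Passive detection followed by inventory-driven triage, over the constructed sample."""
    return triage_devices(parse_passive_events(log_text), inventory)
```

The scan_queue is what you would feed to your active scanner; the to_vuln_mgmt list already carries the owner group that needs to be alerted.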

Prioritize Vulnerability Management
Continuous assessments around known inventory can help lower the risk of exploitation. Many of the recent breaches resulting from the leaked Shadow Brokers' tool sets could have been avoided, but too many organizations have weak vulnerability management platforms that leave critical systems exposed. The crippling of the UK's National Health Service by the WannaCry ransomware attack, which targeted basic security weaknesses, was particularly egregious because of the direct impact on patient care.

A robust vulnerability management program can identify these issues so they can be patched, preventing them from being exploited. Some best practices include:

  • Before even attempting a program, understand who is responsible for the functional areas of IT so the proper groups can be alerted when a vulnerability is identified.
  • Obtain the correct buy-in from system owners that are going to be affected, which typically include those managing endpoints, servers and non-user devices such as printers and video cameras.
  • Have clearly defined next steps once a vulnerability is identified. Too often, companies recognize their vulnerabilities but have no action plan to move forward with patching, virtual patching, or another means of control.
  • Patching servers and applications can inadvertently have a negative impact on business-critical applications resulting in system downtime. Yet, comprehensive patch management can be time-consuming. Putting a strong development team in place can accelerate the patch process. Alternatively, virtual patching can identify an active exploit and stop it at another layer, whether in the OS itself or at a network function or gateway.

Layer on Next-Gen Technology
With these baseline controls in place, next-generation threat prevention solutions such as anti-malware software, firewalls, and Web/email protections can be more successfully integrated into a company's architecture and associated operational structure.

This is also critical as security solutions become even more sophisticated, sometimes combining different technologies into one more powerful platform. For instance, next-gen endpoint products are more advanced than traditional endpoint agents, with machine learning, artificial intelligence, integration, and open APIs. But integrating these features into an orchestrated operational model can add a certain level of complexity for analysts and operators, and care should be taken to ensure the manual concepts and abilities are understood before employing these enhanced features.

Master Manual Processes Before You Automate
Automating certain security controls can be extremely beneficial, helping analysts more efficiently investigate and triage events by allowing multiple sources of records to be examined and providing context to determine the traffic, user, intellectual property on the device, and what it was doing before and after the event. But automation can also greatly increase risk if done too quickly. While it provides the heavy lifting, it will not make you an instant expert. You still need brains and smarts to accompany orchestration and automation. This means it's much more effective and reliable to first create well-defined and tested manual processes before writing the appropriate automation scripts and playbooks.

While there's no guaranteed security solution, a company's ability to successfully reduce risk starts with building a solid security foundation. These baseline concepts are essential, and understanding the capabilities of technologies currently in place will help make operations more secure in the long term.

Lee Waskevich, Vice President, Security Solutions at ePlus Technology, is responsible for overall strategy for the ePlus Security practice. Lee and his team design and deliver tailored cybersecurity programs aimed at mitigating business risk, fortifying digital ...
Comments
BrianN060 (User Rank: Ninja), 1/18/2018 | 10:09:40 AM
Re: Basics do not sound really sexy, do they?
Agreed - "Security is about processes and humans first. Technology is only assisting your teams and helping streamline your processes."

Technology is knowledge - the know-how to produce some product or accomplish some task - not the product, task, materials, or the tools used. That goes double for IT: Information Technology.
Dimitri Chichlo (User Rank: Apprentice), 1/15/2018 | 3:35:06 AM
Basics do not sound really sexy, do they?
Security is about processes and humans first. Technology is only assisting your teams and helping streamline your processes.

I was recently discussing this with a Director from a large, international consultancy, and the guy asked: "From your point of view, what are the trends in information security?". My answer was: "The basics. Companies are so far behind industry standards that almost any of the projects re. basics can be sold, like framework, policies and reporting, identify the assets you are protecting, user access and privileged identity management, vulnerability and configuration management, user education, encryption, endpoint security."

I know he did not like it. Basics are probably not as sexy to sell to a Board as a pen test, a SOC with AI, or an IoT threat. And they make you look old-fashioned. And oblige your IT teams to work differently.
JohnF782 (User Rank: Apprentice), 1/12/2018 | 3:02:18 PM
Re: Basics indeed
CIS CSC20 in priority order. The top 5 solve the highest-risk threats. Gaps in fundamentals are what have tripped up most organizations that have had major breaches in the last 5 years.
REISEN1955 (User Rank: Ninja), 1/11/2018 | 9:45:35 AM
Re: Basics indeed
Thanks - and this is nothing NEW. In 2000 I remember an actuary at Aon receiving the Anna Kournikova virus - the famous tennis star picture. I visited his office and he started to MOVE THE MOUSE to the picture!!! Why? He was CURIOUS to see what IT DID!!! (Killed the cat too). I told him YOU OPEN THAT UP AND I AM TERMINATING IT SUPPORT FOR YOU FOREVER.
lee337w (User Rank: Apprentice), 1/11/2018 | 9:23:00 AM
Re: Basics indeed
Couldn't agree more. Culture and user awareness are paramount to complementing solid technology. Technology can be configured, but users can only be advised and educated. All users, consumer, commercial, or other, have a responsibility to help safeguard their digital lives.
REISEN1955 (User Rank: Ninja), 1/11/2018 | 9:00:24 AM
Basics indeed
Nothing exotic sometimes - one (1) user opening an infected PDF attachment brought the State of North Carolina down through ransomware. Just one user. USER EDUCATION is a good place to start too.