Many of the questions and much of the confusion have to do with executives not understanding where their critical assets are and how to protect them. Their sense of security is skewed because they passed their compliance requirements, causing them to think they are safe. Most companies, if they were truly targeted by a sophisticated and determined attacker, would fail miserably.
Why would they fail? Traditionally, security was focused on protecting the perimeter. Based on my experience with penetration-testing organizations from all different industries, companies are doing a great job of locking down their externally exposed assets, with the exception of Web servers. Fewer devices are exposed, and even fewer open ports remain that could provide an avenue for attack.
That sounds great, right? So why would these companies fail at protecting their critically important data and business systems?
The first problem area is not knowing where all of the critical assets are located inside the network and protecting them appropriately. When I ask during a penetration test to point out the critical systems, all too often I get several different answers -- depending on the person answering the question. The CIO will have a different answer than the security team leader, and this will differ from the various business unit owners.
Then once the testing begins, we find little to no true network segmentation between various organizational units, the servers, and general network devices. Most logical network separation is done because of physical separation between building floors and geographic locations. It is not done from a security standpoint, and there are usually very few, if any, firewall rules between those networks.
To combat the problem, a risk assessment and full inventory of all systems, including the types of data handled by each system, need to be completed. That information can then guide the proper network segmentation. Of course, that can't be done completely without looking at the business processes and how users use and access the data. When the previous two processes are then combined, access control for users can be properly architected and implemented -- which leads us to the next problem area.
The second issue that plagues many enterprises is that they lack a solid concept of what the "principle of least privilege" and "need to know" mean. Users regularly have a great deal more access and privilege than necessary to complete their jobs -- this goes for secretaries and systems administrators alike (e.g., Snowden, the snooping sysadmin). A company can take the proactive step of removing local administrator rights from its users on their desktops, but it doesn't bother with the level of access in various internal applications and network file shares.
Properly designing those access controls can be difficult without already having the inventory and understanding of the business, as mentioned above.
The third major area is security training and awareness for users. Having developed a security awareness program for a large university and worked with many different enterprise organizations, I've found the best way for traction is to make it personal: Teach users easy and practical concepts that relate between home and work. Many of the same protective behaviors they should do at home can also help protect their corporate desktops and laptops.
The fourth issue, and one that is compounded by several of the ones previously mentioned, is the presence of shared credentials and password reuse. Password reuse across local system accounts is one of the biggest problems we encounter during penetration tests. It allows us, and the bad guys, to easily move laterally within a company's network once we compromise one system.
Or, once we compromise a user's password, it is often the gateway to getting access to other systems and applications because users commonly reuse passwords across multiple company systems. You think single-sign-on sounds great? It's even more useful to an attacker with a valid username and password because he can now get into everything with that one set of credentials.
User education and technical controls are needed to address both of these problems. The education piece needs to explain the problem and impact to help instill a sense of responsibility and ownership. The ability to explain to users exactly what could happen if their usernames and passwords were compromised -- such as theft of corporate trade secrets that could result in their losing their jobs or their companies going out of business -- opens a few eyes.