The eight common weaknesses of IT security
Every organization in the 21st century understands that keeping proprietary data safe is crucial to its success. However, while business leaders tend to believe their current security products and policies are truly secure, breaches continue to climb. It is clear that despite an ever-increasing number of companies maintaining formalized security programs and annually increasing security budgets, there are gaps that continue to go unnoticed and unaddressed.
Through hundreds of assessments and breach analyses, we have identified eight weaknesses that most commonly enable threat actors to penetrate organizations’ security armor, move through networks to elevate privileges, and ultimately compromise defenses. Threat actors continuously probe these weaknesses; controls that seem secure at deployment often are not, and even controls that were initially secure frequently become obsolete through missed updates and upgrades, changes to the enterprise environment, and evolving threat tactics. A frequent misconception is that security products and processes can be set and then forgotten; because threat actors’ tactics evolve at an alarming pace, security controls must be continually adjusted so that the organization’s security armor continues to envelop and protect. Without continuous evolution, the armor and its contents become vulnerable and are often at greater risk because of a false sense of security.
Let’s explore some of the most common vulnerabilities.
Policies. Most organizational policies, plans, and even the tabletop exercises designed to test them are not fully relevant to the tactics, techniques, and procedures (TTPs) threat actors actually use to penetrate organizations. Many companies use frameworks like NIST or CIS to inform their cybersecurity programs. While useful, these frameworks often do not look deeply enough at the controls, configurations, and orchestration of the organization’s products and processes to arrive at a hack-proof security strategy. For example, while a framework may recommend a Zero Trust strategy, it typically will not recommend choosing a single IT-vetted and maintained filesharing application while blocking all others. Similarly, Zero Trust strategies generally do not recommend denying employees access to their personal email from corporate devices. Details like these are important to ensuring threat actors have fewer avenues of attack while also increasing IT’s visibility into those reduced avenues.
Change. Threat actor tactics are constantly changing. Threat actors are extremely innovative in their approaches, like using deep fake social engineering against help desk personnel to gain network credentials, exploiting software vulnerabilities within hours of their announcement, or exploiting the identities of recently departed employees. If policies and procedures are not designed to address the constantly changing threats the organization faces, they set the organization up for a potential breach. Few organizations understand that Software-as-a-Service (SaaS) applications pose real threats; even if secure at the outset (unlikely), each new version upgrade can introduce new settings and feature vulnerabilities; thus, settings must be inspected on a regular basis.
Backups. Backups are, arguably, the most important security control of the enterprise. If the organization suffers a catastrophic breach (which is increasingly likely), the only way to ensure ongoing operations is to have recoverable backups. Backups must be immutable (incapable of being changed, deleted, or accessed), redundant (multiple copies in multiple places), and resilient (capable of being easily restored). In our experience, fewer than 80 percent of backups are immutable, and ransomware threat actors target backups for encryption or destruction 93 percent of the time. They know that their ability to extract a ransom depends on the victim being unable to recover from the breach without paying.
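The three backup requirements above can be turned into a routine posture check. The following Python script is an added example, not code from the article or from Conversant Group; it audits a constructed backup inventory (hypothetical dataset names, locations, and dates) and flags every dataset that lacks an immutable copy, is not spread across at least two locations, or has no successful restore test within the last 90 days. The thresholds MIN_COPIES, MIN_LOCATIONS, and MAX_RESTORE_AGE are assumptions a practitioner would tune to their own recovery objectives.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy thresholds (assumed for this example; tune to your recovery objectives).
MIN_COPIES = 2                        # "multiple copies"
MIN_LOCATIONS = 2                     # "in multiple places"
MAX_RESTORE_AGE = timedelta(days=90)  # a restore that has not been exercised recently is unproven


@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    location: str                      # storage target, e.g. "dc1-nas" or "cloud-region-a"
    immutable: bool                    # object lock / WORM / offline: cannot be altered or deleted
    last_restore_test: Optional[date]  # most recent successful test restore from this copy, if any


def audit_backups(copies: List[BackupCopy], today: date) -> Dict[str, List[str]]:
    """Return {dataset: [failed requirements]} for every dataset missing any of
    immutable, redundant, or resilient. Datasets that pass all three are omitted."""
    by_dataset: Dict[str, List[BackupCopy]] = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    findings: Dict[str, List[str]] = {}
    for ds, cs in by_dataset.items():
        failed: List[str] = []
        # Immutable: at least one copy an intruder with stolen admin credentials cannot destroy.
        if not any(c.immutable for c in cs):
            failed.append("immutable")
        # Redundant: enough copies, and not all sitting on the same target.
        if len(cs) < MIN_COPIES or len({c.location for c in cs}) < MIN_LOCATIONS:
            failed.append("redundant")
        # Resilient: a restore has actually been proven to work recently.
        tests = [c.last_restore_test for c in cs if c.last_restore_test is not None]
        if not tests or today - max(tests) > MAX_RESTORE_AGE:
            failed.append("resilient")
        if failed:
            findings[ds] = failed
    return findings


# Constructed sample inventory (hypothetical names and dates, not real data).
SAMPLE_COPIES = [
    BackupCopy("finance-db", "dc1-nas", False, date(2024, 5, 1)),
    BackupCopy("finance-db", "cloud-region-a", True, date(2024, 5, 1)),
    BackupCopy("hr-files", "dc1-nas", False, None),          # two copies on the same NAS, never tested
    BackupCopy("hr-files", "dc1-nas", False, None),
    BackupCopy("web-assets", "cloud-region-a", True, date(2023, 12, 1)),  # single copy, stale test
]
AUDIT_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    for dataset, failed in sorted(audit_backups(SAMPLE_COPIES, AUDIT_DATE).items()):
        print(f"{dataset}: fails {', '.join(failed)}")
```

Feeding the script a real inventory exported from the backup platform, rather than the constructed list, is the only change needed to run it in practice; the point is that "we have backups" becomes a measurable statement about each dataset.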
Endpoints. Endpoint security is considered the Achilles’ heel of security because IT regards user behavior as the greatest risk. However, rather than trying to control the uncontrollable (humans will always be fallible), IT should take control and remove the option for users to click the wrong link or open the wrong attachment. IT must filter all traffic, including HTTPS/encrypted traffic, with deep packet inspection; block access to personal email accounts; inspect and filter all internet traffic all the time; and disallow all but IT-vetted filesharing systems, password vaults, and applications (among many other steps).
Remote. Remote work, cloud solutions, and SaaS evade many security controls. It is essential to bring remote traffic into the interior network (always-on VPNs), restrict access to SaaS/cloud solutions from non-organizational IPs, or create very stringent access restrictions that combine tight endpoint controls with conditional access policies on the SaaS/cloud side to block access from “public” or uncontrolled devices.
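The access rule described above, as an added example that is not part of the original article: a sign-in is allowed when it arrives from an organizational network (for example through an always-on VPN) or from a device that is both managed and compliant, and denied otherwise. The organizational ranges use documentation prefixes and the sign-in records are constructed; the function and field names are assumptions for this illustration, not any particular vendor's conditional-access API. One caveat a practitioner wants handled is shown explicitly: an unparseable source address fails closed rather than slipping through.

```python
import ipaddress
from typing import Dict, List, Tuple

# Organizational egress ranges (constructed; RFC 5737 documentation prefixes).
ORG_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def from_org_network(src_ip: str) -> bool:
    """True if src_ip parses and falls inside a known organizational range.
    A malformed address is treated as untrusted (fail closed)."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in ORG_NETWORKS)


def evaluate_signin(src_ip: str, managed_device: bool, compliant_device: bool) -> Tuple[str, str]:
    """Conditional-access decision for one SaaS sign-in: (decision, reason)."""
    if from_org_network(src_ip):
        return ("allow", "organizational network")
    if managed_device and compliant_device:
        return ("allow", "managed and compliant device")
    return ("deny", "uncontrolled device outside organizational network")


def evaluate_batch(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """Apply the rule to a list of sign-in records; returns (user, decision, reason) per record."""
    return [
        (r["user"], *evaluate_signin(r["src_ip"], r["managed"], r["compliant"]))
        for r in records
    ]


# Constructed sign-in records (hypothetical users and addresses).
SAMPLE_SIGNINS = [
    {"user": "alice", "src_ip": "203.0.113.40", "managed": False, "compliant": False},  # on VPN
    {"user": "bob", "src_ip": "192.0.2.10", "managed": True, "compliant": True},        # corporate laptop at home
    {"user": "carol", "src_ip": "192.0.2.11", "managed": True, "compliant": False},     # laptop failing checks
    {"user": "dave", "src_ip": "192.0.2.12", "managed": False, "compliant": False},     # personal device
    {"user": "eve", "src_ip": "not-an-ip", "managed": False, "compliant": False},       # garbage source field
]

if __name__ == "__main__":
    for user, decision, reason in evaluate_batch(SAMPLE_SIGNINS):
        print(f"{user}: {decision} ({reason})")
```

The two allow paths are the two halves of the article's recommendation: network position alone is enough only because the always-on VPN has already forced the endpoint through the interior controls, and device posture alone is enough only because the endpoint controls are tight.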
Firewalls. Most firewall traffic is ignored rather than deep-packet inspected and filtered, especially outbound traffic (which is important for insider and reputational threats). According to one study, 63 percent of all threats were discovered in encrypted traffic; some studies have put the figure as high as 90 percent. By not using all the tools available on the firewall, organizations effectively neuter the efficacy of this critical control. A firewall that does not look at ALL traffic is not providing effective protection.
Tools. Companies invest heavily in tools. Yet, if these tools aren’t a part of a comprehensive strategy to create an orchestrated blanket of protection, providing layers of defense, enterprises end up with unhelpful, money-wasting overlap and gaps in defenses. It is important to not only have tools, but to also have a strategy for how those tools work together along with the people and processes necessary to deliver robust defensive layers in a manner that ensures there are no gaps.
Products. Often, vendors, resellers, and VARs sell products, not outcomes. It’s important to have an outside perspective on the effectiveness of solutions against the range of current and evolving threats, how the solutions work together, and, importantly, whether these products are always configured with the right settings to provide proper defense. Default settings often don’t confer strong defenses; neither do yesterday’s settings.
It’s important for organizations of all types and sizes to not only have a security strategy, but also regularly assess it for gaps and continually adjust it against real-time threats. While it’s increasingly true that organizations and senior leadership understand the imperative of cybersecurity risk mitigation, they are often unaware of the current threat landscape and that effectiveness is in the details. Keeping an eye on organizational gaps through the lens of an attacker can help an organization avoid enterprise-ending breaches.
Eli Nussbaum is Managing Director, Conversant Group.