We’ve all made mistakes. And the best we can hope for is that we learn from them. Unfortunately, IT security mistakes can often have much more wide-ranging consequences than your standard mistake like a missed typo in a press release or a forgotten name of a new colleague.
That’s why it’s so critical to have a way to quickly spot IT security mistakes when they do happen. Because the longer a misconfigured security control lingers without remedy, the more likely someone with nefarious intent will take advantage of it.
So what are some of the most common mistakes we’ve seen?
Here’s a starter list, and please add your suggestions for additional ones in the Comments section. After all, the more we share about lessons learned, the more secure we all are. That’s why we wanted to include how you can spot these mistakes in your own network.
1.Clicking without thinking.
Why is this so common? The easiest way to get “digitally” screwed? Malware infection. And the easiest way to get infected with malware is to be a “promiscuous clicker”. Users who fail to think before they click on an email attachment, a link in a twitter feed, or an ad on a gambling site are notorious for infecting the rest of us with their promiscuity. In general, the same rules apply for navigating the digital world as it is for navigating the real one. Bottom line: Don’t enter scary neighborhoods without the right protection and keen awareness and don't enter scary websites, emails or other “neighborhoods” without the right protection and keen awareness.
How do you detect this? Make sure you implement and update basic endpoint security controls like personal firewalls, anti-virus, patch management, etc. Monitor network traffic, user activity, and intrusion detection (IDS) alerts to identify anomalies. Implement IP and domain reputation monitoring to detect communications with known malware distributors and command-and-control servers – this activity could signal system compromise. Vulnerability scanning will identify unpatched and unprotected endpoints. And of course educate users! How else will they develop keen awareness?
2. Disabling security controls.
Why is this so common? Users often have administrative privilege on their own machines, and may disable a security control for a variety of reasons. Maybe they perceived that it was impacting the functionality of one of their applications. Maybe they just got tired of seeing a dialogue box from their personal firewall or auto-update feature from their AV software. Whatever the reason, many users tend to prefer convenience to protection. And as a result, they’ll sacrifice security if they think it gets in the way of doing their job.
How do you detect this? First, you need to know the endpoints that are on your network, and how they’re configured. Automated asset discovery and inventory scans can tell you when endpoints appear on your network, and what software is installed. Vulnerability scans can identify how endpoints are configured, and identify those that are missing required security software, necessary updates and other protections. Want to make your life easier? Implement a unified solution that provides correlation between asset and vulnerability scan data so that validation and remediation are easier to tackle.
3. Neglecting to patch software.
Why is this so common? Maintaining current software and installing updates across an organization is an operational nightmare. Software updates from various vendors are frequent, often not timed conveniently, and can sometimes impact functionality. Testing these patches and updates should be a best practice, but with everything else going on in an IT department, it’s virtually impossible to do so with any regularity. Auto-update tools provide some help, but it’s very common for users to postpone these updates - especially when it’s in the middle of their workday and they have so many windows open on their laptops. As a result, software applications, especially client applications, go unpatched and introduce significant risk.
How do you detect this? Use the techniques we proposed for identifying when security controls have been disabled – know what’s on your network, enumerate software that’s installed on these devices, and run vulnerability scan reports to flag which machines contain unpatched and vulnerable software. Prioritize remediation efforts based on the severity of the vulnerability, as well as the value of the asset. Vulnerability scanning after remediation will validate the fixes were implemented properly and completely.
4. Using default passwords.
Why is this so common? Before we get to why it's so common, we should recognize this requires a bit of a look in the mirror for IT operations teams. This is one of those common IT security mistakes where we can be as guilty as (or more than) our users. We quickly stand up devices - servers, network gear - going through the motions, clicking through each default installation option - including the password option. Thinking we'll go back to change it but we never do. This is likely because we're all busier than 1-arm paper hangers, so... well okay now I've realized why it's so common.
How do you detect this? The list of default passwords for a wide variety of OS'es, applications, and network devices is as easy to find on the Internet as funny videos of cats. That's why this is such a huge security issue. Two ways to find this common mistake: log analysis and periodic vulnerability scan reports. We'd recommend using the same technology for both capabilities so you're not reinventing the wheel every time. Look for log analysis and SIEM event correlation tools that also perform vulnerability scan reports. That way you're not wasting time trying to integrate data feeds or manage multiple workflows and consoles. And don't forget: educate IT operation staff - and all employees - about the dangers of using default passwords and the need to change them, immediately and frequently, to strong ones.
5. Setting up “special” access and then forgetting to turn it off.
Why is this so common? Just like #4, this is less about user mistakes and more about IT operational or procedural mistakes. The scenario is a common one: Some VIP at your organization requests an exception to the security policy on the gateway firewall to allow direct, inbound access to your network via some random protocol to support some new partner initiative. Whatever the special reason or request, it requires a "temporary" policy exception. Another example is that this request involves the creation of a new "temporary" user account with administrative access to one of your production servers. Whatever the exception is - it invariably moves from temporary status to permanent status because someone forgot about it. Is it still necessary? No one knows because it wasn't documented. D'oh.
How do you detect it? Logs are your friend. Perform log analysis on your firewall, VPN and proxy logs to identify unexpected network connections to known and unknown entities. Implement SIEM event correlation to correlate firewall log data with IP reputation data to detect known malicious actors who may be disguising as a legitimate partner, supplier or vendor. From the start, document every exception to policy, require an expiration date, and add a notification to your calendar for one week prior to expiration to validate the need for the exception. Add an event correlation rule to your SIEM tool to trigger an alarm whenever the activity associated with the exception occurs - for example whenever a relevant connection is made through your firewall, or activity associated with the temporary user account is detected.
Hopefully these lessons learned help you and your teams stay ahead of the threat. And don't forget... stay focused on the essentials.