Six network security checks to mitigate the risk of data security breaches
- Published: Monday, 22 June 2015 15:38
By Luke Potter, Operations Manager, SureCloud.
There's no reward without risk, as the old saying puts it. But try telling that to the IT teams who have their work cut out dealing with the daily deluge of threats to their networks: they’ll reply that they’d be happier without any risk at all. Even though security information and event management products can help make sense of the overwhelming amount of threat data, and provide information to mitigate the risk of attacks, they’re only part of an organization’s security controls. It’s also essential that those controls are regularly checked and tested, to ensure that the network has no weaknesses in its defensive armour that could be exploited.
In addition to penetration testing and vulnerability scanning to identify potential issues, there are a few basic, but essential, steps that all organizations should repeat regularly to minimise the risks of giving an attacker an easy entry point. Let’s take a closer look at these six security checks:
It’s important for firewall configurations to be regularly reviewed and independently audited to ensure that only the absolutely necessary configuration is active. When performing external penetration testing, we commonly see remote management services exposed to the public internet rather than being correctly filtered to only permit access from ‘trusted’ networks such as the LAN or VPN.
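The exposure described above can be caught mechanically in a rule review. The following is an added example, not SureCloud's tooling: it audits a constructed, simplified rule set and flags any allow rule that exposes a remote-management port to a source outside the networks the organisation treats as trusted (the port list and trusted ranges are assumptions for the example).

```python
import ipaddress

# Remote-management services that should be reachable only from trusted networks.
# Assumed list for this example; extend it to match the estate being reviewed.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp",
                    5900: "vnc", 5985: "winrm", 5986: "winrm-https"}

# Networks the organisation considers trusted (constructed values).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),         # LAN
                ipaddress.ip_network("192.168.100.0/24")]   # VPN client pool

def is_trusted(source: str) -> bool:
    """True if the rule's source range lies entirely inside a trusted network."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_NETS)

def audit_rules(rules):
    """Return findings for 'allow' rules that expose a management port to an
    untrusted source. Each rule is a tuple (action, source_cidr, dest_port)."""
    findings = []
    for action, source, port in rules:
        if action != "allow" or port not in MANAGEMENT_PORTS:
            continue
        if not is_trusted(source):
            findings.append(f"{MANAGEMENT_PORTS[port]}/{port} allowed from {source}")
    return findings

# Constructed rule set: the first two rules are the misconfiguration the text
# describes; the last two are the corrected, source-filtered form.
SAMPLE_RULES = [
    ("allow", "0.0.0.0/0", 3389),         # RDP open to the internet
    ("allow", "0.0.0.0/0", 22),           # SSH open to the internet
    ("allow", "0.0.0.0/0", 443),          # public web service: expected
    ("allow", "192.168.100.0/24", 3389),  # RDP only from the VPN pool
    ("allow", "10.0.0.0/8", 22),          # SSH only from the LAN
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print("FINDING:", finding)
```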
Along with checking the firewall configuration, it is important to check that segregation is working effectively across all network egress and ingress points. Businesses should check for network anomalies arising from the segregation between servers and clients. If cardholder data environments, or other secure enclaves, are insufficiently segregated, an attacker could reach them by moving laterally through compromised systems – as happened in the 2013 Target breach, where hackers first compromised a third-party supplier’s network before jumping across onto Target’s and eventually breaching the POS network.
Username enumeration and strong passwords
Some of the common findings on the internal penetration tests we perform include file shares without appropriate permissions and the ability to enumerate usernames due to incorrectly configured Windows domain services. These flaws often lead to privileges being gained on the network. Organizations need to ensure that all users set strong passwords that go beyond simply meeting the current password complexity criteria. We regularly see organizations which have best-practice password policies, but still have users employing weak ones such as ‘Password01,’ just to meet the policy. Organizations must encourage users to take the time to set a suitably complex password, then test passwords regularly to ensure that they are appropriately strong.
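The ‘Password01’ problem above is that a complexity rule alone accepts a dictionary word padded with a capital and a couple of digits. The following is an added example, not the author's, of a check that applies a typical complexity policy and then also rejects padded dictionary words; the small banned-word list is constructed for the example and a real deployment would use a large breached-password list.

```python
import re

# Constructed blocklist of base words users commonly pad out to satisfy a
# complexity policy. "acme" stands in for the organisation's own name.
BANNED_BASES = {"password", "welcome", "letmein", "qwerty", "summer", "winter", "acme"}

# Common character substitutions users apply to a dictionary word.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})

def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Typical policy: minimum length and at least three of four character classes."""
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return len(pw) >= min_len and sum(1 for c in classes if c) >= 3

def base_word(pw: str) -> str:
    """Strip the padding: lower-case, drop leading/trailing digits and symbols,
    then undo common substitutions so 'P@ssw0rd1!' normalises to 'password'."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)

def check_password(pw: str) -> str:
    """Return 'ok', or the reason the password should be rejected."""
    if not meets_complexity(pw):
        return "fails complexity policy"
    base = base_word(pw)
    if any(word in base for word in BANNED_BASES):
        return "padded dictionary word"
    return "ok"

if __name__ == "__main__":
    # Constructed samples: all but the last two satisfy the complexity policy.
    for candidate in ["Password01", "P@ssw0rd1!", "Summer2015!", "Tr0ub4dor&3", "short1A"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```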
Weaknesses and vulnerabilities in web applications are quickly becoming one of the main attack vectors through which organizations are compromised. The main threats usually found within clients’ applications are SQL injection, cross-site scripting and parameter tampering attacks. Along with regular web application penetration testing, all applications should be securely coded using an appropriate methodology, such as the Open Web Application Security Project (OWASP) secure coding guidelines. Whilst performing a review of applications, checks could also include ensuring that no dynamic queries are used in application code, that input validation and sanitisation are correctly implemented, and that authorisation checks are present for all user-controllable input.
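Two of the review checks listed above, no dynamic queries and authorisation checks on user-controllable input, are shown side by side in the following added example (not code from the original article). It uses an in-memory SQLite table constructed for the example, contrasts a concatenated query with its parameterised form, and adds an ownership check of the kind that defeats parameter tampering on a record identifier.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "admin", "alice@example.com"),
        (2, "bob", "user", "bob@example.com"),
        (3, "carol", "user", "carol@example.com")])
    return conn

def lookup_dynamic(conn, username):
    """The defect the review step looks for: SQL assembled from user input by
    concatenation, so the input can change the structure of the query."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, username):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()

def profile_for(conn, session_user_id, requested_id):
    """Authorisation check against parameter tampering: the caller may read only
    their own record unless their role is admin. Returns None when refused."""
    row = conn.execute("SELECT role FROM users WHERE id = ?", (session_user_id,)).fetchone()
    if row is None or (row[0] != "admin" and requested_id != session_user_id):
        return None
    return conn.execute(
        "SELECT username, email FROM users WHERE id = ?", (requested_id,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"   # constructed input that closes the quoted literal
    print("dynamic:", lookup_dynamic(db, crafted))              # every row comes back
    print("parameterised:", lookup_parameterised(db, crafted))  # no row matches
    print("bob reading carol's profile:", profile_for(db, 2, 3))  # None: refused
    print("alice (admin) reading carol:", profile_for(db, 1, 3))
```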
Be careful with admin privileges
One common misconfiguration is assigning excessive privileges to users and network service accounts. Doing so potentially results in admin authentication tokens and Domain Admin credentials being present on every computer where these services are used. If a single domain member on which one of these accounts has been used is compromised, it’s often easy to escalate privileges to those of Domain Administrator. Organizations need to ensure that Domain Administrator privileges are used only for administering domain controllers. As a general rule, IT staff and service accounts should only be assigned local administrator access to the systems to which they require access. Organizations also need to ensure that domain token caching is in place across the server estate.
Finally, one of the best lines of defence is to ensure that all systems and services are correctly and regularly patched. This should include third-party software such as Adobe Reader, Flash and Java runtime environments, and go beyond operating-system-level patching alone. Attacks on third-party software, and compromises of networks through these means, are continuing to increase. Vulnerability scanning can help to assure that patches are being applied effectively.
By carrying out these six checks regularly, organizations can ensure that their networks are better protected by exposing weaknesses and vulnerabilities before they can be exploited. Frequent checking of controls, complemented by independent penetration testing, vulnerability scanning, and extensive network defences can help assure that those controls are effective and processes are proficient at mitigating the risks of a network breach.