IT disaster recovery, cloud computing and information security news

By Luke Potter, Operations Manager, SureCloud.

There's no reward without risk, as the old saying puts it. But try telling that to the IT teams who have their work cut out dealing with the daily deluge of threats to their networks: they’ll reply that they’d be happier without any risk at all. Even though security information and event management products can help make sense of the overwhelming amount of threat data, and provide information to mitigate the risk of attacks, they’re only part of an organization’s security controls. It’s also essential that those controls are regularly checked and tested, to ensure that the network has no weaknesses in its defensive armour that could be exploited.

In addition to penetration testing and vulnerability scanning to identify potential issues, there are a few basic, but essential, steps that all organizations should repeat regularly to minimise the risks of giving an attacker an easy entry point. Let’s take a closer look at these six security checks:

Firewall configurations

It’s important for firewall configurations to be regularly reviewed and independently audited to ensure that only the absolutely necessary configuration is active. When performing external penetration testing, we commonly see remote management services exposed to the public internet rather than being correctly filtered to only permit access from ‘trusted’ networks such as the LAN or VPN.
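One way to automate part of this review is sketched below as an added example (not SureCloud's tooling): it scans a rule export for permit rules that open remote management ports to sources outside the trusted networks. The rule format, the trusted ranges and the port list are assumptions constructed for the illustration.

```python
import ipaddress

# Assumed trusted networks (LAN and VPN ranges constructed for this example).
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.50.0/24")]
# Remote management services that should only be reachable from trusted networks.
MGMT_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}

# Constructed rule export, one rule per line: action protocol source dest-port
SAMPLE_RULES = """\
permit tcp 0.0.0.0/0 443
permit tcp 0.0.0.0/0 22
permit tcp 10.20.0.0/16 3389
permit tcp 203.0.113.0/24 3389
deny tcp 0.0.0.0/0 23
permit tcp 172.16.50.0/24 5900
"""

def parse_rules(text):
    """Turn the export into dicts, remembering the rule's line number."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        action, proto, source, port = line.split()
        rules.append({"line": lineno, "action": action, "proto": proto,
                      "source": ipaddress.ip_network(source), "port": int(port)})
    return rules

def is_trusted(source):
    """True only if the whole source range sits inside a trusted network."""
    return any(source.version == t.version and source.subnet_of(t) for t in TRUSTED)

def exposed_management(rules):
    """Return (line, service, source) for management ports open to untrusted sources."""
    return [(r["line"], MGMT_PORTS[r["port"]], str(r["source"]))
            for r in rules
            if r["action"] == "permit" and r["port"] in MGMT_PORTS
            and not is_trusted(r["source"])]

if __name__ == "__main__":
    for line, svc, src in exposed_management(parse_rules(SAMPLE_RULES)):
        print(f"rule {line}: {svc} permitted from untrusted source {src}")
```

The check looks at each rule in isolation and does not model rule ordering, so an earlier deny that shadows a flagged permit still needs a manual look.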

Network segregation

Along with checking the firewall configuration, it is important to check that segregation is working effectively across all network egress and ingress points. Businesses should check for network anomalies arising from the segregation between servers and clients. If cardholder data environments, or other secure enclaves, are insufficiently segregated, an attacker could access them by stepping across through compromised systems – as happened in the 2013 Target breach, where hackers first compromised a third-party supplier’s network before jumping across onto Target’s and eventually breaching the POS network.

Username enumeration and strong passwords

Some of the common findings on the internal penetration tests we perform include file shares without appropriate permissions and the ability to enumerate usernames due to incorrectly configured Windows domain services. These flaws often lead to privileges being gained on the network. Organizations need to ensure that all users set strong passwords that go beyond simply meeting the current password complexity criteria. We regularly see organizations that have best-practice password policies, but still have users employing weak passwords such as ‘Password01’, just to meet the policy. Organizations must encourage users to take the time to set suitably complex passwords, then test those passwords regularly to ensure that they are appropriately strong.
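The gap between "meets the policy" and "is strong" can be tested mechanically. The following added example (not from the original article) flags candidate passwords that satisfy a complexity policy yet reduce to a common base word once trailing digits, symbols and character substitutions are removed. The policy (8 characters, three of four character classes), the base-word list and the sample passwords are assumptions constructed for the illustration.

```python
import re

# Assumed policy: at least 8 characters and 3 of 4 character classes.
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
# Constructed list of base words; a real audit would load a larger dictionary
# plus organisation-specific terms (company name, site, product names).
COMMON_BASES = {"password", "welcome", "summer", "winter", "letmein", "qwerty"}
# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})

# Constructed candidates, e.g. as submitted at password-change time.
SAMPLE = ["Password01", "P@ssw0rd!", "Summer2024!", "password", "tR7#kq9!Lm2x"]

def meets_policy(pw, min_len=8):
    """Complexity check of the kind most password policies enforce."""
    hits = sum(bool(re.search(c, pw)) for c in CLASSES)
    return len(pw) >= min_len and hits >= 3

def base_word(pw):
    """Strip leading/trailing digits and symbols, lower-case, undo substitutions."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw)
    return core.lower().translate(LEET)

def weak_but_compliant(candidates):
    """Passwords that pass the policy but are a decorated dictionary word."""
    return [pw for pw in candidates
            if meets_policy(pw) and base_word(pw) in COMMON_BASES]

if __name__ == "__main__":
    for pw in weak_but_compliant(SAMPLE):
        print(f"{pw!r} meets the policy but reduces to {base_word(pw)!r}")
```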

Web applications

Weaknesses and vulnerabilities in web applications are quickly becoming one of the main attack vectors through which organizations are compromised. The main threats usually found within clients’ applications are SQL injection, cross-site scripting and parameter tampering attacks. Along with regular web application penetration testing, all applications should be securely coded using an appropriate methodology, such as the Open Web Application Security Project (OWASP) secure coding guidelines. Whilst performing a review of applications, checks could also include ensuring that no dynamic queries are used in application code, that input validation and sanitisation are correctly implemented, and that authority checks are present for all user-controllable input.
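The three review checks named above (no dynamic queries, input validation, authority checks) are shown together in the following added example, which is not code from the original article. It contrasts a dynamic query with a lookup that validates the input, checks the caller's authority and binds the value as a parameter; the table, the account names and the allowlist pattern are constructed for the illustration.

```python
import re
import sqlite3

OWNER_RE = re.compile(r"[a-z0-9_]{1,32}")   # assumed allowlist for account names
TAMPERED = "x' OR '1'='1"                   # constructed tampered parameter value

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250), ("carol", 75)])
    return db

def lookup_dynamic(db, owner):
    """What a code review should flag: user input becomes part of the SQL text."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def lookup_checked(db, session_user, owner):
    """Same lookup with the three checks applied in order."""
    # 1. Input validation: reject anything outside the expected format.
    if not OWNER_RE.fullmatch(owner):
        raise ValueError("invalid account name")
    # 2. Authority check: the parameter is user-controllable, so compare it
    #    with the authenticated session rather than trusting it.
    if owner != session_user:
        raise PermissionError("not authorised for this account")
    # 3. Parameterized query: the value is bound as data, never parsed as SQL.
    return db.execute("SELECT owner, balance FROM accounts WHERE owner = ?",
                      (owner,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("dynamic query rows:", len(lookup_dynamic(db, TAMPERED)))
    print("checked lookup:", lookup_checked(db, "alice", "alice"))
```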

Be careful with admin privileges

One common misconfiguration is assigning excessive privileges to users and network service accounts. Doing so potentially results in admin authentication tokens and Domain Admin credentials being present on all computers where these services are used. If a single domain member is compromised where one of these accounts has been used, it’s often easy to escalate privileges to that of Domain Administrator. Organizations need to ensure that Domain Administrator privileges are used only for administering domain controllers. As a general rule, IT staff and service accounts should only be assigned local administrator access to the systems to which they require access. Organizations also need to ensure that domain token caching is in place across the server estate.

Patch management

Finally, one of the best lines of defence is to ensure that all systems and services are correctly and regularly patched. This should go beyond operating system level patching to include third-party software such as Adobe Reader, Flash and Java runtime environments. Attacks on third-party software, and compromise of networks through these means, are continuing to increase. Vulnerability scanning can help to assure that patches are being applied effectively.

By carrying out these six checks regularly, organizations can ensure that their networks are better protected by exposing weaknesses and vulnerabilities before they can be exploited. Frequent checking of controls, complemented by independent penetration testing, vulnerability scanning, and extensive network defences can help assure that those controls are effective and processes are proficient at mitigating the risks of a network breach.
