Today's businesses are hyper-focused on ensuring their IT environments are secure and protected from cyber threats. However, with all the attention being given to the front lines of defense, what happens if you leave the back door open to hackers and intruders?
Configuration errors, lack of IT controls, insecure internal processes—these are all examples of vulnerabilities that could lead to a security breach and major data loss. To reduce the chances of a successful breach, organizations can take simple countermeasures, such as working with an MSP to tighten IT security. But first, look out for these seven basic avenues that might be open to cyber criminals.
1. Storing Default Usernames and Passwords on Network Devices
Once an intruder has gathered basic information about a victim's computer—such as its IP address, open ports and the services running on those ports, all of which can be found with freely available networking tools—their first step will be to try to access resources using less sophisticated methods that leave few traces in the event logs. Simple automated tools and wordlists, for example, make password brute forcing easy, whether the intruder is cracking a password file offline or attempting online authentication. The majority of network appliances, such as firewalls, wireless access points and routers, are sold with widely known default credentials that are often published on the vendor's website or in the manuals; several websites also maintain libraries of network products together with their default usernames and passwords.
When an unauthorized user gains access to a server, they shouldn't be handed every piece of information. Oftentimes, the first break-in occurs through an unprivileged user account, such as guest. The intruder's goal at this point is to escalate to administrative privileges. To prevent this, disable the guest account and block it from changing passwords on servers and workstations. Similarly, rename the built-in admin account to something less obvious, and change every known default password on servers, workstations and network devices. Most IT administrators skip this configuration, yet it often represents the difference between a full system compromise that leaves no trace of the intruder and your security systems triggering an alarm.
2. Giving Free Rein to Privileged Users
How will you be able to spot a threat if you don't have a process for reviewing users with domain admin access or other privileged accounts? Periodically assessing the list of users with elevated privileges lets you remove access from users who have changed positions within your organization. Additionally, IT administrators should use a separate account for routine tasks that do not require administrative roles, and powerful users such as backup administrators should likewise have their own dedicated elevated account.
3. Forgetting to Remove Terminated Users
This is a simple but valuable manual process. Organizations often lack the user management procedures and controls to manage the provisioning of accounts for new and existing users, and generic accounts created for vendors, consultants and contractors are never reviewed or deleted. For a very small organization with minimal turnover, this may not be a big deal: a frequent user account review may not be needed, because the IT administrator knows who has powerful access and when someone leaves the company. However, when your organization is growing and sees a lot of traffic in terms of contractors, consultants and employee turnover, it is a good idea to implement a periodic review of user access, especially for accounts with administrative privileges.
Disgruntled former employees may try to log in and damage your systems, and may even delete the log files you would need to investigate the incident. Privileged credentials may end up on electronic boards and in chat rooms where stolen information is traded. Even disgruntled IT employees who still work for the company may use terminated users' accounts to commit fraud and other illegal activities.
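The periodic review described in points 2 and 3 can be scripted against an export of your directory. The following is an added example, not code from the original post: it runs four checks over a constructed account list (enabled accounts of terminated users, privileged access not re-confirmed within a review window, privileged accounts whose owner has no separate routine account, and dormant vendor accounts). The group names, field layout and review window are assumptions to adapt to your environment.

```python
from dataclasses import dataclass
from datetime import date

# Groups whose membership counts as privileged (assumed names; adjust to your domain).
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
REVIEW_DATE = date(2024, 3, 15)  # the day this review is run

@dataclass
class Account:
    name: str
    owner: str           # person or vendor the account belongs to
    status: str          # owner status: "active", "terminated" or "vendor"
    enabled: bool
    groups: tuple
    last_reviewed: date  # when a reviewer last confirmed this access
    last_logon: date

# Constructed sample directory export; these are not real users.
ACCOUNTS = [
    Account("jsmith", "jsmith", "active", True, ("Domain Users",), date(2024, 2, 1), date(2024, 3, 1)),
    Account("jsmith-adm", "jsmith", "active", True, ("Domain Admins",), date(2024, 2, 1), date(2024, 2, 28)),
    Account("mjones", "mjones", "active", True, ("Domain Admins",), date(2023, 9, 1), date(2024, 3, 1)),
    Account("rlee", "rlee", "terminated", True, ("Domain Users",), date(2023, 11, 1), date(2024, 1, 15)),
    Account("vendor-acme", "acme", "vendor", True, ("Domain Users",), date(2023, 6, 1), date(2023, 7, 1)),
    Account("svc-old", "rlee", "terminated", False, ("Backup Operators",), date(2023, 11, 1), date(2023, 11, 1)),
]

def review_accounts(accounts, today, max_age_days=90):
    """Return (account name, issue) pairs that an access reviewer should act on."""
    findings = []
    # Owners who hold at least one non-privileged account for routine work.
    owners_with_plain = {a.owner for a in accounts if not set(a.groups) & ADMIN_GROUPS}
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account is already contained
        privileged = bool(set(a.groups) & ADMIN_GROUPS)
        if a.status == "terminated":
            findings.append((a.name, "enabled account belongs to a terminated user"))
        if privileged and (today - a.last_reviewed).days > max_age_days:
            findings.append((a.name, "privileged access not reviewed in %d days" % max_age_days))
        if privileged and a.owner not in owners_with_plain:
            findings.append((a.name, "privileged account with no separate routine account"))
        if a.status == "vendor" and (today - a.last_logon).days > max_age_days:
            findings.append((a.name, "dormant vendor/contractor account"))
    return findings

if __name__ == "__main__":
    for name, issue in review_accounts(ACCOUNTS, REVIEW_DATE):
        print(name, "-", issue)
```

On the sample data the script flags mjones twice, rlee once and vendor-acme once, while jsmith-adm passes because its owner also holds a plain account and the access was recently reviewed.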
4. Not Using a Baseline Security Configuration Standard for New Servers
The majority of vulnerabilities reported by scanners stem from bad default configuration of the operating system. OS vendors deliver their products with many features and services turned on, which affects not only performance but also the security of the system. Services that become a liability because of security issues are set to start automatically and configured to listen on well-known ports. To implement your security policy, your company should provide clear configuration guidance that is aligned with its business requirements.
The Security Content Automation Protocol (SCAP), managed by the National Institute of Standards and Technology (NIST), provides checklists and baselines for various operating systems and applications. Use them as a guide to configure a multitude of products, from web servers and office applications to web browsers. Several of these services, if left running with a low-security configuration, render your environment vulnerable and can provide a way in for unauthorized users.
5. Leaving FTP and Telnet Services Enabled
Among the services commonly installed on servers are File Transfer Protocol (FTP), Telnet and Terminal Services. As mentioned above, data sent over these protocols can be sniffed with freely available tools. FTP and Telnet periodically re-authenticate to the remote computer, and during this handshake user names and passwords are sent in clear text, where a third party can capture and use them. There are often valid business reasons to use these services; however, more secure alternatives to FTP, Telnet and Terminal Services exist—such as Secure File Transfer Protocol (SFTP), Internet Protocol Security (IPSec) and Remote Desktop Protocol (RDP).
6. Using Weak Ciphers Such as RC4
There have been proofs of concept, as well as successful exploits, demonstrating weaknesses in the RC4 algorithm and the way it generates its cipher text. Biases in its keystream (the output bytes are not uniformly random) can give an intruder a way to recover the original data from the cipher text. Communications over SSL/TLS may still use RC4 to encrypt data sent across the public Internet if the cipher has not been disabled in the configuration. If intercepted, such data can be decrypted without the encryption key. Several versions of SSL/TLS have been deprecated for their use of the RC4 algorithm.
7. Not Updating Server Message Block Protocol
It's important to upgrade to the latest version of the Server Message Block protocol (SMB), which provides access to servers over the Internet. SMB was introduced with Microsoft Windows 95 to allow users to read and write files on remote servers. It is used on web servers that serve resources to customers, and also on internal storage servers.
The SMB protocol has had a vulnerability for at least eighteen years that can be exploited with man-in-the-middle (MiTM) techniques. An attacker can use malware to redirect the user's browser requests for resources to a rogue file share and, in the process, capture user names and passwords. These credentials can then be cracked and used in a replay attack. Because it's such a security concern, Microsoft continuously releases patches for SMB, and users should deploy these patches as soon as they become available.