5 Common Security Mistakes & How to Detect Them
Check out these five common security mistakes and how they typically lead to security exposure. Plus learn how to spot them and how to remediate.
Hello. I’m going to spend the next few minutes talking about some common security mistakes, and how you can find them in your network before it’s too late. The first, and unfortunately very popular, is clicking without thinking, which can result in malware infection, system compromise and more. Another one is when users disable the security controls on their PCs, tablets and laptops. Another is neglecting to patch applications; unpatched applications are one of the biggest vectors of risk. Another is using default passwords. And then another one, and I don’t think this one gets enough attention, is setting up special access and then forgetting to turn it off when it’s no longer necessary. So let’s talk about how you can spot some of these. We all have heard “Think before you click”, right?
One of the biggest problems and challenges with malware infections is that users tend to click on an embedded attachment in an email, or even an embedded link in their Twitter feed, and that often leads to infecting their device and exposing your organization to unnecessary risk. So encourage your users to think before they click. But the challenge here is that it really is hard to know when users are clicking on these things and you’re getting infected; SpyEye is an example. So most of the time you’re going to find out that users have made this mistake after the fact, right. And that’s why it’s so essential to have security monitoring in place: if you have a tool that can spot that infection early on, you can then focus on remediation. Find it early, fix it fast, contain it, and then work really hard on educating your users. You might even need to tweak some security policies here and there.
Alright, another big one is disabling security controls, which is almost like freefalling without a parachute. It’s never a good idea to turn off antivirus, antispyware, personal firewalls, web browser security settings, or even auto-update, and we’ll talk more about the importance of updating software. But how do you detect this? At a minimum, you need to know what’s in your environment. So run periodic asset inventory scans that will tell you what software exists on those machines. You may also want to apply an event correlation rule in a product like AlienVault’s USM, which will enable you to identify instantly any out-of-policy configurations; we have an example of such a rule right here. You might even want to consider removing admin access on those laptops and desktops for your users, and only you will know if that’s the right remediation strategy to take.
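To make the two detection paths above concrete, here is an added example (not code from the talk or from AlienVault’s USM) that checks an asset-inventory snapshot for disabled controls and then runs a simple correlation rule over configuration-change events. The record layouts, host names and timestamps are constructed for illustration; the rule logic (flag a control that was disabled and not re-enabled within a grace period) is the only part that matters.

```python
"""Detect disabled endpoint security controls from two data sources:
an asset-inventory snapshot and a stream of configuration-change events.
Added example; record formats and sample data are constructed."""
from datetime import datetime, timedelta

REQUIRED_CONTROLS = ("antivirus", "firewall", "auto_update")

# Constructed inventory snapshot, as a periodic asset scan might report it.
INVENTORY = [
    {"host": "ws-101", "antivirus": True,  "firewall": True,  "auto_update": True},
    {"host": "ws-102", "antivirus": False, "firewall": True,  "auto_update": True},
    {"host": "lt-007", "antivirus": True,  "firewall": False, "auto_update": False},
]


def inventory_violations(inventory, required=REQUIRED_CONTROLS):
    """Return {host: [controls that are off]} for hosts that are out of policy."""
    out = {}
    for rec in inventory:
        off = [c for c in required if not rec.get(c, False)]
        if off:
            out[rec["host"]] = off
    return out


# Constructed configuration-change events: (ISO time, host, control, new state).
EVENTS = [
    ("2024-03-01T09:00:00", "ws-101", "antivirus", "disabled"),
    ("2024-03-01T09:03:00", "ws-101", "antivirus", "enabled"),   # brief, re-enabled in time
    ("2024-03-01T10:15:00", "ws-102", "antivirus", "disabled"),  # never re-enabled
    ("2024-03-01T11:00:00", "lt-007", "firewall",  "disabled"),
    ("2024-03-01T13:30:00", "lt-007", "firewall",  "enabled"),   # re-enabled, but far too late
]


def correlate_disabled_controls(events, grace=timedelta(minutes=10)):
    """Correlation rule: flag any (host, control) that was disabled and not
    re-enabled within `grace`, or that is still disabled at the end of the
    event window. Returns a sorted list of (host, control) pairs."""
    pending = {}   # (host, control) -> time it was disabled
    flagged = set()
    for ts, host, control, state in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (host, control)
        if state == "disabled":
            pending[key] = t
        elif state == "enabled" and key in pending:
            if t - pending.pop(key) > grace:
                flagged.add(key)
    flagged.update(pending)    # disabled and never re-enabled
    return sorted(flagged)


if __name__ == "__main__":
    print("Out of policy per inventory:", inventory_violations(INVENTORY))
    print("Flagged by correlation rule:", correlate_disabled_controls(EVENTS))
```

The inventory check catches what is off right now; the correlation rule catches a control that was switched off between scans, which a snapshot alone would miss if the user turned it back on before the next scan.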
Mistake number three is neglecting to patch applications. That’s a really ugly picture there, because moldy software is really as unappealing and dangerous as moldy fruit. So it’s very important to update software when you’re prompted to do so. And if there’s unnecessary software that your users are using, or that they installed and are no longer using, it’s really important to spot that as well and remove it. But in order to know if you have unpatched software in your environment, again, I’m going to reiterate this, you need to have some way of determining what’s in your environment. Automated asset discovery is a great way to do this: you’ll be able to see what devices have what services running, and whether those services are vulnerable. You’ll also be able to ask questions of that environment. “Do I really need that piece of software, that Citrix plugin I see down there?” Or, if you want to know which users are installing Apache servers, either because you need to identify whether those are vulnerable or because you want to remove them as you migrate to a different technology, you can ask those questions when you do that asset discovery and inventory. Another very common and robust way of finding unpatched software is to do periodic vulnerability scans. You can identify those vulnerabilities, and also match them against the inventory that you have in your environment.
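The “match scan findings against your inventory” step looks like this in practice. This is an added example, not code from the talk or any scanner: it takes a discovered inventory of hosts and service versions, compares each version against a “fixed in” threshold, and also answers the inventory question from the text (“which hosts run Apache?”). The inventory, service names and version thresholds are constructed placeholders, not real advisory data.

```python
"""Correlate an asset inventory with fixed-in version thresholds to list
unpatched services. Added example; all data below is constructed."""

# Constructed inventory from an automated discovery scan: host -> [(service, version)].
INVENTORY = {
    "web-01": [("apache_httpd", "2.4.30"), ("openssh", "9.3")],
    "web-02": [("apache_httpd", "2.4.45")],
    "ws-044": [("citrix_receiver", "4.9.1"), ("apache_httpd", "2.4.12")],
    "db-01":  [("openssh", "8.2")],
}

# Constructed "patched from this version on" thresholds (placeholders, not real advisories).
FIXED_IN = {
    "apache_httpd": "2.4.40",
    "openssh": "9.0",
}


def parse_version(v):
    """'2.4.30' -> (2, 4, 30). Non-numeric segments compare as 0 so that
    tuple comparison works for plain dotted versions."""
    parts = []
    for segment in v.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_unpatched(version, fixed_in):
    """True when the running version is older than the fixed-in version."""
    return parse_version(version) < parse_version(fixed_in)


def find_unpatched(inventory, fixed_in):
    """Return sorted (host, service, version, fixed_in) tuples for every
    service whose version is below the threshold for that service."""
    findings = []
    for host, services in inventory.items():
        for service, version in services:
            threshold = fixed_in.get(service)
            if threshold and is_unpatched(version, threshold):
                findings.append((host, service, version, threshold))
    return sorted(findings)


def hosts_running(inventory, service):
    """Answer 'which hosts run <service>?' from the same inventory."""
    return sorted(h for h, svcs in inventory.items()
                  if any(s == service for s, _ in svcs))


if __name__ == "__main__":
    for finding in find_unpatched(INVENTORY, FIXED_IN):
        print("UNPATCHED:", finding)
    print("Hosts running apache_httpd:", hosts_running(INVENTORY, "apache_httpd"))
```

Services with no threshold in the feed (the Citrix plugin here) produce no finding, which is the point of keeping inventory and vulnerability data separate: the inventory tells you the software is there so you can ask whether it should be, even when no scanner flags it.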
Alright, mistake number four is using default passwords. Passwords are, I think, one of the worst failures in the information security industry: the fact that we have to remember so many of them, the fact that they’re so easy to break. I know that’s why we rely on default passwords, but it’s really critical to change these wherever possible, because this list is being shared everywhere on the internet, and that’s why I wanted to bring that table up here. But how do you find them? Well, another good answer is this periodic vulnerability scan. Those scans run checks to see whether any default passwords are still recognized and accepted on common devices where those default passwords are known. And again, this comes down to user education. Educate your users on changing those passwords, and especially the IT operations teams, who may have forgotten to change them when they stood up a new infrastructure device. So again, make sure you’re continuing to remind people how important this is.
Alright, number five: setting up special access, and then forgetting to remove it. This is one of the most common things, especially for IT teams. Here are some examples: you can have a VPN connection to a partner, a supplier, or a vendor; you might need to have escalated privilege for certain user accounts, again on the IT operations side, which you may only intend as temporary access for testing or other reasons; and then testing itself: test accounts, test networks, test applications. You’ll want to make sure that you turn those things off when you no longer need them. But where are you going to find out how this happened, or when it happens? The logs are your friends. Here’s an example of a raw log. Not exactly intuitive to read, right? But you do need to review them regularly. And there’s a way you can do it that doesn’t just drive you crazy, and it’s called normalization, or translation. So having a log management tool that can do that translation or normalization for you is really critical.
The other thing you’ll want to do is set a reminder for yourself to expire the special access. When anyone comes to you and says “I need special access, I need to change a firewall rule set, I need to set up a VPN connection, I need to open our network up for these services”, ask them why, of course. Have a process to ask them when they’ll no longer need that access, and then set up a reminder for yourself to disable it. If you forget, here’s your safety net: create a correlation rule in your SIEM engine that captures any events related to that special access, just in case.
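The two ideas from the last two paragraphs, normalizing raw logs into something readable and keeping a safety-net rule for special access, fit together in one small example. This is added code, not from the talk or any log management product: it translates two constructed raw log shapes (a VPN tunnel event and a firewall rule change) into one common record layout, keeps a register of special-access grants with their agreed expiry dates, and flags both grants that are past expiry and still enabled (the reminder) and any event that touches a grant after its expiry (the correlation rule). Host names, user names, rule ids and dates are all constructed; the assumed year for the syslog timestamps is an explicit constant.

```python
"""Normalize raw log lines into a common schema, then correlate them with a
register of temporary access grants. Added example; all data is constructed."""
import re
from datetime import datetime

# Constructed raw log lines: VPN daemon lines and firewall manager lines.
RAW_LOGS = [
    "Mar 14 02:11:09 vpn-gw1 vpnd[311]: user=partner-acme tunnel=acme-site status=UP",
    "Mar 14 08:45:02 fw-edge1 fwmgr: rule_id=4102 action=ALLOW src=10.9.0.0/24 dst=any admin=jsmith",
    "Mar 20 23:02:44 vpn-gw1 vpnd[311]: user=partner-acme tunnel=acme-site status=UP",
    "Mar 21 01:00:10 fw-edge1 fwmgr: rule_id=4102 action=ALLOW src=10.9.0.0/24 dst=any admin=jsmith",
]

SYSLOG_HDR = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[]+)")
KV = re.compile(r"(\w+)=(\S+)")
YEAR = 2024   # classic syslog lines carry no year; assumed for this example


def normalize(line):
    """Translate one raw line into a common dict, or None if unrecognised.
    Common fields: time, source host, kind, subject (who), access_id (what)."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    fields = dict(KV.findall(line))
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    prog = m["prog"].strip()
    if prog.startswith("vpnd"):
        return {"time": ts, "source": m["host"], "kind": "vpn",
                "subject": fields.get("user"), "access_id": fields.get("tunnel")}
    if prog.startswith("fwmgr"):
        return {"time": ts, "source": m["host"], "kind": "firewall",
                "subject": fields.get("admin"), "access_id": "rule:" + fields.get("rule_id", "?")}
    return None


# Constructed register of special-access grants and the expiry agreed when they were set up.
GRANTS = {
    "acme-site": {"owner": "jdoe",   "expires": datetime(2024, 3, 18), "disabled": False},
    "rule:4102": {"owner": "jsmith", "expires": datetime(2024, 3, 31), "disabled": False},
}


def expired_grants(grants, now):
    """Reminder list: grants past their expiry that nobody has disabled yet."""
    return sorted(k for k, g in grants.items() if not g["disabled"] and now > g["expires"])


def correlate_stale_access(raw_lines, grants):
    """Safety-net rule: any event touching a grant after its expiry date.
    Returns (access_id, ISO time) for each hit, in log order."""
    hits = []
    for line in raw_lines:
        ev = normalize(line)
        if ev is None:
            continue
        g = grants.get(ev["access_id"])
        if g and ev["time"] > g["expires"]:
            hits.append((ev["access_id"], ev["time"].isoformat()))
    return hits


if __name__ == "__main__":
    for line in RAW_LOGS:
        print(normalize(line))
    print("Expired but still enabled:", expired_grants(GRANTS, datetime(2024, 3, 25)))
    print("Activity on expired access:", correlate_stale_access(RAW_LOGS, GRANTS))
```

The partner tunnel was agreed to end on March 18, so the VPN line from March 20 is exactly the event the safety-net rule exists to catch; the firewall rule is still within its window and produces nothing. In a real SIEM the register would be fed from the access-request process described above rather than hard-coded.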
Okay, so people make mistakes. Here’s an example, right. But the idea here is that we want to learn from those mistakes, and you want to learn from the mistakes of others too, because you’re going to make them and others are going to make them; the point is to spot them as quickly as you can using the technology and the process that you have in place. To find out more about how to spot the mistakes of others, and even your own, before they impact your network, go to www.AlienVault.com. We have a learning center there where you can find that information. After all, at AlienVault we’re big believers in sharing knowledge, even when it comes from making a few mistakes here and there.