Daily news headlines scream high-profile information security failures and consequences—Hacked! Attacked! Ransomware!—reinforcing that the severity of risk posed to sensitive information is unprecedented. Cybersecurity vulnerabilities and threats can put your organization and your customers’ sensitive information at risk, costing you customer loss, diminished trust in your brand, and regulatory fines. Where is our data? What are our security holes? What are our risk scenarios?
Over numerous client engagements, our findings indicate that a basic networking error or an older version of software that is rarely used could, in fact, be the vehicle a hacker needs to break in, exposing customer data and sensitive information.
Data is everywhere and so are data breaches—and breaches are occurring with increasing frequency and volume. In today’s complex cyberworld, cybersecurity risk and incidents are part of doing business. Chances are, your organization’s data will be—or already has been—breached.
In our day-to-day work with organizations to discover and address cybersecurity vulnerabilities, we are finding that the top 4 security vulnerabilities that organizations overlook are:
- Networked printers. From a network security perspective, printers have outdated firmware and are susceptible to multiple attacks. Aside from potential data loss and espionage, more than one proof of concept exists where a printer is used as a springboard to launch other attacks. To resolve this:
- Make sure printers’ firmware is updated regularly and included in your already established patch cycle.
- Logically isolate printers on restricted network segments, allowing access only to a dedicated print server.
- Internet of Things (IoT). More companies are accepting data from traditionally isolated devices (e.g., heating, ventilation and air conditioning [HVAC] controllers, IP cameras). These have firmware that require regular updates and are frequently missed by traditional patching processes. There have been several cases in the wild where these devices were remotely compromised leading to data theft and vandalism. To resolve this:
- Implement firmware updates and patching cycles.
- Isolate these devices onto their own network segment and leverage a jumpbox for access
- Aging infrastructure. Over time, manufacturers such as Cisco end-of-life their products. This means that your network switch’s firmware is often out of date and susceptible to attack and compromise. Purchasing gray market, and/or used devices from auctions increases this risk exponentially. More than one gray market network device has been discovered to have unsigned (compromised) firmware. To resolve this:
- Track your device purchases and know their end-of-support dates. End of sale is usually a precursor to end of support. While tempting, never utilize hardware or software more than a year beyond vendors’ stated end-of-support dates. A best practice is to have your devices budgeted to be replaced before the end of your last support period.
- Know what firmware versions are on your devices.
- People. People remain the biggest threat to the organization. People take the easiest path, which is usually not the most secure, constantly creating vulnerabilities in organizations. The latest data1reveal that 70 percent of US employees lack security and privacy awareness. With an employee clicking on malware every 81 seconds in the US,2 is no surprise that cyber incidents that expose sensitive data are spreading, increasing an organization’s risk. Employees should be trained annually, at a minimum. This training should include social awareness and security awareness. To resolve this:
- For new employees, provide in-depth and relatable information security training. Provide testing and remediation to ensure employees have a clear understanding of your organization’s security policies.
- There are several ways to make security part of your organization’s culture. IT security can perform social engineering tests3 and discuss results. They can make security training fun and enjoyable, yet realistic and easy to implement. Consistent training programs that are interactive make employees feel like they are learning instead of having their hands slapped. Team-building activities such as brown-bag cybersecurity lunches4 or reminder cards for employees can help to keep cybersecurity awareness top of mind. Openly integrating security into conversations and meetings—for example, discussing the latest data breaches in the news and how they occurred—is a good way to highlight spear phishing, malware, and the social leaking of information,5 and should be accompanied by discussion of how to minimize these threats. Creating a holistic and positive company culture can also help to mitigate disgruntled employees who may be tempted to create breaches.
Security has grown up and needs regular maintenance and monitoring. It is no longer simply installing antivirus software and hiding the network behind a firewall. A strong security foundation is critical for your organization’s reputation and longevity. Does your organization need testing to check all computer systems and infrastructures to discover your cybersecurity vulnerabilities, risk, and targets? Maybe it’s time.
This edited article was originally published in ISACA’s The Nexus, https://cybersecurity.isaca.org/articles-details?articleId=the-top-four-security-vulnerabilities-you-might-be-overlooking
1 Kawamoto, D.; “70% of US Employees Lack Security and Privacy Awareness,” InformationWeek DarkReading, 3 October 2017
2 Check Point, 2016 Check Point Security Report, USA, 2016
3 Geer, D.; “Meet Six of the Most Effective Social Engineering Techniques,” Mitnick Security, 9 April 2017
4 Heathfield, S.; “Use a Brown Bag Lunch for Internal Training,” The Balance, 12 October 2017
5 Hueya, Inc., Cyber Abuse and the Human Factor, USA, 2017