Over the last 20 years I have done hundreds of security audits and worked on many resolutions. It amazes me that many businesses think they are completely secure, yet have not taken the appropriate steps to actually ensure their company’s security. There are the obvious tasks a company should perform, like security patches, updates and such. Once complete, they pat themselves on the back and announce they are secure. But there are so many more items and points you overlook every day. Vulnerabilities lurk in some not-so-obvious places, and I am going to discuss them today: things and places companies rarely consider, but should.
If your company or business is like every other company in this economy, then your IT staff is thin, real thin. I work with several companies that used to employ five to ten IT staff members, but due to downsizing and reductions in force brought on by the slumping economy, slowing revenues, bad management or a variety of other circumstances, today employ only one or two IT staff members. In every case, the hardware, software and business requirements have not changed. The demand on these poor remaining staff members is even higher, and things begin to slip.
As mentioned above, you should make sure you perform hardware and software updates. Plus – your IT staff should regularly check with vendors for updates too. Don’t just rely on Microsoft to push out its weekly and monthly patches. Most times, Microsoft does not include many hardware updates, and does not include any third-party software updates in its update process.
So here is a list of the not-so-obvious security risks which, when patched and resolved alongside the standard patches and updates, should make you a much harder target.
Your employees – your own employees are your biggest source of security risks. Sometimes it is deliberate; often it is not. Employees have the most access to your assets. We expend a lot of effort worrying about external threats, but all it takes is an employee bringing in a virus from a home PC on a USB drive to nullify all your measures. Disgruntled employees sometimes express their anger by hurting your computer systems. And of course, it is possible for a well-meaning employee to make a major mistake. Good governance, education, setting (and enforcing) policies, and knowing your employees are your best steps to closing the holes.
Common coding mistakes – certain mistakes in programming still get made despite years of warnings and education. Most common are SQL injection and cross-site scripting vulnerabilities. I still see these issues from time to time even in major software packages that you would think are trustworthy (WordPress is a good example). It’s hard to change software once you’ve installed it, so you need to keep these packages up to date even though it is quite a hassle.
Unauthorized machines – I see this all the time: unauthorized computers, servers, switches, even routers and firewalls. Someone decides to bring in an old PC and put it on the network to do something your existing infrastructure doesn’t allow them to do. They think that they are being helpful. The best way to keep these rogue machines in line is with rigorous IP address audits and policies, plus scanning the network to build a list of the machines actually present. If machines can’t get IP addresses, they can’t do much harm.
Old “rock solid” servers – we all have them — that server buried deep in the data room that “just won’t quit.” Usually it’s running some software package that is impossible to migrate to another machine. Sadly, these machines are often major security risks because they typically are no longer getting patches, or we fail to patch them out of fear of breaking them. In addition, those older versions of operating systems often come with inherent security holes that no patching can fix. You need to replace these servers one way or the other. The best first step is to virtualize them. From there, it is a lot easier to try to update them.
Legacy applications – it’s not just the old servers that are big security risks; it is also the applications running on them, as well as other legacy applications you may have running. These applications would be a lot less problematic if they were current with their patches, but usually they aren’t. All too often, we miss a major version update because the upgrade is so difficult, and then we’re so far behind the ball that it’s impossible to catch up. Sometimes the applications are completely discontinued. It’s painful to say it, but the best thing you can do is find a migration path to a recent version or another package entirely.
Local admins – there are dangers in allowing users to run with escalated privileges. Occasionally businesses end up with users being granted local admin rights inappropriately. This often happens while troubleshooting a problem: we make the user a local admin to see if it fixes the problem and we forget to undo it. Regardless of how it occurs, it is a ticking time bomb for security. Use your central administration tools to make sure that the local admin list gets reset on a regular basis to the proper users and groups.
Incorrect share/file permissions – File permissions are tricky things, and most users are not even aware of how to set them. So what happens? Users create sensitive files in their usual networked location and those files get the default permissions, which are “collaboration friendly” to say the least. The next thing you know, everyone can read the documents, which are supposed to be confidential. Your best weapon is to pre-establish a share and file structure with the correct permissions. For example, give everyone a home directory for personal documents and create shares or directories around roles, projects, and teams with the appropriate permissions. The hard part is then educating them to use the correct locations — but that is much easier than trying to teach them permissions.
Hidden servers within applications – I have seen more and more applications lately that use a local Web server as an administration console. Sometimes, these applications are installed by users without permission. But occasionally, the IT department just does not realize what comes with an application. While these servers can be locked down so that they are not a risk (and with luck, they get installed like that), you need to verify that the applications are secured properly before allowing them to be installed on users’ machines.
VPN clients – some users figure out how to set up VPN access on their personal machines. For a power user, it isn’t too hard to do. But you have no control over that machine, and once it is on the VPN, problems with the unauthorized machine can easily spill over onto the VPN. One thing you can do is audit the VPN systems to see who is connecting from what PCs and compare it to your list of authorized systems. Also, you can put additional firewalls around VPN clients to quarantine them. Finally, there are various systems to ensure that the clients connecting are on a pre-approved list.
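The audits described under “Unauthorized machines” and “VPN clients” both boil down to the same check: compare what is observed on the wire against an authorized inventory. Below is an added example of that reconciliation (my code, not from the original post); the scan output, VPN log lines and their field layouts are constructed, not any vendor’s format.

```python
"""Reconcile observed LAN hosts and VPN clients against an authorized list.

Added example. Inventory, scan output and VPN log are constructed test data;
in practice the inventory comes from your CMDB and the scan from an ARP /
neighbor sweep or the DHCP lease table.
"""
import re

# Constructed inventory: MAC address -> asset tag of a company-owned machine.
AUTHORIZED_MACS = {
    "00:11:22:33:44:01": "WS-ACCT-01",
    "00:11:22:33:44:02": "WS-ACCT-02",
    "00:11:22:33:44:10": "SRV-FILE-01",
}
# Constructed list of company-managed hostnames permitted on the VPN.
AUTHORIZED_VPN_HOSTS = {"WS-ACCT-01", "LT-SALES-07"}

# Constructed scan output, one host per line: "<ip> <mac> <hostname-or-?>"
SCAN_OUTPUT = """\
10.0.1.21 00:11:22:33:44:01 ws-acct-01
10.0.1.22 00:11:22:33:44:02 ws-acct-02
10.0.1.50 00:11:22:33:44:10 srv-file-01
10.0.1.77 de:ad:be:ef:00:01 ?
"""
# Constructed VPN concentrator log: "<time> user=<u> host=<h> peer=<ip>"
VPN_LOG = """\
2024-05-01T08:02:11 user=jsmith host=WS-ACCT-01 peer=203.0.113.10
2024-05-01T08:15:42 user=mjones host=MIKES-HOME-PC peer=198.51.100.23
2024-05-01T09:01:05 user=tlee host=LT-SALES-07 peer=203.0.113.44
"""

SCAN_RE = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\S+)$", re.I)
VPN_RE = re.compile(r"user=(\S+) host=(\S+) peer=(\S+)")


def rogue_lan_hosts(scan_text, inventory=AUTHORIZED_MACS):
    """Return (ip, mac) for scanned hosts whose MAC is not in the inventory.
    A MAC can be spoofed, so treat a clean result as a first pass, not proof."""
    rogues = []
    for line in scan_text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m and m.group(2).lower() not in inventory:
            rogues.append((m.group(1), m.group(2).lower()))
    return rogues


def unauthorized_vpn_clients(log_text, allowed=AUTHORIZED_VPN_HOSTS):
    """Return (user, host) for VPN sessions from hosts not on the approved list."""
    return [(m.group(1), m.group(2)) for m in map(VPN_RE.search, log_text.splitlines())
            if m and m.group(2) not in allowed]
```

Run both functions on each scan and VPN log export and feed the results to whoever owns the quarantine step; the unknown MAC on 10.0.1.77 and the home PC connecting as mjones are the two findings in this sample.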
Disabled security software – security software often puts up roadblocks to getting work done, so the “logical response” from many users is to find a way to work around it. Power users (especially developers and system administrators) often know how to circumvent security tools. They may also be local administrators because of a technical need, which makes disabling software and changing settings even easier.
It is tough to stay in front of these items. Today’s security threats go way beyond what they used to. Every Acrobat file, for example, is a potential security risk. Start looking for unusual trends, like large amounts of consistent traffic to a single IP address, and use centralized tools to ensure that settings are at the right levels and are reset periodically. Also, take away any unnecessary local administration rights, and firewall entire groups onto their own network segment to limit damage if those groups have a legitimate need for lower security.
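As an added example of the “large amounts of consistent traffic to one IP address” check (my code, not from the original post), the function below groups outbound flow records by destination and flags destinations that receive a lot of data at regular intervals. The flow records and the thresholds are constructed assumptions; tune them against your own traffic baseline.

```python
"""Flag destinations receiving large, steady outbound traffic.

Added example. FLOWS is constructed data: one external host receives a
multi-megabyte upload every ten minutes, the others see ordinary browsing.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: (time, src, dst, bytes_out), e.g. from NetFlow.
FLOWS = [
    ("2024-05-01T09:00:00", "10.0.1.22", "198.51.100.9", 4_800_000),
    ("2024-05-01T09:10:00", "10.0.1.22", "198.51.100.9", 5_100_000),
    ("2024-05-01T09:20:00", "10.0.1.22", "198.51.100.9", 4_950_000),
    ("2024-05-01T09:30:00", "10.0.1.22", "198.51.100.9", 5_020_000),
    ("2024-05-01T09:03:12", "10.0.1.21", "203.0.113.5", 120_000),
    ("2024-05-01T09:41:50", "10.0.1.21", "203.0.113.5", 80_000),
    ("2024-05-01T09:55:03", "10.0.1.50", "203.0.113.80", 2_000_000),
]


def steady_talkers(flows, min_bytes=10_000_000, min_flows=4, max_jitter=0.25):
    """Return {dst: total_bytes} for destinations with at least `min_flows`
    flows, at least `min_bytes` in total, and inter-flow gaps whose relative
    spread (stdev / mean) is at most `max_jitter`: sizeable, regular transfers.
    Thresholds are assumed starting points, not tuned values."""
    by_dst = defaultdict(list)
    for ts, _src, dst, nbytes in flows:
        by_dst[dst].append((datetime.fromisoformat(ts), nbytes))

    flagged = {}
    for dst, recs in by_dst.items():
        recs.sort()
        total = sum(n for _, n in recs)
        # Need at least two flows to have a gap at all.
        if len(recs) < max(min_flows, 2) or total < min_bytes:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[dst] = total
    return flagged
```

A destination that passes this filter is a lead to investigate, not a verdict: scheduled backups and update mirrors look the same, so keep an allow-list of known destinations alongside it.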
If you would like, we provide a Free Technical Assessment; this can be beneficial to new and startup companies that are not sure where to start.