At RSA 2019, Paula Januszkiewicz of CQURE explained common infrastructure shortcuts that open the door to hacking.
Taking certain common shortcuts when it comes to network and infrastructure security can leave your organization wide open to hackers, according to a Tuesday RSA 2019 session from Paula Januszkiewicz, CEO of CQURE.
"Technology and security as we all know is not always about the techie stuff and solutions—it's also about people," Januszkiewicz said in the session.
Sometimes stealing information is as easy as following an employee in through company doors and pretending to work there, she added.
Here are 10 mistakes in infrastructure that hackers can leverage to steal your data, and how to fix them, according to Januszkiewicz:
1. Disabling firewall/misconfigured network access
Firewalls are great segmentation tools, but Windows Firewall in particular is often misconfigured, Januszkiewicz said. You can allow only specific processes to communicate online or locally; with an allowlist there is no need to know every process in advance in order to block it, she added.
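An added example, not code from the talk or the article, of the process allowlist described above using the built-in Windows Firewall cmdlets. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later; the two program paths are placeholders to replace with your approved binaries.

```powershell
# Added example: outbound process allowlist with Windows Firewall (NetSecurity module).
# Assumes an elevated session. $AllowedPrograms holds placeholder paths to adjust.

$AllowedPrograms = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',   # placeholder: an approved browser
    'C:\Windows\System32\svchost.exe'                  # hosts Windows Update, time sync, etc.
)

# 1. Make "block" the default for outbound traffic on every profile. Inbound is
#    blocked by default already, but set it explicitly so GPO drift is visible.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Allow only the listed processes out. Program-based rules mean the
#    processes you want blocked never have to be enumerated.
foreach ($exe in $AllowedPrograms) {
    $name = "Allowlist outbound: " + (Split-Path $exe -Leaf)
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound `
            -Program $exe -Action Allow -Profile Any | Out-Null
    }
}

# 3. Log dropped packets so a blocked process shows up in pfirewall.log
#    instead of failing silently during troubleshooting.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True

# 4. Audit: enabled outbound Allow rules that apply to "Any" program are the
#    holes that turn the allowlist back into a wide-open configuration.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object {
        (Get-NetFirewallApplicationFilter -AssociatedNetFirewallRule $_).Program -eq 'Any'
    } |
    Select-Object DisplayName, Profile, Group
```

Run step 4 on its own first: the rules it lists (often built-in "Core Networking" rules) need a deliberate keep-or-remove decision before the outbound default is flipped to Block.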
2. Overly simple passwords and security questions
Organizations and employees almost always reuse passwords, Januszkiewicz said. These passwords typically involve some variant of the company's name and a number, like a year or month. IT departments should check for obvious passwords and continuously deliver security awareness training to employees, she added.
3. No network segmentation
Network segmentation can be both a blessing and a curse, Januszkiewicz said. It offers greater control over which employees have access to which data, and allows IT to set rules that limit traffic between subnets, reducing exposure to security incidents. However, it can also involve VLAN limits, security limits, and managerial overhead, she added.
4. Lack of SMB signing
Organizations should do the following to avoid attacks in this area, Januszkiewicz said:
- Set SPNs for services to avoid NTLM
- Reconsider using Kerberos authentication all over
- Require SPN target name validation
- Reconsider turning on SMB Signing
- Reconsider port filtering
- Reconsider code execution prevention (but don't forget that this attack leverages administrative accounts)
5. Allowing unusual code execution
Common file formats used to deliver malware are .exe, .dll, .vbs, and .docm, along with PDFs, Januszkiewicz said. On Windows machines, you can enable SafeDllSearchMode for added protection, she added; it makes the loader search the system directories before the current directory when resolving a DLL by name.
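An added example, not code from the talk or the article, that checks and optionally enforces the settings from items 4 and 5: SMB signing, SPN target name validation (the "Server SPN target name validation level" policy, stored as SmbServerNameHardeningLevel) and SafeDllSearchMode. It assumes an elevated session on a Windows server; without -Enforce it only reports drift.

```powershell
# Added example: report or enforce SMB signing, SPN target validation and
# SafeDllSearchMode. Assumes an elevated session; -Enforce is off by default.
param([switch]$Enforce)

function Test-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Expected, [switch]$Set)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $ok = ($actual -eq $Expected)
    if (-not $ok -and $Set) {
        New-Item -Path $Path -Force | Out-Null
        Set-ItemProperty -Path $Path -Name $Name -Value $Expected -Type DWord
        $actual = $Expected; $ok = $true
    }
    [pscustomobject]@{ Setting = $Name; Expected = $Expected; Actual = $actual; Compliant = $ok }
}

$results = @()

# Server-side SMB signing. RequireSecuritySignature is the setting that matters:
# EnableSecuritySignature alone still accepts unsigned sessions.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature -and $Enforce) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
    $smb = Get-SmbServerConfiguration
}
$results += [pscustomobject]@{
    Setting   = 'RequireSecuritySignature'
    Expected  = $true
    Actual    = $smb.RequireSecuritySignature
    Compliant = $smb.RequireSecuritySignature
}

# SPN target name validation: 0 = off, 1 = accept if the client provides one,
# 2 = required. At 2 a session whose SPN names a different host is refused.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$results += Test-RegistryDword -Path $lanman -Name 'SmbServerNameHardeningLevel' -Expected 2 -Set:$Enforce

# SafeDllSearchMode = 1: system directories are searched before the current
# directory, so a DLL planted in a user-writable working folder is not picked up.
$sessMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$results += Test-RegistryDword -Path $sessMgr -Name 'SafeDllSearchMode' -Expected 1 -Set:$Enforce

$results | Format-Table -AutoSize
```

Roll the -Enforce run out gradually: requiring signing breaks clients that cannot sign (old printers, NAS appliances), and level 2 SPN validation rejects clients that connect by an alias the server does not recognise.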
6. No whitelisting on board
Implementing code execution prevention is a must, Januszkiewicz said. PowerShell is a key hacking tool, so potential mitigations are blocking it for ordinary users or using Just Enough Administration. Organizations can also verify where users have write access by running accesschk.exe -w .\Users c:\windows.
While some companies have turned to machine learning tools for threat protection, these solutions require a lot of understanding of what they actually do, Januszkiewicz said.
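An added example, not code from the talk or the article: a native PowerShell counterpart to the accesschk check above, for hosts where the Sysinternals tools are not installed. It lists directories under a root where ordinary users hold an Allow ACE with write rights, which are the locations an execution allowlist has to cover. It assumes Windows PowerShell 5.1 or later and permission to read the ACLs; the principal list is an assumption to adjust for your environment.

```powershell
# Added example: find directories under $Root that ordinary users can write to.
# Assumes PowerShell 5.1+ and read access to the ACLs; $Principals is an assumption.
function Find-UserWritableDirectory {
    param(
        [string]$Root = 'C:\Windows',
        [string[]]$Principals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    )
    # WriteData (2), AppendData (4), GENERIC_WRITE, GENERIC_ALL. Modify and
    # FullControl contain the first two bits, so they are caught as well.
    $writeBits   = 2 -bor 4 -bor 0x40000000 -bor 0x10000000
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    Get-ChildItem -Path $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $dir = $_.FullName
        $acl = Get-Acl -Path $dir -ErrorAction SilentlyContinue
        if (-not $acl) { return }                    # cannot read this ACL: skip
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            # An inherit-only ACE applies to children, not to this directory itself.
            if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            # value__ gives the raw int, so generic-rights ACEs are handled too.
            if (($ace.FileSystemRights.value__ -band $writeBits) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
            break                                    # one finding per directory is enough
        }
      }
}

Find-UserWritableDirectory -Root 'C:\Windows' | Format-Table -AutoSize
```

Deny ACEs and group nesting are not evaluated here, so treat each hit as a lead and confirm it with accesschk or icacls before changing permissions.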
7. Old protocols or their default settings
SNMPv3 addresses this with a user-based security model for access control and a means of properly authenticating users, Januszkiewicz said. Organizations should also ensure ODBC drivers have a secure networking layer built in, she added.
8. Trusting solutions without knowing how to break them
The best operators won't use a component until they know how it breaks, Januszkiewicz said. Almost every solution has some backdoor weakness.
9. Misusing service accounts and privileged accounts
Service accounts' passwords are in the registry, which is available online and offline, Januszkiewicz said. Privileged users sometimes have more access than anticipated, and the potential to read system and security hives from the registry, she added.
10. Falling for hipster tools
Security budgets are largely increasing, along with the risk of adopting shiny new tools that may not be fully vetted, Januszkiewicz said. "Sometimes we've got different types of tools we're supposed to trust, but most end up getting hacked," she added. "You need to follow the news about security. We spend so much on different tools that might not be the greatest."
How IT can protect the network
In the short term, IT and security teams should isolate infrastructure components to prevent attacks from spreading, Januszkiewicz said. They should also engage with the network security team, and review servers' and workstations' configuration periodically, she added.
In the medium term, IT teams should regularly perform penetration tests and configuration reviews, Januszkiewicz said. And in the longer term, companies should seek prevention and vulnerability management, and implement monitoring and execution prevention, she added.
"These are the most important things to focus on in the current infrastructure from the hacker's perspective," Januszkiewicz said.