While companies proclaim: "Our people are our most valuable asset," it is also true that enormous value is held in their information assets – intellectual property, management information, marketing plans, transactional data, customer information, R&D, financial data, and HR files. The loss or exposure of this information can strike a sudden and critical blow to almost any organization, and breaches that shut down internal networks can leave staff confused, embarrassed, and unable to work.
How can a firm protect these vital assets? In the past, they were stored in a protected data center – in a locked, controlled-access room. But in a networked world, you can lock up the data center, guard the building, put up a fence, barbed wire, and a moat – and still not be able to protect this information. The truth is that there are vulnerabilities in every data network.
The changing nature of the perimeter
Security professionals have long known that what the industry thinks of as the security perimeter has been changing. IT and security management can no longer count on well-defined network security perimeters to protect an organization from external attacks. Data and access rights are distributed across users, and users exist in highly mobile, dispersed work environments which simply do not readily lend themselves to centralized enforcement of consistent controls.
During 2014, NTT Group gathered vulnerability and attack data to better understand the nature of current threats, and a fairly clear pattern emerged. Detailed analysis revealed that attacks directed at end users were usually gateway attacks, intended to compromise the user as a stepping stone to gain access to the organizational network on which the user works. This finding was confirmed with an analysis of the end user attacks and infection rates from typical Flash, Java and Adobe Reader vulnerabilities – there was actually a predictable profile that correlated to user patterns during the work week.
The conclusion is clear – the traditional idea of a defendable security perimeter no longer exists; it has been replaced with this idea: the user is the perimeter.
Businesses and hackers have the same drivers
High-tech startups are not the only firms depending on data – every firm is increasing its use of networked systems and data. As businesses continue to increase their digital activities, they realize that business drivers – including the speed of competition and the need for efficiency in operations and transactions – drive them toward making ever-more-effective use of their available data.
Criminal activities have exactly the same drivers. They are in a constant race with their targets to capitalize on the value of that data. These business-minded attackers are optimizing their time by placing greater emphasis on the weakest link in every security system: the end user. Every end user is a potential “back door” into the business network, and in many cases, the back door is open.
Improving information protection
What actions can businesses take to improve the situation? If end users are the security perimeter for every firm’s valuable information assets, then how can security and IT departments harden that perimeter?
Fortunately, there is one single best step that can be taken to accomplish this objective without unduly restricting access to the information that the distributed, modern workforce needs to be effective in their tasks. It is more challenging than it sounds, and depends on a set of actions that together will reduce risk exposure. What must be done is this: organizations must ensure that every end user client system is included in their configuration and patch management process.
Based on our extensive work with many clients, small and large, local and global, we have found that outdated, unpatched, and poorly configured software is one of the largest ongoing risks to every firm. In many cases, the patches for known security vulnerabilities had been available for years but the processes were not in place to ensure that every end user system was updated with the patches. These lingering vulnerabilities are an unlocked, open back door waiting for unauthorized entry.
Improving your configuration and patch management process
Here are some specific recommendations to help you review and improve your configuration and patch management process, which in turn will deliver a significant decrease in your vulnerability and exposure due to client-based vulnerabilities:
1. Approved Configurations. Define a set of approved configurations to harden and operate end-user workstations. This should include approved operating systems, applications and utilities, and even which browsers and plugins are supported for organizational use. The smaller and more consistent the organization can make its “gold standard,” the easier it is to maintain systems using that standard. Any program added to this standard build will increase the potential attack surface for an intruder to exploit.
2. Communicate End User Standards. Inform users what those standards are, and make it clear that “unapproved” software is not just unapproved, but unauthorized. Ensure that all users understand that the use of unauthorized software can result in disciplinary action. Awareness of the types of threats that face the organization and how skirting information security standards may lead to a breach can go a long way towards having users be an active part of the information security process.
3. Minimize Admin Authorities. Minimize the use of admin or other accounts which are allowed to change system configurations, including installation of new, potentially unauthorized software. Administrator credentials are a favorite target of hackers, and reducing the number of places they are present on a network reduces the potential for them to be stolen.
4. Formalize Patch and Configuration Administration. Actively patch end-user systems on a regular basis, and confirm that patches are installed. As new security threats are identified, it will become necessary to update the security configurations of systems that are already deployed; this should also be conducted regularly as part of a formal security program.
5. Regular Security Testing. Conduct regular internal and external vulnerability scans to help identify systems which are out of policy, then patch those systems. These scans should be supplemented with periodic penetration tests to identify more complex issues that vulnerability scanners can’t identify on their own.
6. Exception Management Process. Actively manage an exception process which tracks “special” software as well as users with elevated permissions. The security configurations and patch management of these special cases often end up being overlooked and may present a risk long after the standard software has been hardened and patched.
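As an added illustration (not part of the original article), the following sketch audits an endpoint inventory against recommendations 1, 3, 4 and 6: approved software, minimum patch levels, local admin accounts, and a time-limited exception register. The baseline, exception entries, host names, account names and inventory records are all constructed for the example.

```python
from datetime import date

# Hypothetical "gold standard": approved software -> minimum patched version.
APPROVED = {"os-image": (10, 4), "browser": (118, 0), "pdf-reader": (23, 6)}

# Hypothetical exception register: (host, item) -> expiry date of the exception.
EXCEPTIONS = {
    ("ws-003", "cad-suite"): date(2030, 1, 1),    # tracked "special" software
    ("ws-003", "admin:jlee"): date(2020, 1, 1),   # elevated rights, long expired
}

# Constructed inventory, as an endpoint agent or scanner might report it.
INVENTORY = [
    {"host": "ws-001", "admins": [],
     "software": {"os-image": "10.4", "browser": "118.2"}},
    {"host": "ws-002", "admins": ["bkim"],
     "software": {"os-image": "10.4", "browser": "97.0", "torrent-client": "4.1"}},
    {"host": "ws-003", "admins": ["jlee"],
     "software": {"os-image": "10.2", "cad-suite": "7.0"}},
]

def parse_version(text):
    """Turn '118.2' into (118, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def excepted(host, item, today):
    """An exception only counts while it has not expired."""
    expiry = EXCEPTIONS.get((host, item))
    return expiry is not None and expiry >= today

def audit(inventory, today):
    """Return (host, finding, item) tuples for every out-of-policy condition."""
    findings = []
    for record in inventory:
        host = record["host"]
        for name, version in sorted(record["software"].items()):
            if name not in APPROVED:
                if not excepted(host, name, today):
                    findings.append((host, "unauthorized", name))
            elif parse_version(version) < APPROVED[name]:
                findings.append((host, "unpatched", name))
        for account in record["admins"]:
            if not excepted(host, "admin:" + account, today):
                findings.append((host, "admin", account))
    return findings

if __name__ == "__main__":
    for host, finding, item in audit(INVENTORY, date(2025, 1, 1)):
        print(f"{host}: {finding}: {item}")
```

Note that the expired exception for the admin account on ws-003 is reported again, which is the case recommendation 6 warns about: special cases that stay in place long after anyone is reviewing them.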
Of course, no security program is able to completely remove all risks, but there is no reason to leave the back doors open. Together, these recommended actions will close many back doors – and lock them securely.