Seven Things You Can Do to Reduce Your Risks
In this time of heightened risk as cybercriminals seek to exploit the coronavirus, we’ve summarised the commonest security vulnerabilities we identify during our pen-testing engagements.
Regardless of the size or sector of our clients, our testing reveals the same vulnerabilities time and time again. As well as listing them here, we point you to resources you may find helpful, including our new remote testing service and a free cybersecurity assessment.
From our humble beginnings in a small office in Northamptonshire in 2010, we were recognised as England’s no. 1 Penetration Tester in 2019. In the last two years, our security consultants have undertaken almost 600 penetration tests.
A Lack of Basic Cyber Hygiene
You don’t need to spend a fortune on a myriad of tools and bells and whistles – get the basics right, and you’ll rapidly reduce many of your risks.
Sin 1. Poor Patch Management
To fix, update, or improve
Depending on what security report you read, unpatched software vulnerabilities account for between 60% and 80% of data breaches. But it’s not that IT pros are unaware of the risks; the rate at which patches are released can be overwhelming. And sometimes this vital, but mundane, task plays second fiddle to the juicier jobs, as our sysadmin points out in his blog about getting back to basics with your network’s security.
We recommend a proactive approach. Assign a patch management owner and appoint a buddy as their backup to avoid bottlenecks at busy times. Subscribe to vendor security alerts, schedule daily or weekly scans to analyse your environment and deploy critical patches. Automate what you can, and test first, when appropriate.
You could also consider outsourcing the responsibility to a Managed Service Provider with an established Network Operations Centre (NOC) or Security Operations Centre (SOC).
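The "schedule daily or weekly scans" step above is the part that is easiest to automate. The following is an added example, not code from the page or from Perspective Risk: it compares a constructed software inventory against a constructed list of advisories (hypothetical package names and versions, no real CVEs) and returns the missing patches ordered by severity, so the patch owner sees the critical gaps first. It also shows why versions must be compared numerically rather than as strings.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str   # first version that contains the fix
    severity: str   # "critical", "high", "medium" or "low"


# Constructed sample data for this example: hypothetical packages, versions and
# hosts. Nothing here corresponds to a real advisory.
ADVISORIES = [
    Advisory("webserver", "2.4.41", "critical"),
    Advisory("dbserver", "12.3", "high"),
    Advisory("imagelib", "1.8.2", "medium"),
]

INVENTORY = {
    "web-01": {"webserver": "2.4.38", "imagelib": "1.8.2"},
    "web-02": {"webserver": "2.4.41", "imagelib": "1.7.9"},
    "db-01": {"dbserver": "12.1", "webserver": "2.4.10"},
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version):
    """'2.4.41' -> (2, 4, 41). Only numeric components are considered here;
    a real scanner would use the vendor's own version ordering."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(installed, fixed_in):
    """True when the installed version is older than the first fixed version.

    Versions are compared component by component, so 2.4.9 is correctly
    treated as older than 2.4.10 (a plain string comparison gets this wrong).
    """
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))      # treat "2.4" as "2.4.0"
    b += (0,) * (width - len(b))
    return a < b


def missing_patches(inventory, advisories):
    """Return (host, package, installed, fixed_in, severity) tuples,
    most severe first, then by host name."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is not None and is_vulnerable(installed, adv.fixed_in):
                findings.append((host, adv.package, installed,
                                 adv.fixed_in, adv.severity))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[4]], f[0]))
    return findings


def severity_summary(findings):
    """Count findings per severity, e.g. {'critical': 2, 'high': 1}."""
    summary = {}
    for finding in findings:
        summary[finding[4]] = summary.get(finding[4], 0) + 1
    return summary


if __name__ == "__main__":
    results = missing_patches(INVENTORY, ADVISORIES)
    for host, package, installed, fixed_in, severity in results:
        print(f"[{severity:8}] {host}: {package} {installed} -> patch to {fixed_in}")
    print(severity_summary(results))
```

Run on a schedule, the output is the work list for the patch owner (and their backup); the sort order is what turns a long list into a prioritised one.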
Sin 2. Lack of Basic Security Hardening
To strengthen and increase resistance
In cybersecurity terms, hardening reduces risk by eliminating potential attack vectors and condensing a system’s attack surface. There are several types of system hardening activities, addressing applications, operating systems, servers, databases and networks.
This topical blog on the dangers of neglecting security hardening as organisations move to remote working includes technical advice.
Password / Authentication Flaws
There’s an abundance of great tools in the marketplace to help organisations manage user access. Despite this, we find that even household names continue to fall foul.
Sin 3. Poor password complexity
This guidance from the NCSC (National Cyber Security Centre) is a great place to start: Password administration for system owners.
For more insights, check out our blogs: Weak password policies – improve your network’s security and Passwords and Permissive Outbound Firewall Rules.
We also recommend working towards a Cyber Essentials (CE) or Cyber Essentials PLUS certification, which will help you to develop and maintain a robust password policy. If you’re interested in CE, then you should know about the significant changes to the scheme. Find out here: Cyber Essentials is Changing! What You Need to Know.
Sin 4. Lack of two-factor authentication
To establish as genuine
The method of confirming a user’s identity using a combination of two factors has been around since the eighties. Unsurprisingly, the payment card industry was an early adopter. As digital dominates our everyday lives, two-factor authentication (2FA) and multifactor authentication (MFA) have become mainstream.
Despite this, we still encounter a lack of 2FA regularly. Why is this? Duo Security published this insightful piece back in 2012: Top 7 Reasons Companies Don’t Use Two-Factor Authentication. And in our experience, the reasons haven’t changed.
The bald fact is that a lack of two-factor authentication increases the likelihood that your data and other assets will be stolen, and that your systems and users will be compromised.
2FA and MFA are not a panacea, but they are a crucial layer of your cybersecurity posture. These days, more options are available than ever before, so you needn’t compromise the user-experience or introduce unnecessary technical complexities to your infrastructure.
This blog by our colleagues at IT Lab contains useful tips around considering the needs and psychology of your user base: Security and Simplification.
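To make the "second factor" concrete, here is an added example (not code from the page or from IT Lab) of the time-based one-time password scheme most authenticator apps implement: HOTP from RFC 4226 and TOTP from RFC 6238, both standard algorithms. The verifier accepts one step of clock drift either side, compares codes in constant time and refuses a code that has already been accepted, which is the check a server must add on top of the bare algorithm. The secret, account name and issuer used in the usage section are constructed values; the numeric checks rely on the RFC's published test secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote, urlencode


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits)


def new_secret(length: int = 20) -> bytes:
    """Fresh random shared secret (20 bytes is the RFC 4226 minimum)."""
    return secrets.token_bytes(length)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI (the format encoded in enrolment QR codes)."""
    params = urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer, "algorithm": "SHA1", "digits": digits, "period": step,
    })
    return f"otpauth://totp/{quote(f'{issuer}:{account}')}?{params}"


class TotpVerifier:
    """Server-side verifier for one user's secret.

    Accepts the current step plus `skew` steps either side to tolerate clock
    drift, and remembers the highest counter already used so that a code
    captured from the user cannot be replayed inside its validity window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_counter = -1

    def verify(self, submitted: str, for_time: float = None) -> bool:
        for_time = time.time() if for_time is None else for_time
        counter = int(for_time) // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue   # this step was already consumed: refuse replay
            if hmac.compare_digest(hotp(self.secret, c, self.digits), submitted):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Constructed enrolment for a hypothetical user.
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleCorp"))
    now = time.time()
    code = totp(secret, now)                 # what the user's app would show
    verifier = TotpVerifier(secret)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now))
```

The password remains the "something you know" factor; the shared secret living only in the user's device is the "something you have". Keeping `last_counter` per user (in your session or user store, not in memory as here) is what makes the second factor resist a phished or shoulder-surfed code.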
Sin 5. Lack of account lockouts
Do not pass go
Account Lockout Policies are used to lock an account after several failed login attempts. It’s reasonable to assume a legitimate user could enter the wrong credentials once or twice, but not several times consecutively. Numerous login attempts could indicate a brute force attack.
A brute force password attack uses randomly generated passwords or common password lists to attempt access; computer programs can make hundreds of attempts a minute. Some hackers will also apply logic and try to guess passwords using the information they’ve picked up on social media.
As the intensity and frequency of brute force attacks increases, a sensible account lockout policy is a vital part of any security-savvy organisation’s armoury.
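The lockout mechanics described above, as an added example that is not code from the page or from Perspective Risk: a per-account counter of recent failures that locks the account for a fixed period once a threshold is reached, replayed over a constructed stream of authentication events, plus the detection view a SOC wants alongside it (failed attempts counted per source address). The threshold, window and lockout period are assumptions chosen for the example; the addresses are from the RFC 5737 documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Policy values are assumptions for this example, not figures from the page.
MAX_FAILED_ATTEMPTS = 5     # failures allowed inside the observation window
OBSERVATION_SECONDS = 600   # failures older than this no longer count
LOCKOUT_SECONDS = 900       # how long the account stays locked


@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # timestamps of recent failures
    locked_until: float = 0.0


class LockoutPolicy:
    """Tracks failed logins per account and locks the account at the threshold."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS,
                 window=OBSERVATION_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self.accounts = defaultdict(AccountState)

    def is_locked(self, user, now):
        return self.accounts[user].locked_until > now

    def record_failure(self, user, now):
        """Record a failed attempt; return True if this one triggered a lockout."""
        state = self.accounts[user]
        state.failures = [t for t in state.failures if now - t <= self.window]
        state.failures.append(now)
        if len(state.failures) >= self.max_attempts:
            state.locked_until = now + self.lockout
            state.failures.clear()
            return True
        return False

    def record_success(self, user):
        self.accounts[user].failures.clear()


def attempt_login(policy, user, password_ok, now):
    """Decide one attempt: 'locked', 'ok' or 'failed'.

    The lock is checked before the password, so even a correct password is
    refused while the account is locked; that is what halts a brute-force run.
    """
    if policy.is_locked(user, now):
        return "locked"
    if password_ok:
        policy.record_success(user)
        return "ok"
    if policy.record_failure(user, now):
        return "locked"
    return "failed"


# Constructed authentication events: "<time> <user> <source-ip> <ok|bad>".
SAMPLE_EVENTS = """\
2020-04-01T10:00:01 alice 203.0.113.5 bad
2020-04-01T10:00:02 alice 203.0.113.5 bad
2020-04-01T10:00:03 alice 203.0.113.5 bad
2020-04-01T10:00:04 alice 203.0.113.5 bad
2020-04-01T10:00:05 alice 203.0.113.5 bad
2020-04-01T10:00:06 alice 203.0.113.5 ok
2020-04-01T10:00:30 bob 198.51.100.7 bad
2020-04-01T10:00:40 bob 198.51.100.7 ok
"""


def parse_events(text):
    """Yield (timestamp_seconds, user, source_ip, password_ok) per line."""
    for line in text.splitlines():
        if line.strip():
            when, user, source, result = line.split()
            yield datetime.fromisoformat(when).timestamp(), user, source, result == "ok"


def replay(text, policy=None):
    """Run every event through the policy; return the list of outcomes."""
    policy = policy or LockoutPolicy()
    return [attempt_login(policy, user, ok, when)
            for when, user, _source, ok in parse_events(text)]


def noisy_sources(text, threshold=MAX_FAILED_ATTEMPTS):
    """Source addresses with at least `threshold` failed attempts in the sample.

    Lockouts protect only the account they lock; counting failures per source
    is what tells the SOC that a brute-force run is in progress.
    """
    failures = defaultdict(int)
    for _when, _user, source, ok in parse_events(text):
        if not ok:
            failures[source] += 1
    return {src for src, count in failures.items() if count >= threshold}


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS.splitlines(), replay(SAMPLE_EVENTS)):
        print(f"{event:45} -> {outcome}")
    print("sources to investigate:", noisy_sources(SAMPLE_EVENTS))
```

In the replay, alice's sixth attempt carries the right password but is still refused because the fifth failure locked the account, while bob's single typo never gets near the threshold. The observation window is what stops one stray failure a week from ever accumulating into a lockout.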
Sin 6. Password reuse
A gilt-edged invitation to hackers
The risk of using the same password for multiple systems can’t be overstated. Should it fall into the wrong hands, it’s the equivalent of giving an attacker a free ticket to every ride in the funfair. But we get it – it’s natural for people to want to make life easy – and so does the NCSC – Living with password re-use.
At Perspective Risk, we can help you create a robust password policy that meets the needs of your organisation and users. Pop your details into our contact form, and we’ll quickly be in touch.
Custom Application Flaws
Done right, first time
Our penetration testers regularly find that security isn’t baked into new apps. As well as the risks to customers and data, it’s more expensive to tackle security retrospectively. A serious breach can lead to withdrawing the app, or reputational harm.
Sin 7. Lack of security by design by developers when creating custom / bespoke web applications
Across the IT Lab group, we’ve talked and written about secure by design principles for years. This short video from our IT Strategy Briefing conference in 2018 gives a neat overview:
Wrapping Up: How We Can Safeguard Your Workforce and Protect Your Assets
In response to the coronavirus, we’re offering remote security testing. But if you’re not sure where best to start, you can take advantage of our free cybersecurity assessment.
You can also visit the IT Lab group’s COVID-19 Support Hub, where you’ll find a wealth of resources to help you in these difficult times. Thanks for reading, stay safe, and we’re here if you need us.