Reducing the risk of breaches: Opus 1 in five movements

Today I heard an interview with the leader of the InfoSec team at Anthem during the breach they experienced (the breach was disclosed in February 2015).  (Wikipedia page on the Anthem breach.)  Besides being super interesting in terms of insider perspective on a major breach, the interview reinforced for me five particular common weaknesses in enterprise InfoSec.  As these tasks usually fall to the IT staff, I have classified this post under “IT pros.”

First:  You must know what is on your network:  asset management is of the utmost importance.  For small enterprises that lack resources, this task can be particularly cumbersome – it often has to be done manually.  If the enterprise is lucky enough to have asset management tools, that’s great – but IT staff has to follow through and ensure that inventories are accurate and complete.  When third parties / vendors perform work that introduces new devices to the network, the new devices must be documented.  (Of course, other steps follow, but for the purposes of this discussion I’m merely talking about accurate housekeeping.)

Second:  A common blind spot in small to medium enterprises today is internal network activity.  This lack of visibility means that adversary lateral movement post-breach will usually go undetected.  I hear this question all the time:  “I have perimeter security, so why do I have to worry about internal visibility?”  The answer is layered security:  when the perimeter is breached, there needs to be another layer of defense behind.  Proper asset management and classification (see above) leads to properly segmented networks and visibility / filtering at the choke points.  Endpoint agents (such as Red Cloak) are also advised.

Third:  During mergers and acquisitions, enterprises are often exposed to risks (often due to political concerns) that would otherwise be untenable.  When companies are in this situation, it is important for IT staff and InfoSec pros to step forward and demand processes that result in the most secure environment possible.  M&A always results in a mesh of technologies and processes, but it should be the best possible combination of both.  The first step is for each organization to fully disclose to the other all of the necessary information – and that begins with proper asset management (see above).  It is usually advisable to filter traffic between the two organizations until a consensus can be found on processes.  However, without buy-in from upper management, filtering can be off the table.  It is important nonetheless – which leads me to my next point.

Fourth:  Many breaches occur through third parties, vendors, and other improperly secured connections (such as those created during M&A).  In particular, the Target breach and the Anthem breach occurred due to weaknesses in this area.  Secure the connections and the access – proper firewalling and IAM are important.  Always use least privilege when assigning access rights.  Monitor these connections judiciously – at the perimeter and internally.
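The first, second and fourth points above come together at the internal choke point: if you have an asset inventory and you see internal flows, you can flag both devices nobody documented and vendor connections that stray outside their least-privilege allow list.  The following is an added example (not from the interview or from any product mentioned here); the inventory, the vendor range 10.99.0.0/24, the allow list and the flow records are all constructed for illustration.

```python
import ipaddress

# Constructed asset inventory: what the enterprise *believes* is on its network.
INVENTORY = {
    "10.1.0.10": "hr-db-01",
    "10.1.0.20": "billing-api-01",
    "10.1.0.30": "file-srv-01",
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Constructed vendor range and the only (host, port) it is allowed to reach.
VENDOR_NET = ipaddress.ip_network("10.99.0.0/24")
VENDOR_ALLOWED = {("10.1.0.20", 443)}

# Constructed flow records captured at an internal choke point: "src dst dport".
FLOWS = """\
10.99.0.5 10.1.0.20 443
10.99.0.5 10.1.0.10 1433
10.1.0.30 10.1.0.77 445
10.1.0.77 10.1.0.10 3389
10.99.0.9 10.1.0.20 443
""".splitlines()

def parse_flows(lines):
    """Turn 'src dst dport' text lines into (src, dst, port) tuples."""
    flows = []
    for line in lines:
        src, dst, port = line.split()
        flows.append((src, dst, int(port)))
    return flows

def unknown_internal_hosts(flows, inventory=INVENTORY):
    """Internal addresses seen on the wire but absent from the asset inventory."""
    seen = set()
    for src, dst, _ in flows:
        for ip in (src, dst):
            addr = ipaddress.ip_address(ip)
            if addr in INTERNAL and addr not in VENDOR_NET and ip not in inventory:
                seen.add(ip)
    return sorted(seen)

def vendor_policy_violations(flows, allowed=VENDOR_ALLOWED):
    """Vendor-sourced flows to an internal (host, port) outside the allow list."""
    return [(s, d, p) for s, d, p in flows
            if ipaddress.ip_address(s) in VENDOR_NET and (d, p) not in allowed]

if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("undocumented internal hosts:", unknown_internal_hosts(flows))
    print("vendor policy violations:", vendor_policy_violations(flows))
```

In the sample data the undocumented host 10.1.0.77 shows up only because internal traffic is visible; with perimeter-only monitoring neither finding would surface.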

Fifth:  Use a true MFA solution for remote access to your network, and insist that third parties with direct access to your network also use true MFA.  (This can extend to multiple layers – what if the third party has a vendor with direct remote access? – so due diligence can be challenging.  ALL remote access should be behind some sort of MFA.)  Obviously – yes – MFA can be defeated by a diligent adversary.  But phishing credentials and then using them for VPN access is still an all-too-common method of attack.  This is basic.  Don’t be the low-hanging fruit.

Stay safe out there, my droogies.

Comments are welcome!