Common Entry Points #1 – ITaaS (IT as a Service) Part 2
Assessing the weak links in your company network is an important part of cybersecurity. The people behind the keyboards are among the weakest, since there is always a small minority of users who will click on just about anything embedded in or attached to an email, no matter how often they are warned. Unmanaged BYOD devices are another example. A less obvious culprit, however, may be your IT service provider.
At CYREBRO, one of our priorities is identifying the weak links that threat actors can exploit, and yes, we find them at ITaaS providers. A recent case involved three insurance companies that used the same provider. External attackers took advantage of outdated operating systems still in production, some as much as 11 years out of date. The provider ran a single management server for all of its clients, so once that server was compromised every customer was at risk; the attackers used it as a pivot point to penetrate all three companies.
Never Assume Security
It may sound like a cliché, but never assume your IT provider follows security best practices. Being an expert in a particular IT field does not make someone well versed in cybersecurity. This is where security monitoring and a SOC platform provide checks and balances, confirming that your IT provider is actually operating in your best interests.
Cybersecurity is a moving target: defensive strategies evolve because attack methodologies are constantly evolving as well. That is why it is so important to have an IT provider with a wide array of security experience. Because IT service providers manage multiple environments, things can fall through the cracks, and shortcuts are sometimes taken for convenience. Unfortunately, those shortcuts are convenient for attackers too. Large projects such as cloud migrations get rushed, and security takes a back seat.
Security Architecture is as Important as Tools
Having the right tools for the job matters in just about any endeavor, but security tools alone are not enough to protect your network and digital assets from external threats. If they were, there would be far fewer cyberattacks to read about in the news. Network segmentation plays a big role in containing a malware outbreak, but user segregation is just as critical: a clear separation between end users (one of your weak links) and critical network elements and valuable data.
It is common for SMBs to let users share files among themselves permissively. That may mean misusing administrative shares (C$ and the like) to expose an entire server volume as a single drop point for everyone, or sharing company files through personal OneDrive or Dropbox accounts. IT service providers often inherit these exploitable practices when they take on a new SMB customer that simply did not know better. Re-architecting them takes considerable time, so the work gets pushed back to a "later time" that never seems to arrive.
The Principle of Least Privilege
Just as good parenting means giving children only the freedom and responsibility appropriate for their age, users should be granted only the exact privileges appropriate for their job role. This does not apply only to lower-level positions. There is no reason for network admin accounts to have read access to the HR employee records directory or other sensitive data. There are occasions when an internal or governing administrator needs to perform a task on a folder that holds sensitive data. Rather than holding standing access to that folder, the admin should have to take ownership of it first, a "break glass" action that generates an auditable event, triggers an alert, and leaves a log entry for later inquiry if necessary.
Companies often focus their efforts on external threats while underestimating the risk of internal threats to their network. Someone with intimate knowledge of the network, its security protocols and the culture of the organization often has a better chance of snooping undetected than an outsider. While we certainly want to trust our employees, trust must be allocated in the form of least privilege. Just as no single person in a government built on checks and balances should hold too much power, no single account should have access to everything.
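The "take ownership first, and have that trigger an alert" pattern above can be implemented with a SACL on the sensitive folder and a query against the Security log. The script below is an added example, not CYREBRO's own code. It assumes a Windows file server, an elevated session holding SeSecurityPrivilege (required to read and write the SACL), "Audit File System" success auditing enabled by policy, and a placeholder path in $SensitiveFolder; the event IDs referenced are the documented Windows Security IDs, but confirm which ones your audit policy actually emits before wiring an alert to them.

```powershell
# Added example, not CYREBRO's own code. Assumptions: a Windows file server, an elevated session with
# SeSecurityPrivilege (needed to read/write the SACL), and "Audit File System" success auditing enabled
# by policy. $SensitiveFolder is a placeholder path.
$SensitiveFolder = 'D:\HR\EmployeeRecords'

# 1. Audit rule: log any successful take-ownership or permission change on the folder tree.
#    Admins get no standing ACE on the data; taking ownership is the "break glass" step we want recorded.
$rights  = [System.Security.AccessControl.FileSystemRights] 'TakeOwnership, ChangePermissions'
$inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                      -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags

$acl = Get-Acl -Path $SensitiveFolder -Audit     # -Audit pulls the SACL, not just the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $SensitiveFolder -AclObject $acl

# 2. Collect the resulting Security events for the SOC feed.
#    4670 = permissions on an object were changed; 4674 = an operation was attempted on a privileged
#    object (take-ownership via SeTakeOwnershipPrivilege lands here, and needs "Audit Sensitive
#    Privilege Use" enabled). Verify which IDs your audit policy emits before alerting on them.
function Get-SensitiveFolderAccessEvents {
    param([string]$Path = $SensitiveFolder, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4670, 4674
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Account'; Expression = { if ($_.Message -match 'Account Name:\s*(\S+)') { $Matches[1] } } }
}

Get-SensitiveFolderAccessEvents | Format-Table -AutoSize
```

Run step 1 once per sensitive folder and ship the output of Get-SensitiveFolderAccessEvents to your SIEM or SOC platform on a schedule; the first "Account Name" in these events is the subject who performed the action, which is the field an alert should key on. Because admins hold no standing ACE, a take-ownership event is rare by design, so it is worth a ticket every time rather than a threshold rule.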
Restricting Local Admin Rights
A 2017 study found that 94% of Microsoft vulnerabilities could be mitigated by removing local admin rights from standard users. That is because any malware a user downloads runs with the rights and privileges of that user's account. Standard users do not need local admin rights in this day and age, yet companies continue the practice, vastly amplifying their exposure. One reason is to reduce helpdesk calls: a user without local admin rights will periodically need an administrator to approve a UAC elevation or to install an application or peripheral for them.
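Finding out who actually holds local admin rights is the first step in removing them. The script below is an added example, not from the original page; it assumes Windows 10 / Server 2016 or later (the LocalAccounts module), an elevated session, and an allow-list of principals ($Allowed) whose names are placeholders for the groups your environment really uses.

```powershell
# Added example (not from the page). Requires Windows 10 / Server 2016 or later (LocalAccounts module)
# and an elevated session. $Allowed is an assumed allow-list; replace with the groups you actually use.
$Allowed = @(
    'Administrator',        # built-in local admin (its password should be under LAPS control)
    'Domain Admins',
    'Workstation-Admins'    # assumed AD group used for helpdesk elevation
)

function Get-UnexpectedLocalAdmin {
    param([string[]]$AllowList = $Allowed)
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        # Name is 'MACHINE\user' or 'DOMAIN\group'; compare on the part after the backslash
        $AllowList -notcontains ($_.Name -split '\\')[-1]
    }
}

$unexpected = Get-UnexpectedLocalAdmin
if (-not $unexpected) {
    Write-Output "No unexpected local administrators on $env:COMPUTERNAME"
    return
}

$unexpected | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# Dry run first (-WhatIf); drop it once the list has been reviewed. Removal only changes group
# membership, so the account keeps working as a standard user from its next logon onward.
foreach ($m in $unexpected) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf
}
```

Push this out through your RMM or as a scheduled task and collect the output centrally; a machine that repeatedly reports the same "unexpected" member is either a missing allow-list entry or someone re-adding themselves, and both are worth a ticket. Get-LocalGroupMember is known to fail on groups containing orphaned SIDs from deleted accounts, so treat an error from it as a finding rather than noise.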
Security Needs to be Policy Driven
Weak links are created when some links are treated differently from others. Connecting a new device to the network has never been easier thanks to wireless access, so a decentralized approach to security is no longer viable. Every computer must be safeguarded with the same protection measures, and every user must meet a minimum security standard. This is achieved through policy deployment: policies deliver mandated configuration settings and enforce security and compliance restrictions. On-prem domain networks usually do this with Windows Group Policy; for mobile or remote machines, an MDM such as Microsoft Endpoint Manager is the better choice.
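For the on-prem Group Policy case, the same setting can be created, linked and enforced from PowerShell so that it is applied identically to every workstation rather than configured by hand on each one. The script below is an added example, not from the original page; it assumes the GroupPolicy RSAT module on a domain-joined admin host, and the GPO name and OU distinguished name are placeholders. The two registry values are the documented UAC policy settings behind the corresponding Group Policy items (EnableLUA keeps UAC on; ConsentPromptBehaviorUser=0 denies elevation requests from standard users outright).

```powershell
# Added example (not from the page). Needs the GroupPolicy RSAT module on a domain-joined admin host.
# GPO name and OU are assumed placeholders; the registry values are the documented UAC policy settings.
Import-Module GroupPolicy

$GpoName = 'Baseline - Endpoint Security'
$Target  = 'OU=Workstations,DC=corp,DC=example'
$Key     = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Mandatory settings for every workstation' }

# UAC stays on, and standard users are denied elevation outright (no credential prompt to phish through).
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'EnableLUA'                 -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'ConsentPromptBehaviorUser' -Type DWord -Value 0 | Out-Null

# Link once, enforced, so a lower-level OU cannot quietly override it for a "special" machine.
$linked = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes -Enforced Yes | Out-Null }

# Show what the GPO now mandates; compare against Get-GPResultantSetOfPolicy on a sample host later.
Get-GPRegistryValue -Name $GpoName -Key $Key | Select-Object ValueName, Value, Type
```

Enforcing the link is the part that makes the policy uniform: without it, a "temporary" block-inheritance or an overriding GPO on a sub-OU is exactly the kind of exception that turns one machine into the weak link. The same two settings exist as MDM policies for machines managed through Endpoint Manager, so remote devices should get an equivalent rule rather than being left out of the baseline.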
Don’t Shortchange Yourself on Security
The old adage that you get what you pay for often rings true, and it is certainly good advice when securing your network. That does not mean over-provisioning tools. Different industries face different threats, so not every organization needs the same tool set. This is one reason it is important to choose a vendor-agnostic IT provider: you should not be conforming to your IT provider's security stack; they should assemble the solution set that meets your needs.
Just a Matter of Time
One final cliché: it is only a matter of time. Unfortunately, that is more than an overused platitude when it comes to cybersecurity. Hacking is big business today. Criminal organizations and nation-states invest large amounts of time and money in their efforts. Your likely threat actor is no longer a lone individual in a basement; it is a well-trained, well-funded organization. These organizations go after a business's weak links to save time, since they too are juggling multiple projects. In the end, it is your job to make sure there are no weak links in your chain of defense, even if the weak link turns out to be your IT service provider.