By: Chris Berberich, Senior Consultant and Penetration Tester at A-LIGN
In the real world of budgets and limited personnel, prioritizing security resources is a must. For the majority of companies that depend on IT resources, information security spending is prioritized according to the significance of an asset to their overall operations. All too often, I see security departments overlooking or forgetting to take into account how attacks against the vulnerabilities in less critical systems, or “soft targets,” can jeopardize other high priority assets and give away the keys to their castle.
Most businesses focus their efforts on locking down vital assets, such as the infrastructure, servers, applications, and work machines. The protection, detection, and monitoring tools such as firewalls, intrusion detection systems, and other alerting systems are deployed to protect critical application servers and databases which store sensitive data. These are critical steps in securing your environment, but what I’m starting to see throughout my testing is that when companies assess risk, they are putting too much emphasis on critical assets and not focusing on the lower risk devices. For example, soft targets such as employees, printers and non-essential systems within the business offer attackers the least resistance to accessing vital systems.
So how do IT departments ensure they are taking a holistic view of their environment to avoid these types of breaches? I have outlined a few simple steps to guide and assist IT security personnel on how to secure lower risk soft targets.
1. Start with security training and awareness for all personnel in your company.
Breach reports show us again and again that early intervention by a trained employee could have stopped or limited the damage of a breach. Training should be tailored based on job responsibility and technical knowledge of the group. It should be administered at least annually with refreshers and reminders distributed throughout the year.
2. Next, you have to know what needs to be secured.
Gaining a comprehensive understanding of the types of assets within your organization will allow you to develop a road map to secure them. Discovering and tracking your assets will help ensure that vulnerability management and patch management programs address all attack vectors in the environment. Decisions can then be made to implement network segmentation or to deploy other security measures that reduce the interconnectivity between mission-critical assets and soft targets, shrinking the attack surface available to an intruder.
3. Lastly, I recommend that you assess all of your assets on a periodic basis.
Vulnerability scanning of both the network layer and the web applications in your environment will allow you to remediate vulnerabilities before they are exploited by a malicious individual. Penetration testing should be performed to simulate a hacker attempting to breach your security, so you know where your weaknesses are. Both of these assessment activities should be performed regularly. Most security standards require that vulnerability scans be performed quarterly and penetration testing be performed annually. You can increase the frequency of testing if you encounter large numbers of vulnerabilities during the test or if your environment experiences frequent changes.
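Steps 2 and 3 together describe a coverage check: every device that actually answers on the network should be in the inventory, soft targets should not sit beside critical assets, and every tracked asset should have a scan newer than the policy window. The script below is an added illustration of that check, not code from A-LIGN or this article. The inventory, discovery sweep, scan history and segment plan are constructed sample data; the 90-day window mirrors the quarterly cadence the text cites, while the tightened 30-day window and the thresholds that trigger it (many open findings, many changes since the last scan) are assumptions chosen for the example.

```python
"""Join a discovery sweep, the asset inventory and the scan history to find the
gaps the article warns about: untracked devices, soft targets sharing a segment
with critical assets, and assets whose last scan is older than policy allows.
Added example with constructed data; not the article's or A-LIGN's code."""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

SCAN_WINDOW_DAYS = 90     # quarterly scans, the cadence the article cites
TIGHT_WINDOW_DAYS = 30    # assumption: shorter window for noisy or fast-changing assets
MANY_FINDINGS = 10        # assumption: open findings that trigger the shorter window
MANY_CHANGES = 5          # assumption: changes since last scan that trigger it
AS_OF = date(2024, 4, 15) # constructed report date

# Constructed inventory: what the organisation believes it owns.
INVENTORY = {
    "10.10.1.5":  {"name": "erp-db-01",  "criticality": "critical"},
    "10.10.1.6":  {"name": "erp-app-01", "criticality": "critical"},
    "10.10.1.7":  {"name": "erp-app-02", "criticality": "critical"},
    "10.10.1.20": {"name": "print-fl2",  "criticality": "low"},
    "10.10.2.15": {"name": "ws-jdoe",    "criticality": "low"},
}

# Constructed discovery sweep: hosts that answered, with the services observed.
DISCOVERED = [
    {"ip": "10.10.1.5",  "services": ["mysql"]},
    {"ip": "10.10.1.6",  "services": ["https"]},
    {"ip": "10.10.1.20", "services": ["ipp", "http"]},
    {"ip": "10.10.1.21", "services": ["ipp", "telnet"]},  # printer nobody inventoried
    {"ip": "10.10.2.15", "services": ["smb"]},
    {"ip": "10.10.2.40", "services": ["http"]},            # unknown device
]

# Constructed scan history keyed by IP: last scan, open findings, changes since.
SCAN_HISTORY = {
    "10.10.1.5":  {"last_scan": date(2024, 3, 1),  "open_findings": 2,  "changes": 0},
    "10.10.1.6":  {"last_scan": date(2023, 11, 1), "open_findings": 1,  "changes": 0},
    "10.10.1.20": {"last_scan": date(2024, 2, 20), "open_findings": 12, "changes": 0},
    "10.10.2.15": {"last_scan": date(2024, 3, 10), "open_findings": 1,  "changes": 7},
}

# Constructed segment plan: subnets meant to hold only critical assets.
CRITICAL_SEGMENTS = [ip_network("10.10.1.0/24")]


@dataclass(frozen=True)
class Finding:
    ip: str
    kind: str
    detail: str


def scan_window(history):
    """Quarterly by default; tightened when the last scan was noisy or the asset churns."""
    if history["open_findings"] >= MANY_FINDINGS or history["changes"] >= MANY_CHANGES:
        return TIGHT_WINDOW_DAYS
    return SCAN_WINDOW_DAYS


def coverage_gaps(inventory, discovered, scan_history, critical_segments, today):
    """Return findings in sweep order, followed by inventory entries the sweep never saw."""
    findings, seen = [], set()
    for host in discovered:
        ip = host["ip"]
        seen.add(ip)
        record = inventory.get(ip)
        if record is None:
            findings.append(Finding(ip, "untracked",
                f"not in inventory; services seen: {', '.join(host['services'])}"))
            continue
        if record["criticality"] != "critical" and any(ip_address(ip) in s for s in critical_segments):
            findings.append(Finding(ip, "soft_target_on_critical_segment",
                f"{record['name']} ({record['criticality']}) shares a segment with critical assets"))
        hist = scan_history.get(ip)
        if hist is None:
            findings.append(Finding(ip, "never_scanned", record["name"]))
        else:
            due = hist["last_scan"] + timedelta(days=scan_window(hist))
            if today > due:
                findings.append(Finding(ip, "scan_overdue",
                    f"{record['name']} last scanned {hist['last_scan']}, due {due}"))
    # Inventory records that did not answer: stale entries or hosts the scanner cannot
    # reach; either way the vulnerability-management program is not covering them.
    for ip in sorted(inventory):
        if ip not in seen:
            findings.append(Finding(ip, "not_discovered",
                f"{inventory[ip]['name']} in inventory but did not answer the sweep"))
    return findings


if __name__ == "__main__":
    for f in coverage_gaps(INVENTORY, DISCOVERED, SCAN_HISTORY, CRITICAL_SEGMENTS, AS_OF):
        print(f"{f.ip:<12} {f.kind:<34} {f.detail}")
```

On the sample data the report flags the uninventoried printer and the unknown host as untracked, the floor printer both for sitting on the critical segment and for an overdue scan (its twelve open findings tightened its window), the workstation for an overdue scan after frequent changes, one critical server whose last scan is older than a quarter, and one inventory entry that never answered the sweep. Feeding the same three sources from real discovery, CMDB and scanner exports is the practical version of "know what needs to be secured" and "assess all of your assets on a periodic basis".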
I’m not proposing that accomplishing the perfect security posture is easy. I am suggesting that it’s time we get back to the basics and ensure all of our assets are included in the scope of our security landscape. An emphasis on doing the basics will not guarantee protection against every threat, but it will reduce your risk of data breaches.