INSIGHTS FROM ENGINEERS
Elements of a Gap Analysis
We get asked how to secure a company’s IT infrastructure almost every day. Company leaders look to us to perform risk assessments, create data breach and incident response plans, conduct penetration testing, or test backup and disaster recovery readiness. But the most commonly overlooked element we find is that companies do not have a clear understanding of how, what and where they operate. What I mean by that is that they do not clearly understand how their systems, infrastructure, and users operate. Complicating this, many businesses have moved applications to the cloud and no longer treat the data as their own.
Finding the Gaps
Do you have a physical layout and map of all of your locations and of the equipment and circuits that connect them together? What about cloud providers? What services are running at these locations? Where is the data stored? How is it being handled? Is there visibility into who and what devices can access that data and those applications, and where they access them from? Are the endpoints being monitored for what they are doing, accessing, and/or processing? How is the data controlled and monitored in and out of the corporate infrastructure? When we ask these questions, we get mostly blank looks or responses like “I didn’t set all of this up, it was like this when I got here” or “that is a good question, I have no idea.” This is not a dig on the responder, but just a reality of the situation. The honest truth is that no one is thinking about the infrastructure and how it is being used.
The False Security of “Shadow IT”
Many times users go out on their own and acquire services and infrastructure to make their jobs easier. We refer to this as “Shadow IT”. Their good intentions result in exposures of company data. Many times, it also leaves the company vulnerable to a disgruntled employee who has now either exfiltrated the data to a cloud file storage system, destroyed the data altogether, or both. It is necessary to have visibility on the traffic to identify who is going where. Utilizing DNS filtering services on all of your infrastructure alongside good endpoint protection can be a strong protector against these types of security gaps.
Confidence in Cloud Security
Not all cloud services are made equal. Many cloud solutions do not provide the necessary security, leaving resources, applications, and systems shared between clients. Threats can then originate from other clients with access to the same cloud services and target one client, and an attack on that client can in turn have an impact on other clients and other services. This is, in essence, horizontal (lateral) movement through the infrastructure that can leave a company devastated. We had a company contact us that had this happen. They lost ninety-four percent of their data to ransomware. By using an identity detection service, you can determine what is operating on and connected to the infrastructure.
Infrastructure and the Internet
Another problem is infrastructure that is directly exposed to the public internet. When the cloud first became popular, Distributed Denial-of-Service (DDoS) attacks against cloud platforms were largely unthinkable: the vast amount of resources cloud infrastructure presented made DDoS attacks extremely difficult to initiate. But with the compromised IoT devices, smartphones, servers and other computing resources that are available now, DDoS attacks have greatly increased in viability. If enough traffic is directed at a cloud resource, it can either go down entirely or experience difficulties. Next Generation Firewalls can identify these attacks and stop the traffic from touching the resources.
I briefly spoke about compromised resources in the above paragraph, but cloud resources can still contain system vulnerabilities (CVEs, Common Vulnerabilities and Exposures), especially in networks that have multiple vendor devices and third-party platforms. Once a vulnerability becomes known, it can be easily used against organizations. Attackers can use public services like Shodan to determine all the targets with the known vulnerability and attack the unpatched systems. Proper patching and upgrade protocols are critical for fighting this threat. Visibility, by using a SIEM or other monitoring solution, is critical throughout the infrastructure. These services also make it possible to determine what was touched during an attack and remediate it.
Due to the openness of infrastructure, phishing and social engineering attacks have become particularly common. Once login information or other confidential information is acquired, a malicious user can potentially break into a system with ease using the compromised credentials. Attackers have learned that users like to use the same password across all of their accounts. The recent Disney+ attack was not due to a breach of their database. The attackers took credentials compromised in other database breaches and used the same credentials to access and gain control of the Disney+ accounts. User negligence and user mistakes remain one of the biggest security issues for all systems, but the threat is particularly dangerous with cloud and publicly visible resources. Users may log into cloud solutions from their mobile phones, home tablets, and home desktop PCs, potentially leaving the system vulnerable to many outside threats. Users must be knowledgeable enough about phishing and social engineering to avoid these types of attacks. Utilizing a good policy and patch management system, with DNS filtering services on all of your infrastructure alongside good endpoint protection, can be a strong protector against these types of security gaps.
The Backup Gap
Lack of a good backup system, data loss prevention, or disaster recovery plan is still a very large gap for most companies. Inadequate data backups and improper data syncing are what has made many businesses vulnerable to ransomware. In most cases there was no automation or notification when systems failed to perform the backup, replication, or snapshot. A lack of separation between the backup data and the rest of the infrastructure leaves the backups vulnerable to the same attack. We have witnessed cases where attackers shut down the backups and timed the ransomware to encrypt once the backups had “expired”. The backups were not being monitored, and credentials were shared between the infrastructure and the backup solution. Once the attacker had lateral movement with those credentials, the entire infrastructure was locked out.
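One concrete check for the monitoring gap described above, as an added example that is not part of the original article: a script that parses backup job logs and alerts when a host’s last successful backup is stale, its job has been disabled, or its newest good copy has aged out of the retention window an attacker might be waiting on. The log format, host names and thresholds are constructed assumptions, not any particular backup product’s output.

```python
# Added example, not from the article: flag hosts whose backups have
# silently stopped (failed, stale, or disabled). SAMPLE_LOG is constructed,
# one "timestamp host status" line per backup run.
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T01:00:00 fileserver01 success
2024-05-02T01:00:00 fileserver01 failed
2024-05-03T01:00:00 fileserver01 disabled
2024-05-04T02:00:00 dbserver01 success
2024-05-01T03:00:00 mailserver01 success
2024-05-04T03:00:00 mailserver01 failed
2024-04-15T04:00:00 webserver01 success
2024-05-04T05:00:00 archive01 failed
"""

def parse_log(text):
    """Return (timestamp, host, status) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, host, status = line.split()
            rows.append((datetime.fromisoformat(ts), host, status))
    return sorted(rows)

def find_backup_gaps(rows, now, max_age, retention):
    """Return {host: reason} for every host without a trustworthy backup.
    max_age: the newest successful run may not be older than this.
    retention: an attacker who stops backups and waits this long leaves
    nothing to restore, so alert long before a host reaches it."""
    last_ok, last_status = {}, {}
    for ts, host, status in rows:          # sorted, so the newest run wins
        last_status[host] = status
        if status == "success":
            last_ok[host] = ts
    gaps = {}
    for host, status in last_status.items():
        age = now - last_ok[host] if host in last_ok else None
        if status == "disabled":           # a stopped job is a gap even if fresh
            gaps[host] = "backup job disabled"
        elif age is None:
            gaps[host] = "no successful backup on record"
        elif age > retention:
            gaps[host] = "last good backup older than retention window"
        elif age > max_age:
            gaps[host] = f"last good backup {age.days} days old"
    return gaps

def check_sample():
    """Run the check over SAMPLE_LOG as of a fixed, constructed 'now'."""
    now = datetime.fromisoformat("2024-05-05T08:00:00")
    return find_backup_gaps(parse_log(SAMPLE_LOG), now, timedelta(days=2), timedelta(days=14))
```

Run on a schedule and route any non-empty result to the same alerting channel as the rest of the infrastructure, so a silent backup failure is noticed in days rather than after an incident.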
According to NIST, thirty percent of reported cases of ransomware pay the ransom. Of that thirty percent, only seventeen percent actually get their data back. This isn’t necessarily because the attackers are intentionally withholding the decryption keys. Many times, the attacker never received the decryption keys themselves. Unfortunately, many companies are left with nothing on top of paying the ransom.
With an appropriate data backup plan, companies need no longer fall prey to these threats. We must also consider the infrastructure itself in cases where hardware failure, natural disasters, fire, or theft occur. Many businesses experience days or weeks of downtime from these causes due to lack of planning. Proper planning, with a good disaster recovery or business continuity plan, can be the difference during these times of difficulty.
Addressing the Gaps
To address the gaps in security for your infrastructure you need to look at the map and layout of all the systems and processes.
You need to ask yourself these questions:
- Where does the data flow?
- Do you have visibility at those points?
- Do you have the ability to control the data flow at those points?
- Does the system maintain a log of all traffic in and out of all endpoints and connection points?
- Are you identifying the perimeter of your infrastructure and all of the devices connecting and attempting to access resources?
- Is the data that we create and modify protected from negligence or malicious intent?
- Can we operate in the instance that we lose resources due to an attack?
- If we operate during a disaster, are we still protected from an attack?
Assumptions are the enemy of security, and unfortunately in many cases we haven’t thought through the scenarios. Take the time to implement visibility into your infrastructure. Analyze that data and create policy that mitigates your exposure. Repeat these actions continually. That is how you address your security gaps.
“Assumptions are the enemy of security.” – Todd Ellis, CTO, Secure Networkers