Phil Ashley, Managing Director - Managed Services, breaks down some of the biggest and most common cyber security weaknesses and how you can fix those to mitigate the risks of an attack.
Regardless of the size of your organisation, there are always cyber security weaknesses and vulnerabilities that need to be addressed. One of the key issues we find is that security teams believe they have secure systems and have implemented a lot of security controls. Often that is the case, but sometimes it isn't, and we pick up on the vulnerabilities that remain.
As a SOC team, we look at real world activities, actual data, actual traffic flows and pick up on things such as weak encryption mechanisms that the teams think have been disabled but are still being used and other forgotten items like that. Additionally, we find that patching is always a problem, so we monitor what is actually happening in the background and report back as a verification mechanism.
Vulnerabilities from poor cyber security processes
From a reactive standpoint, we see a lot of what you'd expect to see: old admin accounts lying around with lots of system access, build processes that didn't quite complete or work as expected, and services that were left turned on as a result. Quite a big issue we encounter is backup jobs that are misconfigured or broken, running and failing to properly access the systems they are meant to protect. That is actually quite hard to spot as part of a normal backup process. So there may be old service accounts and legacy systems that aren't quite doing what people expect them to, which happens a lot and leaves you vulnerable to breaches.
One of the major things we've seen is business email compromise. While it's not new, attackers can gain a lot of access to cloud platforms and perform brute force attacks. These have tended to originate from known networks, but with everyone working from home on the big ISPs' dynamic IP ranges, attacks are now arriving from addresses that look very ordinary, which is the point: it is a mechanism to evade detection and get through to a cloud account.
Why and how your employees are being targeted
Additionally, MFA fatigue and MFA denial of service are still a big thing. We see successful attacks where, despite MFA being turned on, the attacker simply annoys a user with prompts until they are eventually allowed in. This tends to start from phishing, which attackers are getting better at. Again, it's not necessarily super exciting, but these things work, and when they do work they can be very damaging.
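The push-prompt pattern described above is one a SOC can detect in identity provider logs. The following is an added example, not code from the original post or from Nightingale; the log format, field names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from the original post). Each record is
# (timestamp, user, result); a run of denied or timed-out pushes ending in an
# approval is the "annoy the user until they accept" pattern described above.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:05Z", "alice", "denied"),
    ("2024-03-01T08:00:41Z", "alice", "timeout"),
    ("2024-03-01T08:01:20Z", "alice", "denied"),
    ("2024-03-01T08:01:58Z", "alice", "denied"),
    ("2024-03-01T08:02:33Z", "alice", "approved"),
    ("2024-03-01T09:15:00Z", "bob", "approved"),
    ("2024-03-01T09:16:10Z", "bob", "denied"),
    ("2024-03-01T11:00:00Z", "carol", "timeout"),
    ("2024-03-01T11:00:30Z", "carol", "timeout"),
    ("2024-03-01T11:01:00Z", "carol", "timeout"),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def mfa_fatigue_alerts(events, window=timedelta(minutes=10), threshold=3):
    """Return one finding per user showing a push burst.

    'burst'               : >= threshold denied/unanswered pushes inside window
                            (the MFA denial-of-service case, even if nobody approves).
    'approved_after_burst': such a burst followed by an approval, i.e. the prompt
                            was most likely accepted just to make it stop.
    Window and threshold are assumed values; tune them to your own IdP data.
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((_parse(ts), result))
    alerts = {}
    for user, evs in by_user.items():
        for i, (t, result) in enumerate(evs):
            # non-approved pushes in the window ending at this event
            prior = [r for pt, r in evs[:i] if t - pt <= window and r != "approved"]
            if result != "approved":
                prior.append(result)
            if len(prior) < threshold:
                continue
            kind = "approved_after_burst" if result == "approved" else "burst"
            # keep the most severe finding per user
            if kind == "approved_after_burst" or user not in alerts:
                alerts[user] = {"kind": kind, "pushes": len(prior), "at": t.isoformat()}
    return alerts
```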
Other than that, change management is always a challenge, so we spend time looking at where systems change and whether something has been left behind or is not quite as documented. It could be that the security team thought they changed one thing but actually something different changed. We then start helping to monitor the day to day operational processes, such as starters, leavers and onboarding, and can see whether there are still a few user accounts enabled that nobody was expecting.
Attackers are getting quicker
Finally, the major change we're seeing is the automation of attacks. Typically an attack would begin with a bit of reconnaissance, but with so many vulnerabilities released over the last 12-18 months, attacks can now go straight to exploitation. Whether or not anyone has identified that a system is vulnerable, it is getting attacked and exploited anyway. Even if the vulnerability only yields a simple network reverse shell, with any major vulnerability you have very little time before it will probably be exploited by somebody, sophisticated or otherwise, so attacks are now happening much faster than in the past.
And while none of this sounds groundbreaking, these are easy fixes a lot of the time and can really make a material difference to the general security of an organisation as they’re the exact kind of thing that an attacker would be trying to exploit.
How to discover and fix vulnerabilities
Therefore, the 5 ways in which you could help protect your company against an attack are:
1. Shut down any old admin accounts linked to the company, and improve offboarding processes company wide to strengthen your overall security posture.
2. Double and even triple check your backups and builds: anything that's broken or misconfigured is a vulnerability ready to be exploited.
3. Provide security training to your employees so that they better understand the risks of poor cyber hygiene, with clear guidance on what to do if something is not right.
4. Improve your change management protocols: update record keeping and improve handover processes.
5. Go back and repeat steps 1-4.
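Steps 1 and 4 above (old admin accounts and leavers who still have enabled accounts) can be checked mechanically against an identity export joined with HR leaver data. The following is an added example, not code from the original post or from Nightingale; the field names, the 90-day staleness threshold and the sample records are assumptions and constructed data.

```python
from datetime import date, timedelta

# Constructed sample of an identity export joined with HR leaver data
# (not from the original post). Field names are assumptions.
TODAY = date(2024, 3, 1)
ACCOUNTS = [
    {"user": "svc-backup-old", "enabled": True,  "admin": True,  "last_logon": date(2023, 6, 2),  "left_on": None},
    {"user": "jsmith",         "enabled": True,  "admin": False, "last_logon": date(2024, 2, 28), "left_on": date(2024, 1, 15)},
    {"user": "akhan",          "enabled": True,  "admin": True,  "last_logon": date(2024, 2, 29), "left_on": None},
    {"user": "tmp-build",      "enabled": False, "admin": True,  "last_logon": None,              "left_on": None},
    {"user": "never-used-adm", "enabled": True,  "admin": True,  "last_logon": None,              "left_on": None},
]

def audit_accounts(accounts, today=TODAY, stale_after=timedelta(days=90)):
    """Return findings keyed by user for the offboarding and stale-admin checks.

    leaver_still_enabled : HR says the person left but the account is still enabled
    used_after_leaving   : and that account has authenticated since the leave date
    stale_admin          : enabled admin account unused for longer than stale_after,
                           or never used at all (e.g. a leftover build or service account)
    """
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled accounts are out of scope for these two checks
        reasons = []
        if a["left_on"] is not None:
            reasons.append("leaver_still_enabled")
            if a["last_logon"] and a["last_logon"] > a["left_on"]:
                reasons.append("used_after_leaving")
        if a["admin"]:
            if a["last_logon"] is None or today - a["last_logon"] > stale_after:
                reasons.append("stale_admin")
        if reasons:
            findings[a["user"]] = reasons
    return findings
```

Running this against a real export is the verification step the article describes: the output is the list of accounts to disable, and rerunning it after each offboarding cycle is step 5.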
If you require assistance in performing all of these checks and would like ongoing security support, find out more about Nightingale Security Monitoring.