These days, information security operations can feel like a constant series of scrambles. One week, it’s a huge dump of credentials. The next, it’s an outbreak of targeted ransomware exploiting a common Windows service. Many organizations are feeling the pressure, and don’t have enough staff and time to catch their breath from one major issue to the next. Are we being targeted? Are we already compromised? How susceptible are we to major malware outbreaks or exploit kits or criminal groups or… well, any of it?
The landscape of security is changing rapidly (every day there is a new exploit, sensitive data exposure, or story of horrifying things on the Internet), and many security teams are struggling to better understand their security exposure. While it’s true that we will all deal with a variety of “panic” scenarios at some point, most organizations can improve responsiveness by leveraging some foundational vulnerability tools and best practices. Whether this means scanning for missing patches or vulnerabilities, looking for possible avenues of credential misuse, or anything in between, vulnerability management can help us shore up our defenses, and find areas of exposure in our environments, hopefully before they’re compromised.
First, start with the most basic premise – inventory management. System and software inventory absolutely has to be the #1 priority, since you simply can't protect what you don’t know you have. Scanning tools can help with this, as can identity and access tools that inventory accounts in the environment. What do you have, what is running and installed, and who is using the assets and applications? Answering these questions will give you a good head start on protection.
The second critical area of focus should be on known vulnerabilities in the environment. In the recent WannaCry ransomware outbreak, Microsoft Windows systems were susceptible to a known bug that was released into the wild illicitly… roughly TWO MONTHS after it had been patched by Microsoft, who dubbed the flaw “critical” and urged all affected organizations to update their systems immediately. What happened? In 2017, we really can’t afford to casually wait two months or more to patch known critical vulnerabilities in major operating systems. Vulnerability scanning tools can help us enormously by pointing out the flaws and which systems are susceptible to them. Security and operations teams should then prioritize remediation of the issues reported, something we’ve known for years. We’re talking about the basic blocking and tackling, folks. Scan, patch, and check again. Do it once more. Maybe another time.
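The two priorities above, knowing what you have and knowing which known patches are missing from it, can be checked with the same data set. The following Python script is an added example (not from the original post or from any product it mentions): it takes a constructed inventory and a constructed patch catalogue with placeholder patch identifiers, flags hosts the scanner saw that the inventory does not know about, and ranks missing patches by severity and by how long the fix has been available, so the two-month gap the post describes shows up as an overdue critical item rather than getting lost in a long list.

```python
"""Inventory-driven patch-gap report (added example, not the post's own tooling).

Assumptions: inventory, scan results and patch catalogue are constructed
in-line below; the PATCH-EX-* identifiers are placeholders, not real
vendor advisory numbers.
"""
from collections import namedtuple
from datetime import date

Host = namedtuple("Host", "name os installed")          # installed: set of patch IDs
Patch = namedtuple("Patch", "id applies_to severity released")

# Constructed asset inventory (what we believe we have)
INVENTORY = [
    Host("fs01", "windows", {"PATCH-EX-1", "PATCH-EX-2"}),
    Host("web01", "linux", {"PATCH-EX-3"}),
    Host("hr-ws07", "windows", {"PATCH-EX-1"}),
]

# Constructed patch catalogue: which OS each fix applies to, its severity,
# and the date the vendor released it
CATALOGUE = [
    Patch("PATCH-EX-1", "windows", "high", date(2017, 1, 10)),
    Patch("PATCH-EX-2", "windows", "critical", date(2017, 3, 14)),
    Patch("PATCH-EX-3", "linux", "high", date(2017, 4, 1)),
    Patch("PATCH-EX-4", "linux", "critical", date(2017, 5, 1)),
]

# Constructed: hostnames the network scanner actually observed
SEEN_ON_NETWORK = {"fs01", "web01", "hr-ws07", "unknown-pc-3"}

# Constructed report date
AS_OF = date(2017, 5, 12)

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def unknown_hosts(inventory, seen):
    """Hosts the scanner sees that the inventory does not know about."""
    known = {h.name for h in inventory}
    return sorted(seen - known)


def missing_patches(host, catalogue):
    """Catalogue entries that apply to this host's OS but are not installed."""
    return [p for p in catalogue
            if p.applies_to == host.os and p.id not in host.installed]


def patch_gap_report(inventory, catalogue, today, overdue_days=30):
    """Rows of (host, patch_id, severity, days_available, overdue),
    most severe and longest-outstanding first."""
    rows = []
    for host in inventory:
        for p in missing_patches(host, catalogue):
            age = (today - p.released).days
            rows.append((host.name, p.id, p.severity, age, age > overdue_days))
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r[2], 99), -r[3]))
    return rows


def overdue_critical(inventory, catalogue, today, overdue_days=30):
    """Host names with a critical fix missing for longer than overdue_days."""
    return sorted({r[0] for r in patch_gap_report(inventory, catalogue, today, overdue_days)
                   if r[2] == "critical" and r[4]})


if __name__ == "__main__":
    print("Not in inventory:", unknown_hosts(INVENTORY, SEEN_ON_NETWORK))
    for row in patch_gap_report(INVENTORY, CATALOGUE, AS_OF):
        print("%-8s %-11s %-8s %3d days %s" % (row[0], row[1], row[2], row[3],
                                               "OVERDUE" if row[4] else ""))
    print("Overdue critical:", overdue_critical(INVENTORY, CATALOGUE, AS_OF))
```

Run it once after each scan and again after the patch cycle; the "check again" step the post calls for is simply diffing two reports. The unknown-host list is the more important output in practice, since a host that is missing from the inventory never appears in the patch report at all.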
Today, we are seeing an unprecedented rise in the use of administrative credentials during attacks and data breach scenarios, as well. Tracking down admin privileges, and the services and applications where admin credentials are needed (or not), is another area that needs our attention, and fast. Start by focusing on local admin credentials in operating systems, then look for core applications that require some admin interaction, and focus on locking down these accounts (or removing them if they’re not needed). Better yet, invest in a centralized set of tools that can help control admin access and provide audit details to boot.
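Once local Administrators group membership has been collected from each host (by whatever inventory agent or management tool is in place), the first pass at "tracking down admin privileges" is a few set operations. The script below is an added example, not the post's own tooling: it works on a constructed membership table with placeholder account names and reports the three things worth acting on first: accounts that hold local admin on several machines (one password that opens many doors), admin members that are not on the approved list, and hosts where the built-in local Administrator account is still enabled.

```python
"""Local-admin exposure audit (added example, not the post's own tooling).

Assumptions: local Administrators group membership and the enabled state of
the built-in account have already been collected per host into the
constructed structures below; host and account names are placeholders.
"""
from collections import defaultdict

# Constructed: host -> members of the local Administrators group
LOCAL_ADMINS = {
    "fs01":    {"CORP\\it-helpdesk", "fs01\\Administrator", "CORP\\svc-backup"},
    "web01":   {"CORP\\it-helpdesk", "web01\\Administrator", "CORP\\jdoe"},
    "hr-ws07": {"CORP\\it-helpdesk", "hr-ws07\\Administrator", "CORP\\asmith"},
    "db02":    {"CORP\\svc-backup", "db02\\Administrator"},
}

# Constructed: whether the host's built-in local Administrator account is enabled
BUILTIN_ENABLED = {"fs01": True, "web01": False, "hr-ws07": True, "db02": False}

# Constructed allow-list of accounts that are supposed to hold local admin
APPROVED_ADMINS = {"CORP\\it-helpdesk"}


def is_builtin(account, host):
    """True for the host's own built-in account, written HOST\\Administrator."""
    return account.lower() == ("%s\\administrator" % host).lower()


def shared_admins(local_admins, threshold=2):
    """Accounts that are local admin on at least `threshold` hosts.
    The per-host built-in account is excluded; it is reported separately."""
    hosts_by_account = defaultdict(set)
    for host, members in local_admins.items():
        for acct in members:
            if not is_builtin(acct, host):
                hosts_by_account[acct].add(host)
    return {acct: sorted(hosts) for acct, hosts in hosts_by_account.items()
            if len(hosts) >= threshold}


def unapproved_admins(local_admins, approved):
    """host -> admin members that are neither the built-in account nor approved."""
    findings = {}
    for host, members in sorted(local_admins.items()):
        extra = sorted(a for a in members
                       if not is_builtin(a, host) and a not in approved)
        if extra:
            findings[host] = extra
    return findings


def builtin_enabled_hosts(builtin_enabled):
    """Hosts where the built-in local Administrator account is still enabled."""
    return sorted(host for host, enabled in builtin_enabled.items() if enabled)


if __name__ == "__main__":
    print("Admin on multiple hosts:", shared_admins(LOCAL_ADMINS))
    print("Unapproved admin members:", unapproved_admins(LOCAL_ADMINS, APPROVED_ADMINS))
    print("Built-in Administrator enabled:", builtin_enabled_hosts(BUILTIN_ENABLED))
```

The shared-admin list is the one to review first: a service account such as the constructed `CORP\svc-backup` that is local admin on a file server and a database server is exactly the kind of credential whose misuse the post is warning about, and either it needs that access on both machines (document it and add it to the allow-list) or it does not (remove it). Re-running the audit after each change gives the "check again" step for accounts that the previous section gave for patches.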
This is just the start – we’ve obviously got a lot of work to do, and no one is saying it’s easy. However, let’s not deny that these are all things we should have been focusing on all along, and it’s time to build a better information security preparedness program through proactive monitoring and inventory.
Dave Shackleford, Cybersecurity Expert and Founder of Voodoo Security
Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.