While it seems that today’s cybercriminals have a myriad of tricks and techniques at the ready to gain access to your network, the reality is that they are typically taking advantage of common vulnerabilities – such as unpatched software or default passwords – time and time again. That’s why establishing a regular process for finding those vulnerabilities that put you at risk is a critical part of your cybersecurity program.
For starters, it’s advisable to have a penetration test (pen test) performed by an independent and experienced “white-hat hacker” at least annually, or whenever a significant change is made to your environment. However, there are things you can do between pen test engagements to reduce your risk of being breached. Here are ten items that should be at the top of your list.
#1. Run regular vulnerability scans.
We recommend a monthly cycle of scanning and remediation, with the goal of fixing every High and Medium severity finding before the next scan. A short cycle keeps the remediation workload manageable. New vulnerabilities are discovered all the time, patches get missed, and your systems change. A full year between assessments is too long to go without a clear picture of what is on your network, especially with today’s dynamic threat landscape.
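The monthly cadence only works if the scanner output is turned into a backlog that someone owns. The PowerShell below is an added example, not code from the original article: it takes a scanner CSV export (the column names and the five sample findings are constructed here and should be mapped to your own scanner’s export format), keeps the Critical/High/Medium findings, and flags anything that has been open longer than the 30-day cycle.

```powershell
# Added example (not from the original article): turn a vulnerability
# scanner export into a monthly remediation backlog.
# Assumptions: the scanner exports CSV with the columns below (column
# names are hypothetical; map them to your scanner) and the target is
# "Critical/High/Medium fixed within 30 days of first being seen".

# Constructed sample export, standing in for a real scanner CSV file.
$sampleCsv = @'
Host,Plugin,Severity,CVSS,FirstSeen,LastSeen
fs01.corp.example,Unsupported Adobe Flash Player installed,High,9.3,2023-01-05,2023-03-02
fs01.corp.example,SMB signing not required,Medium,5.3,2023-02-20,2023-03-02
ws-17.corp.example,Windows SMB server missing security update,Critical,9.8,2023-02-28,2023-03-02
ws-17.corp.example,LLMNR enabled,Low,2.0,2023-01-05,2023-03-02
sw-core.corp.example,Default SNMP community string (public),High,7.5,2022-12-01,2023-03-02
'@

function Get-RemediationBacklog {
    param(
        [Parameter(Mandatory)] [string] $CsvText,
        [string[]] $Severities = @('Critical', 'High', 'Medium'),
        [int]      $SlaDays    = 30,
        [datetime] $AsOf       = (Get-Date)
    )
    $CsvText | ConvertFrom-Csv |
        Where-Object { $_.Severity -in $Severities } |
        ForEach-Object {
            # Age is measured from the first time the scanner saw the finding,
            # not from the latest scan, so re-scanning never resets the clock.
            $age = ($AsOf - [datetime]$_.FirstSeen).Days
            [pscustomobject]@{
                Host     = $_.Host
                Finding  = $_.Plugin
                Severity = $_.Severity
                CVSS     = [double]$_.CVSS
                AgeDays  = $age
                Overdue  = ($age -gt $SlaDays)
            }
        } |
        Sort-Object -Property @{ Expression = 'Overdue'; Descending = $true },
                              @{ Expression = 'CVSS';    Descending = $true }
}

# Usage: anything flagged Overdue has slipped past the monthly cycle.
$backlog = Get-RemediationBacklog -CsvText $sampleCsv -AsOf ([datetime]'2023-03-03')
$backlog | Format-Table -AutoSize

# Per-host summary for whoever owns the remediation of that host.
$backlog | Group-Object Host | ForEach-Object {
    '{0}: {1} open, {2} overdue' -f $_.Name, $_.Count, @($_.Group | Where-Object Overdue).Count
}
```

With the sample data the Flash finding on fs01 and the default SNMP community string on the core switch come out as overdue, while the Low finding is dropped from the backlog entirely; that is the intended triage, not a reason to ignore Low findings forever.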
#2. Patch software regularly.
Be sure to include all third-party software, not just the operating system. Historically Adobe products, Flash in particular, accounted for many of the most commonly exploited vulnerabilities; Flash has since reached end of life, so it should be removed outright rather than patched. If you’re only patching your operating systems, you’re leaving severe vulnerabilities unaddressed on workstations and servers across your network.
#3. Minimize local administrator privileges.
Malware runs in the security context of the user who launched it. This means that if your end users have administrator permissions on their systems, so does any malware that infects them, and it can then disable security tools, install persistence and harvest credentials from the machine. If an application genuinely requires elevated rights to run properly, try “Compatibility Mode” first, or run that one application under a separate administrative account with “Run as”, rather than making the user a local administrator.
#4. Configure systems securely.
- Disable NetBIOS over TCP/IP and Link-Local Multicast Name Resolution (LLMNR) on all systems. These are two legacy Windows name-resolution fallbacks kept for backward compatibility: when a name lookup fails, the host broadcasts or multicasts the query to the local segment and trusts whoever answers. An attacker on that segment can answer the query and capture or relay the credentials the victim then sends, so disabling both removes a well-known attack surface. Note: before you disable them, check any legacy systems on your network to confirm that they no longer depend on these protocols.
- Require SMB signing on both the client and the server side. Each SMB message is then digitally signed, so a man-in-the-middle cannot tamper with the session or relay one host’s authentication to another server. Signing does not stop unauthorized devices from connecting; it protects the integrity of the sessions that do. Expect legacy devices that cannot sign (old NAS appliances, printers) to break, so audit before you enforce.
- Reference the Center for Internet Security (CIS) Benchmarks for other best practices.
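All three settings above are plain Windows configuration, so they can be checked and enforced from PowerShell. The script below is an added example, not from the original article: it audits NetBIOS over TCP/IP, LLMNR and SMB signing on the local host and, with `-Apply`, enforces them. It assumes Windows 8 / Server 2012 or later (for the `SmbShare` cmdlets) and an elevated session; in a domain these settings belong in Group Policy, and the script is for checking a host or hardening a standalone one.

```powershell
# Added example (not from the original article): audit, and optionally
# enforce, the three settings from tip #4 on the local Windows host.
# Assumptions: Windows 8 / Server 2012 or later, run as administrator.
# In a domain, deliver these via Group Policy; use this to verify hosts.

function Test-SecureConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $Apply)

    $results = @()

    # --- NetBIOS over TCP/IP: TcpipNetbiosOptions 2 = disabled, per adapter ---
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        $ok = ($a.TcpipNetbiosOptions -eq 2)
        if (-not $ok -and $Apply -and $PSCmdlet.ShouldProcess($a.Description, 'Disable NetBIOS over TCP/IP')) {
            $r  = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                                   -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            $ok = ($r.ReturnValue -eq 0)
        }
        $results += [pscustomobject]@{ Check = "NetBIOS disabled ($($a.Description))"; Compliant = $ok }
    }

    # --- LLMNR: the DNS client policy value EnableMulticast = 0 turns it off ---
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $ok = ($llmnr -eq 0)
    if (-not $ok -and $Apply -and $PSCmdlet.ShouldProcess('DNSClient policy', 'Disable LLMNR')) {
        if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        $ok = $true
    }
    $results += [pscustomobject]@{ Check = 'LLMNR disabled'; Compliant = $ok }

    # --- SMB signing: must be REQUIRED on both the server and the client side ---
    $srv = (Get-SmbServerConfiguration).RequireSecuritySignature
    $cli = (Get-SmbClientConfiguration).RequireSecuritySignature
    if (-not ($srv -and $cli) -and $Apply -and $PSCmdlet.ShouldProcess('SMB', 'Require signing')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        $srv = $cli = $true
    }
    $results += [pscustomobject]@{ Check = 'SMB signing required (server)'; Compliant = [bool]$srv }
    $results += [pscustomobject]@{ Check = 'SMB signing required (client)'; Compliant = [bool]$cli }

    $results
}

# Audit only (safe to run anywhere):
Test-SecureConfig | Format-Table -AutoSize

# Enforce, once you have confirmed nothing legacy still needs these:
# Test-SecureConfig -Apply
# Preview what -Apply would change without changing it:
# Test-SecureConfig -Apply -WhatIf
```

Run the audit form across a sample of hosts before enforcing anything: a host where SMB signing is not yet required on the client side is the usual sign that some share it talks to cannot sign, and that is the dependency to find before `-Apply`.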
#5. Practice secure network engineering.
- Check hardening guides for the technologies and protocols in use. You should have a hardening checklist for each type of operating system and critical application you run. We also recommend maintaining a library of hardened base images, with a defined process for updating those images as patches and updates are released.
- Set or change default passwords for internal network protocols (SNMP community strings, for example) and on all devices. Never use default passwords! Defaults are a well-known and well-exploited attack surface.
- Consider network segmentation to limit access to systems / information to only those that require it.
#6. Enforce a password policy and require two-factor authentication when available.
Include minimum length and complexity requirements, and enforce the policy with technical controls rather than relying on good intentions. Security awareness training comes into play here: when employees understand why the policy exists, they are more likely to follow it. Provide them with a password management tool or technique so that doing the right thing is easy.
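“Enforce it with technical controls” means the domain policy has to actually say what you think it says, and nobody may be quietly exempt from it. The PowerShell below is an added example, not from the original article: it reads the default domain password policy, compares it with a baseline (the numbers 14 and 24 are illustrative, not a standard the article cites), lists fine-grained policies that weaken the default, and lists enabled accounts flagged as never expiring or not requiring a password. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the original article): verify that the password
# policy is actually enforced in Active Directory, and find the loopholes.
# Assumptions: RSAT ActiveDirectory module installed; read access to the
# domain; baseline values are illustrative, adjust to your own policy.

Import-Module ActiveDirectory

function Test-PasswordPolicy {
    param(
        [int] $MinLength  = 14,
        [int] $MinHistory = 24
    )
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        MinPasswordLength    = $p.MinPasswordLength
        LengthOk             = ($p.MinPasswordLength -ge $MinLength)
        ComplexityEnabled    = $p.ComplexityEnabled
        PasswordHistory      = $p.PasswordHistoryCount
        HistoryOk            = ($p.PasswordHistoryCount -ge $MinHistory)
        LockoutThreshold     = $p.LockoutThreshold
        LockoutOk            = ($p.LockoutThreshold -gt 0)      # 0 = no lockout at all
        ReversibleEncryption = $p.ReversibleEncryptionEnabled   # must be False
    }
}

# Fine-grained password policies override the default for the groups they
# apply to, so a weak one silently exempts those users from the baseline.
function Get-WeakFineGrainedPolicies {
    param([int] $MinLength = 14)
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Where-Object { $_.MinPasswordLength -lt $MinLength -or -not $_.ComplexityEnabled } |
        Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo
}

# Enabled accounts whose flags bypass the policy: never-expiring passwords
# escape rotation, and PasswordNotRequired allows an empty password.
function Get-PolicyExemptUsers {
    Get-ADUser -Filter { Enabled -eq $true -and (PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true) } `
               -Properties PasswordNeverExpires, PasswordNotRequired, PasswordLastSet |
        Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired, PasswordLastSet
}

Test-PasswordPolicy           | Format-List
Get-WeakFineGrainedPolicies   | Format-Table -AutoSize
Get-PolicyExemptUsers         | Format-Table -AutoSize
```

Service accounts usually show up in the last list; each one should have a documented reason, and a `PasswordLastSet` date years in the past is a finding in its own right.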
#7. Change default passwords on all applications and appliances.
As stated previously, never use default passwords! Defaults are a well-known and well-exploited attack surface.
#8. Ensure all devices have unique local administrator passwords.
A tool such as Microsoft LAPS (Local Administrator Password Solution) sets a random local administrator password on every domain-joined machine, rotates it on a schedule and stores it in Active Directory where only authorized staff can read it. Without it, one shared local administrator password lets an attacker who compromises a single workstation log on to every other machine that shares that password.
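LAPS only helps on the machines it actually covers. The PowerShell below is an added example, not from the original article: it reports every enabled domain computer that has no LAPS-managed password, or whose password expiry is in the past (the client has stopped rotating). It assumes the RSAT ActiveDirectory module and that the schema has been extended for Windows LAPS (`msLAPS-PasswordExpirationTime`) and/or legacy LAPS (`ms-Mcs-AdmPwdExpirationTime`); both attributes are checked so the report works during a migration between the two.

```powershell
# Added example (not from the original article): find domain computers NOT
# covered by LAPS, i.e. candidates for a shared local administrator password.
# Assumptions: RSAT ActiveDirectory module; schema extended for Windows LAPS
# (msLAPS-*) and/or legacy LAPS (ms-Mcs-AdmPwd*); read access to the domain.
# Reading expiry times does not require permission to read the passwords.

Import-Module ActiveDirectory

function Get-LapsCoverage {
    param(
        [string] $SearchBase = (Get-ADDomain).DistinguishedName,
        [int]    $GraceDays  = 7   # tolerate a little lag past the expiry time
    )
    $props = 'OperatingSystem', 'LastLogonDate',
             'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime'
    Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            # Both attributes hold a FILETIME (100-ns ticks since 1601-01-01 UTC).
            $raw = $_.'msLAPS-PasswordExpirationTime'
            if (-not $raw) { $raw = $_.'ms-Mcs-AdmPwdExpirationTime' }
            $expires = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }

            # No expiry => LAPS never set a password; expiry well in the past
            # => the client is no longer rotating it.
            if (-not $expires)                                                  { $status = 'NO LAPS PASSWORD' }
            elseif ($expires -lt (Get-Date).ToUniversalTime().AddDays(-$GraceDays)) { $status = 'STALE' }
            else                                                                { $status = 'OK' }

            [pscustomobject]@{
                Name            = $_.Name
                OperatingSystem = $_.OperatingSystem
                LastLogonDate   = $_.LastLogonDate
                LapsExpiresUtc  = $expires
                Status          = $status
            }
        }
}

$report = Get-LapsCoverage
$report | Where-Object Status -ne 'OK' | Sort-Object Status, Name | Format-Table -AutoSize
'{0} of {1} enabled computers have a current LAPS-managed password' -f `
    @($report | Where-Object Status -eq 'OK').Count, @($report).Count
```

Machines that appear as `NO LAPS PASSWORD` but have a recent `LastLogonDate` are live systems outside LAPS coverage and deserve attention first; the ones with no recent logon are usually stale computer objects that should be cleaned up instead.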
#9. Use secure software development practices.
The Open Web Application Security Project (OWASP) is a great resource. You cannot assume that software developers are security-minded; writing secure code takes specific training. A developer’s first goal is code that works. You need to make sure they are also writing code that works securely.
#10. Make sure to have working and tested backups of key systems / data.
A backup you have never restored is an untested backup: schedule regular restore tests, and keep at least one copy offline or otherwise isolated so that an attacker who reaches your network cannot also destroy your ability to recover.
That rounds out our top ten tips for reducing common vulnerabilities on your network! Remember that staying on a regular schedule of finding issues and keeping things up-to-date will help you reduce the number of vulnerabilities on your network and shrink the attack surface available to cyber criminals.