Recently, a hacker running a social engineering attack got a company's CEO to connect to a malicious server and type in his username, password and the code from his two-factor token. Within seconds, the hacker had logged in to the CEO's e-mail and had access to the inner secrets of his company. A one-time code typed into an attacker's page can be used against the real service while it is still valid, so the second factor bought the company nothing.
Fortunately, the hacker was one of the good guys. He was an engineer from CDW performing a Comprehensive Security Assessment (CSA) to help the business discover its vulnerabilities and devise a roadmap toward improving its security posture.
There are many companies that offer simple tool-based assessments that use automated systems to check IP addresses for open ports, look for missing patches or identify known and obvious misconfigurations. A CSA from CDW goes above and beyond such tool-based approaches and uses the same techniques and human intuition employed by malicious hackers.
“The reason customers like the CSA is that we find a lot of real-world vulnerabilities that less experienced and less talented security analysts wouldn’t find,” explains Mark Lachniet, information security solutions manager at CDW. “We’re able to find vulnerabilities that take a lot of human logic.”
For instance, CDW’s security assessment team analyzes thousands of passwords, identifies patterns and uses its findings to gain access to its clients’ user accounts. Despite all the horror stories about security threats, the team still finds that some of the most popular passwords incorporate the season and year or variations of the words “password,” “welcome” or “helpdesk.”
Even if organizations establish password complexity requirements, users can often still get away with “Spring2016!,” “Welcome123” or “Passw0rd”: each is long enough and mixes enough character classes to satisfy a typical policy, and automated testing tools that only try a fixed list of vendor defaults often don’t find them. CDW’s testers, on the other hand, manually search for common or default passwords, including seasonal and company-specific variations, to uncover these vulnerabilities.
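The gap described above, as an added example that is not CDW's tooling or code from the original page: a typical complexity rule accepts “Spring2016!,” “Welcome123” and “Passw0rd,” while a pattern check of the kind a human tester applies (season plus year, a base word with digits or symbols bolted on, leet substitutions) flags them. The base-word list, the substitution table and the sample password list are all constructed for the demonstration; a real assessment builds the word list from the client's own cracked passwords.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed word list: the base words the article says keep turning up.
# A real assessment would extend this with the client's name, products and sites.
BASE_WORDS = ("password", "welcome", "helpdesk")
SEASON_YEAR = re.compile(r"(spring|summer|autumn|fall|winter)[-_.]?(20\d\d|\d\d)[^a-z0-9]*")

# Common substitutions users make to satisfy a "must contain a digit or symbol" rule.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity_policy(pw: str) -> bool:
    """A typical 'complex password' rule: at least 8 characters drawn from 3 of 4 classes.
    Every weak password in the sample below passes it; that is the policy's blind spot."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= 8 and sum(classes) >= 3


def normalize(pw: str) -> str:
    """Reduce a password to its base word: lowercase, strip leading and trailing
    digits/symbols ('123', '2016!'), then undo leet substitutions ('passw0rd' -> 'password')."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def weak_pattern(pw: str) -> Optional[str]:
    """Return the pattern a human tester would spot, or None if there is no obvious one."""
    if SEASON_YEAR.fullmatch(pw.lower()):
        return "season+year"
    core = normalize(pw)
    for word in BASE_WORDS:
        if core == word:
            return f"base word '{word}'"
    return None


def audit(passwords):
    """Group policy-compliant passwords by the weak pattern they follow.
    Key None collects those that pass both the policy and the pattern check."""
    groups = defaultdict(list)
    for pw in passwords:
        if meets_complexity_policy(pw):
            groups[weak_pattern(pw)].append(pw)
    return dict(groups)


# Constructed sample, standing in for a cracked password list from an assessment.
SAMPLE_PASSWORDS = [
    "Spring2016!", "Welcome123", "Passw0rd", "Summer16!", "Helpdesk1",
    "P@ssw0rd2015", "correct horse battery staple", "Tr0ub4dor&3",
]

if __name__ == "__main__":
    for pattern, pws in audit(SAMPLE_PASSWORDS).items():
        print(f"{pattern or 'no obvious pattern'}: {pws}")
```

Note that the passphrase “correct horse battery staple” fails the complexity policy while every seasonal and base-word password passes it, which is the reason a pattern-based audit, not a character-class rule, is what finds these accounts.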
CDW’s security assessment team also searches for trust relationships. For instance, every Windows computer has a built-in local Administrator account in addition to its users’ accounts, and the local Administrator password is often identical across machines on the same network, particularly if they were deployed from a common image. So if a hacker can get into one computer and recover its local administrator credential, he can use that same credential to log into other machines throughout the environment, and what he finds on those machines often leads to broader administrative access.
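The check behind that finding, as an added example that is not CDW's tooling or code from the original page. It assumes the tester has already dumped each host's local account hashes with a credential-dumping tool and has them in the common `user:RID:LM_hash:NT_hash:::` line format; it then groups hosts by the NT hash of the built-in Administrator (RID 500, which survives renaming the account) and reports which hosts a single compromised machine reaches with that one credential. Host names and hash values are constructed placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# One line per local account, in the format credential-dumping tools print for the SAM:
#   user:RID:LM_hash:NT_hash:::
SAM_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password, the usual value on modern hosts


def parse_sam_dump(text: str) -> List[Tuple[str, int, str]]:
    """Parse a dump into (user, rid, nt_hash) tuples, ignoring anything that is not an account line."""
    entries = []
    for line in text.splitlines():
        m = SAM_LINE.match(line.strip())
        if m:
            entries.append((m["user"], int(m["rid"]), m["nt"].lower()))
    return entries


def builtin_admin_hash(entries) -> Optional[str]:
    """The built-in Administrator always has RID 500, even when the account has been renamed."""
    for _user, rid, nt in entries:
        if rid == 500:
            return nt
    return None


def shared_admin_hashes(dumps: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each built-in-admin NT hash to the hosts that share it, keeping only groups of two or more.
    Every host in a group accepts the same local administrator credential."""
    by_hash = defaultdict(list)
    for host, text in dumps.items():
        nt = builtin_admin_hash(parse_sam_dump(text))
        if nt:
            by_hash[nt].append(host)
    return {nt: sorted(hosts) for nt, hosts in by_hash.items() if len(hosts) > 1}


def reachable_from(host: str, dumps: Dict[str, str]) -> List[str]:
    """Other hosts a compromise of `host` reaches using that host's local administrator credential alone."""
    for hosts in shared_admin_hashes(dumps).values():
        if host in hosts:
            return [h for h in hosts if h != host]
    return []


# Constructed sample dumps: hash values are placeholders, not real NT hashes.
SHARED = "1" * 32   # the hash every workstation imaged from the same build ends up with
UNIQUE = "2" * 32
SAMPLE_DUMPS = {
    "WS01": f"Administrator:500:{EMPTY_LM}:{SHARED}:::\nGuest:501:{EMPTY_LM}:{'3' * 32}:::",
    "WS02": f"Administrator:500:{EMPTY_LM}:{SHARED}:::",
    "WS03": f"Administrator:500:{EMPTY_LM}:{SHARED}:::",
    # Account renamed but the password kept: RID 500 still gives it away.
    "WS04": f"localadm:500:{EMPTY_LM}:{SHARED}:::",
    "SRV01": f"Administrator:500:{EMPTY_LM}:{UNIQUE}:::",
}

if __name__ == "__main__":
    for nt, hosts in shared_admin_hashes(SAMPLE_DUMPS).items():
        print(f"NT hash {nt[:8]}... shared by {len(hosts)} hosts: {', '.join(hosts)}")
    print("From WS01 alone, the credential reaches:", reachable_from("WS01", SAMPLE_DUMPS))
```

The grouping is done on hashes rather than on cleartext passwords deliberately: the attacker does not need to crack the hash to reuse the credential on another host, so identical hashes are the trust relationship, whatever the password is. The usual remediation is a unique, randomly generated local administrator password on every machine, which Microsoft's LAPS manages.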
In addition to the usual servers and workstations, the CDW team analyzes databases, IP cameras, networking equipment, multi-function printers and other devices that could create a security risk. “These are just some examples of the manual, intellectual work that a good penetration tester is going to use that our competitors often don't use,” explains Lachniet.
It is often neglected devices and misunderstood concepts like trust relationships that lead to an administrator compromise. Sadly, such compromises are easier than you might think — CDW engineers have a history of obtaining administrator access when connected to a customer’s internal network over 95 percent of the time.
Human Error Is Inevitable
The growth of the Internet of Things (IoT) and bring-your-own-device policies has created an ever-increasing number of interconnected devices and, in turn, a growing supply of entry points for hackers. The risks this creates are exemplified in news reports of cyberattacks on everything from power stations and sewage plants to cars and baby monitors.
A study released in February by Strategy Analytics found that the leading cause of system breaches is human error. So even if firms have strong endpoint security, they still may be vulnerable to attack.
The study also revealed that of firms that reported being attacked, 44 percent were unable to determine the source of the attack, the type of penetration or the duration of the attack. Without this information, says Laura DiDio, the firm’s director of enterprise research, organizations can’t fix problems caused by breaches or prevent future attacks. In fact, an increasingly common type of attack is for hackers to alter data, which can cause irreparable damage to an enterprise without users even knowing about it, she points out.
“In this day and age, where the hackers are much more organized and proficient, the hacks themselves are much more pervasive and pernicious, and given the fact that we are living in an increasingly interconnected world, the likelihood of a successful penetration has risen by magnitudes,” says DiDio. “Therefore, I would recommend that every business, regardless of size or industry, get a penetration test at least once.” In fact, most well-managed organizations perform such tests at least annually, if not more often.
Stepping Up Security
Lachniet recently provided incident response and forensics services for a company that had several hundred thousand dollars’ worth of payroll stolen by a cyberattacker who obtained a user’s two-factor authentication code and logged in to the company’s banking system. Unfortunately, many companies never have a true understanding of their risk until it is too late. Instead of responding after an incident, Lachniet says, it is “vastly preferable to educate clients proactively before the damage is done,” using a trusted partner that is looking out for the organization’s best interests.
After completing a penetration test, CDW’s security assessment team prepares a comprehensive report of its findings with recommendations for remediation. These recommendations are prioritized and assigned metrics for the urgency of each issue and for the time and cost that fixing it will require. This ranking allows organizations to establish a balanced long-term plan for securing the environment, one that includes both technical and operational goals and can be broken down into smaller, more manageable chunks.
Balancing the different aspects of information security, for example technical controls such as firewalls with procedural controls such as user training and policy, is critical. Ultimately, when organizations complete a CSA, they tend to establish more comprehensive security programs and to prepare for threats that they might not have previously emphasized, such as phishing or ransomware.
“Hackers have discovered that it is a lot easier to go after people than it is to go after technology, because historically people have not been trained on how to identify shady cyber activity,” says Lachniet. “Even if you patch all of your software, all it takes is one uninformed person to compromise all of your security.”
To learn more about a CDW Comprehensive Security Assessment, visit CDW.com/risk-assessment, view CDW’s other security offerings at CDW.com/security or read blog posts from industry experts at blog.cdw.com.