December 17, 2020
David Bery and Matt Flora contributed to this article.
Ankura performs cybersecurity assessments for a wide range of clients across a diverse set of industries and sizes, from highly regulated industries such as healthcare and financial services to less regulated ones such as academia or wholesale distribution, many of whom have recently gone through an incident of some sort and are looking to improve their security posture. Although our client base is highly diverse, there are common findings we encounter across engagements. These findings are consistent whether our clients have in-house information technology (IT) employees or use a third-party outsourced IT vendor.
The two lists below are broken out into operational gaps and technical vulnerabilities. There are obviously several other components to a mature cybersecurity program, but these are the top items identified by our Assessment Team. As you review the lists, you can perform a mental assessment of your organization and see how many of these may apply.
Top Operations Gaps
- Lack of a formal cybersecurity governance and risk management program
In order to effectively allocate resources and strategize on new security capabilities, organizations must take a risk-based approach. Unfortunately, most do not perform annual risk assessments to evaluate all potential risks to their systems and data and to identify mitigating controls to implement. This leaves many organizations to invest in an ad-hoc manner, which often does not address their top risks.
- Lack of a formal vendor cybersecurity due diligence program
It is not uncommon for an organization to outsource a wide variety of services, from cloud storage solutions to full outsourced IT/Security vendors. However, outsourcing and providing access to your data and systems should be done with the utmost care. Most organizations have yet to build out a formal process for assessing vendor security programs to ensure the data that is being accessed remains secure and meets the security standards that have been established.
- Lack of an employee cybersecurity awareness training program
Employees continue to be the weakest link and training them on topics such as phishing emails, social media, and password management is critical. Most organizations Ankura assesses have minimal cybersecurity training that is provided annually. However, employees need consistent training on cyber threats and best practices to stay abreast of top risks.
- Lack of formalized cybersecurity policies
Most organizations have ad hoc cybersecurity policies that are not uniform or widely understood, and many don’t have policies at all. Policies are often dispersed throughout the organization in different formats and templates; they are typically outdated, have not kept up with new technologies (e.g., mobile devices, social media, cloud computing), and are not properly communicated to employees.
- Lack of data inventory
Ankura found that most organizations do not perform routine data inventory exercises to identify where all sensitive data resides. Without an understanding of where critical data is stored and maintained, it is difficult for IT to allocate the proper resources and security tools to protect said data.
- Lack of a vulnerability management tool
Most organizations rely on endpoint protection, anti-malware, and patch management tools to manage network vulnerabilities. However, a common gap is the lack of a vulnerability scanning tool to routinely scan all network devices for vulnerabilities or missed patches.
- Lack of a formal Security Information and Event Management (SIEM) tool
Though many organizations have local logging enabled and have firewalls with logging capability, a common gap is the inability to aggregate all events on the network and prioritize them based on criticality. Many organizations choose not to review logs at all due to time and resource restrictions. A robust SIEM solution would aid in this process so critical events are not overlooked.
Top Technical Vulnerabilities
- BlueKeep, POODLE, Bar Mitzvah
These named vulnerabilities are some of the most critical. Exploit packages for them are readily available to threat actors and are easy to use. While not widespread, they regularly surface on large networks on forgotten servers or systems that never received the proper patches or updates. The risk of leaving these open is significant, and exploiting them is not difficult. Vulnerability scanning ensures these exposures are known and patched and do not leave one’s network vulnerable to the costliest attacks.
- Unsupported Windows operating systems
Operating systems like Microsoft Windows 7 or Server 2008 R2 are still commonly used and reached end of support on 1/14/2020. Leaving these systems on the network unsupported creates high risk as new vulnerabilities and exploits are discovered. Systems with unsupported applications and/or operating systems, which are identified by vulnerability scans, no longer receive needed security patches and should be upgraded.
- Missing KB cumulative updates, specifically security updates
While no single missing KB update is more common than another, IT teams sometimes don’t apply cumulative updates for fear of breaking the network. Exploits later become available, threat actors take advantage of them, and the forgotten or unpatched updates become a significant security risk. Examples include: KB4457145: Windows 7 and Windows Server 2008 R2 September 2018 Security Update; KB4534273: Windows 10 Version 1809 and Windows Server 2019 January 2020 Security Update; KB4528760: Windows 10 Version 1903 and Windows 10 Version 1909 January 2020 Security Update.
- Security Update for Microsoft Office Products
Security updates for Microsoft products are often released on a monthly basis. With such frequent releases for numerous products, systems get missed, and unpatched systems pile up over time. These patches range from simple updates to critical security patches.
- Browser Vulnerabilities for Firefox, Internet Explorer, Google Chrome
These vulnerabilities are usually patched on a monthly basis and often appear on scans because IT teams haven’t gotten to them yet. Some noted issues include not being able to update users’ browsers until the user closes them, and updates can be missed if the user was offline during the patching cycle. Browser vulnerabilities are becoming more common, and one user can leave numerous critical and high vulnerabilities open on your network.
- Oracle Java SE Vulnerabilities
These are commonly found on forgotten or un-updated servers running old Java versions that are not included in the IT team’s patching cycle. This includes the Oracle Java SE Multiple Vulnerabilities (July 2015 CPU) (Bar Mitzvah) finding.
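The unsupported-OS and missing-KB findings above can be checked from an inventory rather than waiting for the next assessment. The script below is an added example written for this article, not Ankura’s tooling: it maps each KB named above to the OS build it applies to (Windows 7 and Server 2008 R2 share build 7601; Windows 10 1809 and Server 2019 are build 17763; 1903 and 1909 are builds 18362 and 18363), then reports, per host, whether the OS is past the 1/14/2020 end-of-support date and which expected KBs are absent. Host names are assumed to come from your own inventory.

```powershell
# Constructed check (not the article's or Ankura's own code). Maps the KBs named
# in the article to the OS build they apply to and reports gaps per host.
# Caveat: Get-HotFix reads Win32_QuickFixEngineering and can omit some updates,
# so treat a "missing" result as a prompt to confirm with your vulnerability scanner.
$expected = @{
    '7601'  = @('KB4457145')   # Windows 7 / Windows Server 2008 R2 (both build 7601)
    '17763' = @('KB4534273')   # Windows 10 1809 / Windows Server 2019
    '18362' = @('KB4528760')   # Windows 10 1903
    '18363' = @('KB4528760')   # Windows 10 1909
}
# Builds whose OS reached end of support on 1/14/2020 (per the article)
$endOfSupportBuilds = @('7601')

function Get-PatchGapReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    $build = $os.BuildNumber
    # HotFixID values look like "KB4534273"
    $installed = Get-HotFix -ComputerName $ComputerName | Select-Object -ExpandProperty HotFixID
    $wanted = $expected[$build]          # $null for builds the article does not name
    $missing = @()
    if ($wanted) { $missing = @($wanted | Where-Object { $installed -notcontains $_ }) }
    [pscustomobject]@{
        ComputerName = $ComputerName
        Caption      = $os.Caption
        Build        = $build
        Unsupported  = ($endOfSupportBuilds -contains $build)
        MissingKBs   = ($missing -join ',')
        LastBootUp   = $os.LastBootUpTime
    }
}

# Assumed host list: replace with names from your asset inventory.
$hosts = @($env:COMPUTERNAME)
$hosts |
    ForEach-Object { Get-PatchGapReport -ComputerName $_ } |
    Sort-Object Unsupported, MissingKBs -Descending |
    Format-Table -AutoSize
```

Remote queries require WinRM/CIM access to each host; hosts that are unreachable should be treated as findings in their own right, since they are the "forgotten servers" the article describes.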
Unfortunately, we have seen many of these items consistently on our Top Findings List year over year. It is a call-out and a reminder that the basics of a mature cybersecurity program are critical to the success of your risk mitigation strategy.
Based upon our experience, it is likely that most of the above findings are relevant to your organization to some degree. It is important for organizations to regularly assess not only their technical infrastructure, but also their governance and policies related to cybersecurity.
If you would like to discuss these top assessment findings and how they apply to your organization, please contact us at: firstname.lastname@example.org.