Beyond the Basics: Key Vulnerabilities in Corporate Cybersecurity

In today’s digital age, our lives are increasingly intertwined with technology, making us more vulnerable to cyber threats than ever before. While most of us are aware of the importance of cybersecurity, several common vulnerabilities often go unnoticed by corporates and enterprises. More threats emerge for IT departments every year. Cybersecurity is increasingly challenging as attacks get more sophisticated. But many core basics are still being ignored. In this article, I will try to discuss these vulnerabilities and explain why they should not be ignored.

1. Identity and Access Management: Many common identity and access management misconfigurations can lead to security issues, such as granting users access to other’s data and allowing them to log in from unauthorized/unapproved IP addresses, leaving APIs vulnerable; these misconfigurations pose significant threats. Further, in my observation, organizations continue to use default credentials and configurations.

I am listing herewith (in a summarized form) the common Identity & access management risks that can affect your organization’s security posture:

• The Risk Posed By Lack Of Visibility Into User Access Data Risk
• Risk Posed By Manual User Access Management
• The Risk Of Granting Employees Excessive Permissions
• Data Access Risk
• Risk Of Irregular Audit/Access Reviews
• Data Security Risk Due To Poor Access Management Policies
• Account Credibility Risk

2. Endpoint Security: The majority of the time, this is the sweetest spot for an attacker. And, importantly, most endpoint security by corporates and enterprises is limited to Laptops & Desktops, ignoring the vast mobile devices that are used to access the organization’s data and applications. Further, there somehow is the belief that Windows is vulnerable, but MACs are not – this is a misconception and this leaves the MAC devices unattended.
3. Visibility: Visibility across all assets in the organization with complete inventory and asset details including hardware make and model number, firmware / OS versions, location, etc. is important. The challenges here are:

• Availability of a central CMDB for all the assets.
• Capturing all necessary/mandatory information from a wide sprawl of hardware assets.
• Software assets are often a vastly ignored area.
• Detection and inventory of unmanaged devices e.g., printers, scanners, CCTV cameras, and any other unmanaged devices in the network.
• Process for discovering devices in the network & adding them to inventory – an automated process is highly recommended. A manual process is prone to errors and the accuracy and completeness of the data are questionable.

4. Obsolete systems (Tech debt): Overlaying modern security on top of legacy architecture can be difficult. Likewise, the software ICSes run is often old and does not contain many of the security features today’s software can accommodate, such as strong authentication, encryption, and protection against web application attacks, such as cross-site scripting or SQL attacks. I cannot but emphasize the review and governance that is required for monitoring and reporting all End of Life (EOL) and End of Support (EOS) devices across the complete IT Infrastructure including both hardware and software. Implementing a program aimed at replacing/upgrading such devices is critical
5. Unauthorized Software / Applications: Using unapproved software can lead to potential consequences for an organization. Unauthorized software can compromise control and security measures, exposing sensitive data to external threats or malware attacks. Employees may knowingly or unknowingly download software with security vulnerabilities, leaving the organization vulnerable to breaches. Unapproved software may also lack integration capabilities, causing compatibility issues and decreased efficiency. Organizations need to recognize the risks and implement control measures. Clear guidelines and approved software options can ensure greater control and security.

To mitigate these risks, organizations can adopt various strategies for managing unauthorized software:

• Catch it at the beginning – The first step is to prevent unauthorized software from even entering your network. Enterprises should have dedicated teams who are responsible for obtaining, testing, approving, deploying, and maintaining software. This ensures that end users are unable to access it from external sources.
• Active content and browser extensions – A whitelisted application can still be attacked via ActiveX controls, java, and browser extensions.
• Keep administrative privileges at a minimum- Principle of least privilege helps reduce the risk of unauthorized access and potential misuse of critical system functions and resources. 
• Use the Audit/Monitor Mode – For large corporates/enterprises, it could take months or years to get a complete list of authorized software. However, most whitelisting applications offer an “audit” or “monitor” mode to provide visibility of what software is being used throughout the organization.
• Create a baseline – Create a ‘temporary whitelist’ with the current authorized software. This baseline can be used to ensure no additional software is permitted into the network while current software is being assessed.

6. Secure Configuration: Security misconfigurations are one of the most common gaps that criminal hackers look to exploit. Secure configuration refers to security measures that are implemented when building and installing computers and network devices to reduce unnecessary cyber vulnerabilities.

• Manufacturers often set the default configurations of new software and devices to be as open and multifunctional as possible. In the case of a router, for example, this could be a predefined password, or in the case of an operating system, it could be the applications that come installed.
• It’s easier and more convenient to use new devices or software with their default settings, but it’s not the most secure. Accepting the default settings without reviewing them can create serious security issues, and can allow cyber attackers to gain easy access to your data.
• Web server and application server configurations play a crucial role in cyber security. Failure to properly configure your servers can lead to significant security problems.
• Computers and network devices should also be configured to minimize the number of inherent vulnerabilities and provide only the services required to fulfil their intended function.

7. DNS Security: Like many Internet protocols, the DNS system was not designed with security in mind and contains several design limitations. These limitations, combined with advances in technology, make DNS servers vulnerable to a broad spectrum of attacks, including spoofing, amplification, DoS (Denial of Service), or the interception of private personal information. And since DNS is an integral part of most Internet requests, it can be a prime target for attacks.

In addition, DNS attacks are frequently deployed in conjunction with other cyberattacks to distract security teams from the true target. An organization needs to be able to quickly mitigate DNS attacks so that they are not too busy to handle simultaneous attacks through other Vectors.

Listing the most common DNS attacks that an organization should be aware of and be designed to protect themselves from:

• DNS spoofing / Cache poisoning
• DNS tunnelling
• DNS hijacking
• NXDOMAIN attack
• Phantom domain attack
• Random subdomain attack
• Domain lock-up attack
• Botnet-based CPE attack

8. Active Directory (AD) Security: Microsoft Active Directory security is important for businesses because the service holds the keys to the kingdom — providing access to systems, applications, and resources. Businesses must be aware of vulnerabilities and take steps to strengthen their Active Directory security, like using security tools or following best practices, to keep their networks safe from cyberattacks. The main factor that makes Active Directory security, or AD security, uniquely important in a business’s overall security posture is that the organization’s Active Directory controls all system access. Effective Active Directory management helps protect your business’s credentials, applications, and confidential data from unauthorized access. It’s important to have strong security to prevent malicious users from breaching your network and causing damage.

When evaluating and designing an Active Directory security posture for your organization, consider looking for a tool that has some of the following features:

• Automation for creating user accounts and security groups
• Analysis of user permissions
• Analysis of vulnerabilities, such as abandoned accounts
• Active Directory auditing for changes to parameters

9. GRC (Governance, Risk, and Compliance): Three golden words for cyber security enthusiasts – the capabilities that integrate the governance, management, and assurance of performance, risk, and compliance activities.

Whilst organizations have the guidelines, framework, and policies decently defined and have a security posture too, the majority of them lack the capability and rigor of measuring the effectiveness/efficacy of the framework and reporting the same. Additionally, they may struggle with assessing vulnerabilities, understanding associated risks, and quantifying the potential threats to their business, operations, and reputation.

Whereas it is good to have a security posture, measuring and reporting of the same i.e., review and consequence management is equally important for an organization to take immediate corrective actions –this in my opinion needs to drastically improve.

10. Data Backup and Recovery (Data Resilience): Data loss caused by cyberattacks can seriously hamper operations, damage reputation, and result in considerable financial losses. Regular backup should be scheduled for all critical data across all systems so that in case of any incident, data can be restored to its original state.  A combination of on-site and off-site backups should be used to ensure business continuity. The backup data should be encrypted and backup and recovery procedures should be tested periodically. Enterprises should strive for and deploy an immutable backup strategy.
11. Disaster Recovery (DR) Drills & Incident Response (IR): Inadequate preparation for incidents may result in prolonged downtime, increased costs, and damage to reputation.  A comprehensive disaster recovery plan for responding to security incidents needs to be prepared and documented. The disaster recovery plan should be tested by carrying out DR drills (both scheduled and unscheduled) and an incident response team with defined roles and responsibilities be established. Regular training of employees on cybersecurity awareness should be ensured so that they are prepared to respond effectively to cybersecurity incidents when they occur. Keeping track of RPO (Recovery Point Objective) and RTO (Recovery Time Objective), maintaining consistency and improving RPO and RTO over a period of time should be top on the charts.

Overall, it is integral for enterprises to dig deeper into understanding the more sophisticated cybersecurity vulnerabilities that can lead to significant monetary and reputational losses and put in place mechanisms of prevention, action, reporting and governance to address the same.

Abhijit Chakravarty
Senior Vice President – Core Networks & Security Operations
HDFC Bank