Cyber attacks are a risk to all organizations, small and large, across all sectors, public and private.
Despite high-profile breaches like those at Equifax and Target, not to mention the recent Baltimore ransomware attack, we still see many businesses failing to follow basic security practices.
If you’re concerned about creating a secure IT environment, the first step we recommend taking is to conduct a foundational security assessment. Here’s a little more about what that means and three reasons why you should care.
What is a Foundational Security Assessment?
A security assessment is an audit of your IT systems that identifies vulnerabilities and recommends a prioritized series of steps to lower your risk of a future attack. It also helps organizations keep IT policies and systems current and running smoothly.
The foundational security assessment aims to give companies a clear picture of at-risk areas like outdated operating systems, software that needs to be patched, or a poorly managed Active Directory.
You can run your own security assessment with your internal team or work with a third-party IT company. The latter option may be your best bet, particularly if you lack the time, resources, or expertise to perform a holistic assessment yourself.
1. Hacking Tools Are Incredibly Accessible
Reconnaissance, or footprinting, is the first phase of an attack: gathering information about a target, mapping its network devices, and identifying weaknesses. The same techniques serve penetration testers and defenders, and the tools that implement them aren't designed for attackers, but attackers use them just the same.
You'll typically hear the term in reference to ethical or white-hat hacking; however, free resources lower the bar for everyone. Kali Linux, an open-source distribution, ships with the tools needed for reconnaissance and a basic attack pre-installed, and free penetration-testing training is widely available online.
So the OS and the know-how cost nothing. You can go on YouTube and watch videos that teach reconnaissance 101. As a consequence, even a student can poke around and start uncovering vulnerabilities.
From there, this person might think, "Let me try a vulnerability scan," and ping sweep the target network to find out which IP addresses are live and responsive before scanning those hosts for weaknesses.
There's also Google hacking (also called Google dorking), a form of open-source intelligence (OSINT): using information already published on the internet to find a way into a system.
You can find weaknesses based on what's sitting in the open, e.g., by reading someone's Facebook profile for the answers to their security questions (kids' names, pets, and so on). Alternatively, you can use one of the countless tools available online.
A quick Google search for “Google Hacking” reveals several tools, tips, and tricks for finding information about target websites.
Take, for example, the site pentest-tools.com, an online service designed to help people find things like directory-listing vulnerabilities, publicly exposed documents, and login pages. Even though it doesn't let users interact with the target website directly, it does reveal "juicy" information that bad actors can exploit.
Oftentimes, people aren't taking the basic steps available to protect themselves from these probes.
So if you're not monitoring your network, i.e., not watching for scans and reconnaissance probes, someone playing around with open-source tools could very well break into your systems.
If there's nothing in place to stop them, an attacker will keep going, putting your private information at risk, along with that of your employees and clients.
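The probes described above are noisy, and the defensive counterpart, watching for them, is easy to automate. The following is an added example (not code from the original post, and not Lockstep's tooling) that parses a constructed, generic key=value firewall log and alerts when one source sends ICMP echo requests to many distinct hosts within a minute (a ping sweep) or probes many distinct ports on one host (a port scan). The log format, thresholds and addresses are assumptions; adapt the regex and thresholds to your own firewall's logs and baseline.

```python
"""Spot ping sweeps and port probes in firewall deny logs.

Added example; this is not code from the original post. It assumes a
constructed key=value log format (timestamp, src, dst, proto, type/dport,
action) that resembles a generic firewall log. Adapt LOG_RE to your device.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+)"
    r"(?: type=(?P<icmp_type>\d+))?(?: dport=(?P<dport>\d+))? action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    proto: str
    icmp_type: int | None  # ICMP type (8 = echo request)
    dport: int | None      # TCP/UDP destination port
    action: str


@dataclass(frozen=True)
class Alert:
    kind: str              # "ping_sweep" or "port_scan"
    source: object         # src for sweeps, (src, dst) for port scans
    distinct: int          # distinct targets seen when the threshold was crossed
    first_seen: datetime
    last_seen: datetime


def parse_log(text: str) -> list[Event]:
    """Parse log lines; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(Event(
            ts=datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            src=d["src"], dst=d["dst"], proto=d["proto"],
            icmp_type=int(d["icmp_type"]) if d["icmp_type"] else None,
            dport=int(d["dport"]) if d["dport"] else None,
            action=d["action"],
        ))
    return events


def _distinct_targets_in_window(events, key, target, threshold, window, kind):
    """Sliding-window detector: group events by key(e) and alert the first time
    `threshold` distinct target(e) values occur within `window`."""
    grouped: dict = defaultdict(list)
    for e in events:
        grouped[key(e)].append(e)
    alerts = []
    for k, evs in grouped.items():
        evs.sort(key=lambda e: e.ts)
        recent: deque = deque()
        seen: Counter = Counter()
        for e in evs:
            recent.append(e)
            seen[target(e)] += 1
            while recent[0].ts < e.ts - window:   # expire events outside the window
                old = recent.popleft()
                seen[target(old)] -= 1
                if seen[target(old)] == 0:
                    del seen[target(old)]
            if len(seen) >= threshold:
                alerts.append(Alert(kind, k, len(seen), recent[0].ts, e.ts))
                break          # one alert per source; keep scanning other sources
    return alerts


def detect_ping_sweeps(events, min_hosts=10, window=timedelta(seconds=60)):
    """One source sending ICMP echo requests to many distinct hosts."""
    echo = [e for e in events if e.proto == "icmp" and e.icmp_type == 8]
    return _distinct_targets_in_window(echo, lambda e: e.src, lambda e: e.dst, min_hosts, window, "ping_sweep")


def detect_port_scans(events, min_ports=8, window=timedelta(seconds=60)):
    """One source probing many distinct ports on a single host."""
    tcp = [e for e in events if e.proto == "tcp" and e.dport is not None]
    return _distinct_targets_in_window(tcp, lambda e: (e.src, e.dst), lambda e: e.dport, min_ports, window, "port_scan")


def build_sample_log() -> str:
    """Constructed log (not captured traffic): a /24 ping sweep, a ten-port
    probe, and ordinary HTTPS traffic that must not trigger either rule."""
    t0 = datetime(2019, 6, 1, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [f"{t0 + timedelta(seconds=i):{fmt}} src=10.0.0.5 dst=192.168.1.{i} proto=icmp type=8 action=deny"
             for i in range(1, 21)]
    lines += [f"{t0 + timedelta(seconds=30 + i):{fmt}} src=10.0.0.9 dst=192.168.1.10 proto=tcp dport={p} action=deny"
              for i, p in enumerate([21, 22, 23, 25, 80, 135, 139, 443, 445, 3389])]
    lines += [f"{t0 + timedelta(seconds=4 * i):{fmt}} src=10.0.0.7 dst=192.168.1.10 proto=tcp dport=443 action=allow"
              for i in range(15)]
    lines.append(f"{t0:{fmt}} src=10.0.0.7 dst=192.168.1.1 proto=icmp type=8 action=allow")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for a in detect_ping_sweeps(evs) + detect_port_scans(evs):
        print(f"{a.kind}: {a.source} hit {a.distinct} targets between {a.first_seen:%H:%M:%S} and {a.last_seen:%H:%M:%S}")
```

Running it prints the two alerts. A single ping and fifteen HTTPS sessions to one server from 10.0.0.7 stay below both thresholds, which is the baseline a rule like this is tuned against. In production the same logic lives in a SIEM correlation rule, but the point is the one made above: if nobody reviews deny logs, a sweep like this is invisible.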
2. Organizations Need to Understand What Information is Out in the Open
Individuals need to accept that their information is already out there, and that it was most likely lost in someone else's breach, not through anything they did.
In other words, once your information has been exposed, there's no way to un-expose it.
Consider the Equifax data breach, which exposed the Social Security numbers of roughly 147 million people. When faced with that kind of situation, the useful mindset is damage control: "How do I protect affected users from identity theft?"
Business owners need policies that protect employee, client, and company data. To build them, they first need a baseline read on what information is already out there.
We've found that running an organization through a free online reconnaissance tool such as pentest-tools.com can be a wake-up call for people who had no idea what is sitting in the open, waiting for the wrong person to come across it.
For businesses, security is a top-down effort. It’s not the IT administrator’s job to protect an entire network infrastructure on their own. Further, it’s risky for leadership and rank-and-file employees to assume everything is safe. Instead, leadership needs to take a proactive approach, building security into the company culture.
3. Identify Potential Exploits
We see this all the time: companies contact us after being hit through EternalBlue. It's one of the worst exploits out there, and it's entirely preventable.
Microsoft released the patch (MS17-010) in March 2017, a month before the exploit was leaked publicly. WannaCry, which spread using EternalBlue, hit two months after the patch was released. Two years later, we still see people without the patch.
The Foundational Security Assessment Process
Now that we’ve gone over some of the reasons why your IT infrastructure needs a foundational security assessment, let’s go over what this process entails.
At Lockstep, the foundational security assessment was designed to help companies gather a LOT of security information FAST.
In the past, we’d run these 400+ hour security assessments that were expensive and time-consuming.
Our Foundational Security Assessment functions as a way to identify easy fixes and significant risks, so you can then start building out an IT strategy that supports your organizational goals.
Here are the four key areas the assessment focuses on:
1. Active Directory
Active Directory sits at the center of a Windows-based IT infrastructure. It's the primary management tool admins use to control everything from file permissions to applications and user accounts, and nearly everything else in the domain depends on it.
Because Active Directory holds the keys to all that sensitive data, it's a prime target for attackers. Worse, many AD weaknesses are misconfigurations rather than software flaws, so they won't show up in a standard vulnerability scan.
The AD assessment includes expert analysis of elements a traditional scan may not register as a threat: outdated operating systems, privileged group membership and privileged user analysis, password policy, and more.
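A vulnerability scanner reports CVEs; most of what an AD review turns up is configuration. As an added example (not Lockstep's assessment tooling), the following script triages constructed CSV exports, of the kind produced by Get-ADUser and Get-ADComputer piped to Export-Csv, for privileged accounts with non-expiring or stale passwords, idle admin accounts, service principal names on admin accounts, end-of-support operating systems, and a weak domain password policy. The column layout, the thresholds, and the fictional accounts and hosts are assumptions; the end-of-support dates are Microsoft's published ones.

```python
"""Triage an Active Directory export for what a CVE-oriented scanner misses:
privileged accounts with poor password hygiene, end-of-support operating
systems, and a lax domain password policy. Added example, not Lockstep's own
tooling. It assumes flat CSV exports (Get-ADUser / Get-ADComputer piped to
Export-Csv) with MemberOf simplified to ';'-separated group names; the sample
data below is constructed (fictional accounts and hosts)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
MAX_PRIV_PASSWORD_AGE = timedelta(days=90)   # assumed baseline for admin accounts
MAX_INACTIVITY = timedelta(days=180)         # assumed baseline
MIN_PASSWORD_LENGTH = 14                     # assumed baseline
# End-of-support dates as published by Microsoft; matched as substrings of the
# OperatingSystem attribute, so "Windows Server 2008" also covers 2008 R2.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
    "Windows Server 2012": date(2023, 10, 10),
}
USERS_CSV = """SamAccountName,Enabled,PasswordLastSet,PasswordNeverExpires,LastLogonDate,MemberOf,ServicePrincipalName
alice,True,2019-05-01,False,2019-06-10,Domain Admins;Domain Users,
svc_backup,True,2016-02-11,True,2019-06-11,Domain Admins;Domain Users,MSSQLSvc/sql01.corp.example:1433
bob,True,2019-04-20,False,2019-06-11,Domain Users,
oldadmin,True,2017-08-01,False,2018-09-30,Administrators;Domain Users,
"""
COMPUTERS_CSV = """Name,OperatingSystem,LastLogonDate
DC01,Windows Server 2016 Standard,2019-06-11
FS01,Windows Server 2008 R2 Standard,2019-06-11
WS-ACCT-03,Windows 7 Professional,2019-06-10
LEGACY-APP,Windows Server 2003,2019-06-09
"""
PASSWORD_POLICY = {"MinPasswordLength": 8, "ComplexityEnabled": True, "LockoutThreshold": 0}


@dataclass(frozen=True)
class Finding:
    area: str      # "users", "computers" or "policy"
    subject: str
    issue: str


def _flag(s: str) -> bool:
    return s.strip().lower() in {"true", "1", "yes"}


def _age(s: str, as_of: date) -> timedelta | None:
    # Time since an ISO date in the export; None when the attribute is empty.
    return (as_of - date.fromisoformat(s.strip())) if s.strip() else None


def audit_privileged_users(users_csv: str, as_of: date) -> list[Finding]:
    out = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        priv = {g.strip() for g in row["MemberOf"].split(";")} & PRIVILEGED_GROUPS
        if not priv or not _flag(row["Enabled"]):
            continue                                  # only enabled, privileged accounts
        name, groups = row["SamAccountName"], ", ".join(sorted(priv))
        if _flag(row["PasswordNeverExpires"]):
            out.append(Finding("users", name, f"member of {groups} with PasswordNeverExpires set"))
        pw_age = _age(row["PasswordLastSet"], as_of)
        if pw_age is None or pw_age > MAX_PRIV_PASSWORD_AGE:
            out.append(Finding("users", name, f"privileged password last set {pw_age.days if pw_age else '?'} days ago"))
        idle = _age(row["LastLogonDate"], as_of)
        if idle is None or idle > MAX_INACTIVITY:
            out.append(Finding("users", name, f"privileged account idle for {idle.days if idle else '?'} days; disable it"))
        if row["ServicePrincipalName"].strip():   # any domain user can request this account's service ticket
            out.append(Finding("users", name, f"SPN on a {groups} account: Kerberoasting target"))
    return out


def audit_computers(computers_csv: str, as_of: date, horizon=timedelta(days=365)) -> list[Finding]:
    out = []
    for row in csv.DictReader(io.StringIO(computers_csv)):
        os_name, host = row["OperatingSystem"], row["Name"]
        eos = next((d for product, d in END_OF_SUPPORT.items() if product in os_name), None)
        if eos is not None and eos <= as_of:
            out.append(Finding("computers", host, f"{os_name}: unsupported since {eos}, no security updates"))
        elif eos is not None and eos - as_of <= horizon:
            out.append(Finding("computers", host, f"{os_name}: support ends {eos}, plan the upgrade now"))
    return out


def audit_password_policy(policy: dict) -> list[Finding]:
    checks = [
        (policy.get("MinPasswordLength", 0) < MIN_PASSWORD_LENGTH, f"MinPasswordLength below {MIN_PASSWORD_LENGTH}"),
        (not policy.get("ComplexityEnabled", False), "password complexity disabled"),
        (policy.get("LockoutThreshold", 0) == 0, "no account lockout: online password guessing is unlimited"),
    ]
    return [Finding("policy", "domain", msg) for bad, msg in checks if bad]


def run_assessment(as_of: date = date(2019, 6, 12)) -> list[Finding]:
    return (audit_privileged_users(USERS_CSV, as_of) + audit_computers(COMPUTERS_CSV, as_of)
            + audit_password_policy(PASSWORD_POLICY))


if __name__ == "__main__":
    for f in run_assessment():
        print(f"[{f.area}] {f.subject}: {f.issue}")
```

Against the sample data, as of June 2019, the service account in Domain Admins produces three findings on its own (non-expiring password, a password more than three years old, and an SPN that makes it a Kerberoasting target), the stale administrator produces two, the Server 2003 host is flagged as unsupported, and the Windows 7 and 2008 R2 hosts are flagged as within a year of end of support. None of these is a CVE, which is why a scanner alone would report the domain as clean.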
2. Domain-Joined Server Assessment
This part of the process looks at member-server security: targeted vulnerability scans plus credentialed scans across the server infrastructure. Here we look for outdated operating systems, how local administrator accounts are configured and used, and server vulnerabilities.
3. External Vulnerability Scan
The external vulnerability scan checks your public-facing devices and servers (those reachable from the internet) for exposure to known threats. We also offer guidance on how best to deal with the security threats facing your network.
4. Workstation Scan
Attackers can gain a foothold on a vulnerable workstation and move from there through the rest of your infrastructure, causing serious damage. In this stage of the assessment, we scan your workstations for "weak links," reviewing operating systems, patch history, and risk controls.
The goal is to find as many early-stage vulnerabilities as possible, so you get a clear list of what needs fixing before it turns into a more significant security threat.
Finally, after we’ve performed the foundational security assessment, we won’t just print out a list of problems and say, “Okay, good luck.” Instead, we’ll guide you through the process of updating your security systems and help you develop a maintenance plan for long-term success.
Are you interested in learning more about our Foundational Security Assessment? Schedule a consultation, and let's get the process started.
Lockstep Technology Group is an IT consulting firm that partners with IT leaders in planning, developing, and implementing enterprise-class technology solutions.