Security compromises made to facilitate quick remote-working may now leave enterprises exposed. Here is how you can eliminate the loopholes.
In our rush toward mobilizing a remote workforce, security teams have had to make sudden and risky decisions that now prevail in the new post-lockdown landscape.
We have reconfigured security controls, made temporary policy exemptions, and shipped equipment to employees’ homes. At the same time, our SecOps teams now work remotely, limiting visibility into the systems that may be compromised. Further, working remotely often results in a lack of access to reporting, alarms, and dashboards.
Working blind is a nightmare for security pros. And now, unknown threats may lurk in the very system we strive to secure …
Misconfigurations lead to incidents
Data tells us that the biggest threats to cybersecurity are misconfigurations, lax policies, and simple errors. The 2020 Verizon Data Breach Investigations Report (DBIR) confirms this and shows a dramatic growth in security equipment misconfigurations that led to data breaches.
While our industry talks a lot about ‘insider threats,’ one must think about this particular misconfiguration threat broadly. It is not all about a nefarious employee; it is mainly about day-to-day work done by security, IT, and other employees that causes misconfigurations that lead to breaches.
Continuously understanding where those misconfigurations are, and how to fix them, should be a tenet of any SecOps team. Misconfigurations can be simple things like:
- Leaving certain ports open.
- Not properly setting defaults to detect data exfiltration.
- Not having the time and resources to keep up with the vast amounts of updates being made by trusted security vendors.
The threat of Web applications
Web apps are spun up so fast it makes IT and security heads spin. And the DBIR reported that 43% of breaches came in via web apps.
Nowadays, in the era of DevOps and AWS/Azure, anyone can create an app and deploy it for use within a company. Typically, they are never scanned even for the Open Web Application Security Project (OWASP) top vulnerabilities, and because they are often deployed without SecOps knowledge, they are not protected by the Web Application Firewall (WAF).
Even when configured ‘correctly’, the WAF may not work as expected due to lack of knowledge of WAF rules and the constant shifts on the app side. SecOps and IT teams need to look more closely at web application security, BUT do it in a way that does not stifle innovation and growth.
The opportunity lies in security teams putting into place easy-to-understand WAF policies for web apps, then monitoring that WAF consistently in order to keep rule signatures configured correctly.
Finding misconfigurations
Errors and misconfigurations sound bad, but they can be addressed. Controlling your risk profile is a strong move in security, but in some organizations, it will take a shift in thinking.
While we will always search out the latest and greatest security tools to help defend and detect, we must also think of how we test the tools’ efficacy and fix them when they do not work as intended. What if you could see the risks hidden in errors, misconfigurations, and policy exemptions?
Where do you start? Here are six internal assessments to do now that will help you uncover and fix those pesky misconfigurations:
- SSL decryption misconfiguration
Decryption can impact your app and network performance. Your IPS is not effective with SSL decryption misconfigured, but we often turn it off for performance or troubleshooting. Always test when it is on to be confident that your IPS is truly working.
- Default protection profile
Outdated protection profiles can cause issues. Confirm where you have profiles, usually in web browser- and web-app security. We often do not think of this or change it for performance. A lack of review of the protection profile puts web apps and business at risk.
- No or minimal segmentation within a security zone
Lateral movement is a problem. We often forget to re-segment network security zones after a temporary shutdown (e.g., for troubleshooting/maintenance). Remember to bring those security zones back up to mitigate risk from lateral movement.
- Inefficient Data Loss Protection (DLP)
Loss of sensitive data can be a problem. Typically, it is caused by lack of knowledge of DLP behavior and where to go to configure them. It is important to properly configure your next-gen firewall (NGFW) or DLP to ensure employees (or others) cannot offload sensitive data accidentally or on purpose.
- Inefficient cloud WAF rules protection
A leaky or holey cloud can create vulnerabilities. WAF rules, like NGFW, can be complex and always change. Test your WAF against the latest web application attacks to provide a clear path to set and fine-tune rules to stop attackers.
- URL filtering policy misconfiguration
Web searches can make remote employees vulnerable, even with your VPN. URL filtering policies are often reconfigured during office moves or when enabling employees to work remotely and via VPN. Test that your filtering rules are in place, even over VPN, to help employees avoid spreading ‘malvertising’ or malware attacks.
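An added example, not part of the original article: a Python audit of a firewall policy export that flags five of the assessments above (the cloud WAF test is not a static configuration check and is left out), plus temporary exemptions that have outlived their end date. The rule schema, field names, finding codes and sample rules are assumptions constructed for illustration and match no particular vendor.

```python
from datetime import date

# Constructed sample export. The field names are assumptions made for this
# example; they are not any vendor's schema.
RULES = [
    {"name": "web-out", "src": "users", "dst": "internet", "service": "https",
     "ssl_decrypt": True, "ips": "strict", "dlp": "pii", "url_filter": "corp"},
    {"name": "tmp-debug", "src": "users", "dst": "internet", "service": "https",
     "ssl_decrypt": False, "ips": "strict", "dlp": "pii", "url_filter": "corp",
     "exempt_until": "2020-05-01"},
    {"name": "vpn-out", "src": "vpn", "dst": "internet", "service": "https",
     "ssl_decrypt": True, "ips": "default", "dlp": None, "url_filter": None},
    {"name": "srv-maint", "src": "servers", "dst": "servers", "service": "any",
     "ssl_decrypt": False, "ips": None, "dlp": None, "url_filter": None},
]

def audit_rule(rule, today):
    """Return the list of finding codes for one allow rule."""
    findings = []
    outbound = rule["dst"] == "internet"
    # An IPS profile cannot inspect TLS traffic that is never decrypted.
    if rule.get("ips") and not rule.get("ssl_decrypt"):
        findings.append("IPS_BLIND_TO_TLS")
    # Assumption: an unreviewed protection profile keeps the name "default".
    if rule.get("ips") == "default":
        findings.append("DEFAULT_PROTECTION_PROFILE")
    # Any-service allow inside one zone means no segmentation in that zone.
    if rule["src"] == rule["dst"] and rule.get("service") == "any":
        findings.append("NO_INTRA_ZONE_SEGMENTATION")
    # Internet-bound traffic (including from VPN users) needs DLP and URL filtering.
    if outbound and not rule.get("dlp"):
        findings.append("NO_DLP_ON_EGRESS")
    if outbound and not rule.get("url_filter"):
        findings.append("NO_URL_FILTERING")
    # Temporary exemptions that are still in place after their end date.
    until = rule.get("exempt_until")
    if until and date.fromisoformat(until) < today:
        findings.append("EXPIRED_EXEMPTION")
    return findings

def audit(rules, today=None):
    """Map rule name -> findings, omitting rules with no findings."""
    today = today or date.today()
    report = {r["name"]: audit_rule(r, today) for r in rules}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit(RULES, date(2020, 9, 1)).items():
        print(f"{name}: {', '.join(found)}")
```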