What risks is your business taking unnecessarily? In the cybersecurity field, there are many risks to look for. CISA (Cybersecurity and Infrastructure Security Agency) has published a list of the ways that businesses are taking the most cybersecurity risk and are most vulnerable to attack. Today we are sharing CISA's list of 10 weak security controls, and we'll explain recommended mitigation steps in future blogs. Make sure you have a plan for each of these risks and weak security controls.
1. No Multi-Factor Authentication (MFA). Since Remote Desktop Protocol (RDP) is one of the most common attack vectors for ransomware, MFA is a big deal. Failing to enforce a MFA policy can allow malicious attacks and make access to sensitive data easier for attackers. No employee should be an exception to a MFA policy, and especially not administrators with higher security privileges.
2. Errors in permissions and privileges. Settings that are too relaxed could allow unauthorized users a path to important and privileged information. When it comes to security, making access especially easy for users is not always the safest or best path.
3. Software is not updated. Attackers may get access through a software vulnerability, especially if it’s a publicly known issue. Updating software may seem irritating at the time, interrupting workflow, but it is crucial to your company’s security.
4. Using vendor-supplied passwords or configurations. Many software products come with simple settings and passwords to help the user get started, but don’t leave them like that! Keeping default passwords is a great benefit to attackers, and we want to make attacks harder and harder – so be sure to change these defaults to strong passwords as soon as you install the product.
5. Lax control of remote services. Remote logins and tools are handy, but they come with new challenges. VPNs (virtual private networks) are especially subject to attack, so proceed with caution. If you don’t have tight controls, you are taking greater risk. Enforcing MFA, adding a firewall in front of the VPN, and monitoring the network for abnormal activity can be extremely useful here.
6. Strong passwords are missing. Are you tired of hearing about this yet? It’s one of the EASIEST risks you take, and one of the EASIEST you can remedy – create strong passwords, and require every employee to do the same. You can make this non-optional via your network configuration settings. Without strong passwords, or the enforcement of password policies, you are open to extremely high levels of unnecessary risk. Malicious cyber attackers have many methods to exploit weak or leaked passwords.
7. Unprotected cloud services. If your data is stored in a cloud-based service, you are susceptible to risk. You are taking even greater risks if you have not configured your service properly, especially with regard to sensitive data.
8. Internet exposure of open ports and misconfigured services. Here is a very common risk. Cyber attackers can use scanning tools to find open ports, and to gain access to your RDP, SMB, Telnet, and/or NetBIOS.
9. Missed opportunities to block phishing emails. If users on your network open a malicious file, it has slipped past both your network monitoring and your human filters. Both of these are risks, and both can often be avoided with filtering and proper training.
10. Poor EDR. If your Endpoint Detection and Response system is not up to date or industry standards, attackers may use malicious scripts to attack individual devices on your network.
Does all of this seem negative? Cyber risks can cause many problems. But there is also hope! There are ways to mitigate each of these.
For more information, keep following along as we share some mitigation tips, and/or read the CISA alert here for details.
We at StandardUser Cybersecurity are on a mission to share cybersecurity and cyber safety education with everyone, to make our world a better place. Are you with us? How can we help? Let us know today. Whatever your cybersecurity challenge, we can help you keep your business running. We are a defensive and offensive cybersecurity company, using over 30 years of experience with active commercial and government work and proven security methodologies. We also educate teams and professionals who want to build on their skills. We set the standard for cybersecurity excellence.