Low Hanging Fruits

Lao Tzu said "The journey of a thousand miles begins with a single step". As per the Verizon Data Breach Report 2015, the list of the top ten CVEs exploited by attackers dates back as far as 1999. While companies invest a ton of money in new technology and products, simple steps like fixing old vulnerabilities go a long way toward plucking the low hanging fruits. The security stance of an organization can be improved through simple changes in attitude.

1. Make security regional - "Pushed security responsibility back to facilities with people who can manage the opportunity much more closely. They have the language capabilities and the cultural competency," he says.

2. Business Continuity Drills - A tabletop exercise is a great way to get business continuity plans off the written page without the interruption of a full-scale drill. Rather than actually simulating a disaster, gather for a few hours to talk through a simulated one.

3. Business Training for Security Professionals - The new generation of security leaders should understand business as well as security. Be proud to be someone rooted in both worlds.

4. Communication of Security Awareness – Find someone outside of security who is involved in general corporate matters to communicate security. They are perceived as neutral third parties with influence.

5. Agree to Disagree – If you disagree on how certain processes and protocols are handled, feel comfortable letting the rest of the team know.

Simple technical steps also go a long way in strengthening the security posture of an organization. Here are a few low hanging fruits from the defender's point of view.

  1. Remove members from admin groups - Use password-vaulting software where super-admin credentials must be checked out on the fly. Use privilege-management software, where particular tasks carry super-admin functions and the designation stays with the task, not the user.

  2. Override application compatibility - Application-compatibility concerns prevent Java from being patched in a timely manner. In highly secure companies, application compatibility comes second, at least when it comes to vulnerabilities in software libraries like Java and Flash.

  3. Shared admin credentials - Most companies use the same password across every local admin and root account on every managed computer. When attackers compromise one computer, they can use the same password hashes to move throughout the environment.

  4. Monitoring and alerting - The majority of attacks are documented in log files, but companies do not bother to look. Secure companies that take event logging and monitoring seriously succeed!

  5. Threat modeling – Know thy assets. Where do your biggest threats lie? Where does your sensitive data reside? What do you want to protect?

  6. Segmentation of networks - Successful companies isolate their old and insecure systems. The idea is to prevent attacks from moving between your weakest and strongest environments.
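Items 3 and 4 above fit together: a shared local admin password is only useful to an attacker who is not being watched. The script below is an added example, not code from the original article, showing the kind of check a monitoring team can run over logon events. It reads a constructed, simplified rendering of Windows Security event 4624 records (the field layout is an assumption for this example, not the real event schema) and flags an account that performs network logons (logon type 3) to many distinct hosts from one source within a short window, the fan-out pattern that results when one local admin credential works everywhere.

```python
"""Flag an account whose network logons fan out to many hosts in a short
window, the pattern produced when one local admin credential is reused on
every managed computer and then used to move across the estate."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Simplified 4624 records as
# "timestamp|event_id|logon_type|user|source_ip|dest_host|auth_pkg";
# this layout is an assumption for the example, not the Windows schema.
SAMPLE_LOG = """\
2015-06-01T09:00:01|4624|2|alice|-|WS01|Kerberos
2015-06-01T09:00:05|4624|3|Administrator|10.0.0.15|WS02|NTLM
2015-06-01T09:00:09|4624|3|Administrator|10.0.0.15|WS03|NTLM
2015-06-01T09:00:14|4624|3|Administrator|10.0.0.15|WS04|NTLM
2015-06-01T09:00:20|4624|3|Administrator|10.0.0.15|FS01|NTLM
2015-06-01T09:30:00|4624|3|svc_backup|10.0.0.7|FS01|Kerberos
2015-06-01T09:31:00|4624|3|svc_backup|10.0.0.7|FS02|Kerberos
2015-06-01T11:00:00|4624|3|Administrator|10.0.0.15|WS09|NTLM
"""


def parse_events(text):
    """Parse the pipe-separated sample format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src, dest, pkg = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
            "dest": dest,
            "pkg": pkg,
        })
    return events


def find_fan_out(events, window=timedelta(minutes=10), min_hosts=3):
    """Return one alert per (user, source) pair that reaches at least
    `min_hosts` distinct destination hosts within `window` using network
    logons (type 3). Interactive logons (type 2) are ignored because a
    person sitting at one console does not fan out."""
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_key[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dest"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "src": src,
                    "hosts": sorted(hosts),
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                })
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_fan_out(parse_events(SAMPLE_LOG)):
        print(f"{a['user']} from {a['src']} reached {a['hosts']} "
              f"between {a['first']} and {a['last']}")
```

The detection is deliberately cheap: a per-account count of distinct destinations inside a sliding window. The threshold and window should be tuned against a baseline, since backup and management accounts legitimately fan out (the `svc_backup` lines stay under the threshold here). The remediation that removes the signal at its source is item 3 itself: give every host its own local admin password, checked out through the vaulting tooling described in item 1.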

“Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack.” - Sun Tzu

Appendix - Top Ten

Here is a summary of the top ten vulnerabilities that made the attacker's job easier than it should be.

Top Ten CVEs exploited:

1. CVE-2002-1932 : Microsoft Windows XP and Windows 2000, when configured to send administrative alerts and the "Do not overwrite events (clear log manually)" option is set, does not notify the administrator when the log reaches its maximum size, which allows local users and remote attackers to avoid detection.

2. CVE-2002-1931 : Cross-site scripting (XSS) vulnerability in PHP Arena paFileDB 1.1.3 and 2.1.1 allows remote attackers to inject arbitrary web script or HTML via Javascript in the search string.

3. CVE-2002-1054 : Directory traversal vulnerability in Pablo FTP server 1.0 build 9 and earlier allows remote authenticated users to list arbitrary directories via "..\" (dot-dot backslash) sequences in a LIST command.

4. CVE-2001-0680 : Directory traversal vulnerability in ftpd in QPC QVT/Net 4.0 and AVT/Term 5.0 allows a remote attacker to traverse directories on the web server via a "dot dot" attack in a LIST (ls) command.

5. CVE-2012-0152 : The Remote Desktop Protocol (RDP) service in Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows remote attackers to cause a denial of service (application hang) via a series of crafted packets, aka "Terminal Server Denial of Service Vulnerability."

6. CVE-2014-3566 : The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

7. CVE-2001-0540 : Memory leak in Terminal servers in Windows NT and Windows 2000 allows remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed Remote Desktop Protocol (RDP) requests to port 3389.

8. CVE-1999-0517 : An SNMP community name is the default (e.g. public), null, or missing.

9. CVE-2002-0013 : Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges.

10. CVE-2002-0012 : Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling.
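Three of the ten entries are SNMP, and the oldest of them (CVE-1999-0517) is a configuration defect rather than a code bug. As an added example, not part of the original article, the audit below parses net-snmp style `snmpd.conf` directives (`rocommunity`, `rwcommunity`, `com2sec`, which are real directives) and reports community strings that are default, empty or missing. Both configurations are constructed for the example: the weak one shows the CVE-1999-0517 conditions, the corrected one moves monitoring to SNMPv3 users with authentication and privacy and keeps a single non-default, source-restricted read-only community.

```python
"""Audit snmpd.conf-style text for the weakness behind CVE-1999-0517:
SNMPv1/v2c community strings that are default, empty or missing."""
import shlex

# Community names that ship as defaults or are guessed first; a finding
# here means the device answers anyone who tries the obvious value.
DEFAULT_COMMUNITIES = {"public", "private", "community", "admin", "manager", "default"}

# Constructed weak configuration (not from any real host).
WEAK_CONF = """\
# read-only access for everyone, default string
rocommunity public
# read-write access, default string, no source restriction
rwcommunity private
com2sec readonly  default  public
com2sec legacy    10.0.0.0/8
"""

# Constructed corrected configuration: SNMPv3 user with auth+priv
# (createUser/rouser are net-snmp directives); the only remaining v2c
# community is non-default and limited to one management host.
FIXED_CONF = """\
createUser monitor SHA "REPLACE-WITH-LONG-AUTH-PASSPHRASE" AES "REPLACE-WITH-LONG-PRIV-PASSPHRASE"
rouser monitor priv
rocommunity REPLACE-WITH-RANDOM-COMMUNITY 10.0.5.20
"""


def audit_snmp_conf(text):
    """Return (line_number, message) findings for community-based access."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        tokens = shlex.split(line)
        directive = tokens[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # rocommunity COMMUNITY [SOURCE [OID]]
            community = tokens[1] if len(tokens) > 1 else ""
            source = tokens[2] if len(tokens) > 2 else None
        elif directive == "com2sec":
            # com2sec SECNAME SOURCE COMMUNITY
            community = tokens[3] if len(tokens) > 3 else ""
            source = tokens[2] if len(tokens) > 2 else None
        else:
            continue  # SNMPv3 directives are user-based, not community-based

        if community == "":
            findings.append((lineno, "missing community string"))
        elif community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, f"default community string '{community}'"))
        if directive.startswith("rw") and source in (None, "default"):
            findings.append((lineno, "write access with no source restriction"))
    return findings


if __name__ == "__main__":
    for conf_name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(conf_name, audit_snmp_conf(conf) or "no findings")
```

The audit only looks at configuration, which is the point of the entry: no packet ever needs to be sent to find this one. Running it as part of configuration management on every device that still speaks SNMPv1/v2c closes the oldest item on the list, and the v3 migration in the corrected file also removes the SNMPv1 request and trap handling paths named in entries 9 and 10.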