Back to Basics

As a penetration tester I’ve seen hundreds of different  networks over the years. Networks belonging to small, medium and large clients from many sectors. For example, manufacturing, law enforcement, hospitals, local government, law firms, K-12 education, utilities and many others. Despite the unique nature of each network, they all have one thing in common. “Lack of basic hardening and not following best practices.” This of course lead to complete control through exploiting the most common, textbook vulnerabilities.

Why? What is the reason these networks were so vulnerable. I’m not referring to the 5% that required some thinking and work to penetrate the network. I’m wondering about the other 95% where simple mitigation steps could have made the difference, yet were simply not enforced. When examined in more detail and broken down to basic components, the following vulnerabilities were most glaring in these networks:

• Weak or common passwords
• Default passwords
• Excessive privileges
• Improperly set share permissions
• Legacy protocols
• Poor configuration
• Lack of Endpoint protection

I can go on, but you get the point. Lack of basic, fundamental best practices that should be enforced from the start. Yet, these basics steps were either completely ignored or poorly implemented, leaving huge gaps in the armour.

Getting back to my question, why?

Well, I can’t speak for my clients, however I can suggest the following:

• Lack of time. Too busy fighting daily fires or keeping the lights on so to speak
• Lack of basic security training
• Poor attitude
• Poor support from upper management for security initiatives
• Lack of funding
• Corporate culture
• Simple case of ‘I don’t know what I don’t know’

You may be thinking of other reasons. But I think this list speaks to most, at least from my point of view. Please don’t get me wrong, I truly believe everyone has best intentions, but somewhere along the way, things get lost in translation, or priorities change.

What is the answer? How do you change this? The short answer, through hard work. Best intentions are not enough. You must roll up your sleeves, dig in and get your hands dirty. Prioritize your time, put together a plan and chip away at it over time. There are no quick fixes! Methodically chip away at your list of things to do and just do it. This may require external support from experts, vendors. It may require training, funding, support or higher staffing levels.

Oh, if you’re thinking of looking for a silver bullet, like a fancy new security appliance, a magical device that will solve all your security problems. Think again, I’ve seen these devices in many places, and they are not a replacement for basic hardening of operating systems or well implemented security policies. Besides, you’ve already paid for amazing mitigation tools built into Windows. You just have to enable them. Take the time to learn and apply secure settings on your network. It’s time to go back to the basics.