In recent times, we have heard of how malicious users stole PII (personal identifying information) residing on enterprise servers of healthcare startups. How they managed to get inside and retrieve what they needed without being detected might be new to those not familiar with their mode of operation.
Infosec teams have relied on expensive endpoint detection systems and extremely restrictive traffic filters to narrow the possibilities of malicious users penetrating their network.
Every hacker (even script kiddies) expects Infosec teams to implement security controls to restrict them. So they prefer to use other routes to compromise systems.
Although we expect startups to implement methods to restrict and detect unauthorized access, there are other less-known ways to bypass detection systems.
I share tried-and-tested methods for protecting business assets from malware and malicious actors.
The following discusses ways malicious actors penetrate and retrieve assets on enterprise systems and recommends prevention/remediation solutions.
Through Fragile BYOD Policies
Businesses allow their employees to use mobile devices/laptops at work, connect to the corporate network, send emails to clients on their mobile phones (assuming a worker is far away from a workstation), etcetera.
Although the BYOD policy promotes productivity at work, it is another way for malicious actors to install malware on workers' devices or penetrate an organization's network.
Solution:
First and foremost, set a baseline standard/requirements for mobile devices and laptops belonging to employees/workers as follows:
- For mobile devices, specifically, ensure that only Android 12.0 ( or the latest Android OS versions are allowed to access the corporate network. The same rule is for all iPhone devices.
- For laptops (Windows, BSD, Linux, MacOS), ensure that employees use the latest kernel. You can implement a solution to restrict employees using older kernel versions from accessing the corporate network.
- Next, restrict users from downloading movies, software apps, and visiting social media apps via the corporate network. For the social media activities, I advise you not to allow your workers to use their mobile devices but rather provide your social media team with laptops "running" PureOS or Tails.
NB: I recommend Tails over PureOS for every social media team in a corporate network because I have used it before. Tails is good! I have yet to try PureOS.
- Ensure that workers/employees disable software apps except for specific VPN and 2FA apps (before connecting to the corporate network.)
- Finally, ensure that workers/employees use the same vulnerability scanner to scan their mobile devices before connecting to the corporate network. Also, configure an antivirus solution ( every worker should use the same antivirus app) to run dynamically.
Less Security Awareness
Every experienced hacker eager to penetrate your network does not focus on misconfigured routers or firewall solutions but rather on employees without basic security knowledge.
Solution:
The following discusses how to increase security awareness in a corporate environment:
- You can introduce "weekly security briefings" to developers, the HR team, the data science team, and other teams without cybersecurity expertise. During weekly security briefings, you can discuss the following topics: (1) how to detect phished emails, (2) how to check for phished URLs, (3) the difference between passphrases and passwords, (4) Why passphrases should be considered and not passwords, (4) how to interact on social media without exposing sensitive information, (4) how to spot "shadow social engineering, etcetera.
Discussing fundamental security matters every week increases security awareness and could make it difficult (but not impossible) for hackers to penetrate corporate networks to access business data.
Unaware Technical Mistakes
Even security engineers sometimes forget to assign appropriate permissions for software to execute accordingly or remove stale services from the corporate network. Hackers also focus on technical mistakes not noticed by the Infosec team. ( I did the same when I worked on vulnerability management projects). Technical errors can't be prevented or resolved by enterprise firewall solutions or by your pen-testers alone.
Solution:
- Your Infosec team can perform monthly vulnerability management to detect and remediate existing vulnerabilities.
- You can also seek assistance from licensed pen-testers ( not bug-bounty hunters ) to perform once-a-year thorough pen-testing. I advise you to hire external pen testers (and not to use your security team) to perform black-box pen testing.
- Finally, your security team should work with external pen testers and in-house developers to suggest ways to resolve existing vulnerabilities or minimize risk impact.
NB: Never entrust your assets to bug-bounty hunters. And never set up a bug-bounty program. I once worked as a freelance bug-bounty hunter with HackerOne and discovered an "IDOR". Not anymore. Every bug-bounty hunter is interested in finding severe vulnerabilities to earn more money. They are not interested in securing your business.
Out-of-Date Software/Web Service
Another preferred route used by malicious actors is via out-of-date software/ web services. Unfortunately, legacy applications still have access to the corporate network - because developers fail to isolate or restrict these services from communicating with other services.
Usually, out-of-date software apps are riddled with vulnerabilities. So malicious users prefer this route in addition to "less security awareness" among teams. In this case, malware leverages old web services to retrieve sensitive data from a corporate infrastructure.
Assuming we have a Postgresql database server serving as a backend for web services. Due to some security issues, the database team upgrades to a newer version. However, they forgot to disable/restrict the old database server from interacting with services in the network. Expect hackers to exploit the old database to retrieve business data.
Solution:
- I recommend Infosec teams (together with the development team) perform vulnerability management to detect software apps not in use.
Stale External Access keys
Some businesses hire consultants to work on specific projects alongside internal workers. So cloud platforms like Microsoft Azure and Google Cloud Platform have implemented diverse authentication solutions for system administrators/DevOps team leaders to grant access keys for external consultants to access managed services.
However, those in charge of business infrastructure fail to rotate keys periodically - allowing external consultants to re-use the same keys for future projects.
No one knows whether consultants' workstations are riddled with subtle rootkits recording keystrokes. Malicious users can take advantage of this to expose business data to the public. So in this case, you can implement the following solution.
Solution:
- Periodically rotate access keys for external consultants. In addition, I advise businesses to prevent consultants from using their own devices to access corporate networks but rather the company's workstation.
- Another alternative is to monitor access keys issued for consultants. Since system administrators can assign RBAC permission to access keys, they should be able to differentiate between abnormal and normal system activities.
- Finally, you can also configure alerts to notify the Infosec team whenever consultants attempt to perform other tasks/activities beyond their RBAC scope.