To promote Cyber Security Awareness Month, we asked our Professional Services and Pre-Sales Consultants about the most common issues they have seen when they’ve engaged with businesses over the years and their approach to the issues they have faced.
Over the course of the month we’ve been sharing tips and tricks from our team on our LinkedIn page.
Today, we’re sharing a round-up of the experiences of our Professional Services team and Pre-Sales Consultants and what they see as the ramifications of poor cyber security practices in businesses.
Dan Ramsell talks about “Poor Policy Management”
“Almost every time a new customer is engaged and work commences on their Network Security estate, we find several different security policy implementations. Some of them are “ok”, others are very much not “ok”, however, very few of them are excellent, logical, or even secure.
There is often a multitude of reasons for these sub-par Security Policies. These reasons include:
- “The people before me looking after the estate have moved on so I inherited the policy like this!”
- “There are many different users that use the rulebase and everyone has their own way of doing things”
- “I’m pretty new using this vendor, so I’m just doing what I think is right”.
All these reasons lead to a poorly implemented and insecure security policy.
One of the very first tasks that we conduct when we engage with a customer is to assist them in building out a secure “Best Practice” rulebase.
Using naming conventions and colouring, best practice management rules and an efficient, logical and planned rulebase, management of the security policy is hugely simplified.
By assisting the customer to use a self-documenting rulebase (i.e. anyone new in the company should be able to look at the rulebase and know exactly what each rule is there to do), it reduces admin overhead, ensures that all Security Admins implement rules to a common standard and that management access to devices is locked down to only specifically required services and users.”
Timothy Deadman on “The Costs of NO Cyber Security”
“In 2019, I was engaged by the company (not Pentesec) running the network for a national infrastructure provider as they had been attacked by malware (ransomware). During the attack, they lost all of their on-prem servers and they were still working with a very limited IT infrastructure when I joined the business two months later.
I wasn’t aware how much of this business’ income depends on car parking, but to charge for that you have to have barriers that let cars in and cars out. These servers never recovered and new servers were purchased in the day or so after the attack.
I have no idea how much it all cost but assume it must have run into millions. The Information Display screens (IDS) were lost and whiteboards and pens were used to let people know what gate to use. All other plans reverted to paper and fax which was devastating for the business.
When people moan about the cost of implementing cyber security, they need to remember how much more expensive it can be when you DON’T have cyber security.”
Jon Telfer on “Not The Same Old Password”
Password Hygiene Has Never Been More Important
We all know the dangers of password misuse on the internet and I am sure that someone has already written that security best practice paragraph.
But the most important is always: DON’T reuse passwords across multiple sites.
When we leave a project there will be, inevitably, some passwords that we have created as part of our process for helping the customer.
These passwords are critical for us to do our work and are a requirement of the software.
Keep A Checklist of Accounts and Passwords You Set Up For Clients
It is vital that they get them changed when we leave and that they change them to something we do not know.
You may have got them to create the password when you needed it, but it still leaves a situation where you potentially know it.
It is also useful to have a standard clean up process of any Windows or Remote-Control Accounts that you have used.
Windows stores everything and browsers these days keep 1000s of cookies and passwords stored on them – all to make our jobs easier.
Web Browsers Store More Than They Ever Have
With Chrome and Firefox being the de facto browsers for most web interfaces, they can store passwords that have no security to view them in plain text.
So, in Windows alone, one reset of your Domain Password and they can have your passwords.
Wherever possible do not use any browser-based password storing solutions and try to use private browsing or similar to assist with this.
Always use a password manager as it keeps passwords away from the environment.
Ask any suppliers/security providers for their backup schedule, so you know how to make sure that your passwords and profiles are not stored or saved.
Even so, it is vital that you wipe, destroy & uninstall / remove any and all stored passwords and profiles that you may have on these machines when you have used their machines.
These simple things can also make a company realise that we do take security very seriously!
Gurjiv Sekhon on “Cloud Security Risks”
A common issue faced by many of our clients is Cloud Security and the misconfiguration of it which can lead to cloud data breaches. Their current Cloud Security Posture Management strategies are not good enough for protecting their cloud-based environment and organisations find it difficult to track who has access to the data and whether they are authorised parties.
This is further complicated when organisations have multi-cloud deployments which all have different security controls.
We offer a posture management solution that automates governance across multi-cloud assets and services as well as advice on best practices, continuous compliance, GDPR, auto-remediation steps and alerts via email when instances are created and configuration management.
We offer a free posture management check-up that only takes 10 minutes to onboard and within one hour customers can start running assessments and reports.
Joshua Mulhern on “Cyber Security Awareness Training”
A common problem found with customers is that they are not educating their users correctly on their cyber security policy and advising them on how they can improve this.
Educating users reduces risks of human error.
Another common issue is when customers have not segmented their networks properly.
Implementing effective network segmentation enables more granular and tighter security policies to be adopted.
Daniel Rankin on “Next Generation Firewalls”
Over the past few years, I’ve spent a lot of time cleaning up misconfigurations, both at the perimeter and in the cloud. For example, with a Next Generation Firewall, the one golden rule to remember with inbound security policies is pre-NAT destination address, post-NAT zone.
Or to offer a specific cloud example, an organisation I’ve previously worked with had implemented BGP over their two separate perimeter VPN links into Azure.
Sadly, whoever implemented the connections had set the BGP routing costs higher on one of the VPN tunnels, meaning all traffic transitioning over VPN link 2 into Azure would get routed back via VPN link 1. This caused a routing loop and all users using VPN link 2 had no access to Azure services as they would never see the return packets.
The VPN links and BGP work got signed off as completed because all testing had been done via VPN link 1 only.
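The inbound policy rule mentioned above (pre-NAT destination address, post-NAT zone), modelled as an added example that is not from the original post or any vendor's code. The addresses, zone names, rule names and the `first_match` helper are constructed for illustration, and the model assumes policy is matched on the packet's original destination address together with the zone of the translated destination.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (documentation ranges): one public IP DNATs to a DMZ server.
DMZ = ip_network("10.0.1.0/24")
DNAT = {ip_address("203.0.113.10"): ip_address("10.0.1.10")}

@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    dst: str

def zone_of(addr):
    """Zone an address sits in: the DMZ subnet, otherwise the internet side."""
    return "dmz" if addr in DMZ else "untrust"

def first_match(rules, src, dst):
    """Return the first rule matching an inbound packet, else 'default-deny'.

    Assumed model: the destination ZONE is resolved from the translated
    (post-NAT) address, but the ADDRESS compared against the rule is the
    one on the wire (pre-NAT).
    """
    src, dst = ip_address(src), ip_address(dst)
    from_zone = zone_of(src)
    to_zone = zone_of(DNAT.get(dst, dst))  # post-NAT zone
    for rule in rules:
        zones_ok = (rule.from_zone, rule.to_zone) == (from_zone, to_zone)
        if zones_ok and ip_address(rule.dst) == dst:  # pre-NAT address
            return rule.name
    return "default-deny"

# Two common misconfigurations and the form that follows the golden rule.
RULES_MISCONFIGURED = [
    Rule("post-nat-address", "untrust", "dmz", "10.0.1.10"),
    Rule("pre-nat-zone", "untrust", "untrust", "203.0.113.10"),
]
RULE_CORRECT = Rule("allow-web-correct", "untrust", "dmz", "203.0.113.10")

if __name__ == "__main__":
    client, public_ip = "198.51.100.7", "203.0.113.10"
    print(first_match(RULES_MISCONFIGURED, client, public_ip))
    print(first_match(RULES_MISCONFIGURED + [RULE_CORRECT], client, public_ip))
```

Both misconfigured rules look plausible in a rulebase review, yet neither matches the traffic, so the service is silently dropped by the default deny until the rule is written with the public address and the internal zone.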
We’d like to thank the team for taking the time to provide us with their thoughts, examples and best practice advice on how to combat common problems.
If you’d like to find out more about how we can support you in implementing best practice, configuring rulebases, mitigating cloud misconfigurations and more, please reach out to us.