First, it should be noted that this list is compiled from IT Security Audits performed by BAI Security during January to July of 2013 and is not intended to be a comprehensive list of all security risks. BAI Security specializes in auditing regulated organizations, such as those in banking and finance, pharmaceutical, healthcare, insurance, and the utility sector. While commonalities often exist, the results found here are not necessarily representative of businesses outside of these sectors.
Social engineering has long been a serious security concern, but more recently organizations are slipping even further into a much higher level of risk in this area. Even with most organizations performing annual end-user security awareness training, which usually includes a piece on social engineering risks, users are more likely than ever to succumb to this threat.
One primary reason organizations are at a higher risk in this area is that they train and tests users with scenarios that are commonly already outdated. Simply explaining to users that they should not give out sensitive information to unauthorized individuals does not properly prepare them for what they will see from malicious individuals these days. The sophistication of social engineering has grown considerably and users need training on specific scenarios used today, so they can properly identify when malicious individuals are social engineering them. To ensure the efficacy of the training and to validate adherence to the policies, organizations need to routinely (i.e. at least annually, semi-annually, or more often) test their user’s abilities to detect and not fall victim to the latest social engineering threats.
Internal Application Vulnerabilities
Most organizations realize they have some vulnerabilities within their software applications. Between zero-day (i.e., just identified) and requirements for older versions of software for compatibility, it’s almost impossible to be completely vulnerability free. However, what most organizations (7 out of 10 in our studies) don’t realize is that they actually have as many as 50 or more times the number of vulnerabilities than they actually knew about. While this may seem unrealistic or impossible, it’s true and we see it nearly every day. Frankly, most organizations are truly running under a very real false sense of security.
The reason for such a serious problem going unnoticed in so many regulated organizations today, is simple and routinely identified during our audit process. The primary causes include poor vulnerability testing tools, inadequate testing methodologies, or a combination of both. There are signs to determine if your organization is also “likely” in this high-risk group. As an end-user, do you routinely see notices pop-up on your PC for Adobe products like Acrobat, Flash Player, and Shockwave or products like Java, or even common Microsoft updates? This is an indication your organization may not be promptly updating what can be the highest-risk applications. As an IT person, if your vulnerability scanning does not test for vulnerabilities associated with Adobe products (i.e., Acrobat, Flash, Shockwave) or Java, you are very likely at high-risk. What is so concerning is that many vulnerability scanning tools used by internal IT departments and audit companies don’t actually test for many of these high-risk applications and therefore do not report the applications are a serious security risk.
Bring You Own Device (BYOD)
It wasn’t long ago that few would dream of asking IT to connect their personal laptop to an enterprise network beyond typical web-based access to systems, knowing full well that would violate security policies. Those sneaking them in were often called out by alarms. That changed rapidly following the release of the first iPad device, which opened the floodgates, primarily because of the millions of devices sold.
Now an astounding 78 percent of white-collar employees in the United States use their own PC, smartphone or tablet for work purposes, according to a report last year released by Cisco Systems Inc. outlining the Bring Your Own Device (BYOD) trend. According to a December report released by IT market researcher Gartner, 70 percent of organizations allow users’ personal devices to access network systems and applications.
Only 33 percent of organizations have BYOD policies in place to ensure employee-owned devices aren’t a security threat, according to the Gartner report. At the very least, organizations need to have a comprehensive end-user use policy, as well as internal network administration setup / configuration policies. More appropriately organizations should also be utilizing Mobile Device Management (MDM) software, which is now available, to lockdown all devices and to wipe suspect device. In addition, there should be a plan in place to include at least a sampling of these devices in routine vulnerability testing processes.
While not a topic that gets the headlines, legacy applications can be found in almost every organization and they often leave gaping holes in the overall security posture of the organization. On most audits conducted during 2013, our audit team has identified old (i.e., often end-of-life) versions of Java and Adobe Acrobat that are “required” for application compatibility with other linked legacy systems.
These old versions of Adobe Acrobat and Java are riddled with major high-severity vulnerabilities that can lead to compromise and denial-of-service within corporate systems. The problem is not the fault of Adobe and Sun Microsystems (the makers of the two applications) because they have made the older versions end-of-life (i.e., noting updates are no longer available); it’s with the related legacy systems that have not been updated to support the latest versions of Acrobat and Java.
It is vital that IT Departments put more pressure on legacy software vendors to update their software and/or replace these older applications that do not support more current (secure) versions of Adobe and Java. Organizations that are serious about their security posture spend a fairly significant amount of money and resources to properly patch all primary applications in the environment and shouldn’t have their security program undermined by an isolated legacy application.