A constant plague in most environments is inherited infrastructure that depends on protocols which no longer meet today’s security standards.
Activities such as penetration testing will identify these services and show you the potential harm if they are manipulated by an attacker. In other cases the problem only becomes known when a critical resource is the victim of a substantial attack from which it cannot recover.
The references point to three main threats regarding available network services within an organization:
- Buffer overflows
- Exploitable services [FTP, SSH, SMB]
If we look at these examples, we can extrapolate some commonalities. All can be fixed and/or included in security remediation planning (DR/IR), and all can be monitored using solutions available in the modern cybersecurity space – yet they remain some of the most common attack vectors. Why is that? The answer is sometimes simpler than you would think: risk acceptance.
This is a dangerous phrase, as it goes against the industry best practice of a proactive model, in which you build towards a greater security standard and become more “mature” in your defensive posture. There is an acceptable amount of risk that an organization will take, but the decision should never be made from a position of laziness. Threat modeling is a proactive measure that helps a security team understand where the organization may suffer an incident, but its main benefit is the Threat Risk Assessment built from the findings. This document gives your senior leadership the ability to understand what a business-essential service is, and the risk that would follow a security incident caused by allowing said service.
This is an important distinction. Once a potential risk is identified, alternate courses of action [COAs] should be developed. This allows security improvements to be built into a long-term roadmap that phases out these exploitable services.
You can only fix an issue if you proactively search for and identify the problem. Those who choose not to take this action will eventually succumb to a cyber attack. It is not a matter of “if” but “when” an attack will take place.
Due diligence is key, and if you don’t know how to do something – ask!
We must be vigilant, we must be ready, and most of all, we must be educated!
Adam Zimmerman, Security Solutions Architect
With over six years of experience in the technology industry, Adam’s experience covers information security operations, cyber security advisory, penetration testing, and advanced exploitation. Adam’s primary focus is helping organizations build strong security practices and prepare for potential attacks.
Adam holds a Masters in IT Security from the University of Ontario Institute of Technology, where he successfully developed a malware classification tool with a security firm based in Ottawa. Additionally, he has worked on several cyber consulting engagements as a lead security researcher and was able to develop an exploit for the FAA’s NextGen Air Traffic Control Management System.
Adam currently serves in the Canadian Armed Forces as a Second Lieutenant, where he holds a command position as a Troop Commander for 32 Combat Engineer Regiment of Toronto, specializing in mobility denial and facilitation, tactical breaching, controlled munitions disposal, and various humanitarian support operations.