An organization can implement all the best security tools, but security is ultimately a people problem. "Human error accounts for most data breaches," says Mike Mellor, vice president of cybersecurity consulting at network security firm Nuspire.
Ransomware attacks, for example, dominate the headlines and cost companies millions of dollars each year. "The most effective way to reduce the occurrence of these types of attacks is to train the users," Mellor advises.
Asset management is an important first step in securing an environment. "Unmanaged devices are one of the biggest internal network security mistakes an organization can make," says Devin Ertel, CISO of Menlo Security, a network security company. "Devices that aren’t under the control of the security and IT teams, but have access to the overarching network, cause a huge risk to the environment."
In past years, many organizations simply prohibited unmanaged devices. Times are changing, however. "The increase of remote, hybrid, and contracted work means that these unmanaged devices must be allowed on the network," Ertel explains. "As a result, security teams must ensure that their security stacks adequately protect them against the inherent vulnerabilities that are associated with unmanaged devices."
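One concrete form of the asset-management step above is to reconcile what the IT and security teams manage against what is actually on the network. The following is an added example, not code from the article or from any of the companies quoted; the inventory export, the DHCP lease lines and their formats are all constructed assumptions. Anything observed on the network but absent from the inventory, or inventoried but marked unmanaged, is exactly the kind of device Ertel describes: on the network, but not under the team's control.

```python
"""Reconcile a managed-asset inventory against devices observed on the network.

Added example (not from the article). Both inputs are constructed:
 - INVENTORY_CSV: what the IT/security teams manage (assumed MDM/CMDB CSV export)
 - DHCP_LEASES:   devices actually seen on the network (assumed DHCP lease log)
Observed-but-uninventoried devices, and inventoried devices not under management,
are reported so they can be isolated or brought under control.
"""
from dataclasses import dataclass

INVENTORY_CSV = """\
mac,hostname,owner,managed
aa:bb:cc:00:00:01,fin-laptop-01,finance,yes
aa:bb:cc:00:00:02,hr-laptop-07,hr,yes
aa:bb:cc:00:00:03,eng-wks-12,engineering,yes
aa:bb:cc:00:00:04,contractor-x1,contractor,no
"""

# Constructed format: <timestamp> lease <ip> mac <mac> host <hostname>
DHCP_LEASES = """\
2024-01-10T09:00:01 lease 10.0.5.21 mac AA:BB:CC:00:00:01 host fin-laptop-01
2024-01-10T09:00:07 lease 10.0.5.22 mac aa:bb:cc:00:00:04 host contractor-x1
2024-01-10T09:01:13 lease 10.0.5.40 mac de:ad:be:ef:00:99 host iphone-guest
2024-01-10T09:02:44 lease 10.0.5.41 mac aa:bb:cc:00:00:03 host eng-wks-12
2024-01-10T09:03:10 lease 10.0.5.42 mac 11:22:33:44:55:66 host raspberrypi
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    hostname: str
    reason: str  # why this device is considered unmanaged


def parse_inventory(text):
    """Return {mac: (hostname, managed?)} from the CSV export; MACs normalised to lowercase."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = {}
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rows[rec["mac"].lower()] = (rec["hostname"], rec["managed"] == "yes")
    return rows


def parse_leases(text):
    """Return [(ip, mac, hostname)] for each lease line, MACs normalised to lowercase."""
    out = []
    for line in text.strip().splitlines():
        parts = line.split()
        ip, mac, host = parts[2], parts[4].lower(), parts[6]
        out.append((ip, mac, host))
    return out


def find_unmanaged(inventory_csv, leases_text):
    """Devices on the network that the security/IT teams do not control."""
    inventory = parse_inventory(inventory_csv)
    findings = []
    for ip, mac, host in parse_leases(leases_text):
        if mac not in inventory:
            findings.append(Finding(ip, mac, host, "not in inventory"))
        elif not inventory[mac][1]:
            findings.append(Finding(ip, mac, host, "inventoried but unmanaged"))
    return findings


if __name__ == "__main__":
    for f in find_unmanaged(INVENTORY_CSV, DHCP_LEASES):
        print(f"{f.ip:<12} {f.mac}  {f.hostname:<16} {f.reason}")
```

Run against real data, the inventory side would come from the MDM or CMDB and the observed side from DHCP, ARP or switch MAC tables; the reconciliation logic is the same. The MAC normalisation matters in practice, since exports and lease logs rarely agree on case.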
Apps pose a problem, too. If employees are allowed to freely install unauthorized apps, use unprotected devices to connect to the network, or set any passwords they like, they open doors to all kinds of cyber threats, says Dmitry Kurskov, head of the information security department at ScienceSoft, an IT consulting and software development company. "Outdated or unused software that goes unnoticed is likely to have multiple vulnerabilities, enabling malicious actors to break into the network."
One of the biggest internal network security mistakes is reusing passwords between accounts on networking devices. "The compromise of a single device can cascade compromises across the entire network," says Justin Bollinger, principal security consultant at cybersecurity consulting firm TrustedSec. "As an attacker, one of the things I look for the most is insecure default configurations. That might be an active unused protocol or a default password."
When working as a penetration tester, Bollinger says he's always trying to discover novel ways of gaining a foothold on Active Directory. "Our penetration test goals are almost always looking to gain access to something new or to elevate our privileges." He notes that the Cisco Smart Install (SMI) protocol, for example, is enabled by default on all Cisco Catalyst switches. "Abuse of the SMI protocol can allow an attacker to download a copy of the device configuration, including all of its secrets, without authentication."
Since sharing passwords between networking equipment is such a common practice, one device with SMI enabled often leads to a full network compromise, Bollinger warns. "These same passwords collected from networking equipment, often [give attackers] access into corporate Active Directory environments."
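Both of the mistakes Bollinger describes, Smart Install left in its default state and credentials shared across devices, can be caught by auditing the device configurations the network team already backs up. The following is an added example written for this article, not code from TrustedSec or from Cisco. It assumes Cisco IOS-style configuration syntax, where Smart Install is disabled with `no vstack`; the three device configs and every credential string in them are constructed. The reuse check compares credential strings as they appear in the config: plaintext and reversible type 7 strings compare directly, while salted secrets (types 5, 8, 9) only collide when a config was cloned with its salt, so an absence of collisions there does not prove the secrets differ.

```python
"""Audit backed-up network device configs for Smart Install and credential reuse.

Added example, not from the article or any vendor tool. Assumptions:
 - Cisco IOS-style syntax; Smart Install is disabled by the line `no vstack`
   and is on by default when that line is absent (the article's point).
 - CONFIGS and every secret/password string in them are constructed.
"""
import re
from collections import defaultdict

CONFIGS = {
    "core-sw-01": """\
hostname core-sw-01
enable secret 5 $1$EXAM$PLEHASHconstructed0000001
username netops password 7 0123456789ABCD
no vstack
""",
    "dist-sw-02": """\
hostname dist-sw-02
enable secret 5 $1$EXAM$PLEHASHconstructed0000001
username netops password 7 0123456789ABCD
line vty 0 4
 password Constructed-Pass1
""",
    "access-sw-03": """\
hostname access-sw-03
enable secret 9 $9$constructedUniqueHash000003
line vty 0 4
 password Constructed-Pass1
""",
}

# Matches: enable secret|password, username <u> secret|password, and line-mode password,
# with an optional encryption-type digit before the value.
CRED_RE = re.compile(
    r"^\s*(?:enable\s+|username\s+\S+\s+)?(secret|password)\s+(?:(\d+)\s+)?(\S+)\s*$"
)


def audit_smart_install(name, config):
    """Return a finding string if the config does not explicitly disable Smart Install."""
    disabled = any(line.strip() == "no vstack" for line in config.splitlines())
    return None if disabled else f"{name}: Smart Install not disabled (no 'no vstack' line)"


def extract_credentials(config):
    """Return [(kind, value)] for each credential line; kind is plaintext, type7 or hash."""
    creds = []
    for line in config.splitlines():
        m = CRED_RE.match(line)
        if not m:
            continue
        ptype, value = m.group(2), m.group(3)
        if ptype is None or ptype == "0":
            kind = "plaintext"
        elif ptype == "7":
            kind = "type7"  # reversible encoding; identical strings mean identical passwords
        else:
            kind = "hash"   # salted; identical strings mean a cloned config, not a proven match
        creds.append((kind, value))
    return creds


def audit_credential_reuse(configs):
    """Return {(kind, value): [devices]} for credential strings seen on more than one device."""
    seen = defaultdict(set)
    for name, config in configs.items():
        for kind, value in extract_credentials(config):
            seen[(kind, value)].add(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def run_audit(configs):
    """Combine both checks into a flat list of findings."""
    findings = []
    for name, config in configs.items():
        f = audit_smart_install(name, config)
        if f:
            findings.append(f)
    for (kind, _value), devices in audit_credential_reuse(configs).items():
        findings.append(f"{kind} credential reused on: {', '.join(devices)}")
    return findings


if __name__ == "__main__":
    for finding in run_audit(CONFIGS):
        print(finding)
```

The audit deliberately never decodes or cracks anything; it only reports where the same credential string, or the same risky default, appears. That keeps it safe to run from a CI job over the config backup repository, which is where the check belongs so that a newly added switch is flagged before it is deployed.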
While many organizations have made improvements in security basics, such as adopting multi-factor authentication, encryption, anti-phishing, and security patching, there are often gaps remaining in egress filtering, which can lead to data breach disasters. "Many organizations allow internal devices to initiate unmonitored outbound communications to anywhere," says Ryan Thomas, a vice president at security automation firm LogicHub. "This can enable internal systems to be exploited to leak any data to which they have access."
Organizations can properly implement egress filtering by allowing only specific internal devices to initiate outbound communications. "Then, if a compromise occurs, [attackers] are typically prevented from succeeding in stealing data," Thomas says. "Plus, alarm bells [will] go off as outbound connections are denied, making breaches easier to detect."
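The two halves of Thomas's point, a default-deny outbound policy and the alarm that fires when connections are denied, can be shown together on a handful of flow records. The following is an added example, not code from the article or from LogicHub: the allowlist, the internal address ranges, the flow-record format and the alert threshold are all assumptions, and the flows are constructed. The policy only permits internal-to-internal traffic, one proxy subnet out to the Internet on 443, and the DNS resolvers to an upstream resolver range; everything else is denied, and a source that accumulates denials raises an alert.

```python
"""Default-deny egress policy and denial-based alerting over constructed flow records.

Added example, not from the article or any vendor product. Assumptions:
 - EGRESS_ALLOW is the complete allowlist; anything not matched is denied.
 - FLOWS uses a constructed format: "<ts> <src>:<sport> -> <dst>:<dport> proto=<p> bytes=<n>".
 - ALERT_THRESHOLD denied connections from one source is worth an analyst's attention.
"""
import ipaddress
from collections import Counter

# (source network, destination network, destination port or None for any port)
EGRESS_ALLOW = [
    ("10.0.0.0/8",  "10.0.0.0/8",     None),  # internal-to-internal, any port
    ("10.0.1.0/24", "0.0.0.0/0",      443),   # proxy subnet may reach the Internet on 443
    ("10.0.2.0/24", "203.0.113.0/24", 53),    # DNS resolvers to the upstream resolver range
]
ALERT_THRESHOLD = 3

# Constructed flows: a workstation in 10.0.5.0/24 that starts talking to an external host.
FLOWS = """\
2024-02-01T10:00:00 10.0.1.5:51000 -> 198.51.100.10:443 proto=tcp bytes=1200
2024-02-01T10:00:03 10.0.5.20:51001 -> 10.0.9.8:445 proto=tcp bytes=20000
2024-02-01T10:00:05 10.0.5.20:51002 -> 198.51.100.77:443 proto=tcp bytes=3000000
2024-02-01T10:00:06 10.0.5.20:51003 -> 198.51.100.77:8443 proto=tcp bytes=50
2024-02-01T10:00:07 10.0.5.20:51004 -> 198.51.100.77:53 proto=udp bytes=120
2024-02-01T10:00:09 10.0.2.3:53000 -> 203.0.113.5:53 proto=udp bytes=80
2024-02-01T10:00:11 10.0.2.3:53001 -> 198.51.100.53:53 proto=udp bytes=80
"""


def compile_rules(rules):
    """Turn the textual allowlist into ip_network objects once, up front."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), p) for s, d, p in rules]


RULES = compile_rules(EGRESS_ALLOW)


def is_allowed(src, dst, dport, rules=RULES):
    """Default deny: a connection is allowed only if some rule covers src, dst and port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net_s, net_d, port in rules:
        if s in net_s and d in net_d and (port is None or port == dport):
            return True
    return False


def parse_flow(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) from one constructed flow line."""
    ts, src, _arrow, dst, *_rest = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dport)


def evaluate(flows_text, rules=RULES, threshold=ALERT_THRESHOLD):
    """Apply the policy to every flow.

    Returns (decisions, alerts): decisions is [(src, dst, dport, 'allow'|'deny')];
    alerts lists sources that reached `threshold` denied outbound connections.
    """
    decisions, alerts, denied = [], [], Counter()
    for line in flows_text.strip().splitlines():
        _, src, dst, dport = parse_flow(line)
        verdict = "allow" if is_allowed(src, dst, dport, rules) else "deny"
        decisions.append((src, dst, dport, verdict))
        if verdict == "deny":
            denied[src] += 1
            if denied[src] == threshold:  # fire once, when the threshold is first reached
                alerts.append(f"{src}: {threshold} denied outbound connections, investigate")
    return decisions, alerts


if __name__ == "__main__":
    decisions, alerts = evaluate(FLOWS)
    for src, dst, dport, verdict in decisions:
        print(f"{verdict:<5} {src} -> {dst}:{dport}")
    for alert in alerts:
        print("ALERT", alert)
```

In the constructed flows the 3 MB transfer from 10.0.5.20 to an external host is denied outright, which is the data-theft half of the argument, and the same host's third denial raises the alert, which is the detection half. On a real firewall the allowlist lives in the device's own rule language and the counter lives in the SIEM, but the logic a reviewer should look for is the same: no catch-all outbound permit, and denials that are logged and counted rather than silently dropped.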
Failing to train internal users on ways to identify threats and avoid actions that may compromise the enterprise network is the biggest mistake an organization can make, Mellor says. Providing general security awareness instruction that covers the most common threats educates employees on how to identify specific threats as well as how to safely handle the situation. "General security awareness training should be provided no less than annually, with frequent reminders throughout the year," he says. "It's best to provide training as often as possible so that employees are well equipped to protect the organization and include security in the decisions they make."
Security is a constant, endless battle. "Even if you defend against an attack, your job isn't done," Ertel says. "Attackers are constantly evolving their methods to get through security stacks and, as security leaders, we must evolve with them to always stay one step ahead."
Staying a step ahead of attackers isn't easy. "CISOs and the security community are facing more cyberthreats than ever and have had to learn how to fight them effectively," Ertel says. "We must stay vigilant and be even more diligent than we ever have."