Top 5 Security Misconfigurations Causing Data Breaches in 2023

Edward Kost
updated May 15, 2023

Security misconfigurations are a common and significant cybersecurity issue that can leave businesses vulnerable to data breaches. According to the latest data breach investigation report by IBM and the Ponemon Institute, the average cost of a breach has peaked at US$4.35 million. Many data breaches are caused by avoidable errors like security misconfiguration. By following the tips in this article, you could identify and address a security error that could save you millions of dollars in damages.

Learn how UpGuard can help you detect data breach risks >

What is a Security Misconfiguration?

A security misconfiguration occurs when a system, application, or network device’s settings are not correctly configured, leaving it exposed to potential cyber threats. This could be due to default configurations left unchanged, unnecessary features enabled, or permissions set too broadly. Hackers often exploit these misconfigurations to gain unauthorized access to sensitive data, launch malware attacks, or carry out phishing attacks, among other malicious activities.

What Causes Security Misconfigurations?

Security misconfigurations can result from various factors, including human error, lack of awareness, and insufficient security measures. For instance, employees might configure systems without a thorough understanding of security best practices, security teams might overlook crucial security updates due to the growing complexity of cloud services and infrastructures.

Additionally, the rapid shift to remote work during the pandemic has increased the attack surface for cybercriminals, making it more challenging for security teams to manage and monitor potential vulnerabilities.

List of Common Types of Security Configurations Facilitating Data Breaches

Some common types of security misconfigurations include:

1. Default Settings

With the rise of cloud solutions such as Amazon Web Services (AWS) and Microsoft Azure, companies increasingly rely on these platforms to store and manage their data. However, using cloud services also introduces new security risks, such as the potential for misconfigured settings or unauthorized access.

A prominent example of insecure default software settings that could have facilitated a significant breach is the Microsoft Power Apps data leak incident of 2021. By default, Power Apps portal data feeds were set to be accessible to the public.

Unless developers specified for OData feeds to be set to private, virtually anyone could access the backend databases of applications built with Power Apps. UpGuard researchers located the exposure and notified Microsoft, who promptly addressed the leak. UpGuard’s detection helped Microsoft avoid a large-scale breach that could have potentially compromised 38 million records.

Read this whitepaper to learn how to prevent data breaches >

2. Unnecessary Features

Enabling features or services not required for a system’s operation can increase its attack surface, making it more vulnerable to threats. Some examples of unnecessary product features include remote administration tools, file-sharing services, and unused network ports. To mitigate data breach risks, organizations should conduct regular reviews of their systems and applications to identify and disable or remove features that are not necessary for their operations.

Additionally, organizations should practice the principle of least functionality, ensuring that systems are deployed with only the minimal set of features and services required for their specific use case.

3. Insecure Permissions

Overly permissive access controls can allow unauthorized users to access sensitive data or perform malicious actions. To address this issue, organizations should implement the principle of least privilege, granting users the minimum level of access necessary to perform their job functions. This can be achieved through proper role-based access control (RBAC) configurations and regular audits of user privileges. Additionally, organizations should ensure that sensitive data is appropriately encrypted both in transit and at rest, further reducing the risk of unauthorized access.

4. Outdated Software

Failing to apply security patches and updates can expose systems to known vulnerabilities. To protect against data breaches resulting from outdated software, organizations should have a robust patch management program in place. This includes regularly monitoring for available patches and updates, prioritizing their deployment based on the severity of the vulnerabilities being addressed, and verifying the successful installation of these patches.

Additionally, organizations should consider implementing automated patch management solutions and vulnerability scanning tools to streamline the patching process and minimize the risk of human error.

5. Insecure API Configurations

APIs that are not adequately secured can allow threat actors to access sensitive information or manipulate systems. API misconfigurations – like the one that led to T-Mobile’s 2023 data breach, are becoming more common. As more companies move their services to the cloud, securing these APIs and preventing the data leaks they facilitate is becoming a bigger challenge.

To mitigate the risks associated with insecure API configurations, organizations should implement strong authentication and authorization mechanisms, such as OAuth 2.0 or API keys, to ensure only authorized clients can access their APIs. Additionally, organizations should conduct regular security assessments and penetration testing to identify and remediate potential vulnerabilities in their API configurations.

Finally, adopting a secure software development lifecycle (SSDLC) and employing API security best practices, such as rate limiting and input validation, can help prevent data breaches stemming from insecure APIs.

Learn how UpGuard protects against third-party breaches >

How to Avoid Security Misconfigurations Impacting Your Data Breach Resilience

To protect against security misconfigurations, organizations should:

1. Implement a Comprehensive Security Policy

Implement a cybersecurity policy covering all system and application configuration aspects, including guidelines for setting permissions, enabling features, and updating software.

2. Implement a Cyber Threat Awareness Program

An essential security measure that should accompany the remediation of security misconfigurations is employee threat awareness training. Of those who recently suffered cloud security breaches, 55% of respondents identified human error as the primary cause.

With your employees equipped to correctly respond to common cybercrime tactics that preceded data breaches, such as social engineering attacks and social media phishing attacks, your business could avoid a security incident should threat actors find and exploit an overlooked security misconfiguration.

Phishing attacks involve tricking individuals into revealing sensitive information that could be used to compromise an account or facilitate a data breach. During these attacks, threat actors target account login credentials, credit card numbers, and even phone numbers to exploit Multi-Factor authentication.

Learn the common ways MFA can be exploited >

Phishing attacks are becoming increasingly sophisticated, with cybercriminals using automation and other tools to target large numbers of individuals. 

Here’s an example of a phishing campaign where a hacker has built a fake login page to steal a customer’s banking credentials. As you can see, the fake login page looks almost identical to the actual page, and an unsuspecting eye will not notice anything suspicious.

Real Commonwealth Bank Login Page
Real Commonwealth Bank Login Page.
Fake Commonwealth Bank Login Page
Fake Commonwealth Bank Login Page

Because this poor cybersecurity habit is common amongst the general population, phishing campaigns could involve fake login pages for social media websites, such as LinkedIn, popular websites like Amazon, and even SaaS products. Hackers implementing such tactics hope the same credentials are used for logging into banking websites.

Cyber threat awareness training is the best defense against phishing, the most common attack vector leading to data breaches and ransomware attacks.

Because small businesses often lack the resources and expertise of larger companies, they usually don’t have the budget for additional security programs like awareness training. This is why, according to a recent report, 61% of small and medium-sized businesses experienced at least one cyber attack in the past year, and 40% experienced eight or more attacks.

Luckily, with the help of ChatGPT, small businesses can implement an internal threat awareness program at a fraction of the cost. Industries at a heightened risk of suffering a data breach, such as healthcare, should especially prioritize awareness of the cyber threat landscape.

Learn how to implement an internal cyber threat awareness campaign >

3. Use Multi-Factor Authentication

MFA and strong access management control to limit unauthorized access to sensitive systems and data.

Previously compromised passwords are often used to hack into accounts. MFA adds additional authentication protocols to the login process, making it difficult to compromise an account, even if hackers get their hands on a stolen password

4. Use Strong Access Management Controls

Identity and Access Management (IAM) systems ensure users only have access to the data and applications they need to do their jobs and that permissions are revoked when an employee leaves the company or changes roles.

The 2023 Thales Dara Threat Report found that 28% of respondents found IAM to be the most effective data security control preventing personal data compromise.

5. Keep All Software Patched and Updated

Keep all environments up-to-date by promptly applying patches and updates. Consider patching a “golden image” and deploying it across your environment. Perform regular scans and audits to identify potential security misconfigurations and missing patches.

An attack surface monitoring solution, such as UpGuard, can detect vulnerable software versions that have been impacted by zero-days and other known security flaws.

6. Deploy Security Tools

Security tools, such as intrusion detection and prevention systems (IDPS) and security information and event management (SIEM) solutions, to monitor and respond to potential threats.

It’s essential also to implement tools to defend against tactics often used to complement data breach attempts, for example. DDoS attacks – a type of attack where a server is flooded with fake traffic to force it offline, allowing hackers to exploit security misconfigurations during the chaos of excessive downtime.

Another important security tool is a data leak detection solution for discovering compromised account credentials published on the dark web. These credentials, if exploited, allow hackers to compress the data breach lifecycle, making these events harder to detect and intercept.

Dara leaks compressing the data breach lifecycle.

Learn how to detect and prevent data leaks >

7. Implement a Zero-Trust Architecture

One of the main ways that companies can protect themselves from cloud-related security threats is by implementing a Zero Trust security architecture. This approach assumes all requests for access to resources are potentially malicious and, therefore, require additional verification before granting access.

Learn how to implement a Zero-Trust Architecture >

A Zero-Trust approach to security assumes that all users, devices, and networks are untrustworthy until proven otherwise.

8. Develop a Repeatable Hardening Process

Establish a process that can be easily replicated to ensure consistent, secure configurations across production, development, and QA environments. Use different passwords for each environment and automate the process for efficient deployment. Be sure to address IoT devices in the hardening process. 

These devices tend to be secured with their default factory passwords, making them highly vulnerable to DDoS attacks.

9. Implement a Secure Application Architecture

Design your application architecture to obfuscate general access to sensitive resources using the principle of network segmentation.

Learn more about network segmentation >

Cloud infrastructure has become a significant cybersecurity issue in the last decade. Barely a month goes by without a major security breach at a cloud service provider or a large corporation using cloud services.

10. Maintain a Structured Development Cycle

Facilitate security testing during development by adhering to a well-organized development process. Following cybersecurity best practices this early in the development process sets the foundation for a resilient security posture that will protect your data even as your company scales.

Implement a secure software development lifecycle (SSDLC) that incorporates security checkpoints at each stage of development, including requirements gathering, design, implementation, testing, and deployment. Additionally, train your development team in secure coding practices and encourage a culture of security awareness to help identify and remediate potential vulnerabilities before they make their way into production environments.

11. Review Custom Code

If using custom code, employ a static code security scanner before integrating it into the production environment. These scanners can automatically analyze code for potential vulnerabilities and compliance issues, reducing the risk of security misconfigurations.

Additionally, have security professionals conduct manual reviews and dynamic testing to identify issues that may not be detected by automated tools. This combination of automated and manual testing ensures that custom code is thoroughly vetted for security risks before deployment.

12. Utilize a Minimal Platform

Remove unused features, insecure frameworks, and unnecessary documentation, samples, or components from your platform. Adopt a “lean” approach to your software stack by only including components that are essential for your application’s functionality.

This reduces the attack surface and minimizes the chances of security misconfigurations. Furthermore, keep an inventory of all components and their associated security risks to better manage and mitigate potential vulnerabilities.

13. Review Cloud Storage Permissions

Regularly examine permissions for cloud storage, such as S3 buckets, and incorporate security configuration updates and reviews into your patch management process. This process should be a standard inclusion across all cloud security measures. Ensure that access controls are properly configured to follow the principle of least privilege, and encrypt sensitive data both in transit and at rest.

Implement monitoring and alerting mechanisms to detect unauthorized access or changes to your cloud storage configurations. By regularly reviewing and updating your cloud storage permissions, you can proactively identify and address potential security misconfigurations, thereby enhancing your organization’s data breach resilience.

How UpGuard Can Help

UpGuard’s IP monitoring feature monitors all IP addresses associated with your attack surface for security issues, misconfigurations, and vulnerabilities. UpGuard’s attack surface monitoring solution can also identify common misconfigurations and security issues shared across your organization and its subsidiaries, including the exposure of WordPress user names, vulnerable server versions, and a range of attack vectors facilitating first and third data breaches.

UpGuard's Risk Profile feature displays security vulnerabilities associated with end-of-life software.
UpGuard’s Risk Profile feature displays security vulnerabilities associated with end-of-life software.

To further expand its mitigation of data breach threat categories, UpGuard offersa data leak detection solution that scans ransomware blogs on the dark web for compromised credentials, and any leaked data could help hackers breach your network and sensitive resources.

UpGuard's ransomware blog detection feature.
UpGuard’s ransomware blog detection feature.

Source :
https://www.upguard.com/blog/security-misconfigurations-causing-data-breaches

Three Reasons Endpoint Security Can’t Stop With Just Patching

Last updated: June 14, 2023
James Saturnio
Security Unified Endpoint Management

With remote work now commonplace, having a good cyber hygiene program is crucial for organizations who want to survive in today’s threat landscape. This includes promoting a culture of individual cybersecurity awareness and deploying the right security tools, which are both critical to the program’s success. 

Some of these tools include endpoint patching, endpoint detection and response (EDR) solutions and antivirus software. But considering recent cybersecurity reports, they’re no longer enough to reduce your organization’s external attack surface.

Here are three solid reasons, and real-world situations, that happened to organizations that didn’t take this threat seriously.

  1. AI generated polymorphic exploits can bypass leading security tools
  2. Patching failures and patching fatigue are stifling security teams
  3. Endpoint patching only works for known devices and apps
  4. How can organizations reduce their external attack surface?

1. AI generated polymorphic exploits can bypass leading security tools

Recently, AI-generated polymorphic malware has been developed to bypass EDR and antivirus, leaving security teams with blind spots into threats and vulnerabilities.

Real-world example: ChatGPT Polymorphic Malware Evades “Leading” EDR and Antivirus Solutions

In one report, researchers created polymorphic malware by abusing ChatGPT prompts that evaded detection by antivirus software. In a similar report, researchers created a polymorphic keylogging malware that bypassed an industry-leading automated EDR solution.

These exploits achieved this by mutating its code slightly with every iteration and encrypting its malicious code without a command-and-control (C2) communications channel. 

This mutation is not detectable by traditional signature-based and low-level heuristics detection engines. This means that security time gaps are created for a patch to be developed and released, for the patch to be tested for effectiveness, for the security team to prioritize vulnerabilities and for the IT (Information Technology) team to rollout the patches onto affected systems.

In all, this could mean several weeks or months where an organization will need to rely on other security tools to help them protect critical assets until the patching process is completed successfully.
 

2. Patching failures and patching fatigue are stifling security teams

Unfortunately, updates breaking systems because patches haven’t been rigorously tested occur frequently. Also, some updates don’t completely fix all weaknesses, leaving systems vulnerable to more attacks and requiring additional patches to completely fix. 

Real-world example: Suffolk County’s ransomware attack

The Suffolk County government in New York recently released their findings from the forensic investigation of the data breach and ransomware attack, where the Log4j vulnerability was the threat actor’s entry point to breach their systems. The attack started back in December 2021, which was the same time Apache released security patches for these vulnerabilities. 

Even with updates available, patching never took place, resulting in 400 gigabytes of data being stolen including thousands of social security numbers and an initial ransom demand of $2.5 million.

The ransom was never paid but the loss of personal data and employee productivity and subsequent investigation outweighed the cost of updated cyber hygiene appliances and tools and a final ransom demand of $500,000. The county is still trying to recover and restore all their systems today, having already spent $5.5 million. 

Real world example: An errant Windows server update caused me to work 24-hours straight

From personal experience, I once worked 24 hours straight because one Patch Tuesday, a Microsoft Windows server update was automatically downloaded, installed which promptly broke authentication services between the IoT (Internet of Things) clients and the AAA (authentication, authorization and accounting) servers grinding production to a screeching halt.

Our company’s internal customer reference network that was implemented by our largest customers deployed Microsoft servers for Active Directory Certificate Services (ADCS) and Network Policy Servers (NPS) used for 802.1x EAP-TLS authentication for our IoT network devices managed over the air.

This happened a decade ago, but similar recurrences have also occurred over the next several years, including this update from July 2017, where NPS authentication broke for wireless clients and was repeated in May of last year.

At that time, an immediate fix for the errant patch wasn’t available, so I spent the next 22 hours rebuilding the Microsoft servers for the company’s enterprise public key infrastructure (PKI) and AAA services to restore normal operations. The saving grace was we took the original root certificate authority offline, and the server wasn’t affected by the bad update. 

However, we ended up having to revoke all the identity certificates issued by the subordinate certificate authorities to thousands of devices including routers, switches, firewalls and access points and re-enroll them back into the AAA service with new identity certificates.

Learning from this experience, we disabled automatic updates for all Windows servers and took more frequent backups of critical services and data.
 

3. Endpoint patching only works for known devices and apps 

With the pandemic came the shift to Everywhere Work, where employees worked from home, often connecting their personal devices to their organization’s network. This left security teams with a blind spot to shadow IT. With shadow IT, assets go unmanaged, are potentially out-of-date and cause insecure personal devices and leaky applications. 

The resurgence of bring your own device (BYOD) policies and the lack of company-sanctioned secure remote access quickly expanded the organization’s external attack surface, exposing other attack vectors for threat actors to exploit. 

Real-world example: LastPass’ recent breach 

LastPass is a very popular password manager that stores your passwords in an online vault. It has more than 25 million users and 100,000 businesses. Last year, LastPass experienced a massive data breach involving two security incidents.   

The second incident leveraged data stolen during the first breach to target four DevOps engineers, specifically, their home computers. One senior software developer used their personal Windows desktop to access the corporate development sandbox. The desktop also had an unpatched version of Plex Media Server (CVE-2020-5741) installed.

Plex provided a patch for this vulnerability three years ago. Threat actors used this vulnerability to deliver malware, perform privilege escalation (PE), then a remote code execution (RCE) to access LastPass cloud-based storage and steal DevOps secrets and multi-factor (MFA) and Federation databases.

“Unfortunately, the LastPass employee never upgraded their software to activate the patch,” Plex said in a statement. “For reference, the version that addressed this exploit was roughly 75 versions ago.”

If patching isn’t enough, how can organizations reduce their external attack surface?

Cyber hygiene

Employees are the weakest link to an organization’s cyber hygiene program. Inevitably, they’ll forget to update their personal devices, re-use the same weak password to different internet websites, install leaky applications, and click or tap on phishing links contained within an email, attachment, or text message. 

Combat this by promoting a company culture of cybersecurity awareness and practice vigilance that includes: 

· Ensuring the latest software updates are installed on their personal and corporate devices. 

· Recognizing social engineering attack techniques including the several types of phishing attacks.

· Using multi-factor authentication whenever possible. 

· Installing and automatically updating the databases on antivirus software for desktops and mobile threat defense for mobile devices. 

Continuing education is key to promoting great cyber hygiene within your organization, especially for anti-phishing campaigns.  

Cyber hygiene tool recomendations 

In cybersecurity, the saying goes, “You can’t protect what you can’t see!” Having a complete discovery and accurate inventory of all network-connected hardware, software and data, including shadow IT assets, is the important first step to assessing an organization’s vulnerability risk profile. The asset data should feed into an enterprise endpoint patch management system

Also, consider implementing a risk-based vulnerability management approach to prioritize the overwhelming number of vulnerabilities to only those that pose the greatest risk to your organization. Often included with risk-based vulnerability management solutions is a threat intelligence feed into the patch management system

Threat intelligence is information about known or potential threats to an organization. These threats can come from a variety of sources, like security researchers, government agencies, infrastructure vulnerability and application security scanners, internal and external penetration testing results and even threat actors themselves. 

This information, including specific patch failures and reliability reported from various crowdsourced feeds, can help organizations remove internal patch testing requirements and reduce the time gap to patch deployments to critical assets.

unified endpoint management (UEM) platform is necessary to remotely manage and provide endpoint security to mobile devices including shadow IT and BYOD assets.

The solution can enforce patching to the latest mobile operating system (OS) and applications, provision email and secure remote access profiles including identity credentials and multi-factor authentication (MFA) methods like biometrics, smart cards, security keys, certificate-based or token-based authentication.

The UEM solution should also integrate an AI machine learning-based mobile threat defense (MTD) solution for mobile devices, while desktops require next-generation antivirus (NGAV) with robust heuristics to detect and remediate device, network, and app threats with real-time anti-phishing protection.

And finally, to level the playing field against AI-generated malware, cyber hygiene tools will have to evolve quickly by leveraging AI guidance to keep up with the more sophisticated polymorphic attacks that are on the horizon.

Adding the solutions described above will help deter cyberattacks by putting impediments in front of threat actors to frustrate them and seek out easier targets to victimize. 

About James Saturnio

James Saturnio is the Technical Product Marketing Director for the Technical Marketing Engineering team at Ivanti. He immerses himself in all facets of cybersecurity with over 25 years’ hands-on industry experience. He is an always curious practitioner of the zero trust security framework. Prior to Ivanti, he was with MobileIron for almost 7 years as a Senior Solutions Architect and prior to that, he was at Cisco Systems for 19 years. While at Cisco, he started out as a Technical Assistance Center (TAC) Engineer and then a Technical Leader for the Security Technology and Internet of Things (IoT) business units. He is a former Service Provider and Security Cisco Certified Internetworking Expert (CCIE) and was the main architect for the IoT security architecture that is still used today by Cisco’s lighthouse IoT customers.

Source :
https://www.ivanti.com/blog/three-reasons-endpoint-security-can-t-stop-with-just-patching-or-antivirus

The 8 Best Practices for Reducing Your Organization’s Attack Surface

Last updated: June 20, 2023
Robert Waters
Security Unified Endpoint Management DEX

Increases in attack surface size lead to increased cybersecurity risk. Thus, logically, decreases in attack surface size lead to decreased cybersecurity risk.

While some attack surface management solutions offer remediation capabilities that aid in this effort, remediation is reactive. As with all things related to security and risk management, being proactive is preferred.

The good news is that ASM solutions aren’t the only weapons security teams have in the attack surface fight. There are many steps an organization can take to lessen the exposure of its IT environment and preempt cyberattacks.

How do I reduce my organization’s attack surface?

Unfortunately for everyone but malicious actors, there’s no eliminating your entire attack surface, but the following best practice security controls detailed in this post will help you significantly shrink it:

  1. Reduce complexity 
  2. Adopt a zero trust strategy for logical and physical access control
  3. Evolve to risk-based vulnerability management
  4. Implement network segmentation and microsegmentation
  5. Strengthen software and asset configurations
  6. Enforce policy compliance
  7. Train all employees on cybersecurity policies and best practices
  8. Improve digital employee experience (DEX)

As noted in our attack surface glossary entry, different attack vectors can technically fall under multiple types of attack surfaces — digital, physical and/or human. Similarly, many of the best practices in this post can help you reduce multiple types of attack surfaces.

For that reason, we have included a checklist along with each best practice that signifies which type(s) of attack surface a particular best practice primarily addresses.

#1: Reduce complexity

.

Digital attack surface Physical attack surface Human attack surface 
XX

.

Reduce your cybersecurity attack surface by reducing complexity. Seems obvious, right? And it is. However, many companies have long failed at this seemingly simple step. Not because it’s not obvious, but because it hasn’t always been easy to do.

Research from Randori and ESG reveals seven in 10 organizations were compromised by an unknown, unmanaged or poorly managed internet-facing asset over the past year. Cyber asset attack surface management (CAASM) solutions enable such organizations to identify all their assets — including those that are unauthorized and unmanaged — so they can be secured, managed or even removed from the enterprise network.

Any unused or unnecessary assets, from endpoint devices to network infrastructure, should also be removed from the network and properly discarded.

The code that makes up your software applications is another area where complexity contributes to the size of your attack surface. Work with your development team to identify where opportunities exist to minimize the amount of executed code exposed to malicious actors, which will thereby also reduce your attack surface.

#2: Adopt a zero trust strategy for logical and physical access control

.

Digital attack surface Physical attack surface Human attack surface 
XX

.

The National Institute of Standards and Technology (NIST) defines zero trust as follows:

“A collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”

In other words, for every access request, “never trust, always verify.”

Learn how Ivanti can help you adopt the NIST CSF in The NIST Cybersecurity Framework (CSF): Mapping Ivanti’s Solutions to CSF Controls

Taking a zero trust approach to logical access control reduces your organization’s attack surface — and likelihood of data breaches — by continuously verifying posture and compliance and providing least-privileged access.

And while zero trust isn’t a product but a strategy, there are products that can help you implement a zero trust strategy. Chief among those products are those included in the secure access service edge (SASE) framework:

And though it’s not typically viewed in this manner, a zero trust strategy can extend beyond logical access control to physical access control. When it comes to allowing anyone into secure areas of your facilities, remember to never trust, always verify. Mechanisms like access cards and biometrics can be used for this purpose.

#3: Evolve to risk-based vulnerability management

.

Digital attack surface Physical attack surface Human attack surface 
X

.

First, the bad news: the US National Vulnerability Database (US NVD) contains over 160,000 scored vulnerabilities and dozens more are added every day. Now, the good news: a vast majority of vulnerabilities have never been exploited, which means they can’t be used to perpetrate a cyberattack, which means they aren’t part of your attack surface.

In fact, a ransomware research report from Securin, Cyber Security Works (CSW), Ivanti and Cyware showed only 180 of those 160,000+ vulnerabilities were trending active exploits.

Comparison of total NVD vulnerabilities vs. those that endanger an organization

Total NVD graph.
Only approximately 0.1% of all vulnerabilities in the US NVD are trending active exploits that pose an immediate risk to an organization

legacy approach to vulnerability management reliant on stale and static risk scores from the Common Vulnerability Scoring System (CVSS) won’t accurately classify exploited vulnerabilities. And while the Cybersecurity & Infrastructure Security Agency Known Exploited Vulnerabilities (CISA KEV) Catalog is a step in the right direction, it’s incomplete and doesn’t account for the criticality of assets in an organization’s environment.

A true risk-based approach is needed. Risk-based vulnerability management (RBVM) — as its name suggests — is a cybersecurity strategy that prioritizes vulnerabilities for remediation based on the risk they pose to the organization.

Read The Ultimate Guide to Risk-Based Patch Management and discover how to evolve your remediation strategy to a risk-based approach.

RBVM tools ingest data from vulnerability scannerspenetration teststhreat intelligence tools and other security sources and use it to measure risk and prioritize remediation activities.

With the intelligence from their RBVM tool in hand, organizations can then go about reducing their attack surface by remediating the vulnerabilities that pose them the most risk. Most commonly, that involves patching exploited vulnerabilities on the infrastructure side and fixing vulnerable code in the application stack.

#4: Implement network segmentation and microsegmentation

.

Digital attack surface Physical attack surface Human attack surface 
X

.

Once again, borrowing from the NIST glossary, network segmentation is defined as follows:

Splitting a network into sub-networks, for example, by creating separate areas on the network which are protected by firewalls configured to reject unnecessary traffic. Network segmentation minimizes the harm of malware and other threats by isolating it to a limited part of the network.

From this definition, you can see how segmenting can reduce your attack surface by blocking attackers from certain parts of your network. While traditional network segmentation stops those attackers from moving north-south at the network level, microsegmentation stops them from moving east-west at the workload level.

More specifically, microsegmentation goes beyond network segmentation and enforces policies on a more granular basis — for example, by application or device instead of by network.

For example, it can be used to implement restrictions so an IoT device can only communicate with its application server and no other IoT devices, or to prevent someone in one department from accessing any other department’s systems.

#5: Strengthen software and asset configurations

.

Digital attack surface Physical attack surface Human attack surface 
X

.

Operating systems, applications and enterprise assets — such as servers and end user, network and IoT devices — typically come unconfigured or with default configurations that favor ease of deployment and use over security. According to CIS Critical Security Controls (CIS Controls) v8, the following can all be exploitable if left in their default state:

  • Basic controls
  • Open services and ports
  • Default accounts or passwords
  • Pre-configured Domain Name System (DNS) settings
  • Older (vulnerable) protocols
  • Pre-installation of unnecessary software

Clearly, such configurations increase the size of an attack surface. To remedy the situation, Control 4: Secure Configuration of Enterprise Assets and Software of CIS Controls v8 recommends developing and applying strong initial configurations, then continually managing and maintaining those configurations to avoid degrading security of software and assets.

Here are some free resources and tools your team can leverage to help with this effort:

#6: Enforce policy compliance

.

Digital attack surface Physical attack surface Human attack surface 
XX

.

It’s no secret that endpoints are a major contributor to the size of most attack surfaces — especially in the age of Everywhere Work when more employees are working in hybrid and remote roles than ever before. Seven in 10 government employees now work virtually at least part of the time.

It’s hard enough getting employees to follow IT and security policies when they’re inside the office, let alone when 70% of them are spread all over the globe.

Unified endpoint management (UEM) tools ensure universal policy compliance by automatically enforcing policies. This fact should come as no surprise to IT and security professionals, many of whom consider UEM a commodity at this point. In fact, Gartner predicts that 90% of its clients will manage most of their estate with cloud-based UEM tools by just 2025.

Nonetheless, UEM is the best option for enforcing IT and security policy compliance, so I’d be remiss to omit it from this list.

Read The Ultimate Guide to Unified Endpoint Management and learn about the key business benefits and endpoint security use cases for modern UEM solutions.

Additionally, beyond compliance, modern UEM tools offer several other capabilities that can help you identify, manage and reduce your attack surface:

  • Have complete visibility into IT assets by discovering all devices on your network — a key ASM capability for organizations without a CAASM solution.
  • Provision devices with the appropriate software and access permissions, then automatically update that software as needed — no user interactions required.
  • Manage all types of devices across the entire lifecycle, from onboarding to retirement, to ensure they’reproperly discarded once no longer in use.
  • Automatically enforce device configurations (refer to #5: Strengthen software and asset configurations to learn more about the importance of this capability).
  • Support zero trust access and contextual authentication, vulnerability, policy, configuration and data management by integrating with identity, security and remote-access tools. For example, UEM and mobile threat defense (MTD) tools can integrate to enable you to enact risk-based policies to protect mobile devices from compromising the corporate network and its assets.

#7: Train all employees on cybersecurity policies and best practices

.

Digital attack surface Physical attack surface Human attack surface 
X

.

Seventy-four percent of breaches analyzed for the 2023 Verizon Data Breaches Investigation Report (DBIR) involved a human element.

Thus, it should come as no surprise when you review the data from Ivanti’s 2023 Government Cybersecurity Status Report and see the percentages of employees around the world that don’t believe their actions have any impact on their organization’s ability to avert cyberattacks:

Do employees think their own actions matter?

Many employees don’t believe their actions impact their organization’s ability to stay safe from cyberattacks.

In the immortal words of Alexander Pope: “To err is human…” In cybersecurity terms: until AI officially takes over, humans will remain a significant part of your attack surface. And until then, human attack surfaces must be managed and reduced wherever possible.

Thus far, the best way to do that’s proven to be cybersecurity training, both on general best practices and company-specific policies — and definitely don’t forget to include a social engineering module.

Many cybersecurity practitioners agree. When the question “In your experience, what security measure has been the most successful in preventing cyberattacks and data breaches?” was posed in Reddit’s r/cybersecurity subreddit, many of the top comments referenced the need for user education:

Reddit / u/Forbesington
Reddit / u/slybythenighttothecape
Reddit / u/_DudeWhat
Reddit / u/onneseen

To once again borrow from CIS Controls v8, Control 14: Security Awareness and Skills Training encourages organizations to do the following: “Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.”

CIS — the Center for Internet Security — also recommends leveraging the following resources to help build a security awareness program:

Security and IT staff — not just those in non-technical roles — should also be receiving cybersecurity training relevant to their roles. In fact, according to the IT and security decision-makers surveyed by Randori and ESG for their 2022 report on The State of Attack Surface Management, providing security and IT staff with more ASM training would be the third most-effective way to improve ASM.

Ensuring partners, vendors and other third-party contractors take security training as well can also help contain your human attack surface.

#8: Improve digital employee experience (DEX)

.

Digital attack surface Physical attack surface Human attack surface 
XX

.

No matter how much cybersecurity training you provide employees, the more complex and convoluted security measures become, the more likely they are to bypass them. Sixty-nine percent of end users report struggling to navigate overly convoluted and complex security measures. Such dissatisfied users are prone to distribute data over unsecured channels, prevent the installation of security updates and deploy shadow IT.

That seems to leave IT leaders with an impossible choice: improve digital employee experience (DEX) at the cost of security or prioritize security over experience? The truth is, security and DEX are equally important to an organization’s success and resilience. In fact, according to research from Enterprise Management Associates (EMA), reducing security friction leads to far fewer breach events.

So what do you do? Ivanti’s 2022 Digital Employee Experience Report indicates IT leaders — with support from the C-suite — need to put their efforts toward providing a secure-by-design digital employee experience. While that once may have seemed like an impossible task, it’s now easier than ever thanks to an emerging market for DEX tools that help you measure and continuously improve employees’ technology experience.

Read the 2022 Digital Employee Experience Report to learn more about the role DEX plays in cybersecurity.

One area in which organizations can easily improve both security and employee experience is authentication. Annoying and inefficient to remember, enter and reset, passwords have long been the bane of end users.

On top of that, they’re extremely unsecure. Roughly half of the 4,291 data breaches not involving internal malicious activity analyzed for the 2023 Verizon DBIR were enabled through credentials — about four times the amount enabled by phishing — making them by far the most popular path into an organization’s IT estate.

Passwordless authentication software solves this problem. If you’d like to improve end user experience and reduce your attack surface in one fell swoop, deploy a passwordless authentication solution that uses FIDO2 authentication protocols. Both you and your users will rejoice when you can say goodbye to passwords written on Post-it Notes forever.

For more guidance on how to balance security with DEX, refer to the following resources:

Additional guidance from free resources

Ivanti’s suggested best practices for reducing your attack surface combine learnings from our firsthand experience plus secondhand knowledge gleaned from authoritative resources.

And while these best practices will indeed greatly diminish the size of your attack surface, there’s no shortage of other steps an organization could take to combat the ever-expanding size and complexity of modern attack surfaces.

Check out the following free resources — some of which were referenced above — for additional guidance on shrinking your attack surface:

Next steps

So, you’ve implemented all the best practices above and you’re wondering what’s next. As with all things cybersecurity, there’s no time for standing still. Attack surfaces require constant monitoring.

You never know when the next unmanaged BYOD device will connect to your network, the next vulnerability in your CRM software will be exploited or the next employee will forget their iPhone at the bar after a team happy hour.

On top of tracking existing attack vectors, you also need to stay informed about emerging ones. For example, the recent explosion of AI models is driving substantial attack surface growth, and it’s safe to say more technologies that open the door to your IT environment are on the horizon. Stay vigilant.

About Robert Waters

Robert Waters is the Lead Product Marketing Manager for endpoint security at Ivanti. His 15 years of marketing experience in the technology industry include an early stint at a Fortune 1000 telecommunications company and a decade at a network monitoring and managed services firm.

Robert joined Ivanti in November of 2022 and now oversees all things risk-based vulnerability management and patch management.

Source :
https://www.ivanti.com/blog/the-8-best-practices-for-reducing-your-organization-s-attack-surface

How Cloud Migration Helps Improve Employee Experience

Last updated: June 26, 2023
DEX ITSM and ITAM

The old saying goes, “practice what you preach.” When Ivanti started its “Customer Zero” initiative, Bob Grazioli, Chief Information Officer, saw it as a perfect opportunity to test the products and services consumed by customers.  

For example, during Ivanti’s move to the cloud, Grazioli and the team experienced the same issues that customers would’ve experienced in their migration process. This first-hand experience allowed them to make improvements along the way. Listen to Grazioli go into detail about other crucial findings in the Customer Zero initiative and how expanding ITSM helps elevate the employee experience. 

Key learnings from Ivanti’s “Customer Zero” program  

https://youtube.com/watch?v=unBhdg2rwkg%3Fenablejsapi%3D1%26origin%3Dhttps%253A%252F%252Fwww.ivanti.com

“That’s great to call out our Customer Zero program because we’re really proud of it, actually. We are the first customer in Ivanti. We take every one of our tools that are obviously applicable to IT or SaaS and we implement them first, before the customer,  to provide the feedback to our product managers, our engineering team and make sure that that feedback either makes it into the product or eliminates any potential problems that our customers might experience if something obviously wasn’t discovered during our testing.   

But having said that, we have learned an awful lot about actually moving from on-prem to SaaS. If you look at what we’ve done with Customer Zero, our focus now has been to take a look at the Ivanti on-prem products and move ourself to the cloud. Obviously, I manage SaaS, so I’m very biased towards being in the cloud and that is our focus right now. So, we’ve taken patch, we’ve moved that from on-prem to cloud.  

We now have taken our ITSM converged product with workflow management, with all of low-code, no code, we moved that into IT for ITSM. We have our own CMDB that we’re running against Discovery. Going out to our data centers, we have close to what, 40 different geos globally that we manage — thousands and thousands of assets across all of those data centers. Those are all being discovered placed in our own CMBD and managed.   

We’re now deploying GRC for our compliance. We were like a lot of, you know, companies struggle through our SOC 2, SOC 2 type 2, where artifacts are put into certain repositories. We managed those assets. Now we have GRC, where all those artifacts get managed to ITSM. They’re linked to the proper controls. It makes the audit process so much simpler, so much easier for us to get through every year for compliance.    

We’re learning that through the efficiency of moving to cloud from on-prem to SaaS, we’re learning those efficiencies do save us time, have a great ROI in terms of the OpeEx – CapEx equation, if most of you CIOs that go through that, there is a big advantage on the Capex-Opex side.”

Using ITSM to support a broader organization  

https://youtube.com/watch?v=unBhdg2rwkg%3Fstart%3D152%26enablejsapi%3D1%26origin%3Dhttps%253A%252F%252Fwww.ivanti.com

“And then, just having all of our data in the cloud in ITSM, as I said earlier, becoming a single source of truth for PatchDiscovery, RiskSense [now known as Risk-Based Vulnerability Mangement] vulnerabilities. And obviously, the main focus, all the tickets that are created on the customer facing side, giving us insight into the customer, into what they’re using or what they’re not using. So really, adoption, big part of obviously what you need in SaaS to manage, the real true user experience.   

It really has been eye opening, moving all of our products from on-prem to SaaS, leveraging those SaaS products in our own cloud, gaining that experience, pushing it back to product managers, pushing it back to engineering to produce a better quality product and a better service for all of our customers as they migrate to the cloud.   

So, we kind of blunt any particular problems that our customers would have experienced when they move from on-prem to cloud. Customer Zero – it’s definitely eliminating a lot of issues that customers would have had if they move on-prem to SaaS. And we’re providing valuable telemetry to help improve our product and improve the quality and service to our customers.” 

Important takeaways from Ivanti’s Customer Zero initiative 

https://youtube.com/watch?v=IzbJvG6Izs0%3Fenablejsapi%3D1%26origin%3Dhttps%253A%252F%252Fwww.ivanti.com

“Well, so we’ve improved our catalog for service requests and so on. That is the evolution of what ITSM should do. But DEX is the key. Having all of those tickets in ITSM that show customer issues or customer successes or what they’re using in our product, etc.

That is the game changer because now, as I said earlier, having DEX out there, looking at all those tickets, analyzing the tickets and then proactively either anticipating a problem with their device or potentially the way a customer is adopting certain technologies that we pushed out into the environment.  

Those tickets are gold for that level of telemetry that allows us to gain the insights we need to provide the customer with a better experience. I think ticket management is really, it’s tough — you don’t want a lot of tickets, obviously, because sometimes that’s not a good thing. But what these tickets represent in terms of knowledge of the customer, it really is instrumental in us making things better, making the service better and having the customer have a better experience.” 

How to use DEX to drive cultural change  

https://youtube.com/watch?v=x71aP3P4OCs%3Fenablejsapi%3D1%26origin%3Dhttps%253A%252F%252Fwww.ivanti.com

“I mean, we use the word culture, but let’s face it, the generation of customers that are out there today growing up with technology and having the ability to control a lot of that technology right at their fingertips, that’s really what you’re trying to accommodate.  

You don’t want someone to come into your company as an employee and have them not have that same experience. Not have them engaged with technology the same way they can engage at home or anywhere else out in the market. That’s what we’re trying to get to and be for that customer.   

And we’re doing that because today, with the proactive nature that we’re creating within our products. Proactive nature, that’s DEX.  

That’s having all that intelligence to engage the customer with empathy and with a proactive approach to giving them a solution to whatever issue they have. It’s empathy to what they’re going through and then proactively providing them with a fast, reliable solution to whatever experience they’re calling in on. 

I think that’s our goal and I think ITSM is evolving to that because again, of the amount of information it’s able to collect and use with all of the AI and ML that we’re applying to it, to really create that more proactive experience with a very intelligent, very tech savvy customer that we have both in and outside our company.   

And that’s happening. That’s the culture, if you will, that I see, that I’m engaged with, and we want to make sure our products can satisfy. ”

Broadening ITSM to support other areas brings with it new levels of proactive troubleshooting and empathy, helping you drive a better digital employee experience.

.

If you’d like to learn more, dive into our ITSM + toolkit and listen to this on-demand webinar on Expanding your ITSM: key learnings for building connected enterprise workflows.  

Source :
https://www.ivanti.com/blog/how-cloud-migration-helps-improve-employee-experience