The security gaps that can be exposed by cybersecurity asset management – Help Net Security
Cybersecurity asset management does not generate the excitement that surrounds the metaverse, blockchain or smokescreen detection technologies, but it is essential for protecting corporate infrastructure. It is no secret that a single vulnerable, unsecured endpoint can open the gate for criminals to walk through, and as the number of access points keeps growing, so does the risk.
This is why cybersecurity asset management is changing the way enterprises manage and protect their assets. It works by correlating data from the solutions already deployed across an organization’s infrastructure (directory services, endpoint agents, network scanners, cloud platforms and vulnerability scanners) into a single, always up-to-date asset inventory. With that inventory, IT and security teams can identify security gaps, verify that assets comply with security policy, learn immediately when an asset deviates from that policy, and automate actions in response to those deviations.
Security teams face multiple challenges, but with asset management at their disposal, these can be addressed more easily. Here we identify five potential issues that can be uncovered by a cybersecurity asset management program.
Endpoint agents not being properly used
There is a plethora of tools being used to secure assets, including desktops, laptops, servers, virtual machines, smartphones, and cloud instances. But despite this, companies can struggle to identify which of their assets are missing the relevant endpoint protection platform/endpoint detection and response (EPP/EDR) agent defined by their security policy. They may have the correct agent but fail to understand why its functionality has been disabled, or they are using out-of-date versions of the agent.
The importance of knowing which assets lack the required security tool coverage, and which have the tool installed but not functioning, cannot be overstated. If a company invests in security and then suffers a malware infection because the endpoint agent was never deployed to the affected machine, that investment has been wasted.
Agent health and cyber hygiene depend on knowing which assets are not protected, and that is harder than it sounds. The admin console of an EPP/EDR can report which assets have had the agent installed, but an installed agent is not necessarily a working one: it may have had its protection disabled, be running an outdated version, or have stopped checking in altogether.
Unknown unmanaged assets
Unmanaged assets are unknown, and the unknown is where vulnerabilities lie. With no management tooling or agents installed, these devices – which may include desktops that are rarely used or laptops that connect to the corporate network only intermittently – present a threat.
Unmanaged devices may be visible on the network or to network scanners, but visibility alone does not tell you what you need to know about them, such as whether they are covered by a patch schedule or whether they need an EPP/EDR agent installed.
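As an added example (not part of the original article and not any vendor's product code), the following Python script shows the kind of correlation a cybersecurity asset management program performs for the two issues above. It joins a directory computer list, a network scan and an EDR console export into one inventory and reports hosts that are missing the agent, have real-time protection disabled, run an outdated agent version, have an agent that has stopped checking in, or are unmanaged (seen on the wire but known to neither the directory nor the EDR). The hostnames, addresses, versions and timestamps are constructed sample data, and the export field names are assumptions about what such exports contain.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample exports (hypothetical hostnames, addresses and values, not real data).

# Directory (AD) computer objects: what the organisation believes it owns.
AD_COMPUTERS = {"WS-001", "WS-002", "SRV-DB01", "SRV-WEB01", "LT-CFO"}

# Network scan: every host that answered on the wire, keyed by hostname, or by IP
# when there is no reverse DNS entry.
NETWORK_SCAN = {
    "WS-001": "10.0.1.11",
    "WS-002": "10.0.1.12",
    "SRV-DB01": "10.0.2.5",
    "SRV-WEB01": "10.0.2.6",
    "LT-CFO": "10.0.1.40",
    "10.0.1.77": "10.0.1.77",   # unknown device: no DNS name, not in AD
}

# EDR console export: one row per installed agent (field names are assumptions).
EDR_AGENTS = {
    "WS-001":    {"version": "7.4.2", "rtp_enabled": True,  "last_seen": "2024-05-01T09:00:00Z"},
    "SRV-DB01":  {"version": "7.1.0", "rtp_enabled": True,  "last_seen": "2024-05-01T08:30:00Z"},
    "SRV-WEB01": {"version": "7.4.2", "rtp_enabled": False, "last_seen": "2024-05-01T08:45:00Z"},
    "LT-CFO":    {"version": "7.4.2", "rtp_enabled": True,  "last_seen": "2024-03-20T17:10:00Z"},
}

# Policy: minimum agent version and how long an agent may go without checking in.
MIN_AGENT_VERSION = "7.4.0"
MAX_STALE_DAYS = 14
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)   # report time, fixed for the sample


def _version(v: str) -> tuple:
    """'7.4.2' -> (7, 4, 2), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in v.split("."))


def _timestamp(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def reconcile(ad_hosts, scan_hosts, edr_agents, now,
              min_version=MIN_AGENT_VERSION, max_stale_days=MAX_STALE_DAYS):
    """Correlate directory, scanner and EDR data into coverage findings.

    Returns a dict of sorted hostname lists keyed by finding type; a host may appear
    under several keys (e.g. both outdated and disabled).
    """
    findings = {key: [] for key in
                ("missing_agent", "agent_disabled", "agent_outdated", "agent_stale", "unmanaged")}
    # The real inventory is the union of every source, not just what the directory says.
    for host in sorted(set(ad_hosts) | set(scan_hosts) | set(edr_agents)):
        agent = edr_agents.get(host)
        if agent is None:
            # No agent at all: either a directory host that was never enrolled, or a
            # device that only the scanner knows about and nobody manages.
            findings["missing_agent" if host in ad_hosts else "unmanaged"].append(host)
            continue
        if not agent["rtp_enabled"]:
            findings["agent_disabled"].append(host)
        if _version(agent["version"]) < _version(min_version):
            findings["agent_outdated"].append(host)
        # The console lists the agent as installed, but one that has stopped checking
        # in is not protecting anything.
        if now - _timestamp(agent["last_seen"]) > timedelta(days=max_stale_days):
            findings["agent_stale"].append(host)
    return findings


if __name__ == "__main__":
    for kind, hosts in reconcile(AD_COMPUTERS, NETWORK_SCAN, EDR_AGENTS, NOW).items():
        print(f"{kind:15} {', '.join(hosts) or '-'}")
```

The union of sources is the important design choice: starting from the directory alone would never surface the device at 10.0.1.77, and starting from the EDR console alone would never surface WS-002. Staleness is judged against the report time rather than a wall clock so that the sample is reproducible; in production, pass datetime.now(timezone.utc).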
Passwords and permissions
Among the various Active Directory (AD) account settings that should not be set for ordinary user accounts, three deserve particular attention: AD password never expires, AD password not required, and AD no pre-authentication required. All three are flags on the account’s userAccountControl attribute, so they can be found with a single directory query.
An AD account that does not require a password is a risk for security teams, and especially so if it is a privileged account such as a domain admin. Such an account is exempt from the domain password policy: the user is not held to the minimum password length and may be using a password shorter than required or, worse, no password at all, because the flag permits it. A password that never expires is likewise exempt from the rotation policy, so a credential that leaks stays valid indefinitely.
The problem with an account that does not require pre-authentication is that an attacker can send an authentication request (AS-REQ) for it without knowing the password, and the key distribution center (KDC) will reply with a Ticket Granting Ticket (TGT) plus a response portion encrypted with a key derived from the user’s password. That encrypted portion can be brute-forced offline at whatever speed the attacker’s hardware allows (the technique known as AS-REP roasting), and all that will be evident in the KDC logs is a single TGT request. If Kerberos timestamp pre-authentication is enforced, the KDC will not hand out that material: the attacker must first encrypt a current timestamp with the user’s key and present it to the KDC. They can still guess repeatedly, but each guess now goes to the KDC, and every failure is recorded in the KDC log (event ID 4771, Kerberos pre-authentication failed, on a Windows domain controller) and counts towards the account lockout threshold.
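As an added example, not from the original article, the following Python code audits an AD user export for the three flags discussed above. They are bits in the userAccountControl attribute (PASSWD_NOTREQD 0x20, DONT_EXPIRE_PASSWORD 0x10000, DONT_REQ_PREAUTH 0x400000), and the LDAP filters the code builds use the standard bitwise-AND matching rule, so they can be passed directly to ldapsearch or Get-ADUser -LDAPFilter to pull the same accounts from a live domain controller. The accounts and group memberships are constructed sample data, and the set of privileged groups is an assumption to be adapted to the domain.

```python
# userAccountControl bit flags (fixed values from the AD schema).
ACCOUNTDISABLE       = 0x0002
PASSWD_NOTREQD       = 0x0020
NORMAL_ACCOUNT       = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH     = 0x400000

RISKY_FLAGS = {
    "password_not_required":  PASSWD_NOTREQD,
    "password_never_expires": DONT_EXPIRE_PASSWORD,
    "no_preauth_required":    DONT_REQ_PREAUTH,
}

# The same checks as LDAP filters, using the bitwise-AND matching rule
# (OID 1.2.840.113556.1.4.803), for querying a domain controller directly.
LDAP_FILTERS = {
    name: f"(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:={bit}))"
    for name, bit in RISKY_FLAGS.items()
}

# Groups whose members turn any of these flags into a high-severity finding
# (assumption: adapt to the domain's own privileged groups).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators"}

# Constructed sample export (hypothetical accounts), as dumped from the directory.
ACCOUNTS = [
    {"sam": "jsmith",     "uac": NORMAL_ACCOUNT,                                           "groups": ["Domain Users"]},
    {"sam": "svc-backup", "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,                    "groups": ["Domain Users", "Backup Operators"]},
    {"sam": "legacy-app", "uac": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,                        "groups": ["Domain Users"]},
    {"sam": "kiosk",      "uac": NORMAL_ACCOUNT | PASSWD_NOTREQD,                          "groups": ["Domain Users"]},
    {"sam": "da-admin",   "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH, "groups": ["Domain Admins"]},
    {"sam": "old-user",   "uac": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH,       "groups": ["Domain Users"]},
]


def audit(accounts):
    """One finding per (account, risky flag), with enough context to rank it."""
    findings = []
    for acct in accounts:
        enabled = not acct["uac"] & ACCOUNTDISABLE
        privileged = bool(PRIVILEGED_GROUPS & set(acct["groups"]))
        if not enabled:
            severity = "low"          # still worth cleaning up, but not usable as-is
        elif privileged:
            severity = "high"
        else:
            severity = "medium"
        for name, bit in RISKY_FLAGS.items():
            if acct["uac"] & bit:
                findings.append({"account": acct["sam"], "flag": name,
                                 "enabled": enabled, "privileged": privileged,
                                 "severity": severity})
    return findings


def as_rep_roastable(accounts):
    """Enabled accounts that return offline-crackable material to one unauthenticated AS-REQ.

    Disabled accounts are excluded: the KDC refuses them before issuing anything.
    """
    return sorted(a["sam"] for a in accounts
                  if a["uac"] & DONT_REQ_PREAUTH and not a["uac"] & ACCOUNTDISABLE)


if __name__ == "__main__":
    for f in audit(ACCOUNTS):
        print(f"{f['severity']:6} {f['account']:12} {f['flag']}")
    print("AS-REP roastable:", ", ".join(as_rep_roastable(ACCOUNTS)))
    print("LDAP filter for the same:", LDAP_FILTERS["no_preauth_required"])
```

The severity logic is deliberately simple: an enabled privileged account with any of these flags is the finding to fix today, and a disabled account with the pre-authentication flag is a hygiene item rather than an exposure, because the KDC will not issue anything for it. The LDAP filter string is the piece to reuse against a real directory; the rest operates on whatever export format the asset management tooling already produces.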
VA tools can only scan cloud instances they know about
With more and more organizations moving to the cloud, the security solutions implemented to protect their on-premises assets are struggling to keep up.
Vulnerability assessment (VA) tools, for example, are designed to scan a network for devices with known vulnerabilities, but they can only scan what they know about, which in practice means a configured target list of addresses and ranges. Because cloud instances are created and destroyed dynamically, new instances regularly appear outside that list, and the VA tool is never told that they need to be scanned.
An instance that is never scanned is never patched on the strength of a finding, and an exposed service on it with a remotely exploitable vulnerability can be compromised without any end user clicking on anything. This is how attackers have been able to exploit vulnerabilities, zero-days included, to install ransomware on cloud servers.
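As an added example (not from the article, and not tied to any particular VA product or cloud provider), the following Python code checks a cloud instance listing against a VA tool's static target list. It treats the cloud inventory, not the VA configuration, as the source of truth: running instances whose addresses fall outside the configured ranges are out of scope, those among them with a public address are the priority, and in-scope instances launched after the last completed scan have simply not been scanned yet. Instance IDs, addresses and timestamps are constructed sample data, and the field names are assumptions about the shape of the instance listing.

```python
import ipaddress
from datetime import datetime, timezone

# VA tool scan configuration (constructed): a static target list and the last completed scan.
VA_TARGETS = ["10.0.0.0/16", "192.168.10.0/24"]
LAST_SCAN = datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc)

# Constructed cloud instance listing (hypothetical IDs and addresses), as a cloud API
# would return it after listing instances across all accounts and regions.
CLOUD_INSTANCES = [
    {"id": "i-0a1", "private_ip": "10.0.3.10",  "public_ip": None,          "state": "running",    "launched": "2024-04-20T10:00:00Z"},
    {"id": "i-0a2", "private_ip": "10.1.5.20",  "public_ip": "203.0.113.7", "state": "running",    "launched": "2024-04-28T10:00:00Z"},
    {"id": "i-0a3", "private_ip": "10.0.9.44",  "public_ip": "203.0.113.9", "state": "running",    "launched": "2024-05-01T06:00:00Z"},
    {"id": "i-0a4", "private_ip": "10.0.4.4",   "public_ip": None,          "state": "terminated", "launched": "2024-04-01T10:00:00Z"},
    {"id": "i-0a5", "private_ip": "172.16.0.8", "public_ip": None,          "state": "running",    "launched": "2024-04-25T10:00:00Z"},
]


def in_scope(ip: str, targets) -> bool:
    """True if ip falls inside any configured target network (a bare IP is a /32)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(t, strict=False) for t in targets)


def scan_gaps(instances, targets, last_scan):
    """Compare what exists in the cloud with what the VA tool is configured to scan."""
    gaps = {"covered": [], "out_of_scope": [], "exposed_out_of_scope": [],
            "launched_since_scan": [], "targets_to_add": set()}
    for inst in instances:
        if inst["state"] != "running":
            continue                      # terminated or stopped instances are not live attack surface
        ips = [ip for ip in (inst["private_ip"], inst["public_ip"]) if ip]
        if not any(in_scope(ip, targets) for ip in ips):
            # The VA tool has no idea this instance exists.
            gaps["out_of_scope"].append(inst["id"])
            gaps["targets_to_add"].update(ips)
            if inst["public_ip"]:
                gaps["exposed_out_of_scope"].append(inst["id"])   # reachable from the internet: fix first
            continue
        launched = datetime.fromisoformat(inst["launched"].replace("Z", "+00:00"))
        if launched > last_scan:
            gaps["launched_since_scan"].append(inst["id"])        # in scope, but newer than the last scan
        else:
            gaps["covered"].append(inst["id"])
    gaps["targets_to_add"] = sorted(gaps["targets_to_add"])
    return gaps


if __name__ == "__main__":
    for kind, items in scan_gaps(CLOUD_INSTANCES, VA_TARGETS, LAST_SCAN).items():
        print(f"{kind:22} {', '.join(items) or '-'}")
```

Two points worth noting. The "launched since scan" category is the one a static target list can never express: the instance is inside a scanned range, yet nothing has looked at it, so a daily scan of a busy environment is always behind. And the real fix is to feed targets_to_add (or, better, the whole running-instance list) into the VA tool on every run rather than maintaining the list by hand.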
Keeping up to date with critical vulnerabilities
Critical vulnerabilities are publicly catalogued flaws, each with a Common Vulnerabilities and Exposures (CVE) identifier, whose severity rating (in CVSS v3 terms, a base score of 9.0 or above) means that an asset carrying one is exposed to a direct or indirect attack with decisive or significant effects.
A published vulnerability is not automatically exploitable, but once the details are public, working exploit code often follows quickly, and devices carrying published flaws are a common target for attackers. So it makes sense for security teams to prioritize patching and updating assets that are found to have critical vulnerabilities, starting with those that are known to be exploited in the wild and are reachable from the network.
This is not an exhaustive summary, nor is it a list of headline-grabbing vulnerabilities, but instead it addresses fundamental security practices. If security teams can take control of the devices that their organizations are adopting for innovation and improved efficiency and ensure they are protecting the full asset portfolio, they will significantly reduce vulnerabilities and improve their risk posture.