The
Center for Internet Security (CIS) Top 20 Critical Security Controls, or "Foundational Controls," can help any organization address the growing number of digital security threats confronting them. Obviously, for these controls to reduce risk, a company must first implement them. Failure to do so can result in some real security nightmares.
IT experts who've been in the field long enough have witnessed security shortcomings firsthand. Some instances might leave you completely shocked and horrified. Others will make you wonder whether you should laugh or cry.
To highlight the importance of doing all you can to defend against digital threats, here are 11 IT experts' "horror stories" where organizations overlooked the CIS Critical Security Controls.
https://www.slideshare.net/Tripwire/it-security-horror-stories-where-foundational-controls-went-overlooked
As one of my good friends and mentor, David Prince, loves to call it, the "Brilliant Basics" are often forgotten when designing or maintaining our cyber security systems. Unfortunately, this is one of the most important areas we need to lock down because if you can't get the foundations right you better believe that will carry into the more complex situations.
One hilarious (but slightly disheartening) situation that comes to mind is in reference to the physical location and maintenance of hardware. This environment was for a SME that didn't use cloud hosting; they "maintained" the hardware onsite.
I was doing a physical security assessment for this company. One of the tasks is reviewing the server room. The 'server room' for this company was just another office that happened to contain a server rack in a repurposed closet with doors removed. It was open to all employees. Unfortunately, this is typical and not what stood out to me.
The real disheartening part was there was a window directly beside the server rack. It had no screen or bars, and it was on the ground level. I'm not talking like a couple feet away. I mean literally if you wanted you could do all your sysadmin tasks while sitting outside for a picnic. Or if you wanted you could walk by the building, plug in a random USB, and no one would be the wiser.
A couple feet from the window, there was a massive server. This housed all important data for offsite offices -- all backups running and that day's worth. Laying in front of this was all the week's backups on hard drives, nicely labelled and everything. If you happened to enjoy climbing through windows, these devices were a bit more exciting than the neighbour's pie to 'borrow.'
Never mind what would happen if it rained and no one shut the window!
Travis Smith | @MrTrav
The importance of static IP management is something I learned early on in my security career. While a company for which I previously worked had implemented
hardware and software discovery, being able to re-use addresses was fairly straightforward. Two criteria had to be met: the address shouldn't be in the asset database, and the address shouldn't be reachable on the network.
One of my first tasks at this company was to set up a ESXi server. I deployed the server and had no issues for months. Then one day I ran a port scan against our public IP address space and noticed something a bit odd: a website being hosted on a public IP that wasn't supposed to be used. It turns out that before my tenure, a staging web server had been setup that had a NAT between a public IP and the internal IP I was now using for my ESXi server. When the original staging server was decommissioned, the NAT rule in the firewall was never removed. I had an ESXi server publicly available from to the Internet. At first I cried, but after fixing the issue and sifting through logs for days, I laughed at how bad that was.
I am reminded of the time I gained physical access to a building, connected on to their network, and found 'Credit Cards Front and Back.pdf.' This was of course a copy of their staff credit cards.... Many more little incidents along the way have also left me with my head in my hands. When phishing large organisations, the replies to
phishing emails always really surprise you. I remember one person who replied, divulged more information to the person who recently screenshot the 'You've clicked a link' educational page I include in my phishing assessments, and then proceeded to complain the link wasn't working. "It just guides you to a page with a picture on". It's always important to stay focused, though. Often, it's just peoples awareness and understanding of infosec that lets them down.
A few years ago, while doing a security assessment for a company, I realized that the issue with security did not lie with the strategic direction for information security. Rather, the underlying business model was the source of the problem. Normally, we see the security teams trying to better their security posture by attempting to go beyond check box compliance. But this particular organization paid their employees bonuses based on the amount of money they saved from their budgets! Therefore, instead of trying to pick security solutions that helped better their security posture, they chose to do the minimum required to be compliant. They pitched a great story to the executives to say that being compliant with the
PCI standard made them secure, but they were horribly mistaken. It was like trying to mow the lawn with a pair of scissors. It will do the job, it's cheap to buy the tool, and you can check off the box for compliance. However, when you actually go to mow the lawn, the labour costs are so intensive, it's not worth the effort. I'm amazed to this day that they did not get breached. Actually, now that I think about it, it's possible that they did and just don't know it yet!
You see so many shocking examples over the years that over time you start to become accustomed to them and no longer find them shocking when you come across them. The most shocking examples are often the most basic of mistakes. But there is one example, out of many, that stands out to me.
I was tasked by a client to pentest a web app, which was presented to me as a simple login form. The client did not provide any login credentials. So the main goal was to try and gain access to the system. On the login page, there was an email address. It read something like "If you have any issues logging in, email the site administrator
[email protected].” My first thought was, "does this John fellow have an account on this application?" So I tried username =
[email protected], password = password. And lo and behold, it worked! The client had paid for several days and was quite embarrassed that it only took me about 5 minutes to gain access to their system."
Keirsten Brager |
We were in a staff meeting when one of the engineers received a call from our ISP to notify us about suspicious traffic. Their monitoring team observed that a server on our environment was communicating with a known malicious command and control server in another country.
The incident response plan: pull the server off of the network. Makes sense, right?
There was one small problem: no one could find the server.
Why not, you may be asking?
Well, some organizations take shortcuts and do just enough to check the compliance box. One of the ways to get that coveted check is by reducing the scope of the audit to “zones”. Everything outside of those zones exist with minimum or no security at all.
While this approach may save a dollar today, it leaves gaps in coverage that can render other security controls void. It also leaves the organization open to risk, as illustrated in the example above.
The moral of the story: asset management is number 1 on the Top 20 Critical Security Controls. After you read this story, send an email to the head of IT and security to inquire about asset management.
I’ll buy you a drink at DefCon if you can identify all of your assets.
Many years ago, I had the unsavory task of letting an employee go. Despite ongoing attempts to work with this individual, things didn’t improve. Unfortunately, this person was one of our sys admins, so it was a bit of process getting credentials changed, etc. After all the appropriate changes were made, I sat this person down and broke the news. I asked them to pack their things, turn in their keys, and leave. While the individual was packing, I stepped out momentarily to use the bathroom. I got cornered talking to someone in the hall and returned after about 15 minutes fully expecting the former employee to be packed and ready to go. Instead, I found the employee connecting his personal laptop to the network and attempting to download his archived work files. I promptly yanked out the network cable, closed the device, and escorted them and their belongings out the door! I was not happy and didn’t make that mistake again.
Sometimes the worst security mistakes are those that are simplest. Despite hours of training, reminders, and documentation requiring people to challenge visitors, people simply want to trust. One of the worst examples I have seen came when an "IT" staff member came to an office wearing a jacket that said IT on the back and requested access to the server closet. The front desk personnel asked them to sign in but allowed them to enter without an ID check. Roughly an hour later, the "IT" person departed the office and things started to go very badly. In short, the office servers got hit with ransomware and all operations ceased. In the post-mortem, the individual claiming to be part of the IT staff wrote "hacker" on the sign in sheet and was actually wearing a shirt that said hacker, all very obvious and plain. The people at the front of the office are the front line defense against social engineering. Train them well and encourage them to question and stop people they don't recognize!
Whilst working for a large energy company in the UK, one of my roles working in Information Security was to visit offshore sites and conduct technical security audits based on
ISO27001.
In May 2012, I was on one of my many visits to India conducting a review. I went to a brand-new facility of one of our suppliers, which had gone live. As part of the audit, I reviewed the six backup generators and how often they are tested, etc. I was shocked to see that two of the six generators were running at the time of my visit. Initially, I was informed they were being tested at that moment in time, but subsequently, I learnt that the entire site had not been supplied commercial power from the local grid, so the entire site had been running on generator power for the past nine months!
Furthermore, I discovered they had not acquired a license from the authorities to store diesel in the 70,000 litre silos on site. Instead, they were receiving daily shipments of ten barrels, a tube was stuck in to the top, and an electric pump was pumping the fuel through a hole that was created in the wall in o a tank that fed the generators.
In disbelief, I took the photo below. Note that the sign on the wall says ‘no phones’, yet the men stood next to me were smoking! Some incredible experiences in India.
That moment when you are working for a massive managed services company and you are about to upload a debug file to the vendor of your ticketing system and find out you can see all their clients SFTP folders on their drop site. Global banks, pharmaceutical companies, and defense contractors all have folders you can access. You quickly look in your own folder to determine what these other companies can see about your organization. You find out not only have professional services dropped all your architectural designs, passwords, and CMDB data there but that they also left the last onsite professional services representative’s unlocked PST file there. When you look at the PST, it contains a treasure trove of passwords, usernames, business communications, and enough company culture information to make a social engineer faint. The Monday morning call to the VP of IT to tell them is both hilarious and terrifying.
Alan Shimel |
One of my most horrifying times in the infosecurity space was during a frank conversation I had with a CIO of a fairly large bank. We were talking about vulnerability management and how prioritizing vulnerabilities are key to a successful VM practice. I tried to explain to the CIO that no one wanted to run scans during business hours, but scans could be run at any time remotely. In terms of remediation, these could then be prioritized to be worked on during business hours where possible.
To my horror, the CIO told me that his security people were salaried employees who were paid weekly and not by the hour. He told me and I quote, “I don’t care if my security people have to work every night and every weekend; it won’t cost me any more money and if they don’t like it, we will replace them.” What a caveman! Ignoring the fact that having people work evenings and weekends will leave them less than fresh for regular work hours, I realized that he didn’t value his security team as just people, let alone as the security professionals they were. No wonder the rest of his team had contempt and no respect for the security team and the role they played!
The funny thing was the security people, despite the diss, were trying their best to really get the job done at this bank. Me personally, I was almost pulling for an incident just to teach that CIO a lesson. But this was just an extreme illustration of a lesson I learned early and often in security. CIO and IT management did not value security expertise and did not value the security team as valuable members of the team. This reinforced the isolation of security within an organizations security team.
Conclusion
Have your own "horror story" where foundational security controls got overlooked? If so, tell it to us in the comments! In the meantime, you can read about how the Foundational Controls can protect against attack types and help you build a solid foundation
here and
here, respectively.
Editor’s Note: The opinions expressed in this article are solely those of the contributors and do not necessarily reflect those of Tripwire, Inc.
