July 20, 2022 at 3:15 PM
Summertime is the peak time for people to go on vacation. The kids are off from school and the weather is finally nice in most of the country. When you go on vacation, no matter how far you travel, there are certain precautions that you take to ensure that your home is safe while you are gone. You make sure the windows and doors are all locked up, you have your mail paused so it does not pile up and tip thieves that you are not home, and maybe you leave a light or two on to give the illusion that someone is in the house. If we take these precautions with our home, why don’t we take the same precautions with our networks?
Back in May, the Cybersecurity and Infrastructure Security Agency (CISA) released an alert explaining that weak controls and practices are routinely exploited for initial access into an organization's network. The alert goes on to outline some of the common weak security controls, poor configurations, and poor security practices that are exploited to gain access. The list in the CISA alert is much longer, but I wanted to outline these four because they are the low-hanging fruit on the list:
These are all basic items, and it is shocking to see them on this list, especially in 2022 after all the breaches and security incidents of the last couple of years. So, if these are fairly basic items, why do they appear on this list? The answer is simple: convenience.
When you look at the list above, it is easy to see why some of these things fly under the radar and still take place in 2022. Patching systems is time consuming and requires resources. Using default or weak passwords makes doing work faster and more efficient. MFA can be annoying at times. I am sure that we have all tried to log in to a Microsoft Teams meeting and gotten the prompt to approve the access, whether through an authenticator application, a text message, or another authentication method. There is no greater joy than trying to log in to a meeting just as it is starting and having to jump through a bunch of hoops to prove that it is you! I think that Microsoft does this intentionally to test our patience, but that is a topic for another day.
In the CISA alert, they give you a fantastic list of strategies and mitigation techniques to use, which are all great and important. However, I am going to give you one strategy that covers most, if not all, of the items on that list: conduct a risk assessment.
You see, there are three things that are always changing in an organization: people, processes, and technology.
People change jobs, get promoted, get demoted, get fired, etc. All organizations change their processes based on a number of factors, including growth, new business lines, expansion, contraction, etc. I do not think I have to cover technology as we all know that it is constantly changing, sometimes by the day!
Whenever any of the three items above change, you should perform a risk assessment to understand what those changes mean for your organization and what risks they may introduce. Change is a positive thing, and oftentimes risks are introduced through change as an unintended consequence. A thorough risk assessment mapped to a compliance mandate (if required) or to a security framework will help you uncover those risks and mitigate them before the bad actors find them. It is always best for you or a trusted third party, such as Compass IT Compliance, to find these control weaknesses or poor security configurations before anyone else does. If you have experienced recent changes to your people, processes, or technology, feel free to contact us to discuss those changes and to see how we can assist in assessing your environment. Treat your network like you treat your house when you leave for vacation, and make sure, to the best of your ability, that all your doors and windows are locked!