Even though cybercriminals use increasingly sophisticated attack techniques to penetrate corporate networks, hackers often have an easy time of it: security breaches are frequently the result of avoidable and easily overlooked misconfigurations.
Christoph M. Kumpa, Director DACH & EE at Digital Guardian, has provided me with an overview of the five most common configuration errors in networks. To prevent hackers from opening the door to sensitive data and IT environments, these are the mistakes that companies need to avoid.
1. Standard credentials
Unchanged default usernames and passwords on devices, databases and installations are like leaving the key in the lock. Even hobby hackers can cause extensive damage to a company with freely available tools. Default credentials on network devices such as firewalls and routers, or even on operating systems, let attackers gain direct access using simple password-checking scanners. In more sophisticated attacks, hackers run scripted brute-force attacks against devices, trying either default usernames and passwords or simple passwords such as "qwerty" or "12345".
2. Multiple use of passwords
Using the same user account and password on every device in a fleet of endpoints gives cybercriminals the ability to attack every machine once just one of them has been compromised. From there, attackers can use credential-dumping tools to obtain the passwords, or the password hashes themselves. Companies should therefore avoid password reuse at all costs and deactivate accounts that are no longer needed.
3. Open remote desktop services and standard ports
Services such as Remote Desktop Protocol (RDP), a proprietary protocol developed by Microsoft, give administrators an interface for controlling computers remotely. Cybercriminals have increasingly abused this protocol where it was exposed and not properly configured. Ransomware such as CrySiS and SamSam, for example, has targeted companies through open RDP ports using both brute-force and dictionary attacks. Any outward-facing device connected to the Internet should therefore be secured with multi-layered protection against access attempts such as brute force. Administrators should combine strong, complex passwords, firewalls and access control lists to reduce the likelihood of a security breach.
4. Delayed software updates
Zero-day threats often make headlines, but the vulnerabilities most commonly exploited by cybercriminals are usually digital fossils. Keeping operating systems updated and patched is therefore critical to preventing a security breach. Although numerous exploits and vulnerabilities are discovered daily and it can be difficult to keep up, organizations must avoid delaying software patching.
5. Logging turned off
Deactivated logging does not in itself let attackers into a system, but it does let them operate there unnoticed. Once inside, hackers can move laterally across the network in search of data or assets to sneak out, and without proper logging they leave no trace. Reconstructing a security incident then becomes a needle-in-a-haystack exercise for IT teams. Logging should therefore be enabled and forwarded to a central location such as a SIEM (Security Information and Event Management) platform. This data provides the traces that forensic analysts need during an incident response investigation to track the attack and capture the intrusion. It also makes it possible to respond adequately to threats whose alerts are triggered by events that have already been logged.
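As an added example (not from the article or from Digital Guardian), here is a small detection rule of the kind a SIEM would run over centrally collected logs, tying together points 3 and 5: it counts failed RDP logons per source address in constructed sample Windows Security events and raises a second, higher-priority alert if a flagged address later logs on successfully. The key=value line format, field order and addresses are assumptions made for the example; the event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of forwarded Windows Security events (not real data):
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2024-05-01T10:00:02Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2024-05-01T10:00:03Z EventID=4625 LogonType=10 TargetUserName=root IpAddress=203.0.113.7
2024-05-01T10:00:04Z EventID=4625 LogonType=2 TargetUserName=alice IpAddress=198.51.100.9
2024-05-01T10:00:05Z EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7
2024-05-01T10:00:06Z EventID=4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.7
2024-05-01T10:00:07Z EventID=4625 LogonType=10 TargetUserName=bob IpAddress=198.51.100.9
2024-05-01T10:00:09Z EventID=4624 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
"""

# Assumed line layout of the forwarded events (a SIEM would normally parse these itself).
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None                 # unparseable line: skip rather than crash
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP once it reaches `threshold` failed RDP logons within
    `window`, and separately flag any later RDP success from a flagged IP."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["lt"] != "10":
            continue                # only RemoteInteractive (RDP) logons
        ip, ts = ev["ip"], ev["ts"]
        if ev["eid"] == "4625":
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("rdp_bruteforce", ip, len(q)))
        elif ev["eid"] == "4624" and ip in flagged:
            alerts.append(("rdp_success_after_bruteforce", ip, ev["user"]))
    return alerts
```

Running `detect_rdp_bruteforce(SAMPLE_LOG.splitlines())` flags 203.0.113.7 after its fifth failure and again when it later succeeds as Administrator, while the single failure from 198.51.100.9 and the non-RDP failure stay below the threshold.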
When devices or platforms are misconfigured or left in their default state, cybercriminals have an easy time launching attacks. Companies should therefore implement the security measures above to protect themselves and their sensitive data.
Digital Guardian is active in the area of data security. More can be found on the company website.