The adversaries aren’t trying to score style points to break in; they’re just going to find a way in. – Jeremiah Grossman.
Grossman is the CEO of BitDiscovery, which gives companies a complete and current inventory of all of their Internet-accessible technology. He was the founder and CEO of WhiteHat Security, previously served as chief of security strategy for endpoint security vendor SentinelOne, and was an information security officer at Yahoo!
According to reports from the cyber-insurance industry, 54% of all data breaches are from email phishing attacks, 29% are remote desktop protocol (RDP) attacks, and 6% are social engineering attacks. Third-party compromise, brute force (authentication), and “other” attack techniques each make up 3% of all data breaches.
The healthcare industry makes up about 10% of total data breach cyber-insurance claims.
How can organizations inside and outside of the healthcare industry protect themselves? What cybersecurity basics are companies missing that make them so open to security vulnerabilities?
Let’s look at the information Grossman presented.
What is an asset inventory?
With a lot of organizations, they’re getting hacked on things that are entirely preventable only if they knew those systems existed. – Jeremiah Grossman.
An asset inventory is a catalog of every Internet-connected asset an organization owns: websites, mail servers, FTP servers, IoT devices, VPN endpoints, and so on, whether they live in the cloud or on-premises. It should also record which assets have expired or soon-to-expire TLS certificates.
This kind of inventory serves many departments across the organization, including IT, information security, finance, compliance, and audit.
A comprehensive asset inventory management system tells an organization what assets it has and where they are. This knowledge aids with security ratings, incident response, third-party risk management, and finding vulnerabilities and patching them.
Without an up-to-date asset inventory, organizations will unknowingly leave vulnerabilities exposed, allowing bad actors to exploit them.
Why asset inventories are important
A robust and up-to-date asset inventory system can keep organizations abreast of potential vulnerabilities so that they can be appropriately resolved.
As Grossman touched on during his presentation, the 2017 Equifax data breach came down to a missing patch. Equifax had patched the Apache Struts vulnerability elsewhere in its estate but not on the system that was eventually compromised, because the company didn't know that system was exposed.
Without a proper asset inventory, Equifax left itself open to exploitation, and it had no idea that roughly 147 million people's information could be compromised until it was too late.
If your organization doesn’t know what assets it has, it also doesn’t know what assets bad actors can access.
The danger of expired certificates
It stands to reason that you’ll lose track of certain certificates as they expire. – Jeremiah Grossman.
The number of certificate authorities (CAs) an organization uses does not by itself make it more or less secure, but the more certificates it has issued, the more it has to track and renew.
A certificate authority certifies the ownership of a public key with a public key certificate. The CA acts as a third-party trusted by the public key owner and the parties that rely upon the certificate.
The useful signal is not the raw count of expired TLS certificates but that count relative to the total number of Internet-accessible assets.
With over 100,000 assets and only 97 expired TLS certificates (roughly 0.1%), HCA has a manageable number of certificate problems.
McKesson, by contrast, has 614 expired certificates against roughly 22,000 Internet-accessible assets (2.69%), which Grossman says may indicate an "IT hygiene problem."
An expired certificate is rarely an exploit in itself, but it is a reliable sign of a host nobody is maintaining, and it trains users to click through browser warnings; both make it a useful starting point for a bad actor.
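As an added example (not code from the article, from BitDiscovery, or from Grossman's presentation), the following Python script shows how an inventory of Internet-facing hosts can be checked for expired or soon-to-expire TLS certificates, and how to compute the expired-certificate ratio used above as a hygiene signal. The `*.example.test` hostnames, the `NOW` timestamp, the 30-day warning window and the function names are assumptions made for this example; only the `probe` function does network I/O, and it is used only when hostnames are passed on the command line.

```python
"""Added example: checking an Internet-facing asset inventory for expired or
soon-to-expire TLS certificates (illustrative code for this article, not
BitDiscovery's product or anything Grossman showed)."""
import socket
import ssl
import sys
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

SOON_DAYS = 30  # assumption: warn when a certificate expires within 30 days
DAY = 86400


@dataclass
class Asset:
    host: str
    port: int = 443
    not_after: Optional[float] = None   # leaf cert notAfter, POSIX seconds
    verify_error: Optional[str] = None  # OpenSSL verify message if handshake failed


def parse_not_after(cert_time: str) -> float:
    """Convert the 'notAfter' string returned by ssl.getpeercert() to POSIX seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Asset:
    """Fetch the certificate for one host. Verification stays ON: an expired or
    untrusted chain surfaces as SSLCertVerificationError, whose OpenSSL message
    ("certificate has expired", ...) is recorded instead of an expiry date."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        return Asset(host, port, not_after=parse_not_after(cert["notAfter"]))
    except ssl.SSLCertVerificationError as exc:
        return Asset(host, port, verify_error=exc.verify_message)
    except (OSError, ssl.SSLError):
        return Asset(host, port)  # no TLS answer at all: still an asset to track


def classify(asset: Asset, now: float, soon_days: int = SOON_DAYS) -> str:
    """Bucket one asset: ok / expiring-soon / expired / untrusted / no-tls."""
    if asset.verify_error is not None:
        return "expired" if "expired" in asset.verify_error.lower() else "untrusted"
    if asset.not_after is None:
        return "no-tls"
    remaining = asset.not_after - now
    if remaining <= 0:
        return "expired"
    if remaining <= soon_days * DAY:
        return "expiring-soon"
    return "ok"


def summarize(assets: List[Asset], now: float) -> Dict[str, float]:
    """Count assets per bucket and report expired certificates as a percentage
    of all Internet-accessible assets, the ratio Grossman used as a hygiene signal."""
    counts: Dict[str, float] = {}
    for asset in assets:
        bucket = classify(asset, now)
        counts[bucket] = counts.get(bucket, 0) + 1
    total = len(assets)
    counts["expired_pct"] = round(100.0 * counts.get("expired", 0) / total, 2) if total else 0.0
    return counts


# Constructed sample inventory: hostnames and times are made up for the example.
NOW = 1_700_000_000.0
SAMPLE_INVENTORY = [
    Asset("www.example.test", not_after=NOW + 90 * DAY),
    Asset("mail.example.test", not_after=NOW + 10 * DAY),
    Asset("legacy.example.test", not_after=NOW - 1 * DAY),
    Asset("vpn.example.test", verify_error="certificate has expired"),
    Asset("ftp.example.test", port=21),
]


if __name__ == "__main__":
    hosts = sys.argv[1:]
    inventory = [probe(h) for h in hosts] if hosts else SAMPLE_INVENTORY
    now = time.time() if hosts else NOW
    for asset in inventory:
        print(f"{asset.host:28} {classify(asset, now)}")
    print(summarize(inventory, now))
```

Run with no arguments to see the constructed inventory scored (two of five assets land in the expired bucket, so the ratio is 40%); pass real hostnames to probe them live. Keeping certificate verification enabled in `probe` is deliberate: with verification disabled, `getpeercert()` returns an empty dict and the expiry date is lost, whereas the verification error itself tells you why the chain is bad.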
The danger of WordPress
WordPress sites tend to be really secure and really well managed or not well managed. There really is no in-between. – Jeremiah Grossman.
WordPress is a popular open-source content management system that runs millions of sites and is reasonably secure when its core, plugins, and themes are kept up to date.
One good way for an organization to check WordPress for plugin vulnerabilities is WPScan, which maintains a database of known vulnerabilities in WordPress core, plugins, and themes. Running it against a site flags outdated plugin versions and reports the vulnerabilities associated with them.
Remember, bad actors only need one vulnerability within one site to break into an organization’s entire system.
How to protect your company
Grossman provides some guidance for companies to protect their assets, their organization, and their data. He notes that adhering to the security basics can be hard, especially for larger firms, but without them, security risks only increase.
The basics include:
- Keeping a robust, up-to-date asset inventory
- Using multi-factor authentication and not reusing passwords on different systems
- Utilizing a HIPAA compliant email security solution, like Paubox Email Suite
- Performing routine backups of all systems and data (such as email archiving)
- Setting up wire transfer verification for all monetary transactions
Everyone gets compromised; everyone gets breached; it’s only a matter of time. Security can never be perfect. You want to be able to detect these things fast, and you want to be able to recover as quickly and easily as possible. – Jeremiah Grossman.