On May 17, 2022, the cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom published a joint Cybersecurity Advisory on Weak Security Controls and Practices Routinely Exploited for Initial Access (AA22-137A). The advisory detailed the most exploited “poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices” that cybercriminals use to gain access to victim organizations.
While the cybersecurity landscape changes rapidly, many of the techniques malicious actors use to gain initial access remain the same. These actors are frequently observed:
- Exploiting public-facing applications such as websites and databases;
- Leveraging external remote services such as Virtual Private Networks (VPNs);
- Conducting phishing campaigns;
- Gaining access through trusted third-party relationships;
- Using compromised account credentials.
The advisory outlines ten weak security controls and practices that leave organizations vulnerable to these techniques, along with mitigations that can reduce the risk. The advice covers ensuring software is up to date, managing permissions and access controls, enforcing multi-factor authentication, and protecting cloud services, among other topics.
Your organization and your third parties should follow these practices. Third parties are responsible for a growing share of cybersecurity incidents, and those incidents are reported to be among the most costly enterprise data breaches.
RiskRecon performs deep asset discovery and continuous assessments that provide a trusted and transparent view into enterprise security programs. The RiskRecon platform evaluates 37 security criteria across nine security domains, which help organizations assess the effectiveness of their security controls, including many of those detailed in the advisory. Below are two examples of how you can use RiskRecon to address the controls the advisory notes as most commonly exploited.
The advisory notes that open ports and misconfigured services are among the most common vulnerability findings and are often used as an initial attack vector. RiskRecon’s Network Filtering domain analyzes a company’s Internet-facing networks and systems for the presence of unsafe network services and IoT devices. Enterprises should limit the systems and services exposed to the Internet to those that are both safe to expose and necessary for the business; administrative and database services in particular should not be reachable from the Internet without a compensating control such as a VPN with multi-factor authentication.
Additionally, out-of-date software was listed as “one of the most commonly found poor security practices”. The Software Patching domain enumerates systems that are running end-of-life or otherwise vulnerable software. Because the vendor no longer supports end-of-life software, it cannot be patched against known security issues or against new vulnerabilities that are discovered later, which increases the likelihood of compromise. RiskRecon helps you address issues in order of their assigned risk priority, which is determined by combining issue severity with asset value. For software patching issues, RiskRecon uses the CVSS rating as the severity.
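The following script is an added illustration of the two checks just described, not RiskRecon’s code or its scoring algorithm: it takes a constructed inventory of Internet-facing findings, flags services that should not be exposed, flags end-of-life and vulnerable software, and orders the remaining issues by a priority derived from severity and asset value. The list of “unsafe” ports, the three-level asset value scale, the severity assumed for end-of-life software with no known CVE, and the multiplication used to combine severity with asset value are all assumptions made for the example.

```python
"""Triage Internet-facing findings: unsafe exposed services, EOL software,
and a severity-times-asset-value priority. Added example; all policy values
below are assumptions, not RiskRecon's."""
from dataclasses import dataclass
from typing import Optional

# Assumed policy: services that should not be reachable from the Internet.
UNSAFE_INTERNET_SERVICES = {
    21: "ftp", 23: "telnet", 445: "smb", 1433: "mssql", 3306: "mysql",
    3389: "rdp", 5432: "postgresql", 6379: "redis", 27017: "mongodb",
}

# Assumed three-level asset value scale and its weights.
ASSET_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}

# Assumed severity for end-of-life software with no known CVE: it can never
# be patched, so it is treated as high even without a CVSS score.
EOL_ASSUMED_SEVERITY = 7.0


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    software: str
    version: str
    end_of_life: bool
    cvss: Optional[float]   # highest CVSS base score of a known CVE, or None
    asset_value: str        # "high" | "medium" | "low"


def severity(f: Finding) -> float:
    """CVSS when a known vulnerability exists; otherwise the assumed EOL severity."""
    if f.cvss is not None:
        return f.cvss
    return EOL_ASSUMED_SEVERITY if f.end_of_life else 0.0


def risk_priority(f: Finding) -> float:
    """Assumed combination: severity scaled by the asset's value weight."""
    return round(severity(f) * ASSET_WEIGHT[f.asset_value], 2)


def priority_tier(score: float) -> str:
    """Assumed thresholds mapping a priority score to an action tier."""
    if score >= 7.0:
        return "P1"
    if score >= 4.0:
        return "P2"
    if score > 0.0:
        return "P3"
    return "none"


def exposed_unsafe_services(findings):
    """Network Filtering check: Internet-facing ports that should be closed."""
    return [(f.host, f.port, UNSAFE_INTERNET_SERVICES[f.port])
            for f in findings if f.port in UNSAFE_INTERNET_SERVICES]


def triage(findings):
    """Software Patching check: issues ordered by priority, highest first."""
    issues = [(f.host, f.software, f.version, risk_priority(f))
              for f in findings if severity(f) > 0.0]
    issues.sort(key=lambda i: i[3], reverse=True)
    return [(host, sw, ver, score, priority_tier(score))
            for host, sw, ver, score in issues]


# Constructed sample inventory (hosts, versions and CVSS values are invented).
SAMPLE_FINDINGS = [
    Finding("www.example.test", 443, "nginx", "1.18.0", False, None, "high"),
    Finding("db.example.test", 3306, "mysql", "5.6.51", True, None, "high"),
    Finding("vpn.example.test", 443, "vpn-gateway", "2.1", False, 9.8, "high"),
    Finding("legacy.example.test", 23, "telnetd", "0.17", True, None, "low"),
    Finding("blog.example.test", 80, "cms", "4.2", False, 5.3, "medium"),
]

if __name__ == "__main__":
    for host, port, name in exposed_unsafe_services(SAMPLE_FINDINGS):
        print(f"EXPOSED  {host}:{port} ({name})")
    for host, sw, ver, score, tier in triage(SAMPLE_FINDINGS):
        print(f"{tier:4} {score:5.2f}  {host}  {sw} {ver}")
```

The point of separating the two checks is that they answer different questions: an exposed database port is an issue regardless of the software version running behind it, while an end-of-life product with no published CVE still ranks as a patching issue because it cannot be fixed when one appears. The asset weight is what keeps a CVSS 9.8 on a low-value host from outranking a moderate issue on a crown-jewel system; replace the assumed weights and thresholds with your own asset classification.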
These are just a small sample of how RiskRecon helps you manage your own risk and that of your third parties. Beyond the Joint Cybersecurity Advisory, we are constantly evaluating ways to increase our visibility and help our customers manage third-party risk, including the ability to detect additional products, versions, and vulnerabilities. Passive scanning provides varying levels of insight into an organization’s infrastructure; for example, some systems are internal to an organization and not Internet-facing, so they are not observed at all. In other cases, passive scanning may not yield full visibility into the specific vulnerabilities of a product; even then, identifying the product and the information system it runs on provides critical awareness for risk management.