5 bad practices that hinder your security, and how to improve it

Hardly a day goes by without news that yet another business, healthcare organization or government agency has been compromised by a security breach. After the breaches at Target, UCLA, the Office of Personnel Management and scores of other organizations, millions of people in the US have had their personal and financial information compromised by hackers. In part, today’s cloud-based, global-ecosystem economy—in which organizations need to provide employees and third parties access to corporate applications—is to blame. Use of the Internet to access corporate resources, combined with compromised credentials, is rendering traditional secure access solutions, such as VPNs, ineffective.

Despite the known threats, many organizations continue to maintain bad application and network security practices. What follows are five bad practices that are all too common, and what actions you can take to improve your security posture.


1. Leveraging firewall rules to manage access control policies

When a firewall is first put into production, it typically enables a very strong security perimeter. But over time, the perimeter decays. Why? Because we keep opening inbound ports to accommodate new applications and user groups. Meanwhile, security staff members come and go, and soon no one remembers which ports are associated with which specific use case. And while ports are easily opened, it seems they never get closed, because we just aren't certain what will happen if we shut down port x, or whom it might impact. Before long, the security perimeter looks like Swiss cheese. Obviously, proper record-keeping, audits, and controls would mitigate this bad practice, but a more holistic approach to managing inbound traffic may be warranted.
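The record-keeping and audit this paragraph calls for can be automated. The sketch below is an added example, not part of the original article: it checks a constructed list of inbound allow rules against a constructed ownership register. The field names, the finding labels, and the one-year review window are assumptions.

```python
from datetime import date

# Constructed sample data: inbound allow rules as exported from a firewall,
# and the ownership register that should explain each one (hypothetical schema).
RULES = [
    {"proto": "tcp", "port": 443,  "source": "0.0.0.0/0"},
    {"proto": "tcp", "port": 22,   "source": "0.0.0.0/0"},
    {"proto": "tcp", "port": 8443, "source": "203.0.113.0/24"},
    {"proto": "tcp", "port": 3389, "source": "198.51.100.7/32"},
]
REGISTER = {
    ("tcp", 443):  {"owner": "web-team", "public": True,  "reviewed": date(2024, 5, 1)},
    ("tcp", 22):   {"owner": "ops",      "public": False, "reviewed": date(2024, 4, 15)},
    ("tcp", 8443): {"owner": "partners", "public": False, "reviewed": date(2022, 1, 10)},
    ("tcp", 25):   {"owner": "mail",     "public": True,  "reviewed": date(2024, 3, 1)},
}

def audit(rules, register, today, max_age_days=365):
    """Return sorted (finding, proto, port) tuples for rules needing attention."""
    findings = set()
    seen = set()
    for rule in rules:
        key = (rule["proto"], rule["port"])
        seen.add(key)
        entry = register.get(key)
        if entry is None:
            # Nobody can say why this port is open: the "Swiss cheese" case.
            findings.add(("undocumented", *key))
            continue
        if (today - entry["reviewed"]).days > max_age_days:
            findings.add(("stale-review", *key))
        if rule["source"] in ("0.0.0.0/0", "::/0") and not entry["public"]:
            findings.add(("open-to-any", *key))
    # Register entries with no live rule: the record has drifted from reality.
    for key in register.keys() - seen:
        findings.add(("no-matching-rule", *key))
    return sorted(findings)

if __name__ == "__main__":
    for finding, proto, port in audit(RULES, REGISTER, today=date(2024, 6, 1)):
        print(f"{finding:18} {proto}/{port}")
```

Run on a schedule against the real rule export, the "undocumented" and "stale-review" findings become the list of ports to question before anyone forgets why they were opened.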

2. Using VPNs to provide secure access

VPNs are not as secure as you would like to believe, even though they’ve been the de facto secure access solution for more than 20 years. In fact, VPNs have several shortcomings, which are becoming more pronounced as the cloud, mobility, and enterprise ecosystems come to dominate what is turning into an “outside-in” enterprise. The biggest problem with VPNs is that they give devices and users full network access whether they need it or not. They also don’t control access based on user identities as well as is needed, and they can be a management burden, taking significant time to configure, manage, and deploy. At best, they result in fragmented security policies for distributed enterprises. Companies must cease their reliance on this two-decade-old technology and look at more modern solutions.

3. Endorsing a network policy of trusting everyone and every device

The Stagefright vulnerability showed how any device can be silently hijacked, increasing the risk that malicious activity could ride across an authorized connection. With so many users and business partners employing their own devices in the enterprise, we're left in the position of not trusting the people we hire or work with, or at least the security of their devices, since just one compromised device or lost password can open the entire network to attack. It’s safer to assume that any device accessing a network cannot be trusted and be cautious about what various users are allowed to see. In practice, this means not installing clients or certificates on devices. Trust must be transient and re-established on each access attempt via access policies and multifactor authentication.

4. Standing up new enterprise apps, sites without adequate controls

Hackers and bad actors use automated tools that can find new applications and websites in minutes, and immediately compromise those sites by deploying bots and launching attacks. The large public cloud providers that host these sites use a shared security model—they secure their own infrastructure, but the customer is responsible for securing its own apps and data. Customers often don’t realize how vulnerable they are and would be surprised to learn that public cloud providers do not apply the same security measures found in an enterprise data center. When you use the public cloud, you need to focus on security, reinforcing the perimeter around your applications and websites to block hackers.

5. Using outdated technology

Even though Windows Server 2003 is at the end of its life, many companies are still using this outdated product, with its many unpatched security vulnerabilities. Spiceworks reported earlier this year that 61 percent of customers have at least one instance of Windows Server 2003 running, representing millions of installations across both physical and virtualized infrastructures. Generally, the IT industry is plagued by inertia—if it isn’t broken, why fix it? While this may work from a functionality standpoint, it's poor from a security viewpoint. Even if older technology is patched, it doesn’t mean it’s secure and won’t be susceptible to another vulnerability in the near future. Organizations need to make it a priority to shelve antiquated solutions and adopt more current technology designed to address modern security threats.

Turning bad practices into best practices

Public cloud adoption, the desire for greater mobility, and a vibrant partner ecosystem are disruptive forces in the business landscape. To ensure a high level of security amid these changes, you must adopt equally disruptive solutions to protecting your networks, data, and applications.

You can never take a one-and-done approach to security. Security is a practice in and of itself. It must be ongoing in terms of updating, auditing, and evolving the underlying processes and technologies. As part of this practice, you must constantly re-evaluate your own definition of trust and adjust it based on the type of business you have, the value of your security assets, and how big a risk they pose. Vigilance in maintaining security and constant re-evaluation of the solutions and processes being used are the foundation for strong security best practices. 

 
