Low-hanging security fruit you can’t afford to overlook

(Last updated on February 5, 2021)

Vilfredo Pareto got it right many decades ago when he said that 80 percent of the effects come from 20 percent of the causes. This very principle can be applied to your information security program. Rather than getting caught up in unnecessary complexities that only serve to distract, your security risks can be distilled into a minority of vulnerabilities creating the majority of problems. The security gaps that are highlighted in every research report, breach database, and in my own work, typically involve people, business processes, or poorly-implemented technology that is creating a false sense of security.

Regardless of the size of the business, the industry in which it operates, or the level of security maturity, the following security vulnerabilities are present on virtually every network in some form – and they must be discovered and resolved:

  • Weak passwords – they’re everywhere, from your domain accounts to local operating systems, database accounts, web applications and beyond, they are creating untold security risks.
  • Missing patches – as with passwords, a pervasive security problem in most organizations, especially as it relates to third-party software updates for Java, Adobe, and so on.
  • Open network shares – there’s hardly a network that I’ve looked at that doesn’t have share and file permission weaknesses exposing personally-identifiable information and intellectual property.
  • Misconfigured wireless networks – this is when guest users or external attackers with cracked pre-shared keys can hop over and access internal production network segments through system weaknesses that have been overlooked.
  • Internet of Things devices – these increase the attack surface, yet they are often outside the scope of security controls and visibility, such as ongoing vulnerability and penetration testing.
  • Web sites and applications – from the local production system to software out in the cloud – and virtually everything in between, including development, test, and staging systems – I’ve never come across a flawless web system that wasn’t creating risks in some way.
  • Undiscovered databases – with increasing network complexity and shadow IT, there tends to be a slew of database systems that are housing sensitive information, yet they are out of scope in terms of security oversight.
  • Physical security access control and camera systems – these devices and their accompanying web interfaces tend to run with default settings, including weak passwords, and are rarely maintained, thus exposing them to attack.
  • Physical security weaknesses in buildings and across campuses – this includes improper access controls on data centers, unmonitored security cameras, and unencrypted laptop computers that are physically exposed.
  • Web, FTP, telnet services exposing user credentials – these are often critical systems (external and internal) running vulnerable protocols that use cleartext transmission of login information.
  • Mobile devices with little to no security control – these are systems that are used by practically everyone, including high-profile executives who are often targeted. Many users haven’t stopped to think about the sensitive corporate assets and access being exposed due to weak mobile configurations.
  • Gullible users – willing to click any link or open any attachment as long as the email message is compelling enough.
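Several of the items above, notably the web, FTP and telnet services that send login information in cleartext, can be picked out mechanically from a service inventory before anyone spends time on lower-priority findings. The script below is an added example, not code from the original post or from Principle Logic; it parses a constructed, key=value service inventory (the host addresses and record format are assumptions for illustration) and flags services that carry credentials without TLS. It goes slightly beyond the post's list by also covering mail protocols (POP3/IMAP), which expose passwords in the same way.

```python
import re
from dataclasses import dataclass

# Constructed sample inventory (not real hosts): one discovered service per line.
# "tls=na" marks protocols where the question does not apply (SSH encrypts itself).
SAMPLE_INVENTORY = """\
host=10.0.0.5 port=21 service=ftp tls=no
host=10.0.0.5 port=22 service=ssh tls=na
host=10.0.0.7 port=23 service=telnet tls=no
host=10.0.0.9 port=80 service=http tls=no auth=form
host=10.0.0.9 port=443 service=https tls=yes auth=form
host=10.0.0.12 port=110 service=pop3 tls=no
host=10.0.0.12 port=993 service=imap tls=yes
host=10.0.0.15 port=8080 service=http tls=no auth=none
"""

# Protocols that transmit login credentials in cleartext unless wrapped in TLS,
# each paired with the fix that removes the exposure.
CLEARTEXT_AUTH_SERVICES = {
    "ftp": "migrate to SFTP or FTPS and disable plain FTP",
    "telnet": "replace with SSH and disable telnet",
    "pop3": "require POP3S or STARTTLS",
    "imap": "require IMAPS or STARTTLS",
    "http": "serve login forms over HTTPS only and redirect HTTP",
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    remediation: str


def parse_inventory(text):
    """Turn 'key=value ...' lines into dicts; blank lines and # comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        fields["port"] = int(fields["port"])
        records.append(fields)
    return records


def find_cleartext_credential_exposure(records):
    """Return a Finding for every service that would carry a password unencrypted."""
    findings = []
    for rec in records:
        service = rec.get("service", "").lower()
        if service not in CLEARTEXT_AUTH_SERVICES:
            continue
        if rec.get("tls") == "yes":
            continue  # protected by TLS, credentials are not exposed on the wire
        # Plain HTTP only exposes credentials if it actually hosts a login.
        if service == "http" and rec.get("auth", "none") == "none":
            continue
        findings.append(
            Finding(rec["host"], rec["port"], service, CLEARTEXT_AUTH_SERVICES[service])
        )
    return findings


def summarize_by_host(findings):
    """Count exposures per host so the few hosts causing most of the risk stand out."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    hits = find_cleartext_credential_exposure(parse_inventory(SAMPLE_INVENTORY))
    for f in hits:
        print(f"{f.host}:{f.port} {f.service:6s} -> {f.remediation}")
    print("per-host exposure counts:", summarize_by_host(hits))
```

Run against the constructed inventory, the script reports the FTP, telnet, plain-HTTP login form and POP3 services and leaves SSH, HTTPS, IMAPS and the HTTP listener without a login alone, which is the triage the post argues for: fix the handful of cleartext-credential services first, then move on to the rest.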

Of course, you could go off in many directions chasing down various lower-priority security findings, but such efforts are usually not fruitful until you have found and fixed all your low-hanging fruit first.

Don’t let the vital few get lost in the trivial many. Focus your security efforts on the vulnerabilities that matter. This requires regular in-depth vulnerability and penetration testing that looks across your entire network to find the exposure points. The moment you get sidetracked with security vulnerabilities of minimal importance, you lose focus. And when you lose focus, the inevitable incident or breach will, no doubt, surface.


Written by

Kevin Beaver

Kevin Beaver is an independent information security consultant, writer, and professional speaker with Atlanta, Georgia-based Principle Logic, LLC. With over three decades of experience in the industry, Kevin specializes in performing independent security assessments and consulting to help his clients uncheck the boxes that keep creating a false sense of security. He has written over 1,300 articles and 12 books on information security, including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. Kevin can be reached through his website at https://www.principlelogic.com/.
