8 hidden security vulnerabilities that may trip up providers
Configuration errors, lack of IT controls and insecure internal processes all contribute to vulnerabilities that could lead to a data security breach, according to Continuum, a platform vendor offering a variety of managed IT services. Experts from the company identify potential landmines that healthcare providers should avoid.
Storing default user names or passwords on devices
Once intruders have learned the basics about a victim's computer, such as its IP address, open ports and the services listening on those ports (all of which freely available network scanners will report), their first move is usually the least sophisticated one: logging in with default or easily guessed credentials, which looks like ordinary activity and leaves far fewer traces in logs than an exploit would. Simple automated tools and wordlists make password guessing a breeze. Most network appliances, such as firewalls, wireless access points and routers, ship with widely known factory credentials, often printed in the vendor's manual or published on its website. Change them before the device goes on the network, and watch the logs for the bursts of failed logins that automated guessing produces.
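The bursts of failed logins that automated credential guessing leaves behind are easy to spot if someone looks. The following is an added example, not code from Continuum or from the original article: a small Python detector that runs over sshd-style log lines, flags any source address with five or more failures inside a sliding 60-second window, and notes when a successful login follows such a burst (the signature of a guessed default password). The log lines, host name and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in sshd/syslog style; not taken from a real system.
# 203.0.113.7 hammers the built-in "admin" account and eventually gets in;
# 10.0.0.5 is a single typo by a normal user.
SAMPLE_LOG = """\
Mar 10 09:00:01 fw01 sshd[2201]: Failed password for admin from 203.0.113.7 port 50122 ssh2
Mar 10 09:00:02 fw01 sshd[2203]: Failed password for admin from 203.0.113.7 port 50123 ssh2
Mar 10 09:00:04 fw01 sshd[2205]: Failed password for admin from 203.0.113.7 port 50124 ssh2
Mar 10 09:00:05 fw01 sshd[2207]: Failed password for invalid user root from 203.0.113.7 port 50125 ssh2
Mar 10 09:00:07 fw01 sshd[2209]: Failed password for admin from 203.0.113.7 port 50126 ssh2
Mar 10 09:00:09 fw01 sshd[2211]: Failed password for admin from 203.0.113.7 port 50127 ssh2
Mar 10 09:00:20 fw01 sshd[2240]: Accepted password for admin from 203.0.113.7 port 50140 ssh2
Mar 10 09:05:00 fw01 sshd[2301]: Failed password for jsmith from 10.0.0.5 port 40001 ssh2
Mar 10 09:05:09 fw01 sshd[2303]: Accepted password for jsmith from 10.0.0.5 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"failures", "users", "success_after_burst"}} for sources
    that produced `threshold` or more failed logins within `window_seconds`."""
    recent = defaultdict(list)      # ip -> timestamps of failures still inside the window
    users = defaultdict(set)        # ip -> user names tried
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year; fine for ordering
        ip = m["ip"]
        window = recent[ip]
        # Drop failures that have aged out of the sliding window.
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.pop(0)
        if m["result"] == "Failed":
            window.append(ts)
            users[ip].add(m["user"])
            if len(window) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "users": users[ip],
                                             "success_after_burst": False})
                f["failures"] = max(f["failures"], len(window))
        elif ip in findings and len(window) >= threshold:
            # A successful login right after a burst of failures: the guess worked.
            findings[ip]["success_after_burst"] = True
    return findings

if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, f["failures"], "failures, users tried:", sorted(f["users"]),
              "LOGIN SUCCEEDED" if f["success_after_burst"] else "")
```

The threshold and window are deliberately low; tune them to the device, and treat "success after burst" as an incident rather than an alert to review later.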
Giving free rein to privileged users
How will a provider spot a threat if there is no process for reviewing users with domain administrative access or other privileged accounts? Periodically assessing the list of users with elevated privileges allows removal of access for users who have changed positions within the organization. Additionally, IT administrators should use a separate, unprivileged account for routine tasks that do not require administrative rights, and users with powerful roles, such as backup administrators, should likewise have a dedicated elevated account that is used only for that work.
Forgetting to remove terminated users
This is a simple but valuable manual process. Organizations often lack procedures and controls to manage the provisioning and removal of accounts for new and existing users. Generic accounts created for vendors, consultants and contractors are never reviewed or deleted. For very small organizations with minimal turnover, it may not be a big deal; a frequent user account review may not be needed, because the IT administrator knows who has powerful access and when someone leaves the company. However, when the organization is growing and sees a lot of traffic in terms of contractors, consultants and employee turnover, it is a good idea to implement a periodic review of user access, especially for accounts with administrative privileges, that compares what the directory grants against what HR says each person currently does.
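The periodic review described in this section and the one before it comes down to one reconciliation: privileged group membership against the HR roster and an approved-roles list. The block below is an added example, not Continuum's tooling or code from the original article. It assumes a directory export of privileged group members (account, group, last logon) and an HR roster (status, job role), both constructed here with made-up names; it flags terminated users, users whose current role no longer justifies the group, generic accounts with no active named owner, and accounts that have not logged on in 90 days.

```python
from datetime import date

# Constructed inputs. In practice MEMBERS comes from a directory export of
# the administrative groups and ROSTER from the HR system; names and dates are made up.
MEMBERS = [
    {"account": "asmith",      "group": "Domain Admins",    "last_logon": "2024-03-01"},
    {"account": "bjones",      "group": "Domain Admins",    "last_logon": "2023-09-14"},
    {"account": "cwu",         "group": "Domain Admins",    "last_logon": "2024-03-02"},
    {"account": "svc_vendor1", "group": "Backup Operators", "last_logon": "2024-02-20"},
    {"account": "dlee",        "group": "Backup Operators", "last_logon": "2024-03-03"},
]
ROSTER = {
    "asmith": {"status": "active",     "role": "sysadmin"},
    "bjones": {"status": "terminated", "role": "sysadmin"},
    "cwu":    {"status": "active",     "role": "helpdesk"},   # moved off the sysadmin team
    "dlee":   {"status": "active",     "role": "backup"},
}
# Which job roles justify membership in each privileged group.
APPROVED_ROLES = {
    "Domain Admins":    {"sysadmin"},
    "Backup Operators": {"sysadmin", "backup"},
}
# Generic/vendor accounts must have a current employee recorded as owner.
OWNERS = {"svc_vendor1": None}

def review_privileged_access(members, roster, approved_roles, owners, today, stale_days=90):
    """Return (account, group, reason) tuples for memberships to remove or re-approve."""
    findings = []
    for m in members:
        acct, group = m["account"], m["group"]
        reasons = []
        person = roster.get(acct)
        if person is None:
            # Not a person: a shared, service or vendor account. Somebody must own it.
            owner = owners.get(acct)
            if owner is None or roster.get(owner, {}).get("status") != "active":
                reasons.append("generic account with no active named owner")
        elif person["status"] != "active":
            reasons.append("user is %s in HR" % person["status"])
        elif person["role"] not in approved_roles.get(group, set()):
            reasons.append("role '%s' not approved for %s" % (person["role"], group))
        last = date.fromisoformat(m["last_logon"])
        if (today - last).days > stale_days:
            reasons.append("no logon for %d days" % (today - last).days)
        for r in reasons:
            findings.append((acct, group, r))
    return findings

if __name__ == "__main__":
    for acct, group, reason in review_privileged_access(
            MEMBERS, ROSTER, APPROVED_ROLES, OWNERS, date(2024, 3, 5)):
        print("%-12s %-17s %s" % (acct, group, reason))
```

Run it on a schedule and route every finding to the group owner for an explicit keep-or-remove decision; a review that nobody has to sign off on is a review nobody does.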
Not using a baseline security configuration for servers
Most vulnerabilities reported by scanners are a result of insecure default configuration of the operating system. OS vendors ship their products with many services and features enabled so that everything works out of the box, which costs performance as well as security. Services that become a liability because of security issues are set to start automatically and listen on well-known ports. To implement the security policy, there should be clear configuration guidance aligned with the business requirements: a baseline per server role that says which services may run and which ports may listen, against which every server is checked. The Security Content Automation Protocol (SCAP) provides machine-readable checklists and baselines for various operating systems and applications that can be used for exactly this.
Leaving FTP and Telnet services enabled
Among the services commonly found enabled on servers are File Transfer Protocol (FTP), Telnet and Terminal Services. Data sent over FTP and Telnet can be sniffed with freely available tools: both send user names and passwords in clear text at login, and FTP transfers the file contents in clear text too, so anyone positioned on the network path can capture them and reuse the credentials. There are often valid business reasons to offer file transfer and remote administration; however, there are secure equivalents for each. Use SFTP (or FTPS) instead of FTP, SSH instead of Telnet, and Remote Desktop Protocol (RDP) with TLS and Network Level Authentication for Terminal Services, or tunnel legacy traffic that cannot be replaced over an IPsec VPN.
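The two preceding sections amount to one check: compare what a server actually listens on against the baseline for its role, and treat clear-text protocols as a failure regardless of what the baseline says. Here is that check as an added Python example, not code from Continuum or the original article. It parses the output of the Linux `ss -tlnp` command (a constructed sample is embedded, not captured from a real host) and assumes a hypothetical baseline in which a web server may expose only SSH and HTTPS.

```python
import re

# Constructed `ss -tlnp` output for a host whose role is "webserver";
# not captured from a real machine.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=901,fd=4))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=655,fd=5))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1200,fd=6))
LISTEN 0      511    [::]:443            [::]:*            users:(("nginx",pid=1200,fd=7))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1050,fd=20))
"""

# Hypothetical baseline: the only ports allowed to listen on a non-loopback
# address for each server role. Anything else must be explained or removed.
BASELINE = {"webserver": {22, 443}}

# Legacy protocols that carry credentials in clear text; never acceptable.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 69: "TFTP", 512: "rexec", 513: "rlogin", 514: "rsh"}

LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"')

def parse_listeners(ss_text):
    """Yield (address, port, process) for each LISTEN line of `ss -tlnp` output."""
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m["addr"].rsplit(":", 1)       # handles "[::]:443" as well as "0.0.0.0:22"
        yield addr.strip("[]"), int(port), m["proc"]

def check_baseline(ss_text, role, baseline=BASELINE, cleartext=CLEARTEXT_PORTS):
    """Return (port, process, severity, message) for every deviation from the role baseline."""
    allowed = baseline[role]
    findings = []
    for addr, port, proc in parse_listeners(ss_text):
        loopback = addr in ("127.0.0.1", "::1")
        if port in cleartext:
            findings.append((port, proc, "critical",
                             "%s sends credentials in clear text; disable it" % cleartext[port]))
        elif port not in allowed and not loopback:
            findings.append((port, proc, "high", "not in the %s baseline" % role))
        elif port not in allowed:
            findings.append((port, proc, "info", "loopback-only listener; confirm it is needed"))
    return findings

if __name__ == "__main__":
    for port, proc, sev, msg in check_baseline(SS_OUTPUT, "webserver"):
        print("%-8s port %-5d %-8s %s" % (sev, port, proc, msg))
```

On the sample host the FTP and Telnet listeners come out as critical, the loopback-only database listener as informational, and the SSH and HTTPS listeners pass. The same structure works for a Windows host by feeding it the output of `netstat -ano` with a matching regular expression.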
Using weak ciphers such as RC4
There have been proofs of concept, as well as practical attacks, demonstrating weaknesses in the RC4 algorithm and the keystream it generates. The keystream is not uniformly random: certain byte positions take certain values measurably more often than they should, and an intruder who collects enough ciphertexts of the same plaintext under different keys can use those biases to recover the plaintext without ever learning a key. Communications over SSL/TLS may still use RC4 to encrypt data sent over public networks if the RC4 cipher suites have not been turned off in the server configuration; a session cookie that is re-sent on every request is exactly the kind of repeated plaintext these attacks need. RFC 7465 prohibits RC4 cipher suites in all versions of TLS, and current browsers no longer negotiate them, so servers should disable RC4 explicitly and confirm it with a TLS scanner.
Not updating server message block protocol
It is important to run only current versions of the Server Message Block (SMB) protocol and to keep them patched. SMB, which dates back to the 1980s and is built into every version of Windows, lets users read and write files on remote servers and is used for file and print sharing on internal storage servers. It was never designed for exposure to the Internet: TCP port 445 (and the older NetBIOS port 139) should be blocked at the perimeter in both directions, inbound so that shares cannot be reached from outside and outbound so that internal clients cannot be lured into authenticating to a server on the Internet.
The SMB protocol has had a vulnerability for at least 18 years that can be exploited with man-in-the-middle (MiTM) techniques. An attacker who can redirect a request from the user's browser, or from another application that uses the Windows HTTP libraries, to a rogue file share gets Windows to authenticate to that share automatically, sending the user name together with an NTLM challenge-response; the captured response can be cracked offline to recover the password or relayed to another server in a relay attack. Because it is such a security concern, Microsoft regularly releases patches for SMB, and users should deploy them as soon as they become available, disable the obsolete SMBv1 dialect, require SMB signing on servers and clients, and verify that outbound SMB really is blocked at the firewall.
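The cheapest check against the redirect-to-SMB scenario above is to look at the firewall logs for SMB crossing the perimeter in either direction. The block below is an added Python example, not Continuum's tooling or code from the original article. It assumes a hypothetical firewall log format (timestamp, action, protocol, source, destination; the lines are constructed, not captured) and that the organization's internal address space is the RFC 1918 ranges; it flags outbound SMB to any external host, which is the credential-leak path, and any allowed inbound SMB from outside.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed firewall log lines (not from a real device). Assumed format:
#   <timestamp> <action> <proto> <src ip>:<port> -> <dst ip>:<port>
FIREWALL_LOG = """\
2024-03-10T09:12:01Z ALLOW TCP 10.0.5.23:51012 -> 10.0.1.8:445
2024-03-10T09:12:07Z ALLOW TCP 10.0.5.23:51013 -> 198.51.100.9:445
2024-03-10T09:12:09Z ALLOW TCP 10.0.5.23:51014 -> 198.51.100.9:139
2024-03-10T09:13:30Z ALLOW TCP 10.0.7.41:49822 -> 203.0.113.20:443
2024-03-10T09:14:02Z DENY  TCP 203.0.113.50:61000 -> 10.0.1.8:445
"""

# The organisation's own address space (assumed to be the RFC 1918 ranges);
# anything outside it is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
SMB_PORTS = {445, 139}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_internal(ip_str):
    ip = ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)

def find_smb_exposure(log_text):
    """Return (timestamp, src, dst, reason) for SMB traffic that crosses the perimeter."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) not in SMB_PORTS:
            continue
        src, dst = m["src"], m["dst"]
        if is_internal(src) and not is_internal(dst):
            # Outbound SMB to the Internet: the client offers its NTLM credentials
            # to whoever answers, which is exactly what redirect-to-SMB abuses.
            findings.append((m["ts"], src, dst, "outbound SMB to external host (credential leak)"))
        elif not is_internal(src) and is_internal(dst) and m["action"] == "ALLOW":
            findings.append((m["ts"], src, dst, "inbound SMB from the Internet allowed"))
    return findings

if __name__ == "__main__":
    for ts, src, dst, reason in find_smb_exposure(FIREWALL_LOG):
        print(ts, src, "->", dst, reason)
```

Any outbound hit is worth following up on the client: the user name that was offered to the external host should be treated as exposed and its password changed, and the page or document that triggered the connection should be found.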