“We got unreasonably lucky here. We can't just bank on that going forward.”
That's Andres Freund commenting on the exploit he discovered in the widely used, open-source software XZ Utils.
Andres is dead right: we can't bank on luck going forward. Maybe that worked in years past, but cyber threats are now so ubiquitous and so automated that it's only a matter of time before your network's vulnerabilities are found out.
What are you doing to find those vulnerabilities before anyone else does?
Here are some ideas:
1. Vulnerability scans. Yes, we're all familiar with these, but how often do you scan your network, especially the perimeter? It should be done continuously.
2. Penetration testing. Again, almost everyone is familiar with the idea of pentesting and probably cringes thinking of the high cost and the disruption to your work whenever the annual pentest rolls around. But that's the old way of doing things. The better way is frequent (at least monthly), less costly pentests focused mostly on your perimeter. For example, we do this every month for our customers and present the findings in our monthly security review. Technology changes too quickly to wait 6 months or a year for the next pentest.
3. Cyber risk monitoring. This is a service provided by companies like BitSight, SecurityScorecard, and others. It's what your insurance company, your customers, and potential customers use to size you up and determine if they want to do business with you. It is all sourced from data that attackers can get and use to find your weaknesses, too.
4. Active Directory attack path monitoring. Do you know how many paths there are from a breached user to domain admin? With new accounts being created, old permissions forgotten about, and paths to admin not understood, your sensitive data and servers are more at risk than you realize. We use a tool called BloodHound to show you exactly where the paths to admin are so you can lock them down.
5. Test your defenses. Have you ever run real threats against your environment to know if your security tools are working? We like a tool called BlindSpot that does just that. Think about it: you test backups for a reason. Why not test your security tools, too?
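To make item 4 concrete, here is an added example (not code from this post and not BloodHound's own code, which stores the graph in Neo4j and queries it in Cypher). It builds a small, constructed Active Directory relationship graph, enumerates every simple path from a compromised user to the Domain Admins group, and ranks the edges whose removal would close the most paths. The relationship names reuse BloodHound's vocabulary (MemberOf, AdminTo, HasSession, GenericAll); every principal, host and edge is invented for the example.

```python
"""Added example (not from the original post, not BloodHound code):
enumerate attack paths from a breached principal to Domain Admins over a
small, constructed Active Directory relationship graph."""
from collections import Counter, defaultdict

# Constructed edges (source, relationship, target). Relationship names reuse
# BloodHound's vocabulary; the principals, hosts and edges are invented.
EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS01.corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS02.corp.local"),
    ("WS01.corp.local", "HasSession", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "GenericAll", "DOMAIN ADMINS@corp.local"),
    ("alice@corp.local", "MemberOf", "DEV@corp.local"),
    ("DEV@corp.local", "AdminTo", "WS02.corp.local"),
    ("WS02.corp.local", "HasSession", "bob@corp.local"),
    ("bob@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
    ("carol@corp.local", "MemberOf", "FINANCE@corp.local"),
    ("FINANCE@corp.local", "AdminTo", "WS03.corp.local"),
]
TARGET = "DOMAIN ADMINS@corp.local"


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def find_paths(graph, start, target, max_depth=8):
    """All simple paths from start to target, each a list of (src, rel, dst).
    Depth is capped so a large or cyclic graph cannot blow up the search."""
    paths = []

    def walk(node, visited, trail):
        if node == target:
            paths.append(list(trail))
            return
        if len(trail) >= max_depth:
            return
        for rel, nxt in graph.get(node, []):
            if nxt in visited:  # simple paths only: never revisit a node
                continue
            visited.add(nxt)
            trail.append((node, rel, nxt))
            walk(nxt, visited, trail)
            trail.pop()
            visited.discard(nxt)

    walk(start, {start}, [])
    return paths


def shortest_path(paths):
    """The path with the fewest hops, or None when there is no path at all."""
    return min(paths, key=len) if paths else None


def rank_edges_to_cut(paths):
    """Edges ordered by how many of the paths they sit on. Fixing the top
    entries (removing a group membership, clearing a privileged session,
    trimming an ACL) closes the most paths for the least work."""
    counts = Counter(edge for path in paths for edge in path)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def format_path(path):
    """Render a path as 'a -[rel]-> b -[rel]-> c'."""
    steps = "".join(f"{src} -[{rel}]-> " for src, rel, _ in path)
    return steps + path[-1][2]


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for user in ("alice@corp.local", "carol@corp.local"):
        found = find_paths(graph, user, TARGET)
        print(f"{user}: {len(found)} path(s) to {TARGET}")
        for path in found:
            print("  " + format_path(path))
        for (src, rel, dst), n in rank_edges_to_cut(found)[:2]:
            print(f"  cut {src} -[{rel}]-> {dst}: closes {n} path(s)")
```

Running it shows three paths from alice to Domain Admins and none from carol; two of alice's paths share bob's session on WS02 and bob's Domain Admins membership, so those are the edges to fix first. Against a real domain the same search runs over the graph BloodHound collects, but the output to act on is the same: the ranked list of memberships, sessions and ACLs to remove.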