4 Cybersecurity Best Practices in Protecting Servers
The UK’s Information Commissioner’s Office recently fined Cathay Pacific £500,000 for failing to protect the company’s servers, leading to customers’ personal details being exposed; 111,578 of those customers were from the UK, and nearly 9.4 million more worldwide.
The data breach at Cathay Pacific came to light when the company disclosed on October 24, 2018 that it discovered unauthorized access to some of its information systems containing data of 9.4 million customers. In a statement about the fine imposed by the UK’s Information Commissioner’s Office, Cathay Pacific said it “would once again like to express its regret, and to sincerely apologize for this incident”.
According to the UK’s Information Commissioner’s Office, the large-scale data breach at Cathay Pacific covered a period of more than 4 years, between October 2014 and May 2018. Here are the findings of the Information Commissioner’s Office that highlight the cybersecurity best practices needed to protect servers:
1. Properly manage vulnerability scanning
According to the UK’s Information Commissioner’s Office, Cathay Pacific itself informed the Office that it suspected one of its internet-facing servers had been illegally accessed by exploiting a known security vulnerability. Although a security update fixing this vulnerability had been available for more than 10 years, the Information Commissioner’s Office said the company failed to apply it.
Although unnamed, the security vulnerability was described as a server vulnerability known and published via the Common Vulnerabilities and Exposures (CVE) more than 10 years ago, specifically on February 21, 2007. This particular security vulnerability is said to allow “remote attackers to bypass authentication and gain administrative access via direct request” and “very little knowledge or skill is required to exploit it”.
The company admitted that even though the security vulnerability had been known for more than 10 years, its vulnerability scanner did not detect it, despite the company having used this scanner since 2014. The Information Commissioner’s Office said that Cathay Pacific’s failure to manage its vulnerability scanning appropriately enabled the attackers to exploit the vulnerability as part of the data breach, carrying out reconnaissance from the vulnerable internet-facing server.
2. Never use a server operating system (OS) that no longer receives software updates
According to the Information Commissioner’s Office, one of Cathay Pacific’s servers that was exploited by the attackers was no longer supported by the software vendor. Unsupported software is software that no longer receives security updates.
No software exists without a security vulnerability. This imperfect nature of software is the reason why software vendors regularly release updates in order to fix known security vulnerabilities. Software vendors, however, limit the release of security updates for only a certain number of years. Beyond this time limit, also known as lifespan, software vendors typically no longer issue security updates.
The continuous use of server operating systems that no longer receive security updates leaves your organization’s server vulnerable to cyberattacks. Cyber criminals specifically target server operating systems that no longer receive security updates as they’re confident there won’t be fixes to the vulnerabilities that they’re exploiting, leaving their victims defenceless.
3. Up-to-Date Patch Management
A patch is another term for a security update that “patches” or fixes a particular error in the source code of the software. The thing with patches is that there are too many of them, especially if your organization is using tens, hundreds or even thousands of computers. A single computer contains more than one piece of software that needs security updates, and multiplying that number of updates across hundreds or thousands of computers makes patching a messy process.
It’s, therefore, important for organizations to observe proper patch management – the process of prioritizing what patches should be applied first. In the order of priority, server OS needs to be patched first. Security vulnerabilities in server OS are often exploited by attackers as servers are often the entry point to the victims’ networks.
In the case of the Cathay Pacific data breach, the Information Commissioner’s Office found Cathay Pacific could not provide any evidence of up-to-date patch management for 2 of the servers compromised in the data breach. One server which was compromised for 8 months, between November 2017 and July 2018, had 16 missing security updates, 12 of which were easily exploitable, the Information Commissioner’s Office said.
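Points 2 and 3 together describe one triage routine: first separate the hosts whose OS is out of support, because no patch will ever arrive for them and they need an upgrade or decommissioning, then order the remaining missing patches with servers first, server OS before applications, exploitable patches before the rest, and oldest first. The following is an added example of that triage, not code from the original article or from any vendor; the OS names, end-of-support dates, hostnames and patch identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data for illustration only: OS names, end-of-support
# dates, hostnames and patch identifiers are placeholders.

# Vendor end-of-support dates the organization tracks (placeholder values).
END_OF_SUPPORT = {
    "ExampleOS 1": date(2015, 7, 14),
    "ExampleOS 2": date(2023, 10, 10),
}


@dataclass(frozen=True)
class MissingPatch:
    patch_id: str
    component: str      # "os" for the operating system, else the application name
    released: date      # when the vendor published the fix
    exploitable: bool   # vendor or scanner reports the flaw is easily exploitable


@dataclass
class Host:
    name: str
    role: str           # "server" or "workstation"
    os_name: str
    missing: list = field(default_factory=list)


def unsupported_hosts(hosts, today, eol=END_OF_SUPPORT):
    """Hosts whose OS no longer receives security updates. An OS that is not
    in the tracked table is flagged too: unknown support status is treated
    as unsupported until someone verifies it."""
    flagged = []
    for h in hosts:
        end = eol.get(h.os_name)
        if end is None or end <= today:
            flagged.append(h.name)
    return flagged


def patch_queue(hosts, today, eol=END_OF_SUPPORT):
    """Missing patches on supported hosts as (host, patch_id, age_in_days),
    ordered: servers first, then OS patches before application patches,
    then exploitable patches before the rest, then oldest first."""
    skip = set(unsupported_hosts(hosts, today, eol))
    items = []
    for h in hosts:
        if h.name in skip:
            continue
        for p in h.missing:
            age_days = (today - p.released).days
            sort_key = (h.role != "server", p.component != "os",
                        not p.exploitable, -age_days)
            items.append((sort_key, (h.name, p.patch_id, age_days)))
    return [entry for _, entry in sorted(items)]


def triage(hosts, today, eol=END_OF_SUPPORT):
    """One report for the patch meeting: what must be replaced, and in what
    order the rest gets patched."""
    return {
        "unsupported": unsupported_hosts(hosts, today, eol),
        "patch_queue": patch_queue(hosts, today, eol),
    }


# Constructed fleet: one out-of-support server, one supported server with a
# mix of OS and application patches outstanding, one workstation.
HOSTS = [
    Host("srv-legacy", "server", "ExampleOS 1",
         [MissingPatch("P-100", "os", date(2017, 11, 1), True)]),
    Host("srv-web", "server", "ExampleOS 2", [
        MissingPatch("P-201", "example-app", date(2018, 5, 1), True),
        MissingPatch("P-202", "os", date(2018, 3, 1), False),
        MissingPatch("P-203", "os", date(2017, 12, 1), True),
    ]),
    Host("ws-17", "workstation", "ExampleOS 2",
         [MissingPatch("P-301", "os", date(2017, 6, 1), True)]),
]

if __name__ == "__main__":
    report = triage(HOSTS, date(2018, 7, 31))
    print("replace or decommission:", ", ".join(report["unsupported"]))
    for host, patch, age in report["patch_queue"]:
        print(f"patch {host}: {patch} (outstanding {age} days)")
```

The age column gives the evidence trail the article says Cathay Pacific could not produce: a queue entry that has been outstanding for months is visible as such, and a host that sits in the "unsupported" list cannot be hidden inside a patch backlog.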
4. Privileged Access Management
Privileged access management refers to the strategy of controlling “privileged” access to accounts, processes and systems across your organization’s IT environment. In the context of privileged access management, all your organization’s servers should only be used for necessary operations, for instance, applying server OS security updates, and shouldn’t be used as if they were ordinary desktops. Access to these servers should also be time-bounded, that is, granted only for a limited period.
In the case of the Cathay Pacific data breach, the Information Commissioner’s Office found Cathay Pacific’s IT system had 90 permanent accounts in the domain administrator group, giving full access to the company’s servers.
“It is also best practice to adhere to the concept of ‘just enough administration’, whereby each account is only given the tools it needs to perform its own administrative tasks,” UK’s Information Commissioner’s Office said. “Linked to that is the concept of ‘just in time administration’, whereby such permissions are afforded for a limited period, rather than on a permanent basis.”
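The two concepts the Information Commissioner’s Office names map onto two checks: “just enough administration” means a grant carries only the tasks a role needs, and “just in time administration” means every grant has an expiry and an approval reference, so standing membership in an all-powerful group becomes an audit finding. The following is an added example of a small privilege ledger with both checks, not code from the original article or from any directory product; the account names, group names, role-to-task table and timestamps are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data for illustration only: account names, group
# names, the role table and timestamps are placeholders.

# Just enough administration: each role maps to the tasks it may perform.
# "*" marks the role that can do anything, which is exactly what should be
# rare and time-bounded.
ROLE_TASKS = {
    "Domain Admins": {"*"},
    "patch-operators": {"install-updates", "reboot"},
    "backup-operators": {"run-backup", "restore-backup"},
}


@dataclass(frozen=True)
class Grant:
    account: str
    group: str
    granted_at: datetime
    expires_at: Optional[datetime]   # None means a standing (permanent) grant
    ticket: str = ""                 # change or approval reference


def request_privilege(ledger, account, group, now, ticket,
                      duration=timedelta(hours=4)):
    """Just-in-time grant: membership is time-bounded and tied to an
    approval reference. Refuses grants with no ticket and unknown roles."""
    if not ticket:
        raise ValueError("a JIT grant needs an approval reference")
    if group not in ROLE_TASKS:
        raise ValueError(f"unknown role {group!r}")
    grant = Grant(account, group, now, now + duration, ticket)
    ledger.append(grant)
    return grant


def active_grants(ledger, account, now):
    """Grants for an account that have not expired at time `now`."""
    return [g for g in ledger
            if g.account == account and (g.expires_at is None or g.expires_at > now)]


def allowed(ledger, account, task, now):
    """Authorization check: is `task` covered by any active grant?"""
    for g in active_grants(ledger, account, now):
        tasks = ROLE_TASKS.get(g.group, set())
        if "*" in tasks or task in tasks:
            return True
    return False


def audit_privileged_group(ledger, group, now, max_standing=0):
    """Flags standing (never-expiring) memberships and grants without an
    approval reference. `ok` is False if either exceeds what policy allows."""
    in_group = [g for g in ledger if g.group == group]
    standing = sorted({g.account for g in in_group if g.expires_at is None})
    unapproved = sorted({g.account for g in in_group if not g.ticket})
    active = sorted({g.account for g in in_group
                     if g.expires_at is None or g.expires_at > now})
    return {
        "group": group,
        "active": active,
        "standing": standing,
        "unapproved": unapproved,
        "ok": len(standing) <= max_standing and not unapproved,
    }


# Constructed ledger: three permanent domain admins (the pattern the ICO
# criticized) plus one time-bounded, ticketed grant for a patch task.
NOW = datetime(2018, 7, 1, 10, 0)
LEDGER = [
    Grant("admin-a", "Domain Admins", datetime(2015, 1, 5, 9, 0), None),
    Grant("admin-b", "Domain Admins", datetime(2016, 3, 2, 9, 0), None),
    Grant("svc-legacy", "Domain Admins", datetime(2014, 9, 9, 9, 0), None, "CHG-0001"),
]
request_privilege(LEDGER, "ops-carol", "patch-operators",
                  datetime(2018, 7, 1, 8, 0), "CHG-0042")

if __name__ == "__main__":
    report = audit_privileged_group(LEDGER, "Domain Admins", NOW)
    print(f"{report['group']}: standing={report['standing']} "
          f"unapproved={report['unapproved']} ok={report['ok']}")
    print("ops-carol may install updates now:",
          allowed(LEDGER, "ops-carol", "install-updates", NOW))
    print("ops-carol may reset passwords now:",
          allowed(LEDGER, "ops-carol", "reset-password", NOW))
```

Two design choices matter here: the expiry is enforced at authorization time rather than by a clean-up job that may never run, and the audit counts standing grants against a policy maximum, so a group with 90 permanent members fails the check automatically rather than depending on someone noticing.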
Protecting your servers is a full-time job, and requires specialized knowledge. When you need help, our trained and certified experts are a phone call away.
Call today (416) 920-3000 or email us at firstname.lastname@example.org and mitigate the risks within hours.