5 cyber security basics you can’t afford to ignore

Opinion
Sep 20, 2018 | 5 mins
Asset Management Software, Network Security, Security

Don't underestimate the impact of good cyber security housekeeping for preventing a successful attack.

The recently discovered vulnerability involving fax lines on HP multi-function devices, termed Faxploit, is a reminder of the importance of fundamental security practices.

I did something a few weeks ago I rarely do: ignore a report about a significant vulnerability. Check Point Software released a very detailed analysis about the possibility of a network being attacked via a fax line. Perhaps it was disbelief, or alert fatigue, but I remember thinking that if a bad actor could attack a network using just a fax line, it was time for me to retire and take up chicken farming. As such, I ignored it for a few days.

The following Saturday, during my weekly hike, I was listening to the Security Now podcast led by Steve Gibson, someone whose judgment I trust. He spent much of the podcast discussing the fax vulnerability in great detail. Based on his report, I was forced to stop ignoring it, and spent a good bit of that Saturday afternoon planning my response.

A quick quiz: How many of you can quickly produce an inventory of all of your HP Officejet multi-function devices, particularly the models that are known to be impacted by this vulnerability? If you are like most, I suspect you answered with a blank stare.

Asset inventory is one of a number of basic cyber security housekeeping items that are critical, and yet are overlooked or simply ignored by many organizations. The folks that learn to do these security basics consistently and well can significantly lessen their chance of a successful attack. Those who neglect these in favor of focus on more complex problems and systems will generally pay the price in terms of intrusions, data breaches, and malware attacks.

Device inventory is just one of many housekeeping tasks critical to a secure environment. Here are 5 areas to focus on.

Asset inventory

With reference to the HP fax vulnerability mentioned above, most organizations I have encountered have poor or no asset inventory practices. In their article 10 Shocking Inventory Management Statistics, Capterra reported that only 46 percent of small and medium-sized businesses properly track assets. In my experience, enterprises are not much better. This problem is particularly prevalent in healthcare, where organizations often have thousands of network-connected devices they must account for. Without such an inventory, any announced device vulnerability will likely result in an urgent effort to search for matching devices. Having an inventory means issues can be more quickly remediated, lessening organizational risk.

Asset inventory is also a key aspect of incident response. One of the common incident types investigated by security operation centers is a device that is either infected with malware or is sending and receiving suspicious network traffic. Without a good asset inventory, it is difficult or impossible to track such devices down for analysis and remediation.

Address assignments

Sooner or later, you will get a stream of security warnings involving a particular IP address. When this happens, you will need to know quickly what the associated device is, and where it is located. Unfortunately, many organizations do not have such lists, and the longer time required to diagnose and resolve a security issue may be the difference between a successful and unsuccessful attack. Make sure you have a list of all your static addresses, and that you can quickly look up dynamic addresses.
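The lookup described under "Asset inventory" and "Address assignments", as an added example that is not part of the original article: it resolves an alerting IP address to a device and location, checking static assignments first and then DHCP lease history by time, because a dynamic address can belong to different devices on different days. All MAC addresses, models, locations and lease records below are constructed sample data.

```python
import ipaddress
from datetime import datetime

# Constructed sample data: asset inventory keyed by MAC address.
INVENTORY = {
    "00:11:22:33:44:01": {"model": "ExampleJet 8000 MFP", "location": "Bldg A / Rm 210"},
    "00:11:22:33:44:02": {"model": "Example Laptop 14", "location": "Bldg B / Nursing"},
    "00:11:22:33:44:03": {"model": "ExampleJet 8000 MFP", "location": "Bldg C / Lobby"},
}
# Constructed static address list: IP -> MAC.
STATIC = {"10.0.5.20": "00:11:22:33:44:01"}
# Constructed DHCP lease history: (ip, mac, lease_start, lease_end).
LEASES = [
    ("10.0.9.57", "00:11:22:33:44:02", "2018-09-18T08:00", "2018-09-19T08:00"),
    ("10.0.9.57", "00:11:22:33:44:03", "2018-09-19T09:30", "2018-09-20T09:30"),
]

def resolve(ip, seen_at):
    """Return (source, mac, inventory_record) for the holder of ip at seen_at, else None."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on a malformed address
    when = datetime.fromisoformat(seen_at)
    if ip in STATIC:
        mac = STATIC[ip]
        return ("static", mac, INVENTORY.get(mac))
    for lease_ip, mac, start, end in LEASES:
        in_window = datetime.fromisoformat(start) <= when < datetime.fromisoformat(end)
        if lease_ip == ip and in_window:
            # A record of None here means the device is on the network but not inventoried.
            return ("dhcp", mac, INVENTORY.get(mac))
    return None  # no static entry and no lease covering that time

def devices_by_model(fragment):
    """Answer 'which of our devices are model X?' from the same inventory."""
    return sorted(mac for mac, rec in INVENTORY.items()
                  if fragment.lower() in rec["model"].lower())

if __name__ == "__main__":
    print(resolve("10.0.9.57", "2018-09-19T10:00"))
    print(devices_by_model("ExampleJet"))
```

The same alert IP resolves to a laptop on one day and a multi-function device the next, which is why the alert timestamp has to be part of the lookup.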

Attack surface

In the information security world, we refer to attack surface as the collective exposures a network has to attack. Elements of the attack surface include open firewall ports, devices sitting outside the firewall, unmanaged mobile devices, and, it seems, even fax lines. The recent SamSam ransomware attacks plaguing municipalities and healthcare institutions have all been the result of an open firewall port. You must know what exposures you have, and why they must exist. You must constantly check to make sure your attack surface has not expanded without your knowledge, often as a result of some well-intentioned technician who opens a firewall port “temporarily.”
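One way to run the recurring attack-surface check described above, as an added example that is not part of the original article: it compares externally observed open ports against an approved baseline that records an owner, a reason and, for "temporary" openings, an expiry date. The baseline format, the addresses (documentation range 203.0.113.0/24) and the scan results are constructed assumptions.

```python
from datetime import date

# Constructed approved-exposure baseline: (host, port) -> why it exists and until when.
BASELINE = {
    ("203.0.113.10", 443): {"owner": "web team", "reason": "patient portal", "expires": None},
    ("203.0.113.10", 3389): {"owner": "field tech", "reason": "temporary vendor support",
                             "expires": date(2018, 9, 1)},
    ("203.0.113.25", 25): {"owner": "mail team", "reason": "inbound SMTP", "expires": None},
}
# Constructed result of scanning your own perimeter from outside.
OBSERVED = {("203.0.113.10", 443), ("203.0.113.10", 3389), ("203.0.113.30", 445)}

def review_exposure(baseline, observed, today):
    """Return a list of (endpoint, status, detail) findings that need follow-up."""
    findings = []
    for endpoint in sorted(observed):
        entry = baseline.get(endpoint)
        if entry is None:
            # Open to the outside with nobody on record as having approved it.
            findings.append((endpoint, "UNAPPROVED", "no baseline entry"))
        elif entry["expires"] is not None and entry["expires"] < today:
            # The "temporary" opening that was never closed.
            detail = f"approval lapsed {entry['expires']} ({entry['owner']}: {entry['reason']})"
            findings.append((endpoint, "EXPIRED", detail))
    for endpoint in sorted(set(baseline) - observed):
        # Approved but not seen: confirm it is closed, then retire the baseline entry.
        findings.append((endpoint, "STALE", "approved but not observed"))
    return findings

if __name__ == "__main__":
    for endpoint, status, detail in review_exposure(BASELINE, OBSERVED, date(2018, 9, 20)):
        print(f"{status:<10} {endpoint[0]}:{endpoint[1]}  {detail}")
```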

Vendor connections

Much of the business world depends on vendor interconnections, particularly those of us in healthcare. Those connections can be your downfall if not properly secured. It is possible for malware attacks on a vendor to cross an interconnection link and infect customer networks. A number of WannaCry infections during the 2017 outbreak spread across vendor communication links. Know what links you have and how each is connected. Strive for the minimum necessary open ports for any vendor links and have your inventory at hand in case you need to disable them quickly.

Incident response procedures

Security incidents are a reality in today’s world, so we must be prepared to respond to them, 24/7. These procedures must be explicit, well tested, and within easy reach of all of your team members responsible for responding to incidents. On more than one occasion, I have encountered organizations that had all of their incident documentation and materials on systems that became inaccessible during an attack. Make sure they are stored in a way that protects them from the very attacks that require their use.

Bottom line: If our networks can be infected by something as simple as a fax line, it is imperative that we get back to basics in securing our networks and data. If we fail to do this, we will lose the battle.

Contributor

Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO.com. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.