Often when a new security vulnerability is identified, the news hits fast and the questions begin. Systems Administrators/internal IT ask questions like: how did it happen, what should I do to minimize the impact, and when will the vendor release a patch/update/fix? Join any tech forum on Reddit or Discord and there will be plenty of posts and comments related to the above. Everyone is wondering what happened and, even more importantly, when it will be fixed.

The recent PrintNightmare exploit is no exception. It drew a lot of attention and even more time spent waiting for Microsoft to issue an update to fix the problem. In the meantime, some organizations decided to completely disable printing as a risk management approach, because that was the heavy-handed advice that was issued. There was a real lack of clarity around exactly what risk still existed even after the various patches and what the best approach was to mitigate those risks in each environment. In many cases, end users’ printing functionality was turned off, which is a huge business disruption for even the smallest of businesses.

My question to any System Administrator/internal IT is why are YOU waiting on someone else to fix any problem? Better yet, what could YOU have done to minimize the impact of such an exploit?

Out-of-the-box configurations are no longer good enough

With all the exploits, vulnerabilities, security loopholes, and targeted attacks occurring on a daily basis, it is no longer good enough to rely on out-of-the-box configurations for security tools, and it is even more unacceptable to sit back and wait for someone else to fix these problems. So many times, when these types of events occur, we take the finger-pointing approach. Let’s be honest, it is easier to tell the CEO that it is “XYZ software or hardware vendor’s problem, and we have to wait for them to research, test, and distribute a fix.”

What if you could be the hero? What if you could minimize the risk and deploy a solution faster than an industry big name like Microsoft? The good news is that you can, and it is simply a matter of taking a different approach to your security.

Where to start?

Let us start with your security layer. Ask yourself whether you have properly scoped the size and functionality of your security devices. For example, do they sit only at the edge of your network, or are they also positioned to segment the internal network? Do you have micro-segmented layers and a security appliance sized to run IPS full scan on the internal traffic? The impact of the PrintNightmare exploit could have been significantly minimized if businesses stopped approaching their security as if it were a plug-and-play type of purchase.

Back to my original questions for System Administrators/internal IT: why are you waiting on someone else to fix any problem, and what could you have done to minimize the impact? I see two different response scenarios. One is the group of System Administrators/internal IT that believe they are the experts in all things IT and do not need the help of an external security expert because they have free public forums to interact with. The other group are the ones whose hands are tied because executive management believes that whomever they have in IT should be able to manage all aspects of IT. Management rarely understands the depth and breadth of the bucket they have labeled ‘IT’. This is especially true as it relates to network security.

For the first group, oftentimes they think they are getting complete information from resources such as Huntress, SentinelOne, CarbonBlack and the like. What many do not realize is that these companies employ security people who no longer perform systems and network engineering or administration (if they ever did). Couple that with the fact that they do not know your environment. By relying exclusively on these “resources”, 100% of the burden of interpreting the security risk and mitigation approaches, plus the deployment of remediations, is on your shoulders. On the other hand, if you have an ongoing relationship with an MSSP, they will most likely provide a solution vetted for your environment, making you the hero. It is important to note that there is a distinct difference between lab testing and production environment testing. A thoroughly vetted solution will have been deployed and tested in a true production environment and not solely within a controlled lab environment.

For the second group, my response is to have an honest discussion with executive management. Exploits like PrintNightmare could be easily mitigated if you had the correct technology stack, fortified with highly reliable configurations and backed with proactive management capabilities on the part of an MSSP like QPC Security. This approach allows you to benefit from the intelligence pool and leveraged effort of hundreds if not thousands of highly qualified and experienced security professionals, providing you with depth and breadth.

How did QPC Security handle PrintNightmare?

With the PrintNightmare exploit, QPC Security did not wait for someone else to fix the problem. We also never assume that a single control will be efficacious. While our WatchGuard network security devices with IPS full scan had already automatically updated to block the exploit wherever it crossed a packet visibility layer, we focused on our own internal R&D. Within days, we had full R&D testing complete and the result rolled out to our managed clients. This allowed QPC Security to reduce the risk from PrintNightmare as close to zero as possible while ensuring clients could still print.

Exploits like PrintNightmare are the daily reality, and a proactive, highly configured network security posture is the only way to mitigate these types of risks and ensure business continuity. MSSPs like QPC Security ensure you have the correct network security stack and have the expertise to fully integrate this technology within your network to guarantee a fully comprehensive and effective security layer. I take a deeper dive into this topic on my Breakfast Bytes podcast. For more information on our network security services, contact us today at 262-553-6510 or by visiting qpcsecurity.com.