Weak credential policies and a lax approach to patching were among the most common points of IT security failure for organizations in 2022, while a failure to configure tools properly could leave organizations open to attack.
That's according to a recent study by cybersecurity firm Horizon3.ai, based on findings from approximately 7,000 penetration tests that evaluated approximately 1 million assets.
Of the Top 10 vulnerabilities Horizon3.ai detected in 2022, the use of weak or reused credentials topped the list, followed by weak or default credential checks in protocols (SSH and FTP) and threat actors using Dark Web credential dumps from Windows or Linux hosts.
Corey Sinclair, cyber-threat intelligence analyst for Horizon3.ai, explains that professionals are challenged by balancing the three factors of security, functionality, and usability. The requirements of the end user, usability and functionality, are often at odds with or contradictory to the best security practices.
"To ease our own burden, we as individuals tend to shy away from the difficult, and move to what's easy and convenient," he says. "This means having fewer or easier credential requirements."
Individuals thus tend to reuse credentials when they know they should have unique passwords for everything, and organizations fail to enforce stronger credential requirements or invest in a companywide password solution.
Sinclair adds that sometimes, companies simply don't know to go back and check to see if default credentials were changed when a new technology is brought online.
Security teams should be on notice: The successful combo of using stolen credentials and social engineering to breach networks is increasing the demand for infostealers on the Dark Web, according to Accenture's Cyber Threat Intelligence team (ACTI), which recently surveyed the infostealer malware landscape over 2022.
That report also warned that malicious actors are combining stolen credentials and social engineering to carry out high-profile breaches and leveraging multifactor authentication (MFA) fatigue attacks.
Patching & Misconfigurations Are a Pain Point
The survey also found that known critical vulnerabilities were regularly exploited, while popular DevOps tools and resources, including Docker and Kubernetes, were riddled with misconfigurations and vulnerabilities.
"Patching and misconfigurations essentially come down to scale and prioritization," Sinclair says. "Depending on the size and infrastructure of a company's IT department, it will determine how quickly and effectively a company can find what needs to be patched or configured."
Additionally, not all organizations know what to patch, and how to prioritize what needs to be patched first.
"With the plethora of CVEs and vulnerabilities being released daily, most companies find it hard to keep up with, let alone fix what matters, before threat actors exploit them," he adds.
From his perspective, companies must take a different approach to security, in which they view their environments through the eyes of the attacker.
"They need to view their environment and prioritize [fixes] based on what is actually reachable, vulnerable, and exploitable," he says. "This mindset shift allows the company to stay one step ahead of the adversary, while ensuring they have a constant pulse on their environment's security posture."
Organizations without the time or talent to patch or review for misconfigurations may find patching-as-a-service (PaaS) a way to improve security, but a successful program will require accurate and robust asset management tools so the vendor knows what's live in the client's environment, he adds.
Adoption of Multifactor Technologies in 2023
Sinclair points out that while it is "way too early" to tell what 2023 will bring on the cybersecurity defense front, he believes there are going to be more and more companies adopting new multifactor technologies to aid in the fight against credential reuse and weak credentials.
"By adopting these technologies, it will push cyber-threat actors to find other vulnerabilities and weaknesses to exploit," he says. "As the cybersecurity world is always shifting and evolving, staying one step ahead of malicious cyber-threat actors is paramount."