Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/27/2018
02:30 PM
Matt Watchinski
Matt Watchinski
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How to Keep Up Security in a Bug-Infested World

Good digital hygiene will lower your risk, and these six tips can help.

This past April saw a milestone: the 100,000th common vulnerability and exposure (CVE). Although we've hit a major mark in CVE identifiers, Cisco found that the total number of high-impact vulnerabilities is actually decreasing year over year. That means there are now fewer high-impact vulnerabilities with the potential to affect a large number of users than there were three years ago.

Unfortunately, this lower number is not all good news. As we have seen over the past year, it's easier than ever for bad actors to mass-exploit disclosed vulnerabilities by assuming that a large number of companies can't or don't keep up with patching cycles. The situation is made worse by the ready availability of exploits and tools that can be used for nefarious purposes. Anyone with an Internet connection has access to tools, such as penetration testers and videos that teach people how to tailor them for malicious intent. The sheer number of people wanting information about exploits has made that information a commodity, so it's never been easier to quickly write highly effective exploits.

Take, for example, EternalBlue. Soon after Microsoft issued a patch for an issue with the Windows SMB Server, Shadow Brokers released an exploit in April 2017. A month later, the world was hit by the WannaCry ransomware, which incorporated this exploit into its attack. If that wasn't enough, in June NotPetya was released on the world, which yet again used the same exploit. As everyone saw with the economic impact of WannaCry and the NotPetya, this quick leap to a weaponized exploit turned a possible threat into a real-world attack — fast. Millions of users could have avoided damage if they had applied the patch that Microsoft issued months earlier.

Given the accelerated maturation and deployment of these threats, any organization's first line of defense must include cultivating a solid understanding of where its assets are and a fast, automated way to patch them. Yet despite the growing awareness of the cyber threats that target them, it's easy to find organizations that still aren't taking these steps and aren't practicing the fundamental security basics that would help bolster needed resilience. Proactively embracing the following practices will help:

  • Take patching seriously. Develop, implement, and actively maintain a thorough system for applying patches across your network and IT infrastructure. As soon as vulnerabilities are announced, bad guys are working to exploit them. Reputable vendors are on top of vulnerabilities and regularly make patches available as quickly as possible. But patches won't be effective if they're not applied.
  • To do that, you need to identify everything that is on your network. Conduct a risk-focused evaluation of your existing hardware and software: rank products in terms of which ones create the most effective, essential value, and determine how much risk each product brings based on its age, vulnerabilities, and cyber resilience. With this information, you can then develop a prioritized list for updated technology investments with resilience built in.
  • If your line of business doesn't allow for ready patching, such as with certain medical, industrial or even Internet of Things applications, then segmentation is critical — essentially, creating a security fence around those systems.
  • Another area that many people talk about but often don't actually practice is two-factor authentication. This one simple move means the difference between being alerted to an adversary attempting malicious access and finding out after the attack has occurred. As social engineering continues be one of the most effective tools in an attacker's arsenal, two-factor authentication is critical.
  • Increase visibility across your entire infrastructure. Visibility is especially important for larger organizations (where legacy assets can linger for years) and those adopting shadow IT, where third- and even fourth-party involvement can introduce greatly increased layers of risk.
  • Develop policies and procedures for dealing with those threat postures at scale. Upgrade aging infrastructure and systems, patch quickly, and consistently back up your data. Employ strong password management to impede lateral movement and propagation.

Effectively managing risk requires hardening the overall strength and resilience of your deployed infrastructure and systems. Bad habits — such as not patching and keeping outdated solutions in place — put an organization's overall resilience into jeopardy, increasing risk. Practicing good digital hygiene, starting with and sticking to the fundamentals, will lower that risk.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Matt Watchinski is the vice president of Cisco Talos, the company's global threat intelligence group. With over 300 security researchers globally, Talos is the largest commercial threat intelligence group in the world. As leader of Talos, Watchinski is responsible for ongoing ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
washplant
50%
50%
washplant,
User Rank: Apprentice
11/19/2018 | 1:48:45 AM
Re: Pending Review
haha, thank you for sharing
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.