This past April saw a milestone: the 100,000th common vulnerability and exposure (CVE). Although we've hit a major mark in CVE identifiers, Cisco found that the total number of high-impact vulnerabilities is actually decreasing year over year. That means there are now fewer high-impact vulnerabilities with the potential to affect a large number of users than there were three years ago.
Unfortunately, this lower number is not all good news. As we have seen over the past year, it's easier than ever for bad actors to mass-exploit disclosed vulnerabilities by assuming that a large number of companies can't or don't keep up with patching cycles. The situation is made worse by the ready availability of exploits and tools that can be used for nefarious purposes. Anyone with an Internet connection has access to tools, such as penetration testers and videos that teach people how to tailor them for malicious intent. The sheer number of people wanting information about exploits has made that information a commodity, so it's never been easier to quickly write highly effective exploits.
Take, for example, EternalBlue. Soon after Microsoft issued a patch for an issue with the Windows SMB Server, Shadow Brokers released an exploit in April 2017. A month later, the world was hit by the WannaCry ransomware, which incorporated this exploit into its attack. If that wasn't enough, in June NotPetya was released on the world, which yet again used the same exploit. As everyone saw with the economic impact of WannaCry and the NotPetya, this quick leap to a weaponized exploit turned a possible threat into a real-world attack — fast. Millions of users could have avoided damage if they had applied the patch that Microsoft issued months earlier.
Given the accelerated maturation and deployment of these threats, any organization's first line of defense must include cultivating a solid understanding of where its assets are and a fast, automated way to patch them. Yet despite the growing awareness of the cyber threats that target them, it's easy to find organizations that still aren't taking these steps and aren't practicing the fundamental security basics that would help bolster needed resilience. Proactively embracing the following practices will help:
- Take patching seriously. Develop, implement, and actively maintain a thorough system for applying patches across your network and IT infrastructure. As soon as vulnerabilities are announced, bad guys are working to exploit them. Reputable vendors are on top of vulnerabilities and regularly make patches available as quickly as possible. But patches won't be effective if they're not applied.
- To do that, you need to identify everything that is on your network. Conduct a risk-focused evaluation of your existing hardware and software: rank products in terms of which ones create the most effective, essential value, and determine how much risk each product brings based on its age, vulnerabilities, and cyber resilience. With this information, you can then develop a prioritized list for updated technology investments with resilience built in.
- If your line of business doesn't allow for ready patching, such as with certain medical, industrial or even Internet of Things applications, then segmentation is critical — essentially, creating a security fence around those systems.
- Another area that many people talk about but often don't actually practice is two-factor authentication. This one simple move means the difference between being alerted to an adversary attempting malicious access and finding out after the attack has occurred. As social engineering continues be one of the most effective tools in an attacker's arsenal, two-factor authentication is critical.
- Increase visibility across your entire infrastructure. Visibility is especially important for larger organizations (where legacy assets can linger for years) and those adopting shadow IT, where third- and even fourth-party involvement can introduce greatly increased layers of risk.
- Develop policies and procedures for dealing with those threat postures at scale. Upgrade aging infrastructure and systems, patch quickly, and consistently back up your data. Employ strong password management to impede lateral movement and propagation.
Effectively managing risk requires hardening the overall strength and resilience of your deployed infrastructure and systems. Bad habits — such as not patching and keeping outdated solutions in place — put an organization's overall resilience into jeopardy, increasing risk. Practicing good digital hygiene, starting with and sticking to the fundamentals, will lower that risk.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.