This year, Dimension Data’s Executive Guide to the annual NTT Security 2019 Global Threat Intelligence Report highlighted an increase of 12.5% in the number of new vulnerabilities discovered during 2018.
Figure 1: Growth in vulnerabilities
In this article, I’ll delve into some of the findings that we’ve uncovered regarding this dramatic rise in vulnerabilities, discuss their causes and impacts, and provide some practical recommendations on how to raise your business’ defences.
The ‘weaponisation’ of vulnerabilities means that cybercriminals are exploiting them to launch highly co-ordinated attacks against individuals, businesses, and specific groups, by using a combination of technical and non-technical tools. Often these vulnerabilities are targeted in automated exploit kits, which are developed by criminal groups and monetised in various online forums.
These exceptionally well-organised campaigns are becoming more robust, precise, and targeted than ever before. Attacks are being informed by in-depth information that cybercriminals have gained from multiple sources about their targets. And they’re increasingly diversifying the manner in which they execute their attacks.
Let’s use the example of attacks on specific individuals. By scouring various channels – both legitimate and illicit – attackers are able to amass sufficient information about their targets to build a comprehensive profile about them. Gradually, they gather enough material to determine what’s going to be the most effective method(s) of attack and they’ll typically utilise multiple attack surfaces to pursue their targets.
Of course, organisations are also subjected to these types of co-ordinated attacks, and often an attack against an individual and one against a business are strongly connected.
For example, one of our client’s executives was approached by an individual masquerading as a respected leader of another business, regarding a potential merger. The approach was convincing: the cybercriminals had gathered a wealth of information about the person they were purporting to represent, the leader of the organisation seeking to be acquired. Here, of course, the ultimate objective was monetary gain, in the form of the funds that would change hands to seal the acquisition deal.
Once cybercriminals have successfully compromised a company’s systems and stolen the information they want, they’ll sell it for profit on the dark web and/or attempt to extort funds or blackmail the organisation by threatening to sell its trade secrets to competitors.
These co-ordinated, longer-term types of attack are very different to what we’ve seen in the past, where attackers’ tactics were usually short and sharp: ‘Let’s break down the door, grab what we can, and run’. Organisations need to be aware of these shifts and adjust their defence mechanisms accordingly.
These vulnerabilities often reside in older systems and ageing computers that are unable to run new versions of software, but are still being widely used today. For example, many hospitals operate medical equipment that runs on versions of Microsoft Windows as old as v3 or thereabouts. Generally, these devices operate perfectly well for their intended purpose. And this doesn’t just apply to hospitals: within most organisations, somewhere, you’ll likely find older devices and computers that have been repurposed to perform some kind of basic function – perhaps simply serving as a print server, for instance. These devices present an attractive attack surface for hackers, as the system software is long-retired and is no longer being updated or patched. With little or no modern security controls protecting them, they represent a cybersecurity risk. Here, a vulnerability assessment would be advisable.
However, many vulnerabilities in modern software also persist – often for many years after their discovery. Shellshock in Bash, and older flaws in Apache Struts and Samba, are good examples of vulnerabilities which continue to see significant exploit traffic. Shellshock, the critical flaw in the Bash shell shipped with Linux and Unix operating systems that can allow an attacker to run malicious code remotely on a targeted system, was first disclosed in September 2014. However, it continues to be left unpatched in many organisations.
These vulnerabilities offer a lucrative target for attackers. With minimal effort, intelligence-gathering on vulnerable systems can be automated, widening the range and scope of the scans.
In addition to fending off traditional attacks, using tried-and-tested tools, security professionals now need to find ways to protect the organisation and their users from newer, more sophisticated types and methods of attack.
Some of the newer, emerging vulnerabilities, such as cryptojacking[1] and the latest breed of web attacks, are relatively easy for cybercriminals to introduce into your environment, and often hard for you to detect. In some cases, all you need to do is visit a single, compromised webpage for your system to become infected by malware. You don’t even need to click on anything once you’re on the site.
This shift towards more sophisticated types of attack requires a very different defence mindset and model. In addition, everyone needs to be more vigilant – not just security professionals but also users – as today, it’s so much easier to unwittingly create system vulnerabilities.
This is because code is generally written for a variety of purposes and housed in shared code libraries. It’s not uncommon for elements of existing code to be re-used or amalgamated into the code of new products or services, because those elements perform a specific, essential function.
However, if a piece of existing code happens to have a vulnerability – and it’s re-purposed by other developers who don’t perform appropriate testing on it – and it’s subsequently released, the vulnerability can quickly perpetuate throughout the organisation. In most cases, there’s no malicious intent involved. The code wasn’t deliberately written to compromise the organisation’s security posture; it’s usually the result of an innocent oversight.
In the age of DevOps, teams are now sharing and re-using code, libraries, and container images. Much of this has been developed without security in mind. This is why teams need to begin integrating security into the DevOps process.
The aim is to embed security into every part of the application lifecycle – development, build, and run time – thereby minimising vulnerabilities and bringing security closer to IT and the business’ overall objectives.
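The propagation described above is easiest to catch at build time. The following is an added example (not the article’s or Dimension Data’s code): a small dependency gate that scans several services’ pinned manifests against an advisory list and reports every service that re-uses an affected library. All package names, versions and advisory ids are constructed placeholders.

```python
# Added example (not from the article): a build-time dependency gate that scans
# several services' pinned manifests against a constructed advisory list, so a
# flawed shared library is caught in every service that re-uses it before release.
# All package names, versions and advisory ids are constructed placeholders.
from collections import defaultdict

# Constructed manifests: service name -> "package==version" lines.
MANIFESTS = {
    "billing-api": "requests==2.19.0\npyyaml==5.3\nflask==1.1.2\n",
    "report-worker": "# shared with billing-api\npyyaml==5.1\nrequests==2.22.0\n",
    "auth-service": "flask==1.1.2\npyyaml==5.4\n",
}

# Constructed advisories: package -> (advisory id, first affected, first fixed).
# A version v is affected when introduced <= v < fixed.
ADVISORIES = {
    "pyyaml": ("EXAMPLE-2020-0001", "5.1", "5.4"),
    "requests": ("EXAMPLE-2018-0002", "2.18.0", "2.20.0"),
}

def parse_version(text):
    """'5.3.1' -> (5, 3, 1), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_manifest(text):
    """Yield (package, version) from 'name==version' lines; skip blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        yield name.strip().lower(), version.strip()

def is_affected(package, version):
    """Return the advisory id if the pin is inside the affected range, else None."""
    if package not in ADVISORIES:
        return None
    advisory_id, introduced, fixed = ADVISORIES[package]
    hit = parse_version(introduced) <= parse_version(version) < parse_version(fixed)
    return advisory_id if hit else None

def scan(manifests):
    """Map each advisory id to every 'service:package==version' pin it affects."""
    findings = defaultdict(list)
    for service, text in manifests.items():
        for package, version in parse_manifest(text):
            advisory_id = is_affected(package, version)
            if advisory_id:
                findings[advisory_id].append(f"{service}:{package}=={version}")
    return dict(findings)  # empty dict means the build may proceed
```

Running `scan(MANIFESTS)` shows the same pyyaml advisory hitting two services, which is exactly how one re-used component spreads a flaw across the organisation.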
Here’s some guidance for businesses and cybersecurity professionals who’re on a journey to bolster their cybersecurity posture:
[1] Cryptojacking (also known as coin mining, cryptomining, and cryptocurrency mining) is the illicit use of hijacked systems and CPU resources by cybercriminals to mine cryptocurrencies and generate revenue.
[2] Digital Means Business Benchmark Report, Dimension Data, 2018