Attackers have no need of zero-days, breach data shows
Cyber attackers do not have to use previously unseen or extremely sophisticated attacks to bypass defences, analysis of publicly reported breaches in the past year reveals
Most successful cyber attacks are possible because organisations are not doing a good job of protecting their systems, according to Dave Lewis, global security advocate at Akamai Technologies.
Too often, he said, attackers are able to take advantage of unpatched software, system configuration failures, compromised passwords and well-known attack methods such as SQL injection.
“Cyber defenders need to do a better job when it comes to basic security hygiene because most breaches are due to the fact that something that should have been part of a definable, repeatable process was not done,” Lewis told Computer Weekly.
Businesses are failing to look at the core issues that led to known data breaches and learn from them to avoid being breached in the same way.
Based on his analysis, Lewis said patching, or keeping software up to date with the latest security improvements, was one of the biggest problems. It is often neglected like many other basic security tasks.
“Security professionals typically want to move on to bigger and better things, so a lot of institutional knowledge goes with them because they are not usually good at documenting what they do,” he said. “Patching can be challenging and tedious, but it is something we simply have to do – much like preventive medicine.”
Common security failings
Failure to keep security patches up to date on Microsoft Windows systems has been identified as one of the key reasons so many organisations around the globe were affected by an indiscriminate and unprecedented ransomware attack that started on 12 May 2017.
Although relatively simple, the first variant of the WannaCry ransomware was able to infect thousands of machines running on the Microsoft Windows operating system, even though Microsoft had issued a software patch to fix the vulnerability exploited by the malware two months before the attacks.
Failure to manage system configurations was the second biggest common failing revealed by Lewis’s analysis of real-world data breaches.
Every IT professional knows it’s important to install critical patches to virtual machines in a timely manner, but what about the less serious updates?
Despite the plethora of software updater products, desktop security is too important to leave to chance.
“Just from the data from pulled from Akamai’s platform, we see that SQL injection is the top attack type, and although our customers are protected, there are millions of sites out there that need to address this problem.
“If you are not sanitising your inputs and outputs, you can fall foul of SQL injection attacks, which are well-documented and can be avoided, but continue to be popular simply because they continue to work,” said Lewis, as evidenced by the 2015 data breach at UK telco TalkTalk.
Password re-use also continues to be a big problem, with usernames and passwords harvested in one data breach routinely being used to access company systems because employees use the same credentials for personal online accounts.
Although these are well-known security issues, he said, they are also still huge problems that almost every organisation still needs to get to grips with properly.
Back to security basics
“Far too often defenders get wrapped up in the latest attack techniques and are not paying attention to the basic stuff that they should be doing. You will see people getting all upset about some or other zero-day, but meanwhile their database software is not patched up to date,” said Lewis.
If defenders do not understand exactly what the threats are pertaining to their organisation, their customers and their line of business, that is a real problem, he said. “If they can’t do a proper risk assessment, they don’t know where to put their resources because the threats that apply to one industry do not necessarily apply to another.”
Lewis said the breach data shows that many organisations have to re-focus their resources on getting back to the fundamentals of information security, such as patch management, configuration management, log review and asset inventories.
“About 10 years ago, organisations were doing a good job of these things, but they have moved away from that as they have been caught up in all the new exciting technologies, and the tendency to focus on innovation, without having the necessary resources to do that and keep the basics going at the same time,” he said.
“Patching can be challenging and tedious, but it is something we simply have to do – much like preventive medicine”
Dave Lewis, Akamai Technologies
Cyber defenders should ensure they have sufficient budget and management support to continue taking care of the basics, said Lewis, by highlighting the business risk of failing to do this properly and being able to express that risk in money terms.
“That is why a risk assessment is so important and useful in getting to the core of the risk and underlining the importance of doing things like patch management, which is where most organisations need to do a better job,” he said.
“Defenders need to make sure they are not forgetting the core competencies because, without a proper foundation, things are going to fall apart pretty quickly.”
Dave Lewis will discuss the issue of attackers getting access to critical assets without much difficulty in a presentation entitled Barbarians in the Throne Roomat Infosecurity Europe 2017 in London from 6-8 June.
