Cyber

Threat landscape

by Mark Rowe

We are our own worst enemies, writes Mark Weir, Regional Director – UK and Ireland at the firewall and secure wi-fi product company Fortinet.

The role of the CSO and staff may sometimes seem like a never-ending job. The security lifecycle needs constant monitoring and analysis, responding to security threats and finessing policies and protocols. Activities such as patching and replacing should be ticking along in the background. This is how organisations should be staying ahead of the cybercriminals who are always targeting infrastructure and resources. Sometimes, we are our own worst enemies.

In Fortinet’s Global Threat Landscape report for Q2, much of the data provides just what you’d expect. For example, FortiGuard labs detected a 30pc increase in exploit attempts over the course of the quarter, and with the growth of IoT and Shadownet resources, these numbers are expected to continue rising. Additionally, seven in ten organisations were affected by high or critical exploits during the quarter. These numbers should be a wakeup call for organisations across every sector.

It didn’t just stop there. Millions of organisations around the globe were also affected by high-profile global attacks such as WannaCry and NotPetya, which were able to exploit vulnerabilities that had been leaked and patched a few months prior. Whilst these are the kind of findings that security professionals have come to expect from threat reports, Fortinet’s report provides irrefutable evidence of what the security industry has known for a long time: organisations are failing to do even the basics to protect themselves, and they must take action now.

Hot and Cold Exploits

Cyber-criminals have discovered an almost perfect business model. By simply exploiting known vulnerabilities, they can avoid spending valuable resources on building zero-day attacks. Targeting a recently announced vulnerability is known as a ‘hot exploit.’ Much like a zero-day attack, the aim is to take advantage of the window of opportunity between the announcement of a vulnerability and when companies begin applying the patch. This was the case for the WannaCry attack, in which a Microsoft vulnerability was exploited, despite a patch having been available for nearly two months. In an ideal world, that window should be kept as narrow as possible, but that is still not the case. NotPetya followed shortly after WannaCry, just one month later, targeting the same vulnerability. Far too many organisations failed to learn the lesson first time round.

This is a symptom of a much larger problem. During Q2, an astounding 90pc of organisations revealed that they had been the victims of exploits targeted towards vulnerabilities which were over three years old. Add that to the fact that 60pc of firms experienced attacks targeting vulnerabilities which were more than ten years old. The reasons for this are complicated and multifaceted. Networks are growing exponentially and now span across a variety of highly distributed and ever-changing ecosystems, including physical, virtual and cloud environments. In these kinds of landscapes, it can be easy to lose track of devices or to fail to maintain a patch-and-replace protocol. That’s not factoring in the financial ramifications of a business having to take down a server or an entire system in order to apply a patch.

This means that more and more cyber-criminals are realising that their best option is to shift resources towards developing automated and intent-based tools designed to deliver more sophisticated payloads.

Hyper-connectivity challenges

Speed and efficiency are integral to today’s digital economy, and access to data is the priority. This is why everything is increasingly connected to everything else, and why so many organisations are supporting peer-to-peer (P2P) and proxy applications. Interestingly, organisations which allow P2P applications are experiencing seven times as many botnets and malware as those that don’t. Likewise, organisations which allow proxy applications report nearly nine times as many botnets and malware as those that don’t allow them.

Vulnerable systems, such as IoT devices, are posing similar challenges. Q2 saw approximately three billion botnet detections from nearly 250 unique botnets. Some 45pc of firms detected at least one active botnet in their environment during the quarter, and about 3pc reported being simultaneously infested with ten or more unique active botnets. This makes for alarming reading.

What can you do?

Organisations need, first and foremost, to get back to basics. This means identifying all critical assets and services on their network. Next, work on efforts to identify and patch vulnerable systems and replace older systems which are no longer supported. This might mean putting an asset tracking and management tool in place. Then, proper mitigation solutions and incident response plans can be built around that.

The volume and percentage of encrypted traffic will continue to rise, so IT teams will need to take into consideration the impact that analysing large volumes of encrypted traffic will have on the performance of security devices and platforms. Not only this, but organisations should expect to see advanced malware attacking the limitations of security devices through the exploitation of CPU-intensive areas such as unstructured data. IT should implement tools which can consume data at scale and not fail when heavy processing is needed.

Network segmentation should also be integral to any digital business strategy. Apps, IoT devices and encrypted data should be separated as much as possible from the wider network. Suitable segmentation will ensure that security is embedded deep into the network so that infected devices and malware can be detected and isolated wherever they occur, before they spread. Segmentation along with regular data backup is also a great way to tackle ransomware.
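As an added illustration of the identify-then-patch-or-replace steps above (example code written for this page, not from the article or from Fortinet), the following Python script triages a constructed asset inventory using the article’s own thresholds: a roughly two-month window of the kind WannaCry exploited, and unpatched flaws more than three and more than ten years old. Host names and the VULN-* identifiers are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds from the article: ~2 month WannaCry window, 3+ and 10+ year old flaws.
HOT_WINDOW = timedelta(days=60)
STALE_AGE = timedelta(days=3 * 365)
ANCIENT_AGE = timedelta(days=10 * 365)

@dataclass
class Vuln:
    vuln_id: str          # constructed placeholder; real CVE ids are not on the page
    fix_published: date   # when the vendor shipped the patch
    patched: bool

@dataclass
class Asset:
    host: str
    end_of_support: date | None = None   # None: platform still supported
    vulns: list[Vuln] = field(default_factory=list)

def classify(asset: Asset, today: date) -> dict:
    """Bucket an asset's unpatched flaws by age and flag unsupported platforms."""
    v = {"host": asset.host, "replace": False, "hot": [], "open": [], "stale": [], "ancient": []}
    if asset.end_of_support is not None and asset.end_of_support <= today:
        v["replace"] = True   # patching is no longer an option; the system has to go
    for vuln in asset.vulns:
        if vuln.patched:
            continue
        age = today - vuln.fix_published
        if age >= ANCIENT_AGE:
            v["ancient"].append(vuln.vuln_id)
        elif age >= STALE_AGE:
            v["stale"].append(vuln.vuln_id)
        elif age <= HOT_WINDOW:
            v["hot"].append(vuln.vuln_id)   # still inside the window a hot exploit targets
        else:
            v["open"].append(vuln.vuln_id)
    return v

def prioritise(assets: list[Asset], today: date) -> list[dict]:
    """Replacement candidates first, then hosts with the most hot and ancient exposure."""
    verdicts = [classify(a, today) for a in assets]
    verdicts.sort(key=lambda v: (v["replace"], len(v["hot"]), len(v["ancient"]),
                                 len(v["stale"]), len(v["open"])), reverse=True)
    return verdicts

# Constructed inventory, evaluated as of a fixed "today" in the quarter the report covers.
TODAY = date(2017, 7, 1)
INVENTORY = [
    Asset("web-01", vulns=[Vuln("VULN-A", date(2017, 5, 15), False), Vuln("VULN-E", date(2017, 3, 1), False)]),
    Asset("legacy-db", date(2015, 4, 1), [Vuln("VULN-C", date(2006, 3, 1), False)]),
    Asset("build-02", vulns=[Vuln("VULN-D", date(2013, 6, 1), False)]),
]
```

Calling `prioritise(INVENTORY, TODAY)` puts the unsupported host first, then the host with a flaw still inside the hot-exploit window, then the host carrying a four-year-old unpatched flaw.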

Attacks are not only striking more rapidly, but they are also reducing the time between breach and impact. Smart attacks are even able to avoid detection. It’s no longer enough to hand-correlate threat data between devices to detect threats, or to respond to attacks without the support of technology. In the ever-evolving threat landscape, it’s important to fight automation with automation. This means no longer deploying isolated devices or platforms. Instead, it’s vital to create an integrated expert security system that can automatically collect, correlate, share and respond to threats in a coordinated manner, anywhere across a distributed network ecosystem.


© 2024 Professional Security Magazine. All rights reserved.
