Everywhere you turn in today’s corporate environment you are faced with making key decisions about protecting your data, or you may be hearing about another successful attack on another unlucky company’s infrastructure. But what if luck didn’t have anything to do with it, and it was a case of businesses making the same old mistakes and creating their own bad luck? Surely that couldn’t still be happening today, with heightened awareness of data attacks?
In a nutshell it is, but why?
The explanation revolves around vulnerabilities and what to do about them. On average, Australian businesses can expect to experience around 250 new vulnerability exposures annually – this encompasses businesses of all shapes and sizes. These vulnerability exposures can include everything from old and/or unpatched software with known and exploitable vulnerabilities to security misconfigurations. In the worst-case scenario, these issues can result in a partial to full compromise of the underlying network infrastructure.
Other issues can place data integrity or confidentiality at risk, or simply leak unnecessary information into the public domain. Potential attackers can then leverage this information to conduct more targeted and damaging attacks.
Infrastructure changes generate the highest level of possible vulnerabilities for a business, and yet these changes march on, sometimes without any checks and balances, in companies of all sizes. Infrastructure changes range from adding new software, both off the shelf and customised, to a network, to making changes to websites and web servers, to adding mobile device management products. Ironically, these solutions are often installed to achieve greater data protection and security for an organisation; however, vulnerabilities are known to occur even in off-the-shelf solutions.
You can never fully trust that the vendor has performed a full vulnerability check, that the outsourced security provider has an in-depth understanding of what types of vulnerabilities to look for, or that the budget existed in the first place to thoroughly audit the software.
Recently an example of this type of attack occurred with off-the-shelf software designed to protect the mobile device fleet of a financial services operator here in Australia. It was something that wasn’t expected, but identification and remediation processes had been put in place before the detection, and so a 24-hour turnaround in vulnerability identification and remediation was achievable.
Monitoring vulnerabilities is as important as monitoring cash flow
Monitoring is vital in understanding what your organisation is doing wrong in today’s data security minefield. The identification process needs to be part of daily business operations to ensure that these 250 annual vulnerability exposures are caught before they can be exploited to inflict damage. The question is how do you identify these, and once known, what do you do?
The solution revolves around scanning for known vulnerabilities, research into new hacking techniques and exploits, and finally rating the level of risk associated with each security threat (in your business context) to allow your organisation to focus on the remediation processes, quickly and calmly.
Sources you need to monitor include underground hacking communities and forums, black-hat activity and 0-day exploit databases. You can do this internally by building your own multiple scan engines and constantly refining them, or work with professional firms that provide these services.
Specially designed vulnerability monitoring and management services are now capable of preventing costly forensic and remediation work, with services based on around-the-clock scans and security consultancy to interpret and analyse identified vulnerabilities. In reality this is more like insurance, there to prevent a potentially expensive incident. For example, let’s say a machine on the external infrastructure of a business exposed a serious vulnerability that could allow an attacker to take over the host.
The costs could potentially run to somewhere between $10 000 and $50 000 in forensics and investigation, the same amount again in remediation work, and the impact on the company’s reputation could be extremely costly. The true cost could include losing existing customers and having difficulty in securing new customers – a quick path to financial decline.
So, reading these figures and knowing that even medical centres on the Gold Coast are open to extortion attempts, we can safely surmise that the tipping point for not investing in protecting your organisation’s data has well and truly passed. The discussion should now no longer be how much to spend, but where to direct it.
Insurance for the digital age
If Australian businesses combine vulnerability management with experienced interpretation of vulnerability scan results, the insights can pinpoint and rate security risks accurately. This becomes an extremely valuable tool for determining where best to invest resources in remediation efforts. For instance, this can highlight serious risks making up five per cent of attacks, medium-risk threats around the 10 per cent mark, whilst 20 – 40 per cent of attacks are actually low risk and the rest can be thrown in the false-positives basket. If a business can rate its risks on a daily basis, then it should see a corresponding reduction in the management of “major” issues; in fact, this reduction should be around the 50 per cent mark.
For Information Technology (IT) and Security Managers, and even small business owners, the ability to prioritise remediation activities and to allocate IT budgets where they are most needed is part of a new trend – directing time and budget to where they will have the greatest return.
Be more careful with software
Vulnerabilities reveal themselves in many forms, but there is always the thousand-pound gorilla in the room – self-inflicted vulnerabilities. Recent trends indicate that the top three security issues for the majority of Australian businesses are:
1) Out-of-date software with vulnerabilities as a result of poor software patch management
2) Insecure configuration of web servers supporting web applications
3) Unnecessary services being enabled and exposed, resulting in a larger potential attack surface
The main issue here for business owners and managers, with or without IT support, is that software needs to be patched much more often. Software with known problems due to a lack of patching is becoming a more regular occurrence.
Businesses need to make sure that they regularly check their configurations to ensure that they follow the latest standards, whilst disabling vulnerable configurations. Ensuring that their software has limited rights on the server it is running on is also critical to ensuring breaches are contained and the business protected.
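As an added example (not Pure Hacking's code or the article's own), the following Python triages a constructed scan record for the three self-inflicted issues listed above plus services running with full rights, and ranks the findings so remediation effort goes to the highest risk first, in the spirit of the daily risk rating described earlier. The package names, versions, host record and severity scheme are all placeholders assumed for the example.

```python
"""Added example, not Pure Hacking's code: triage a constructed scan record for
unpatched software, insecure web server configuration, unnecessary exposed
services and over-privileged services, then rank findings by severity."""

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}

# Constructed patch baseline (placeholder names/versions, not real advisories):
# the minimum version of each package that counts as patched.
PATCH_BASELINE = {"exampled": "1.4.5", "webfront": "3.2.0"}

# Constructed scan record for one internet-facing host (placeholder data).
HOST = {
    "name": "web-01",
    "packages": {"exampled": "1.4.2", "webfront": "3.2.0"},
    "services": [
        {"port": 443, "name": "webfront", "user": "www", "required": True,
         "config": {"directory_listing": True}},
        {"port": 21, "name": "ftpd", "user": "root", "required": False, "config": {}},
        {"port": 22, "name": "sshd", "user": "root", "required": True, "config": {}},
    ],
}

def version_tuple(v):
    """'1.10.0' -> (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def triage(host, baseline):
    """Return (severity, category, detail) findings, highest severity first."""
    findings = []
    # 1) Out-of-date software: below the patched baseline on an exposed host is high.
    for pkg, ver in host["packages"].items():
        if pkg in baseline and version_tuple(ver) < version_tuple(baseline[pkg]):
            findings.append(("high", "patching",
                             f"{pkg} {ver} is below patched version {baseline[pkg]}"))
    for svc in host["services"]:
        where = f"{svc['name']}:{svc['port']}"
        # 2) Insecure web server configuration: information leak, rated medium.
        if svc["config"].get("directory_listing"):
            findings.append(("medium", "config", f"{where} allows directory listing"))
        # 3) Unnecessary exposed service: attack surface with no business reason.
        if not svc["required"]:
            sev = "high" if svc["user"] == "root" else "medium"
            findings.append((sev, "attack-surface", f"{where} exposed but not required"))
        # A required service with full rights makes any breach harder to contain.
        elif svc["user"] == "root":
            findings.append(("medium", "privilege", f"{where} runs as root"))
    # sorted() is stable, so equal severities keep scan order.
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]], reverse=True)
```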
David Muscat is Chief Operating Officer of Pure Hacking.