Why do these large-scale cyber attacks keep happening? How did breaches like those at Deloitte and Equifax occur, exposing millions of people? While it is too early to determine the full nature of how the breaches at Deloitte and the SEC occurred, we would like to highlight three top cyber security threats to information systems. In addition, across these three attacks we find underlying themes, which we will touch upon. According to a recent CIO survey, 51% of cyber attacks happen because of a lack of security awareness. Even Deloitte, ranked #1 by Gartner in Security Consulting for the 5th consecutive year, can be subject to such attacks.
The top 3 cyber security threats to information systems that were identified in the survey include:
- Vulnerable web applications - noted by 55% of respondents
- Being overall security “aware” - noted by 51% of respondents
- Out-of-date security patches - noted by 50% of respondents
Top 3 Cyber Security Threats to Information Systems:
Cyber Security Threat #1: Vulnerable web applications
While most businesses make it a priority to manage their web application security properly, it is important to understand that the goal should not be simply to avoid being hacked. The CIO survey found that the #1 security threat is vulnerable web applications. GRC-driven requirements, such as PCI, set a minimum standard for compliance reasons. The problem is that these compliance standards, while relevant today, may be out of date tomorrow. Web application vulnerabilities and exploits are constantly evolving, and a large-scale attack requires only one vulnerability to gain a foothold. Therefore, securing your web applications (or any publicly facing applications, for that matter) needs to be a layered approach that follows the entire lifecycle of the application: robust SDLC processes, ongoing penetration testing, data encryption and a variety of other controls that continuously test your application’s resilience to a potential attack. The Deloitte case bears this out: even a highly regarded security consulting company can fall prey.
According to the chief security strategist at AsTech, speaking about Equifax, “This is something we in the security community continue to see rising, as organisations are getting better at defending servers, workstations and laptops, the cyber-criminals simply move on to the next easiest target, which is most commonly the organisation’s web applications.” The Equifax breach started in May and spanned all the way until July. That is a lot of time for the attackers to have access to files as well as private and sensitive data. According to Brian Vecci, a technical evangelist, Equifax’s security seemed to be focused on their database, leaving their website and files exposed. Vecci explained that companies are not watching how their data is being accessed. Companies have very little idea where their most sensitive data lies and tend not to monitor their users. If you are blind, you cannot expect to identify your weak spots; you will not know who is accessing your data, and this makes you susceptible to breaches.
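To make the monitoring point concrete, here is an added example (it is not code from the original post, nor from Equifax, AsTech or any vendor quoted above): a small Python detector that parses web-server access-log lines in Common Log Format and flags any client that successfully fetches an unusually large number of distinct records from paths the organisation has classified as sensitive, within a short time window. The log lines, the sensitive path prefixes, the record-id pattern and the threshold are all constructed assumptions for illustration.

```python
"""Flag bulk access to sensitive records in web-server access logs.

Added example (not from the original post): parse Common Log Format lines
and report any (client IP, user) that pulled more than a threshold of
distinct sensitive records inside a sliding time window. All paths,
thresholds and log lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumption (constructed): these path prefixes serve per-person records,
# and the numeric path segment after them identifies one record.
SENSITIVE_PREFIXES = ("/api/consumer/", "/reports/credit/")
RECORD_RE = re.compile(r"^/(?:api/consumer|reports/credit)/(?P<record_id>\d+)")


def parse_line(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "user": m.group("user"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def find_bulk_readers(lines, max_records=5, window=timedelta(minutes=10)):
    """Return {(ip, user): peak_distinct_records} for principals that
    successfully read more than max_records distinct sensitive records
    within any window-length span. Failed requests (non-200) are ignored."""
    events = defaultdict(list)  # (ip, user) -> [(timestamp, record_id)]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != 200:
            continue
        if not ev["path"].startswith(SENSITIVE_PREFIXES):
            continue
        rm = RECORD_RE.match(ev["path"])
        if not rm:
            continue
        events[(ev["ip"], ev["user"])].append((ev["ts"], rm.group("record_id")))

    flagged = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({rid for _, rid in evs[start:end + 1]})
            if distinct > max_records:
                flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged


# Constructed sample log: one client scrapes eight records in under a
# minute, a named user reads two, plus a static asset and a failed request.
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Jul/2017:14:02:{10 + i * 5:02d} +0000] '
    f'"GET /api/consumer/{1001 + i} HTTP/1.1" 200 512'
    for i in range(8)
] + [
    '203.0.113.5 - jdoe [10/Jul/2017:14:03:01 +0000] "GET /api/consumer/2001 HTTP/1.1" 200 498',
    '203.0.113.5 - jdoe [10/Jul/2017:14:03:40 +0000] "GET /api/consumer/2002 HTTP/1.1" 200 501',
    '203.0.113.5 - jdoe [10/Jul/2017:14:05:12 +0000] "GET /static/logo.png HTTP/1.1" 200 3021',
    '198.51.100.7 - - [10/Jul/2017:14:05:30 +0000] "GET /reports/credit/77 HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    for (ip, user), count in find_bulk_readers(SAMPLE_LOG).items():
        print(f"ALERT bulk sensitive-record access: ip={ip} user={user} "
              f"distinct_records={count}")
```

The threshold and window are deliberately low so the constructed sample trips the rule; in practice they are tuned to the application's normal per-user access rate, and the alert is the starting point for an investigation rather than a verdict.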
Cyber Security Threat #2: Being overall security “aware”
Being overall security aware is the second threat identified by the CIOs. With the explosion of digitalization and the changing threat landscape, threats are only on the rise. It only takes one vulnerability to expose your company, which may eventually lead to a devastating breach. This is why being aware of your overall security posture, and of the threats targeting your business, is a crucial step in protecting it.
Testing your cyber security controls in order to monitor your organization’s cyber readiness is just as important as running awareness campaigns to educate your employees. You need to assess the security posture of your organization, as this is an essential part of your cyber security strategy. Doing so allows for in-depth planning as well as the framework necessary to fend off potential attacks.
Did you know that 23% of all cyber attacks last year originated from the target’s supply chain? Your organization can only be as strong as its weakest link, and we are often left vulnerable by the vendors we work with. Aside from evaluating your current cyber security capabilities, looking at your existing and future vendors is just as important.
Simulating complex attack scenarios that target your business from the perspective of an attacker provides great visibility into the possible attack vectors into your business, along with your response plans, and thereby validates your defenses’ efficiency in the face of current and emerging cyber threats.
Javvad Malik, security advocate at AlienVault, commented on the Deloitte breach, stating that the incident demonstrated that even one of the largest organizations can overlook fundamental security practices. He continues: "It also highlights the importance of ongoing monitoring and threat detection so that any malicious activity can be detected and responded to in a timely manner".
Cyber Security Threat #3: Security Patches
The third threat in the survey is patching. Patching, plain and simple, is something that just has to be done. However, it is a common reaction for IT managers to be hesitant when it comes to patching. Patch management is designed to prevent the exploitation of vulnerabilities on your network and endpoint devices. It is also effective in eliminating security flaws and creates a more stable environment; fixing performance issues and memory leaks comes alongside the positive security implications. Failing to patch your systems may leave your organization vulnerable to risks that can be avoided.
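The first step of patch management is knowing which installed components are still below the version an advisory fixes. As an added example (not code from the original post or from any vendor it mentions), here is a minimal Python patch-status check that compares an installed-package inventory against a list of advisories and reports every package still behind the fixed version, highest severity first. The package names, versions, inventory format and advisory identifiers are constructed placeholders; a real deployment would feed it the platform package manager's output and the vendor's advisory feed.

```python
"""Report installed packages that are behind an advisory's fixed version.

Added example (not from the original post). The inventory, advisory list
and advisory ids below are constructed placeholders, not real packages
or real advisories.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id, not a real CVE or vendor id
    package: str
    fixed_version: str    # first version that contains the fix
    severity: str         # critical / high / medium / low


def version_key(version):
    """Crude comparison key: '2.3.10-1' -> (2, 3, 10, 1).
    Assumption: versions are dotted/dashed numeric strings. Real package
    managers have their own ordering rules (epochs, '~' pre-releases), so
    production code should defer to them, e.g. dpkg --compare-versions."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def parse_inventory(text):
    """Parse constructed 'package version' lines into {package: version}.
    Blank lines and '#' comments are skipped."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split()
        inventory[name] = version
    return inventory


def missing_patches(inventory, advisories):
    """Return [(advisory, installed_version)] for every advisory whose
    package is installed at a version below fixed_version, ordered by
    severity (critical first) and then package name. Packages that are
    not installed at all are not exposed and are not reported."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is None:
            continue
        if version_key(installed) < version_key(adv.fixed_version):
            findings.append((adv, installed))
    findings.sort(key=lambda f: (rank.get(f[0].severity, 9), f[0].package))
    return findings


# Constructed inventory, as a package manager might list it.
INVENTORY = """
# package version
acme-web-framework 2.3.10
acme-tls-lib 1.0.2
acme-db-server 9.6.5
acme-image-lib 4.1.0
"""

# Constructed advisory feed with placeholder identifiers.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "acme-web-framework", "2.4.1", "critical"),
    Advisory("ADV-EXAMPLE-002", "acme-tls-lib", "1.0.2", "high"),     # already at fixed version
    Advisory("ADV-EXAMPLE-003", "acme-image-lib", "4.2.0", "medium"),
    Advisory("ADV-EXAMPLE-004", "acme-queue", "3.0.1", "critical"),   # not installed here
]

if __name__ == "__main__":
    for adv, installed in missing_patches(parse_inventory(INVENTORY), ADVISORIES):
        print(f"[{adv.severity.upper():8}] {adv.package}: installed {installed}, "
              f"fixed in {adv.fixed_version} ({adv.advisory_id})")
```

Run on a schedule and diffed against the previous run, a report like this gives the "accountable audit trail" discussed later in this post: a dated record of which known fixes were still outstanding and for how long.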
It should be noted that, according to initial media reports, there were suggestions that the SEC's impacted electronic system, EDGAR (the Electronic Data Gathering, Analysis, and Retrieval test filing system), may in fact be “an old system.” This may or may not be true; time will tell. But what we can take from this claim is a warning to companies still operating "old systems" or unpatched legacy software.
This is not the first time we have spoken about patching; take a look at our article “WannaCry, Petya and All That is Wrong With the Cyber Security Ecosystem” for more insights.
Where’s the Accountability?
Time and time again we see these breaches result in apologies and poor post-breach handling. How much is an apology going to help the people you just subjected to possible identity theft, as well as other cybercrimes? Equifax is a well-known company that was supposed to be there to help check your credit scores and protect customers from identity theft. What happened? The problem is they fell short here, big time. In all three breaches, the companies were well aware of the infiltrations well before the news reached their clients.
In particular, Equifax handled the breach in a truly horrific manner. For starters, they did not disclose the breach for six weeks, by which time their consumers had likely already been harmed. Next, three Equifax executives sold their shares upon discovery of the breach and before it was disclosed to the public. Third, Equifax tried to take advantage of the victims of their own breach: on their website they allowed users to check if they had been affected, and then offered those consumers their own protection services! In addition, the TrustedID terms of service state that enrollees give up their right to sue Equifax and are prevented from filing a class action.
So, what can be done? It all boils down to accountability.
To date in the U.S., many industries have mandatory cyber security regulations, and over the past ten years these regulations have increased across all industries. They are designed to ensure that all companies dealing with sensitive data, such as cardholder data (covered by PCI) and PII, maintain a secure environment. As GDPR comes into effect in May 2018, companies will be required to take effective steps to safeguard this data or face crippling fines.
However, there are still companies that are not abiding. Equifax, like Yahoo, is one of the companies that do not follow cyber security best practices. In the case of Equifax, John Pescatore, director at SANS Institute, states that he was surprised to see the two Equifax executives leave. He explains that some breaches result from “systemic top-down inattention to security practices”, whereas this breach came from Equifax’s failure to act on a known security issue. In a case like this, where a basic security measure is required, there is usually no need to get upper management’s support in order to patch. Todd Thibodeaux, CEO of CompTIA, believes the internal team at Equifax should have implemented the patch and enforced stricter password policies. But he also believes that their board of directors should be held responsible for not ensuring proper adherence to best practices and for not providing an accountable audit trail. I tend to agree.
I would like to call to attention the wise words of Marcus Christian, attorney at Mayer Brown. He states that there are crucial lessons we can take away from breaches such as the SEC breach. “First, cybersecurity is never finished. Yesterday's and today’s improvements often become tomorrow's vulnerabilities. Second, cybersecurity requires ongoing vigilance and vigor. Attackers don't take timeouts, and potential victims cannot afford to either. And third, America needs its government agencies that collect, store, and transfer sensitive information to exceed the standards they set for businesses and other nongovernmental organizations.” These wise words are relevant to these three attacks, as well as any future attacks.
Today is the day you can make changes and take steps to protect your organization. Don’t wait for an attack to happen. Breaches can be avoided if the right steps are taken. We have outlined the areas you need to address in order to start assuring your security. It's time to start understanding what needs protecting, and how to protect it. Make a plan and see it through.
If you would like to hear about CyberInt’s solutions for protecting your company, click here.