“The more things change, the more things stay the same.” That was the observation of Dave Hogue, technical director of the NSA’s Cybersecurity Threat Operations Center, when he addressed the Cyber UK 2018 Conference this month. Hogue’s point was that while businesses rely on increasingly sophisticated software and services to transform how they work, they still fail to get the basics of cyber defence right.
He pointed out that threat actors are still exploiting the same old bad security habits. The situation is getting worse as organisations continue to overlook the security basics, keep running software that is no longer supported, and fail to patch applications. Awareness and accountability are shockingly low, as businesses prioritise speed and convenience over security.
The most disturbing thing, Hogue said, was that the vulnerabilities adversaries are taking advantage of would not exist if organisations followed best-practice advice that has been available for months or even years. We should not underestimate the sophistication of many cybercriminals, but they are being given an easy ride: unsophisticated tactics are enough to cause serious damage.
Hogue drew attention to the simple, unsophisticated means used in high-profile attacks. For example, in September 2017 Equifax disclosed that attackers had exfiltrated data from its internal databases, a breach that has cost more than USD600M to remediate. Rather than relying on an unknown or zero-day vulnerability, the attackers exploited a publicly known flaw in the Apache Struts web framework for which a patch had already been published.
The attack was entirely preventable. Had Equifax applied the patch when the vulnerability was first announced, the breach affecting more than 145 million people would have been avoided. Veracode reported that 90% of firms using the same library had also failed to apply the fix in the months after the Equifax breach. What’s more, widespread events like last year’s WannaCry ransomware outbreak, which spread through a Windows SMB flaw Microsoft had patched two months earlier, highlighted how common it is to delay or skip patches for known vulnerabilities.
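The lesson of the Equifax and WannaCry cases is that the exposure window opens on the day a fix is published, not on the day an attack is noticed. The script below is an added example, not code from Hogue’s talk, Equifax or any vendor: it walks a constructed software inventory, compares installed versions against a constructed advisory’s fixed versions (one per supported release line), and reports how many days each unpatched host has been exposed. The component names, hosts, versions and dates are all made up for the demonstration. It also shows a trap that silently breaks naive patch checks: compared as strings, "2.3.4" sorts after "2.3.32", so a lexicographic comparison would mark an old, unpatched release as current.

```python
"""Patch-lag check over a constructed software inventory (added example).

The advisory and inventory data below are made up for the demonstration;
they are not Equifax's systems, a real product or a real advisory.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_versions: tuple   # first fixed release on each supported line, e.g. ("2.3.32", "2.5.10.1")
    published: date         # the day the fix became public


def parse_version(version: str) -> tuple:
    """Turn "2.3.32" into (2, 3, 32) so that comparison is numeric.

    A plain string comparison gets this wrong: "2.3.4" > "2.3.32" as text,
    but 2.3.4 is the older (and here, unpatched) release. Non-numeric
    segments such as "rc1" are compared as text after all numeric ones.
    """
    parts = []
    for seg in re.split(r"[.\-]", version.strip()):
        parts.append((0, int(seg)) if seg.isdigit() else (1, seg))
    return tuple(parts)


def is_vulnerable(installed: str, fixed_versions) -> bool:
    """True when the installed version predates the fix for its release line."""
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_versions]
    # A release line is identified by its first two components (2.3.x, 2.5.x, ...).
    same_line = [f for f in fixes if f[:2] == inst[:2]]
    if same_line:
        return inst < min(same_line)
    # No fix was issued for this line. Anything older than every fixed line
    # (an end-of-life branch) is treated as vulnerable; anything newer is not.
    return all(inst < f for f in fixes)


def patch_lag(inventory, advisories, today: date) -> list:
    """Return (host, component, installed, fixed_versions, days_exposed) per unpatched item."""
    by_component = {a.component: a for a in advisories}
    findings = []
    for host, component, installed in inventory:
        adv = by_component.get(component)
        if adv is None:
            continue   # no advisory applies to this component
        if is_vulnerable(installed, adv.fixed_versions):
            days_exposed = (today - adv.published).days
            findings.append((host, component, installed, adv.fixed_versions, days_exposed))
    return findings


# Constructed sample data (hypothetical hosts, product and advisory).
ADVISORIES = [Advisory("acme-webfw", ("2.3.32", "2.5.10.1"), date(2017, 3, 7))]
INVENTORY = [
    ("web-01", "acme-webfw", "2.3.4"),    # old 2.3 line, unpatched
    ("web-02", "acme-webfw", "2.3.32"),   # patched
    ("web-03", "acme-webfw", "2.5.10"),   # 2.5 line, one release short of the fix
    ("db-01", "acme-db", "9.1"),          # no advisory applies
]
SAMPLE_TODAY = date(2017, 7, 29)         # constructed "today" for the report


def sample_findings() -> list:
    """Run the check over the constructed inventory."""
    return patch_lag(INVENTORY, ADVISORIES, SAMPLE_TODAY)


def main() -> None:
    for host, comp, inst, fixes, days in sample_findings():
        print(f"{host}: {comp} {inst} is below {', '.join(fixes)}; fix public for {days} days")


if __name__ == "__main__":
    main()
```

In a real deployment the inventory would come from a package manager, a build manifest or an asset database and the advisories from a vulnerability feed; the comparison logic is the part that is easy to get wrong, which is why the release-line handling and the numeric parsing are made explicit here.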
This month Microsoft is issuing more than 20 updates to protect users from critical vulnerabilities in its operating systems, browsers and Office. It is likely that many businesses will not apply them promptly, leaving some 65 vulnerabilities wide open.
Businesses must change their approach. Hogue believes every employee has a role to play in security and should see themselves as part of the defence, and that C-level executives in particular must understand the financial and reputational incentives to improve. He also advocates more collaboration across sectors, to reinforce best practice and to keep attackers behind a more layered set of security barriers.
While businesses continue to overlook the security basics, they will remain vulnerable to attack methods that are outdated and should no longer be effective. However, countering this doesn’t need to be complicated. Organisations have access to a wide array of best practice advice, and simple and effective solutions that will prevent the majority of attacks. The responsible—and easy—thing to do is to take advantage of these.