[BreachExchange] 5 computer security facts that surprise most people
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Dec 7 18:35:41 EST 2017
https://www.csoonline.com/article/3239644/data-breach/5-
computer-security-facts-that-surprise-most-people.html
The five statements below are the causes behind a lot of computer security
risk and exploits. If you understand them well enough today, you will be
ahead of your peers.
1. Every company is hacked
When the world hears about the latest big breach, people probably think
that the company involved must be bad at computer security. The next time a
big hack occurs that results in millions of customer records stolen or
millions of dollars in losses, what you should think is “Every company is
hacked. This is just the one the media is talking about today.”
Every company is completely and utterly owned by a nefarious hacker or
easily could be. That’s just a fact. I’m not including top secret military
installations that don’t have Internet and require that their hard drives
be placed in a locked safe at the end of every day. I’m talking about the
average corporate company or small business.
I’ve never consulted at a company (and I’ve consulted at hundreds) where I
didn’t find at least one hacker hidden somewhere when asked to do so. In
most cases, especially over the last decade, I found multiple groups that
had been in for years. My personal record was eight different hacking
groups, with some in as long as ten years.
That one was interesting because one of the reasons they called me was that
a software patch that they didn’t want applied was applying no matter what
they did. The hacker groups were tired of waiting for the victim company to
make its environment more secure, because more and more hacking groups kept
breaking in. It’s a problem when the hackers are more security conscious
than you are.
As a part-time penetration tester, I’ve often been asked to break into
companies (after getting legitimate authority). It’s never taken me more
than an hour to do so, except for one company that took me three hours, and
then only because they had already followed my advice after my previous
paid break in. I’m only an average penetration tester. The people I admire
get in even faster. I’m not even including all the world’s nation-states,
which are sitting on tons of zero days.
The world’s computers are very poorly secured. You don’t need zero day
exploits. You just need to look around a bit to find an easy weakness. Most
companies aren’t doing nearly enough to secure their computers. Most talk a
good game, but when it comes to really doing what’s needed to keep good
hackers out (e.g., perfect patching, application control programs, and no
Internet), they aren’t willing to do what needs to be done--at least not
yet.
2. Most companies don’t know the way they are successfully attacked the most
This is something I’ve only learned, and tested, in the last five years.
I’ve yet to meet an IT security employee who can tell me the number one way
their company is exploited the most on a routine basis. Well, that’s not
fair. Five to 20 percent of the employees guess the right answer, but can’t
point to any data to back up the claim. That means 80 percent at best of
the IT security staff thinks it’s something else. The rest of IT and the
rest of the company is clueless. If most of the company doesn’t agree on
what the biggest threat is, how can they effectively fight it?
The data to show the biggest threat is non-existent. You would think after
spending millions of dollars to collect bazillions of events into fancy
event log management systems that this question would be the easiest to
answer. It’s not. It might never be, especially if you aren’t even asking
the question.
3. A criticality gulf exists between real and perceived threats
There is a huge gulf between your biggest potential threats and your
biggest actual exploits. Security defenders who understand the difference
are worth their weight in gold. Each year 5,000 to 7,000 different new
exploits appear. (This has been fairly consistent for over a decade.)
One-fourth to one-third of them are marked with the highest criticality.
This means when you run vulnerability scanning software or look at a patch
management report, you’ll always have a ton of “top priority” things to
fix. You can’t concentrate and fix more than a few things at once. So, if
your report has 20 number-one priorities you need to correct, what do you
do?
Start by fixing the critical things that are causing the most damage in
your environment today, followed by the most likely culprits after that. It
could be that the top culprits aren’t even the highest ranked
vulnerabilities. Doesn’t matter. Criticality rankings are done on potential
to do harm. Real harm, and most likely future harm, trumps guesses.
Understanding this lesson should change a lot of what you do as a computer
security defender.
4. Firewalls and antivirus software aren’t that important
Most of today’s threats are client-side threats, initiated by the end-user.
This means they are already past all the firewalls (e.g., network or host)
that were put in their way to prevent them from reaching the user’s
desktop. Once a threat is there, firewalls provide very little value.
A traditional firewall’s main value is preventing an unauthorized
connection attempt to an existing vulnerable service. If your service isn’t
vulnerable, then a firewall probably isn’t providing a lot of value. This
is not to say that they don’t provide any value. They can and do,
especially intelligent, deep-packet inspecting firewalls. It’s just that
most threats aren’t the things they stop anymore, so the big value they
used to provide just isn’t there.
Antivirus software isn’t valuable because it’s very difficult for any AV
product to be 100 percent effective against all the newly emerging malware.
Anytime you see a “100 percent” rating, don’t believe it. Those tests are
conducted under controlled conditions where the malware is not getting
updated nearly as much as in the real world. In the real world, the first
malware program you are likely to encounter is simply a downloader that
downloads brand new malware programs, updated to bypass all AV software.
5. Two problems are almost 100 percent of the risk
It’s been true for over a decade that the two most likely reasons you will
get exploited is due to unpatched software or a social engineering event
where someone is tricked into installing something they shouldn’t. These
two issues account for nearly 100 percent of the risk. It would be a
stretch to claim every other exploit type in the world, added together,
would account for 1 percent of the risk. Put another way, if you don’t fix
the two top problems, then the rest do not matter. A single unpatched
software program has at times accounted for over 90 percent of the
web-based exploits. Social engineering gobbles up most of the rest. Make
sure you concentrate on the right problems.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171207/cc600479/attachment.html>
More information about the BreachExchange
mailing list