Why are hackers able to breach the security of so many organizations using known vulnerabilities, and what can you do minimize the risk that this happens to you?
It's an important question to ask, because consequences can be significant if a security breach leads to the theft of confidential proprietary data or loss of customer information. If hacker exploit a well-known vulnerability to access your system -- a vulnerability that you could have reasonably been expected to have contained - then the harm to your organization's reputation could be catastrophic.
Speaking at the recent RSA Conference Europe 2012 in London, Don Smith, technology director at Dell SecureWorks, says that organizations' failure to deal with known vulnerabilities stems from the vast increase in IT complexity over the past couple of decades.
In 1992 IT pros could look at a Web server package and understand every component of it - what it did, whether it was required, and whether it had any known security issues. Now, however, even a fairly basic Web server installation is many times more complex. "What's happened is that it's now simply too complex for any single individual to understand," Smith said.
Added complexity isn’t the only problem, though. Because companies are more likely to be attacked now, vulnerabilities are more likely to be discovered, said Smith. "We see our customers experiencing a security incident of one form or another about once every week."
Perhaps the biggest problem, though, is the emergence of new "threat actors" over the last few years. In addition to malicious individual hackers, there are also organized criminal gangs, hacktivist groups (like Anonymous) and even government-sponsored hacking groups -- mostly believed to be based in Eastern Europe or Asia -- looking to steal intellectual property.
The biggest security headaches are not directly caused by the limited number of hackers who discover vulnerabilities and create the code to exploit them, but rather by tech-savvy criminals who use these exploits for large-scale commercial gain. Many of these criminals pay for access to exploit packs like Blackhole, Crimepack or Eleanore. These automated hacking tools scan IP addresses looking for systems with any one of a range of known vulnerabilities, then launch appropriate exploits automatically at any unpatched machines they come across.
No organization can be expected to patch their machines against zero-day exploits, because by definition zero-days have never been seen before -- and therefore no patches exist. But once a vulnerability is publicly announced, it now takes as little as 24 hours before exploit modules taking advantage of the new vulnerabilities are added to exploit packs and to penetration testing tools such as the Metasploit framework.
"How often do you patch and update your security?" asked Smith. "It's highly likely that you are not as quick as these guys."
Also, in the period before a vulnerability is announced publicly, it's quite possible that the hacker or hacker group that discovered it was holding it in reserve, to be exploited only when any current vulnerabilities they are exploiting get discovered and publicized. Since a vulnerability's value to a hacker rapidly drops as soon as it is publicly announced (because over the following days and weeks and increasing number of potential victims will take steps to defend themselves against it), it is likely that any criminals who want to exploit it will do so as quickly as possible. That makes the need to patch or take other security measures all the more pressing.
So what can you do to make sure you don't fall victim to a known vulnerability? The good news is, it's probably not necessary to spend a great deal of cash. "You certainly don't need to buy fancy security products, even though lots of vendors are very good at persuading you to buy things that you don't need," Smith said.
Here is his advice:
Stay up to date with vulnerability news
A key plank in your strategy should be putting a process in place to ensure that every security bulletin is read and acted on in such a way as to mitigate any risks as quickly as possible. It's an obvious step, but one that often gets overlooked. The US Computer Emergency Readiness Team (US-CERT) produces email alerts while products like Secunia's Vulnerability Intelligence Manager can help you keep on top of the latest vulnerabilities for your particular IT infrastructure.
Scan for vulnerabilities
The only way that you can be sure that you have not missed a vulnerability or patched one ineffectively is to test your systems using a vulnerability scanner such as Rapid7 Nexpose or Tenable Nessus. "Every month we come across a customer who gets caught by the Conficker worm that was around five years ago! It's not hard to patch, but some people just don't patch properly, and that's why they get hacked," warned Smith
Be amenable to anything new
You can only patch against vulnerabilities in software that you know is being run in your organization. For that reason, Smith said it is important to embrace change, the cloud and anything else users might find new and interesting. If you are seen as the security person who says "no" to every innovation on security grounds, people will end up not talking to you and doing things behind your back. They'll simply use an iPad to access the cloud service that you ban, Smith said. "You have to make sure that you are in the thick of it. You can have influence as part of the process, but not if you are just the person who says 'no' at the end of the process. Don't block. Detect and monitor."
Train users, and back it up with testing
Finally, Smith pointed out that while automated attack tools try to gain entry onto your network through the "front door," targeted attacks use "back door" techniques such as spear-phishing -- sending "weaponized" emails with links to malware, or with malicious attachments -- to individuals in your organization.
Many organizations attempt to mitigate this risk through user education programs, although their effectiveness is likely to be limited unless they are reinforced and tested using tools like Phishme. These tools generate simulated phishing emails intended to entice users into clicking on an attachment or a malicious link, or supplying confidential information. They then report back on the number of users that would have fallen victim to the phishing attacks if they had been real. Thus, users who fall for the simulated scams can get additional training.
None of the tips above will help you defend against the kind of sophisticated attacker that targets your company using vulnerabilities that are not publicly known. But they can prevent your organization from falling victim to an attack that you could -- and should -- have prevented.
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.