The world is in a state of digital transformation. This is not a statement proclaiming a new evolutionary path for the world, but rather a statement of the goal of many companies that connect with other companies across the internet. Connectedness is critical for data flows, communications, news, and business transactions. Where we used to call each other on the telephone, today we email (even to the cube next to us). Where we used to track the references of another company, we are likely to check out the company’s reputation on the internet. Where we used to wait for the check to arrive, companies are beginning to accept cryptocurrency as payment for their goods and services.
This path of connectedness brings with it new ways of designing and implementing information technology architectures. Where we had rather monolithic IT infrastructures in the past, today we see those services highly distributed around the world. Cloud services, microservices, and containers are all parts of the evolving architectures that companies are implementing to manage scale, speed to deployment, and cost.
This path of connectedness also brings with it a state of risk that needs to be assessed and mitigated. The speed at which these new architectures are being developed should not obviate the basic premise that essential elements of security must be implemented to protect data and privacy.
In this year’s Global Threat Intelligence Report, we examine the top threats facing corporations and the top technologies that are being used as attack vectors in attempts to effect compromise. A common theme across the report is that whether an enterprise is using a monolithic IT infrastructure or implementing all its IT infrastructure in the cloud, basic security practices are essential to protecting data and privacy.
As part of a basic security strategy, a company must understand what resources are on its network, however that is defined today. In addition, the security team must understand what vulnerabilities are present in those resources.
This highlights two security practices that must be in place to protect the company:
1 – There must be a comprehensive and thorough vulnerability assessment process. Comprehensive, in this sense, means that the security team must assess every device that touches their network for new and existing vulnerabilities. This must be an ongoing task, not just a once a year checklist item. Thoroughness implies that this assessment must include all the third-party connections that touch the environment. It also stresses that vulnerabilities must be fully mitigated to eliminate the possibility that these could be used as points of attack in an architecture.
Our report shows the number of vulnerabilities has increased over previous years. Where the number of new vulnerabilities identified in 2016 and 2017 were 6,447 and 14,714, the number increased to 16,555 in 2018. Think about that. There were 16,555 new weaknesses identified. Not all these vulnerabilities would apply to every environment, but it does emphasize the importance of a comprehensive and thorough practice of identifying and mitigating your vulnerabilities.
2 – The enterprise must implement a comprehensive penetration analysis program. Some people believe that vulnerability assessment can be used in place of penetration analysis. After all, if I eliminate ALL the vulnerabilities, what would an attacker use to compromise a device? The answer is simple: plenty.
It is impossible to mitigate all vulnerabilities as some are identified as zero-day vulnerabilities, which have no identified mitigation at the time of discovery. It also takes time to mitigate all the vulnerabilities. Even though we may start with the most critical and work our way down to lower-rated vulnerabilities, it takes time to do all of this. Attackers know how most companies will resolve their vulnerabilities and can use that knowledge against the company. In addition, companies must understand all the points of entry into their network. Some of these may be software entry points, others hardware based. Some points of entry may not be active until the third-party repairman connects a device to check the status of service that they provide. The larger the corporation, the greater the risk that not all these entry points and vulnerabilities may be known.
In this year’s report, we identify three application-specific and web-application attacks that were highly targeted over the past year. Attacks against Bash, Apache Struts and Samba continue to be a focus of hostile activity, with the number of these attacks doubling over last year’s results. This points out the importance of security personnel working with the IT development staff to design and implement secure practices around the software and services being implemented in the enterprise IT architecture.
For more insights in the security threats affecting enterprises – and how to face them – download our Global Threat Intelligence Report at nttsecurity.com/2019gtir.