With the prevalence of 24-hour connectivity and modern advancements in technology, threats are evolving rapidly to exploit different aspects of these technologies. Any device is vulnerable to attack, and with the Internet of Things (IoT) this became a reality. The IoT has seen increased usage of digital communication and the increased transfer of data via digital platforms increases the risk of data interception by malicious individuals. Pervasive surveillance through digital devices is also a recent threat with the increased use of smartphones. Governments can now engage in digital surveillance of their citizenry with the excuse of providing security against potential terrorist threats. Criminals can also do similar tasks to the detriment of the targeted victims. In 2014, ESET, an internet security company, reported 73,000 unprotected security cameras with default passwords.
In April 2017, IOActive found 7,000 vulnerable Linksys routers in use, although they said that there could be up to 100,000 additional routers exposed to this vulnerability.
In 2018, Marriott Hotels disclosed that 500 million customers’ data was leaked, and in April 2020 they disclosed another data breach affecting 5 million customers.
In 2019, First American Corporation a real estate title insurer, disclosed quarters of a billion mortgage deal documents, including bank account numbers, tax records, Social Security numbers, wire transaction receipts, and driver’s license images.
In 2020, Fire one of the largest cybersecurity companies in world , disclosed that they had been hacked, likely by a government, and that an arsenal of hacking tools used to test the defenses of its clients had been stolen.
April 2021, Facebook disclosed one more data leakage this time 540 of its users data , including Mark Zuckerberg’s data…
Cybersecurity and COVID-19
The cybersecurity landscape is always evolving and presenting new challenges, but since the COVID-19 global pandemic began, the cyber landscape has shifted at rapid speeds, leaving IT security professionals around the world scrambling to adapt to the new threat landscape. This has driven the IT world to adopt innovative methods of managing the business resilience and digital needs of a fully remote workforce, for example, with the use of video conference technology.
One of those technologies is Zoom: free, accessible, and easy to use. Zoom’s user base rocketed from 10 million in December 2019 to 200 million by the end of April 2020. This rapid increase caught the attention of security researchers, who found many security issues that have cast a shadow over the product.
Of course, Zoom is not the only company to feel the pinch during the pandemic. Cybersecurity threats have heightened during the crisis, as cybercriminals look to take advantage of companies that haven’t adopted the best practices of this rapid change and, as a result, are not operating as securely as they usually would.
When a company CEO asks what the vulnerabilities in a home device have to do with their company, the Chief Information Security Officer (CISO) should be ready to give an answer. The CISO should have a better understanding of the threat landscape and how home user devices may impact the overall security that the company needs to enforce. The answer comes in two simple scenarios, remote access and Bring Your Own Device (BYOD).
While remote access is not new, the number of remote workers is growing exponentially. 43% of employed Americans report spending at least some time working remotely, according to Gallup, which means they are using their own infrastructure to access a company’s resources.
Compounding this issue, we have a growth in the number of companies allowing BYOD in the workplace. This use of unmanaged devices is opening doors for adversaries, who have shifted quickly to exploit the newly increased attack surface and overstretched IT resources. This rapid shift in the threat landscape has left organizations scrambling to scale their security systems to meet the rise in the use of personal home networks, handheld devices, and apps beyond the scope of the enterprise environment.
Keep in mind that there are ways to implement BYOD securely, but most of the failures in a BYOD scenario usually happen because of poor planning and network architecture, which lead to an insecure implementation.
What is the commonality among the previously mentioned technologies? To operate them you need a user, which is the greatest target for attack: human error is the weakest link in the security chain. For this reason, old threats such as phishing are still on the rise. This is because they attack the psychological aspects of the user by enticing them to click on something, such as a file attachment or malicious link. Once the user performs one of these actions, their device usually either becomes compromised by malicious software (malware) or is remotely accessed by a hacker.
Understanding the attack surface
In very simple terms, the attack surface is the collection of all potential vulnerabilities that, if exploited, can allow unauthorized access to the system, data, or network. These vulnerabilities are often also called attack vectors, and they can span from software to hardware, to a network, and to users (which is the human factor). The risk of being attacked or compromised is directly proportional to the extent of attack surface exposure. The higher the number of attack vectors, the larger the attack surface, and the higher the risk of compromise.
Just to give you the extent of an attack surface and its exposure, let’s look into MITRE’s Common Vulnerabilities and Exposures (CVE) database, here: https://cve.mitre.org/cve/. The database provides a list of cybersecurity vulnerabilities that have been targeted in the past, to make organizations aware of them should they use the same software or hardware systems. It has 108,915 CVE entries at the time of writing, which have been identified over the past few decades. Certainly, many of these have been fixed, but some may still exist. This huge number indicates how big the risk of exposure is.
Any software that is running on a system can potentially be exploited using vulnerabilities in the software, either remotely or locally. This applies particularly to software that is web-facing, as it is more exposed, and the attack surface is much larger. Often, these vulnerable applications and software can lead to the compromise of the entire network, posing a risk to the data it is managing. Furthermore, there is another risk that these applications or software are often exposed to: insider threat, where any authenticated user can gain access to data that is unprotected due to badly implemented access controls.
An attack surface may be exposed to network attacks that can be categorized as either passive or active, depending on the nature of the attack. These can force network services to collapse, making services temporarily unavailable, allow unauthorized access to the data flowing through the network, and other negative business impacts.
In the event of a passive attack, the network might be monitored by the adversary to capture passwords, or to capture sensitive information. During a passive attack, an attacker can leverage the network traffic to intercept communications between sensitive systems and steal information. This can be done without the user even knowing about it. Alternatively, during an active attack, the adversary will try to bypass the protection systems using malware or other forms of network-based vulnerabilities to break into the network assets; active attacks can lead to the exposure of data and sensitive files. Active attacks can also lead to Denial-of-Service (DoS) type attacks. Some common types of attack vectors are:
- Social engineering scams
- Drive-by downloads
- Malicious URLs and scripts
- Browser-based attacks
- Attacks on the supply chain (which are becoming increasingly common)
- Network-based attack vectors
To find out more about this topic, I would highly recommend that you download and read Verizon data breach reports: https://enterprise.verizon.com/resources/reports/dbir/.
What follows is a relevant excerpt, which indicates the various factors that shape an organization’s attack surface:
“Errors definitely win the award for best supporting action this year. They are now equally as common as Social breaches and more common than Malware, and are truly ubiquitous across all industries. Only Hacking remains higher, and that is due to credential theft and use, which we have already touched upon. Misconfiguration errors have been increasing. This can be, in large part, associated with internet-exposed storage discovered by security researchers and unrelated third parties.”
According to the Verizon breach report, hackers’ tactics and motives have not changed much over the last 5 years, with 63% of breaches launched for financial gain, and 52% of breaches featuring hacking. Ransomware attacks account for nearly 24% of attacks involving malware, and breaches continue to take a long time to be detected, with 56% taking several months or longer to be discovered. And typically, by the time the breach has been discovered, the damage has already been done.
With every passing day, the network of connected devices is increasing, and, while this growth of connectivity continues to grow bigger, the risk of exposure is also increasing. Furthermore, it is no longer dependent on how big or small businesses are. In today’s cyberspace, it is hard to establish whether any network or application is prone to attacks, but it has become extremely important to have a sustainable, dependable, and efficient network system, as well as applications. Properly configured systems and applications will help reduce the risk of attack, but we might not ever be able to eliminate the risk of attack completely.