Narrowing the attack surface by patching

As the global crisis that is COVID-19 completely transforms the work environment for the majority of office professionals, the threat landscape has changed alongside it. About six in 10 organizations said they experienced at least a 25 percent increase in cyber threats since the pandemic started. Remote work environments that may not have the best security leave employees and organizations vulnerable to attacks from which they previously may have been protected by the corporate network perimeter.

In addition, employees today rely on many more types of devices—from smart watches to desktop PCs—to work. With this ever-expanding attack surface, 58 percent of organizations said maintaining control of security devices and policies emerged as the top cyber security challenge. Even data systems no longer in use are constantly under threat by attackers. Evidently, organizations can no longer rely on the same security strategies they’ve used in the past; they need to create comprehensive policies that can protect their expanding attack surface.

Preventability of breaches

Obviously, the best place to stop any attack is before it happens, since this is by far the cheapest and least disruptive option. However, this is not always possible. The primary cause of breaches usually stems from one (or more) of three issues: human weakness (phishing), weak external access mechanisms, or unpatched external vulnerabilities. According to an IBM Security report, “inadvertent” breaches brought about by human error and system glitches accounted for 49 percent of data breaches; the same report estimated that human errors alone cost companies $3.5 million. Locally, the SingHealth cyber-attack—where personal data of 1.5 million patients and 160,000 outpatient medication records were leaked—happened because of lapses by employees and vulnerabilities in the system.

Even with a very mature and layered security posture, it is likely that a motivated and well-funded threat actor will eventually gain initial access. The universal truth we have learned over the course of so many investigations is that if prevention is not possible, early detection and action is the next best thing.

The need for vulnerability management

This mitigation is as old as the first computer bug, but time and time again this is something overlooked by even some large and experienced organizations. Vulnerability management is not made any easier by the fact that most externally accessible applications are often client-facing, revenue generating and/or critical services. Patching these systems has an inherent risk of disruption.

Vulnerability management is often considered to be “just” patch management, but the complexity and risk can be enormous. After all, the defender needs to patch everything, and the attacker can benefit from finding just one unpatched vulnerability — if it is the right one. In fact, we are seeing a trend of threat actors front-loading their exploit efforts: they take advantage of a publicized vulnerability in an accelerated time frame, not with the intention of carrying out their objectives at the time (due to their own bandwidth limitations), but to install backdoors and revisit at a later time. Once the backdoor is in place, patching the original vulnerability is not enough to remove the attacker’s access to the environment.

Attackers are also exploiting backdoor access—according to Group-IB’s conservative estimates, a hacker, Fxmsp, earned US$1.5 million by providing backdoor access to hundreds of corporate networks. Detecting backdoor attacks is becoming increasingly difficult, and the problem is getting worse: the longer malware remains undetected in a system, the more damage it causes to the business. The average cost of a cyber-attack for organizations in Singapore stands at approximately S$1.7 million per breach—organizations need to secure their expanding attack surface to prevent disruptions to their businesses.

Tips for creating an effective Vulnerability Management Program

An effective program patches vulnerabilities as quickly as possible, in particular those that are externally facing and easily exploitable. Here are some tips to help stop the majority of attacks or at least limit the damage.

  1. Ensure the vulnerability management program has executive support
  2. Assign an owner who bears responsibility and takes it seriously
  3. Track the latest vulnerabilities, patches, and exploit releases
  4. Discover, learn, and begin to know your environment
  5. Scan everything, scan completely, scan often
  6. Prioritize vulnerabilities by:
    • Risk
    • Publicly available exploits
    • System criticality
    • Public exposure
  7. Assign the vulnerabilities to system owners and track them to remediation
  8. Rescan and validate the remediation
  9. Track the environment’s current state and progress — share with stakeholders
  10. Wash, rinse, repeat
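As an added illustration of tips 6 through 9 (not code from the original article), the following Python sketch ranks a constructed backlog of findings by the four prioritization factors, closes a finding only after a rescan confirms the fix, and produces the progress numbers to share with stakeholders. The scoring multipliers, host names and vulnerability ids are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One scanner finding. Fields and values are constructed for this example."""
    host: str
    vuln_id: str             # placeholder id, not a real CVE
    cvss: float              # base severity reported by the scanner (0-10)
    exploit_public: bool     # tip 6: a public exploit exists
    criticality: int         # tip 6: 1 = low, 2 = important, 3 = business critical
    internet_facing: bool    # tip 6: externally reachable
    owner: str = ""          # tip 7: assigned system owner
    validated: bool = False  # tip 8: rescan confirmed the fix

def priority(f: Finding) -> float:
    """Higher means fix first. The multipliers are assumptions chosen to push
    exposed, exploitable findings on critical systems to the top of the list."""
    score = f.cvss
    if f.exploit_public:
        score *= 1.5
    if f.internet_facing:
        score *= 1.5
    score *= f.criticality
    return round(score, 2)

def prioritize(findings):
    """Tip 6: order the backlog so the most dangerous items are worked first."""
    return sorted(findings, key=priority, reverse=True)

def close_finding(f: Finding, rescan_still_reports_it: bool) -> bool:
    """Tip 8: a finding is only closed when a rescan no longer reports it."""
    f.validated = not rescan_still_reports_it
    return f.validated

def progress(findings) -> dict:
    """Tip 9: the current state of the environment, for stakeholders."""
    validated = sum(1 for f in findings if f.validated)
    return {"total": len(findings), "validated": validated, "open": len(findings) - validated}

# Constructed sample backlog (not real hosts or vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("web01", "VULN-A", 9.8, True, 3, True, owner="web-team"),
    Finding("db01", "VULN-B", 9.8, False, 3, False, owner="dba"),
    Finding("kiosk01", "VULN-C", 7.5, True, 2, True, owner="facilities"),
    Finding("dev01", "VULN-D", 5.3, False, 1, False, owner="dev-team"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{priority(f):6.2f}  {f.host:8s} {f.vuln_id}  owner={f.owner}")
    close_finding(SAMPLE_FINDINGS[0], rescan_still_reports_it=False)
    print(progress(SAMPLE_FINDINGS))
```

Note that the internet-facing kiosk with a public exploit outranks the internal database with a higher CVSS score, which is the point of weighting exposure and exploit availability rather than severity alone.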

Decreasing Time to Patch

Attackers are constantly looking for new vulnerabilities to exploit—and taking advantage of old vulnerabilities that may have gone unpatched. Having a vulnerability management framework in place that regularly checks for new vulnerabilities is crucial for preventing cybersecurity breaches.