The digital threat landscape faced by enterprises large and small is in perpetual flux, and keeping an eye on things and adapting defenses should be of primary importance to every CISO.
According to Ziv Mador, VP of Security Research at Trustwave’s SpiderLabs, the current major and, unfortunately, rising threats are ransomware, CEO email attacks (BEC scams), and the exploitation of zero-day vulnerabilities.
“Our researchers tracked nine different zero-day vulnerabilities in 2016, five of which targeted Adobe Flash Player,” he tells me. There is also growing concern about zero-day exploits used by nation state agencies getting leaked to the public.
Finally, he pointed out that 63 percent of all breaches the company investigated in 2016 targeted payment card data, so any organization that handles this type of data needs to be particularly vigilant.
The zero-day market
“The zero-day market will continue to thrive because there are organizations – nation states, zero-day brokers and criminal groups – that are willing to pay for them. All of these groups need a constant stream of fresh zero-days for their operations and, in my opinion, the demand and supply side on this market will always exist,” he notes.
He’s also of the opinion that bug bounty programs can make a positive dent, but it depends on how the vendor approaches this initiative.
If a large vendor does not have a program for reporting vulnerabilities set up, he says, researchers who find a vulnerability may opt for going to a zero-day broker.
“White hats want recognition, and getting on the Hall of Fame of a major vendor means much to them, even if they don’t get paid,” he pointed out. But vendors that offer money for information about vulnerabilities will find that more researchers will concentrate on finding vulnerabilities in those particular products.
Most researchers are not a bad sort, he says. Grey hats often prefer to report a vulnerability to the vendor – if they are likely to get recognition or payment.
“But the payment needs to be competitive! If the vendor offers $20,000 for a vulnerability, but bug hunters can get $200,000 for it on underground markets, it’s pretty likely they will choose the second option,” he points out. “If large vendors were to offer somewhere between $500,000 and $1 million for a critical vulnerability, they would clear the zero-day market in short order.”
The insecurity of Web applications
99.7% of the web applications tested by Trustwave’s application scanning services in 2016 contained at least one vulnerability, with a mean of 11 vulnerabilities detected per application. What do these numbers mean for organizations running large web applications?
“If they run a web application developed by another company, they should ensure they always run the latest version and have implemented all security patches,” Mador opines.
“Because it is so important for companies to keep applications’ uptime at a maximum, we often see them refraining from implementing patches, lest there’s a problem with it. Needless to say, this makes the applications vulnerable to attack.”
“If a company develops its own web application (like, for example, banks often do), it’s essential they pen test it before they go live,” he adds.
Are companies investing in the wrong technologies?
“We are seeing an increasing number of breaches not because companies are necessarily doing the wrong thing or using the wrong technology, but because there is an increasing number of attackers out there,” Mador believes. “The benefit of launching these attacks outweighs the risks.”
His advice to organizations, CISOs, administrators and IT security teams is to:
- Look at new technology to add layers of protection and ensure there are back-ups for all systems
- If possible, stop using unsupported operating systems
- Invest time into checking whether you are doing everything you can to make your environment more robust
- Use web gateways to identify infection attempts powered by zero-days
- Invest in access to skill and expertise. A managed security services provider (MSSP) is a good investment for companies wanting to ensure they have covered all bases while balancing their budget. Some benefits of using an MSSP can include access to security experts and 24-hour customer support, and outsourcing security services to a third party is often a less expensive activity compared to dealing with it in-house. However, any organization considering this must still employ a CISO for the MSSP to report to and coordinate with and it’s best to see an MSSP as a supplement for the in-house team rather than a replacement for it.