Popular preconceptions of enterprise security and network usage are often inaccurate, according to Cato Networks. While exotic attacks and nation-states such as Russia and China grab headlines, the most prevalent enterprise cybersecurity risks in Q1 came from unpatched legacy systems, attacks from the US, and consumer applications, such as TikTok.
Legacy security defenses fail as old exploits form most common threat
While the industry focuses on exotic attacks – like the SolarWinds incident — the real risk to enterprises comes from older exploits, some as much as 20-years old. “While organizations always need to keep up with the latest security patches, it is also vital to ensure older system and well-known vulnerabilities from years past are monitored and patched as well,” says Etay Maor, senior director of security strategy at Cato Networks. “Threat actors are attempting to take advantage of overlooked, vulnerable systems.”
Our research showed that attackers often scanned for end-of-life and unsupported systems. Common Vulnerability and Exposures (CVE) identified were exploits targeting software, namely vSphere, Oracle WebLogic, and Big-IP, as well as routers with remote administration vulnerabilities.
Patching may address the problem, but enterprises find that staying on top of patching is challenging, and legacy security systems are often insufficient to stop threats. Furthermore, threat actors are constantly changing their signatures and characteristics to avoid detection.
Application vulnerabilities expose many enterprise networks to attack
During its analysis of network traffic, several security risks have been identified. Microsoft Office and Google continue to dominate, but widespread use was seen of remote access software, such as Remote Desktop Protocols (RDP), Virtual Network Computing (VNC), and TeamViewer.
If not properly secured, these applications can be targeted by threat actors with disastrous results, as was made apparent by the recent attacks on the Florida water supply system, Molson Coors, and Colonial Pipeline.
“The prevalence of remote access software is troubling from a security perspective. Many attacks on critical infrastructure involved attackers exploiting vulnerabilities and weak passwords. If organizations need to run such software, special care must be taken to ensure their security,” says Maor.
Enterprise networks also continue to be populated by consumer applications, with the most popular being TikTok that had millions of more flows than Google Mail, LinkedIn, or Spotify.
In recent months there was also a significant increase in Robinhood and eToro transactions – likely driven by the recent GameStop-Reddit-Wall Street. The data transmitted to these trading applications surpassed more popular applications such as CNN, The New York Times, and CNBC.
“The increase in consumer applications not only consumes bandwidth but poses a security risk to enterprises,” Maor said. “As the type of data flow and applications changes, so does the way in which threat actors exploit vulnerabilities, and in turn, the way enterprises secure their networks must change as well.”
Threats originate from countries other than Russia or China
To keep in front of attackers, enterprises will often block traffic from certain countries, such as Russia and China. Such an approach is ineffective. The analysis shows that during the first quarter of 2021, most threats did not originate from China or Russia. In fact, more malware attacks originated from the United States than any other country.
“Blocking network traffic to and from ‘the usual suspects’ may not necessarily make your organization more secure,” Maor said. “Threat actors are hosting their Command & Control servers on ‘friendly’ grounds including the U.S., Germany, and Japan.”