
The Vulnerabilities of the Past Are the Vulnerabilities of the Future

Major software vulnerabilities are a fact of life: Microsoft has patched between 55 and 110 vulnerabilities each month this year, with 7% to 17% of those vulnerabilities rated critical.

May had the fewest vulnerabilities, with a total of 55 and only four considered critical. The problem is that the critical vulnerabilities are things we have seen for many years, like remote code execution and privilege escalation.

Microsoft isn't the only big name regularly patching major vulnerabilities: we see monthly security updates coming from Apple, Adobe, Google, Cisco, and others.

Everything old is new again

With major vulnerabilities in so many applications, is there any hope for a secure future? The answer is, of course, yes, but that does not mean there won't be challenges getting there.

The vulnerabilities being seen may not be new to those of us who have been defending against attackers for years or even decades, but the adversaries continually change their tactics.

It is not uncommon for them to use legitimate resources for nefarious purposes, and it may not always be possible to plan for this misuse when an application is being built.

It's your privilege

With 80% of security breaches involving privileged accounts, a major vulnerability we will increasingly see exploited is privilege escalation. A common tactic of ransomware operators and other threat actors is to achieve elevated privileges on a system to help legitimize their actions and gain access to sensitive data.

If an info stealer has the same access as the current user, the chances of exfiltrating sensitive data are significantly increased. Meanwhile, admin access nearly guarantees access to juicy data.

In addition to keeping software updated, this is where Zero Trust initiatives and data flow monitoring become critical. At a minimum, Zero Trust means that the principle of least privilege should be applied, and multi-factor authentication should be required wherever it is available.

Essentially, this ensures that anyone who does not need access to a system or file cannot access it, while those who do must prove that they are who they say they are. Monitoring the flow of data can also help catch a breach early on, limiting the amount of data stolen.

Remote control

Remote code execution (RCE) is not going away any time soon. These attacks accounted for around 27% of the attacks in 2020, up from 7% the prior year. If an attacker can find a way to run arbitrary code on your system remotely, they have a lot more control than they would from merely tricking a user into running a piece of malware with predefined functions.

If the attacker can run arbitrary code remotely, they gain the ability to move around the system and possibly the network, enabling them to change their goals and tactics based on what they find.

Behavioral monitoring is one of the best ways to detect RCE on your systems. If an application begins running commands and spinning up processes that are not part of its normal behavior, you can put a stop to an attack early on. The fact that RCE is so common also means you must keep security patches up to date to stop many of these attacks before they even start.

Who needs malware anyway?

Today, a favorite attack method is using legitimate processes and trusted applications to accomplish nefarious goals. These fileless, or living off the land, attacks can be difficult to detect because no malware needs to be installed.

One of the most common applications to be abused this way is PowerShell. This makes sense because PowerShell is a powerful application used to script and run system commands.

This is another instance where monitoring the behaviors of applications and processes can be vital in stopping an attack quickly. Does PowerShell really need to disable security features?

In most cases, probably not. Behaviors like this can be monitored, even from trusted applications like PowerShell. Combine this monitoring with advanced machine learning and AI, and you can begin fingerprinting normal behaviors on your network, with automated responses to unusual activity.
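As an added example (not code from the original post), here is the kind of baseline-driven check the last two sections describe, run over a few constructed process-creation events: a parent-to-child process baseline flags a web server or a Word document spawning a shell, and a short list of command-line fragments flags PowerShell being used to weaken defenses. The baseline, the fragment list and the sample events are all assumptions constructed for illustration.

```python
"""Baseline-driven process-creation monitoring (added example, not from the post).

Assumes process-creation events are already collected (for example Sysmon
Event ID 1 or EDR telemetry) as records with parent image, child image and
command line. The baseline and the sample events below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed baseline: which child processes each parent is expected to spawn.
BASELINE = {
    "w3wp.exe": {"csc.exe", "conhost.exe"},
    "winword.exe": {"splwow64.exe"},
    "explorer.exe": {"powershell.exe", "cmd.exe", "winword.exe", "chrome.exe"},
    "services.exe": {"svchost.exe", "msiexec.exe"},
}

# Command-line fragments that disable or weaken security controls; these are
# suspicious regardless of which parent launched the process.
SECURITY_TAMPERING = ("set-mppreference", "disablerealtimemonitoring",
                      "-executionpolicy bypass")


@dataclass
class ProcEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str  # full command line of the new process


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label, or None when the event matches the baseline."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    if any(frag in cmd for frag in SECURITY_TAMPERING):
        return f"security-tampering: {ev.parent} -> {ev.image}"
    expected = BASELINE.get(parent)
    if expected is None:
        return f"unknown-parent: {ev.parent} -> {ev.image}"  # no baseline yet
    if image not in expected:
        return f"unexpected-child: {ev.parent} -> {ev.image}"
    return None


def scan(events: Iterable[ProcEvent]) -> List[str]:
    """Run every event through the baseline and collect the findings."""
    return [finding for finding in map(classify, events) if finding]


SAMPLE_EVENTS = [  # constructed sample telemetry
    ProcEvent("explorer.exe", "winword.exe", "winword.exe report.docx"),
    ProcEvent("w3wp.exe", "cmd.exe", "cmd.exe /c dir"),  # web server spawning a shell
    ProcEvent("winword.exe", "powershell.exe", "powershell.exe -File update.ps1"),
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
]
```

In practice the baseline would be learned from a period of observed telemetry per host role rather than typed by hand, which is the fingerprinting step the paragraph above refers to.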

Go forth and repeat yourself

While the common types of attacks may not change much, any change to an application or its code has the potential to introduce new vulnerabilities. This doesn't mean we should give up and just let the adversaries win; it means that now is the time to double down on our efforts to thwart their attempts.

Implement a patch management strategy, monitor the network, use behavioral detection, and avoid complacency. The fact that major software providers are regularly patching major vulnerabilities is actually a good thing. The attackers are not giving up, so neither should we.
