There’s an old saying that those who don’t remember the past are condemned to repeat it. If so, a lot of CISOs are repeating a lot of bad history.
That could be the conclusion from figures gathered by Hewlett-Packard Enterprise’s latest Cyber Risk Report, which found the most exploited bug in 2015 was a Windows Shell vulnerability (CVE-2010-2568) that was discovered along with a patch issued in 2010 — and patched again in early 2015.
“We don’t seem to have learned from (the) lack of patching over the last few years,” Chandra Rangan, vice-president of marketing for HPE security products, concluded in an interview.
“We produce a lot of patches but IT organizations are not keeping up with the latest, leaving the same holes open.
“It’s a little bit discouraging.”
The report, released Wednesday, admits that patching in an enterprise isn’t trivial and can be costly. The most common excuse given by those who disable automatic updates or fail to install patches is that patches break things, the report says.
But to Rangan the “basic discipline of making sure that systems are up to date can go a long way” to improve cybersecurity.
In addition, he said, developers have to take more care when coding, building security into apps so they are resilient and hardened from the outset. This ensures developers don’t have to worry about security holes or patching after the fact.
“Software vendors must earn back the trust of users—their direct customers—to help restore faith in automatic updates,” the report adds.
And while report authors praise Microsoft and Adobe for releasing more patches than at any point in their history, they add that it “remains unclear if this level of patching is sustainable” because it is straining the resources of both vendors and IT departments. It points out that Microsoft has made some headway with defensive measures that prevent classes of attacks — for example, releasing the EMET (Enhanced Mitigation Experience Toolkit) in its browsers to better secure the Internet Explorer and Edge browsers.
Other software companies should follow such broad, asymmetric fixes that knock out many vulnerabilities at once, the report says.
Other major trends the report spotted last year include:
–2015 being declared the year of collateral damage — that is, people being hurt who weren’t directly affected by a breach. For example, the attack on the parent company of Toronto-based dating site Ashley Madison apparently disclosed the undesirable habits of certain spouses. Similarly, the report notes, the exposure of U.S. federal employee files in the huge Office of Personnel Management had ramifications in the CIA. Apparently the names of people NOT in the OPM files but working in foreign embassys was a tip-off they were agents.
–Thanks to mobile devices and the Internet of Things (IoT), attackers have shifted their aim to go directly after applications. They see this as the easiest route to accessing sensitive enterprise data and are doing everything they can to exploit it.
“Today’s security practitioner must understand the risk of convenience and interconnectivity to adequately protect it,” says the report;
–Malware is increasingly being monetized: Attackers are going after not only data but directly after money. For example, ATMs are back as targets, ransomware is on the rise and last year saw the discovery of 100,000 banking Trojans;
–Worrying signs that in an attempt to improve cybersecurity some governments have backed legislation or regulations that could impede the legitimate work of security researchers.
For example, the report notes, last November the Zero Day Initiative, a bug bounty program run by HPE, was unable to sponsor mPwn2Own hacking contest at the annual PacSecWest conference in Vancouver because of the complexity of obtaining real-time import/export licenses in this country, which is a signatory to an international agreement on export controls of technology.
These researchers — some of whom are university students, some are independent consultants — release reports on vulnerabilities they discover in hopes of achieving a reputation or a bug bounty.
But there are those in the industry who worry their public reports only lead to attackers using their discoveries to quickly issue zero-day attacks. Responsible researchers only reveal their findings after notifying vendors and after a patch has been issued.
However, some researchers are willing to reveal at least parts of a vulnerability if they feel the vendor isn’t moving fast enough.
Complicating things is the so-called gray market where legitimate companies sell exploits they’ve discovered (or created) to governments.
“Looking at the past year, it becomes clear that security researchers play an increasingly important role in identifying security vulnerabilities and investigating state-sponsored threats,” the HPE report notes. “As they do so, researchers become increasingly misunderstood, bordering on imperiled, by well-meaning governments resorting to broad legislation to protect themselves and their citizens from attacks.”
Similarly, it points out that legislators in the U.S. and Britain think physical and cyber security can only be assured if fundamental rights of privacy and due process are abridged.
“Those evaluating the security of their enterprises would do well to monitor government efforts such as adding “backdoors” to encryption and other security tools,” the report warns.
Coincidentally, this morning Apple CEO Tim Cook announced his company will fight a court order compelling Apple to create a way to break into the locked iPhone of one of people who shot co-workers in California in December.
“We have not seen as much good news as we would like to have seen,” Rangan admits, pointing specifically to the patching problem. “We need to fight against fatigue, to make sure IT organizations are not thinking about security as an afterthought but building it in.”
“There is a heightened sense of awareness. We are seeing customers having conversations they didn’t have before, (and) trying to look more holistically at the problem. But it takes time.”