September was a rough month on the security front. The bombshell, of course, was the news that Equifax had been breached and that cyber thieves made off with personal information of 143 million US consumers. Equally surprising was finding out how they did it—by exploiting a web server vulnerability for which a patch had been made available two months prior. Equifax responded by constructing a web portal through which consumers could register for free credit monitoring. Unfortunately, this move quickly inspired phishing attacks that steered victims to lookalike sites that harvested names and portions of their social security numbers. Seems like we just can’t win.
Sure, Equifax dropped the ball by not patching against this vulnerability once it was announced. But patching this particular security hole would have been no easy task, as many web applications may have had to be entirely rewritten to work with the new code. And following the rewrites, of course, everything would have had to be thoroughly tested for interoperability. Not a recipe for a quick turnaround.
Problem is, the time between a vulnerability announcement and active exploitation is now measured in minutes and is always growing shorter. We simply don’t have time to fix code on the back end once attackers learn which buttons to push in order to breach a system. But at the same time, we can’t send hundreds of millions of people scrambling to sign up for credit-monitoring services and credit freezes when something like this happens.
So, what are we to do?
This is where we need to rely on compensating controls to help stem the tide. For instance, was the Equifax portal protected by some type of Intrusion Prevention System (IPS)? Could it have been leveraged to stop this particular attack once the news of the vulnerability broke?
Vulnerability exploitation has always been a serious issue. Case in point is Avast CCleaner—a free, widely deployed application that was designed to aid routine system maintenance. Last month, attackers managed to insert a multi-stage malware payload into an official update for the application. When CCleaner users downloaded and installed the update, they unknowingly installed a backdoor on their own systems. These supply chain attacks are an extremely effective way for attackers to distribute malicious software into target organizations because they exploit the trust relationship between users and an application supplier itself. Would you have thought twice about installing an official update like this?
Retail hasn’t been safe, either. Whole Foods Market announced last week that its point-of-sale systems in taprooms and restaurants at some of its stores had been breached. This likely isn’t anywhere near Target in terms of scale, but disconcerting nonetheless for consumers who frequent these establishments.
These incidents—along with many others—serve as a constant reminder that we’re always under attack. Is there anything we can do to completely protect ourselves and the assets we’ve been entrusted with? In a word, no. But what we can do is make it exponentially more difficult for attackers to breach the systems we control. Certainly, we can do that by shoring up our security technology. Adding things like threat intelligence and advanced malware protection can go a long way. But equally important is ensuring that our coworkers’ level of security awareness is complementary to—rather than competing with—the security technology we’ve deployed. Initiatives like phishing tests and awareness training can help fill in the gaps that our technical controls miss. Making our users realize that they play an irreplaceable role in this battle gives us the best chance to survive in this new paradigm.
Whether you’re looking for a way to improve your security technology, your users’ security awareness, or to just get an unbiased assessment with detailed recommendations for improvement, Symplexity has you covered. We help to simplify the complex. Contact us today to learn how.