Do you know what is connected to your network, and which applications you and your organization are using?
Why is this important?
A large share of cyber security breaches start with an unpatched vulnerability in something connected to your network. That vulnerability can sit in, to name a few, an operating system, an application, a database, a WiFi access point, a multifunction printer, a switch, a router, a firewall, a wireless speaker, or a home/office automation device such as a security system, thermostat, bulb or light switch.
What is a patch?
Patches are software fixes released by vendors to address issues identified in their product(s). In the cybersecurity world these issues are called vulnerabilities: flaws that leave the product open to attack. Using a vulnerability to attack a system is called exploitation, and the code or technique that does it is called an exploit. Vulnerabilities are often the result of gaps in the vendor's software development life cycle (SDLC) process, such as the absence of:
Secure coding practices
Security by Design
Privacy by Design
Resilience by Design
How are vulnerabilities exploited?
Exploiting a vulnerability is a multi-phase process.
Like anything in this world, when someone takes an interest in something, be it a person, a car, a phone or a motorbike, they start by learning everything they can about it. This activity is known as reconnaissance. It is like looking for a soulmate: you check out their social media presence, talk to their friends, and once you know enough about their likes and dislikes, you make your move.
When a device is connected to a network, depending on what is running on it, it either announces itself to everyone on the network ("hey, I am available, connect to me"), which is called broadcasting, or it sits passively and waits for someone to connect to it. In either case the service on the device is listening on a port.
Devices use a specific way of speaking, a method known as a protocol, to establish communication. It is just like when, in the old days, lol, people called each other: the called party, not knowing who was calling, would pick up, the caller would introduce themselves, and depending on the called party's decision the conversation would either continue or the called party would hang up, disconnecting the call.
Attackers use the same approach: they look for computers that are broadcasting or listening, try to make a connection, and from what the computer says back (its banner, the protocol it speaks, how it answers a probe) work out what software, and which version of it, is running on the computer. Once they have established this they proceed to the next step.
The next step is to search the internet for known vulnerabilities in that application and version; once they have found one, exploitation begins. Exploitation also proceeds in phases. First they want to break into the system by running code of their choosing on it, known as Remote Code Execution (RCE). Once that is done and they are in the system, they usually land with only the limited rights of the user the application runs as, so they look for a way to become a power user with full control of the system, which lets them change the system configuration: this user is root on Linux/Unix and Administrator on Windows. This technique is called Privilege Escalation, or PrivEsc.
Once privesc has been achieved, what follows is the end user's doom: ransomware, data exfiltration, systems made inaccessible, and so on.
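The reconnaissance and fingerprinting steps described above, as an added example that is not part of the original post: a small Python scanner that connects to a list of ports on a host, reads whatever the listening service says (sending a probe first where the protocol expects the client to speak, as HTTP does, and waiting silently where the server speaks first, as SSH does), and turns the banner into a product and version. The sample banners, the fingerprint table and the throwaway listeners it scans on 127.0.0.1 are all constructed here so the script runs offline; against a real network you would point scan() at a host and a port list and grow the fingerprint table.

```python
import re
import socket
import threading
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample banners (not captured from any real host). The SSH banner is
# sent by the server as soon as you connect; the HTTP one is a reply to a HEAD
# request, i.e. that server only speaks after the client does.
SAMPLE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    "http": b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
}

# Minimal, hypothetical fingerprint table: a regex over the banner -> product name.
FINGERPRINTS = [
    ("OpenSSH", re.compile(rb"SSH-2\.0-OpenSSH_([0-9][0-9A-Za-z.]*)")),
    ("Apache httpd", re.compile(rb"Server: Apache/([0-9][0-9.]*)")),
]


@dataclass
class Service:
    """One thing a discovery scan learned: the raw material of an asset inventory."""
    host: str
    port: int
    product: str
    version: str
    banner: str


def fingerprint(banner: bytes) -> Tuple[str, str]:
    """Map a raw banner to (product, version); unrecognised banners are kept, not dropped."""
    for product, rx in FINGERPRINTS:
        m = rx.search(banner)
        if m:
            return product, m.group(1).decode()
    return "unknown", ""


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 2.0) -> bytes:
    """Connect to a listening port, optionally send a probe, and read the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""  # something is listening but said nothing


def scan(host: str, targets: List[Tuple[int, bytes]]) -> List[Service]:
    """Try each (port, probe) pair; closed or filtered ports raise OSError and are skipped."""
    found = []
    for port, probe in targets:
        try:
            banner = grab_banner(host, port, probe)
        except OSError:
            continue  # nothing listening (connection refused) or no answer at all
        product, version = fingerprint(banner)
        found.append(Service(host, port, product, version,
                             banner.decode("ascii", errors="replace").strip()))
    return found


def serve_banner(banner: bytes, host: str = "127.0.0.1") -> int:
    """Throwaway listener on an ephemeral port that answers one client with `banner`,
    so the scan can be exercised offline. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle() -> None:
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.settimeout(0.5)
            try:
                conn.recv(1024)  # swallow a probe if the client sends one
            except socket.timeout:
                pass  # SSH-style service: the client stays quiet, so we talk first
            conn.sendall(banner)

    threading.Thread(target=handle, daemon=True).start()
    return port


def run_demo() -> List[Service]:
    """Stand up two fake services plus one closed port on loopback and scan all three."""
    ssh_port = serve_banner(SAMPLE_BANNERS["ssh"])
    http_port = serve_banner(SAMPLE_BANNERS["http"])
    tmp = socket.socket()  # reserve and release a port so nothing is listening on it
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    return scan("127.0.0.1", [
        (ssh_port, b""),                          # server speaks first
        (http_port, b"HEAD / HTTP/1.0\r\n\r\n"),  # client must ask
        (closed_port, b""),                       # nothing there -> skipped
    ])


if __name__ == "__main__":
    for svc in run_demo():
        print(f"{svc.host}:{svc.port} {svc.product} {svc.version!r}  <- {svc.banner.splitlines()[0]}")
```

The same product/version pairs an attacker would feed into a vulnerability search are exactly what a defender should be recording per host and port; running a scan like this against your own address space is the cheapest way to find out what is actually listening.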
Internet vs internal network
Where the vulnerable host is located also matters a great deal. A host on the internet is exposed to people doing reconnaissance around the clock; its attack surface is large and the chances of it being hacked are very high.
The attack surface on the internal network is smaller than on the internet, since an attacker first has to get a foothold inside, but it still needs to be reduced or eliminated. Once an attacker has made it into your internal network and finds vulnerabilities to exploit, they will not hesitate.
The Point is!
This is why it is key to have an accurate asset inventory of your IT environment. Only once you know what is connected to your network can you start planning how to address issues as they are found. Furthermore, when you know the assets in your IT environment well and one of them is exploited, you have a good chance of containing the incident by shutting down or disconnecting that particular system.
It is key that you stay on top of your assets at all times and ensure vulnerabilities are patched as soon as possible; how soon depends on your organization's risk tolerance. If I were you, I would patch ASAP.
Establishing a robust Vulnerability Management Program can take at least a year if management and teams are dedicated, and much longer otherwise. It is key in this landscape that any organization without an active and robust vulnerability management program makes establishing one its top priority. This will address the majority of your issues, and in parallel you can start other cybersecurity initiatives.
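As an added example (not from the original post) of what an accurate inventory buys you: reconciling what a discovery scan observed against the inventory you maintain, so that unknown hosts, unexpected listening services, version drift and inventoried systems that went silent each surface as a distinct finding. The inventory, the scan results and the finding categories are all constructed for the illustration; the hosts and version strings are not statements about any real network or product.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# port -> (product, version), the shape a banner grabber would hand back per host
Services = Dict[int, Tuple[str, str]]

# Constructed inventory: what the organization believes is on the network.
INVENTORY: Dict[str, dict] = {
    "10.0.0.5": {"owner": "infra", "services": {22: ("OpenSSH", "8.9")}},
    "10.0.0.7": {"owner": "web", "services": {443: ("nginx", "1.24.0")}},
    "10.0.0.9": {"owner": "print", "services": {9100: ("JetDirect", "")}},
}

# Constructed output of a discovery scan of the same address space.
OBSERVED: Dict[str, Services] = {
    "10.0.0.5": {22: ("OpenSSH", "7.4")},                                        # older than recorded
    "10.0.0.7": {443: ("nginx", "1.24.0"), 8080: ("Apache httpd", "2.4.29")},    # extra listener
    "10.0.0.12": {80: ("unknown", "")},                                          # not inventoried
}


@dataclass
class Finding:
    host: str
    port: Optional[int]  # None when the finding is about the whole host
    kind: str
    detail: str


def reconcile(inventory: Dict[str, dict], observed: Dict[str, Services]) -> List[Finding]:
    """Compare a scan against the inventory in both directions and return every discrepancy."""
    findings: List[Finding] = []

    # Pass 1: everything the scan saw, checked against what we expected to see.
    for host, ports in observed.items():
        if host not in inventory:
            findings.append(Finding(host, None, "unknown-asset",
                                    "answered the scan but is not in the inventory"))
            continue
        expected: Services = inventory[host]["services"]
        for port, (product, version) in ports.items():
            if port not in expected:
                findings.append(Finding(host, port, "unexpected-service",
                                        f"{product} {version}".strip() + " listening but not inventoried"))
            elif expected[port] != (product, version):
                exp_product, exp_version = expected[port]
                findings.append(Finding(host, port, "version-drift",
                                        f"inventory says {exp_product} {exp_version}, scan saw {product} {version}"))

    # Pass 2: everything we expected that the scan did not see.
    for host, record in inventory.items():
        if host not in observed:
            findings.append(Finding(host, None, "not-seen",
                                    "inventoried host did not answer the scan"))
            continue
        for port in record["services"]:
            if port not in observed[host]:
                findings.append(Finding(host, port, "service-missing",
                                        "inventoried service is not listening"))
    return findings


if __name__ == "__main__":
    for f in reconcile(INVENTORY, OBSERVED):
        where = f.host if f.port is None else f"{f.host}:{f.port}"
        print(f"[{f.kind}] {where}: {f.detail}")
```

Each finding kind maps to a different action: an unknown asset needs an owner before anything else, an unexpected service needs a justification or removal, version drift is a patching ticket, and a host that went silent is either decommissioned and should leave the inventory or is the one you will want to isolate first during an incident.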
If you have any questions and or want further guidance give us a shout at https://www.securityprivacyrisk.com