The cybersecurity lessons from 2020

Satnam Narang of Tenable

The breach of SolarWinds and its Orion Platform software captivated our collective attention in the final weeks of 2020. While arguably it was, and continues to be, considered the most significant event of the year, it is not the attack path most organisations should fear.

As Satnam Narang, staff research engineer at Tenable, says, while backdoors in cybersecurity software might capture the headlines, attackers are far more predictable in their tactics. Threat actors are creatures of habit. They like to do what they know will work, and exploiting unpatched vulnerabilities presents a rich vein for them to tap.

When you examine the data, troublingly, threat actors are relying on unpatched vulnerabilities in their attacks. These ‘broken windows’ are primarily used to gain initial access into a target network. From there, the attackers can leverage serious vulnerabilities like Zerologon in order to elevate privileges, granting themselves the ability to gain access to domain controllers within the network.

Attack warnings

Last year, government agencies issued several advisories warning about attackers leveraging vulnerabilities that had patches available, yet remained unmitigated. However, not all vulnerabilities are created equal. In fact, according to Tenable’s research of high-profile vulnerabilities in 2020, not all critical vulnerabilities had a name and/or logo given to them.

Conversely, not every vulnerability that did have a name and logo assigned was seen as critical. Instead, other factors need to be considered when weighing the severity of a vulnerability, including the presence of proof-of-concept (PoC) exploit code and ease of exploitation.

Given the dramatic changes necessitated by the COVID-19 pandemic, the uncertainty is a bonus for cybercriminals. As governments globally mandated citizens to limit movement, there was an unprecedented shift for businesses to remote working, and schools to distance learning.

This created a brand new set of security challenges, from relying on tools such as VPNs and remote desktop protocol (RDP) to introducing new applications for video conferencing. Pre-existing vulnerabilities in virtual private network (VPN) solutions, many of which were initially disclosed in 2019 or earlier, proved a favourite target for cybercriminals and nation-state groups in 2020.

While attackers favour known vulnerabilities, there were some zero-days exploited in 2020. Web browsers, particularly Google Chrome, Mozilla Firefox, Internet Explorer and Microsoft Edge, were the primary targets, accounting for more than 35% of all zero-day vulnerabilities exploited in the wild. Considering that the browser is the gateway to the internet, patching these assets is essential to the security of the enterprise network.

What this teaches us

As the attack surface expands, vulnerability management has a central role to play in modern cybersecurity strategies. Unpatched vulnerabilities leave sensitive data and critical business systems exposed and represent lucrative opportunities for ransomware actors.

Remediation needs to be handled with a risk-based approach, with a clear understanding of the impact patching will have on business operations, before deploying to a live environment. This is no small task for an organisation of any size, and can be especially difficult for those with large and diverse environments. Modern vulnerability management can be broken down into the following key stages:

  • Identify and remove unnecessary services and software
  • Limit reliance on third-party libraries
  • Implement a secure software development lifecycle
  • Practice accurate asset detection across the entire attack surface, including information technology, operational technology and internet of things, regardless of whether they reside in the cloud or on premises.

Find and fix

When looking at the vulnerabilities to find and fix, there were five that were primarily targeted throughout 2020. These include three legacy vulnerabilities from 2019 in virtual private network solutions from Citrix, Pulse Secure and Fortinet:

  • CVE-2020-1472 – Zerologon
  • CVE-2019-19781 – Citrix ADC/Gateway/SDWAN WAN-OP
  • CVE-2019-11510 – Pulse Connect Secure SSL VPN
  • CVE-2018-13379 – Fortinet Fortigate SSL VPN
  • CVE-2020-5902 – F5 BIG-IP

Browser-based vulnerabilities are easy enough to consider prioritising in the remediation process due to their ease of patching; however, they do not necessarily carry the greatest risk. Devices such as firewalls, domain controllers and VPNs could have a significantly greater impact if compromised, and more care is needed when testing and applying patches or mitigations.
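The risk-based triage described above, as an added example (not code from the article or from Tenable): it ranks scanner findings using the five CVEs the article lists, the availability of PoC code and the role of the affected asset, and flags the device classes that call for staged patch testing. The weights, field names, host names and placeholder IDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The five CVEs the article lists as primarily targeted throughout 2020.
TARGETED_2020 = {
    "CVE-2020-1472", "CVE-2019-19781", "CVE-2019-11510",
    "CVE-2018-13379", "CVE-2020-5902",
}
# Assumed weights (not from the article): infrastructure roles outrank
# browsers because compromise has a significantly greater impact.
ROLE_WEIGHT = {"domain_controller": 5, "vpn": 5, "firewall": 5,
               "email_server": 4, "workstation_browser": 2}
# Roles where the article says more care is needed when testing patches.
STAGED_ROLES = {"domain_controller", "vpn", "firewall"}

@dataclass(frozen=True)
class Finding:
    host: str
    role: str
    cve: str
    poc_public: bool       # proof-of-concept exploit code is available
    internet_facing: bool  # reachable from outside the network

def score(f: Finding) -> int:
    """Higher score means remediate sooner."""
    s = ROLE_WEIGHT.get(f.role, 1)
    s += 5 if f.cve in TARGETED_2020 else 0
    s += 3 if f.poc_public else 0
    s += 2 if f.internet_facing else 0
    return s

def triage(findings):
    """Return (score, host, cve, needs_staged_rollout), highest first."""
    rows = [(score(f), f.host, f.cve, f.role in STAGED_ROLES) for f in findings]
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed sample findings; hosts and placeholder IDs are illustrative.
SAMPLE_FINDINGS = [
    Finding("laptop-17", "workstation_browser", "PLACEHOLDER-BROWSER-CVE", False, False),
    Finding("dc01", "domain_controller", "CVE-2020-1472", True, False),
    Finding("mail01", "email_server", "PLACEHOLDER-MAIL-CVE", True, True),
    Finding("vpn-edge", "vpn", "CVE-2019-11510", True, True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
```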

Patching email servers should also be a priority to prevent exploitation and protect confidential information. In tandem, educating staff on email best practices and raising security awareness in areas such as phishing should also be a top priority.

Each device, each asset in the infrastructure, needs to be considered as having the potential to ‘go rogue’. It’s imperative that steps are taken to minimise the privileges and the attack surface to which they have access. While few organisations would have the wherewithal to prevent a breach as sophisticated as SolarWinds, thankfully few need to. Sound cyber hygiene practices, as outlined above, can help thwart most attacks perpetrated by cybercriminals.

The author is Satnam Narang, staff research engineer, Tenable.
