The cybersecurity lessons from 2020

Satnam Narang of Tenable

The breach of SolarWinds and its Orion Platform software  captivated our collective attention in the final weeks of 2020. While arguably it was, and continues to be, considered the most significant event of the year, it is not the attack path most organisations should fear.

As Satnam Narang, staff research engineer at Tenable says,while backdoors in cybersecurity software might capture the headlines, attackers are far more predictable in their tactics. Threat actors are creatures of habit. They like to do what they know will work and exploiting unpatched vulnerabilities presents a rich vein for them to tap.

When you examine the data, troublingly, threat actors are relying on unpatched vulnerabilities in their attacks. These ‘broken windows’ are primarily used to gain initial access into a target network. From there, the attackers can leverage serious vulnerabilities like Zerologon in order to elevate privileges, granting themselves the ability to gain access to domain controllers within the network.

Attack warnings

Last year, government agencies issued several advisories warning about attackers leveraging vulnerabilities that had patches available, yet remained unmitigated. However, not all vulnerabilities are created equal. In fact, according to Tenable’s research of high-profile vulnerabilities in 2020, not all critical vulnerabilities had a name and/or logo given to them.

Conversely, not every vulnerability that did have a name and logo assigned were seen as critical. Instead, other factors need to be considered when weighing the severity of a vulnerability, including the presence of proof-of-concept (PoC) exploit code and ease of exploitation.

Given the dramatic changes necessitated by the COVID-19 pandemic, the uncertainty is a bonus for cybercriminals. As Governments globally mandated citizens to limit movement, there was an unprecedented shift for businesses to remote working, and schools to distance learning.

This created a brand new set of security challenges from relying on tools, such as VPNs and remote desktop protocol (RDP), to introducing new applications for video conferencing. Pre-existing vulnerabilities in virtual private network (VPN) solutions many of which were initially disclosed in 2019 or earlier proved a favourite target for cybercriminals and nation-state groups in 2020.

While attackers favour known vulnerabilities, there were some zero-days exploited in 2020. Web browsers particularly Google Chrome, Mozilla Firefox, Internet Explorer and Microsoft Edge were the primary targets, accounting for more than 35% of all zero-day vulnerabilities exploited in the wild. Considering that the browser is the gateway to the internet, patching these assets is essential to the security of the enterprise network.

What this teaches us

As the attack surface expands, vulnerability management has a central role to play in modern cybersecurity strategies. Unpatched vulnerabilities leave sensitive data and critical business systems exposed and represent lucrative opportunities for ransomware actors.

Remediation needs to be handled with a risk-based approach, with a clear understanding of the impact patching will have on business operations, before deploying to a live environment. This is no small task for an organisation of any size, and can be especially difficult for those with large and diverse environments. Modern vulnerability management can be broken down into the following key stages:

  • Identify and remove unnecessary services and software
  • Limit reliance on third-party libraries
  • Implement a secure software development lifecycle
  • Practice accurate asset detection across the entire attack surface, including information technology, operational technology and internet of things, regardless of whether they reside in the cloud or on premises.

Find and fix

When looking at the vulnerabilities to find and fix, there were five that were primarily targeted throughout 2020. These include three legacy vulnerabilities from 2019 in virtual private network solutions from CitrixPulse Secure and Fortinet:

  • CVE-2020-1472 – Zerologon
  • CVE-2019-19781 – Citrix ADC/Gateway/SDWAN WAN-OP
  • CVE-2019-11510 – Pulse Connect Secure SSL VPN
  • CVE-2018-13379 – Fortinet Fortigate SSL VPN
  • CVE-2020-5902 – F5 BIG-IP

Browser-based vulnerabilities are easy enough to consider prioritising in the remediation process due to their ease of patching, however they do not necessarily carry the greatest risk. Devices such as firewalls, domain controllers and VPNs could have a significantly greater impact if compromised and more care is needed when testing and applying patches or mitigations.

Patching email servers should also be a priority to prevent exploitation and protect confidential information. In tandem, educating staff on email best practices and raising security awareness in areas such as phishing should also be a top priority.

Each device, each asset in the infrastructure, needs to be considered as having the potential to ‘go rogue’. It’s imperative that steps are taken to minimise the privileges and the attack surface to which they have access. While few organisations would have the wherewithal to prevent a breach as sophisticated as SolarWinds, thankfully few need to. Sound cyber hygiene practices, as outlined above, can help thwart most attacks perpetrated by cybercriminals.

The author is Satnam Narang, staff research engineer, Tenable.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow


9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

ICP DAS partners with IoT software provider Exosite to introduce “ExoWISE” solution

Posted on: January 18, 2022

Taipei Taiwan. Jan. 16, 2022 – ICP DAS, a  manufacturer of industrial automation equipment, is pleased to announce the new ExoWISE solution. The creation of ExoWISE is the result of a new partnership with Exosite, an enterprise software company and a provider in the Industrial Internet of Things (IIoT) platform market.

Read more

A busy time in the world of telco IoT

Posted on: January 17, 2022

It’s been a busy period for IoT (Internet of Things) market developments that affect the evolving 5G space for telcos. Global freelance business technology journalist, Antony Savvas looks at how IoT movers and shakers could help to further evolve mobile data processing and security.

Read more