The Great Cybersecurity Arms Race
IT security is a race. Vulnerabilities must be closed by administrators faster than malicious actors can exploit them. This is the only way to avert damage of potentially business-destroying proportions. Can defenders win this race?
Action and Reaction
The short answer up front: no. The majority of security experts clearly see the arms race between the hacking community and companies as an eternal game of catch-up for the latter. There are several direct reasons for this:
- In almost all cases, it is up to the defenders to close known vulnerabilities immediately. In the best case, these are not zero-day vulnerabilities, i.e., vulnerabilities that become known to the attackers at the same time as to the developers who could patch them.
- Attackers can relax and choose the time and method of attack, while corporate IT administrators have to wait for the attackers to make the first move. Attackers also only have to be lucky once and find a single gap in the victim's armor, while defenders have to successfully fend off every attack, which brings us to the third point.
- IT networks are becoming more complex every day, and securing them requires ever more effort. Keeping track of everything is a Sisyphean task, and applying every patch while monitoring effectively is a considerable feat for a standard IT department.
The Cyber Arms Dealers - a Little Digression on Zero Days
In 2021, we saw a trend of vendors having to deal with zero-day exploits more and more often. In these cases, malicious actors either knew about an existing vulnerability before the vendor did or learned of it at the same time as the vendor. Part of this development is driven by so-called "exploit brokers". These are traders who buy exploits discovered by security researchers and resell them to the highest bidder (intelligence agencies, criminals, vendors, etc.). These traders, operating partly in the shadows of the darknet, have recently enjoyed an increase in business, which has to do with the bug bounty policies of the major vendors. Although software developers such as Microsoft, Apple and Google offer security researchers a reward for reporting exploits (so-called "bug bounties"), the reporting chains are complex and bureaucratic, which leads to few and, according to the researchers, also low payouts. In order to continue their work, more and more white- and grey-hat hackers are therefore turning to exploit brokers, some of whom offer six-figure sums for exploits.
Preparing for Impact
So if you can't stay one step ahead of the malicious actors, you have to optimize the response to attacks and breaches in such a way that the hacker groups don't have an easy time and, at best, any hacking attempt can be fended off.
The most valuable weapons in this fight are prevention through technical and organizational measures, as well as personnel training to create awareness about the dangers of hacking attacks. For the latter, proven tools of choice include phishing exercises and live demonstrations of hacking tools, in addition to training videos and workshops.
When it comes to technical measures, backups should definitely not be neglected, especially in light of the ransomware epidemic that continues to run rampant. These should be stored onsite and offsite, separated from the production systems by firewalls. In the event of encryption, this can mean business salvation. Further, the operation of endpoint detection and response (EDR) tools is an important component of effective cyber defense. The use of multifactor authentication (MFA) also makes it more difficult for attackers to break into systems using stolen passwords. Last but not least, cyber insurance should not be missing from the list of essentials. In the event of a disaster, it can pay for recovery costs, which dampens the impact of an attack.
All these measures should be subject to regular audits and/or self-assessments. This is the only way to assure protection (and to give administrators a good night's sleep). COMPLION conducts self-assessments at customer sites several times a year as part of the VOICE Cyber Security Competence Center.
Author: Tobias Philipsen