We all know many enterprises are riddled with unpatched servers and PCs, vulnerable web applications and easy to fool end users. Despite growing awareness of the risk posed by vulnerabilities – from Heartbleed back in 2014 to the Equifax mega breach last year – we still found 77 per cent of applications have at least one vulnerability when initially scanned.
Why is action not being taken? Too frequently in development teams, we’re seeing security sacrificed to accommodate the speed of business. In fact, 83 per cent of IT decision makers working in cyber security reported having released code before testing or resolving security issues.
This is not because software developers do not care about security. Most enterprises aren’t doing enough to incentivise development teams to invest more time and resources into developing code that is not only high quality, but secure. This failure is increasing the risk of the vulnerabilities in their applications.
As new motivations constantly change the threat space for the worst, it is crucial that businesses – as well as their development teams – understand the potential cost of the dormant vulnerabilities in their IT environment.
So, why do cybercriminals target vulnerabilities?
The traditional reason cybercriminals exploited vulnerabilities was to gain entry to a network from which they could exfiltrate valuable data. The rise of today’s dark web markets has allowed for cybercriminals to monetise stolen information such as passwords, personally identifiable information (PII), and credit card numbers.
However, this approach is becoming less lucrative than it used to be. The price of stolen Visa or MasterCard details on the dark web typically costs just £11 today, which might not be worth the effort. With that said, information leakage is still a prevalent consequence of a vulnerability, present in 66 per cent of applications.
The decreasing value of personal data, along with the risk of a pseudonymous transaction required on dark web markets, has resulted in many criminals making a shift towards the ransom model.
Ransomware was developed by cybercriminals as an easier way to monetise exploiting a vulnerability. Instead of hunting for PII, the attacker can use the flaw to inject ransomware that will just encrypt the data on the victims PC, or in the case of an enterprise, an entire network of PCs, and demand a ransom in cryptocurrency to get their data back. There is no longer a need for a dark web transaction, as the victim pays the attacker directly. This approach exploded around the world when researchers detected a 3500 per cent increase in newly observed ransomware domains being created.
Ransom tactics have since continued to evolve, with some cybercriminals taking the trend further by holding the "cure" to ransom as well. During the San Francisco Muni ransomware attack, for example, the hacker did not only demand 100 bitcoins to unlock its computer systems and ticketing machines, but the hacker also offered to "help" them protect themselves against future attacks by revealing details of the vulnerability in their system for a few extra bitcoins.
The next evolution to come in easy-to-monetise attacks is to directly mine cryptocurrency. In such cases, attackers will be able to compromise a network of machines in a data centre or a cloud environment and be able to install mining programmes that create cryptocurrency that is then added into the attacker's own wallet.
We have seen web application vulnerabilities exploited repeatedly to mine cryptocurrency. IBM's X-Force team reported familiar infection techniques were used, such as using command injection vulnerabilities, in WordPress, Joomla, and JBoss web servers.
Talk about direct monetisation! With this approach, the attacker does not even need to communicate with another party to carry out the incursion. The cryptocurrency just shows up in their wallet.
There are more frequent examples of another form of attack – hacktivism. Hacktivism is an attack in which a group has the means, motive and skill to exploit vulnerabilities for the purposes of disrupting, financially harming or embarrassing an organisation to raise awareness for a cause. Usually driven by fuelling social or political change, these groups may seek access through social engineering, DDoS campaigns and other alternate techniques. If successful, hacktivists may leak information, demand change to government policy, or promote attacks to call attention to an issue they feel is overlooked and deserves wider attention. Many enterprises and government bodies around the world have been targeted by hacktivists repeatedly. Recent examples include hacktivists cracking into one of Isis's main online outlets and exfiltrating the details of over 1,700 newsletter subscribers in 2017. Another example from earlier this year occurred when hackers managed to control thousands of Cisco Systems switches and used it as an opportunity to warn others not to interfere with future U.S. elections.
Putting a price on a vulnerability
There is no question cybercriminals are successfully monetising their efforts to exploit vulnerabilities. Just as mining cryptocurrency is a relatively new phenomenon, I am confident that as new emerging technologies are deployed, and applications increasingly underpin core business processes as well as financial functions, cybercriminals are creating new ways to exploit them.
However, while organisations cannot underestimate this threat, it is not an unsurmountable task to improve security against these different attacks. For example, if an organisation built security into their software supply chain they could significantly reduce exposure.
With the rise of Agile and DevOps, we have seen many organisations adopt a “shift left” approach to security, providing sandboxing tools and on-the-job security eLearning to enable their developers to deliver secure software at speed. Coupled with regular application security testing in post-production (dynamic and/or static), organisations can significantly reduce the risk of vulnerabilities waiting to be exploited by cybercriminals.
Great software means secure software – just as a seatbelt in a car isn’t functionally necessary for it to operate, we treat this type of safety feature with the same level of importance. And when security becomes akin to a functional requirement, companies will make software secure starting from the earliest phases. There is financial incentive to do so as well – it is 30 times less expensive to secure software during the development phase versus after it is released.
Paul Farrington, Director of Solution Architecture, CA Veracode
Image source: Shutterstock/AlexLMX