In our “cyber threats” series so far, we’ve looked at specific threats that criminals use to break into your business systems with the aim to extort, steal, or defraud.
In most of these cases, the criminals rely on some weakness - whether in the actions of a staff member or in the technology you use - to pull off their scheme. In this final part, we’re going to dive deeper into the potential vulnerabilities hiding in your technology, how they’re exploited, and what that means for your business.
But before delving into this blog, why not catch up on our series so far:
to Prevent Business Email Compromise (And Other Things You Should Know About BEC)
How To Protect Your Business From Ransomware (The Full Story)
Phishing Attacks: How Scammers Reel You In (And What To Do About It)
Australia’s Cyber Threat Report Card: Cybercrime In The Age Of COVID-19
While last year’s mass COVID outbreak was a nightmare for most, a handful of industries took off. One of those was anything to do with remote working technology. Unfortunately, there was another group whose eyes lit up: cyber criminals who could exploit vulnerabilities in software that people used in their work-from-home activities.
And when you look at a list of the top public CVEs (Common Vulnerabilities and Exposures) from 2020, these vulnerabilities often aren’t just a problem in software from smaller companies. Sure, you might not have heard of Pulse Connect before… but you’re probably relying on at least a couple of Microsoft apps, if not Citrix.
So what are these vulnerabilities? And how do cyber criminals exploit them? Well, that’s what we’re diving into right now...
CVE-2019-19781: The “Citrix Back Door”
In late 2019, Citrix released information about a newly discovered vulnerability in their Application Delivery Controller, software that manages application delivery and load balancing. On 10 January 2020, a proof-of-concept script was publicly disclosed that showed how this vulnerability could be exploited.
An attacker could use the vulnerability to get access - using it as a “back door” - to deploy malware on any affected device. From 10 January, the Australian Cyber Security Centre (ACSC) monitored criminals attempting to use this vulnerability to deploy ransomware, cryptominers, and other malware in various systems.
Citrix was able to advise on interim measures, and then released patches to fix the vulnerability around a month after it was discovered.
What’s a Security Vulnerability?
To put it simply, a security vulnerability is ANYTHING in your technology - whether it’s hardware or software - that can be used to gain access to data, applications, or systems.
And while most think it’s just about software, there are plenty of other places where vulnerabilities often hide:
- Misconfigured devices
- Open ports
- Unsecured databases
- Hardware or firmware issues
- Unpatched software
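Two of the items above, misconfigured devices and open ports, are the easiest to check for yourself. The following is an added example, not code from the original post: it parses the output format of the Linux `ss -tlnp` command and flags any service listening on all network interfaces whose port is not on an allowlist. The sample output and the allowlist of expected ports are constructed for illustration.

```python
"""Audit a host's listening TCP sockets against an allowlist of expected ports.

Added example, not part of the original post. It understands the text format
of `ss -tlnp` on Linux; the sample output below is constructed (not captured
from a real host) and the allowlist is an assumption for illustration.
"""
import re
import subprocess

# Constructed sample of `ss -tlnp` output.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1201,fd=5))
LISTEN  0       511     0.0.0.0:8080         0.0.0.0:*          users:(("python3",pid=2210,fd=4))
LISTEN  0       128     [::]:3389            [::]:*             users:(("xrdp",pid=977,fd=11))
"""

# Hypothetical allowlist: the only services this host is meant to expose to
# the network. Anything else bound to a wildcard address gets flagged.
ALLOWED_EXTERNAL_PORTS = {22, 443}

# Addresses that mean "listen on every interface".
WILDCARD_ADDRESSES = {"0.0.0.0", "[::]", "*"}


def parse_listeners(ss_output):
    """Return (address, port, process_name) tuples from `ss -tlnp` style text."""
    listeners = []
    for line in ss_output.splitlines():
        if not line.startswith("LISTEN"):
            continue  # skip the header and any non-listening rows
        fields = line.split()
        local_address = fields[3]                     # e.g. "0.0.0.0:22" or "[::]:3389"
        addr, _, port = local_address.rpartition(":")  # split on the last colon (IPv6-safe)
        match = re.search(r'\("([^"]+)"', line)       # process name inside users:(("name",...))
        process = match.group(1) if match else "unknown"
        listeners.append((addr, int(port), process))
    return listeners


def find_exposed_ports(ss_output, allowed=ALLOWED_EXTERNAL_PORTS):
    """Return listeners bound to all interfaces whose port is not allowlisted.

    Sockets bound only to loopback (127.0.0.1 / ::1) are reachable from the host
    itself, so they are not reported here.
    """
    return [
        (addr, port, process)
        for addr, port, process in parse_listeners(ss_output)
        if addr in WILDCARD_ADDRESSES and port not in allowed
    ]


def audit_local_host():
    """Run `ss -tlnp` on this Linux machine and report unexpected listeners."""
    result = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True)
    return find_exposed_ports(result.stdout)


if __name__ == "__main__":
    for addr, port, process in find_exposed_ports(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener on {addr}:{port} ({process})")
```

Run against the constructed sample, the audit reports the web service on port 8080 and the remote desktop service on 3389; the database on 5432 is bound to loopback only, so it is not reachable from the network and is not reported. On a real host, call `audit_local_host()` instead and compare the result with what the device is actually meant to serve.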
When it comes to security vulnerabilities, there are three important things to note...
#1: A vulnerability in itself doesn’t mean you’re 100% guaranteed to be hit by a cyber attack. But… while the vulnerability exists, there’s always a chance some cybercriminal will come sniffing, and if they find a way into your systems, won’t hesitate to exploit it.
#2: Not all vulnerabilities are equal. For example, a code bug that allows access to a non-critical database is unlikely to hurt you, while an open port might leave your entire system at the mercy of an unscrupulous attacker.
#3: Without regular scans and investigation, you won’t know there’s a vulnerability lurking in your systems. Sure, there’s a CVE register that tries to capture every publicly-known issue floating around, but that’s of no help if you never identify and lock down weak points in YOUR technology.
Vulnerability Statistics Report revealed some interesting points about where the most dangerous vulnerabilities were likely to come from:
Vulnerability vs Exploit
If a vulnerability is like a door to your systems, think of an exploit as the key that unlocks and opens it. Usually, it’s a small custom-made app or a specific sequence of commands, such as an SQL injection attack. No matter what form it comes in, an exploit is specially crafted to take advantage of a certain vulnerability.
That said, “exploit” is a fairly general term, because it only describes a potential opening that criminals use to gain access to your applications and data. The nature of the vulnerability influences how the attacker exploits it, and doesn’t necessarily give them free rein over your systems. For example, they may be able to...
- Steal or hack sensitive data
- Install malware, such as ransomware
- Monitor network data
- Trick users into disclosing credentials
- Take down applications or networks
...or a combination of those.
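The SQL injection attack mentioned above is a good illustration of the “door and key” idea: the vulnerability is a query built by pasting user input into SQL text, and the exploit is an input crafted to change what that SQL means. The following added example (not code from the original post) runs the same input against a vulnerable lookup and a parameterised one, using an in-memory SQLite database with constructed sample rows; the table, column and function names are assumptions for illustration.

```python
"""Vulnerability versus exploit, shown with a SQL injection.

Added example, not part of the original post. The database, its rows and the
function names are constructed for illustration.
"""
import sqlite3


def make_db():
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "constructed-hash-1", "admin"),
            ("bob", "constructed-hash-2", "staff"),
        ],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The vulnerability: user input is concatenated into the SQL text itself.

    Whatever the caller passes becomes part of the query, so a quote character
    in the input ends the string literal and the rest is parsed as SQL.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """The fix: a parameterised query, where the driver treats input as data only."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# The textbook probe string. Against the vulnerable function it turns the WHERE
# clause into `username = 'x' OR '1'='1'`, which is true for every row.
INJECTION_INPUT = "x' OR '1'='1"


def compare(username):
    """Return how many rows each lookup returns for the same input."""
    conn = make_db()
    return {
        "vulnerable": len(find_user_vulnerable(conn, username)),
        "safe": len(find_user_safe(conn, username)),
    }


if __name__ == "__main__":
    print("normal input :", compare("alice"))
    print("probe input  :", compare(INJECTION_INPUT))
```

For the ordinary input both functions return one row. For the probe input the vulnerable function returns every user in the table, while the parameterised version returns nothing, because it is genuinely looking for a user whose name is the literal string `x' OR '1'='1`. The lesson for a business is that this particular “door” is closed by a coding practice, not by a patch: the fix belongs to whoever wrote or maintains the application.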
Exploit Kits: The “Lazy” Attacker’s Way To Exploit a Vulnerability
While there are plenty of super-smart cyber criminals who can take a small vulnerability and turn it into a multi-million-dollar pay-day for themselves, there are many more who don’t have that kind of technical expertise.
And yet the number of attacks far outstrips the number of criminals who can take advantage of vulnerabilities themselves. The reason lies in the exploit kit, a kind of “toolkit” that allows users without advanced knowledge to hit vulnerabilities easily and quickly.
Exploit kit creators often “rent” these out on underground markets, and the best kits can fetch thousands of dollars per month. It’s not hard to see why: being able to exploit just one vulnerability the right way can net cyber criminals hundreds of thousands or even millions.
How To Shore Up Your Systems From Cyber Exploits
First and foremost, be aware of this: it’s almost impossible to lock down every single vulnerability in your technology. The more complex your systems are, the more chance at least a couple will slip the net. But that doesn’t mean giving up and rolling the dice on whether any vulnerabilities get exploited or not. For every vulnerability you spot and fix, you reduce the risk of successful attack.
Naturally, every vulnerability is different (think database bug vs a misconfigured network device), so specific fixes for those will vary each time. We recommend you talk to a security expert, who’ll go deeper to identify, isolate, and fix individual vulnerabilities. However, there are plenty of holistic measures you can do to keep vulnerabilities to a minimum level.
Run regular vulnerability scans
Every new application or piece of hardware - and everything that gets updated - has the potential to introduce a vulnerability into the business. By getting FortiTech to run scans over your technology, you can detect any new ones and lock them down before they ever present a problem.
Improve endpoint detection
An “endpoint” is literally anything in your business at the end of your network. We tend to think just PCs or servers, but this can include mobile phones, tablets, and even virtual environments. Updating the ability of your devices to detect potential threats (such as antivirus or monitoring tools) doesn’t necessarily reduce vulnerabilities, but does increase your ability to respond should a cyber criminal come sniffing around.
Better data backup and recovery
If it feels like we keep banging on this drum… you’d be right! Solid data backup and recovery processes are one of the best ways to protect your business from disaster, whether that comes from a natural disaster or a vulnerability exploit.
Improve authentication and credential management
Lost or stolen passwords or credentials like keypasses aren’t vulnerabilities in the strict definition of the word… but they ARE vulnerabilities. Implementing stronger measures around this critical part of your technology will reduce your potential to be exploited:
- Tougher password controls: make your team’s passwords stronger and force more regular changes
- Two-factor authentication (2FA): introduce 2FA to beef up your authentication control
- Advanced authentication: measures like thumbprints (on a mobile phone) or facial recognition (on a PC) complement 2FA nicely
Check out our recent blog on the top 5 techniques used to hack your password.
Train your team in security
Again, while not the kind of exposed-bug-in-software-allows-backdoor-access vulnerability, your team (or rather, their lack of knowledge around safe technology practices) can be problematic. Keep them up-to-date in best security practices to reduce the risk of a mistake that allows an exploit into your systems. Or better yet, why not contact us about one of our Security Awareness Training sessions?
Keep your software up-to-date
Yes, it seems simple. But many businesses use a lot of applications and software in their day-to-day operations and it’s easy to overlook something. FortiTech offers our PC and Server Security plans starting at just $25 + GST per device a month. Part of our plan automates patches and updates for Windows and Third Party apps, so you minimise the chance of human error.
Plus, you may want to look more closely at the apps you use. If app developers aren’t maintaining the components they use, you could unwittingly be exposed to a third-party software vulnerability. Learn more about Patching and the Internet of Things (IoT) here.
Do You Have “Unknown Knowns” In Your Systems?
You might not be aware of it, but there’s a good chance you have known vulnerabilities in your technology if you’re not keeping on top of it. Speak to us today to find out how to fortify your technology - you can get in touch here.