On October 20, 2020, the National Security Agency (NSA), a national-level intelligence agency of the United States Department of Defense, released a cybersecurity advisory highlighting 25 vulnerabilities in commonly used software that are currently under active exploitation. The advisory followed a series of attacks targeting organizations in the USA.
Here’s what happened
In September, analysts of the NSA identified vulnerability exploits and data theft in networks of interest that hold sensitive intellectual property, economic, political, and military information. Many of these vulnerabilities can be used to gain initial access to victim networks by exploiting software products directly accessible from the Internet. The NSA issued a public warning out of concern, asking all defense organizations and government contractors to immediately mitigate the 25 vulnerabilities in their networks and protect the country from malicious actors.
All of these vulnerabilities had been publicly disclosed long before the attacks started, and the software vendors had already provided patches to mitigate them. Every device compromised in this campaign was compromised because a known vulnerability was left unmitigated even though a patch was available.
The NSA cybersecurity advisory offers three key takeaways from this incident
Cyber-attacks happen all the time, throughout the year. Security professionals should take up the responsibility to study these incidents and implement the measures needed to secure sensitive data and assets. Here are three takeaways we can infer from the NSA cybersecurity advisory and this incident:
1. Software vulnerabilities are the primary vectors of cyber-attacks
Whenever a threat actor decides to hack into an organization, the first and obvious choice is to look for vulnerable assets in the network. The hacker looks for vulnerabilities left unpatched, breaks into the network, and moves laterally into other devices.
To quote the advisory,
“They [hackers] often first identify a target, gather technical information on the target, identify any vulnerabilities associated with the target, develop or re-use an exploit for those vulnerabilities, and then launch their exploitation operation”.
In 2019, the biggest security breaches were due to vulnerabilities for which a patch was available but not deployed. This repeated pattern shows that software patching is vital to IT security. Preventing a fire is better than putting it out after it starts; likewise, cyberhygiene should be the top priority on your list of security measures. Patch all IT assets regularly to safeguard them from unforeseen attacks.
2. Vulnerabilities in the 2-month to 1-year age range are more likely to be exploited
Hackers don’t always rely on creating new vectors of attack. They want to pluck the low-hanging fruits first. Take a quick look at the pattern of exploits in this attack.
The pattern of attacks clearly indicates that hackers find unpatched vulnerabilities older than 2 months fairly easy to exploit. There are two possible reasons for this. First, the average time an IT team takes to patch a known vulnerability is 67 days. Moreover, many IT teams do not assess and mitigate vulnerabilities unless a compliance audit or a software upgrade is due. Second, by the time a vulnerability is a few months old, hackers have developed and distributed exploit code for it. The rate and ease of attack increase as time goes by.
This doesn’t mean that vulnerabilities can safely remain unpatched for up to 2 months. In the first few days after a vulnerability is disclosed, the pattern of attacks is random and unpredictable, and you still can’t risk falling into that trap. If the vulnerability is critical, you have to prioritize it and roll out the patch right away.
To keep your IT assets secure, you have to mitigate vulnerabilities as soon as possible with effective patching strategies. Read the best practices of patch management and keep up with the latest practices of 2020.
3. An intrusion has to be detected and contained immediately
In the unfortunate event of a breach, security professionals should be able to detect it immediately in order to take the next step. The scary part of most data breaches is that they go undetected for a long time or are never detected at all.
According to IBM’s data breach report in 2020, the average time to identify and contain a breach is 280 days. The report also states that the speed of containment can significantly impact the cost of data breaches. Even if your IT assets are up-to-date with the latest patches, you need an alarm system to go off and report malicious activities immediately.
Endpoint detection and response (EDR) ensures all incidents are reported and responded to immediately. It can detect devices compromised by all types of ransomware and arrest the attack at the source. Infected devices can then be removed from the network, preventing the attack from spreading. Antivirus software is an additional measure to detect and remove malware.
This incident is just the tip of the iceberg
The current attacks have come to light because highly sensitive military and defense data is at stake. However, this is just one incident out of thousands, with millions of vulnerability exploits happening around the world. Many attacks go unreported and undetected. Cybersecurity Ventures expects that businesses will fall victim to a ransomware attack every 11 seconds by 2021, up from every 14 seconds in 2019 and every 40 seconds in 2016.
SanerNow Unified Endpoint Security and Management Platform helps automate and orchestrate all cyberhygiene practices across all endpoints in your organization. It offers vulnerability management and endpoint detection and response to keep your endpoints secure.
Sign up for a free demo, and we’ll show you how SanerNow can help you secure your IT infrastructure from cyber-attacks.