With so many security vulnerabilities, and new ones emerging every day, it is becoming impossible to know which ones to fix first. As attackers continue to scale up their attacks in magnitude and sophistication, it is essential that your organization fix not only the most complex security issues but also the most common and overlooked ones.
Our founder and CEO Reuven Aronashvili speaks on the CISO Talks podcast with host Danny Murphy about:
- The most common security gaps that CYE’s nation-level experts see when conducting organizational cybersecurity assessments.
- The need for organizations to be more aware of these vulnerabilities in order to patch them and reduce the likelihood of them being exploited.
- How the most basic items in organizations – for which solutions already exist – are often not covered in an effective or efficient way.
Danny Murphy: Reuven, thanks for coming on the show.
Reuven Aronashvili: It’s great to be here.
Danny Murphy: Last time we spoke, you said that CYE has had around 600 engagements with approximately 250 organizations. Are there common vulnerabilities that you see within these organizations or are they vastly different?
Reuven Aronashvili: Let me give you the secret – the top 5. These are the things that we see in almost all organizations:
1 – Poor Password Quality – Most organizations, even if they are very advanced, have legacy passwords or service accounts without strong, robust passwords. This is usually how hackers get first access to the organization and their foot in the door.
Danny Murphy: Before you proceed, I was reading that in order to evade these detection systems, rather than guessing loads of passwords to a single account, you go across all the accounts and create basic passwords, which seems to be successful about 60% of the time.
Reuven Aronashvili: We call that password spraying. That means that instead of going to one account with many passwords, you go with one or two passwords that you anticipate the organization would use, like “name of the organization + summer 2021.” You would be surprised to see how many organizations fall victim to attacks that stem from weak passwords. I know the numbers and I’m still surprised. In a way, it’s very frustrating, but it’s also very human. We conduct password spraying – both to make sure that we’re not locking any accounts to create a denial of service attack and to stay under the radar as much as possible. Password quality is really the number one item we see in many organizations.
2 – Lack of Breach Detection Capabilities – We see that organizations are struggling to identify active breaches and threats within the organization while they are happening. Breach detection capabilities are not advanced enough to deal with the more modern attack routes that we see today. Usually what we see is that those capabilities are very capable against things that are already well known. There are good solutions out there, but we still see a gap between the attacker’s ability to move within the organization and the time the organization needs to identify and respond to the specific issue.
3 – Lack of Network Segmentation – The capability of an attacker to move between different parts of the organization – from user environment to server environment to cloud environment and so on – is something that is still very far away from where it should be.
4 – Lack of Proactive Access Governance – The next item that we often see is administration and privileged access management. When attackers work on technical environments, they want to get access to the administrative account. Once they gain access to an administrative account, like a domain admin, they can often get access to other devices quite quickly. That is something that is very powerful for the attacker. Of course, it’s not the end of the process, but a good step toward achieving their targets within the organization.
5 – Basic Hygiene Still Lacking – The last item really surrounds basic cyber hygiene. All the solutions are already on the market; it’s just about proper asset management, as well as policies and procedures to make sure that they are implemented sufficiently. Of course, there are challenges. If it was easy, everyone would do it, but there are challenges, such as impact on production. Critical infrastructures or OT environments do not have the patch, and if they do have the patch, they are not allowed to install it because they could lose their warranty. If you’re working with an old version of Windows, of course you don’t have the patch to install. Those are inherited problems that you see in organizations – very simple, maybe, and some would even say stupid, but still problems – very tangible and relevant problems.
Those are the top 5. In many cases we also see issues around email protection, which are easy to fix but often not implemented. The common ground between all of the things I’ve mentioned is that they are all basic foundations for cybersecurity. We hear a lot about “next generation” firewalls or anti-virus, but the basic items in most organizations are not covered in an efficient or complete way. That’s usually what we use to move laterally within organizations and gain access to business-critical assets – not because we don’t know how to do other things, but because those are the easiest, and the attacker will always look for the easiest way in instead of using the most complicated James Bond-type attacks.
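The password-spraying technique Reuven describes in the interview (one or two guessable passwords tried across many accounts, kept below the lockout threshold so no account is locked and the activity stays under the radar) has a mirror image on the defensive side: per source, many distinct accounts failing authentication inside a short window with only a few failures each, which is a different shape from classic brute force (many failures against a single account). The Python below is an added example and is not code from CYE or from the podcast. The log line format (`<ISO timestamp> auth_fail|auth_ok user=<name> src=<ip>`), the sample lines, and the thresholds are all constructed assumptions; real deployments would map Windows event 4625/4624, VPN or IdP logs into the same tuple and tune the thresholds against the organization's actual lockout policy.

```python
"""Detect password spraying vs. brute force in authentication logs (added example).

Spraying: one source hits many distinct accounts in a window, few failures each.
Brute force: one source hits one account with many failures in a window.
A success from the same source during a spray window is the account to triage first.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed, simplified log format: "<ISO timestamp> auth_fail|auth_ok user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>auth_fail|auth_ok)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed sample data (not from any real system):
#  - 203.0.113.7 sprays eight accounts once each within ~45 s and lands on "frank"
#  - 198.51.100.9 brute-forces the single service account "svc_backup"
#  - 192.0.2.55 is a user mistyping a password twice, 15 minutes apart (noise)
SAMPLE_LOG = """\
2021-06-01T09:00:01 auth_fail user=alice src=203.0.113.7
2021-06-01T09:00:04 auth_fail user=bob src=203.0.113.7
2021-06-01T09:00:09 auth_fail user=carol src=203.0.113.7
2021-06-01T09:00:15 auth_fail user=dave src=203.0.113.7
2021-06-01T09:00:21 auth_fail user=erin src=203.0.113.7
2021-06-01T09:00:27 auth_fail user=frank src=203.0.113.7
2021-06-01T09:00:31 auth_ok user=frank src=203.0.113.7
2021-06-01T09:00:40 auth_fail user=grace src=203.0.113.7
2021-06-01T09:00:44 auth_fail user=heidi src=203.0.113.7
2021-06-01T09:05:00 auth_fail user=svc_backup src=198.51.100.9
2021-06-01T09:05:01 auth_fail user=svc_backup src=198.51.100.9
2021-06-01T09:05:02 auth_fail user=svc_backup src=198.51.100.9
2021-06-01T09:05:03 auth_fail user=svc_backup src=198.51.100.9
2021-06-01T09:05:04 auth_fail user=svc_backup src=198.51.100.9
2021-06-01T09:05:05 auth_fail user=svc_backup src=198.51.100.9
2021-06-01T09:05:06 auth_fail user=svc_backup src=198.51.100.9
2021-06-01T09:05:07 auth_fail user=svc_backup src=198.51.100.9
2021-06-01T09:05:08 auth_fail user=svc_backup src=198.51.100.9
2021-06-01T09:05:09 auth_fail user=svc_backup src=198.51.100.9
2021-06-01T09:30:00 auth_fail user=alice src=192.0.2.55
2021-06-01T09:45:00 auth_fail user=alice src=192.0.2.55
"""


def parse_events(text):
    """Return a time-sorted list of (timestamp, user, src, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are ignored
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"] == "auth_ok"))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Per source: flag windows with >= min_users distinct failing accounts and
    <= max_per_user failures per account (the under-the-lockout-threshold profile).
    Returns {src: {"users": [...], "first": ts, "last": ts, "successes": [...]}}."""
    by_src = defaultdict(list)
    for ts, user, src, ok in events:
        by_src[src].append((ts, user, ok))
    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, u) for ts, u, ok in evs if not ok]
        start = 0
        for end in range(len(fails)):  # two-pointer sliding window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = Counter(u for _, u in fails[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                w_start, w_end = fails[start][0], fails[end][0]
                # a success from the spraying source inside the window is the likely hit
                hits = {u for ts, u, ok in evs if ok and w_start <= ts <= w_end}
                f = findings.setdefault(src, {"users": set(), "first": w_start, "last": w_end, "successes": set()})
                f["users"].update(counts)
                f["first"], f["last"] = min(f["first"], w_start), max(f["last"], w_end)
                f["successes"].update(hits)
    return {src: {"users": sorted(f["users"]), "first": f["first"], "last": f["last"],
                  "successes": sorted(f["successes"])} for src, f in findings.items()}


def detect_bruteforce(events, window=timedelta(minutes=10), min_failures=10):
    """Per (src, user): flag >= min_failures failures inside `window`.
    Returns {(src, user): peak failure count in any window}."""
    by_pair = defaultdict(list)
    for ts, user, src, ok in events:
        if not ok:
            by_pair[(src, user)].append(ts)
    findings = {}
    for key, times in by_pair.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_failures:
                findings[key] = max(findings.get(key, 0), end - start + 1)
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, f in detect_spray(evs).items():
        print(f"spray from {src}: {len(f['users'])} accounts {f['first']}..{f['last']}; successes: {f['successes']}")
    for (src, user), n in detect_bruteforce(evs).items():
        print(f"brute force from {src} on {user}: {n} failures")
```

Two design points matter in practice. First, the spray rule keys on the number of distinct accounts per source, not on failures per account, so a campaign that deliberately stays at one or two guesses per user (the behaviour the interview describes) still trips it, while the per-user cap keeps a single noisy brute-force source from being double-counted. Second, a success from the same source inside the spray window is reported separately, because that account, not the source address, is the thing to reset and investigate; attackers who rotate source addresses or tunnel through a cloud proxy will defeat the per-source grouping, so in a production rule the grouping key is usually widened to an ASN, a user-agent fingerprint, or the target application.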