What Can We Learn From Our Cyber Security Mistakes?


Carl Leonard, principal security analyst at Websense, explains how cyber attacks in the past year have affected businesses

In information security, 2014 was viewed by many as ‘the year of the data breach’, with high-profile data theft incidents making global news headlines on an almost daily basis.

However, infamy was reserved for two vulnerabilities that affected the vast majority of the Internet infrastructure and users: Heartbleed and Shellshock. The revelation that decades-old code was leaving consumers and businesses vulnerable to attack by cybercriminals shocked the IT security community and entered the public consciousness in a way that has never been seen before.

Infrastructure threatened

In the last 12 months the threat landscape expanded into the network infrastructure itself, with a multitude of hidden vulnerabilities revealed deep within the code base of age-old, widely deployed components such as Bash, OpenSSL and SSLv3. The likes of Shellshock, Heartbleed and Poodle highlighted the brittle nature of infrastructure standards and pushed businesses into action: deploying rapid risk assessments and applying mitigation methods to prevent exploitation and data theft.

The first major indication of the fragility in existing infrastructures came one year ago with the OpenSSL Heartbleed vulnerability (CVE-2014-0160). Heartbleed exposed the memory of systems using vulnerable versions of OpenSSL. Vendors rushed to provide patches and encouraged users of the open source toolkit to upgrade their versions of OpenSSL and/or the software using those libraries.

Five months later, in September 2014, IT teams already reeling from Heartbleed had to face up to the even bigger challenge of mitigating Bash Shellshock (CVE-2014-6271). The 25-year-old vulnerability allowed for remote execution of arbitrary commands via crafted environment variables. Within days of the public announcement, proof-of-concept code was widely published and attackers were dropping malware onto vulnerable servers.

A few weeks later the SSLv3 Poodle (CVE-2014-3566) weakness surfaced, posing a serious data theft risk to secure communications using the SSL standard. This also highlighted widespread use of older standards, even while newer and more secure standard options were available.

Despite these major data-stealing attacks, recent research from Websense during the eCrime Congress found that a third of respondents felt that their organisation would not be affected by data loss. Companies are continuing to ignore potentially disastrous threats and are leaving their systems vulnerable to further attacks, and now amateur malware authors are taking advantage of this with very simple but aggressive malware.

Websense Security Labs recently warned that even six months after the initial public revelation, a simple yet aggressive worm in the wild still looks to exploit the Shellshock vulnerability for reconnaissance purposes. The worm, a precursor to a larger, more destructive attack effort, was created to target organisations that had not been patched following previous attacks. The worm leverages this weakness to gain access in order to download and execute a shell script; in turn that script downloads and unpacks a tarball containing the worm, which requests a list of IPs from its hard-coded command and control server. If the company’s IT infrastructure is easily accessible to attackers, they can then carry out a number of malicious activities, including launching crippling DDoS attacks, stealing PII and credentials, or using the host as a C&C server for further attacks.
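Shellshock probes, whether from the original wave or from a worm like the one described above, inject a Bash function definition ("() {") into an HTTP header or URL that a CGI-enabled web server copies into an environment variable, which leaves a recognisable signature in web server logs. The following detector is an added example and not part of the original article; the Apache combined-format log lines are constructed samples, and the function names are assumptions:

```python
import re
from urllib.parse import unquote

# A Shellshock probe carries a Bash function definition, "() {", in a field that
# a CGI server exports as an environment variable. Probes are often obfuscated
# with extra whitespace or URL encoding, so decode first and tolerate whitespace.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format: request line, then referer and user-agent in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def is_shellshock_probe(line):
    """Return the name of the first field (req, referer or ua) that contains the
    Shellshock function-definition pattern, or None if the line is clean or
    does not parse as a combined-format log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field in ("req", "referer", "ua"):
        if SHELLSHOCK_RE.search(unquote(m.group(field))):
            return field
    return None


def scan(lines):
    """Return (source_ip, field) pairs for every line that looks like a probe."""
    hits = []
    for line in lines:
        field = is_shellshock_probe(line)
        if field:
            hits.append((LOG_RE.match(line).group("ip"), field))
    return hits


# Constructed sample log lines (not real traffic): a probe in the User-Agent,
# a URL-encoded probe in the request path, and one benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo shellshock-test"',
    '198.51.100.7 - - [25/Sep/2014:10:02:15 +0000] "GET /cgi-bin/test.cgi?%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 404 209 "-" "curl/7.35.0"',
    '192.0.2.9 - - [25/Sep/2014:10:03:44 +0000] "GET /index.html HTTP/1.1" 200 3021 "http://example.test/" "Mozilla/5.0 (X11; Linux) Firefox/32.0"',
]

if __name__ == "__main__":
    for ip, field in scan(SAMPLE_LOG):
        print(f"possible Shellshock probe from {ip} in {field}")
```

A hit from this scan is a reason to confirm the host's Bash version is patched and to review what the targeted CGI script can reach, not proof of compromise on its own.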

Thirty-five percent of organisations believe they are protected from attacks, yet the technology they are using is not appropriate to combat data theft. The recent data theft attacks should be a wake-up call for IT teams: failure to implement an effective security programme will not only increase the company’s risk level but also enable attackers to benefit from old vulnerabilities in order to exploit systems.

Businesses must ensure they conduct regular reviews of their mission-critical systems using legacy technologies for potential risk and upgrade opportunities. It’s also vital to have an established process for assessing potential risk and the scope the risk could pose to the organisation. Security professionals must also ensure they stay up to date with streams of threat intelligence and conversations that will reveal newly discovered potential vulnerabilities, by subscribing to security news feeds, reading blogs and networking with peers at any opportunity.
