Why are There Cyber Security Issues?

Why are there constant patches for security problems that are inside software?  Why???

Why do we have  New Security breaches? every year new ones are found and hackers find them to hack computers (which happen to have this breached software).

At the end of last year (2015) everyone was being circumspect and reviewed what happened – why is it we get new breaches and attacks every year?

There are also several blogs that have taken umbrage with Verizon’s DBIR (Data Breach Investigations Report)

Here are some:

  • OSVDB¹ blog
  • Rapid7 Blogpost²

Found another interesting analysis of Verizon’s DBIR:  FoxGlovesecurity(6)

 

FoxGloveSecurity researched the types of vulnerabilities and categorized them (of the ones in the report). Foxglove says the focus should be on remote command execution and impact (51)

Remote Command Execution – 51 Instances

  • SQL Injection – 12 Instances
  • Default Credentials – 6 Instances
  • Insecurely Configured Application Server – 6 Instances
  • Guessed Password – 5 Instances
  • Outdated Software – 5 Instances
  • SQL User is SA – 5 Instances
  • Single Factor Authentication – 3 Instances
  • Command Injection – 2 Instances
  • Insecure File Upload – 2 Instances
  • Public Credential Leakage – 2 Instances
  • Unsafe Deserialization – 2 Instances
  • Reflected Cross-site Scripting – 1 Instance

 

Notice that there are a fair amount of errors in configuration or administration fault:

default credentials, insecure server config, guessed password,SQL User is SA, single factor authentication   (30 instances)  59% of the remote command execution impact table are errors of some kind.

The top10 vulnerabilities in the report were:

  1. SQL Injection – 38 Instances
  2. Insecure Authorization – 23 Instances
  3. Insecure Direct Object Reference – 15 Instances
  4. Stored Cross-site Scripting – 13 Instances
  5. Insecure Authentication – 9 Instances
  6. Insecure Password Reset – 9 Instances
  7. Guessed Password – 9 Instances
  8. Default Credentials – 8 Instances
  9. Single Factor Authentication – 8 Instances
  10. Insecurely Configured Application Server – 6 Instances

 

Foxglove took the 51 remote code executions out of the top10 (138 instances) which are the most dangerous.

So obviously there are many potential vulnerabilities and system administration pitfalls which many entities can’t seem to handle.

 

I have another question to ask:  Why is Security so Hard? I ask this because the hits just keep on coming.

“Hackers Breach Goldcorp, Lifeboat, Qatar national Bank”³  5/4/16 story

“The Future of our City Services? Cyberattackers target Core Water Systems”(4)  3/23/16 story

“Another Hospital Computer System Down to Ransomware”(5) 2/29/16 story

patchingvsattackersperfectsecuritynotpossible

My attempt at explaining the thoughts that may go through management (above picture).

Apparently the difficulties of proper IT administration with security in mind has not been solved yet by most organizations.

What is so difficult to patch all your computers, change default admin passwords, and even to make sure the system administrator and userid are not the same. Single factor authentication might have to do with budget considerations or not having the technical ability to handle switching to 2FA (Two Factor Authentication).

So the effect of a constant change in security, the technical challenges as well as administrative changes is just difficult enough to give many companies problems.

One solution is to have an outside entity test your environment.

 

systemengineeringassecurity

 

I know my solution is somewhat technical – but the point is to have a person test your environment (firewall, software, websites, or wifi device) so that the administration or configuration problems can be reviewed and fixed by the staff themselves.

The answer to the title is there will always be cybersecurity issues with humans running things because stuff happens and nothing is perfect.

Contact Me to discuss

 

  1. https://blog.osvdb.org/2016/04/27/a-note-on-the-verizon-dbir-2016-vulnerabilities-claims/
  2. https://community.rapid7.com/community/infosec/blog/2016/04/29/the-2016-verizon-data-breach-investigations-report-the-defenders-perspective
  3. http://www.esecurityplanet.com/hackers/hackers-breach-goldcorp-lifeboat-qatar-national-bank.html?utm_source=dlvr.it&utm_medium=twitter
  4. http://www.zdnet.com/article/the-future-of-our-city-services-cyberattackers-target-core-water-systems/
  5. http://oversitesentry.com/another-hospital-computer-system-down-due-to-ransomware/
  6. https://foxglovesecurity.com/2016/05/10/why-dos-isnt-compromise-5-years-of-real-penetration-test-data-to-stand-behind/
Advertisements