Vulnerabilities and exploits are critical in all security domains, but especially now, during the COVID-19 pandemic, where malicious actors are shifting attack vectors to utilise this unprecedented global situation.
Rapidly transitioning office-based workforces into remote workers comes with a whole host of security concerns. But what exactly are exploits and vulnerabilities within this context and why are they important now?
Security cannot be divided into “secure” and “not secure” categories. The suitability of security strategies is relative to the controls implemented to address risks. For example, instead of saying “my house is secure” it is better to say, “my house has been secured proportionately to the risks I have identified,” because the measure of security is based on risks and controls.
Security should be viewed as a function of time and resources; it cannot be ‘assured’ since there can be no ‘guarantee’ of security when human threats are adapting and technologies are changing.
According to the Department of Homeland Security’s Security Lexicon, Adaptive Threats are: “…caused by people that can change their behaviour or characteristics in reaction to prevention, protection, response, and recovery measures taken.” As defences improve, threat actors adapt. As the threat actor improves their capabilities, defensive actors must change their protections and so this cycle continues.
The US Department of Homeland Security (DHS) lexicon defines a vulnerability as “…characteristic of design, location, security posture, operation, or any combination thereof, that renders an asset, system, network, or entity susceptible to disruption, destruction, or exploitation.” Vulnerabilities exist whether or not anyone has identified them, and given the right tools and enough time most security controls can be circumvented.
An exploit is defined as something that… “takes advantage of a bug or vulnerability to cause unintended or unanticipated behaviour…” In other words, an exploit is whatever is used to take advantage of a susceptibility in a control. Not all vulnerabilities carry equal risk and severity, and although exploits and vulnerabilities are inextricably entwined, they are not independent of each other: without the other, each exists only in theory. To help security teams prioritise, known vulnerabilities are catalogued with Common Vulnerabilities and Exposures (CVE) identifiers and scored with the Common Vulnerability Scoring System (CVSS), whose base metrics capture both the impact of a flaw and how easily it can be exploited (attack vector, attack complexity, and the privileges and user interaction required). Below is an example of what has been posited in debate on this subject.
Imagine a modern bank vault with reinforced concrete walls clad in hardened steel and a Class Three vault door built from reinforced concrete with hardened steel locks. A UL 608 Class Three vault door is rated to withstand 120 minutes of attack with “torch and tools”. A person with a cutting torch and the appropriate tools could therefore circumvent the door’s security in around two hours. The door is not invulnerable; it is simply resistant, measured in ‘resources and time’. Those resources and that time are tied to the exploit (the torch and tools) and the vulnerability it targets (the melting point of the steel).
Now consider the vault being transported back to the Bronze Age. Would anyone of that era view the vault as ‘vulnerable’, or able to be opened with their existing knowledge, tools, and effort? The answer is ‘no’. They could not envision an ‘exploit’ for a vulnerability they had no way of identifying: iron smelting had not yet been developed, and steelmaking lay far in the future. In short, there were no KNOWN exploits and no KNOWN vulnerabilities.
This is an important concept. The vulnerability exists whether it has been identified or not. This is also an example of ‘threat adaptation’: without knowledge of the vulnerability, the exploit existed in theory only, and without knowledge of an exploit, the vulnerability existed only in theory, too.
Consider the Secure Sockets Layer version 2 (SSLv2) protocol, an early version of the protocol used to protect websites, including those that accept payment data. SSLv2 had been deprecated for years, but many servers still accepted it, and in 2016 researchers published DROWN, a previously unknown cross-protocol attack that uses a server’s lingering SSLv2 support to decrypt TLS sessions protected by the same RSA key. Once an exploit exists that can gain advantage over a particular control, we can say definitively that X is vulnerable to Y.
Security can be viewed as a function of time and resources. Time includes the time required to attempt an exploit and the time required for knowledge and technology to advance. Resources include the effort required to attempt an exploit, to gain the necessary knowledge, and to develop the technology and tools that serve as the exploit.
In summary, it is advisable for organisations to focus on the underpinnings of security theory as these basic concepts provide a platform for a more inclusive understanding of risk and how to implement controls to address them.
As ever, cybercriminals find ways to take advantage of situations, like the current pandemic, for their own benefit. One aspect that shouldn’t be overlooked is that the psychology spawned by COVID-19 has inadvertently made people more open to risk: there is now a demand for information, especially on ways to stay protected, and a lure that promises it is more likely to be clicked. Most of the current threats are not more sophisticated or capable than before; they are preying upon a new vulnerability, the fear and uncertainty within individuals.
As new threats emerge and bad actors adapt their tactics and technologies to capitalise on changing conditions, such as the surge in remote working and activity on unsecured networks and devices, defenders must anticipate how attackers will adapt and adjust their own controls accordingly.
Actions to mitigate cyber risks could include:
- Ensuring that virtual private networks (VPNs) and other remote access systems are patched with all available security updates, with a particular focus on access control as well as authentication
- Checking that system entitlements (access permissions) are current and based on the roles of the remote workforce
- Employing multi-factor authentication for people who access sensitive systems remotely
- Reminding employees of cyber risks through education and other exercises that promote heightened vigilance (phishing and ransomware are rampant in times of crisis)
- Keeping crucial data protection obligations in mind when implementing unconventional remote work programmes that may require employees to use their own devices for work, a well-known pitfall where organisations fall out of compliance
- Updating and applying your cybersecurity policies and programmes to fit a remote workforce model
Following these few tips makes it harder for criminals to take advantage of exploits and vulnerabilities during these uncertain times. Threats may be adapting, but if organisations can adapt and anticipate, they will have the ability to thrive in otherwise unpredictable times.
Author: Chris Mark, PCI National Practice Director, AT&T Cybersecurity