Cybersecurity is as dynamic as any industry I have worked in. It takes quite a bit to appreciate the tactical expertise required of senior cybersecurity operators, especially if you don’t have a deep technical foundation.
As a numbers nerd, I enjoy looking for trends, determining probabilities, and creating predictive models. And having read and helped edit every client report we’ve delivered, I glean new insights practically every day about the industry and how hackers think and operate.
So, I took my nerd interests and analyzed the most common ways a hacker can damage your company using our experience at Pathfynder as a proxy.
Here are the results:
Note: These aggregated results include external/internal penetration tests, web application assessments, and cloud email security audits. They do not include automated scans.
Lack of Multi-Factor Authentication (MFA) is the most common finding across all engagements.
We get it. Enabling and enforcing MFA can be a pain. But it works. MFA isn’t the magic bullet that will prevent all hackers from breaking in, but the cost to implement is minimal and it will go a long way in improving the quality of your defenses.
Another important insight here: enabling MFA and enforcing MFA are two separate issues. For example, we often see clients who have enabled MFA for their cloud email provider (M365, Google Workspace) but have not enforced it. Without enforcement, the risk is the same as having no MFA at all, because some employees simply never enroll their devices and accounts when the process is a hassle.
Tip: Stay ahead of MFA implementation and enforcement issues with a cloud security audit.
The low-hanging fruit of improving password complexity and eliminating password reuse accounts for nearly 1 of 5 critical & high findings.
I’ve lumped a few different issues here with one common thread – the human element. Let me highlight some key points.
A dictionary attack is when a hacker uses easily guessable passwords to access an account – think combinations of company name + year or season + year (e.g., Spring2022). These password combinations are surprisingly common in our engagements and, technically, may be compliant with instituted password complexity policies. The issue here is pretty obvious – using these passwords may be easy for staff to remember, but they are ripe for compromise via dictionary attacks, one of the first actions any adversary will take in attempting to penetrate your defenses.
The other side of the coin is enforcing sufficient password complexity to prevent brute force attacks. Well-resourced adversaries will bring password-cracking rigs to the fight that have the power to repeatedly guess password combinations. For example, with password lengths of 1 to 10, cracking rigs using inexpensive GPUs can work through all possible combinations in about a week. Adding just one additional character to this requirement increases the time to crack all possible combinations to 4 months.
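As an added example (not code from the article or from Pathfynder), a small Python check that flags the word-plus-year passwords described above, such as Spring2022, and shows how much the exhaustive search space grows with each extra required character. The company name and the 2022 year window are constructed placeholders, and the real multiplier depends on which characters the password policy allows.

```python
import re

# Constructed example values; the company name is a placeholder, not a real client.
COMPANY_NAME = "examplecorp"
SEASONS = ("spring", "summer", "fall", "autumn", "winter")
# Common character swaps ("Spr1ng", "P@ss") that cracking rules undo in one step.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})
# base word, optional separator, a 2- or 4-digit year, optional trailing punctuation
PATTERN = re.compile(r"(?P<base>.+?)[-_.]?(?P<year>\d{4}|\d{2})(?P<tail>[^A-Za-z0-9]*)")


def is_dictionary_pattern(pw: str, company: str = COMPANY_NAME, year: int = 2022) -> bool:
    """True when pw is a guessable 'word + year' password such as Spring2022,
    ExampleCorp-21 or Spr1ng2022!, judged against a window around `year`
    (2022 is the year used in the article's example)."""
    m = PATTERN.fullmatch(pw)
    if m is None:
        return False
    base = m.group("base").lower().translate(LEET)
    years = set()
    for y in range(year - 5, year + 2):
        years.add(str(y))            # four-digit form, e.g. 2022
        years.add(f"{y % 100:02d}")  # two-digit form, e.g. 22
    return base in {company.lower(), *SEASONS} and m.group("year") in years


def keyspace(max_len: int, alphabet: int = 95) -> int:
    """Number of candidates of length 1..max_len over an alphabet of `alphabet`
    symbols (95 = printable ASCII), i.e. what an exhaustive search must cover."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def crack_time_ratio(from_len: int, to_len: int, alphabet: int = 95) -> float:
    """How much longer an exhaustive search takes when the maximum length grows
    from from_len to to_len; each extra character multiplies the work by roughly
    the alphabet size."""
    return keyspace(to_len, alphabet) / keyspace(from_len, alphabet)
```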
Last is avoiding password reuse. Again – the common theme here is the human element and our innate desire to make life easier. In a world where there are no bad guys, using the same password across systems could work. Alas – the world is still filled with bad actors, and using the same (or similar) passwords from one account to another makes a hacker’s job easier because they only need to crack one password for use on all of your accounts. This risk extends beyond the boundaries of your business because we often see business email account passwords reused in common commercial services (e.g., Drizly, Equifax).
Tip: External & Internal penetration tests will uncover gaps in your password policies. More narrowly scoped engagements could include unit tests or mini-offensive engagements to address these common attack vectors. The use of password managers should be enforced to improve password strength and security.
Unmitigated CVEs are security grenades waiting to explode.
Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed information security issues. CVE provides a convenient and reliable way for entities to share information about cybersecurity issues.
While CVEs didn’t make the cut for the top three most common findings, unmitigated CVEs are worth mentioning because they pose a significant risk to any business that has them. In several of our engagements, we encounter CVEs that have not been appropriately mitigated (or addressed at all). The problem here is that information about these vulnerabilities is publicly available. If they are relevant to your company and have not been resolved, the bad guy already holds the playbook from which to do harm.
Tip: Hire security experts to regularly test your defenses. IT staff and/or dedicated internal cybersecurity defenders should be familiar with applicable CVEs relevant to your network and technology stack.
The Big Picture
I was inspired to put this article out there because of the number of relatively easy fixes that can make a hacker’s life harder. MFA can be a pain but works. Increasing password entropy by requiring 11 characters instead of 10 makes a huge difference. Banning company dictionary words eliminates a common attack vector. And, of course, passwords should never be reused.
While I’ve positioned these common findings as “easy” fixes, I acknowledge how hard it is to protect your company from cyber threats. Employee turnover and the sprawl of expanding digital infrastructure lead to increased security debt, which is one reason cyberattacks are making headlines with increased regularity.
Adding to this, most companies can’t afford a team resourced well enough to defend against emerging threats. And even when companies have identified staff members to lead cybersecurity programs, they often contend with conflicting priorities like network function and business needs over security.
Other organizations cannot maintain the tenured experience of “blue team” defenders, which often relegates cybersecurity to a high-turnover IT collateral duty or a farmed-out Managed Security Service Provider (MSSP). Even when this happens, every company must still be able to clearly articulate what its environment looks like, what its crown jewels are, and have a good idea of its exposure to security threats. Passing the buck here can mean increased exposure to bad actors.
Understanding that exposure, however, requires testing your cyber defenses. Even when your defenses are contracted out to an MSSP, it is important to ensure these defenses are working as intended. This means investment in offensive cybersecurity services and leaning forward to address the more common findings mentioned previously is well worth the return.
Like weeds in a garden, getting ahead of this is probably the most important first step. If you are unsure where you stand, give us a buzz. We’d love to help.