According to a security company’s 100 penetration attempts, most organizations succumb to five attacks, none of which involve malware or zero-day flaws. The top five attacks, according to darkreading.com:
- abuse of weak domain user passwords — used in 66% of Praetorian pen testers’ successful attacks
- broadcast name resolution poisoning (like WPAD) — 64%
- local admin password attacks (pass-the-hash attacks) — 61%
- attacks on cleartext passwords in memory (like those using Mimikatz) — 59%
- insufficient network segmentation — 52%
As darkreading.com noted, the top four involve stealing credentials. It also notes that, despite the relatively high sample count, these are all results coming from one company’s attempts – Praetorian’s – at hacking clients (who approved the hacking to begin with).
If you’ve taken some basic statistics classes, you’re quite aware that the above results have potential problems. There’s potential bias in:
- the company’s abilities. To a guy with a hammer, everything looks like a nail. Likewise, a company that does its best work by stealing usernames and passwords is likely to lead to a result that reflects this core competency. Other security professionals may find it easier to exploit zero-days and see different results.
- the clients are self-selecting. In other words, the sample is not random. A classic problematic outcome of non-random sampling is Truman’s triumph over Dewey in the 1948 US presidential election. For the pen test outcome, it could be that companies hire pen testers only after making sure all of the known zero-days are patched up. This, in turn, may make social engineering techniques the only possible way to breach such a company’s defenses. This is an important distinction, since companies that are not ready for (or not interested in) hiring penetration testers may very well have unpatched zero-days that can be exploited.
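The self-selection argument above can be made concrete with a small model. The following is an added example, not from the original post or from Praetorian: it builds a constructed population of hypothetical organizations (names, attributes and the rule that unpatched organizations tend not to hire testers are all assumptions) and compares the attack-success rates a tester would observe in its client sample against the rates across the whole population.

```python
"""Selection-bias illustration for pen-test statistics.

Added example, not from the original post or from Praetorian. The population
below is constructed (hypothetical organizations with made-up attributes); the
point is to show how a self-selected client base can change which attack class
comes out on top in the testers' results.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Iterable


@dataclass(frozen=True)
class Org:
    name: str
    weak_passwords: bool      # credential-based attacks would succeed here
    unpatched_zero_day: bool  # a known-but-unpatched flaw is exploitable here
    hires_pentesters: bool    # whether the org ever appears in a tester's sample


# Constructed population (assumption, not real data): organizations still
# running unpatched software mostly do not engage testers, mirroring the
# post's claim that clients patch first, or never hire at all.
POPULATION = [
    Org("A", weak_passwords=True,  unpatched_zero_day=False, hires_pentesters=True),
    Org("B", weak_passwords=True,  unpatched_zero_day=False, hires_pentesters=True),
    Org("C", weak_passwords=False, unpatched_zero_day=False, hires_pentesters=True),
    Org("D", weak_passwords=True,  unpatched_zero_day=True,  hires_pentesters=False),
    Org("E", weak_passwords=False, unpatched_zero_day=True,  hires_pentesters=False),
    Org("F", weak_passwords=False, unpatched_zero_day=True,  hires_pentesters=False),
    Org("G", weak_passwords=True,  unpatched_zero_day=True,  hires_pentesters=True),
    Org("H", weak_passwords=False, unpatched_zero_day=True,  hires_pentesters=False),
]


def rate(orgs: Iterable[Org], predicate: Callable[[Org], bool]) -> Fraction:
    """Exact share of orgs satisfying the predicate (Fraction avoids float noise)."""
    orgs = list(orgs)
    return Fraction(sum(1 for o in orgs if predicate(o)), len(orgs))


def attack_rates(orgs: Iterable[Org]) -> dict:
    """Share of orgs each attack class would succeed against."""
    orgs = list(orgs)
    return {
        "credential": rate(orgs, lambda o: o.weak_passwords),
        "zero_day": rate(orgs, lambda o: o.unpatched_zero_day),
    }


def observed_vs_population(population=POPULATION) -> dict:
    """Compare what a tester sees (its clients) with the whole population."""
    sample = [o for o in population if o.hires_pentesters]
    return {
        "population": attack_rates(population),
        "pentest_sample": attack_rates(sample),
    }


def top_attack(rates: dict) -> str:
    """Name of the attack class with the highest success rate."""
    return max(rates, key=rates.get)


if __name__ == "__main__":
    result = observed_vs_population()
    for scope, rates in result.items():
        print(scope, {k: f"{float(v):.0%}" for k, v in rates.items()},
              "top:", top_attack(rates))
```

In this constructed population, credential attacks lead in the tester's sample (75% versus 25% for zero-days) while unpatched zero-days are actually the more common exposure across all organizations (62.5% versus 50%). The ranking flips purely because of who hires testers, which is the bias the post is pointing at.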
As it turns out, the above results are in sync with those reported by other security companies.
Praetorian lists a number of remedies and suggestions so that organizations can mitigate the fallout from successful penetrations (since it’s essentially a given that you cannot prevent successful attacks 100% of the time).
Is the Industry Too Focused on The Wrong Issues?
If you look through your information security newsfeed, you’ll find that it is overwhelmingly dominated by entries of the newest malware and zero-day exploits, be it how they remain unpatched despite repeated contacts to “the right people”; or how fixes are available but companies are not patching them; or how hackers – with the backing of the law or otherwise – are exploiting them. It stands to reason, then, that with so many different (and growing) ways to get past an organization’s cyber defenses, the ground zero of a data breach would point to this general area, and not something that exploded into the public consciousness with the movie Hackers in 1995.
And yet that’s not what empirical data is showing us. Why are our expectations not matching up with reality?
Some of the blame could be laid on the media. After all, nobody wants to report the “unsexy” stuff. When it does happen, it’s because of secondary characteristics like “over 200 million people affected!! You could be one of them!” The news pursues its namesake and forces us to focus on what’s new and different.
But perhaps it’s also because of the way the industry works. Like the proverbial drunk who’s looking for his house keys under the one working streetlight because that’s the only place where he can see anything (and thus carry out a search for his keys, never mind that he lost them at the bar), the industry is focused on finding zero-day and other technical flaws. While these are a serious concern, they are also easier to find and catalogue and research in the sense that you can throw more machines and code at the problem. Some might even say that it’s like shooting fish in a barrel, with these security issues popping up anywhere one looks.
The same cannot be said for social engineering, which takes slow, inefficient human interaction.
Security Issues Stack Up
It behooves us to remember that new security issues do not necessarily replace old ones, which is different from how technology tends to work out in general. Rather, security issues stack up like the bricks of a wall. If any of them are compromised, there is a breach.