Q&A: IT vulnerability and how it leads to cyber attacks
With the current wave of cybersecurity attacks, businesses everywhere are scrambling to protect their digital assets and prevent high-impact security breaches. One of the most crucial steps a company can take is to examine its systems’ vulnerabilities.
We recently sat down with LANDESK’s Chief Security Officer, Phil Richards, to gain deeper insights into how neglecting your system’s vulnerabilities can lead to ransomware and other cybersecurity attacks.
Q: What is a vulnerability and how do you find it?
A: A vulnerability is a system’s inability to withstand a specific attack. A vulnerability can result from configuration, like having a weak password, or from physical issues, like having an unlocked computer in a public place. It can also be a software weakness, such as an application that has not been patched.
Defects in software that require patching are tracked in the Computer Vulnerabilities and Exposures Database (CVE database for short) kept by Mitre.org. The database contains more than 77,000 vulnerabilities and dates back to 1999.
Q: You mentioned that some catalogued vulnerabilities date back to 1999. Is it important to patch defects that old?
A: It is critical to patch older defects. Verizon publishes a report every year called the Data Breach Investigations Report. The 2016 version of that report states that the top ten vulnerabilities are responsible for 85 percent of all successful breaches, and that eight of those ten vulnerabilities are 13 years or older.
The key finding from this report is that older vulnerabilities are still heavily targeted, and that your vulnerability assessment and management processes should emphasize consistency and thorough coverage more than rapid patching.
Q: If a vulnerability is a system’s inability to withstand an attack, what is vulnerability assessment?
A: Vulnerability assessment is the process that determines whether or not a system exhibits any known vulnerabilities. You can do vulnerability assessment in many different ways, but the easiest way to assess vulnerabilities across many systems is to use a vulnerability scanner, or an accurate software inventory system.
A vulnerability scanner will probe computer systems and devices on the network to assess if they are vulnerable to specific exploits. Vulnerability scanners can be very beneficial, but they can also cause network and system issues if not configured or used properly, so be careful.
An accurate software inventory system can be used to assess vulnerabilities without performing any network probes of the systems directly, so it doesn’t pose the direct danger to the environment that vulnerability scanners do. That said, vulnerability scanners are probing your systems, so their findings may be more accurate than the inventory of installed software. Both of these tools will provide a list of steps to take to address the vulnerabilities.
Q: Is that list of steps part of the vulnerability management process?
A: Yes. Vulnerability management is the process of identifying, classifying, and addressing vulnerabilities. It is an iterative process. You are never completely clear of all vulnerabilities because new ones are discovered every day.
Additionally, software becomes de-supported by the vendor as it gets older. This process is another part of vulnerability management, called obsolescence management. It is just as important to stop using obsolete software as it is to patch.
Q: What happens if we don’t fix the vulnerabilities? How do the bad guys exploit vulnerabilities on corporate computer systems?
A: One of the best examples of how vulnerabilities are exploited is by looking at the behavior of exploit kits. Exploit kits are the second most common way for malicious actors to gain a foothold within an organization, just behind phishing.
Exploit kits are sold on the cybercrime black market as a service to individuals or organizations who use them in campaigns to gain control of unsuspecting consumers.
The way the attack starts is when an employee in your organization goes to a website that the bad guys have already compromised. The compromised site will perform a network scan of your computer’s IP address, looking for vulnerabilities on your computer. Essentially, an exploit kit starts as a vulnerability scanner.
Typically, these vulnerabilities are missing patches in products that plug into the browser, such as Adobe Acrobat Reader, IE, Java Runtime Environment or Microsoft Silverlight, or the browser itself. The exploit kit, if it finds vulnerabilities, will send your computer a string of characters to exploit for the specific vulnerability found on your computer. The exploit will dump executable code onto the computer, all through the compromised website that you are visiting.
Differing from phishing malware, the user is not notified in any way that the attack is underway, because it leverages exploits on the user’s computer. The first and best defence against these attacks is to make sure all your systems are fully patched, especially patching the software that is most often targeted by EKs (IE, JRE, Silverlight and Adobe Acrobat Reader).
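The inventory-based assessment, obsolescence check and patch prioritisation described in the interview can be sketched as follows. This is an added example, not part of the original article or any LANDESK product; the hosts, versions, advisory IDs and the "fixed_in" feed format are constructed placeholders.

```python
# Constructed sample data: hosts, products, versions and advisory IDs are placeholders.
INVENTORY = [
    {"host": "ws-01", "product": "Java Runtime Environment", "version": "8.0.91"},
    {"host": "ws-01", "product": "Adobe Acrobat Reader", "version": "15.10.2"},
    {"host": "ws-02", "product": "Microsoft Silverlight", "version": "5.1.50"},
    {"host": "ws-02", "product": "ExampleEditor", "version": "3.2"},
    {"host": "srv-01", "product": "LegacyFTP", "version": "2.0.1"},
]
# Hypothetical advisory feed: any version below fixed_in is treated as vulnerable.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "product": "Java Runtime Environment", "fixed_in": "8.0.101"},
    {"id": "ADV-PLACEHOLDER-2", "product": "Adobe Acrobat Reader", "fixed_in": "15.10.2"},
    {"id": "ADV-PLACEHOLDER-3", "product": "ExampleEditor", "fixed_in": "3.10"},
]
UNSUPPORTED = {"LegacyFTP"}  # constructed: vendor no longer ships fixes
# Software the interview names as most often targeted by exploit kits.
EK_TARGETS = {"Internet Explorer", "Java Runtime Environment",
              "Microsoft Silverlight", "Adobe Acrobat Reader"}

def parse_version(text):
    """Turn '8.0.91' into (8, 0, 91) so that 3.10 sorts above 3.2."""
    return tuple(int(part) for part in text.split("."))

def assess(inventory, advisories, unsupported, ek_targets):
    """Match installed software against advisories without probing any host."""
    findings = []
    for item in inventory:
        product, installed = item["product"], parse_version(item["version"])
        if product in unsupported:
            # Obsolescence management: no patch will arrive, so flag for removal.
            findings.append((item["host"], product, "OBSOLETE", "replace or retire"))
        for adv in advisories:
            if adv["product"] == product and installed < parse_version(adv["fixed_in"]):
                findings.append((item["host"], product, adv["id"],
                                 "upgrade to " + adv["fixed_in"]))
    # Exploit-kit targets first, then by host and product for a stable work list.
    findings.sort(key=lambda f: (f[1] not in ek_targets, f[0], f[1]))
    return findings

if __name__ == "__main__":
    for host, product, issue, action in assess(INVENTORY, ADVISORIES,
                                               UNSUPPORTED, EK_TARGETS):
        print(f"{host:7} {product:26} {issue:18} {action}")
```

The result is only as good as the inventory: software that is installed but not recorded produces no finding, which is the accuracy trade-off against scanners noted in the interview.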
GfK and VMware: Innovating together on hybrid cloud
GfK has been the global leader in data and analytics for more than 85 years, supplying its clients with optimised decision inputs.
In its capacity as a strategic and technical partner, VMware has been walking GfK along its digital transformation path for over a decade.
“We are a demanding and singularly dynamic customer, which is why a close partnership with VMware is integral to the success of everyone involved,” said Joerg Hesselink, Global Head of Infrastructure, GfK IT Services.
Four years ago, the Nuremberg-based researcher expanded its on-premises infrastructure by introducing VMware vRealize Automation. In doing so, it laid a solid foundation, resulting in a self-service hybrid-cloud environment.
By expanding on the basis of VMware Cloud on AWS and VMware Cloud Foundation with vRealize Cloud Management, GfK has given itself a secure infrastructure and reliable operations by efficiently operating processes, policies, people and tools in both private and public cloud environments.
One important step for GfK involved migrating from multiple cloud providers to just a single one. The team chose VMware.
“VMware is the market leader for on-premises virtualisation and hybrid-cloud solutions, so it was only logical to tackle the next project for the future together,” says Hesselink.
Migration to the VMware-based environment was integrated into existing hardware simply and smoothly in April 2020. Going forward, GfK’s new hybrid cloud model will establish a harmonised core system complete with VMware Cloud on AWS, VMware Cloud Foundation with vRealize Cloud Management and a volume rising from an initial 500 VMs to a total of 4,000 VMs.
“We are modernising, protecting and scaling our applications with the world’s leading hybrid cloud solution: VMware Cloud on AWS, following VMware on Google Cloud Platform,” adds Hesselink.
The hybrid cloud-based infrastructure also empowers GfK to respond to new and future projects with astonishing agility: Resources can now be shifted quickly and easily from the private to the public cloud – without modifying the nature of interaction with the environment.
The gfknewron project is a good example – the company’s latest AI-powered product is based exclusively on public cloud technology. The consistency guaranteed by VMware Cloud on AWS eases the burden on both regular staff and the IT team. Better still, since the teams are already familiar with the VMware environment, the learning curve for upskilling is short.
One very important factor for GfK was that VMware Cloud on AWS constituted an investment in future-proof technology that will stay relevant.
“The new cloud-based infrastructure comprising VMware Cloud on AWS and VMware Cloud Foundation forges a successful link between on-premises and cloud-based solutions,” says Hesselink. “That in turn enables GfK to efficiently develop its own modern applications and solutions.
“In market research, everything is data-driven. So, we need the best technological basis to efficiently process large volumes of data and consistently distill them into logical insights that genuinely benefit the client.
“We transform data and information into actionable knowledge that serves as a sustainable driver of business growth. VMware Cloud on AWS is an investment in a platform that helps us be well prepared for whatever the future may hold.”