Vulnerabilities are here to stay, so it’s time to get serious about turning the tide on network security, writes Steve Forbes, Government Cyber Security Expert, Nominet.
Organizations today can’t afford to leave any stone unturned when securing their networks. Mapping out potential threats is an endeavor that requires understanding the full scope of all the hardware and software used across the entire network. Even then, identifying possible threats and the gaps that can be exploited is not an easy task.
Malicious actors have become much better at finding vulnerabilities and striking quickly to sabotage, steal data and even hold an organization to ransom. In today’s cybersecurity landscape, it’s not a case of if an organization is attacked – but when.
The endemic vulnerabilities
With software from the likes of Microsoft, VMware and Atlassian deployed across scores of enterprise networks, a major vulnerability that is discovered and not patched quickly enough rapidly becomes a prime target for attackers.
Perhaps most consequential in recent memory were the Log4j exploits, which allowed attackers to take over and control systems ranging from industrial control systems to everyday electronics.
When CISA released its first advisories and statements on the vulnerability, Director Jen Easterly described the incident as “one of the most serious I’ve seen in my entire career” and stated that hundreds of millions of devices could be affected.
Organizations and governments are grappling with the risks of increased dependency on third-party suppliers of managed services. The Cyber Safety Review Board called this vulnerability an “endemic” problem, and many companies swiftly moved to patch their systems.
Recently, however, CISA revealed that an unnamed Federal Civilian Executive Branch organization was compromised earlier this year by Iranian threat actors. Investigators discovered that they had exploited Log4Shell, the vulnerability in Log4j, on an unpatched server, even though CISA had ordered these agencies to patch all impacted systems.
This demonstrates that even organizations with the most resources to mitigate threats remain vulnerable to attack if vulnerabilities are not taken seriously.
Whilst we often talk about patching as a basic step in cybersecurity, the reality is that it can be much harder than first imagined. Organizations sometimes believe that they have alternative mitigations that reduce the need to patch quickly, which may be the case when the vulnerable applications or infrastructures aren’t internet-facing.
This might include ensuring the vulnerable services are not exposed to the internet, making configuration changes so that existing exploits cannot work against their services, or putting additional software or hardware in place to add another layer of protection. It’s hard to say what happened in the case of the unnamed US agency, but quite often there are challenges in making patching a priority for IT teams.
Often, it comes down to time and budget. If systems are designed to allow for consistent patching cycles, but overworked teams never have enough time to review the risk that current vulnerabilities pose to network security, then issues like this can and will continue to happen.
The ransomware surge
With the increasing prevalence of ransomware, IT teams must be ready to deal with it as part of their network security. Despite not always involving a very sophisticated attack method, ransomware achieves notoriety because of the impact it has in grinding an organization to a halt.
In one of their more brazen attacks, notorious ransomware group Conti launched a cyber-assault on the government infrastructure of Costa Rica last spring. The systems of dozens of government agencies faced major disruptions, with workers and the public impacted. It even affected the nation’s foreign trade as its tax and customs services weren’t able to operate properly.
Conti may now be a shell of its former self after collapsing in the summer of 2022, but this was the first time that an entire government had been held to ransom. They may well have been testing the waters to determine the rewards and the reaction from this kind of attack, both from Costa Rica and the wider international community. Regardless, groups like this will continue to seek out high-profile targets where loss or leakage of data has the highest impact.
The majority of these attacks will occur using known attack vectors and vulnerabilities, highlighting just how crucial it is for IT teams to stay ahead of the curve on ransomware threats.
Next steps and a look ahead
It is difficult to know why some organizations lag behind at times on patching systems when a major vulnerability is discovered. It may have been something that they were aware of but believed they had mitigations in place for. In other cases, it may have been something that they were planning on patching at a time when it wouldn’t impact any services.
As we approach 2023, it’s almost a given that there will be attacks on large organizations exploiting common vulnerabilities; these won’t be sophisticated or advanced attacks. Instead, they will target obvious weaknesses that should have been patched.
This reinforces the need for leadership teams to understand the network security posture of their organization, make effective decisions and make the resources available to keep systems secure.
This article was originally published in the December edition of Security Journal Americas.