“Patch your systems in a timely manner” is a mantra of security experts, but what happens when the patch well runs dry because a product’s maker no longer supports it? That is a situation many large enterprises find themselves in, and it’s one that poses security risks.
Between 30 percent and 50 percent of the hardware and software assets in the average large enterprise have reached their end-of-life date, according to a BDNA report released last month.
End-of-life products pose a serious security risk to the enterprise.
“The vast majority of vulnerabilities — more than 99 percent — exploit out-of-date software with known vulnerabilities,” said BDNA President Walker White.
Oversight is a common reason end-of-life products continue to run on an organization’s systems.
“There may be a new version of a product, but because you don’t have a clear view of what’s in your environment, you can miss the old version in your upgrade process,” White told TechNewsWorld.
That’s how orphan apps are created, too.
“These products may remain on a network and are not removed because no one is using them, and no one has turned off their lights,” White said. “A hacker will exploit that kind of leftover artifact.”
Overworked IT
Overworked IT departments can contribute to the end-of-life security problem.
“IT spends 80 percent of its resources just to keep the lights on and 20 percent on new development — if they’re lucky,” White said.
Moreover, IT can be overwhelmed by EOL data.
“They have plenty of data, but the data is so vast and there’s such a high degree of variance in it, that they can’t distill it down to information that is actionable,” White explained.
There are industries where there’s little incentive to replace end-of-life products because change is slow, added Faizel Lahkani, CEO of SS8.
For example, what’s changed in power distribution in the last 25 years?
“The answer is very little,” Lahkani told TechNewsWorld.
“As a result, there’s no fundamental driver to change something that’s designed well and works well and is for a fixed purpose,” he said. “Then the problem is you have technologies that weren’t built for security — that have vulnerable attack surfaces that allow hackers to take down things like power grids and water distribution systems very easily.”
Staying pat with legacy systems is not a good idea, Lahkani warned.
“Even in the case where you have to keep a legacy system, keeping it and saying, ‘I’m good’ is not acceptable because, from a security perspective, those systems are vulnerable,” he said. “You may have to live with them because you don’t have the dollars to replace them, but you still have to secure those systems.”
Malware’s Changing Role
Malware has become a penetration tool for hackers, but once nested in a system, Black Hats prefer to use other means to conduct malicious activity.
Ninety-nine percent of post-intrusion activities do not employ malware, according to a recent LightCyber report.
Instead, intruders prefer to leverage standard networking, IT administration and other tools, the report notes.
“We suspected there wasn’t a large use of malware, but we were surprised by how extreme our findings were,” said David Thompson, a researcher at LightCyber.
“They were much higher than we expected,” he told TechNewsWorld.
Avoiding Detection
Attackers have moved away from malware for a simple reason: detection.
“Attackers know security organizations are using multiple layers of defense on the perimeter and the endpoints so they’re not using malware that can be detected by those solutions,” Thompson explained.
When Black Hats do use malware, they tend to use it only once, LightCyber found.
More than 70 percent of the malware used for launching an intrusion was found at only one site, the study notes. That makes it very difficult for protection solutions based on signatures to identify such attacks.
However, “the signatures do catch up, which is why attackers stop using malware as soon as they can once they get into a system,” Thompson said. “If they continued to rely on it, they would be found in a matter of days or weeks.”
Breach Diary
- July 25. FBI announces it has opened investigation into theft of email from Democratic National Committee posted at WikiLeaks website July 22.
- July 25. Athens Orthopedic Clinic in Georgia announces personal information of all past and present patients is at risk after its systems were breached by an intruder using credentials from a third-party vendor.
- July 26. Customer data stolen from UK mobile network operator O2 is for sale on the Internet underground, BBC reports. Data was “almost certainly” obtained by using credentials of O2 customers stolen from another website.
- July 26. Shapeways, a New York-based 3D printer services company, advises its customers to change their passwords as a precaution because of a data breach of its systems.
- July 26. Klimpton Hotels, which has 62 properties across the United States, announces it is investigating reported unauthorized charges on its customers’ payment cards, and advises customers to closely monitor their payment cards for unauthorized charges.
- July 26. Solutionary releases report finding 88 percent of all ransomware during the quarter ending June 30 was in companies in the healthcare industry.
- July 26. Study by Gemalto and Ponemon finds only 34 percent of organizations encrypt or tokenize sensitive or confidential data directly within cloud-based applications.
- July 26. WinMagic releases survey of 250 IT managers in the UK in which nearly one in four (23 percent) said they stopped a data breach every day.
- July 27. Possibility Pictures files lawsuit against Sony Pictures in a Florida federal court alleging Sony’s failure to adequately protect its computer systems allowed a film produced by Possibility to be pirated. Possibility’s film, To Write Love on Her Arms, was one of four unreleased movies stolen and posted to the Internet in a massive data breach at Sony in 2014.
- July 28. South Korea claims North Korea was responsible for theft of personal information of more than 10 million customers of Interpark, a Korean shopping website owned by eBay.
- July 29. FBI is investigating a cyberattack on the Democratic Congressional Campaign Committee, Reuters reports. The intrusion was an attempt to steal donor information from the political party.
- July 29. Hillary Clinton campaign denies reports its computer systems have been hacked. No evidence of a system compromise has been found by our experts, the campaign says.
Upcoming Security Events
- Aug. 4. Proactively Fight Spear Phishing: A behind the scenes look into fighting imposter emails impersonating your executives. Noon ET. Webinar by Agari. Free with registration.
- Aug. 4-7. Def Con 24. Paris Convention Center, 3655 S. Las Vegas Blvd. and Bally Convention Center, 3645 S. as Vegas Blvd., Las Vegas, Nevada. Registration: $240, cash only at the door.
- Aug. 9. Smartphone Security Analysis and Security Flaws. 7 a.m. ET. Webinar by Ayaz Hussain Abro, information security and GRC consultant. Free with registration.
- Aug. 9. The Next Generation of Cyber Crime Is Here. 9 a.m. Webinar. Free with registration.
- Aug. 9. Understand and Manage Your Cyber Risk Exposure with ALE. 11 a.m. Webinar by Sikernes Risk Management. Free with registration.
- Aug. 9. Top Tools and Solutions to Fight Data Mining Malware. Noon ET. Webinar by Fidelis Cybersecurity. Free with registration.
- Aug. 9. Securing Your Organization with a Network Sandbox. 2 p.m. Webinar by security researcher Brook Chelmo. Free with registration.
- Aug. 9. Managing Your Security Policy: 10 Actionable Tips to Help Improve Your Firm. 2 p.m. ET. Webinar by RightSize Solutions. Free with registration.
- Aug. 9. Delivering Data Security with Hadoop and the IoT. 6 p.m. ET. Webinar by HPE Security. Free with registration.
- Aug. 9-10. Cyber Security for National Defense Symposium sponsored by Defense Strategies Institute. Mary M. Gates Learning Center, 701 N. Fairfax St., Alexandria, Virginia. Registration: academia and nonprofit, $450; industry/contractor, $925.
- Aug. 10. Intel & Threat Analysis — The Defensive Duo. 9 a.m. ET. Webinary by FireEye. Free with registration.
- Aug. 10. The Security Risks of Orphaned Network Traffic. 11 a.m. Webinar by AnubisNetworks. Free with registration.
- Aug. 10. The Three Axes of Evaluating Security Analytics Solutions. 11 a.m. Webinar by vArmour. Free with registration.
- Aug. 10. Using Endpoints to Accelerate Threat Detection, Protection and Response. Noon ET. Webinar by Bromium. Free with registration.
- Aug. 10. Cyber Intelligence Exchange: It’s Possible and Absolutely Necessary. 1 p.m. ET. Webinar by TruStart. Free with registration.
- Aug. 10. Current Cyber Attack Trends and Forecasts for the Financial Industry. 2 p.m. Webinar by Defense Intelligence Group. Free with registration.
- Aug. 10. User Behavior Analytics : A Game Changer in The Fight Against Cyber Attacks. 4 p.m. ET. Webinar by Interset. Free with registration.
- Aug. 16. Mapping the CYBERscape: Advanced Threat Detection within the Security Ecosystem. 1 p.m. ET. Webinar by Sqrrl. Free with registration.
- Aug. 25. Chicago Cyber Security Summit. Hyatt Regency Chicago, 151 E. Wacker Drive, Chicago. Registration: $250.
- Sept. 7. FTC Fall Technology Series: Ransomware. 1 p.m. Constitution Center, 400 7th St. SW, Washington, D.C. Free.
- Sept. 7-8. International Cyber Security & Intelligence Conference. Ontario College of Management and Technology, 510-240 Duncan Mill Rd., Toronto, Ontario, Canada. Registration: students, $400.01; others, $700.
- Sept. 8. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Cincinnati, Ohio. Registration: conference pass, $195; SecureWorld plus, $625; exhibits and open sessions, $30.
- Sept. 10. B-Sides Aug.a. J. Harold Harrison MD, Education Commons, 1301 R.A. Dent Blvd., Aug.a, Georgia. Tickets: $20.
- Sept. 14-15. SecureWorld Detroit. Ford Motor Conference and Event Center, 1151 Village Rd., Dearborn, Michigan. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- Sept. 15. B-Sides St. John’s. Capital Hotel, 208 Kenmount Rd., St. John’s, Newfoundland, Canada. Free with registration.
- Sept. 17. B-Sides St. Louis. Moolah Shrine, St. Louis, Missouri. Free.
- Sept. 19-21. Iovation Presents Fraud Force “Fast Forward.” Portland Armory, 128 NW Eleventh Ave., Portland, Oregon. Tickets: $495.
- Sept. 21. New York Cyber Security Summit. Grand Hyatt New York, 109 E. 42nd St., New York, New York. Registration: $250.
- Sept. 26-28. The Newport Utility Cybersecurity Conference. Pell Center and Ochre Court, Salve Regina University, Newport, Rhode Island. Registration: before July 26, $1,200; after July 25, $1,600.
- Sept. 27-28. SecureWorld Dallas. Plano Centre, 2000 E. Spring Creek Pkwy., Plano, Texas. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- Sept. 29-30. B-Sides Ottawa. RA Centre, 2451 Riverside Drive, Ottawa, Canada. Free with registration.
- Oct. 5-6. SecureWorld Denver. Colorado Convention Center, 700 14th St., Denver. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- Oct. 11-14. OWASP AppSec USA. Renaissance Marriott, 999 9th St. NW, Washington, D.C. Registration: Nonmember, $750; student, $80.
- Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150.
- Oct. 18. IT Security and Privacy Governance in the Cloud. 1 p.m. ET. Webinar moderated by Rebecca Herold, The Privacy Profesor. Free with registration.
- Oct. 18-19. Edge2016 Security Conference. Crowne Plaza, 401 W. Summit Hill Drive, Knoxville, Tennessee. Registration: before Aug. 15, $250; after Aug. 15, $300; educators and students, $99.
- Oct. 18-19. SecureWorld St. Louis. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- Oct. 20. Los Angeles Cyber Security Summit. Loews Santa Monica Beach Hotel, 1700 Ocean Ave., Santa Monica, California. Registration: $250.
- Oct. 27. SecureWorld Bay Area. San Jose Marriott, 301 S. Market St., San Jose, California. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
- Nov. 1-4. Black Hat Europe. Business Design Centre, 52 Upper Street, London, UK. Registration: before September 3, Pounds 1199 with VAT; before Oct. 29, Pounds 1559 with VAT; after Oct. 28, Pounds 1799 with VAT.
- Nov. 9-10. SecureWorld Seattle. Meydenbauer Center, 11100 NE 6th St., Bellevue, Wash. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
Unwanted security woes needs to be do away with. Where smart reform should come to minimize security woes in a company.