2014 has endured a fair amount of nasty vulnerabilities; some of the notable ones being Shellshock, Poodle, Heartbleed, Winshock and BadUSB, to only mention a few.
How can enterprises better equip themselves to fight the security challenges of 2015, knowing that threats such as these are likely to be prevalent in the year ahead. In this article we will consider some of the threats faced in 2014 and steps that could be taken to ensure better preparedness for the possible security threats of 2015.
It is wise to learn from previous experience and not disregard bug related events of 2014, learning from the threats and trying to prevent history from repeating itself. 2014 should help us better equip the enterprise in the event that we are faced with similar incidents again.
Every year we are dealt a new wave of bugs or software flaws that can result in serious vulnerability and exposure. In some cases causing potential security exploits. In 2014 we saw a great deal of extraordinary super bugs when compared to those of previous years and the far reaching impact was felt by organisations of all sizes.
2014 was an excellent year for malicious software bug activity causing chaos and affecting millions of organisations globally. Flaws included software vulnerabilities as well as exploits of device vulnerabilities.
Considering these bugs of 2014 and reviewing our systems and security policies and updating and making changes where necessary, similar exploits can be mitigated this year.
By preparing and arming ourselves with knowledge and learning mitigation techniques we can thwart possible known threats and improve our security posture, leaving organisations the much needed time to concentrate defence mechanisms in 2015.
The bugs that made headlines in 2014
Let’s consider five bugs that stood out in 2014.
In April 2014 many felt the wrath of the dangerous bug now known as Heartbleed, an estimated 500 million machines. Heartbleed exploited a serious vulnerability in the OpenSSL cryptographic software library, a flaw that existed for 2 years prior. The expanse of the vulnerability, the pronounced exposure and the ease at which the exploitation occurred with no traceability of attack (nothing is left in the logs), left large numbers of organisations vulnerable to this very precarious unsuspecting weakness and at risk of theft of their information usually protected by SSL encryption that secures the Internet. Security and privacy of communications was left compromised, including web, email, instant messaging and VPNs.
Encryption keys leaked allowing for decryption of all sensitive data and even after patching the vulnerability all the previous information still remained compromised.
The theft of passwords was vast and uncertain, commanding the greatest bulk password reset ever seen.
A patch was released, to fix the flaw, however up until today many machines remain unpatched.
In most cases it was found that some customers were so far behind with their patching cycle, that when they tried to patch certain systems, the work involved took far longer than if they were up to date.
2. Shellshock – BASH bug
This vulnerability occurred later on in 2014, September, with many fearing the worst and readily comparing it with the devastation caused by Heartbleed. The Bash bug probably the oldest mega bug to go undiscovered for over two decades. It works by trying to influence the manner in which software behaves, any machine running Bash (Bourne Again Shell) is vulnerable to the exploitation, enabling attackers to gain control of the machine.
The potential impact for this flaw is great, as Bash is widely used and the potential for attack and ways in which this vulnerability can be exploited is relatively simple and numerous (potentially far worse than Heartbleed).
The bug enables attackers to execute malicious code on an infected machine, without checking for authorisation, leaving data and sensitive information compromised and accessible. Above all it gives the attacker the control (mostly automatable too) they need over the environment leading to inexhaustible consequences for the organisation and/or user.
Bash is not found natively on windows but this does not mean you have escaped the vulnerability as you may have non-Microsoft components servicing various other commitments in the ecosystem.
Again the answer is to ensure your machines are patched. Also consider monitoring and web application firewalls to assist in the detection of this bug and stay clear of running random ‘software fixes’.
This affected numerous vendors that thought they were immune, as they did not run Microsoft; those vendors were caught by surprise. This is a clear lesson in security that demonstrates no system if fool proof.
In October 2014 we were faced with a bug appropriately named Poodle (Padding Oracle On Downgraded Legacy Encryption), attacking devices that connected to servers. Poodle exploits traffic over SSL 3, enabling the attacker to intercept a session and gain access to information by decrypting and extracting information (passwords, cookies and other user data) with the poodle bug, between the users device and the SSL 3 server - the ‘https://’ no longer ensured that your data was secure.
The hacker required network access thus limiting attacks, man-in-the-middle attacks, mostly to open Wifi networks therefore not as dangerous as Heartbleed or Bash vulnerability, where attacks can be undertaken remotely.
Poodle attack is undertaken with relative ease and the impact if efficacious great.
Disabling SSL 3.0 and utilising a cloud based Web Application Firewall can protect against this type of vulnerability. Keep software up to date, software should always be current. Vulnerable sites need to ensure their systems are patched and the vulnerability resolved until such time be sure to stay clear of logging in over untrusted networks.
Another flaw of 2014 was not a software security flaw making patching irrelevant as a resolution under these circumstances. The flaw BadUSB exploited insecurity of USB devices.
The hacker exploited the rewritable firmware of USB devices with rewritable chips, creating malware that infects the USB controller chip without being noticed.
Not knowing if your USB device contains a rewritable or not chip adds to the challenge of securing against this vulnerability.
Don’t share your USB device or plug them into a machine that’s not trusted
In November 2014 WinShock, a 19-year-old Microsoft Secure Channel (SChannel) vulnerability, came to light. The flaw exploited unpatched Windows Servers, 2012, 2012R2 2008R2 and 2003 as well as Vista 7,8,8.1,RT and RT8.1. Comparable to the Heartbleed bug however not as dangerous, SChannel is more challenging to exploit and easier to patch.
The bug exploits the Windows servers and clients remotely by enabling code execution and fully compromise vulnerable systems. The bug can also go about its business without the need for authentication and via undesirable network traffic.
This just goes to show that some issues will lie and wait for years before being discovered.
Improve your security posture in 2015
- Patch, Patch, Patch and quickly
Insight into organisations of various sizes has shown that the larger organisations tend to make patching a priority. Patching machines is likely to be the best route to resolution when software flaws are exploited. The smaller organisations tend to not be as fast when it comes to taking action and their approach to patching of systems tends to be a more laborious and slow process.
A lot of the time a quick approach to patching, especially under these critical circumstances, is the saving grace and divider between being exploited or not.
Act as quickly as you can, patch as soon as the patch is released and the chances of infection are drastically minimised. Quick patching should definitely be a priority under these circumstances.
After the Heartlbleed bug surfaced, many franticly patched systems (as they rightly should!) however once the hype had died down, patching slowed and many machines still remain unpatched and vulnerable today.
- Keep software current
Flaws can be prevalent in old versions as well as current versions (as echoed over and over in the flaws of 2014), however support is likely to be considerably improved for current software versions and patches for current versions are likely to be made readily available quickly and when required.
Wherever possible ensure application and software is kept current and updated.
New features are being created and added all the time; we depend heavily on these fast paced changes to technology. With each new feature and change a new potential vulnerability pops up so stay abreast of your updates.
- Stay vigilant
Remain vigilant and avoid complacently. Stay well informed of potential threats. Be aware of the daily advances in potential security threats to your systems and environment.
Be sure to have a procedure in place whereby notices or information regarding software updates or recommendations for password updates can be handled swiftly and be sure to not ignore these recommendations-they are important!
- Avoid untrusted networks
- Utilise Web Application Firewalls and Intrusion Prevention Systems
- Monitoring and threat detection is important
- Review existing policies and include procedures that address the existing environment and ever changing ways of computing
- The internet Of Things
Devices connecting to the Internet are becoming a common occurrence; this is a vulnerability to definitely watch out for in 2015 and the coming years.
Like with the BadUSB Bug in 2014 where a device was flawed rather than a piece of software it reiterates that we need to look further than software flaws and consider all potential areas for vulnerabilities that may be exploited.
The increased number of physical devices connecting over the Internet in varied applications and multiple use cases and multiple sectors makes this vulnerability challenging and one to prepare for.
- Secure against the unknown
Only so much can be done to prepare against attacks that are not yet known, or vulnerabilities that have not surfaced. Some steps to prepare against the unknown may include:
- Minimise the attack footprint and attack options where possible through carefully constraining site access
- Restrict access to trusted IPs
- Have prevention and detection solutions in place
- Utilise Web Application Firewalls and Intrusion Prevention Systems
- Harden your security to abate the results of an exploit
- Continuous network and log monitoring is important to stay observant to signs of malicious activity (remembering that some bugs can get through undetected and without leaving a trace)
Bugs exist in every piece of code, people write code and errors are inevitable, flaws and security vulnerabilities will always exist and once unearthed likely be exploited.
2014 saw millions of machines infected and volumes of data compromised by a variety of superbug manipulations.
Making 2014 more challenging was the realisation that many of the flaws where found in code and tools that have been around and ordinarily used for a very long time, not the expected new software flaws.
Consideration of encounters with previous bugs and learning from these previous exploits, should assist in our preparedness for securing against challenges such as these and more in 2015.
Take action early and be vigilant, to avoid a repeat of exploits that can now be avoidable while improving your security posture. Remember to keep your software current and patched.