The path of least resistance for cyber threats
IT in many organizations today is better protected technically than ever before. A network scan on any infrastructure today will identify far fewer attack surfaces than 20 years ago. What hasn't changed in the same time is that attackers don't like to struggle at professionally locked vault doors. They'd much rather use the back entrance that was still open and forgotten. The adage that security is a chain and it is only as strong as the weakest link still applies.
Automated attack tools
The search for inadequately secured network services remains popular. After all, the OWASP Top 10 alone shows that there are generally enough vulnerabilities to try out. Easy-to-use attack tools are available for exploiting them, even to laymen (known as "script kiddies" in the jargon).
This allows poorly behaved script kiddies to vandalize largely randomly found systems while boosting their otherwise probably battered self-esteem. Those who would like to brag about a break-in story, or perhaps even earn a footnote in the media reports with the event, are almost there. Well over 90% of attackers probably fall into this category.
Lack of overview and professional overload
With well-implemented basic IT protection, it should generally be possible to deal with such threats, which are not very sophisticated. In the joke about the two hikers who meet a bear, one says to the other: "I don't have to be able to run faster than the bear, it's enough if I'm faster than you." Applied to IT, this means that if the indiscriminately attacking troll is not immediately successful and finds no open door, it will usually lose interest and look for the next victim who is more willing to be pestered.
But, for example, at the time of writing this article, tens of thousands of Exchange servers are still not protected against two vulnerabilities that have already been actively exploited on the Internet for 4 months. And among the Confluence systems affected by CVE-2022-26134, which carries a severity rating of 9.8 out of a possible 10.0, there are still unpatched systems after more than 9 months, some of which are now likely also working as cryptominers for the hackers on the side. If you run from a bear at this speed, you should not be surprised if it is not quite enough.
At the same time, many organizations today consider themselves to be quite well positioned. This was also the case, for example, with the window manufacturer Swisswindows, which once had 170 employees and had to shut down operations after a cyber attack. Anyone who believes they can run their IT entirely on their own with a handful of internal employees is likely to have misconceptions about the breadth of threats and about the number and diversity of applications, services and technologies that need to be mastered. Even highly competent IT specialists are only able to keep track of a very small proportion of all the necessary systems to a sufficient extent and to constantly protect them against new threats. The fact that the job market has dried up and experienced employees are hard to find only makes this more difficult.
Implementing basic IT protection correctly
Most organizations today also commission professional IT service providers to operate many of their systems. And these IT service providers are less and less willing to take care of an almost unmanageable jungle of different systems; instead, they are increasingly specializing in very specific components and services for which they have extensive in-house expertise. The remaining services are purchased from specialized as-a-service providers and subcontractors and combined into the product range.
As a result, the average technical resilience of the systems has increased significantly. Even in SMEs, the hardware components are now located in large data centers and are well protected against natural hazards and unauthorized access. In the event of an emergency, there are alternative locations with redundant hardware. If a software service fails, cloud orchestration software such as Kubernetes performs fully automatic failovers without manual intervention and simply restarts the services on other servers.
Detect technical weak points
Where are there still technical security gaps in such a professionalized IT landscape with specialized providers? Systems and processes that are only on the periphery of the IT departments' core business can be notoriously problematic. There, the operating processes are often less mature and the existing components are not inventoried centrally. Accordingly, the probability of technical precautions being forgotten is higher there. These include, for example:
- Systems of so-called shadow IT, i.e. systems that are operated by the business itself on its own initiative because IT does not offer suitable solutions or does not feel responsible. The problem here is not that these are not also operated by the IT department. On the contrary, the current trends in the direction of micro services and product development teams are moving in precisely the direction of the business taking greater responsibility. The problem is that these are operated in the shadows, i.e., they are sometimes not included in company-wide inventories and are not integrated into standard processes such as security management.
- Servers and network devices that are located outside a data center and are therefore more likely to lack access controls, an uninterruptible power supply or protection against elemental damage, and which may also be included only to a reduced extent in otherwise standardized security processes such as updates/patching. This also includes network-enabled peripherals such as printers, scanners, etc.
- Insecure disposal of confidential documents and of hardware such as mobile data carriers and hard drives, as in the case of the data theft at the Zurich judicial authorities, for example
- Remote and home workplaces of employees
- Mobile devices such as smartphones, tablets, etc., which are only secured by weak PINs or predictable gestures and on which new, seemingly legitimate apps are constantly being installed. For example, one of the roughly 8,000 apps such as "Notruf Graubünden Nord", "Adoptionshelfer" or the app of the "Fachkanzlei für Strafrecht", which apparently transmit part of their data, by means of the Pushwoosh components used in them, to a Russian company in Novosibirsk disguised as an American company, without the users, the clients of the apps or the app developers having realized this...
In short, almost everything that meets one of two criteria: a) due to a lack of clear responsibility, no one takes care of the system and the associated processes in a holistic manner, or b) someone is assigned to take care of it, but it is a secondary task for which those responsible invest insufficient resources.
What must a company management ensure?
- The inventory of assets worth protecting, i.e. information, resources, equipment, facilities, etc., must be regularly checked for completeness. What is not generally known cannot be managed professionally.
- For each asset category and asset, a (security) officer is designated who is responsible for providing adequate protection. To determine what appropriate means in each case, a protection assessment should be performed for each asset and reviewed on a regular basis.
- The resources required for adequate risk-based protection must be authorized and their implementation monitored. It is particularly important to note here that the graveyard of ineffective strategies has rarely grown for lack of good concepts, but for lack of implementation. Effective implementation must therefore be monitored in a measurable way. Agreed measures must be assigned, scheduled and checked off. Recurring tasks such as software updates and security patches can be logged and checked against the agreed schedule.
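The three management duties above (complete inventory, a designated officer per asset, measurable patch follow-up) can be turned into a routine reconciliation check. The following Python example is added here and is not code from the article; the inventory, the discovery result and the 30-day patch window are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample: what the central inventory (CMDB) claims to know.
INVENTORY = {
    "srv-mail-01": {"owner": "it-ops", "last_patched": date(2022, 12, 20)},
    "confluence-01": {"owner": None, "last_patched": date(2022, 5, 1)},
    "printer-3f": {"owner": "facilities", "last_patched": date(2022, 11, 15)},
}

# Constructed sample: hostnames actually seen by a network discovery run.
DISCOVERED = ["srv-mail-01", "confluence-01", "printer-3f", "nas-marketing"]

PATCH_WINDOW_DAYS = 30  # assumed policy: every asset patched within 30 days


@dataclass
class Finding:
    asset: str
    issue: str


def reconcile(inventory, discovered, today, window_days=PATCH_WINDOW_DAYS):
    """Compare discovery against inventory and flag the gaps the article names:
    unknown systems (shadow IT), assets without a responsible officer, and
    assets whose patching has slipped past the agreed window."""
    findings = []
    for name in discovered:
        record = inventory.get(name)
        if record is None:
            findings.append(Finding(name, "not in inventory (possible shadow IT)"))
            continue
        if not record.get("owner"):
            findings.append(Finding(name, "no responsible officer assigned"))
        age = (today - record["last_patched"]).days
        if age > window_days:
            findings.append(Finding(name, f"patching overdue by {age - window_days} days"))
    # Inventory entries never seen on the network are stale and mislead the picture.
    for name in inventory:
        if name not in discovered:
            findings.append(Finding(name, "inventoried but not found (stale record?)"))
    return findings


def run_sample_check():
    """Run the reconciliation on the constructed data as of a fixed date."""
    return reconcile(INVENTORY, DISCOVERED, today=date(2023, 1, 15))


if __name__ == "__main__":
    for f in run_sample_check():
        print(f"{f.asset}: {f.issue}")
```

Each finding maps directly to a duty in the list above: an unknown host is an inventory gap, a missing owner is an unassigned responsibility, and an overdue patch is an agreed measure that was not checked off.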