The Hiscox Cyber Readiness Report 2020 reveals that more than half of all firms with more than 1,000 employees had at least one cyber incident in the past year. In this blog, Ivuoma Offor, our Cyber Analyst, explains why doing the basics well gives firms the best protection.
The past year has seen many changes to the cyber security landscape. Even before the COVID-19 pandemic forced companies of all sizes to drastically increase remote working, there were some new trends starting to form. In our Hiscox Cyber Readiness Report 2020, more than half of all enterprise firms (51%) – those with 1,000 plus employees – surveyed, said they had at least one cyber incident. They also reported by far the most cyber incidents (a median 100) and breaches (80) compared to smaller firms.
Almost certainly, large businesses are targeted more than the rest but they may also have been better at spotting attacks. The top three cyber breaches for large and enterprise firms are virus/worm infestation, business email compromise and ransomware infection, and are most commonly caused by phishing attacks1. This illustrates that doing the basics well – detecting, preventing, and building cyber resilience – is the best protection against today’s evolving risks.
Mapping the cyber threat landscape
- Multiple forms of attack: We have seen a continuous rise in cyber attacks and threat actors are increasingly using multiple forms of attacks in single incidents. For example, ransomware cases are fast becoming data breach incidents because of the newly added element of data exfiltration to add more pressure on the victims.
- Prioritisation of security: For the past few months, many large businesses had their IT staff enabling remote working for as many employees as possible, with a focus on IT resource functionality and ease-of-use. However, it’s important the focus shifts back to the security of these resources. Our research reveals it was big firms with more than 700 computers that devoted less than 8% of their IT budget to cyber security that were targeted most1. Failure to adequately focus and spend on cyber security cannot be a long-term change.
- Rise in VPN attacks: Remote working, in most cases involves the use of a Virtual Private Network (VPN). Towards the end of 2019, a number of VPN appliances contained critical vulnerabilities. This led to a spate of ransomware attacks especially in Q1 2020. UK foreign exchange company, Travelex, suffered a ransomware attack by the infamous Sodinokibi ransomware gang after exploiting a vulnerability in a Pulse VPN server owned by Travelex. Travelex had been warned of the vulnerability by a security researcher some months prior to the attack. VPN devices are typically much more dangerous as they are internet-facing.
- Phishing success: Cyber criminals have taken advantage of the current anxiety and thirst for information by sending out phishing emails with information on COVID-19 such as vaccines, tax refunds, preventive measures from the ‘World Health Organisation’ etc. People tend to be more relaxed about security outside of the work environment and this is made worse by a lack of physical presence where an employee could simply turn to a colleague to ask questions if something seems suspicious. It’s imperative that all employees take a refresher course on cyber awareness.
- Increase in patching requirements: Exploiting critical vulnerabilities is one of the major tactics employed by cyber criminals to carry out attacks against large businesses. This especially includes enterprise-scale devices software/devices such as VPN, operating systems, servers etc. While patching may sound easy in theory, it is quite often difficult to apply well in practice. The majority of large businesses use some Microsoft products for which updates are released monthly. Google Chrome and Adobe Acrobat released eight and 15 patches respectively in 2019. These are just three widely used software for enterprise businesses. Now imagine applying between 30 – 35 patches to thousands of devices owned by a business for just three pieces of software, and then maybe you can understand how difficult it is to patch on a wide scale.
Top exploited Common Vulnerabilities and Exposures (CVEs)
The US-CERT (United States Computer Emergency Readiness Team) recently published a list of the top 10 most exploited vulnerabilities between 2016 and 2019, seven of which were found in Microsoft products. Some of these vulnerabilities date as far back as 2015, with available patches.
- CVE-2017-11882: Microsoft Office Memory Corruption Vulnerability. A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system.
- CVE-2017-0199: A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system.
- CVE-2017-5638: Apache Struts vulnerability where remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
- CVE-2012-0158: “Arbitrary Code Execution” or buffer overflow vulnerability that provides more than enough functionality to be an effective dropper. The malicious code can be triggered by a specially crafted DOC or RTF file for MS Office versions 2003, 2007 and 2010.
- CVE-2019-0604: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source mark-up of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
- CVE-2017-0143: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.
- CVE-2018-4878: A critical vulnerability in Adobe Flash Player 18.104.22.168 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.
- CVE-2017-8759: A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET framework could take control of an affected system.
- CVE-2015-1641: MS Office vulnerability to allow remote attackers to execute arbitrary code via a crafted RTF document, aka ‘Microsoft Office Memory Corruption Vulnerability’.
- CVE-2018-7600: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
How can businesses protect themselves?
- Employees should be trained to spot and manage phishing emails. Hiscox currently offers the Hiscox CyberClear Academy, a free cyber awareness training platform, to all of its cyber insurance customers. The platform also contains helpful modules such as Bring Your Own Device (BYOD) and Remote and Mobile Working.
- Enable Multifactor Authentication (MFA) on user accounts, especially administrator accounts.
- Patch all VPN hardware and software and ensure they’re up-to-date.
- Ensure anti-malware software, IDS/IPS (Intrusion Detection/Prevention Software) etc. is up-to-date.
- Close all unnecessary open ports.
- Employees should use only applications recommended/vetted by the business.
- Encourage employees to secure their home routers. It is best practice to change the default admin passwords of devices before initial use and this includes home routers. They should also be updated to the latest available firmware and ensure the firewall is enabled.
- Adopt standalone cyber insurance. Nearly half (45%) say they have a standalone cyber policy and 70% intend either to buy or enhance their cyber cover. Standalone cyber insurance is dedicated to getting businesses back up and running quickly after a cyber attack.
The importance of maintaining a positive brand reputation has become more evident. Twice as many large and enterprise organisations experienced bad publicity or impacts on brand reputation as a result of a cyber security incident over the past 12 months (15% this year, 7% the previous year)1. It’s imperative to stay on top of evolving threats. Even in our post-COVID-19 world, doing the basics well still rings true.
Ivuoma Offor works within the CyberClear Centre (C3) which provides Cyber Expertise in areas such as value add services offerings, cyber training and advisory services to customers. She is currently responsible for managing the Hiscox CyberClear Academy, a cyber-awareness training platform. She holds a Master’s degree in Data Networks and Security.