Over the course of 2020, Microsoft has released over 100 patches, with a significant amount issued during the period of lockdown and remote working.
It was appropriate timing for a recent roundtable which Infosecurity attended, posing the question of whether 2020 has been the worst year for vulnerabilities. Simon Monahan, product marketing director at Redscan, asked the panelists whether, in terms of the number of vulnerabilities, 2020 has been the worst year overall for the risks posed to organizations.
George Glass, head of threat intel at Redscan, said that this year has “been tricky” as more people have worked remotely, and there has been “disparity” relating to what they are working on and how they are working. He also said that “infrastructure has had to change a fair amount to support that, so it has meant that infrastructure teams have had to work hard to patch a lot of vulnerabilities.”
He said that vulnerabilities “chained together creates a potent mix” which allows an attacker to access VPN connections, especially as a lot of vulnerabilities revolved around remote code execution. “Previously, you may leave a patch for maybe a couple of months if there was a limited scope to exploit, but chainable ones pose a risk with the impact for ransomware,” he explained.
Dinis Cruz, project leader at OWASP, asked if there were more vulnerabilities being exploited, or if the industry has just become better at finding and disclosing them? Cruz said it is not the case of there being more vulnerabilities this year, instead there has been “a constant stream of critical vulnerabilities.”
He said that, as an industry, we have become better at reporting issues, especially “if I compare with 10 or 20 years ago, when trying to report was much more difficult.” He and Glass both agreed that there is a lack of control of the infrastructure, with Cruz claiming organizations “fail to maintain and secure infrastructure, and in a way that is the problem” while Glass later commented that “getting a good understanding of your environment is absolutely pivotal.”
Cruz said it is important to improve how we detect and understand how to make good business decisions on what to patch, and what to evolve.
Tom Tervoort, security researcher at Secura and the man credited for discovering this year’s Zerologon vulnerability, said that type of vulnerability was relatively rare, but it can “happen every few years.”
He admitted that it was “hard to say if the threat is greater than ever,” as the difference lies in attacker motivations and the business model of attackers: an attacker will now scan the external infrastructure of any type of organization. Tervoort added that the damage done by an attack can be destructive, and the resulting impact on a business may include loss of access to critical services.
So where are vulnerabilities being created in the infrastructure? Cruz said that the more we automate cloud and DevOps, the larger the distributed setup, and the more vulnerabilities are created. “You get to the point where the biggest problem is not the cross-site scripting bug on the website, but S3 buckets left open and setups left open and unprotected,” he said.
With a more distributed workforce, he added that it is critical the team is protected whilst working in a more distributed fashion.
“In 2021, we will find vulnerabilities wherever we look”
So what can we expect to see in 2021, and beyond? Glass believed we will “find vulnerabilities wherever we look” and this comes down to where the researchers are looking, and what is in vogue. In particular, he cited VPNs and edge computing as having been prominent for the past eight months, and researchers would be best suited to help companies improve those applications.
“I think the bigger question is: what will we see exploited in 2021?” he said, believing we will see advanced persistent threats use known vulnerabilities, as this will avoid the need “to burn zero-days.” Looking forward, he recommended that businesses understand how attackers use exploits and vulnerabilities, and what the attackers’ objectives are when they do attack, and use that knowledge to harden their environments.
No year has been free from vulnerabilities in the past decade, and it is hard to see how this situation can be improved, although the standard of security research continues to improve for the benefit of the overall community. If lessons can be learned from this year on applying patches to defend against exploits of the likes of Zerologon, the flaws may not be reduced, but the opportunity to exploit will be.