The basics of cybersecurity, it turns out, aren’t so basic.
Fundamental defenses — identity and access management, MFA, memory-safe languages, patching and vulnerability management — are lacking or nonexistent across the economy, according to cybersecurity experts.
“It is the simple stuff,” Arctic Wolf CISO Adam Marrè said during an interview at Black Hat. “Year after year these data breach reports come out, year after year it’s the same thing as most attacks happen because you’re not patching your systems and you’re not taking care of your credentials.”
An oversupply of applications and services complicates efforts to roll out phishing-resistant MFA and identity protection. The average large business uses 367 software apps and systems, according to a 2022 Forrester study.
It’s as if an airline mechanic were tasked with repairing a plane’s engine while it’s flying, according to Rick Holland, VP and CISO at Reliaquest.
Valid credential compromises were responsible for more than half of all attacks studied in the Cybersecurity and Infrastructure Security Agency’s fiscal year 2022 annual risk and vulnerability assessment.
Identifying key applications and assigning proper access to those services across an organization is fraught with challenges, Holland said. “We often focus on the technology side and not the people and the process.”
While the imperative to increase identity protection is widely acknowledged, many CISOs say it could take 18 months or more to properly roll out MFA. MFA adoption also remains siloed.
Only 28% of Microsoft users had MFA enabled as 2022 came to a close, and yet more than 99.9% of accounts that get compromised don’t have MFA enabled, Alex Weinert, Microsoft’s VP of identity security, wrote in a blog post early this year.
Heavy damages are caused or enabled by lax security controls. These unmet basics turn up time and again when things go wrong.
“Two-thirds of vulnerabilities in memory-unsafe languages today are caused by memory-safety vulnerabilities,” Jack Cable, senior technical advisor at CISA, said during a presentation at Black Hat.
Phishing, the king of compromise, remained the top initial access vector for security incidents last year, accounting for more than 2 in 5 of all incidents studied in IBM Security X-Force’s annual threat intelligence report.
Incremental progress is better than nothing
Cybersecurity is a game of inches not by design but by necessity. “You can’t solve all the problems at once,” Holland said.
Organizations have to commit to making progress, however incremental.
Don’t let the best be the enemy of the good, Mark Ryland, director of the Office of the CISO at AWS, told Cybersecurity Dive at Black Hat.
“People rightly say, ‘hey, you should use phishing-resistant MFA. Don’t use the older MFA tokens,’” Ryland said. “I totally agree with that, but if your choice is to not do anything or do that, you should do that because it’s so much better than not having any MFA at all.”
Progress on these fronts also depends heavily on a cultural shift.
“We haven’t gotten to the point where we see cybersecurity as locks on doors and seatbelts in cars, and that’s where we need to get to,” Marrè said.
Basics bear big benefits
The prevalence of attacks attributed to basic pitfalls underscores the need for a collective shift in mindset as well, particularly as it relates to insufficient identity protections.
Attackers “found a white space where identity was kind of a gap,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, told Cybersecurity Dive. “You really need to think about identity security because that isn’t going away and you can’t stick your head in the sand and hope it’s not going to happen to you.”
The underground ecosystem for credential theft, sales and compromises is thriving, according to Meyers.
Defenders know their weak spots. Organizations and threat hunters routinely link intrusions to a failure to achieve a basic security control.
“We know what we need to do,” Marrè said.
“Doing the basics well will protect you against everyone,” he said. “It will protect you against criminals, it will protect you against low-level hackers, and it will protect you against nation states.”
Disclosure: Black Hat and Cybersecurity Dive are both owned by Informa. Black Hat has no influence over Cybersecurity Dive’s coverage.