
posted by janrinok on Friday July 01 2022, @08:48AM
from the patchable-and-preventable dept.

Patchable and Preventable Security Issues Lead Causes of Q1 Attacks:

Attacks against U.S. companies spike in Q1 2022 with patchable and preventable external vulnerabilities responsible for bulk of attacks.

Eighty-two percent of attacks on organizations in Q1 2022 were caused by the external exposure of a known vulnerability in the victim's external-facing perimeter or attack surface. Those unpatched bugs overshadowed breach-related financial losses tied to human error, which accounted for 18 percent.

The numbers come from Tetra Defense and its quarterly report that sheds light on a notable uptick in cyberattacks against United States organizations between January and March 2022.

The report did not let employee security hygiene, or a lack thereof, off the hook. Tetra revealed that a lack of multi-factor authentication (MFA) mechanisms adopted by firms and compromised credentials are still major factors in attacks against organizations.

The study looks at the Root Point of Compromise (RPOC) in attacks. The RPOC is the initial entry point through which a threat actor infiltrates a victim organization and is categorized as either external exposure to a known vulnerability, a malicious action performed by a user, or a system misconfiguration.

"Incidents caused by unpatched systems cost organizations 54 percent more than those caused by employee error," according to the report.

[...] According to Tetra Defense, the widespread awareness about the Log4Shell vulnerability minimized active exploitation, and it was only the third most exploited external exposure, accounting for 22 percent of total incident response cases. The Microsoft Exchange vulnerability ProxyShell outpaces Log4Shell and leads the way by accounting for 33 percent of cases.

Tetra Defense revealed that nearly 18 percent of the events were caused by an unintentional action performed by an individual employee in the organization.

[...] "Advocating for better patching practices has almost become a cliché at this point as it's common knowledge that it plays a major role in reducing cyber risk," Tetra Defense noted.

"To best prevent exploitation of external vulnerabilities, organizations need to understand their attack surface and prioritize patching based on risk, all while ensuring they have the defenses in place to protect their systems, knowing that they will have obstacles that will prevent them from immediately patching vulnerable systems," Tetra Defense added.


  • (Score: 2) by AnonTechie on Friday July 01 2022, @10:55AM

    by AnonTechie (2275) on Friday July 01 2022, @10:55AM (#1257323) Journal

    “Everything that needs to be said has already been said. But since no one was listening, everything must be said again.”

    ― André Gide

    --
    Albert Einstein - "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
  • (Score: 4, Insightful) by crafoo on Friday July 01 2022, @02:18PM (2 children)

    by crafoo (6639) on Friday July 01 2022, @02:18PM (#1257345)

    No. The cause of the attacks is not unpatched vulnerabilities. Obviously not. Hackers are motivated for many reasons, but the existence of unpatched vulnerabilities is not one of them.

    It's also hilarious that in the chain of events that allows hackers access to systems, we focus on the billions of users not patching their systems. It's their fault. It's not the fault of the company that wrote buggy software, or the testers that didn't do their job, or systems that update every other day saturating hotspot and cell users worldwide with daily "upgrades".

    Let's talk about the financial incentives to release shit software and then blame the users when it constantly breaks and is exploited.

    • (Score: 3, Interesting) by Spamalope on Friday July 01 2022, @02:47PM (1 child)

      by Spamalope (5233) on Friday July 01 2022, @02:47PM (#1257351) Homepage

      The MS WSJ ads where they said: Outlook and IE are fine, your IT staff isn't patching enough! That's why you have infections. It's not us!

      • (Score: 2) by bzipitidoo on Saturday July 02 2022, @12:45PM

        by bzipitidoo (4388) on Saturday July 02 2022, @12:45PM (#1257536) Journal

        Worse is MS sending out what amounts to a Trojan. Sent out a "security" patch that is actually security for their IP against the possibility that their customer pirated something. They lie that it's for the user. Did that in the early days of Windows Vista. I haven't heard that they'd tried any such thing since, but you can't take their word on anything of that sort. Them trying to lock down their software with all this phoning home with license keys and such crap has made things worse. Drives people into the arms of crackers who really have piggybacked malware with the cracks.

        One time they tightened up their downloads so that only people using registered copies of Windows could access the patches. Instantly created a chicken and egg problem in which you couldn't register your legit copy of Windows until it'd been patched, because if you tried, it'd be pwned before it could finish downloading the patches, and of course you needed another machine with a registered copy of Windows to do the downloads or you couldn't patch it first. If you didn't have such a machine, you were screwed, no way to patch your system thanks to MS's policy change. They relented after a month. MS has done a lot of stupid crap like that. It's a problem I've seen over and over with these vendors of proprietary tech. Think they can just trample upon users' rights in pursuit of what they perceive to be their own rights.

  • (Score: 3, Funny) by DannyB on Friday July 01 2022, @03:12PM (1 child)

    by DannyB (5839) Subscriber Badge on Friday July 01 2022, @03:12PM (#1257356) Journal

    I find that the bestest way to protect passwords is to wear my T-shirts inside out.

    I can still pull the neck out a bit and peek down inside to read all the passwords.

    --
    The lower I set my standards the more accomplishments I have.
    • (Score: 2) by captain normal on Friday July 01 2022, @06:16PM

      by captain normal (2205) on Friday July 01 2022, @06:16PM (#1257392)

      My favorite method, when I need a password I don't use every day, is to hit the "forgot password" link. Of course the outfit that I'm trying to deal with already has an email address for me on file, so I then make up a new one. I can then forget that password because I won't need it again for at least 6 months. Works fine unless I forget which email account I used for them.
      The real problem as I see it is that everyone wants me to register and make up a password in order for me to relate to them.

      --
      "Everyone is entitled to his own opinion, but not to his own facts." --Daniel Patrick Moynihan