To Move Forward Securely, Look Backward With Ongoing Risk Assessments

As security professionals, we’re constantly on the lookout for the latest research and trends to stay on top of new threats. This is sensible in that novel attacks seem most likely to go undetected, but if we focus on the future at the expense of performing risk assessments to maintain defenses against existing threats, we will always be one step behind attackers.

It’s said that history doesn’t repeat itself, but it often rhymes. This is particularly true with cybercrime. As we’ve watched malware trends shift from one generation of technology to the next, it’s clear that old techniques are often reused.

Legacy Code, Current Security Problems

Technology moves quickly, and most organizations have a lot on their plates dealing with a constant influx of new apps and devices. Each new wave of changes brings a new codebase and a new attack surface. It’s reasonable to take these risks seriously, but in this constant race to address new threats, we can accrue security debt that opens us up to threats that have not been completely addressed in older technology.

While it’s well-known that updating software is a key part of keeping the organization secure, this is not always practical. Most companies have legacy technology that must be kept for one reason or another, often because it’s too expensive or difficult to replace. Millions of computers are still using antiquated software, much of which is known to be problematic. For example, according to Statcounter, Windows XP still has around 2 percent of the global desktop Windows version market share, and Windows 7 — which will no longer be supported after 2019 — still has around 34 percent.

Even code that’s current, has been in use for years and is considered safe can sometimes hide major problems. There are plenty of examples from recent years in which vulnerabilities were found in code that was in active use for years or even decades, such as Heartbleed, Shellshock, Meltdown and Spectre.

From a return on investment (ROI) perspective, it makes sense for criminals to spend as little time and effort as possible creating new attacks when existing problems can easily be exploited. Old malware and vulnerabilities linger on a surprising number of systems.

Old Attack Types Resurface

Threat actors aren’t just recycling old vulnerabilities and malware; they are also fond of reusing old attack vectors, particularly those that have been off the industry’s radar for so long that we forget they’re a problem.

For example, boot sector viruses and macro viruses were once considered all but dead, as heuristic detection became so effective that even brand new malware was usually identified as soon as it was released. But once attackers rediscovered these techniques, a new generation of malware researchers had to resurrect skills from the past to reverse engineer these threats. As Krebs on Security reported last year, even malware sent by snail mail has made a bizarre reappearance.

The Pattern Repeats in New Devices

Sometimes old attacks are ported to new operating systems and devices, which are perceived as less threat-prone than more traditional computers. Malware authors have had years of practice porting Windows threats to other operating systems, and attacks have been carried out on everything from mobile phones to internet-connected refrigerators.

Researchers have been predicting internet of things (IoT) security issues for almost 20 years, due in large part to device manufacturers failing to learn the lessons of the past. Yet many “smart” devices fail to follow basic IoT security best practices, including using default login credentials and failing to include software update capabilities.

Start Addressing Security Debt With Ongoing Risk Assessments

The good news is that many of the techniques that help with addressing security debt will also help mitigate the problems that could come with new threats. Perhaps the best strategy is to conduct thorough and ongoing risk assessments to identify which assets and vulnerabilities are present in your environment. You can then move on to mitigating the biggest risks for different kinds of devices and code.

For Old Code or Devices

Identify and update what you’re able to. For things that you’re unable to update, it’s best to harden the machines as much as possible and monitor them closely. This hardening may include segregating these devices from the rest of your network, limiting the privileges of the device and/or using white lists.

For Newer IoT Devices

If at all possible, purchase devices that were built with security in mind. This should include, at a minimum, the ability to change usernames and passwords as well as software update mechanisms. Ask vendors to practice security by design principles as outlined by the Open Web Application Security Project (OWASP). You can also put risky devices on segregated portions of your network while monitoring traffic in and out of these areas.

For Everything Else

New devices with updated software can still fall victim to old attack techniques. It’s important to make sure you’re covering the basics, such as practicing good password hygiene and using a reputable security suite. But there are other protection steps you should also be taking.

For instance, use layers of defense wherever possible, such as multifactor authentication to protect login credentials rather than just a username and password. Set security policies and procedures and make sure your users are briefed on them early and often. Tailor your practices so that the people in your environment are able to do what they need to without undue trouble, but also without allowing more privileges than are truly necessary.

Invest Wisely to Combat Both Old and New Threats

Protecting a network can be a costly and difficult endeavor if you apply tools blindly in fear of future problems. Spend your security investments more wisely by regularly and thoroughly assessing which assets you have to protect and mitigate any risks to those assets — whether they’re old or new vulnerabilities. You don’t need to have the most newfangled technology to make your environments an unattractive target for cybercriminals.