Wednesday, November 2, 2016

Protecting the Perimeter: Old Attacks Work Just as Well as New Ones

When we think about external threats to information security, our first thoughts are often of hacker attacks on the network perimeter, such as advanced persistent threats (APTs) targeting large companies and governments. One example is the compromise of the Equation Group, with the publication of some of the group's tools for breaching the network perimeter. But as it turns out, many of the exploits have been known for a long time, although the “cherry on the cake” was a zero-day vulnerability for SNMP services (with SNMP standing for “Security Not My Problem”). While we do not have a full list of the compromised exploits, we can start from the other end of the equation by evaluating the state of protection of corporate perimeters with the help of real-world vulnerability statistics.

One such study was presented at PHDays VI as part of Positive Research 2016. The sample spanned approximately 10,000 accessible addresses and 15,000 vulnerabilities over a two-year period (2014–2015). Note that these numbers include ONLY network perimeters with above-average security. Only companies with asset inventory and vulnerability management processes (which, in turn, enable collecting statistics) were included.

Let's start with the “sexiest” morsel from the published exploit pack: the SNMP zero-day. Is this something to be worried about? Our study shows that the answer is “yes”. A few reasons: