Feeling vulnerable is difficult. Just ask your local enterprise security team. According to a study of the public, Internet-facing assets of 471 of the Fortune 500 companies, more than 148,000 critical vulnerabilities were found, which the study averages to 476 per company. With that many potential targets, attackers don't need to exploit all of them to breach an enterprise. They can pick from a menu of soft targets, knowing that the security team is stretched far too thin to discover and resolve every weakness.
This inability to cover every base leaves organizations more exposed to costly and disruptive breaches than ever. According to Bitdefender's 2023 Cybersecurity Assessment Report, more than half of the businesses surveyed suffered a breach in the previous 12 months, and many of those attacks were ransomware, which locks or encrypts critical business systems and demands payment to release them.
The rise and evolution of ransomware is forcing organizations to re-evaluate their security readiness through the lens of business risk. Security teams need to identify vulnerabilities, prioritize the ones that pose the most risk to the organization, and get better at resolving those quickly.
Taking a page from multi-national corporations, threat actors have realized that scale matters. Rather than working alone to build one threat at a time, they have pooled resources into global ransomware gangs. Made up of operators and affiliates who act as self-employed contractors, these ransomware-as-a-service networks attack many victims simultaneously and reinvest their earnings into research and development, working continuously to discover and exploit more vulnerabilities. That effort produces ransomware kits sold on underground markets to enterprising criminals who often have no technical expertise at all. They pay with a credit card or cryptocurrency, and off they go: a threat to everything from a Fortune 500 company with a security staff in the hundreds to a school district or non-profit with almost no security coverage.
Fighting this ransomware industrial complex is daunting for everyone. Today's threat surfaces are so widespread, and expanding so quickly, that it is nearly impossible for enterprise security teams to identify and fix every vulnerability in the organization. Keeping patches current and correctly applied is a nightmare, often forcing scheduled downtime that cuts into user productivity. Digital transformation, partner integrations, increasingly complex supply chains and hybrid work models keep widening the threat surface and making things harder. Tracking down every endpoint, server, application and other entity that touches the network is a difficult task for a hundred administrators, let alone for a small team.
It may seem counter-intuitive, but organizations need to accept that threat actors will keep breaching their networks. Threat surfaces are expanding too rapidly to keep up, and shadow IT means that security teams will never have complete visibility into every corner of the network. The human element of ransomware also means that users will continue to click on links and open documents they shouldn't.
Rather than running around trying to plug every hole (which is impossible), organizations need to limit the impact of threats by combining prevention with detection. This lets security teams stop most breach attempts and concentrate on containing the attacks that do get through.
This mitigation strategy should be based on business risk. Security teams need a reliable and accurate asset management system that finds every endpoint on the network, because you cannot patch what you do not know you have, and that confirms each one is current on firmware and software patches. Least-privilege access should be applied as well, so that only the users who need access have it, and with no more rights than their role requires.
Here are five red flags that organizations need to be aware of when deploying a risk-based vulnerability strategy:
Software is fickle. Patches and upgrades often break an established process or block automated tasks. When looking for where the organization is vulnerable, a clear understanding of what software is in use, how it connects to other business systems, and which version is installed (and why) is critical. For example, the supply chain management system may run on an unsupported version of Windows, yet upgrading it may break a core business process. Knowing how a change could affect productivity lets you assess the risk in the proper context. That context is a reason to plan a compensating control, such as isolating the system or restricting who can reach it, rather than a reason to leave a known hole open.
Training shouldn't be a box you tick for compliance reasons. It should mean something. Different roles carry different risks, and employees must be adequately trained for their specific responsibilities. Users who have access to financial or customer information should know what is expected of them in terms of privacy and follow detailed processes that protect that information. An email asking an executive assistant to cut a check should be verified out of band, for example by calling the requester on a known number, before any money moves. Increasingly sophisticated spear-phishing and social-engineering attacks make this critical.
Reliable backups are insurance against ransomware, but it's impractical to store everything on high-end drives in real time. Assess what needs to be backed up, how it would be accessed again, and how quickly it needs to be recovered. Putting this in a business-risk context lets organizations use a mix of storage: fast, high-capacity and secure for critical data, cheaper alternatives for the rest. Images of critical systems should also be refreshed regularly to avoid errors and delays when speed is vital. Because ransomware operators routinely try to delete or encrypt backups before detonating, at least one copy should be offline or immutable, and restores should be tested on a schedule rather than assumed to work.
Today's business is connected. Internal and external users rely on a variety of tools, processes, applications, Software as a Service (SaaS) platforms and other web services to do their jobs, and all of them require ubiquitous access. Security teams will never get a complete picture of all these connections, but the most important ones must be covered. Regular weekly and monthly scans, compared against the previous results, help discover newly exposed services and potential vulnerabilities and help you manage and protect an expanding threat surface.
Nearly every organization is subject to multiple regulations and audit requirements, especially if it operates in several countries and regions. The security team must understand which obligations apply to the organization and whether it currently meets them. Visibility and awareness are the keys to meeting compliance needs in a secure and reliable manner.
Increasingly sophisticated ransomware gangs are doing everything they can to exploit a growing number of vulnerabilities to breach enterprise networks. Even the largest, most efficient security teams can't cover the entirety of a rapidly expanding threat surface. Organizations need to assess vulnerabilities in terms of business risk, so that the ones with the greatest impact on security or productivity are addressed first. Better, more reliable asset management helps security teams do this: identify vulnerabilities across the organization, prioritize the most critical ones and move quickly to resolve them. Threat surfaces are too large and growing too fast for security teams to catch everything at once. A more intelligent, nuanced strategy is needed.
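The following is an added example, not code from Bitdefender or from the eBook, showing one way to put the ideas above into practice: compare two scan exports to spot newly exposed services (the periodic scanning recommended earlier), then rank every finding by business risk rather than raw severity, using asset criticality, Internet exposure, whether the flaw is known to be exploited, and how likely a patch is to break a business process. The asset inventory, the scan data, the finding IDs and the scoring weights are all constructed for illustration; a real deployment would pull them from the asset management system and the scanner.

```python
"""Risk-based triage of scan findings (added example; all data is constructed)."""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Optional

# Constructed asset inventory. criticality: business impact 1 (low) to 5 (high).
# change_risk: estimated probability (0-1) that patching breaks a process, e.g. the
# supply chain system on an unsupported OS from the article.
ASSETS: Dict[str, dict] = {
    "scm-01": {"criticality": 5, "internet_facing": False, "change_risk": 0.8, "owner": "supply-chain"},
    "web-01": {"criticality": 4, "internet_facing": True, "change_risk": 0.2, "owner": "ecommerce"},
    "hr-db": {"criticality": 5, "internet_facing": False, "change_risk": 0.3, "owner": "hr"},
    "kiosk-7": {"criticality": 1, "internet_facing": False, "change_risk": 0.1, "owner": "facilities"},
}

# Constructed scan exports (CSV). finding_id values are placeholders, not real CVE IDs.
LAST_WEEK_SCAN = """host,port,service,finding_id,cvss,known_exploited
web-01,443,https,F-1,7.5,no
scm-01,445,smb,F-2,9.8,yes
kiosk-7,80,http,F-3,5.3,no
"""
THIS_WEEK_SCAN = """host,port,service,finding_id,cvss,known_exploited
web-01,443,https,F-1,7.5,no
web-01,8080,http-alt,F-4,8.1,yes
scm-01,445,smb,F-2,9.8,yes
hr-db,5432,postgresql,F-5,6.5,no
lab-box,22,ssh,F-6,7.2,no
"""

UNKNOWN_ASSET_CRITICALITY = 3  # assumption: treat shadow IT as medium until an owner rates it


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    finding_id: str
    cvss: float
    known_exploited: bool


def parse_scan(text: str) -> List[Finding]:
    """Parse a CSV scan export into Finding records."""
    return [
        Finding(r["host"], int(r["port"]), r["service"], r["finding_id"],
                float(r["cvss"]), r["known_exploited"].strip().lower() == "yes")
        for r in csv.DictReader(StringIO(text))
    ]


def new_exposures(previous: List[Finding], current: List[Finding]) -> List[Finding]:
    """Services listening now that were absent from the previous scan (threat-surface growth)."""
    seen = {(f.host, f.port, f.service) for f in previous}
    return [f for f in current if (f.host, f.port, f.service) not in seen]


def risk_score(f: Finding, asset: Optional[dict]) -> float:
    """Business-risk score: severity x criticality x exposure x exploit activity (hypothetical weights)."""
    criticality = asset["criticality"] if asset else UNKNOWN_ASSET_CRITICALITY
    exposure = 2.0 if (asset and asset["internet_facing"]) else 1.0
    exploited = 1.5 if f.known_exploited else 1.0
    return round(f.cvss * criticality * exposure * exploited / 10, 2)


def recommend(f: Finding, asset: Optional[dict], score: float) -> str:
    """Turn a score into an action that respects the asset's change risk."""
    if asset is None:
        return "not in inventory: find owner, add to asset management, then re-score"
    if f.known_exploited and asset["change_risk"] >= 0.6:
        return "apply compensating control now (isolate/restrict), patch in maintenance window"
    if f.known_exploited or score >= 7.0:
        return "patch now"
    return "patch in next cycle"


def prioritize(findings: List[Finding], assets: Dict[str, dict]) -> List[dict]:
    """Ranked remediation queue, highest business risk first."""
    queue = []
    for f in findings:
        asset = assets.get(f.host)
        score = risk_score(f, asset)
        queue.append({"host": f.host, "port": f.port, "finding_id": f.finding_id,
                      "score": score, "action": recommend(f, asset, score)})
    return sorted(queue, key=lambda q: q["score"], reverse=True)


if __name__ == "__main__":
    current = parse_scan(THIS_WEEK_SCAN)
    for f in new_exposures(parse_scan(LAST_WEEK_SCAN), current):
        print(f"NEW EXPOSURE {f.host}:{f.port}/{f.service}")
    for item in prioritize(current, ASSETS):
        print(f"{item['score']:5.2f} {item['host']}:{item['port']} {item['finding_id']} -> {item['action']}")
```

Two things in the output are worth noticing. The highest-CVSS finding (the actively exploited SMB flaw on the supply chain server) does not simply get "patch now": because the inventory says a patch there is likely to break a core process, the queue calls for isolating the system first and scheduling the patch, which is the context the article asks for. And the host that is not in the inventory at all is routed to asset management before it is scored for real; a finding on a machine nobody owns is a shadow IT problem as much as a vulnerability problem.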
To take a deeper dive, our new eBook, "Ransomware Revealed: How to Determine If You’re a Target," is your essential guide to understanding and combating the ransomware threat.
Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide. Guardian over millions of consumer, enterprise, and government environments, Bitdefender is one of the industry's most trusted experts for eliminating threats, protecting privacy, digital identity and data, and enabling cyber resilience. With deep investments in research and development, Bitdefender Labs discovers hundreds of new threats each minute and validates billions of threat queries daily. The company has pioneered breakthrough innovations in antimalware, IoT security, behavioral analytics, and artificial intelligence and its technology is licensed by more than 180 of the world's most recognized technology brands. Founded in 2001, Bitdefender has customers in 170+ countries with offices around the world.