CVEs vs Attack Vectors: A re-examination of Security Management Patching Strategies
- Ray Riescher
- Dec 1, 2022
Many organizations focus on managing and patching common vulnerabilities and exposures (CVEs). While patching is very important and a central process of a strong security model, prioritizing remediation of CVEs based on the Common Vulnerability Scoring System (CVSS) is only a partial plan.
Most organizations have a huge backlog of CVEs due to legacy software and infrastructure and the inability to keep up with the ever-changing landscape of new and highly exploitable CVEs (20,000+ CVEs in 2021 alone). The remediation work is large and brings little revenue, so for many organizations the cost of remediating everything outweighs the payback. Some recent research suggests that approximately 15% of all vulnerabilities are actually exploitable. Patching every vulnerability is not an effective use of time for engineering, operations, and security teams. Identifying the truly exploitable CVEs is evolving with models like FAIR, DREAD, and OWASP, but it remains a very difficult concept to implement.
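To make the prioritization point concrete, here is an added example (not code from the original post or from Trust Hawk Cybersecurity) that ranks a small constructed backlog two ways: by CVSS alone, and by whether the vector is reachable plus an equal-weight DREAD-style score. The findings, their scores, and the equal weighting are assumptions made for illustration; the CVE identifiers are placeholders, not real CVEs.

```python
"""Added example: rank a vulnerability backlog by reachability and a DREAD-style
score rather than by CVSS alone. Findings are constructed; the equal-weight
DREAD average is an assumed variant, not a published standard weighting."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float            # 0.0 when the issue has no CVE/CVSS at all (e.g. a default password)
    reachable: bool        # can an attacker actually reach this vector from where they stand?
    damage: int            # DREAD components, each scored 1..10 (assumed scale)
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread(self) -> float:
        """Equal-weight DREAD average (assumption; teams may weight components differently)."""
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5


def by_cvss(findings):
    """The CVSS-only ordering the post argues is only a partial plan."""
    return [f.name for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def by_vector(findings):
    """Reachable vectors first; within each group DREAD decides, CVSS breaks ties."""
    ordered = sorted(findings, key=lambda f: (f.reachable, f.dread(), f.cvss), reverse=True)
    return [f.name for f in ordered]


# Constructed backlog. CVE ids are placeholders, not real identifiers.
BACKLOG = [
    Finding("CVE-PLACEHOLDER-1 RCE in internal build server (segmented, not exposed)",
            cvss=9.8, reachable=False, damage=9, reproducibility=6,
            exploitability=5, affected_users=4, discoverability=3),
    Finding("Default admin password on internet-facing VPN portal",
            cvss=0.0, reachable=True, damage=9, reproducibility=10,
            exploitability=10, affected_users=8, discoverability=9),
    Finding("CVE-PLACEHOLDER-2 SMB information disclosure on file server",
            cvss=5.3, reachable=True, damage=5, reproducibility=8,
            exploitability=8, affected_users=6, discoverability=8),
]

if __name__ == "__main__":
    print("CVSS-only order:     ", by_cvss(BACKLOG))
    print("Vector-centric order:", by_vector(BACKLOG))
```

Under the CVSS-only ordering the default VPN password, which has no CVSS score at all, lands last; under the vector-centric ordering it lands first and the high-CVSS but unreachable build-server issue drops to the bottom. The `reachable` flag is the key input, and it has to come from your own network and exposure data, not from the vulnerability feed.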
What is an organization to do?
Adoption of a “hacker centric” prevention model is essential. Hackers are looking for the most efficient way to access networks, systems, and services.
The most common hacker tool is phishing in all its varieties, with a focus on social engineering and obtaining credentials. Additionally, hackers look for default credentials, unauthenticated access through insecure interfaces (FTP, SMB, HTTP, etc.), and exposed access points with default or easily cracked passwords. Hackers generally do not even require a high-severity CVE to gain a foothold in your services, but once in, they often leverage CVEs to move laterally and reach your “crown jewels” data.
To model the hacker mindset, pay close attention to your attack vectors and secure them at every point. Adopt a control program that recognizes that it is not the vulnerability but the vector that matters most. The results of many Red Team exercises show that the hacker's access to a system or service usually starts with obtaining credentials in some fashion. Social engineering, weak passwords, default passwords, etc., are often used to gain the initial foothold. Once in, hackers comb through files and systems looking for additional credentials to access core services or privileged accounts. Lackadaisical internal practices, like putting passwords in text files on intranet pages, are common and easily found by hackers. Once armed with privileged credentials, hackers meet little resistance to executing major damage.
Organizations need to adopt the hacker-centric mindset and focus on reducing attack vectors, eliminating weak credential exposure, scanning for credentials floating around in dark corners of their internal systems, and deploying advanced threat protection barriers (CrowdStrike, SentinelOne).
Need help identifying your attack vectors and securing your services? Trust Hawk Cybersecurity is here to help you. Contact us today.