Unfortunately, security incidents and breaches are the "new normal," and there are regular news reports on the scale and nature of these record loss events. First and foremost, these breach events can happen to virtually any organization. When they do happen, there are positive and proactive actions you can take to double-check your current-state security posture, practices, and protocols to see whether there are any additional measures that may be required to help avoid being a conduit for such breaches.
But first, why do these breaches happen?
The internet: An attacker's playground
As Rapid7 researchers note regularly in our quarterly threat reports and research papers such as the National Exposure Index, the internet provides ample opportunity for attackers to scout out potential targets, practice attacks, and conduct exploit campaigns. To provide some timely context, we reviewed the latest November 2018 Project Sonar scan results for the presence of internet endpoints exposing the following:
- Remote Desktop Protocol (RDP over TCP/3389), which organizations use to enable remote GUI logins to Windows systems on their networks
- NetBIOS/Server Message Block (SMB over TCP/445), which provides a cornucopia of Microsoft networking services, including file sharing
- Telnet (over TCP/23), which is a cleartext protocol that is used to remotely log in to systems and devices
We found over 9 million systems actively running some combination of those protocols:
November 2018 Telnet/SMB/RDP Internet Heatmap
For the above chart, the entire square is the whole internet (all ~4 billion possible addresses). The labels are the IP address registries that are "in charge" of handing out IP address blocks, and each dot is one network segment (up to 256 IPv4 addresses). The dots are colored by how many devices we found in a given network segment. Yellow dots mean that almost all of the systems on the network segment are exposing some really bad service. Darker/purple ones indicate we found a few.
Another way to visualize this woefully insecure service distribution is with a "world tile grid" map in which we use one square to represent each country and try to keep the relative country positions the same to make it easier to see how many exposed nodes are in a given country:
The fact that we found these highly insecure services across so much of the internet should give you some idea of just how vast the attackers' playground really is and provide some insight into one reason why breaches may be so commonplace.
Now, it is virtually impossible to secure any of those services, and we regularly see attackers attempting to exploit them when they find them:
Woefully insecure services + eager, opportunistic attackers == recipe for a data breach.
More than one way to get inside
Our quarterly threat reports also show that these external threats to internet-facing services aren't the only area organizations need to be mindful of.
The above figure from our most recent threat report shows that attackers have access to scads of credentials from legacy and current breaches, regularly use phishing attacks to gain entry into organizations, and then perform lateral movement and drop malware to accomplish some goal. Far too often, said goal is to gain access to and then steal sensitive data.
If you are in a leadership role in your organization and news of a breach in some other company reaches one of your glowing rectangles, what should your initial reaction be? Sadly, many information security professionals and business peers immediately rush to judgement and start victim-blaming. That is both unhelpful and unwarranted.
A much more proactive response is to use each instance of a breach to evaluate how you are handling the data that has been placed in your care. If you are a business process or business app owner, this means reviewing everything from secure development practices to data security, privacy, and retention processes that you have incorporated into your lifecycle management and operational performance reviews.
If you are in a direct cybersecurity role, this would be a great time to ensure your tabletop exercise handbook has various scenarios that include the core threat components that the adversaries used in the breach that made the news. Even if you're not in the same industry and the details are scant, you can likely pick up on enough nuggets to make sure you're covering all the necessary bases and have implemented or plan to implement the necessary controls to help ensure your organization's name isn't the next one in the headlines.
Those in charge of IT operations, IT networking, and cybersecurity within an organization can help mitigate the "woefully insecure services" attack vector by regularly checking for such insecure services being exposed to the internet and working as fast as possible with business process/app owners to put them behind a virtual private network (VPN). There are many other weak/difficult-to-secure services that you should also refrain from exposing directly to the internet (which we cover in our National Exposure Index reports).
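As a concrete illustration of the "regularly check for such insecure services" advice, here is a small exposure check for the three ports the post names (Telnet/23, SMB/445, RDP/3389). It is an added example, not Rapid7's tooling or Project Sonar code: it takes a list of addresses you are responsible for, attempts a plain TCP connect to each of the three ports, and reports any that answer together with the reason the post gives for keeping that service off the internet. The `probe` parameter is injectable so the report logic can be exercised offline; the hosts in `CONSTRUCTED_RESULTS` are constructed sample data from the documentation range 203.0.113.0/24, not real findings.

```python
"""Exposure check for the services the post singles out: Telnet, SMB and RDP.

Point it only at address ranges your organization owns. Added example; it is
not part of the original post and does not reproduce Rapid7's scanning code.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass
from typing import Callable, Iterable

# Ports named in the post, with the reason each should sit behind a VPN.
RISKY_SERVICES: dict[int, tuple[str, str]] = {
    23: ("Telnet", "cleartext remote login; credentials cross the wire unencrypted"),
    445: ("SMB", "Windows file sharing and related services; frequent exploit target"),
    3389: ("RDP", "remote GUI login to Windows; routinely attacked when exposed"),
}


@dataclass(frozen=True)
class Finding:
    """One exposed service observed on one host."""
    host: str
    port: int
    service: str
    reason: str


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A plain connect is enough to confirm exposure; no protocol data is sent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or no network at all
        return False


def audit_hosts(
    hosts: Iterable[str],
    probe: Callable[[str, int], bool] = probe_port,
) -> list[Finding]:
    """Check every host for every risky port and collect the ones that answer."""
    findings: list[Finding] = []
    for host in hosts:
        for port, (service, reason) in sorted(RISKY_SERVICES.items()):
            if probe(host, port):
                findings.append(Finding(host, port, service, reason))
    return findings


def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    """Count exposed endpoints per service, for a quick management-level view."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.service] = counts.get(f.service, 0) + 1
    return counts


# Constructed sample results (documentation addresses, not real hosts) so the
# report path can be exercised without touching the network.
CONSTRUCTED_RESULTS: set[tuple[str, int]] = {
    ("203.0.113.10", 3389),
    ("203.0.113.10", 445),
    ("203.0.113.25", 23),
}


def constructed_probe(host: str, port: int) -> bool:
    """Stand-in for probe_port that answers from the constructed sample."""
    return (host, port) in CONSTRUCTED_RESULTS


def format_report(findings: Iterable[Finding]) -> str:
    """Render findings as one line per exposed service."""
    lines = [f"{f.host}:{f.port}  {f.service:<6} {f.reason}" for f in findings]
    return "\n".join(lines) if lines else "no Telnet/SMB/RDP exposure found"


if __name__ == "__main__":
    # Swap constructed_probe for probe_port to check your own external ranges.
    sample_hosts = ["203.0.113.10", "203.0.113.25", "203.0.113.40"]
    results = audit_hosts(sample_hosts, probe=constructed_probe)
    print(format_report(results))
    print("per-service totals:", summarize(results))
```

For a recurring check, feed `audit_hosts` the list of your externally routable addresses (from your IP asset inventory) and diff each run's findings against the last one; a new entry is the signal to start the conversation with the business owner about moving that service behind the VPN.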
May the odds be ever in your favor
Regardless of cybersecurity maturity, organizations are in an asymmetric position when it comes to attackers. An average, midsize organization may have around 1,500 employees, 2,500 user devices, multiple dozens of third-party business partners, hundreds of servers/services, and millions of sensitive records to protect—all with numerous constraints on time, staffing, expertise, and funding. Attackers only need to find one weak spot.
Along with controlling the overt exposure points (as noted above), you can foster a more holistic defense strategy by leveraging information from and the product/service capabilities of your IT security partner organizations, as well as intelligence from industry peer threat-sharing groups. Using a risk-based approach to prioritizing internal cybersecurity improvements will help your organization gain the upper hand on attackers.