2018 Security Threat Report
Assessing Nine Years of Cyber Security Vulnerabilities and Exploits
Internal Audit, Risk, Business & Technology Consulting

Executive Summary

Finding the right words to describe the magnitude of cyber security today is like trying to define the size and splendor of the Grand Canyon to someone unfamiliar with the natural wonder of the world. News of massive data breaches continues to make headlines. Among the largest breaches to date, one of the major consumer credit reporting agencies announced last year that hackers accessed its store of Social Security numbers, driver’s license data, birth dates and other personal information on more than 140 million consumers. A decade ago, such news would have been unimaginable. But sadly, over the last several months, disclosures of significant cyber security breaches have become routine as organizations increasingly rely on vulnerable digital technologies and third-party service providers.

At the same time, cyber criminals are becoming more creative and sophisticated. New cyber threats emerge daily that put any number of business systems at risk, and companies face a monumental challenge to keep pace with the threats and safeguard their data, particularly their “crown jewels.” It’s no surprise that cyber security is the chief concern not only for CIOs and IT departments, but also for executive-level management and boards of directors.

This report aims to help organizations address and understand the cyber security landscape by exploring and detailing the most common digital threats today. Since 2009, Protiviti security labs in the United States have performed more than 500 in-depth security scans on behalf of a broad range of organizations to test and assess their IT systems and infrastructure for cyber security risks. Keeping the organizations anonymous, we have compiled and quantified the vulnerability and threat discoveries in our data, offering insights and trends regarding the types of threats organizations are most likely to face, the most frequently perpetrated cyber crimes, the recent acceleration of attacks, and trends in cyber attacks by industry and size, among other views.

In addition, we provide insight into the root causes underlying the vulnerabilities and practical guidance on how companies can protect their information. In these times of digital treachery, we hope you find this report useful.

Key calls to action we define include:

01 Strong permission and user access controls
02 Employee security awareness
03 Patch management
04 System configuration management
05 Periodic penetration testing

protiviti.com 2018 Security Threat Report · 1

About Our Study

We compiled the data, analyses and trends presented in this report by reviewing information from security vulnerability scans of IT systems of more than 500 organizations in a broad range of industries. Over a nine-year period, Protiviti’s security experts were engaged by these companies to scan their networks, detect vulnerabilities, and help fix issues and establish proper mechanisms for monitoring and prevention. This data has been aggregated and analyzed into data points that we believe are both informative and useful for those trying to safeguard their systems.

Some important notes and definitions about the data in our report:

• The scanned data from these engagements was not validated – rather, it is the raw data from a leading vulnerability scanner that the Protiviti teams used.
• The test data is from a broad range of industry organizations:
  – Financial Services
  – Healthcare and Life Sciences
  – Manufacturing
  – Energy and Utilities
  – Technology, Media and Telecommunications
  – Consumer Products and Services
  – Education
• The data contains results from internet-facing systems (external) as well as systems on the inside of the organization’s firewall (internal).
• Vulnerability data contained within this study relate to network-related issues only. Web application vulnerabilities are not included. In addition, vulnerability data related to the same missing patch or outdated system version have been removed, with only the highest total remaining, to reduce repeat items.
• Vulnerability refers to a weakness in a computer system that reduces its security posture.
• Exploit refers to vulnerabilities that have publicly available exploit code as of the time of testing.
• Risk rankings generally follow the standard CVSS scoring mechanism:
  – Vulnerabilities are labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
  – Vulnerabilities are labeled “Medium” severity if they have a CVSS base score of 4.0-6.9.
  – Vulnerabilities are labeled “High” severity if they have a CVSS base score of 7.0-8.9.
  – Vulnerabilities are labeled “Critical” severity if they have a CVSS base score of 9.0-10.0.

Key Definitions

• Vulnerability: Weakness in a computer system that reduces its security posture
• Exploit: Vulnerabilities that have publicly available exploit code
• External: Internet facing systems
• Internal: Non-internet facing systems
• Risk rankings: Follow CVSS scoring mechanism – Critical: 9.0 - 10.0; High: 7.0 - 8.9; Medium: 4.0 - 6.9; Low: 0.0 - 3.9

Key Takeaways/Trends and Analysis

Based on the wealth of data taken from nine years’ worth of security scans and the trends they reveal, there are a number of key takeaways and learnings:

• Patching, both external and internal, remains a critical issue. In particular, application patching appears to be a more problematic issue than operating system patching.
• Organizations are still running a significant number of unsupported systems.
• Just under half of the vulnerabilities identified during testing have a publicly available exploit.
• There have been consistent challenges with SSL, especially with regard to weak ciphers and diversions. Though the raw number of issues hasn’t reached a high level, this is an area for organizations to monitor.
• Not surprisingly, the number of exploits and vulnerabilities organizations have experienced has risen over time. Also of no surprise, the ports with the most vulnerabilities are Windows 445 and web 443.
• Every few years, a major critical exploit comes along that has a drastic impact on the security landscape. Just a few examples include MS08-067, Heartbleed, Shellshock (CVE-2014-6271), MS17-010 and MS15-034.

[Pie chart: Organizations Included by Industry and Number of Scans/Tests Performed. Segments: Education, Consumer Products & Services, Energy & Utilities, Manufacturing, Technology, Media & Telecommunications, Healthcare & Life Sciences, Financial Services. The extracted percentage labels (1%, 7%, 8%, 9%, 10%, 29%, 36%) cannot be matched to their segments from the text.]

Call to Action

Regardless of an organization’s industry or size, developing, establishing and implementing five basic security principles will dramatically reduce an organization’s risk of a security breach. Organizational networks are only as strong as their weakest link. As such, each of these areas needs to be looked at, evaluated and improved individually and collectively in order to raise the bar high enough so that a non-targeted attacker will be compelled to move on to the next network.

The five items are:

1. Strong permission and user access controls – Maintaining strong access controls is one of the primary ways to protect against a breach. Seemingly simple steps such as ensuring appropriate permissions, reducing the number of powerful administrative accounts and changing default passwords significantly reduce the attack surface for a hacker. Software, systems and devices are often preloaded with default permissions, usernames and passwords that are easily identifiable through a quick internet search or system query. Attempting to access systems with default permissions and guessing these usernames and passwords often is one of the first steps an attacker will take when attempting to gain control of a system.

Organizations that periodically check their network for default permissions/credentials and implement this change as part of the standard system deployment procedures reduce the likelihood of one or more attackers gaining easy

2. Employee security awareness – … greatly reduce the effectiveness of technology, often very expensive, that the organization put in place to protect its networks. Social engineering attacks try to obtain information that should not be disclosed and could facilitate gaining unauthorized access to companies’ private data and resources. Examples of this include seeking information required to reset and recover an employee’s password or any other important information through electronic (phishing) or physical means, or through phone calls.

Strong security awareness programs provide and reinforce security awareness communications and training provided to employees. Communications inform employees and other users of the latest security threats, activities the organization is taking to mitigate these risks, and measures that users can take to protect themselves and contribute to promoting a secure office environment. Periodic communications also stress proper password protection and management, as well as provide employees with appropriate steps to take when they feel that social engineering techniques are being attempted.

3. Patch management – As noted in the threat data presented in our report, most vulnerabilities can be remediated and/or are the result of a system not being properly patched. This not only applies to operating systems, but also to applications. While getting a handle on application patching is often more difficult than on operating systems (largely
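As an added illustration that is not code from the report, the CVSS severity bands and the same-missing-patch de-duplication described under “About Our Study”, together with the patch-management emphasis in item 3, can be expressed as a small routine that turns raw scanner findings into the kind of per-severity, exploit-available and external/internal counts the study tabulates. The Finding class, the host addresses and the scores are constructed assumptions, not data from the report.

```python
from collections import Counter
from dataclasses import dataclass
# Severity bands used in the report: lower bound of each CVSS base-score range.
BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low"))

@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float            # CVSS base score, 0.0-10.0
    exploit_public: bool   # public exploit code existed at the time of testing
    external: bool         # internet-facing (external) vs behind the firewall (internal)
    patch_id: str = ""     # missing patch / outdated version, "" if not patch-related

def severity(cvss: float) -> str:
    """Map a CVSS base score to Low / Medium / High / Critical."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    return next(label for floor, label in BANDS if cvss >= floor)

def dedupe_by_patch(findings):
    """Keep only the highest-scoring finding per (host, missing patch), as the
    study does to reduce repeat items; findings with no patch pass through."""
    best, keep = {}, []
    for f in findings:
        if not f.patch_id:
            keep.append(f)
            continue
        key = (f.host, f.patch_id)
        if key not in best or f.cvss > best[key].cvss:
            best[key] = f
    return keep + list(best.values())

def summarize(findings):
    """Severity counts, share with a public exploit, and external/internal split."""
    deduped = dedupe_by_patch(findings)
    by_sev = Counter(severity(f.cvss) for f in deduped)
    exploit_share = sum(f.exploit_public for f in deduped) / len(deduped) if deduped else 0.0
    scope = Counter("external" if f.external else "internal" for f in deduped)
    return {"total": len(deduped), "by_severity": dict(by_sev),
            "exploit_share": round(exploit_share, 2), "by_scope": dict(scope)}
# Constructed sample scanner output (hypothetical hosts and scores, not report data).
SAMPLE = [
    Finding("10.0.0.5", "SMB remote code execution", 9.8, True, False, "MS17-010"),
    Finding("10.0.0.5", "SMB information disclosure", 7.5, True, False, "MS17-010"),
    Finding("10.0.0.5", "SMB denial of service", 5.3, False, False, "MS17-010"),
    Finding("203.0.113.7", "TLS weak cipher suites offered", 4.3, False, True),
    Finding("203.0.113.7", "Shellshock (CVE-2014-6271)", 10.0, True, True, "bash-update"),
    Finding("10.0.0.9", "Unsupported OS version", 3.1, False, False),
]
```

Running summarize(SAMPLE) collapses the three MS17-010 findings on one host into the single 9.8 entry, so the counts reflect distinct remediation actions rather than repeated scanner plugins.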