Every threat actor around the world shares one thing in common: they’re people. As such, they often look at their “job” from the effort/reward perspective. They ask themselves, “How can we get the greatest reward for the least amount of effort?” The answer is to go after low-hanging fruit, weaknesses which organizations might neglect in the absence of a robust security posture.
Let’s examine some examples below.
Commonly Exploited Vulnerabilities Are Older than You Think
Digital attackers understand that organizations don’t always have the means to patch vulnerabilities affecting their systems on a timely basis. This explains why older vulnerabilities remain so popular among malicious actors. In July 2021, for instance, the FBI along with the Cybersecurity & Infrastructure Security Agency (CISA) published a joint advisory with their national UK and Australian counterparts identifying 30 of the most common vulnerabilities exploited in the wild. The discovery dates for the list’s top four flaws ranged from 2018 to 2020.
Sometimes, digital attackers focus on misusing vulnerabilities even older than that. As HealthITSecurity reported, a 2021 survey noted that CVE-2017-11882, a memory corruption vulnerability in Microsoft Office, accounted for nearly 75% of exploits in Q4 2020. Similarly, an analysis of some of the vulnerabilities most frequently used by ransomware attackers revealed that organizations hadn’t applied some security updates for almost a decade. One of the top five vulnerabilities was CVE-2012-1723, a vulnerability affecting the Java Runtime Environment (JRE) component in Oracle Java SE 7 which first emerged in 2012. ZDNet shared that CVE-2013-0431, a bug in JRE, and CVE-2013-1493, a flaw in Oracle Java, also made the list.
Other Low-Hanging Fruit Targeted by Attackers
Vulnerabilities might be the most common low-hanging fruit leveraged by attackers to target organizations without robust security postures. But they’re not the only weakness of this kind. Several others are described below.
- Remote employees in an age of hybrid/remote work – As noted by BeyondTrust, many employees who work remotely use their own devices and/or Wi-Fi networks to fulfill their job duties. That includes accessing and interacting with company assets hosted in the cloud. The problem is that IT and security can only do so much to enforce the security of those devices and networks. Indeed, it’s possible that multiple people are sharing those devices and networks within the same household, thus raising the risk of a compromise. In the absence of other security measures like access controls, malicious actors might use those devices and networks to gain a foothold into the organization’s systems.
- Operational technology – As part of their digital transformation journeys, many industrial organizations are bringing together their Information Technology (IT) and Operational Technology (OT) environments. Not all OT systems are updated or patched, however. Some aren’t even capable of receiving fixes remotely. Malicious actors can exploit these shortcomings to establish a foothold in an organization’s infrastructure and disrupt its physical processes. They need only compromise the IT side first, through a ransomware attack or a similar offensive, and then use those assets’ link to the IT network to reach them.
- Employees in general – The digital threat landscape is evolving in such a way that employees can’t keep up with new risks to their organizations. Security awareness training can help, but people are fallible, and malicious actors are committed to devising new techniques to prey on human weakness. This helps to explain why phishing remains such a prevalent attack category. Phishers don’t need the expertise to exploit a technical vulnerability. They just need to craft a convincing lure that tricks an employee into taking an action that advances the attack.
- Small- to medium-sized businesses – Finally, attackers set their sights on small- to medium-sized businesses (SMBs) for ransomware campaigns and other malicious activity. For example, a 2021 study found that 43% of ransomware victims were SMBs, wrote Forbes. Some SMBs assume that they’re too small to be targeted, so they might not prioritize their cybersecurity efforts. Additionally, SMBs don’t always have the budget to invest in cybersecurity, thus leaving them at greater risk of attack.
What This Means for Digital Defense
It’s true that malicious actors can use their knowledge of the low-hanging fruit to prey upon organizations with weak security postures. However, organizations can simultaneously work to address those areas of potential weakness so that they can raise the effort needed to successfully target them. They can do this by investing in a vulnerability management program that prioritizes security weaknesses and fixes them based upon their individual business risk, segmenting their IT and OT networks, and combining security awareness training with anti-phishing measures.
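The risk-based prioritization mentioned above can be made concrete. The following is an added example, not ITEGRITI’s method or tooling: it scores findings by CVSS weighted with asset business impact, then adds bumps for the factors this article highlights (reported in-the-wild exploitation, vulnerability age, OT placement, and assets that can’t be patched remotely). The weights, asset names, CVSS values and the placeholder CVE are constructed for illustration; only the four CVE identifiers come from the article.

```python
from dataclasses import dataclass

# Constructed set: the CVEs this article reports as exploited in the wild.
KNOWN_EXPLOITED = {"CVE-2017-11882", "CVE-2012-1723",
                   "CVE-2013-0431", "CVE-2013-1493"}

# Illustrative weights (assumption, tune to your own risk appetite).
EXPLOITED_BONUS = 20      # reported exploitation outweighs raw severity
AGE_CAP_YEARS = 10        # one point per year unpatched, capped
OT_BONUS = 10             # physical-process impact if disrupted
NO_REMOTE_PATCH_BONUS = 5 # needs a site visit / maintenance window


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float              # base score 0-10 (constructed values here)
    published: int           # year the CVE was disclosed
    business_impact: int     # 1 (low) .. 5 (critical), set by asset owner
    ot_asset: bool = False
    remotely_patchable: bool = True


def priority_score(f: Finding, reference_year: int = 2021) -> float:
    """Higher score = fix sooner. Severity is scaled by business impact,
    then adjusted for the low-hanging-fruit factors the article describes."""
    score = f.cvss * f.business_impact                 # 0 .. 50
    if f.cve in KNOWN_EXPLOITED:
        score += EXPLOITED_BONUS
    score += min(max(reference_year - f.published, 0), AGE_CAP_YEARS)
    if f.ot_asset:
        score += OT_BONUS
    if not f.remotely_patchable:
        score += NO_REMOTE_PATCH_BONUS
    return round(score, 1)


def remediation_queue(findings, reference_year: int = 2021):
    """Return findings ordered by descending priority."""
    return sorted(findings, reverse=True,
                  key=lambda f: priority_score(f, reference_year))


# Constructed sample inventory (asset names and CVSS values are made up).
SAMPLE = [
    Finding("finance-ws-07", "CVE-2017-11882", 7.8, 2017, 4),
    Finding("plc-gateway-02", "CVE-2012-1723", 10.0, 2012, 5,
            ot_asset=True, remotely_patchable=False),
    Finding("lobby-kiosk-01", "CVE-2013-0431", 10.0, 2013, 1),
    # Placeholder CVE: recent, critical CVSS, but no reported exploitation.
    Finding("dev-vm-12", "CVE-PLACEHOLDER-0001", 9.8, 2021, 2),
]
```

Running `remediation_queue(SAMPLE)` puts the decade-old OT finding first and the brand-new, high-CVSS finding on a low-impact dev box last, which is the ordering the article’s evidence argues for.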
All this can be difficult for some organizations to do on their own, however. That’s where ITEGRITI comes in. The advisory firm provides customers with different types of services that will align their cybersecurity programs to enterprise risks, thus helping them to avoid data breaches and other costly security incidents. For example, it helps customers create processes, tools, and information for incident response and recovery; assists customers with their network security architecture design, segmentation, and redundancy; coordinates secure asset configuration and hardening across all types of environments including OT; as well as uses source and file validation and implementation to streamline security patching. What’s more, ITEGRITI’s team members use their experience to help customers navigate their regulatory compliance obligations by instituting organizational change management and designing processes for key IT functions.
Eliminate your organization’s low-hanging fruit with ITEGRITI today.