The number of breaches that originate with an unpatched vulnerability is likely underestimated

Are the Number of Vulnerability-Originated Breaches Being Underestimated?

Blog writer disclaimer: the opinion expressed in this post is based on anecdotal evidence and unquestionably serves the self-interest of the author and his company.

OK…now that I’ve gotten that out of the way, I have a bone to pick. I was reading an article in SCMedia about a VMware vulnerability that appears to be the source of a number of network compromises. CISA, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, estimates that over 3,200 servers have been compromised globally as a result of this vulnerability. Wow.

So here’s my issue: I’ve heard of exactly one reported breach (the Florida Supreme Court) that has been attributed, by name, to this apparently ubiquitous vulnerability. One. But then again, silence is golden. From the same article linked here:

“A dozen universities contacted by Reuters, including the Georgia Institute of Technology in Atlanta, Rice University in Houston and institutions of higher learning in Hungary and Slovakia, did not immediately return messages seeking comment.”

As I work in this space, and am always on the lookout for relevant content, I scour reports, subscribe to newsletters, read security blog posts, and generally consume breach information wherever I can get it. What I’ve discovered is that 1) it’s rare for any breach report to include the root cause or initial access vector used by the bad guys, and 2) when it is reported, it’s nearly always attributed to phishing or some other form of “human error.”

Hmmm.

Countless articles attribute 70, 80, or 90 percent of breaches to that indispensable (“our employees are our greatest asset”), yet oft-maligned figure in cybersecurity, the human. Misconfigurations (careless humans), phishing (stupid humans), disgruntled employees (bitter humans), social engineering (gullible humans)…these are the breach causes most often enthusiastically offered by organizations that suffer breaches on the rare occasions any initial infiltration source is offered. Again…hmmm.

To wit:

82% of data breaches involve a human element or the use of stolen credentials.

90% of security breaches in companies are a result of phishing attacks.

95% of security breaches result from human error.

(collecting these via Google search took about 10 minutes)

Pretty compelling, huh? But I’m wondering (aloud) if maybe something is missing from the analysis that underpins these stories and studies: are 90% of all breaches the result of phishing? Or, perhaps more credibly, is it that 90% of all breaches for which the initial access vector is disclosed are the result of phishing?

Think about it. Enterprises might be required to disclose a breach publicly (if data has been compromised), but they’re certainly not required to reveal the cause of the breach. So, when they do decide to do so, voluntarily, is it possible they’re cherry-picking the breaches that deflect blame to the unassailable “human factor”, and are electing not to disclose those breaches that result from an unpatched vulnerability so old that its “zero-day” status expired when we were all still attending Zoom weddings? The former (dumb employees) is completely understandable and nearly impossible to eliminate…the latter (a 2-year-old unpatched vulnerability) is, well, f’ing embarrassing.

To be clear, this is not another sanctimonious “just patch, you idiots” blog. Quite the opposite. There are legitimate reasons why many organizations haven’t patched the VMware vulnerability in 2 years, and it’s not because they’re lazy, stupid, negligent or otherwise incompetent. Patching is the red-headed stepchild of vulnerability management (and cybersecurity more broadly), and few tools have been built to alleviate the very real pain of the patching process. The task remains unsexy and not exactly a career-maker (see our FutureCon blog where one grizzled IT veteran implied he’d rather spend a month in an ISIS prison camp than return to his former role on a vulnerability remediation team…I’m exaggerating the sentiment, but not by much).

I’m simply suggesting that it’s possible – and would be 100% consistent with human nature and the laws of public relations – that the role unpatched vulnerabilities are playing in the acceleration of successful cyber attacks may be underreported, and that companies communicate messages that serve their self-interests…much like this blog.