Tackling Vulnerabilities & Errors Head-on for Proactive Security

As attack surfaces increase, partner networks widen, and security teams remain stretched, vulnerabilities and errors continue to be a daunting challenge.

Rodman Ramezanian, Global Cloud Threat Lead, Skyhigh Security

August 9, 2024


COMMENTARY

In its latest "Data Breach Investigations Report," Verizon made the lighthearted, Taylor Swift-inspired quip that it's "entering its vulnerability era." Why? Verizon's new data found that hackers exploited vulnerabilities to initiate breaches at nearly triple the rate seen in its last report. While this tactic is still less popular than credential-based or phishing attacks, the exploitation of vulnerabilities in software, supply chains, and basic human nature is on the rise and should be a top concern for cybersecurity leaders.

When coupled with what Verizon is calling an "error renaissance" — based on seeing approximately five times as many error-related breaches in 2024 as it saw in 2023 — there's growing urgency for all parties, from software vendors to security teams to end users, to more quickly identify and remediate weaknesses to seal out hackers. If these issues aren't addressed, organizations will be leaving their doors wide open to bad actors who are increasingly keen on using vulnerabilities to their advantage.

Managing Vulnerabilities: More Critical, Yet More Difficult, Than Ever

Organizations face an uphill battle when it comes to vulnerability management. In large part, this boils down to security risks becoming increasingly diverse — and some more controllable than others. For instance, while security teams work to develop and enforce consistent policies and data protections across all vectors, factors like Shadow IT can undermine these efforts. Looking externally, vulnerabilities introduced by software vendors or third-party partners can also wreak havoc on organizations. As companies' attack surfaces increase with new platforms and services, there are more places and opportunities for vulnerabilities to arise. To further complicate the matter, once security teams find vulnerabilities, many can't patch them quickly enough to beat the hackers. Ideally, fewer vulnerabilities would exist in the first place, but until we reach that utopia, data can help leaders understand where best to focus their efforts.

Risks Posed by Software and Partner Ecosystems

The 180% increase in vulnerability exploitation since last year's "Data Breach Investigations Report" is proof that this tactic is becoming more widespread among threat actors. The MOVEit breach of 2023 shows how ransomware and extortion-related hackers can run wild with zero-day vulnerabilities, in particular. As vendors take action to secure other popular avenues of attack, such as credentials, by implementing features like multifactor authentication and stronger access controls, hackers are being forced to concentrate their efforts elsewhere. These actors know that by dedicating enough resources to researching their targets, in some cases aided by AI tools, they're likely to find a vulnerability in their target's software, supply chain, or employee base.

Interestingly, most software vulnerabilities aren't net-new and fall into classes of weaknesses we've been aware of for decades. This is cause for optimism: there's an opportunity to learn from the past and start proactively designing software to prevent common vulnerabilities from the get-go. Getting more software vendors to join forces with the Cybersecurity and Infrastructure Security Agency (CISA) and prioritize the security of their products will be key to decreasing the number of zero-day exploits in the years to come. But the responsibility of preventing these attacks doesn't fall only on software vendors; organizations also need to thoroughly vet their technology partners and apply patches to the applications in their tech stacks as soon as they become available.

Another common place that hackers look for vulnerabilities is along companies' supply chains. This approach often reaps results for threat actors, since many large organizations work with hundreds or thousands of third-party vendors. Managing risks across these expansive ecosystems is a known challenge, and it only takes one attack to cause a ripple effect across the entire interconnected chain. To mitigate supply chain attacks, organizations need to optimize their processes for third-party risk management and establish that their partners' security is up to par.

Accounting for Human Fallibility

It's an old saying that humans are the weakest security link. Even if companies verify their technology is secure and thoroughly vet the security stance of their partners, they can't underestimate the risks associated with employees and human error. In this year's "Data Breach Investigations Report," Verizon found that even after excluding cases of malicious privilege misuse, the "human element" was a component of 68% of the breaches analyzed. Breaches involving the human element could stem from an employee falling for a phishing email or publishing content for the wrong audience, or from a host of other miscellaneous errors. But one thing's clear: human error is up, so organizations need to increase their employees' vigilance and awareness of threats. This is especially necessary to combat careless errors, such as unsecured laptops left on trains or sensitive emails sent to the incorrect recipient. Leaders across sectors should ensure they have the proper security controls in place to reduce the incidence and consequence of human errors as much as possible.

Steps for More Proactive Security

With vulnerability exploitation and mistakes occurring at alarming rates, security leaders need to foster a culture of proactive and effective error-catching. Steps to do so include, but are not limited to:

  • Using software and applications that are secure by design and up to date

  • Assessing and managing the security posture of third-party vendors

  • Continuously training employees to recognize prevalent social engineering attacks and encouraging them to reduce careless errors

  • Segmenting networks and internal assets to limit access and contain potential breaches

  • Tapping into newer capabilities like automated posture management to curb the impact of errors and misconfigurations and streamline security

As companies' attack surfaces increase, partner networks widen, and security teams remain stretched thin, vulnerabilities and errors will continue to be a daunting challenge to overcome. However, while the above steps are only the tip of the iceberg, they will go a long way toward preventing vulnerabilities or human missteps from resulting in the next big breach.

About the Author

Rodman Ramezanian, Global Cloud Threat Lead at Skyhigh Security, has more than 11 years of extensive cybersecurity experience. Rodman specializes in the areas of adversarial threat intelligence, cybercrime, data protection, and cloud security. He is an Australian Signals Directorate (ASD)-endorsed IRAP Assessor, currently holding CISSP, CCSP, CISA, CDPSE, Microsoft Azure, and MITRE ATT&CK CTI certifications.
