
Information security and time factor




Time is not on our side


According to Verizon statistics, attackers need on average only a few minutes to break into and compromise a system, whether corporate or departmental, while information security specialists discover that their systems were breached only months later. How real are these numbers? Are they just the usual horror story designed to make us spend more money, or are the figures in fact practically worthless, nothing more than a pretty wrapper? Where can confirmation of these numbers be found? This is exactly what we will consider in this article, looking at the time factor in the context of information security.



The actions of intruders from the point of view of time


If we look at what attackers have been doing lately, we see that, in addition to constantly adapting, adding new functionality and new methods of bypassing protection, they are also concentrating on timing. Security systems are usually built from firewalls, intrusion prevention systems, antivirus, content scanning, and so on.


What do malicious programs do to bypass this whole range of security technologies?


They use completely different mechanisms to bypass protection: constantly changing IP addresses, using one-day websites, daily updates and regularly changing targets, thereby increasing penetration efficiency almost twofold. It is constant modification that makes malicious code more effective.



Useless help with blacklists


According to the data, 71 percent of malicious sites exist for only 1 day or less, which means that attackers have largely switched to one-day websites that live only a few hours. Many traditional approaches to building blacklists of malicious sites unfortunately cannot cope with such churn, because the lists are updated once a day. This means that such protection tools become ineffective.



Time factor


Looked at as a whole, the average time to detect a threat in the information security industry is about 200 days. Threats are updated hourly, and therefore protection should be updated hourly. Protection tools are usually updated once a day or less often, and then, of course, there can be no effective protection system.
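The two sections above make a quantitative claim: a blocklist refreshed once a day cannot catch sites that live only a few hours, while an hourly refresh can. The following is an added example, not code from the original article, that models that claim. Its assumptions are stated in the docstring: the feed provider learns of a site the moment it appears (optimistic), subscribers receive the list only at fixed publication ticks, and the sample sites are constructed, not real data.

```python
"""Added example (not from the original article): how blocklist update cadence
interacts with the lifetime of short-lived malicious sites.

Model (an assumption of this example): a malicious site appears at hour t0 and
stays up for `lifetime` hours. The feed provider learns about it immediately,
but subscribers only receive a new list every `update_interval` hours
(at t = 0, U, 2U, ...). A site is "covered" only from the first list
publication after t0 until it goes offline.
"""
import math


def protected_fraction(t0: float, lifetime: float, update_interval: float) -> float:
    """Fraction of the site's lifetime during which subscribers actually block it."""
    if lifetime <= 0 or update_interval <= 0:
        raise ValueError("lifetime and update_interval must be positive")
    # First publication tick at or after the site appeared.
    publish_at = math.ceil(t0 / update_interval) * update_interval
    offline_at = t0 + lifetime
    covered = max(0.0, offline_at - publish_at)
    return min(1.0, covered / lifetime)


def coverage(sites, update_interval: float):
    """Return (average protected fraction, share of sites blocked at all before
    they went offline) for a list of (t0, lifetime) pairs."""
    fractions = [protected_fraction(t0, life, update_interval) for t0, life in sites]
    ever_blocked = sum(1 for f in fractions if f > 0) / len(fractions)
    return sum(fractions) / len(fractions), ever_blocked


# Constructed sample: hour of appearance within a day and lifetime in hours.
# Most entries live under a day, mirroring the "71% live one day or less" figure.
SAMPLE_SITES = [
    (1.0, 6.0), (3.5, 2.0), (8.0, 12.0), (13.25, 4.0), (17.0, 20.0),
    (20.0, 3.0), (2.0, 36.0), (9.0, 72.0),
]

if __name__ == "__main__":
    for hours in (24, 6, 1):
        avg, ever = coverage(SAMPLE_SITES, hours)
        print(f"update every {hours:>2}h: avg protected {avg:.0%}, ever blocked {ever:.0%}")
```

With the constructed sample, a daily list blocks only three of the eight sites at all and protects them for about 23% of their combined lifetime; an hourly list blocks all eight and protects about 95% of it. The model is deliberately generous to the feed (instant discovery), so real coverage at a daily cadence is lower still.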






Time and you


But in addition to the protection tools themselves and their manufacturers, who should pay serious attention to the time factor, there are also the information security services. They too should not turn a blind eye to this problem, and should not expect all their problems to be solved by the manufacturers whose products they purchased.



Lack of detection


According to the Verizon report, the time it takes to compromise systems is decreasing, while the time to discover that fact is, on the contrary, increasing. Consequently, there is a detection deficit. In 60 percent of cases, attackers penetrated corporate or departmental networks within a minute. Almost no protection tool can detect an attacker within such a time interval. According to statistics collected around the world, including in Russia, the average time to detect a network breach is usually several months. Unfortunately, this figure has not decreased in recent years.






Invisible hacking


If we look at the reports of other companies, we again see two hundred days. All these days the systems remain compromised and unprotected; that is, attackers are running the systems of almost any organization. The longest incident lasted 2287 days, meaning the company was compromised for more than two thousand days. For almost seven years the company did not see and did not know that it was hacked, because it used approaches built on old principles that no longer apply in the field of building information security.



The simplest is the most effective.


According to the Verizon report reviewed above, on average 50 percent of users open an email and click on a phishing link within the first hour of receiving it. Are protection tools ready to deal with clicks on phishing links? Are they ready to counteract this? For 99.9% of exploited vulnerabilities, the CVE bulletin was published more than a year before the vulnerability was exploited. That is, in the absolute majority of cases, attackers use already known vulnerabilities that someone simply forgot to close.



Large time interval


According to a NopSec report, the average time to remediate vulnerabilities in various industries is dozens of days. In educational institutions and financial organizations it is 176 days; in health care it is 3 months. For cloud providers the situation is a little better, 50 days to fix vulnerabilities, but this is also a very long interval.



Slow elimination


If we consider where vulnerabilities remain unfixed the longest, it turns out that on the external perimeter (at the network level) vulnerabilities are removed very slowly. And it is through the network layer, not the application layer as is often assumed, that attackers make their penetrations.






Open vulnerabilities


For web applications in general, whether at a finance company, an IT company, a retailer, a health care or a manufacturing company, vulnerabilities on companies' web sites have remained unresolved for the last two years or more and can be used by attackers for "black" purposes: to compromise nodes, to steal data and possibly to penetrate the organization's internal networks.



What is the reason?


There is one reason: information technology and information security services work much slower than attackers. The probability of a vulnerability being exploited in the first 40-60 days reaches 90 percent, while its elimination takes 100-120 days. This produces a rather large gap, about two months, during which the vulnerability has already been exploited but the company has not even thought about eliminating it and fixing the vulnerable systems. That is, for almost two months the company is in a compromised state, because the attackers exploited the vulnerability in the first 40-60 days.
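The remediation times quoted from the NopSec report and the "exposure gap" described in this section are metrics an organization can measure for itself. The following is an added example, not code from the original article, that computes them from a constructed vulnerability inventory: for each finding it records the advisory date, the date exploitation was first observed (if known) and the fix date (or none, if still open). All asset names, dates and the VULN-000x identifiers are constructed placeholders, not real CVEs.

```python
"""Added example (not from the original article): measuring time-to-remediate
and the "exposure gap" (days a vulnerability was already exploited in the wild
but not yet fixed) over a constructed vulnerability inventory."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Finding:
    asset: str
    vuln_id: str                # placeholder identifier, not a real CVE
    published: date             # advisory / CVE publication date
    exploited: Optional[date]   # first in-the-wild exploitation seen, if any
    remediated: Optional[date]  # None while the finding is still open


def days_to_remediate(f: Finding, today: date) -> int:
    """Days from advisory publication to the fix (or to `today` if still open)."""
    return ((f.remediated or today) - f.published).days


def exposure_gap(f: Finding, today: date) -> int:
    """Days the finding was exploited-in-the-wild but unremediated.
    Zero if exploitation was never seen or the fix landed before it began."""
    if f.exploited is None:
        return 0
    end = f.remediated or today
    return max(0, (end - f.exploited).days)


def summarize(findings, today: date, sla_days: int) -> dict:
    """Mean time to remediate, mean exposure gap, and assets breaching the SLA."""
    ttr = [days_to_remediate(f, today) for f in findings]
    gaps = [exposure_gap(f, today) for f in findings]
    breaches = sorted({f.asset for f, d in zip(findings, ttr) if d > sla_days})
    return {
        "mean_ttr_days": mean(ttr),
        "mean_gap_days": mean(gaps),
        "sla_breaches": breaches,
    }


# Constructed reference date and inventory (illustrative values only).
TODAY = date(2016, 12, 1)
INVENTORY = [
    Finding("web-01", "VULN-0001", date(2016, 6, 1),  date(2016, 7, 15), date(2016, 9, 20)),
    Finding("db-02",  "VULN-0002", date(2016, 8, 10), None,              date(2016, 8, 30)),
    Finding("vpn-01", "VULN-0003", date(2016, 5, 5),  date(2016, 6, 20), None),
    Finding("web-02", "VULN-0004", date(2016, 10, 1), date(2016, 11, 25), date(2016, 11, 10)),
]

if __name__ == "__main__":
    report = summarize(INVENTORY, TODAY, sla_days=90)
    for f in INVENTORY:
        print(f"{f.asset:7} {f.vuln_id}: ttr={days_to_remediate(f, TODAY):4d}d "
              f"gap={exposure_gap(f, TODAY):4d}d")
    print(report)
```

On the constructed data the mean time to remediate is 95.25 days and the mean exposure gap 57.75 days, with two assets past a 90-day SLA; the still-open finding on the VPN gateway dominates both numbers, which is the "external perimeter fixed slowest" pattern the article describes.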



Do you have an update strategy?


If we look at the situation with Heartbleed, versions of OpenSSL and a number of other libraries vulnerable to it remained unprotected for several years, and all this time the software built on SSL was vulnerable. This is because IT and information security services lag behind attackers, who more quickly research vulnerable software and develop exploits that let them use "holes" in various systems and organizations. And few people pay serious attention to eliminating vulnerabilities or to using special technologies: virtual patches, or technologies that block attempts to use a particular vulnerability when a patch has not yet been developed for it.
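To make the "virtual patch" idea concrete, here is an added example, not code from the original article, of the kind of record-level check a gateway could apply in front of an unpatched TLS server. It uses Heartbleed, which the section mentions, as the case: the bug was a missing bounds check on the heartbeat message's declared payload length, so the defensive rule is simply to drop any heartbeat record whose declared payload (plus the minimum padding RFC 6520 requires) does not fit inside the record. The TLS record and heartbeat layouts are from the TLS and RFC 6520 specifications; the sample records are constructed by hand, and the `make_heartbeat` builder exists only to produce test input for the check.

```python
"""Added example (not from the original article): a record-level "virtual patch"
that rejects heartbeat records whose declared payload cannot fit in the record.

TLS record header: content_type(1) version(2) length(2), big-endian.
Heartbeat message (RFC 6520): type(1) payload_length(2) payload padding(>=16).
"""
import struct

TLS_HEARTBEAT = 0x18      # TLS record content type for heartbeat messages
TLS_APPDATA = 0x17        # application data, used here only as a pass-through sample
MIN_PADDING = 16          # RFC 6520: padding_length MUST be at least 16


def inspect_record(record: bytes) -> str:
    """Classify one TLS record: 'pass', 'drop' (bad heartbeat) or 'malformed'
    (record shorter than its own header claims)."""
    if len(record) < 5:
        return "malformed"
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) < length:
        return "malformed"
    if content_type != TLS_HEARTBEAT:
        return "pass"                 # only heartbeat records are inspected
    if len(body) < 3:
        return "drop"                 # cannot even hold type + payload_length
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    if hb_type not in (1, 2):         # 1 = heartbeat_request, 2 = heartbeat_response
        return "drop"
    # A vulnerable implementation trusts payload_length; we require that the
    # declared payload plus the mandatory padding actually fits in the record.
    # RFC 6520 says such messages MUST be discarded, so dropping is spec-conforming.
    if 3 + payload_length + MIN_PADDING > len(body):
        return "drop"
    return "pass"


def make_heartbeat(declared_len: int, payload: bytes, padding: bytes = b"\x00" * 16) -> bytes:
    """Build a heartbeat_request record for testing; declared_len may disagree
    with the real payload so the check can be exercised (constructed input)."""
    body = struct.pack("!BH", 1, declared_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed sample records.
WELL_FORMED = make_heartbeat(4, b"ping")
OVERSIZED = make_heartbeat(0xFFFF, b"ping")            # declares far more than it carries
UNDER_PADDED = make_heartbeat(4, b"ping", b"\x00" * 8)  # violates the 16-byte padding rule
APP_DATA = struct.pack("!BHH", TLS_APPDATA, 0x0302, 5) + b"hello"
TRUNCATED = struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, 50) + b"abc"

if __name__ == "__main__":
    for name, rec in [("well-formed", WELL_FORMED), ("oversized", OVERSIZED),
                      ("under-padded", UNDER_PADDED), ("app-data", APP_DATA),
                      ("truncated", TRUNCATED)]:
        print(f"{name:12} -> {inspect_record(rec)}")
```

The point is not the specific bytes but the shape of the control: the check encodes the invariant the patch restores (declared length must fit the record) and enforces it outside the vulnerable code, which buys time while the library itself is being updated. It inspects plaintext-visible record headers only, so it works on a TLS-terminating proxy or on the server's own accept path, not on encrypted traffic in transit.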



Self update


You cannot "rest on your laurels" and assume that your system is protected and fully operational in the face of the attackers' actions; you should constantly examine your protection system critically and be prepared for attackers to find a way inside the corporate or departmental network. You cannot be sure that the best, most expensive and most advertised product will protect you; it will not.



Completely different means should be used to build a modern security system: an intrusion prevention system, antivirus, content filtering, access control, firewalls, database protection, security scanners, patch management, backup systems. Only a combination of protection tools and protection technologies will give any confidence in the security of your information, applications, infrastructure and business processes.



Change strategy


There is no point in using principles that appeared a few years ago; they are already outdated, not to mention protection that appeared 10 or 20 years ago. Attackers change their strategy, so the information security service must also change its strategy.






Conclusions


In conclusion, we should not close our eyes to the problem: the time factor is very important, attackers respond very quickly to any changes, and their malicious code and their attacks do their dirty work within a minute.



It is necessary to raise the frequency of protection updates to the maximum. Of course, this is not a 100 percent guarantee of detecting malicious code, but it will improve the performance of the information security tools already acquired.



Do not depend on a single product, no matter how good and well advertised it is. Duplication, redundancy and overlapping protection functionality are the key to success in today's fast-changing information security environment.



Not only protect your systems, not only "build a wall" around a certain protected object, but also monitor anomalous activity and suspicious events, and respond to any anomalous events. That is, you need to build the entire life cycle of the protection system: one that can deal with attacks before they reach the protected object, during an attack on it, and that is prepared for the attack to succeed, so that you are able to detect that fact, localize the problem and not let it spread throughout the corporate or private network.



It is necessary to improve your own knowledge and competencies, and not rely on knowledge gained even two or three years ago; it is likely to be outdated. Of course, the basics remain the same, but the technologies generally change much faster.

Source: https://habr.com/ru/post/316256/


