Cyber security incident after incident demonstrates that organisations are still failing at the basics, and also shows that few are learning from others’ past mistakes, according to Troy Hunt, Pluralsight author and security expert.
“A good example of this is the BrowseAloud compromise that hit thousands of government websites and organisations in the UK and around the world,” he told Infosecurity Europe 2018 in London.
“Despite the fact this had a fairly significant impact, many organisations have not learned the lesson and most websites are not applying a free and easy fix, including those belonging to some UK and US government departments and some major retailers.”
The problem was caused by the corruption of a file in the BrowseAloud website accessibility service that was automatically executed in the browsers of visitors to the site.
In addition to running the BrowseAloud service in the browser, the corrupted file also launched cryptocurrency mining software to enable the attackers to tap into the computing resources of visitors to affected sites to mine Monero cryptocurrency for the benefit of the attackers.
“This can be stopped with the use of a content security policy (CSP), which is just a few lines of code organisations can add free of charge to their websites to ensure that only approved scripts run automatically when they use third party services like BrowseAloud,” said Hunt.
“Despite the incident highlighting this issue, barely anyone is using CSPs. In fact, only 2.5% of the world’s top one million websites currently use CSPs to defend against rogue content,” he said.
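To make concrete what "only approved scripts run" means, here is a simplified model of how a browser evaluates the script-src allow-list in a Content-Security-Policy header. This is an added example, not code from the article or from BrowseAloud; the page origin, the accessibility-widget host and the unlisted miner host are constructed placeholders, and the matcher implements only host, scheme, 'self' and 'none' sources (real CSP also has nonces, hashes and 'strict-dynamic', which are not modelled).

```python
"""Minimal Content-Security-Policy script-src evaluator (added example).

Shows why an allow-list of script origins confines what a compromised
third-party integration can pull into the page: an external script is
executed only if some source expression in script-src matches its URL.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed values for illustration; none of these hosts is real.
PAGE_ORIGIN = "https://www.example-council.test"
POLICY = ("default-src 'none'; "
          "script-src 'self' https://widget.example-a11y.test; "
          "style-src 'self'")


def parse_policy(policy):
    """Split a CSP header value into {directive: [source expressions]}.
    As in the spec, a repeated directive keeps its first occurrence."""
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _effective_port(scheme, port):
    return port if port is not None else DEFAULT_PORTS.get(scheme)


def _split_host_source(expr):
    """Break '[scheme://]host[:port][/path]' into (scheme, host, port, path)."""
    scheme, rest = None, expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        scheme = scheme.lower()
    hostport, _, path = rest.partition("/")
    path = "/" + path if (path or rest.endswith("/")) else ""
    host, _, port = hostport.rpartition(":")
    if not host:                      # no ':' at all: the whole token is the host
        host, port = hostport, None
    else:
        port = "*" if port == "*" else int(port)
    return scheme, host.lower(), port, path


def source_matches(expr, url, page_origin):
    """True if one CSP source expression allows loading `url` on `page_origin`."""
    u = urlsplit(url)
    page = urlsplit(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return ((u.scheme, u.hostname, _effective_port(u.scheme, u.port)) ==
                (page.scheme, page.hostname, _effective_port(page.scheme, page.port)))
    if expr.startswith("'"):          # nonce/hash/unsafe-* keywords: not modelled here
        return False
    if expr.endswith(":") and "://" not in expr:   # scheme-source such as https:
        return u.scheme == expr[:-1].lower()
    scheme, host, port, path = _split_host_source(expr)
    # Scheme: an explicit scheme must match; otherwise the page's scheme, or an https upgrade.
    if scheme is not None:
        if u.scheme != scheme:
            return False
    elif u.scheme not in (page.scheme, "https"):
        return False
    # Host: exact, or a leading wildcard that matches subdomains only.
    hostname = u.hostname or ""
    if host == "*":
        pass
    elif host.startswith("*."):
        if not hostname.endswith(host[1:]):
            return False
    elif host != hostname:
        return False
    # Port: explicit port must match; no port means the default for the URL's scheme.
    if port != "*":
        expected = port if port is not None else DEFAULT_PORTS.get(u.scheme)
        if _effective_port(u.scheme, u.port) != expected:
            return False
    # Path: a trailing '/' is a prefix match, anything else is exact.
    if path:
        if path.endswith("/"):
            return u.path.startswith(path)
        return u.path == path
    return True


def script_allowed(policy, url, page_origin=PAGE_ORIGIN):
    """Would the browser execute an external script from `url` under `policy`?
    script-src falls back to default-src; no policy at all allows everything."""
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    # Constructed script URLs: the site's own code, the approved widget,
    # a look-alike host, and a script an altered widget might try to load.
    for url in ("https://www.example-council.test/js/app.js",
                "https://widget.example-a11y.test/plus/scripts/ba.js",
                "https://widget.example-a11y.test.attacker.test/ba.js",
                "https://miner.attacker-controlled.test/lib/miner.js"):
        print(f"{'ALLOW' if script_allowed(POLICY, url) else 'BLOCK':5}  {url}")
```

The allow-list confines where scripts may come from; it cannot vouch for the contents of an allow-listed file, which is what a Subresource Integrity `integrity` attribute on the script tag adds. Deploying the policy first as `Content-Security-Policy-Report-Only` shows what would be blocked before anything is enforced.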
Hunt said a cryptocurrency miner was perhaps one of the “most benign” forms of content attackers could have chosen to launch through the compromised BrowseAloud file. “In reality, we got off lightly this time around, but we have not seen any significant action by website owners in response.”
This incident underlines the fact that many websites use services and content from third parties, which represents a security risk because attackers could compromise those in the same way the BrowseAloud file was compromised and execute malicious code through millions of websites.
Compounding the problem, he said, is that most organisations are poor at detecting malicious activity, which was well illustrated by the Sony Pictures cyber attack in 2014. “Various systems were compromised at the same time and different types of data stolen, but the first the company knew of it was when employees attempted to log in and were greeted with a message saying: ‘You’ve been hacked’.”
According to Hunt, who runs the HaveIBeenPwned website that aggregates breached records and makes them searchable for those affected, most organisations have no idea that they have been hacked, and even if they do, they have no idea what data may have been stolen.
“Many of them only find out when they get an email from me telling them that their data is available on the internet,” he said, adding that this underlines the fact that detection is often difficult. “But choosing a breach detection tool can be equally difficult. There are so many suppliers selling breach detection solutions, but it is difficult to work out what actually works.”
Organisations in the dark
Another indicator that organisations are not covering the basics, said Hunt, is that many organisations still have no idea of what company files are exposed to the internet.
According to security firm Varonis, 21% of all company folders are open to anyone on the internet, and of those open folders, 58% contain more than 100,000 files.
In summary, Hunt said organisations need to assess the state of their cyber security and ensure that at the very least they are addressing the basics because simple, well-known attacks are still working.
Organisations also need to understand that it is easier than ever for cyber attackers to make money out of their data thanks to the advent of cryptocurrencies.
Next, organisations need to understand that their websites and those that their employees visit to do their jobs are made up of code from multiple sources, and any one of these could represent a security risk.
And finally, given the difficulty of choosing effective and affordable security solutions, organisations should not overlook those that are free and easy to implement.