Even the bad guys and bad girls have some smarts. They know enough to use what works. This is definitely true when it comes to cybersecurity. So my question is why don’t we?
Kaspersky released its 2013 annual report last month. It contains various cybersecurity highlights from which we can learn. Unless companies and individuals remain vigilant, some of these highlights will likely be highlights again in Kaspersky’s 2014 report.
The one that jumps out to me the most is software vulnerability. When basic software used my most PCs is not updated in a timely manner, this leaves the door wide open for hackers to have their way. Java is a prime example of this as explained in the bulletin:
“ Cybercriminals have continued to make widespread use of vulnerabilities in legitimate software to launch malware attacks. They do this using exploits—fragments of code designed to use a vulnerability in a program to install malware on a victim’s computer without the need for any user interaction. This exploit code may be embedded in a specially-crafted e-mail attachment, or it may target a vulnerability in the browser. The exploit acts as a loader for the malware the cybercriminal wishes to install. . . . Cybercriminals focus their attention on applications that are widely-used and are likely to remain unpatched for the longest time—giving them a large window of opportunity through which to achieve their goals. In 2013, Java vulnerabilities accounted for around 90.52% of attacks . . . . This follows an established trend and isn’t surprising. Java is not only installed on a huge number of computers (3 billion, according to Oracle), but its updates are not installed automatically. . . . To reduce their ‘attack surface’, businesses must ensure that they run the latest versions of all software used in the company, apply security updates as they become available and remove software that is no longer needed in the organization. ” (pp. 17–18)
These are startling statistics and excellent—albeit basic—advice. Unfortunately, the relative success of the hackers reveals the inattentiveness of many businesses and individuals.
A basic principle of warfare is that we should know our enemy and know ourselves. It seems we are falling down on both counts.