March Madness, the annual college basketball championship, is here! Whether that means gearing up for the basketball tournament or getting ready to face spring and summer seasons, this is the beginning of a very busy time for a lot of people and organizations. The problem is, it's a busy time for hackers as well. The CIA/Wikileaks revelations have vendors scrambling to patch products. This time of year brings a high volume of identity theft via stolen W2s and other tax records. Let's face it, there is no “off season” for bad actors. So while you’re distracted by the madness within your organization, they are ready to take advantage of your lack of focus and exploit your weaknesses.
I may be (am) a bit of a sports junkie, so March Madness for me is filled with brackets, bets and basketball. However, thinking about this year's tournament, I see several similarities between the tournament and the overload of vulnerabilities hackers are using to exploit our networks. For example:
1. A Large Field of Players:
There are hundreds of basketball teams in the U.S. vying to get to “the big dance” and there are hundreds of thousands of vulnerabilities in existence worldwide trying to get into your network. How teams get into the tournament is based on their record, conference and other determining factors. Vulnerabilities are the same. They get into your network based on your configuration of applications, devices and other network-based solutions.
2. There is a Ranking:
Some teams are better than others – that's why they receive higher seeds in the tournament and go up against perceived weaker teams. Vulnerabilities are ranked too: their CVSS score helps to prioritize which ones should be patched ahead of others.
However, sometimes the underdog gets a win. As I mentioned before, your network is made up of a collection of applications, devices and solutions that are unique and unlike any other in the world. Because of this, vulnerabilities are going to be more or less detrimental to your organization versus someone else’s. You need to understand which vulnerabilities are most important to you based on a combination of CVSS ranking and your own network weaknesses in order to prioritize and patch.
3. The Top Seed has a Known Path to Success:
In the majority of tournaments, the brackets are set where the top seed (aka the best team) starts by playing the bottom seed. While this may seem like an unfair advantage, it's the benefit that comes with being the best. While I love a good upset and I'm usually cheering for the underdog, typically you can take a look at the bracket and see exactly how the top seeds will make their way to the championship.
Applying this same concept to your network, you can do the same thing with vulnerabilities and their attack paths. When you can see into your network and know what applications, identities and devices are connected to each other, you can also see what path a vulnerability might take if it’s able to breach your network. This can also help with prioritization because you’ll be able to tell how many steps it would take for a hacker to reach your privileged information and plan for that. For instance, if a vulnerability in Microsoft Word would take five steps to reach the information in your payroll system, but a vulnerability in Outlook would only take three, which one would you prioritize?
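The step-count comparison above can be worked through in code. This is an added example, not from the original article: it counts the fewest hops from each vulnerable entry point to the payroll system and ranks findings by that distance, then by CVSS. The node names, connectivity map and CVSS scores are all constructed for illustration.

```python
from collections import deque

# Constructed connectivity map: node -> nodes it can reach directly.
# All names are hypothetical placeholders, not from the article.
EDGES = {
    "word-workstation": ["file-share"],
    "file-share": ["print-server"],
    "print-server": ["app-server"],
    "app-server": ["hr-db"],
    "hr-db": ["payroll"],
    "outlook-workstation": ["mail-server"],
    "mail-server": ["hr-db"],
    "kiosk": ["guest-wifi"],
    "guest-wifi": [],
    "payroll": [],
}

# Constructed findings: (name, entry node, CVSS base score).
FINDINGS = [
    ("Word flaw", "word-workstation", 8.8),
    ("Outlook flaw", "outlook-workstation", 7.5),
    ("Kiosk flaw", "kiosk", 9.8),
]

def steps_to(target, start, edges):
    """Breadth-first search: fewest hops from start to target, or None."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == target:
            return dist
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def prioritize(findings, edges, target="payroll"):
    """Rank findings: reachable first, fewer steps first, then higher CVSS."""
    rows = [(name, steps_to(target, entry, edges), cvss)
            for name, entry, cvss in findings]
    return sorted(rows, key=lambda r: (r[1] is None, r[1] or 0, -r[2]))

if __name__ == "__main__":
    for name, steps, cvss in prioritize(FINDINGS, EDGES):
        print(f"{name:14} steps={steps} cvss={cvss}")
```

The constructed kiosk finding has the highest CVSS score but no path to payroll, so it ranks last, while the three-step Outlook path outranks the five-step Word path despite a lower score.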
4. Only One Team Can Win:
During the tournament, all eyes are on the championship trophy. During a breach, all eyes are on your privileged data. While in the tournament, only one team will go home with the championship – but in real life you can fight back to prevent data loss. Breaches are going to happen. However, we can fight back against these bad actors and minimize data loss if we know:
As you settle in to watch this year's tournament, I hope your favorite team does well and your bracket fares better than your friends’. However, when it comes to your network, I hope you’re taking the time to analyze and prioritize your vulnerabilities and properly rank and patch them. Basketball is just a game, but losing privileged data within your network has very real consequences.
About the Author
John Blanchard is a Solutions Engineer at Core Security with over 15 years of experience. He has worked as a Senior Penetration Tester, Cyber Analyst and Forensic investigator in both commercial and government sectors. He holds 22 certifications and has a Bachelor of Science in Information Technology- Security. Over the years, Mr. Blanchard has worked on various security-related Open Source projects in his free time.