by Nick Kael
Posted on July 11, 2023
Let’s start with the usual list:
All well and good – except that people are busy. Distracted. Negligent. Forgetful. Anxious to respond to appeals for assistance. Overwhelmed. In short, human and fallible.
So, when it comes to cybersecurity, the fatal flaw in the to-do list above is that every element requires every single IT manager and user to be completely on board, 100% of the time.
To be blunt: Ain’t gonna happen.
A recent example illustrates this point admirably. And alarmingly.
In early June, Fortinet issued updated firmware for its FortiGate firewall appliances. The update addressed a new critical security issue discovered during a code audit conducted after a previous FortiOS SSL-VPN zero-day vulnerability had been exploited in attacks on government organizations.
Identified as CVE-2023-27997, the second FortiOS vulnerability has an exceptionally high severity score of 9.8 out of 10. It allows authenticated attackers to execute code remotely on devices whose SSL VPN interfaces are exposed on the web.
To protect the hundreds of thousands of its firewall users and enable them to secure their devices before threat actors could create exploits, Fortinet issued patches before disclosing the new vulnerability. In very strong terms, they urged customers – even those that were not operating SSL-VPN – to “take immediate action to upgrade to the most recent firmware release.” Yet even prior to the patch being issued, investigators found that at least one issue had been exploited in a number of cases.
Vulnerabilities happen. Given that fact, Fortinet acted reasonably and responsibly to protect its FortiGate users and enable them to stay ahead of threat actors. But as we all know, people – and even IT professionals – can’t always be counted on to act in their own best interest.
According to security researchers, over 300,000 FortiGate firewall remained both unpatched and reachable over the public internet almost a full month after the updates were issued. Only slightly more than half that number had been updated. Even more concerning, many of the exposed FortiGate devices were running firmware that had reached end-of-life almost nine months ago, and was therefore vulnerable to exploits of both recently disclosed FortiGate zero days.
Anyone who has ever blown through a work or school deadline or paid a late fee for overdue library books (or tax returns!) knows that despite good intentions, life gets in the way of prompt action.
It is simply not realistic to rely on today’s busy, pressured users to distinguish between genuine sign-in requests and the expertly engineered spoofs cybercriminals send. Similarly, IT professionals are simply too busy, and deal with too many interdependent solutions, to be able to patch every appliance or app immediately – or in many cases, even be aware of all the legacy solutions that may still be around.
So while it is important to train users about phishing and malicious downloads, and alert customers to keep up with new versions and patch newly identified zero-day vulnerabilities ASAP, and ensure that all essential elements of the security stack are in place in the organization… all that is just not enough.
With the increasing complexity of security stacks and webification of almost every aspect of our workflows, expecting users to serve as the last line of defense is simply courting disaster. Smart cybercriminals are leveraging this gap with brilliant social engineering ploys and accelerating use of zero-day exploits for ransomware attacks.
Detection-based solutions, even when scrupulously patched and updated, are simply unable to stop zero-day exploits. Similarly, users and even IT security folks cannot be counted on to immediately notice, catch and take proper action on every alert or malicious link that crosses their desk – even critical ones.
As amply demonstrated time and again, the web is the simplest, most effective way for cybercriminals to get to their targets, often with users’ active assistance or not-at-all-benign neglect.
That’s why hands-free prevention through isolation is essential for every business. Ericom isolation-based Web and Email Security and clientless ZTNA solutions airgap endpoints, networks and web apps from the web so that threats can’t get in, without the productivity loss caused by overblocking access or prohibiting use of valuable tools. It stops all web-based threats, even exploits of zero-day vulnerabilities that are yet to be found.
We all aspire to perfection. But in the imperfect world, protection is the option that’s next best. Contact us today to learn more about protecting your business in today’s imperfect cyberspace.
QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.
Malicious cyber activity represents a growing threat to Australia's security and prosperity. Read on for important guidance on protecting your organization.
Risk assessment is a key factor in investment decisions. Now, with SEC disclosure rules in effect, investors can more easily take cyber risk into account.