Looking back at some of the most notable cyberattacks of recent years, we are led to reflect that even today many companies, including some very prominent ones, still do not apply effectively the minimum security measures, let's call them "the basics", which should be part of any cybersecurity programme.

Reviewing the weaknesses behind two of the cybersecurity incidents that received the most media coverage in recent years, we observe the following:

Panama Papers. April 2016

The Panamanian law firm Mossack Fonseca suffered the exfiltration of 11.5 million internal documents, bringing to light the involvement of a long list of international personalities in opaque company registrations and in tax evasion.

Weaknesses pinpointed in the IT infrastructure were the following:

•    All of the firm's services were hosted on the same server: customer document access, the public website and email.
•    Outdated WordPress plugin (used by the web portal).
•    Outdated Drupal version with known security bugs. This CMS was used to exchange documents with customers.
•    No password rotation on the web portal's administration account.

WannaCry. May 2017

This worldwide ransomware attack affected, among others, companies such as Telefónica and Iberdrola in Spain and, beyond our borders, organisations such as the British National Health Service, FedEx, Renault and Hitachi.

The ransomware exploits a vulnerability in Microsoft's SMB file-sharing protocol, addressed by security bulletin MS17-010. Microsoft published the update that corrects it in March 2017, two months before the attack. The malware made use of the exploit known as "EternalBlue", attributed to the US National Security Agency (NSA), which works against Windows systems that have not installed that update.

The attack's great impact was due, on the one hand, to the fact that it spread across the network by itself, from one unpatched host to the next; but there is no doubt that its root cause was bad practice in software update management, in this case of the Windows operating system.
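As an added example, not part of the original post, the following PowerShell snippet performs the two local checks that matter for this case on a Windows host: whether one of the MS17-010 updates is installed, and whether the SMBv1 server that EternalBlue targets is still enabled. The KB list is an assumption for the most common Windows versions of the time; on Windows 10 the fix is carried by later cumulative updates, so an absent KB there is not by itself proof of exposure. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): check a Windows host for the two
# conditions WannaCry relied on, a missing MS17-010 update and an enabled SMBv1 server.

# KBs that shipped the MS17-010 fix for common Windows versions (assumption for
# illustration; confirm the KB for your build against the MS17-010 bulletin).
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Patch {
    $present = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($present) {
        Write-Output "MS17-010: installed ($($present.HotFixID -join ', '))"
    } else {
        # On Windows 10 a later cumulative update supersedes these KBs, so check
        # the build's update level before treating this as a finding.
        Write-Output "MS17-010: none of the listed KBs found; verify the cumulative update level"
    }
}

function Test-Smb1Server {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) {
        if ($cfg.EnableSMB1Protocol) {
            Write-Output "SMBv1: ENABLED - disable it unless a legacy client truly needs it:"
            Write-Output "       Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
        } else {
            Write-Output "SMBv1: disabled"
        }
        return
    }
    # Older hosts (Windows 7 / Server 2008 R2): the LanmanServer 'SMB1' value
    # controls it, and SMBv1 is enabled by default when the value is absent.
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    if ($null -ne $params.SMB1 -and $params.SMB1 -eq 0) {
        Write-Output "SMBv1: disabled (LanmanServer\Parameters\SMB1 = 0)"
    } else {
        Write-Output "SMBv1: ENABLED (default on this OS) - set LanmanServer\Parameters\SMB1 to 0 and reboot"
    }
}

Test-Ms17010Patch
Test-Smb1Server
```

The second check is the more robust of the two: with SMBv1 disabled on the server side, EternalBlue has nothing to talk to regardless of which update carries the fix, which is why disabling the protocol is the usual recommendation alongside patching.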

In fact, something as simple and basic as password management, system configuration or software updates could have prevented these and many other cyberattacks. In view of cases like these, we may ask ourselves why companies do not apply this type of security measure more rigorously. Among the possible reasons we could list a deficient cyber risk assessment, the lack of a cybersecurity culture, the prioritisation of other IT activities over security tasks, and even the lack of a methodology.

It is clear that the occurrence of these incidents and their publicity lead to greater awareness of the need to implement security measures, but it is also true that in many organisations, in the absence of coercive elements, and even with some in place such as the mandatory GDPR regulation, cybersecurity practices are reduced to the bare essentials.

It is also true that good aids exist, such as Incibe's cybersecurity decalogue; yet the security measures are still not applied consistently. Perhaps the reason is the difficulty of finding a mechanism that covers every item to consider. For this reason, we bring the contribution of our methodology and rating system back to the table. For example, and it could not be otherwise, these ten basic commandments are widely covered by our control checks, already from the lowest rating levels. In this way, something as simple as rating our own services and/or requiring a rating from our subcontractors would have highlighted these deficiencies and therefore would have allowed their mitigation, and even avoided these incidents to a great extent.


10 April 2018