Businesses are investing record sums into cybersecurity provisions at present, on software and services which purport to protect their data and tech stacks
In 2021 alone, global security and risk management spending reached an all-time high of $150.4 billion, having grown 12.4 percent in just one year. But it would be a mistake for companies to think that just because they are devoting more money to protect their businesses from cyberattacks, they can rest easy.
The reality is that businesses simply aren’t getting bang for their buck – and in fact, they are suffering from the same old breaches.
Common vulnerabilities often come down to unresolved issues regarding Active Directory (AD), the database and service administrators use to manage permissions and access to network resources. When looking to boost cyber defences and weed out vulnerabilities, businesses should begin with their Active Directory – because cyber criminals will absolutely do so as well!
Groundhog Day for businesses
As many penetration testers (or pen testers for short) will tell you, businesses are showing the same vulnerabilities on a repeated basis, no matter how advanced a company’s technology stack is.
Active Directory from Microsoft is a popular choice for organisations to carry out essential business functions, but unfortunately also a popular target for hackers to get a foothold into the company’s networks, mainly because the attack surface it carries is so vast. Think of the sheer number of devices and networks a typical business uses, and all of the data which could be at risk from just one exploit in their Active Directory, when spotted by a single hacker.
Relying on old hardware can effectively cancel out much of the spending poured into security and risk services, because the older the hardware or system, the more enticing and vulnerable it can appear to hackers. These malicious actors are well-versed in the types of exploits older systems offer and have had plenty of time to perfect how to break into them, allowing them to use a simple ‘point and shoot’ tactic. This tactic, when executed, can grant them near-instant access to system-level privileges on targeted systems.
This is every security team’s worst nightmare come true, but another issue with outdated systems is this: old systems often rely on legacy protocols, which are not compatible with modern authentication techniques and encryption capabilities. This means that, even if a business has a recently-patched Domain Controller (DC) – the server that responds to authentication requests and verifies users on computer networks – it will still have to rely on outmoded, less secure protocols to function if there are other old systems present within the network.
No progress? This is why
In short, most businesses are simply not getting the most out of their cyber security investments, and the problem is largely rooted in outdated operating systems.
In 2020,Deloitte published a report following a survey, which suggested that businesses spent 10.9 percent of their IT budgets on cybersecurity alone. However, by leaving their tech stacks and operating systems untouched for many years potentially, businesses are unintentionally offering hackers a playground in which to roam.
Pen testers such as myself are also concerned about the wider implications of the lack of progress in fixing these breaches, as we find ourselves running the same tests, using familiar hacking techniques from yesterday. As ethical hackers, we need to think like a cyber- criminal; so naturally, when AD vulnerabilities present themselves during a penetration test, it becomes the primary attack vector we investigate and report on.
Yet often, businesses fail to take the lessons on board and so they recur, resulting in no progress. In the meantime, less time and fewer resources can be allocated towards experimentation in penetration testing in order to scratch beneath the surface and identify new ways for businesses to bolster their cyber defences.
The industry is stifled as a result, focusing on attack methods as seen in the rear-view mirror, diverting pen testers from devoting adequate time to exploring the attack methods of today and tomorrow which businesses also need to protect themselves against.
Unlock ROI from cyber security investments
Looking at Active Directory and updating hardware and systems doesn’t just avert the likelihood of a damaging hack attack in the near future; it also opens the door to laying down the foundations of a more proactive cyber security strategy. But AD is just the tip of the iceberg when it comes to ensuring companies make the most out of the investment they are ploughing into security and risk management.
Besides keeping technology stacks in shape, businesses must also ensure their people and process controls are also resilient enough to withstand a breach. In other words, they must ensure employees are aware of the risks and are trained to spot and avoid malicious emails; implement and enforce robust security processes to ensure that any attacks are contained; and get to understand the vulnerabilities within their network, patching these as soon as possible. By focusing on the three pillars of an effective cyber defence – people, process and technology – they can ensure no penny spent on security goes wasted.
About the Author
Paul Cragg is an CTO at Norm Cyber. Established in 2015, norm. is a company on a mission to rid the world of cyber security complexity. We know that for most mid-sized businesses managing cyber risk is a stressful, costly and time-consuming exercise that distracts them from doing whatever it is they do best. That’s why we designed a service that’s easy to deploy, simple to manage and costs significantly less than an in-house function. All the reassurance of complete visibility and control over your cyber risk, without the hassle of managing it yourself.