Traditional computer security concerns itself with vulnerabilities. We employ antivirus software to detect malware that exploits these vulnerabilities. We have automatic patching systems to fix vulnerabilities. We implement next-generation detection and remediation devices to identify and stop attacks. This is all important, but what's missing is a recognition that software vulnerabilities aren't the most common attack vector: credential stealing is.
The most common way hackers of all types, from criminals to hacktivists to foreign governments, break into networks is by stealing and using valid credentials. Basically, they steal passwords, set up man-in-the-middle attacks to piggy-back on legitimate logins, install malware on user devices, or engage in cleverer attacks to masquerade as authorized users. It's a more effective avenue of attack in many ways: it doesn't involve finding a zero-day or unpatched vulnerability, there's less chance of discovery, and it gives the attacker more flexibility in technique.
In essence, zero-day vulnerabilities are overrated, and credential stealing is how cyber criminals get into networks. For big corporate networks, persistence and focus will get an attacker in without a zero-day; there are so many other vectors that are easier, less risky, and more productive. Stealing a valid credential and using it to access a network is easier, less risky, and ultimately more productive than using an existing vulnerability, even a zero-day.
Our notions of defense need to adapt to this change. First, organizations need to beef up their authentication systems. There are lots of techniques that help here: two-factor authentication, one-time passwords, physical tokens, smartphone-based authentication, and so on. None of these is foolproof, but they all make credential stealing harder.
Second, organizations need to invest in breach detection and, most importantly, incident response. Credential-stealing attacks tend to bypass traditional IT security software. But attacks are complex and multi-step. Being able to detect them in process, and to respond quickly and effectively enough to kick attackers out and restore security, is essential to resilient network security today.
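Detecting a stolen credential in use means looking at authentication events rather than at malware signatures. The following is an added example, not code from the original post: two simple detections run over a handful of constructed login records (the log format, field names, IP addresses, user names and thresholds are all assumptions made for the example). The first flags a single source address that successfully authenticates as several distinct users in a short window; the second flags one account that logs in from two different countries within an interval too short for the user to have travelled. Both are the kind of signal that traditional vulnerability-centric tooling never sees, because every login in the sample is a valid credential being used.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log, one event per line (assumed format,
# not from any real system). The first address authenticates as four different
# users within minutes; "frank" logs in from Germany and then Brazil 20 minutes apart.
SAMPLE_LOG = """\
2024-05-01T08:00:05Z user=alice ip=203.0.113.10 country=US result=success
2024-05-01T08:01:10Z user=bob ip=203.0.113.10 country=US result=success
2024-05-01T08:02:30Z user=carol ip=203.0.113.10 country=US result=success
2024-05-01T08:03:45Z user=dave ip=203.0.113.10 country=US result=success
2024-05-01T08:05:00Z user=erin ip=203.0.113.10 country=US result=failure
2024-05-01T09:00:00Z user=frank ip=198.51.100.7 country=DE result=success
2024-05-01T09:20:00Z user=frank ip=192.0.2.44 country=BR result=success
2024-05-01T10:00:00Z user=alice ip=203.0.113.99 country=US result=success
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value key=value ...' into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def shared_source_logins(records, window=timedelta(minutes=10), min_users=3):
    """Flag source IPs that successfully log in as >= min_users distinct
    accounts inside any sliding window of the given length.
    Returns a list of (ip, sorted list of users seen in the first such window)."""
    by_ip = defaultdict(list)
    for r in records:
        if r["result"] == "success":
            by_ip[r["ip"]].append((r["ts"], r["user"]))
    flagged = []
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.append((ip, sorted(users)))
                break  # one finding per IP is enough
    return flagged


def location_jumps(records, max_gap=timedelta(hours=1)):
    """Flag accounts whose consecutive successful logins come from different
    countries less than max_gap apart (a crude 'impossible travel' check).
    Returns a list of (user, from_country, to_country, gap)."""
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "success":
            by_user[r["user"]].append((r["ts"], r["country"], r["ip"]))
    flagged = []
    for user, events in by_user.items():
        events.sort()
        for (t1, c1, _), (t2, c2, _) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= max_gap:
                flagged.append((user, c1, c2, t2 - t1))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, users in shared_source_logins(recs):
        print(f"shared source {ip}: {', '.join(users)}")
    for user, c1, c2, gap in location_jumps(recs):
        print(f"location jump for {user}: {c1} -> {c2} in {gap}")
```

On the sample, only 203.0.113.10 and frank are reported; alice's later login from a second address in the same country is left alone, which is the point of comparing countries rather than raw addresses. Real deployments tune the window and threshold per environment (shared NAT egress addresses and VPN concentrators will otherwise produce constant noise) and feed the findings into the incident response process the text describes rather than treating them as verdicts.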
Finally, organizations need to seriously invest in focused, relevant and continuously run security awareness programs: programs that concentrate on the areas that need them most, use personalised and relevant materials, run continuously, and are backed up by reinforcement materials. An awareness program focused only on compliance can never really succeed in changing behaviour or improving security.
Vulnerabilities are still critical. Fixing vulnerabilities is still vital for security, and introducing new vulnerabilities into existing systems is still a disaster. But strong authentication, robust incident response and correctly run security awareness programs are also critical. And an organization that skimps on these will find itself unable to keep its networks secure.