- In-depth analysis of Bitdefender’s telemetry from 110,000 endpoints in the first half of 2020 show misconfigurations and human error are the initial cause of majority of cyber-attacks.
- Insider oversight can negate multi-layered security provided by installed products, primarily impacting small and medium-sized companies (SMBs).
- The future of protection against incidents caused by employees involves a mix of products with security services.
Endpoint misconfigurations are responsible for one-third of all security incidents, according to, Bitdefender, which found poor remote management policies account for hundreds of thousands of vulnerable systems. In addition, 93 per cent of employees recycle old passwords, sometimes undercutting the work of security departments. These security incidents are a small fraction of those that could happen in companies that don’t put an emphasis on cybersecurity.
Telemetry from Bitdefender’s Security Intelligence Cloud, which analyses more than 500 million endpoints, reveals these misconfigurations, vulnerabilities together with other security issues, and offers a protective blanket to all systems under its watch.
While pop culture depicts hackers working tirelessly to compromise security systems and break down firewalls, only a handful of attacks require this level of work. In reality, the hackers’ job is much simpler. Employees and misconfigured systems do most of the heavy lifting for these threat actors, creating vulnerable points of attack in organisations. The cyber kill chain is only as strong as its weakest link – which is often its people.
Companies may be tempted to address this problem by purchasing dedicated security solutions and handing more responsibility to an IT team who might already be overworked. “Deploy and forget” is never a sound security practice, and that is where specialised security services comes into the picture.
Until now, security operations centre (SOC) services have been available only to large enterprises with big budgets and a specialised workforce, but a new trend in the market has made them attainable for smaller companies. The near future will show MSPs/MSSPs offering more democratised packages with combinations of Managed Detection and Response (MDR), Endpoint Detection and Response (EDR) and SOC services.
Misconfigurations and human risks drive the need for security
For most organisations, it's nearly impossible to control human error and risk. It begins with the misconfiguration of company-wide security policies. Hackers love IT errors caused by policy misconfiguration in software, such as patching, access control, and services such as Windows Remote Management (WinRM).
Analysis of Bitdefender telemetry shows that WinRM topped the list of misconfigurations in the first half of 2020, with 55.5 per cent of all scanned endpoints. Attackers seek out WinRM vulnerabilities and misconfigured policies as they enable full remote control, and allow them to execute malicious code, change registry keys, grant PowerShell access, or simply remotely dial into machines.
And, while WinRM is not an attack vector in and of itself, it can have a devastating impact if misconfigured. Policies such as Unencrypted Traffic or Basic Authentication should be disabled as attackers might use them to discover hosts running WinRM and brute-force access. Compromising a trusted account or system allows an attacker to access the device shell, plant ransomware and move laterally across the organisation.
The Windows operating system and other living-off-the-land tools found in many organisations represent the tip of the iceberg. A recent ESG and Bitdefender report shows endpoint misconfiguration accounts for 27 per cent of entry points exploited by attackers. Bad policies related to accounts, password storage and password management are the most common endpoint misconfigurations caused by individuals which account for 12.5 per cent.
Internet settings are another important and often-overlooked category of security, and account for 73.1 per cent of all endpoint misconfiguration, according to the report.
For example, users should not be able to run unsigned .NET framework components from Internet Explorer, yet this happens frequently. Another problem arises with SSL 3.0 downgrade attacks, allowing attackers to perform man-in-the-middle attacks on what should otherwise be encrypted communication.
Password reuse is identified as a particularly common bad security practice. According to the report, 93.1 per cent of employees recycled old credentials. Users tended to choose weak or old passwords that were easy to remember, unless security policies stopped them from doing so.
When it's too much for the IT department to handle security
Between the increased sophistication and diversification of cyber-attacks and human errors, companies face mounting cyber-security pressure and rarely have the means to fend off attacks.
In these circumstances, the recommended approach is to adopt an integrated endpoint configuration that leaves a company's security in the hands of a dedicated team which works remotely and has complete visibility into the infrastructure. The best option also has to deliver comprehensive endpoint risk analytics, both from a technological and a human perspective.
Unless a company has the funds and talent to build its own security operations centre, the best alternative is to adopt a solution that puts security in the hands of specialists. Enter Managed Detection and Response (MDR), a service that offers the benefits of a SOC at a fraction of the cost.
MDR teams can even work with each company to set up pre-approved incident response scenarios, accelerating response times so the right security steps are taken long before any threat actor has a chance to move laterally across the infrastructure or compromise valuable assets.
As the cyber kill chain is as strong as its weakest link, reinforcing that link with a security team equipped to reduce the attack surface and take care of most of the issues that occur is both sound and secure planning.
Want to know more about how Bitdefender's Managed Detection Response Service? Click here to find out more.