Report: 97% of Firms Compromised Right Now. Really?
New research is full of alarming statistics about how cyber-compromised most companies are. Stretching credulity, the report seems to indicate that the sky is, indeed, falling.
The research, by Positive Technologies, seems to exist to “prove” that companies should buy their security software. But let’s not get too cynical.
What am I saying? In today’s SB Blogwatch, we rip the report to shreds.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: cats.
Pull the Other One
What’s the craic? Sead Fadilpašić is easy for you to say—“Evidence of compromise present in almost all enterprise networks”:
Almost all large organisations in Eastern Europe have been compromised to some extent. According to a new report … 97 percent of companies with at least 1,000 employees show signs of suspicious network activity. [Of which] 64 percent exhibited instances of traffic hiding (VPN tunnelling, connecting to the Tor network and proxying).
…
81 percent of companies’ advanced network traffic analysis detected malware activity, including miners, adware and spyware. … In a third of cases, internal networks had been scanned, which includes multiple failed attempts to connect to hosts.
And Todd R. Weiss shakes his head—“report finds 97% have suspicious network activity”:
The importance of IT security has been known for a long time, but you wouldn’t know that anyone was doing anything about it based on a new analysis of network security practices. … The companies that were evaluated in the research each had at least 1,000 employees and were reviewed for an average of one month.
…
Another alarming statistic from the research showed that 94% of the participating companies in the study suffered from noncompliance with their corporate security policies within their IT infrastructure systems, leaving them more vulnerable to successful cyberattacks. … Also worrisome is that 81% of the participating companies are transmitting their sensitive data in clear text, or text that is not encrypted, [which] can enable potential hackers to search their network traffic for logins and passwords.
…
67% of the companies allow the use of remote access software, such as RAdmin [and] TeamViewer … which can also be compromised by attackers to move along the network while remaining undetected. … Ultimately, 92% of these network security threats were detected inside the perimeters of the companies … which reveals the depth of the problems and the need for constant internal network monitoring.
Yikes! Are you sure? Evgeny Gnedin is positive—“Top cybersecurity threats on enterprise networks”:
The current trend is toward so-called “living off the land” attacks. … It is hard to tell in real time whether an action is performed by attackers using legitimate tools or by a system administrator. … That is why attackers can use legitimate tools and remain unnoticed for a very long time.
…
Certain anomalies in traffic can indicate malware infection with great probability. At 39 percent of companies, we detected attempts by servers and workstations to connect to sinkholed domains, [which] can indicate threats of various severity, from run-of-the-mill spam bots to a complex targeted attack.
…
The most common malware found on infrastructure was miners (found at 55% of infected companies) and adware (28%). … It would be foolish to think that the worst a miner can do is cause large electricity bills, or that the worst you can expect from adware is annoying pop-ups.
…
Cybersecurity must be more than just the perimeter. … 92 percent of threats are detected when the enemy is already inside.
How does this happen? One Anonymous Coward understands all too well:
Given that 97% of the IT policies that must be complied with are contradictory, asinine drivel written by IT security vendors, which make it literally impossible to do development or prod support and be compliant … this is hardly surprising. [Ours] require me to fix prod issues when I have no access to the server, no access to the logs, and no access to tools which can do things like verify “is the process running,” or “is something listening on the server’s port.”
ping is a banned binary… to say nothing of curl, whet, netcat, tcpdump, wireshark. … I’m positive legitimate development/support traffic is flagged as suspicious.
Also, darkain swearily expands on that thought:
“There were traces of scans of its internal network.” … Well no ****, we have active pen testing tools that scan the entire network for service ports left open and exposed, even on private LANs. We are the ones doing that scanning!
Also-also, FritzTheCat1030 chimes in with this frustrating experience:
“Multiple failed attempts to connect.” … I do this all the time, thanks to the 870 different departments just within my own company who all have completely different nonsensical password policies.
So Radu Sion draws his own conclusion:
Lateral attacks are impossible to avoid. Zero Trust designs need to be applied on prem too.
Meanwhile, it’s not escaped the attention of Mark Thiele—@mthiele10—that the research was conducted in eastern Europe:
I wonder … who might be behind many of these eastern European hacks?
And Finally:
Hat tip: Rusty Blazenhoff
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: S. Hermann and F. Richter (Pixabay)
