Cyber Is a Supervillain: Will 2022’s Cybersecurity’s Valiant Defenders Come to the Rescue?
There has been a 365% increase in common vulnerabilities and exposures from Q3 2021 to Q4 2021. If that cyber risk statistic doesn’t sound your company alarms, then what will?
This was one of the startling statistics found in Kroll’s “Q4 2021 Threat Landscape: Software Exploits Abound.” 2021 certainly sat front and center on the cyber risk stage, and that risk is only going to continue to flourish.
Kroll’s report noted cyber threat occurrences “did not see a substantial decline,” but rather there was a stark rise in “new actor-controlled ransomware sites and new ransomware variants.”
So, while companies may be attempting to curtail any variation of a cyber threat, cybercriminals and hackers are only becoming more skilled. In addition, all it takes is for one metaphorical door or window to be unlocked for a hacker to infiltrate a company’s system.
And as Keith Wojcieszek, managing director in Kroll’s cyber risk practice, said: “Say [a company] has 100 ‘doors,’ you have to multiply that by 1,000 individuals. It’s just layers upon layers.”
And with those layers, a company’s internal infrastructure is “very difficult to protect,” Wojcieszek said.
CVEs and Zero-Day Exploitation
One major section of the report focused on the record-breaking occurrences of common vulnerabilities and exposures (CVEs) and zero-day exploitation.
According to Wojcieszek, CVEs are “vulnerabilities that exist within software that can be exploited by cyber criminals.”
Simply put, CVEs make a hacker’s success that much more likely.
Zero-day exploitation refers to a company’s cyber protection flaw that is attacked by a cyber criminal without any sort of detection by the victim. A zero-day attack is so dangerous because a hacker can be within a company’s software for an extended period of time before any warning bells go off. The implications can be vast and extensive.
According to the report, CVEs and zero-day events increased from 6% in Q3 to 27% in Q4, which accounts for the 356% increase mentioned previously. The report specifically noted software that had vulnerabilities, which included ManageEngine, ProxyShell, VMware and SonicWall.
Despite the drastic uptick in CVEs and zero-day exploitation, phishing tactics remained the top method that hackers are using to implement breaches, accounting for 39% of all initial access vectors for Q4.
Other main vectors that cyber criminals utilize are third-party vulnerability, remote code execution, social engineering and remote desktop protocol, per the report.
Other Report Findings
In terms of which threat incidents proved to be the most popular for hackers to use, ransomware topped the list, followed by email compromise, unauthorized access, web compromise and malware. Only web compromise saw an increase between Q3 and Q4, going from 2% to 6%.
The report also looked at which sectors were targeted the most in Q4 and compared those metrics to those from Q3. Professional services was the most impacted sector, “accounting for 16% of cases,” per the report, followed by technology & telecommunications and healthcare.
Also noted were the sectors that saw an increase in cyber incidents throughout Q4, including education, pharmaceuticals, construction and food and agriculture, with ransomware events making up a large portion of this increase.
Specifically within the education sector, the report said this increase in cyberattacks stemmed from “more open IT infrastructures seen in the education sector” as well as Q4 coinciding “with the new academic year in North America and Europe, making access to systems a key target at this time for threat actors.”
Companies: Time to Stand Up to the Bullies
The capabilities and techniques of cyber criminals only seem to continue to flourish, despite cyber risk being a top concern for companies and organizations.
Wojcieszek made an important point regarding cyber criminals that perhaps many may not think about: These hackers are professionals in this line of work, simply trying to get the job done.
He said: “Attackers are cybersecurity professionals to an extent. It’s just that the software – in this case, malware – they’ve created produces an outcome on their terms, rather than ours.”
Switching our perspective to that of cyber criminals can give those looking to mitigate the risk a deeper understanding of how the enemy operates. As Wojcieszek said, “Taking a step back and knowing your enemy is extremely important.”
Additionally, how else can companies equip themselves against, at times, inevitable cyberattacks? Cyber maturity is always an important component to note, as this reveals just how capable a company is at fending off an attack.
Other techniques mentioned by Wojcieszek included multi-factor authentication and being strict with both weekly and monthly patches, the regularly scheduled updates computers should run so that any vulnerabilities that need to be resolved are detected and fixed.
In addition, the report concluded by recognizing yet another tough year in cyber, and said that companies “must use actionable threat intelligence to guide the management and prioritization of vulnerabilities and ensure they have a strong managed detection and response program in place.”