3 Key Takeaways: How to Prevent Zero-Day Attacks
- More than 80% of cyber attacks involve data exfiltration. Pay attention to where you’re storing sensitive data, and how much of it.
- Using internet-facing software involves risk. Know what all your internet-facing systems are, and use attack surface monitoring to regularly scan your perimeter.
- Identify your top third-party software providers and ask them for a reasonable amount of due diligence, in order to help prevent third-party hacks.
Continuing our series of educational discussions with cyber risk management experts, NetDiligence® President Mark Greisiger and Sherri Davidoff, Founder and CEO of LMG Security, met for more conversation about trends in cybersecurity in 2023 that small and medium-sized enterprises (SMEs) must address.
Among other topics, they discuss the MOVEit hack as an example of a zero-day attack and third-party hack, zero-day attack prevention steps, the importance of asset management in the cloud, and attack surface monitoring as a top cybersecurity control.
Sherri is also the author or co-author of three books about cybersecurity, including Ransomware and Cyber Extortion: Response and Prevention (Addison-Wesley Professional, 2022). Additionally, she serves as a leading expert on NetDiligence’s Ransomware Advisory Group.
Read edited excerpts of Mark and Sherri’s conversation below, and watch the full interview above.
MG: I’m blown away by the amount of technical stealth things that happened this past quarter. I almost feel it’s time for SMEs to just throw their hands up in the air!
But I’m a big believer in outsourcing security to a managed security service provider (MSSP). I think some of the cyber insurance industry is going that way, too. Beyond asking, “Does this SME ‘get it’?”—is someone actually managing and watching it for them 24/7?
When it comes to cybersecurity trends in 2023, what’s the number one way you’re seeing bad guys break into organizations?
SD: We’ve seen lots of change. If there’s one constant in security, it’s constant change. I’ve been praying for a boring day for 22 years!
This summer, we saw the MOVEit hack. MOVEit is a secure file transfer software. A lot of higher security organizations like banks and major international corporations invest in MOVEit and similar products. They use it to transfer highly sensitive, confidential documents.
So, of course, hackers target it!
Hackers found a zero-day vulnerability in the MOVEit software, in both cloud and on-premise installations. So far, they’ve broken into at least 1,128 organizations. Over 55 million individuals are affected.
And this isn’t the end. We’re still hearing about the hack because, often, third-party providers were affected, like law firms or accounting firms transferring software files on clients’ behalf.
We’ve seen fourth-party hacks, even fifth-party hacks. These numbers are going to go up and up and up. We’re seeing hackers target those high value assets, find a zero-day vulnerability, and then—boom!—break in.
MG: The MOVEit hack is fascinating. We publish a monthly newsletter about trends hitting different business sectors and leading threats, and I couldn’t get away from the MOVEit hack. Every other news site had stories on it. It’s impacting businesses of all sizes, in all sectors. It’s shocking.
SD: MOVEit really has it all: zero-day vulnerabilities, data exfiltration, a third-party hack. It has all these components that have been individually trending wrapped up together. That’s why it’s been so damaging—and such a great illustration of the problems.
MG: The cyber insurance partners we support, who you also support, worry about systemic risk, aggregation risk, where one organization touches many others. They’re paying attention to the domino effect of potential liabilities. What do organizations need to know about how to prevent zero-day attacks?
SD: We must be aware of our internet-facing perimeter. The organization needs to know what all of its systems facing the internet are. They must make sure they’re regularly checking those systems.
A lot of organizations neglect asset management in the cloud. They might scan all the systems that are part of their main network, forgetting systems they have in the cloud, or thinking it’s their cloud provider’s problem.
LMG Security, my company, released our top control of Q3 for the year. It’s attack surface monitoring. You have to make sure you’re scanning and discovering everything on your perimeter.
And it’s not just about discovering vulnerabilities in that, because you may not know the vulnerabilities yet. We’re seeing a lot of zero-day attacks. Just the fact you have internet-facing software is a risk in and of itself. We all need to work to minimize it.
MG: How can organizations better prepare for a future breach involving third-party products?
SD: Here again, the MOVEit hack is a great illustration. MOVEit isn’t the only third-party file transfer product that’s been targeted. We saw the same thing earlier this year with a product called Go Anywhere. We saw the same issue last year with a zero-day vulnerability in Excelian, another file transfer product.
Our insurers bear the brunt. They’re paying out for these attacks that are hitting a wide number of organizations. Often, insurers don’t even know these companies use this critical software.
We all need to pay attention to high-value internet-facing assets. What do you have facing the internet that has all the sensitive, juicy information?
One of the trends in cybersecurity in 2023 is that the majority of attacks, over 80%, now involve data exfiltration. So you’ve got to pay attention to where sensitive data is being stored, and how much is there.
There are some simple solutions:
- Limit data retention. Clean it out after a week or two.
- Properly vet your third-party software providers– make sure they have secure coding practices and are getting regularly checked. You can’t just put it out there and forget it because the third-party software provider is handling it.
MG: Many organizations use dozens of third-party software providers—
SD: Hundreds.
MG: I guess you’ve got to pick your battles. Ask, “Who are our top ones?,” and ask for a reasonable amount of due diligence.
It could be an executive summary. We asked for executive summaries of their last assessment, or SOCKS or penetration test—something to show the third-party software provider is doing due diligence.
SD: You hit the nail on the head, Mark. Pick your battles. Identify high-value assets and focus on them like a laser.
Learn more about LMG Security. If you have questions for Sherri, reach out to her at LMGSecurity.com.
Learn more about NetDiligence solutions for a rapidly changing cyber risk landscape. If you have questions for Mark, reach out to NetDiligence.
Lastly, if you’re looking for a turnkey solution to help your organization develop an incident response plan, get more information about Breach Plan Connect® from NetDiligence.