
Over. Thanks, Adam. Hi everyone. My name is Ciara Campbell. I'm delighted to be here and to see you all. A bit of background about me. So, I'm a security engineer. I've worked in the industry for about 10 years. I've worked with Cisco, Microsoft, and now Tenable. More importantly, I'm a full-time mom and I work full-time. I have two boys. Three, if you count my husband at times. And yeah, so I'm going to call out that my biggest fear is public speaking. They say if you face your fears head-on you'll be better. One time at an event where I was talking with customers, my leg started shaking so badly that I had to thump it to stop it. So, if I start hitting parts of my body randomly during the talk, I'm okay. You don't need to save me, okay?

I want to call out that I volunteered for this talk. Well, I put my submission in. I like to push myself and face my fear head-on. But I got assigned an amazing mentor. I did not think I would get assigned Jenny Radcliffe. If you haven't listened to her podcast, I had. So, I was silently, I actually did a screech. I did a screech. So, Jenny, thank you for all your help. She's given up loads of time for me, backed me and helped me prep. So, thank you Jenny. Okay, so I've done the introduction.
So, what are zero days? I'm going to touch on that. What exactly do they mean? It's a kind of hype word that's been spun about. I'll also talk about cyber hygiene. And there was a joint advisory released by CISA, the FBI and the NCSC about the top exploited vulnerabilities that we are constantly seeing, or have seen, especially in 2020 and currently in 2021. So, why should we be worried about them? And then a look at some of the most exploited vulnerabilities, looking at a few of those and why they've been so popular.

Okay, so what are zero days and what are they all about? The "help me" sign I think is more for me than helpful about zero days, but here we go. So, what does zero day mean? A zero day is a term that we hear a lot about. If a breach occurs, it must have been a zero day; it's quite elusive and it nearly sounds scary. There are many different definitions for it. But zero days are really vulnerabilities in hardware or software that are exploited prior to the vendor knowing that the vulnerability existed. In other words, there were zero days for that vendor to implement a fix for the vulnerability before it was used in an attack. Vulnerabilities arise from a variety of sources, but most are the result of simple coding errors. A zero-day exploit then refers to the code that attackers use to take advantage of the zero-day vulnerability. And these exploits are difficult to detect because there are no signatures for them. So, anti-malware, intrusion detection systems and IPS are often ineffective because no attack signatures exist. They can carry a price tag of up to 1 million. And then the exploit code is used to exploit those vulnerabilities. A zero-day attack then is the attack that's used to exploit that vulnerability, and it hasn't been disclosed publicly. Once the zero-day vulnerability has been made public, it becomes known as an N-day or one-day vulnerability. And then you have the patch that can be released from the day the vulnerability has been publicly disclosed.
In discussing a strategy for mitigating zero days, you must weigh the impact of the vulnerability, how it can affect your organization or where you work, how prevalent it is within your organization, and the likelihood of exploitation by those threat actors. The Stuxnet worm was a devastating one, and really everyone knows of it as a zero-day exploit targeted at SCADA systems. It exploited four different Windows zero-day vulnerabilities and spread through infected USB drives. It has been widely reported that it was the result of a joint effort by the US and Israeli intelligence agencies to disrupt the Iranian nuclear program. Aurora was another one that was around in 2010. That was against 30 top companies such as Google, Akamai and Adobe. The exploit allowed malware to load onto the computer and then take control of that computer to steal corporate intellectual property.

Zerodium is one that I came across when I was doing the research for this talk, and it's a really interesting organization. They pay bounties of up to 2.5 million for zero days. They're a group of researchers that have come together globally and have been working in the industry for years, so they have a huge amount of intelligence between them all. And they are trying to improve the industry by getting the most innovative information about exploits out there. So, they do publicize how much they pay for these vulnerabilities as well. Google have another interesting spreadsheet that they make publicly available. The link is there for you, but it's publicly known cases of detected zero-day exploits, in the hope that this can be a useful community resource. There's also the ongoing debate over whether the US government, or any government, should retain those so-called zero-day software vulnerabilities or disclose them so that they can be patched.

So, now we're going to move on to cyber hygiene. Keep in mind it's a bit like personal hygiene. Cyber hygiene should start with basic actions that are most likely to promote good health.
So, what is cyber hygiene, besides cleaning your laptop or your screen on a regular basis? Good cyber hygiene is the set of practices every business should be doing, and everyone within the cyber security industry should be doing, to reduce the risk and protect themselves from cyber threats during their digital transformation. A bit like personal hygiene, it should be part of your daily routine. Cyber hygiene has been described as many varying things, such as dealing with computers with unpatched software, or patching practices for operating systems, applications and firmware. I honestly think it's so much more. This is just my take on it. I think it's more than just patching. People like to think of cyber hygiene as the responsibility of the IT organization, but it's not. It's the whole organization's responsibility. To make it more complex, the organization's threat landscape is constantly changing. We see new variants of attacks on computer systems appear by the hour. There's the sheer number of security vulnerabilities in hardware, software and underlying protocols. And then you have the dynamic threat environment, and it makes it nearly impossible for organizations to keep pace. And threats aren't only technological either. Hackers and other bad actors are adept at social engineering, which my friend Jenny here is an expert in. When the public thinks of massive cyber attacks, the assumption is that hackers are really clever, which they are, and that they're using sophisticated techniques to gain entry. And this is not always true. Even the most well-resourced APTs will rely on gaps in security left by poor security hygiene.

How do you do this? By using the frameworks and guidance that are out there to build out your cyber security framework so that it aligns with your business needs. So, things like ISO 27001, Cyber Essentials and Cyber Essentials Plus. These are all on the NCSC website. Then there's the NIST cyber security framework. The NIST cyber security framework has five different areas: identify, protect, detect, respond and recover. Identify is identifying your critical assets for the operation of your business, your crown jewels: data security, hardware, software, cyber security policies, risk management; your internal and external risks are identified. Protect is how you manage access to the assets and the information: protecting your sensitive data, protecting your devices, your vulnerabilities, and also some training. Detect is testing and updating those detection processes on an ongoing basis: your logs, your monitoring, your data flows, and the impact of cyber events if they occur. Respond is how you test and respond with those plans that you have in place, updating them with your stakeholders. And recover: communicate with your stakeholders, managing the PR, and not like TalkTalk. Et cetera. The NCSC has defended the UK from 723 cyber incidents within a 12-month period. So, not just aligning to the NIST framework, but the NCSC has published these 10 steps as a
foundation for cyber security. They really do overlap, and they work together with the NIST framework as well. So, some of these are risk management, engagement and training, asset management, architecture and configuration, vulnerability management, identity and access management, data security, logging and monitoring, incident management, and supply chain security.

So, moving on to the advisory that was released in July. The FBI, the NCSC, CISA and their Australian counterparts issued a joint advisory. This is the NCSC website. I'm sure you all follow them on LinkedIn and have looked at this website, but I just put it up there in case. So, this was an advisory that was recently released, in July 2021. They've warned companies and agencies that publicly known vulnerabilities are far more commonly targeted by nation-state cybercriminals and unattributed attackers than zero-day vulnerabilities. When the pandemic happened, we saw a huge increase in people working remotely. Some ended up using their own devices, which is another risk in itself. We saw VPN vulnerabilities come to the top of the list in both 2020 and already in 2021. Perimeter types of devices continue to be one of the big targets. And one of these vulnerabilities has been around since 2017. The reason the advisory is so important is that we talked about zero days. We talked about the hype around them. But from the UK, the US and the Australian counterparts, the most routinely exploited vulnerabilities they are seeing these last few years are the ones that have been around for a while.

So, why the older vulnerabilities? Cyber actors continue to exploit publicly known, and often dated, software vulnerabilities. Malicious cyber actors are going to take the low-hanging fruit. They're going to use what's already known and out there, and they're not going to spend all their time and resources; they're as busy as we are. They're busy, and if there's an easier way of doing it, they're going to take the easier way. The average vulnerability stays alive for nearly 7 years. Organizations are encouraged to remediate the vulnerabilities in this advisory as quickly as possible. And also, if you haven't remediated them yet, do check to see if you have indicators of compromise there. Vulnerabilities in SSL VPN products are some of the most exploited by attackers for initial access to target your network, acting as a doorway for exploitation, especially in the last two years, this year and last year, with all the remote workers. A number of the vulnerabilities on the list for 2020 and 2021 already are from Microsoft. Remote access vulnerabilities: there are a few from different vendors. Both featured in the list in 2020 and again in 2021. Successful exploitation would allow an actor to read the contents of sensitive files on the endpoint and then lead them to be able to pivot and eventually gain access to the corporate environment. The Citrix one is actually a little bit of a celebrity in the vulnerability world. It's a bit like one of the Kardashians. It was named the most exploited vulnerability of 2020 according to government data. It's been observed being exploited in the health care sector as well. So, they don't have a conscience. It was also targeted against the COVID-19 vaccine development group as well. It was a top-mentioned CVE on Russian- and English-speaking dark web forums. Fortinet was seen in the 2020 list and again in 2021, also in the top five. So, while our focus here is pointing out a few vulnerabilities, the important lesson is that routine patching and maintenance for SSL VPNs is a critical aspect of cyber hygiene. The Zerologon and the Microsoft server vulnerabilities are two more areas that are worth being concerned about in 2021 and 2020.
So, I'm going to leave you with this. This is a quotation from Michael Jordan: "The minute you get away from fundamentals, whether it's proper technique, work ethic, or mental preparation, the bottom can fall out of your game, your schoolwork, your job, whatever you're doing." I think the same principle applies in cybersecurity: the fundamentals, the basics. This is relevant for sports professionals, but also in our daily lives as well. When we think about our mental health being challenged, are we doing the basics right? Are we eating well? Are we sleeping? Are we getting exercise in? My husband coaches an under-14 football team and he's constantly saying to them, "Get the basics right. Stop trying to do the fancy footwork. Get the basics right." It's the same with cybersecurity, or cyber hygiene. Thank you.