Hacker Survey: Simple Attacks Breach Systems in a Day
A security vendor survey of professional hackers finds that many are able to easily defeat “perimeter defenses” like firewalls, then pinpoint and steal critical data in less than a day.
The findings also support the conclusion that high-profile security breaches result from routine security lapses like failing to apply security patches rather than increasingly sophisticated attacks.
The survey of hackers and “penetration testers” by cybersecurity specialist Nuix found that antivirus software, firewalls and other countermeasures are “trivially easy to bypass.” The report found that most defenses can be breached and data stolen without detection in 15 hours.
Compounding the damage, the security specialist based in Herndon, Va., said most companies don’t realize systems have been breached and data stolen for months.
The report challenges the conventional wisdom that data breaches are harder to prevent because cyberattacks are becoming more sophisticated. If so, that reality raises the question of whether many attacks are the result of vulnerable legacy systems that administrators fail to patch, as in the case of last year’s massive Equifax data breach.
The Niux survey found that nearly a quarter of the hackers it interviewed said they used similar attack techniques for a year or more. “Hackers can keep using the same attack techniques because they still work,” said Chris Pogue, lead author of the report and head of services, security and partner integration ay Nuix.
“Many data breach victims believe they have suffered unprecedented and highly sophisticated cyberattacks, but they often turn out to be the result of mistakes or oversights.,” Pogue added.
Case in point was the Equifax breach. Last September, the Apache Foundation confirmed the data breach stemmed from the consumer credit reporting agency's failure to install patches to Apache Struts, an open source framework used to build Java web applications.
“When you read about data breaches in the media, the victims usually claim they suffered an unprecedented and highly sophisticated cyberattack,” the hacker survey notes. “Much later, it emerges that someone forgot to apply a security patch, or something equally simple and preventable.”
More than 80 percent of the hackers surveyed by Nuix used phishing and other “social engineering” techniques to obtain information about a target before attacking. An equal number said they use tools that are free or readily available on the Internet while employing “anti-forensic” tools and other techniques to cover their tracks. Hence, targets often do not discover for months after they have been breached.
While 93 percent said their targets only detect a breach half the time, respondents were unanimous in saying that once security perimeters are breached, “your most sensitive data is gone forever.”
The survey also shatters the myth of the teenage hacker living in a basement. Nuix found that three-quarters of respondents are college graduates and 57 percent have worked for medium-sized and large companies.