Web exploits: what they are, how they work, and how to defend oneself (Part 2)
We wanted to devote ample space to the topic of “Web Exploit,” a topic that every IT manager should govern domestically; therefore, we will publish two complementary articles.
» Part 1: First article
» Part 2: the present article!
1. Hardware exploits
Although software exploits are the most common, they are not the only types of exploits out there. Sometimes attackers are able to exploit flaws in the physical hardware (and related firmware) of a device.
The best-known case is that of Meltdown and Spectre, which are two processor hardware vulnerabilities that have become notorious because of their potentially dangerous nature.
They were discovered (believed to be in June 2017) by Google’s Project Zero (GPZ), a working group that researches vulnerabilities, simultaneously with researchers from a number of universities and then disclosed in early 2018.
Meltdown is technically designated as vulnerability CVE-2017-5754 (“rogue data cache load”) and affects only processors built by Intel, while Spectre is actually two vulnerabilities: CVE-2017-5753 (“bounds check bypass”) and CVE-2017-5715 (“branch target injection”). It affects all processors: Intel, AMD, and even those made with ARM architecture.
Luckily, no exploits are reported to have ever been created to exploit these vulnerabilities (because they are hardly “exploitable” in practice). Intel and other chip manufacturers have released patches (first software patches and then hardware patches) to mitigate the risks.
>> We discuss it in this article
2. How to defend oneself from web exploits
Disarming web exploits requires the elimination of vulnerabilities. This cybersecurity measure is obvious but, unfortunately, not always applied with due care. Zero-day vulnerabilities are the most dreaded, but not the most used by exploits. An interesting report from Verizon tells us that 85% of successfully executed exploits are due to just ten vulnerabilities, six of which are more than ten years old and, therefore, have already had a patch that fixed them.
In other words, the remedy for these flaws (responsible for most attacks) has existed for ten years, but, evidently, those who should be updating systems are not doing so as expeditiously as they should.
Thus, we can definitely say that most exploits act after the publication of the patch; so the moment of greatest risk is the so-called “window of vulnerability.” This term is used to define the time interval between the publication of the patch and its installation to close the vulnerability.
In fact, the moment the patch is released, the vulnerability becomes known to anyone. By analyzing the patch itself, an attacker can figure out how to take advantage of the vulnerability and, with “reverse engineering” techniques, can build the web exploit to attack systems that have not yet been patched.
It is important to train, inform, and make users of computer systems (whether PCs, servers, or corporate networks) aware of the risks of unpatched systems.
>> FlashStart protects you from a vast gamma of threats and blocks the access to harmful sites ? Request a quotation or try it now
Therefore, it is necessary to work on the human factor, which, as always, is the main cause of cyber attack.
The above explanation has found resounding confirmation in just the past few days, when a massive attack took place, affecting organizations in many nations.
According to CERT-FR and the National Cybersecurity Agency (ACN), this attack campaign exploited vulnerability CVE-2021-21974, related to the well-known VMware ESXi virtualization software for which a patch has been available since February 23, 2021. So, once again, human error is confirmed as the number one cause of cyber attacks: in this case, not having made the security update available for almost two years!
In conclusion, there is just one thing to do: always update systems and software with patches, effectively stripping exploits of their effectiveness.
If you close all vulnerabilities, exploits will no longer find useful turf upon which they can operate.
3. What if an upgrade is not possible?
Constant updating should be the tenet for any IT manager…unfortunately, there are situations in which updating is either not possible or very complicated and/or expensive.
This is especially true in industrial control systems (ICS), where an upgrade could affect the operation of outdated industrial systems unable to support newer software.
In such cases, it is dangerous to limit oneself to “don’t update, because it might not work,” which is too superficial a way of dealing with today’s cyber risks.
Instead, “palliative” defensive solutions should be adopted, such as installing virtual patches, if possible. Alternatively, systems that cannot be updated should be segregated in separate networks and not exposed directly on the Web.
4. The author
Giorgio Sbaraglia, an engineer, provides consulting and training in information security and privacy.
He teaches courses on these topics for many leading Italian training companies, including ABIFormazione and 24Ore Business School.
He is the scientific coordinator of the master’s program “Cybersecurity and Data Protection” at 24Ore Business School.
He is a member of the CLUSIT Scientific Committee (Italian Association for Information Security) and an “Innovation Manager” certified by RINA.
He holds DPO (Data Protection Officer) positions at various companies and professional associations.
He is the author of the books:
» “GDPR kit di sopravvivenza” (Editore goWare),
» “Cybersecurity kit di sopravvivenza. Il web è un luogo pericoloso. Dobbiamo difenderci!” (2a edizione 2022, Editore goWare),
» “iPhone. Come usarlo al meglio. Scopriamo insieme tutte le funzioni e le app migliori” (Editore goWare).
He is a contributor to CYBERSECURITY360 , Cybersecurity group’s specialist publication.
He also writes for ICT Security Magazine, for AGENDA DIGITALE, and for CLASS magazine.
You can activate the FlashStart® Cloud protection on any sort of Router and Firewall to secure desktop and mobile devices and IoT devices on local networks.