Patching & Passwords Lead the Problem Pack for Cyber Teams

Weak credential policies and a lax approach to patching were among the most common points of IT security failure for organizations in 2022, while a failure to configure tools properly could leave organizations open to attack.

That's according to a recent study by cybersecurity firm Horizon3.ai, based on findings from approximately 7,000 penetration tests that evaluated approximately 1 million assets.

Of the Top 10 vulnerabilities Horizon3.ai detected in 2022, the use of weak or reused credentials topped the list, followed by weak or default credential checks in protocols (SSH and FTP) and threat actors using Dark Web credential dumps from Windows or Linux hosts.

Exploitation of critical vulnerabilities on CISA's list of Top 15 Routinely Exploited Vulnerabilities list, as well as the exploitation of critical VMware vulnerabilities, rounded out the top five.

Corey Sinclair, cyber-threat intelligence analyst for Horizon3.ai, explains that professionals are challenged by balancing the three factors of security, functionality, and usability. The requirements of the end user, usability and functionality, are often at odds with or contradictory to the best security practices.

"To ease our own burden, we as individuals tend to shy away from the difficult, and move to what's easy and convenient," he says. "This means having fewer or easier credential requirements."

Related:Let’s Unpack the 10 Immutable Laws of Security Administration

Individuals thus tend to reuse credentials when they know they should have unique passwords for everything, and organizations fail to enforce stronger credential requirements or invest in a companywide password solution.

Sinclair adds that sometimes, companies simply don't know to go back and check to see if default credentials were changed when a new technology is brought online.

Security teams should be on notice: The successful combo of using stolen credentials and social engineering to breach networks is increasing the demand for infostealers on the Dark Web, according to Accenture's Cyber Threat Intelligence team (ACTI), which recently surveyed the infostealer malware landscape over 2022.

Continue reading this article on Dark Reading