Anti-Vaxxers & Preventable (Cyber) Infections
Many of us are acutely aware of the measles outbreak in the US that started in Disneyland and has spread eastward. The title image from Vaccine Preventable Outbreaks Are Real shows historical data where measles outbreaks (in red) outside the US dominated measles outbreaks inside the US. Below is a 2015 heat map of measles outbreaks alone.
Clearly the measles outbreak in the US is dominating measles outbreaks worldwide in 2015.
For those of us who grew up with the Measles, Mumps, Rubella vaccine (MMR) as a mandatory and standard vaccine for school-age children, the spread of measles has been perplexing: in the United States it was once considered a conquered disease, along with polio.
The Twitterati and public opinion have cast blame at parents who have chosen not to vaccinate their children against preventable diseases like measles, mumps, and rubella. The so-called anti-vaxxers refuse to vaccinate their children largely out of fear, uncertainty, and doubt about potential adverse side effects of vaccines. The effect is that unvaccinated children, when exposed to highly contagious diseases like measles, contract them and spread them, putting the community at risk.
Vulnerable Apps & Preventable Infections
While many of us feel placed at risk by parents who choose not to vaccinate their children against preventable diseases, the same phenomenon occurs in cyber security today.
The most common example most security professionals relate to is patching known vulnerable software. The analogy seems apt at first blush. Take for example the distribution of exploits against vulnerable apps shown in the Kaspersky pie chart below.
The first thing that jumps out is unpatched (vulnerable) Oracle Java and browsers collectively account for 87% of all exploits Kaspersky sees (as reported in Kaspersky Security Bulletin 2014 report). Incidentally, Kaspersky notes that unpatched Java alone accounted for 90% of the exploits in 2013.
These unpatched vulnerable applications could be protected against known exploits by patching them, just as vaccinating people is effective in preventing disease. Likewise, we understand that network compromise occurs when an intruder compromises a machine through a vulnerable app, and then uses this beachhead to find other vulnerable machines on the network to compromise. In other words, one vulnerable member of the community of machines puts the others at risk, similar to unvaccinated members in human communities.
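To make the "one vulnerable member puts the others at risk" point concrete, here is a small added example (my own, not code from the original post or from Invincea) that walks a constructed network from a compromised beachhead, treating patched hosts as immune, and then asks which single additional patch would shrink the blast radius the most. The host names and topology are assumptions invented for the illustration.

```python
from collections import deque

# Constructed sample network (an assumption, not from the post): which hosts can
# reach which over the network. ws1..ws3 are workstations behind a file server
# that fronts the payroll app and its database.
SAMPLE_NETWORK = {
    "ws1": ["ws2"],
    "ws2": ["ws1", "ws3"],
    "ws3": ["ws2", "file-srv"],
    "file-srv": ["ws3", "payroll", "db"],
    "payroll": ["file-srv"],
    "db": ["file-srv"],
}


def compromised_hosts(network, beachhead, patched):
    """Return the set of hosts an intruder can compromise starting at
    `beachhead`, hopping only through unpatched hosts.

    A patched host is 'immune': the exploit fails against it, so it is neither
    compromised nor usable as a stepping stone to its neighbours.
    """
    if beachhead in patched:
        return set()  # the initial exploit fails against a patched host
    seen = {beachhead}
    queue = deque([beachhead])
    while queue:
        host = queue.popleft()
        for neighbour in network[host]:
            if neighbour in seen or neighbour in patched:
                continue
            seen.add(neighbour)
            queue.append(neighbour)
    return seen


def best_single_patch(network, beachhead, patched):
    """Greedy patch prioritisation: which one additional host, if patched,
    most reduces the blast radius from `beachhead`? Returns
    (host, number_of_hosts_still_compromised). Ties keep the first candidate."""
    best = None
    for host in network:
        if host in patched or host == beachhead:
            continue
        remaining = len(compromised_hosts(network, beachhead, patched | {host}))
        if best is None or remaining < best[1]:
            best = (host, remaining)
    return best
```

With no patches at all, a single workstation infection reaches the payroll database; patching the file server alone cuts the reachable set to the three workstations, which is why a choke-point host is worth more than a random one.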
In the reality of enterprise networks, patching Java and browsers on Patch Tuesday every month is simply not feasible for most organizations. Have you ever wondered why your company is running IE8 and Java 1.6? How hard can it be to patch them? It turns out that patching (vaccinating) Java and IE often creates adverse effects such as breaking enterprise apps. The anti-vaxxers in this case have a legitimate point about not vaccinating these apps with patches, because the adverse reaction is breaking critical enterprise apps. Regardless of how you feel about security, you still want payroll to process, even if that means running unpatched Java.
Protecting Your Network Against Preventable Infections
We know that patching Java and Internet Explorer is hard in the enterprise. We also know that in many cases a window of opportunity exists where vulnerable apps are being exploited while patches are not yet available. For instance, since January 2015, three known 0-day exploits, i.e., exploits for previously unknown vulnerabilities, have been actively used against Adobe Flash plug-ins in browsers. These exploits are already incorporated in exploit kits like RIG, Angler, and HanJuan, making for easy work for cyber criminals using malvertising on popular sites to deliver ransomware.
The Ponemon Institute recently published a study where they found:
Users’ insecure web browsers cause the majority of total malware infections. The web browser is a common attack vector that can severely impact their organization’s security posture. On average, a user’s insecure web browser is the cause of 55 percent of the total malware infections.
We also know that these infections are wholly preventable, both exploits against known vulnerabilities and exploits against unknown vulnerabilities (0-days). As proof, the FessLeak campaign Invincea has tracked since October 2014 consisted of exploits against known vulnerabilities and 0-day exploits delivered via malvertising. Invincea detected and blocked these exploits for users running Dell Protected Workspace Powered by Invincea. Over 1.8 million Invincea users worldwide are protected against these known and unknown exploits, and the infections they cause through a range of vulnerable apps.
21st Century Cyber Security Anti-Vaxxers
So it's the 21st century. You vaccinate your children against preventable diseases because the technology exists. In turn, you expect your neighbors to do the same for their school-age children, with the expectation that if enough members of your community vaccinate, herd immunity will develop, limiting the spread of preventable infectious diseases.
It's the 21st century in cyber security too. Are you still using 20th century anti-virus technology to protect your endpoints? Are you still waiting on patches or beholden to unpatchable enterprise apps? Are you still relying on signatures and IOCs that trail the threat by days and sometimes weeks?
It's the 21st century. We have technology that solves this problem, just as we have vaccines that prevent measles, mumps, and rubella. More than 1.8 million users are now vaccinated against known and unknown exploits. In turn they are protecting the other members of their community on their networks, and through the threat intelligence they produce using Invincea.
Now it's your turn. You can help build herd immunity by adopting 21st century security technology that inoculates you against preventable infections such as Java, IE, and Flash exploits delivered through web-based drive-bys, malvertising, and spear-phishing. There is no doubt in my mind that this technology will be adopted on a mass scale, following the typical adoption curve of new technology. The question is: do you wait for the herd to adopt, or do you lead your herd?