The Nasstarian
Known Software Vulnerabilities: Your Biggest IT Security and Business Risk?

In insight / By Phil Muncaster / 16 April 2018

If the notorious Equifax breach of 2017 taught businesses anything, it’s what can happen if you fail to patch known vulnerabilities promptly. In fact, it’s no exaggeration to suggest that this may be the biggest cybersecurity risk facing your organisation. New research out over the past week highlights the scale of the problem facing organisations, and points the way to some solutions.

Twenty thousand problems

Software vulnerabilities have always been exploited by cybercriminals to circumvent cyber-defences, infiltrate corporate networks and spread malware. But today it’s happening on an unprecedented scale, partly because organisations are more software-driven than they’ve ever been, and partly because more vulnerabilities are being discovered thanks to bug bounty programmes and a growing cybercrime underground.

The sheer volume of vulnerabilities that need patching every month makes it an exhausting effort for system administrators. New figures from Flexera’s Secunia research division point to nearly 20,000 discovered last year, a 14% increase on 2016. Yet patches were available for 86% of these on the day of disclosure. So-called “zero-days” — for which there’s no immediate patch — are increasingly rare, comprising just 14 of those 19,954 known vulnerabilities in 2017.

Microsoft products were the most popular target for hackers looking to exploit these bugs last year, according to Recorded Future. It found that the Redmond giant’s software flaws accounted for seven out of the top 10 phishing and exploit kit attacks, with Adobe Flash taking up the rest. Interestingly, many of these flaws were years old. The second most frequently cited vulnerability, CVE-2016-0189, appeared on the vendor’s 2016 rankings, while five more Microsoft vulnerabilities dated from 2017, 2016 and even 2014. The three Adobe Flash vulnerabilities on the list were first published in 2015 and 2016.

No patches: more breaches

What does this tell us? Firms are still not patching promptly, despite the risks. A new study of 3,000 global security professionals from ServiceNow revealed that 57% of breach victims believe they were breached because of a patchable vulnerability. A third (34%) said they were aware that they were vulnerable before being breached, while a similar number (37%) said they don’t scan for flaws.

Yet the impact of these deficiencies can clearly be massive. Equifax is the biggest single cautionary tale. Its failure to patch a known Apache Struts vulnerability, despite discovering it months earlier, led to a breach of over 145m customers’ highly personal credit details. Many senior execs, including the CEO, CSO and CIO, departed the company soon after, and its reputation is in tatters. The financial impact to the firm is now surging into the hundreds of millions, with some reports suggesting it could be the most costly ever.

The NHS is also keenly aware of what can happen when outdated and insecure systems are allowed to support mission-critical parts of the organisation. Microsoft released a patch for the Windows SMB vulnerability exploited in the infamous WannaCry ransomware attacks in March 2017. Yet by May, many NHS endpoints were still exposed. The result? An estimated 19,000 cancelled operations and appointments.

Why are firms not patching?

So why are organisations still failing to get the basics right? As mentioned, the sheer number of vulnerabilities discovered on a monthly basis across heterogeneous systems, all with different patching mechanisms, can be overwhelming for all but the best-resourced firms. But that’s not all. A recent study by 0patch revealed concerns around: legacy systems that would be too expensive to update (58%); incompatibilities with apps and the latest OS version (53%); and the fear that a patch might break existing systems (72%).

In fact, those fears are well founded. Both Intel and Microsoft have been caught out after providing ‘fixes’ for the recent critical vulnerabilities dubbed Spectre and Meltdown, which ended up requiring additional patches to correct. Intel has since decided not to patch some of its earlier processors, as it’s not practical to do so effectively.

Time to change

So where does this leave us? According to ServiceNow, nearly two-thirds of global respondents plan to hire more staff to help with vulnerability management. Yet throwing more people at the problem won’t help — that’s if you can even find the right people to hire given endemic industry skills shortages.

Organisations need to optimise and automate their vulnerability management processes, and that will require IT and security to sit down together to work out what capabilities they have and where the gaps are. They need to scan regularly and prioritise the most important bugs to fix. That should help to clear the backlog, and teams will then be better equipped to react quickly when there’s a breaking threat that needs addressing. Automated patch/vulnerability management tools will help with this, and also provide detailed reporting to support compliance efforts. So-called virtual patching technologies could also be an option for protecting end-of-life or other key systems until proper testing has been done on updates.
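To make the "scan regularly and prioritise" advice concrete, here is an added illustration (not Nasstar's tooling, nor any vendor's product) of how a team might rank scanner output. It takes a handful of constructed findings, with placeholder CVE identifiers rather than real ones, and scores each on CVSS, asset criticality, whether the bug is being exploited in the wild, and how long a vendor fix has been available unapplied. It also flags which findings are overdue against a patching SLA and which belong on the virtual-patching list because no fix exists or the platform is end-of-life. The weights are assumptions chosen for the example; a real programme would tune them to its own risk appetite.

```python
"""Rank vulnerability scan findings for patching.

Added example, not code from the article or from Nasstar. All findings
below are constructed sample data and the CVE identifiers are placeholders.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    host: str
    cvss: float             # CVSS base score, 0-10
    patch_available: bool   # vendor fix exists
    days_since_fix: int     # age of the vendor fix (0 if none)
    exploited_in_wild: bool # seen in active exploit kits / phishing
    asset_criticality: int  # 1 (lab) .. 3 (mission-critical), set by asset owner
    end_of_life: bool       # platform no longer receives vendor patches


# Assumed weights for this illustration, not an industry standard.
EXPLOITED_BONUS = 20.0      # active exploitation trumps raw severity
MAX_FIX_AGE_DAYS = 180      # stop escalating after six months of neglect


def priority_score(f: Finding) -> float:
    """Higher means patch sooner."""
    score = f.cvss * f.asset_criticality
    if f.exploited_in_wild:
        score += EXPLOITED_BONUS
    if f.patch_available:
        # A fix that has sat unapplied for months is the Equifax pattern:
        # one extra point per 30 days, capped.
        score += min(f.days_since_fix, MAX_FIX_AGE_DAYS) / 30
    return score


def recommended_action(f: Finding) -> str:
    """Patch when you can; otherwise compensate (virtual patch, isolation)."""
    if not f.patch_available or f.end_of_life:
        return "virtual-patch/isolate"
    return "patch"


def triage(findings):
    """Findings ordered from most to least urgent."""
    return sorted(findings, key=priority_score, reverse=True)


def overdue(findings, sla_days):
    """Findings with a vendor fix that has been available longer than the SLA."""
    return [f for f in triage(findings)
            if f.patch_available and f.days_since_fix > sla_days]


# Constructed sample scan output (placeholder CVE ids, fictional hosts).
SAMPLE = [
    Finding("CVE-0000-SAMPLE-1", "web-01",      9.8, True,  200, True,  3, False),
    Finding("CVE-0000-SAMPLE-2", "file-srv-07", 8.1, True,   60, True,  2, True),
    Finding("CVE-0000-SAMPLE-3", "dev-lab-03",  9.9, True,    5, False, 1, False),
    Finding("CVE-0000-SAMPLE-4", "hr-app-02",   5.3, False,   0, False, 3, False),
]


def report(findings, sla_days=30):
    """Return (cve, host, score, action) rows in priority order."""
    return [(f.cve, f.host, round(priority_score(f), 1), recommended_action(f))
            for f in triage(findings)]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print("%-20s %-12s %6.1f  %s" % row)
    print("overdue against 30-day SLA:", [f.cve for f in overdue(SAMPLE, 30)])
```

Note what the ordering shows: the 9.9-severity bug on the lab box ranks last because its fix is five days old and the asset is low value, while a medium-severity flaw on a mission-critical HR system with no vendor patch outranks it and lands on the virtual-patching list. That is the difference between prioritising by raw CVSS and prioritising by business risk.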

Remember: regulators enforcing the GDPR and the NIS Directive will take a dim view of firms which fail to address known vulnerabilities. It’s time to act now.

Read about Nasstar’s approach to patching in this short guide.

Phil Muncaster

Phil is an internationally known technology writer, having regularly written for The Register, InfoSecurity and IT Week on the subject of technology, IT and security.