According to a recent report, companies are failing to properly patch and update their systems despite the disclosure of threatening vulnerabilities. The 2015 Cyber Risk Report (PDF) produced by HP analyzing last year’s threat landscape found that as many as 44 percent of breaches were the result of attackers leveraging a patched two- to four-year-old vulnerability. “Attackers continue to leverage well-known techniques to successfully compromise systems and networks,” read the report.
“Every one of the top ten vulnerabilities exploited in 2014 took advantage of code written years or even decades ago.”
“Patching is hard for a number of reasons,” Threat Research Manager at HP Jewel Timbe told eWeek. “In the enterprise space, the volume of patches to apply across systems, while ensuring the patch doesn’t break anything custom or internal to the business, is daunting and resource-heavy.” Timbe recognized IT security teams are faced with a tough balancing act, but enterprises must find a way that makes patching a top priority. Additional findings from the report included the top CVE numbers seen in 2014, which included numerous flaws in Oracle Java, Adobe Reader and Acrobat, as well as Microsoft Windows and Microsoft Office.
Source: HP Cyber Risk Report 2015 By far, the most common exploit seen last year was CVE-2010-2568, a popular Microsoft Windows flaw used as one of the infection vectors for the Stuxtent. HP noted that this vulnerability in particular, was the only exploit for which the number of discovered samples continued to grow month over month throughout 2014. Furthermore, an Adobe Reader and Acrobat vulnerability, CVE-2010-0188, accounted for 11 percent of exploit samples, while six different Java flaws were also found to be top exploits. The report concludes that these common attack vectors indicate that there is still a significant percentage of Windows users who do not regularly update their systems with important security patches, likely due to the end-of-life for Windows XP in April. Despite other high-profile vulnerabilities in other technologies that were disclosed in 2014, such as Shellshock, attackers continue to focus their efforts on Windows. "One challenge for many organizations is to identify and take inventory of what systems are on their network and what applications and specific versions they are running—a lot of times, organizations don’t even know what systems require patching to begin with," said Tripwire Security Analyst Ken Westin. Taking inventory of what is on your network is a critical first step that needs to be taken to mitigate risks associated with vulnerabilities both new and old, he added. In an upcoming webcast, Westin will discuss how businesses can be best equipped to detect, patch and remediate high-impact vulnerabilities efficiently. Attendees will learn how to:
- Take steps to minimize risk and exposure before the next high-impact vulnerability is announced
- Identify potentially exploited systems to contain and remediate specific threats
- Develop a rapid response plan to reduce time recognizing new vulnerabilities on traditional operating systems as well as network and security devices