IT security teams have a finite number of hours to tackle an ever-expanding list of projects. Vulnerability management is only one of those projects and could be all-consuming by itself, so IT organizations often prioritize their vulnerability management efforts. However, recent research shows that organizations focusing only on high-profile vulnerabilities are actually putting themselves at increased risk.
When high-profile zero-day vulnerabilities come to light (think Heartbleed), IT organizations go into action implementing a remediation plan. But even as they scramble to protect corporate assets, a new risk emerges.
In its 2014 Midyear Security Report, Cisco found that attackers are taking advantage of the distraction caused by zero-day vulnerabilities by exploiting the low-risk, low-profile application and infrastructure vulnerabilities that organizations are leaving exposed.
It’s not unusual for an organization to run outdated software or bad code, for example. As of May 2014, Cisco researchers found that Java exploits rose to 93 percent of all indicators of compromise.
Other weak links include abandoned digital properties, such as WordPress websites. To make matters worse, WordPress sites are often created without the knowledge of IT, then left abandoned. According to Cisco, attackers can upload malicious binaries to these sites and use them to deliver exploits.
Meanwhile, there is no shortage of exploitation methods: exploit kits, ransomware, social engineering, amplification attacks, infiltration of encryption protocols – the list of attack methods goes on. Plus, unlike security professionals, attackers have a wealth of resources at their disposal.
Consider this: Following the arrest of the alleged creator of the Blackhole exploit kit last year, Cisco researchers reported that the number of exploit kits decreased by 87 percent. Nonetheless, that hasn’t stopped threat actors.
According to Cisco, “Several exploit kits observed in the first half of 2014 were trying to move in on territory once dominated by the Blackhole exploit kit, but a clear leader has yet to emerge.” In the meantime, threat actors are using exploit kits and other methods to carry out more sophisticated attacks, targeting specific users with the goal of exploiting system and application vulnerabilities.
So, what should IT organizations do? The networking vendor has this to say:
As vulnerability reports are published, security practitioners and the media tend to focus on zero-day vulnerabilities because there is a seemingly urgent need to react to such high-profile news. However, organizations should prioritize their investments of time and money into patching the small number of vulnerabilities that criminals are most actively exploiting. Other vulnerabilities can be managed by more routine processes.
In other words, do not focus on high-profile vulnerabilities at the expense of common, high-impact threats. A comprehensive approach to vulnerability management offers the most protection while reducing overall risk.
About the Author: Crystal Bedell is a freelance technology writer specializing in security. As the principal of Bedell Communications, she helps technology providers and IT media companies create engaging thought leadership content. Prior to launching Bedell Communications, Crystal worked for TechTarget, where she was the editor of SearchSecurity.com for eight years.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.