Recent research by NTT Communications has an alarming takeaway: While companies may like to think they’re up-to-date on security, many are years behind in detecting and protecting against vulnerabilities.
The 2014 Global Threat Intelligence Report analyzed attacks from 2013 and found that many of these recent incidents involved well-known vulnerabilities. In fact, half of the exploited vulnerabilities were discovered between 2004 and 2011.
That means they were known about for at least a full year before being used in attacks – and that there were serious issues when it came to patch management.
Recent vulnerabilities are targeted, too
Clearly, having decade-old vulnerabilities exploited shows that many companies have a long way to go before catching up on critical patches. But as we stated earlier, those vulnerabilities only made up half of the attacks. Recently discovered vulnerabilities – those that have been uncovered in the last two years – were also serious threats.
One method for delivering these attacks was exploit kits.
These kits, available to cybercriminals, package malware designed to attack a variety of known vulnerabilities, old and new. And according to NTT, 78% of the exploit kits it saw in 2013 contained attacks for at least one vulnerability discovered in the last two years.
Companies relying on antimalware and antivirus to alert them to these hazards could be in for a rude awakening, too: 54% of new malware went undetected by antivirus solutions.
Threats might not be hidden
Everyone fears the zero-day exploit that could cripple systems. The idea of hackers knowing about a crucial security vulnerability before you do is certainly a scary one.
But the truth is that the attack that could wreak havoc on your systems may in fact be using years-old methods.
Here are five ways to protect your company against vulnerabilities:
- Know reputations. Some common apps and services are more vulnerable to attack than others. Java can be notoriously buggy, and it’s likely bundled in a number of other programs you use. OpenSSL has also had many recent nightmare stories. Keep an eye out for vulnerabilities in these wide-reaching systems.
- Assign beats. Patch management services may not be in the cards for every company, so make sure you have techs looking out for vulnerabilities in apps and services your company relies on heavily. If you divide the apps so that each tech is looking for specific programs, it’s less likely that an exploit will sneak by you.
- Develop and refine your policies. Not every patch can be applied right away – some could cause headaches with existing systems and apps. But it’s important to have established procedures for how to react when these critical updates become available, and a rough timeline for getting from testing to applying the updates.
- Update antivirus. While antivirus isn’t a magic bullet to prevent attacks, it’s essential that you keep the protections you do have in place up to date. As the study noted, 54% of new malware made it by antivirus undetected – and out-of-date services are certainly one way that gap in security could be explained.
- Watch for misconfigured apps. A recent HP study found that 80% of apps were vulnerable not because of bad code, but because they were improperly implemented into the system. Check with vendors to be sure your third-party apps are correctly configured and secure.