There are thousands of instances of companies using misconfigured systems or unpatched, outdated software, new analysis has revealed—offering a host of gift-wrapped attack vectors for cyber-criminals.
Using its vulnerability scanning and management product, Radar, F-Secure reviewed 85,000 security events relating to the 100 most common vulnerabilities. It found that the 10 most frequent vulnerabilities are of low or medium severity, yet together account for 62% of all weaknesses found. About 7% of security events carry a high severity rating under the scoring standard (CVSS) used by the National Vulnerability Database, and half of those are exploitable: an attacker could use them to take control of the affected machine through remote code execution.
Nearly all of these exploitable weaknesses are easy to fix with the right software patches or simple administrative changes.
All of this suggests to security experts that many companies lack adequate visibility into their own networks.
“It’s bad news for a company if an attacker finds one of these highly severe vulnerabilities,” said Jarno Niemelä, lead researcher, F-Secure Labs. “The fact that we found thousands of issues this severe suggests some serious security shortfalls amongst companies. Either they’re not implementing patch management programs, or they’re forgetting to include parts of their network in their maintenance practices. But no matter what the underlying cause is, it’s lots of opportunities for attackers, and lots of breaches waiting to happen.”
This finding reinforces previous warnings about the importance of implementing basic security measures. According to the United States Computer Emergency Readiness Team (US-CERT), following a few straightforward steps such as patching vulnerable software can prevent up to 85% of targeted cyber-attacks.
Crucially, misconfigured or poorly implemented encryption protocols account for 44% of the most common issues, making them far more common than the thousands of highly severe weak points.
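The encryption-protocol misconfigurations the report counts are, in practice, largely TLS settings that a scanner like Radar flags: obsolete protocol versions, weak cipher suites and disabled certificate validation. The following is an added example, not code from F-Secure or Radar, that shows the weak and the corrected client-side TLS configuration side by side using Python's standard `ssl` module, together with an audit function that reports the same classes of weakness a scanner would. The cipher-string policy and the list of weak cipher-name markers are the author's assumptions, not part of the original page.

```python
import ssl

# Assumed markers of cipher suites a practitioner would not accept
# (anonymous key exchange, RC4, 3DES, export grade, MD5 MAC, null cipher).
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "ADH", "AECDH", "DES", "MD5", "EXP")


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings for a client-side SSLContext; empty means clean."""
    findings = []
    # Anything below TLS 1.2 is an obsolete protocol version.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}; "
            "require TLSv1_2 or newer"
        )
    # A client that does not validate the peer certificate is trivially MITM-able.
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname checking disabled")
    # Inspect the cipher suites the context would actually offer.
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if cipher["strength_bits"] < 128 or any(m in name for m in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
    return findings


def weak_context() -> ssl.SSLContext:
    """The kind of 'it just has to connect' configuration scanners keep finding."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE       # accept any certificate
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # allow old protocols
    # Open up every suite the library can negotiate, security level 0.
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The simple administrative fix: modern protocol floor, AEAD suites with
    forward secrecy, and certificate plus hostname validation left on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify + check_hostname on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumed policy: ECDHE key exchange with AES-GCM or ChaCha20-Poly1305 only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION  # no TLS compression (already default)
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(f"[{label}]")
        for finding in audit_tls_context(ctx) or ["no findings"]:
            print("  -", finding)
```

Running the block audits both contexts offline, without contacting any server: the weak context is reported for its protocol floor, its disabled certificate and hostname checks, and whatever legacy suites the local OpenSSL build still exposes, while the hardened one produces no findings. The same audit function can be pointed at contexts built elsewhere in a code base to catch the "implementation issue" half of the problem before a scanner does.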
“These issues aren’t particularly pressing if you think about them intrinsically, but hackers see non-critical issues as the cybersecurity equivalent of a ‘kick me’ sign,” said Andy Patel, senior manager, F-Secure Technology Outreach. “There’s lots of ways to stumble across these vulnerabilities just by casually browsing the web. Even hackers uninterested in doing anything bad could be tempted to pull at the thread and see what unravels. Companies that are lucky could get a helpful email informing them of the problem, but the unlucky ones are going to have professional criminals conducting reconnaissance in preparation for targeted attacks.”