Most major corporations have nobody to blame but themselves for their exposure to non-targeted online attacks: the average company leaves known vulnerabilities open for months, giving attackers ample time to act, according to a study by Kenna Security.
The report, entitled How the Rise in Non-Targeted Attacks Has Widened the Remediation Gap, looked at 50,000 organizations, 250 million vulnerabilities and over one billion breach events between September 2015-15. As of August 1, 2015, a total of 1,272,152,215 successful exploits had been observed in the sample, Kenna said.
One reason for this large number of successful attacks is the time it takes most companies to address a problem. The study found that companies take up to 120 days on average to fix issues, or simply leave them unpatched.
Kenna CEO Karim Toubba told SCMagazine.com in an email Tuesday that the sheer volume of issues these organizations face is the primary reason for the lag between a problem being discovered and fixed.
“First, most organizations have huge backlogs of vulnerabilities they need to work through. So when our report makes the point that, on average, it takes 100 days to remediate a vulnerability - that's just for the ones that do get fixed. It's not factoring in all of the hundreds of thousands that aren't being touched by internal security teams. And the backlog exists, in part, because vulnerability assessment and detection are largely automated but remediation often involves very manual and labor-intensive processes,” Toubba said.
Speed of patching is another area where companies need to improve. The report puts the chance of a vulnerability being exploited at 90 percent if it is not fixed within 40 to 60 days of discovery, so that is the outside window a company has to work within, and even that may not be quick enough.
“In our research report, we indicate that closing a vulnerability within 42 days reduces the probability of being exploited substantially - but it doesn't guarantee that you won't be breached in the first day after a vulnerability is released,” Toubba noted.
Toubba recommended turning the attacker's own weapon to the defender's advantage: automation. The report describes how criminals use automated tooling to cast a wide net for exposed instances of known vulnerabilities such as Heartbleed.
“Many InfoSec teams are simply used to the old methods: using vulnerability scanners, manually parsing through the results, maybe integrating with a few threat feeds if they have the luxury. But all of this takes time. There are more automated approaches to prioritizing and remediation. It's simply a question of changing approaches; evaluating new platforms and resources can help them move at scale,” he said.
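To make the automated-prioritization idea concrete, here is a small added example (written for this page, not code from Kenna or the report) that joins scanner findings with an exploit-availability feed and ranks them by exposure rather than by raw scanner order. The hosts, the exploit feed and all CVE identifiers other than CVE-2014-0160 (Heartbleed) are constructed placeholders, and the 42-day remediation window is taken from the article as a threshold, not as a claim about any real scanner's behaviour.

```python
"""Toy vulnerability triage: join scanner findings with an exploit feed and
rank by exposure instead of reading the raw scanner output by hand.
Added example for this page; sample data below is constructed."""
from dataclasses import dataclass
from datetime import date

# Remediation window taken from the article (42 days); anything older is overdue.
REMEDIATION_WINDOW_DAYS = 42


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float        # base score as reported by the scanner
    first_seen: date   # first scan date on which the finding appeared


def days_open(finding, today):
    """Age of the finding in days as of `today`."""
    return (today - finding.first_seen).days


def tier(finding, exploited_cves, today):
    """Bucket a finding: 'exploited' beats 'overdue' beats 'open'.

    A public exploit makes the finding a target of the non-targeted scanning
    the article describes, so it outranks age alone. Anything not exploited
    but past the remediation window is 'overdue'; the rest is 'open'.
    """
    if finding.cve in exploited_cves:
        return "exploited"
    if days_open(finding, today) > REMEDIATION_WINDOW_DAYS:
        return "overdue"
    return "open"


TIER_RANK = {"exploited": 0, "overdue": 1, "open": 2}


def triage(findings, exploited_cves, today):
    """Return findings ordered by tier, then CVSS (highest first), then age (oldest first)."""
    def key(f):
        return (TIER_RANK[tier(f, exploited_cves, today)], -f.cvss, f.first_seen)
    return sorted(findings, key=key)


# Constructed sample data: hypothetical hosts; CVE-2014-0160 is Heartbleed,
# the CVE-0000-* identifiers are placeholders, not real advisories.
TODAY = date(2015, 8, 1)
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-2014-0160", 7.5, date(2015, 3, 2)),
    Finding("db-02", "CVE-0000-1111", 9.8, date(2015, 7, 20)),
    Finding("app-03", "CVE-0000-2222", 5.3, date(2015, 4, 10)),
    Finding("app-04", "CVE-0000-3333", 6.1, date(2015, 7, 28)),
]
# Constructed stand-in for a threat feed listing CVEs with public exploit code.
SAMPLE_EXPLOIT_FEED = {"CVE-2014-0160"}

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS, SAMPLE_EXPLOIT_FEED, TODAY):
        t = tier(f, SAMPLE_EXPLOIT_FEED, TODAY)
        print(f"{t:9} {f.host:7} {f.cve:14} cvss={f.cvss} open={days_open(f, TODAY)}d")
```

Note that the highest-CVSS finding (db-02) does not come out on top: the Heartbleed host is ranked first because an exploit is public, and the low-severity but 113-day-old finding on app-03 is ranked second because it has sat past the window. That ordering is the point of feeding exploit data and age into prioritization instead of sorting by scanner severity alone.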