Organizations are not properly patching their systems and networks, according to the HP Cyber Risk Report 2015, which took a look back at the threat landscape in 2014 and noted that 44 percent of known breaches were possible due to vulnerabilities identified years ago.
Accounting for 33 percent of identified exploit samples in 2014 is CVE-2010-2568, a popular Microsoft Windows vulnerability that was used as one of the infection vectors for Stuxnet, Jewel Timpe, senior manager of threat research at HP Security Research, told SCMagazine.com on Monday.
The report shows that CVE-2010-0188, a vulnerability in Adobe Reader and Acrobat, accounted for 11 percent of exploit samples in 2014. Six Oracle Java bugs identified in 2012 and 2013 also made the top ten list, as well as two Microsoft Office flaws – one identified in 2009 and the other in 2012.
“Our biggest message here is that we have got to start learning from our past,” Timpe said, going on to add, “We know software has vulnerabilities and vendors patch them, and when those patches are made available, they need to be applied. The best patch in the world won't help your software if you don't apply it.”
Timpe admitted that patching everything is not easy.
Patch management is a challenge for organizations because it is expensive and resource intensive, she said, adding that launching new applications may negatively affect existing infrastructure and could even result in regression in other software – meaning previously patched vulnerabilities are possibly reintroduced.
Timpe suggested taking the stance of the “assumed breach,” and explained that organizations – big or small – should implement technologies that identify breaches quickly and shut incidents down. She added that companies should identify what assets are most valuable and assess how to protect it.
Another significant issue noted in the report is server misconfigurations.
“This year we saw the bulk of them are really misconfigurations that are allowing unnecessary access to files and directories that they should not be allowing access to,” Timpe said, going on to add, “These configurations are giving adversaries a new way to get in.”
According to the report, penetration testing coupled with internal and external analyses of configurations can help in identifying issues.
In 2015, Timpe said she expected to see more open source vulnerabilities, more SCADA attacks, and more of a focus on infrastructure. Additionally, she said that attackers will continue to have success by exploiting older bugs.
Timpe – who urged organizations to update if they are running older systems that have reached or are nearing end of support – said that cooperation and working together will help reduce the threat posed by attackers.
“If we talk more, share more, and gain a thorough understanding of imminent threats, it will continue to increase the cost the attacker has to spend to be successful,” Timpe said.