Software Vulnerabilities: Loved by Cybercriminals, Dreaded by Companies
Software vulnerabilities are common despite being hard to find. Find out why hackers love discovering new ones and how companies can deal with the aftermath of those discoveries.
Software is an important tool that most businesses use in their day-to-day operations. However, apps can be detrimental to organizations’ operations if they contain vulnerabilities — that is, flaws or weaknesses that can be exploited by an attacker for malicious purposes. In 2019 alone, there were 22,316 new software vulnerabilities reported. A similar total is expected for 2020, as the mid-year count was 11,121.
Besides being numerous, vulnerabilities are silent. They typically do not announce their presence in any way, so they can go undetected for years. For example, the Zerologon vulnerability (CVE-2020-1472) in the Microsoft Netlogon Remote Protocol has been present in Microsoft Windows Server software as far back as 2008, but researchers did not discover it until August 2020.
Unpatched Vulnerabilities Are a Hacker’s Best Friend
Some cybercriminals try to discover flaws or weaknesses in software themselves. A new vulnerability can be worth thousands of dollars on the Dark Web, so finding one is like finding gold, according to one real-world hacker. Vulnerabilities that hackers discover are often used in zero-day attacks. These attacks get their name from the fact that there are zero days between the time when the software developers and researchers first learn about the susceptibility and the first attack exploiting it.
Discovering vulnerabilities takes time and expertise, which is why many cybercriminals exploit known weaknesses instead. Hackers like to keep abreast of newly discovered vulnerabilities so they can exploit them before people have a chance to install the updates that fix the flaws or weaknesses. For instance, on July 22, 2020, a researcher announced he had discovered a vulnerability (CVE-2020-3452) in two Cisco apps and posted the flaw’s proof-of-concept (PoC) code. On the same day, Cisco released updates to fix the vulnerability, which was located in the web services interface of its Adaptive Security Appliance Software and Firepower Threat Defense Software. Shortly after the PoC code was posted, hackers started exploiting the vulnerability. At that time, only about 10% of the companies using these apps had installed the update.
The vulnerability in the Cisco apps allows hackers to access potentially sensitive data in the web services file system. Cybercriminals often exploit unpatched flaws and weaknesses to access systems from which they want to steal data. In a Ponemon Institute study, 60% of the data breach victims said their systems were breached because a patch for a known vulnerability was not applied.
Data breaches aren’t the only malicious activity resulting from exploited vulnerabilities, though. Hackers also take advantage of them to install malware, spy on organizations, and carry out other nefarious activities.
How to Deal with Vulnerabilities
Patching known vulnerabilities in a timely manner is crucial if you want to protect your business from cyberattacks. You need to make sure that all the apps (including the operating system software) on your business’s computers are regularly updated so that known flaws or weaknesses are fixed. Although updates are often automated in operating system software and mainstream apps, they might need to be manually installed in other programs. In addition, you need to make sure that the software and firmware in devices such as smartphones, printers, and routers are updated.
Making sure that updates are being applied in a timely manner can be a monumental task if your business has numerous computers and devices and they have a lot of software and firmware on them. In this case, you might want to take advantage of a patch management system or patch management service.
There are other measures you can take that will help protect your business against known vulnerabilities. For example, you can make sure your firewall uses stateful inspection so that it detects and stops suspicious connections. Although most modern firewalls use stateful inspection, older firewalls might not. You can also reduce your business’s attack surface by uninstalling or disabling software that is no longer needed, including web browser plug-ins that are not being used. The less software you have, the less vulnerable your business will be.
If you want specific recommendations on the measures to take, we can assess your IT environment and develop a strategy that will ensure your apps are patched and your business is protected.