Attackers still exploiting old vulnerabilities, says NTT report

Failure to patch old vulnerabilities is still a leading cause of breaches of security controls, says a new report.

In its annual Global Threat Intelligence Report released this week, global services company NTT Ltd. said threat actors continue to focus on vulnerabilities that are several years old with apparent success.

“In our first report [seven years ago] we mentioned one of the problems is vulnerabilities 10 years or older represent 22 per cent of all breaches in our client base,” Matthew Gyde, CEO of NTT Ltd.’s security division, noted in an interview.

“While that’s got a little bit better, many organizations are still not maintaining their systems to prevent people from going after old vulnerabilities … Old school attacks are still strong.”

The report, which uses data from the company’s customers collected between October 2018 and September 2019, noted that during the period organizations continued to experience high levels of malicious scanning focused on identifying the six-year-old Shellshock (CVE-2014-6271) vulnerabilities. Continued attacks against vulnerabilities such as the six-year-old HeartBleed (CVE-2014-0160) helped make OpenSSL the second most targeted software technology with 19 per cent of hostile activity globally. Seventeen vulnerabilities in OpenSSL identified in the last two years contributed to a constant focus of attacks against vulnerable implementations.

Ironically, response to the current COVID-19 pandemic may change that, Gyde said, as CIOs shift from on-premise to cloud-based applications, which get regular updates from their developers.

NTT Ltd. is a subsidiary of Japanese telecom giant NTT Corp. which includes well-known units as Dimension Data and White Hat Security. NTT Ltd. operates in 31 countries outside of Japan. It has a staff of 60 in Canada, including 12 focusing on cybersecurity solutions.

The finding that threat actors continue to leverage old vulnerabilities in 2019 was one of six trends identified in the 73-page report. Others include the increased use of machine learning and artificial intelligence tools by threat actors to automate attacks; the weaponization of infected Internet of Things devices; increased attacks on content management systems; the tightening by governments and regulators of governance and privacy laws; and the increasing targeting by attackers of technology firms and governments.

The attack data indicates that over half (55 per cent) of all attacks in the study period were a combination of web-application and application-specific attacks, up from 32 per cent the year before. Twenty per cent of attacks targeted CMS suites and more than 28 per cent targeted technologies that support websites. For organizations that are relying more on their web presence during COVID-19, such as customer portals, retail sites, and supported web applications, they risk exposing themselves through systems and applications that cybercriminals are already targeting heavily.

The trends analysis is broken down geographically and by five industry sectors.

Among the recommendations for IT leaders:

  • Mature your organization’s approach to be secure by design. Understanding your organization’s goals, identifying acceptable risk, and building cyber-resilient capabilities are essential to navigating the threat landscape. An entire section of the report deals with cyber-resiliency.
  • Pursue intelligence-driven cybersecurity. Cybersecurity and business leadership must change the way they think and apply security, and must transform from a reactive mindset, to a more effective, proactive, intelligence-driven approach.
  • Monitor the threat environment. Leverage intelligent cybersecurity to guide decisions, support business agility, and maintain an acceptable risk level for the organization is essential to success.
  • Focus on standardization of controls. Cybersecurity defenders should focus on leveraging standards, knowledgebases, and frameworks such as the MITRE ATT&CK and NIST Cybersecurity Framework. These will help organizations mitigate risks and provide excellent information to help organizations assess organizational risk.

The report can be downloaded here. Registration required.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now