Failure to patch old vulnerabilities is still a leading cause of breaches of security controls, says a new report.
In its annual Global Threat Intelligence Report released this week, global services company NTT Ltd. said threat actors continue to focus on vulnerabilities that are several years old with apparent success.
“In our first report [seven years ago] we mentioned one of the problems is vulnerabilities 10 years or older represent 22 per cent of all breaches in our client base,” Matthew Gyde, CEO of NTT Ltd.’s security division, noted in an interview.
“While that’s got a little bit better, many organizations are still not maintaining their systems to prevent people from going after old vulnerabilities … Old school attacks are still strong.”
The report, which uses data from the company’s customers collected between October 2018 and September 2019, noted that during the period organizations continued to experience high levels of malicious scanning focused on identifying the six-year-old Shellshock (CVE-2014-6271) vulnerabilities. Continued attacks against vulnerabilities such as the six-year-old HeartBleed (CVE-2014-0160) helped make OpenSSL the second most targeted software technology with 19 per cent of hostile activity globally. Seventeen vulnerabilities in OpenSSL identified in the last two years contributed to a constant focus of attacks against vulnerable implementations.
Ironically, response to the current COVID-19 pandemic may change that, Gyde said, as CIOs shift from on-premise to cloud-based applications, which get regular updates from their developers.
NTT Ltd. is a subsidiary of Japanese telecom giant NTT Corp. which includes well-known units as Dimension Data and White Hat Security. NTT Ltd. operates in 31 countries outside of Japan. It has a staff of 60 in Canada, including 12 focusing on cybersecurity solutions.
The finding that threat actors continue to leverage old vulnerabilities in 2019 was one of six trends identified in the 73-page report. Others include the increased use of machine learning and artificial intelligence tools by threat actors to automate attacks; the weaponization of infected Internet of Things devices; increased attacks on content management systems; the tightening by governments and regulators of governance and privacy laws; and the increasing targeting by attackers of technology firms and governments.
The attack data indicates that over half (55 per cent) of all attacks in the study period were a combination of web-application and application-specific attacks, up from 32 per cent the year before. Twenty per cent of attacks targeted CMS suites and more than 28 per cent targeted technologies that support websites. For organizations that are relying more on their web presence during COVID-19, such as customer portals, retail sites, and supported web applications, they risk exposing themselves through systems and applications that cybercriminals are already targeting heavily.
The trends analysis is broken down geographically and by five industry sectors.
Among the recommendations for IT leaders:
- Mature your organization’s approach to be secure by design. Understanding your organization’s goals, identifying acceptable risk, and building cyber-resilient capabilities are essential to navigating the threat landscape. An entire section of the report deals with cyber-resiliency.
- Pursue intelligence-driven cybersecurity. Cybersecurity and business leadership must change the way they think and apply security, and must transform from a reactive mindset, to a more effective, proactive, intelligence-driven approach.
- Monitor the threat environment. Leverage intelligent cybersecurity to guide decisions, support business agility, and maintain an acceptable risk level for the organization is essential to success.
- Focus on standardization of controls. Cybersecurity defenders should focus on leveraging standards, knowledgebases, and frameworks such as the MITRE ATT&CK and NIST Cybersecurity Framework. These will help organizations mitigate risks and provide excellent information to help organizations assess organizational risk.
The report can be downloaded here. Registration required.