Bad guys are so much more nimble than good guys that they have roughly a two-month head start in most hacking situations, a new report has found. Meanwhile, software flaws more than a decade old continue to be used to hack hundreds of thousands of computers, according to Kenna Security.
In the hacking world, a software flaw that is unknown to the vendor, and therefore has no patch, is known as a “zero-day” vulnerability. Known only to a select few, exploits for zero-day flaws let hackers break into machines at will, and much has been made of this alarming problem.
But even known, patchable vulnerabilities might as well be “zero day” flaws, findings in a report issued Tuesday by Kenna on what it calls the “Remediation Gap” suggest. Kenna says it examined one billion breach events and came to this disturbing conclusion:
Most organizations require 100-120 days before fixing vulnerabilities; meanwhile, hackers exploit them within 40-60 days. That’s two months of free shots.
“The public has grown plenty familiar with hackers seeking out a specialized target, such as Ashley Madison. But automated, non-targeted attacks still remain the most significant threat to businesses of all sizes,” said Karim Toubba, CEO of Kenna. “Every company has data that hackers want to get their hands on, but security teams remain one step behind their adversaries. Security teams need to move quickly to remediate critical vulnerabilities, but they don’t have the tools needed to keep pace with hackers.”
The report suggests that too much attention has been placed recently on targeted attacks, while old-fashioned “spray and pray” attacks remain many firms’ greatest threat.
“Of the organizations that Kenna has evaluated, 100 percent are susceptible to vulnerabilities – which correlate to at least one stable publicly available exploit,” the report says.
Kenna said it pulled its sample from a database of 10 million successful attacks per week, collected through AlienVault’s Open Threat Exchange, as well as threat intelligence data from various partners, including Dell SecureWorks, Verisign, SANS ISC and US-CERT.
“By executing this approach, we were able to estimate the probability that a vulnerability might be exploited, as well as the sheer volume of attacks, based on the volume of attacks displayed by the aggregated data,” the report says.
Security professionals do a poor job of prioritizing which threats they remediate, and often fail to patch old flaws that are known to be popular among hackers in favor of top-of-mind flaws that have been recently announced, the firm argues.
“One of the points we need to make is that the vulnerabilities in question are often very old, well-known weaknesses that simply haven’t been fixed yet. We’ve seen this over and over again as we evaluate the data,” the report says. “In many cases these vulnerabilities are not sexy, and they don’t hog the spotlight – but in many environments they actually represent major weaknesses.”
For example, Kenna counted 156,000 exploitations of the flaw behind the Slammer worm during 2014. Slammer, which exploits a buffer overflow in Microsoft SQL Server 2000 that Microsoft had patched six months before the worm appeared, hit so many servers that it dramatically slowed down general Internet traffic – in 2003.
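The report's approach (aggregate observed attack volume per vulnerability, then let that evidence drive the fix order) and its complaint that teams patch the newest flaws before the ones actually being hit can be shown in a few dozen lines. The script below is an added illustration, not Kenna's code or model: the telemetry lines, signature names, vulnerability identifiers and scoring weights are all constructed for the example. The only figures taken from the article are the 40-day attacker window and the 120-day remediation window.

```python
"""
Added example (not Kenna's code or data): rank unpatched vulnerabilities by
observed exploitation volume from attack telemetry rather than by how
recently they were disclosed. Telemetry, inventory and weights are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
import math
import re

# Windows reported in the article: attackers exploit within 40-60 days,
# organizations remediate in 100-120 days.
ATTACKER_WINDOW_DAYS = 40
ORG_REMEDIATION_DAYS = 120

# Constructed telemetry, one line per observed exploit attempt, loosely
# modelled on an IDS alert. Signature names are hypothetical. The
# "heartbeat" line is deliberately malformed to show it being skipped.
TELEMETRY = """\
2015-09-14T03:12:09Z src=203.0.113.7 dst=10.0.4.21 sig=sql-resolution-overflow-2002
2015-09-14T03:12:10Z src=203.0.113.7 dst=10.0.4.22 sig=sql-resolution-overflow-2002
2015-09-14T03:12:10Z src=198.51.100.9 dst=10.0.4.22 sig=sql-resolution-overflow-2002
2015-09-14T04:40:51Z src=198.51.100.2 dst=10.0.7.5 sig=web-deserialization-2015
2015-09-14T05:02:17Z src=203.0.113.8 dst=10.0.4.21 sig=sql-resolution-overflow-2002
2015-09-14T05:02:18Z src=203.0.113.8 dst=10.0.4.23 sig=sql-resolution-overflow-2002
2015-09-14T06:11:00Z src=192.0.2.14 dst=10.0.9.3 sig=ssl-renegotiation-2009
2015-09-14T06:30:00Z heartbeat ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+)$")


@dataclass(frozen=True)
class Vuln:
    vid: str              # constructed identifier, not a real CVE
    sig: str              # telemetry signature that fires on exploitation
    cvss: float           # base severity score
    published: date       # public disclosure date
    public_exploit: bool  # a stable, publicly available exploit exists


# Constructed inventory of unpatched findings in a fictional environment.
INVENTORY = [
    Vuln("OLD-2002-SQL", "sql-resolution-overflow-2002", 7.5, date(2002, 7, 24), True),
    Vuln("OLD-2009-SSL", "ssl-renegotiation-2009", 5.8, date(2009, 11, 5), True),
    Vuln("NEW-2015-DESER", "web-deserialization-2015", 9.8, date(2015, 8, 30), True),
    Vuln("NEW-2015-KERNEL", "kernel-priv-esc-2015", 10.0, date(2015, 9, 10), False),
]


def count_events(telemetry: str) -> Counter:
    """Count exploit attempts per signature; lines that do not parse are skipped."""
    counts = Counter()
    for line in telemetry.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group("sig")] += 1
    return counts


def exposure_score(v: Vuln, events: Counter, today: date) -> float:
    """
    Evidence of active exploitation dominates; severity is only a tiebreaker.
    Weights are illustrative assumptions, not Kenna's model.
    """
    days_open = (today - v.published).days
    # How long attackers have had the flaw past their typical 40-day ramp-up,
    # capped at the organisation's own remediation window.
    head_start = max(0, days_open - ATTACKER_WINDOW_DAYS)
    active = 10.0 * math.log10(1 + events.get(v.sig, 0))      # observed volume
    weaponized = 5.0 if v.public_exploit else 0.0              # public exploit
    stale = min(head_start, ORG_REMEDIATION_DAYS) / ORG_REMEDIATION_DAYS * 3.0
    return active + weaponized + stale + v.cvss / 10.0


def prioritize(inventory, telemetry: str, today: date):
    events = count_events(telemetry)
    return sorted(inventory, key=lambda v: exposure_score(v, events, today), reverse=True)


def ranked_ids(inventory=INVENTORY, telemetry=TELEMETRY, today=date(2015, 9, 15)):
    """Fix order for the constructed data, most urgent first."""
    return [v.vid for v in prioritize(inventory, telemetry, today)]


if __name__ == "__main__":
    events = count_events(TELEMETRY)
    for v in prioritize(INVENTORY, TELEMETRY, date(2015, 9, 15)):
        print(f"{v.vid:16} cvss={v.cvss:4} events={events.get(v.sig, 0):2} "
              f"score={exposure_score(v, events, date(2015, 9, 15)):.2f}")
```

Run on the constructed data, the 2002-era SQL Server flaw with five observed hits in a day ranks first and the brand-new CVSS 10.0 kernel bug with no public exploit and no observed attempts ranks last; a CVSS-first or newest-first queue would invert that order. In a real deployment the telemetry would come from the organisation's own IDS or a feed such as the ones the report names, the signature-to-finding mapping would come from the scanner, and the weights would be tuned to the environment.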
The report also finds that automated attacks are on the rise: Kenna says there have been over 1.2 billion successful exploits witnessed in 2015 to date, compared to 220 million successful exploits witnessed in 2013 and 2014 combined – an increase of 445 percent.
“Companies will continue to face the cold reality that throwing people at the problem is no longer sufficient for remediating vulnerabilities and combating the sheer volume of automated attacks,” Toubba said.