Cybercrims Find Easy Route To Attack Networks

Experts from Kaspersky Lab and Outpost2 recently carried out a security audit studying the global prevalence of unpatched vulnerabilities. The joint report illustrates that even unsophisticated attacks on corporate networks can succeed without expensive zero-day exploits. The expert team’s security audit revealed that although the number of zero-day attacks is on the rise, cybercriminals still make use of known vulnerabilities. 

 

Experts from Kaspersky Lab and Outpost2 recently carried out a security audit studying the global prevalence of unpatched vulnerabilities.

The joint report illustrates that even unsophisticated attacks on corporate networks can succeed without expensive zero-day exploits.

The expert team’s security audit revealed that although the number of zero-day attacks is on the rise, cybercriminals still make use of known vulnerabilities. Accordingly, there is no need for cybercriminals to hack a corporate system; they simply need to ‘hack’ the people that manage the system.

A baseline is for all critical vulnerabilities to be resolved within three months. The study found 77 percent of the threats that passed this three-month deadline were still present a year after being discovered. The team collected data on vulnerabilities dating back to 2010, and found systems that had been vulnerable for the past three years.

These unpatched vulnerabilities are considered critical due to the ease with which they can be exploited and the impact they can have. The study found some corporate systems that had remained unpatched for a decade despite the fact that the companies were paying for a special service to monitor their security. 

After collecting the data with the Outpost24 team, Kaspersky Lab’s senior security researcher David Jacoby carried out a social engineering experiment to see how easy it was to insert a USB drive into computers at government institutions, privately owned companies, and hotels.

“What is really surprising is that the hotels and privately owned companies had greater awareness and security than the government organisations,” Jacoby. “The results are a wake-up call for those searching for tailored security solutions that cover the ‘threats of tomorrow’ – it highlighted that training your staff to be prudent is just as important.”

The security audit performed is relevant globally because the gap between the moment a vulnerability is detected and the moment it’s patched is almost uniform in every country.

“Whether it’s exploiting poor security practices, misconfigured security devices or staff that lack security training, companies should understand that it is possible to gain control of most parts of the organisation, even though no new attacks or methods are used. It is therefore essential to shift the approach to security from stand-alone tools to integrated solutions as part of business processes,” Martin Jartelius, Chief Security Officer at Outpost24 said.

Leave a Reply