Is your organization the next cyber victim?

Attackers do not necessarily need zero-day exploits – they can target you more easily through known vulnerabilities

Author: Eija Paajanen
Date: 11.09.2015
Read Time: 3 Minutes

117,339 cyber-attacks per day. A huge number, and it keeps on growing.

We also know that over 80% of attacks are based on known vulnerabilities. Still, 70% of companies have no solution for patch management.

What’s more, according to “The SANS Institute 2015 State of Application Security Report”, internal security teams are alarmingly slack in taking the necessary measures to deploy patches to critical apps in use – 26% took two to seven days to deploy the patches, while another 22% took eight to 30 days. And as many as 14% needed 31 days to 3 months to deploy the patches satisfactorily.

Another troubling factor to the problem is that the SANS Institute report further states that nearly half of organizations patch vulnerabilities in production apps through quick-and-dirty fixes and other short-term workarounds, such as disabling a feature or function in the app.

So, put yourself in the shoes of the attacker… What would you do? Where would you aim your attacks?

Erka Koivunen, our Cyber Security Advisor, paints a clear picture of a very possible case of a targeted cyber-attack that could hit you, unless you take the necessary precautions:

Consider an organization that has been previously chosen as a target by the attacker. The attacker has identified potential injection methods but finds that in order for them to be effective, there would need to be a suitable vulnerability present in the target system. Reconnaissance has shown that no such vulnerability is exposed at present.

In theory, the attacker could utilize a zero-day exploit. However, not every target is worth this effort – after all, they are a pricey commodity even for a nation state attacker. Furthermore, the attacker knows that utilizing well-known, public exploits is a convenient way to hide their origins and serves to hide the pre-planned attack in the noise created by other, more opportunistic attackers.

With this in mind, the attacker has taken note that there is a noticeable delay in patching the systems whenever a new security update is released. Remember, he has been watching you for an extended period already, and even if you do not scan your own network, that doesn’t mean that no-one else is doing it. The attacker also knows that certain systems in particular roles, such as web application backends, are always the last ones to be patched.

Hence, the attacker sets out to wait for a suitable vulnerability and exploit to emerge. He will look through the CVE repository for a list of known vulnerabilities to detect one that can be used against the target organization. He can count on the fact that he has enough time to weaponize the exploit to fit the task at hand before the system administrators eventually patch the systems. The exploit can then hit the previously identified targets within the organization, and be used as a tool to do whatever it is the attackers want to do. Since the enemy is already inside the system, the patch – when eventually applied – will no longer help stop the attack.

Are you going to be the next victim of a cyber-attack? Or do you have good metrics to help prioritize the patching of externally exposed systems? And the tools to patch your apps and software in an easy way?

By the way, did you know that some attackers patch the systems they have successfully compromised? The reason for that? They want no competition from their fellow cyber criminals!


Post Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s