Read Time: 3 Minutes
Security experts talk a lot about vulnerabilities. And rightfully so, as patching vulnerabilities is one of the most important measures you can take to prevent attacks.
But a recent investigation has found that some of the most common weaknesses in company systems are being caused by configuration issues. While these issues don’t have the severity of some unpatched vulnerabilities, their prominence is quite surprising.
The above graph shows the 10 most frequently detected vulnerabilities that turned up during the investigation, which was conducted in early 2016 using F-Secure Radar – a vulnerability scanner/management solution. Put together, the top 10 accounts for just over 61 percent of the 100 most frequently detected weaknesses encountered during the investigation.
And if you have a look at the different vulnerabilities, you’ll notice many of them are misconfigurations or implementation issues with encryption protocols (accounting for roughly 44 percent of the most common issues).
So why are these issues so frequent?
Well, encryption is the de-facto standard for securing communications. Every company should be using it, and most do, in one form or another. But while many of them use encryption, they’re not necessarily implementing it in accordance with best practices.
For example, while Secure Socket Layer (SSL) encryption is widely used, even the most recent version (which is itself quite old) has vulnerabilities that can expose companies to man-in-the-middle (MITM) attacks. And because versions of SSL are being replaced by the newer, Transport Layer Security (TLS) protocols, companies using versions of SSL have not just one, but numerous weaknesses that could perk the interest of criminals, corporate saboteurs, or a variety of other actors.
And while the newer TLS protocols provide better security, companies need to ensure they’re running the most recent version. As the results show, many companies still aren’t doing this.
These issues do not have the severity of some other vulnerabilities, but they’re enough to attract unwanted attention.
“These issues aren’t particularly pressing if you think about them intrinsically, but hackers see non-critical issues as the cyber security equivalent of a ‘kick me’ sign,” said Andy Patel, Senior Manager, F-Secure Technology Outreach. “There’s lots of ways to stumble across these vulnerabilities just by casually browsing the web. Even hackers uninterested in doing anything bad could be tempted to pull at the thread and see what unravels. Companies that are lucky could get a helpful email informing them of the problem, but the unlucky ones are going to have professional criminals conducting reconnaissance in preparation for targeted attacks.”
So what can CISO’s do to avoid these vulnerabilities? Well, a comprehensive vulnerability management program is a good start. And it should include the following:
Making networks and vulnerabilities visible: Even IT admins can have a difficult time keeping track of the entire network. Some parts of a network may been used so infrequently that they’re forgotten about, or maybe even setup without consulting IT personnel. This makes them easy to exclude from maintenance practices, so having good visibility over your network is key.
Patching vulnerable applications/OS’: Patch management might seem like a no-brainer, but it’s still something lacking in many companies. Prioritizing this should be at the top of every CISO’s to-do list. It can seem like a daunting task, but patch management solutions can make it relatively quick and painless for companies, and take care of many of the serious vulnerabilities being used by attackers.
Implementing a broad hardening strategy: While patch management solutions are excellent at maintaining popular applications and software, they won’t find everything. Using vulnerability and port scans can make both the network and its weaknesses visible, and the best solutions will provide a support framework that IT admins can use to track and harden all the weaknesses in their networks.