Security vulnerabilities are popping up all the time, and can put any business that uses technological assets at risk. In a nutshell, vulnerabilities represent the ideal opportunity for malicious actors to break into systems and wreak all types of havoc. From data theft to information compromise and beyond, vulnerabilities are a particularly pertinent issue for today’s enterprises.
According to current data, more vulnerabilities are coming to light than ever before:
• 2017 represented a record-breaking year for reported exploitable vulnerabilities, reported SecurityWeek. Overall, more than 20,000 security flaws were spotted over the course of the year, a more than 30 percent year-over-year increase. While this can be taken a number of different ways – creating heightened security risks, or more frequent reporting of vulnerabilities on the part of enterprise software users – this level of rising platform flaws is certainly concerning.
• Although numbers are still being tallied for 2018, a report from RiskBased Security noted that by August of last year, more than 10,000 vulnerabilities had been reported. This includes 3,000 potential flaws that many enterprises failed to patch.
“The severity of the vulnerabilities disclosed still remains significant, demanding organizations remain vigilant by implementing a comprehensive software vulnerability assessment and management plan,” stated RiskBased Security.
While it’s becoming more challenging to guard against the rising tide of vulnerabilities – particularly zero-day flaws – there are several key strategies enterprises can incorporate to help bolster their security.
Types of vulnerabilities and how they’re used for malicious activity
Before we delve into those strategies, though, it’s worth taking a look at vulnerabilities in action, and understanding how these software flaws can be leveraged by a malicious actor.
As Trend Micro explains in its ebook, “Beat Cybercriminals at Their Own Game: A Guide to Winning the Vulnerability Race and Protecting Your Organization,” there are several types of vulnerabilities, and these different flaws present key challenges for security.
A traditional vulnerability, for example, is a programming error or other type of software issue that hackers can use to sidestep password protection or security measures and gain unauthorized access to legitimate systems. These problems are unfortunately pretty extensive, and new vulnerabilities that can be exploited by cybercriminals are being discovered by security experts all the time.
Where general vulnerabilities typically have security patches or updates available to repair them, this is not the case with a zero-day vulnerability. Zero-days are brand new software issues that have only just been identified, and have not yet been patched by vendors. As Trend Micro explained, “that’s because the vendor essentially has zero days to fix the issue, or has chosen not to fix it.”
An undisclosed vulnerability also represents a considerable threat to enterprise security. These are flaws that have been identified and reported, but are not yet disclosed to public users, giving vendors time to patch the issue.
In any of these cases, vulnerabilities can be leveraged by hackers to support unauthorized access, install malware, exfiltrate compromised data or modify existing files, launch a denial-of-service attack, or maliciously take over control of systems. This only scratches the surface – vulnerabilities provide an entryway for cybercriminals to conduct an array of different kinds of attacks, all of which can impact an organization’s productivity, profits, customer relationships, vendor partnerships, and the company’s overall reputation.
Vulnerabilities represent considerable risk to enterprise security.
How to address vulnerabilities in the enterprise
There are several critical approaches today’s businesses and IT teams can take to safeguard their organization from software vulnerabilities.
Pay attention to current security research
Whenever a vulnerability is discovered and reported, security experts like Trend Micro will look to educate users on the software flaw, the potential risk and approaches businesses can use to protect themselves. One of the best ways to support an up-to-date security posture is by paying attention to this key research, and leveraging its insights for the good of the business.
“The threat researchers and data scientists in Trend Micro Research labs around the world identify and disclose new vulnerabilities across a wide range of platforms,” Trend Micro’s ebook explained of its in-house security research. “Using workflows and techniques refined through years of collaboration with our partners, our highly skilled team of researchers can reverse engineer a security threat and provide protection to our clients quickly.”
Trend Micro also supports the world’s largest bug bounty program – the Zero Day Initiative – enabling users and white hat hackers across the globe to report vulnerabilities in an effort to patch the issue as quickly as possible. Best of all, these individuals are rewarded for making reports – Apple, for instance, has offered up a $100,000 bounty for anyone who can successfully extract sensitive data from its Secure Enclave solution.
Be aware of updates and patches – and prioritize accordingly
In addition to reading up on the latest research from security solution providers and other experts, it’s also important that IT leaders be aware of patches and updates released by vendors.
Microsoft, for example, is known for its unofficial “Patch Tuesday,” as many of its software updates and patches are released on Tuesdays. Organizations that rely on Microsoft solutions should check for updates according to the vendor’s regular schedule.
However, as Trend Micro’s ebook pointed out, with so many patches being released by security and software vendors, it’s no longer possible for IT teams to keep up and install them immediately. This means there is potentially time for hackers to exploit identified vulnerabilities before the enterprise has time to apply the patch.
The solution here is to establish a prioritized patching process that takes into account:
• The severity of the patched issue. Microsoft and other vendors will rate vulnerabilities according to how critical they are to overall risk. More critical patches should be applied as soon as possible, whereas less critical updates can represent a lower priority.
• Vulnerabilities impacting your enterprise’s particular key software. Similarly, updates for software systems that are used on a daily basis within the enterprise and provide essential functionality should be prioritized over other updates. A patch for software that is only intermittently used, or only impacts a small number of users in a single department of the company, for instance, can be put on the back burner.
• Those currently being exploited. It’s important to prioritize patches for vulnerabilities that hackers are currently using to mount attacks.
“Focus on those vulnerabilities that are present within your operating systems, devices, and applications that are also actively being exploited in the wild,” Trend Micro’s ebook stated. “This significantly reduces the number of vulnerabilities that you need to patch while mitigating risks for your business.”
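The three criteria above can be turned into a repeatable triage step. The following is an added example, not code from Trend Micro or its ebook: the patch IDs, product names, usage tiers, numeric ranks and the ordering (active exploitation first, then vendor severity, then business reliance) are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Vendor severity labels mapped to a rank (higher = more urgent).
# The numeric ranks are an assumption of this example.
SEVERITY_RANK = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}
# How heavily the enterprise relies on the affected software (assumed tiers).
USAGE_RANK = {"daily-essential": 3, "regular": 2, "intermittent": 1}


@dataclass(frozen=True)
class PendingPatch:
    patch_id: str            # constructed placeholder, not a real advisory ID
    product: str
    severity: str            # vendor-assigned rating
    exploited_in_wild: bool  # taken from current security research


def tier_for(patch, inventory):
    """Map one patch to a patching tier using the page's three criteria."""
    if patch.exploited_in_wild:
        return "patch-now"
    usage = USAGE_RANK[inventory[patch.product]]
    if SEVERITY_RANK[patch.severity] >= 3 and usage >= 2:
        return "next-window"
    return "backlog"  # e.g. intermittently used software: back burner


def prioritize(patches, inventory):
    """Return (patch, tier) pairs, most urgent first.

    `inventory` maps product -> usage tier. Patches for software that is
    not deployed are dropped, since they reduce no risk for this enterprise.
    """
    relevant = [p for p in patches if p.product in inventory]
    ranked = sorted(
        relevant,
        key=lambda p: (p.exploited_in_wild, SEVERITY_RANK[p.severity],
                       USAGE_RANK[inventory[p.product]]),
        reverse=True,
    )
    return [(p, tier_for(p, inventory)) for p in ranked]


# Constructed sample data for illustration only.
INVENTORY = {"mail-server": "daily-essential", "web-browser": "daily-essential",
             "hr-reporting-tool": "intermittent"}
PATCHES = [
    PendingPatch("PATCH-001", "hr-reporting-tool", "Critical", False),
    PendingPatch("PATCH-002", "mail-server", "Important", True),
    PendingPatch("PATCH-003", "web-browser", "Critical", False),
    PendingPatch("PATCH-004", "design-suite", "Critical", True),  # not deployed
    PendingPatch("PATCH-006", "hr-reporting-tool", "Low", True),
]
```

Note that the actively exploited "Important" patch outranks both unexploited "Critical" ones, and the exploited patch for software the enterprise does not run drops out entirely, which is the reduction in workload the ebook quote describes.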
To find out more about how you can get ahead of vulnerabilities and associated security risks, check out Trend Micro’s ebook guide.