In order to make some sense of this, let’s take a step back and walk through 6 trends that are driving vulnerabilities and their exploitation to understand the bigger picture – and what can be done to mitigate it.
Pace of discovery – 4 New Highly Critical Vulnerabilities a day
During 2014 alone over 15,400 new vulnerabilities were found reflecting an increase of 18% compared to 2013. Of these vulnerabilities 11% were categorized as being highly critical – that makes for over 100 new
highly critical vulnerabilities per month or approximately 4 per day! With the development of new automated vulnerability discovery tools that check new methods of attack, the number of new vulnerabilities discovered is expected to further grow considerably.
Widely Shared Components – Vulnerable
The study quoted above also found that of the 3,870 applications on which vulnerabilities were found in 2014, especially damaging are those that lie at the heart of Content Management Systems (CMS), Open Source Libraries and Operating Systems embedded in literally hundreds of millions of websites. These systems are riddled with vulnerabilities making them popular targets for cyber criminals and a constant source of concern for companies using them. Another study published recently of the 1 Million most visited websites reinforces this with findings that a whopping 1 in 5 sites run vulnerable software.
Shared Vulnerability Database – Double Edged Sword
In an interest to consolidate information about vulnerabilities known in the wild so patches can be developed and implemented as fast as possible, a number of international organizations have been established to standardize the way vulnerabilities are characterized and communicated, the main one being the ‘Common Vulnerabilities and Exposures’ (CVE) database.
While this standardization helps security researchers understand these vulnerabilities faster and, allows companies deploy patches more efficiently it also makes life easier for cybercriminals who have an updated online database of vulnerabilities to exploit for malicious purposes.
Chasing the Corporate Tail
Any IT professional will confess that system upgrades in general and patch installations in particular are costly and complex procedures. Companies will therefore typically have set schedules for undergoing these periodic upgrades. The relentless pace of new vulnerabilities being discovered in the wild means that most companies are at any point in time exposed.
Immediate Exploitation databases – Publicly Available
Not only do cyber criminals have immediate access to the CVE database, but the exploits for these vulnerabilities are also managed in organized databases readily available for both professional cybercriminals and amateur ‘script kiddies’ to take advantage of for their next “victim”.
Examples of such databases are:
Open Source Automated Vulnerability Scanners
One thing is scanning websites and servers manually with the tools detailed above to find targets for exploitation, another is being able to do so automatically. With a wide variety of open-source automated vulnerability scanning tools available online cybercriminals can search for exponentially more targets, further shortening the time corporations have to respond to new vulnerabilities.
With these trends at play cybercriminals no longer need years of experience or expensive resources to exploit vulnerabilities.
Summary – Cyber Criminal Modus Operandi
Cybercriminals employ hordes of bots programmed to automatically scan the Internet for vulnerable servers and websites, when found, the vulnerability is exploited and the server is put to use for malicious purposes. This level of sophistication in automatically scouting for targets and exploiting their vulnerabilities, drastically improves the speed and reach cyber criminals have to execute a malicious activity.
With the industry dynamics outlined above and cybercriminals’ relentless modus operandi, the solutions expected to help corporations successfully mitigate the threat of cybercriminals exploiting vulnerabilities on their perimeter need to address the following:
Fast detection of vulnerabilities to keep one step ahead of cybercriminals;
- Prioritization of identified vulnerabilities so critical bugs can be patched. Fast.
Detailed remediation for immediate and effective action.
Defensive solutions like WAFs (Web Application Firewalls) are another key component