Organizations Are Losing the Battle Against Vulnerabilities
There’s no such thing as perfect, bug-free software. No matter what kind of complex testing methodology is followed, any piece of software with the functionality and complexity to be used in the real world has bugs. These might range from the very minor to far more severe security vulnerabilities.
Add in hardware and the sheer number of potential infrastructure vulnerabilities businesses face becomes mind-boggling. Like a ship springing dozens of leaks at once, businesses are forever trying to ensure every vulnerability they face is patched. With the many systems they rely on, and tens of thousands of new vulnerabilities discovered by cyber security researchers each year, organizations are constantly identifying, testing, and applying patches for vulnerable code. The result is that many firms carry a backlog of tens of thousands of security flaws still waiting to be fixed.
The scale of the problem is terrifying. A Ponemon Institute study commissioned by IBM in 2020 found that, over a six-month period, the average firm fails to patch a sizable 28 percent of the vulnerabilities found in its hardware and software. This leaves an average backlog of 57,000 security issues that have not been fixed.
An open door for hackers
The problem with security vulnerabilities is, of course, that they leave systems open to exploitation.
While cybersecurity experts may diligently hand information about discovered bugs to developers so that they can patch the problem, malicious actors are just as likely to try to exploit these weaknesses. Even when a particular vulnerability has been patched by its developer, fixing the problem still requires the users of that software to install the patch in question. If they do not, the vulnerability remains open for bad actors to exploit.
According to the study commissioned by IBM, over half of organizations surveyed had been the victim of a security breach in the previous year. Of these, 42 percent blamed it on known, but still unpatched, vulnerabilities. Only a quarter of the firms surveyed prioritized fixing vulnerabilities according to the impact they would have on business. More than half had not identified the vulnerabilities that represented the highest risk to them.
This might seem like a massive oversight on the part of businesses, but it is partly understandable. Businesses and organizations have limited resources. With so many new vulnerabilities being discovered on a constant basis, trying to address each one as it emerges is simply overwhelming. The problem is compounded by the fact that patching vulnerabilities, and deciding which ones to patch first, is predominantly a manual job. According to the IBM study, only 21 percent of organizations, around one in every five, patch vulnerabilities in an appropriately timely manner.
Vulnerabilities can be devastating
The issue is that security vulnerabilities can wind up being devastating to organizations. Just as there are many types of vulnerabilities, so too are there many ways hackers might take advantage of them to hurt their targets.
In some cases, they open the door to unwanted surveillance, allowing hackers to monitor the behavior of users, both inside the organization and, potentially, the customers who rely on it. They may also allow attackers to steal confidential information, which could be leaked, sold, or used for extortion. Alternatively, they could be used to gain entry to systems via a backdoor that lets the hacker install malware capable of anything from wiping data to stopping systems from working as they should.
The damage could come from the direct action of the hackers (such as halting access to various tools or systems) or from secondary effects, such as eroded customer trust or fines for failing to properly protect user data. As a result, the answer to the question “how could a hacker use a security vulnerability to hurt me?” is a bit like asking “how long is a piece of string?” There are so many potential responses that the question is impossibly broad to answer succinctly. It depends not just on the type of exploit, but also on the sector or industry being attacked, whether that is financial services, healthcare, education, transportation, retail, or another. Suffice it to say, almost all of the answers are bad news.
Go for patch prioritization
Every organization should do its utmost to ensure that security vulnerabilities are properly patched. One approach to consider is bringing in cyber security experts who can assist with patch prioritization. That means fixing the vulnerabilities most likely to have the most devastating impact first, before moving on to the next.
Cyber security systems should offer vulnerability discovery, which helps reveal which software systems could be compromised by an attacker. This lets organizations understand the potential severity and impact of a vulnerability being exploited, as well as take steps to mitigate the effects.
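An added example, not from the article or the IBM study, of what impact-based prioritization looks like in practice: a constructed backlog of four findings is ranked by expected business impact rather than by CVSS score alone, and each finding is checked against an assumed remediation window so the overdue ones surface first. The CVE identifiers are placeholders and the scoring weights and SLA thresholds are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Finding:
    cve_id: str                # placeholder identifier, not a real advisory
    asset: str
    cvss: float                # 0.0 - 10.0 base severity score
    internet_facing: bool      # reachable from outside the organization
    business_criticality: int  # 1 (low) - 5 (core revenue system)
    exploited_in_wild: bool    # exploitation already observed
    found: date                # when the scanner first reported it

def priority_score(f: Finding) -> float:
    """Rank by expected business impact, not by CVSS alone (assumed weights)."""
    score = f.cvss * f.business_criticality   # up to 50
    if f.internet_facing:
        score *= 1.5                          # exposed to anyone on the internet
    if f.exploited_in_wild:
        score *= 2.0                          # attackers already have a working exploit
    return score

def sla_days(score: float) -> int:
    """Assumed remediation window, tightening as the priority score rises."""
    if score >= 60:
        return 7
    if score >= 30:
        return 30
    return 90

def triage(findings, today):
    """Highest-impact first; each entry carries (cve_id, score, overdue?)."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [(f.cve_id, priority_score(f),
             (today - f.found).days > sla_days(priority_score(f))) for f in ranked]

def cvss_only_order(findings):
    """For contrast: the naive 'highest CVSS first' queue."""
    return [f.cve_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

# Constructed sample backlog (values chosen to be exact in binary floating point).
BACKLOG = [
    Finding("CVE-XXXX-0001", "public-web",  9.5, True,  5, True,  date(2020, 1, 3)),
    Finding("CVE-XXXX-0002", "dev-wiki",    9.0, False, 1, False, date(2020, 1, 3)),
    Finding("CVE-XXXX-0003", "payments-db", 6.5, False, 5, False, date(2019, 10, 1)),
    Finding("CVE-XXXX-0004", "hr-portal",   7.5, True,  3, False, date(2020, 2, 20)),
]
TODAY = date(2020, 3, 1)

if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(BACKLOG))
    for cve, score, overdue in triage(BACKLOG, TODAY):
        print(f"{cve}: score={score} overdue={overdue}")
```

Note how the high-CVSS bug on the low-value dev wiki drops to the bottom of the impact-ranked queue, while the medium-CVSS flaw on the payments database moves up and is already past its window.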
Similarly, tools like Web Application Firewalls (WAFs) and virtual patching can help to scale vulnerability management. These approaches to cyber security can even rapidly protect against the exploitation of vulnerabilities that may not yet be known to developers and are therefore unpatched. Bear in mind that a virtual patch shields the vulnerable code from malicious requests rather than correcting it, so the underlying fix still needs to be applied once it is available.
As noted up top, there’s no such thing as bug-free software. But that doesn’t mean you can’t work to make your cyber security solutions as comprehensive and vulnerability-free as possible. It’s in the best interests of every organization to do exactly that.