The vast majority of successful cyber-attacks in 2014 used known vulnerabilities that were at least a year old – with some of them dating back to 1999, according to the latest Verizon 2015 Data Breach Investigations Report (DBIR).
Verizon is calling on organisations to urgently improve their patch management in response, saying its findings “demonstrate the need for all those stinking patches on all your stinking systems”.
Verizon found that more than 90 percent of the known vulnerabilities exploited by cyber-attackers in 2014 had been identified and given a ‘CVE’ number at least a year before.
And it reported the “pretty amazing statistic” that the top 10 CVEs accounted for almost 97 percent of the exploits observed in 2014. According to Verizon, these top 10 vulnerabilities included one vulnerability dating back to at least 1999, two from 2001 and five from 2002.
Just one of the top 10 CVEs was discovered in 2014 itself.
“Apparently, hackers really do still party like it's 1999,” says the report. “The tally of really old CVEs suggests that any vulnerability management programme should include broad coverage of the ‘oldies but goodies’.
“Just because a CVE gets old doesn't mean it goes out of style with the exploit crowd. And that means that hanging on to that vintage patch collection makes a lot of sense.”
Verizon senior security consultant Jason Whyte told SCMagazineUK.com that the findings show a strong patch management regime is vital – but is not the only answer to breaches.
He said via email: “The data set from the 2015 DBIR suggests a robust patching policy is an essential component of any risk mitigation framework. However the need for education of users is also critical. Patching alone will not protect from user-involved data breaches, such as phishing.”
Whyte said that when it comes to patching, it is vital for organisations to decide how big a priority to give each CVE that emerges. “The real decision is whether a given vulnerability should be patched more quickly than your normal cycle or if it can just be patched with the rest,” he told SC.
To help organisations prioritise which new vulnerabilities to act on quickly, the DBIR report says “a CVE being added to Metasploit is probably the single most reliable predictor of exploitation in the wild”.
Subjectively, it says, one other key attribute of a “critical” vulnerability is whether it “gets a cool name in the media”. For example: “In 2014, Heartbleed, POODLE, SChannel and Sandworm were all observed being exploited within a month of CVE publication date.”
The report also warns against focusing solely on the 10 biggest CVE threats.
“Don't be lulled into thinking you've found an easy way out of the vulnerability remediation rodeo,” it says. “Prioritisation will definitely help from a risk-cutting perspective, but beyond the top ten are seven million other exploited vulnerabilities that may need to be ridden down.”
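The triage rule Whyte and the report describe above (decide per CVE whether it jumps the normal patch cycle, with a public exploit module as the strongest signal, but never drop the rest) and the two headline statistics (share of exploit activity hitting CVEs over a year old, share attributable to the top N CVEs) can be expressed as a small script. The following is an added example, not code from Verizon, SC Magazine or any of the people quoted; the CVE identifiers, dates, exploit-module flags and event counts are all constructed sample data, and the `exploit_module`/`media_name` fields are assumed inputs that an organisation would populate from its own vulnerability scanner and threat-intelligence feed.

```python
"""Patch-priority triage and exposure statistics modelled on the DBIR guidance quoted above.

All CVE ids, dates and counts below are constructed sample data, not real findings.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str                      # CVE identifier (placeholder values in the sample)
    published: date               # date the CVE was published
    exploit_module: bool          # assumption: a public exploit module (e.g. Metasploit) exists
    media_name: Optional[str] = None  # assumption: the bug "got a cool name in the media"


def cve_age_years(finding: Finding, today: date) -> float:
    """Age of the CVE in years, measured from its publication date."""
    return (today - finding.published).days / 365.25


def priority(finding: Finding) -> str:
    """'expedite' when a public exploit module or a media name exists, else 'normal-cycle'.

    Both signals are the ones the report names as predictors of in-the-wild exploitation.
    """
    if finding.exploit_module or finding.media_name:
        return "expedite"
    return "normal-cycle"


def triage(findings: List[Finding], today: date) -> List[Tuple[str, str, float]]:
    """Return (cve, priority, age_years) rows: expedited items first, then oldest first.

    Nothing is dropped: normal-cycle items are still queued for the regular patch run,
    which is the point of the report's warning against stopping at the top ten.
    """
    rows = [(f.cve, priority(f), round(cve_age_years(f, today), 1)) for f in findings]
    rows.sort(key=lambda r: (r[1] != "expedite", -r[2]))
    return rows


def share_of_top_n(exploit_events: List[str], n: int) -> float:
    """Fraction of observed exploit events attributable to the n most-exploited CVEs."""
    counts = Counter(exploit_events)
    total = sum(counts.values())
    top = sum(c for _, c in counts.most_common(n))
    return top / total if total else 0.0


def share_older_than_a_year(exploit_events: List[str],
                            published_by_cve: Dict[str, date],
                            today: date) -> float:
    """Fraction of exploit events that hit a CVE published more than a year before `today`."""
    old = sum(1 for cve in exploit_events if (today - published_by_cve[cve]).days > 365)
    return old / len(exploit_events) if exploit_events else 0.0


# Constructed sample data: placeholder CVE ids, invented dates and flags.
TODAY = date(2015, 4, 15)
SAMPLE_FINDINGS = [
    Finding("CVE-1999-EXAMPLE-A", date(1999, 6, 1), exploit_module=True),
    Finding("CVE-2002-EXAMPLE-B", date(2002, 3, 1), exploit_module=False),
    Finding("CVE-2014-EXAMPLE-C", date(2014, 4, 7), exploit_module=True, media_name="SampleName"),
    Finding("CVE-2015-EXAMPLE-D", date(2015, 3, 20), exploit_module=False),
]
# Constructed log of exploit observations, one entry per observed attempt.
SAMPLE_EVENTS = (["CVE-1999-EXAMPLE-A"] * 50 + ["CVE-2014-EXAMPLE-C"] * 30
                 + ["CVE-2002-EXAMPLE-B"] * 15 + ["CVE-2015-EXAMPLE-D"] * 5)
PUBLISHED = {f.cve: f.published for f in SAMPLE_FINDINGS}


if __name__ == "__main__":
    for cve, prio, age in triage(SAMPLE_FINDINGS, TODAY):
        print(f"{cve:22} {prio:13} age={age:5.1f}y")
    print("top-2 CVEs share of exploit events:", share_of_top_n(SAMPLE_EVENTS, 2))
    print("events hitting CVEs older than a year:",
          share_older_than_a_year(SAMPLE_EVENTS, PUBLISHED, TODAY))
```

Run against real scanner output, the `triage` ordering is the list to hand to the out-of-cycle patch process, while `share_older_than_a_year` over your own IDS or log data tells you whether your estate reproduces the report's "oldies but goodies" pattern.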
Analysing Verizon's findings, UK cyber-experts say the lasting success of old vulnerabilities highlights continuing failures in organisations' approach to patching.
Gavin Millard, technical director of Tenable Network Security, told SC via email: “It's unfortunately of no surprise to see many of the breaches in 2014 were achieved in part by utilising old vulnerabilities that should have been patched years ago.
“If organisations haven't fully operationalised vulnerability and patch management and continuously monitor for unpatched systems, bugs will continue to linger.
“Hackers and automated exploit tools don't consider how long a vulnerability has been disclosed or how popular it was in the media - they just care how effective it is in achieving their goals.”
Sarb Sembhi, director of risk management consultancy STORM Guidance, agreed that patch management is a big issue, both for users and hardware and software vendors.
He told SC: “Organisations are not patching - the question is why they are not patching. It's not just about poor patch management, it's the whole process, the different components that make up why it doesn't happen.”
Sembhi said that unlike Microsoft, some software vendors don't flag important patches to users. “There need to be some patches that come out that are so important that they are done automatically. But a lot of products don't enable that automatic updating. Also people aren't aware of patches and don't realise their importance.
“However, where there is a tool that will check and update for vulnerabilities for you, people don't always choose to receive patches automatically, and patching is not set to automatic.”
Sembhi, a leading light in ISACA, pointed out that for many large organisations with lots of legacy applications, testing new patches across that estate can take months or even years.
He advised: “In the meantime organisations have to make sure they have other controls in place so the vulnerability cannot be exploited.
“Organisations need to make sure their vendors are providing patches as quickly as they need them – and not all vendors do that. Secondly, they should be using some sort of vulnerability management software so they've got an overview on all of their estate and what is running on it.
“If you're not using patching management systems or any vulnerability management tools, basically you're not going to have a clue as to what does need to be patched and what doesn't.”
The Government's Cyber Essentials scheme puts a lot of focus on patch management, he said.
* Verizon's report chimes with Symantec's latest Internet Security Threat Report which finds hackers exploiting patching problems among vendors.
“Symantec research reveals that it took software companies an average of 59 days to create and roll out patches - up from only four days in 2013,” the report says. “Attackers took advantage of the delay and, in the case of Heartbleed, leapt to exploit the vulnerability within four hours.”
Further analysis on the Verizon 2015 Data Breach Investigations Report (DBIR) to follow on www.scmagazineuk.com today.